Merge branch 'configuration-flex-auth' into 4.1

Dockerfile

@@ -22,7 +22,6 @@ RUN rm /etc/shibboleth/sp-signing-key.pem /etc/shibboleth/sp-signing-cert.pem  /
 
 COPY container_files/supervisor/supervisord.conf /etc/supervisor/supervisord.conf
 COPY container_files/httpd/conf/* /etc/httpd/conf.d/
-COPY container_files/shibboleth/* /etc/shibboleth/
 COPY container_files/usr-local-bin/* /usr/local/bin/
 COPY container_files/opt-tier/* /opt/tier/
 

container_files/usr-local-bin/start-midpoint.sh

@@ -8,6 +8,17 @@ function check () {
     fi
 }
 
+echo "Linking secrets"
+for filepath in /run/secrets/*; do
+  label_file=`basename $filepath`
+  if [ "$label_file" == "mp_shibboleth_sp_keys.jks" ]; then
+	if [ ! -d "/etc/pki/mp" ]; then
+		mkdir /etc/pki/mp
+	fi
+    ln -sf /run/secrets/mp_shibboleth_sp_keys.jks /etc/pki/mp/sp-shibboleth-keys.jks
+  fi
+done
+
 # These variables have reasonable defaults in Dockerfile. So we will _not_ supply defaults here.
 # The composer or user has to make sure they are well defined.
 
@@ -20,7 +31,6 @@ check REPO_PASSWORD_FILE
 check REPO_MISSING_SCHEMA_ACTION
 check REPO_UPGRADEABLE_SCHEMA_ACTION
 check MP_KEYSTORE_PASSWORD_FILE
-check SSO_HEADER
 check AJP_ENABLED
 check AJP_PORT
 
@@ -40,7 +50,6 @@ java -Xmx$MP_MEM_MAX -Xms$MP_MEM_INIT -Dfile.encoding=UTF8 \
        -Dmidpoint.logging.alt.enabled=true \
        -Dmidpoint.logging.alt.filename=/tmp/logmidpoint \
        -Dspring.profiles.active="`$MP_DIR/active-spring-profiles`" \
-       $(if [ "$AUTHENTICATION" = "shibboleth" ]; then echo "-Dauth.logout.url=$LOGOUT_URL -Dauth.sso.header=$SSO_HEADER"; fi) \
        -Dserver.tomcat.ajp.enabled=$AJP_ENABLED \
        -Dserver.tomcat.ajp.port=$AJP_PORT \
        -Dlogging.path=/tmp/logtomcat \

demo/grouper/.env

@@ -9,5 +9,4 @@ REPO_MISSING_SCHEMA_ACTION=create
 REPO_UPGRADEABLE_SCHEMA_ACTION=stop
 MP_MEM_MAX=2048m
 MP_MEM_INIT=1024m
-SSO_HEADER=uid
 TIMEZONE=UTC

demo/grouper/docker-compose.yml

@@ -208,7 +208,6 @@ services:
      - MP_MEM_MAX
      - MP_MEM_INIT
      - MP_JAVA_OPTS
-     - SSO_HEADER
      - TIER_BEACON_OPT_OUT
      - TIMEZONE
     networks:
@@ -219,6 +218,7 @@ services:
      - mp_database_password.txt
      - mp_keystore_password.txt
      - mp_host-key.pem
+     - mp_shibboleth_sp_keys.jks
     volumes:
      - midpoint_home:/opt/midpoint/var
      - type: bind
@@ -283,6 +283,8 @@ secrets:
     file: ./configs-and-secrets/midpoint/application/database_password.txt
   mp_keystore_password.txt:
     file: ./configs-and-secrets/midpoint/application/keystore_password.txt    
+  mp_shibboleth_sp_keys.jks:
+    file: ./configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks
 
 volumes:
   grouper_data:

demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml

@@ -28,153 +28,27 @@
                     <singleLogoutEnabled>true</singleLogoutEnabled>
                     <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId>
                     <keys>
-                        <active>
-                            <name>sp-signing-key-1</name>
-                            <privateKey>
-                                <t:clearValue>-----BEGIN RSA PRIVATE KEY-----
-MIIG5AIBAAKCAYEA0nU4LpCXi17b/s8CsGS4z8QXU1xAgu/tslp5wkMZgFWhaAvR
-rYpDRcwRK6yCRWZWOP+Nxu2/AiJcj/oES7zXk4Xp5JkjDFZ1AGl4putZNu3TsaIa
-B1ehei3qgyzlr1he5Yu3ylNesVUybBdT5l9Ym25Tw4iCb16wAQhAEe8NU4m10p0E
-xYkVrmdTORpW8DQWvyv78UdS9IKeUo4xpQh9OC2hL0BCdpFDV1WXf1nYoCHzsli9
-EjG9to9oqBqvZ4ZD49APyuqwHkrnCCcAMDFgz1WjRhdKk8f4W/A3cQmBRFRIRjYT
-QnHwk7HfrwRE0tfHeR+dHEKJlEORNkX1Y/qUGcPBzVZdHClUINNGcX5IiHogLUGP
-+qmSkIPeeuLu3Jx6Oh4C1WPVhkdZqt/2Kp1wtg4BaZ7IZsWXeGO/qpxech/LUrIc
-sIB0iuDVPKYui9dcpbT2kRtUt2weYvPSH4PE+zgWyKcrYBAEyfXq7wEkn/6ykLMh
-DZA09wY5GHpd6YGlAgMBAAECggGBAJJgcRkB/EU1TvHk7UveYiQvkMGr8jqfwcVA
-5FrW7I+z/zUss0NuXOfYzUCBFYJLcUDnjaaEiUtktth03jQHPjEe/NTAJf5Yy7vj
-n8UI/94SgCCWTGA69NbTxL5DpeTVI/unt8cDQWM5jH5doz8hpbFFhQEEmyP2yZeO
-M3HFwJEPwOShzUXO2MOanemjhkA/GmsQnoTsRKhHiPKGb8UHKIDAS9FfclqhIiNG
-Jr6usNp/gs3Spn5XFko5aGMzXDg2yxH9vvP3wWYR00tBiwiKkKSvrWcbeCu+wytq
-di/XWLhyu77Vp9Y9GCMD6g/kFVbbk3ewTjpmpD49hOxF6vxrxcPIAf4ES6C7iUqu
-b74T60lbialncQ7sUrrRoCKDd5kMXdgI7gV76sGGmd1Bh2ZQWAEMeSAogBo8b/9c
-5iqfvTiR4Hv2tXumfI4EHKUuzljYVHY+qn7PiIlihGjDOw/HY+J3KAKwaRO/wc5V
-bid++3Kkcd+WpTHCpWsEFhdWKkg6wQKBwQD0oqQi8+LK91No5bl3oZ7WLCnr1nAb
-RZBHePQMubmU7v2sHiliKM4w7e09y5o2IvkBqbdvDHTZqaKH2Dpqbfpa3NB1q7/l
-AfZP6hcX8IGSml2tZ5v1S3yu+y+CAfCPXaY7w4u9uF4PySdY7BjNd/oxhH00E5eB
-4tJWcDMnVDvjuKFgeJBvaoRfAvskHNdgghR/g2vLsHMDPswicEZt6jCnHon4RBgL
-hSeN9Eae3LqpSWH0GeKVYUccD+r57HCws/kCgcEA3DweWwo3IvxzHtFdfR8T6yod
-IRjyyEQjwGpE/DM/DdpVQLVg1xS+anh7JJenH/EUC363FIi/o0Lw+VVfCOwZKJQr
-9BmU/6t+iP2dUCpUAtTtCBhv4TasLT0vOWDOsgvOGCCsdKzejtN/52HLJUb9favj
-DYkfbGRHjenEnFHOmlCDYVo80OJm/GfRK4Lia6tLAqAFVPrf8kaP2Af3dsXTfVy3
-vtnILDOrNE4h6OL9knhRynsAcPkS6cq0oWOgjs4NAoHBANBBcLdspYIhoHkpL4Vf
-KierOxjQ2WjuBFBD8IawyQK3nW4b0yEEGdvfgFpd7G7vwMkgoM7BbOwrE/jPI5Od
-Aka9uhyiVF7xF62aW4R+st+J1/uZu1PLql4P6bakThTOJYi1BE5DGJgZpwx1GPw5
-id0Dq85ca1sgK+134KQ3ejB26bKFkHe41u1HTWLFxrgapLaUu3yQPqjhmcgrillh
-x39NaSjXVxzfgve+nyv4PlOE7AVwz8pZIL8L8f5GwPw8iQKBwEMVwP1kWDU9Bugd
-SEgDvnKEyoi5a8LbFrTW6hqUlaFnn05tsYjylaoi9wfHdi4BpmR1/diwaweVLYgV
-nDRAjs1QjS721+8lUw7xigjQS/Ts3SL5JqNInxvMpmTo+y068VViJoYH3mdNP4nA
-vTumqzKruCb4XO0MgstUqQIg3TkeS1bNQPcz78D08r85SDUZ4Wh0TAt9u9e17L0W
-eCfizLBEHOhyuEnWl1EAd83Tzv/dzLRL0W+YP02d5HXAvjihxQKBwDvUd8umY1DP
-E/P+F3MkQ/evFeLGSL1UH6Umh/Ohjk6xAmaeUqkllE6gFkyVktMiHLQDC+tJ1hfj
-j0VJa6tMpNr3jfUXunln8qMkDhXfdlPm8Yd0BLnuSxjsKaqz1f9XCUhXb/PHkvhf
-Ku4v3Q++uU4qOpCYys1zzdxSagLzQZQJ2juAKW7s6G9uUJJptDVUB2qfkyRiTL19
-r1V/QoxOoWlVqtZSTGpJKEDniJcouYg47faw5SMA2HhlpOChYLCjOw==
------END RSA PRIVATE KEY-----</t:clearValue>
-                            </privateKey>
-                            <passphrase>
-                                <t:clearValue>password</t:clearValue>
-                            </passphrase>
-                            <certificate>
-                                <t:clearValue>-----BEGIN CERTIFICATE-----
-MIID/TCCAmWgAwIBAgIJAJZqOL69C6nRMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV
-BAMTEnNwdGVzdC5leGFtcGxlLmVkdTAeFw0xODEyMjAyMjM4NDhaFw0yODEyMTcy
-MjM4NDhaMB0xGzAZBgNVBAMTEnNwdGVzdC5leGFtcGxlLmVkdTCCAaIwDQYJKoZI
-hvcNAQEBBQADggGPADCCAYoCggGBANJ1OC6Ql4te2/7PArBkuM/EF1NcQILv7bJa
-ecJDGYBVoWgL0a2KQ0XMESusgkVmVjj/jcbtvwIiXI/6BEu815OF6eSZIwxWdQBp
-eKbrWTbt07GiGgdXoXot6oMs5a9YXuWLt8pTXrFVMmwXU+ZfWJtuU8OIgm9esAEI
-QBHvDVOJtdKdBMWJFa5nUzkaVvA0Fr8r+/FHUvSCnlKOMaUIfTgtoS9AQnaRQ1dV
-l39Z2KAh87JYvRIxvbaPaKgar2eGQ+PQD8rqsB5K5wgnADAxYM9Vo0YXSpPH+Fvw
-N3EJgURUSEY2E0Jx8JOx368ERNLXx3kfnRxCiZRDkTZF9WP6lBnDwc1WXRwpVCDT
-RnF+SIh6IC1Bj/qpkpCD3nri7tycejoeAtVj1YZHWarf9iqdcLYOAWmeyGbFl3hj
-v6qcXnIfy1KyHLCAdIrg1TymLovXXKW09pEbVLdsHmLz0h+DxPs4FsinK2AQBMn1
-6u8BJJ/+spCzIQ2QNPcGORh6XemBpQIDAQABo0AwPjAdBgNVHREEFjAUghJzcHRl
-c3QuZXhhbXBsZS5lZHUwHQYDVR0OBBYEFPC8rkASWHQxrtCQ4wwtnsJRy6K5MA0G
-CSqGSIb3DQEBCwUAA4IBgQCks2nY7YzdIKV02NHD9STWD3yPtEwPYZZ3NBno0WW2
-0rS6cU+fxFx37nY8ULve4cFQkLR8fOO44e1qIuTgLGCauSGTx/Ts/tbmZXbpGTwV
-7cjZDCfC7yEFAVrfQFOMNKeQEssuLFj+d4STGLorxsM+2YygdOgohJz0e3xOcmCN
-HqEuC9RbzrnLc/A4/mOHKwnwCCg71zA1/Ew9NUoRm2n8IfaONIUaMg9opNiHxX4e
-u3UFaaPmn/mInuWYYMXzbIbdlU/XhKvXrujWYWj7anTDWvGQmNEecsQH92SrO0pf
-+9WwcWUQTQiWUdq8/OxjXfzs1PrQnSlp0eizgcdKHDKbCUaSuK1i2wdxfEsu5sbZ
-AIW0+dXJ2IyzM+0sv2g4DOsXsnSvinGqjr82A54mXGSr7edhPdlQhILFkJfhTwLq
-+mjnyQSNe3s24VNeGc76jbHIrkEWuA460QGqz1Fa2CsQo5SH1IkxNIKpBZWt+w2L
-dAza/NzYyDruY5IJCrZa9Qw=
------END CERTIFICATE-----</t:clearValue>
-                            </certificate>
-                        </active>
-                        <standBy>
-                            <name>sp-encrypt-key-1</name>
-                            <privateKey>
-                                <t:clearValue>-----BEGIN RSA PRIVATE KEY-----
-MIIG5AIBAAKCAYEA6OY9IHNGyNs8EEDqNhVb5C2xgzl+8i40SsZUNG8ofIJM1uZ0
-VnfuoSX9/Cyt0XiGfhXt8BnqNbpHVowYWXW9DInbz0HyXkc4+N8a4HaAv0jG6U6a
-uRhU3yd+COVsU02S0xAnw2mtgTKXejvzrEILHHcCIDkyB2/jTQvq+WYR80cjCw4c
-BRM1HILAxL0/qMEnkgjEPQx5/7ehSMC9Ww9m7bgQmfNNRqxmcjQXxoL9jNVvE5sE
-1zKa0DYil5z+At7UHT14NlR25c8v9qzntBa+AmtaPxsIr4t2PQ8w9K9bOvgGc3nx
-3FpiAKBEfu2eFm50+8KMFqRDOTGj+eOxEgq2beU31SZRiJduX55u7QNJAVRoV87a
-E45RM0Cv9C4L4ZAv5TtUB3JtNs/4pwfkts1RKpiTFLCFsXPlrKajkqmmdgH0rmLJ
-JFa8YiGfBcc2/nIWuZRt63YE8mUzO/s1p49pnvrKmhvM2OM0FuBo0QKxDVkP197Z
-DxQF7SbaBA/li7HlAgMBAAECggGATN3ggttJG3WwJzUll+AIyhCCq+rICSpSu/Ml
-S4D8fcuLjMnWz8sZiTo+z4H3hFEhInAebcY/1Ke8b8YhKzV+xaqiT49WbONY3FrW
-RgsWhwuACvSUgE6VhGlGYa1GyV+q+9ozJX21dBS8he1PiSTrAeQNYZE+/9Ff1cf/
-L30Oo5pw6G8ptEsYlmZZNRW48vt9EeeuzO9XPJzgsGBcnrdAo2jCoez5LkAsN7kV
-t8D36glvdasON/BNxDZ5yExaUZw1CImSFyUo90qnMf1u0OsXovsveVOLZLE9/0kO
-4VV6fgYX8o13Sv5NLzc8WX1pPZwg/Iex3okLizxDc65TsLlrSPoCwyHRaZV1Cfv6
-Yit6JHbLXRyXFnDVHpVvMq+yUqb9SGtijIByNheFFXE2C2a3r88XeWtHKbxVu75r
-3cNrxawm+SbFbJqgbuTi3mlRgyGyANki3yaqtdn4tq8ZNvFbcF14Ggk7bUjPvFWO
-3ZU/5jwql90sdnjOxD7ekVR7q4uBAoHBAPt6ulYbetGFzWsO5uARSEp7VZuGdoBh
-TbMC5a4D0RzmnGkFTCoaardx5jSgE9TA/2uQutB5FIzAfeZtpxOJNSGnXvBM1D1w
-9RbxWxPf/onzcdjqwvKSqxJkYk5gmKHpeObqF7JLDRicp37kadk6QFUma12iGxim
-YjCWb9EGQIpVQbq2Z2cldIykGJEhTBTretDwySRKmcxtNXbwycbCGEFEbYzbHDtE
-dp3JaC15u6rtf33D+wgGsFoBWMnq9lhHVQKBwQDtFgIcQrxaHr9+PFn995UIvXOs
-O1jf1hJITTieaeDyrCaYUmW7dm4wrUXUZr2oUl3ohqwz7msaFmkKnF6a3Lt53RWA
-XCtsWaSJf5n9MK9UExBwpEV838UYwjJsvsk3ik+C9fMSoIOqSZ/sAt4cLL9gUD5K
-fjTyYQ9m5lVFqK6l6uX4gVdm+5U4NKtRx12LcZNtm8O8bbLRRDRk6mttisA+Vnep
-4/Q2pi8yoVITnXCe8hlbvbHu2HBhoaYOe5rooFECgcEA+X3h/emXaOVBTfRj02rx
-+Irx/LFjQazHhFDcg07gGLcl9/88eAzrUQIcLJuf8RRkk1fsL0XgwF98yK6C8pvO
-bYv6YZcnfaliTpe3DznL8xrmGRmXvUcLl9yltzKYWxIhU55tUgKphIBuoDKGXPAw
-wQmzvRpFnaf8hE3Ls2lrgJJi+pVacvey8JEgmmOZcqvIliA8vdeRTEIQp+btmFYZ
-8C6uLO94y8f5kkMuKue56zNip+hWVbklHrZ1WyXTrvNdAoHATQs22loxfRO65NnV
-4LsA+lseaNzMT8jwHgDCInCDwjiBPkSgfJ/KxRS5uYE9pqJFlBeXhDS5JzwbHHCe
-KbMLVVmr8A+DqO0kk+4ca3PTtf2P/RrU3fSVxyrsWfxRxTO0DPnB6M6ymrbcOkTg
-SsWb1z+cTnbe29kAuU6mbUGYp6BC5VOaxIODBUXQWn3v/y2EXD0fCW+YiXqhkB3B
-lVJekKNmtZW3Ob8dXVWhJ3ClNXG1HePyG4zIUGHIZbJzL59RAoHBAMcE/1Ly8IWH
-hSulB0cCf89XihgAvEdgfbZZoHXWcU/d6m1auJWVysN6LKnYvqYFr75oPWiva/3T
-tRPd0tdZrJ6EyPlvcU6/sucvXTf4ceXXkDFCvt8KC6IOi7BoihNiGpgjUARZIHeF
-b4V4BvtqUz2CfZ8rhAPp2vrXxOm0mn6CfCkE9a5kRUGEW6AWP8carbJejYfOCSu5
-AsNuzTXYbLMrooqX2vDSzOJvsngOp/6M/MSpeTysDq75Ngx/hcGgIA==
------END RSA PRIVATE KEY-----</t:clearValue>
-                            </privateKey>
-                            <passphrase>
-                                <t:clearValue>password</t:clearValue>
-                            </passphrase>
-                            <certificate>
-                                <t:clearValue>-----BEGIN CERTIFICATE-----
-MIID/TCCAmWgAwIBAgIJAINng1bI63LGMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV
-BAMTEnNwdGVzdC5leGFtcGxlLmVkdTAeFw0xODEyMjAyMjM4MDJaFw0yODEyMTcy
-MjM4MDJaMB0xGzAZBgNVBAMTEnNwdGVzdC5leGFtcGxlLmVkdTCCAaIwDQYJKoZI
-hvcNAQEBBQADggGPADCCAYoCggGBAOjmPSBzRsjbPBBA6jYVW+QtsYM5fvIuNErG
-VDRvKHyCTNbmdFZ37qEl/fwsrdF4hn4V7fAZ6jW6R1aMGFl1vQyJ289B8l5HOPjf
-GuB2gL9IxulOmrkYVN8nfgjlbFNNktMQJ8NprYEyl3o786xCCxx3AiA5Mgdv400L
-6vlmEfNHIwsOHAUTNRyCwMS9P6jBJ5IIxD0Mef+3oUjAvVsPZu24EJnzTUasZnI0
-F8aC/YzVbxObBNcymtA2Ipec/gLe1B09eDZUduXPL/as57QWvgJrWj8bCK+Ldj0P
-MPSvWzr4BnN58dxaYgCgRH7tnhZudPvCjBakQzkxo/njsRIKtm3lN9UmUYiXbl+e
-bu0DSQFUaFfO2hOOUTNAr/QuC+GQL+U7VAdybTbP+KcH5LbNUSqYkxSwhbFz5aym
-o5KppnYB9K5iySRWvGIhnwXHNv5yFrmUbet2BPJlMzv7NaePaZ76ypobzNjjNBbg
-aNECsQ1ZD9fe2Q8UBe0m2gQP5Yux5QIDAQABo0AwPjAdBgNVHREEFjAUghJzcHRl
-c3QuZXhhbXBsZS5lZHUwHQYDVR0OBBYEFGcLIl5kg+GFIh9HXeZyLzsv5e7qMA0G
-CSqGSIb3DQEBCwUAA4IBgQAf8/iZXUWtWGMBw2OfonDDWbuhgLnNWddpllcVx7v/
-Yu75+wgfIdNXg6XM4WkGkpbhlkpDLRt2c6rMQpxrQtq/5G3OKEXKyjUOl5pZsYkG
-asVENYPSCfuu3rlK85XaW3H1SSJqSax/UKcYXyB1TIW6mNy3OxuvHak6y4LzFnug
-CO7p/W2jvffwmxfqjbO7wQfXUQz3SZS04sHMqQoStOwy2N5xxQ3uTF34EoXBto+n
-XIEOptKPhV2NkEzj+UUIi1588dck8T0SstbSElbTnJ4sNZFriX6JOPFNW08fezot
-izerOHuAFpFQvtugWoZT87YYaFwG+Zr5QNa4fNOcAL+FHvbOfEqIGs+H6GSf0dZV
-lkcJyzWZvuK/4RGqWbLvfAYRm0PAGTQSLdO8QJSYWdJtJvZFEMgddQ2HoIzeO5wo
-B42FKDSHottI9avilApQBdRCtust8XRPtEAzDB/t/1jbO7u2tkzgY3614mX5xgut
-Ileaae5eVCjw4uYbkh+Mt5M=
------END CERTIFICATE-----</t:clearValue>
-                            </certificate>
-                            <type>encryption</type>
-                        </standBy>
+                        <activeKeyStoreKey>
+    				<keyStorePath>/etc/pki/mp/sp-shibboleth-keys.jks</keyStorePath>
+    				<keyStorePassword>
+        				<t:clearValue>changeit</t:clearValue>
+    				</keyStorePassword>
+    				<keyAlias>signing-key</keyAlias>
+    				<keyPassword>
+        				<t:clearValue>password</t:clearValue>
+    				</keyPassword>
+			</activeKeyStoreKey>
+                        <standByKeyStoreKey>
+    				<keyStorePath>/etc/pki/mp/sp-shibboleth-keys.jks</keyStorePath>
+    				<keyStorePassword>
+        				<t:clearValue>changeit</t:clearValue>
+    				</keyStorePassword>
+    				<keyAlias>encrypt-key</keyAlias>
+    				<keyPassword>
+        				<t:clearValue>password</t:clearValue>
+    				</keyPassword>
+				<type>encryption</type>
+			</standByKeyStoreKey>
                     </keys>
                     <provider>
                         <entityId>https://idptestbed/idp/shibboleth</entityId>
@@ -256,6 +130,8 @@ Ileaae5eVCjw4uYbkh+Mt5M=
                 <necessity>sufficient</necessity>
             </module>
         </sequence>
+	<ignoredLocalPath>/actuator</ignoredLocalPath>
+    	<ignoredLocalPath>/actuator/health</ignoredLocalPath>
     </authentication>
     <credentials>
         <password>

demo/shibboleth/docker-compose-tests.yml

@@ -45,17 +45,18 @@ services:
      - mp_database_password.txt
      - mp_keystore_password.txt
      - mp_host-key.pem
+     - mp_shibboleth_sp_keys.jks
     volumes:
      - midpoint_home:/opt/midpoint/var
+     - type: bind
+       source: ./configs-and-secrets/midpoint/shibboleth/idp-metadata.xml
+       target: /etc/shibboleth/idp-metadata.xml
      - type: bind
        source: ./configs-and-secrets/midpoint/httpd/host-cert.pem
        target: /etc/pki/tls/certs/host-cert.pem
      - type: bind
        source: ./configs-and-secrets/midpoint/httpd/host-cert.pem
        target: /etc/pki/tls/certs/cachain.pem
-     - type: bind
-       source: ./configs-and-secrets/midpoint/shibboleth/idp-metadata.xml
-       target: /etc/shibboleth/idp-metadata.xml
 
   directory:
     build: ./directory/
@@ -89,7 +90,9 @@ secrets:
   mp_database_password.txt:
     file: ./configs-and-secrets/midpoint/application/database_password.txt
   mp_keystore_password.txt:
-    file: ./configs-and-secrets/midpoint/application/keystore_password.txt 
+    file: ./configs-and-secrets/midpoint/application/keystore_password.txt
+  mp_shibboleth_sp_keys.jks:
+    file: ./configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks
 
 volumes:
   midpoint_mysql:

demo/shibboleth/docker-compose.yml

@@ -42,17 +42,18 @@ services:
      - mp_database_password.txt
      - mp_keystore_password.txt
      - mp_host-key.pem
+     - mp_shibboleth_sp_keys.jks
     volumes:
      - midpoint_home:/opt/midpoint/var
+     - type: bind
+       source: ./configs-and-secrets/midpoint/shibboleth/idp-metadata.xml
+       target: /etc/shibboleth/idp-metadata.xml
      - type: bind
        source: ./configs-and-secrets/midpoint/httpd/host-cert.pem
        target: /etc/pki/tls/certs/host-cert.pem
      - type: bind
        source: ./configs-and-secrets/midpoint/httpd/host-cert.pem
        target: /etc/pki/tls/certs/cachain.pem
-     - type: bind
-       source: ./configs-and-secrets/midpoint/shibboleth/idp-metadata.xml
-       target: /etc/shibboleth/idp-metadata.xml
 
   directory:
     build: ./directory/
@@ -86,7 +87,9 @@ secrets:
   mp_database_password.txt:
     file: ./configs-and-secrets/midpoint/application/database_password.txt
   mp_keystore_password.txt:
-    file: ./configs-and-secrets/midpoint/application/keystore_password.txt 
+    file: ./configs-and-secrets/midpoint/application/keystore_password.txt
+  mp_shibboleth_sp_keys.jks:
+    file: ./configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks
 
 volumes:
   midpoint_mysql:

demo/shibboleth/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml

@@ -28,153 +28,27 @@
                     <singleLogoutEnabled>true</singleLogoutEnabled>
                     <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId>
                     <keys>
-                        <active>
-                            <name>sp-signing-key-1</name>
-                            <privateKey>
-                                <t:clearValue>-----BEGIN RSA PRIVATE KEY-----
-MIIG5AIBAAKCAYEA0nU4LpCXi17b/s8CsGS4z8QXU1xAgu/tslp5wkMZgFWhaAvR
-rYpDRcwRK6yCRWZWOP+Nxu2/AiJcj/oES7zXk4Xp5JkjDFZ1AGl4putZNu3TsaIa
-B1ehei3qgyzlr1he5Yu3ylNesVUybBdT5l9Ym25Tw4iCb16wAQhAEe8NU4m10p0E
-xYkVrmdTORpW8DQWvyv78UdS9IKeUo4xpQh9OC2hL0BCdpFDV1WXf1nYoCHzsli9
-EjG9to9oqBqvZ4ZD49APyuqwHkrnCCcAMDFgz1WjRhdKk8f4W/A3cQmBRFRIRjYT
-QnHwk7HfrwRE0tfHeR+dHEKJlEORNkX1Y/qUGcPBzVZdHClUINNGcX5IiHogLUGP
-+qmSkIPeeuLu3Jx6Oh4C1WPVhkdZqt/2Kp1wtg4BaZ7IZsWXeGO/qpxech/LUrIc
-sIB0iuDVPKYui9dcpbT2kRtUt2weYvPSH4PE+zgWyKcrYBAEyfXq7wEkn/6ykLMh
-DZA09wY5GHpd6YGlAgMBAAECggGBAJJgcRkB/EU1TvHk7UveYiQvkMGr8jqfwcVA
-5FrW7I+z/zUss0NuXOfYzUCBFYJLcUDnjaaEiUtktth03jQHPjEe/NTAJf5Yy7vj
-n8UI/94SgCCWTGA69NbTxL5DpeTVI/unt8cDQWM5jH5doz8hpbFFhQEEmyP2yZeO
-M3HFwJEPwOShzUXO2MOanemjhkA/GmsQnoTsRKhHiPKGb8UHKIDAS9FfclqhIiNG
-Jr6usNp/gs3Spn5XFko5aGMzXDg2yxH9vvP3wWYR00tBiwiKkKSvrWcbeCu+wytq
-di/XWLhyu77Vp9Y9GCMD6g/kFVbbk3ewTjpmpD49hOxF6vxrxcPIAf4ES6C7iUqu
-b74T60lbialncQ7sUrrRoCKDd5kMXdgI7gV76sGGmd1Bh2ZQWAEMeSAogBo8b/9c
-5iqfvTiR4Hv2tXumfI4EHKUuzljYVHY+qn7PiIlihGjDOw/HY+J3KAKwaRO/wc5V
-bid++3Kkcd+WpTHCpWsEFhdWKkg6wQKBwQD0oqQi8+LK91No5bl3oZ7WLCnr1nAb
-RZBHePQMubmU7v2sHiliKM4w7e09y5o2IvkBqbdvDHTZqaKH2Dpqbfpa3NB1q7/l
-AfZP6hcX8IGSml2tZ5v1S3yu+y+CAfCPXaY7w4u9uF4PySdY7BjNd/oxhH00E5eB
-4tJWcDMnVDvjuKFgeJBvaoRfAvskHNdgghR/g2vLsHMDPswicEZt6jCnHon4RBgL
-hSeN9Eae3LqpSWH0GeKVYUccD+r57HCws/kCgcEA3DweWwo3IvxzHtFdfR8T6yod
-IRjyyEQjwGpE/DM/DdpVQLVg1xS+anh7JJenH/EUC363FIi/o0Lw+VVfCOwZKJQr
-9BmU/6t+iP2dUCpUAtTtCBhv4TasLT0vOWDOsgvOGCCsdKzejtN/52HLJUb9favj
-DYkfbGRHjenEnFHOmlCDYVo80OJm/GfRK4Lia6tLAqAFVPrf8kaP2Af3dsXTfVy3
-vtnILDOrNE4h6OL9knhRynsAcPkS6cq0oWOgjs4NAoHBANBBcLdspYIhoHkpL4Vf
-KierOxjQ2WjuBFBD8IawyQK3nW4b0yEEGdvfgFpd7G7vwMkgoM7BbOwrE/jPI5Od
-Aka9uhyiVF7xF62aW4R+st+J1/uZu1PLql4P6bakThTOJYi1BE5DGJgZpwx1GPw5
-id0Dq85ca1sgK+134KQ3ejB26bKFkHe41u1HTWLFxrgapLaUu3yQPqjhmcgrillh
-x39NaSjXVxzfgve+nyv4PlOE7AVwz8pZIL8L8f5GwPw8iQKBwEMVwP1kWDU9Bugd
-SEgDvnKEyoi5a8LbFrTW6hqUlaFnn05tsYjylaoi9wfHdi4BpmR1/diwaweVLYgV
-nDRAjs1QjS721+8lUw7xigjQS/Ts3SL5JqNInxvMpmTo+y068VViJoYH3mdNP4nA
-vTumqzKruCb4XO0MgstUqQIg3TkeS1bNQPcz78D08r85SDUZ4Wh0TAt9u9e17L0W
-eCfizLBEHOhyuEnWl1EAd83Tzv/dzLRL0W+YP02d5HXAvjihxQKBwDvUd8umY1DP
-E/P+F3MkQ/evFeLGSL1UH6Umh/Ohjk6xAmaeUqkllE6gFkyVktMiHLQDC+tJ1hfj
-j0VJa6tMpNr3jfUXunln8qMkDhXfdlPm8Yd0BLnuSxjsKaqz1f9XCUhXb/PHkvhf
-Ku4v3Q++uU4qOpCYys1zzdxSagLzQZQJ2juAKW7s6G9uUJJptDVUB2qfkyRiTL19
-r1V/QoxOoWlVqtZSTGpJKEDniJcouYg47faw5SMA2HhlpOChYLCjOw==
------END RSA PRIVATE KEY-----</t:clearValue>
-                            </privateKey>
-                            <passphrase>
-                                <t:clearValue>password</t:clearValue>
-                            </passphrase>
-                            <certificate>
-                                <t:clearValue>-----BEGIN CERTIFICATE-----
-MIID/TCCAmWgAwIBAgIJAJZqOL69C6nRMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV
-BAMTEnNwdGVzdC5leGFtcGxlLmVkdTAeFw0xODEyMjAyMjM4NDhaFw0yODEyMTcy
-MjM4NDhaMB0xGzAZBgNVBAMTEnNwdGVzdC5leGFtcGxlLmVkdTCCAaIwDQYJKoZI
-hvcNAQEBBQADggGPADCCAYoCggGBANJ1OC6Ql4te2/7PArBkuM/EF1NcQILv7bJa
-ecJDGYBVoWgL0a2KQ0XMESusgkVmVjj/jcbtvwIiXI/6BEu815OF6eSZIwxWdQBp
-eKbrWTbt07GiGgdXoXot6oMs5a9YXuWLt8pTXrFVMmwXU+ZfWJtuU8OIgm9esAEI
-QBHvDVOJtdKdBMWJFa5nUzkaVvA0Fr8r+/FHUvSCnlKOMaUIfTgtoS9AQnaRQ1dV
-l39Z2KAh87JYvRIxvbaPaKgar2eGQ+PQD8rqsB5K5wgnADAxYM9Vo0YXSpPH+Fvw
-N3EJgURUSEY2E0Jx8JOx368ERNLXx3kfnRxCiZRDkTZF9WP6lBnDwc1WXRwpVCDT
-RnF+SIh6IC1Bj/qpkpCD3nri7tycejoeAtVj1YZHWarf9iqdcLYOAWmeyGbFl3hj
-v6qcXnIfy1KyHLCAdIrg1TymLovXXKW09pEbVLdsHmLz0h+DxPs4FsinK2AQBMn1
-6u8BJJ/+spCzIQ2QNPcGORh6XemBpQIDAQABo0AwPjAdBgNVHREEFjAUghJzcHRl
-c3QuZXhhbXBsZS5lZHUwHQYDVR0OBBYEFPC8rkASWHQxrtCQ4wwtnsJRy6K5MA0G
-CSqGSIb3DQEBCwUAA4IBgQCks2nY7YzdIKV02NHD9STWD3yPtEwPYZZ3NBno0WW2
-0rS6cU+fxFx37nY8ULve4cFQkLR8fOO44e1qIuTgLGCauSGTx/Ts/tbmZXbpGTwV
-7cjZDCfC7yEFAVrfQFOMNKeQEssuLFj+d4STGLorxsM+2YygdOgohJz0e3xOcmCN
-HqEuC9RbzrnLc/A4/mOHKwnwCCg71zA1/Ew9NUoRm2n8IfaONIUaMg9opNiHxX4e
-u3UFaaPmn/mInuWYYMXzbIbdlU/XhKvXrujWYWj7anTDWvGQmNEecsQH92SrO0pf
-+9WwcWUQTQiWUdq8/OxjXfzs1PrQnSlp0eizgcdKHDKbCUaSuK1i2wdxfEsu5sbZ
-AIW0+dXJ2IyzM+0sv2g4DOsXsnSvinGqjr82A54mXGSr7edhPdlQhILFkJfhTwLq
-+mjnyQSNe3s24VNeGc76jbHIrkEWuA460QGqz1Fa2CsQo5SH1IkxNIKpBZWt+w2L
-dAza/NzYyDruY5IJCrZa9Qw=
------END CERTIFICATE-----</t:clearValue>
-                            </certificate>
-                        </active>
-                        <standBy>
-                            <name>sp-encrypt-key-1</name>
-                            <privateKey>
-                                <t:clearValue>-----BEGIN RSA PRIVATE KEY-----
-MIIG5AIBAAKCAYEA6OY9IHNGyNs8EEDqNhVb5C2xgzl+8i40SsZUNG8ofIJM1uZ0
-VnfuoSX9/Cyt0XiGfhXt8BnqNbpHVowYWXW9DInbz0HyXkc4+N8a4HaAv0jG6U6a
-uRhU3yd+COVsU02S0xAnw2mtgTKXejvzrEILHHcCIDkyB2/jTQvq+WYR80cjCw4c
-BRM1HILAxL0/qMEnkgjEPQx5/7ehSMC9Ww9m7bgQmfNNRqxmcjQXxoL9jNVvE5sE
-1zKa0DYil5z+At7UHT14NlR25c8v9qzntBa+AmtaPxsIr4t2PQ8w9K9bOvgGc3nx
-3FpiAKBEfu2eFm50+8KMFqRDOTGj+eOxEgq2beU31SZRiJduX55u7QNJAVRoV87a
-E45RM0Cv9C4L4ZAv5TtUB3JtNs/4pwfkts1RKpiTFLCFsXPlrKajkqmmdgH0rmLJ
-JFa8YiGfBcc2/nIWuZRt63YE8mUzO/s1p49pnvrKmhvM2OM0FuBo0QKxDVkP197Z
-DxQF7SbaBA/li7HlAgMBAAECggGATN3ggttJG3WwJzUll+AIyhCCq+rICSpSu/Ml
-S4D8fcuLjMnWz8sZiTo+z4H3hFEhInAebcY/1Ke8b8YhKzV+xaqiT49WbONY3FrW
-RgsWhwuACvSUgE6VhGlGYa1GyV+q+9ozJX21dBS8he1PiSTrAeQNYZE+/9Ff1cf/
-L30Oo5pw6G8ptEsYlmZZNRW48vt9EeeuzO9XPJzgsGBcnrdAo2jCoez5LkAsN7kV
-t8D36glvdasON/BNxDZ5yExaUZw1CImSFyUo90qnMf1u0OsXovsveVOLZLE9/0kO
-4VV6fgYX8o13Sv5NLzc8WX1pPZwg/Iex3okLizxDc65TsLlrSPoCwyHRaZV1Cfv6
-Yit6JHbLXRyXFnDVHpVvMq+yUqb9SGtijIByNheFFXE2C2a3r88XeWtHKbxVu75r
-3cNrxawm+SbFbJqgbuTi3mlRgyGyANki3yaqtdn4tq8ZNvFbcF14Ggk7bUjPvFWO
-3ZU/5jwql90sdnjOxD7ekVR7q4uBAoHBAPt6ulYbetGFzWsO5uARSEp7VZuGdoBh
-TbMC5a4D0RzmnGkFTCoaardx5jSgE9TA/2uQutB5FIzAfeZtpxOJNSGnXvBM1D1w
-9RbxWxPf/onzcdjqwvKSqxJkYk5gmKHpeObqF7JLDRicp37kadk6QFUma12iGxim
-YjCWb9EGQIpVQbq2Z2cldIykGJEhTBTretDwySRKmcxtNXbwycbCGEFEbYzbHDtE
-dp3JaC15u6rtf33D+wgGsFoBWMnq9lhHVQKBwQDtFgIcQrxaHr9+PFn995UIvXOs
-O1jf1hJITTieaeDyrCaYUmW7dm4wrUXUZr2oUl3ohqwz7msaFmkKnF6a3Lt53RWA
-XCtsWaSJf5n9MK9UExBwpEV838UYwjJsvsk3ik+C9fMSoIOqSZ/sAt4cLL9gUD5K
-fjTyYQ9m5lVFqK6l6uX4gVdm+5U4NKtRx12LcZNtm8O8bbLRRDRk6mttisA+Vnep
-4/Q2pi8yoVITnXCe8hlbvbHu2HBhoaYOe5rooFECgcEA+X3h/emXaOVBTfRj02rx
-+Irx/LFjQazHhFDcg07gGLcl9/88eAzrUQIcLJuf8RRkk1fsL0XgwF98yK6C8pvO
-bYv6YZcnfaliTpe3DznL8xrmGRmXvUcLl9yltzKYWxIhU55tUgKphIBuoDKGXPAw
-wQmzvRpFnaf8hE3Ls2lrgJJi+pVacvey8JEgmmOZcqvIliA8vdeRTEIQp+btmFYZ
-8C6uLO94y8f5kkMuKue56zNip+hWVbklHrZ1WyXTrvNdAoHATQs22loxfRO65NnV
-4LsA+lseaNzMT8jwHgDCInCDwjiBPkSgfJ/KxRS5uYE9pqJFlBeXhDS5JzwbHHCe
-KbMLVVmr8A+DqO0kk+4ca3PTtf2P/RrU3fSVxyrsWfxRxTO0DPnB6M6ymrbcOkTg
-SsWb1z+cTnbe29kAuU6mbUGYp6BC5VOaxIODBUXQWn3v/y2EXD0fCW+YiXqhkB3B
-lVJekKNmtZW3Ob8dXVWhJ3ClNXG1HePyG4zIUGHIZbJzL59RAoHBAMcE/1Ly8IWH
-hSulB0cCf89XihgAvEdgfbZZoHXWcU/d6m1auJWVysN6LKnYvqYFr75oPWiva/3T
-tRPd0tdZrJ6EyPlvcU6/sucvXTf4ceXXkDFCvt8KC6IOi7BoihNiGpgjUARZIHeF
-b4V4BvtqUz2CfZ8rhAPp2vrXxOm0mn6CfCkE9a5kRUGEW6AWP8carbJejYfOCSu5
-AsNuzTXYbLMrooqX2vDSzOJvsngOp/6M/MSpeTysDq75Ngx/hcGgIA==
------END RSA PRIVATE KEY-----</t:clearValue>
-                            </privateKey>
-                            <passphrase>
-                                <t:clearValue>password</t:clearValue>
-                            </passphrase>
-                            <certificate>
-                                <t:clearValue>-----BEGIN CERTIFICATE-----
-MIID/TCCAmWgAwIBAgIJAINng1bI63LGMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV
-BAMTEnNwdGVzdC5leGFtcGxlLmVkdTAeFw0xODEyMjAyMjM4MDJaFw0yODEyMTcy
-MjM4MDJaMB0xGzAZBgNVBAMTEnNwdGVzdC5leGFtcGxlLmVkdTCCAaIwDQYJKoZI
-hvcNAQEBBQADggGPADCCAYoCggGBAOjmPSBzRsjbPBBA6jYVW+QtsYM5fvIuNErG
-VDRvKHyCTNbmdFZ37qEl/fwsrdF4hn4V7fAZ6jW6R1aMGFl1vQyJ289B8l5HOPjf
-GuB2gL9IxulOmrkYVN8nfgjlbFNNktMQJ8NprYEyl3o786xCCxx3AiA5Mgdv400L
-6vlmEfNHIwsOHAUTNRyCwMS9P6jBJ5IIxD0Mef+3oUjAvVsPZu24EJnzTUasZnI0
-F8aC/YzVbxObBNcymtA2Ipec/gLe1B09eDZUduXPL/as57QWvgJrWj8bCK+Ldj0P
-MPSvWzr4BnN58dxaYgCgRH7tnhZudPvCjBakQzkxo/njsRIKtm3lN9UmUYiXbl+e
-bu0DSQFUaFfO2hOOUTNAr/QuC+GQL+U7VAdybTbP+KcH5LbNUSqYkxSwhbFz5aym
-o5KppnYB9K5iySRWvGIhnwXHNv5yFrmUbet2BPJlMzv7NaePaZ76ypobzNjjNBbg
-aNECsQ1ZD9fe2Q8UBe0m2gQP5Yux5QIDAQABo0AwPjAdBgNVHREEFjAUghJzcHRl
-c3QuZXhhbXBsZS5lZHUwHQYDVR0OBBYEFGcLIl5kg+GFIh9HXeZyLzsv5e7qMA0G
-CSqGSIb3DQEBCwUAA4IBgQAf8/iZXUWtWGMBw2OfonDDWbuhgLnNWddpllcVx7v/
-Yu75+wgfIdNXg6XM4WkGkpbhlkpDLRt2c6rMQpxrQtq/5G3OKEXKyjUOl5pZsYkG
-asVENYPSCfuu3rlK85XaW3H1SSJqSax/UKcYXyB1TIW6mNy3OxuvHak6y4LzFnug
-CO7p/W2jvffwmxfqjbO7wQfXUQz3SZS04sHMqQoStOwy2N5xxQ3uTF34EoXBto+n
-XIEOptKPhV2NkEzj+UUIi1588dck8T0SstbSElbTnJ4sNZFriX6JOPFNW08fezot
-izerOHuAFpFQvtugWoZT87YYaFwG+Zr5QNa4fNOcAL+FHvbOfEqIGs+H6GSf0dZV
-lkcJyzWZvuK/4RGqWbLvfAYRm0PAGTQSLdO8QJSYWdJtJvZFEMgddQ2HoIzeO5wo
-B42FKDSHottI9avilApQBdRCtust8XRPtEAzDB/t/1jbO7u2tkzgY3614mX5xgut
-Ileaae5eVCjw4uYbkh+Mt5M=
------END CERTIFICATE-----</t:clearValue>
-                            </certificate>
-                            <type>encryption</type>
-                        </standBy>
+			<activeKeyStoreKey>
+    				<keyStorePath>/etc/pki/mp/sp-shibboleth-keys.jks</keyStorePath>
+    				<keyStorePassword>
+        				<t:clearValue>changeit</t:clearValue>
+    				</keyStorePassword>
+    				<keyAlias>signing-key</keyAlias>
+    				<keyPassword>
+        				<t:clearValue>password</t:clearValue>
+    				</keyPassword>
+			</activeKeyStoreKey>
+                        <standByKeyStoreKey>
+    				<keyStorePath>/etc/pki/mp/sp-shibboleth-keys.jks</keyStorePath>
+    				<keyStorePassword>
+        				<t:clearValue>changeit</t:clearValue>
+    				</keyStorePassword>
+    				<keyAlias>encrypt-key</keyAlias>
+    				<keyPassword>
+        				<t:clearValue>password</t:clearValue>
+    				</keyPassword>
+				<type>encryption</type>
+			</standByKeyStoreKey>
                     </keys>
                     <provider>
                         <entityId>https://idptestbed/idp/shibboleth</entityId>
@@ -256,6 +130,8 @@ Ileaae5eVCjw4uYbkh+Mt5M=
                 <necessity>sufficient</necessity>
             </module>
         </sequence>
+	<ignoredLocalPath>/actuator</ignoredLocalPath>
+    	<ignoredLocalPath>/actuator/health</ignoredLocalPath>
     </authentication>
     <credentials>
         <password>