Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
initial 3.4 config
@pcaskey
pcaskey committed Oct 10, 2018
1 parent 6e759ac commit 0621453
Showing 79 changed files with 521,206 additions and 0 deletions.
68 changes: 68 additions & 0 deletions conf/access-control.xml
View file
@@ -0,0 +1,68 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!--
Map of access control policies used to limit access to administrative functions.
The purpose of the map is to label policies with a key/name so they can be reused.
-->

<!--
Use the "shibboleth.IPRangeAccessControl" parent bean for IP-based access control.
The ranges provided MUST be CIDR network expressions. To specify a single address,
add "/32" or "/128" for IPv4 or IPv6 respectively.
The additional examples below demonstrate how to control access by username
and by attribute(s), in the case of authenticated access to admin functions.
-->

<util:map id="shibboleth.AccessControlPolicies">

<entry key="AccessByIPAddress">
<bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.17.0.0/24', '172.18.0.0/24', '10.255.0.0/16'} }" />
</entry>

<!--
<entry key="AccessByUser">
<bean parent="shibboleth.PredicateAccessControl">
<constructor-arg>
<bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
</constructor-arg>
</bean>
</entry>
-->

<!--
<entry key="AccessByAttribute">
<bean parent="shibboleth.PredicateAccessControl">
<constructor-arg>
<bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
<property name="attributeValueMap">
<map>
<entry key="eduPersonEntitlement">
<list>
<value>https://example.org/entitlement/idpadmin</value>
</list>
</entry>
</map>
</property>
</bean>
</constructor-arg>
</bean>
</entry>
-->

</util:map>

</beans>
53 changes: 53 additions & 0 deletions conf/admin/general-admin.xml
View file
@@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<util:list id="shibboleth.AvailableAdminFlows">

<!-- Status Page -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/status"
p:loggingId="%{idp.service.logging.status:Status}"
p:policyName="%{idp.status.accessPolicy:AccessByIPAddress}" />

<!-- Service Reload -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/reload-service-configuration"
p:loggingId="%{idp.service.logging.serviceReload:Reload}"
p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />

<!-- MetadataResolver Reload -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/reload-metadata"
p:loggingId="%{idp.service.logging.serviceReload:Reload}"
p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />

<!-- AttributeResolver Debugging -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/resolvertest"
p:loggingId="%{idp.service.logging.resolvertest:ResolverTest}"
p:policyName="%{idp.resolvertest.accessPolicy:AccessByIPAddress}" />

<!-- REST StorageService Access -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/storage"
p:loggingId="Storage"
p:policyName="AccessByIPAddress" />

<!-- REST Interface to Metrics -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/metrics"
p:loggingId="Metrics"
p:policyNameLookupStrategy-ref="shibboleth.metrics.AccessPolicyStrategy" />

</util:list>

</beans>
129 changes: 129 additions & 0 deletions conf/admin/metrics.xml
View file
@@ -0,0 +1,129 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!-- Metrics enablement / activation. -->

<!--
Register one or more of the built-in system metric sets available.
-->

<bean parent="shibboleth.metrics.RegisterMetricSets">
<property name="arguments">
<list>
<ref bean="shibboleth.metrics.CoreGaugeSet" />
<ref bean="shibboleth.metrics.IdPGaugeSet" />
<ref bean="shibboleth.metrics.LoggingGaugeSet" />
<ref bean="shibboleth.metrics.AccessControlGaugeSet" />
<ref bean="shibboleth.metrics.MetadataGaugeSet" />
<ref bean="shibboleth.metrics.NameIdentifierGaugeSet" />
<ref bean="shibboleth.metrics.RelyingPartyGaugeSet" />
<ref bean="shibboleth.metrics.AttributeResolverGaugeSet" />
<ref bean="shibboleth.metrics.AttributeFilterGaugeSet" />

<!--
<bean class="com.codahale.metrics.jvm.CachedThreadStatesGaugeSet"
c:_0="1" c:_1="#{T(java.util.concurrent.TimeUnit).MINUTES}" />
<bean class="com.codahale.metrics.jvm.ClassLoadingGaugeSet" />
<bean class="com.codahale.metrics.jvm.GarbageCollectorMetricSet" />
<bean class="com.codahale.metrics.jvm.MemoryUsageGaugeSet" />
-->
</list>
</property>
</bean>

<!-- Metrics REST API Configuration -->

<!--
The global metric set is available by default at /idp/profile/admin/metrics
Any pathinfo after that is assumed to identify specific named metrics. You can
create mappings here between a logical "group" name and an implementation of the
com.codahale.metrics.MetricFilter interface to specify which metrics to include.
-->
<util:map id="shibboleth.metrics.MetricGroups">
<entry key="core" value-ref="shibboleth.metrics.CoreGaugeSet" />
<entry key="idp" value-ref="shibboleth.metrics.IdPGaugeSet" />
<entry key="logging" value-ref="shibboleth.metrics.LoggingGaugeSet" />
<entry key="access" value-ref="shibboleth.metrics.AccessControlGaugeSet" />
<entry key="metadata" value-ref="shibboleth.metrics.MetadataGaugeSet" />
<entry key="nameid" value-ref="shibboleth.metrics.NameIdentifierGaugeSet" />
<entry key="relyingparty" value-ref="shibboleth.metrics.RelyingPartyGaugeSet" />
<entry key="resolver" value-ref="shibboleth.metrics.AttributeResolverGaugeSet" />
<entry key="filter" value-ref="shibboleth.metrics.AttributeFilterGaugeSet" />
</util:map>

<!-- If you don't specify an alternate access policy, this named policy will be enforced. -->
<bean id="shibboleth.metrics.DefaultAccessPolicy" class="java.lang.String" c:_0="AccessByIPAddress" />

<!--
To override the default access policy, map a metric name or
mapped group above to an alternative policy name.
-->
<util:map id="shibboleth.metrics.AccessPolicyMap">

</util:map>

<!--
In addition to the "pull" REST API for accessing metrics, a "push" reporter is also
available to upload a JSON feed to a URL. The example shown relies on standard JVM
trust configuration for TLS server verification.
The "start" method triggers the timer thread; the example pushes every 30 minutes.
-->
<!--
<bean id="PushReporter" parent="shibboleth.metrics.HTTPReporter" c:name="MyCollector"
p:collectorURL="https://log.example.org/cgi-bin/collector.cgi" />
<bean class="org.springframework.beans.factory.config.MethodInvokingBean"
p:targetObject-ref="PushReporter"
p:targetMethod="start">
<property name="arguments">
<list>
<value>30</value>
<util:constant static-field="java.util.concurrent.TimeUnit.MINUTES" />
</list>
</property>
</bean>
-->

<!-- IdP Metrics Configuration -->

<!--
A bean named shibboleth.metrics.MetricStrategy of type Function<ProfileRequestContext,Boolean>
can be defined to add timers and counters to a large range of objects in the system. Each timer is
defined by a triple (timer name, start object, stop object). Counters are just object/counter pairs.
The most common example is to start a timer when a particular flow action bean starts and
stop it when the same or different action bean stops, to measure how long the execution takes.
If you want to leave a timer in place but disabled to prevent overhead, you can turn off a
logging category named "metrics.<timername>" in your logging configuration.
-->
<!--
<bean id="shibboleth.metrics.MetricStrategy" parent="shibboleth.ContextFunctions.Scripted"
factory-method="inlineScript">
<constructor-arg>
<value>
<![CDATA[
metricCtx = input.getSubcontext("org.opensaml.profile.context.MetricContext");
metricCtx.addTimer("idp.attribute.resolution",
"ResolveAttributes",
"FilterAttributes"
);
true; // Signals success.
]]>
</value>
</constructor-arg>
</bean>
-->

</beans>
100 changes: 100 additions & 0 deletions conf/attribute-filter.xml
View file
@@ -0,0 +1,100 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is an EXAMPLE policy file. While the policy presented in this
example file is illustrative of some simple cases, it relies on the names of
non-existent example services and the example attributes demonstrated in the
default attribute-resolver.xml file.
Deployers should refer to the documentation for a complete list of components
and their options.
-->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
xmlns="urn:mace:shibboleth:2.0:afp"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

<!-- EXAMPLES -->
<!-- Release some attributes to an SP. -->
<!--
<AttributeFilterPolicy id="example1">
<PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="uid">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>
-->
<!-- Release eduPersonAffiliation to two specific SPs. -->
<!--
<AttributeFilterPolicy id="example2">
<PolicyRequirementRule xsi:type="OR">
<Rule xsi:type="Requester" value="https://sp.example.org" />
<Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
</PolicyRequirementRule>
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>
-->

<!-- Attribute release for all SPs (global) tagged as 'Research and Scholarship' -->
<AttributeFilterPolicy id="releaseRandSAttributeBundle">
<PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://refeds.org/category/research-and-scholarship"/>
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="surname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="displayName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>


<!-- Attribute release for all InCommon SPs -->
<AttributeFilterPolicy id="releaseToInCommon">
<PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="surname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="displayName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>

</AttributeFilterPolicyGroup>

0 comments on commit 0621453

Please sign in to comment.