From 189b362227ae043b559a7fd35c6f8ff90cd1ab67 Mon Sep 17 00:00:00 2001 
From: Paul Caskey Date: Fri, 20 Jan 2017 16:24:43 -0600 Subject: [PATCH] initial add, copy of 33test --- conf/access-control.xml | 68 + conf/admin/general-admin.xml | 53 + conf/admin/metrics.xml | 129 + conf/attribute-filter.xml | 77 + conf/attribute-resolver-full.xml | 292 + conf/attribute-resolver-ldap.xml | 94 + conf/attribute-resolver.xml | 90 + conf/audit.xml | 32 + conf/authn/authn-comparison.xml | 77 + conf/authn/authn-events-flow.xml | 18 + conf/authn/duo-authn-config.xml | 25 + conf/authn/duo.properties | 9 + conf/authn/external-authn-config.xml | 70 + conf/authn/general-authn.xml | 156 + conf/authn/ipaddress-authn-config.xml | 37 + conf/authn/jaas-authn-config.xml | 27 + conf/authn/jaas.config | 11 + conf/authn/krb5-authn-config.xml | 31 + conf/authn/ldap-authn-config.xml | 135 + conf/authn/mfa-authn-config.xml | 94 + conf/authn/password-authn-config.xml | 121 + conf/authn/remoteuser-authn-config.xml | 75 + .../remoteuser-internal-authn-config.xml | 63 + conf/authn/spnego-authn-config.xml | 74 + conf/authn/x509-authn-config.xml | 44 + conf/authn/x509-internal-authn-config.xml | 21 + .../attribute-sourced-subject-c14n-config.xml | 44 + conf/c14n/simple-subject-c14n-config.xml | 27 + conf/c14n/subject-c14n-events-flow.xml | 18 + conf/c14n/subject-c14n.xml | 109 + conf/c14n/x500-subject-c14n-config.xml | 37 + conf/cas-protocol.xml | 84 + conf/credentials.xml | 65 + conf/errors.xml | 120 + conf/global.xml | 53 + conf/idp.properties | 195 + conf/intercept/consent-intercept-config.xml | 136 + .../context-check-intercept-config.xml | 42 + .../expiring-password-intercept-config.xml | 37 + conf/intercept/intercept-events-flow.xml | 18 + conf/intercept/profile-intercept.xml | 38 + conf/ldap.properties | 63 + conf/logback.xml | 186 + conf/metadata-providers.xml | 88 + conf/mvc-beans.xml | 23 + conf/relying-party.xml | 70 + conf/saml-nameid.properties | 35 + conf/saml-nameid.xml | 62 + conf/services.properties | 65 + conf/services.xml | 144 + conf/session-manager.xml 
| 45 + credentials/http.keytab | Bin 0 -> 834 bytes credentials/idp-backchannel.crt | 21 + credentials/idp-backchannel.p12 | Bin 0 -> 2660 bytes credentials/idp-encryption.crt | 21 + credentials/idp-encryption.key | 27 + credentials/idp-signing.crt | 21 + credentials/idp-signing.key | 27 + credentials/inc-md-cert.pem | 21 + credentials/sealer.jks | Bin 0 -> 500 bytes credentials/sealer.kver | 2 + edit-webapp/css/consent.css | 150 + edit-webapp/css/logout.css | 12 + edit-webapp/css/main.css | 163 + edit-webapp/images/dummylogo-mobile.png | Bin 0 -> 8208 bytes edit-webapp/images/dummylogo.png | Bin 0 -> 13742 bytes edit-webapp/images/failure-32x32.png | Bin 0 -> 2580 bytes edit-webapp/images/success-32x32.png | Bin 0 -> 2448 bytes messages/messages.properties | 240 + metadata/idp-metadata.xml | 228 + metadata/localCopyFromInCommon.xml | 515249 +++++++++++++++ metadata/sp-testbed-tier-metadata.xml | 80 + metadata/testbed-tier-metadata.xml | 79 + views/client-storage/client-storage-read.vm | 53 + views/client-storage/client-storage-write.vm | 53 + views/duo.vm | 83 + views/error.vm | 72 + views/intercept/attribute-release.vm | 158 + views/intercept/expiring-password.vm | 54 + views/intercept/terms-of-use.vm | 67 + views/login-error.vm | 24 + views/login.vm | 140 + views/logout-complete.vm | 59 + views/logout-propagate.vm | 58 + views/logout.vm | 91 + views/spnego-unavailable.vm | 49 + views/user-prefs.js | 45 + views/user-prefs.vm | 60 + 88 files changed, 521134 insertions(+) create mode 100644 conf/access-control.xml create mode 100644 conf/admin/general-admin.xml create mode 100644 conf/admin/metrics.xml create mode 100644 conf/attribute-filter.xml create mode 100644 conf/attribute-resolver-full.xml create mode 100644 conf/attribute-resolver-ldap.xml create mode 100644 conf/attribute-resolver.xml create mode 100644 conf/audit.xml create mode 100644 conf/authn/authn-comparison.xml create mode 100644 conf/authn/authn-events-flow.xml create mode 100644 
conf/authn/duo-authn-config.xml create mode 100644 conf/authn/duo.properties create mode 100644 conf/authn/external-authn-config.xml create mode 100644 conf/authn/general-authn.xml create mode 100644 conf/authn/ipaddress-authn-config.xml create mode 100644 conf/authn/jaas-authn-config.xml create mode 100644 conf/authn/jaas.config create mode 100644 conf/authn/krb5-authn-config.xml create mode 100644 conf/authn/ldap-authn-config.xml create mode 100644 conf/authn/mfa-authn-config.xml create mode 100644 conf/authn/password-authn-config.xml create mode 100644 conf/authn/remoteuser-authn-config.xml create mode 100644 conf/authn/remoteuser-internal-authn-config.xml create mode 100644 conf/authn/spnego-authn-config.xml create mode 100644 conf/authn/x509-authn-config.xml create mode 100644 conf/authn/x509-internal-authn-config.xml create mode 100644 conf/c14n/attribute-sourced-subject-c14n-config.xml create mode 100644 conf/c14n/simple-subject-c14n-config.xml create mode 100644 conf/c14n/subject-c14n-events-flow.xml create mode 100644 conf/c14n/subject-c14n.xml create mode 100644 conf/c14n/x500-subject-c14n-config.xml create mode 100644 conf/cas-protocol.xml create mode 100644 conf/credentials.xml create mode 100644 conf/errors.xml create mode 100644 conf/global.xml create mode 100644 conf/idp.properties create mode 100644 conf/intercept/consent-intercept-config.xml create mode 100644 conf/intercept/context-check-intercept-config.xml create mode 100644 conf/intercept/expiring-password-intercept-config.xml create mode 100644 conf/intercept/intercept-events-flow.xml create mode 100644 conf/intercept/profile-intercept.xml create mode 100644 conf/ldap.properties create mode 100644 conf/logback.xml create mode 100644 conf/metadata-providers.xml create mode 100644 conf/mvc-beans.xml create mode 100644 conf/relying-party.xml create mode 100644 conf/saml-nameid.properties create mode 100644 conf/saml-nameid.xml create mode 100644 conf/services.properties create mode 100644 
conf/services.xml create mode 100644 conf/session-manager.xml create mode 100644 credentials/http.keytab create mode 100644 credentials/idp-backchannel.crt create mode 100644 credentials/idp-backchannel.p12 create mode 100644 credentials/idp-encryption.crt create mode 100644 credentials/idp-encryption.key create mode 100644 credentials/idp-signing.crt create mode 100644 credentials/idp-signing.key create mode 100644 credentials/inc-md-cert.pem create mode 100644 credentials/sealer.jks create mode 100644 credentials/sealer.kver create mode 100644 edit-webapp/css/consent.css create mode 100644 edit-webapp/css/logout.css create mode 100644 edit-webapp/css/main.css create mode 100644 edit-webapp/images/dummylogo-mobile.png create mode 100644 edit-webapp/images/dummylogo.png create mode 100644 edit-webapp/images/failure-32x32.png create mode 100644 edit-webapp/images/success-32x32.png create mode 100644 messages/messages.properties create mode 100644 metadata/idp-metadata.xml create mode 100644 metadata/localCopyFromInCommon.xml create mode 100644 metadata/sp-testbed-tier-metadata.xml create mode 100644 metadata/testbed-tier-metadata.xml create mode 100644 views/client-storage/client-storage-read.vm create mode 100644 views/client-storage/client-storage-write.vm create mode 100644 views/duo.vm create mode 100644 views/error.vm create mode 100644 views/intercept/attribute-release.vm create mode 100644 views/intercept/expiring-password.vm create mode 100644 views/intercept/terms-of-use.vm create mode 100644 views/login-error.vm create mode 100644 views/login.vm create mode 100644 views/logout-complete.vm create mode 100644 views/logout-propagate.vm create mode 100644 views/logout.vm create mode 100644 views/spnego-unavailable.vm create mode 100644 views/user-prefs.js create mode 100644 views/user-prefs.vm diff --git a/conf/access-control.xml b/conf/access-control.xml new file mode 100644 index 0000000..a9184e6 --- /dev/null +++ b/conf/access-control.xml 
@@ -0,0 +1,68 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/conf/admin/general-admin.xml b/conf/admin/general-admin.xml new file mode 100644 index 0000000..9b3b180 --- /dev/null +++ b/conf/admin/general-admin.xml @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/admin/metrics.xml b/conf/admin/metrics.xml new file mode 100644 index 0000000..f9b5c16 --- /dev/null +++ b/conf/admin/metrics.xml @@ -0,0 +1,129 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/attribute-filter.xml b/conf/attribute-filter.xml new file mode 100644 index 0000000..9b49de0 --- /dev/null +++ b/conf/attribute-filter.xml @@ -0,0 +1,77 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/attribute-resolver-full.xml b/conf/attribute-resolver-full.xml new file mode 100644 index 0000000..4681b64 --- /dev/null +++ b/conf/attribute-resolver-full.xml @@ -0,0 +1,292 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/attribute-resolver-ldap.xml b/conf/attribute-resolver-ldap.xml new file mode 100644 index 0000000..ec79de9 --- /dev/null +++ b/conf/attribute-resolver-ldap.xml @@ -0,0 +1,94 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/attribute-resolver.xml b/conf/attribute-resolver.xml new file mode 100644 index 0000000..b23a80c --- /dev/null +++ b/conf/attribute-resolver.xml @@ -0,0 +1,90 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + member + + + + + + + + givenName sn displayName mail uid + + + diff --git a/conf/audit.xml b/conf/audit.xml new file mode 100644 index 0000000..22949fd --- /dev/null +++ b/conf/audit.xml @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + http://shibboleth.net/ns/profiles/status + + + 
diff --git a/conf/authn/authn-comparison.xml b/conf/authn/authn-comparison.xml new file mode 100644 index 0000000..f167b7a --- /dev/null +++ b/conf/authn/authn-comparison.xml @@ -0,0 +1,77 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified + + + diff --git a/conf/authn/authn-events-flow.xml b/conf/authn/authn-events-flow.xml new file mode 100644 index 0000000..244e1db --- /dev/null +++ b/conf/authn/authn-events-flow.xml @@ -0,0 +1,18 @@ + + + + + + + + + + diff --git a/conf/authn/duo-authn-config.xml b/conf/authn/duo-authn-config.xml new file mode 100644 index 0000000..0a48152 --- /dev/null +++ b/conf/authn/duo-authn-config.xml @@ -0,0 +1,25 @@ + + + + + + diff --git a/conf/authn/duo.properties b/conf/authn/duo.properties new file mode 100644 index 0000000..2ca71ee --- /dev/null +++ b/conf/authn/duo.properties @@ -0,0 +1,9 @@ +# Duo integration settings + +# Note: If upgrading from pre-3.3 IdP versions, you will need to manually add a pointer +# to this property file to idp.properties. + +idp.duo.apiHost = hostname +idp.duo.applicationKey = key +idp.duo.integrationKey = key +idp.duo.secretKey = key diff --git a/conf/authn/external-authn-config.xml b/conf/authn/external-authn-config.xml new file mode 100644 index 0000000..8b3a159 --- /dev/null +++ b/conf/authn/external-authn-config.xml @@ -0,0 +1,70 @@ + + + + + + + + + + + + + + + + + + UnknownUsername + + + + + InvalidPassword + + + + + ExpiredPassword + + + + + ExpiringPassword + + + + + diff --git a/conf/authn/general-authn.xml b/conf/authn/general-authn.xml new file mode 100644 index 0000000..ac55bbb --- /dev/null +++ b/conf/authn/general-authn.xml @@ -0,0 +1,156 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + + + + 
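Review bot: `idp.duo.secretKey`, `idp.duo.applicationKey` and `idp.duo.integrationKey` in the duo.properties hunk are credentials, and the file is being tracked in the repository, so the moment the `key` placeholders are replaced with real values they land in git history. Keep the real values out of the tree — load them from an untracked properties file via `idp.additionalProperties` — and leave only the placeholders here with a comment such as `# Real Duo keys must NOT be committed; supply them from an untracked properties file`. As far as this patch shows the Duo flow is not enabled (`idp.authn.flows= Password` in idp.properties), so the values are unused, but the file is still loaded through `idp.additionalProperties` and the risk remains once someone fills it in.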
diff --git a/conf/authn/ipaddress-authn-config.xml b/conf/authn/ipaddress-authn-config.xml new file mode 100644 index 0000000..a3ee096 --- /dev/null +++ b/conf/authn/ipaddress-authn-config.xml @@ -0,0 +1,37 @@ + + + + + + + + + + + + + + + diff --git a/conf/authn/jaas-authn-config.xml b/conf/authn/jaas-authn-config.xml new file mode 100644 index 0000000..daef4d2 --- /dev/null +++ b/conf/authn/jaas-authn-config.xml @@ -0,0 +1,27 @@ + + + + + + + + + + + ShibUserPassAuth + + + + + diff --git a/conf/authn/jaas.config b/conf/authn/jaas.config new file mode 100644 index 0000000..232e93d --- /dev/null +++ b/conf/authn/jaas.config @@ -0,0 +1,11 @@ +ShibUserPassAuth { + /* + com.sun.security.auth.module.Krb5LoginModule required; + */ + + org.ldaptive.jaas.LdapLoginModule required + ldapUrl="ldap://localhost:10389" + baseDn="ou=people,dc=example,dc=org" + userFilter="uid={user}"; + +}; \ No newline at end of file diff --git a/conf/authn/krb5-authn-config.xml b/conf/authn/krb5-authn-config.xml new file mode 100644 index 0000000..3230134 --- /dev/null +++ b/conf/authn/krb5-authn-config.xml @@ -0,0 +1,31 @@ + + + + + + + + + + + + + + + + diff --git a/conf/authn/ldap-authn-config.xml b/conf/authn/ldap-authn-config.xml new file mode 100644 index 0000000..56d1bc7 --- /dev/null +++ b/conf/authn/ldap-authn-config.xml @@ -0,0 +1,135 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/authn/mfa-authn-config.xml b/conf/authn/mfa-authn-config.xml new file mode 100644 index 0000000..6198c29 --- /dev/null +++ b/conf/authn/mfa-authn-config.xml @@ -0,0 +1,94 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/authn/password-authn-config.xml b/conf/authn/password-authn-config.xml new file mode 100644 index 0000000..48b2c3d --- /dev/null +++ b/conf/authn/password-authn-config.xml 
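Review bot: `ldapUrl="ldap://localhost:10389"` in the `ShibUserPassAuth` entry of jaas.config makes the `required` `LdapLoginModule` bind with the user's password over a cleartext LDAP connection, and `baseDn="ou=people,dc=example,dc=org"` is the stock sample value rather than the testbed directory used in ldap.properties. Whether the JAAS path is actually selected cannot be confirmed from the stripped password-authn-config.xml in this patch; if it is not, add `/* not used: password flow is configured via ldap.properties */` so nobody enables it as-is, and if it is, point it at the real directory and protect the bind with an `ldaps://` URL or ldaptive's `useStartTLS="true"` option. The `Krb5LoginModule` line is commented out, so the LDAP module is the only active one.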
@@ -0,0 +1,121 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + NoCredentials + CLIENT_NOT_FOUND + Client not found + DN_RESOLUTION_FAILURE + + + + + InvalidCredentials + PREAUTH_FAILED + INVALID_CREDENTIALS + Checksum failed + + + + + AccountLocked + Clients credentials have been revoked + + + + + PASSWORD_EXPIRED + + + + + ACCOUNT_WARNING + + + + + + + + diff --git a/conf/authn/remoteuser-authn-config.xml b/conf/authn/remoteuser-authn-config.xml new file mode 100644 index 0000000..4b7e722 --- /dev/null +++ b/conf/authn/remoteuser-authn-config.xml @@ -0,0 +1,75 @@ + + + + + + + + + + + + + + + + + + NoCredentials + + + + + UnknownUsername + + + + + InvalidPassword + + + + + ExpiredPassword + + + + + ExpiringPassword + + + + + diff --git a/conf/authn/remoteuser-internal-authn-config.xml b/conf/authn/remoteuser-internal-authn-config.xml new file mode 100644 index 0000000..9e68c85 --- /dev/null +++ b/conf/authn/remoteuser-internal-authn-config.xml @@ -0,0 +1,63 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/authn/spnego-authn-config.xml b/conf/authn/spnego-authn-config.xml new file mode 100644 index 0000000..07563b9 --- /dev/null +++ b/conf/authn/spnego-authn-config.xml @@ -0,0 +1,74 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SPNEGONotAvailable + + + + + NTLMUnsupported + + + + + diff --git a/conf/authn/x509-authn-config.xml b/conf/authn/x509-authn-config.xml new file mode 100644 index 0000000..18b015a --- /dev/null +++ b/conf/authn/x509-authn-config.xml @@ -0,0 +1,44 @@ + + + + + + + + + + + + + NoCredentials + InvalidCredentials + + + + + diff --git a/conf/authn/x509-internal-authn-config.xml b/conf/authn/x509-internal-authn-config.xml new file mode 100644 index 0000000..bad3029 --- /dev/null +++ b/conf/authn/x509-internal-authn-config.xml @@ -0,0 +1,21 @@ + + + + + + 
diff --git a/conf/c14n/attribute-sourced-subject-c14n-config.xml b/conf/c14n/attribute-sourced-subject-c14n-config.xml new file mode 100644 index 0000000..938b30f --- /dev/null +++ b/conf/c14n/attribute-sourced-subject-c14n-config.xml @@ -0,0 +1,44 @@ + + + + + + altuid + + + + + altuid + + + + + + + + + + + + + diff --git a/conf/c14n/simple-subject-c14n-config.xml b/conf/c14n/simple-subject-c14n-config.xml new file mode 100644 index 0000000..3cddfa6 --- /dev/null +++ b/conf/c14n/simple-subject-c14n-config.xml @@ -0,0 +1,27 @@ + + + + + + + + + + + + + + diff --git a/conf/c14n/subject-c14n-events-flow.xml b/conf/c14n/subject-c14n-events-flow.xml new file mode 100644 index 0000000..d7458cd --- /dev/null +++ b/conf/c14n/subject-c14n-events-flow.xml @@ -0,0 +1,18 @@ + + + + + + + + + + diff --git a/conf/c14n/subject-c14n.xml b/conf/c14n/subject-c14n.xml new file mode 100644 index 0000000..16fc6f1 --- /dev/null +++ b/conf/c14n/subject-c14n.xml @@ -0,0 +1,109 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName + urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName + urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos + + + + + + + + + + + + + + + + + diff --git a/conf/c14n/x500-subject-c14n-config.xml b/conf/c14n/x500-subject-c14n-config.xml new file mode 100644 index 0000000..1ae25e4 --- /dev/null +++ b/conf/c14n/x500-subject-c14n-config.xml @@ -0,0 +1,37 @@ + + + + + + + + + + + 2.5.4.3 + + + + + + + + + + + + + diff --git a/conf/cas-protocol.xml b/conf/cas-protocol.xml new file mode 100644 index 0000000..d0b3d55 --- /dev/null +++ b/conf/cas-protocol.xml @@ -0,0 +1,84 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/conf/credentials.xml b/conf/credentials.xml new file mode 100644 index 0000000..7462879 --- /dev/null +++ b/conf/credentials.xml @@ -0,0 +1,65 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/errors.xml b/conf/errors.xml new file mode 100644 index 0000000..5de522f --- /dev/null +++ b/conf/errors.xml @@ -0,0 +1,120 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/global.xml b/conf/global.xml new file mode 100644 index 0000000..60562e3 --- /dev/null +++ b/conf/global.xml @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + + diff --git a/conf/idp.properties b/conf/idp.properties new file mode 100644 index 0000000..1f32c81 --- /dev/null +++ b/conf/idp.properties 
@@ -0,0 +1,195 @@
+# Load any additional property resources from a comma-delimited list
+idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties
+
+# Set the entityID of the IdP
+idp.entityID= https://idp.testbed.tier.internet2.edu/idp/shibboleth
+
+# Set the scope used in the attribute resolver for scoped attributes
+idp.scope= testbed.tier.internet2.edu
+
+# General cookie properties (maxAge only applies to persistent cookies)
+#idp.cookie.secure = false
+#idp.cookie.httpOnly = true
+#idp.cookie.domain =
+#idp.cookie.path =
+#idp.cookie.maxAge = 31536000
+
+# Set the location of user-supplied web flow definitions
+#idp.webflows = %{idp.home}/flows
+
+# Set the location of Velocity view templates
+#idp.views = %{idp.home}/views
+
+# Settings for internal AES encryption key
+#idp.sealer.storeType = JCEKS
+#idp.sealer.updateInterval = PT15M
+#idp.sealer.aliasBase = secret
+idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
+idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
+idp.sealer.storePassword= changeit
+idp.sealer.keyPassword= changeit
+
+# Settings for public/private signing and encryption key(s)
+# During decryption key rollover, point the ".2" properties at a second
+# keypair, uncomment in credentials.xml, then publish it in your metadata.
+idp.signing.key= %{idp.home}/credentials/idp-signing.key
+idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
+idp.encryption.key= %{idp.home}/credentials/idp-encryption.key
+idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
+#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
+#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
+
+# Sets the bean ID to use as a default security configuration set
+#idp.security.config = shibboleth.DefaultSecurityConfiguration
+
+# To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1
+#idp.signing.config = shibboleth.SigningConfiguration.SHA256
+
+# Configures trust evaluation of keys used by services at runtime
+# Defaults to supporting both explicit key and PKIX using SAML metadata.
+#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
+# To pick only one set to one of:
+# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
+#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
+# To pick only one set to one of:
+# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine
+
+# If true, encryption will happen whenever a key to use can be located, but
+# failure to encrypt won't result in request failure.
+#idp.encryption.optional = false
+
+# Configuration of client- and server-side storage plugins
+#idp.storage.cleanupInterval = PT10M
+#idp.storage.htmlLocalStorage = false
+
+# Set to true to expose more detailed errors in responses to SPs
+#idp.errors.detailed = false
+# Set to false to skip signing of SAML response messages that signal errors
+#idp.errors.signed = true
+# Name of bean containing a list of Java exception classes to ignore
+#idp.errors.excludedExceptions = ExceptionClassListBean
+# Name of bean containing a property set mapping exception names to views
+#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
+# Set if a different default view name for events and exceptions is needed
+#idp.errors.defaultView = error
+
+# Set to false to disable the IdP session layer
+#idp.session.enabled = true
+
+# Set to "shibboleth.StorageService" for server-side storage of user sessions
+#idp.session.StorageService = shibboleth.ClientSessionStorageService
+
+# Size of session IDs
+#idp.session.idSize = 32
+# Bind sessions to IP addresses
+#idp.session.consistentAddress = true
+# Inactivity timeout
+#idp.session.timeout = PT60M
+# Extra time to store sessions for logout
+#idp.session.slop = PT0S
+# Tolerate storage-related errors
+#idp.session.maskStorageFailure = false
+# Track information about SPs logged into
+#idp.session.trackSPSessions = false
+# Support lookup by SP for SAML logout
+#idp.session.secondaryServiceIndex = false
+# Length of time to track SP sessions
+#idp.session.defaultSPlifetime = PT2H
+
+# Regular expression matching login flows to enable, e.g. IPAddress|Password
+idp.authn.flows= Password
+
+# Regular expression of forced "initial" methods when no session exists,
+# usually in conjunction with the idp.authn.resolveAttribute property below.
+#idp.authn.flows.initial = Password
+
+# Set to an attribute ID to resolve prior to selecting authentication flows;
+# its values are used to filter the flows to allow.
+#idp.authn.resolveAttribute = eduPersonAssurance
+
+# Default lifetime and timeout of various authentication methods
+#idp.authn.defaultLifetime = PT60M
+#idp.authn.defaultTimeout = PT30M
+
+# Whether to populate relying party user interface information for display
+# during authentication, consent, terms-of-use.
+#idp.authn.rpui = true
+
+# Whether to prioritize "active" results when an SP requests more than
+# one possible matching login method (V2 behavior was to favor them)
+#idp.authn.favorSSO = false
+
+# Whether to fail requests when a user identity after authentication
+# doesn't match the identity in a pre-existing session.
+#idp.authn.identitySwitchIsError = false
+
+# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
+#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
+
+# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
+# to key user consent storage records (and set the attribute name)
+#idp.consent.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
+#idp.consent.userStorageKeyAttribute = uid
+
+# Flags controlling how built-in attribute consent feature operates
+#idp.consent.allowDoNotRemember = true
+#idp.consent.allowGlobal = true
+#idp.consent.allowPerAttribute = false
+
+# Whether attribute values and terms of use text are compared
+#idp.consent.compareValues = false
+# Maximum number of consent records for space-limited storage (e.g. cookies)
+#idp.consent.maxStoredRecords = 10
+# Maximum number of consent records for larger/server-side storage (0 = no limit)
+#idp.consent.expandedMaxStoredRecords = 0
+
+# Time in milliseconds to expire consent storage records.
+#idp.consent.storageRecordLifetime = P1Y
+
+# Whether to lookup metadata, etc. for every SP involved in a logout
+# for use by user interface logic; adds overhead so off by default.
+#idp.logout.elaboration = false
+
+# Whether to require logout requests/responses be signed/authenticated.
+#idp.logout.authenticated = true
+
+# Message freshness and replay cache tuning
+#idp.policy.messageLifetime = PT3M
+#idp.policy.clockSkew = PT3M
+
+# Set to custom bean for alternate storage of replay cache
+#idp.replayCache.StorageService = shibboleth.StorageService
+
+# Toggles whether to allow outbound messages via SAML artifact
+#idp.artifact.enabled = true
+# Suppresses typical signing/encryption when artifact binding used
+#idp.artifact.secureChannel = true
+# May differ to direct SAML 2 artifact lookups to specific server nodes
+#idp.artifact.endpointIndex = 2
+# Set to custom bean for alternate storage of artifact map state
+#idp.artifact.StorageService = shibboleth.StorageService
+
+# Comma-delimited languages to use if not match can be found with the
+# browser-supported languages, defaults to an empty list.
+idp.ui.fallbackLanguages= en,fr,de
+
+# Storage service used by CAS protocol
+# Defaults to shibboleth.StorageService (in-memory)
+# MUST be server-side storage (e.g. in-memory, memcached, database)
+# NOTE that idp.session.StorageService requires server-side storage
+# when CAS protocol is enabled
+#idp.cas.StorageService=shibboleth.StorageService
+
+# CAS service registry implementation class
+#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry
+
+# Profile flows in which the ProfileRequestContext should be exposed
+# in servlet request under the key "opensamlProfileRequestContext"
+#idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO
+
+# F-TICKS auditing - set a salt to include hashed username
+#idp.fticks.federation=MyFederation
+#idp.fticks.algorithm=SHA-256
+#idp.fticks.salt=somethingsecret
+#idp.fticks.loghost=localhost
+#idp.fticks.logport=514
diff --git a/conf/intercept/consent-intercept-config.xml b/conf/intercept/consent-intercept-config.xml
new file mode 100644
index 0000000..ca183a7
--- /dev/null
+++ b/conf/intercept/consent-intercept-config.xml
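Review bot: `idp.sealer.storePassword= changeit` and `idp.sealer.keyPassword= changeit` are the distribution defaults, and the diffstat shows `credentials/sealer.jks`, `idp-signing.key`, `idp-encryption.key`, `idp-backchannel.p12` and `http.keytab` committed in the same patch, so anyone with read access to this repository holds the key that protects IdP session cookies and transient IDs as well as the keys that sign and decrypt assertions. Private key material should not be tracked in git at all; if this repository has already been shared, regenerate the sealer key and the signing/encryption keypairs, and move the store/key passwords into an untracked properties file referenced from `idp.additionalProperties`. Separately, `#idp.cookie.secure = false` is left at the default shown here although `idp.entityID` is an `https://` URL, so the session cookie would be sent over plain HTTP if the host ever answers on it; set `idp.cookie.secure = true`.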
@@ -0,0 +1,136 @@ + + + + + + + + + + + + + + + + + + + + + transientId + persistentId + eduPersonTargetedID + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/conf/intercept/context-check-intercept-config.xml b/conf/intercept/context-check-intercept-config.xml new file mode 100644 index 0000000..809f1d4 --- /dev/null +++ b/conf/intercept/context-check-intercept-config.xml @@ -0,0 +1,42 @@ + + + + + + + + + + + + + + * + + + + + + + + + + \ No newline at end of file diff --git a/conf/intercept/expiring-password-intercept-config.xml b/conf/intercept/expiring-password-intercept-config.xml new file mode 100644 index 0000000..5447b16 --- /dev/null +++ b/conf/intercept/expiring-password-intercept-config.xml @@ -0,0 +1,37 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/conf/intercept/intercept-events-flow.xml b/conf/intercept/intercept-events-flow.xml new file mode 100644 index 0000000..5cb30d5 --- /dev/null +++ b/conf/intercept/intercept-events-flow.xml @@ -0,0 +1,18 @@ + + + + + + + + + + diff --git a/conf/intercept/profile-intercept.xml b/conf/intercept/profile-intercept.xml new file mode 100644 index 0000000..4040a10 --- /dev/null +++ b/conf/intercept/profile-intercept.xml @@ -0,0 +1,38 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/conf/ldap.properties b/conf/ldap.properties new file mode 100644 index 0000000..6d75df0 --- /dev/null +++ b/conf/ldap.properties 
@@ -0,0 +1,63 @@
+# LDAP authentication configuration, see authn/ldap-authn-config.xml
+# Note, this doesn't apply to the use of JAAS
+
+## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
+#idp.authn.LDAP.authenticator = anonSearchAuthenticator
+
+## Connection properties ##
+idp.authn.LDAP.ldapURL = ldap://ldap.testbed.tier.internet2.edu
+idp.authn.LDAP.useStartTLS = false
+idp.authn.LDAP.useSSL = false
+# Time in milliseconds that connects will block
+#idp.authn.LDAP.connectTimeout = PT3S
+# Time in milliseconds to wait for responses
+#idp.authn.LDAP.responseTimeout = PT3S
+
+## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
+#idp.authn.LDAP.sslConfig = certificateTrust
+## If using certificateTrust above, set to the trusted certificate's path
+idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
+## If using keyStoreTrust above, set to the truststore path
+idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
+
+## Return attributes during authentication
+idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining
+
+## DN resolution properties ##
+
+# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
+# for AD: CN=Users,DC=example,DC=org
+idp.authn.LDAP.baseDN = ou=People,dc=testbed,dc=tier,dc=internet2,dc=edu
+#idp.authn.LDAP.subtreeSearch = false
+idp.authn.LDAP.userFilter = (uid={user})
+# bind search configuration
+# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
+idp.authn.LDAP.bindDN =
+idp.authn.LDAP.bindDNCredential =
+
+# Format DN resolution, used by directAuthenticator, adAuthenticator
+# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
+idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=org
+
+# LDAP attribute configuration, see attribute-resolver.xml
+# Note, this likely won't apply to the use of legacy V2 resolver configurations
+idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
+idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout:PT3S}
+idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout:PT3S}
+idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined}
+idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN:undefined}
+idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}
+idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
+idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined}
+idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)
+
+# LDAP pool configuration, used for both authn and DN resolution
+#idp.pool.LDAP.minSize = 3
+#idp.pool.LDAP.maxSize = 10
+#idp.pool.LDAP.validateOnCheckout = false
+#idp.pool.LDAP.validatePeriodically = true
+#idp.pool.LDAP.validatePeriod = PT5M
+#idp.pool.LDAP.prunePeriod = PT5M
+#idp.pool.LDAP.idleTime = PT10M
+#idp.pool.LDAP.blockWaitTime = PT3S
+#idp.pool.LDAP.failFastInitialize = false
diff --git a/conf/logback.xml b/conf/logback.xml
new file mode 100644
index 0000000..104ec4c
--- /dev/null
+++ b/conf/logback.xml
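Review bot: `idp.authn.LDAP.useStartTLS = false` and `idp.authn.LDAP.useSSL = false` together with the plain `ldap://` URL mean the bind authenticator sends every user's password to `ldap.testbed.tier.internet2.edu` in cleartext, and because `idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}` inherits the same value, attribute lookups lose TLS as well. Change the authn line to `idp.authn.LDAP.useStartTLS = true` (keeping the `ldap://` URL for StartTLS) or switch to an `ldaps://` URL with `idp.authn.LDAP.useSSL = true`. Once TLS is on, the default `certificateTrust` mode reads `credentials/ldap-server.crt`, which is not among the files this patch adds, so that certificate must be provisioned (or `idp.authn.LDAP.sslConfig = jvmTrust` used with the CA in the JVM truststore) or connections will fail closed. The empty `bindDN`/`bindDNCredential` are consistent with the default `anonSearchAuthenticator`, but `idp.authn.LDAP.dnFormat` still carries the `dc=example,dc=org` placeholder and should either match the testbed base DN or be commented out.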
@@ -0,0 +1,186 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ${idp.logfiles}/idp-process.log + + + ${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short} + + + + + + + VelocityStatusMatcher + ResourceManager : unable to find resource 'status.vm' in any resource loader. + + VelocityStatusMatcher.matches(formattedMessage) + + DENY + + + + + + 0 + + + + + + WARN + + + ${idp.logfiles}/idp-warn.log + + + ${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short} + + + + + + + VelocityStatusMatcher + ResourceManager : unable to find resource 'status.vm' in any resource loader. + + VelocityStatusMatcher.matches(formattedMessage) + + DENY + + + + + + ${idp.logfiles}/idp-audit.log + + + ${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %msg%n + + + + + + ${idp.logfiles}/idp-consent-audit.log + + + ${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %msg%n + + + + + + ${idp.fticks.loghost:-localhost} + ${idp.fticks.logport:-514} + AUTH + [%thread] %logger %msg + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/conf/metadata-providers.xml b/conf/metadata-providers.xml new file mode 100644 index 0000000..778989c --- /dev/null +++ b/conf/metadata-providers.xml @@ -0,0 +1,88 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + md:SPSSODescriptor + + + + + + + + + + diff --git a/conf/mvc-beans.xml b/conf/mvc-beans.xml new file mode 100644 index 0000000..98d9bcd --- /dev/null +++ b/conf/mvc-beans.xml @@ -0,0 +1,23 @@ + + + + + + diff --git a/conf/relying-party.xml b/conf/relying-party.xml new file mode 100644 index 0000000..28c9193 --- /dev/null +++ b/conf/relying-party.xml 
@@ -0,0 +1,70 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/saml-nameid.properties b/conf/saml-nameid.properties new file mode 100644 index 0000000..8530c4f --- /dev/null +++ b/conf/saml-nameid.properties 
@@ -0,0 +1,35 @@
+# Properties involving SAML NameIdentifier/NameID generation/consumption
+
+# For the most part these settings only deal with "transient" and "persistent"
+# identifiers. See saml-nameid.xml and c14n/subject-c14n.xml for advanced
+# settings
+
+# Comment out to disable legacy NameID generation via Attribute Resolver
+#idp.nameid.saml2.legacyGenerator = shibboleth.LegacySAML2NameIDGenerator
+#idp.nameid.saml1.legacyGenerator = shibboleth.LegacySAML1NameIdentifierGenerator
+
+# Default NameID Formats to use when nothing else is called for.
+# Don't change these just to change the Format used for a single SP!
+#idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+#idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier
+
+# Set to shibboleth.StoredTransientIdGenerator for server-side transient ID storage
+#idp.transientId.generator = shibboleth.CryptoTransientIdGenerator
+
+# Persistent IDs can be computed on the fly with a hash, or managed in a database
+
+# For computed IDs, set a source attribute and a secret salt:
+#idp.persistentId.sourceAttribute = changethistosomethingreal
+#idp.persistentId.useUnfilteredAttributes = true
+# Do *NOT* share the salt with other people, it's like divulging your private key.
+#idp.persistentId.algorithm = SHA
+#idp.persistentId.salt = changethistosomethingrandom
+
+# To use a database, use shibboleth.StoredPersistentIdGenerator
+#idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
+# For basic use, set this to a JDBC DataSource bean name:
+#idp.persistentId.dataSource = PersistentIdDataSource
+# For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore
+#idp.persistentId.store = MyPersistentIdStore
+# Set to an empty property to skip hash-based generation of first stored ID
+#idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator
diff --git a/conf/saml-nameid.xml b/conf/saml-nameid.xml new file mode 100644 index 0000000..ea97448 --- /dev/null +++ b/conf/saml-nameid.xml @@ -0,0 +1,62 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/services.properties b/conf/services.properties new file mode 100644 index 0000000..eee86ee --- /dev/null +++ b/conf/services.properties 
@@ -0,0 +1,65 @@
+# Configure the resources to load for various services,
+# and the settings for failure handling and auto-reload.
+
+# failFast=true prevents IdP startup if a configuration is bad
+# checkInterval = PT0S means never reload (this is the default)
+
+# Global default for fail-fast behavior of most subsystems
+# with individual override possible below.
+#idp.service.failFast = false
+
+#idp.service.logging.resource = %{idp.home}/conf/logback.xml
+#idp.service.logging.failFast = true
+idp.service.logging.checkInterval = PT5M
+
+# Set to shibboleth.LegacyRelyingPartyResolverResources with legacy V2 relying-party.xml
+#idp.service.relyingparty.resources = shibboleth.RelyingPartyResolverResources
+#idp.service.relyingparty.failFast = false
+idp.service.relyingparty.checkInterval = PT15M
+
+#idp.service.metadata.resources = shibboleth.MetadataResolverResources
+#idp.service.metadata.failFast = false
+#idp.service.metadata.checkInterval = PT0S
+
+#idp.service.attribute.resolver.resources = shibboleth.AttributeResolverResources
+#idp.service.attribute.resolver.failFast = false
+idp.service.attribute.resolver.checkInterval = PT15M
+#idp.service.attribute.resolver.maskFailures = true
+
+#idp.service.attribute.filter.resources = shibboleth.AttributeFilterResources
+# NOTE: Failing the filter fast leaves no filters enabled.
+#idp.service.attribute.filter.failFast = false
+idp.service.attribute.filter.checkInterval = PT15M
+#idp.service.attribute.filter.maskFailures = true
+
+#idp.service.nameidGeneration.resources = shibboleth.NameIdentifierGenerationResources
+#idp.service.nameidGeneration.failFast = false
+idp.service.nameidGeneration.checkInterval = PT15M
+
+#idp.service.access.resources = shibboleth.AccessControlResources
+#idp.service.access.failFast = true
+idp.service.access.checkInterval = PT5M
+
+#idp.service.cas.registry.resources = shibboleth.CASServiceRegistryResources
+#idp.service.cas.registry.failFast = false
+idp.service.cas.registry.checkInterval = PT15M
+
+#idp.message.resources = shibboleth.MessageSourceResources
+#idp.message.cacheSeconds = 300
+
+# Parameters for pre-defined HttpClient instances which perform in-memory and filesystem caching.
+# These are used with components such as remote configuration resources that are explicitly wired
+# with these client instances, *not* by default with HTTP metadata resolvers.
+#idp.httpclient.useTrustEngineTLSSocketFactory = false
+#idp.httpclient.useSecurityEnhancedTLSSocketFactory = false
+#idp.httpclient.connectionDisregardTLSCertificate = false
+#idp.httpclient.connectionRequestTimeout = 60000
+#idp.httpclient.connectionTimeout = 60000
+#idp.httpclient.socketTimeout = 60000
+#idp.httpclient.maxConnectionsTotal = 100
+#idp.httpclient.maxConnectionsPerRoute = 100
+#idp.httpclient.memorycaching.maxCacheEntries = 50
+#idp.httpclient.memorycaching.maxCacheEntrySize = 1048576
+#idp.httpclient.filecaching.maxCacheEntries = 100
+#idp.httpclient.filecaching.maxCacheEntrySize = 10485760
+idp.httpclient.filecaching.cacheDirectory = %{idp.home}/tmp/httpClientCache
\ No newline at end of file
diff --git a/conf/services.xml b/conf/services.xml
new file mode 100644
index 0000000..313b636
--- /dev/null
+++ b/conf/services.xml
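Review bot: The active reload intervals (`idp.service.logging.checkInterval = PT5M`, the PT15M lines for relying-party, attribute resolver/filter, nameid and CAS registry, and `idp.service.access.checkInterval = PT5M`) make edits to those files take effect at runtime, but the matching failFast lines are left commented and the header only explains what failFast does at startup, not what happens when a periodic reload hits a file that fails to parse. A one-line comment beside the active intervals would spare the next operator a lookup, e.g. `# With checkInterval > 0 a file that fails to load on reload is presumably left at its last good version -- confirm against the IdP services documentation`; for access-control.xml in particular, operators should know whether a broken edit silently keeps the old rules or drops them. Unrelated: the hunk ends with `\ No newline at end of file`, so a trailing newline should be added.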
@@ -0,0 +1,144 @@ + + + + + + + + + + + %{idp.home}/conf/relying-party.xml + %{idp.home}/conf/credentials.xml + %{idp.home}/system/conf/relying-party-system.xml + + + + + %{idp.home}/conf/relying-party.xml + %{idp.home}/system/conf/legacy-relying-party-defaults.xml + + + + %{idp.home}/conf/metadata-providers.xml + %{idp.home}/system/conf/metadata-providers-system.xml + + + + %{idp.home}/conf/attribute-resolver.xml + + + + %{idp.home}/conf/attribute-filter.xml + + + + %{idp.home}/conf/saml-nameid.xml + %{idp.home}/system/conf/saml-nameid-system.xml + + + + %{idp.home}/conf/access-control.xml + %{idp.home}/system/conf/access-control-system.xml + + + + %{idp.home}/conf/cas-protocol.xml + + + + + %{idp.home}/messages/messages + %{idp.home}/system/messages/messages + + + diff --git a/conf/session-manager.xml b/conf/session-manager.xml new file mode 100644 index 0000000..f195014 --- /dev/null +++ b/conf/session-manager.xml @@ -0,0 +1,45 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/credentials/http.keytab b/credentials/http.keytab new file mode 100644 index 0000000000000000000000000000000000000000..f057e3672460b8240b797cb2911ed651dbd904d5 GIT binary patch literal 834 zcmZQ&Vqjn>WME>D3ULh%adLIh3-NRf()08SaSifw4KdPlbqQr)@dybCV35m9DbOoP zEiOq)P0=gKOfAyO%qvMP%1bRV(o0P#1)9Sc&O7%2BZClwLb}|KgOztX98|M!ZWee` z`*nL;y`i!~+Od~?1umSt(f5Ih6RB&dAcMgCn1o!ZIbYr?6^ARSTsXi9v?P}g>j5o^q;6bsFmT-BXn2|Q$`cf9R5qNMfg}3w@jS!(N4fw(83iH$ literal 0 HcmV?d00001 diff --git a/credentials/idp-backchannel.crt b/credentials/idp-backchannel.crt new file mode 100644 index 0000000..78b0409 --- /dev/null +++ b/credentials/idp-backchannel.crt 
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZjCCAk6gAwIBAgIVAOFETpFi27881c/E8q+EMl9Q0x3eMA0GCSqGSIb3DQEB
+CwUAMCkxJzAlBgNVBAMMHmlkcC50ZXN0YmVkLnRpZXIuaW50ZXJuZXQyLmVkdTAe
+Fw0xNjA0MDEwMTU0MTZaFw0zNjA0MDEwMTU0MTZaMCkxJzAlBgNVBAMMHmlkcC50
+ZXN0YmVkLnRpZXIuaW50ZXJuZXQyLmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAJHEgwTuY6udWkTkKrIAjy/0NFdqlSQ0KlUesN9806aSTB44kF4z
+x3dqLNZ0sXYb42vVkhJs9ClD7+nU/PhYErMdsHFkeEiC/oaNA4KJxraPtQwdcXv7
+qutoiNcGPXAAqNC80OkcqneeWWEo83BYMPA/YB+Oko+qZkaAqaQq6fPUhUZzKxp1
+jkAWFknZXt676MRbqqXMSdLQScJ9DHC1t8m4+R29In8wybMofvmLZ1DzKjQPlRzD
+XtEx66USOAoDZLXzmSkYPOx8Rq3HoEsIWnjUOXIA7zurKqyv3qe9Dwy6XYdBpvpw
+JYtpfL9I7P5ftAqgDAd0nUuro7m133EHTXsCAwEAAaOBhDCBgTAdBgNVHQ4EFgQU
+x7OgBHgTB2AYpVTo5OaIMlLOVgEwYAYDVR0RBFkwV4IeaWRwLnRlc3RiZWQudGll
+ci5pbnRlcm5ldDIuZWR1hjVodHRwczovL2lkcC50ZXN0YmVkLnRpZXIuaW50ZXJu
+ZXQyLmVkdS9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAQEAdt2uTZVH
+DflxXQ4MkPrPIP99xeTZfYc9Y9bwCMjt21+cDfnu92MzlbYzQ9txLQcw30iFc0Zj
+i7gys2m+/dp8zRjB++RfXirbNyZUSo/KQIr1GrWeoIJ8CMVafRRw+46RJA/3GsSN
+/0zX1sFJHz0q8WrKZMh2c4P7ejwuVp1JSh0vWZxXhyhHuSklygSvG6XXUPlBwB8p
+QbZEuxKgalDTQSaa5vza0d+0ocgaaybMnex6N7MD1Lvsh/qEy+Yxc1/4ruay7nmk
+2mXmsTUWN3majWZjsCJCMNrugom03rhC3BhnuLA/tYAHOiSt8W4zdfqf2/ShWRjJ
+4HpJj1hbzraYTw==
+-----END CERTIFICATE-----
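Review bot: The public certificate is fine to version, but the same commit adds `credentials/http.keytab` (the binary hunk just before this one) and `credentials/idp-backchannel.p12` (the binary hunk that follows), and a Kerberos keytab and a PKCS#12 keystore paired with this .crt normally carry private key material. Once pushed, that material has to be treated as exposed: rotate the backchannel key pair and the HTTP service principal's keys, and keep `credentials/*.p12` and `credentials/*.keytab` out of the repository (gitignore plus a secrets store) so the history does not carry them. If the commit title's "copy of 33test" means these are disposable test credentials, a short README in credentials/ saying so would stop them from being reused outside the test bed.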
diff --git a/credentials/idp-backchannel.p12 b/credentials/idp-backchannel.p12 new file mode 100644 index 0000000000000000000000000000000000000000..91a22fc6446391d5c94ef0c82689c6e4ca4eb525 GIT binary patch literal 2660 zcmY+Ec{~&TAIG=Zh7HXSxpLn$GR)n#5<+g4Icm+7b8T;X3j3eUSuPG1 z#!JsouXbKORxjA9c`nNT`VnitTo4Eh0F%JaWO++1NV8BkpT%AlZQSnrk9%*l0|&+4 zk10vIO`q^Zb&XR1t1cJ!G;GFI3Xm_Vl3Gi+d#&%i-8Vfo)E-p}9!_8H=odqyhlY33 z+a@Mc+usQh#w3nsVJTCX>Ye4(F(0o8ypZ6_A0I+85D!b*?(-JGEstyo$tBcGXTx6Z zJM=4;omrYb-2yL~O6v0kZ>d2e* zb~*6T1BBXB(w9fNR}54gW~!bP?w!T-swQ=}mySu-Bn!%jB`IvG>0B3nm}1aLmqj9H z?zE&|8n0C^Qn3k}P8jBbojEtckCte?3@uO)x5g!0ayNIU{^A?ll^k!5wLK;P(JUWI zet+$mrLVF{JnZV*eVSeLiyu9h)t7Ro5xI6|X2!?GVKppb?@`-#C>1h|o_E1QR=qhl z+fGvSHZB*LX63r70P}Q9CR`3q*vSLh-iT^yQBB}8Lv-NQPu*Zq4dZj^splUE&Zw+E zf4-f)8S-b_naTT8(Z*jB_nq~I`!*n^qOn_$%m5O5adu7PPo58Ogquvy>GBhMc32&& zbg^jv+BAooK|_TjW*T+N-NCU3T^=uVDJFY~e*6ii^Nw|{do;KIs*;OEf3;yJdsQF| zsUC_9DnC3V01D~>bE`{EV(isI@@i*o;dVx0HduC|8IF;Td%)Z) zEQ-Vnzy^K>|MIkc5lP!u6XdE=3;Bgj1vL&#T=qKvO@{rdNbN0e4TP>v?w%e3D%@RK=SeU2uRf(!3-s z>rtLbi973*&%wLGuWAlX|A=4S?H7D7GjAPTnaeAuSl2&BS!we;(52gKtbWvG?rHu& zq2s|&8!p)bvf)gj#&AU%R$fY_()0!TZu+B>JFUraCHUm?PRAqv@-VOzs4>XGPbFFy z1`?OP@xwn(@!hg}O}%>pHd{42urhck0I4`-BKvV2{q$Ypw(5e(C+`wZw)AaQE8Y@8 z8eUaSzQSq(mWHIhJyy7zu{ju;uxKcHz+al0c9a(`sCz>RbJe`XsPgrdzr3zt!OjPo zTYQcfzFImgxsSE`$du1UmY}%K(i1O5M}9D(S8K)QTUb61o@j^K3Pr(SGl-hdQImL) z;)v>c)WhQ!TlGR8L9S*~c2n%%ccLs-dW@v>P2ux5M*D^aoe|ZeZ$4us^(_aRSjc2R_=-Mtk@9ca+sb5> z=Z(22X@{Xs|3gY%VQo`sV?Y4l0w4^a1-Jwt03tZ=c}~6X_dkH6h#VCF2>ClDaw>tN zbU5Dco=BAJzsp3lg~3SYfM9}*wk{f@tB=;>9Bq9LYw`ayaYH%yb>>+1ARvHKto}`a z{|98~Zy;}4^ABJ46f2Y$8EYKX&pYbBu9i@cu){cfM2ds5B(mS%0VI*Hqpyc#2cLjL$&^&8VQ+I?nS7Heu!1 z;oXw?(JVZxqQb zI1yRmaUPSHt*om2ay)fg&i9$s9X-D2^GCs6CQKed7-r(6UH$ye7)RAxJt)#1yXhy_ zEJ$Nkd%wH@j1LG8Daw~~=Ld^0nlzmfZ5<#5OInx+>3f|(?nJp|iH$BotSvL!?CN4{ z&NV5)J$T5uCxBJg)-Lr(p38aXi~vm;O7_G$jOI-v78_E!MtMjQ^w?q!@uJrfjx-SZbzq9XIa=X7S8q?im_OXuv zU&^<_GodE3{3)Vn=C{nss78P)^L_P7^>tChw{t(t#(hFM+1FE(<@ys{fn1Y*{JE<| 
z@6k^3^UuY~&Q1aDYZ}=o;qm*dcMm{^UlvtxIYQbi$*c+J#n7*_$M!Y9&t#Z|wwlX3 zl&IqB_77a7)@!)(RnL|UPQT7gwNf%TT~KGk8q-y(0=%a!rQ6?q&OIzf)$UkPP*SYf zBKGAx;W3<(6X+46jONrV$MWs7Gm9pd_LhM}yIPkcr9rAG*5(sVapz2ps%=LF!@o7$ zs?TcOKx8_-ei;O7-wk}dV|OCY>AVa7i$BCl%exsKL}t-cqMzv#Zr?BDtB&%RHLs%Q ztZ&i~;J#Tv`ydog#jWO+43`olWOl*)RT7Qd9hsvQm>v-13XOQ!4|C@=Ji6{Gzkrry`#l><$JRUQxs# znUz?USOL?Itj*5McG=ryDXA#|iA9OI#U%_((N56}0zg5Ky{ReA z`FSO&c_oDmbqq{C44egERgO97B@9A7APe+!67$magG-7s^U|$-K)y-L0ZN0^GglOp z7J&6Lx%@b5iDN+=O=v z^D9$-YleRC`=i9JST^nx*aYpE^Z(3^ypzvLU&?*|;I?!U+r-^9OVxXKlo!vvcE{RiQVOT;Gyg)Vu!vc* zKi|$Us!-&d=@a