initial commit for 5.0 default files

docker · Oct 12, 2023 · 53828be · 53828be
1 parent 54b4708
commit 53828be
Showing 58 changed files with 2,098 additions and 1,089 deletions.
diff --git a/conf/access-control.xml b/conf/access-control.xml
@@ -47,7 +47,7 @@
         <entry key="AccessByAttribute">
             <bean parent="shibboleth.PredicateAccessControl">
                 <constructor-arg>
-                    <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
+                    <bean parent="shibboleth.Conditions.SimpleAttribute">
                         <property name="attributeValueMap">
                             <map>
                                 <entry key="eduPersonEntitlement">

diff --git a/conf/admin/admin.properties b/conf/admin/admin.properties
@@ -4,52 +4,86 @@
 #idp.status.accessPolicy = AccessByIPAddress
 #idp.status.authenticated = false
 #idp.status.nonBrowserSupported = false
+#idp.status.defaultAuthenticationMethods =
 #idp.status.resolveAttributes = false
+#idp.status.postAuthenticationFlows =
 
 #idp.reload.logging = Reload
 #idp.reload.accessPolicy = AccessByIPAddress
 #idp.reload.authenticated = false
 #idp.reload.nonBrowserSupported = false
+#idp.reload.defaultAuthenticationMethods =
 #idp.reload.resolveAttributes = false
+#idp.reload.postAuthenticationFlows =
 
 #idp.resolvertest.logging = ResolverTest
 #idp.resolvertest.accessPolicy = AccessByIPAddress
 #idp.resolvertest.authenticated = false
 #idp.resolvertest.nonBrowserSupported = false
+#idp.resolvertest.defaultAuthenticationMethods =
 #idp.resolvertest.resolveAttributes = false
+#idp.resolvertest.postAuthenticationFlows =
+
+#idp.dumpconfig.logging = DumpConfig
+#idp.dumpconfig.accessPolicy = AccessByIPAddress
+#idp.dumpconfig.authenticated = false
+#idp.dumpconfig.nonBrowserSupported = false
+#idp.dumpconfig.defaultAuthenticationMethods =
+#idp.dumpconfig.resolveAttributes = false
+#idp.dumpconfig.postAuthenticationFlows =
 
 #idp.mdquery.logging = MetadataQuery
 #idp.mdquery.accessPolicy = AccessByIPAddress
 #idp.mdquery.authenticated = false
 #idp.mdquery.nonBrowserSupported = false
+#idp.mdquery.defaultAuthenticationMethods =
 #idp.mdquery.resolveAttributes = false
+#idp.mdquery.postAuthenticationFlows =
 
 #idp.metrics.logging = Metrics
 #idp.metrics.authenticated = false
 #idp.metrics.nonBrowserSupported = false
+#idp.metrics.defaultAuthenticationMethods =
 #idp.metrics.resolveAttributes = false
+#idp.metrics.postAuthenticationFlows =
 # See admin/metrics.xml for other configuration
 
 #idp.hello.logging = Hello
 #idp.hello.accessPolicy = AccessByAdminUser
 #idp.hello.authenticated = true
 #idp.hello.nonBrowserSupported = false
+#idp.hello.defaultAuthenticationMethods =
 #idp.hello.resolveAttributes = true
+#idp.hello.postAuthenticationFlows =
 
 #idp.lockout.logging = Lockout
 #idp.lockout.accessPolicy = AccessDenied
 #idp.lockout.authenticated = false
 #idp.lockout.nonBrowserSupported = false
+#idp.lockout.defaultAuthenticationMethods =
 #idp.lockout.resolveAttributes = false
+#idp.lockout.postAuthenticationFlows =
+
+#idp.revocation.logging = Revocation
+#idp.revocation.accessPolicy = AccessDenied
+#idp.revocation.authenticated = false
+#idp.revocation.nonBrowserSupported = false
+#idp.revocation.defaultAuthenticationMethods =
+#idp.revocation.resolveAttributes = false
+#idp.revocation.postAuthenticationFlows =
 
 #idp.storage.logging = Storage
 #idp.storage.accessPolicy = AccessDenied
 #idp.storage.authenticated = false
 #idp.storage.nonBrowserSupported = false
+#idp.storage.defaultAuthenticationMethods =
 #idp.storage.resolveAttributes = false
+#idp.storage.postAuthenticationFlows =
 
 #idp.unlock-keys.logging = UnlockKeys
 #idp.unlock-keys.accessPolicy = AccessDenied
 #idp.unlock-keys.authenticated = true
 #idp.unlock-keys.nonBrowserSupported = false
+#idp.unlock-keys.defaultAuthenticationMethods =
 #idp.unlock-keys.resolveAttributes = false
+#idp.unlock-keys.postAuthenticationFlows =
diff --git a/conf/admin/metrics.xml b/conf/admin/metrics.xml
@@ -31,6 +31,10 @@
                 <ref bean="shibboleth.metrics.AttributeFilterGaugeSet" />
                 <ref bean="shibboleth.metrics.CASServiceRegistryGaugeSet" />
                 <ref bean="shibboleth.metrics.ManagedBeanGaugeSet" />
+                <ref bean="shibboleth.metrics.ModuleGaugeSet" />
+
+                <!-- Note that this accesses remote "state" regarding IdP and plugin updates. -->
+                <ref bean="shibboleth.metrics.InstallableComponents" />
 
                 <!--
                 <bean class="com.codahale.metrics.jvm.CachedThreadStatesGaugeSet"
@@ -55,6 +59,7 @@
     <util:map id="shibboleth.metrics.MetricGroups">
         <entry key="core" value-ref="shibboleth.metrics.CoreGaugeSet" />
         <entry key="idp" value-ref="shibboleth.metrics.IdPGaugeSet" />
+        <entry key="updates" value-ref="shibboleth.metrics.InstallableComponents" />
         <entry key="logging" value-ref="shibboleth.metrics.LoggingGaugeSet" />
         <entry key="access" value-ref="shibboleth.metrics.AccessControlGaugeSet" />
         <entry key="metadata" value-ref="shibboleth.metrics.MetadataGaugeSet" />

diff --git a/conf/attribute-filter.xml b/conf/attribute-filter.xml
@@ -14,6 +14,14 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
 
+
+    <!-- Release home org signifier to everybody. -->
+    <AttributeFilterPolicy id="alwaysRelease">
+        <PolicyRequirementRule xsi:type="ANY" />
+
+        <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
+    </AttributeFilterPolicy>
+
     <!--
     Example rule relying on a locally applied tag in metadata to trigger attribute
     release of some specific attributes. Add additional attributes as desired.

diff --git a/conf/attribute-resolver.xml b/conf/attribute-resolver.xml
@@ -66,7 +66,10 @@ list of possible components and their options.
     <!--      Data Connectors                       -->
     <!-- ========================================== -->
 
-    <DataConnector id="staticAttributes" xsi:type="Static">
+    <DataConnector id="staticAttributes" xsi:type="Static" exportAttributes="schacHomeOrganization">
+        <Attribute id="schacHomeOrganization">
+            <Value>%{idp.scope}</Value>
+        </Attribute>
         <Attribute id="affiliation">
             <Value>member</Value>
         </Attribute>

diff --git a/conf/attributes/default-rules.xml b/conf/attributes/default-rules.xml
@@ -23,6 +23,7 @@
     <import resource="inetOrgPerson.xml" />
     <import resource="eduPerson.xml" />
     <import resource="eduCourse.xml" />
+    <import resource="schac.xml" />
     <import resource="samlSubject.xml" />
 
 </beans>
diff --git a/conf/attributes/eduCourse.xml b/conf/attributes/eduCourse.xml
@@ -12,6 +12,13 @@
        default-init-method="initialize"
        default-destroy-method="destroy">
 
+    <!--
+    Note that all built-in rules rely on URI-naming and thus include the implied settings:
+    
+    <prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</prop>
+    <prop key="saml1.namespace">urn:mace:shibboleth:1.0:attributeNamespace:uri</prop>
+    -->
+
     <bean parent="shibboleth.TranscodingRuleLoader">
     <constructor-arg>
     <list>