initial 4.1 config

README.md

@@ -14,3 +14,4 @@ to complete a deployment.
     * Internal Testing - (TEST) branch/repo that uses the "test bed" which is something that I2 provides (LDAP) and an element to make all integrations.  Appropriate for Jenkins and testing environments
   * `release` branch
     * External Testing - (RELEASE) branch/repo (ultimately will live in Subversion?) for end users
+

conf/access-control.xml

@@ -34,7 +34,7 @@
         </entry>
 
         <!--
-        <entry key="AccessByUser">
+        <entry key="AccessByAdminUser">
             <bean parent="shibboleth.PredicateAccessControl">
                 <constructor-arg>
                     <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />

conf/admin/admin.properties

@@ -0,0 +1,55 @@
+# Configure properties controlling administrative features
+
+#idp.status.logging = Status
+#idp.status.accessPolicy = AccessByIPAddress
+#idp.status.authenticated = false
+#idp.status.nonBrowserSupported = false
+#idp.status.resolveAttributes = false
+
+#idp.reload.logging = Reload
+#idp.reload.accessPolicy = AccessByIPAddress
+#idp.reload.authenticated = false
+#idp.reload.nonBrowserSupported = false
+#idp.reload.resolveAttributes = false
+
+#idp.resolvertest.logging = ResolverTest
+#idp.resolvertest.accessPolicy = AccessByIPAddress
+#idp.resolvertest.authenticated = false
+#idp.resolvertest.nonBrowserSupported = false
+#idp.resolvertest.resolveAttributes = false
+
+#idp.mdquery.logging = MetadataQuery
+#idp.mdquery.accessPolicy = AccessByIPAddress
+#idp.mdquery.authenticated = false
+#idp.mdquery.nonBrowserSupported = false
+#idp.mdquery.resolveAttributes = false
+
+#idp.metrics.logging = Metrics
+#idp.metrics.authenticated = false
+#idp.metrics.nonBrowserSupported = false
+#idp.metrics.resolveAttributes = false
+# See admin/metrics.xml for other configuration
+
+#idp.hello.logging = Hello
+#idp.hello.accessPolicy = AccessByAdminUser
+#idp.hello.authenticated = true
+#idp.hello.nonBrowserSupported = false
+#idp.hello.resolveAttributes = true
+
+#idp.lockout.logging = Lockout
+#idp.lockout.accessPolicy = AccessDenied
+#idp.lockout.authenticated = false
+#idp.lockout.nonBrowserSupported = false
+#idp.lockout.resolveAttributes = false
+
+#idp.storage.logging = Storage
+#idp.storage.accessPolicy = AccessDenied
+#idp.storage.authenticated = false
+#idp.storage.nonBrowserSupported = false
+#idp.storage.resolveAttributes = false
+
+#idp.unlock-keys.logging = UnlockKeys
+#idp.unlock-keys.accessPolicy = AccessDenied
+#idp.unlock-keys.authenticated = true
+#idp.unlock-keys.nonBrowserSupported = false
+#idp.unlock-keys.resolveAttributes = false

conf/admin/metrics.xml

@@ -26,6 +26,7 @@
                 <ref bean="shibboleth.metrics.MetadataGaugeSet" />
                 <ref bean="shibboleth.metrics.NameIdentifierGaugeSet" />
                 <ref bean="shibboleth.metrics.RelyingPartyGaugeSet" />
+                <ref bean="shibboleth.metrics.AttributeRegistryGaugeSet" />
                 <ref bean="shibboleth.metrics.AttributeResolverGaugeSet" />
                 <ref bean="shibboleth.metrics.AttributeFilterGaugeSet" />
                 <ref bean="shibboleth.metrics.CASServiceRegistryGaugeSet" />
@@ -59,12 +60,20 @@
         <entry key="metadata" value-ref="shibboleth.metrics.MetadataGaugeSet" />
         <entry key="nameid" value-ref="shibboleth.metrics.NameIdentifierGaugeSet" />
         <entry key="relyingparty" value-ref="shibboleth.metrics.RelyingPartyGaugeSet" />
+        <entry key="registry" value-ref="shibboleth.metrics.AttributeRegistryGaugeSet" />
         <entry key="resolver" value-ref="shibboleth.metrics.AttributeResolverGaugeSet" />
         <entry key="filter" value-ref="shibboleth.metrics.AttributeFilterGaugeSet" />
         <entry key="cas" value-ref="shibboleth.metrics.CASServiceRegistryGaugeSet" />
         <entry key="bean" value-ref="shibboleth.metrics.ManagedBeanGaugeSet" />
     </util:map>
-
+
+    <!-- Add any desired properties into set to expose them as IdP metrics. -->
+    <!--
+    <util:set id="shibboleth.metrics.ExposedProperties">
+        <value>idp.entityID</value>
+    </util:set>
+    -->
+
     <!-- If you don't specify an alternate access policy, this named policy will be enforced. -->
     <bean id="shibboleth.metrics.DefaultAccessPolicy" class="java.lang.String" c:_0="AccessByIPAddress" />
 

conf/attribute-resolver.xml

@@ -1,17 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!-- 
-    This file is an EXAMPLE configuration file. While the configuration
-    presented in this example file is semi-functional, it isn't very
-    interesting. It is here only as a starting point for your deployment
-    process.
-    
-    Very few attribute definitions and data connectors are demonstrated,
-    and the data is derived statically from the logged-in username and a
-    static example connector.
+This file is a rudimentary example. While it is semi-functional, it isn't very
+interesting. It is here only as a starting point for your deployment process
+to avoid any dependency on components like an LDAP directory.
 
-    Attribute-resolver-full.xml contains more examples of attributes,
-    encoders, and data connectors. Deployers should refer to the Shibboleth
-    documentation for a complete list of components and their options.
+Very few attribute definitions and data connectors are demonstrated, and the
+data is derived statically from the logged-in username and a static example
+connector.
+
+The file(s) in the examples directory contain more examples that involve more
+complex approaches. Deployers should refer to the documentation for a complete
+list of possible components and their options.
 -->
 <AttributeResolver
         xmlns="urn:mace:shibboleth:2.0:resolver" 

conf/attributes/inetOrgPerson.xml

@@ -447,8 +447,8 @@
                 <props merge="true">
                     <prop key="id">telephoneNumber</prop>
                     <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
-                    <prop key="saml2.name">urn:mace:dir:attribute-def:telephoneNumber</prop>
-                    <prop key="saml1.name">urn:oid:2.5.4.20</prop>
+                    <prop key="saml2.name">urn:oid:2.5.4.20</prop>
+                    <prop key="saml1.name">urn:mace:dir:attribute-def:telephoneNumber</prop>
                     <prop key="displayName.en">Business phone number</prop>
                     <prop key="displayName.de">Telefon Geschäft</prop>
                     <prop key="displayName.fr">Teléphone professionnel</prop>

conf/audit.xml

@@ -19,7 +19,7 @@
 
     <!-- Override the format of date/time fields in the log and/or convert to default time zone. -->
     <!--
-    <bean id="shibboleth.AuditDateTimeFormat" class="java.lang.String" c:_0="YYYY-MM-dd'T'HH:mm:ss.SSSZZ" />
+    <bean id="shibboleth.AuditDateTimeFormat" class="java.lang.String" c:_0="yyyy-MM-dd'T'HH:mm:ss.SSSZZ" />
     <util:constant id="shibboleth.AuditDefaultTimeZone" static-field="java.lang.Boolean.TRUE" />
     -->
 

conf/authn/authn-comparison.xml

@@ -12,62 +12,33 @@
        default-destroy-method="destroy">
 
     <!--
-    These beans can be used in the AuthnComparisonRules map below instead of the defaults to
-    support more advanced matching rules. The top example shows how to configure a matching rule,
-    in this case a rule that the two listed classes are "better" than the password class.
-    
-    To use these beans, configure the matchingRules map as desired, and then reference the bean id in the
-    desired value-ref slot in the AuthnComparisonRules map.
+    This is a map used to "weight" particular methods above others if the IdP has to randomly select one
+    to insert into a SAML authentication statement. The typical use shown below is to bias the IdP in favor
+    of expressing the SAML 2 PasswordProtectedTransport class over the more vanilla Password class on the
+    assumption that the IdP doesn't accept passwords via an insecure channel. This map never causes the IdP
+    to violate its matching rules if an RP requests a particular value; it only matters when nothing specific
+    is chosen. Anything not in the map has a weight of zero.
     -->
 
-    <bean id="shibboleth.BetterClassRefMatchFactory" parent="shibboleth.InexactMatchFactory">
-        <!--
-        <property name="matchingRules">
-            <map>
-                <entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:Password">
-                    <list>
-                        <value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value>
-                        <value>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</value>
-                    </list>
-                </entry>
-            </map>
-        </property>
-        -->
-    </bean>
-
-    <bean id="shibboleth.MinimumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
-
-    <bean id="shibboleth.MaximumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
+    <util:map id="shibboleth.AuthenticationPrincipalWeightMap">
+        <entry>
+            <key>
+                <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                    c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
+            </key>
+            <value>1</value>
+        </entry>
+    </util:map>
 
-    <!-- DeclRefs are rarely used in SAML, so you likely won't bother with these. -->
-    <bean id="shibboleth.BetterDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
-    <bean id="shibboleth.MinimumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
-    <bean id="shibboleth.MaximumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
-
-
-    <!-- Registry of matching rules. -->
-
+    <!--
+    Uncomment and add entries to this map to support "inexact" SAML RequestedAuthnContext operators.
+    Please refer to the AuthenticationFlowSelection documentation topic for details and examples. 
+    -->
+    <!--
     <util:map id="shibboleth.AuthnComparisonRules">
-
-        <!-- Exact matching, should be left alone to avoid tricking the IdP into behaving incorrectly. -->
-        <entry key-ref="shibboleth.SAMLAuthnMethodExact" value-ref="shibboleth.ExactMatchFactory"/>
-        <entry key-ref="shibboleth.SAMLACClassRefExact" value-ref="shibboleth.ExactMatchFactory"/>
-        <entry key-ref="shibboleth.SAMLACDeclRefExact" value-ref="shibboleth.ExactMatchFactory"/>
-
-        <!-- Minimum matching, leave to allow degeneration into exact, or replace with custom rules. -->
-        <entry key-ref="shibboleth.SAMLACClassRefMinimum" value-ref="shibboleth.ExactMatchFactory"/>
-        <entry key-ref="shibboleth.SAMLACDeclRefMinimum" value-ref="shibboleth.ExactMatchFactory"/>
-
-        <!-- Maximum matching, leave to allow degeneration into exact, or replace with custom rules. -->
-        <entry key-ref="shibboleth.SAMLACClassRefMaximum" value-ref="shibboleth.ExactMatchFactory"/>
-        <entry key-ref="shibboleth.SAMLACDeclRefMaximum" value-ref="shibboleth.ExactMatchFactory"/>
-
-        <!-- Better matching, refers to empty ruleset that has to be populated to work. -->
-        <entry key-ref="shibboleth.SAMLACClassRefBetter" value-ref="shibboleth.BetterClassRefMatchFactory"/>
-        <entry key-ref="shibboleth.SAMLACDeclRefBetter" value-ref="shibboleth.BetterDeclRefMatchFactory"/>
-
     </util:map>
-
+    -->
+
     <!-- List of context classes or declarations to ignore if an SP requests them. -->
 
     <util:list id="shibboleth.IgnoredContexts">