diff --git a/README.md b/README.md index 8fe42b3..dc2e6bd 100644 --- a/README.md +++ b/README.md @@ -14,3 +14,4 @@ to complete a deployment. * Internal Testing - (TEST) branch/repo that uses the "test bed" which is something that I2 provides (LDAP) and an element to make all integrations. Appropriate for Jenkins and testing environments * `release` branch * External Testing - (RELEASE) branch/repo (ultimately will live in Subversion?) for end users + diff --git a/conf/access-control.xml b/conf/access-control.xml index a9184e6..3853722 100644 --- a/conf/access-control.xml +++ b/conf/access-control.xml @@ -34,7 +34,7 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/conf/admin/metrics.xml b/conf/admin/metrics.xml index fccf419..208ab6b 100644 --- a/conf/admin/metrics.xml +++ b/conf/admin/metrics.xml @@ -26,6 +26,7 @@ + @@ -59,12 +60,20 @@ + - + + + + diff --git a/conf/attribute-resolver.xml b/conf/attribute-resolver.xml index 0ee236b..8d16a59 100644 --- a/conf/attribute-resolver.xml +++ b/conf/attribute-resolver.xml @@ -1,17 +1,16 @@ telephoneNumber SAML2StringTranscoder SAML1StringTranscoder - urn:mace:dir:attribute-def:telephoneNumber - urn:oid:2.5.4.20 + urn:oid:2.5.4.20 + urn:mace:dir:attribute-def:telephoneNumber Business phone number Telefon Geschäft Teléphone professionnel diff --git a/conf/audit.xml b/conf/audit.xml index a9faf4c..42d82b8 100644 --- a/conf/audit.xml +++ b/conf/audit.xml @@ -19,7 +19,7 @@ diff --git a/conf/authn/authn-comparison.xml b/conf/authn/authn-comparison.xml index dcf0271..0730bcb 100644 --- a/conf/authn/authn-comparison.xml +++ b/conf/authn/authn-comparison.xml @@ -12,62 +12,33 @@ default-destroy-method="destroy"> - - - - - - - + + + + + + 1 + + - - - - - - - - + + - - - - - - - - - - - - - - - - - + --> + diff --git a/conf/authn/authn.properties b/conf/authn/authn.properties new file mode 100644 index 0000000..56111ef --- /dev/null +++ b/conf/authn/authn.properties 
@@ -0,0 +1,213 @@
+# Properties that control authentication generally and the behavior of
+# specific methods.
+
+# Regular expression matching login flows to enable, e.g. IPAddress|Password
+#idp.authn.flows = Password
+
+# Default settings for most authentication methods.
+#idp.authn.defaultLifetime = PT1H
+#idp.authn.defaultTimeout = PT30M
+#idp.authn.proxyRestrictionsEnforced = true
+
+# Whether to populate relying party user interface information for display
+# during authentication, consent, terms-of-use.
+#idp.authn.rpui = true
+
+# Whether to prioritize "active" results when an SP requests more than
+# one possible matching login method (V2 behavior was to favor them)
+#idp.authn.favorSSO = false
+
+# Whether to fail requests when a user identity after authentication
+# doesn't match the identity in a pre-existing session.
+#idp.authn.identitySwitchIsError = false
+
+# If using IdP discovery feature, provides a discovery location to use.
+#idp.authn.discoveryURL = https://ds.example.org/shibboleth-ds/index.html
+
+# Properties below override specific method behavior, as an alternative
+# to defining Spring beans in XML. Refer to the documentation for a complete
+# list. Many of the properties below are mentioned only because they are
+# atypical defaults assumed for a given method.
+
+# Flow selection among multiple equivalent options can be managed with
+# the order properties, lower will be tried first.
+
+#### Password ####
+
+#idp.authn.Password.order = 1000
+#idp.authn.Password.passiveAuthenticationSupported = true
+#idp.authn.Password.forcedAuthenticationSupported = true
+# Override this and removeAfterValidation to require all validators to succeed
+#idp.authn.Password.requireAll = false
+# Override to keep the password around
+#idp.authn.Password.removeAfterValidation = true
+# Override to store password in Java Subject
+#idp.authn.Password.retainAsPrivateCredential = false
+# Simple username transforms before validation
+#idp.authn.Password.trim = true
+#idp.authn.Password.lowercase = false
+#idp.authn.Password.uppercase = false
+#idp.authn.Password.matchExpression =
+# Override default form field names
+#idp.authn.Password.usernameFieldName = j_username
+#idp.authn.Password.passwordFieldName = j_password
+#idp.authn.Password.ssoBypassFieldName = donotcache
+# Unset if using customized Principals per validator
+#idp.authn.Password.addDefaultPrincipals = true
+# The Principal collection below is the typical default if not otherwise noted.
+#idp.authn.Password.supportedPrincipals = \
+# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
+# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
+# saml1/urn:oasis:names:tc:SAML:1.0:am:password
+# Validators are controlled in password-authn-config.xml
+
+#### Password Backends ####
+
+# See ldap.properties for LDAP authn properties
+# Kerberos settings
+#idp.authn.Krb5.refreshConfig = false
+#idp.authn.Krb5.preserveTicket = false
+# Set next two for KDC verification
+#idp.authn.Krb5.servicePrincipal =
+#idp.authn.Krb5.keytab =
+# JAAS settings
+#idp.authn.JAAS.loginConfigNames = ShibUserPassAuth
+#idp.authn.JAAS.loginConfig = %{idp.home}/conf/authn/jaas.config
+
+#### External ####
+
+#idp.authn.External.order = 1000
+#idp.authn.External.nonBrowserSupported = false
+#idp.authn.External.matchExpression =
+# Unset if you plan to return full Java Subject from external source
+#idp.authn.External.addDefaultPrincipals = true
+# Servlet context-relative path to wherever your implementation lives
+idp.authn.External.externalAuthnPath = contextRelative:external.jsp
+
+#### RemoteUser ####
+
+#idp.authn.RemoteUser.order = 1000
+#idp.authn.RemoteUser.nonBrowserSupported = false
+#idp.authn.RemoteUser.matchExpression =
+# Unset in most cases only if using the authnMethodHeader or
+# subjectAttribute settings
+#idp.authn.RemoteUser.addDefaultPrincipals = true
+# Most other settings need to be supplied via web.xml to the servlet
+
+#### RemoteUserInternal ####
+
+#idp.authn.RemoteUserInternal.order = 1000
+#idp.authn.RemoteUserInternal.nonBrowserSupported = true
+# Unset in most cases only if using the authnMethodHeader feature
+#idp.authn.RemoteUserInternal.addDefaultPrincipals = true
+#idp.authn.RemoteUserInternal.checkRemoteUser = true
+# Comma-delimited lists of attributes or headers to pull from
+#idp.authn.RemoteUserInternal.checkAttributes =
+#idp.authn.RemoteUserInternal.checkHeaders =
+# Simple transforms to apply
+#idp.authn.RemoteUserInternal.trim = true
+#idp.authn.RemoteUserInternal.lowercase = false
+#idp.authn.RemoteUserInternal.uppercase = false
+#idp.authn.RemoteUserInternal.matchExpression =
+#idp.authn.RemoteUserInternal.allowedUsernames =
+#idp.authn.RemoteUserInternal.deniedUsernames =
+
+#### SPNEGO ####
+
+#idp.authn.SPNEGO.order = 1000
+#idp.authn.SPNEGO.nonBrowserSupported = false
+#idp.authn.SPNEGO.enforceRun = false
+#idp.authn.SPNEGO.refreshKrbConfig = false
+#idp.authn.SPNEGO.matchExpression =
+idp.authn.SPNEGO.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, \
+ saml1/urn:ietf:rfc:1510
+
+#### X509 ####
+
+#idp.authn.X509.order = 1000
+#idp.authn.X509.nonBrowserSupported = false
+# Servlet context-relative path to wherever your implementation lives
+#idp.authn.X509.externalAuthnPath = contextRelative:x509-prompt.jsp
+idp.authn.X509.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
+ saml1/urn:ietf:rfc:2246
+
+#### X509Internal ####
+
+#idp.authn.X509Internal.order = 1000
+#idp.authn.X509Internal.nonBrowserSupported = false
+#idp.authn.X509Internal.saveCertificateToCredentialSet = true
+idp.authn.X509Internal.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
+ saml1/urn:ietf:rfc:2246
+
+#### IPAddress ####
+
+#idp.authn.IPAddress.order = 1000
+#idp.authn.IPAddress.passiveAuthenticationSupported = true
+#idp.authn.IPAddress.lifetime = PT60S
+#idp.authn.IPAddress.inactivityTimeout = PT60S
+idp.authn.IPAddress.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol
+
+#### Function ####
+
+#idp.authn.Function.order = 1000
+#idp.authn.Function.passiveAuthenticationSupported = true
+# Unset if you plan to return full Java Subject from function
+#idp.authn.Function.addDefaultPrincipals = true
+
+#### Duo ####
+
+#idp.authn.Duo.order = 1000
+#idp.authn.Duo.nonBrowserSupported = false
+#idp.authn.Duo.forcedAuthenticationSupported = true
+# Unset if you have advanced Duo integrations with individualized Principals
+#idp.authn.Duo.addDefaultPrincipals = true
+# The list below should be changed to reflect whatever locally- or
+# community-defined values are appropriate to represent Duo. It is
+# strongly advised that the value not be specific to Duo or any
+# particular technology to avoid lock-in.
+idp.authn.Duo.supportedPrincipals = \
+ saml2/http://example.org/ac/classes/mfa, \
+ saml1/http://example.org/ac/classes/mfa
+# Default Duo integration settings are defined separately
+# in duo.properties due to the sensitivity of the secret key.
+
+
+#### SAML ####
+
+#idp.authn.SAML.order = 1000
+#idp.authn.SAML.nonBrowserSupported = false
+#idp.authn.SAML.passiveAuthenticationSupported = true
+#idp.authn.SAML.forcedAuthenticationSupported = true
+#idp.authn.SAML.proxyScopingEnforced = true
+# Discovery options:
+# Define shibboleth.authn.SAML.discoveryFunction bean
+# Set proxyEntityID property
+# Fall through to discovery via discoveryRequired property
+#idp.authn.SAML.proxyEntityID = https://idp.example.org/idp/shibboleth
+#idp.authn.SAML.discoveryRequired = true
+# Generally left false with bidirectional mappings in
+# conf/authn/authn-comparison.xml across the proxy boundary.
+#idp.authn.SAML.addDefaultPrincipals = false
+
+#### MFA ####
+
+#idp.authn.MFA.order = 1000
+#idp.authn.MFA.passiveAuthenticationSupported = true
+#idp.authn.MFA.forcedAuthenticationSupported = true
+#idp.authn.MFA.validateLoginTransitions = true
+# The list below almost certainly requires changes, and should generally be the
+# union of any of the separate factors you combine in your particular MFA flow
+# rules. The example corresponds to the example in mfa-authn-config.xml that
+# combines IPAddress with Password.
+idp.authn.MFA.supportedPrincipals = \ + saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \ + saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \ + saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \ + saml1/urn:oasis:names:tc:SAML:1.0:am:password +# Most actual setup via mfa-authn-config.xml diff --git a/conf/authn/discovery-config.xml b/conf/authn/discovery-config.xml deleted file mode 100644 index e21e3fd..0000000 --- a/conf/authn/discovery-config.xml +++ /dev/null @@ -1,34 +0,0 @@ - - - - - - - - - - - diff --git a/conf/authn/duo-authn-config.xml b/conf/authn/duo-authn-config.xml deleted file mode 100644 index 2867f48..0000000 --- a/conf/authn/duo-authn-config.xml +++ /dev/null @@ -1,29 +0,0 @@ - - - - - - diff --git a/conf/authn/duo.properties b/conf/authn/duo.properties deleted file mode 100644 index cb4b4aa..0000000 --- a/conf/authn/duo.properties +++ /dev/null 
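Review bot: The Duo comment `# Default Duo integration settings are defined separately` / `# in duo.properties due to the sensitivity of the secret key.` sends the reader to `conf/authn/duo.properties`, which this same commit deletes (its `deleted file mode` entry follows this hunk), and the commented `#idp.authn.JAAS.loginConfig = %{idp.home}/conf/authn/jaas.config` likewise points at a `conf/authn/jaas.config` removed further down. Either keep a secret-free `duo.properties` in the tree or reword the comment to say where the integration keys are now expected to come from, e.g. `# Duo integration keys are deliberately not in this file; load them from a separately protected properties file and never commit them.`. The uncommented `idp.authn.Duo.supportedPrincipals` still carries the placeholders `saml2/http://example.org/ac/classes/mfa` and `saml1/http://example.org/ac/classes/mfa`, which are presumably what the flow will report as its authentication context until someone replaces them; the existing comment says the list "should be changed" but not that the shipped values are placeholders, which is worth stating outright.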
@@ -1,30 +0,0 @@ -## Duo integration settings - -## Note: If upgrading from pre-3.3 IdP versions, you will need to manually add a pointer -## to this property file to idp.properties. - -## The first set of properties support DuoWeb "iframe" integration. - -idp.duo.apiHost = hostname -idp.duo.applicationKey = key -idp.duo.integrationKey = key -idp.duo.secretKey = key - -## The second set are used for direct AuthAPI usage for ECP support. -## A seperate integration has to be created for this to work. - -#idp.duo.nonbrowser.apiHost = %{idp.duo.apiHost} -#idp.duo.nonbrowser.applicationKey = key -#idp.duo.nonbrowser.integrationKey = key -#idp.duo.nonbrowser.secretKey = key - -## Request header names for Duo non-browser credentials. -# idp.duo.nonbrowser.header.factor = X-Shibboleth-Duo-Factor -# idp.duo.nonbrowser.header.device = X-Shibboleth-Duo-Device -# idp.duo.nonbrowser.header.passcode = X-Shibboleth-Duo-Passcode - -## Enables auto selection of factor/device if not specified by client. -# idp.duo.nonbrowser.auto = true - -## Enables transmission of client address to Duo during authentication. -# idp.duo.nonbrowser.clientAddressTrusted = true diff --git a/conf/authn/external-authn-config.xml b/conf/authn/external-authn-config.xml deleted file mode 100644 index 9d6652a..0000000 --- a/conf/authn/external-authn-config.xml +++ /dev/null @@ -1,70 +0,0 @@ - - - - - - - - - - - - - - - - - - UnknownUsername - - - - - InvalidPassword - - - - - ExpiredPassword - - - - - ExpiringPassword - - - - - diff --git a/conf/authn/function-authn-config.xml b/conf/authn/function-authn-config.xml deleted file mode 100644 index cf7876a..0000000 --- a/conf/authn/function-authn-config.xml +++ /dev/null @@ -1,37 +0,0 @@ - - - - - - - - - - - - - - - - diff --git a/conf/authn/general-authn.xml b/conf/authn/general-authn.xml deleted file mode 100644 index b936f97..0000000 --- a/conf/authn/general-authn.xml +++ /dev/null 
@@ -1,173 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - - diff --git a/conf/authn/ipaddress-authn-config.xml b/conf/authn/ipaddress-authn-config.xml deleted file mode 100644 index a3ee096..0000000 --- a/conf/authn/ipaddress-authn-config.xml +++ /dev/null @@ -1,37 +0,0 @@ - - - - - - - - - - - - - - - diff --git a/conf/authn/jaas-authn-config.xml b/conf/authn/jaas-authn-config.xml deleted file mode 100644 index 7edd41c..0000000 --- a/conf/authn/jaas-authn-config.xml +++ /dev/null @@ -1,25 +0,0 @@ - - - - - - - - - - - ShibUserPassAuth - - - diff --git a/conf/authn/jaas.config b/conf/authn/jaas.config deleted file mode 100644 index 232e93d..0000000 --- a/conf/authn/jaas.config +++ /dev/null @@ -1,11 +0,0 @@ -ShibUserPassAuth { - /* - com.sun.security.auth.module.Krb5LoginModule required; - */ - - org.ldaptive.jaas.LdapLoginModule required - ldapUrl="ldap://localhost:10389" - baseDn="ou=people,dc=example,dc=org" - userFilter="uid={user}"; - -}; \ No newline at end of file diff --git a/conf/authn/krb5-authn-config.xml b/conf/authn/krb5-authn-config.xml deleted file mode 100644 index f826f30..0000000 --- a/conf/authn/krb5-authn-config.xml +++ /dev/null @@ -1,29 +0,0 @@ - - - - - - - - - - - diff --git a/conf/authn/ldap-authn-config.xml b/conf/authn/ldap-authn-config.xml deleted file mode 100644 index 22a760b..0000000 --- a/conf/authn/ldap-authn-config.xml +++ /dev/null @@ -1,32 +0,0 @@ - - - - - - - - - - - - - - - - diff --git a/conf/authn/mfa-authn-config.xml b/conf/authn/mfa-authn-config.xml deleted file mode 100644 index 3bfbcbb..0000000 --- a/conf/authn/mfa-authn-config.xml +++ /dev/null @@ -1,78 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/conf/authn/password-authn-config.xml b/conf/authn/password-authn-config.xml index 73ac7f8..4529b6f 100644 
--- a/conf/authn/password-authn-config.xml +++ b/conf/authn/password-authn-config.xml @@ -13,34 +13,18 @@ default-destroy-method="destroy"> - - - + Ordered list of CredentialValidators to apply to a request. - + The four supplied variants are shown below; the HTPasswd option + is an OOB default for demo account purposes, and you will + want to remove it after initial install and testing. + --> + + + - - - - - - - - - - - - - - - - - @@ -58,7 +42,7 @@ p:lockoutDuration="PT5M" p:extendLockoutDuration="false" /> --> - + - - - - - - - - - - - - - - NoCredentials - - - - - UnknownUsername - - - - - InvalidPassword - - - - - ExpiredPassword - - - - - ExpiringPassword - - - - - diff --git a/conf/authn/remoteuser-internal-authn-config.xml b/conf/authn/remoteuser-internal-authn-config.xml deleted file mode 100644 index 9e68c85..0000000 --- a/conf/authn/remoteuser-internal-authn-config.xml +++ /dev/null @@ -1,63 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/conf/authn/saml-authn-config.xml b/conf/authn/saml-authn-config.xml deleted file mode 100644 index 4ff55f9..0000000 --- a/conf/authn/saml-authn-config.xml +++ /dev/null @@ -1,35 +0,0 @@ - - - - - - - - - - diff --git a/conf/authn/spnego-authn-config.xml b/conf/authn/spnego-authn-config.xml deleted file mode 100644 index 6c0fa48..0000000 --- a/conf/authn/spnego-authn-config.xml +++ /dev/null @@ -1,74 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SPNEGONotAvailable - - - - - NTLMUnsupported - - - - - diff --git a/conf/authn/x509-authn-config.xml b/conf/authn/x509-authn-config.xml deleted file mode 100644 index 18b015a..0000000 --- a/conf/authn/x509-authn-config.xml +++ /dev/null @@ -1,44 +0,0 @@ - - - - - - - - - - - - - NoCredentials - InvalidCredentials - - - - - diff --git a/conf/authn/x509-internal-authn-config.xml b/conf/authn/x509-internal-authn-config.xml deleted file mode 100644 index bad3029..0000000 
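Review bot: The new comment in the first hunk (`@@ -13,34 +13,18 @@`) says the HTPasswd validator is an out-of-the-box default "for demo account purposes" that the deployer "will want to remove after initial install and testing", but nothing in the configuration enforces that, and the validator definition itself did not survive extraction here, so I cannot tell whether it is wired in by default. Given the README's split between a TEST branch and a `release` branch "for end users", a demo-account validator should not be present in the release branch at all; if it must stay in the shared file, gate it on a deployer-set property that defaults to off and name that property in this comment rather than relying on a manual cleanup step. The comment should also say where the htpasswd file lives so the cleanup is actually possible. The enclosing `<util:list>` (or equivalent) begins outside the visible text of this hunk.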
--- a/conf/authn/x509-internal-authn-config.xml +++ /dev/null @@ -1,21 +0,0 @@ - - - - - - diff --git a/conf/c14n/attribute-sourced-subject-c14n-config.xml b/conf/c14n/attribute-sourced-subject-c14n-config.xml deleted file mode 100644 index 938b30f..0000000 --- a/conf/c14n/attribute-sourced-subject-c14n-config.xml +++ /dev/null @@ -1,44 +0,0 @@ - - - - - - altuid - - - - - altuid - - - - - - - - - - - - - diff --git a/conf/c14n/simple-subject-c14n-config.xml b/conf/c14n/simple-subject-c14n-config.xml deleted file mode 100644 index 3cddfa6..0000000 --- a/conf/c14n/simple-subject-c14n-config.xml +++ /dev/null @@ -1,27 +0,0 @@ - - - - - - - - - - - - - - diff --git a/conf/c14n/subject-c14n.properties b/conf/c14n/subject-c14n.properties new file mode 100644 index 0000000..3811493 --- /dev/null +++ b/conf/c14n/subject-c14n.properties 
@@ -0,0 +1,40 @@
+# Properties that control the behavior of post-login subject c14n flows.
+# A few more advanced settings require XML configuration, see flow-specific docs.
+
+
+# Simple username -> principal name c14n
+#idp.c14n.simple.lowercase = false
+#idp.c14n.simple.uppercase = false
+#idp.c14n.simple.trim = true
+
+
+# Attribute resolution -> principal name c14n
+#idp.c14n.attribute.lowercase = false
+#idp.c14n.attribute.uppercase = false
+#idp.c14n.attribute.trim = true
+# Lists of attributes to resolve...
+#idp.c14n.attribute.attributesToResolve =
+# and then select a principal name from
+#idp.c14n.attribute.attributeSourceIds =
+# Allows direct use of attributes via SAML proxy authn, bypasses resolver
+#idp.c14n.attribute.resolveFromSubject = false
+#idp.c14n.attribute.resolutionCondition = shibboleth.Conditions.TRUE
+
+# X.509 certificate -> principal name c14n
+#idp.c14n.x500.lowercase = false
+#idp.c14n.x500.uppercase = false
+#idp.c14n.x500.trim = true
+# Precedence is to check for a subjectAltName and then an OID RDN
+# Comma-delimited list of subjectAltName type numbers
+# (See https://tools.ietf.org/html/rfc5280#section-4.2.1.6)
+#idp.c14n.x500.subjectAltNameTypes =
+# Comma-delimited list of OIDS
+#idp.c14n.x500.objectIDs =
+
+# Proxied SAML NameID -> principal name c14n
+#idp.c14n.saml.proxy.lowercase = false
+#idp.c14n.saml.proxy.uppercase = false
+
+# NameID consumption from SAML requests
+#idp.c14n.saml.lowercase = false
+#idp.c14n.saml.uppercase = false
diff --git a/conf/c14n/subject-c14n.xml b/conf/c14n/subject-c14n.xml
index e4b772f..b354535 100644
--- a/conf/c14n/subject-c14n.xml
+++ b/conf/c14n/subject-c14n.xml
@@ -21,6 +21,8 @@ principal name. Flows are identified with an ID that corresponds to a Spring Web Flow subflow name. + + Most of the simple settings that configure these flows are in subject-c14n.properties. -->
@@ -54,7 +55,7 @@
diff --git a/conf/c14n/x500-subject-c14n-config.xml b/conf/c14n/x500-subject-c14n-config.xml deleted file mode 100644 index 1ae25e4..0000000 --- a/conf/c14n/x500-subject-c14n-config.xml +++ /dev/null @@ -1,37 +0,0 @@ - - - - - - - - - - - 2.5.4.3 - - - - - - - - - - - - - diff --git a/conf/cas-protocol.xml b/conf/cas-protocol.xml deleted file mode 100644 index 2eb1733..0000000 --- a/conf/cas-protocol.xml +++ /dev/null @@ -1,106 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/conf/errors.xml b/conf/errors.xml index a5a8790..a9730c0 100644 --- a/conf/errors.xml +++ b/conf/errors.xml @@ -26,6 +26,7 @@ + diff --git a/conf/attribute-resolver-ldap.xml b/conf/examples/attribute-resolver-ldap.xml similarity index 84% rename from conf/attribute-resolver-ldap.xml rename to conf/examples/attribute-resolver-ldap.xml index 19b68d6..ec375b4 100644 --- a/conf/attribute-resolver-ldap.xml +++ b/conf/examples/attribute-resolver-ldap.xml @@ -62,6 +62,10 @@ connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}" trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}" responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}" + connectionStrategy="%{idp.attribute.resolver.LDAP.connectionStrategy}" + noResultIsError="true" + multipleResultsIsError="true" + excludeResolutionPhases="c14n/attribute" exportAttributes="mail displayName sn givenName departmentNumber employeeNumber eduPersonEntitlement eduPersonAssurance"> - - + - - - - - - - - - - - - - - - - - samlPairwiseID - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/conf/intercept/context-check-intercept-config.xml b/conf/intercept/context-check-intercept-config.xml deleted file mode 100644 index aae07f0..0000000 --- a/conf/intercept/context-check-intercept-config.xml +++ /dev/null @@ -1,63 +0,0 @@ - - - - - - - - - - - - - - * - - - - - - - - - - - - - \ No newline at end of file 
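Review bot: The attributes added to the LDAP data connector in `@@ -62,6 +62,10 @@` of the renamed `conf/examples/attribute-resolver-ldap.xml` — `noResultIsError="true"` and `multipleResultsIsError="true"` — change the failure semantics (a search matching zero or more than one entry now fails resolution rather than proceeding) and deserve a comment stating that intent, otherwise a deployer who hits the new failure will assume the directory is broken: `<!-- Fail resolution unless the search filter identifies exactly one entry; a non-unique match must never be mapped to a principal. -->`. `excludeResolutionPhases="c14n/attribute"` also means this connector's attributes are not available to the attribute-sourced c14n flow driven by `idp.c14n.attribute.attributesToResolve` in the new subject-c14n.properties, which is presumably deliberate but worth a line as well. The remaining hunks of this file did not survive extraction, so only these attribute changes were reviewed.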
diff --git a/conf/intercept/expiring-password-intercept-config.xml b/conf/intercept/expiring-password-intercept-config.xml deleted file mode 100644 index b3bf96d..0000000 --- a/conf/intercept/expiring-password-intercept-config.xml +++ /dev/null @@ -1,31 +0,0 @@ - - - - - - - - - - - - - diff --git a/conf/intercept/external-intercept-config.xml b/conf/intercept/external-intercept-config.xml deleted file mode 100644 index 1d0fc29..0000000 --- a/conf/intercept/external-intercept-config.xml +++ /dev/null @@ -1,25 +0,0 @@ - - - - - - - - - diff --git a/conf/intercept/impersonate-intercept-config.xml b/conf/intercept/impersonate-intercept-config.xml deleted file mode 100644 index 7dfda2b..0000000 --- a/conf/intercept/impersonate-intercept-config.xml +++ /dev/null @@ -1,25 +0,0 @@ - - - - - - - - - - diff --git a/conf/intercept/profile-intercept.xml b/conf/intercept/profile-intercept.xml deleted file mode 100644 index f086cfa..0000000 --- a/conf/intercept/profile-intercept.xml +++ /dev/null @@ -1,42 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/conf/ldap.properties b/conf/ldap.properties index d89412a..45b0be0 100644 --- a/conf/ldap.properties +++ b/conf/ldap.properties @@ -7,11 +7,12 @@ ## Connection properties ## idp.authn.LDAP.ldapURL=ldap://localhost:10389 #idp.authn.LDAP.useStartTLS = true -#idp.authn.LDAP.useSSL = false # Time in milliseconds that connects will block #idp.authn.LDAP.connectTimeout = PT3S # Time in milliseconds to wait for responses #idp.authn.LDAP.responseTimeout = PT3S +# Connection strategy to use when multiple URLs are supplied, either ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM +#idp.authn.LDAP.connectionStrategy = ACTIVE_PASSIVE ## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust #idp.authn.LDAP.sslConfig = certificateTrust 
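Review bot: The first ldap.properties hunk (`@@ -7,11 +7,12 @@`) drops `#idp.authn.LDAP.useSSL = false` with no replacement, while the context keeps a plaintext `idp.authn.LDAP.ldapURL=ldap://localhost:10389`. I assume the LDAPS choice is now made by the URL scheme alone; if so, a configuration migrated from an earlier release that had `useSSL = true` and `useStartTLS = false` keeps its `ldap://` URL and silently connects in the clear, and nothing in this file says so (the resolver-side default `%{idp.authn.LDAP.useStartTLS:true}` in the next hunk suggests StartTLS is on only when that property is left unset). Add a comment beside the URL, e.g. `# useSSL is no longer honoured: use an ldaps:// URL, or leave useStartTLS enabled, for an encrypted connection`, and consider shipping the example as `ldaps://`. The new `idp.authn.LDAP.connectionStrategy` comment listing the allowed values is fine as written.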
@@ -38,11 +39,15 @@ idp.authn.LDAP.bindDN=uid=myservice,ou=system # for AD use idp.authn.LDAP.dnFormat=%s@domain.com idp.authn.LDAP.dnFormat=uid=%s,ou=people,dc=example,dc=org +# pool passivator, either none, bind or anonymousBind +#idp.authn.LDAP.bindPoolPassivator = none + # LDAP attribute configuration, see attribute-resolver.xml # Note, this likely won't apply to the use of legacy V2 resolver configurations idp.attribute.resolver.LDAP.ldapURL=%{idp.authn.LDAP.ldapURL} idp.attribute.resolver.LDAP.connectTimeout=%{idp.authn.LDAP.connectTimeout:PT3S} idp.attribute.resolver.LDAP.responseTimeout=%{idp.authn.LDAP.responseTimeout:PT3S} +idp.attribute.resolver.LDAP.connectionStrategy=%{idp.authn.LDAP.connectionStrategy:ACTIVE_PASSIVE} idp.attribute.resolver.LDAP.baseDN=%{idp.authn.LDAP.baseDN:undefined} idp.attribute.resolver.LDAP.bindDN=%{idp.authn.LDAP.bindDN:undefined} idp.attribute.resolver.LDAP.useStartTLS=%{idp.authn.LDAP.useStartTLS:true}
@@ -55,6 +60,8 @@ idp.attribute.resolver.LDAP.searchFilter=(uid=$resolutionContext.principal)
 #idp.pool.LDAP.validateOnCheckout = false
 #idp.pool.LDAP.validatePeriodically = true
 #idp.pool.LDAP.validatePeriod = PT5M
+#idp.pool.LDAP.validateDN =
+#idp.pool.LDAP.validateFilter = (objectClass=*)
 #idp.pool.LDAP.prunePeriod = PT5M
 #idp.pool.LDAP.idleTime = PT10M
 #idp.pool.LDAP.blockWaitTime = PT3S
diff --git a/conf/logback.xml b/conf/logback.xml
index 817de02..bf38b44 100644
--- a/conf/logback.xml
+++ b/conf/logback.xml
@@ -14,7 +14,7 @@
- +
diff --git a/conf/logback.xml.dist b/conf/logback.xml.dist
index 2b76770..730f583 100644
--- a/conf/logback.xml.dist
+++ b/conf/logback.xml.dist
@@ -14,7 +14,7 @@
- +
diff --git a/conf/logback.xml.tmp3 b/conf/logback.xml.tmp3
new file mode 100644
index 0000000..4674e93
--- /dev/null
+++ b/conf/logback.xml.tmp3
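Review bot: The second ldap.properties hunk (`@@ -38,11 +39,15 @@`) introduces `#idp.authn.LDAP.bindPoolPassivator = none` with only `# pool passivator, either none, bind or anonymousBind` as explanation. If I read the pooling semantics correctly, the passivator is what resets a pooled connection's bind state when it is returned, so with `none` a connection last bound as an end user or as the service DN is handed out again in whatever state it was left and every consumer must re-bind before relying on it; the comment should say what each option restores, e.g. `# Reset returned pooled connections: bind = rebind as bindDN, anonymousBind = drop the bind, none = leave as last used (callers must re-bind)`. In the third hunk, `#idp.pool.LDAP.validateFilter = (objectClass=*)` with an empty `validateDN` is a rootDSE probe, which is often readable anonymously and so proves liveness but not that the service bind still works; a one-line comment saying so would stop it being mistaken for an authentication check.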
@@ -0,0 +1,191 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /tmp/logidp-process + + + ${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory} + + + + UTF-8 + %date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{short} + + + + + + + VelocityStatusMatcher + ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\. + + VelocityStatusMatcher.matches(formattedMessage) + + DENY + + + + + + 0 + + + + + + WARN + + + /tmp/logidp-warn + + + ${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory} + + + + UTF-8 + %date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{full} + + + + + + + VelocityStatusMatcher + ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\. + + VelocityStatusMatcher.matches(formattedMessage) + + DENY + + + + + + /tmp/logidp-audit + + + ${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory} + + + + UTF-8 + %msg%n + + + + + + ${idp.logfiles}/idp-consent-audit.log + + + ${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory} + + + + UTF-8 + %msg%n + + + + + + ${idp.fticks.loghost:-localhost} + ${idp.fticks.logport:-514} + AUTH + [%thread] %logger %msg + + + + + + + + + + + + + + + + + + + + diff --git a/conf/metadata-providers.xml b/conf/metadata-providers.xml index fc81612..d5cb34b 100644 --- a/conf/metadata-providers.xml +++ b/conf/metadata-providers.xml 
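Review bot: `conf/logback.xml.tmp3` looks like a scratch copy of `conf/logback.xml` committed by accident (the `.tmp3` suffix next to the one-line `logback.xml` and `logback.xml.dist` edits just before it), and unlike those files its process, warn and audit appenders write to `/tmp/logidp-process`, `/tmp/logidp-warn` and `/tmp/logidp-audit` while their rolling patterns and the consent-audit appender still use `${idp.logfiles}/...`. Process and audit logs under `/tmp` are typically world-readable, subject to tmp cleanup and replaceable by any local user, and these ones carry `%mdc{idp.remote_addr}` and the audit records, so if this file is ever copied over `logback.xml` the audit trail silently moves to an unprotected location. Drop the file from the commit and add a `*.tmp*` ignore rule, or if it is an intentional variant, rename it to state its purpose and restore the `${idp.logfiles}` paths.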
@@ -18,7 +18,8 @@ http://www.w3.org/2000/09/xmldsig# http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd http://www.w3.org/2009/xmldsig11# http://www.w3.org/TR/2013/REC-xmldsig-core1-20130411/xmldsig11-schema.xsd http://www.w3.org/2001/04/xmlenc# http://www.w3.org/TR/xmlenc-core/xenc-schema.xsd - http://www.w3.org/2009/xmlenc11# http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/xenc-schema-11.xsd"> + http://www.w3.org/2009/xmlenc11# http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/xenc-schema-11.xsd" + sortKey="1"> @@ -49,11 +50,12 @@ + metadataURL="http://WHATEVER" + failFastInitialization="false"> - + md:SPSSODescriptor diff --git a/conf/relying-party.xml b/conf/relying-party.xml index 5045b93..439e7f1 100644 --- a/conf/relying-party.xml +++ b/conf/relying-party.xml @@ -27,20 +27,17 @@ - + - + - %{idp.home}/conf/relying-party.xml %{idp.home}/conf/credentials.xml - %{idp.home}/system/conf/relying-party-system.xml %{idp.home}/conf/metadata-providers.xml - %{idp.home}/system/conf/metadata-providers-system.xml @@ -33,7 +30,6 @@ --> %{idp.home}/conf/attribute-registry.xml - %{idp.home}/system/conf/attribute-registry-system.xml %{idp.home}/conf/attributes/default-rules.xml %{idp.home}/conf/attribute-resolver.xml @@ -44,16 +40,10 @@ %{idp.home}/conf/saml-nameid.xml - %{idp.home}/system/conf/saml-nameid-system.xml %{idp.home}/conf/access-control.xml - %{idp.home}/system/conf/access-control-system.xml - - - - %{idp.home}/conf/cas-protocol.xml %{idp.home}/messages/messages - %{idp.home}/system/messages/messages diff --git a/conf/session-manager.xml b/conf/session-manager.xml deleted file mode 100644 index 7372029..0000000 --- a/conf/session-manager.xml +++ /dev/null @@ -1,29 +0,0 @@ - - - - - - - - - - - - - - - - diff --git a/credentials/idp-backchannel.crt b/credentials/idp-backchannel.crt index c8886ea..a4d86af 100644 --- a/credentials/idp-backchannel.crt +++ b/credentials/idp-backchannel.crt 
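Review bot: The second metadata-providers.xml hunk (`@@ -49,11 +50,12 @@`) sets `metadataURL="http://WHATEVER"` together with `failFastInitialization="false"`; the surrounding markup did not survive extraction, so I cannot tell whether this provider is live or inside a commented-out example. If it is live, a placeholder URL over plaintext `http://` with fail-fast disabled means the IdP starts cleanly while loading no metadata for that provider, and once the placeholder is replaced the only thing establishing trust in what arrives over `http://` is the signature-validation filter on that provider, which is also not visible here. Either comment the provider out until a real URL exists, or add `<!-- Replace the placeholder URL; metadata retrieved over http:// is trustworthy only with a SignatureValidation filter and a pinned verification certificate. -->` beside it. The `sortKey="1"` addition in the first hunk needs no change.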
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEKDCCApCgAwIBAgIVAIsUgQNNYuil54yiVLUFlzdr/qQUMA0GCSqGSIb3DQEB -CwUAMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzAeFw0yMDAyMDYxNzE5NTRa -Fw00MDAyMDYxNzE5NTRaMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzCCAaIw -DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOSJwBSKrIMjDCdjxHYxQ0YGz56h -Vqb/DklBpsOeOgXnFMPoDf941IDu2kOvCpRKW12wWmDUskv9Vi+4RfiA9gUXUCdh -jHTNBUj9GXYafCFFMReZ/fVbqvSRHCE/EBHHjo2qAHTfw/R0P8IBdAICs1LvkzCn -W3prZJnJH3HD3+W/yubesNe5cG3/D9OnAeNMcwtNh7fyuGIFzUL1OA/pL0Gu+UXx -W0sMjOPR4Tlt0yi1k2tsZGmB6AYMqX2Wjd/nhjTibqGEVC0OSRiDtr/C8nEx5MAD -bl23mzHR8S/9vxQN8Y9N78FtObnMcB5PPtkkJsqBPpAlDiz2ONT27AnTM6EsaBjc -VG3PH7Js7SSEvJPuibTfxIOWcLmVVSt6RozMSclXpvq2I9l35hoCq+OaoF+RXbSO -8gaon5NYbCfWVSpbmKbw1o/wcOqsrM1F/4mtZp3T5VMYOZBARXlewwkh+xm0p5JB -lmJO8x9WOIiQFjiPZKkK63GR5OgO5RwD5O3U4wIDAQABo2UwYzAdBgNVHQ4EFgQU -3ztcEnBpdG+CgScY9MC0g81oOVcwQgYDVR0RBDswOYIPaWRwLmV4YW1wbGUub3Jn -hiZodHRwczovL2lkcC5leGFtcGxlLm9yZy9pZHAvc2hpYmJvbGV0aDANBgkqhkiG -9w0BAQsFAAOCAYEAAsszcNm8lHWf31vwbNGY8m6Oz6XXrhYAmRcudvs86z2bWw3C -oDLvKWFuyJAAeIP11UpbW4aSs+P2f4I9/ZfTVbqKxPfSYIG1LSdKl5ICFaGP18K6 -PBqtu6eu71Hrz083IvR8qddD7Kl12aGfwDhFUtqy2zhmYsI7LhfwRA8ayJX4204x -tOmU6LxRtgJWsdlqjyzcZ9buafqfvoTCbjnzbO2gUoEPCDUxfTi+HRn+JppXVxzV -vXbs9G5xWI6eeojYtZqKWn3xaLQcPcla2b0dJSYvZ0paoC44hpwr5eWX2mGQ5+cn -AzK55H3uOq975QJDIdXpuuWIh99y+jC8/NcUFkFjb/86DSOs+LtwM2VhjiL5HL3I -oVIuAVBS4YAxE8NDGgcuPrS7+m1UjnHiagOkEqbhMr0/j16/g++CivWpWPxjTYfL -Rbw85j+b7/uzUTYXzQgVpSnvgB6cP92MH3WNWyIYf+d/mribIybrKpE65diSVUYC -vwiLfazt2AHOsVki +MIIEJzCCAo+gAwIBAgIUEtJU0oOkMid5473At++VFGAbX3gwDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMB4XDTIxMDMyNDE1NTQyNFoX +DTQxMDMyNDE1NTQyNFowGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMIIBojAN +BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAq+6x7Ay8s9vl/r+trvJMbwdXiFxH +PwQeJ/Oof48EWuP61zluBENhk9E5rdf2zlCxkfiB78G8YFZh9ZjcWkIR63xIO9YA ++NuQg+WOPu8fvegcly0ulg2dRXvi0b7q/FsK1MtKcxRECpTNu2DD6K5oHkjf/nmp +nJIlAxvYyP0aqwEy+qq1NFC+WTjoFP7ZyKt+oSz08ONV2v/1dNRwcjfgc8MJcoq0 
+Nw56mGZ2LlTidXP8lQBpsQ6/gJvdnVv/B4q8fVS3zpFgokkyQM6eW1ZpGjPY9K1A +paLcAio+MCoPbRJwAlI+5tdgKMMvz+xq4RN0e68IIZS4IgmkVem52uJcfUiX297F +Ar1QdH4NZvijir2Wt4xYMxpThsV6n7F88wWzJj/D5bErZeIWG+DWJq2FZ7rqq3Oc +tz22TH3iBkYrSvFG5nwyHQJaptDDMm6OpWTfmcjh9jT9H6mz4BdBln2uJUswVNGG +bR9w9OcXqYN6X8bll9Q9XcVZh2uBgPB3NWGzAgMBAAGjZTBjMB0GA1UdDgQWBBTc +BIECuv3b1y5K9FBK2zKFc2j4HzBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeG +Jmh0dHBzOi8vaWRwLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3 +DQEBCwUAA4IBgQAQsx5PLHRi8+WjBTSW6RiNiSRFTpNKPdFzoKDhpaCVSlrpjgzp +0qD7QorlKPVJNUhl56Fs2S6oWy6e7lb1eBPBAfCNqTalFJNnDdMvZh02FCecbE87 +6Wv7JcD5kA+f6HUDwmaB15fabheSE3YMGQFtaEidmd/jd23CaDL5RNeHUoKS6JHC +yNsUlZ+R0Cq2ia2wLhW2Z2CYpNh9JM/LOmcTslOgmThNeCnrMIikWSTLQ4C3H9/R +/iN8NaQhKn4vcYTwEqiaVFQbIU2mQQLT+YK63L4S4S339IsjZiqGEw8DKBnfjL7b +D1snXa+G6MiQJNcuChuvGfGSlXCSFjtUr9vivzHeGW2h+6uStzTuZ7t5NhQMRTFD +qT+gyCR/bzsEUh1Lj3J2mFPM/cUSlhH3H0TJcVT9GZUzFNAP0qbaFs9PxXH2gpDI +XrshYcEiXlj+dsSUNhaCqYibPwkHrRBIAqoDGdMFI+Y5SePVo4ksA55m0gPeY+FM +mUbCNQngUzNlYPU= -----END CERTIFICATE----- diff --git a/credentials/idp-backchannel.p12 b/credentials/idp-backchannel.p12 index f39cfa8..9e30c3d 100644 Binary files a/credentials/idp-backchannel.p12 and b/credentials/idp-backchannel.p12 differ diff --git a/credentials/idp-encryption.crt b/credentials/idp-encryption.crt index f834a3c..10fa34d 100644 --- a/credentials/idp-encryption.crt +++ b/credentials/idp-encryption.crt 
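Review bot: This hunk rotates the back-channel certificate (subject and SAN appear to decode to the example host `idp.example.org`), and the neighbouring entries show the matching private key material is versioned too: `credentials/idp-backchannel.p12` changes as a binary here and `credentials/idp-encryption.key` is modified at the end of this page. Private keys in a repository whose `release` branch the README describes as being for end users means every deployment built from it shares the same keys unless the installer regenerates them; if these are meant as placeholders, the README should say that the `credentials` directory must be regenerated per installation, and the keys should be removed from history rather than rotated in place. The certificate and keystore contents are generated and were not reviewed further.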
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEKDCCApCgAwIBAgIVAJ9U0+AO1v0VbDiaql+oeEssbFCYMA0GCSqGSIb3DQEB -CwUAMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzAeFw0yMDAyMDYxNzE5NTRa -Fw00MDAyMDYxNzE5NTRaMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzCCAaIw -DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJyOGdr38pJc2pEZe+YcJSoo3ym2 -oP/5M2jW2mT2oJO13qrcTcBZi+x8/g+3wJmmJxX7BACnSquY2FZ0eDJl0rADInTO -MihxesnjSVo9t8f63hTJ5SEpqM70NnanOcEbJuNQCr3ZRxXjD2Xnoiql1wY7EcDY -S2B4LWNU41ruqZcZAitTHA9jIA2+jmIGjqKSh1mBmFqN4fVUQICW4NExfedIyo+L -H4wijFi3W4wFdqYONYmXlxpG03fRokOplsFjwDoxLKR5h5lNnyd/vjQ6Prx+vedu -FfdAt1TGAPJ6DXUtoPVpyajP6WZK96jXM7uaHlQ/uLMQQwJN7nzfvKobCLylHRre -Y2aov0JOEAqMd5X9L7xPcB+DjKkhaUBowS+qb50SNK87eejpZQS8BEhQ9Xi/jHnJ -T8tn9vL39NDwvCYu6vdpiY5kexKZ6WvVK3NltkUzaKMuvfULmHy2pg1ro30Wwb4+ -rOfwvLkE4UZdg07JyP94obkRVxh9uBliAqvDtQIDAQABo2UwYzAdBgNVHQ4EFgQU -zOMLGuvLojqNEvGDS8IddKPwM/cwQgYDVR0RBDswOYIPaWRwLmV4YW1wbGUub3Jn +MIIEKDCCApCgAwIBAgIVAPyKe4kuv7ZzU9YkyhDT6PWudYj5MA0GCSqGSIb3DQEB +CwUAMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzAeFw0yMTAzMjQxNTU0MjNa +Fw00MTAzMjQxNTU0MjNaMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzCCAaIw +DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAL+i5PmO/JsPcM25CSY0zJeJ+rim +4mqlr0sT7BRIEEv6ja9RAxRI3fRXOYfz6PxfF6AMsYy35bCueOAOcbr5IyCIhHiu +HemT3ieiROoOUY3P0D4KdwC3cSxANc53pEIVsNd05Xxe2mVnGJ9liomWGl0Zsj4v +TC6f7PFjAEV3JyaETMyLpKVH9rt9FVKPZ3zl9FN/nqA0KodjQVbJYjIyJsib3WBB +WWZ6VgwErHQriCk2gIGrYbltcZe3ujKOpNaRiIraG1VPs/YaP0IcsPekS0Vy9qcF +6Xq4xErWdR+Fh0v5iI6bZ3feKnGDO1q30M5I/cfkwW9CQd9zqLjM38MilFJYCoqI +KbZRPvvKAt1B/JZJMhZZJaBy9y5CtTHnZiEZxdovz1R8BsZgmYgMRfIqTAN3+bYl +kzfgaS/PmQkiY+iUzsi7Bi753Eqlaksa1xqeV7tkpVRDOUeTMOvjBzueQS1wdP7i +VgiQrWF+EqBBxGY6QqlYdPbOZOwcL8nOE6+BwwIDAQABo2UwYzAdBgNVHQ4EFgQU +N1YcXFUpP/ioF9ByIell/FLIxCIwQgYDVR0RBDswOYIPaWRwLmV4YW1wbGUub3Jn hiZodHRwczovL2lkcC5leGFtcGxlLm9yZy9pZHAvc2hpYmJvbGV0aDANBgkqhkiG -9w0BAQsFAAOCAYEAC+KIjwmRVTPwbzvwkYum1ZCjBL99Z4T+rvFtYM9HWWZQqKo/ -YmQIF/bYtf6IzU2ayQXd77Wrm4gfJYXvIdLqpj3oE1+kBeZ+XJ1/sn9Rp7qw4int 
-pyPZ9W+j+/IAD2OVs6ykbU32QnIrKYAotgIygwKTpzpkg+peuzQ1l/duCCT4m7Re -e9RHjKfrp+pRwBG8ppTE2EupCkJV+wIokZCn1kepDJ+E1CodofVAIUuXkX9yAwz5 -eqfLj2VNIpHLHNi8U/LSutwOYTuulBdPWvjYQ8wZZoE4JId4K5u6wvMwbhpDad0e -kar1XJR8zFBi63smQ3CJ/7jUCbanESVAs3U9S5o12Bl9sfQsAxz4icLhhHgEGAV1 -UhpcGn83CI/hWp/swjEVstIxlrQOpr9nd3G3zLSrTS6TRiBMMfVV/wkwnhBFfUaM -cWp5+Rt6wo05o8+njQ2QETsFt8kP5SImFg5YNatqiXPrtlY6PBULB8yOil8mX4Bi -OK0/vM0ibCFaRAzB +9w0BAQsFAAOCAYEAq3MFr90wgCFV2fUdxACwnytfK3tlpT7bczA4ks3iUlMM2o8t +QuaMe5pru+5nhMk+D8Be3RoIIks/ddxHwVKbwLjzJFEG/9S43MduXP6P3weMr0Y8 +lIqZrd65uaaEbAd0ldGSn6ekB+ERwDNC2aYghwMIPqyCvQo6vLRsBsnLEa3q63Xr +GYbkCawtvMTINYxAgFP0vavxNXF7A9qqDCpS/m4QgdbL7DLEJTN/wCgJVPTA9f9M +SyjcmSRJ2FMNHyRgor26jT0rCeUNJ1MgM0kA3hwqW5eK+nj9OZWWVjOZaAkdVRn1 +mGJoRmtK/dGE4SEXfyIgWqQfdGOpIAEkIG9EHaH37Kg+slMjb/ZwN/riShIxPacT +YPkAC/AqRaiJOzvi4ZB9OtjC3wyoyak5e33p5DnCIQ2+hEbebAsnYWP6Yf/c1KMw +1Z56FlQwmY1yBZ6+yTIR0jCKWj5mFuahsDW7VSkRUBmt55Q/o24YbHfLioYRSJAi +uADV9N9NCGawgJnf -----END CERTIFICATE----- diff --git a/credentials/idp-encryption.key b/credentials/idp-encryption.key index 9fec9ff..b8ed07c 100644 --- a/credentials/idp-encryption.key +++ b/credentials/idp-encryption.key 
@@ -1,39 +1,39 @@ -----BEGIN RSA PRIVATE KEY----- -MIIG5AIBAAKCAYEAnI4Z2vfyklzakRl75hwlKijfKbag//kzaNbaZPagk7XeqtxN -wFmL7Hz+D7fAmaYnFfsEAKdKq5jYVnR4MmXSsAMidM4yKHF6yeNJWj23x/reFMnl -ISmozvQ2dqc5wRsm41AKvdlHFeMPZeeiKqXXBjsRwNhLYHgtY1TjWu6plxkCK1Mc -D2MgDb6OYgaOopKHWYGYWo3h9VRAgJbg0TF950jKj4sfjCKMWLdbjAV2pg41iZeX -GkbTd9GiQ6mWwWPAOjEspHmHmU2fJ3++NDo+vH69524V90C3VMYA8noNdS2g9WnJ -qM/pZkr3qNczu5oeVD+4sxBDAk3ufN+8qhsIvKUdGt5jZqi/Qk4QCox3lf0vvE9w -H4OMqSFpQGjBL6pvnRI0rzt56OllBLwESFD1eL+MeclPy2f28vf00PC8Ji7q92mJ -jmR7Epnpa9Urc2W2RTNooy699QuYfLamDWujfRbBvj6s5/C8uQThRl2DTsnI/3ih -uRFXGH24GWICq8O1AgMBAAECggGAPFWDX2EZKhEA5tSkbD1CkWno/2Fz0NKQXoIW -7rwhjGuV4dE/Ybbg9wYAv7v4TP68p3rywvG2FEW2cjM2s22McerzV4Kzz+RUBwRC -G7YXYsmq1uYsGMi+VuvFJZsy5dn59ba+PQZEoAm+wG4xkDATm0IeiGyTOB14mIR5 -jmzWDPZFYL8J3GA+VS2wH9UZGUxRP0xzk8qEX5DVvvjmsZhaRk1GS2W5hb82yWX4 -sRDV9g8Z0OoMAMN08gNnfp4YDHXNX70NKxsmxaGkJOz/7VB3pF43iv+hp0Vmcc5t -3MjbBHnnPY9g229g9fMEbbDzu4wvLA3XvG2ExF+cDEumX1KdtjoeFJXke7mi3tIp -2xlSaDpDIc4dQDvIWnxpkkRXGh+QDWlaZJTPW7Ju6IATa9w9FYsDO90g1G1ezqMW -emZkzzTi3UnBhZUmtNF14tIT+1PjGPjnTq+9EukDHTetNBcnX1ozv7huzeo76utq -69oiorLK2YAAayC7k+/HX4iDNvvNAoHBANW0HaQ50Nr7Xq0kbVdV5p+zO9pxhIc9 -gBQGuzMGXU1jbT0j5rIglGfZMLWaqyMEw6ek9kF1azyY6ozjDb5a4+OHCd5JLeh3 -BmAufbosrYT0/yF5mDXb4zGuS2ZD2tlWBhed1MgK5KSTIF2tfMusA2n4DBNkVOsV -J1Jf4Sd09fYNbEVB/MDYvVHgvXIaovmkQz9rlOWdy0XigxGlIiEledE1YaTSOUVU -J9sshdt+JnULPG+qqWkEQTdcatlGTccN6wKBwQC7imX0Vgi78gEp+nMRaWW3ZdYv -lA0dmQk5YTSV9XLcYVmaTic1uinFgwjbKPoxbAsi29qTClCAPhulY/2ixdw01o3F -ei+rMiwaPBtrFyF43dQlNPJ0cbQBTyJI44pUcA+WKhdfN0X4KyTyzUFmAR8AiZq+ -gu80ToVu454nGQoH73GO4sAGnR8GxSpZ1jIatBNsUHmlwblRsoZhIzAaKlXWjnF2 -dVXiEk+BdsqdWSZKjS6hWeVEJnAm+OhOBp3W7N8CgcEAm+pgofwItGwnxD1KhSjI -LYYwSgz+e0lUk8fhdrXTBu5euffijd2VSTs9/ZGOAOut8Dc778BCcCDFJ+tUkKhx -kgRpH8PWeb+1aCEjW9zS8KlrJzo24jy+wvV+T2t8VYscwMhHgXfpH2W0fIRiA5tJ -llwCO3e9ORLi8IfBlu8PsOhUMSeWyACaCA3nSkPC2k6NPc05Alog/6jmpc4MW5Cj -Ew9WYVF7tWhT9+XA98ZPOp/rBTHHjjYrer+zuThA8NTnAoHATzEf4E88HPESIMHL 
-OT0CYLE2Ap1H9Imc5YfwhqpAuGK7TXdXA077OJYedT0WeSwgf7XK1HB0kdKoJezV -O5jFZeJ7tznjSy1Chkl/YndAASPa42M6RoWE91CNL641yXYQft6DRAe5GhRN4+Fc -jlBG4Rk6KNxtWe8WVT70l5nxLGylzSpe3+wVH+y993WFbtU/pmtNEvt838y9BeOv -+jyKRrGbo+PkQjRtMkQRRuRQUQbQ+/1T3LVGgo50ug39NLaNAoHBAK5d0JIkk5/j -QqJaFwIp2hnPHHIRb8BCtrIBzjzEU3jZ4AlVgMeRhdkObyZqSr0MQ5jiCKQR/mVr -u7biW26CSbcF3+mj6aFYzeSXr2QIKQRnZtdBOcyTDnRLlWSe8Z4e4C888YuFF0gf -Nnh0XrKdEUMuc6QeHtm//5X14nGj5noqm9lRYmQ/hk114Vxn5CEphCZOlxZwYVX4 -WcZ+73VyJ/E5W9zXEIqcNbtzvHfSOeOXKl1Rsgh6QHpsO0GrMbFD5A== +MIIG5QIBAAKCAYEAv6Lk+Y78mw9wzbkJJjTMl4n6uKbiaqWvSxPsFEgQS/qNr1ED +FEjd9Fc5h/Po/F8XoAyxjLflsK544A5xuvkjIIiEeK4d6ZPeJ6JE6g5Rjc/QPgp3 +ALdxLEA1znekQhWw13TlfF7aZWcYn2WKiZYaXRmyPi9MLp/s8WMARXcnJoRMzIuk +pUf2u30VUo9nfOX0U3+eoDQqh2NBVsliMjImyJvdYEFZZnpWDASsdCuIKTaAgath +uW1xl7e6Mo6k1pGIitobVU+z9ho/Qhyw96RLRXL2pwXperjEStZ1H4WHS/mIjptn +d94qcYM7WrfQzkj9x+TBb0JB33OouMzfwyKUUlgKiogptlE++8oC3UH8lkkyFlkl +oHL3LkK1MedmIRnF2i/PVHwGxmCZiAxF8ipMA3f5tiWTN+BpL8+ZCSJj6JTOyLsG +LvncSqVqSxrXGp5Xu2SlVEM5R5Mw6+MHO55BLXB0/uJWCJCtYX4SoEHEZjpCqVh0 +9s5k7Bwvyc4Tr4HDAgMBAAECggGBAIQTUJxu38o+qhAfJx8d5KPMhPAelI3MAzRL +VrnjsNesp1ndC7I/RjnQo+X/ROQq5a15EiVZ2QQcO1KwodGrQ3p4nFRQLG1/a+0E ++VoW5D5Iq80WiU4FIArPdkYGTz78lBTqi/9boEmi9GVnJkQNH75qp14UWv0HW9ZB +1T4LEQCKziNrWt5O6s3tN3TfQQPjuLCTlE/1pBoLXkziHrtZtUEtqzVb1LG8PvGp +hvHJzt4Yohi8dW3G8DMQfVO63ADF65OwjaMO4SmU/lbRDqJSvb4LxRiahRasBLYC +qoqi53Y3grDiZMVd6XAnDrr12JzsgGDj2/j4GiMHSQKkPBMcy+SQpiVYV2jFiaGn +31vJufShqP+70Vez+1DVwjj9Gf/R/3zipib9q8sz7UDkpi2Du5I2mX4K5uEmx9Aw +hkZoqIM+yHegfDSIwCqHqNqh7mHOwHOmOAgFqkY2DNyTpA513iIUzggQ1pNKsg+d +cLljbubz7KppNApcTBaZUSGy7KzFAQKBwQDnKoxT1feWZhsDPOFa474sebHfpsMK +vlvnEUzG4UvBz/QqR8ib7BsT2ZuF90lo+NTDg6Wohn5J/gTc6z0J5SBhjDay21a4 +qaGTA2BZL6D1el3yBTI0dK9AA/1UaNGQN1MUNmHEXlxFuAh6KEEbau0qNNgxJXpQ +90FzQaonHdstGRj49iHbX1xO28AYlRkYFzraR9u1M8wFcWnVpoJ8nHP3LH/Qwq3m +8ov63Jl9YkxPgvOnZb3Irj3Pz20CIgBWUPkCgcEA1Dk1ewLqkxYgMEcRnGGyF489 +3K88pe28/HCL7qWUuIHyHHnym10S0qRHxApTPKhpJS7L/h46lqFfPuxvLHLfB8I+ 
+uXxq4TKHVRbLHxbcC6h7oHJS5Ezi+PCIFP8nINJ97wq7OWaPVn388MU8sA9khy5j +gsyPoRj8QnJrWi37j6RFJWoYiCwFRRtCzhMRJUafuOba865h2wXUZwhfMPCuhA4u +go5621Sld/RD9PajGsfiGx/5uMdtdvPwDzLXOhObAoHBANUKI1VIBes3ooFzZASN +isAWT1VcrLeEA9KJ4QYQr+6oJc+pZDo+eB3tGCV4ZtE1MXAWLV+Iw26Rig3HRfOO +lC8SN37SIbQBsQR5whuvh1l0MoxPOZuaRcBrbNaT2z5bnlcsXyHIDKW8GyPpYUdR +Xczd8rgoX/eqR0lfJN7z5wBC9v7KZx1zXvDWGM0O65eGIRj1zIfMeqQxh2X9FJie +30jWW90a7YW/1j2VfGdPZiCJAOAvJZ6C5jhUY5PpngHukQKBwQCk7Qy920dXJWPA +gQqToGzZ2Ez4Gwsj3Dz5ZbGpte588Sepr6+1w8AkCN1o4alMQ4jrB5Iqm21msGQn +r3C6d08SZYd/eMxK1IzNuJgEQiyhtr7UsuPuXj4pvivTPXM4E70grxNPCYAtdF3E +81M1c9DpKUjWVojsZlFshiUdgQy11bCS4f/Mm4FA8m2ZXsH9WQQ5mtbfd06++qnV +pHDtxK2rHKZSec3Kc97f+OlzDtU0s8/oypG0Yu+T+QE/noAaty8CgcBLiCGm3D4z +eQvCyp2ifIx3aS0EPClKYME3x5TyZJbQ5EKYEsmWk5zpfNczwQCSjgnURs1X4Txv +4vTShW6isvC4D1+nmK19jajlhk9humMshhLSkSsbWAMIJYtqwz/w6CN4b7QvXhcB +x7d3BR8cL8/aLAJxBLx0hcenbEM6u8f3nAivllcrW0kMrJDErjT8unkQJdLWV3ct +qvrSqBArpykBjayM52USIUuNZFUIvjmwN2XUlC46+388fWwIiPwnfM0= -----END RSA PRIVATE KEY----- diff --git a/credentials/idp-signing.crt b/credentials/idp-signing.crt index 034f9db..a7f2528 100644 --- a/credentials/idp-signing.crt +++ b/credentials/idp-signing.crt 
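Review bot: The new side of this hunk checks a regenerated RSA private key (credentials/idp-encryption.key) into version control, and the idp-signing.key hunk below and the binary idp-backchannel.p12 and sealer.jks updates do the same; the password protecting the sealer store is also visible as a context line in the secrets.properties hunk (`idp.sealer.storePassword = changeit`). Anyone with read access to the repository or its history holds everything needed to sign assertions and decrypt data as this IdP, so the keys have to be treated as disclosed from the moment they are pushed, and rotating them as this commit does changes nothing while the replacements are committed again. The idp.example.org subject encoded in the matching certificates suggests these are installer-generated test-bed credentials, but nothing in the repository says so. The smaller fix is to stop tracking `credentials/` (a `.gitignore` entry plus a deploy-time step that generates or injects the real key material), keep only the public `.crt` files if they are needed for metadata, and document that any key that was ever committed must not be deployed.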
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEJzCCAo+gAwIBAgIUFmFRSFCknM+R2MDTUOUxy4Ly2a0wDQYJKoZIhvcNAQEL -BQAwGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMB4XDTIwMDIwNjE3MTk1NFoX -DTQwMDIwNjE3MTk1NFowGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMIIBojAN -BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEApypXQpLV3wqhAtxqO99neORxrWkM -pmTF3w6/R8dvbxNIUAmO73l5lssAKcBUumzsxJiyuXNfBqpUColP94EByCUSNxmt -iYiqv2t57dIX+0xVnQCp+IV6FjNG7IqZtODIicSeJ515uBKC2iVURtIUPG8Bx1h7 -IucPXgAfO5+fde+82nCH4/QTNTHED6JnsuATQMhLicTmQRCMTXLBirIC1iGDqc6h -fqBPMKUKyVJ9cpB1z4DMZ3dK+E7OUeO2ewvA0y43s2Bd2OV6paJ6ZHLcLWMIEYue -gpxfh2pGGDZeryxyfG72BNbJ2mf3sMz1EtBgXFsHjCnGiSJ/BRLRJ0bs+Fr2Wsd+ -DmhMkJ0QyfFsbuyfMhPXA3j95l25NHHH+OqZB5UUssvqfUZ8X0hs1Mt01en1Gfp+ -uS+FSnytcO+/7jIL4DRFhrHOEXZHqnGpcRgwti6WmBcQgW9nWFCAPhEaSSARUxxr -tinfyg7zD8I9Jg9iwRZU6W/y7oMH5aifaZ+rAgMBAAGjZTBjMB0GA1UdDgQWBBQN -5NoPrBmezuYsRGNOlMrQiVMNvTBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeG +MIIEJzCCAo+gAwIBAgIUZMvUeW53jFMs4M1rlNztvoKNXGowDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMB4XDTIxMDMyNDE1NTQyMloX +DTQxMDMyNDE1NTQyMlowGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMIIBojAN +BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAvtENeKgTFxJ3l8ZTeaFifLRLS4da +xjnKy7JpTfrVOqZHGUQ3zAwY4xifs5rbiBkOAiLLBIqjJJalZQ6A+fSu34eVYdxp +5VY5L2gAcF/6kf+wOMCU2zdEwiewM9CZMo6HN77Z/ZEC1737/OBaRHwCEtC8l1Bx +U0V9TgEB/n31mtg5h7FWDPe6dgo1NSeCjsKVGHrdG4Ozo+JHvklqy6knbqnNvPqm +cLv4nrp/wQnRalqv7/26dlzoecXmCICH4cToBVACILXs331bpWEdHEc+bxInja15 +BOwb4pWLbqD5Qaj9hnPFCAKFtA+Ivb9PKV+44eNN3n73dYEPmx21QeqXWVfn3Ukl +4lIIhFC9XETbmSI+V8HLYl7e7n6GKN3hdVip0thN5vyPWYBt2DskW6+QFXry2F+E +qMxNHUqJt0k3uu4pTZ9f/DsQaA+/e+H23DGBIOytNzBz1jbU0Do/35td39YvRGN4 +T5KOuwmGTjrB6cM0/WOxJhaKourpM6qiDs0bAgMBAAGjZTBjMB0GA1UdDgQWBBSA +UDgNLBosYiGapWvY1CIRGm5f/jBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeG Jmh0dHBzOi8vaWRwLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3 -DQEBCwUAA4IBgQA9G+WW5ASr86DGtUZEwzp0ZQZ4EBj3/tAHG8VuORxbA8hMOFo0 -Iz/NfzFpurGJtd3S7o0DepEwQjMZoYja2bYSJkpHscm9sEcrIKyiu01kOsjCwncv 
-xJ+cdILWS4JUZtk2vmnRjS/ufHLBPTcEYGrix0DoG3qPgqNXljRptrvrLfeDIvid -AalmxNqWyKDNDgWua9iB9piEF3ZRe1Jc/Od5ByG1sjT8z+NbZuR7QHEwgziBl1ff -4hpE84JvUhxDu8xhuwTJBkTh9Oh4+wKquRNwa95dhrQrYDF48oA90dboRaO4X4z8 -TxDy8v0QMbGFUIVqhDkVGPbzbir8Ni4vScjSRIzpkAX9FhfqoHaD8rl5f5DTpDPq -dK6Kg9675akm5DKQ1SGq/3rl6ucDEtN1ma5UqBVZkXGKmo61PcnWMeTRioAprcnJ -rYw6Kjf/0EqShDEbkSuiVR63dTr9bdFS9nt74uyuEpSBfT4ryRZxCOOlt/orIxUt -Ae3vkDmc/eCooWg= +DQEBCwUAA4IBgQBb9ncPd748rnxrJ7tat50vDGAj/wnFM/9qt6gfwSv7gCikj29V +QYgZ0gB76xH7RdLw/iuR4g3stuoARt+CYrzkh/A/pG6/FAFI6HZvX/Lic7YLv/rp +m0aRcBLDzu6gYZ66qm05iXLs1Kueq8Eh0txpbg35LUVZGtXxE6t4da8a/XfSfgDs +KlUj7ANT1vkbDYXJiio60EqGWxMiyxTacEFOSUqRTlDL1wdvU8hrcyO4ZQSf20Mv +uROvXwki8Zb1Hoakn51fgJIKvIM6ttLpNdwsXFWpopMw9s5obtrNAB4KbbuISXdn +3AjJtynK9HuIOyBkphetJcOXj99bAn6VLyl3ieuPPLzXPQ9byNmLlwp0njJE2xtR +HjztBijmO8wtif3di+nUSwHRG0DcuE7f06Z28+pSrpB0XHDmALSefbq5g51aIR64 +fgC3txaEwILjHFjdK7Iaf0DHqQDUyxqC00IWATB9Dr9dtMIeQVN46x4681AfKp8p +oHdTCGNvbFo8vGI= -----END CERTIFICATE----- diff --git a/credentials/idp-signing.key b/credentials/idp-signing.key index 191cf78..cf8eb60 100644 --- a/credentials/idp-signing.key +++ b/credentials/idp-signing.key 
@@ -1,39 +1,39 @@ -----BEGIN RSA PRIVATE KEY----- -MIIG4wIBAAKCAYEApypXQpLV3wqhAtxqO99neORxrWkMpmTF3w6/R8dvbxNIUAmO -73l5lssAKcBUumzsxJiyuXNfBqpUColP94EByCUSNxmtiYiqv2t57dIX+0xVnQCp -+IV6FjNG7IqZtODIicSeJ515uBKC2iVURtIUPG8Bx1h7IucPXgAfO5+fde+82nCH -4/QTNTHED6JnsuATQMhLicTmQRCMTXLBirIC1iGDqc6hfqBPMKUKyVJ9cpB1z4DM -Z3dK+E7OUeO2ewvA0y43s2Bd2OV6paJ6ZHLcLWMIEYuegpxfh2pGGDZeryxyfG72 -BNbJ2mf3sMz1EtBgXFsHjCnGiSJ/BRLRJ0bs+Fr2Wsd+DmhMkJ0QyfFsbuyfMhPX -A3j95l25NHHH+OqZB5UUssvqfUZ8X0hs1Mt01en1Gfp+uS+FSnytcO+/7jIL4DRF -hrHOEXZHqnGpcRgwti6WmBcQgW9nWFCAPhEaSSARUxxrtinfyg7zD8I9Jg9iwRZU -6W/y7oMH5aifaZ+rAgMBAAECggGAIw0/ytfbPK+P33e0VuWbXsAYDhKO8n0C+Kiw -9y4ccaALc6ztac2A71uVpyuLGKQqaXbTUwucC1u/z43HVNCaPQt47FDYEJS1qPmy -UWnSWYFCGm+/NDtYxDrwTj0pycGwiyLNPuVIVo6bHX7iUw9N6vYj21b0SvdEQ6Om -6OupliM06GDcPbI6LNdIkzaso9dUcisNm8/LsCz2Hm9Hoft9mMTiRMLtHg4jTMHu -pxRC9bjQ2zfYpIFhGPv9SzKCWv61k1FC9VyYgV89xVtzdpxg9/h6hL8GGfzjgOSN -inmxqmchFWgTlSJRJb18W146UXxLTFYPkGvoS4oj6dKHKcCbKIl1t0GmpGJiO8v6 -V4eeK1WM/M4L4ipX/4rBeyLtXfyIlJZpkVavyRAaObCglrpXgH5zqoe2i20Uy+bS -YRjNkSuFBLmM3NZTM8+qfSMgQjYKpJBrmbyh0NmYNITDyfeXzpGPPc5PsfwB3DZL -BE01YSHCQaCfpONV0uc0BG8HoF+xAoHBAM9VvjKStNnbaPGTs3HV5lUe1ubf/b25 -Cx7Mo9ZPkf5zifM8AxmZs7bQqhqyCKo02+esKd/+hGPYK+M3KCilWK0G9XNakmw7 -nxNJ0VI0mycTghoSFj1/m97epDD8HsKofQWWL1xG0JnlreE6Vv15+BCJ8tCnXElk -QBDMkm8CrWfIznEViMKvnh18bH0XIVkZJCCXOAZno3RUBp7k5enyps4hvxcMQqTX -FBEBADyByp/gjEUNQZtCUNPUpN7D0ZAERwKBwQDOZugvZyDkqlT679/75LCc4ym6 -wXuRFLTDE8VfYw1xZ/TIqkSabYRF0cJWTvqSb9YdGfKHLnyKELJdUEv0wxg0JGIP -RB/xcMYdHvjpALUO/18lSei1wz5zMgNuAo+/aC0zO3l7By9tkgAfvTFjBMTP/pN/ -/m1N2+IjTY2AxIXzcfRw5doeJp/8RLO0uCKT8rzz3yAVnJTtTLAU8fyjkIoX0wfq -qaK1rJcvWI2yIAnvOrwK8N8KnHZu8JPEZ+n9r30CgcBlqc5sL+F73YkUw26+x7p8 -THXlmTlrOPvJ61/+qt+UXATtfqSqfeJQJvrxwhBbnTWi4Jlb2woBhzLl49rOK11S -4lGicWvQpF947r4zx9W4EGm/7NR47UR5wMPTvRw8KK+8+IpafeK1Q5jCEoArJA5N -1cZ5J0cqOXzsf9Lhmfd7J0yKyJtZkxE9tg/gOmJAtQIw9NUk1tagKL9iVCykTTYb -ZxKy83EOMOQG/m2mPaIkSM+e4EQmJBtL8z2weWYdbusCgcAhyjUOtZpr9PqujiCk 
-Ez9an9HQEibRjIs/OHhickvcGgG37DAI/A7gg0OGb62T1Z0+7GWI/fJDhBI/NosI -yfunZaFsEGIOW8EDOXPUaVo611HTP/NJ9mm94B0xoFe6JSrpLT5pBrcb///nMkjo -hfpWdr3dAWERkwLFdsfIoeOwBCLZbLe1oeslGHY3CsIWaHHIlumgwB6dbqWQ+EC8 -4kfJOLIeF6FcjqG9jYi89YPK11m7jM1m5lB5Pwdh6wUik90CgcEAmhPeuvRrwg8L -WWGG5d89i+tlqJ6ooeUJ8Dn8jFUe8i0XfLFys4min4KsDb6urDs25ZcJqpaQ/TXa -j0zYdaog+fPY5hmO18PoDq6jcv6XczJnq/XkgPzYR1i5PAe6gjXdMPWua9VMgqCm -aVqJxSCTdmd/RKhw8lUSqchT7p57B/5d22FHoky4fpJH7ihh53EVDHRYG/MSEqBl -SV0LK7SZSqZA80+tFnDf7r4TLDWVpmkLl9fn32xIE7EKjyeXUcuk +MIIG4gIBAAKCAYEAvtENeKgTFxJ3l8ZTeaFifLRLS4daxjnKy7JpTfrVOqZHGUQ3 +zAwY4xifs5rbiBkOAiLLBIqjJJalZQ6A+fSu34eVYdxp5VY5L2gAcF/6kf+wOMCU +2zdEwiewM9CZMo6HN77Z/ZEC1737/OBaRHwCEtC8l1BxU0V9TgEB/n31mtg5h7FW +DPe6dgo1NSeCjsKVGHrdG4Ozo+JHvklqy6knbqnNvPqmcLv4nrp/wQnRalqv7/26 +dlzoecXmCICH4cToBVACILXs331bpWEdHEc+bxInja15BOwb4pWLbqD5Qaj9hnPF +CAKFtA+Ivb9PKV+44eNN3n73dYEPmx21QeqXWVfn3Ukl4lIIhFC9XETbmSI+V8HL +Yl7e7n6GKN3hdVip0thN5vyPWYBt2DskW6+QFXry2F+EqMxNHUqJt0k3uu4pTZ9f +/DsQaA+/e+H23DGBIOytNzBz1jbU0Do/35td39YvRGN4T5KOuwmGTjrB6cM0/WOx +JhaKourpM6qiDs0bAgMBAAECggGAXXk7CCgNcffx7b+RlLuh60TGvbEInqIg3bgA +Ldr6KUja+12Xl7U1W8nsMadic0ESw6kXmpnvYTUKwH5iYA+kuotIei/nEBk02iww +Stw5etuuD58HTHu+iv22Kyu8YC/BvWUYlEY9BkJi9nVQwsucmGr4d4dIfGpF/7gu +qeQ6NChHxljwtlmEVd6aQfeg1R4su1k0hw31Kgrm6ig80JeEYYl8515BumfaWqcx +ffa5R0g1d3LrrJ/GoiB3lyKfbdFuns5Nw6Cd4gBwTFoFwZrRPGXQGnBNLhaicSFQ +vchLZQDe+SCdfOcdCmYI7pm9i8jbI+deTzDCT1am3gqvoil0Y+TW9EDk20a4vVnH +unSsz+kIpVw1O8Hkc7U4yPXxLbS8qTMJUmp0GwLV9egGy8iVVjPXp8VbyjiEDNIJ +Sp8y9wvjvDPDPxPg7H9Jkgk41muBVuo4KfpaojXSRomlqSD8NfzL6TIMSCPFq2vO +brp3Gblf14jwj1gPaHiQ7Kr1cH/BAoHBAOLoUvcS1kbxp0NDDBiEgCLPXpoG8MMc +Y3iSAZ9dtDXyqaUiFEyrpOCtJdIo/YW+on7J86t/+2t5hhJ1VQq7jUpHvoCnIOEj +SuMAv806owV7XueoFBpaKBEMp28gWFAygeKhGI9g75hjq23f55XT43jPB4NOmYmW +/Qle2ZS3G/lWKfMbNPbk4MAvvCULVWjaXgzOKnU3L4LybXYq1KzW0xxI7bAEj5ft +38SyzCJn0pIhpvDgQe0TpkBGajDeHEQiNQKBwQDXSCJbWC8B8dF/kjdTPeeDo/gX +sK2nBRxQuNJ6BwpAHaPcOA6G3Xcb9LNDFuRReh5jFDs1G86N4ZhL2dVthsQJHt/9 
+1pNrn7/UlOjrgRKVZDR8gFZxvuxn/TifuR3xv6+kTgaqknMepA5SpD4VB55VBeJP +B5OJtSrHxHh4fty+OMvvmpBNC+505yxY69nIRxAtOaFH6xFyM/klp7jgKsJV4lco +Un1WO0BqflPkLXlbMx4FjcSjikUnkhzbJxdnHA8CgcARfOxgBIClSRymD3XQMe4a +QLc+0cgekYKNGVusp7Eq8z/l7UF5Q0Va151xnB0mALJPaUsxbZS4DM6rf4WFZT0X +e34QNlFPaMPtyPH/ZESKOJ7w5cBe45Hw9nO1Gd4UmD/wcpANBOCScyQUPMyBfKos +dnBSy20D8LIh1cCZOJ+cUOq8xN0JJky4IzWx+TSk9yeGfyFAlXdA9WRAVj6773an +2GsRRNi4UeoMI+edwzi0cImISRBrsDcA/yxSBdxR1/0CgcAry0zR8Dp/1sWbgg8n +K+yw5uZNS2/IDk4YTcDjehMnv9/ZqL2rydm1Ii5lc3625HTSCweQYju+uSnWJFY6 +lbPDdzhx1vjeZ/0KLdDEN9mj8mKLAUCUmxZUgTrHo0zoJOqCLi1E/c3VaeJQBYFr +ncUj3rKPCSeGWAh/4wPu3z/gooU6FONOCSNVPMHUxQXkrDAqQxMAIl3GMbR5aIk/ +cPNfrU+1sDI3HI6aG2DNhkKtvtRYpOJfsn0m855TJryoCRkCgcAHnLZQEkXP624q +Pq5i5OaKUUeVfIlxHW4S9ucTDw/+G3iHdV9Gxeq3bmMh5B8c8VL9YIHHTKn1xs+h +iOolSuroDbzzjn+7wF6g2+6wxGg5G0JAiU2WNR4Lv1yJ57tkL42wmEhbzEdqtg47 +RPHPnKhBTxQ4dRMQ9/wCxFsgM1CuD4Fpog4VK06HGt9fXB2iDNQrZmgHbKuGmCL/ +p/9Ftzzg5fo/D3Vd28r2rVo1r4M/LmPuQ5ODWffn4leVNkkV3Gg= -----END RSA PRIVATE KEY----- diff --git a/credentials/sealer.jks b/credentials/sealer.jks index 0274ab6..f10f00a 100644 Binary files a/credentials/sealer.jks and b/credentials/sealer.jks differ diff --git a/credentials/sealer.kver b/credentials/sealer.kver index 81a9ede..aa1fae9 100644 --- a/credentials/sealer.kver +++ b/credentials/sealer.kver @@ -1,2 +1,2 @@ -#Thu Feb 06 17:19:55 UTC 2020 +#Wed Mar 24 15:54:24 UTC 2021 CurrentVersion=1 diff --git a/credentials/secrets.properties b/credentials/secrets.properties index afd43f4..26d4af7 100644 --- a/credentials/secrets.properties +++ b/credentials/secrets.properties @@ -1,5 +1,5 @@ # This is a reserved spot for most properties containing passwords or other secrets. -# Created by install at 2020-02-06T17:19:55.442Z +# Created by install at 2021-03-24T15:54:24.596740Z # Access to internal AES encryption key idp.sealer.storePassword = changeit diff --git a/views/admin/hello.vm b/views/admin/hello.vm new file mode 100644 index 0000000..33a0528 --- /dev/null 
+++ b/views/admin/hello.vm @@ -0,0 +1,73 @@ +## +## Velocity Template for Hello World page. +## +## Velocity context will contain the following properties +## flowRequestContext - the Spring Web Flow RequestContext +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## profileRequestContext - root of context tree +## subjectContext - ProfileRequestContext -> SubjectContext +## attributeContext - ProfileRequestContext -> AttributeContext +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## + + + + + + #springMessageText("idp.title", "Web Login Service") - #springMessageText("hello-world.title", "Hello World") + + + + +
+
+
+ #springMessageText( +

#springMessageText("idp.title", "Web Login Service")

+
+ +
+

#springMessageText("hello-world.greeting", "Greetings"), $encoder.encodeForHTML($subjectContext.getPrincipalName())

+
+

Authenticated By

+ #foreach ($result in $subjectContext.getAuthenticationResults().entrySet()) +
$encoder.encodeForHTML($result.getKey())
+ #end +
+

Java Principals in Subjects

+ #foreach ($s in $subjectContext.getSubjects()) + #foreach ($p in $s.getPrincipals()) +
$encoder.encodeForHTML($p)
+ #end + #end + #if ($attributeContext && !$attributeContext.getUnfilteredIdPAttributes().isEmpty()) +
+

Attributes:

+ #foreach ($a in $attributeContext.getUnfilteredIdPAttributes()) + #if (!$a.getValues().isEmpty()) +
+
$encoder.encodeForHTML($a.getId())
+ #foreach ($v in $a.getValues()) +
$encoder.encodeForHTML($v.getDisplayValue())
+ #end + #end + #end + #end +
+ +
+

#springMessageText("hello-world.reload", "Reload the Page")

+
+
+ +
+ +
+
+ + diff --git a/views/admin/unlock-keys.vm b/views/admin/unlock-keys.vm deleted file mode 100644 index a8228ae..0000000 --- a/views/admin/unlock-keys.vm +++ /dev/null @@ -1,97 +0,0 @@ -## -## Velocity Template for Attended Startup Unlock Utility -## -## Velocity context will contain the following properties: -## flowRequestContext - the Spring Web Flow RequestContext -## request - HttpServletRequest -## response - HttpServletResponse -## profileRequestContext -## environment - Spring Environment object for property resolution -## custom - arbitrary object injected by deployer -## -#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service")) -#set ($titleSuffix = $springMacroRequestContext.getMessage("idp.unlock-keys.title", "Attended Restart Key Unlock")) -#set ($eventId = $profileRequestContext.getSubcontext("org.opensaml.profile.context.EventContext").getEvent()) -#set ($state = $flowRequestContext.getCurrentState().getId()) - - - - - - $title - $titleSuffix - - - - -
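Review bot: The attribute dump in this new template iterates `$attributeContext.getUnfilteredIdPAttributes()` and prints every value for the authenticated subject, and the view performs no authorization of its own, so whether this admin page is safe to expose depends entirely on the access-control policy applied to the flow that renders it; that dependency is not recorded anywhere in the file. The header comment lists the context objects but would be clearer with a line such as `## NOTE: renders unfiltered attributes; relies on the admin flow's access-control policy, not on this view` so that anyone copying the template knows what it assumes. The consistent `$encoder.encodeForHTML(...)` around every interpolated value (principal name, result keys, principals, attribute ids and display values) is the right approach and should be kept if the page is extended.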
-
-
- #springMessageText( -

$title - $titleSuffix

-
- -
- #if ($state == "end") - #springMessageText("idp.unlock-keys.complete", "The system is unlocked and ready for use.") -

Validation Link

- #else - #if ($eventId == "InvalidMessage") -

- #springMessageText("idp.unlock-keys.error", "Unlock failed; check log for specific message.") -

-

- #end - -
- #parse("csrf/csrf.vm") - - - -
- - -
- -
- - -
- - - -
- - -
- -
- -
- -
- -
- -
- #end -
-
- -
- -
- -
- - \ No newline at end of file diff --git a/views/duo.vm b/views/duo.vm deleted file mode 100644 index d212df7..0000000 --- a/views/duo.vm +++ /dev/null @@ -1,83 +0,0 @@ -## -## Velocity Template for Duo login view-state -## -## Velocity context will contain the following properties -## flowExecutionUrl - the form action location -## flowRequestContext - the Spring Web Flow RequestContext -## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) -## profileRequestContext - root of context tree -## authenticationContext - context with authentication request information -## rpUIContext - the context with SP UI information from the metadata -## canonicalUsername - name of user passed to Duo -## duoHost - API hostname for Duo frame -## duoRequest - signed Duo request message -## duoScriptPath - path to Duo JavaScript source -## encoder - HTMLEncoder class -## request - HttpServletRequest -## response - HttpServletResponse -## environment - Spring Environment object for property resolution -## custom - arbitrary object injected by deployer -## - - - - - - - #springMessageText("idp.title", "Web Login Service") - - - - -
-
-
- #springMessageText( -
- -
-
- -

#springMessageText("idp.login.duoRequired", "Authentication with Duo is required for the requested service.")

- - - - -
- #parse("csrf/csrf.vm") - -
- -

- #springMessageText("idp.login.duoCancel", "Cancel this Request") -

-
- -
-
- -
- -
-
- - diff --git a/views/error.vm b/views/error.vm index dcb8e2b..a44bd6f 100644 --- a/views/error.vm +++ b/views/error.vm @@ -34,10 +34,12 @@ #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "error")) #set ($titleSuffix = $springMacroRequestContext.getMessage("${eventKey}.title", "$defaultTitleSuffix")) #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "$defaultTitleSuffix: $eventId")) + $response.setStatus(500) #else ## This is a catch-all that theoretically shouldn't happen? #set ($titleSuffix = $defaultTitleSuffix) #set ($message = $springMacroRequestContext.getMessage("idp.message", "An unidentified error occurred.")) + $response.setStatus(500) #end ## diff --git a/views/intercept/attribute-release.vm b/views/intercept/attribute-release.vm deleted file mode 100644 index c170b69..0000000 --- a/views/intercept/attribute-release.vm +++ /dev/null 
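Review bot: Both branches visible in this hunk now end with `$response.setStatus(500)`, so if the enclosing `#if` (which starts above the hunk) has no other branches, a single call after `#end` would express the same thing once; if earlier branches deliberately keep the default status, a short `##` comment on why only these two force a 500 would help the next reader. `setStatus` on an HttpServletResponse only takes effect while the response is uncommitted, so this relies on the view output being buffered before the status is written — worth confirming for the deployed view resolver. Returning 500 for every event-keyed error also hides whether the fault was the client's or the server's; if some of the events mapped here correspond to malformed requests, a 4xx for those would be more accurate and less noisy in server-side error monitoring.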
@@ -1,160 +0,0 @@ -## -## Velocity Template for DisplayAttributeReleasePage view-state -## -## Velocity context will contain the following properties : -## -## attributeReleaseContext - context holding consentable attributes -## attributeReleaseFlowDescriptor - attribute consent flow descriptor -## attributeDisplayNameFunction - function to display attribute name -## attributeDisplayDescriptionFunction - function to display attribute description -## consentContext - context representing the state of a consent flow -## encoder - HTMLEncoder class -## flowExecutionKey - SWF execution key (this is built into the flowExecutionUrl) -## flowExecutionUrl - form action location -## flowRequestContext - Spring Web Flow RequestContext -## profileRequestContext - OpenSAML profile request context -## request - HttpServletRequest -## response - HttpServletResponse -## rpUIContext - context with SP UI information from the metadata -## environment - Spring Environment object for property resolution -#set ($serviceName = $rpUIContext.serviceName) -#set ($serviceDescription = $rpUIContext.serviceDescription) -#set ($informationURL = $rpUIContext.informationURL) -#set ($privacyStatementURL = $rpUIContext.privacyStatementURL) -#set ($rpOrganizationLogo = $rpUIContext.getLogo()) -#set ($rpOrganizationName = $rpUIContext.organizationDisplayName) -#set ($replaceDollarWithNewline = true) -## - - - - - - - #springMessageText("idp.attribute-release.title", "Information Release") - - -
- #parse("csrf/csrf.vm") -
-
- - #if ($rpOrganizationLogo) - - #end -
- #if ($serviceName) -

- #springMessageText("idp.attribute-release.serviceNameLabel", "You are about to access the service:")
- $serviceName - #if ($rpOrganizationName) - #springMessageText("idp.attribute-release.of", "of") $encoder.encodeForHTML($rpOrganizationName) - #end -

- #end - #if ($serviceDescription) -

- #springMessageText("idp.attribute-release.serviceDescriptionLabel", "Description as provided by this service:")
- $encoder.encodeForHTML($serviceDescription) -
-

- #end - #if ($informationURL) -

- #springMessageText("idp.attribute-release.informationURLLabel", "Additional information about the service") -

- #end -
- - - - - - - - #foreach ($attribute in $attributeReleaseContext.getConsentableAttributes().values()) - - - - - - #end - -
- #springMessageText("idp.attribute-release.attributesHeader", "Information to be Provided to Service") -
$encoder.encodeForHTML($attributeDisplayNameFunction.apply($attribute)) - #foreach ($value in $attribute.values) - #if ($replaceDollarWithNewline) - #set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue()).replaceAll($encoder.encodeForHTML('$'),"
")) - #else - #set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue())) - #end - #if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled) - - #else - $encodedValue - #end -
- #end -
- #if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled) - #set ($inputType = "checkbox") - #else - #set ($inputType = "hidden") - #end - -
-
- #if ($privacyStatementURL) -

- #springMessageText("idp.attribute-release.privacyStatementURLLabel", "Data privacy information of the service") -

- #end -
-

- #springMessageText("idp.attribute-release.confirmationQuestion", "The information above would be shared with the service if you proceed. Do you agree to release this information to the service every time you access it?") -

- #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) -
- #springMessageText("idp.attribute-release.consentMethod", "Select an information release consent duration:") - #end - #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed) -

- - -

    -
  • #springMessageText("idp.attribute-release.doNotRememberConsentItem", "I agree to send my information this time.")
  • -
-

- #end - #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) -

- - -

    -
  • #springMessageText("idp.attribute-release.rememberConsentItem", "I agree that the same information will be sent automatically to this service in the future.")
  • -
-

- #end - #if ($attributeReleaseFlowDescriptor.globalConsentAllowed) -

- - -

    -
  • #springMessageText("idp.attribute-release.globalConsentItem", "I agree that all of my information will be released to any service.")
  • -
-

- #end - #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) - #springMessageText("idp.attribute-release.consentMethodRevoke", "This setting can be revoked at any time with the checkbox on the login page.") -
- #end -

- - -

-
-
-
- - diff --git a/views/intercept/expiring-password.vm b/views/intercept/expiring-password.vm deleted file mode 100644 index 4395844..0000000 --- a/views/intercept/expiring-password.vm +++ /dev/null @@ -1,54 +0,0 @@ -## -## Velocity Template for expiring password view -## -## Velocity context will contain the following properties -## flowExecutionUrl - the form action location -## flowRequestContext - the Spring Web Flow RequestContext -## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) -## profileRequestContext - root of context tree -## authenticationContext - context with authentication request information -## authenticationErrorContext - context with login error state -## authenticationWarningContext - context with login warning state -## ldapResponseContext - context with LDAP state (if using native LDAP) -## encoder - HTMLEncoder class -## request - HttpServletRequest -## response - HttpServletResponse -## environment - Spring Environment object for property resolution -## custom - arbitrary object injected by deployer -## - - - - - - #springMessageText("idp.title", "Web Login Service") - - - - - -
-
-
- #springMessageText( -

#springMessageText("idp.login.expiringSoon", "Your password will be expiring soon!")

-
- -
-

#springMessageText("idp.login.changePassword", "To create a new password now, go to") - #.

-

#springMessageText("idp.login.proceedBegin", "Your login will proceed in 20 seconds or you may click") - #springMessageText("idp.login.proceedHere", "here") - #springMessageText("idp.login.proceedEnd", "to continue").

-
-
- -
- -
- -
- - \ No newline at end of file diff --git a/views/intercept/impersonate.vm b/views/intercept/impersonate.vm deleted file mode 100644 index 37c486c..0000000 --- a/views/intercept/impersonate.vm +++ /dev/null @@ -1,90 +0,0 @@ -## -## Velocity Template for expiring password view -## -## Velocity context will contain the following properties -## flowExecutionUrl - the form action location -## flowRequestContext - the Spring Web Flow RequestContext -## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) -## profileRequestContext - root of context tree -## rpUIContext - the context with SP UI information from the metadata -## encoder - HTMLEncoder class -## request - HttpServletRequest -## response - HttpServletResponse -## environment - Spring Environment object for property resolution -## custom - arbitrary object injected by deployer -## -#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext')) - - - - - - #springMessageText("idp.title", "Web Login Service") - - - - -
-
-
- #springMessageText( -

#springMessageText("idp.impersonate.header", "Account Impersonation")

-
- -
- -
- #parse("csrf/csrf.vm") - #set ($serviceName = $rpUIContext.serviceName) - #if ($serviceName && !$rpContext.getRelyingPartyId().contains($serviceName)) - - $encoder.encodeForHTML($serviceName) - - #end - - - #springMessageText("idp.impersonate.text", "Enter an account name to impersonate to this service or continue normally.") - - -
- - - - - -
- -
- -
- -
- -
- -
- -
-
- -
- -
- -
- - \ No newline at end of file diff --git a/views/intercept/terms-of-use.vm b/views/intercept/terms-of-use.vm deleted file mode 100644 index 67b2c15..0000000 --- a/views/intercept/terms-of-use.vm +++ /dev/null @@ -1,69 +0,0 @@ -## -## Velocity Template for DisplayTermsOfUsePage view-state -## -## Velocity context will contain the following properties : -## -## encoder - HTMLEncoder class -## flowExecutionKey - SWF execution key (this is built into the flowExecutionUrl) -## flowExecutionUrl - form action location -## flowRequestContext - Spring Web Flow RequestContext -## request - HttpServletRequest -## response - HttpServletResponse -## rpUIContext - context with SP UI information from the metadata -## termsOfUseId - terms of use ID to lookup message strings -## environment - Spring Environment object for property resolution -#set ($serviceName = $rpUIContext.serviceName) -#set ($rpOrganizationLogo = $rpUIContext.getLogo()) -## - - - - - - - #springMessageText("${termsOfUseId}.title", "Terms of Use") - - -
-
- - #if ($rpOrganizationLogo) - - #end -
- #if ($rpOrganizationLogo) -
-

#springMessageText("${termsOfUseId}.title", "Terms of Use")

-
- #end -
- #springMessageText("${termsOfUseId}.text", "Terms of Use Text...") -
-
-
-
- #parse("csrf/csrf.vm") - -
-
-
-
- #parse("csrf/csrf.vm") - - - #if ($requireCheckbox) -

#springMessageText("idp.terms-of-use.required", "Please check this box if you want to proceed.")

- #end - -
-
-
-
-
- -
-
- - diff --git a/views/login.vm b/views/login.vm index 7609d40..c7b15c9 100644 --- a/views/login.vm +++ b/views/login.vm @@ -90,7 +90,7 @@ #end #foreach ($extFlow in $extendedAuthenticationFlows) - #if ($authenticationContext.isAcceptable($extFlow) and $extFlow.apply(profileRequestContext)) + #if ($authenticationContext.isAcceptable($extFlow) and $extFlow.test(profileRequestContext))