From 54b4708a1e3a3d0199c70d313df4080940765d48 Mon Sep 17 00:00:00 2001 
From: Paul Caskey Date: Tue, 30 Mar 2021 20:16:01 +0000 Subject: [PATCH] initial 4.1 config --- README.md | 1 + conf/access-control.xml | 2 +- conf/admin/admin.properties | 55 +++++ conf/admin/general-admin.xml | 74 ------ conf/admin/metrics.xml | 11 +- conf/attribute-resolver.xml | 21 +- conf/attributes/inetOrgPerson.xml | 4 +- conf/audit.xml | 2 +- conf/authn/authn-comparison.xml | 73 ++---- conf/authn/authn.properties | 213 ++++++++++++++++++ conf/authn/discovery-config.xml | 34 --- conf/authn/duo-authn-config.xml | 29 --- conf/authn/duo.properties | 30 --- conf/authn/external-authn-config.xml | 70 ------ conf/authn/function-authn-config.xml | 37 --- conf/authn/general-authn.xml | 173 -------------- conf/authn/ipaddress-authn-config.xml | 37 --- conf/authn/jaas-authn-config.xml | 25 -- conf/authn/jaas.config | 11 - conf/authn/krb5-authn-config.xml | 29 --- conf/authn/ldap-authn-config.xml | 32 --- conf/authn/mfa-authn-config.xml | 78 ------- conf/authn/password-authn-config.xml | 56 +++-- conf/authn/remoteuser-authn-config.xml | 75 ------ .../remoteuser-internal-authn-config.xml | 63 ------ conf/authn/saml-authn-config.xml | 35 --- conf/authn/spnego-authn-config.xml | 74 ------ conf/authn/x509-authn-config.xml | 44 ---- conf/authn/x509-internal-authn-config.xml | 21 -- .../attribute-sourced-subject-c14n-config.xml | 44 ---- conf/c14n/simple-subject-c14n-config.xml | 27 --- conf/c14n/subject-c14n.properties | 40 ++++ conf/c14n/subject-c14n.xml | 9 +- conf/c14n/x500-subject-c14n-config.xml | 37 --- conf/cas-protocol.xml | 106 --------- conf/errors.xml | 1 + .../attribute-resolver-ldap.xml | 17 +- conf/global.xml | 22 +- conf/idp.properties | 64 +++--- conf/intercept/consent-intercept-config.xml | 118 ---------- .../context-check-intercept-config.xml | 63 ------ .../expiring-password-intercept-config.xml | 31 --- conf/intercept/external-intercept-config.xml | 25 -- .../impersonate-intercept-config.xml | 25 -- conf/intercept/profile-intercept.xml | 42 ---- 
conf/ldap.properties | 9 +- conf/logback.xml | 2 +- conf/logback.xml.dist | 2 +- conf/logback.xml.tmp3 | 191 ++++++++++++++++ conf/metadata-providers.xml | 10 +- conf/relying-party.xml | 11 +- conf/services.properties | 3 +- conf/services.xml | 11 - conf/session-manager.xml | 29 --- credentials/idp-backchannel.crt | 46 ++-- credentials/idp-backchannel.p12 | Bin 3377 -> 3377 bytes credentials/idp-encryption.crt | 44 ++-- credentials/idp-encryption.key | 74 +++--- credentials/idp-signing.crt | 44 ++-- credentials/idp-signing.key | 74 +++--- credentials/sealer.jks | Bin 502 -> 502 bytes credentials/sealer.kver | 2 +- credentials/secrets.properties | 2 +- views/admin/hello.vm | 73 ++++++ views/admin/unlock-keys.vm | 97 -------- views/duo.vm | 83 ------- views/error.vm | 2 + views/intercept/attribute-release.vm | 160 ------------- views/intercept/expiring-password.vm | 54 ----- views/intercept/impersonate.vm | 90 -------- views/intercept/terms-of-use.vm | 69 ------ views/login.vm | 2 +- views/logout.vm | 2 - views/spnego-unavailable.vm | 49 ---- 74 files changed, 882 insertions(+), 2433 deletions(-) create mode 100644 conf/admin/admin.properties delete mode 100644 conf/admin/general-admin.xml create mode 100644 conf/authn/authn.properties delete mode 100644 conf/authn/discovery-config.xml delete mode 100644 conf/authn/duo-authn-config.xml delete mode 100644 conf/authn/duo.properties delete mode 100644 conf/authn/external-authn-config.xml delete mode 100644 conf/authn/function-authn-config.xml delete mode 100644 conf/authn/general-authn.xml delete mode 100644 conf/authn/ipaddress-authn-config.xml delete mode 100644 conf/authn/jaas-authn-config.xml delete mode 100644 conf/authn/jaas.config delete mode 100644 conf/authn/krb5-authn-config.xml delete mode 100644 conf/authn/ldap-authn-config.xml delete mode 100644 conf/authn/mfa-authn-config.xml delete mode 100644 conf/authn/remoteuser-authn-config.xml delete mode 100644 conf/authn/remoteuser-internal-authn-config.xml delete 
mode 100644 conf/authn/saml-authn-config.xml delete mode 100644 conf/authn/spnego-authn-config.xml delete mode 100644 conf/authn/x509-authn-config.xml delete mode 100644 conf/authn/x509-internal-authn-config.xml delete mode 100644 conf/c14n/attribute-sourced-subject-c14n-config.xml delete mode 100644 conf/c14n/simple-subject-c14n-config.xml create mode 100644 conf/c14n/subject-c14n.properties delete mode 100644 conf/c14n/x500-subject-c14n-config.xml delete mode 100644 conf/cas-protocol.xml rename conf/{ => examples}/attribute-resolver-ldap.xml (84%) delete mode 100644 conf/intercept/consent-intercept-config.xml delete mode 100644 conf/intercept/context-check-intercept-config.xml delete mode 100644 conf/intercept/expiring-password-intercept-config.xml delete mode 100644 conf/intercept/external-intercept-config.xml delete mode 100644 conf/intercept/impersonate-intercept-config.xml delete mode 100644 conf/intercept/profile-intercept.xml create mode 100644 conf/logback.xml.tmp3 delete mode 100644 conf/session-manager.xml create mode 100644 views/admin/hello.vm delete mode 100644 views/admin/unlock-keys.vm delete mode 100644 views/duo.vm delete mode 100644 views/intercept/attribute-release.vm delete mode 100644 views/intercept/expiring-password.vm delete mode 100644 views/intercept/impersonate.vm delete mode 100644 views/intercept/terms-of-use.vm delete mode 100644 views/spnego-unavailable.vm diff --git a/README.md b/README.md index 8fe42b3..dc2e6bd 100644 --- a/README.md +++ b/README.md @@ -14,3 +14,4 @@ to complete a deployment. * Internal Testing - (TEST) branch/repo that uses the "test bed" which is something that I2 provides (LDAP) and an element to make all integrations. Appropriate for Jenkins and testing environments * `release` branch * External Testing - (RELEASE) branch/repo (ultimately will live in Subversion?) for end users + diff --git a/conf/access-control.xml b/conf/access-control.xml index a9184e6..3853722 100644 --- a/conf/access-control.xml 
+++ b/conf/access-control.xml @@ -34,7 +34,7 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/conf/admin/metrics.xml b/conf/admin/metrics.xml index fccf419..208ab6b 100644 --- a/conf/admin/metrics.xml +++ b/conf/admin/metrics.xml @@ -26,6 +26,7 @@ + @@ -59,12 +60,20 @@ + - + + + + diff --git a/conf/attribute-resolver.xml b/conf/attribute-resolver.xml index 0ee236b..8d16a59 100644 --- a/conf/attribute-resolver.xml +++ b/conf/attribute-resolver.xml @@ -1,17 +1,16 @@ telephoneNumber SAML2StringTranscoder SAML1StringTranscoder - urn:mace:dir:attribute-def:telephoneNumber - urn:oid:2.5.4.20 + urn:oid:2.5.4.20 + urn:mace:dir:attribute-def:telephoneNumber Business phone number Telefon Geschäft Teléphone professionnel diff --git a/conf/audit.xml b/conf/audit.xml index a9faf4c..42d82b8 100644 --- a/conf/audit.xml +++ b/conf/audit.xml @@ -19,7 +19,7 @@ diff --git a/conf/authn/authn-comparison.xml b/conf/authn/authn-comparison.xml index dcf0271..0730bcb 100644 --- a/conf/authn/authn-comparison.xml +++ b/conf/authn/authn-comparison.xml @@ -12,62 +12,33 @@ default-destroy-method="destroy"> - - - - - - - + + + + + + 1 + + - - - - - - - - + + - - - - - - - - - - - - - - - - - + --> + diff --git a/conf/authn/authn.properties b/conf/authn/authn.properties new file mode 100644 index 0000000..56111ef --- /dev/null +++ b/conf/authn/authn.properties 
@@ -0,0 +1,213 @@
+# Properties that control authentication generally and the behavior of
+# specific methods.
+
+# Regular expression matching login flows to enable, e.g. IPAddress|Password
+#idp.authn.flows = Password
+
+# Default settings for most authentication methods.
+#idp.authn.defaultLifetime = PT1H
+#idp.authn.defaultTimeout = PT30M
+#idp.authn.proxyRestrictionsEnforced = true
+
+# Whether to populate relying party user interface information for display
+# during authentication, consent, terms-of-use.
+#idp.authn.rpui = true
+
+# Whether to prioritize "active" results when an SP requests more than
+# one possible matching login method (V2 behavior was to favor them)
+#idp.authn.favorSSO = false
+
+# Whether to fail requests when a user identity after authentication
+# doesn't match the identity in a pre-existing session.
+#idp.authn.identitySwitchIsError = false
+
+# If using IdP discovery feature, provides a discovery location to use.
+#idp.authn.discoveryURL = https://ds.example.org/shibboleth-ds/index.html
+
+# Properties below override specific method behavior, as an alternative
+# to defining Spring beans in XML. Refer to the documentation for a complete
+# list. Many of the properties below are mentioned only because they are
+# atypical defaults assumed for a given method.
+
+# Flow selection among multiple equivalent options can be managed with
+# the order properties, lower will be tried first.
+
+#### Password ####
+
+#idp.authn.Password.order = 1000
+#idp.authn.Password.passiveAuthenticationSupported = true
+#idp.authn.Password.forcedAuthenticationSupported = true
+# Override this and removeAfterValidation to require all validators to succeed
+#idp.authn.Password.requireAll = false
+# Override to keep the password around
+#idp.authn.Password.removeAfterValidation = true
+# Override to store password in Java Subject
+#idp.authn.Password.retainAsPrivateCredential = false
+# Simple username transforms before validation
+#idp.authn.Password.trim = true
+#idp.authn.Password.lowercase = false
+#idp.authn.Password.uppercase = false
+#idp.authn.Password.matchExpression =
+# Override default form field names
+#idp.authn.Password.usernameFieldName = j_username
+#idp.authn.Password.passwordFieldName = j_password
+#idp.authn.Password.ssoBypassFieldName = donotcache
+# Unset if using customized Principals per validator
+#idp.authn.Password.addDefaultPrincipals = true
+# The Principal collection below is the typical default if not otherwise noted.
+#idp.authn.Password.supportedPrincipals = \
+# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
+# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
+# saml1/urn:oasis:names:tc:SAML:1.0:am:password
+# Validators are controlled in password-authn-config.xml
+
+#### Password Backends ####
+
+# See ldap.properties for LDAP authn properties
+# Kerberos settings
+#idp.authn.Krb5.refreshConfig = false
+#idp.authn.Krb5.preserveTicket = false
+# Set next two for KDC verification
+#idp.authn.Krb5.servicePrincipal =
+#idp.authn.Krb5.keytab =
+# JAAS settings
+#idp.authn.JAAS.loginConfigNames = ShibUserPassAuth
+#idp.authn.JAAS.loginConfig = %{idp.home}/conf/authn/jaas.config
+
+#### External ####
+
+#idp.authn.External.order = 1000
+#idp.authn.External.nonBrowserSupported = false
+#idp.authn.External.matchExpression =
+# Unset if you plan to return full Java Subject from external source
+#idp.authn.External.addDefaultPrincipals = true
+# Servlet context-relative path to wherever your implementation lives
+idp.authn.External.externalAuthnPath = contextRelative:external.jsp
+
+#### RemoteUser ####
+
+#idp.authn.RemoteUser.order = 1000
+#idp.authn.RemoteUser.nonBrowserSupported = false
+#idp.authn.RemoteUser.matchExpression =
+# Unset in most cases only if using the authnMethodHeader or
+# subjectAttribute settings
+#idp.authn.RemoteUser.addDefaultPrincipals = true
+# Most other settings need to be supplied via web.xml to the servlet
+
+#### RemoteUserInternal ####
+
+#idp.authn.RemoteUserInternal.order = 1000
+#idp.authn.RemoteUserInternal.nonBrowserSupported = true
+# Unset in most cases only if using the authnMethodHeader feature
+#idp.authn.RemoteUserInternal.addDefaultPrincipals = true
+#idp.authn.RemoteUserInternal.checkRemoteUser = true
+# Comma-delimited lists of attributes or headers to pull from
+#idp.authn.RemoteUserInternal.checkAttributes =
+#idp.authn.RemoteUserInternal.checkHeaders =
+# Simple transforms to apply
+#idp.authn.RemoteUserInternal.trim = true
+#idp.authn.RemoteUserInternal.lowercase = false
+#idp.authn.RemoteUserInternal.uppercase = false
+#idp.authn.RemoteUserInternal.matchExpression =
+#idp.authn.RemoteUserInternal.allowedUsernames =
+#idp.authn.RemoteUserInternal.deniedUsernames =
+
+#### SPNEGO ####
+
+#idp.authn.SPNEGO.order = 1000
+#idp.authn.SPNEGO.nonBrowserSupported = false
+#idp.authn.SPNEGO.enforceRun = false
+#idp.authn.SPNEGO.refreshKrbConfig = false
+#idp.authn.SPNEGO.matchExpression =
+idp.authn.SPNEGO.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, \
+ saml1/urn:ietf:rfc:1510
+
+#### X509 ####
+
+#idp.authn.X509.order = 1000
+#idp.authn.X509.nonBrowserSupported = false
+# Servlet context-relative path to wherever your implementation lives
+#idp.authn.X509.externalAuthnPath = contextRelative:x509-prompt.jsp
+idp.authn.X509.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
+ saml1/urn:ietf:rfc:2246
+
+#### X509Internal ####
+
+#idp.authn.X509Internal.order = 1000
+#idp.authn.X509Internal.nonBrowserSupported = false
+#idp.authn.X509Internal.saveCertificateToCredentialSet = true
+idp.authn.X509Internal.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
+ saml1/urn:ietf:rfc:2246
+
+#### IPAddress ####
+
+#idp.authn.IPAddress.order = 1000
+#idp.authn.IPAddress.passiveAuthenticationSupported = true
+#idp.authn.IPAddress.lifetime = PT60S
+#idp.authn.IPAddress.inactivityTimeout = PT60S
+idp.authn.IPAddress.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol
+
+#### Function ####
+
+#idp.authn.Function.order = 1000
+#idp.authn.Function.passiveAuthenticationSupported = true
+# Unset if you plan to return full Java Subject from function
+#idp.authn.Function.addDefaultPrincipals = true
+
+#### Duo ####
+
+#idp.authn.Duo.order = 1000
+#idp.authn.Duo.nonBrowserSupported = false
+#idp.authn.Duo.forcedAuthenticationSupported = true
+# Unset if you have advanced Duo integrations with individualized Principals
+#idp.authn.Duo.addDefaultPrincipals = true
+# The list below should be changed to reflect whatever locally- or
+# community-defined values are appropriate to represent Duo. It is
+# strongly advised that the value not be specific to Duo or any
+# particular technology to avoid lock-in.
+idp.authn.Duo.supportedPrincipals = \
+ saml2/http://example.org/ac/classes/mfa, \
+ saml1/http://example.org/ac/classes/mfa
+# Default Duo integration settings are defined separately
+# in duo.properties due to the sensitivity of the secret key.
+
+
+#### SAML ####
+
+#idp.authn.SAML.order = 1000
+#idp.authn.SAML.nonBrowserSupported = false
+#idp.authn.SAML.passiveAuthenticationSupported = true
+#idp.authn.SAML.forcedAuthenticationSupported = true
+#idp.authn.SAML.proxyScopingEnforced = true
+# Discovery options:
+# Define shibboleth.authn.SAML.discoveryFunction bean
+# Set proxyEntityID property
+# Fall through to discovery via discoveryRequired property
+#idp.authn.SAML.proxyEntityID = https://idp.example.org/idp/shibboleth
+#idp.authn.SAML.discoveryRequired = true
+# Generally left false with bidirectional mappings in
+# conf/authn/authn-comparison.xml across the proxy boundary.
+#idp.authn.SAML.addDefaultPrincipals = false
+
+#### MFA ####
+
+#idp.authn.MFA.order = 1000
+#idp.authn.MFA.passiveAuthenticationSupported = true
+#idp.authn.MFA.forcedAuthenticationSupported = true
+#idp.authn.MFA.validateLoginTransitions = true
+# The list below almost certainly requires changes, and should generally be the
+# union of any of the separate factors you combine in your particular MFA flow
+# rules. The example corresponds to the example in mfa-authn-config.xml that
+# combines IPAddress with Password.
+idp.authn.MFA.supportedPrincipals = \ + saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \ + saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \ + saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \ + saml1/urn:oasis:names:tc:SAML:1.0:am:password +# Most actual setup via mfa-authn-config.xml diff --git a/conf/authn/discovery-config.xml b/conf/authn/discovery-config.xml deleted file mode 100644 index e21e3fd..0000000 --- a/conf/authn/discovery-config.xml +++ /dev/null @@ -1,34 +0,0 @@ - - - - - - - - - - - diff --git a/conf/authn/duo-authn-config.xml b/conf/authn/duo-authn-config.xml deleted file mode 100644 index 2867f48..0000000 --- a/conf/authn/duo-authn-config.xml +++ /dev/null @@ -1,29 +0,0 @@ - - - - - - diff --git a/conf/authn/duo.properties b/conf/authn/duo.properties deleted file mode 100644 index cb4b4aa..0000000 --- a/conf/authn/duo.properties +++ /dev/null 
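Review bot: The Duo block at the end of this new file still says the integration keys are "defined separately in duo.properties due to the sensitivity of the secret key", yet the diffstat and `delete mode` entries show this same commit removing conf/authn/duo.properties, so a Duo flow enabled later would start with no `idp.duo.*` values at all. If Duo is out of scope for this deployment, make the comment say so, e.g. `# Duo is not configured here; duo.properties was removed in the 4.1 migration.`; if it is in scope, restore the file with real keys and keep it out of version control, which is the reason the stock comment separates it in the first place. Separately, `#idp.authn.flows = Password` is left commented, so this file selects no login flow; unless `idp.authn.flows` still lives in idp.properties (that hunk is not visible in this excerpt), I'd uncomment it as `idp.authn.flows = Password` so the enabled set is explicit in one place.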
@@ -1,30 +0,0 @@ -## Duo integration settings - -## Note: If upgrading from pre-3.3 IdP versions, you will need to manually add a pointer -## to this property file to idp.properties. - -## The first set of properties support DuoWeb "iframe" integration. - -idp.duo.apiHost = hostname -idp.duo.applicationKey = key -idp.duo.integrationKey = key -idp.duo.secretKey = key - -## The second set are used for direct AuthAPI usage for ECP support. -## A seperate integration has to be created for this to work. - -#idp.duo.nonbrowser.apiHost = %{idp.duo.apiHost} -#idp.duo.nonbrowser.applicationKey = key -#idp.duo.nonbrowser.integrationKey = key -#idp.duo.nonbrowser.secretKey = key - -## Request header names for Duo non-browser credentials. -# idp.duo.nonbrowser.header.factor = X-Shibboleth-Duo-Factor -# idp.duo.nonbrowser.header.device = X-Shibboleth-Duo-Device -# idp.duo.nonbrowser.header.passcode = X-Shibboleth-Duo-Passcode - -## Enables auto selection of factor/device if not specified by client. -# idp.duo.nonbrowser.auto = true - -## Enables transmission of client address to Duo during authentication. -# idp.duo.nonbrowser.clientAddressTrusted = true diff --git a/conf/authn/external-authn-config.xml b/conf/authn/external-authn-config.xml deleted file mode 100644 index 9d6652a..0000000 --- a/conf/authn/external-authn-config.xml +++ /dev/null @@ -1,70 +0,0 @@ - - - - - - - - - - - - - - - - - - UnknownUsername - - - - - InvalidPassword - - - - - ExpiredPassword - - - - - ExpiringPassword - - - - - diff --git a/conf/authn/function-authn-config.xml b/conf/authn/function-authn-config.xml deleted file mode 100644 index cf7876a..0000000 --- a/conf/authn/function-authn-config.xml +++ /dev/null @@ -1,37 +0,0 @@ - - - - - - - - - - - - - - - - diff --git a/conf/authn/general-authn.xml b/conf/authn/general-authn.xml deleted file mode 100644 index b936f97..0000000 --- a/conf/authn/general-authn.xml +++ /dev/null 
@@ -1,173 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - - diff --git a/conf/authn/ipaddress-authn-config.xml b/conf/authn/ipaddress-authn-config.xml deleted file mode 100644 index a3ee096..0000000 --- a/conf/authn/ipaddress-authn-config.xml +++ /dev/null @@ -1,37 +0,0 @@ - - - - - - - - - - - - - - - diff --git a/conf/authn/jaas-authn-config.xml b/conf/authn/jaas-authn-config.xml deleted file mode 100644 index 7edd41c..0000000 --- a/conf/authn/jaas-authn-config.xml +++ /dev/null @@ -1,25 +0,0 @@ - - - - - - - - - - - ShibUserPassAuth - - - diff --git a/conf/authn/jaas.config b/conf/authn/jaas.config deleted file mode 100644 index 232e93d..0000000 --- a/conf/authn/jaas.config +++ /dev/null @@ -1,11 +0,0 @@ -ShibUserPassAuth { - /* - com.sun.security.auth.module.Krb5LoginModule required; - */ - - org.ldaptive.jaas.LdapLoginModule required - ldapUrl="ldap://localhost:10389" - baseDn="ou=people,dc=example,dc=org" - userFilter="uid={user}"; - -}; \ No newline at end of file diff --git a/conf/authn/krb5-authn-config.xml b/conf/authn/krb5-authn-config.xml deleted file mode 100644 index f826f30..0000000 --- a/conf/authn/krb5-authn-config.xml +++ /dev/null @@ -1,29 +0,0 @@ - - - - - - - - - - - diff --git a/conf/authn/ldap-authn-config.xml b/conf/authn/ldap-authn-config.xml deleted file mode 100644 index 22a760b..0000000 --- a/conf/authn/ldap-authn-config.xml +++ /dev/null @@ -1,32 +0,0 @@ - - - - - - - - - - - - - - - - diff --git a/conf/authn/mfa-authn-config.xml b/conf/authn/mfa-authn-config.xml deleted file mode 100644 index 3bfbcbb..0000000 --- a/conf/authn/mfa-authn-config.xml +++ /dev/null @@ -1,78 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/conf/authn/password-authn-config.xml b/conf/authn/password-authn-config.xml index 73ac7f8..4529b6f 100644 
--- a/conf/authn/password-authn-config.xml +++ b/conf/authn/password-authn-config.xml @@ -13,34 +13,18 @@ default-destroy-method="destroy"> - - - + Ordered list of CredentialValidators to apply to a request. - + The four supplied variants are shown below; the HTPasswd option + is an OOB default for demo account purposes, and you will + want to remove it after initial install and testing. + --> + + + - - - - - - - - - - - - - - - - - @@ -58,7 +42,7 @@ p:lockoutDuration="PT5M" p:extendLockoutDuration="false" /> --> - + - - - - - - - - - - - - - - NoCredentials - - - - - UnknownUsername - - - - - InvalidPassword - - - - - ExpiredPassword - - - - - ExpiringPassword - - - - - diff --git a/conf/authn/remoteuser-internal-authn-config.xml b/conf/authn/remoteuser-internal-authn-config.xml deleted file mode 100644 index 9e68c85..0000000 --- a/conf/authn/remoteuser-internal-authn-config.xml +++ /dev/null @@ -1,63 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/conf/authn/saml-authn-config.xml b/conf/authn/saml-authn-config.xml deleted file mode 100644 index 4ff55f9..0000000 --- a/conf/authn/saml-authn-config.xml +++ /dev/null @@ -1,35 +0,0 @@ - - - - - - - - - - diff --git a/conf/authn/spnego-authn-config.xml b/conf/authn/spnego-authn-config.xml deleted file mode 100644 index 6c0fa48..0000000 --- a/conf/authn/spnego-authn-config.xml +++ /dev/null @@ -1,74 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SPNEGONotAvailable - - - - - NTLMUnsupported - - - - - diff --git a/conf/authn/x509-authn-config.xml b/conf/authn/x509-authn-config.xml deleted file mode 100644 index 18b015a..0000000 --- a/conf/authn/x509-authn-config.xml +++ /dev/null @@ -1,44 +0,0 @@ - - - - - - - - - - - - - NoCredentials - InvalidCredentials - - - - - diff --git a/conf/authn/x509-internal-authn-config.xml b/conf/authn/x509-internal-authn-config.xml deleted file mode 100644 index bad3029..0000000 
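Review bot: The rewritten comment in the first hunk calls the HTPasswd validator an out-of-the-box demo option to remove after install, but the validator list itself is not legible in this excerpt, so I can't confirm which validators are active; please verify only the LDAP validator remains before this reaches the release branch and make the comment record the decision, e.g. `<!-- Only the LDAP validator is enabled; the HTPasswd demo validator has been removed. -->`. The second hunk still shows `p:lockoutDuration="PT5M" p:extendLockoutDuration="false" />` followed by `-->`, which suggests the AccountLockoutManager remains inside a comment block, leaving online password guessing against the login form unthrottled by the IdP. Either enable it or add a comment stating where throttling is enforced instead. Both hunks are inside the `<beans>` element whose start precedes the first hunk.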
--- a/conf/authn/x509-internal-authn-config.xml +++ /dev/null @@ -1,21 +0,0 @@ - - - - - - diff --git a/conf/c14n/attribute-sourced-subject-c14n-config.xml b/conf/c14n/attribute-sourced-subject-c14n-config.xml deleted file mode 100644 index 938b30f..0000000 --- a/conf/c14n/attribute-sourced-subject-c14n-config.xml +++ /dev/null @@ -1,44 +0,0 @@ - - - - - - altuid - - - - - altuid - - - - - - - - - - - - - diff --git a/conf/c14n/simple-subject-c14n-config.xml b/conf/c14n/simple-subject-c14n-config.xml deleted file mode 100644 index 3cddfa6..0000000 --- a/conf/c14n/simple-subject-c14n-config.xml +++ /dev/null @@ -1,27 +0,0 @@ - - - - - - - - - - - - - - diff --git a/conf/c14n/subject-c14n.properties b/conf/c14n/subject-c14n.properties new file mode 100644 index 0000000..3811493 --- /dev/null +++ b/conf/c14n/subject-c14n.properties 
@@ -0,0 +1,40 @@
+# Properties that control the behavior of post-login subject c14n flows.
+# A few more advanced settings require XML configuration, see flow-specific docs.
+
+
+# Simple username -> principal name c14n
+#idp.c14n.simple.lowercase = false
+#idp.c14n.simple.uppercase = false
+#idp.c14n.simple.trim = true
+
+
+# Attribute resolution -> principal name c14n
+#idp.c14n.attribute.lowercase = false
+#idp.c14n.attribute.uppercase = false
+#idp.c14n.attribute.trim = true
+# Lists of attributes to resolve...
+#idp.c14n.attribute.attributesToResolve =
+# and then select a principal name from
+#idp.c14n.attribute.attributeSourceIds =
+# Allows direct use of attributes via SAML proxy authn, bypasses resolver
+#idp.c14n.attribute.resolveFromSubject = false
+#idp.c14n.attribute.resolutionCondition = shibboleth.Conditions.TRUE
+
+# X.509 certificate -> principal name c14n
+#idp.c14n.x500.lowercase = false
+#idp.c14n.x500.uppercase = false
+#idp.c14n.x500.trim = true
+# Precedence is to check for a subjectAltName and then an OID RDN
+# Comma-delimited list of subjectAltName type numbers
+# (See https://tools.ietf.org/html/rfc5280#section-4.2.1.6)
+#idp.c14n.x500.subjectAltNameTypes =
+# Comma-delimited list of OIDS
+#idp.c14n.x500.objectIDs =
+
+# Proxied SAML NameID -> principal name c14n
+#idp.c14n.saml.proxy.lowercase = false
+#idp.c14n.saml.proxy.uppercase = false
+
+# NameID consumption from SAML requests
+#idp.c14n.saml.lowercase = false
+#idp.c14n.saml.uppercase = false
diff --git a/conf/c14n/subject-c14n.xml b/conf/c14n/subject-c14n.xml
index e4b772f..b354535 100644
--- a/conf/c14n/subject-c14n.xml
+++ b/conf/c14n/subject-c14n.xml
@@ -21,6 +21,8 @@ principal name. Flows are identified with an ID that corresponds to a Spring Web Flow subflow name. + + Most of the simple settings that configure these flows are in subject-c14n.properties. -->
@@ -54,7 +55,7 @@
diff --git a/conf/c14n/x500-subject-c14n-config.xml b/conf/c14n/x500-subject-c14n-config.xml deleted file mode 100644 index 1ae25e4..0000000 --- a/conf/c14n/x500-subject-c14n-config.xml +++ /dev/null @@ -1,37 +0,0 @@ - - - - - - - - - - - 2.5.4.3 - - - - - - - - - - - - - diff --git a/conf/cas-protocol.xml b/conf/cas-protocol.xml deleted file mode 100644 index 2eb1733..0000000 --- a/conf/cas-protocol.xml +++ /dev/null @@ -1,106 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/conf/errors.xml b/conf/errors.xml index a5a8790..a9730c0 100644 --- a/conf/errors.xml +++ b/conf/errors.xml @@ -26,6 +26,7 @@ + diff --git a/conf/attribute-resolver-ldap.xml b/conf/examples/attribute-resolver-ldap.xml similarity index 84% rename from conf/attribute-resolver-ldap.xml rename to conf/examples/attribute-resolver-ldap.xml index 19b68d6..ec375b4 100644 --- a/conf/attribute-resolver-ldap.xml +++ b/conf/examples/attribute-resolver-ldap.xml @@ -62,6 +62,10 @@ connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}" trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}" responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}" + connectionStrategy="%{idp.attribute.resolver.LDAP.connectionStrategy}" + noResultIsError="true" + multipleResultsIsError="true" + excludeResolutionPhases="c14n/attribute" exportAttributes="mail displayName sn givenName departmentNumber employeeNumber eduPersonEntitlement eduPersonAssurance"> - - + - - - - - - - - - - - - - - - - - samlPairwiseID - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/conf/intercept/context-check-intercept-config.xml b/conf/intercept/context-check-intercept-config.xml deleted file mode 100644 index aae07f0..0000000 --- a/conf/intercept/context-check-intercept-config.xml +++ /dev/null @@ -1,63 +0,0 @@ - - - - - - - - - - - - - - * - - - - - - - - - - - - - \ No newline at end of file 
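Review bot: The added `noResultIsError="true"` and `multipleResultsIsError="true"` on the LDAP DataConnector are the right guards for a lookup keyed on the authenticated principal (an ambiguous match should fail rather than return the first entry), but this same hunk moves the file to conf/examples/, and the attribute-resolver.xml hunk earlier in the patch shows no import of it, so the hardened connector may not be loaded by the running IdP at all. Please confirm the active resolver's LDAP connector carries the same two attributes, and add a note at the top of the moved file, e.g. `<!-- Example only: not loaded unless attribute-resolver.xml imports it explicitly. -->`. The new `excludeResolutionPhases="c14n/attribute"` keeps this connector out of the attribute-sourced c14n phase, which deserves a one-line why-comment since it quietly changes where a principal-name lookup would be served from. The DataConnector's start tag begins before the hunk.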
diff --git a/conf/intercept/expiring-password-intercept-config.xml b/conf/intercept/expiring-password-intercept-config.xml deleted file mode 100644 index b3bf96d..0000000 --- a/conf/intercept/expiring-password-intercept-config.xml +++ /dev/null @@ -1,31 +0,0 @@ - - - - - - - - - - - - - diff --git a/conf/intercept/external-intercept-config.xml b/conf/intercept/external-intercept-config.xml deleted file mode 100644 index 1d0fc29..0000000 --- a/conf/intercept/external-intercept-config.xml +++ /dev/null @@ -1,25 +0,0 @@ - - - - - - - - - diff --git a/conf/intercept/impersonate-intercept-config.xml b/conf/intercept/impersonate-intercept-config.xml deleted file mode 100644 index 7dfda2b..0000000 --- a/conf/intercept/impersonate-intercept-config.xml +++ /dev/null @@ -1,25 +0,0 @@ - - - - - - - - - - diff --git a/conf/intercept/profile-intercept.xml b/conf/intercept/profile-intercept.xml deleted file mode 100644 index f086cfa..0000000 --- a/conf/intercept/profile-intercept.xml +++ /dev/null @@ -1,42 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/conf/ldap.properties b/conf/ldap.properties index d89412a..45b0be0 100644 --- a/conf/ldap.properties +++ b/conf/ldap.properties @@ -7,11 +7,12 @@ ## Connection properties ## idp.authn.LDAP.ldapURL=ldap://localhost:10389 #idp.authn.LDAP.useStartTLS = true -#idp.authn.LDAP.useSSL = false # Time in milliseconds that connects will block #idp.authn.LDAP.connectTimeout = PT3S # Time in milliseconds to wait for responses #idp.authn.LDAP.responseTimeout = PT3S +# Connection strategy to use when multiple URLs are supplied, either ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM +#idp.authn.LDAP.connectionStrategy = ACTIVE_PASSIVE ## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust #idp.authn.LDAP.sslConfig = certificateTrust 
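Review bot: `idp.authn.LDAP.ldapURL=ldap://localhost:10389` keeps a plaintext `ldap://` scheme while `#idp.authn.LDAP.useStartTLS = true` stays commented, so protection of user passwords in transit rests on the built-in default rather than anything stated in this file (the resolver line in the next hunk falls back to `true` only for the resolver's own use). The hunk also drops `#idp.authn.LDAP.useSSL = false` without explanation; in 4.1 I believe an `ldaps://` URL is the way to request LDAP-over-TLS, so the comment should say which of StartTLS or ldaps is intended. I'd uncomment `idp.authn.LDAP.useStartTLS = true` and add `# StartTLS is required; server trust is pinned via idp.authn.LDAP.sslConfig = certificateTrust`. `localhost:10389` also matches the README's internal test bed, so flag it for replacement before this config is promoted to the release branch.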
@@ -38,11 +39,15 @@ idp.authn.LDAP.bindDN=uid=myservice,ou=system # for AD use idp.authn.LDAP.dnFormat=%s@domain.com idp.authn.LDAP.dnFormat=uid=%s,ou=people,dc=example,dc=org +# pool passivator, either none, bind or anonymousBind +#idp.authn.LDAP.bindPoolPassivator = none + # LDAP attribute configuration, see attribute-resolver.xml # Note, this likely won't apply to the use of legacy V2 resolver configurations idp.attribute.resolver.LDAP.ldapURL=%{idp.authn.LDAP.ldapURL} idp.attribute.resolver.LDAP.connectTimeout=%{idp.authn.LDAP.connectTimeout:PT3S} idp.attribute.resolver.LDAP.responseTimeout=%{idp.authn.LDAP.responseTimeout:PT3S} +idp.attribute.resolver.LDAP.connectionStrategy=%{idp.authn.LDAP.connectionStrategy:ACTIVE_PASSIVE} idp.attribute.resolver.LDAP.baseDN=%{idp.authn.LDAP.baseDN:undefined} idp.attribute.resolver.LDAP.bindDN=%{idp.authn.LDAP.bindDN:undefined} idp.attribute.resolver.LDAP.useStartTLS=%{idp.authn.LDAP.useStartTLS:true} @@ -55,6 +60,8 @@ idp.attribute.resolver.LDAP.searchFilter=(uid=$resolutionContext.principal) #idp.pool.LDAP.validateOnCheckout = false #idp.pool.LDAP.validatePeriodically = true #idp.pool.LDAP.validatePeriod = PT5M +#idp.pool.LDAP.validateDN = +#idp.pool.LDAP.validateFilter = (objectClass=*) #idp.pool.LDAP.prunePeriod = PT5M #idp.pool.LDAP.idleTime = PT10M #idp.pool.LDAP.blockWaitTime = PT3S diff --git a/conf/logback.xml b/conf/logback.xml index 817de02..bf38b44 100644 --- a/conf/logback.xml +++ b/conf/logback.xml @@ -14,7 +14,7 @@ - + diff --git a/conf/logback.xml.dist b/conf/logback.xml.dist index 2b76770..730f583 100644 --- a/conf/logback.xml.dist +++ b/conf/logback.xml.dist @@ -14,7 +14,7 @@ - + diff --git a/conf/logback.xml.tmp3 b/conf/logback.xml.tmp3 new file mode 100644 index 0000000..4674e93 --- /dev/null +++ b/conf/logback.xml.tmp3 
@@ -0,0 +1,191 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /tmp/logidp-process + + + ${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory} + + + + UTF-8 + %date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{short} + + + + + + + VelocityStatusMatcher + ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\. + + VelocityStatusMatcher.matches(formattedMessage) + + DENY + + + + + + 0 + + + + + + WARN + + + /tmp/logidp-warn + + + ${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory} + + + + UTF-8 + %date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{full} + + + + + + + VelocityStatusMatcher + ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\. + + VelocityStatusMatcher.matches(formattedMessage) + + DENY + + + + + + /tmp/logidp-audit + + + ${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory} + + + + UTF-8 + %msg%n + + + + + + ${idp.logfiles}/idp-consent-audit.log + + + ${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory} + + + + UTF-8 + %msg%n + + + + + + ${idp.fticks.loghost:-localhost} + ${idp.fticks.logport:-514} + AUTH + [%thread] %logger %msg + + + + + + + + + + + + + + + + + + + + diff --git a/conf/metadata-providers.xml b/conf/metadata-providers.xml index fc81612..d5cb34b 100644 --- a/conf/metadata-providers.xml +++ b/conf/metadata-providers.xml 
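Review bot: This new file is a scratch copy (`.tmp3` suffix) committed into conf/, and its process, warning and audit appenders write to fixed paths under `/tmp` (`/tmp/logidp-process`, `/tmp/logidp-warn`, `/tmp/logidp-audit`) while their rolling policies and the consent-audit appender still use `${idp.logfiles}`, so the split looks accidental. A predictable filename in a world-writable directory lets any local user pre-create or symlink the file the IdP opens, and for the audit log that means the only record of issued assertions can be redirected or tampered with. Either drop the file from the commit (conf/logback.xml is already updated in this patch) or point the three appenders back at `${idp.logfiles}/idp-process.log`, `${idp.logfiles}/idp-warn.log` and `${idp.logfiles}/idp-audit.log`. The F-TICKS appender defaults to `${idp.fticks.loghost:-localhost}:${idp.fticks.logport:-514}`, which is fine locally but unauthenticated if pointed at a remote syslog host, so a comment to that effect would help.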
@@ -18,7 +18,8 @@ http://www.w3.org/2000/09/xmldsig# http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd http://www.w3.org/2009/xmldsig11# http://www.w3.org/TR/2013/REC-xmldsig-core1-20130411/xmldsig11-schema.xsd http://www.w3.org/2001/04/xmlenc# http://www.w3.org/TR/xmlenc-core/xenc-schema.xsd - http://www.w3.org/2009/xmlenc11# http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/xenc-schema-11.xsd"> + http://www.w3.org/2009/xmlenc11# http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/xenc-schema-11.xsd" + sortKey="1"> @@ -49,11 +50,12 @@ + metadataURL="http://WHATEVER" + failFastInitialization="false"> - + md:SPSSODescriptor diff --git a/conf/relying-party.xml b/conf/relying-party.xml index 5045b93..439e7f1 100644 --- a/conf/relying-party.xml +++ b/conf/relying-party.xml @@ -27,20 +27,17 @@ - + - + - %{idp.home}/conf/relying-party.xml %{idp.home}/conf/credentials.xml - %{idp.home}/system/conf/relying-party-system.xml %{idp.home}/conf/metadata-providers.xml - %{idp.home}/system/conf/metadata-providers-system.xml @@ -33,7 +30,6 @@ --> %{idp.home}/conf/attribute-registry.xml - %{idp.home}/system/conf/attribute-registry-system.xml %{idp.home}/conf/attributes/default-rules.xml %{idp.home}/conf/attribute-resolver.xml @@ -44,16 +40,10 @@ %{idp.home}/conf/saml-nameid.xml - %{idp.home}/system/conf/saml-nameid-system.xml %{idp.home}/conf/access-control.xml - %{idp.home}/system/conf/access-control-system.xml - - - - %{idp.home}/conf/cas-protocol.xml %{idp.home}/messages/messages - %{idp.home}/system/messages/messages diff --git a/conf/session-manager.xml b/conf/session-manager.xml deleted file mode 100644 index 7372029..0000000 --- a/conf/session-manager.xml +++ /dev/null @@ -1,29 +0,0 @@ - - - - - - - - - - - - - - - - diff --git a/credentials/idp-backchannel.crt b/credentials/idp-backchannel.crt index c8886ea..a4d86af 100644 --- a/credentials/idp-backchannel.crt +++ b/credentials/idp-backchannel.crt 
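Review bot: `metadataURL="http://WHATEVER"` is a placeholder, and it is committed next to `failFastInitialization="false"`, so a provider whose source can never be fetched will log and carry on at startup instead of aborting — exactly the case in which a placeholder goes unnoticed. Because the URL is plain http, everything fetched from it has to be trusted on the strength of a signature-validation filter, and the provider's child elements are not legible in this hunk, so please confirm a filter with a pinned signing certificate is present before this provider goes live. I would replace the placeholder with the real URL (https where the publisher offers it) and leave `failFastInitialization` at its default until the source is real.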
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEKDCCApCgAwIBAgIVAIsUgQNNYuil54yiVLUFlzdr/qQUMA0GCSqGSIb3DQEB -CwUAMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzAeFw0yMDAyMDYxNzE5NTRa -Fw00MDAyMDYxNzE5NTRaMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzCCAaIw -DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOSJwBSKrIMjDCdjxHYxQ0YGz56h -Vqb/DklBpsOeOgXnFMPoDf941IDu2kOvCpRKW12wWmDUskv9Vi+4RfiA9gUXUCdh -jHTNBUj9GXYafCFFMReZ/fVbqvSRHCE/EBHHjo2qAHTfw/R0P8IBdAICs1LvkzCn -W3prZJnJH3HD3+W/yubesNe5cG3/D9OnAeNMcwtNh7fyuGIFzUL1OA/pL0Gu+UXx -W0sMjOPR4Tlt0yi1k2tsZGmB6AYMqX2Wjd/nhjTibqGEVC0OSRiDtr/C8nEx5MAD -bl23mzHR8S/9vxQN8Y9N78FtObnMcB5PPtkkJsqBPpAlDiz2ONT27AnTM6EsaBjc -VG3PH7Js7SSEvJPuibTfxIOWcLmVVSt6RozMSclXpvq2I9l35hoCq+OaoF+RXbSO -8gaon5NYbCfWVSpbmKbw1o/wcOqsrM1F/4mtZp3T5VMYOZBARXlewwkh+xm0p5JB -lmJO8x9WOIiQFjiPZKkK63GR5OgO5RwD5O3U4wIDAQABo2UwYzAdBgNVHQ4EFgQU -3ztcEnBpdG+CgScY9MC0g81oOVcwQgYDVR0RBDswOYIPaWRwLmV4YW1wbGUub3Jn -hiZodHRwczovL2lkcC5leGFtcGxlLm9yZy9pZHAvc2hpYmJvbGV0aDANBgkqhkiG -9w0BAQsFAAOCAYEAAsszcNm8lHWf31vwbNGY8m6Oz6XXrhYAmRcudvs86z2bWw3C -oDLvKWFuyJAAeIP11UpbW4aSs+P2f4I9/ZfTVbqKxPfSYIG1LSdKl5ICFaGP18K6 -PBqtu6eu71Hrz083IvR8qddD7Kl12aGfwDhFUtqy2zhmYsI7LhfwRA8ayJX4204x -tOmU6LxRtgJWsdlqjyzcZ9buafqfvoTCbjnzbO2gUoEPCDUxfTi+HRn+JppXVxzV -vXbs9G5xWI6eeojYtZqKWn3xaLQcPcla2b0dJSYvZ0paoC44hpwr5eWX2mGQ5+cn -AzK55H3uOq975QJDIdXpuuWIh99y+jC8/NcUFkFjb/86DSOs+LtwM2VhjiL5HL3I -oVIuAVBS4YAxE8NDGgcuPrS7+m1UjnHiagOkEqbhMr0/j16/g++CivWpWPxjTYfL -Rbw85j+b7/uzUTYXzQgVpSnvgB6cP92MH3WNWyIYf+d/mribIybrKpE65diSVUYC -vwiLfazt2AHOsVki +MIIEJzCCAo+gAwIBAgIUEtJU0oOkMid5473At++VFGAbX3gwDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMB4XDTIxMDMyNDE1NTQyNFoX +DTQxMDMyNDE1NTQyNFowGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMIIBojAN +BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAq+6x7Ay8s9vl/r+trvJMbwdXiFxH +PwQeJ/Oof48EWuP61zluBENhk9E5rdf2zlCxkfiB78G8YFZh9ZjcWkIR63xIO9YA ++NuQg+WOPu8fvegcly0ulg2dRXvi0b7q/FsK1MtKcxRECpTNu2DD6K5oHkjf/nmp +nJIlAxvYyP0aqwEy+qq1NFC+WTjoFP7ZyKt+oSz08ONV2v/1dNRwcjfgc8MJcoq0 
+Nw56mGZ2LlTidXP8lQBpsQ6/gJvdnVv/B4q8fVS3zpFgokkyQM6eW1ZpGjPY9K1A +paLcAio+MCoPbRJwAlI+5tdgKMMvz+xq4RN0e68IIZS4IgmkVem52uJcfUiX297F +Ar1QdH4NZvijir2Wt4xYMxpThsV6n7F88wWzJj/D5bErZeIWG+DWJq2FZ7rqq3Oc +tz22TH3iBkYrSvFG5nwyHQJaptDDMm6OpWTfmcjh9jT9H6mz4BdBln2uJUswVNGG +bR9w9OcXqYN6X8bll9Q9XcVZh2uBgPB3NWGzAgMBAAGjZTBjMB0GA1UdDgQWBBTc +BIECuv3b1y5K9FBK2zKFc2j4HzBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeG +Jmh0dHBzOi8vaWRwLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3 +DQEBCwUAA4IBgQAQsx5PLHRi8+WjBTSW6RiNiSRFTpNKPdFzoKDhpaCVSlrpjgzp +0qD7QorlKPVJNUhl56Fs2S6oWy6e7lb1eBPBAfCNqTalFJNnDdMvZh02FCecbE87 +6Wv7JcD5kA+f6HUDwmaB15fabheSE3YMGQFtaEidmd/jd23CaDL5RNeHUoKS6JHC +yNsUlZ+R0Cq2ia2wLhW2Z2CYpNh9JM/LOmcTslOgmThNeCnrMIikWSTLQ4C3H9/R +/iN8NaQhKn4vcYTwEqiaVFQbIU2mQQLT+YK63L4S4S339IsjZiqGEw8DKBnfjL7b +D1snXa+G6MiQJNcuChuvGfGSlXCSFjtUr9vivzHeGW2h+6uStzTuZ7t5NhQMRTFD +qT+gyCR/bzsEUh1Lj3J2mFPM/cUSlhH3H0TJcVT9GZUzFNAP0qbaFs9PxXH2gpDI +XrshYcEiXlj+dsSUNhaCqYibPwkHrRBIAqoDGdMFI+Y5SePVo4ksA55m0gPeY+FM +mUbCNQngUzNlYPU= -----END CERTIFICATE----- 
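Review bot: The renewed back-channel certificate still identifies the sample entity — the base64 decodes to `CN=idp.example.org` with a SAN of `https://idp.example.org/idp/shibboleth` — so unless this deployment really is idp.example.org, the new key pair was generated for the wrong entityID and relying parties that pin metadata to it will have to re-import it again later. The matching keystore `credentials/idp-backchannel.p12` changes in the next file section; if it holds the private key as the stock layout does, that key (and the one it replaces) now sits in git history for everyone with repository access, and deleting the file later does not undo that. Consider keeping the keystore out of the repository and treating both old and new keys as exposed if the repository is shared.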
diff --git a/credentials/idp-backchannel.p12 b/credentials/idp-backchannel.p12 index f39cfa8df1b3447869fb29e8fef70eff16d3dd8c..9e30c3da6a4bbef31a0e7c20f460929c8952461d 100644 GIT binary patch delta 3183 zcmV-#43P7&8nGIXXn*YfJdj6e;luH6i=;NX7vH_d0NDZq0K-rOf(Hmdqae-z-+KVr zb#B;EG(Cu5KtrG?3qZ(diZ1MLLmp9~G&cAW?V1sSzNhBKoeNJV3F?*YPH$r+nVJzt$&ZK@OR*3enr~jZTqrOGK65#G881u?NF7>?505V$_^=3ZJ|+bCeB zMG1(te5H)8XRl{z)!rs^?0*I9NEkn`P{$v+gsQ9vWW4p8jbt=w(qLQKXc;LT;!NBi z(&!uoi+>B5c&Z(38Q0`0?^<;t=~Jv5S5X`E!}nWS=}WfO#EntSbd|hcQR$EHP_`EN z@Nn|9p{@|djGo>{e3KUN^t@lh>-z>YiK^HBq1#WMv;u}vaoRxDCUoE;(t*G@>i(aV zVkf?`86u?c=!6wQ3pZ^cmb|N;UrNw0Dko9k@mlKir;Oih!v<<|0 zzwm`tdBJ1800yHiazHHI#gYHsyfy;`fx%}{-Ons<>_InPX6CKHdq<8LOQOrhAHD?} z9?lJtLF$g_&VECi=XrqMq}&y!GGNC z6ExTujfV(LgV<*johvk%5FJK{(}Ki(evkbUmRJ*monA6(ap+0Rn@|XB_DI0U`H}+r zR&~QO#;Sb@rV}50m<2X`spR@YUMS4&PP9d)!`~PW912E zRg!qtIBheUJAcQ5Anhi! zbP&^NZ%~*M!!^*7+^$WkCBr$3;z7Ov$@=U_^++xQEPTvpS^b}t(XTmX*73&5$0 z0I&uOPa^C@7-vq&jtPB~sef$y>a;bXCN)HEeVUHayJmln)nP4LUsswrAlg}0(sbdw z;ke%nUDmIv3c1qivm}^qI$)Ji=s4y{=Gmu&3~FDYDj%;P@1vj z47)2k!*9$T_|xy?SvWuz$r=SUr9U1%Gy{+tCgJupEm+;o3(G5YCFmq8GtX>HzoB^a z(cz%3(GS&4)FcbOIZG2x$ILlM9kWahAiZ9|lUV1xif9<>x@;&M!3N$#2yyjb;t1Qi zzmX0o0&5cFG_mWAhJU>wY!}=X2i~Oz`WMsFjGv8cN$2{9yFFG~au&_&_O2`Ih@Fqd zEAg6Y?)m333q81Nr}t2#UI^k_*m_E}pLg>6HvJF*7VY$UlJHxasz=j^EC| zS|PxW?#VAF{{-IKTDaFU1AW|9oBg!l{orgc_dgnRYuG_XIy3T34=?9w!>D+r+p+Psduvr#89>k-6Y1Qz2=P#(H)|yEX!XU^ygLUOhYtY)0|3KNfPw_LK8c4ySTx(@fcx8n(1Y%A|Oyt{l20uEC{ha&fHyohG<7wd- zJH#ZA)Y6c#eYrx$tVJR{>`)ys^W2qwC3(ViWZTj=b?- zc#l&b2nW|&fFj#bx!e+6ejH-^V}%9>ZQXyZ;?0j{{O4+?FbCUv{8k#R-g^`kA_X?1 z?#gnL5d}H#h1F$`RXnGIMEHTeC#^p_ZIc4@b|;KCYx2{_>G6cvWRD}ljVf|p@p70V zh?=l!toL-&6Hn^ROrC$3__Z;0H&w}tHKK|1#oUX37D!D^as3MGqt-6xSoW=?4%UAj z`?$t6HmAFYj3e?Bk;+x--ljhDJ;q@cV?X1h*4s@y@d01 zh}d9iv<&WDp)q>hNw#)vKdSC9s-yT)SGy^D2#q6LVl-<>lyK5 zEvi!4b4;rfA^r!8y@oPl;IL2o|3l5@Jp&d9S<={FrI>jgM;6Wz0s8GLRa4bF{0;`h z7)KXa4?x+vvKP9NDJ2jvH(n<5)vlFFa$g!P1$a>-j}cdz({qzU+L%NSE|h;$$(^16 
z!p~4sWK4F=gezTZ(xdGpb?>|&8~!o&L%-qR4=qN3{lp7)KGs6ZSn%Yri99^_k`m)* zgtrks;k@1uV~~sDgaRe8^R%e{a0(IJuDuO}Ei+B3uwYH11CusRWW69)dIgAbA52SE zj4-ICSQJGMvuC^Uv0W9_f*gNR^|_>g;>}K_KrwtHoDo{rfx9hZ1SIoMErb-T4|Jf( zl(Ui2n(>KpP_(9+`cn{_b)+Qg#p*i6-VhL<^W>~>2NS=`{D!hP?1}h5#&3dx{D2$N zcpz49QQ%QvG&yBjF!twbUwba|ZZ6fu3{j+?OFbqjXu)40FWlwsggbxf!Jan3-E98| z`3k{A3jDJvWYV!ModkA3Yt0barSvKGcvC)K=fkXMv2~U5ODn8w(cIsori271f-%Kpt}^o&*dFP)U`jxQ8-ng zo&X5BqKN|PMg&MDS3!SKfMv`bEX!lc1aZ|k1vbR@p$}p%rT}dI|3cI;zVoZi=-Gqt zU|b}(HxlRz{K=n4aJ(V!TnQK8YE3uRV5NRErH1qC{~1p4(2bp9l%-AbMX^=)xz!V+ zdioGzp)fu$AutIB1uG5%0vZJX1QY~Z#^Y)>M?yz?CW!mhU~&@ci60K-rOf(Hohf05eX3lGLN zU936Se5tsI?o5@-R6}dj|3P^&-R~XNjRKRM82^!(_0e#4fMYej>M?I~N`EzDiWabt+6vZ$x=6l= z9gR<$%Z4}odk(OviReM4t}=+Ljl1`ZM#eqwpgx((0d* zMe`sTnxdpw^nWI^S&?C#r9SY&9C5zmnfjb`emPaRLtmKeY$9^gAm&*TnZ%!UCv|@u zt!*HlEhYV!GI?okm-LB+gTyfW%7kaqC)I9KyOnj@B~vpJQi5r!aGDY9NWT~>SUc?t zRUz>nr4>5@_P>jO4SA%R7iq~-JA(SkKka@<%f|diQGZ}=pL^$xYtK<0+7+iqGA8Gi zUpuyr^ES0dKLnu@7{8P!mVu8Xo1I(QqPV<+D!c@olOM}r8IuM{XAvOM&)Pzi{PlFp z=ZCu>nxR%tF@G^=p{*d`br$fDlD$xNc@EelsChzhbOP#!p~QRkpm-S%)K`&+naKJK zhY{FT=6~A6^38yT4_ss&y#P-^(v9oI3TXMmq$ktMU*bB6+vI)qQMu`pRy}aW{n^A0 z?b701(piC<<(gt`(Ax7TVaMx(Sqc2y?p7Gq(a9wBYMpsjGPa8?Q|zf>mT4KOauhM2BuPfE!Z5wH z9ED^2THs|}*dS)E2DN^Sx^{c>{9d$ifWJF=qXVWijT%B zbos&5oo2KjgGiHW2XqqDQoRmt*b#DE-F;mI(BA6nVYvPTt7FXwx{|W<3&=g71&+UF z%zxt9!^uMr`Pw}<#^siAHhg(_kGo0>p5!1-VUC@yH3K;h(uoxRY$jpu4g&mb33;g9 z6m3pw`VWbx?c+mjPqOyM0WIF8`U6xLvcluBdAixg|S{VK0_J5+9c#gEtxTAmhq0}(7okmE|%l(IPv0^TX zkm+`_=%XQtl)DHBNE@kbOW}K85i#fcX^@T#Qa)qj!s zV(~l6-Ji&*PI~f`JYPVkvM=F-r(uUx;a_@jzvgOh!MjUA{3oODj)<0KcQmPyYj00- z252;c8dIZXd^LDu~3mgr~>$mERoPx9$cbDEpKSyV+P z(R$omZ#zL?@{^!bP(o_9jvrCA5UR(9xpX@}V!=R-_PJ{3gLux2j6G$9`hT%VdiQLR zG$(>108n0#CJ>jkzfGCnFBE!RI8xrXLs6t!&$pFLUBH6_5FwPP)}&l%94T=|Jgf6g zo(I~{6ZRb!xN&i>^B#UyyD^&?pc10+Ui!sTs@S2tq+fl+`La=m-f!g9Td@NKyG3F_ z1gT9csAb;?E;H2@0PYvST7UTKEo@9xW?)XD=Mec;`pFz5gSZd$Z?1cjd8ZqvH2@^= zvmpwPbxvJK57t4Vi+k{2%%$qUpr^psE$WY6LhD%@Ey92&PqSgn1 
zT()V4RVK9+0+R$mE_IZad~$S=PG&wi-y~(7JR09FURX-TZ-b&fH>Q)@8eOqs`V_%W zsSmqLW|glc=>a4uSFs9VJNb=c?2$Zr-uoe=$KY6LWEH@`SSXUO)vO`&2<`i_SW$P* z%TqUD4%6{J6u`Z{E`NVn@h%M)c6|Vw;ML}NSTvuCZ_(8hYUM$aSP89nC~~uZZj$*9 z2It~VQkdD4d{4kbsES)^>`kn`0M~u#3d+={aR1IZMiCJ_2#5d0i@b|k;xFv)W0m={ z>Y9EH14$~hwh0JS|1%O#@D3NlSA#bWnHKheo2KOG3Hve+Rx_q#>$zAt=yJpRy+RrN zBql_sm@tv{<;dd-o@HqVH-6%qM4MxmU5SO&a+O*a>WYG#a+8e*NDMVNF)%PWH90jf zFfxFiMVd*#x&;z@AYS zixH-ok`t4nX*l!KtPe$4|Fx3;lQ9on+ze;w|MN}TeqZ3k5k;)&2?9X63IN#1=|JzK=V)043#!ZyT1p5EJgMil30_q` z8TiOV+L|bWcJr;n9ir;2218lSWXK!vi+$d7rqD7MK{0u+wgjm`>Z^ON1~gTO4c2?B zf=RhRMg5r^l(xm8hFO=SK(VbI)YZLpduxA){HlhSbvC*;u*od}uwC=*Qf!czhq&<^ ztN_dayfbWkltZK6k_V5k)wdDesOJ2IyzOZbu3%T42|Q>@e8#m2n(W(PL*i-0r|+qA z*b+spk-%R+Sy-ivz&;TrH{fo3%o&!8ZC-@c_MCv<<^ zpzGxcf!j|Zceuu<<0MsVR2XTgH+G5_#_p{ZtP1a_&UvIw^ftj3F&3Cuh`ig-uH>^n zB{a+HuLtWl4EjhR$f5{hFf(O@Nqp$=?CPh`2a3S^Goc{U1&WF7VUsC4&pfz0~8SlO3Lm20dejp1mkIKwqpW!^ciT4`IfEs-#E8xVgp4MPu5 z4N9c#ZPf&yO#sGRZi5*mwj9jE;AT}O?Mu={ubP+$Y9Z*S_H+Cp%q>XC(7L(BLyRGl zF7oKq)Z+}um@JPG<7_#&yS!x{9HhD{#HG*6VtNNz_}p@7&v-j`Tc-E{s@OqDKPcLB zVjA^0PtE%)2~L5y)6KHN`4fK*KQch7TY*U5X`8ImX)w)fKK|VnbMd6CJ2vO9erme< z{-A7afM5PHHg1B0$iK|WohK#`0c0vjBWkQYAXzXc!)Tq)#8c*G5;oCw|II^QKPk5!z|OkaQGwkKgdVP_b- z-8M>y`z&GUo^=2w8$D5s&Qv0FCC}Oi^BnQQ_^PDgB>Y>ny8i8z+b-tr%N2$^bnz0F& zY}XD1>t^aJr}_cD2WR23JufY^6SWyqVAThb9(gt~w}CH8(vU}ywdu~{j5GIj`& zP>wgYP~J=5xq8uIuRC4YQT^a2ykF6JMS+=~HA~UJ3c0dkDGoHF@5Ba?^%E$pRqXl4 zpJA>uA&k)l_F39(E`BetU|{8c=O@2UOxlGSM)>-&8WE_IumLg@I4&r{u~*8X8ynbH LB!H;Qd+^vsDClA> delta 209 zcmV;?051Rb1NH-u90hP2gX?sWA?SbLLuEEvt-DJC0|N~}b#VZG00jU50Fda7tZk#z zT=?M(2|V_kSE4pGn8?tf4y%~x zXt40<_1SK725SroglXR^xj5k@z3b{YP$o4fev)q-Y6v*?b38t`aNZZE65l8<*a*`v zE_V8%%KS(jqVG SubjectContext +## attributeContext - ProfileRequestContext -> AttributeContext +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## + + + + + + #springMessageText("idp.title", "Web Login Service") - #springMessageText("hello-world.title", 
"Hello World") + + + + +
+
+
+ #springMessageText( +

#springMessageText("idp.title", "Web Login Service")

+
+ +
+

#springMessageText("hello-world.greeting", "Greetings"), $encoder.encodeForHTML($subjectContext.getPrincipalName())

+
+

Authenticated By

+ #foreach ($result in $subjectContext.getAuthenticationResults().entrySet()) +
$encoder.encodeForHTML($result.getKey())
+ #end +
+

Java Principals in Subjects

+ #foreach ($s in $subjectContext.getSubjects()) + #foreach ($p in $s.getPrincipals()) +
$encoder.encodeForHTML($p)
+ #end + #end + #if ($attributeContext && !$attributeContext.getUnfilteredIdPAttributes().isEmpty()) +
+

Attributes:

+ #foreach ($a in $attributeContext.getUnfilteredIdPAttributes()) + #if (!$a.getValues().isEmpty()) +
+
$encoder.encodeForHTML($a.getId())
+ #foreach ($v in $a.getValues()) +
$encoder.encodeForHTML($v.getDisplayValue())
+ #end + #end + #end + #end +
+ +
+

#springMessageText("hello-world.reload", "Reload the Page")

+
+
+ +
+ +
+
+ + diff --git a/views/admin/unlock-keys.vm b/views/admin/unlock-keys.vm deleted file mode 100644 index a8228ae..0000000 --- a/views/admin/unlock-keys.vm +++ /dev/null @@ -1,97 +0,0 @@ -## -## Velocity Template for Attended Startup Unlock Utility -## -## Velocity context will contain the following properties: -## flowRequestContext - the Spring Web Flow RequestContext -## request - HttpServletRequest -## response - HttpServletResponse -## profileRequestContext -## environment - Spring Environment object for property resolution -## custom - arbitrary object injected by deployer -## -#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service")) -#set ($titleSuffix = $springMacroRequestContext.getMessage("idp.unlock-keys.title", "Attended Restart Key Unlock")) -#set ($eventId = $profileRequestContext.getSubcontext("org.opensaml.profile.context.EventContext").getEvent()) -#set ($state = $flowRequestContext.getCurrentState().getId()) - - - - - - $title - $titleSuffix - - - - -
-
-
- #springMessageText( -

$title - $titleSuffix

-
- -
- #if ($state == "end") - #springMessageText("idp.unlock-keys.complete", "The system is unlocked and ready for use.") -

Validation Link

- #else - #if ($eventId == "InvalidMessage") -

- #springMessageText("idp.unlock-keys.error", "Unlock failed; check log for specific message.") -

-

- #end - -
- #parse("csrf/csrf.vm") - - - -
- - -
- -
- - -
- - - -
- - -
- -
- -
- -
- -
- -
- #end -
-
- -
- -
- -
- - \ No newline at end of file diff --git a/views/duo.vm b/views/duo.vm deleted file mode 100644 index d212df7..0000000 --- a/views/duo.vm +++ /dev/null @@ -1,83 +0,0 @@ -## -## Velocity Template for Duo login view-state -## -## Velocity context will contain the following properties -## flowExecutionUrl - the form action location -## flowRequestContext - the Spring Web Flow RequestContext -## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) -## profileRequestContext - root of context tree -## authenticationContext - context with authentication request information -## rpUIContext - the context with SP UI information from the metadata -## canonicalUsername - name of user passed to Duo -## duoHost - API hostname for Duo frame -## duoRequest - signed Duo request message -## duoScriptPath - path to Duo JavaScript source -## encoder - HTMLEncoder class -## request - HttpServletRequest -## response - HttpServletResponse -## environment - Spring Environment object for property resolution -## custom - arbitrary object injected by deployer -## - - - - - - - #springMessageText("idp.title", "Web Login Service") - - - - -
-
-
- #springMessageText( -
- -
-
- -

#springMessageText("idp.login.duoRequired", "Authentication with Duo is required for the requested service.")

- - - - -
- #parse("csrf/csrf.vm") - -
- -

- #springMessageText("idp.login.duoCancel", "Cancel this Request") -

-
- -
-
- -
- -
-
- - diff --git a/views/error.vm b/views/error.vm index dcb8e2b..a44bd6f 100644 --- a/views/error.vm +++ b/views/error.vm @@ -34,10 +34,12 @@ #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "error")) #set ($titleSuffix = $springMacroRequestContext.getMessage("${eventKey}.title", "$defaultTitleSuffix")) #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "$defaultTitleSuffix: $eventId")) + $response.setStatus(500) #else ## This is a catch-all that theoretically shouldn't happen? #set ($titleSuffix = $defaultTitleSuffix) #set ($message = $springMacroRequestContext.getMessage("idp.message", "An unidentified error occurred.")) + $response.setStatus(500) #end ## diff --git a/views/intercept/attribute-release.vm b/views/intercept/attribute-release.vm deleted file mode 100644 index c170b69..0000000 --- a/views/intercept/attribute-release.vm +++ /dev/null 
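Review bot: `$response.setStatus(500)` is applied to every event that reaches these two branches, so whatever `$eventId` denotes — including conditions the IdP attributes to the requester — the client is told it was a server error; if the view is meant to distinguish client-caused failures, the status should be chosen per event (for instance keep `500` in the catch-all `#else` branch and select it by `$eventKey` in the first). The `#if` chain these branches belong to starts before the hunk, so whether other branches already set a status is not visible here. One further caveat: `setStatus` only takes effect if the response has not been committed by the time the template renders — presumably the view resolver buffers output, but that is worth confirming.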
@@ -1,160 +0,0 @@ -## -## Velocity Template for DisplayAttributeReleasePage view-state -## -## Velocity context will contain the following properties : -## -## attributeReleaseContext - context holding consentable attributes -## attributeReleaseFlowDescriptor - attribute consent flow descriptor -## attributeDisplayNameFunction - function to display attribute name -## attributeDisplayDescriptionFunction - function to display attribute description -## consentContext - context representing the state of a consent flow -## encoder - HTMLEncoder class -## flowExecutionKey - SWF execution key (this is built into the flowExecutionUrl) -## flowExecutionUrl - form action location -## flowRequestContext - Spring Web Flow RequestContext -## profileRequestContext - OpenSAML profile request context -## request - HttpServletRequest -## response - HttpServletResponse -## rpUIContext - context with SP UI information from the metadata -## environment - Spring Environment object for property resolution -#set ($serviceName = $rpUIContext.serviceName) -#set ($serviceDescription = $rpUIContext.serviceDescription) -#set ($informationURL = $rpUIContext.informationURL) -#set ($privacyStatementURL = $rpUIContext.privacyStatementURL) -#set ($rpOrganizationLogo = $rpUIContext.getLogo()) -#set ($rpOrganizationName = $rpUIContext.organizationDisplayName) -#set ($replaceDollarWithNewline = true) -## - - - - - - - #springMessageText("idp.attribute-release.title", "Information Release") - - -
- #parse("csrf/csrf.vm") -
-
- - #if ($rpOrganizationLogo) - - #end -
- #if ($serviceName) -

- #springMessageText("idp.attribute-release.serviceNameLabel", "You are about to access the service:")
- $serviceName - #if ($rpOrganizationName) - #springMessageText("idp.attribute-release.of", "of") $encoder.encodeForHTML($rpOrganizationName) - #end -

- #end - #if ($serviceDescription) -

- #springMessageText("idp.attribute-release.serviceDescriptionLabel", "Description as provided by this service:")
- $encoder.encodeForHTML($serviceDescription) -
-

- #end - #if ($informationURL) -

- #springMessageText("idp.attribute-release.informationURLLabel", "Additional information about the service") -

- #end -
- - - - - - - - #foreach ($attribute in $attributeReleaseContext.getConsentableAttributes().values()) - - - - - - #end - -
- #springMessageText("idp.attribute-release.attributesHeader", "Information to be Provided to Service") -
$encoder.encodeForHTML($attributeDisplayNameFunction.apply($attribute)) - #foreach ($value in $attribute.values) - #if ($replaceDollarWithNewline) - #set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue()).replaceAll($encoder.encodeForHTML('$'),"
")) - #else - #set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue())) - #end - #if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled) - - #else - $encodedValue - #end -
- #end -
- #if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled) - #set ($inputType = "checkbox") - #else - #set ($inputType = "hidden") - #end - -
-
- #if ($privacyStatementURL) -

- #springMessageText("idp.attribute-release.privacyStatementURLLabel", "Data privacy information of the service") -

- #end -
-

- #springMessageText("idp.attribute-release.confirmationQuestion", "The information above would be shared with the service if you proceed. Do you agree to release this information to the service every time you access it?") -

- #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) -
- #springMessageText("idp.attribute-release.consentMethod", "Select an information release consent duration:") - #end - #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed) -

- - -

    -
  • #springMessageText("idp.attribute-release.doNotRememberConsentItem", "I agree to send my information this time.")
  • -
-

- #end - #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) -

- - -

    -
  • #springMessageText("idp.attribute-release.rememberConsentItem", "I agree that the same information will be sent automatically to this service in the future.")
  • -
-

- #end - #if ($attributeReleaseFlowDescriptor.globalConsentAllowed) -

- - -

    -
  • #springMessageText("idp.attribute-release.globalConsentItem", "I agree that all of my information will be released to any service.")
  • -
-

- #end - #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) - #springMessageText("idp.attribute-release.consentMethodRevoke", "This setting can be revoked at any time with the checkbox on the login page.") -
- #end -

- - -

-
-
-
- - diff --git a/views/intercept/expiring-password.vm b/views/intercept/expiring-password.vm deleted file mode 100644 index 4395844..0000000 --- a/views/intercept/expiring-password.vm +++ /dev/null @@ -1,54 +0,0 @@ -## -## Velocity Template for expiring password view -## -## Velocity context will contain the following properties -## flowExecutionUrl - the form action location -## flowRequestContext - the Spring Web Flow RequestContext -## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) -## profileRequestContext - root of context tree -## authenticationContext - context with authentication request information -## authenticationErrorContext - context with login error state -## authenticationWarningContext - context with login warning state -## ldapResponseContext - context with LDAP state (if using native LDAP) -## encoder - HTMLEncoder class -## request - HttpServletRequest -## response - HttpServletResponse -## environment - Spring Environment object for property resolution -## custom - arbitrary object injected by deployer -## - - - - - - #springMessageText("idp.title", "Web Login Service") - - - - - -
-
-
- #springMessageText( -

#springMessageText("idp.login.expiringSoon", "Your password will be expiring soon!")

-
- -
-

#springMessageText("idp.login.changePassword", "To create a new password now, go to") - #.

-

#springMessageText("idp.login.proceedBegin", "Your login will proceed in 20 seconds or you may click") - #springMessageText("idp.login.proceedHere", "here") - #springMessageText("idp.login.proceedEnd", "to continue").

-
-
- -
- -
- -
- - \ No newline at end of file diff --git a/views/intercept/impersonate.vm b/views/intercept/impersonate.vm deleted file mode 100644 index 37c486c..0000000 --- a/views/intercept/impersonate.vm +++ /dev/null @@ -1,90 +0,0 @@ -## -## Velocity Template for expiring password view -## -## Velocity context will contain the following properties -## flowExecutionUrl - the form action location -## flowRequestContext - the Spring Web Flow RequestContext -## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) -## profileRequestContext - root of context tree -## rpUIContext - the context with SP UI information from the metadata -## encoder - HTMLEncoder class -## request - HttpServletRequest -## response - HttpServletResponse -## environment - Spring Environment object for property resolution -## custom - arbitrary object injected by deployer -## -#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext')) - - - - - - #springMessageText("idp.title", "Web Login Service") - - - - -
-
-
- #springMessageText( -

#springMessageText("idp.impersonate.header", "Account Impersonation")

-
- -
- -
- #parse("csrf/csrf.vm") - #set ($serviceName = $rpUIContext.serviceName) - #if ($serviceName && !$rpContext.getRelyingPartyId().contains($serviceName)) - - $encoder.encodeForHTML($serviceName) - - #end - - - #springMessageText("idp.impersonate.text", "Enter an account name to impersonate to this service or continue normally.") - - -
- - - - - -
- -
- -
- -
- -
- -
- -
-
- -
- -
- -
- - \ No newline at end of file diff --git a/views/intercept/terms-of-use.vm b/views/intercept/terms-of-use.vm deleted file mode 100644 index 67b2c15..0000000 --- a/views/intercept/terms-of-use.vm +++ /dev/null @@ -1,69 +0,0 @@ -## -## Velocity Template for DisplayTermsOfUsePage view-state -## -## Velocity context will contain the following properties : -## -## encoder - HTMLEncoder class -## flowExecutionKey - SWF execution key (this is built into the flowExecutionUrl) -## flowExecutionUrl - form action location -## flowRequestContext - Spring Web Flow RequestContext -## request - HttpServletRequest -## response - HttpServletResponse -## rpUIContext - context with SP UI information from the metadata -## termsOfUseId - terms of use ID to lookup message strings -## environment - Spring Environment object for property resolution -#set ($serviceName = $rpUIContext.serviceName) -#set ($rpOrganizationLogo = $rpUIContext.getLogo()) -## - - - - - - - #springMessageText("${termsOfUseId}.title", "Terms of Use") - - -
-
- - #if ($rpOrganizationLogo) - - #end -
- #if ($rpOrganizationLogo) -
-

#springMessageText("${termsOfUseId}.title", "Terms of Use")

-
- #end -
- #springMessageText("${termsOfUseId}.text", "Terms of Use Text...") -
-
-
-
- #parse("csrf/csrf.vm") - -
-
-
-
- #parse("csrf/csrf.vm") - - - #if ($requireCheckbox) -

#springMessageText("idp.terms-of-use.required", "Please check this box if you want to proceed.")

- #end - -
-
-
-
-
- -
-
- - diff --git a/views/login.vm b/views/login.vm index 7609d40..c7b15c9 100644 --- a/views/login.vm +++ b/views/login.vm @@ -90,7 +90,7 @@ #end #foreach ($extFlow in $extendedAuthenticationFlows) - #if ($authenticationContext.isAcceptable($extFlow) and $extFlow.apply(profileRequestContext)) + #if ($authenticationContext.isAcceptable($extFlow) and $extFlow.test(profileRequestContext))