
initial commit of default config

pcaskey committed Oct 2, 2019
1 parent eabd17c commit 64e05e45ef12367420109e1580fba083859601ac
Showing with 1,391 additions and 516,357 deletions.
  1. +3 −1 README.md
  2. +1 −1 conf/access-control.xml
  3. +21 −0 conf/admin/general-admin.xml
  4. +69 −73 conf/attribute-filter.xml
  5. +0 −96 conf/attribute-resolver-default.xml
  6. +7 −8 conf/attribute-resolver-full.xml
  7. +7 −7 conf/attribute-resolver-ldap.xml
  8. +56 −249 conf/attribute-resolver.xml
  9. +2 −1 conf/audit.xml
  10. +7 −3 conf/authn/authn-events-flow.xml
  11. +5 −1 conf/authn/duo-authn-config.xml
  12. +24 −3 conf/authn/duo.properties
  13. +37 −0 conf/authn/function-authn-config.xml
  14. +2 −0 conf/authn/general-authn.xml
  15. +2 −2 conf/authn/krb5-authn-config.xml
  16. +9 −2 conf/authn/mfa-authn-config.xml
  17. +1 −1 conf/authn/password-authn-config.xml
  18. +1 −1 conf/authn/spnego-authn-config.xml
  19. +7 −3 conf/c14n/subject-c14n-events-flow.xml
  20. +1 −1 conf/c14n/subject-c14n.xml
  21. +30 −6 conf/cas-protocol.xml
  22. +3 −0 conf/credentials.xml
  23. +2 −0 conf/errors.xml
  24. +0 −1 conf/global.xml
  25. +47 −30 conf/idp.properties
  26. +5 −20 conf/intercept/consent-intercept-config.xml
  27. +22 −1 conf/intercept/context-check-intercept-config.xml
  28. +2 −8 conf/intercept/expiring-password-intercept-config.xml
  29. +8 −6 conf/{mvc-beans.xml → intercept/impersonate-intercept-config.xml}
  30. +6 −4 conf/intercept/intercept-events-flow.xml
  31. +3 −17 conf/intercept/profile-intercept.xml
  32. +20 −20 conf/ldap.properties
  33. +43 −53 conf/logback.xml
  34. +192 −0 conf/logback.xml.dist
  35. +192 −0 conf/logback.xml.tmp3
  36. +13 −18 conf/metadata-providers.xml
  37. +4 −6 conf/relying-party.xml
  38. +2 −0 conf/saml-nameid.properties
  39. +2 −0 conf/saml-nameid.xml
  40. +4 −4 conf/services.properties
  41. +4 −48 conf/services.xml
  42. +0 −16 conf/session-manager.xml
  43. +25 −0 credentials/idp-backchannel.crt
  44. BIN credentials/idp-backchannel.p12
  45. +25 −0 credentials/idp-encryption.crt
  46. +39 −0 credentials/idp-encryption.key
  47. +25 −0 credentials/idp-signing.crt
  48. +39 −0 credentials/idp-signing.key
  49. +0 −21 credentials/inc-md-cert.pem
  50. BIN credentials/sealer.jks
  51. +2 −1 credentials/sealer.kver
  52. BIN edit-webapp/WEB-INF/lib/jstl-1.2.jar
  53. +1 −1 edit-webapp/css/consent.css
  54. +3 −1 edit-webapp/css/main.css
  55. BIN edit-webapp/jstl-1.2.jar
  56. +0 −238 messages/messages.properties
  57. +158 −135 metadata/idp-metadata.xml
  58. +0 −515,249 metadata/localCopyFromInCommon.xml
  59. +96 −0 views/admin/unlock-keys.vm
  60. +1 −0 views/error.vm
  61. +1 −0 views/intercept/attribute-release.vm
  62. +90 −0 views/intercept/impersonate.vm
  63. +4 −0 views/login.vm
  64. +16 −0 views/logout.vm
@@ -2,12 +2,14 @@

## Purpose

This project contains the configuration tree (structure) for Shibboleth IDP. The are various usage scenarios throughout the build, test, deploy cycle that warrant this abstraction
This branch contains the default configuration tree (structure) for Shibboleth IDP. The are various usage scenarios throughout the build, test, deploy cycle that warrant this abstraction
of the configuration tree. There is a separate repository for the Docker Image which is responsible for building the runtime environment and pulling the configuration trees housed here
to complete a deployment.

### Configuration Trees

* `default` branch
* Comparison - (Default) branch/repo that is created by the Shibboleth IdP installer. It is used for comparing the other branches.
* `test` branch
* Internal Testing - (TEST) branch/repo that uses the "test bed" which is something that I2 provides (LDAP) and an element to make all integrations. Appropriate for Jenkins and testing environments
* `release` branch
@@ -30,7 +30,7 @@

<entry key="AccessByIPAddress">
<bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.17.0.0/24', '172.18.0.0/24', '10.255.0.0/16'} }" />
p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
</entry>

<!--
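Review bot: Whichever of the two `p:allowedRanges` lines is the new side (the rendered page drops the +/- markers), the `AccessByIPAddress` bean is the only gate on the admin flows this commit points at it in conf/admin/general-admin.xml (ResolverTest, MetadataQuery, Lockout), so the range list deserves a comment stating which deployment the non-loopback ranges belong to and that it must be narrowed per environment, e.g. `<!-- Non-loopback ranges: networks allowed to call the admin flows; review per deployment -->` above the bean. If the wider list is the committed default, every host in those networks can reach those flows with no further check.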
@@ -36,6 +36,18 @@
p:loggingId="%{idp.service.logging.resolvertest:ResolverTest}"
p:policyName="%{idp.resolvertest.accessPolicy:AccessByIPAddress}" />

<!-- Metadata Query -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/mdquery"
p:loggingId="MetadataQuery"
p:policyName="AccessByIPAddress" />

<!-- REST AccountLockoutManager Access -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/lockout-manager"
p:loggingId="Lockout"
p:policyName="AccessByIPAddress" />

<!-- REST StorageService Access -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/storage"
@@ -47,6 +59,15 @@
c:id="http://shibboleth.net/ns/profiles/metrics"
p:loggingId="Metrics"
p:policyNameLookupStrategy-ref="shibboleth.metrics.AccessPolicyStrategy" />

<!-- Attended Startup Unlock -->
<!--
<bean parent="shibboleth.OneTimeAdminFlow"
c:id="http://shibboleth.net/ns/profiles/unlock-keys"
p:loggingId="UnlockKeys"
p:authenticated="true"
p:policyName="AccessByAdminUser" />
-->

</util:list>
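Review bot: The new `lockout-manager` admin flow in the first hunk is enabled with only `p:policyName="AccessByIPAddress"` and no `p:authenticated="true"`, so any client on the permitted networks can use the REST AccountLockoutManager without a session; since the same IP policy also fronts the MetadataQuery flow and the Resolver test, consider `p:authenticated="true"` plus an admin-user policy for the lockout flow, as the commented-out unlock-keys bean in the second hunk already does with `AccessByAdminUser`. The Attended Startup Unlock block stays commented out while the diffstat shows this commit also adding `credentials/idp-signing.key`, `credentials/idp-encryption.key`, `credentials/idp-backchannel.p12` and `credentials/sealer.jks`; if that key material is not encrypted at rest, it should be supplied at deploy time rather than committed to the configuration tree. The enclosing `<util:list>` starts outside both hunks.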

@@ -4,97 +4,93 @@
example file is illustrative of some simple cases, it relies on the names of
non-existent example services and the example attributes demonstrated in the
default attribute-resolver.xml file.
Deployers should refer to the documentation for a complete list of components
and their options.
This example does contain some usable "general purpose" policies that may be
useful in conjunction with specific deployment choices, but those policies may
not be applicable to your specific needs or constraints.
-->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
xmlns="urn:mace:shibboleth:2.0:afp"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

<!-- EXAMPLES -->
<!-- Release some attributes to an SP. -->
<!--
<AttributeFilterPolicy id="example1">
<PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
Example rule relying on a locally applied tag in metadata to trigger attribute
release of some specific attributes. Add additional attributes as desired.
-->
<AttributeFilterPolicy id="Per-Attribute-singleValued">
<PolicyRequirementRule xsi:type="ANY" />

<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="eduPersonPrincipalName" />
</AttributeRule>

<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="mail" />
</AttributeRule>
</AttributeFilterPolicy>

<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<!--
Same as above but more efficient form for an attribute with multiple values.
-->
<AttributeFilterPolicy id="Per-Attribute-Affiliation">
<PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="eduPersonScopedAffiliation" />

<AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
</AttributeFilterPolicy>

<!--
Example rule for honoring Subject ID requirement tag in metadata.
The example supplies pairwise-id if subject-id isn't explicitly required.
-->
<AttributeFilterPolicy id="subject-identifiers">
<PolicyRequirementRule xsi:type="ANY" />

<AttributeRule attributeID="uid">
<PermitValueRule xsi:type="ANY" />
<AttributeRule attributeID="samlPairwiseID">
<PermitValueRule xsi:type="OR">
<Rule xsi:type="EntityAttributeExactMatch"
attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="pairwise-id" />
<Rule xsi:type="EntityAttributeExactMatch"
attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="any" />
</PermitValueRule>
</AttributeRule>

<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="ANY" />
<AttributeRule attributeID="samlSubjectID">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="subject-id" />
</AttributeRule>
</AttributeFilterPolicy>
-->
<!-- Release eduPersonAffiliation to two specific SPs. -->
<!--

<!-- Release an additional attribute to an SP. -->
<AttributeFilterPolicy id="example1">
<PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />

<AttributeRule attributeID="uid" permitAny="true" />
</AttributeFilterPolicy>

<!-- Release eduPersonScopedAffiliation to two specific SPs. -->
<AttributeFilterPolicy id="example2">
<PolicyRequirementRule xsi:type="OR">
<Rule xsi:type="Requester" value="https://sp.example.org" />
<Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
</PolicyRequirementRule>

<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
</AttributeFilterPolicy>
-->

<!-- Attribute release for all SPs (global) tagged as 'Research and Scholarship' -->
<AttributeFilterPolicy id="releaseRandSAttributeBundle">
<PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://refeds.org/category/research-and-scholarship"/>
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="surname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="displayName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>


<!-- Attribute release for all InCommon SPs -->
<AttributeFilterPolicy id="releaseToInCommon">
<PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="surname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="displayName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>


</AttributeFilterPolicyGroup>
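Review bot: The `releaseToInCommon` policy at the end of the hunk releases eduPersonPrincipalName, eduPersonScopedAffiliation, givenName, surname, displayName and mail to every entity carrying `http://id.incommon.org/category/registered-by-incommon`; that category marks registration with the federation rather than an attribute-handling commitment like the R&S category matched by `releaseRandSAttributeBundle` just above it, so if this policy is on the new side (the rendered page drops the markers) it effectively enables default release of identifying attributes federation-wide. Either narrow its `PolicyRequirementRule` so that an R&S or locally applied tag is also required, or add a comment above it recording that federation-wide release is intentional, e.g. `<!-- Releases identifying attributes to ALL InCommon-registered SPs; approved by <POLICY-OWNER placeholder> -->`. The `permitAny="true"` shorthand already used by the example policies would also replace the repeated `<PermitValueRule xsi:type="ANY" />` blocks in both release policies.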

This file was deleted.

@@ -284,14 +284,14 @@
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
<FilterTemplate>
<![CDATA[
%{idp.attribute.resolver.LDAP.searchFilter}
]]>
</FilterTemplate>
<ConnectionPool
<ConnectionPool
minPoolSize="%{idp.pool.LDAP.minSize:3}"
maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
@@ -306,15 +306,14 @@

<!--
<DataConnector id="computed" xsi:type="ComputedId"
generatedAttributeID="computedId"
salt="%{idp.persistentId.salt}"
algorithm="%{idp.persistentId.algorithm:SHA}"
generatedAttributeID="computedId"
salt="%{idp.persistentId.salt}"
algorithm="%{idp.persistentId.algorithm:SHA}"
encoding="%{idp.persistentId.encoding:BASE32}">
<InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" />
</DataConnector>
</DataConnector>
-->

</AttributeResolver>
