initial commit of default config

README.md

@@ -2,12 +2,14 @@
 
 ## Purpose
 
-This project contains the configuration tree (structure) for Shibboleth IDP.  The are various usage scenarios throughout the build, test, deploy cycle that warrant this abstraction
+This branch contains the default configuration tree (structure) for Shibboleth IDP.  The are various usage scenarios throughout the build, test, deploy cycle that warrant this abstraction
 of the configuration tree.  There is a separate repository for the Docker Image which is responsible for building the runtime environment and pulling the configuration trees housed here
 to complete a deployment.
 
 ### Configuration Trees
 
+  * `default` branch
+    * Comparison - (Default) branch/repo that is created by the Shibboleth IdP installer.  It is used for comparing the other branches.
   * `test` branch
     * Internal Testing - (TEST) branch/repo that uses the "test bed" which is something that I2 provides (LDAP) and an element to make all integrations.  Appropriate for Jenkins and testing environments
   * `release` branch

conf/access-control.xml

@@ -30,7 +30,7 @@
 
         <entry key="AccessByIPAddress">
             <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
-                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.17.0.0/24', '172.18.0.0/24', '10.255.0.0/16'} }" />
+                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
         </entry>
 
         <!--

conf/admin/general-admin.xml

@@ -36,6 +36,18 @@
             p:loggingId="%{idp.service.logging.resolvertest:ResolverTest}"
             p:policyName="%{idp.resolvertest.accessPolicy:AccessByIPAddress}" />
 
+        <!-- Metadata Query -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/mdquery"
+            p:loggingId="MetadataQuery"
+            p:policyName="AccessByIPAddress" />
+
+        <!-- REST AccountLockoutManager Access -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/lockout-manager"
+            p:loggingId="Lockout"
+            p:policyName="AccessByIPAddress" />
+
         <!-- REST StorageService Access -->
         <bean parent="shibboleth.AdminFlow"
             c:id="http://shibboleth.net/ns/profiles/storage"
@@ -47,6 +59,15 @@
             c:id="http://shibboleth.net/ns/profiles/metrics"
             p:loggingId="Metrics"
             p:policyNameLookupStrategy-ref="shibboleth.metrics.AccessPolicyStrategy" />
+
+        <!-- Attended Startup Unlock -->
+        <!--
+        <bean parent="shibboleth.OneTimeAdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/unlock-keys"
+            p:loggingId="UnlockKeys"
+            p:authenticated="true"
+            p:policyName="AccessByAdminUser" />
+        -->
 
     </util:list>
 

conf/attribute-filter.xml

@@ -4,97 +4,93 @@
     example file is illustrative of some simple cases, it relies on the names of
     non-existent example services and the example attributes demonstrated in the
     default attribute-resolver.xml file.
-    
-    Deployers should refer to the documentation for a complete list of components
-    and their options.
+
+    This example does contain some usable "general purpose" policies that may be
+    useful in conjunction with specific deployment choices, but those policies may
+    not be applicable to your specific needs or constraints.    
 -->
 <AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
         xmlns="urn:mace:shibboleth:2.0:afp"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
 
-    <!-- EXAMPLES -->
-    <!-- Release some attributes to an SP. -->
     <!--
-    <AttributeFilterPolicy id="example1">
-        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
+    Example rule relying on a locally applied tag in metadata to trigger attribute
+    release of some specific attributes. Add additional attributes as desired.
+    -->
+	<AttributeFilterPolicy id="Per-Attribute-singleValued">
+	    <PolicyRequirementRule xsi:type="ANY" />
+
+	    <AttributeRule attributeID="eduPersonPrincipalName">
+	        <PermitValueRule xsi:type="EntityAttributeExactMatch"
+	            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+	            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+	            attributeValue="eduPersonPrincipalName" />
+	    </AttributeRule>
+
+	    <AttributeRule attributeID="mail">
+	        <PermitValueRule xsi:type="EntityAttributeExactMatch"
+	            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+	            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+	            attributeValue="mail" />
+	    </AttributeRule>
+	</AttributeFilterPolicy>
 
-        <AttributeRule attributeID="eduPersonPrincipalName">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
+    <!--
+    Same as above but more efficient form for an attribute with multiple values.
+    -->
+    <AttributeFilterPolicy id="Per-Attribute-Affiliation">
+        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+            attributeValue="eduPersonScopedAffiliation" />
+
+        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
+    </AttributeFilterPolicy>
+
+    <!--
+    Example rule for honoring Subject ID requirement tag in metadata.
+    The example supplies pairwise-id if subject-id isn't explicitly required.
+    -->
+    <AttributeFilterPolicy id="subject-identifiers">
+        <PolicyRequirementRule xsi:type="ANY" />
 
-        <AttributeRule attributeID="uid">
-            <PermitValueRule xsi:type="ANY" />
+        <AttributeRule attributeID="samlPairwiseID">
+            <PermitValueRule xsi:type="OR">
+                <Rule xsi:type="EntityAttributeExactMatch"
+                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                    attributeValue="pairwise-id" />
+                <Rule xsi:type="EntityAttributeExactMatch"
+                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                    attributeValue="any" />
+            </PermitValueRule>
         </AttributeRule>
 
-        <AttributeRule attributeID="mail">
-            <PermitValueRule xsi:type="ANY" />
+        <AttributeRule attributeID="samlSubjectID">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+                attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                attributeValue="subject-id" />
         </AttributeRule>
     </AttributeFilterPolicy>
-	-->
-    <!-- Release eduPersonAffiliation to two specific SPs. -->
-    <!--
+
+    <!-- Release an additional attribute to an SP. -->
+    <AttributeFilterPolicy id="example1">
+        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
+
+        <AttributeRule attributeID="uid" permitAny="true" />
+    </AttributeFilterPolicy>
+
+    <!-- Release eduPersonScopedAffiliation to two specific SPs. -->
     <AttributeFilterPolicy id="example2">
         <PolicyRequirementRule xsi:type="OR">
             <Rule xsi:type="Requester" value="https://sp.example.org" />
             <Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
         </PolicyRequirementRule>
 
-        <AttributeRule attributeID="eduPersonScopedAffiliation">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
+        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
     </AttributeFilterPolicy>
-	-->
-
-    <!-- Attribute release for all SPs (global) tagged as 'Research and Scholarship' -->
-    <AttributeFilterPolicy id="releaseRandSAttributeBundle">
-        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
-			attributeName="http://macedir.org/entity-category"
-			attributeValue="http://refeds.org/category/research-and-scholarship"/>
-        <AttributeRule attributeID="eduPersonPrincipalName">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="eduPersonScopedAffiliation">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="givenName">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="surname">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="displayName">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="mail">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-    </AttributeFilterPolicy>
-
-
-    <!-- Attribute release for all InCommon SPs -->
-    <AttributeFilterPolicy id="releaseToInCommon">	
-        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
-			attributeName="http://macedir.org/entity-category"
-			attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
-        <AttributeRule attributeID="eduPersonPrincipalName">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="eduPersonScopedAffiliation">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="givenName">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="surname">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="displayName">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="mail">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-    </AttributeFilterPolicy>
-
+
 </AttributeFilterPolicyGroup>

conf/attribute-resolver-full.xml

@@ -284,14 +284,14 @@
         principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
         useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
         connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
-                trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
+		trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
         responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
         <FilterTemplate>
             <![CDATA[
                 %{idp.attribute.resolver.LDAP.searchFilter}
             ]]>
         </FilterTemplate>
-            <ConnectionPool
+	    <ConnectionPool
             minPoolSize="%{idp.pool.LDAP.minSize:3}"
             maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
             blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
@@ -306,15 +306,14 @@
 
 <!-- 
     <DataConnector id="computed" xsi:type="ComputedId"
-            generatedAttributeID="computedId"
-            salt="%{idp.persistentId.salt}"
-            algorithm="%{idp.persistentId.algorithm:SHA}"
+	    generatedAttributeID="computedId"
+	    salt="%{idp.persistentId.salt}"
+	    algorithm="%{idp.persistentId.algorithm:SHA}"
         encoding="%{idp.persistentId.encoding:BASE32}">
-            
+	    
         <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" />
         
-        </DataConnector>
+	</DataConnector>
 -->
 
 </AttributeResolver>
-