diff --git a/LICENSE.txt b/LICENSE.txt new file mode 100644 index 0000000..261eeb9 --- /dev/null +++ b/LICENSE.txt 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/conf/access-control.xml b/conf/access-control.xml new file mode 100644 index 0000000..9b23ad7 --- /dev/null +++ b/conf/access-control.xml @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + diff --git a/conf/attribute-filter.xml b/conf/attribute-filter.xml new file mode 100644 index 0000000..f8c41ba --- /dev/null +++ b/conf/attribute-filter.xml @@ -0,0 +1,45 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/attribute-resolver-full.xml b/conf/attribute-resolver-full.xml new file mode 100644 index 0000000..d09a1ea --- /dev/null +++ b/conf/attribute-resolver-full.xml @@ -0,0 +1,295 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/attribute-resolver-ldap.xml b/conf/attribute-resolver-ldap.xml new file mode 100644 index 0000000..9ac44d3 
--- /dev/null +++ b/conf/attribute-resolver-ldap.xml @@ -0,0 +1,97 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + %{idp.attribute.resolver.LDAP.returnAttributes} + + %{idp.attribute.resolver.LDAP.trustCertificates} + + + + diff --git a/conf/attribute-resolver.xml b/conf/attribute-resolver.xml new file mode 100644 index 0000000..52b475a --- /dev/null +++ b/conf/attribute-resolver.xml @@ -0,0 +1,95 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + uid + + + + + + + + + + + + + + + + + member + + + + diff --git a/conf/audit.xml b/conf/audit.xml new file mode 100644 index 0000000..9940cec --- /dev/null +++ b/conf/audit.xml @@ -0,0 +1,103 @@ + + + + + + + + + + + http://shibboleth.net/ns/profiles/status + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/authn/authn-comparison.xml b/conf/authn/authn-comparison.xml new file mode 100644 index 0000000..f167b7a --- /dev/null +++ b/conf/authn/authn-comparison.xml @@ -0,0 +1,77 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified + + + diff --git a/conf/authn/authn-events-flow.xml b/conf/authn/authn-events-flow.xml new file mode 100644 index 0000000..244e1db --- /dev/null +++ b/conf/authn/authn-events-flow.xml @@ -0,0 +1,18 @@ + + + + + + + + + + diff --git a/conf/authn/external-authn-config.xml b/conf/authn/external-authn-config.xml new file mode 100644 index 0000000..4ce8f26 --- /dev/null +++ b/conf/authn/external-authn-config.xml @@ -0,0 +1,62 @@ + + + + + + + + + + + + + + + + + UnknownUsername + + + + + InvalidPassword + + + + + ExpiredPassword + + + + + ExpiringPassword + + + + + diff --git a/conf/authn/general-authn.xml b/conf/authn/general-authn.xml new file mode 100644 index 0000000..f127a13 --- /dev/null +++ b/conf/authn/general-authn.xml 
@@ -0,0 +1,114 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + + + + diff --git a/conf/authn/ipaddress-authn-config.xml b/conf/authn/ipaddress-authn-config.xml new file mode 100644 index 0000000..a3ee096 --- /dev/null +++ b/conf/authn/ipaddress-authn-config.xml @@ -0,0 +1,37 @@ + + + + + + + + + + + + + + + diff --git a/conf/authn/jaas-authn-config.xml b/conf/authn/jaas-authn-config.xml new file mode 100644 index 0000000..daef4d2 --- /dev/null +++ b/conf/authn/jaas-authn-config.xml @@ -0,0 +1,27 @@ + + + + + + + + + + + ShibUserPassAuth + + + + + diff --git a/conf/authn/jaas.config b/conf/authn/jaas.config new file mode 100644 index 0000000..232e93d --- /dev/null +++ b/conf/authn/jaas.config @@ -0,0 +1,11 @@ +ShibUserPassAuth { + /* + com.sun.security.auth.module.Krb5LoginModule required; + */ + + org.ldaptive.jaas.LdapLoginModule required + ldapUrl="ldap://localhost:10389" + baseDn="ou=people,dc=example,dc=org" + userFilter="uid={user}"; + +}; \ No newline at end of file diff --git a/conf/authn/krb5-authn-config.xml b/conf/authn/krb5-authn-config.xml new file mode 100644 index 0000000..d3590a2 --- /dev/null +++ b/conf/authn/krb5-authn-config.xml @@ -0,0 +1,31 @@ + + + + + + + + + + + + + diff --git a/conf/authn/ldap-authn-config.xml b/conf/authn/ldap-authn-config.xml new file mode 100644 index 0000000..5626629 --- /dev/null +++ b/conf/authn/ldap-authn-config.xml @@ -0,0 +1,130 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/authn/password-authn-config.xml b/conf/authn/password-authn-config.xml new file mode 100644 index 0000000..be8b06f --- /dev/null +++ b/conf/authn/password-authn-config.xml 
@@ -0,0 +1,109 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + NoCredentials + CLIENT_NOT_FOUND + Client not found + DN_RESOLUTION_FAILURE + + + + + InvalidCredentials + PREAUTH_FAILED + INVALID_CREDENTIALS + + + + + Clients credentials have been revoked + + + + + PASSWORD_EXPIRED + + + + + ACCOUNT_WARNING + + + + + + + + diff --git a/conf/authn/remoteuser-authn-config.xml b/conf/authn/remoteuser-authn-config.xml new file mode 100644 index 0000000..b5a923f --- /dev/null +++ b/conf/authn/remoteuser-authn-config.xml @@ -0,0 +1,67 @@ + + + + + + + + + + + + + + + + + NoCredentials + + + + + UnknownUsername + + + + + InvalidPassword + + + + + ExpiredPassword + + + + + ExpiringPassword + + + + + diff --git a/conf/authn/remoteuser-internal-authn-config.xml b/conf/authn/remoteuser-internal-authn-config.xml new file mode 100644 index 0000000..9e68c85 --- /dev/null +++ b/conf/authn/remoteuser-internal-authn-config.xml @@ -0,0 +1,63 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/authn/spnego-authn-config.xml b/conf/authn/spnego-authn-config.xml new file mode 100644 index 0000000..404d7e9 --- /dev/null +++ b/conf/authn/spnego-authn-config.xml @@ -0,0 +1,69 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + SPNEGONotAvailable + + + + + NTLMUnsupported + + + + + diff --git a/conf/authn/x509-authn-config.xml b/conf/authn/x509-authn-config.xml new file mode 100644 index 0000000..0e54f45 --- /dev/null +++ b/conf/authn/x509-authn-config.xml @@ -0,0 +1,41 @@ + + + + + + + + + + + + + + NoCredentials + InvalidCredentials + + + + + diff --git a/conf/authn/x509-internal-authn-config.xml b/conf/authn/x509-internal-authn-config.xml new file mode 100644 index 0000000..bad3029 --- /dev/null +++ b/conf/authn/x509-internal-authn-config.xml @@ -0,0 +1,21 @@ + + + + + + 
diff --git a/conf/c14n/attribute-sourced-subject-c14n-config.xml b/conf/c14n/attribute-sourced-subject-c14n-config.xml new file mode 100644 index 0000000..938b30f --- /dev/null +++ b/conf/c14n/attribute-sourced-subject-c14n-config.xml @@ -0,0 +1,44 @@ + + + + + + altuid + + + + + altuid + + + + + + + + + + + + + diff --git a/conf/c14n/simple-subject-c14n-config.xml b/conf/c14n/simple-subject-c14n-config.xml new file mode 100644 index 0000000..3cddfa6 --- /dev/null +++ b/conf/c14n/simple-subject-c14n-config.xml @@ -0,0 +1,27 @@ + + + + + + + + + + + + + + diff --git a/conf/c14n/subject-c14n-events-flow.xml b/conf/c14n/subject-c14n-events-flow.xml new file mode 100644 index 0000000..d7458cd --- /dev/null +++ b/conf/c14n/subject-c14n-events-flow.xml @@ -0,0 +1,18 @@ + + + + + + + + + + diff --git a/conf/c14n/subject-c14n.xml b/conf/c14n/subject-c14n.xml new file mode 100644 index 0000000..16fc6f1 --- /dev/null +++ b/conf/c14n/subject-c14n.xml @@ -0,0 +1,109 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName + urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName + urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos + + + + + + + + + + + + + + + + + diff --git a/conf/c14n/x500-subject-c14n-config.xml b/conf/c14n/x500-subject-c14n-config.xml new file mode 100644 index 0000000..1ae25e4 --- /dev/null +++ b/conf/c14n/x500-subject-c14n-config.xml @@ -0,0 +1,37 @@ + + + + + + + + + + + 2.5.4.3 + + + + + + + + + + + + + diff --git a/conf/cas-protocol.xml b/conf/cas-protocol.xml new file mode 100644 index 0000000..09a05ef --- /dev/null +++ b/conf/cas-protocol.xml @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/conf/credentials.xml b/conf/credentials.xml new file mode 100644 index 0000000..7462879 --- /dev/null 
+++ b/conf/credentials.xml @@ -0,0 +1,65 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/errors.xml b/conf/errors.xml new file mode 100644 index 0000000..5de522f --- /dev/null +++ b/conf/errors.xml @@ -0,0 +1,120 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/global.xml b/conf/global.xml new file mode 100644 index 0000000..60562e3 --- /dev/null +++ b/conf/global.xml @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + + diff --git a/conf/idp.properties b/conf/idp.properties new file mode 100644 index 0000000..a31bd7e --- /dev/null +++ b/conf/idp.properties 
@@ -0,0 +1,194 @@ +# Load any additional property resources from a comma-delimited list +idp.additionalProperties = /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties + +# Set the entityID of the IdP +idp.entityID = https://idp.example.org + +# Set the scope used in the attribute resolver for scoped attributes +idp.scope = example.org + +# General cookie properties (maxAge only applies to persistent cookies) +#idp.cookie.secure = false +#idp.cookie.httpOnly = true +#idp.cookie.domain = +#idp.cookie.path = +#idp.cookie.maxAge = 31536000 + +# Set the location of user-supplied web flow definitions +#idp.webflows = %{idp.home}/flows + +# Set the location of Velocity view templates +#idp.views = %{idp.home}/views + +# Settings for internal AES encryption key +#idp.sealer.storeType = JCEKS +#idp.sealer.updateInterval = PT15M +#idp.sealer.aliasBase = secret +idp.sealer.storeResource = %{idp.home}/credentials/sealer.jks +idp.sealer.versionResource = %{idp.home}/credentials/sealer.kver +idp.sealer.storePassword = password +idp.sealer.keyPassword = password + +# Settings for public/private signing and encryption key(s) +# During decryption key rollover, point the ".2" properties at a second +# keypair, uncomment in credentials.xml, then publish it in your metadata. 
+idp.signing.key = %{idp.home}/credentials/idp-signing.key +idp.signing.cert = %{idp.home}/credentials/idp-signing.crt +idp.encryption.key = %{idp.home}/credentials/idp-encryption.key +idp.encryption.cert = %{idp.home}/credentials/idp-encryption.crt +#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key +#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt + +# Sets the bean ID to use as a default security configuration set +#idp.security.config = shibboleth.DefaultSecurityConfiguration + +# To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1 +#idp.signing.config = shibboleth.SigningConfiguration.SHA256 + +# Configures trust evaluation of keys used by services at runtime +# Defaults to supporting both explicit key and PKIX using SAML metadata. +#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine +# To pick only one set to one of: +# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine +#idp.trust.certificates = shibboleth.ChainingX509TrustEngine +# To pick only one set to one of: +# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine + +# If true, encryption will happen whenever a key to use can be located, but +# failure to encrypt won't result in request failure. 
+#idp.encryption.optional = false + +# Configuration of client- and server-side storage plugins +#idp.storage.cleanupInterval = PT10M +#idp.storage.htmlLocalStorage = false + +# Set to true to expose more detailed errors in responses to SPs +#idp.errors.detailed = false +# Set to false to skip signing of SAML response messages that signal errors +#idp.errors.signed = true +# Name of bean containing a list of Java exception classes to ignore +#idp.errors.excludedExceptions = ExceptionClassListBean +# Name of bean containing a property set mapping exception names to views +#idp.errors.exceptionMappings = ExceptionToViewPropertyBean +# Set if a different default view name for events and exceptions is needed +#idp.errors.defaultView = error + +# Set to false to disable the IdP session layer +#idp.session.enabled = true + +# Set to "shibboleth.StorageService" for server-side storage of user sessions +#idp.session.StorageService = shibboleth.ClientSessionStorageService + +# Size of session IDs +#idp.session.idSize = 32 +# Bind sessions to IP addresses +#idp.session.consistentAddress = true +# Inactivity timeout +#idp.session.timeout = PT60M +# Extra time to store sessions for logout +#idp.session.slop = PT0S +# Tolerate storage-related errors +#idp.session.maskStorageFailure = false +# Track information about SPs logged into +#idp.session.trackSPSessions = false +# Support lookup by SP for SAML logout +#idp.session.secondaryServiceIndex = false +# Length of time to track SP sessions +#idp.session.defaultSPlifetime = PT2H + +# Regular expression matching login flows to enable, e.g. IPAddress|Password +idp.authn.flows = Password + +# Regular expression of forced "initial" methods when no session exists, +# usually in conjunction with the idp.authn.resolveAttribute property below. +#idp.authn.flows.initial = Password + +# Set to an attribute ID to resolve prior to selecting authentication flows; +# its values are used to filter the flows to allow. 
+#idp.authn.resolveAttribute = eduPersonAssurance + +# Default lifetime and timeout of various authentication methods +#idp.authn.defaultLifetime = PT60M +#idp.authn.defaultTimeout = PT30M + +# Whether to prioritize "active" results when an SP requests more than +# one possible matching login method (V2 behavior was to favor them) +#idp.authn.favorSSO = true + +# Whether to fail requests when a user identity after authentication +# doesn't match the identity in a pre-existing session. +#idp.authn.identitySwitchIsError = false + +# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent +#idp.consent.StorageService = shibboleth.ClientPersistentStorageService + +# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute +# to key user consent storage records (and set the attribute name) +#idp.consent.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey +#idp.consent.userStorageKeyAttribute = uid + +# Flags controlling how built-in attribute consent feature operates +#idp.consent.allowDoNotRemember = true +#idp.consent.allowGlobal = true +#idp.consent.allowPerAttribute = false + +# Whether attribute values and terms of use text are compared +#idp.consent.compareValues = false +# Maximum number of consent records for space-limited storage (e.g. cookies) +#idp.consent.maxStoredRecords = 10 +# Maximum number of consent records for larger/server-side storage (0 = no limit) +#idp.consent.expandedMaxStoredRecords = 0 + +# Time in milliseconds to expire consent storage records. +#idp.consent.storageRecordLifetime = P1Y + +# Whether to lookup metadata, etc. for every SP involved in a logout +# for use by user interface logic; adds overhead so off by default. +#idp.logout.elaboration = false + +# Whether to require logout requests be signed/authenticated. 
+#idp.logout.authenticated = true + +# Message freshness and replay cache tuning +#idp.policy.messageLifetime = PT3M +#idp.policy.clockSkew = PT3M + +# Set to custom bean for alternate storage of replay cache +#idp.replayCache.StorageService = shibboleth.StorageService + +# Toggles whether to allow outbound messages via SAML artifact +#idp.artifact.enabled = true +# Suppresses typical signing/encryption when artifact binding used +#idp.artifact.secureChannel = true +# May differ to direct SAML 2 artifact lookups to specific server nodes +#idp.artifact.endpointIndex = 2 +# Set to custom bean for alternate storage of artifact map state +#idp.artifact.StorageService = shibboleth.StorageService + +# Name of access control policy for various admin flows +idp.status.accessPolicy = AccessByIPAddress +idp.resolvertest.accessPolicy = AccessByIPAddress +idp.reload.accessPolicy = AccessByIPAddress + +# Comma-delimited languages to use if not match can be found with the +# browser-supported languages, defaults to an empty list. +idp.ui.fallbackLanguages=en,fr,de + +# Storage service used by CAS protocol +# Defaults to shibboleth.StorageService (in-memory) +# MUST be server-side storage (e.g. in-memory, memcached, database) +# NOTE that idp.session.StorageService requires server-side storage +# when CAS protocol is enabled +#idp.cas.StorageService=shibboleth.StorageService + +# CAS service registry implementation class +#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry + +# Profile flows in which the ProfileRequestContext should be exposed +# in servlet request under the key "opensamlProfileRequestContext" +#idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO + +# F-TICKS auditing - set salt to include hashed username +#idp.fticks.federation=MyFederation +#idp.fticks.algorithm=SHA-256 +#idp.fticks.salt=somethingsecret \ No newline at end of file 
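Review bot: `idp.sealer.storePassword = password` and `idp.sealer.keyPassword = password` in conf/idp.properties are committed as literals. That keystore holds the internal AES key the IdP seals client-side sessions with (`idp.session.StorageService` defaults to `shibboleth.ClientSessionStorageService`, i.e. cookies), so both values should be generated per deployment and supplied from an untracked properties file or at build time rather than live in the repository; the same goes for `idp.fticks.salt` if it is ever uncommented. Also confirm the intended value of `#idp.cookie.secure = false`: an IdP served only over HTTPS should set it to true so session cookies are never sent in clear.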
diff --git a/conf/intercept/consent-intercept-config.xml b/conf/intercept/consent-intercept-config.xml new file mode 100644 index 0000000..ca183a7 --- /dev/null +++ b/conf/intercept/consent-intercept-config.xml @@ -0,0 +1,136 @@ + + + + + + + + + + + + + + + + + + + + + transientId + persistentId + eduPersonTargetedID + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/conf/intercept/context-check-intercept-config.xml b/conf/intercept/context-check-intercept-config.xml new file mode 100644 index 0000000..809f1d4 --- /dev/null +++ b/conf/intercept/context-check-intercept-config.xml @@ -0,0 +1,42 @@ + + + + + + + + + + + + + + * + + + + + + + + + + \ No newline at end of file diff --git a/conf/intercept/intercept-events-flow.xml b/conf/intercept/intercept-events-flow.xml new file mode 100644 index 0000000..5cb30d5 --- /dev/null +++ b/conf/intercept/intercept-events-flow.xml @@ -0,0 +1,18 @@ + + + + + + + + + + diff --git a/conf/intercept/profile-intercept.xml b/conf/intercept/profile-intercept.xml new file mode 100644 index 0000000..fedc2b2 --- /dev/null +++ b/conf/intercept/profile-intercept.xml @@ -0,0 +1,36 @@ + + + + + + + + + + + + + + + + + + diff --git a/conf/ldap.properties b/conf/ldap.properties new file mode 100644 index 0000000..2d2aef2 --- /dev/null +++ b/conf/ldap.properties 
@@ -0,0 +1,60 @@ +# LDAP authentication configuration, see authn/ldap-authn-config.xml +# Note, this doesn't apply to the use of JAAS + +## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator +#idp.authn.LDAP.authenticator = anonSearchAuthenticator + +## Connection properties ## +idp.authn.LDAP.ldapURL = ldap://localhost:10389 +#idp.authn.LDAP.useStartTLS = true +#idp.authn.LDAP.useSSL = false +#idp.authn.LDAP.connectTimeout = 3000 + +## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust +#idp.authn.LDAP.sslConfig = certificateTrust +## If using certificateTrust above, set to the trusted certificate's path +idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt +## If using keyStoreTrust above, set to the truststore path +idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore + +## Return attributes during authentication +## NOTE: there is a separate property used for attribute resolution +idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining + +## DN resolution properties ## + +# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator +# for AD: CN=Users,DC=example,DC=org +idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org +#idp.authn.LDAP.subtreeSearch = false +idp.authn.LDAP.userFilter = (uid={user}) +# bind search configuration +# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com +idp.authn.LDAP.bindDN = uid=myservice,ou=system +idp.authn.LDAP.bindDNCredential = myServicePassword + +# Format DN resolution, used by directAuthenticator, adAuthenticator +# for AD use idp.authn.LDAP.dnFormat=%s@domain.com +idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=org + +# LDAP attribute configuration, see attribute-resolver.xml +# Note, this likely won't apply to the use of legacy V2 resolver configurations +idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL} 
+idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined} +idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN:undefined} +idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined} +idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true} +idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined} +idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal) +idp.attribute.resolver.LDAP.returnAttributes = cn,homephone,mail + +# LDAP pool configuration, used for both authn and DN resolution +#idp.pool.LDAP.minSize = 3 +#idp.pool.LDAP.maxSize = 10 +#idp.pool.LDAP.validateOnCheckout = false +#idp.pool.LDAP.validatePeriodically = true +#idp.pool.LDAP.validatePeriod = 300 +#idp.pool.LDAP.prunePeriod = 300 +#idp.pool.LDAP.idleTime = 600 +#idp.pool.LDAP.blockWaitTime = 3000 +#idp.pool.LDAP.failFastInitialize = false diff --git a/conf/logback.xml b/conf/logback.xml new file mode 100644 index 0000000..2582d1c --- /dev/null +++ b/conf/logback.xml 
@@ -0,0 +1,166 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ${idp.logfiles}/idp-process.log + + + ${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short} + + + + + + 0 + + + + + + WARN + + + ${idp.logfiles}/idp-warn.log + + + ${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short} + + + + + + ${idp.logfiles}/idp-audit.log + + + ${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %msg%n + + + + + + ${idp.logfiles}/idp-consent-audit.log + + + ${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %msg%n + + + + + + ${idp.fticks.loghost:-localhost} + ${idp.fticks.logport:-514} + AUTH + [%thread] %logger %msg + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/conf/metadata-providers.xml b/conf/metadata-providers.xml new file mode 100644 index 0000000..49fd53c --- /dev/null +++ b/conf/metadata-providers.xml @@ -0,0 +1,72 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/mvc-beans.xml b/conf/mvc-beans.xml new file mode 100644 index 0000000..98d9bcd --- /dev/null +++ b/conf/mvc-beans.xml @@ -0,0 +1,23 @@ + + + + + + diff --git a/conf/relying-party.xml b/conf/relying-party.xml new file mode 100644 index 0000000..28c9193 --- /dev/null +++ b/conf/relying-party.xml @@ -0,0 +1,70 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/saml-nameid.properties b/conf/saml-nameid.properties new file mode 100644 index 0000000..8530c4f --- /dev/null +++ b/conf/saml-nameid.properties 
@@ -0,0 +1,35 @@ +# Properties involving SAML NameIdentifier/NameID generation/consumption + +# For the most part these settings only deal with "transient" and "persistent" +# identifiers. See saml-nameid.xml and c14n/subject-c14n.xml for advanced +# settings + +# Comment out to disable legacy NameID generation via Attribute Resolver +#idp.nameid.saml2.legacyGenerator = shibboleth.LegacySAML2NameIDGenerator +#idp.nameid.saml1.legacyGenerator = shibboleth.LegacySAML1NameIdentifierGenerator + +# Default NameID Formats to use when nothing else is called for. +# Don't change these just to change the Format used for a single SP! +#idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient +#idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier + +# Set to shibboleth.StoredTransientIdGenerator for server-side transient ID storage +#idp.transientId.generator = shibboleth.CryptoTransientIdGenerator + +# Persistent IDs can be computed on the fly with a hash, or managed in a database + +# For computed IDs, set a source attribute and a secret salt: +#idp.persistentId.sourceAttribute = changethistosomethingreal +#idp.persistentId.useUnfilteredAttributes = true +# Do *NOT* share the salt with other people, it's like divulging your private key. +#idp.persistentId.algorithm = SHA +#idp.persistentId.salt = changethistosomethingrandom + +# To use a database, use shibboleth.StoredPersistentIdGenerator +#idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator +# For basic use, set this to a JDBC DataSource bean name: +#idp.persistentId.dataSource = PersistentIdDataSource +# For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore +#idp.persistentId.store = MyPersistentIdStore +# Set to an empty property to skip hash-based generation of first stored ID +#idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator 
diff --git a/conf/saml-nameid.xml b/conf/saml-nameid.xml new file mode 100644 index 0000000..ea97448 --- /dev/null +++ b/conf/saml-nameid.xml @@ -0,0 +1,62 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/services.properties b/conf/services.properties new file mode 100644 index 0000000..116625a --- /dev/null +++ b/conf/services.properties 
@@ -0,0 +1,61 @@ +# Configure the resources to load for various services, +# and the settings for failure handling and auto-reload. + +# failFast=true prevents IdP startup if a configuration is bad +# checkInterval = PT0S means never reload (this is the default) + +# Global default for fail-fast behavior of most subsystems +# with individual override possible below. +#idp.service.failFast = false + +#idp.service.logging.resource = %{idp.home}/conf/logback.xml +#idp.service.logging.failFast = true +idp.service.logging.checkInterval = PT5M + +# Set to shibboleth.LegacyRelyingPartyResolverResources with legacy V2 relying-party.xml +#idp.service.relyingparty.resources = shibboleth.RelyingPartyResolverResources +#idp.service.relyingparty.failFast = false +idp.service.relyingparty.checkInterval = PT15M + +#idp.service.metadata.resources = shibboleth.MetadataResolverResources +#idp.service.metadata.failFast = false +#idp.service.metadata.checkInterval = PT0S + +#idp.service.attribute.resolver.resources = shibboleth.AttributeResolverResources +#idp.service.attribute.resolver.failFast = false +idp.service.attribute.resolver.checkInterval = PT15M +#idp.service.attribute.resolver.maskFailures = true + +#idp.service.attribute.filter.resources = shibboleth.AttributeFilterResources +# NOTE: Failing the filter fast leaves no filters enabled. 
+#idp.service.attribute.filter.failFast = false +idp.service.attribute.filter.checkInterval = PT15M +#idp.service.attribute.filter.maskFailures = true + +#idp.service.nameidGeneration.resources = shibboleth.NameIdentifierGenerationResources +#idp.service.nameidGeneration.failFast = false +idp.service.nameidGeneration.checkInterval = PT15M + +#idp.service.access.resources = shibboleth.AccessControlResources +#idp.service.access.failFast = true +idp.service.access.checkInterval = PT5M + +#idp.service.cas.registry.resources = shibboleth.CASServiceRegistryResources +#idp.service.cas.registry.failFast = false +idp.service.cas.registry.checkInterval = PT15M + +#idp.message.resources = shibboleth.MessageSourceResources +#idp.message.cacheSeconds = 300 + +# Parameters for pre-defined HttpClient instances which perform in-memory and filesystem caching. +# These are used with components such as remote configuration resources that are explicitly wired +# with these client instances, *not* by default with HTTP metadata resolvers. +#idp.httpclient.useTrustEngineTLSSocketFactory = false +#idp.httpclient.useSecurityEnhancedTLSSocketFactory = false +#idp.httpclient.connectionDisregardTLSCertificate = false +#idp.httpclient.connectionTimeout = -1 +#idp.httpclient.memorycaching.maxCacheEntries = 50 +#idp.httpclient.memorycaching.maxCacheEntrySize = 1048576 +#idp.httpclient.filecaching.maxCacheEntries = 100 +#idp.httpclient.filecaching.maxCacheEntrySize = 10485760 +idp.httpclient.filecaching.cacheDirectory = %{idp.home}/tmp/httpClientCache \ No newline at end of file diff --git a/conf/services.xml b/conf/services.xml new file mode 100644 index 0000000..d22fff9 --- /dev/null +++ b/conf/services.xml 
@@ -0,0 +1,145 @@ + + + + + + + + + + + %{idp.home}/conf/relying-party.xml + %{idp.home}/conf/credentials.xml + %{idp.home}/system/conf/relying-party-system.xml + + + + + %{idp.home}/conf/relying-party.xml + %{idp.home}/system/conf/legacy-relying-party-defaults.xml + + + + %{idp.home}/conf/metadata-providers.xml + %{idp.home}/system/conf/metadata-providers-system.xml + + + + %{idp.home}/conf/attribute-resolver.xml + + + + %{idp.home}/conf/attribute-filter.xml + + + + %{idp.home}/conf/saml-nameid.xml + %{idp.home}/system/conf/saml-nameid-system.xml + + + + %{idp.home}/conf/access-control.xml + %{idp.home}/system/conf/access-control-system.xml + + + + %{idp.home}/conf/cas-protocol.xml + + + + + %{idp.home}/messages/authn-messages + %{idp.home}/messages/consent-messages + %{idp.home}/messages/error-messages + + + diff --git a/conf/session-manager.xml b/conf/session-manager.xml new file mode 100644 index 0000000..f195014 --- /dev/null +++ b/conf/session-manager.xml @@ -0,0 +1,45 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dist/conf/access-control.xml.dist b/dist/conf/access-control.xml.dist new file mode 100644 index 0000000..9b23ad7 --- /dev/null +++ b/dist/conf/access-control.xml.dist @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + diff --git a/dist/conf/attribute-filter.xml.dist b/dist/conf/attribute-filter.xml.dist new file mode 100644 index 0000000..f8c41ba --- /dev/null +++ b/dist/conf/attribute-filter.xml.dist @@ -0,0 +1,45 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dist/conf/attribute-resolver-full.xml.dist b/dist/conf/attribute-resolver-full.xml.dist new file mode 100644 index 0000000..d09a1ea --- /dev/null +++ b/dist/conf/attribute-resolver-full.xml.dist @@ -0,0 +1,295 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dist/conf/attribute-resolver-ldap.xml.dist b/dist/conf/attribute-resolver-ldap.xml.dist new file mode 100644 index 0000000..9ac44d3 
--- /dev/null +++ b/dist/conf/attribute-resolver-ldap.xml.dist @@ -0,0 +1,97 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + %{idp.attribute.resolver.LDAP.returnAttributes} + + %{idp.attribute.resolver.LDAP.trustCertificates} + + + + diff --git a/dist/conf/attribute-resolver.xml.dist b/dist/conf/attribute-resolver.xml.dist new file mode 100644 index 0000000..52b475a --- /dev/null +++ b/dist/conf/attribute-resolver.xml.dist @@ -0,0 +1,95 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + uid + + + + + + + + + + + + + + + + + member + + + + diff --git a/dist/conf/audit.xml.dist b/dist/conf/audit.xml.dist new file mode 100644 index 0000000..9940cec --- /dev/null +++ b/dist/conf/audit.xml.dist @@ -0,0 +1,103 @@ + + + + + + + + + + + http://shibboleth.net/ns/profiles/status + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dist/conf/authn/authn-comparison.xml.dist b/dist/conf/authn/authn-comparison.xml.dist new file mode 100644 index 0000000..f167b7a --- /dev/null +++ b/dist/conf/authn/authn-comparison.xml.dist @@ -0,0 +1,77 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified + + + diff --git a/dist/conf/authn/authn-events-flow.xml.dist b/dist/conf/authn/authn-events-flow.xml.dist new file mode 100644 index 0000000..244e1db --- /dev/null +++ b/dist/conf/authn/authn-events-flow.xml.dist @@ -0,0 +1,18 @@ + + + + + + + + + + diff --git a/dist/conf/authn/external-authn-config.xml.dist b/dist/conf/authn/external-authn-config.xml.dist new file mode 100644 index 0000000..4ce8f26 --- /dev/null +++ b/dist/conf/authn/external-authn-config.xml.dist @@ -0,0 +1,62 @@ + + + + + + + + + + + + + + + + + UnknownUsername + + + + + InvalidPassword + + + + + ExpiredPassword + + + + + ExpiringPassword + + + + + 
diff --git a/dist/conf/authn/general-authn.xml.dist b/dist/conf/authn/general-authn.xml.dist new file mode 100644 index 0000000..f127a13 --- /dev/null +++ b/dist/conf/authn/general-authn.xml.dist @@ -0,0 +1,114 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + + + + diff --git a/dist/conf/authn/ipaddress-authn-config.xml.dist b/dist/conf/authn/ipaddress-authn-config.xml.dist new file mode 100644 index 0000000..a3ee096 --- /dev/null +++ b/dist/conf/authn/ipaddress-authn-config.xml.dist @@ -0,0 +1,37 @@ + + + + + + + + + + + + + + + diff --git a/dist/conf/authn/jaas-authn-config.xml.dist b/dist/conf/authn/jaas-authn-config.xml.dist new file mode 100644 index 0000000..daef4d2 --- /dev/null +++ b/dist/conf/authn/jaas-authn-config.xml.dist @@ -0,0 +1,27 @@ + + + + + + + + + + + ShibUserPassAuth + + + + + diff --git a/dist/conf/authn/jaas.config.dist b/dist/conf/authn/jaas.config.dist new file mode 100644 index 0000000..232e93d --- /dev/null +++ b/dist/conf/authn/jaas.config.dist @@ -0,0 +1,11 @@ +ShibUserPassAuth { + /* + com.sun.security.auth.module.Krb5LoginModule required; + */ + + org.ldaptive.jaas.LdapLoginModule required + ldapUrl="ldap://localhost:10389" + baseDn="ou=people,dc=example,dc=org" + userFilter="uid={user}"; + +}; \ No newline at end of file diff --git a/dist/conf/authn/krb5-authn-config.xml.dist b/dist/conf/authn/krb5-authn-config.xml.dist new file mode 100644 index 0000000..d3590a2 --- /dev/null +++ b/dist/conf/authn/krb5-authn-config.xml.dist @@ -0,0 +1,31 @@ + + + + + + + + + + + + + diff --git a/dist/conf/authn/ldap-authn-config.xml.dist b/dist/conf/authn/ldap-authn-config.xml.dist new file mode 100644 index 0000000..5626629 --- /dev/null +++ b/dist/conf/authn/ldap-authn-config.xml.dist 
@@ -0,0 +1,130 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dist/conf/authn/password-authn-config.xml.dist b/dist/conf/authn/password-authn-config.xml.dist new file mode 100644 index 0000000..be8b06f --- /dev/null +++ b/dist/conf/authn/password-authn-config.xml.dist @@ -0,0 +1,109 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + NoCredentials + CLIENT_NOT_FOUND + Client not found + DN_RESOLUTION_FAILURE + + + + + InvalidCredentials + PREAUTH_FAILED + INVALID_CREDENTIALS + + + + + Clients credentials have been revoked + + + + + PASSWORD_EXPIRED + + + + + ACCOUNT_WARNING + + + + + + + + diff --git a/dist/conf/authn/remoteuser-authn-config.xml.dist b/dist/conf/authn/remoteuser-authn-config.xml.dist new file mode 100644 index 0000000..b5a923f --- /dev/null +++ b/dist/conf/authn/remoteuser-authn-config.xml.dist @@ -0,0 +1,67 @@ + + + + + + + + + + + + + + + + + NoCredentials + + + + + UnknownUsername + + + + + InvalidPassword + + + + + ExpiredPassword + + + + + ExpiringPassword + + + + + diff --git a/dist/conf/authn/remoteuser-internal-authn-config.xml.dist b/dist/conf/authn/remoteuser-internal-authn-config.xml.dist new file mode 100644 index 0000000..9e68c85 --- /dev/null +++ b/dist/conf/authn/remoteuser-internal-authn-config.xml.dist @@ -0,0 +1,63 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dist/conf/authn/spnego-authn-config.xml.dist b/dist/conf/authn/spnego-authn-config.xml.dist new file mode 100644 index 0000000..404d7e9 --- /dev/null +++ b/dist/conf/authn/spnego-authn-config.xml.dist @@ -0,0 +1,69 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + SPNEGONotAvailable + + + + + NTLMUnsupported + + + + + diff --git a/dist/conf/authn/x509-authn-config.xml.dist b/dist/conf/authn/x509-authn-config.xml.dist new file mode 100644 index 0000000..0e54f45 
--- /dev/null +++ b/dist/conf/authn/x509-authn-config.xml.dist @@ -0,0 +1,41 @@ + + + + + + + + + + + + + + NoCredentials + InvalidCredentials + + + + + diff --git a/dist/conf/authn/x509-internal-authn-config.xml.dist b/dist/conf/authn/x509-internal-authn-config.xml.dist new file mode 100644 index 0000000..bad3029 --- /dev/null +++ b/dist/conf/authn/x509-internal-authn-config.xml.dist @@ -0,0 +1,21 @@ + + + + + + diff --git a/dist/conf/c14n/attribute-sourced-subject-c14n-config.xml.dist b/dist/conf/c14n/attribute-sourced-subject-c14n-config.xml.dist new file mode 100644 index 0000000..938b30f --- /dev/null +++ b/dist/conf/c14n/attribute-sourced-subject-c14n-config.xml.dist @@ -0,0 +1,44 @@ + + + + + + altuid + + + + + altuid + + + + + + + + + + + + + diff --git a/dist/conf/c14n/simple-subject-c14n-config.xml.dist b/dist/conf/c14n/simple-subject-c14n-config.xml.dist new file mode 100644 index 0000000..3cddfa6 --- /dev/null +++ b/dist/conf/c14n/simple-subject-c14n-config.xml.dist @@ -0,0 +1,27 @@ + + + + + + + + + + + + + + diff --git a/dist/conf/c14n/subject-c14n-events-flow.xml.dist b/dist/conf/c14n/subject-c14n-events-flow.xml.dist new file mode 100644 index 0000000..d7458cd --- /dev/null +++ b/dist/conf/c14n/subject-c14n-events-flow.xml.dist @@ -0,0 +1,18 @@ + + + + + + + + + + diff --git a/dist/conf/c14n/subject-c14n.xml.dist b/dist/conf/c14n/subject-c14n.xml.dist new file mode 100644 index 0000000..16fc6f1 --- /dev/null +++ b/dist/conf/c14n/subject-c14n.xml.dist @@ -0,0 +1,109 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName + urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName + urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos + + + + + + + + + + + + + + + + + 
diff --git a/dist/conf/c14n/x500-subject-c14n-config.xml.dist b/dist/conf/c14n/x500-subject-c14n-config.xml.dist new file mode 100644 index 0000000..1ae25e4 --- /dev/null +++ b/dist/conf/c14n/x500-subject-c14n-config.xml.dist @@ -0,0 +1,37 @@ + + + + + + + + + + + 2.5.4.3 + + + + + + + + + + + + + diff --git a/dist/conf/cas-protocol.xml.dist b/dist/conf/cas-protocol.xml.dist new file mode 100644 index 0000000..09a05ef --- /dev/null +++ b/dist/conf/cas-protocol.xml.dist @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/dist/conf/credentials.xml.dist b/dist/conf/credentials.xml.dist new file mode 100644 index 0000000..7462879 --- /dev/null +++ b/dist/conf/credentials.xml.dist @@ -0,0 +1,65 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dist/conf/errors.xml.dist b/dist/conf/errors.xml.dist new file mode 100644 index 0000000..5de522f --- /dev/null +++ b/dist/conf/errors.xml.dist @@ -0,0 +1,120 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dist/conf/global.xml.dist b/dist/conf/global.xml.dist new file mode 100644 index 0000000..60562e3 --- /dev/null +++ b/dist/conf/global.xml.dist @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + + diff --git a/dist/conf/idp.properties.dist b/dist/conf/idp.properties.dist new file mode 100644 index 0000000..a31bd7e --- /dev/null +++ b/dist/conf/idp.properties.dist 
@@ -0,0 +1,194 @@ +# Load any additional property resources from a comma-delimited list +idp.additionalProperties = /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties + +# Set the entityID of the IdP +idp.entityID = https://idp.example.org + +# Set the scope used in the attribute resolver for scoped attributes +idp.scope = example.org + +# General cookie properties (maxAge only applies to persistent cookies) +#idp.cookie.secure = false +#idp.cookie.httpOnly = true +#idp.cookie.domain = +#idp.cookie.path = +#idp.cookie.maxAge = 31536000 + +# Set the location of user-supplied web flow definitions +#idp.webflows = %{idp.home}/flows + +# Set the location of Velocity view templates +#idp.views = %{idp.home}/views + +# Settings for internal AES encryption key +#idp.sealer.storeType = JCEKS +#idp.sealer.updateInterval = PT15M +#idp.sealer.aliasBase = secret +idp.sealer.storeResource = %{idp.home}/credentials/sealer.jks +idp.sealer.versionResource = %{idp.home}/credentials/sealer.kver +idp.sealer.storePassword = password +idp.sealer.keyPassword = password + +# Settings for public/private signing and encryption key(s) +# During decryption key rollover, point the ".2" properties at a second +# keypair, uncomment in credentials.xml, then publish it in your metadata. 
+idp.signing.key = %{idp.home}/credentials/idp-signing.key +idp.signing.cert = %{idp.home}/credentials/idp-signing.crt +idp.encryption.key = %{idp.home}/credentials/idp-encryption.key +idp.encryption.cert = %{idp.home}/credentials/idp-encryption.crt +#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key +#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt + +# Sets the bean ID to use as a default security configuration set +#idp.security.config = shibboleth.DefaultSecurityConfiguration + +# To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1 +#idp.signing.config = shibboleth.SigningConfiguration.SHA256 + +# Configures trust evaluation of keys used by services at runtime +# Defaults to supporting both explicit key and PKIX using SAML metadata. +#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine +# To pick only one set to one of: +# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine +#idp.trust.certificates = shibboleth.ChainingX509TrustEngine +# To pick only one set to one of: +# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine + +# If true, encryption will happen whenever a key to use can be located, but +# failure to encrypt won't result in request failure. 
+#idp.encryption.optional = false + +# Configuration of client- and server-side storage plugins +#idp.storage.cleanupInterval = PT10M +#idp.storage.htmlLocalStorage = false + +# Set to true to expose more detailed errors in responses to SPs +#idp.errors.detailed = false +# Set to false to skip signing of SAML response messages that signal errors +#idp.errors.signed = true +# Name of bean containing a list of Java exception classes to ignore +#idp.errors.excludedExceptions = ExceptionClassListBean +# Name of bean containing a property set mapping exception names to views +#idp.errors.exceptionMappings = ExceptionToViewPropertyBean +# Set if a different default view name for events and exceptions is needed +#idp.errors.defaultView = error + +# Set to false to disable the IdP session layer +#idp.session.enabled = true + +# Set to "shibboleth.StorageService" for server-side storage of user sessions +#idp.session.StorageService = shibboleth.ClientSessionStorageService + +# Size of session IDs +#idp.session.idSize = 32 +# Bind sessions to IP addresses +#idp.session.consistentAddress = true +# Inactivity timeout +#idp.session.timeout = PT60M +# Extra time to store sessions for logout +#idp.session.slop = PT0S +# Tolerate storage-related errors +#idp.session.maskStorageFailure = false +# Track information about SPs logged into +#idp.session.trackSPSessions = false +# Support lookup by SP for SAML logout +#idp.session.secondaryServiceIndex = false +# Length of time to track SP sessions +#idp.session.defaultSPlifetime = PT2H + +# Regular expression matching login flows to enable, e.g. IPAddress|Password +idp.authn.flows = Password + +# Regular expression of forced "initial" methods when no session exists, +# usually in conjunction with the idp.authn.resolveAttribute property below. +#idp.authn.flows.initial = Password + +# Set to an attribute ID to resolve prior to selecting authentication flows; +# its values are used to filter the flows to allow. 
+#idp.authn.resolveAttribute = eduPersonAssurance + +# Default lifetime and timeout of various authentication methods +#idp.authn.defaultLifetime = PT60M +#idp.authn.defaultTimeout = PT30M + +# Whether to prioritize "active" results when an SP requests more than +# one possible matching login method (V2 behavior was to favor them) +#idp.authn.favorSSO = true + +# Whether to fail requests when a user identity after authentication +# doesn't match the identity in a pre-existing session. +#idp.authn.identitySwitchIsError = false + +# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent +#idp.consent.StorageService = shibboleth.ClientPersistentStorageService + +# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute +# to key user consent storage records (and set the attribute name) +#idp.consent.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey +#idp.consent.userStorageKeyAttribute = uid + +# Flags controlling how built-in attribute consent feature operates +#idp.consent.allowDoNotRemember = true +#idp.consent.allowGlobal = true +#idp.consent.allowPerAttribute = false + +# Whether attribute values and terms of use text are compared +#idp.consent.compareValues = false +# Maximum number of consent records for space-limited storage (e.g. cookies) +#idp.consent.maxStoredRecords = 10 +# Maximum number of consent records for larger/server-side storage (0 = no limit) +#idp.consent.expandedMaxStoredRecords = 0 + +# Time in milliseconds to expire consent storage records. +#idp.consent.storageRecordLifetime = P1Y + +# Whether to lookup metadata, etc. for every SP involved in a logout +# for use by user interface logic; adds overhead so off by default. +#idp.logout.elaboration = false + +# Whether to require logout requests be signed/authenticated. 
+#idp.logout.authenticated = true + +# Message freshness and replay cache tuning +#idp.policy.messageLifetime = PT3M +#idp.policy.clockSkew = PT3M + +# Set to custom bean for alternate storage of replay cache +#idp.replayCache.StorageService = shibboleth.StorageService + +# Toggles whether to allow outbound messages via SAML artifact +#idp.artifact.enabled = true +# Suppresses typical signing/encryption when artifact binding used +#idp.artifact.secureChannel = true +# May differ to direct SAML 2 artifact lookups to specific server nodes +#idp.artifact.endpointIndex = 2 +# Set to custom bean for alternate storage of artifact map state +#idp.artifact.StorageService = shibboleth.StorageService + +# Name of access control policy for various admin flows +idp.status.accessPolicy = AccessByIPAddress +idp.resolvertest.accessPolicy = AccessByIPAddress +idp.reload.accessPolicy = AccessByIPAddress + +# Comma-delimited languages to use if not match can be found with the +# browser-supported languages, defaults to an empty list. +idp.ui.fallbackLanguages=en,fr,de + +# Storage service used by CAS protocol +# Defaults to shibboleth.StorageService (in-memory) +# MUST be server-side storage (e.g. in-memory, memcached, database) +# NOTE that idp.session.StorageService requires server-side storage +# when CAS protocol is enabled +#idp.cas.StorageService=shibboleth.StorageService + +# CAS service registry implementation class +#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry + +# Profile flows in which the ProfileRequestContext should be exposed +# in servlet request under the key "opensamlProfileRequestContext" +#idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO + +# F-TICKS auditing - set salt to include hashed username +#idp.fticks.federation=MyFederation +#idp.fticks.algorithm=SHA-256 +#idp.fticks.salt=somethingsecret \ No newline at end of file 
diff --git a/dist/conf/intercept/consent-intercept-config.xml.dist b/dist/conf/intercept/consent-intercept-config.xml.dist new file mode 100644 index 0000000..ca183a7 --- /dev/null +++ b/dist/conf/intercept/consent-intercept-config.xml.dist @@ -0,0 +1,136 @@ + + + + + + + + + + + + + + + + + + + + + transientId + persistentId + eduPersonTargetedID + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/dist/conf/intercept/context-check-intercept-config.xml.dist b/dist/conf/intercept/context-check-intercept-config.xml.dist new file mode 100644 index 0000000..809f1d4 --- /dev/null +++ b/dist/conf/intercept/context-check-intercept-config.xml.dist @@ -0,0 +1,42 @@ + + + + + + + + + + + + + + * + + + + + + + + + + \ No newline at end of file diff --git a/dist/conf/intercept/intercept-events-flow.xml.dist b/dist/conf/intercept/intercept-events-flow.xml.dist new file mode 100644 index 0000000..5cb30d5 --- /dev/null +++ b/dist/conf/intercept/intercept-events-flow.xml.dist @@ -0,0 +1,18 @@ + + + + + + + + + + diff --git a/dist/conf/intercept/profile-intercept.xml.dist b/dist/conf/intercept/profile-intercept.xml.dist new file mode 100644 index 0000000..fedc2b2 --- /dev/null +++ b/dist/conf/intercept/profile-intercept.xml.dist @@ -0,0 +1,36 @@ + + + + + + + + + + + + + + + + + + diff --git a/dist/conf/ldap.properties.dist b/dist/conf/ldap.properties.dist new file mode 100644 index 0000000..2d2aef2 --- /dev/null +++ b/dist/conf/ldap.properties.dist 
@@ -0,0 +1,60 @@ +# LDAP authentication configuration, see authn/ldap-authn-config.xml +# Note, this doesn't apply to the use of JAAS + +## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator +#idp.authn.LDAP.authenticator = anonSearchAuthenticator + +## Connection properties ## +idp.authn.LDAP.ldapURL = ldap://localhost:10389 +#idp.authn.LDAP.useStartTLS = true +#idp.authn.LDAP.useSSL = false +#idp.authn.LDAP.connectTimeout = 3000 + +## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust +#idp.authn.LDAP.sslConfig = certificateTrust +## If using certificateTrust above, set to the trusted certificate's path +idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt +## If using keyStoreTrust above, set to the truststore path +idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore + +## Return attributes during authentication +## NOTE: there is a separate property used for attribute resolution +idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining + +## DN resolution properties ## + +# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator +# for AD: CN=Users,DC=example,DC=org +idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org +#idp.authn.LDAP.subtreeSearch = false +idp.authn.LDAP.userFilter = (uid={user}) +# bind search configuration +# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com +idp.authn.LDAP.bindDN = uid=myservice,ou=system +idp.authn.LDAP.bindDNCredential = myServicePassword + +# Format DN resolution, used by directAuthenticator, adAuthenticator +# for AD use idp.authn.LDAP.dnFormat=%s@domain.com +idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=org + +# LDAP attribute configuration, see attribute-resolver.xml +# Note, this likely won't apply to the use of legacy V2 resolver configurations +idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL} 
+idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined} +idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN:undefined} +idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined} +idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true} +idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined} +idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal) +idp.attribute.resolver.LDAP.returnAttributes = cn,homephone,mail + +# LDAP pool configuration, used for both authn and DN resolution +#idp.pool.LDAP.minSize = 3 +#idp.pool.LDAP.maxSize = 10 +#idp.pool.LDAP.validateOnCheckout = false +#idp.pool.LDAP.validatePeriodically = true +#idp.pool.LDAP.validatePeriod = 300 +#idp.pool.LDAP.prunePeriod = 300 +#idp.pool.LDAP.idleTime = 600 +#idp.pool.LDAP.blockWaitTime = 3000 +#idp.pool.LDAP.failFastInitialize = false diff --git a/dist/conf/logback.xml.dist b/dist/conf/logback.xml.dist new file mode 100644 index 0000000..2582d1c --- /dev/null +++ b/dist/conf/logback.xml.dist 
@@ -0,0 +1,166 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ${idp.logfiles}/idp-process.log + + + ${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short} + + + + + + 0 + + + + + + WARN + + + ${idp.logfiles}/idp-warn.log + + + ${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short} + + + + + + ${idp.logfiles}/idp-audit.log + + + ${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %msg%n + + + + + + ${idp.logfiles}/idp-consent-audit.log + + + ${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %msg%n + + + + + + ${idp.fticks.loghost:-localhost} + ${idp.fticks.logport:-514} + AUTH + [%thread] %logger %msg + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/dist/conf/metadata-providers.xml.dist b/dist/conf/metadata-providers.xml.dist new file mode 100644 index 0000000..49fd53c --- /dev/null +++ b/dist/conf/metadata-providers.xml.dist @@ -0,0 +1,72 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dist/conf/mvc-beans.xml.dist b/dist/conf/mvc-beans.xml.dist new file mode 100644 index 0000000..98d9bcd --- /dev/null +++ b/dist/conf/mvc-beans.xml.dist @@ -0,0 +1,23 @@ + + + + + + diff --git a/dist/conf/relying-party.xml.dist b/dist/conf/relying-party.xml.dist new file mode 100644 index 0000000..28c9193 --- /dev/null +++ b/dist/conf/relying-party.xml.dist @@ -0,0 +1,70 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dist/conf/saml-nameid.properties.dist b/dist/conf/saml-nameid.properties.dist new file mode 100644 index 0000000..8530c4f --- /dev/null +++ b/dist/conf/saml-nameid.properties.dist 
@@ -0,0 +1,35 @@ +# Properties involving SAML NameIdentifier/NameID generation/consumption + +# For the most part these settings only deal with "transient" and "persistent" +# identifiers. See saml-nameid.xml and c14n/subject-c14n.xml for advanced +# settings + +# Comment out to disable legacy NameID generation via Attribute Resolver +#idp.nameid.saml2.legacyGenerator = shibboleth.LegacySAML2NameIDGenerator +#idp.nameid.saml1.legacyGenerator = shibboleth.LegacySAML1NameIdentifierGenerator + +# Default NameID Formats to use when nothing else is called for. +# Don't change these just to change the Format used for a single SP! +#idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient +#idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier + +# Set to shibboleth.StoredTransientIdGenerator for server-side transient ID storage +#idp.transientId.generator = shibboleth.CryptoTransientIdGenerator + +# Persistent IDs can be computed on the fly with a hash, or managed in a database + +# For computed IDs, set a source attribute and a secret salt: +#idp.persistentId.sourceAttribute = changethistosomethingreal +#idp.persistentId.useUnfilteredAttributes = true +# Do *NOT* share the salt with other people, it's like divulging your private key. +#idp.persistentId.algorithm = SHA +#idp.persistentId.salt = changethistosomethingrandom + +# To use a database, use shibboleth.StoredPersistentIdGenerator +#idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator +# For basic use, set this to a JDBC DataSource bean name: +#idp.persistentId.dataSource = PersistentIdDataSource +# For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore +#idp.persistentId.store = MyPersistentIdStore +# Set to an empty property to skip hash-based generation of first stored ID +#idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator 
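Review bot: the computed-ID block in saml-nameid.properties.dist (`idp.persistentId.algorithm = SHA`, `idp.persistentId.salt = changethistosomethingrandom`) should say that neither the algorithm nor the salt may change once identifiers have been issued, because every hashed persistent ID is derived from both and a change silently re-keys every user at every SP. It should also give the expected salt size next to the "Do *NOT* share the salt" warning; "changethistosomethingrandom" tells a deployer to pick a random value but not how much randomness is expected.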
diff --git a/dist/conf/saml-nameid.xml.dist b/dist/conf/saml-nameid.xml.dist new file mode 100644 index 0000000..ea97448 --- /dev/null +++ b/dist/conf/saml-nameid.xml.dist @@ -0,0 +1,62 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dist/conf/services.properties.dist b/dist/conf/services.properties.dist new file mode 100644 index 0000000..116625a --- /dev/null +++ b/dist/conf/services.properties.dist 
@@ -0,0 +1,61 @@ +# Configure the resources to load for various services, +# and the settings for failure handling and auto-reload. + +# failFast=true prevents IdP startup if a configuration is bad +# checkInterval = PT0S means never reload (this is the default) + +# Global default for fail-fast behavior of most subsystems +# with individual override possible below. +#idp.service.failFast = false + +#idp.service.logging.resource = %{idp.home}/conf/logback.xml +#idp.service.logging.failFast = true +idp.service.logging.checkInterval = PT5M + +# Set to shibboleth.LegacyRelyingPartyResolverResources with legacy V2 relying-party.xml +#idp.service.relyingparty.resources = shibboleth.RelyingPartyResolverResources +#idp.service.relyingparty.failFast = false +idp.service.relyingparty.checkInterval = PT15M + +#idp.service.metadata.resources = shibboleth.MetadataResolverResources +#idp.service.metadata.failFast = false +#idp.service.metadata.checkInterval = PT0S + +#idp.service.attribute.resolver.resources = shibboleth.AttributeResolverResources +#idp.service.attribute.resolver.failFast = false +idp.service.attribute.resolver.checkInterval = PT15M +#idp.service.attribute.resolver.maskFailures = true + +#idp.service.attribute.filter.resources = shibboleth.AttributeFilterResources +# NOTE: Failing the filter fast leaves no filters enabled. 
+#idp.service.attribute.filter.failFast = false +idp.service.attribute.filter.checkInterval = PT15M +#idp.service.attribute.filter.maskFailures = true + +#idp.service.nameidGeneration.resources = shibboleth.NameIdentifierGenerationResources +#idp.service.nameidGeneration.failFast = false +idp.service.nameidGeneration.checkInterval = PT15M + +#idp.service.access.resources = shibboleth.AccessControlResources +#idp.service.access.failFast = true +idp.service.access.checkInterval = PT5M + +#idp.service.cas.registry.resources = shibboleth.CASServiceRegistryResources +#idp.service.cas.registry.failFast = false +idp.service.cas.registry.checkInterval = PT15M + +#idp.message.resources = shibboleth.MessageSourceResources +#idp.message.cacheSeconds = 300 + +# Parameters for pre-defined HttpClient instances which perform in-memory and filesystem caching. +# These are used with components such as remote configuration resources that are explicitly wired +# with these client instances, *not* by default with HTTP metadata resolvers. +#idp.httpclient.useTrustEngineTLSSocketFactory = false +#idp.httpclient.useSecurityEnhancedTLSSocketFactory = false +#idp.httpclient.connectionDisregardTLSCertificate = false +#idp.httpclient.connectionTimeout = -1 +#idp.httpclient.memorycaching.maxCacheEntries = 50 +#idp.httpclient.memorycaching.maxCacheEntrySize = 1048576 +#idp.httpclient.filecaching.maxCacheEntries = 100 +#idp.httpclient.filecaching.maxCacheEntrySize = 10485760 +idp.httpclient.filecaching.cacheDirectory = %{idp.home}/tmp/httpClientCache \ No newline at end of file diff --git a/dist/conf/services.xml.dist b/dist/conf/services.xml.dist new file mode 100644 index 0000000..d22fff9 --- /dev/null +++ b/dist/conf/services.xml.dist 
@@ -0,0 +1,145 @@ + + + + + + + + + + + %{idp.home}/conf/relying-party.xml + %{idp.home}/conf/credentials.xml + %{idp.home}/system/conf/relying-party-system.xml + + + + + %{idp.home}/conf/relying-party.xml + %{idp.home}/system/conf/legacy-relying-party-defaults.xml + + + + %{idp.home}/conf/metadata-providers.xml + %{idp.home}/system/conf/metadata-providers-system.xml + + + + %{idp.home}/conf/attribute-resolver.xml + + + + %{idp.home}/conf/attribute-filter.xml + + + + %{idp.home}/conf/saml-nameid.xml + %{idp.home}/system/conf/saml-nameid-system.xml + + + + %{idp.home}/conf/access-control.xml + %{idp.home}/system/conf/access-control-system.xml + + + + %{idp.home}/conf/cas-protocol.xml + + + + + %{idp.home}/messages/authn-messages + %{idp.home}/messages/consent-messages + %{idp.home}/messages/error-messages + + + diff --git a/dist/conf/session-manager.xml.dist b/dist/conf/session-manager.xml.dist new file mode 100644 index 0000000..f195014 --- /dev/null +++ b/dist/conf/session-manager.xml.dist @@ -0,0 +1,45 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dist/flows/authn/conditions/account-locked/account-locked-flow.xml.dist b/dist/flows/authn/conditions/account-locked/account-locked-flow.xml.dist new file mode 100644 index 0000000..5fe7523 --- /dev/null +++ b/dist/flows/authn/conditions/account-locked/account-locked-flow.xml.dist @@ -0,0 +1,16 @@ + + + + + + + + + + + + + + diff --git a/dist/flows/authn/conditions/conditions-flow.xml.dist b/dist/flows/authn/conditions/conditions-flow.xml.dist new file mode 100644 index 0000000..caa0a13 --- /dev/null +++ b/dist/flows/authn/conditions/conditions-flow.xml.dist @@ -0,0 +1,35 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dist/flows/authn/conditions/expired-password/expired-password-flow.xml.dist b/dist/flows/authn/conditions/expired-password/expired-password-flow.xml.dist new file mode 100644 index 0000000..5fe7523 --- /dev/null 
+++ b/dist/flows/authn/conditions/expired-password/expired-password-flow.xml.dist @@ -0,0 +1,16 @@ + + + + + + + + + + + + + + diff --git a/dist/flows/authn/conditions/expiring-password/expiring-password-flow.xml.dist b/dist/flows/authn/conditions/expiring-password/expiring-password-flow.xml.dist new file mode 100644 index 0000000..f9f5ceb --- /dev/null +++ b/dist/flows/authn/conditions/expiring-password/expiring-password-flow.xml.dist @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dist/flows/user/prefs/prefs-flow.xml.dist b/dist/flows/user/prefs/prefs-flow.xml.dist new file mode 100644 index 0000000..c79093b --- /dev/null +++ b/dist/flows/user/prefs/prefs-flow.xml.dist @@ -0,0 +1,25 @@ + + + + + + + + + + + + + + diff --git a/dist/messages/authn-messages.properties.dist b/dist/messages/authn-messages.properties.dist new file mode 100644 index 0000000..ed92747 --- /dev/null +++ b/dist/messages/authn-messages.properties.dist 
@@ -0,0 +1,73 @@ +# In addition to the Apache 2.0 license, this content is also licensed +# under the Creative Commons Attribution-ShareAlike 3.0 Unported license +# (see http://creativecommons.org/licenses/by-sa/3.0/). + +# Login / Logout messages + +idp.login.loginTo = Login to + +idp.login.username = Username +idp.login.password = Password + +idp.login.donotcache = Don't Remember Login + +idp.login.login = Login +idp.login.pleasewait = Logging in, please wait... + +idp.login.forgotPassword = Forgot your password? +idp.login.needHelp = Need Help? + +# Expiring password example messages + +idp.login.expiringSoon = Your password will be expiring soon! +idp.login.changePassword = To create a new password now, go to +idp.login.proceedBegin = Your login will proceed in 20 seconds or you may click +idp.login.proceedHere = here +idp.login.proceedEnd = to continue + +# Useful links + +idp.url.password.reset = # +idp.url.helpdesk = # + +# User Preferences example messages + +idp.userprefs.title = Web Login Service +idp.userprefs.title.suffice = Login Preferences +idp.userprefs.info = This page allows you to configure your device to tell the Web Login Service that it \ + can use more advanced login approaches that are more convenient, but not always usable. +idp.userprefs.options = The following options are available: +idp.userprefs.spnego = Automatically try desktop login when available. +idp.userprefs.no-js = This feature requires Javascript. + +# Classified Login Error messages + +UnknownUsername = bad-username +InvalidPassword = bad-password +ExpiredPassword = expired-password +AccountLocked = account-locked +SPNEGONotAvailable = spnego-unavailable +NTLMUnsupported = ntlm + +bad-username.message = The username you entered cannot be identified. + +bad-password.message = The password you entered was incorrect. + +expired-password.message = Your password has expired. + +account-locked.message = Your account is locked. 
+ +spnego-unavailable.message = Your web browser doesn't support authentication with your desktop login credentials. +spnego-unavailable.return = Cancel the attempt. + +ntlm.message = Your web browser attempted to negotiate a weaker form of desktop authentication. + +# Logout-related messages + +idp.logout.ask = Would you like to attempt to log out of all services accessed during your session? \ + Please select Yes or No to ensure the logout \ + operation completes, or wait a few seconds for Yes. +idp.logout.contactServices = If you proceed, the system will attempt to contact the following services: +idp.logout.complete = The logout operation is complete, and no other services appear to have been accessed during this session. +idp.logout.local = You elected not to log out of all the applications accessed during your session. +idp.logout.attempt = Attempting to log out of the following services: diff --git a/dist/messages/consent-messages.properties.dist b/dist/messages/consent-messages.properties.dist new file mode 100644 index 0000000..bed612e --- /dev/null +++ b/dist/messages/consent-messages.properties.dist @@ -0,0 +1,77 @@ +# In addition to the Apache 2.0 license, this content is also licensed +# under the Creative Commons Attribution-ShareAlike 3.0 Unported license +# (see http://creativecommons.org/licenses/by-sa/3.0/). + +# General messages related to terms of use consent. + +idp.terms-of-use.accept = I accept the terms of use +idp.terms-of-use.submit = Submit +idp.terms-of-use.reject = Refuse +idp.terms-of-use.required = Please check this box if you want to proceed. + +# Triples consisting of a TOU key, and a title and text for each set of terms. +# The default implementation uses the SP name as the key, but this can be overriden. + +https\://sp.example.org = example-tou-1 +example-tou-1.title = Example Terms of Use +example-tou-1.text = *** This is an example ToU - tailor due to your needs *** \ +

Example organization AAI services: Terms of Use (ToU)

\ + A. Data Protection Sample Clause \ +

\ + "The End User notes that personal data about the End User is compiled from generally \ + available sources and from communications received from the End User and other \ + Universities as well as from off-site sources. The policy relating to the use and procession \ + of such data is posted on the University website at [...]. Such data will be used, inter alia, \ + to authenticate and authorize the access to and use of various resources within \ + the University and on other sites ("Approved Uses"). The End User hereby consents to \ + the collection, processing, use and release of such data to the extent reasonably necessary \ + for the Approved Uses. Such consent includes, but is not limited to, the release \ + of personal data to other institutions by employing cookies and electronically exchanging, \ + caching and storing personal authorization attributes." \ +

\ + B. Limitation of Liability \ +

\ + "To the extent permitted by the applicable law, the End User hereby waives all and any \ + claims for cost and damages, whether direct or indirect, incidental, or consequential(including, \ + inter alia, loss of use and lost profits), both in contract and in tort, arising from \ + the use or in any way related to the inter-organizational authentication and authorization \ + services which allow the End User to access certain resources of other organizations. \ + This waiver of claims shall be valid and effective in relation to all participants of \ + the inter-organizational authentication and authorization services including the AAI \ + Service Provider and its affiliates, officers, employees and agents." \ +

+ +# Messages related to attribute release consent. + +idp.attribute-release.revoke = Clear prior granting of permission for release of your information to this service. + +idp.attribute-release.title = Information Release + +idp.attribute-release.attributesHeader = Information to be Provided to Service + +idp.attribute-release.serviceNameLabel = You are about to access the service: +idp.attribute-release.of = of +idp.attribute-release.serviceDescriptionLabel = Description as provided by this service: + +idp.attribute-release.informationURLLabel = Additional information about the service +idp.attribute-release.privacyStatementURLLabel = Data privacy information of the service + +idp.attribute-release.showDetails = show details + +idp.attribute-release.accept = Accept +idp.attribute-release.reject = Reject + +idp.attribute-release.confirmationQuestion = The information above would be shared with the service if you proceed. \ + Do you agree to release this information to the service every time you access it? + +idp.attribute-release.consentMethod = Select an information release consent duration: +idp.attribute-release.consentMethodRevoke = This setting can be revoked at any time with the checkbox on the login page. + +idp.attribute-release.doNotRememberConsent = Ask me again at next login +idp.attribute-release.doNotRememberConsentItem = I agree to send my information this time. + +idp.attribute-release.rememberConsent = Ask me again if information to be provided to this service changes +idp.attribute-release.rememberConsentItem = I agree that the same information will be sent automatically to this service in the future. + +idp.attribute-release.globalConsent = Do not ask me again +idp.attribute-release.globalConsentItem = I agree that all of my information will be released to any service. diff --git a/dist/messages/error-messages.properties.dist b/dist/messages/error-messages.properties.dist new file mode 100644 index 0000000..4f93680 --- /dev/null 
+++ b/dist/messages/error-messages.properties.dist 
@@ -0,0 +1,119 @@ +# In addition to the Apache 2.0 license, this content is also licensed +# under the Creative Commons Attribution-ShareAlike 3.0 Unported license +# (see http://creativecommons.org/licenses/by-sa/3.0/). + +# Title / Message mappings for error view + +# General strings +idp.title = Web Login Service +idp.title.suffix = Error +idp.logo = /images/dummylogo.png +idp.logo.alt-text = Replace or remove this logo +idp.message = An unidentified error occurred. +idp.footer = Insert your footer text here. + +idp.client-storage-read.title = Loading Session State... +idp.client-storage-write.title = Saving Session State... +idp.client-storage.no-js = Since your browser does not support JavaScript, \ + you must press the Continue button once to proceed. + +# Event to error key mappings + +AccessDenied = access +ContextCheckDenied = context-check-denied +EndpointResolutionFailed = endpoint +InvalidProfileConfiguration = relying-party +InvalidSecurityConfiguration = security-cfg +MessageAuthenticationError = security-msg +MessageReplay = stale +MessageExpired = stale +UnableToDecode = stale +AccountError = authn +AuthenticationException = authn +InvalidCredentials = authn +NoCredentials = authn +NoPotentialFlow = authn +RequestUnsupported = authn +SubjectCanonicalizationError = authn +InvalidAttributeContext = unexpected +InvalidAuthenticationContext = unexpected +InvalidSubjectContext = unexpected +InvalidSubjectCanonicalizationContext = unexpected +InvalidMessageContext = unexpected +InvalidMessageVersion = unexpected +InvalidProfileContext = unexpected +InvalidRelyingPartyContext = unexpected +InvalidRelyingPartyConfiguration = unexpected +MessageProcessingError = unexpected +UnableToEncode = unexpected +UnableToSign = unexpected +UnableToEncrypt = unexpected +AttributeReleaseRejected = no-release +TermsRejected = no-terms +RuntimeException = runtime-error + +# Exception to error key mappings + +FlowExecutionRestorationFailureException = stale + +# Error key 
to title and message mappings + +access.title = Access Denied +access.message = You do not have access to the requested resource. + +context-check-denied.title = Access Denied +context-check-denied.message = You are not eligible for the service requested. + +no-release.title = Release of Information Prevented +no-release.message = At your request, the release of your information has been blocked. If you wish to \ + change your decision, you may access the service again and approve the release in the \ + future. + +no-terms.title = Terms of Use Refused +no-terms.message = Having refused the mandatory Terms of Use, access to the service is not permitted. \ + If you wish to change your decision, you may access the service again and approve \ + the terms in the future. + +authn.title = Login Failed +authn.message = User login was not successful or could not meet the requirements of the requesting application. + +endpoint.title = Unable to Respond +endpoint.message = The login service was unable to identify a compatible way to respond to the requested \ + application. This is generally to due to a misconfiguration on the part of the application \ + and should be reported to the application's support team or owner. + +relying-party.title = Unsupported Request +relying-party.message = The application you have accessed is not registered for use with this service. + +security-cfg.title = Security Configuration Error +security-cfg.message = The login service and the requested application do not share a compatible \ + security configuration, and the request cannot be fulfilled. + +security-msg.title = Message Security Error +security-msg.message = The request cannot be fulfilled because the message received does not meet the \ + security requirements of the login service. + +stale.title = Stale Request +stale.message =

You may be seeing this page because you used the Back button while browsing a \ + secure web site or application. Alternatively, you may have mistakenly bookmarked \ + the web login form instead of the actual web site you wanted to bookmark or used a \ + link created by somebody else who made the same mistake.

\ +
\ +

Left unchecked, this can cause errors on some browsers or result in you returning to \ + the web site you tried to leave, so this page is presented instead.

+ +unexpected.title = Unexpected Error +unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error. + +runtime-error.title = Uncaught Exception +runtime-error.message =

A software error was encountered that prevents normal operation:


\ +

#if($exception)$encoder.encodeForHTML($exception.toString())#else$encoder.encodeForHTML($flowExecutionException.getCause().toString())#end


\ +

Please report this problem to your Help Desk or administrative staff. It has \ + also been logged for an administrator to review.

+ +error.title = Error +error.message = An error occurred: $eventId + +root.title = Shibboleth IdP +root.message = No services are available at this location. +root.footer = Insert your footer text here. diff --git a/dist/views/error.vm.dist b/dist/views/error.vm.dist new file mode 100644 index 0000000..fb08a82 --- /dev/null +++ b/dist/views/error.vm.dist 
@@ -0,0 +1,71 @@ +## +## Velocity Template for error end-state +## +## Velocity context will contain the following properties +## flowRequestContext - the Spring Web Flow RequestContext +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## +#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service")) +#set ($defaultTitleSuffix = $springMacroRequestContext.getMessage("idp.title.suffix", "Error")) +## +#if ($flowRequestContext) + ## This handles flow events, the most common case. + #set ($eventId = $flowRequestContext.getCurrentEvent().getId()) + #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "error")) + #set ($titleSuffix = $springMacroRequestContext.getMessage("${eventKey}.title", "$defaultTitleSuffix")) + #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "$defaultTitleSuffix: $eventId")) + #if ($eventId == "AccessDenied" or $eventId == "ContextCheckDenied") + $response.setStatus(403) + #elseif ($eventId == "AttributeReleaseRejected" || $eventId == "TermsRejected") + $response.setStatus(200) + #elseif ($eventKey == "unexpected" || $eventKey == "runtime-error" || $eventKey == "error") + $response.setStatus(500) + #else + $response.setStatus(400) + #end +#elseif ($exception) + ## This handles exceptions that reach the Spring-MVC exception handler. + #set ($eventId = $exception.getClass().getSimpleName()) + #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "error")) + #set ($titleSuffix = $springMacroRequestContext.getMessage("${eventKey}.title", "$defaultTitleSuffix")) + #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "$defaultTitleSuffix: $eventId")) +#else + ## This is a catch-all that theoretically shouldn't happen? 
+ #set ($titleSuffix = $defaultTitleSuffix) + #set ($message = $springMacroRequestContext.getMessage("idp.message", "An unidentified error occurred.")) +#end +## + + + + + $title - $titleSuffix + + + + +
+
+
+ #springMessageText( +

$title - $titleSuffix

+
+ +
+ #evaluate($message) +
+
+ + + +
+ + \ No newline at end of file diff --git a/dist/views/expiring-password.vm.dist b/dist/views/expiring-password.vm.dist new file mode 100644 index 0000000..0cb9d90 --- /dev/null +++ b/dist/views/expiring-password.vm.dist @@ -0,0 +1,53 @@ +## +## Velocity Template for expiring password view +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## authenticationContext - context with authentication request information +## authenticationErrorContext - context with login error state +## authenticationWarningContext - context with login warning state +## ldapResponseContext - context with LDAP state (if using native LDAP) +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## + + + + + #springMessageText("idp.title", "Web Login Service") + + + + + +
+
+
+ #springMessageText( +

#springMessageText("idp.login.expiringSoon", "Your password will be expiring soon!")

+
+ +
+

#springMessageText("idp.login.changePassword", "To create a new password now, go to") + #.

+

#springMessageText("idp.login.proceedBegin", "Your login will proceed in 20 seconds or you may click") + #springMessageText("idp.login.proceedHere", "here") + #springMessageText("idp.login.proceedEnd", "to continue").

+
+
+ + + +
+ + \ No newline at end of file diff --git a/dist/views/intercept/attribute-release.vm.dist b/dist/views/intercept/attribute-release.vm.dist new file mode 100644 index 0000000..9c8b614 --- /dev/null +++ b/dist/views/intercept/attribute-release.vm.dist @@ -0,0 +1,148 @@ +## +## Velocity Template for DisplayAttributeReleasePage view-state +## +## Velocity context will contain the following properties : +## +## attributeReleaseContext - context holding consentable attributes +## attributeReleaseFlowDescriptor - attribute consent flow descriptor +## attributeDisplayNameFunction - function to display attribute name +## consentContext - context representing the state of a consent flow +## encoder - HTMLEncoder class +## flowExecutionKey - SWF execution key (this is built into the flowExecutionUrl) +## flowExecutionUrl - form action location +## flowRequestContext - Spring Web Flow RequestContext +## profileRequestContext - OpenSAML profile request context +## request - HttpServletRequest +## response - HttpServletResponse +## rpUIContext - context with SP UI information from the metadata +## environment - Spring Environment object for property resolution +#set ($serviceName = $rpUIContext.serviceName) +#set ($serviceDescription = $rpUIContext.serviceDescription) +#set ($informationURL = $rpUIContext.informationURL) +#set ($privacyStatementURL = $rpUIContext.privacyStatementURL) +#set ($rpOrganizationLogo = $rpUIContext.getLogo()) +#set ($rpOrganizationName = $rpUIContext.organizationName) +## + + + + + + + #springMessageText("idp.attribute-release.title", "Information Release") + + +
+
+
+ + #if ($rpOrganizationLogo) + + #end +
+ #if ($serviceName) +

+ #springMessageText("idp.attribute-release.serviceNameLabel", "You are about to access the service:")
+ $serviceName + #if ($rpOrganizationName) + #springMessageText("idp.attribute-release.of", "of") $encoder.encodeForHTML($rpOrganizationName) + #end +

+ #end + #if ($serviceDescription) +

+ #springMessageText("idp.attribute-release.serviceDescriptionLabel", "Description as provided by this service:")
+ $encoder.encodeForHTML($serviceDescription) +
+

+ #end + #if ($informationURL) +

+ #springMessageText("idp.attribute-release.informationURLLabel", "Additional information about the service") +

+ #end +
+ + + + + + + + #foreach ($attribute in $attributeReleaseContext.getConsentableAttributes().values()) + + + + + + #end + +
+ #springMessageText("idp.attribute-release.attributesHeader", "Information to be Provided to Service") +
$encoder.encodeForHTML($attributeDisplayNameFunction.apply($attribute)) + #foreach ($value in $attribute.values) + $encoder.encodeForHTML($value.getDisplayValue()) +
+ #end +
+ #if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled) + #set ($inputType = "checkbox") + #else + #set ($inputType = "hidden") + #end + +
+
+ #if ($privacyStatementURL) +

+ #springMessageText("idp.attribute-release.privacyStatementURLLabel", "Data privacy information of the service") +

+ #end +
+

+ #springMessageText("idp.attribute-release.confirmationQuestion", "The information above would be shared with the service if you proceed. Do you agree to release this information to the service every time you access it?") +

+ #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) +
+ #springMessageText("idp.attribute-release.consentMethod", "Select an information release consent duration:") + #end + #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed) +

+ + #springMessageText("idp.attribute-release.doNotRememberConsent", "Ask me again at next login") +

    +
  • #springMessageText("idp.attribute-release.doNotRememberConsentItem", "I agree to send my information this time.")
  • +
+

+ #end + #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) +

+ + #springMessageText("idp.attribute-release.rememberConsent", "Ask me again if information changes") +

    +
  • #springMessageText("idp.attribute-release.rememberConsentItem", "I agree that the same information will be sent automatically to this service in the future.")
  • +
+

+ #end + #if ($attributeReleaseFlowDescriptor.globalConsentAllowed) +

+ + #springMessageText("idp.attribute-release.globalConsent", "Do not ask me again") +

    +
  • #springMessageText("idp.attribute-release.globalConsentItem", "I agree that all of my information will be released to any service.")
  • +
+

+ #end + #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) + #springMessageText("idp.attribute-release.consentMethodRevoke", "This setting can be revoked at any time with the checkbox on the login page.") +
+ #end +

+ + +

+
+
+
+ + diff --git a/dist/views/intercept/terms-of-use.vm.dist b/dist/views/intercept/terms-of-use.vm.dist new file mode 100644 index 0000000..1bf12c7 --- /dev/null +++ b/dist/views/intercept/terms-of-use.vm.dist @@ -0,0 +1,67 @@ +## +## Velocity Template for DisplayTermsOfUsePage view-state +## +## Velocity context will contain the following properties : +## +## encoder - HTMLEncoder class +## flowExecutionKey - SWF execution key (this is built into the flowExecutionUrl) +## flowExecutionUrl - form action location +## flowRequestContext - Spring Web Flow RequestContext +## request - HttpServletRequest +## response - HttpServletResponse +## rpUIContext - context with SP UI information from the metadata +## termsOfUseId - terms of use ID to lookup message strings +## environment - Spring Environment object for property resolution +#set ($serviceName = $rpUIContext.serviceName) +#set ($rpOrganizationLogo = $rpUIContext.getLogo()) +## + + + + + + + #springMessageText("${termsOfUseId}.title", "Terms of Use") + + +
+
+ + #if ($rpOrganizationLogo) + + #end +
+ #if ($rpOrganizationLogo) +
+

#springMessageText("${termsOfUseId}.title", "Terms of Use")

+
+ #end +
+ #springMessageText("${termsOfUseId}.text", "Terms of Use Text...") +
+
+
+
+ +
+
+
+
+ + + #if ($requireCheckbox) +

#springMessageText("idp.terms-of-use.required", "Please check this box if you want to proceed.")

+ #end + +
+
+
+
+ +
+ + diff --git a/dist/views/login-error.vm.dist b/dist/views/login-error.vm.dist new file mode 100644 index 0000000..44676b3 --- /dev/null +++ b/dist/views/login-error.vm.dist @@ -0,0 +1,24 @@ +## Velocity Template for login error message production, included by login.vm +## +## authenticationErrorContext - context containing error data, if available +## +#if ($authenticationErrorContext && $authenticationErrorContext.getClassifiedErrors().size() > 0 && $authenticationErrorContext.getClassifiedErrors().iterator().next() != "ReselectFlow") + ## This handles errors that are classified by the message maps in the authentication config. + #set ($eventId = $authenticationErrorContext.getClassifiedErrors().iterator().next()) + #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "login")) + #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "Login Failure: $eventId")) +#elseif ($authenticationErrorContext && $authenticationErrorContext.getExceptions().size() > 0) + ## This handles login exceptions that are left unclassified. + #set ($loginException = $authenticationErrorContext.getExceptions().get(0)) + #if ($loginException.getMessage()) + #set ($message = "Login Failure: $loginException.getMessage()") + #else + #set ($message = $loginException.toString()) + #end +#end + +#if ($message) +
+

$encoder.encodeForHTML($message)

+
+#end diff --git a/dist/views/login.vm.dist b/dist/views/login.vm.dist new file mode 100644 index 0000000..a623db5 --- /dev/null +++ b/dist/views/login.vm.dist @@ -0,0 +1,138 @@ +## +## Velocity Template for DisplayUsernamePasswordPage view-state +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## authenticationContext - context with authentication request information +## authenticationErrorContext - context with login error state +## authenticationWarningContext - context with login warning state +## ldapResponseContext - context with LDAP state (if using native LDAP) +## rpUIContext - the context with SP UI information from the metadata +## extendedAuthenticationFlows - collection of "extended" AuthenticationFlowDescriptor objects +## passwordPrincipals - contents of the shibboleth.authn.Password.PrincipalOverride bean +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## +#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext')) +#set ($username = $authenticationContext.getSubcontext('net.shibboleth.idp.authn.context.UsernamePasswordContext', true).getUsername()) +#set ($passwordEnabled = false) +#if (!$passwordPrincipals or $passwordPrincipals.isEmpty() or $authenticationContext.isAcceptable($passwordPrincipals)) + #set ($passwordEnabled = true) +#end +## + + + + + #springMessageText("idp.title", "Web Login Service") + + + +
+
+
+ #springMessageText( +
+ +
+
+ #parse("login-error.vm") + +
+ + #set ($serviceName = $rpUIContext.serviceName) + #if ($serviceName && !$rpContext.getRelyingPartyId().contains($serviceName)) + + #springMessageText("idp.login.loginTo", "Login to") $encoder.encodeForHTML($serviceName) + + #end + + #if ($passwordEnabled) +
+ + +
+ +
+ + +
+ +
+ #springMessageText("idp.login.donotcache", "Don't Remember Login") +
+ #end + +
+ + #springMessageText("idp.attribute-release.revoke", "Clear prior granting of permission for release of your information to this service.") +
+ + #if ($passwordEnabled) +
+ +
+ #end + + #foreach ($extFlow in $extendedAuthenticationFlows) + #if ($authenticationContext.isAcceptable($extFlow) and $extFlow.apply(profileRequestContext)) +
+ +
+ #end + #end +
+ + #* + // + // SP Description & Logo (optional) + // These idpui lines will display added information (if available + // in the metadata) about the Service Provider (SP) that requested + // authentication. These idpui lines are "active" in this example + // (not commented out) - this extra SP info will be displayed. + // Remove or comment out these lines to stop the display of the + // added SP information. + // + *# + #set ($logo = $rpUIContext.getLogo()) + #if ($logo) + $encoder.encodeForHTMLAttribute($serviceName) + #end + #set ($desc = $rpUIContext.getServiceDescription()) + #if ($desc) + $encoder.encodeForHTML($desc) + #end + +
+ +
+
+ + +
+ + + \ No newline at end of file diff --git a/dist/views/logout-complete.vm.dist b/dist/views/logout-complete.vm.dist new file mode 100644 index 0000000..4bf0a62 --- /dev/null +++ b/dist/views/logout-complete.vm.dist @@ -0,0 +1,58 @@ +## +## Velocity Template for logout flow's concluding view-state (no propagation) +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## logoutContext - context with SPSession details for logout operation +## multiRPContext - context with RelyingPartyContexts and possibly SP UI information from the metadata +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## + + + + + #springMessageText("idp.title", "Web Login Service") + + + + +
+
+
+ #springMessageText( +
+ +
+
+

#springMessageText("idp.logout.local", "You elected not to log out of all the applications accessed during your session.")

+
+ +
+
+ + + #if ( $profileRequestContext.getProfileId().contains("saml2/logout") ) + + #end + #end +#end + + +#if ( $profileRequestContext.getProfileId().contains("saml2/logout") ) +
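Review bot: in dist/views/intercept/terms-of-use.vm.dist, `$requireCheckbox` is tested at `#if ($requireCheckbox)` around the consent checkbox but is missing from the header comment's list of Velocity context properties (encoder, flowExecutionKey, flowExecutionUrl, flowRequestContext, request, response, rpUIContext, termsOfUseId, environment); add a `## requireCheckbox - ...` entry alongside the others so a deployer editing the template knows where the flag comes from. Separately, `$rpOrganizationLogo` is taken from relying-party metadata via `#set ($rpOrganizationLogo = $rpUIContext.getLogo())`, and the markup inside the two `#if ($rpOrganizationLogo)` blocks is not visible in this rendering; please confirm the logo URL is emitted through `$encoder.encodeForHTMLAttribute(...)`, the way `$serviceName` is in login.vm.dist in this same change, since that value is attacker-influenced metadata rather than local configuration.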
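Review bot: in dist/views/login-error.vm.dist, the unclassified branch (`#elseif ($authenticationErrorContext && $authenticationErrorContext.getExceptions().size() > 0)`) shows the raw backend exception text to the end user: `#set ($message = "Login Failure: $loginException.getMessage()")`, and when there is no message, `#set ($message = $loginException.toString())`, which also prints the exception class name. The `$encoder.encodeForHTML($message)` on the output line takes care of HTML injection but not of information disclosure: exception messages from the authentication backend (host names, DNs, configuration detail) land on a public login page. Suggest mapping this branch to a generic string looked up the same way the classified branch does with `$springMacroRequestContext.getMessage(...)`, and leaving the exception detail to the server-side log; at minimum drop the `toString()` fallback. Minor: the first condition only inspects `getClassifiedErrors().iterator().next()`, so a context whose first classified error is `ReselectFlow` but which also carries exceptions falls through to this branch.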
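Review bot: in dist/views/login.vm.dist, the extended-flow loop tests `$extFlow.apply(profileRequestContext)` without the `$` on the reference; a bare word is not a valid Velocity method argument (Velocity expects a `$` reference or a literal there), so this `#if` will either fail to parse or never evaluate as intended and the extended authentication buttons will not render. It should read `#if ($authenticationContext.isAcceptable($extFlow) and $extFlow.apply($profileRequestContext))`, matching the `$profileRequestContext` spelling used at the `#set ($rpContext = ...)` line at the top of the file. Two smaller points: the `\ No newline at end of file` marker shows the file is missing its trailing newline, and `$logo` from `$rpUIContext.getLogo()` is metadata-sourced like `$serviceName` and `$desc`, which are correctly passed through `$encoder.encodeForHTMLAttribute` and `$encoder.encodeForHTML`; the img markup around `$logo` is not visible in this rendering, so please confirm it is attribute-encoded as well.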