diff --git a/README.md b/README.md index f26284c..84ef433 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Purpose -This project contains the configuration tree (structure) for Shibboleth IDP. The are various usage scenarios throughout the build, test, deploy cycle that warrant this abstraction +This project contains the configuration tree (structure) for Shibboleth IDP on Windows. The are various usage scenarios throughout the build, test, deploy cycle that warrant this abstraction of the configuration tree. There is a separate repository for the Docker Image which is responsible for building the runtime environment and pulling the configuration trees housed here to complete a deployment. @@ -11,4 +11,4 @@ to complete a deployment. * `test` branch * Internal Testing - (TEST) branch/repo that uses the "test bed" which is something that I2 provides (LDAP) and an element to make all integrations. Appropriate for Jenkins and testing environments * `release` branch - * External Testing - (RELEASE) branch/repo (ultimately will live in Subversion?) for end users + * External Testing - (RELEASE) branch/repo \ No newline at end of file diff --git a/conf/access-control.xml b/conf/access-control.xml new file mode 100644 index 0000000..a9184e6 --- /dev/null +++ b/conf/access-control.xml @@ -0,0 +1,68 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/conf/admin/general-admin.xml b/conf/admin/general-admin.xml new file mode 100644 index 0000000..9b3b180 --- /dev/null +++ b/conf/admin/general-admin.xml @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/admin/metrics.xml b/conf/admin/metrics.xml new file mode 100644 index 0000000..f9b5c16 --- /dev/null +++ b/conf/admin/metrics.xml @@ -0,0 +1,129 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/attribute-filter.xml b/conf/attribute-filter.xml new file mode 100644 index 0000000..f8c41ba 
--- /dev/null +++ b/conf/attribute-filter.xml @@ -0,0 +1,45 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/attribute-resolver-full.xml b/conf/attribute-resolver-full.xml new file mode 100644 index 0000000..4681b64 --- /dev/null +++ b/conf/attribute-resolver-full.xml @@ -0,0 +1,292 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/attribute-resolver-ldap.xml b/conf/attribute-resolver-ldap.xml new file mode 100644 index 0000000..ec79de9 --- /dev/null +++ b/conf/attribute-resolver-ldap.xml @@ -0,0 +1,94 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/attribute-resolver.xml b/conf/attribute-resolver.xml new file mode 100644 index 0000000..d752e07 --- /dev/null +++ b/conf/attribute-resolver.xml @@ -0,0 +1,86 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + uid + + + + + + + + + + + + + + + + + member + + + + diff --git a/conf/audit.xml b/conf/audit.xml new file mode 100644 index 0000000..22949fd --- /dev/null +++ b/conf/audit.xml @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + http://shibboleth.net/ns/profiles/status + + + diff --git a/conf/authn/authn-comparison.xml b/conf/authn/authn-comparison.xml new file mode 100644 index 0000000..f167b7a --- /dev/null +++ b/conf/authn/authn-comparison.xml @@ -0,0 +1,77 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified + + + diff --git a/conf/authn/authn-events-flow.xml b/conf/authn/authn-events-flow.xml new file mode 100644 index 0000000..36d62a1 --- /dev/null +++ b/conf/authn/authn-events-flow.xml @@ -0,0 +1,21 @@ + + + + + + + + + diff --git a/conf/authn/duo-authn-config.xml b/conf/authn/duo-authn-config.xml new file mode 100644 index 0000000..0a48152 --- /dev/null +++ b/conf/authn/duo-authn-config.xml @@ -0,0 +1,25 @@ + + + + + + 
diff --git a/conf/authn/duo.properties b/conf/authn/duo.properties new file mode 100644 index 0000000..2ca71ee --- /dev/null +++ b/conf/authn/duo.properties @@ -0,0 +1,9 @@ +# Duo integration settings + +# Note: If upgrading from pre-3.3 IdP versions, you will need to manually add a pointer +# to this property file to idp.properties. + +idp.duo.apiHost = hostname +idp.duo.applicationKey = key +idp.duo.integrationKey = key +idp.duo.secretKey = key diff --git a/conf/authn/external-authn-config.xml b/conf/authn/external-authn-config.xml new file mode 100644 index 0000000..8b3a159 --- /dev/null +++ b/conf/authn/external-authn-config.xml @@ -0,0 +1,70 @@ + + + + + + + + + + + + + + + + + + UnknownUsername + + + + + InvalidPassword + + + + + ExpiredPassword + + + + + ExpiringPassword + + + + + diff --git a/conf/authn/general-authn.xml b/conf/authn/general-authn.xml new file mode 100644 index 0000000..ac55bbb --- /dev/null +++ b/conf/authn/general-authn.xml @@ -0,0 +1,156 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + + + + diff --git a/conf/authn/ipaddress-authn-config.xml b/conf/authn/ipaddress-authn-config.xml new file mode 100644 index 0000000..a3ee096 --- /dev/null +++ b/conf/authn/ipaddress-authn-config.xml @@ -0,0 +1,37 @@ + + + + + + + + + + + + + + + diff --git a/conf/authn/jaas-authn-config.xml b/conf/authn/jaas-authn-config.xml new file mode 100644 index 0000000..daef4d2 --- /dev/null +++ b/conf/authn/jaas-authn-config.xml @@ -0,0 +1,27 @@ + + + + + + + + + + + ShibUserPassAuth + + + + + diff --git a/conf/authn/jaas.config b/conf/authn/jaas.config new file mode 100644 index 0000000..232e93d --- /dev/null +++ b/conf/authn/jaas.config 
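Review bot: The `idp.duo.apiHost`/`idp.duo.*Key` entries in this hunk are placeholders (`hostname`, `key`) in a tracked file that `conf/idp.properties` in the same commit loads through `idp.additionalProperties`, so the real Duo secret key would have to be written into this repository for the integration to work. The same pattern is present in `conf/idp.properties` (`idp.sealer.storePassword= password` and `idp.sealer.keyPassword= password`, guarding the AES sealer that protects client-side session and consent state) and in `conf/ldap.properties` (`idp.authn.LDAP.bindDNCredential = myServicePassword`); the README describes this tree as being pulled by a Docker image for deployment, so anyone with read access to the repository would hold those values. A safer split is to keep the secret-bearing properties in a file outside the repository that is injected at deploy time and listed in `idp.additionalProperties`, leaving a comment here such as `# idp.duo.secretKey is supplied by the deployment-specific properties file, never committed`. Whether a later, untracked file already overrides these values in the Docker build is not visible from this diff.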
@@ -0,0 +1,11 @@ +ShibUserPassAuth { + /* + com.sun.security.auth.module.Krb5LoginModule required; + */ + + org.ldaptive.jaas.LdapLoginModule required + ldapUrl="ldap://localhost:10389" + baseDn="ou=people,dc=example,dc=org" + userFilter="uid={user}"; + +}; \ No newline at end of file diff --git a/conf/authn/krb5-authn-config.xml b/conf/authn/krb5-authn-config.xml new file mode 100644 index 0000000..d3590a2 --- /dev/null +++ b/conf/authn/krb5-authn-config.xml @@ -0,0 +1,31 @@ + + + + + + + + + + + + + diff --git a/conf/authn/ldap-authn-config.xml b/conf/authn/ldap-authn-config.xml new file mode 100644 index 0000000..56d1bc7 --- /dev/null +++ b/conf/authn/ldap-authn-config.xml @@ -0,0 +1,135 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/authn/mfa-authn-config.xml b/conf/authn/mfa-authn-config.xml new file mode 100644 index 0000000..ef3b80e --- /dev/null +++ b/conf/authn/mfa-authn-config.xml @@ -0,0 +1,99 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/authn/password-authn-config.xml b/conf/authn/password-authn-config.xml new file mode 100644 index 0000000..f27051b --- /dev/null +++ b/conf/authn/password-authn-config.xml @@ -0,0 +1,121 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + NoCredentials + CLIENT_NOT_FOUND + Client not found + DN_RESOLUTION_FAILURE + + + + + InvalidCredentials + PREAUTH_FAILED + INVALID_CREDENTIALS + Checksum failed + + + + + AccountLocked + Clients credentials have been revoked + + + + + PASSWORD_EXPIRED + + + + + ACCOUNT_WARNING + + + + + + + + diff --git a/conf/authn/remoteuser-authn-config.xml b/conf/authn/remoteuser-authn-config.xml new file mode 100644 index 0000000..4b7e722 --- /dev/null +++ b/conf/authn/remoteuser-authn-config.xml 
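Review bot: `ldapUrl="ldap://localhost:10389"` in the `ShibUserPassAuth` entry is a plain ldap:// URL and the `org.ldaptive.jaas.LdapLoginModule` options carry no transport-security setting, so the bind the module performs with the user's password crosses the network unprotected unless the directory really is on the same host; the README's "test bed" wording suggests that is the case here, but this file does not say so. `conf/ldap.properties` in this commit exposes `idp.authn.LDAP.useStartTLS`, yet its own header says it does not apply to JAAS, which makes this file the only place the JAAS transport is decided. For anything beyond the local test bed an `ldaps://` URL (or the module's StartTLS option, where the ldaptive version in use supports it) should be used, and a comment such as `/* test-bed only: plaintext LDAP to a local directory; use ldaps:// or StartTLS elsewhere */` above the module line would make the intent explicit. The hunk also ends without a trailing newline after `};`.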
@@ -0,0 +1,75 @@ + + + + + + + + + + + + + + + + + + NoCredentials + + + + + UnknownUsername + + + + + InvalidPassword + + + + + ExpiredPassword + + + + + ExpiringPassword + + + + + diff --git a/conf/authn/remoteuser-internal-authn-config.xml b/conf/authn/remoteuser-internal-authn-config.xml new file mode 100644 index 0000000..9e68c85 --- /dev/null +++ b/conf/authn/remoteuser-internal-authn-config.xml @@ -0,0 +1,63 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/authn/spnego-authn-config.xml b/conf/authn/spnego-authn-config.xml new file mode 100644 index 0000000..07563b9 --- /dev/null +++ b/conf/authn/spnego-authn-config.xml @@ -0,0 +1,74 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SPNEGONotAvailable + + + + + NTLMUnsupported + + + + + diff --git a/conf/authn/x509-authn-config.xml b/conf/authn/x509-authn-config.xml new file mode 100644 index 0000000..18b015a --- /dev/null +++ b/conf/authn/x509-authn-config.xml @@ -0,0 +1,44 @@ + + + + + + + + + + + + + NoCredentials + InvalidCredentials + + + + + diff --git a/conf/authn/x509-internal-authn-config.xml b/conf/authn/x509-internal-authn-config.xml new file mode 100644 index 0000000..bad3029 --- /dev/null +++ b/conf/authn/x509-internal-authn-config.xml @@ -0,0 +1,21 @@ + + + + + + diff --git a/conf/c14n/attribute-sourced-subject-c14n-config.xml b/conf/c14n/attribute-sourced-subject-c14n-config.xml new file mode 100644 index 0000000..938b30f --- /dev/null +++ b/conf/c14n/attribute-sourced-subject-c14n-config.xml @@ -0,0 +1,44 @@ + + + + + + altuid + + + + + altuid + + + + + + + + + + + + + diff --git a/conf/c14n/simple-subject-c14n-config.xml b/conf/c14n/simple-subject-c14n-config.xml new file mode 100644 index 0000000..3cddfa6 --- /dev/null +++ b/conf/c14n/simple-subject-c14n-config.xml @@ -0,0 +1,27 @@ + + + + + + + + + + + + + + 
diff --git a/conf/c14n/subject-c14n-events-flow.xml b/conf/c14n/subject-c14n-events-flow.xml new file mode 100644 index 0000000..c8e7220 --- /dev/null +++ b/conf/c14n/subject-c14n-events-flow.xml @@ -0,0 +1,22 @@ + + + + + + + + + + diff --git a/conf/c14n/subject-c14n.xml b/conf/c14n/subject-c14n.xml new file mode 100644 index 0000000..16fc6f1 --- /dev/null +++ b/conf/c14n/subject-c14n.xml @@ -0,0 +1,109 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName + urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName + urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos + + + + + + + + + + + + + + + + + diff --git a/conf/c14n/x500-subject-c14n-config.xml b/conf/c14n/x500-subject-c14n-config.xml new file mode 100644 index 0000000..1ae25e4 --- /dev/null +++ b/conf/c14n/x500-subject-c14n-config.xml @@ -0,0 +1,37 @@ + + + + + + + + + + + 2.5.4.3 + + + + + + + + + + + + + diff --git a/conf/cas-protocol.xml b/conf/cas-protocol.xml new file mode 100644 index 0000000..d0b3d55 --- /dev/null +++ b/conf/cas-protocol.xml @@ -0,0 +1,84 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/conf/credentials.xml b/conf/credentials.xml new file mode 100644 index 0000000..7462879 --- /dev/null +++ b/conf/credentials.xml @@ -0,0 +1,65 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/errors.xml b/conf/errors.xml new file mode 100644 index 0000000..5de522f --- /dev/null +++ b/conf/errors.xml @@ -0,0 +1,120 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/global.xml b/conf/global.xml new file mode 100644 index 0000000..60562e3 
--- /dev/null +++ b/conf/global.xml @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + + diff --git a/conf/idp.properties b/conf/idp.properties new file mode 100644 index 0000000..1a77f4a --- /dev/null +++ b/conf/idp.properties 
@@ -0,0 +1,195 @@
+# Load any additional property resources from a comma-delimited list
+idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties
+
+# Set the entityID of the IdP
+idp.entityID= https://shibboleth.example.org/idp/shibboleth
+
+# Set the scope used in the attribute resolver for scoped attributes
+idp.scope= example.org
+
+# General cookie properties (maxAge only applies to persistent cookies)
+#idp.cookie.secure = false
+#idp.cookie.httpOnly = true
+#idp.cookie.domain =
+#idp.cookie.path =
+#idp.cookie.maxAge = 31536000
+
+# Set the location of user-supplied web flow definitions
+#idp.webflows = %{idp.home}/flows
+
+# Set the location of Velocity view templates
+#idp.views = %{idp.home}/views
+
+# Settings for internal AES encryption key
+#idp.sealer.storeType = JCEKS
+#idp.sealer.updateInterval = PT15M
+#idp.sealer.aliasBase = secret
+idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
+idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
+idp.sealer.storePassword= password
+idp.sealer.keyPassword= password
+
+# Settings for public/private signing and encryption key(s)
+# During decryption key rollover, point the ".2" properties at a second
+# keypair, uncomment in credentials.xml, then publish it in your metadata.
+idp.signing.key= %{idp.home}/credentials/idp-signing.key
+idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
+idp.encryption.key= %{idp.home}/credentials/idp-encryption.key
+idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
+#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
+#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
+
+# Sets the bean ID to use as a default security configuration set
+#idp.security.config = shibboleth.DefaultSecurityConfiguration
+
+# To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1
+#idp.signing.config = shibboleth.SigningConfiguration.SHA256
+
+# Configures trust evaluation of keys used by services at runtime
+# Defaults to supporting both explicit key and PKIX using SAML metadata.
+#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
+# To pick only one set to one of:
+# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
+#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
+# To pick only one set to one of:
+# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine
+
+# If true, encryption will happen whenever a key to use can be located, but
+# failure to encrypt won't result in request failure.
+#idp.encryption.optional = false
+
+# Configuration of client- and server-side storage plugins
+#idp.storage.cleanupInterval = PT10M
+#idp.storage.htmlLocalStorage = false
+
+# Set to true to expose more detailed errors in responses to SPs
+#idp.errors.detailed = false
+# Set to false to skip signing of SAML response messages that signal errors
+#idp.errors.signed = true
+# Name of bean containing a list of Java exception classes to ignore
+#idp.errors.excludedExceptions = ExceptionClassListBean
+# Name of bean containing a property set mapping exception names to views
+#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
+# Set if a different default view name for events and exceptions is needed
+#idp.errors.defaultView = error
+
+# Set to false to disable the IdP session layer
+#idp.session.enabled = true
+
+# Set to "shibboleth.StorageService" for server-side storage of user sessions
+#idp.session.StorageService = shibboleth.ClientSessionStorageService
+
+# Size of session IDs
+#idp.session.idSize = 32
+# Bind sessions to IP addresses
+#idp.session.consistentAddress = true
+# Inactivity timeout
+#idp.session.timeout = PT60M
+# Extra time to store sessions for logout
+#idp.session.slop = PT0S
+# Tolerate storage-related errors
+#idp.session.maskStorageFailure = false
+# Track information about SPs logged into
+#idp.session.trackSPSessions = false
+# Support lookup by SP for SAML logout
+#idp.session.secondaryServiceIndex = false
+# Length of time to track SP sessions
+#idp.session.defaultSPlifetime = PT2H
+
+# Regular expression matching login flows to enable, e.g. IPAddress|Password
+idp.authn.flows= Password
+
+# Regular expression of forced "initial" methods when no session exists,
+# usually in conjunction with the idp.authn.resolveAttribute property below.
+#idp.authn.flows.initial = Password
+
+# Set to an attribute ID to resolve prior to selecting authentication flows;
+# its values are used to filter the flows to allow.
+#idp.authn.resolveAttribute = eduPersonAssurance
+
+# Default lifetime and timeout of various authentication methods
+#idp.authn.defaultLifetime = PT60M
+#idp.authn.defaultTimeout = PT30M
+
+# Whether to populate relying party user interface information for display
+# during authentication, consent, terms-of-use.
+#idp.authn.rpui = true
+
+# Whether to prioritize "active" results when an SP requests more than
+# one possible matching login method (V2 behavior was to favor them)
+#idp.authn.favorSSO = false
+
+# Whether to fail requests when a user identity after authentication
+# doesn't match the identity in a pre-existing session.
+#idp.authn.identitySwitchIsError = false
+
+# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
+#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
+
+# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
+# to key user consent storage records (and set the attribute name)
+#idp.consent.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
+#idp.consent.userStorageKeyAttribute = uid
+
+# Flags controlling how built-in attribute consent feature operates
+#idp.consent.allowDoNotRemember = true
+#idp.consent.allowGlobal = true
+#idp.consent.allowPerAttribute = false
+
+# Whether attribute values and terms of use text are compared
+#idp.consent.compareValues = false
+# Maximum number of consent records for space-limited storage (e.g. cookies)
+#idp.consent.maxStoredRecords = 10
+# Maximum number of consent records for larger/server-side storage (0 = no limit)
+#idp.consent.expandedMaxStoredRecords = 0
+
+# Time in milliseconds to expire consent storage records.
+#idp.consent.storageRecordLifetime = P1Y
+
+# Whether to lookup metadata, etc. for every SP involved in a logout
+# for use by user interface logic; adds overhead so off by default.
+#idp.logout.elaboration = false
+
+# Whether to require logout requests/responses be signed/authenticated.
+#idp.logout.authenticated = true
+
+# Message freshness and replay cache tuning
+#idp.policy.messageLifetime = PT3M
+#idp.policy.clockSkew = PT3M
+
+# Set to custom bean for alternate storage of replay cache
+#idp.replayCache.StorageService = shibboleth.StorageService
+
+# Toggles whether to allow outbound messages via SAML artifact
+#idp.artifact.enabled = true
+# Suppresses typical signing/encryption when artifact binding used
+#idp.artifact.secureChannel = true
+# May differ to direct SAML 2 artifact lookups to specific server nodes
+#idp.artifact.endpointIndex = 2
+# Set to custom bean for alternate storage of artifact map state
+#idp.artifact.StorageService = shibboleth.StorageService
+
+# Comma-delimited languages to use if not match can be found with the
+# browser-supported languages, defaults to an empty list.
+idp.ui.fallbackLanguages= en,fr,de
+
+# Storage service used by CAS protocol
+# Defaults to shibboleth.StorageService (in-memory)
+# MUST be server-side storage (e.g. in-memory, memcached, database)
+# NOTE that idp.session.StorageService requires server-side storage
+# when CAS protocol is enabled
+#idp.cas.StorageService=shibboleth.StorageService
+
+# CAS service registry implementation class
+#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry
+
+# Profile flows in which the ProfileRequestContext should be exposed
+# in servlet request under the key "opensamlProfileRequestContext"
+#idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO
+
+# F-TICKS auditing - set a salt to include hashed username
+#idp.fticks.federation=MyFederation
+#idp.fticks.algorithm=SHA-256
+#idp.fticks.salt=somethingsecret
+#idp.fticks.loghost=localhost
+#idp.fticks.logport=514
diff --git a/conf/intercept/consent-intercept-config.xml b/conf/intercept/consent-intercept-config.xml
new file mode 100644
index 0000000..ca183a7
--- /dev/null
+++ b/conf/intercept/consent-intercept-config.xml
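Review bot: `#idp.cookie.secure = false` and `#idp.cookie.httpOnly = true` are left commented, so the session and consent cookies protected by the sealer key get whatever the distribution default is, and the commented example reads as though the insecure setting were the intended value; for an IdP served only over HTTPS it is worth pinning `idp.cookie.secure = true` explicitly. `idp.authn.flows= Password` enables only the password flow even though `conf/authn/duo.properties` is loaded via `idp.additionalProperties` and `duo-authn-config.xml`/`mfa-authn-config.xml` are added in the same commit; if Duo is meant to be active the regex has to name that flow as well (`Password|MFA` or `Password|Duo`, depending on which config is wired), otherwise a comment stating that Duo is staged but disabled would avoid the ambiguity. The comment `# Comma-delimited languages to use if not match can be found with the` should read `if no match can be found`.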
@@ -0,0 +1,136 @@ + + + + + + + + + + + + + + + + + + + + + transientId + persistentId + eduPersonTargetedID + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/conf/intercept/context-check-intercept-config.xml b/conf/intercept/context-check-intercept-config.xml new file mode 100644 index 0000000..809f1d4 --- /dev/null +++ b/conf/intercept/context-check-intercept-config.xml @@ -0,0 +1,42 @@ + + + + + + + + + + + + + + * + + + + + + + + + + \ No newline at end of file diff --git a/conf/intercept/expiring-password-intercept-config.xml b/conf/intercept/expiring-password-intercept-config.xml new file mode 100644 index 0000000..5447b16 --- /dev/null +++ b/conf/intercept/expiring-password-intercept-config.xml @@ -0,0 +1,37 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/conf/intercept/intercept-events-flow.xml b/conf/intercept/intercept-events-flow.xml new file mode 100644 index 0000000..315c258 --- /dev/null +++ b/conf/intercept/intercept-events-flow.xml @@ -0,0 +1,21 @@ + + + + + + + + + diff --git a/conf/intercept/profile-intercept.xml b/conf/intercept/profile-intercept.xml new file mode 100644 index 0000000..4040a10 --- /dev/null +++ b/conf/intercept/profile-intercept.xml @@ -0,0 +1,38 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/conf/ldap.properties b/conf/ldap.properties new file mode 100644 index 0000000..37b270e --- /dev/null +++ b/conf/ldap.properties 
@@ -0,0 +1,63 @@
+# LDAP authentication configuration, see authn/ldap-authn-config.xml
+# Note, this doesn't apply to the use of JAAS
+
+## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
+#idp.authn.LDAP.authenticator = anonSearchAuthenticator
+
+## Connection properties ##
+idp.authn.LDAP.ldapURL = ldap://localhost:10389
+#idp.authn.LDAP.useStartTLS = true
+#idp.authn.LDAP.useSSL = false
+# Time in milliseconds that connects will block
+#idp.authn.LDAP.connectTimeout = PT3S
+# Time in milliseconds to wait for responses
+#idp.authn.LDAP.responseTimeout = PT3S
+
+## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
+#idp.authn.LDAP.sslConfig = certificateTrust
+## If using certificateTrust above, set to the trusted certificate's path
+idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
+## If using keyStoreTrust above, set to the truststore path
+idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
+
+## Return attributes during authentication
+idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining
+
+## DN resolution properties ##
+
+# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
+# for AD: CN=Users,DC=example,DC=org
+idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
+#idp.authn.LDAP.subtreeSearch = false
+idp.authn.LDAP.userFilter = (uid={user})
+# bind search configuration
+# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
+idp.authn.LDAP.bindDN = uid=myservice,ou=system
+idp.authn.LDAP.bindDNCredential = myServicePassword
+
+# Format DN resolution, used by directAuthenticator, adAuthenticator
+# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
+idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=org
+
+# LDAP attribute configuration, see attribute-resolver.xml
+# Note, this likely won't apply to the use of legacy V2 resolver configurations
+idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
+idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout:PT3S}
+idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout:PT3S}
+idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined}
+idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN:undefined}
+idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}
+idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
+idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined}
+idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)
+
+# LDAP pool configuration, used for both authn and DN resolution
+#idp.pool.LDAP.minSize = 3
+#idp.pool.LDAP.maxSize = 10
+#idp.pool.LDAP.validateOnCheckout = false
+#idp.pool.LDAP.validatePeriodically = true
+#idp.pool.LDAP.validatePeriod = PT5M
+#idp.pool.LDAP.prunePeriod = PT5M
+#idp.pool.LDAP.idleTime = PT10M
+#idp.pool.LDAP.blockWaitTime = PT3S
+#idp.pool.LDAP.failFastInitialize = false
diff --git a/conf/logback.xml b/conf/logback.xml
new file mode 100644
index 0000000..104ec4c
--- /dev/null
+++ b/conf/logback.xml
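Review bot: `idp.authn.LDAP.ldapURL = ldap://localhost:10389` is set while `#idp.authn.LDAP.useStartTLS = true` stays commented, but the resolver side a few lines later falls back to `%{idp.authn.LDAP.useStartTLS:true}`, so the two code paths can end up with different transport security against the same directory; the authn-side default is not visible on this page. Uncommenting `idp.authn.LDAP.useStartTLS = true` (or deliberately setting it to `false` for the local test bed, with a comment saying so) makes the choice explicit for both paths. The comments `# Time in milliseconds that connects will block` and `# Time in milliseconds to wait for responses` describe `PT3S` values, which are ISO 8601 durations, so `# Duration (ISO 8601) that connects will block` and `# Duration (ISO 8601) to wait for responses` are the accurate wording.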
@@ -0,0 +1,186 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ${idp.logfiles}/idp-process.log + + + ${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short} + + + + + + + VelocityStatusMatcher + ResourceManager : unable to find resource 'status.vm' in any resource loader. + + VelocityStatusMatcher.matches(formattedMessage) + + DENY + + + + + + 0 + + + + + + WARN + + + ${idp.logfiles}/idp-warn.log + + + ${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short} + + + + + + + VelocityStatusMatcher + ResourceManager : unable to find resource 'status.vm' in any resource loader. + + VelocityStatusMatcher.matches(formattedMessage) + + DENY + + + + + + ${idp.logfiles}/idp-audit.log + + + ${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %msg%n + + + + + + ${idp.logfiles}/idp-consent-audit.log + + + ${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %msg%n + + + + + + ${idp.fticks.loghost:-localhost} + ${idp.fticks.logport:-514} + AUTH + [%thread] %logger %msg + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/conf/metadata-providers.xml b/conf/metadata-providers.xml new file mode 100644 index 0000000..facc296 --- /dev/null +++ b/conf/metadata-providers.xml @@ -0,0 +1,67 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/mvc-beans.xml b/conf/mvc-beans.xml new file mode 100644 index 0000000..98d9bcd --- /dev/null +++ b/conf/mvc-beans.xml @@ -0,0 +1,23 @@ + + + + + + diff --git a/conf/relying-party.xml b/conf/relying-party.xml new file mode 100644 index 0000000..28c9193 --- /dev/null +++ b/conf/relying-party.xml 
@@ -0,0 +1,70 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/saml-nameid.properties b/conf/saml-nameid.properties new file mode 100644 index 0000000..8530c4f --- /dev/null +++ b/conf/saml-nameid.properties 
@@ -0,0 +1,35 @@
+# Properties involving SAML NameIdentifier/NameID generation/consumption
+
+# For the most part these settings only deal with "transient" and "persistent"
+# identifiers. See saml-nameid.xml and c14n/subject-c14n.xml for advanced
+# settings
+
+# Comment out to disable legacy NameID generation via Attribute Resolver
+#idp.nameid.saml2.legacyGenerator = shibboleth.LegacySAML2NameIDGenerator
+#idp.nameid.saml1.legacyGenerator = shibboleth.LegacySAML1NameIdentifierGenerator
+
+# Default NameID Formats to use when nothing else is called for.
+# Don't change these just to change the Format used for a single SP!
+#idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+#idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier
+
+# Set to shibboleth.StoredTransientIdGenerator for server-side transient ID storage
+#idp.transientId.generator = shibboleth.CryptoTransientIdGenerator
+
+# Persistent IDs can be computed on the fly with a hash, or managed in a database
+
+# For computed IDs, set a source attribute and a secret salt:
+#idp.persistentId.sourceAttribute = changethistosomethingreal
+#idp.persistentId.useUnfilteredAttributes = true
+# Do *NOT* share the salt with other people, it's like divulging your private key.
+#idp.persistentId.algorithm = SHA
+#idp.persistentId.salt = changethistosomethingrandom
+
+# To use a database, use shibboleth.StoredPersistentIdGenerator
+#idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
+# For basic use, set this to a JDBC DataSource bean name:
+#idp.persistentId.dataSource = PersistentIdDataSource
+# For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore
+#idp.persistentId.store = MyPersistentIdStore
+# Set to an empty property to skip hash-based generation of first stored ID
+#idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator
diff --git a/conf/saml-nameid.xml b/conf/saml-nameid.xml new file mode 100644 index 0000000..ea97448 --- /dev/null +++ b/conf/saml-nameid.xml @@ -0,0 +1,62 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/services.properties b/conf/services.properties new file mode 100644 index 0000000..eee86ee --- /dev/null +++ b/conf/services.properties 
@@ -0,0 +1,65 @@
+# Configure the resources to load for various services,
+# and the settings for failure handling and auto-reload.
+
+# failFast=true prevents IdP startup if a configuration is bad
+# checkInterval = PT0S means never reload (this is the default)
+
+# Global default for fail-fast behavior of most subsystems
+# with individual override possible below.
+#idp.service.failFast = false
+
+#idp.service.logging.resource = %{idp.home}/conf/logback.xml
+#idp.service.logging.failFast = true
+idp.service.logging.checkInterval = PT5M
+
+# Set to shibboleth.LegacyRelyingPartyResolverResources with legacy V2 relying-party.xml
+#idp.service.relyingparty.resources = shibboleth.RelyingPartyResolverResources
+#idp.service.relyingparty.failFast = false
+idp.service.relyingparty.checkInterval = PT15M
+
+#idp.service.metadata.resources = shibboleth.MetadataResolverResources
+#idp.service.metadata.failFast = false
+#idp.service.metadata.checkInterval = PT0S
+
+#idp.service.attribute.resolver.resources = shibboleth.AttributeResolverResources
+#idp.service.attribute.resolver.failFast = false
+idp.service.attribute.resolver.checkInterval = PT15M
+#idp.service.attribute.resolver.maskFailures = true
+
+#idp.service.attribute.filter.resources = shibboleth.AttributeFilterResources
+# NOTE: Failing the filter fast leaves no filters enabled.
+#idp.service.attribute.filter.failFast = false
+idp.service.attribute.filter.checkInterval = PT15M
+#idp.service.attribute.filter.maskFailures = true
+
+#idp.service.nameidGeneration.resources = shibboleth.NameIdentifierGenerationResources
+#idp.service.nameidGeneration.failFast = false
+idp.service.nameidGeneration.checkInterval = PT15M
+
+#idp.service.access.resources = shibboleth.AccessControlResources
+#idp.service.access.failFast = true
+idp.service.access.checkInterval = PT5M
+
+#idp.service.cas.registry.resources = shibboleth.CASServiceRegistryResources
+#idp.service.cas.registry.failFast = false
+idp.service.cas.registry.checkInterval = PT15M
+
+#idp.message.resources = shibboleth.MessageSourceResources
+#idp.message.cacheSeconds = 300
+
+# Parameters for pre-defined HttpClient instances which perform in-memory and filesystem caching.
+# These are used with components such as remote configuration resources that are explicitly wired
+# with these client instances, *not* by default with HTTP metadata resolvers.
+#idp.httpclient.useTrustEngineTLSSocketFactory = false
+#idp.httpclient.useSecurityEnhancedTLSSocketFactory = false
+#idp.httpclient.connectionDisregardTLSCertificate = false
+#idp.httpclient.connectionRequestTimeout = 60000
+#idp.httpclient.connectionTimeout = 60000
+#idp.httpclient.socketTimeout = 60000
+#idp.httpclient.maxConnectionsTotal = 100
+#idp.httpclient.maxConnectionsPerRoute = 100
+#idp.httpclient.memorycaching.maxCacheEntries = 50
+#idp.httpclient.memorycaching.maxCacheEntrySize = 1048576
+#idp.httpclient.filecaching.maxCacheEntries = 100
+#idp.httpclient.filecaching.maxCacheEntrySize = 10485760
+idp.httpclient.filecaching.cacheDirectory = %{idp.home}/tmp/httpClientCache
\ No newline at end of file
diff --git a/conf/services.xml b/conf/services.xml
new file mode 100644
index 0000000..313b636
--- /dev/null
+++ b/conf/services.xml
@@ -0,0 +1,144 @@ + + + + + + + + + + + %{idp.home}/conf/relying-party.xml + %{idp.home}/conf/credentials.xml + %{idp.home}/system/conf/relying-party-system.xml + + + + + %{idp.home}/conf/relying-party.xml + %{idp.home}/system/conf/legacy-relying-party-defaults.xml + + + + %{idp.home}/conf/metadata-providers.xml + %{idp.home}/system/conf/metadata-providers-system.xml + + + + %{idp.home}/conf/attribute-resolver.xml + + + + %{idp.home}/conf/attribute-filter.xml + + + + %{idp.home}/conf/saml-nameid.xml + %{idp.home}/system/conf/saml-nameid-system.xml + + + + %{idp.home}/conf/access-control.xml + %{idp.home}/system/conf/access-control-system.xml + + + + %{idp.home}/conf/cas-protocol.xml + + + + + %{idp.home}/messages/messages + %{idp.home}/system/messages/messages + + + diff --git a/conf/session-manager.xml b/conf/session-manager.xml new file mode 100644 index 0000000..f195014 --- /dev/null +++ b/conf/session-manager.xml @@ -0,0 +1,45 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/credentials/idp-backchannel.crt b/credentials/idp-backchannel.crt new file mode 100644 index 0000000..752e5e0 --- /dev/null +++ b/credentials/idp-backchannel.crt 
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQzCCAiugAwIBAgIUbEZuLbKAcQzDND914sXQScSszvowDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWc2hpYmJvbGV0aC5leGFtcGxlLm9yZzAeFw0xNzA4MDMw
+MDA3NThaFw0zNzA4MDMwMDA3NThaMCExHzAdBgNVBAMMFnNoaWJib2xldGguZXhh
+bXBsZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVr8AhZKq+
+QA/5F8EGRcf7uXfcVpN654RdICgpgB/zjvOpT0Qnw+YBraOpAJASUiTR/Ub5LUdC
+cya0qzMlScNrcimli+GAPUbyUkhzkP5YD8ikAfKy0X0acU7CMXkBahR6kYqc3mQO
+zGiDQImvDzfoDdOxP+cNyNhyPMgXQgdoIJzQFK9MKztXeq67aJ8lvx1R28JkIzzh
+kbGadvEe+Sp+5QE8NrLg4gjOtgFAGmugeZDFF70bZCAIIdh0rbWxCOk4lLjPtOkM
+4ZCEwhTG4WHvFS8Jhhv2qpQ+V+r6ifrFwetH6NeksY03jovMTGKnJt2Zr2nw/kM0
+YdXXgdClb2kRAgMBAAGjczBxMB0GA1UdDgQWBBQ5Yz+7JDneVDLb6W+47+mzrKGS
+RTBQBgNVHREESTBHghZzaGliYm9sZXRoLmV4YW1wbGUub3Jnhi1odHRwczovL3No
+aWJib2xldGguZXhhbXBsZS5vcmcvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL
+BQADggEBAFFyKRdpd/TLaF0iL9E2dnmOmWCXqqp53/z5PNTHFbeeriK6PB3w0Q06
+0ECHdjIbVfRYt15bZowyfUb9oIq+mw/tAsZs/B5nQagAgk4EzHfh63QaPZE6hgvJ
+t4I543cOlcPvDWhGuSXij9F6euOz2ke9lL1G5gTtgWvI5QvsKTDoPVXbXtw2fS0P
+iXZWsBA/0o+2KJxs3zz4y8wpFyl5s3ms5cG4W4A5xZQrUU2yZPwG49uSky/QhWR5
+b3F0TgvqbRFFTM3i1j//9bqs5RRGtY/M+pDaCxk2e8r9NXMWRb+DBe3xCdKDTIyw
+ZhTW1E3Hl11KDNf7E3lJwHUQpADwFCQ=
+-----END CERTIFICATE-----
diff --git a/credentials/idp-backchannel.p12 b/credentials/idp-backchannel.p12
new file mode 100644
index 0000000..0ecbe33
Binary files /dev/null and b/credentials/idp-backchannel.p12 differ
diff --git a/credentials/idp-encryption.crt b/credentials/idp-encryption.crt
new file mode 100644
index 0000000..2b34b0c
--- /dev/null
+++ b/credentials/idp-encryption.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRDCCAiygAwIBAgIVAP3jGt1ixK5Z0RLcQxlvH4UgPKYXMA0GCSqGSIb3DQEB
+CwUAMCExHzAdBgNVBAMMFnNoaWJib2xldGguZXhhbXBsZS5vcmcwHhcNMTcwODAz
+MDAwNzU3WhcNMzcwODAzMDAwNzU3WjAhMR8wHQYDVQQDDBZzaGliYm9sZXRoLmV4
+YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAigTACHbG
+ERHyK2C9Bflj9eufn/gdvP+vZlduQZST8CHSVNrc0/39YR0yf725lFR8ThfOyMoP
+xwfQAhvRS5SZVXZQHhbABxJkjDCvf8DQN21UU+8UHdIYldY9uq2ub3La+YyHU5MS
+yXMSxj9pHec9tVlOe7oFjiGbBNcewBavSn+d+5YxzBZVR7k86bRwNtAfyPbZMwI0
+CZQ4NBjOQoqemDu/DuoZW7+Gefu5J+BprMJDDkBQ5NLPDWZwsvKpNpZnd45obxQq
+RTzndSI7eVJWb0nA8YUUaArK788W6Vz7NMLhLoq3VtOuW8PGWsKu9DimBHyxGA5C
+D8yAkiCXAUABCQIDAQABo3MwcTAdBgNVHQ4EFgQUNAeo+oRpwAej8Z963QfFGnEe
+wXQwUAYDVR0RBEkwR4IWc2hpYmJvbGV0aC5leGFtcGxlLm9yZ4YtaHR0cHM6Ly9z
+aGliYm9sZXRoLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB
+CwUAA4IBAQBZxZeJXzgkTpfijeRs9QZL/Tnolml0ciqngOAjtGrK/QkhUuT0Yy1c
+Gg+wfQRlvpLW25SmwmIXVIY7YcFZWNH+rjgdyNO7gShzYk5Is2dSIJQHcZyL1ms3
+2I0RBL5pDyhl08+mVpeZ0APvW94K4cZ0iZ6X2pkBcfdVd3XRsFaJlo9iEOZfCE9N
++gT0WH7SU/OF1yKJJDLVPsfuyvgGJUuF+NFwqLX8BktCVThObleAjVSL/g/8cOVa
+FOZyH7qeX/+xmSbJgIx6f+HqHLkX2bwDvH77xGtYqvkVfLWKzt5LjAIjjqwzhUBC
+xFgugtW094wGu30sgexh+O/ZRgskcCFR
+-----END CERTIFICATE-----
diff --git a/credentials/idp-encryption.key b/credentials/idp-encryption.key
new file mode 100644
index 0000000..714aac8
--- /dev/null
+++ b/credentials/idp-encryption.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAigTACHbGERHyK2C9Bflj9eufn/gdvP+vZlduQZST8CHSVNrc
+0/39YR0yf725lFR8ThfOyMoPxwfQAhvRS5SZVXZQHhbABxJkjDCvf8DQN21UU+8U
+HdIYldY9uq2ub3La+YyHU5MSyXMSxj9pHec9tVlOe7oFjiGbBNcewBavSn+d+5Yx
+zBZVR7k86bRwNtAfyPbZMwI0CZQ4NBjOQoqemDu/DuoZW7+Gefu5J+BprMJDDkBQ
+5NLPDWZwsvKpNpZnd45obxQqRTzndSI7eVJWb0nA8YUUaArK788W6Vz7NMLhLoq3
+VtOuW8PGWsKu9DimBHyxGA5CD8yAkiCXAUABCQIDAQABAoIBABt8rrIA1Zl4tX4m
+Gf8il+HWN0gopeOKGGiNaQvuhzf/xF/Z5rjhkKDSq8f9BQShftAetbQPaez9hVOm
+Lpyaz57RnUsgxMWjyBqTZ6BNyin/wBenOZ5mxTayIEEZbfAMM8gXUKw4UjmEjWym
+HE00THnde1/wwEJ6NuFT5m/jFK4FR1vwnLyjZRPkZgcpfE6aO9bGJJ5mVt7MqH9f
+zivkFf5tmiuoXyaMk2rtzdykjWgf0RuQawPBbfdUOmnnbq6/qCFOIcbjPIqMyUwe
+HU3XrHeEgjnZG3xxYbcoY0rE5FsRpFGmPr9j1ZOIR0jLxy9SEancN5CYVaIc40Ye
+JwsCM/ECgYEA78KGsk6OgqW/vZgZr1mPVdmgijvYkdur1ChC8zQjn8l0SS7XfajF
+PYs/lf3wLCTcyPDv6QFH+Omr2XB2jfqPUCnRUEteUYyyUKz5CimW1CCTZ1GKlRuW
+uKcUsdnQ5SS+3b8njq2FtbDn5jUynOT/WrWkjrggLwmY4xeG2jYmOMMCgYEAk14D
+eyaZcQxUyCJOMPmuvEOPM1apzgN4/3c8IZf4Bb2vDJA70hcDgQmzGXc/hMFNP9WT
+b0KfH2bsD+HetpyjjZh2WHPzSdGK5+MVKJqPSxc5pncJsQJLyA4AkHaOOL2ZK03q
+QFKjoC6gqjoO2tgztFx1aM/PMpgAMxzllMIh4kMCgYEAhSWnPeBIXh+EEtsj8HAx
+HIEGGZ5Qj/fJPcG6JGuhGPx8WqPrwfn2x03MWxSxyyIRhnnfEavHd2D1MYS2IfSy
+n9cJSakBURJseEcG6nDcNSN+GJN8/X9bvWH0KSyISKiWYnjkk+Sja5o5vmtulxjJ
+Amv7XdK89MJEqGCJYCdQJJcCgYAfgVrnKjJlu8goXUUwLUERGLR1ulJlK9Ljct9V
+I0MwHwRcgD15xdfG74btq9PVkunr+sIhaDHSqdNP9e8CRWyl6fFrKabaokS7HI46
+dwipehamIw7cW+xNoci3GdGACfDEFE0/YSuAJFfO7MieOtia96VWOg9G9r4cL1JZ
+wkMyNwKBgGtcTxWUbbCLX9lJrGo50aJ/NAePmhEova72+egBKJq241ouUqZelvYV
+XVMF8WabICc80Gu3pYAf8kI2gVdyLAei8RbeLh5EKgZXdGn9/CDdAyXxL/P8Yd0H
+d3+dgTRO7HM6eX9ymxxme0ciqux43XdV6TyqAB4FzQ8tZbn3rVX8
+-----END RSA PRIVATE KEY-----
diff --git a/credentials/idp-signing.crt b/credentials/idp-signing.crt
new file mode 100644
index 0000000..93449c9
--- /dev/null
+++ b/credentials/idp-signing.crt
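Review bot: `credentials/idp-encryption.key` is an unencrypted PKCS#1 private key (`-----BEGIN RSA PRIVATE KEY-----` with no `Proc-Type`/`DEK-Info` header) committed to what appears to be a deployable configuration tree, so anyone with read access to this repository can decrypt whatever a relying party encrypts to this IdP under the matching idp-encryption.crt added in the same change. The certificate subject decodes to `shibboleth.example.org`, which suggests the installer's placeholder, but once pushed the key has to be treated as compromised regardless: rewrite history to drop the blob, add `credentials/*.key` to .gitignore, and have the deploy step generate the pair or inject it as a secret. If a fixed key is deliberately kept for the test bed, record that decision in a README note beside credentials/ and make sure it cannot reach the release branch.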
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRDCCAiygAwIBAgIVAMeyqDjBqHXNh9j4nJ2Vzua8mfU7MA0GCSqGSIb3DQEB
+CwUAMCExHzAdBgNVBAMMFnNoaWJib2xldGguZXhhbXBsZS5vcmcwHhcNMTcwODAz
+MDAwNzU3WhcNMzcwODAzMDAwNzU3WjAhMR8wHQYDVQQDDBZzaGliYm9sZXRoLmV4
+YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlMzdKgBY
+YVP8F+y9HL4m8TeTAJt3C+R5ZVdFDnKXbN0ZlHneLwWfqf2VLnA6/00wlIueak75
+dnbrL7J/m28g20eYfAvwJ1Q+nwm2nTGM4veK1VwzhJK2NhIH3jvLG6DTik0CVNqG
+1eCWz47lHZktBbCKW7CdJRduUtBcjPL7scYWuzrUQHGejL1KmgEv939BBWtEh6fp
+xVFz8OjnJ7+NQA6+MYQ2l6ZpRDA+AGjQVRd4W7pGNkQlwVmDKHdqAD/iZZhHTrBU
+MTilE7k+NFZxueolWFs2rTbpP823tGp7mncEw72jblKZ2RQN9hbx+qz0bEmcZfGz
+OLsMbs4AJNpNrQIDAQABo3MwcTAdBgNVHQ4EFgQU/sxWnZsDNrrQVIWxe3a7sRYH
+7qAwUAYDVR0RBEkwR4IWc2hpYmJvbGV0aC5leGFtcGxlLm9yZ4YtaHR0cHM6Ly9z
+aGliYm9sZXRoLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB
+CwUAA4IBAQCAG8qiJRZOSyc+et9l9bfDfhVslX2t5cVu+qORKyH7SgBiUnh698VT
+WwDTTLnh0MbPpp2ePRK9fwZlQAweNHkg1nLZcd4vG53O8juXHXEN4Y5ra1+lz/Ye
+LyO8tvTU9XlXXckFtlCCtF7S2LS/X8OH0bPXCHeJarq6ZNM8HSgjSaCbFqqNbKpv
+UgZEOKxVpEwOcasKlOalCyTKJylbtfqx+Lk92uZklmG7DzslE8cJIuqjS55m8qaj
+vmVhDFHYINiYbjfNOSeYwpxkhAHUw2flflqw/bCx7o+/XdU/ubHgN6q5ZHpnte24
+1w6+YrBjhjUAkYCfxOcTjlfE9IKXCrKS
+-----END CERTIFICATE-----
diff --git a/credentials/idp-signing.key b/credentials/idp-signing.key
new file mode 100644
index 0000000..d610df8
--- /dev/null
+++ b/credentials/idp-signing.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAlMzdKgBYYVP8F+y9HL4m8TeTAJt3C+R5ZVdFDnKXbN0ZlHne
+LwWfqf2VLnA6/00wlIueak75dnbrL7J/m28g20eYfAvwJ1Q+nwm2nTGM4veK1Vwz
+hJK2NhIH3jvLG6DTik0CVNqG1eCWz47lHZktBbCKW7CdJRduUtBcjPL7scYWuzrU
+QHGejL1KmgEv939BBWtEh6fpxVFz8OjnJ7+NQA6+MYQ2l6ZpRDA+AGjQVRd4W7pG
+NkQlwVmDKHdqAD/iZZhHTrBUMTilE7k+NFZxueolWFs2rTbpP823tGp7mncEw72j
+blKZ2RQN9hbx+qz0bEmcZfGzOLsMbs4AJNpNrQIDAQABAoIBACPVKbVBnAbkGKMS
+SYAwcmRIQ8gzp/lfLbSvzVtrUPfQTqaoqk6chhSDknc6Y5qzVe2PqbhkCEL05DH6
+RCyEGF914EyO+2gdK29VAXrdQdYuUmqK54UXZ3Wh5e8oawLeOdLmNJeGgE3k5axZ
+9uanymXCW6802sLh35llv8PZh68JaofS/nX54041u0d/Gl/EX/06P3gHorORN6PP
+dLLFeQYjpd6SQ+2rqsdT1uD9G8iEzrn7KsBXUa1KpWbcGkFb7KUZX0lZg+lyOIw/
+fU7HJle6L7aqrVYJ1VJE5ODrI6j4vkXKPGOTjQHQVdaYofbOSgxgIC+cmV5lXmc9
+1+6Fs6kCgYEA81dhUWQW31rPFk6oa/tEKxh3IOj6FolTJKAabze+Z1dUQjy1ZgMu
+u0cbvMbx0c5r71rFFD77Mr4gPKxE1lZTDNtI+L2Tsex0MxMroMizqKBw1NbFrl67
+fZHIYvqtPFdFVa/u3vfmLGlVUBgmqRW6dGX6EvpinkJpFvMoZfHUQhMCgYEAnIp2
+n45kASXo/UkBNObfLmz/nMD8GIse7UqoPlln5TGMxfP2Ui/Wwoprgsz6mVhuO2O+
+18j9MmT3X9ST4oGxsTiWixeJ4M0eeNb+jYT/hORj4R5vWR/Pv3GDUTFBX8SAXjkj
+5HQWtMls7bQtl1DYZyF+iUMfmF5h17D6QcnzKT8CgYADdPNR960HgT+93mIwHoKq
+Zg+TLRwYY90FgSy+9bjDuQ7eXgRprZPlXy46sUzQITGRVeXE0tw4rVDB6+SScul9
+HkRcHD1T4rsH2rbc8tzygUz5CRAH2Rqqvv5swYjieY7nl7c5/aWMbfajS6SI9GEQ
+tD4oNNxfySu7ArtJL3VHdwKBgGm4pdaqjuWrmcf91x/IULCFErjmKRvWUWPHCQta
+zG0g4scKNbBZ+LvYSjXDg/eunnvjqI8Jgd7YC62f3uSZ3M0ov5teoVK+lTbdVHt1
+eDBjIwV1zZOuhVrxKdPa5SDtkBiSlKgEsxUT+EotZqEMC6rTFydSuvLnw0KtlsZ5
+wox3AoGAcYuSljc2DpMiaiGQTaaTFejvWV0HfIwTafq4DRGx89vXCjfumMfBbyPh
+Lz6OvxoCfCgYDxmkMGp3ZGmPypXGzkM1YMJ6NPll9dlYEgWOkRpazPe6HtvkliK5
+RDJLO3TcpdDKkG4UOxDHiSA8Gj0sWqpt5CghGwWz5wn7Y/kwNAE=
+-----END RSA PRIVATE KEY-----
diff --git a/credentials/idp-userfacing.p12 b/credentials/idp-userfacing.p12
new file mode 100644
index 0000000..1cb4efa
Binary files /dev/null and b/credentials/idp-userfacing.p12 differ
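Review bot: `credentials/idp-signing.key` is the IdP's SAML signing private key committed in clear, and its public certificate is the one embedded in metadata/idp-metadata.xml in this same change, so any service provider that trusts this metadata will accept assertions signed by anyone who can clone the repository — that is full impersonation of the IdP, not a cosmetic leak. The certificate subject decodes to `shibboleth.example.org` with validity 2017-08-03 to 2037-08-03, which looks like the installer-generated self-signed placeholder, but in a tree that is meant to be pulled into a deployment it becomes the live key unless something overwrites it at deploy time. The binary `idp-backchannel.p12`, `idp-userfacing.p12` and `sealer.jks` keystores added alongside carry the same problem; if sealer.jks is the stock DataSealer keystore it also protects client-side session state and is equally sensitive. Generate all of these at deploy time or mount them as secrets, purge the committed blobs from history, and ignore `credentials/*.key`, `credentials/*.p12` and `credentials/*.jks`.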
diff --git a/credentials/sealer.jks b/credentials/sealer.jks
new file mode 100644
index 0000000..7daa3fd
Binary files /dev/null and b/credentials/sealer.jks differ
diff --git a/credentials/sealer.kver b/credentials/sealer.kver
new file mode 100644
index 0000000..02a6b74
--- /dev/null
+++ b/credentials/sealer.kver
@@ -0,0 +1,2 @@
+#Thu Aug 03 00:07:58 UTC 2017
+CurrentVersion=1
diff --git a/edit-webapp/css/consent.css b/edit-webapp/css/consent.css
new file mode 100644
index 0000000..5daabee
--- /dev/null
+++ b/edit-webapp/css/consent.css
@@ -0,0 +1,150 @@
+.box {
+ width:600px;
+ margin-left: auto;
+ margin-right: auto;
+ margin-top: 50px;
+ background-color: white;
+ -webkit-box-shadow: 1px 1px 15px #999999;
+ -moz-box-shadow: 1px 1px 15px #999999;
+ box-shadow: 1px 1px 15px #999999;
+ -webkit-border-radius: 8px;
+ -moz-border-radius: 8px;
+ border-radius: 8px;
+ overflow: auto;
+ padding: 1.268em;
+}
+
+body {
+ font-family:Verdana, Geneva, sans-serif;
+ font-size: 12px;
+}
+
+h1 {
+ font-size: 13px;
+ padding-bottom: 12px;
+}
+
+a {
+ color: #00247D;
+ text-decoration: underline;
+}
+
+a:visited {
+ color: #00247D;
+ text-decoration: underline;
+}
+
+a:focus, a:hover, a:active {
+ color: #F39800;
+ text-decoration: underline;
+}
+
+#tou-content {
+ font-family:monospace;
+ width: 95%;
+ border: solid 1px #666;
+ margin: 4px;
+ padding: 10px;
+ overflow: hidden;
+}
+
+#tou-content li{
+ margin-bottom:10px;
+}
+
+#tou-acceptance {
+ width: 95%;
+ border: solid 1px #666;
+ background-color: #F0F0F0;
+ margin: 4px;
+ padding: 10px;
+ text-align: left;
+ overflow: hidden;
+}
+
+.service_name {
+ font-weight: bold;
+}
+
+.service_description {
+ font-style: italic;
+}
+
+.organization_name {
+}
+
+#attributeRelease-consent {
+ width: 95%;
+ border: solid 1px #666;
+ background-color: #F0F0F0;
+ margin: 4px;
+ overflow: hidden;
+}
+
+#attributeRelease {
+ width: 95%;
+ margin: 4px;
+ border: solid 1px black;
+ overflow: auto;
+}
+
+#attributeRelease table {
+ border-collapse: collapse;
+ border: none 0px white;
+ width: 100%;
+}
+
+#attributeRelease td {
+ padding: 3px 7px;
+ vertical-align: top;
+}
+
+#attributeRelease th {
+ text-align: left;
+ font-size: 18px;
+ padding: 5px 7px;
+ background-color:#00247D;
+ color: white;
+}
+
+#attributeRelease tr:nth-of-type(even) {
+ background-color: #E4E5E3;
+}
+
+.federation_logo
+{
+ width: 50%;
+ float: left;
+ padding-top: 35px;
+ border: 0;
+}
+.organization_logo
+{
+ width: 50%;
+ float: right;
+ border: 0;
+}
+
+.form-error {
+ padding: 0;
+ color: 
#B61601;
+}
+
+/* Device specific styles */
+@media only screen and (max-device-width: 721px){
+ .box {
+ width: auto;
+ box-shadow: none;
+ border-radius: 0;
+ -webkit-box-shadow: none;
+ -webkit-border-radius: 0;
+ -moz-box-shadow: none;
+ -moz-border-radius: 0;
+ padding: 0;
+ margin-top:0;
+ }
+ #tou-content, #tou-acceptance{
+ /*width:87%;*/
+ width:auto;
+ }
+}
diff --git a/edit-webapp/css/logout.css b/edit-webapp/css/logout.css
new file mode 100644
index 0000000..26f1893
--- /dev/null
+++ b/edit-webapp/css/logout.css
@@ -0,0 +1,12 @@
+/* Success/Failure indicators for logout propagation. */
+
+.success {
+ background: url(../images/success-32x32.png) no-repeat left center;
+ line-height: 36px;
+ padding-left: 36px;
+}
+.failure {
+ background: url(../images/failure-32x32.png) no-repeat left center;
+ line-height: 36px;
+ padding-left: 36px;
+}
diff --git a/edit-webapp/css/main.css b/edit-webapp/css/main.css
new file mode 100644
index 0000000..116b31e
--- /dev/null
+++ b/edit-webapp/css/main.css
@@ -0,0 +1,165 @@
+* {
+ margin: 0;
+ padding: 0;
+}
+header, footer, section, nav {
+ display: block;
+}
+html, body {
+ height: 100%;
+}
+body {
+ font-family:Verdana, Geneva, sans-serif;
+ font-size: 12px;
+ line-height: 1.5;
+ color: #717171;
+ background: #717171;
+}
+a:link,
+a:visited {
+ text-decoration: none;
+ color: #717171;
+}
+img {
+ max-width: 100%;
+ margin-bottom: 12px;
+}
+
+.wrapper {
+ background: #ffffff;
+}
+
+.container {
+ position: relative;
+ left: 34%;
+ width: 540px;
+ margin-left: -270px;
+}
+.container-footer {
+ padding-top: 12px;
+}
+@media only screen and (max-width: 1020px) {
+ .container {
+ left: 45%;
+ }
+}
+@media only screen and (max-width: 650px) {
+ .container {
+ position: static;
+ margin: 0 auto;
+ width: 280px;
+ }
+}
+
+header {
+ padding: 20px 0;
+}
+
+.logo img {
+ border: none;
+}
+@media only screen and (max-width: 650px) {
+ .logo img {
+ display: none;
+ }
+ .logo {
+ background: url(../images/dummylogo-mobile.png) no-repeat top center;
+ display: block;
+ height: 115px;
+ width: 100px;
+ margin: 0 auto;
+ }
+}
+
+.content {
+ padding-bottom: 80px;
+ overflow: hidden;
+}
+
+.column {
+ float: left;
+}
+.column.one {
+ width: 50%;
+ margin-right: 48px;
+}
+
+form {
+ width: 240px;
+ padding-bottom: 21px;
+}
+form label { /* labels are hidden */
+ font-weight: bold;
+}
+form legend {
+ font-size:1.2em;
+ margin-bottom: 12px;
+}
+.form-element-wrapper {
+ margin-bottom: 12px;
+}
+.form-element {
+ width: 100%;
+ padding: 13px 12px;
+ border: none;
+ font-size: 14px;
+ border-radius: 4px;
+ -webkit-border-radius: 4px;
+ -moz-border-radius: 4px;
+}
+.form-field {
+ color: #B7B7B7;
+ border: 1px solid #B7B7B7;
+}
+.form-field-focus,
+.form-field:focus,
+input[type="text"]:focus {
+ color: #333333;
+ border-color: #333;
+}
+.form-button {
+ background: #B61601;
+ box-sizing: content-box;
+ -moz-box-sizing: content-box;
+ color: #ffffff;
+ cursor: pointer;
+}
+.form-button:hover {
+ background: #FF6400;
+}
+.form-error { 
+ padding: 0;
+ color: #B61601;
+}
+
+.list-help {
+ margin-top: 40px; /* offset padding on first anchor */
+ list-style: none;
+}
+.list-help-item a {
+ display: block;
+ padding: 6px 0;
+}
+.item-marker {
+ color: #be0000;
+}
+
+footer {
+ color: #ffffff;
+ font-size: 11px;
+ background: #717171;
+}
+.footer-text {
+ margin-bottom: 12px;
+}
+.footer-links a:link,
+.footer-links a:visited {
+ color: #ffffff;
+ font-weight: bold;
+}
+.footer-links a:after {
+ content: "\00a0\00a0\00a0|\00a0\00a0";
+}
+.footer-links a.last:after {
+ content: "";
+}
diff --git a/edit-webapp/images/dummylogo-mobile.png b/edit-webapp/images/dummylogo-mobile.png
new file mode 100644
index 0000000..8ba3c95
Binary files /dev/null and b/edit-webapp/images/dummylogo-mobile.png differ
diff --git a/edit-webapp/images/dummylogo.png b/edit-webapp/images/dummylogo.png
new file mode 100644
index 0000000..e89ede6
Binary files /dev/null and b/edit-webapp/images/dummylogo.png differ
diff --git a/edit-webapp/images/failure-32x32.png b/edit-webapp/images/failure-32x32.png
new file mode 100644
index 0000000..3c48e46
Binary files /dev/null and b/edit-webapp/images/failure-32x32.png differ
diff --git a/edit-webapp/images/success-32x32.png b/edit-webapp/images/success-32x32.png
new file mode 100644
index 0000000..aa51204
Binary files /dev/null and b/edit-webapp/images/success-32x32.png differ
diff --git a/messages/messages.properties b/messages/messages.properties
new file mode 100644
index 0000000..5f94396
--- /dev/null
+++ b/messages/messages.properties
@@ -0,0 +1,2 @@
+# You can define message properties here to override messages defined in
+# system/messages/ or to add your own messages.
diff --git a/metadata/idp-metadata.xml b/metadata/idp-metadata.xml
new file mode 100644
index 0000000..e11e5b7
--- /dev/null
+++ b/metadata/idp-metadata.xml
@@ -0,0 +1,219 @@ + + + + + + + + example.org + + + + + + + +MIIDQzCCAiugAwIBAgIUbEZuLbKAcQzDND914sXQScSszvowDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWc2hpYmJvbGV0aC5leGFtcGxlLm9yZzAeFw0xNzA4MDMw +MDA3NThaFw0zNzA4MDMwMDA3NThaMCExHzAdBgNVBAMMFnNoaWJib2xldGguZXhh +bXBsZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVr8AhZKq+ +QA/5F8EGRcf7uXfcVpN654RdICgpgB/zjvOpT0Qnw+YBraOpAJASUiTR/Ub5LUdC +cya0qzMlScNrcimli+GAPUbyUkhzkP5YD8ikAfKy0X0acU7CMXkBahR6kYqc3mQO +zGiDQImvDzfoDdOxP+cNyNhyPMgXQgdoIJzQFK9MKztXeq67aJ8lvx1R28JkIzzh +kbGadvEe+Sp+5QE8NrLg4gjOtgFAGmugeZDFF70bZCAIIdh0rbWxCOk4lLjPtOkM +4ZCEwhTG4WHvFS8Jhhv2qpQ+V+r6ifrFwetH6NeksY03jovMTGKnJt2Zr2nw/kM0 +YdXXgdClb2kRAgMBAAGjczBxMB0GA1UdDgQWBBQ5Yz+7JDneVDLb6W+47+mzrKGS +RTBQBgNVHREESTBHghZzaGliYm9sZXRoLmV4YW1wbGUub3Jnhi1odHRwczovL3No +aWJib2xldGguZXhhbXBsZS5vcmcvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL +BQADggEBAFFyKRdpd/TLaF0iL9E2dnmOmWCXqqp53/z5PNTHFbeeriK6PB3w0Q06 +0ECHdjIbVfRYt15bZowyfUb9oIq+mw/tAsZs/B5nQagAgk4EzHfh63QaPZE6hgvJ +t4I543cOlcPvDWhGuSXij9F6euOz2ke9lL1G5gTtgWvI5QvsKTDoPVXbXtw2fS0P +iXZWsBA/0o+2KJxs3zz4y8wpFyl5s3ms5cG4W4A5xZQrUU2yZPwG49uSky/QhWR5 +b3F0TgvqbRFFTM3i1j//9bqs5RRGtY/M+pDaCxk2e8r9NXMWRb+DBe3xCdKDTIyw +ZhTW1E3Hl11KDNf7E3lJwHUQpADwFCQ= + + + + + + + + + +MIIDRDCCAiygAwIBAgIVAMeyqDjBqHXNh9j4nJ2Vzua8mfU7MA0GCSqGSIb3DQEB +CwUAMCExHzAdBgNVBAMMFnNoaWJib2xldGguZXhhbXBsZS5vcmcwHhcNMTcwODAz +MDAwNzU3WhcNMzcwODAzMDAwNzU3WjAhMR8wHQYDVQQDDBZzaGliYm9sZXRoLmV4 +YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlMzdKgBY +YVP8F+y9HL4m8TeTAJt3C+R5ZVdFDnKXbN0ZlHneLwWfqf2VLnA6/00wlIueak75 +dnbrL7J/m28g20eYfAvwJ1Q+nwm2nTGM4veK1VwzhJK2NhIH3jvLG6DTik0CVNqG +1eCWz47lHZktBbCKW7CdJRduUtBcjPL7scYWuzrUQHGejL1KmgEv939BBWtEh6fp +xVFz8OjnJ7+NQA6+MYQ2l6ZpRDA+AGjQVRd4W7pGNkQlwVmDKHdqAD/iZZhHTrBU +MTilE7k+NFZxueolWFs2rTbpP823tGp7mncEw72jblKZ2RQN9hbx+qz0bEmcZfGz +OLsMbs4AJNpNrQIDAQABo3MwcTAdBgNVHQ4EFgQU/sxWnZsDNrrQVIWxe3a7sRYH +7qAwUAYDVR0RBEkwR4IWc2hpYmJvbGV0aC5leGFtcGxlLm9yZ4YtaHR0cHM6Ly9z 
+aGliYm9sZXRoLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB +CwUAA4IBAQCAG8qiJRZOSyc+et9l9bfDfhVslX2t5cVu+qORKyH7SgBiUnh698VT +WwDTTLnh0MbPpp2ePRK9fwZlQAweNHkg1nLZcd4vG53O8juXHXEN4Y5ra1+lz/Ye +LyO8tvTU9XlXXckFtlCCtF7S2LS/X8OH0bPXCHeJarq6ZNM8HSgjSaCbFqqNbKpv +UgZEOKxVpEwOcasKlOalCyTKJylbtfqx+Lk92uZklmG7DzslE8cJIuqjS55m8qaj +vmVhDFHYINiYbjfNOSeYwpxkhAHUw2flflqw/bCx7o+/XdU/ubHgN6q5ZHpnte24 +1w6+YrBjhjUAkYCfxOcTjlfE9IKXCrKS + + + + + + + + + +MIIDRDCCAiygAwIBAgIVAP3jGt1ixK5Z0RLcQxlvH4UgPKYXMA0GCSqGSIb3DQEB +CwUAMCExHzAdBgNVBAMMFnNoaWJib2xldGguZXhhbXBsZS5vcmcwHhcNMTcwODAz +MDAwNzU3WhcNMzcwODAzMDAwNzU3WjAhMR8wHQYDVQQDDBZzaGliYm9sZXRoLmV4 +YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAigTACHbG +ERHyK2C9Bflj9eufn/gdvP+vZlduQZST8CHSVNrc0/39YR0yf725lFR8ThfOyMoP +xwfQAhvRS5SZVXZQHhbABxJkjDCvf8DQN21UU+8UHdIYldY9uq2ub3La+YyHU5MS +yXMSxj9pHec9tVlOe7oFjiGbBNcewBavSn+d+5YxzBZVR7k86bRwNtAfyPbZMwI0 +CZQ4NBjOQoqemDu/DuoZW7+Gefu5J+BprMJDDkBQ5NLPDWZwsvKpNpZnd45obxQq +RTzndSI7eVJWb0nA8YUUaArK788W6Vz7NMLhLoq3VtOuW8PGWsKu9DimBHyxGA5C +D8yAkiCXAUABCQIDAQABo3MwcTAdBgNVHQ4EFgQUNAeo+oRpwAej8Z963QfFGnEe +wXQwUAYDVR0RBEkwR4IWc2hpYmJvbGV0aC5leGFtcGxlLm9yZ4YtaHR0cHM6Ly9z +aGliYm9sZXRoLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB +CwUAA4IBAQBZxZeJXzgkTpfijeRs9QZL/Tnolml0ciqngOAjtGrK/QkhUuT0Yy1c +Gg+wfQRlvpLW25SmwmIXVIY7YcFZWNH+rjgdyNO7gShzYk5Is2dSIJQHcZyL1ms3 +2I0RBL5pDyhl08+mVpeZ0APvW94K4cZ0iZ6X2pkBcfdVd3XRsFaJlo9iEOZfCE9N ++gT0WH7SU/OF1yKJJDLVPsfuyvgGJUuF+NFwqLX8BktCVThObleAjVSL/g/8cOVa +FOZyH7qeX/+xmSbJgIx6f+HqHLkX2bwDvH77xGtYqvkVfLWKzt5LjAIjjqwzhUBC +xFgugtW094wGu30sgexh+O/ZRgskcCFR + + + + + + + + + + + + + + + + + + + + + + + example.org + + + + + + +MIIDQzCCAiugAwIBAgIUbEZuLbKAcQzDND914sXQScSszvowDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWc2hpYmJvbGV0aC5leGFtcGxlLm9yZzAeFw0xNzA4MDMw +MDA3NThaFw0zNzA4MDMwMDA3NThaMCExHzAdBgNVBAMMFnNoaWJib2xldGguZXhh +bXBsZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVr8AhZKq+ 
+QA/5F8EGRcf7uXfcVpN654RdICgpgB/zjvOpT0Qnw+YBraOpAJASUiTR/Ub5LUdC +cya0qzMlScNrcimli+GAPUbyUkhzkP5YD8ikAfKy0X0acU7CMXkBahR6kYqc3mQO +zGiDQImvDzfoDdOxP+cNyNhyPMgXQgdoIJzQFK9MKztXeq67aJ8lvx1R28JkIzzh +kbGadvEe+Sp+5QE8NrLg4gjOtgFAGmugeZDFF70bZCAIIdh0rbWxCOk4lLjPtOkM +4ZCEwhTG4WHvFS8Jhhv2qpQ+V+r6ifrFwetH6NeksY03jovMTGKnJt2Zr2nw/kM0 +YdXXgdClb2kRAgMBAAGjczBxMB0GA1UdDgQWBBQ5Yz+7JDneVDLb6W+47+mzrKGS +RTBQBgNVHREESTBHghZzaGliYm9sZXRoLmV4YW1wbGUub3Jnhi1odHRwczovL3No +aWJib2xldGguZXhhbXBsZS5vcmcvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL +BQADggEBAFFyKRdpd/TLaF0iL9E2dnmOmWCXqqp53/z5PNTHFbeeriK6PB3w0Q06 +0ECHdjIbVfRYt15bZowyfUb9oIq+mw/tAsZs/B5nQagAgk4EzHfh63QaPZE6hgvJ +t4I543cOlcPvDWhGuSXij9F6euOz2ke9lL1G5gTtgWvI5QvsKTDoPVXbXtw2fS0P +iXZWsBA/0o+2KJxs3zz4y8wpFyl5s3ms5cG4W4A5xZQrUU2yZPwG49uSky/QhWR5 +b3F0TgvqbRFFTM3i1j//9bqs5RRGtY/M+pDaCxk2e8r9NXMWRb+DBe3xCdKDTIyw +ZhTW1E3Hl11KDNf7E3lJwHUQpADwFCQ= + + + + + + + + + +MIIDRDCCAiygAwIBAgIVAMeyqDjBqHXNh9j4nJ2Vzua8mfU7MA0GCSqGSIb3DQEB +CwUAMCExHzAdBgNVBAMMFnNoaWJib2xldGguZXhhbXBsZS5vcmcwHhcNMTcwODAz +MDAwNzU3WhcNMzcwODAzMDAwNzU3WjAhMR8wHQYDVQQDDBZzaGliYm9sZXRoLmV4 +YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlMzdKgBY +YVP8F+y9HL4m8TeTAJt3C+R5ZVdFDnKXbN0ZlHneLwWfqf2VLnA6/00wlIueak75 +dnbrL7J/m28g20eYfAvwJ1Q+nwm2nTGM4veK1VwzhJK2NhIH3jvLG6DTik0CVNqG +1eCWz47lHZktBbCKW7CdJRduUtBcjPL7scYWuzrUQHGejL1KmgEv939BBWtEh6fp +xVFz8OjnJ7+NQA6+MYQ2l6ZpRDA+AGjQVRd4W7pGNkQlwVmDKHdqAD/iZZhHTrBU +MTilE7k+NFZxueolWFs2rTbpP823tGp7mncEw72jblKZ2RQN9hbx+qz0bEmcZfGz +OLsMbs4AJNpNrQIDAQABo3MwcTAdBgNVHQ4EFgQU/sxWnZsDNrrQVIWxe3a7sRYH +7qAwUAYDVR0RBEkwR4IWc2hpYmJvbGV0aC5leGFtcGxlLm9yZ4YtaHR0cHM6Ly9z +aGliYm9sZXRoLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB +CwUAA4IBAQCAG8qiJRZOSyc+et9l9bfDfhVslX2t5cVu+qORKyH7SgBiUnh698VT +WwDTTLnh0MbPpp2ePRK9fwZlQAweNHkg1nLZcd4vG53O8juXHXEN4Y5ra1+lz/Ye +LyO8tvTU9XlXXckFtlCCtF7S2LS/X8OH0bPXCHeJarq6ZNM8HSgjSaCbFqqNbKpv +UgZEOKxVpEwOcasKlOalCyTKJylbtfqx+Lk92uZklmG7DzslE8cJIuqjS55m8qaj 
+vmVhDFHYINiYbjfNOSeYwpxkhAHUw2flflqw/bCx7o+/XdU/ubHgN6q5ZHpnte24 +1w6+YrBjhjUAkYCfxOcTjlfE9IKXCrKS + + + + + + + + + +MIIDRDCCAiygAwIBAgIVAP3jGt1ixK5Z0RLcQxlvH4UgPKYXMA0GCSqGSIb3DQEB +CwUAMCExHzAdBgNVBAMMFnNoaWJib2xldGguZXhhbXBsZS5vcmcwHhcNMTcwODAz +MDAwNzU3WhcNMzcwODAzMDAwNzU3WjAhMR8wHQYDVQQDDBZzaGliYm9sZXRoLmV4 +YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAigTACHbG +ERHyK2C9Bflj9eufn/gdvP+vZlduQZST8CHSVNrc0/39YR0yf725lFR8ThfOyMoP +xwfQAhvRS5SZVXZQHhbABxJkjDCvf8DQN21UU+8UHdIYldY9uq2ub3La+YyHU5MS +yXMSxj9pHec9tVlOe7oFjiGbBNcewBavSn+d+5YxzBZVR7k86bRwNtAfyPbZMwI0 +CZQ4NBjOQoqemDu/DuoZW7+Gefu5J+BprMJDDkBQ5NLPDWZwsvKpNpZnd45obxQq +RTzndSI7eVJWb0nA8YUUaArK788W6Vz7NMLhLoq3VtOuW8PGWsKu9DimBHyxGA5C +D8yAkiCXAUABCQIDAQABo3MwcTAdBgNVHQ4EFgQUNAeo+oRpwAej8Z963QfFGnEe +wXQwUAYDVR0RBEkwR4IWc2hpYmJvbGV0aC5leGFtcGxlLm9yZ4YtaHR0cHM6Ly9z +aGliYm9sZXRoLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB +CwUAA4IBAQBZxZeJXzgkTpfijeRs9QZL/Tnolml0ciqngOAjtGrK/QkhUuT0Yy1c +Gg+wfQRlvpLW25SmwmIXVIY7YcFZWNH+rjgdyNO7gShzYk5Is2dSIJQHcZyL1ms3 +2I0RBL5pDyhl08+mVpeZ0APvW94K4cZ0iZ6X2pkBcfdVd3XRsFaJlo9iEOZfCE9N ++gT0WH7SU/OF1yKJJDLVPsfuyvgGJUuF+NFwqLX8BktCVThObleAjVSL/g/8cOVa +FOZyH7qeX/+xmSbJgIx6f+HqHLkX2bwDvH77xGtYqvkVfLWKzt5LjAIjjqwzhUBC +xFgugtW094wGu30sgexh+O/ZRgskcCFR + + + + + + + + + + + + + diff --git a/views/client-storage/client-storage-read.vm b/views/client-storage/client-storage-read.vm new file mode 100644 index 0000000..1993c14 --- /dev/null +++ b/views/client-storage/client-storage-read.vm 
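Review bot: metadata/idp-metadata.xml embeds the back-channel, signing and encryption certificates whose private keys are checked in under credentials/ in this same change, so every relying party that loads this file is being told to trust key material that is now public; the metadata is derived from those keys and should be regenerated per deployment rather than committed. The three certificates decode to a self-signed `shibboleth.example.org` subject valid until 2037 and the organization block reads `example.org`, so promoting this file to a release branch would hand end users placeholder identity material. The hunk's XML tags are lost in this view, so I cannot tell whether the file carries a header comment; it should state that it is generated and name the step that regenerates it.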
@@ -0,0 +1,53 @@ +## +## Velocity template to read from local storage. +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## loadContext - context with details about the storage keys to load +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service")) +#set ($titleSuffix = $springMacroRequestContext.getMessage("idp.client-storage-read.suffix", "Loading Session Information")) +## + + + + + + $title - $titleSuffix + + + + +
+
+
+

$title - $titleSuffix

+
+
+ $springMacroRequestContext.getMessage("idp.client-storage-read.text", "Loading login session information from the browser...") +
+ + #parse( "client-storage/read.vm" ) +
+ +
+ + diff --git a/views/client-storage/client-storage-write.vm b/views/client-storage/client-storage-write.vm new file mode 100644 index 0000000..4b92d6b --- /dev/null +++ b/views/client-storage/client-storage-write.vm @@ -0,0 +1,53 @@ +## +## Velocity template to write to local storage. +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## saveContext - context with details about the storage data to save +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service")) +#set ($titleSuffix = $springMacroRequestContext.getMessage("idp.client-storage-write.suffix", "Saving Session Information...")) +## + + + + + + $title - $titleSuffix + + + + +
+
+
+

$title - $titleSuffix

+
+
+ $springMacroRequestContext.getMessage("idp.client-storage-write.text", "Saving login session information to the browser...") +
+ + #parse( "client-storage/write.vm" ) +
+ +
+ + \ No newline at end of file diff --git a/views/duo.vm b/views/duo.vm new file mode 100644 index 0000000..cf4f96a --- /dev/null +++ b/views/duo.vm @@ -0,0 +1,83 @@ +## +## Velocity Template for Duo login view-state +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## authenticationContext - context with authentication request information +## rpUIContext - the context with SP UI information from the metadata +## canonicalUsername - name of user passed to Duo +## duoHost - API hostname for Duo frame +## duoRequest - signed Duo request message +## duoScriptPath - path to Duo JavaScript source +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## + + + + + + + #springMessageText("idp.title", "Web Login Service") + + + + +
+
+
+ #springMessageText( +
+ +
+
+ +

#springMessageText("idp.login.duoRequired", "Authentication with Duo is required for the requested service.")

+ + + + +
+ + +
+ +

+ #springMessageText("idp.login.duoCancel", "Cancel this Request") +

+
+ +
+
+ + +
+ + diff --git a/views/error.vm b/views/error.vm new file mode 100644 index 0000000..dcb8e2b --- /dev/null +++ b/views/error.vm 
@@ -0,0 +1,73 @@ +## +## Velocity Template for error end-state +## +## Velocity context will contain the following properties +## flowRequestContext - the Spring Web Flow RequestContext +## profileRequestContext - root of context tree +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## +#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service")) +#set ($defaultTitleSuffix = $springMacroRequestContext.getMessage("idp.title.suffix", "Error")) +## +#if ($flowRequestContext) + ## This handles flow events, the most common case. + #set ($eventId = $flowRequestContext.getCurrentEvent().getId()) + #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "error")) + #set ($titleSuffix = $springMacroRequestContext.getMessage("${eventKey}.title", "$defaultTitleSuffix")) + #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "$defaultTitleSuffix: $eventId")) + #if ($eventId == "AccessDenied" or $eventId == "ContextCheckDenied") + $response.setStatus(403) + #elseif ($eventId == "AttributeReleaseRejected" || $eventId == "TermsRejected") + $response.setStatus(200) + #elseif ($eventKey == "unexpected" || $eventKey == "runtime-error" || $eventKey == "error") + $response.setStatus(500) + #else + $response.setStatus(400) + #end +#elseif ($exception) + ## This handles exceptions that reach the Spring-MVC exception handler. + #set ($eventId = $exception.getClass().getSimpleName()) + #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "error")) + #set ($titleSuffix = $springMacroRequestContext.getMessage("${eventKey}.title", "$defaultTitleSuffix")) + #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "$defaultTitleSuffix: $eventId")) +#else + ## This is a catch-all that theoretically shouldn't happen? 
+ #set ($titleSuffix = $defaultTitleSuffix) + #set ($message = $springMacroRequestContext.getMessage("idp.message", "An unidentified error occurred.")) +#end +## + + + + + + $title - $titleSuffix + + + + +
+
+
+ #springMessageText( +

$title - $titleSuffix

+
+ +
+ #evaluate($message) +
+
+ + + +
+ + \ No newline at end of file diff --git a/views/intercept/attribute-release.vm b/views/intercept/attribute-release.vm new file mode 100644 index 0000000..0b74551 --- /dev/null +++ b/views/intercept/attribute-release.vm @@ -0,0 +1,158 @@ +## +## Velocity Template for DisplayAttributeReleasePage view-state +## +## Velocity context will contain the following properties : +## +## attributeReleaseContext - context holding consentable attributes +## attributeReleaseFlowDescriptor - attribute consent flow descriptor +## attributeDisplayNameFunction - function to display attribute name +## consentContext - context representing the state of a consent flow +## encoder - HTMLEncoder class +## flowExecutionKey - SWF execution key (this is built into the flowExecutionUrl) +## flowExecutionUrl - form action location +## flowRequestContext - Spring Web Flow RequestContext +## profileRequestContext - OpenSAML profile request context +## request - HttpServletRequest +## response - HttpServletResponse +## rpUIContext - context with SP UI information from the metadata +## environment - Spring Environment object for property resolution +#set ($serviceName = $rpUIContext.serviceName) +#set ($serviceDescription = $rpUIContext.serviceDescription) +#set ($informationURL = $rpUIContext.informationURL) +#set ($privacyStatementURL = $rpUIContext.privacyStatementURL) +#set ($rpOrganizationLogo = $rpUIContext.getLogo()) +#set ($rpOrganizationName = $rpUIContext.organizationName) +#set ($replaceDollarWithNewline = true) +## + + + + + + + #springMessageText("idp.attribute-release.title", "Information Release") + + +
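Review bot: `#evaluate($message)` near the end of the template renders the resolved message text as a Velocity template, so any `$reference` or `#directive` inside a message-bundle value executes server-side. As written the inputs are the bundle entries and the `$eventId` / exception simple-name fallback, which are deployer- and code-controlled rather than request-controlled, so this is not exploitable as shown, but it is a template-injection sink the moment anyone builds a message from request data. A guard comment above it would help: `## NOTE: #evaluate runs $message as a template; never derive $message from request input`. Separately, the `#elseif ($exception)` branch sets no response status while the flow branch does, so unless the MVC exception handler sets one, exception pages may go out as 200.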
+
+
+ + #if ($rpOrganizationLogo) + + #end +
+ #if ($serviceName) +

+ #springMessageText("idp.attribute-release.serviceNameLabel", "You are about to access the service:")
+ $serviceName + #if ($rpOrganizationName) + #springMessageText("idp.attribute-release.of", "of") $encoder.encodeForHTML($rpOrganizationName) + #end +

+ #end + #if ($serviceDescription) +

+ #springMessageText("idp.attribute-release.serviceDescriptionLabel", "Description as provided by this service:")
+ $encoder.encodeForHTML($serviceDescription) +
+

+ #end + #if ($informationURL) +

+ #springMessageText("idp.attribute-release.informationURLLabel", "Additional information about the service") +

+ #end +
+ + + + + + + + #foreach ($attribute in $attributeReleaseContext.getConsentableAttributes().values()) + + + + + + #end + +
+ #springMessageText("idp.attribute-release.attributesHeader", "Information to be Provided to Service") +
$encoder.encodeForHTML($attributeDisplayNameFunction.apply($attribute)) + #foreach ($value in $attribute.values) + #if ($replaceDollarWithNewline) + #set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue()).replaceAll($encoder.encodeForHTML("$"),"
")) + #else + #set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue())) + #end + #if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled) + + #else + $encodedValue + #end +
+ #end +
+ #if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled) + #set ($inputType = "checkbox") + #else + #set ($inputType = "hidden") + #end + +
+
+ #if ($privacyStatementURL) +

+ #springMessageText("idp.attribute-release.privacyStatementURLLabel", "Data privacy information of the service") +

+ #end +
+

+ #springMessageText("idp.attribute-release.confirmationQuestion", "The information above would be shared with the service if you proceed. Do you agree to release this information to the service every time you access it?") +

+ #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) +
+ #springMessageText("idp.attribute-release.consentMethod", "Select an information release consent duration:") + #end + #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed) +

+ + +

    +
  • #springMessageText("idp.attribute-release.doNotRememberConsentItem", "I agree to send my information this time.")
  • +
+

+ #end + #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) +

+ + +

    +
  • #springMessageText("idp.attribute-release.rememberConsentItem", "I agree that the same information will be sent automatically to this service in the future.")
  • +
+

+ #end + #if ($attributeReleaseFlowDescriptor.globalConsentAllowed) +

+ + +

    +
  • #springMessageText("idp.attribute-release.globalConsentItem", "I agree that all of my information will be released to any service.")
  • +
+

+ #end + #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) + #springMessageText("idp.attribute-release.consentMethodRevoke", "This setting can be revoked at any time with the checkbox on the login page.") +
+ #end +

+ + +

+
+
+
+ + diff --git a/views/intercept/expiring-password.vm b/views/intercept/expiring-password.vm new file mode 100644 index 0000000..4395844 --- /dev/null +++ b/views/intercept/expiring-password.vm @@ -0,0 +1,54 @@ +## +## Velocity Template for expiring password view +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## authenticationContext - context with authentication request information +## authenticationErrorContext - context with login error state +## authenticationWarningContext - context with login warning state +## ldapResponseContext - context with LDAP state (if using native LDAP) +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## + + + + + + #springMessageText("idp.title", "Web Login Service") + + + + + +
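Review bot: `$serviceName` is written into the page unencoded in the "You are about to access the service" block, while `$rpOrganizationName` and `$serviceDescription` on the neighbouring lines go through `$encoder.encodeForHTML`, and login.vm encodes the same value as `$encoder.encodeForHTML($serviceName)`. The name comes from the relying party's metadata, i.e. from outside the IdP, so it should be treated the same way here: `$encoder.encodeForHTML($serviceName)`. The markup is stripped from this view of the diff, so I cannot see how `$informationURL` and `$privacyStatementURL` are emitted; if they land in an `href` they need attribute encoding as well.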
+
+
+ #springMessageText( +

#springMessageText("idp.login.expiringSoon", "Your password will be expiring soon!")

+
+ +
+

#springMessageText("idp.login.changePassword", "To create a new password now, go to") + #.

+

#springMessageText("idp.login.proceedBegin", "Your login will proceed in 20 seconds or you may click") + #springMessageText("idp.login.proceedHere", "here") + #springMessageText("idp.login.proceedEnd", "to continue").

+
+
+ + + +
+ + \ No newline at end of file diff --git a/views/intercept/terms-of-use.vm b/views/intercept/terms-of-use.vm new file mode 100644 index 0000000..1bf12c7 --- /dev/null +++ b/views/intercept/terms-of-use.vm @@ -0,0 +1,67 @@ +## +## Velocity Template for DisplayTermsOfUsePage view-state +## +## Velocity context will contain the following properties : +## +## encoder - HTMLEncoder class +## flowExecutionKey - SWF execution key (this is built into the flowExecutionUrl) +## flowExecutionUrl - form action location +## flowRequestContext - Spring Web Flow RequestContext +## request - HttpServletRequest +## response - HttpServletResponse +## rpUIContext - context with SP UI information from the metadata +## termsOfUseId - terms of use ID to lookup message strings +## environment - Spring Environment object for property resolution +#set ($serviceName = $rpUIContext.serviceName) +#set ($rpOrganizationLogo = $rpUIContext.getLogo()) +## + + + + + + + #springMessageText("${termsOfUseId}.title", "Terms of Use") + + +
+
+ + #if ($rpOrganizationLogo) + + #end +
+ #if ($rpOrganizationLogo) +
+

#springMessageText("${termsOfUseId}.title", "Terms of Use")

+
+ #end +
+ #springMessageText("${termsOfUseId}.text", "Terms of Use Text...") +
+
+
+
+ +
+
+
+
+ + + #if ($requireCheckbox) +

#springMessageText("idp.terms-of-use.required", "Please check this box if you want to proceed.")

+ #end + +
+
+
+
+ +
+ + diff --git a/views/login-error.vm b/views/login-error.vm new file mode 100644 index 0000000..44676b3 --- /dev/null +++ b/views/login-error.vm @@ -0,0 +1,24 @@ +## Velocity Template for login error message production, included by login.vm +## +## authenticationErrorContext - context containing error data, if available +## +#if ($authenticationErrorContext && $authenticationErrorContext.getClassifiedErrors().size() > 0 && $authenticationErrorContext.getClassifiedErrors().iterator().next() != "ReselectFlow") + ## This handles errors that are classified by the message maps in the authentication config. + #set ($eventId = $authenticationErrorContext.getClassifiedErrors().iterator().next()) + #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "login")) + #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "Login Failure: $eventId")) +#elseif ($authenticationErrorContext && $authenticationErrorContext.getExceptions().size() > 0) + ## This handles login exceptions that are left unclassified. + #set ($loginException = $authenticationErrorContext.getExceptions().get(0)) + #if ($loginException.getMessage()) + #set ($message = "Login Failure: $loginException.getMessage()") + #else + #set ($message = $loginException.toString()) + #end +#end + +#if ($message) +
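Review bot: `$requireCheckbox` is read in the `#if ($requireCheckbox)` block but is missing from the list of Velocity context properties in the header comment, which otherwise documents every variable the template uses. Add `## requireCheckbox - when true, the acceptance checkbox is shown and must be ticked to proceed` next to the `termsOfUseId` entry; the "must be ticked" part is inferred from the adjacent `idp.terms-of-use.required` message text and should be confirmed against the flow that injects the variable.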
+

$encoder.encodeForHTML($message)

+
+#end diff --git a/views/login.vm b/views/login.vm new file mode 100644 index 0000000..c421a99 --- /dev/null +++ b/views/login.vm @@ -0,0 +1,140 @@ +## +## Velocity Template for DisplayUsernamePasswordPage view-state +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## authenticationContext - context with authentication request information +## authenticationErrorContext - context with login error state +## authenticationWarningContext - context with login warning state +## ldapResponseContext - context with LDAP state (if using native LDAP) +## rpUIContext - the context with SP UI information from the metadata +## extendedAuthenticationFlows - collection of "extended" AuthenticationFlowDescriptor objects +## passwordPrincipals - contents of the shibboleth.authn.Password.PrincipalOverride bean +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## +#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext')) +#set ($username = $authenticationContext.getSubcontext('net.shibboleth.idp.authn.context.UsernamePasswordContext', true).getUsername()) +#set ($passwordEnabled = false) +#if (!$passwordPrincipals or $passwordPrincipals.isEmpty() or $authenticationContext.isAcceptable($passwordPrincipals)) + #set ($passwordEnabled = true) +#end +## + + + + + + #springMessageText("idp.title", "Web Login Service") + + + +
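Review bot: the unclassified-exception branch shows the raw `$loginException.getMessage()` (or `toString()`) to the end user. It is passed through `$encoder.encodeForHTML` at render time, so there is no markup injection, but backend exception text typically carries diagnostic detail (directory error strings, class names) that an unauthenticated visitor should not see. Consider rendering a generic message in that branch, e.g. `#set ($message = "Login Failure")`, and relying on the server log for the exception detail; the classified branch already supplies a mapped message. Note also that only the first classified error is shown (`iterator().next()`), which is probably intended but deserves a one-line comment.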
+
+
+ #springMessageText( +
+ +
+
+ #parse("login-error.vm") + +
+ + #set ($serviceName = $rpUIContext.serviceName) + #if ($serviceName && !$rpContext.getRelyingPartyId().contains($serviceName)) + + #springMessageText("idp.login.loginTo", "Login to") $encoder.encodeForHTML($serviceName) + + #end + + #if ($passwordEnabled) +
+ + +
+ +
+ + +
+ +
+ + +
+ #end + +
+ + +
+ + #if ($passwordEnabled) +
+ +
+ #end + + #foreach ($extFlow in $extendedAuthenticationFlows) + #if ($authenticationContext.isAcceptable($extFlow) and $extFlow.apply(profileRequestContext)) +
+ +
+ #end + #end +
+ + #* + // + // SP Description & Logo (optional) + // These idpui lines will display added information (if available + // in the metadata) about the Service Provider (SP) that requested + // authentication. These idpui lines are "active" in this example + // (not commented out) - this extra SP info will be displayed. + // Remove or comment out these lines to stop the display of the + // added SP information. + // + *# + #set ($logo = $rpUIContext.getLogo()) + #if ($logo) + $encoder.encodeForHTMLAttribute($serviceName) + #end + #set ($desc = $rpUIContext.getServiceDescription()) + #if ($desc) + $encoder.encodeForHTML($desc) + #end + +
+ +
+
+ + +
+ + + \ No newline at end of file diff --git a/views/logout-complete.vm b/views/logout-complete.vm new file mode 100644 index 0000000..d780252 --- /dev/null +++ b/views/logout-complete.vm @@ -0,0 +1,59 @@ +## +## Velocity Template for logout flow's concluding view-state (no propagation) +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## logoutContext - context with SPSession details for logout operation +## multiRPContext - context with RelyingPartyContexts and possibly SP UI information from the metadata +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## + + + + + + #springMessageText("idp.title", "Web Login Service") + + + + +
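Review bot: in the extended-flows loop the predicate is called as `$extFlow.apply(profileRequestContext)` without the `$` prefix that every other reference in the template uses (`$authenticationContext.isAcceptable($extFlow)` on the same line). Unless Velocity resolves a bare word as a reference, the descriptor's predicate receives something other than the profile request context and the extended login options may be hidden or shown incorrectly; the line should read `#if ($authenticationContext.isAcceptable($extFlow) and $extFlow.apply($profileRequestContext))`. This cannot be verified from the stripped markup here, so please confirm against a deployment with an extended flow configured.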
+
+
+ #springMessageText( +
+ +
+
+

#springMessageText("idp.logout.local", "You elected not to log out of all the applications accessed during your session.")

+
+ +
+
+ + + #if ( $profileRequestContext.getProfileId().contains("saml2/logout") ) + + #end + + +
+ + + \ No newline at end of file diff --git a/views/logout-propagate.vm b/views/logout-propagate.vm new file mode 100644 index 0000000..86b3fa1 --- /dev/null +++ b/views/logout-propagate.vm @@ -0,0 +1,58 @@ +## +## Velocity Template for logout flow's concluding view-state (with propagation) +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## logoutContext - context with SPSession details for logout operation +## multiRPContext - context with RelyingPartyContexts and possibly SP UI information from the metadata +## htmlEncoder - HTMLEncoder class +## urlEncoder - urlEncoder class +## codecUtil - CodecUtil class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## + + + + + + #springMessageText("idp.title", "Web Login Service") + + + + + +
+
+
+ #springMessageText( +
+ +
+
+

#springMessageText("idp.logout.attempt", "Attempting to log out of the following services:")

+ #parse("logout/propagate.vm") +
+ +
+
+ + +
+ + + \ No newline at end of file diff --git a/views/logout.vm b/views/logout.vm new file mode 100644 index 0000000..2342855 --- /dev/null +++ b/views/logout.vm @@ -0,0 +1,91 @@ +## +## Velocity Template for logout flow's starting view-state +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## logoutContext - context with SPSession details for logout operation +## multiRPContext - context with RelyingPartyContexts and possibly SP UI information from the metadata +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## + + + + + + #if ( $logoutContext and !$logoutContext.getSessionMap().isEmpty() ) + + #end + #springMessageText("idp.title", "Web Login Service") + + + + +
+
+
+ #springMessageText( +
+ +
+
+

This page is displayed when a logout operation at the Identity Provider completes. This page is an example + and should be customized. It is not fully internationalized because the presentation will be a highly localized + decision, and we don't have a good suggestion for a default.

+
+ + #if ( $logoutContext and !$logoutContext.getSessionMap().isEmpty() ) +

#springMessageText("idp.logout.ask", "Would you like to attempt to log out of all services accessed during your session? Please select Yes or No to ensure the logout operation completes, or wait a few seconds for Yes.")

+
+ +
+ + +
+ +
+

#springMessageText("idp.logout.contactServices", "If you proceed, the system will attempt to contact the following services:")

+
    + #foreach ($sp in $logoutContext.getSessionMap().keySet()) + #set ($rpCtx = $multiRPContext.getRelyingPartyContextById($sp)) + #if ($rpCtx) + #set ($rpUIContext = $rpCtx.getSubcontext("net.shibboleth.idp.ui.context.RelyingPartyUIContext")) + #end + #if ($rpUIContext and $rpUIContext.getServiceName()) +
  1. $encoder.encodeForHTML($rpUIContext.getServiceName())
  2. + #else +
  3. $encoder.encodeForHTML($sp)
  4. + #end + #end +
+ #else +

#springMessageText("idp.logout.complete", "The logout operation is complete, and no other services appear to have been accessed during this session.")

+ + + #end + +
+ +
+
+ + +
+ + + \ No newline at end of file diff --git a/views/spnego-unavailable.vm b/views/spnego-unavailable.vm new file mode 100644 index 0000000..3673f02 --- /dev/null +++ b/views/spnego-unavailable.vm @@ -0,0 +1,49 @@ +## +## Velocity Template for SPNEGO unauthorized page +## +## This is not a Spring Webflow view, but a special view internal to the +## SPNEGO login flow, so it doesn't contain all of the usual SWF variables. +## +## Velocity context will contain the following properties +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## profileRequestContext - root of context tree +## errorUrl - URL to call to indicate error and return back to the login flow +## +#set ($eventKey = $springMacroRequestContext.getMessage("SPNEGOUnavailable", "spnego-unavailable")) + + + + + + #springMessageText("idp.title", "Web Login Sevice") - #springMessageText("${eventKey}.title", "Error") + + + + +
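Review bot: the paragraph beginning "This page is displayed when a logout operation at the Identity Provider completes" is shipped as user-visible page text even though it addresses the deployer, not the end user. Move it into a Velocity comment (`## This page is an example and should be customized; it is not internationalized because ...`) so it cannot reach users of a default deployment, and keep only the localized `idp.logout.*` messages in the body. The per-service list does encode both `$rpUIContext.getServiceName()` and `$sp` via `$encoder.encodeForHTML`, which is the right treatment for metadata-sourced values.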
+
+
+ #springMessageText( +

#springMessageText("idp.title", "Web Login Sevice") - #springMessage("idp.title.suffix", "Error")

+
+ +
+ #springMessageText("${eventKey}.message", "Your web browser doesn't support authentication with your desktop login credentials.") + +
+
+ + +
+ + diff --git a/views/user-prefs.js b/views/user-prefs.js new file mode 100644 index 0000000..ab994f9 --- /dev/null +++ b/views/user-prefs.js @@ -0,0 +1,45 @@ +"use strict"; + +function createCookie(name, value, seconds) { + var date = new Date(); + date.setTime(date.getTime() + (seconds * 1000)); + var expires = "; expires=" + date.toGMTString(); + + var path = '$environment.getProperty("idp.cookie.path", $request.getContextPath())'; + if (path.length > 0) + path = "; path=" + path; + document.cookie = name + "=" + value + expires + path; +} + +function eraseCookie(name) { + createCookie(name, "", -31536000); +} + +function readCookie(name) { + var nameEQ = name + "="; + var ca = document.cookie.split(';'); + for (var i = 0; i < ca.length; i++) { + var c = ca[i]; + while (c.charAt(0) == ' ') + c = c.substring(1, c.length); + if (c.indexOf(nameEQ) == 0) + return c.substring(nameEQ.length, c.length); + } + return null; +} + +function load(id) { + var checkbox = document.getElementById(id); + if (checkbox != null) { + var spnego = readCookie(checkbox.name); + checkbox.checked = (spnego == "1"); + } +} + +function check(checkbox) { + if (checkbox.checked) { + createCookie(checkbox.name, checkbox.value, $environment.getProperty("idp.cookie.maxAge","31536000")); + } else { + eraseCookie(checkbox.name); + } +} diff --git a/views/user-prefs.vm b/views/user-prefs.vm new file mode 100644 index 0000000..8de0503 --- /dev/null +++ b/views/user-prefs.vm @@ -0,0 +1,60 @@ +## +## Velocity Template for user preferences view +## +## Velocity context will contain the following properties +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## + + + + + + #springMessageText("idp.userprefs.title", "Web Login Service") - #springMessageText("idp.userprefs.title.suffix", "Login Preferences") + + + + +
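Review bot: the heading line uses `#springMessage("idp.title.suffix", "Error")` while the page-title line and every other template use `#springMessageText(code, default)`. If `#springMessage` accepts only the code, the second argument is ignored and a missing `idp.title.suffix` key raises instead of falling back to "Error"; `#springMessageText("idp.title.suffix", "Error")` matches the rest of the file. The default text "Web Login Sevice" (twice in this file) is also misspelt; the other views spell it "Web Login Service".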
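Review bot: `createCookie` writes `document.cookie = name + "=" + value + expires + path` with no `Secure` or `SameSite` attribute. Cookies the IdP sets server-side get whatever flags its own cookie configuration applies, but this one is written by browser script, so it has to carry the attributes itself or it will be sent over plain HTTP and in cross-site requests; suggest `var secure = (location.protocol === "https:") ? "; secure" : "";` followed by `document.cookie = name + "=" + value + expires + path + secure + "; SameSite=Lax";`. The `idp.cookie.path` and `idp.cookie.maxAge` values are interpolated by Velocity straight into a JS string literal and a numeric argument, so a value containing a quote or non-numeric text would break the script — deployer-controlled, but worth a comment at the top of the file. Minor style: the loose `==` comparisons and `var` declarations could be `===` and `let`/`const`.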
+
+
+ #springMessageText( +

#springMessageText("idp.title", "Web Login Service") - #springMessageText("idp.userprefs.title.suffix", "Login Preferences")

+

+ #springMessage("idp.userprefs.info") +

+
+ + + + +
+ + +
+ + +