From ccf6798e741fc1f83d0c3f6ecfbc48c0d48b560e Mon Sep 17 00:00:00 2001 
From: Paul Caskey Date: Thu, 3 Aug 2017 17:37:52 -0500 Subject: [PATCH] initial commit --- README.md | 4 +- conf/access-control.xml | 68 ++++ conf/admin/general-admin.xml | 53 ++++ conf/admin/metrics.xml | 129 ++++++++ conf/attribute-filter.xml | 45 +++ conf/attribute-resolver-full.xml | 292 ++++++++++++++++++ conf/attribute-resolver-ldap.xml | 94 ++++++ conf/attribute-resolver.xml | 86 ++++++ conf/audit.xml | 32 ++ conf/authn/authn-comparison.xml | 77 +++++ conf/authn/authn-events-flow.xml | 21 ++ conf/authn/duo-authn-config.xml | 25 ++ conf/authn/duo.properties | 9 + conf/authn/external-authn-config.xml | 70 +++++ conf/authn/general-authn.xml | 156 ++++++++++ conf/authn/ipaddress-authn-config.xml | 37 +++ conf/authn/jaas-authn-config.xml | 27 ++ conf/authn/jaas.config | 11 + conf/authn/krb5-authn-config.xml | 31 ++ conf/authn/ldap-authn-config.xml | 135 ++++++++ conf/authn/mfa-authn-config.xml | 99 ++++++ conf/authn/password-authn-config.xml | 121 ++++++++ conf/authn/remoteuser-authn-config.xml | 75 +++++ .../remoteuser-internal-authn-config.xml | 63 ++++ conf/authn/spnego-authn-config.xml | 74 +++++ conf/authn/x509-authn-config.xml | 44 +++ conf/authn/x509-internal-authn-config.xml | 21 ++ .../attribute-sourced-subject-c14n-config.xml | 44 +++ conf/c14n/simple-subject-c14n-config.xml | 27 ++ conf/c14n/subject-c14n-events-flow.xml | 22 ++ conf/c14n/subject-c14n.xml | 109 +++++++ conf/c14n/x500-subject-c14n-config.xml | 37 +++ conf/cas-protocol.xml | 84 +++++ conf/credentials.xml | 65 ++++ conf/errors.xml | 120 +++++++ conf/global.xml | 53 ++++ conf/idp.properties | 195 ++++++++++++ conf/intercept/consent-intercept-config.xml | 136 ++++++++ .../context-check-intercept-config.xml | 42 +++ .../expiring-password-intercept-config.xml | 37 +++ conf/intercept/intercept-events-flow.xml | 21 ++ conf/intercept/profile-intercept.xml | 38 +++ conf/ldap.properties | 63 ++++ conf/logback.xml | 186 +++++++++++ conf/metadata-providers.xml | 67 ++++ conf/mvc-beans.xml | 23 ++ 
conf/relying-party.xml | 70 +++++ conf/saml-nameid.properties | 35 +++ conf/saml-nameid.xml | 62 ++++ conf/services.properties | 65 ++++ conf/services.xml | 144 +++++++++ conf/session-manager.xml | 45 +++ credentials/idp-backchannel.crt | 20 ++ credentials/idp-backchannel.p12 | Bin 0 -> 2596 bytes credentials/idp-encryption.crt | 20 ++ credentials/idp-encryption.key | 27 ++ credentials/idp-signing.crt | 20 ++ credentials/idp-signing.key | 27 ++ credentials/idp-userfacing.p12 | Bin 0 -> 2596 bytes credentials/sealer.jks | Bin 0 -> 500 bytes credentials/sealer.kver | 2 + edit-webapp/css/consent.css | 150 +++++++++ edit-webapp/css/logout.css | 12 + edit-webapp/css/main.css | 165 ++++++++++ edit-webapp/images/dummylogo-mobile.png | Bin 0 -> 8208 bytes edit-webapp/images/dummylogo.png | Bin 0 -> 13742 bytes edit-webapp/images/failure-32x32.png | Bin 0 -> 2580 bytes edit-webapp/images/success-32x32.png | Bin 0 -> 2448 bytes messages/messages.properties | 2 + metadata/idp-metadata.xml | 219 +++++++++++++ views/client-storage/client-storage-read.vm | 53 ++++ views/client-storage/client-storage-write.vm | 53 ++++ views/duo.vm | 83 +++++ views/error.vm | 73 +++++ views/intercept/attribute-release.vm | 158 ++++++++++ views/intercept/expiring-password.vm | 54 ++++ views/intercept/terms-of-use.vm | 67 ++++ views/login-error.vm | 24 ++ views/login.vm | 140 +++++++++ views/logout-complete.vm | 59 ++++ views/logout-propagate.vm | 58 ++++ views/logout.vm | 91 ++++++ views/spnego-unavailable.vm | 49 +++ views/user-prefs.js | 45 +++ views/user-prefs.vm | 60 ++++ 85 files changed, 5418 insertions(+), 2 deletions(-) create mode 100644 conf/access-control.xml create mode 100644 conf/admin/general-admin.xml create mode 100644 conf/admin/metrics.xml create mode 100644 conf/attribute-filter.xml create mode 100644 conf/attribute-resolver-full.xml create mode 100644 conf/attribute-resolver-ldap.xml create mode 100644 conf/attribute-resolver.xml create mode 100644 conf/audit.xml create mode 
100644 conf/authn/authn-comparison.xml create mode 100644 conf/authn/authn-events-flow.xml create mode 100644 conf/authn/duo-authn-config.xml create mode 100644 conf/authn/duo.properties create mode 100644 conf/authn/external-authn-config.xml create mode 100644 conf/authn/general-authn.xml create mode 100644 conf/authn/ipaddress-authn-config.xml create mode 100644 conf/authn/jaas-authn-config.xml create mode 100644 conf/authn/jaas.config create mode 100644 conf/authn/krb5-authn-config.xml create mode 100644 conf/authn/ldap-authn-config.xml create mode 100644 conf/authn/mfa-authn-config.xml create mode 100644 conf/authn/password-authn-config.xml create mode 100644 conf/authn/remoteuser-authn-config.xml create mode 100644 conf/authn/remoteuser-internal-authn-config.xml create mode 100644 conf/authn/spnego-authn-config.xml create mode 100644 conf/authn/x509-authn-config.xml create mode 100644 conf/authn/x509-internal-authn-config.xml create mode 100644 conf/c14n/attribute-sourced-subject-c14n-config.xml create mode 100644 conf/c14n/simple-subject-c14n-config.xml create mode 100644 conf/c14n/subject-c14n-events-flow.xml create mode 100644 conf/c14n/subject-c14n.xml create mode 100644 conf/c14n/x500-subject-c14n-config.xml create mode 100644 conf/cas-protocol.xml create mode 100644 conf/credentials.xml create mode 100644 conf/errors.xml create mode 100644 conf/global.xml create mode 100644 conf/idp.properties create mode 100644 conf/intercept/consent-intercept-config.xml create mode 100644 conf/intercept/context-check-intercept-config.xml create mode 100644 conf/intercept/expiring-password-intercept-config.xml create mode 100644 conf/intercept/intercept-events-flow.xml create mode 100644 conf/intercept/profile-intercept.xml create mode 100644 conf/ldap.properties create mode 100644 conf/logback.xml create mode 100644 conf/metadata-providers.xml create mode 100644 conf/mvc-beans.xml create mode 100644 conf/relying-party.xml create mode 100644 conf/saml-nameid.properties 
create mode 100644 conf/saml-nameid.xml create mode 100644 conf/services.properties create mode 100644 conf/services.xml create mode 100644 conf/session-manager.xml create mode 100644 credentials/idp-backchannel.crt create mode 100644 credentials/idp-backchannel.p12 create mode 100644 credentials/idp-encryption.crt create mode 100644 credentials/idp-encryption.key create mode 100644 credentials/idp-signing.crt create mode 100644 credentials/idp-signing.key create mode 100644 credentials/idp-userfacing.p12 create mode 100644 credentials/sealer.jks create mode 100644 credentials/sealer.kver create mode 100644 edit-webapp/css/consent.css create mode 100644 edit-webapp/css/logout.css create mode 100644 edit-webapp/css/main.css create mode 100644 edit-webapp/images/dummylogo-mobile.png create mode 100644 edit-webapp/images/dummylogo.png create mode 100644 edit-webapp/images/failure-32x32.png create mode 100644 edit-webapp/images/success-32x32.png create mode 100644 messages/messages.properties create mode 100644 metadata/idp-metadata.xml create mode 100644 views/client-storage/client-storage-read.vm create mode 100644 views/client-storage/client-storage-write.vm create mode 100644 views/duo.vm create mode 100644 views/error.vm create mode 100644 views/intercept/attribute-release.vm create mode 100644 views/intercept/expiring-password.vm create mode 100644 views/intercept/terms-of-use.vm create mode 100644 views/login-error.vm create mode 100644 views/login.vm create mode 100644 views/logout-complete.vm create mode 100644 views/logout-propagate.vm create mode 100644 views/logout.vm create mode 100644 views/spnego-unavailable.vm create mode 100644 views/user-prefs.js create mode 100644 views/user-prefs.vm diff --git a/README.md b/README.md index f26284c..84ef433 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ ## Purpose -This project contains the configuration tree (structure) for Shibboleth IDP. The are various usage scenarios throughout the build, test, deploy cycle that warrant this abstraction +This project contains the configuration tree (structure) for Shibboleth IDP on Windows. The are various usage scenarios throughout the build, test, deploy cycle that warrant this abstraction of the configuration tree. There is a separate repository for the Docker Image which is responsible for building the runtime environment and pulling the configuration trees housed here to complete a deployment. @@ -11,4 +11,4 @@ to complete a deployment. * `test` branch * Internal Testing - (TEST) branch/repo that uses the "test bed" which is something that I2 provides (LDAP) and an element to make all integrations. Appropriate for Jenkins and testing environments * `release` branch - * External Testing - (RELEASE) branch/repo (ultimately will live in Subversion?) for end users + * External Testing - (RELEASE) branch/repo \ No newline at end of file diff --git a/conf/access-control.xml b/conf/access-control.xml new file mode 100644 index 0000000..a9184e6 --- /dev/null +++ b/conf/access-control.xml @@ -0,0 +1,68 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/conf/admin/general-admin.xml b/conf/admin/general-admin.xml new file mode 100644 index 0000000..9b3b180 --- /dev/null +++ b/conf/admin/general-admin.xml @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/admin/metrics.xml b/conf/admin/metrics.xml new file mode 100644 index 0000000..f9b5c16 --- /dev/null +++ b/conf/admin/metrics.xml @@ -0,0 +1,129 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/attribute-filter.xml b/conf/attribute-filter.xml new file mode 100644 index 0000000..f8c41ba --- /dev/null +++ b/conf/attribute-filter.xml 
@@ -0,0 +1,45 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/attribute-resolver-full.xml b/conf/attribute-resolver-full.xml new file mode 100644 index 0000000..4681b64 --- /dev/null +++ b/conf/attribute-resolver-full.xml @@ -0,0 +1,292 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/attribute-resolver-ldap.xml b/conf/attribute-resolver-ldap.xml new file mode 100644 index 0000000..ec79de9 --- /dev/null +++ b/conf/attribute-resolver-ldap.xml @@ -0,0 +1,94 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/attribute-resolver.xml b/conf/attribute-resolver.xml new file mode 100644 index 0000000..d752e07 --- /dev/null +++ b/conf/attribute-resolver.xml @@ -0,0 +1,86 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + uid + + + + + + + + + + + + + + + + + member + + + + diff --git a/conf/audit.xml b/conf/audit.xml new file mode 100644 index 0000000..22949fd --- /dev/null +++ b/conf/audit.xml @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + http://shibboleth.net/ns/profiles/status + + + diff --git a/conf/authn/authn-comparison.xml b/conf/authn/authn-comparison.xml new file mode 100644 index 0000000..f167b7a --- /dev/null +++ b/conf/authn/authn-comparison.xml @@ -0,0 +1,77 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified + + + diff --git a/conf/authn/authn-events-flow.xml b/conf/authn/authn-events-flow.xml new file mode 100644 index 0000000..36d62a1 --- /dev/null +++ b/conf/authn/authn-events-flow.xml @@ -0,0 +1,21 @@ + + + + + + + + + diff --git a/conf/authn/duo-authn-config.xml b/conf/authn/duo-authn-config.xml new file mode 100644 index 0000000..0a48152 --- /dev/null +++ b/conf/authn/duo-authn-config.xml @@ -0,0 +1,25 @@ + + + + + + diff --git a/conf/authn/duo.properties b/conf/authn/duo.properties new file mode 100644 index 0000000..2ca71ee 
--- /dev/null +++ b/conf/authn/duo.properties @@ -0,0 +1,9 @@ +# Duo integration settings + +# Note: If upgrading from pre-3.3 IdP versions, you will need to manually add a pointer +# to this property file to idp.properties. + +idp.duo.apiHost = hostname +idp.duo.applicationKey = key +idp.duo.integrationKey = key +idp.duo.secretKey = key diff --git a/conf/authn/external-authn-config.xml b/conf/authn/external-authn-config.xml new file mode 100644 index 0000000..8b3a159 --- /dev/null +++ b/conf/authn/external-authn-config.xml @@ -0,0 +1,70 @@ + + + + + + + + + + + + + + + + + + UnknownUsername + + + + + InvalidPassword + + + + + ExpiredPassword + + + + + ExpiringPassword + + + + + diff --git a/conf/authn/general-authn.xml b/conf/authn/general-authn.xml new file mode 100644 index 0000000..ac55bbb --- /dev/null +++ b/conf/authn/general-authn.xml @@ -0,0 +1,156 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + + + + diff --git a/conf/authn/ipaddress-authn-config.xml b/conf/authn/ipaddress-authn-config.xml new file mode 100644 index 0000000..a3ee096 --- /dev/null +++ b/conf/authn/ipaddress-authn-config.xml @@ -0,0 +1,37 @@ + + + + + + + + + + + + + + + diff --git a/conf/authn/jaas-authn-config.xml b/conf/authn/jaas-authn-config.xml new file mode 100644 index 0000000..daef4d2 --- /dev/null +++ b/conf/authn/jaas-authn-config.xml @@ -0,0 +1,27 @@ + + + + + + + + + + + ShibUserPassAuth + + + + + diff --git a/conf/authn/jaas.config b/conf/authn/jaas.config new file mode 100644 index 0000000..232e93d --- /dev/null +++ b/conf/authn/jaas.config @@ -0,0 +1,11 @@ +ShibUserPassAuth { + /* + com.sun.security.auth.module.Krb5LoginModule required; + */ + + org.ldaptive.jaas.LdapLoginModule required + ldapUrl="ldap://localhost:10389" + baseDn="ou=people,dc=example,dc=org" + userFilter="uid={user}"; + +}; \ No newline at end of file 
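Review bot: `idp.duo.secretKey`, `idp.duo.applicationKey` and `idp.duo.integrationKey` are placed in this tracked configuration tree with the placeholder value `key`, and the README describes this repository as the tree a Docker image pulls at deploy time, so the natural next step of filling them in would put the real Duo secrets into repository history and into every built image. Keep the placeholders here but load the live values from a file that is not versioned — e.g. append `%{idp.home}/conf/authn/duo-secrets.properties` to `idp.additionalProperties` and add that path to `.gitignore` — or inject them as environment-backed properties at container start. As far as I understand the Duo Web integration, `secretKey` and `applicationKey` are the shared secrets that authenticate the second-factor exchange, so they warrant the same handling as the IdP's private keys rather than ordinary settings.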
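Review bot: `ldapUrl="ldap://localhost:10389"` in `ShibUserPassAuth` is a plaintext LDAP URL and the `LdapLoginModule` options shown (`ldapUrl`, `baseDn`, `userFilter`) enable no StartTLS, so if this JAAS flow is ever activated the user's password would be sent to the directory in the clear on any hop that is not truly loopback — and the containerised deployment the README describes makes a non-local directory likely. Add `useStartTLS="true"` (or switch to an `ldaps://` URL) plus a trust anchor to the module options, mirroring the TLS settings used in `ldap.properties`, e.g. `ldapUrl="ldap://localhost:10389" useStartTLS="true"`. The module also defaults to a simple bind with the resolved DN, so the same concern applies to every authentication, not just the search.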
diff --git a/conf/authn/krb5-authn-config.xml b/conf/authn/krb5-authn-config.xml new file mode 100644 index 0000000..d3590a2 --- /dev/null +++ b/conf/authn/krb5-authn-config.xml @@ -0,0 +1,31 @@ + + + + + + + + + + + + + diff --git a/conf/authn/ldap-authn-config.xml b/conf/authn/ldap-authn-config.xml new file mode 100644 index 0000000..56d1bc7 --- /dev/null +++ b/conf/authn/ldap-authn-config.xml @@ -0,0 +1,135 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/authn/mfa-authn-config.xml b/conf/authn/mfa-authn-config.xml new file mode 100644 index 0000000..ef3b80e --- /dev/null +++ b/conf/authn/mfa-authn-config.xml @@ -0,0 +1,99 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/authn/password-authn-config.xml b/conf/authn/password-authn-config.xml new file mode 100644 index 0000000..f27051b --- /dev/null +++ b/conf/authn/password-authn-config.xml @@ -0,0 +1,121 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + NoCredentials + CLIENT_NOT_FOUND + Client not found + DN_RESOLUTION_FAILURE + + + + + InvalidCredentials + PREAUTH_FAILED + INVALID_CREDENTIALS + Checksum failed + + + + + AccountLocked + Clients credentials have been revoked + + + + + PASSWORD_EXPIRED + + + + + ACCOUNT_WARNING + + + + + + + + diff --git a/conf/authn/remoteuser-authn-config.xml b/conf/authn/remoteuser-authn-config.xml new file mode 100644 index 0000000..4b7e722 --- /dev/null +++ b/conf/authn/remoteuser-authn-config.xml @@ -0,0 +1,75 @@ + + + + + + + + + + + + + + + + + + NoCredentials + + + + + UnknownUsername + + + + + InvalidPassword + + + + + ExpiredPassword + + + + + ExpiringPassword + + + + + diff --git a/conf/authn/remoteuser-internal-authn-config.xml b/conf/authn/remoteuser-internal-authn-config.xml new file mode 100644 index 0000000..9e68c85 --- /dev/null 
+++ b/conf/authn/remoteuser-internal-authn-config.xml @@ -0,0 +1,63 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/authn/spnego-authn-config.xml b/conf/authn/spnego-authn-config.xml new file mode 100644 index 0000000..07563b9 --- /dev/null +++ b/conf/authn/spnego-authn-config.xml @@ -0,0 +1,74 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SPNEGONotAvailable + + + + + NTLMUnsupported + + + + + diff --git a/conf/authn/x509-authn-config.xml b/conf/authn/x509-authn-config.xml new file mode 100644 index 0000000..18b015a --- /dev/null +++ b/conf/authn/x509-authn-config.xml @@ -0,0 +1,44 @@ + + + + + + + + + + + + + NoCredentials + InvalidCredentials + + + + + diff --git a/conf/authn/x509-internal-authn-config.xml b/conf/authn/x509-internal-authn-config.xml new file mode 100644 index 0000000..bad3029 --- /dev/null +++ b/conf/authn/x509-internal-authn-config.xml @@ -0,0 +1,21 @@ + + + + + + diff --git a/conf/c14n/attribute-sourced-subject-c14n-config.xml b/conf/c14n/attribute-sourced-subject-c14n-config.xml new file mode 100644 index 0000000..938b30f --- /dev/null +++ b/conf/c14n/attribute-sourced-subject-c14n-config.xml @@ -0,0 +1,44 @@ + + + + + + altuid + + + + + altuid + + + + + + + + + + + + + diff --git a/conf/c14n/simple-subject-c14n-config.xml b/conf/c14n/simple-subject-c14n-config.xml new file mode 100644 index 0000000..3cddfa6 --- /dev/null +++ b/conf/c14n/simple-subject-c14n-config.xml @@ -0,0 +1,27 @@ + + + + + + + + + + + + + + diff --git a/conf/c14n/subject-c14n-events-flow.xml b/conf/c14n/subject-c14n-events-flow.xml new file mode 100644 index 0000000..c8e7220 --- /dev/null +++ b/conf/c14n/subject-c14n-events-flow.xml @@ -0,0 +1,22 @@ + + + + + + + + + + diff --git a/conf/c14n/subject-c14n.xml b/conf/c14n/subject-c14n.xml new file mode 100644 index 0000000..16fc6f1 --- /dev/null +++ b/conf/c14n/subject-c14n.xml 
@@ -0,0 +1,109 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName + urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName + urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos + + + + + + + + + + + + + + + + + diff --git a/conf/c14n/x500-subject-c14n-config.xml b/conf/c14n/x500-subject-c14n-config.xml new file mode 100644 index 0000000..1ae25e4 --- /dev/null +++ b/conf/c14n/x500-subject-c14n-config.xml @@ -0,0 +1,37 @@ + + + + + + + + + + + 2.5.4.3 + + + + + + + + + + + + + diff --git a/conf/cas-protocol.xml b/conf/cas-protocol.xml new file mode 100644 index 0000000..d0b3d55 --- /dev/null +++ b/conf/cas-protocol.xml @@ -0,0 +1,84 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/conf/credentials.xml b/conf/credentials.xml new file mode 100644 index 0000000..7462879 --- /dev/null +++ b/conf/credentials.xml @@ -0,0 +1,65 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/errors.xml b/conf/errors.xml new file mode 100644 index 0000000..5de522f --- /dev/null +++ b/conf/errors.xml @@ -0,0 +1,120 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/global.xml b/conf/global.xml new file mode 100644 index 0000000..60562e3 --- /dev/null +++ b/conf/global.xml @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + + diff --git a/conf/idp.properties b/conf/idp.properties new file mode 100644 index 0000000..1a77f4a --- /dev/null +++ b/conf/idp.properties 
@@ -0,0 +1,195 @@
+# Load any additional property resources from a comma-delimited list
+idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties
+
+# Set the entityID of the IdP
+idp.entityID= https://shibboleth.example.org/idp/shibboleth
+
+# Set the scope used in the attribute resolver for scoped attributes
+idp.scope= example.org
+
+# General cookie properties (maxAge only applies to persistent cookies)
+#idp.cookie.secure = false
+#idp.cookie.httpOnly = true
+#idp.cookie.domain =
+#idp.cookie.path =
+#idp.cookie.maxAge = 31536000
+
+# Set the location of user-supplied web flow definitions
+#idp.webflows = %{idp.home}/flows
+
+# Set the location of Velocity view templates
+#idp.views = %{idp.home}/views
+
+# Settings for internal AES encryption key
+#idp.sealer.storeType = JCEKS
+#idp.sealer.updateInterval = PT15M
+#idp.sealer.aliasBase = secret
+idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
+idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
+idp.sealer.storePassword= password
+idp.sealer.keyPassword= password
+
+# Settings for public/private signing and encryption key(s)
+# During decryption key rollover, point the ".2" properties at a second
+# keypair, uncomment in credentials.xml, then publish it in your metadata.
+idp.signing.key= %{idp.home}/credentials/idp-signing.key
+idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
+idp.encryption.key= %{idp.home}/credentials/idp-encryption.key
+idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
+#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
+#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
+
+# Sets the bean ID to use as a default security configuration set
+#idp.security.config = shibboleth.DefaultSecurityConfiguration
+
+# To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1
+#idp.signing.config = shibboleth.SigningConfiguration.SHA256
+
+# Configures trust evaluation of keys used by services at runtime
+# Defaults to supporting both explicit key and PKIX using SAML metadata.
+#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
+# To pick only one set to one of:
+# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
+#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
+# To pick only one set to one of:
+# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine
+
+# If true, encryption will happen whenever a key to use can be located, but
+# failure to encrypt won't result in request failure.
+#idp.encryption.optional = false
+
+# Configuration of client- and server-side storage plugins
+#idp.storage.cleanupInterval = PT10M
+#idp.storage.htmlLocalStorage = false
+
+# Set to true to expose more detailed errors in responses to SPs
+#idp.errors.detailed = false
+# Set to false to skip signing of SAML response messages that signal errors
+#idp.errors.signed = true
+# Name of bean containing a list of Java exception classes to ignore
+#idp.errors.excludedExceptions = ExceptionClassListBean
+# Name of bean containing a property set mapping exception names to views
+#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
+# Set if a different default view name for events and exceptions is needed
+#idp.errors.defaultView = error
+
+# Set to false to disable the IdP session layer
+#idp.session.enabled = true
+
+# Set to "shibboleth.StorageService" for server-side storage of user sessions
+#idp.session.StorageService = shibboleth.ClientSessionStorageService
+
+# Size of session IDs
+#idp.session.idSize = 32
+# Bind sessions to IP addresses
+#idp.session.consistentAddress = true
+# Inactivity timeout
+#idp.session.timeout = PT60M
+# Extra time to store sessions for logout
+#idp.session.slop = PT0S
+# Tolerate storage-related errors
+#idp.session.maskStorageFailure = false
+# Track information about SPs logged into
+#idp.session.trackSPSessions = false
+# Support lookup by SP for SAML logout
+#idp.session.secondaryServiceIndex = false
+# Length of time to track SP sessions
+#idp.session.defaultSPlifetime = PT2H
+
+# Regular expression matching login flows to enable, e.g. IPAddress|Password
+idp.authn.flows= Password
+
+# Regular expression of forced "initial" methods when no session exists,
+# usually in conjunction with the idp.authn.resolveAttribute property below.
+#idp.authn.flows.initial = Password
+
+# Set to an attribute ID to resolve prior to selecting authentication flows;
+# its values are used to filter the flows to allow.
+#idp.authn.resolveAttribute = eduPersonAssurance
+
+# Default lifetime and timeout of various authentication methods
+#idp.authn.defaultLifetime = PT60M
+#idp.authn.defaultTimeout = PT30M
+
+# Whether to populate relying party user interface information for display
+# during authentication, consent, terms-of-use.
+#idp.authn.rpui = true
+
+# Whether to prioritize "active" results when an SP requests more than
+# one possible matching login method (V2 behavior was to favor them)
+#idp.authn.favorSSO = false
+
+# Whether to fail requests when a user identity after authentication
+# doesn't match the identity in a pre-existing session.
+#idp.authn.identitySwitchIsError = false
+
+# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
+#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
+
+# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
+# to key user consent storage records (and set the attribute name)
+#idp.consent.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
+#idp.consent.userStorageKeyAttribute = uid
+
+# Flags controlling how built-in attribute consent feature operates
+#idp.consent.allowDoNotRemember = true
+#idp.consent.allowGlobal = true
+#idp.consent.allowPerAttribute = false
+
+# Whether attribute values and terms of use text are compared
+#idp.consent.compareValues = false
+# Maximum number of consent records for space-limited storage (e.g. cookies)
+#idp.consent.maxStoredRecords = 10
+# Maximum number of consent records for larger/server-side storage (0 = no limit)
+#idp.consent.expandedMaxStoredRecords = 0
+
+# Time in milliseconds to expire consent storage records.
+#idp.consent.storageRecordLifetime = P1Y
+
+# Whether to lookup metadata, etc. for every SP involved in a logout
+# for use by user interface logic; adds overhead so off by default.
+#idp.logout.elaboration = false
+
+# Whether to require logout requests/responses be signed/authenticated.
+#idp.logout.authenticated = true
+
+# Message freshness and replay cache tuning
+#idp.policy.messageLifetime = PT3M
+#idp.policy.clockSkew = PT3M
+
+# Set to custom bean for alternate storage of replay cache
+#idp.replayCache.StorageService = shibboleth.StorageService
+
+# Toggles whether to allow outbound messages via SAML artifact
+#idp.artifact.enabled = true
+# Suppresses typical signing/encryption when artifact binding used
+#idp.artifact.secureChannel = true
+# May differ to direct SAML 2 artifact lookups to specific server nodes
+#idp.artifact.endpointIndex = 2
+# Set to custom bean for alternate storage of artifact map state
+#idp.artifact.StorageService = shibboleth.StorageService
+
+# Comma-delimited languages to use if not match can be found with the
+# browser-supported languages, defaults to an empty list.
+idp.ui.fallbackLanguages= en,fr,de
+
+# Storage service used by CAS protocol
+# Defaults to shibboleth.StorageService (in-memory)
+# MUST be server-side storage (e.g. in-memory, memcached, database)
+# NOTE that idp.session.StorageService requires server-side storage
+# when CAS protocol is enabled
+#idp.cas.StorageService=shibboleth.StorageService
+
+# CAS service registry implementation class
+#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry
+
+# Profile flows in which the ProfileRequestContext should be exposed
+# in servlet request under the key "opensamlProfileRequestContext"
+#idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO
+
+# F-TICKS auditing - set a salt to include hashed username
+#idp.fticks.federation=MyFederation
+#idp.fticks.algorithm=SHA-256
+#idp.fticks.salt=somethingsecret
+#idp.fticks.loghost=localhost
+#idp.fticks.logport=514
diff --git a/conf/intercept/consent-intercept-config.xml b/conf/intercept/consent-intercept-config.xml
new file mode 100644
index 0000000..ca183a7
--- /dev/null
+++ b/conf/intercept/consent-intercept-config.xml
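Review bot: `idp.sealer.storePassword= password` and `idp.sealer.keyPassword= password` are the distribution defaults, and the diffstat in this same patch lists `credentials/sealer.jks`, `credentials/idp-signing.key` and `credentials/idp-encryption.key` as committed, so anyone with read access to this repository holds the key that seals IdP session and consent cookies together with the SAML signing and decryption private keys. Move the private keys and the sealer store out of the tree (or at minimum treat them as test-only and rotate before any other use) and supply the two passwords from an unversioned property file or environment variable, leaving only `#idp.sealer.storePassword=` / `#idp.sealer.keyPassword=` placeholders here. Separately, `#idp.cookie.secure = false` is left at its default even though `idp.entityID` is an HTTPS URL and a SAML IdP is only ever served over TLS; set `idp.cookie.secure = true` so the session and consent cookies can never be replayed over plain HTTP. The README says this tree also feeds the `release` branch, so these test-bed defaults should not be assumed to stay confined to testing.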
@@ -0,0 +1,136 @@ + + + + + + + + + + + + + + + + + + + + + transientId + persistentId + eduPersonTargetedID + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/conf/intercept/context-check-intercept-config.xml b/conf/intercept/context-check-intercept-config.xml new file mode 100644 index 0000000..809f1d4 --- /dev/null +++ b/conf/intercept/context-check-intercept-config.xml @@ -0,0 +1,42 @@ + + + + + + + + + + + + + + * + + + + + + + + + + \ No newline at end of file diff --git a/conf/intercept/expiring-password-intercept-config.xml b/conf/intercept/expiring-password-intercept-config.xml new file mode 100644 index 0000000..5447b16 --- /dev/null +++ b/conf/intercept/expiring-password-intercept-config.xml @@ -0,0 +1,37 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/conf/intercept/intercept-events-flow.xml b/conf/intercept/intercept-events-flow.xml new file mode 100644 index 0000000..315c258 --- /dev/null +++ b/conf/intercept/intercept-events-flow.xml @@ -0,0 +1,21 @@ + + + + + + + + + diff --git a/conf/intercept/profile-intercept.xml b/conf/intercept/profile-intercept.xml new file mode 100644 index 0000000..4040a10 --- /dev/null +++ b/conf/intercept/profile-intercept.xml @@ -0,0 +1,38 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/conf/ldap.properties b/conf/ldap.properties new file mode 100644 index 0000000..37b270e --- /dev/null +++ b/conf/ldap.properties 
@@ -0,0 +1,63 @@
+# LDAP authentication configuration, see authn/ldap-authn-config.xml
+# Note, this doesn't apply to the use of JAAS
+
+## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
+#idp.authn.LDAP.authenticator = anonSearchAuthenticator
+
+## Connection properties ##
+idp.authn.LDAP.ldapURL = ldap://localhost:10389
+#idp.authn.LDAP.useStartTLS = true
+#idp.authn.LDAP.useSSL = false
+# Time in milliseconds that connects will block
+#idp.authn.LDAP.connectTimeout = PT3S
+# Time in milliseconds to wait for responses
+#idp.authn.LDAP.responseTimeout = PT3S
+
+## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
+#idp.authn.LDAP.sslConfig = certificateTrust
+## If using certificateTrust above, set to the trusted certificate's path
+idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
+## If using keyStoreTrust above, set to the truststore path
+idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
+
+## Return attributes during authentication
+idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining
+
+## DN resolution properties ##
+
+# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
+# for AD: CN=Users,DC=example,DC=org
+idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
+#idp.authn.LDAP.subtreeSearch = false
+idp.authn.LDAP.userFilter = (uid={user})
+# bind search configuration
+# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
+idp.authn.LDAP.bindDN = uid=myservice,ou=system
+idp.authn.LDAP.bindDNCredential = myServicePassword
+
+# Format DN resolution, used by directAuthenticator, adAuthenticator
+# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
+idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=org
+
+# LDAP attribute configuration, see attribute-resolver.xml
+# Note, this likely won't apply to the use of legacy V2 resolver configurations
+idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
+idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout:PT3S}
+idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout:PT3S}
+idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined}
+idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN:undefined}
+idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}
+idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
+idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined}
+idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)
+
+# LDAP pool configuration, used for both authn and DN resolution
+#idp.pool.LDAP.minSize = 3
+#idp.pool.LDAP.maxSize = 10
+#idp.pool.LDAP.validateOnCheckout = false
+#idp.pool.LDAP.validatePeriodically = true
+#idp.pool.LDAP.validatePeriod = PT5M
+#idp.pool.LDAP.prunePeriod = PT5M
+#idp.pool.LDAP.idleTime = PT10M
+#idp.pool.LDAP.blockWaitTime = PT3S
+#idp.pool.LDAP.failFastInitialize = false
diff --git a/conf/logback.xml b/conf/logback.xml
new file mode 100644
index 0000000..104ec4c
--- /dev/null
+++ b/conf/logback.xml
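Review bot: `idp.authn.LDAP.bindDNCredential = myServicePassword` commits the directory service-account password to the tree, and `idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}` reuses it for attribute lookup, so one secret now covers both authentication and resolution and lives in repository history; supply it from an unversioned property file or environment variable and leave `idp.authn.LDAP.bindDNCredential =` as a placeholder here. `idp.authn.LDAP.ldapURL = ldap://localhost:10389` is a plaintext URL while `#idp.authn.LDAP.useStartTLS = true` stays commented, so whether user passwords and the bind credential are protected in transit rests on an implicit default; make it explicit with `idp.authn.LDAP.useStartTLS = true` (or an `ldaps://` URL with `idp.authn.LDAP.useSSL = true`). Note also that `idp.authn.LDAP.trustCertificates` points at `credentials/ldap-server.crt`, which is not among the files this commit adds, so with the implied `certificateTrust` mode a StartTLS connection would have no anchor to validate the directory's certificate against until that file is provided.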
@@ -0,0 +1,186 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ${idp.logfiles}/idp-process.log + + + ${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short} + + + + + + + VelocityStatusMatcher + ResourceManager : unable to find resource 'status.vm' in any resource loader. + + VelocityStatusMatcher.matches(formattedMessage) + + DENY + + + + + + 0 + + + + + + WARN + + + ${idp.logfiles}/idp-warn.log + + + ${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short} + + + + + + + VelocityStatusMatcher + ResourceManager : unable to find resource 'status.vm' in any resource loader. + + VelocityStatusMatcher.matches(formattedMessage) + + DENY + + + + + + ${idp.logfiles}/idp-audit.log + + + ${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %msg%n + + + + + + ${idp.logfiles}/idp-consent-audit.log + + + ${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory:-180} + + + + UTF-8 + %msg%n + + + + + + ${idp.fticks.loghost:-localhost} + ${idp.fticks.logport:-514} + AUTH + [%thread] %logger %msg + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/conf/metadata-providers.xml b/conf/metadata-providers.xml new file mode 100644 index 0000000..facc296 --- /dev/null +++ b/conf/metadata-providers.xml @@ -0,0 +1,67 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/mvc-beans.xml b/conf/mvc-beans.xml new file mode 100644 index 0000000..98d9bcd --- /dev/null +++ b/conf/mvc-beans.xml @@ -0,0 +1,23 @@ + + + + + + diff --git a/conf/relying-party.xml b/conf/relying-party.xml new file mode 100644 index 0000000..28c9193 --- /dev/null +++ b/conf/relying-party.xml 
@@ -0,0 +1,70 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/saml-nameid.properties b/conf/saml-nameid.properties new file mode 100644 index 0000000..8530c4f --- /dev/null +++ b/conf/saml-nameid.properties 
@@ -0,0 +1,35 @@
+# Properties involving SAML NameIdentifier/NameID generation/consumption
+
+# For the most part these settings only deal with "transient" and "persistent"
+# identifiers. See saml-nameid.xml and c14n/subject-c14n.xml for advanced
+# settings
+
+# Comment out to disable legacy NameID generation via Attribute Resolver
+#idp.nameid.saml2.legacyGenerator = shibboleth.LegacySAML2NameIDGenerator
+#idp.nameid.saml1.legacyGenerator = shibboleth.LegacySAML1NameIdentifierGenerator
+
+# Default NameID Formats to use when nothing else is called for.
+# Don't change these just to change the Format used for a single SP!
+#idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+#idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier
+
+# Set to shibboleth.StoredTransientIdGenerator for server-side transient ID storage
+#idp.transientId.generator = shibboleth.CryptoTransientIdGenerator
+
+# Persistent IDs can be computed on the fly with a hash, or managed in a database
+
+# For computed IDs, set a source attribute and a secret salt:
+#idp.persistentId.sourceAttribute = changethistosomethingreal
+#idp.persistentId.useUnfilteredAttributes = true
+# Do *NOT* share the salt with other people, it's like divulging your private key.
+#idp.persistentId.algorithm = SHA
+#idp.persistentId.salt = changethistosomethingrandom
+
+# To use a database, use shibboleth.StoredPersistentIdGenerator
+#idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
+# For basic use, set this to a JDBC DataSource bean name:
+#idp.persistentId.dataSource = PersistentIdDataSource
+# For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore
+#idp.persistentId.store = MyPersistentIdStore
+# Set to an empty property to skip hash-based generation of first stored ID
+#idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator
diff --git a/conf/saml-nameid.xml b/conf/saml-nameid.xml new file mode 100644 index 0000000..ea97448 --- /dev/null +++ b/conf/saml-nameid.xml @@ -0,0 +1,62 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/services.properties b/conf/services.properties new file mode 100644 index 0000000..eee86ee --- /dev/null +++ b/conf/services.properties 
@@ -0,0 +1,65 @@
+# Configure the resources to load for various services,
+# and the settings for failure handling and auto-reload.
+
+# failFast=true prevents IdP startup if a configuration is bad
+# checkInterval = PT0S means never reload (this is the default)
+
+# Global default for fail-fast behavior of most subsystems
+# with individual override possible below.
+#idp.service.failFast = false
+
+#idp.service.logging.resource = %{idp.home}/conf/logback.xml
+#idp.service.logging.failFast = true
+idp.service.logging.checkInterval = PT5M
+
+# Set to shibboleth.LegacyRelyingPartyResolverResources with legacy V2 relying-party.xml
+#idp.service.relyingparty.resources = shibboleth.RelyingPartyResolverResources
+#idp.service.relyingparty.failFast = false
+idp.service.relyingparty.checkInterval = PT15M
+
+#idp.service.metadata.resources = shibboleth.MetadataResolverResources
+#idp.service.metadata.failFast = false
+#idp.service.metadata.checkInterval = PT0S
+
+#idp.service.attribute.resolver.resources = shibboleth.AttributeResolverResources
+#idp.service.attribute.resolver.failFast = false
+idp.service.attribute.resolver.checkInterval = PT15M
+#idp.service.attribute.resolver.maskFailures = true
+
+#idp.service.attribute.filter.resources = shibboleth.AttributeFilterResources
+# NOTE: Failing the filter fast leaves no filters enabled.
+#idp.service.attribute.filter.failFast = false
+idp.service.attribute.filter.checkInterval = PT15M
+#idp.service.attribute.filter.maskFailures = true
+
+#idp.service.nameidGeneration.resources = shibboleth.NameIdentifierGenerationResources
+#idp.service.nameidGeneration.failFast = false
+idp.service.nameidGeneration.checkInterval = PT15M
+
+#idp.service.access.resources = shibboleth.AccessControlResources
+#idp.service.access.failFast = true
+idp.service.access.checkInterval = PT5M
+
+#idp.service.cas.registry.resources = shibboleth.CASServiceRegistryResources
+#idp.service.cas.registry.failFast = false
+idp.service.cas.registry.checkInterval = PT15M
+
+#idp.message.resources = shibboleth.MessageSourceResources
+#idp.message.cacheSeconds = 300
+
+# Parameters for pre-defined HttpClient instances which perform in-memory and filesystem caching.
+# These are used with components such as remote configuration resources that are explicitly wired
+# with these client instances, *not* by default with HTTP metadata resolvers.
+#idp.httpclient.useTrustEngineTLSSocketFactory = false
+#idp.httpclient.useSecurityEnhancedTLSSocketFactory = false
+#idp.httpclient.connectionDisregardTLSCertificate = false
+#idp.httpclient.connectionRequestTimeout = 60000
+#idp.httpclient.connectionTimeout = 60000
+#idp.httpclient.socketTimeout = 60000
+#idp.httpclient.maxConnectionsTotal = 100
+#idp.httpclient.maxConnectionsPerRoute = 100
+#idp.httpclient.memorycaching.maxCacheEntries = 50
+#idp.httpclient.memorycaching.maxCacheEntrySize = 1048576
+#idp.httpclient.filecaching.maxCacheEntries = 100
+#idp.httpclient.filecaching.maxCacheEntrySize = 10485760
+idp.httpclient.filecaching.cacheDirectory = %{idp.home}/tmp/httpClientCache
\ No newline at end of file
diff --git a/conf/services.xml b/conf/services.xml
new file mode 100644
index 0000000..313b636
--- /dev/null
+++ b/conf/services.xml
@@ -0,0 +1,144 @@ + + + + + + + + + + + %{idp.home}/conf/relying-party.xml + %{idp.home}/conf/credentials.xml + %{idp.home}/system/conf/relying-party-system.xml + + + + + %{idp.home}/conf/relying-party.xml + %{idp.home}/system/conf/legacy-relying-party-defaults.xml + + + + %{idp.home}/conf/metadata-providers.xml + %{idp.home}/system/conf/metadata-providers-system.xml + + + + %{idp.home}/conf/attribute-resolver.xml + + + + %{idp.home}/conf/attribute-filter.xml + + + + %{idp.home}/conf/saml-nameid.xml + %{idp.home}/system/conf/saml-nameid-system.xml + + + + %{idp.home}/conf/access-control.xml + %{idp.home}/system/conf/access-control-system.xml + + + + %{idp.home}/conf/cas-protocol.xml + + + + + %{idp.home}/messages/messages + %{idp.home}/system/messages/messages + + + diff --git a/conf/session-manager.xml b/conf/session-manager.xml new file mode 100644 index 0000000..f195014 --- /dev/null +++ b/conf/session-manager.xml @@ -0,0 +1,45 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/credentials/idp-backchannel.crt b/credentials/idp-backchannel.crt new file mode 100644 index 0000000..752e5e0 --- /dev/null +++ b/credentials/idp-backchannel.crt 
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQzCCAiugAwIBAgIUbEZuLbKAcQzDND914sXQScSszvowDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWc2hpYmJvbGV0aC5leGFtcGxlLm9yZzAeFw0xNzA4MDMw
+MDA3NThaFw0zNzA4MDMwMDA3NThaMCExHzAdBgNVBAMMFnNoaWJib2xldGguZXhh
+bXBsZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVr8AhZKq+
+QA/5F8EGRcf7uXfcVpN654RdICgpgB/zjvOpT0Qnw+YBraOpAJASUiTR/Ub5LUdC
+cya0qzMlScNrcimli+GAPUbyUkhzkP5YD8ikAfKy0X0acU7CMXkBahR6kYqc3mQO
+zGiDQImvDzfoDdOxP+cNyNhyPMgXQgdoIJzQFK9MKztXeq67aJ8lvx1R28JkIzzh
+kbGadvEe+Sp+5QE8NrLg4gjOtgFAGmugeZDFF70bZCAIIdh0rbWxCOk4lLjPtOkM
+4ZCEwhTG4WHvFS8Jhhv2qpQ+V+r6ifrFwetH6NeksY03jovMTGKnJt2Zr2nw/kM0
+YdXXgdClb2kRAgMBAAGjczBxMB0GA1UdDgQWBBQ5Yz+7JDneVDLb6W+47+mzrKGS
+RTBQBgNVHREESTBHghZzaGliYm9sZXRoLmV4YW1wbGUub3Jnhi1odHRwczovL3No
+aWJib2xldGguZXhhbXBsZS5vcmcvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL
+BQADggEBAFFyKRdpd/TLaF0iL9E2dnmOmWCXqqp53/z5PNTHFbeeriK6PB3w0Q06
+0ECHdjIbVfRYt15bZowyfUb9oIq+mw/tAsZs/B5nQagAgk4EzHfh63QaPZE6hgvJ
+t4I543cOlcPvDWhGuSXij9F6euOz2ke9lL1G5gTtgWvI5QvsKTDoPVXbXtw2fS0P
+iXZWsBA/0o+2KJxs3zz4y8wpFyl5s3ms5cG4W4A5xZQrUU2yZPwG49uSky/QhWR5
+b3F0TgvqbRFFTM3i1j//9bqs5RRGtY/M+pDaCxk2e8r9NXMWRb+DBe3xCdKDTIyw
+ZhTW1E3Hl11KDNf7E3lJwHUQpADwFCQ=
+-----END CERTIFICATE-----
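Review bot: This certificate is a placeholder whose subject and subjectAltName decode (from the base64) to `shibboleth.example.org` and `https://shibboleth.example.org/idp/shibboleth`, with a validity window that appears to run from 2017 to 2037, and the same commit adds the matching private key as the binary `credentials/idp-backchannel.p12` together with the `credentials/sealer.jks` keystore. Private key and sealer material committed to the repository is only as secret as the repository's history, so whoever deploys this should regenerate both for the real entity before the IdP is reachable and exclude the generated files from version control rather than editing them in place. A short README entry or a comment in the commit description naming these as example.org placeholders that must be replaced would save the next maintainer from trusting them; the keystore passwords that pair with these files are not in this hunk, so I cannot tell from here whether they are tracked too.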
diff --git a/credentials/idp-backchannel.p12 b/credentials/idp-backchannel.p12 new file mode 100644 index 0000000000000000000000000000000000000000..0ecbe3393cae3f3be7b6d8a4f3ce880da4c04666 GIT binary patch literal 2596 zcmY+EcQ_mR8po4J%;H$LM_N=6n*^t|V$a&KVr!{Yqex@ajJ=|$Dm8Md)Lu18aH_;k z5w&TxHCkI;HQI2U``mlZbDrPxKJW8>zQ6bV^Mk-MUjqT@5O}6}dM1fPgTy0NAOnzy zXBq+HnFcO!F9Huq{zn7}1LGn0FL2;R`O&ldZ|f2>5Jbd-PZ4;!x2m}Uz@!&x=zv}dr5>E;0oQVF!wT5r@`k~`ZuIZc4K?UNrtI^0a{@9xA90Us zHP=nrga~`|5qlqUHhAyyF*e3;+ve6V7uPw3!;C3=DcKljJ+H_C&Av<(FFgx^KBd^1 zT{s&mZY#hV+-sZPzY>4$pAdYYV6NaYoPXny_oj)*js_7aQ0}mH;$VnhI{#>RCCJjf zSCl4S)e&<7659TroK4;MinIQk*HW*UwYH|=4z zVIN!G<$S_78dr%X2~W%;l@Q!AhjVtTX*E7<@nj@SyM_!G-8be z6|EH?N{@d!k}+aAthR%koqpx4_B;Cx^$1QZ ze|H46XLEJlr+9e}tiMHGa30_}?uluYNz+#om>MQK9YRlS*ZtwiDOZlVx!k#!CH;O$ zGNP2OTdkqc#O*F*e>%6Q!wSw6I1cL2)MQ=0-xJ)dAIo}sj7|NO@oa<{c&kJTM*IUV zOe$+~a+y7Aef5T5)X`chTL&1Ix&uHxzE-)voR(4$uYoU}qkPgR-p?6|Z_(ZOCC82&5AK0BybP4A(%cBuT^ps2Y@O7AN ze`iQKToa9-Xt@b!eOP(RhE`{T#qRK&b+wD$9=2xntbsj?YrENvX6Hs-i!5q(iEl)B zn6?Dlyp)&wZ31mPBu6y8+EBP}pCDRezjua?yj%)qe}4=lPXi|%l!9{ioTp88Tkydf zp@jwqWA8e&t+)w-0`0GMNIJ1I{Pl}Z2|_+uYI`ULjqWSlGyG3Hv^Rc9E`{XZJhrHy z#^=Lyphi0x-zlgu{f(!xQ|Cv)w%N&TYNG%={Aq7jWo~XU)xPFH`NIjvr_RX(l+c)I z!ziI7B3(E!0vc(l-ZNkEU{)(#``dVn*64QC+E=Pl1>8KSUBk*l!G%jDoPS2!P^Gx1 zjOLNX))#cQ2&0jAp!bCL^SHqy(t*ZlazRd@-ksagiLXhXg{odvEu@*7{)EQCyf>OFn8CXtQ%ljFg!2Z$xe~e}-yyoRf_nU|29y2^*2ks8{i6 zOyX|oXl0~YpL=lr8q1H~6=aZ1mWqTZ^k4e@6ZV<2(hq$s<5er8!5vt1qcRs0lWdXFJ1t^7jOrFy_jV#dMMx)zz=Zmzf9&L3j%l|1pi*Rq#29e4B zJV^A=r&JBwHP1*}s7~PWjeyi{T{k)N;9wX`pLU3x$P7q&M6Y7UHMJoP;G83~zT3f+ zE70wBFJ+$#%2`K$e;S$jk-Ed+A6(|&-IGsdBnHI@iM@dmLVQb5W-IXB{Cej(*Rn>x zei3gRq0HlwJ;VMQ!wL4S(SpbeiXKZI;oeP=e}&27ib3)6zy;o{afv3AIO4RP2`UgN z=BCTSk!o)Hd*4s2-Qrx1+;EC=W@NNDn38MD{PqPbDhg@0EP+le4V=gY`w@Ks_`ybwAmqPa85_d7qI+Ymic)+n|S=11%`D?kPQ)i z&eW_Gm76hpKT27POGIp`-^#1-Fi#oH6~<|19({;t)J$`7Zu42~lrukkOC9$|y$E^N zFeiSuSLYNwQ^JmsIMD_`PQ5NK3^4n=KX1C+ZU@2T9$Qe_wyk;6Sx275NgP$T&ASwd 
zO$`KsuuK>i$a`P1VnLpmZBcX8HzL0}#=9rUukXP&pQ}jd!lf^lbI(_**&D@m`^}Eb zmOaop1h!+*7kh>pZEU=2YEEBamh{NBUx%YHGOMOe>K#RMJh31k+E`B5j>bVyo+p*N zyOddfxE?v`#i*fbLL9{PpYk08pLyU6snE_GW-}~dt&8BE`0iFcdb*Lk-)~xz1?u}r98RwyQ z5?&C{@AW`B`>K^R>*6q_x&31iK|?}UQJdVTaLeT73AD_-=}r7=N0kqZmVSbvPm=?p zsnZ+R!$yYLA`Z&#We(>)cANX*{arP2F;&}9{^U-2bKk$sNac7EEOIMyHwYwtP|+K8 zhDkieV5RzX&YY=6Z>uqBVuQ33(_j;0vz_#6hFTRHtNd;Q6{rwuPvYu!eV2Bl5)f0a zC)V(+uk6Te$l4Y&y|>jy!tX$J5GaHof{7j?$wmi)LI7ZH5NWbjm&=ulu_ZW1+P|7K h%iyjK=6+mQFW%?)JWGzk8-O2!6*_^*g19E4*DKEddd_GRV#-xY*|2}s6)_TV_sHe8OC43gX86D*w-l}i(9*CELmr3g&V>UGR92&IkSs2fs)&`cV7vvbAno_dE9KVjucdaIv zVW&q;qQ|h9A%vr+g2q-7@i)lJ!|ZFnWv+!fiAEblrivEc&vW$9&xq#gRr8xhnP+mg z8tuGgtvH=7IP`Ef6}WrKoL7+XgK-qHckY$DOn%oeyI~njv|R$3(g73tsaC(=ZNA5V z7Sh+d`)=x1s9D@7JXN}jvF?6OK}oz$WYtlPMqA`pV9zqt(2_+lt3kQPrahpfXCJAM!$J)=bnBNVP~fba{KNw`a6Xazp?6ygsru z`*5K{e$!Jmjxta?coRQ7^#eEzL5~yd5|_Tlro~u`2zZY82^r4t_8Uf}EvkshWIz`# z%xLY~T|Z`nXMO3P*b*Q>|17*Xv|U|S5ExlG?sJQuT|H|Em!(>4Xdk)g^sSRQ357ko+nyme zvUR?ixok}b&!_4ywq8oyJ{P=6O66M`R-CzCI-8S1lQZ?+NXm=I0Dds7tStJgL_$M( zGVaBDmWCM9G|I;eYJBs~oILKaV#MNWGqnz>f;sUPSJKin|IxB^7SV51_NZCgQ1BXo zu3274$xW@7aVT1*`SY?29%28KCZwg*dDO2BG@`oRoN92SNQGIJ1Y+d(!X+T7R z#pBp8$C)I>T<#_{7JebcqTGlDy}C%#^cElB(&m`fA_LsVs%{+c1jY0RV7qrO&*SvN z)#BVeqqPurmP{#+3GUnr5Ct~FI>)XTt`P!n_*H9v<{I=)_-;Y3d>5JeMvPwInELXQ zXX72C0mdo3b|!e7Z=R2o7@W(v=lHou=z;(GOF||;ktv)?B-6Q7)-aVR*#*e1+%oWI zgfm>{Z&QMy2xT!PKoGza;016!DSv>RLLH8{fY8*`)X>mCoVfM;-%D()C%TnBK_>zSoDAWA5~hC%nDv){HR>|7 z(N{$7R^_;TCeNSD*3y{0`Z z#s}6C<~&%}GMRipd1qn6eh19F4tEyw&NkgV_MG{*)?x|inN)oVy;28#(c9Bt!uC4s;cOT2i89xm4 zJ|;if1dG_}_WO1p-}QTje?>wz9k%5t?1}CC{zSNw%;OgTTjV%%o%ACO=PFT+32Ti~eZcOsos3W=s_CG54p8aI`LH zN5qwEX=+c1(EMJ@29I~FUDRsxV0wa2lF^3U-_BZb*CfcZOWNskr8nwgIQ+14mmTgm z6D+Q(xPkz zeZ8=U_@Kvh7e-dRn4@;UJ~}Gxq7+g_LCda}ustDpPpwQZ`1tiC!Bu+lBEM=dS_SNu zV&+gf_Ygjkf3OwvnD!$x1p`pWwMDm>dWH-*QWwJF?Vjw~)C}VB3i`UbHbtgO)Pbk; zvAJ<~6&0>Jq_V(*O55GuPkPvwJ+zko@>-TA$#@3uPpt^2crJ`w=HnI8%@6)@=y!J+ 
z5su%H{5nIiiTV?lUvnV@=G8uY6I*6(*kIiLiN2b%?JC|*T%H~U9Or8H7tRi^S*ojK z2T0W{=%pwK>)Sv0;^T+Ats}i%YUP%CP;$;oJ7+SKsBU}GNSnhQIcB$3h5mpMVyqD{ zr?|e6ZE}F+s+f=Ijm4*zJ`in7a_26X`smD_&0uyegP=#>)eq8ALVrd{dDr7hZ(48T z(s{y-8!K)h@{KO$EH2!)kJia@Ktj$RKoW>-Z}l|k1@VFP5j&na6#UjqIZD~o+iN?c zrb=Qy+WFqVzRSzKBNFn!GT&CYhFNg1UlGalyX)NBRgGqa*Ef={>L>Hm zr42wPDl@*CGzV4B3rujlz>S$nWTRBp$W{^57onZ>xUy1Hyi2ZuS$iJxBL*;er`Mcd zTwW5)Vnxp6HlDbcPTkitdYQ#*Bq};IvIiDsaJpYIt`n!U6GD~)_CHjJLokN5IVJ3>>RrQ|AUhWjLa8`ip!6o2eRu)BWW}pZQ00iw2iA)59XE8llZ~@?Ou9j>nuG^hKNZ``#-$Ba(t!zZCHwHOs}Q literal 0 HcmV?d00001 diff --git a/credentials/sealer.jks b/credentials/sealer.jks new file mode 100644 index 0000000000000000000000000000000000000000..7daa3fd96f6a014b234f2f9ff55a9f1142948057 GIT binary patch literal 500 zcmX?i?%X*B1_mY|W&~np2KM6ART7Qd9hsvQm>v-13XOQ!4|C@=Ji6{Gzkrry`#l><$JRUQxs# znUz?USOL?Itj*5McG=ryDXA#|iA9OI#U%_((N56}0zg5Ky{ReA z`FSO&c_oDmbqq{C44egERgO97B@9A7APe+!67$magG-7s^U|$-K)y-L0ZN0^GglOp z7Jdt1{gf7BR-5ZD@K1ZWNeI`hrNv8A8U)Nv6;3@ehrzRV!XJm2d%vB` zr)_!1dh__>w$vMMtDhKayX3KQ*WUQ%^Y6~b4}Om=O)5H0lrV?|IJt&rmSp(4m^$XA kgcM~K