diff --git a/README.md b/README.md
index 8fe42b3..dc2e6bd 100644
--- a/README.md
+++ b/README.md
@@ -14,3 +14,4 @@ to complete a deployment.
 * Internal Testing - (TEST) branch/repo that uses the "test bed" which is something that I2 provides (LDAP) and an element to make all integrations. Appropriate for Jenkins and testing environments
 * `release` branch
 * External Testing - (RELEASE) branch/repo (ultimately will live in Subversion?) for end users
+
diff --git a/conf/access-control.xml b/conf/access-control.xml
index a9184e6..9ed4242 100644
--- a/conf/access-control.xml
+++ b/conf/access-control.xml
@@ -34,7 +34,7 @@
 </entry>
 <!--
- <entry key="AccessByUser">
+ <entry key="AccessByAdminUser">
 <bean parent="shibboleth.PredicateAccessControl">
 <constructor-arg>
 <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
@@ -47,7 +47,7 @@
 <entry key="AccessByAttribute">
 <bean parent="shibboleth.PredicateAccessControl">
 <constructor-arg>
- <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
+ <bean parent="shibboleth.Conditions.SimpleAttribute">
 <property name="attributeValueMap">
 <map>
 <entry key="eduPersonEntitlement">
diff --git a/conf/admin/admin.properties b/conf/admin/admin.properties
new file mode 100644
index 0000000..8713a81
--- /dev/null
+++ b/conf/admin/admin.properties
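Review bot: The renamed `AccessByAdminUser` entry is still inside the `<!--` that opens two context lines above it, and it still names the placeholder subject `jdoe`, so after this hunk there is still no live policy by that name; the new `conf/admin/admin.properties` in the same commit lists `AccessByAdminUser` as the (commented) default for the `hello` flow, and a flow that points at an undefined policy name will presumably be refused rather than admitted — worth confirming rather than relying on. If the rename is meant to make the policy usable, the `<!--`/`-->` around the entry should go and `c:collection="#{'jdoe'}"` should list the real administrative principal(s), e.g. `c:collection="#{{'admin1','admin2'}}"`. The `<entry>` element continues past the end of the hunk.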
@@ -0,0 +1,89 @@
+# Configure properties controlling administrative features
+
+#idp.status.logging = Status
+#idp.status.accessPolicy = AccessByIPAddress
+#idp.status.authenticated = false
+#idp.status.nonBrowserSupported = false
+#idp.status.defaultAuthenticationMethods =
+#idp.status.resolveAttributes = false
+#idp.status.postAuthenticationFlows =
+
+#idp.reload.logging = Reload
+#idp.reload.accessPolicy = AccessByIPAddress
+#idp.reload.authenticated = false
+#idp.reload.nonBrowserSupported = false
+#idp.reload.defaultAuthenticationMethods =
+#idp.reload.resolveAttributes = false
+#idp.reload.postAuthenticationFlows =
+
+#idp.resolvertest.logging = ResolverTest
+#idp.resolvertest.accessPolicy = AccessByIPAddress
+#idp.resolvertest.authenticated = false
+#idp.resolvertest.nonBrowserSupported = false
+#idp.resolvertest.defaultAuthenticationMethods =
+#idp.resolvertest.resolveAttributes = false
+#idp.resolvertest.postAuthenticationFlows =
+
+#idp.dumpconfig.logging = DumpConfig
+#idp.dumpconfig.accessPolicy = AccessByIPAddress
+#idp.dumpconfig.authenticated = false
+#idp.dumpconfig.nonBrowserSupported = false
+#idp.dumpconfig.defaultAuthenticationMethods =
+#idp.dumpconfig.resolveAttributes = false
+#idp.dumpconfig.postAuthenticationFlows =
+
+#idp.mdquery.logging = MetadataQuery
+#idp.mdquery.accessPolicy = AccessByIPAddress
+#idp.mdquery.authenticated = false
+#idp.mdquery.nonBrowserSupported = false
+#idp.mdquery.defaultAuthenticationMethods =
+#idp.mdquery.resolveAttributes = false
+#idp.mdquery.postAuthenticationFlows =
+
+#idp.metrics.logging = Metrics
+#idp.metrics.authenticated = false
+#idp.metrics.nonBrowserSupported = false
+#idp.metrics.defaultAuthenticationMethods =
+#idp.metrics.resolveAttributes = false
+#idp.metrics.postAuthenticationFlows =
+# See admin/metrics.xml for other configuration
+
+#idp.hello.logging = Hello
+#idp.hello.accessPolicy = AccessByAdminUser
+#idp.hello.authenticated = true
+#idp.hello.nonBrowserSupported = false
+#idp.hello.defaultAuthenticationMethods =
+#idp.hello.resolveAttributes = true
+#idp.hello.postAuthenticationFlows =
+
+#idp.lockout.logging = Lockout
+#idp.lockout.accessPolicy = AccessDenied
+#idp.lockout.authenticated = false
+#idp.lockout.nonBrowserSupported = false
+#idp.lockout.defaultAuthenticationMethods =
+#idp.lockout.resolveAttributes = false
+#idp.lockout.postAuthenticationFlows =
+
+#idp.revocation.logging = Revocation
+#idp.revocation.accessPolicy = AccessDenied
+#idp.revocation.authenticated = false
+#idp.revocation.nonBrowserSupported = false
+#idp.revocation.defaultAuthenticationMethods =
+#idp.revocation.resolveAttributes = false
+#idp.revocation.postAuthenticationFlows =
+
+#idp.storage.logging = Storage
+#idp.storage.accessPolicy = AccessDenied
+#idp.storage.authenticated = false
+#idp.storage.nonBrowserSupported = false
+#idp.storage.defaultAuthenticationMethods =
+#idp.storage.resolveAttributes = false
+#idp.storage.postAuthenticationFlows =
+
+#idp.unlock-keys.logging = UnlockKeys
+#idp.unlock-keys.accessPolicy = AccessDenied
+#idp.unlock-keys.authenticated = true
+#idp.unlock-keys.nonBrowserSupported = false
+#idp.unlock-keys.defaultAuthenticationMethods =
+#idp.unlock-keys.resolveAttributes = false
+#idp.unlock-keys.postAuthenticationFlows =
diff --git a/conf/admin/general-admin.xml b/conf/admin/general-admin.xml
deleted file mode 100644
index 2814bf6..0000000
--- a/conf/admin/general-admin.xml
+++ /dev/null
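Review bot: Every line in the new file is commented out, so it documents defaults rather than setting them, and the documented defaults for `status`, `reload`, `resolvertest`, `dumpconfig` and `mdquery` are `accessPolicy = AccessByIPAddress` with `authenticated = false`. By name, `resolvertest` and `dumpconfig` are debugging endpoints that hand back resolved attribute data and configuration, so their protection is exactly the address list behind `AccessByIPAddress` in access-control.xml, which is not in view here, and if the IdP sits behind a reverse proxy it is worth confirming which address that check actually sees. I would make the dependency explicit in a header comment: `# NOTE: the AccessByIPAddress defaults below are only as strong as the address list in access-control.xml; keep it to admin hosts.` The `metrics` block deliberately has no `accessPolicy` line, which the trailing `# See admin/metrics.xml` comment covers.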
@@ -1,74 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <util:list id="shibboleth.AvailableAdminFlows">
-
- <!-- Status Page -->
- <bean parent="shibboleth.AdminFlow"
- c:id="http://shibboleth.net/ns/profiles/status"
- p:loggingId="%{idp.service.logging.status:Status}"
- p:policyName="%{idp.status.accessPolicy:AccessByIPAddress}" />
-
- <!-- Service Reload -->
- <bean parent="shibboleth.AdminFlow"
- c:id="http://shibboleth.net/ns/profiles/reload-service-configuration"
- p:loggingId="%{idp.service.logging.serviceReload:Reload}"
- p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />
-
- <!-- MetadataResolver Reload -->
- <bean parent="shibboleth.AdminFlow"
- c:id="http://shibboleth.net/ns/profiles/reload-metadata"
- p:loggingId="%{idp.service.logging.serviceReload:Reload}"
- p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />
-
- <!-- AttributeResolver Debugging -->
- <bean parent="shibboleth.AdminFlow"
- c:id="http://shibboleth.net/ns/profiles/resolvertest"
- p:loggingId="%{idp.service.logging.resolvertest:ResolverTest}"
- p:policyName="%{idp.resolvertest.accessPolicy:AccessByIPAddress}" />
-
- <!-- Metadata Query -->
- <bean parent="shibboleth.AdminFlow"
- c:id="http://shibboleth.net/ns/profiles/mdquery"
- p:loggingId="MetadataQuery"
- p:policyName="AccessByIPAddress" />
-
- <!-- REST AccountLockoutManager Access -->
- <bean parent="shibboleth.AdminFlow"
- c:id="http://shibboleth.net/ns/profiles/lockout-manager"
- p:loggingId="Lockout"
- p:policyName="AccessByIPAddress" />
-
- <!-- REST StorageService Access -->
- <bean parent="shibboleth.AdminFlow"
- c:id="http://shibboleth.net/ns/profiles/storage"
- p:loggingId="Storage"
- p:policyName="AccessByIPAddress" />
-
- <!-- REST Interface to Metrics -->
- <bean parent="shibboleth.AdminFlow"
- c:id="http://shibboleth.net/ns/profiles/metrics"
- p:loggingId="Metrics"
- p:policyNameLookupStrategy-ref="shibboleth.metrics.AccessPolicyStrategy" />
-
- <!-- Attended Startup Unlock -->
- <!--
- <bean parent="shibboleth.OneTimeAdminFlow"
- c:id="http://shibboleth.net/ns/profiles/unlock-keys"
- p:loggingId="UnlockKeys"
- p:authenticated="true"
- p:policyName="AccessByAdminUser" />
- -->
-
- </util:list>
-
-</beans>
diff --git a/conf/admin/metrics.xml b/conf/admin/metrics.xml
index f9b5c16..7ac0735 100644
--- a/conf/admin/metrics.xml
+++ b/conf/admin/metrics.xml
@@ -26,8 +26,15 @@
 <ref bean="shibboleth.metrics.MetadataGaugeSet" />
 <ref bean="shibboleth.metrics.NameIdentifierGaugeSet" />
 <ref bean="shibboleth.metrics.RelyingPartyGaugeSet" />
+ <ref bean="shibboleth.metrics.AttributeRegistryGaugeSet" />
 <ref bean="shibboleth.metrics.AttributeResolverGaugeSet" />
 <ref bean="shibboleth.metrics.AttributeFilterGaugeSet" />
+ <ref bean="shibboleth.metrics.CASServiceRegistryGaugeSet" />
+ <ref bean="shibboleth.metrics.ManagedBeanGaugeSet" />
+ <ref bean="shibboleth.metrics.ModuleGaugeSet" />
+
+ <!-- Note that this accesses remote "state" regarding IdP and plugin updates. -->
+ <ref bean="shibboleth.metrics.InstallableComponents" />
 <!--
 <bean class="com.codahale.metrics.jvm.CachedThreadStatesGaugeSet"
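Review bot: The new `shibboleth.metrics.InstallableComponents` reference, which its own comment says accesses remote state about IdP and plugin updates, turns a metrics read into an outbound network request and reports installed versions and pending updates to whoever can reach the metrics endpoint; later in this file `DefaultAccessPolicy` gates that endpoint with `AccessByIPAddress` alone, so this is version disclosure to every address on that list. Decide whether update state should be on the wire at all, and if it stays, give it a stricter policy than the default where a per-group policy is supported, bearing in mind that the remote lookup can also make a metrics call block or fail when outbound connectivity is unavailable. I would extend the comment to say so: `<!-- Note that this accesses remote "state" regarding IdP and plugin updates: it makes an outbound request and reveals installed/available versions to metrics callers; remove or restrict if unwanted. -->`.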
@@ -52,15 +59,26 @@
 <util:map id="shibboleth.metrics.MetricGroups">
 <entry key="core" value-ref="shibboleth.metrics.CoreGaugeSet" />
 <entry key="idp" value-ref="shibboleth.metrics.IdPGaugeSet" />
+ <entry key="updates" value-ref="shibboleth.metrics.InstallableComponents" />
 <entry key="logging" value-ref="shibboleth.metrics.LoggingGaugeSet" />
 <entry key="access" value-ref="shibboleth.metrics.AccessControlGaugeSet" />
 <entry key="metadata" value-ref="shibboleth.metrics.MetadataGaugeSet" />
 <entry key="nameid" value-ref="shibboleth.metrics.NameIdentifierGaugeSet" />
 <entry key="relyingparty" value-ref="shibboleth.metrics.RelyingPartyGaugeSet" />
+ <entry key="registry" value-ref="shibboleth.metrics.AttributeRegistryGaugeSet" />
 <entry key="resolver" value-ref="shibboleth.metrics.AttributeResolverGaugeSet" />
 <entry key="filter" value-ref="shibboleth.metrics.AttributeFilterGaugeSet" />
+ <entry key="cas" value-ref="shibboleth.metrics.CASServiceRegistryGaugeSet" />
+ <entry key="bean" value-ref="shibboleth.metrics.ManagedBeanGaugeSet" />
 </util:map>
-
+
+ <!-- Add any desired properties into set to expose them as IdP metrics. -->
+ <!--
+ <util:set id="shibboleth.metrics.ExposedProperties">
+ <value>idp.entityID</value>
+ </util:set>
+ -->
+
 <!-- If you don't specify an alternate access policy, this named policy will be enforced. -->
 <bean id="shibboleth.metrics.DefaultAccessPolicy" class="java.lang.String" c:_0="AccessByIPAddress" />
diff --git a/conf/attribute-filter.xml b/conf/attribute-filter.xml
index 7787d0c..e12b502 100644
--- a/conf/attribute-filter.xml
+++ b/conf/attribute-filter.xml
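Review bot: The commented `shibboleth.metrics.ExposedProperties` example shows only `idp.entityID`, but nothing limits the set to harmless values: any property name placed in it is served through the metrics endpoint to every caller the access policy admits, and the IdP property files also hold credentials (the resolver example deleted elsewhere in this commit reads `idp.attribute.resolver.LDAP.bindDNCredential` from them, and sealer/keystore passwords typically live alongside). I would put the warning next to the example rather than trust future readers to infer it: `<!-- Add any desired properties into set to expose them as IdP metrics. Never list secrets (bind credentials, sealer/keystore passwords): every value here is readable by any caller the metrics access policy admits. -->`. The new `updates` entry in `MetricGroups` likewise falls under `DefaultAccessPolicy` (`AccessByIPAddress`) unless a per-group override is configured.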
@@ -14,6 +14,14 @@
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+
+ <!-- Release home org signifier to everybody. -->
+ <AttributeFilterPolicy id="alwaysRelease">
+ <PolicyRequirementRule xsi:type="ANY" />
+
+ <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
+ </AttributeFilterPolicy>
+
 <!-- Example rule relying on a locally applied tag in metadata to trigger attribute release of some specific attributes. Add additional attributes as desired.
@@ -77,13 +85,15 @@
 </AttributeFilterPolicy>
 <!-- Release an additional attribute to an SP. -->
+ <!--
 <AttributeFilterPolicy id="example1">
 <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
 <AttributeRule attributeID="uid" permitAny="true" />
 </AttributeFilterPolicy>
-
+ -->
 <!-- Release eduPersonScopedAffiliation to two specific SPs. -->
+ <!--
 <AttributeFilterPolicy id="example2">
 <PolicyRequirementRule xsi:type="OR">
 <Rule xsi:type="Requester" value="https://sp.example.org" />
@@ -92,5 +102,56 @@
 <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
 </AttributeFilterPolicy>
-
+ -->
+
+ <!-- Attribute release for all SPs (global) tagged as 'Research and Scholarship' -->
+ <AttributeFilterPolicy id="releaseRandSAttributeBundle">
+ <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://refeds.org/category/research-and-scholarship"/>
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="givenName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="sn">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="mail">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
+ <!-- Attribute release for all InCommon SPs -->
+ <AttributeFilterPolicy id="releaseToInCommon">
+ <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="givenName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="sn">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="mail">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
 </AttributeFilterPolicyGroup>
diff --git a/conf/intercept/impersonate-intercept-config.xml b/conf/attribute-registry.xml
similarity index 63%
rename from conf/intercept/impersonate-intercept-config.xml
rename to conf/attribute-registry.xml
index 7dfda2b..133930b 100644
--- a/conf/intercept/impersonate-intercept-config.xml
+++ b/conf/attribute-registry.xml
@@ -13,13 +13,17 @@
 default-destroy-method="destroy">
 <!--
- Names of access control policies defined in access-control.xml to control impersonation.
- The general policy runs first and determines whether to offer the impersonation option.
- The specific policy runs second and determines whether to allow the requested impersonation.
+ The system comes preconfigured to load rules directly from resource files
+ configured in services.xml so they're monitored for changes.
+
+ You can add mappings here, add more XML resource files, or drop property
+ files into the directory noted below, but they won't be monitored for changes
+ themselves.
 -->
- <bean id="shibboleth.impersonate.GeneralPolicy" class="java.lang.String" c:_0="GeneralImpersonationPolicy" />
-
- <bean id="shibboleth.impersonate.SpecificPolicy" class="java.lang.String" c:_0="SpecificImpersonationPolicy" />
-
+ <!-- Default directory for custom mappings. -->
+ <bean parent="shibboleth.TranscodingRuleLoader"
+ c:dir="%{idp.home}/conf/attributes/custom"
+ c:extensions="#{{'.txt', '.props', '.properties', '.rule'}}" />
+
 </beans>
diff --git a/conf/attribute-resolver-full.xml b/conf/attribute-resolver-full.xml
deleted file mode 100644
index e44ffbc..0000000
--- a/conf/attribute-resolver-full.xml
+++ /dev/null
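Review bot: `releaseToInCommon` releases eduPersonPrincipalName, eduPersonScopedAffiliation, givenName, sn, displayName and mail to every SP carrying `http://id.incommon.org/category/registered-by-incommon`, but that entity attribute only records that InCommon registered the SP's metadata; unlike the R&S category matched by the policy above it, it carries no commitment from the SP about how attributes are used, so this is effectively a federation-wide release of name and email to every InCommon-registered service. Unless that is a deliberate institutional decision, I would drop the policy, or cut it down to the non-identifying part (keep only the `eduPersonScopedAffiliation` rule) and leave the identifying attributes to the R&S policy and per-SP rules. Both new policies also take the `entity-category` value as found in metadata, so `EntityAttributeExactMatch` is only as trustworthy as the source asserting it — locally loaded or self-asserted SP metadata claiming R&S would match just the same — and a comment saying `<!-- Assumes entity categories are asserted only by the federation registrar, never taken from locally added SP metadata. -->` would make that assumption visible to the next editor.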
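Review bot: Git labels this a 63% rename, but the old side is `conf/intercept/impersonate-intercept-config.xml` and the new side is a standard `attribute-registry.xml`, so the real effect of the hunk is that the impersonation intercept's policy beans (`shibboleth.impersonate.GeneralPolicy`, `shibboleth.impersonate.SpecificPolicy`) are deleted, not moved. If the impersonate intercept is still enabled in relying-party configuration (not in view), it would be left without its policy-name beans; confirm the removal is intentional and, if the intercept is simply unused, say so in the commit message so the rename heuristic does not mislead the next reader. On the new content, the `TranscodingRuleLoader` loads every `.txt`/`.props`/`.properties`/`.rule` file under `%{idp.home}/conf/attributes/custom` as attribute-mapping rules, so write access to that directory appears to amount to control over how attributes are encoded; a one-line comment such as `<!-- Files dropped here are loaded as mapping rules; restrict write access to the IdP administrator. -->` would flag that.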
@@ -1,319 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - This file is an EXAMPLE configuration file containing lots of commented - example attributes, encoders, and a couple of example data connectors. - - Not all attribute definitions or data connectors are demonstrated, but - a variety of LDAP attributes, some common to Shibboleth deployments and - many not, are included. - - Deployers should refer to the Identity Provider 3 documentation - - https://wiki.shibboleth.net/confluence/display/IDP30/AttributeResolverConfiguration - - for a complete list of components and their options. ---> -<AttributeResolver - xmlns="urn:mace:shibboleth:2.0:resolver" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd"> - - <!-- ========================================== --> - <!-- Attribute Definitions --> - <!-- ========================================== --> - - <!-- Schema: Core schema attributes--> -<!-- - - <AttributeDefinition xsi:type="Simple" id="uid"> - <InputDataConnector ref="myLDAP" attributeNames="uid"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="mail"> - <InputDataConnector ref="myLDAP" attributeNames="mail"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="homePhone"> - <InputDataConnector ref="myLDAP" attributeNames="homePhone"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePhone" encodeType="false" 
/> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="homePostalAddress"> - <InputDataConnector ref="myLDAP" attributeNames="homePostalAddress"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePostalAddress" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.39" friendlyName="homePostalAddress" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="mobileNumber"> - <InputDataConnector ref="myLDAP" attributeNames="mobile"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="pagerNumber"> - <InputDataConnector ref="myLDAP" attributeNames="pager"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:pager" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="surname"> - <InputDataConnector ref="myLDAP" attributeNames="sn"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="locality"> - <InputDataConnector ref="myLDAP" attributeNames="l"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" 
encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="stateProvince"> - <InputDataConnector ref="myLDAP" attributeNames="st"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:st" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.8" friendlyName="st" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="street"> - <InputDataConnector ref="myLDAP" attributeNames="street"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:street" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.9" friendlyName="street" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="organizationName"> - <InputDataConnector ref="myLDAP" attributeNames="o"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="organizationalUnit"> - <InputDataConnector ref="myLDAP" attributeNames="ou"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:ou" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.11" friendlyName="ou" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="title"> - <InputDataConnector ref="myLDAP" attributeNames="title"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="postalAddress"> - <InputDataConnector ref="myLDAP" attributeNames="postalAddress"/> - <AttributeEncoder xsi:type="SAML1String" 
name="urn:mace:dir:attribute-def:postalAddress" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.16" friendlyName="postalAddress" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="postalCode"> - <InputDataConnector ref="myLDAP" attributeNames="postalCode"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalCode" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.17" friendlyName="postalCode" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="postOfficeBox"> - <InputDataConnector ref="myLDAP" attributeNames="postOfficeBox"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postOfficeBox" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.18" friendlyName="postOfficeBox" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="telephoneNumber"> - <InputDataConnector ref="myLDAP" attributeNames="telephoneNumber"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="givenName"> - <InputDataConnector ref="myLDAP" attributeNames="givenName"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="initials"> - <InputDataConnector ref="myLDAP" attributeNames="initials"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:initials" encodeType="false" /> - <AttributeEncoder 
xsi:type="SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" encodeType="false" /> - </AttributeDefinition> ---> - - <!-- Schema: inetOrgPerson attributes--> -<!-- - <AttributeDefinition xsi:type="Simple" id="departmentNumber"> - <InputDataConnector ref="myLDAP" attributeNames="departmentNumber"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="displayName"> - <InputDataConnector ref="myLDAP" attributeNames="displayName"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="employeeNumber"> - <InputDataConnector ref="myLDAP" attributeNames="employeeNumber"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeNumber" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="employeeType"> - <InputDataConnector ref="myLDAP" attributeNames="employeeType"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="jpegPhoto"> - <InputDataConnector ref="myLDAP" attributeNames="jpegPhoto"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:jpegPhoto" 
encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.60" friendlyName="jpegPhoto" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="preferredLanguage"> - <InputDataConnector ref="myLDAP" attributeNames="preferredLanguage"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" encodeType="false" /> - </AttributeDefinition> ---> - <!-- Schema: eduPerson attributes --> -<!-- - <AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation"> - <InputDataConnector ref="myLDAP" attributeNames="eduPersonAffiliation" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="eduPersonEntitlement"> - <InputDataConnector ref="myLDAP" attributeNames="eduPersonEntitlement"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="eduPersonNickname"> - <InputDataConnector ref="myLDAP" attributeNames="eduPersonNickname"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonNickname" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" friendlyName="eduPersonNickname" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" 
id="eduPersonPrimaryAffiliation"> - <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrimaryAffiliation"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName"> - <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName"/> - <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalNamePrior"> - <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalNamePrior"/> - <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" friendlyName="eduPersonPrincipalNamePrior" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}"> - <InputDataConnector ref="myLDAP" attributeNames="eduPersonAffiliation"/> - <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Simple" id="eduPersonAssurance"> - <InputDataConnector ref="myLDAP" attributeNames="eduPersonAssurance"/> - <AttributeEncoder xsi:type="SAML1String" 
name="urn:mace:dir:attribute-def:eduPersonAssurance" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance" encodeType="false" /> - </AttributeDefinition> ---> - - <!-- Semi-deprecated eduPersonUniqueId, should be phased out in favor of SAML subject-id replacement below. --> -<!-- - <AttributeDefinition xsi:type="Scoped" id="eduPersonUniqueId" scope="%{idp.scope}"> - <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}"/> - <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" encodeType="false" /> - </AttributeDefinition> ---> - - <!-- Schema: SAML Subject ID Attributes --> -<!-- - <AttributeDefinition xsi:type="Scoped" id="samlSubjectID" scope="%{idp.scope}"> - <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}"/> - <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oasis:names:tc:SAML:attribute:subject-id" friendlyName="subject-id" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition xsi:type="Scoped" id="samlPairwiseID" scope="%{idp.scope}"> - <InputDataConnector ref="computed" attributeNames="computedId"/> - <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oasis:names:tc:SAML:attribute:pairwise-id" friendlyName="pairwise-id" encodeType="false" /> - </AttributeDefinition> ---> - - <!-- ========================================== --> - <!-- Data Connectors --> - <!-- ========================================== --> - - <!-- Example Static Connector --> - - <!-- Example Relational Database Connector --> -<!-- - <DataConnector id="mySIS" xsi:type="RelationalDatabase"> - <ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver" - jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB" - 
jdbcUserName="myid" - jdbcPassword="mypassword" /> - <QueryTemplate> - <![CDATA[ - SELECT * FROM student WHERE gzbtpid = '$resolutionContext.principal' - ]]> - </QueryTemplate> - - <Column columnName="gzbtpid" attributeID="uid" /> - <Column columnName="fqlft" attributeID="gpa" /> - </DataConnector> ---> - - <!-- Example LDAP Connector --> -<!-- - <DataConnector id="myLDAP" xsi:type="LDAPDirectory" - ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" - baseDN="%{idp.attribute.resolver.LDAP.baseDN}" - principal="%{idp.attribute.resolver.LDAP.bindDN}" - principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}" - useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}" - connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}" - trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}" - responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"> - <FilterTemplate> - <![CDATA[ - %{idp.attribute.resolver.LDAP.searchFilter} - ]]> - </FilterTemplate> - <ConnectionPool - minPoolSize="%{idp.pool.LDAP.minSize:3}" - maxPoolSize="%{idp.pool.LDAP.maxSize:10}" - blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}" - validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}" - validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}" - expirationTime="%{idp.pool.LDAP.idleTime:PT10M}" - failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" /> - </DataConnector> ---> - - <!-- DataConector for pairwise-id (example depends on saml-nameid.properties). --> - -<!-- - <DataConnector id="computed" xsi:type="ComputedId" - generatedAttributeID="computedId" - salt="%{idp.persistentId.salt}" - algorithm="%{idp.persistentId.algorithm:SHA}" - encoding="%{idp.persistentId.encoding:BASE32}"> - - <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" /> - - </DataConnector> ---> - -</AttributeResolver> 
diff --git a/conf/attribute-resolver-ldap.xml b/conf/attribute-resolver-ldap.xml deleted file mode 100644 index 69154c0..0000000 --- a/conf/attribute-resolver-ldap.xml +++ /dev/null 
@@ -1,94 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - This file is an EXAMPLE configuration file. While the configuration - presented in this example file is semi-functional, it isn't very - interesting. It is here only as a starting point for your deployment - process. - - Very few attribute definitions and data connectors are demonstrated, - and use of LDAP is assumed, with the LDAP configuration primarily - supplied from the ldap.properties file. - - Attribute-resolver-full.xml contains more examples of attributes, - encoders, and data connectors. Deployers should refer to the Shibboleth - documentation for a complete list of components and their options. ---> -<AttributeResolver - xmlns="urn:mace:shibboleth:2.0:resolver" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd"> - - <!-- ========================================== --> - <!-- Attribute Definitions --> - <!-- ========================================== --> - - <!-- - The EPPN is the "standard" federated username in higher ed. - For guidelines on the implementation of this attribute, refer - to the Shibboleth and eduPerson documentation. Above all, do - not expose a value for this attribute without considering the - long term implications. 
- --> - <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Prescoped" > - <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName"/> - <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" /> - </AttributeDefinition> - - <!-- - The uid is the closest thing to a "standard" LDAP attribute - representing a local username, but you should generally *never* - expose uid to federated services, as it is rarely globally unique. - --> - <AttributeDefinition id="uid" xsi:type="Simple" > - <InputDataConnector ref="myLDAP" attributeNames="uid"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> - </AttributeDefinition> - - <!-- - In the rest of the world, the email address is the standard identifier, - despite the problems with that practice. Consider making the EPPN value - the same as your official email addresses whenever possible. - --> - <AttributeDefinition id="mail" xsi:type="Simple" > - <InputDataConnector ref="myLDAP" attributeNames="mail"/> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" /> - </AttributeDefinition> - - <!-- ========================================== --> - <!-- Data Connectors --> - <!-- ========================================== --> - - <!-- - Example LDAP Connector - - The connectivity details can be specified in ldap.properties to - share them with your authentication settings if desired. 
- --> - <DataConnector id="myLDAP" xsi:type="LDAPDirectory" - ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" - baseDN="%{idp.attribute.resolver.LDAP.baseDN}" - principal="%{idp.attribute.resolver.LDAP.bindDN}" - principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}" - useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}" - connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}" - trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}" - responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"> - <FilterTemplate> - <![CDATA[ - %{idp.attribute.resolver.LDAP.searchFilter} - ]]> - </FilterTemplate> - <ConnectionPool - minPoolSize="%{idp.pool.LDAP.minSize:3}" - maxPoolSize="%{idp.pool.LDAP.maxSize:10}" - blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}" - validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}" - validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}" - expirationTime="%{idp.pool.LDAP.idleTime:PT10M}" - failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" /> - </DataConnector> - -</AttributeResolver> diff --git a/conf/attribute-resolver.xml b/conf/attribute-resolver.xml index 471bf0b..e7daff6 100644 --- a/conf/attribute-resolver.xml +++ b/conf/attribute-resolver.xml 
@@ -1,86 +1,283 @@ <?xml version="1.0" encoding="UTF-8"?> -<!-- - This file is an EXAMPLE configuration file. While the configuration - presented in this example file is semi-functional, it isn't very - interesting. It is here only as a starting point for your deployment - process. +<!-- + This file is an EXAMPLE configuration file containing lots of commented + example attributes, encoders, and a couple of example data connectors. + + Not all attribute definitions or data connectors are demonstrated, but + a variety of LDAP attributes, some common to Shibboleth deployments and + many not, are included. - Very few attribute definitions and data connectors are demonstrated, - and the data is derived statically from the logged-in username and a - static example connector. - - Attribute-resolver-full.xml contains more examples of attributes, - encoders, and data connectors. Deployers should refer to the Shibboleth - documentation for a complete list of components and their options. + Deployers should refer to the Identity Provider 3 documentation + + https://wiki.shibboleth.net/confluence/display/IDP30/AttributeResolverConfiguration + + for a complete list of components and their options. --> <AttributeResolver - xmlns="urn:mace:shibboleth:2.0:resolver" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns="urn:mace:shibboleth:2.0:resolver" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd"> - <!-- ========================================== --> <!-- Attribute Definitions --> <!-- ========================================== --> - <!-- - The EPPN is the "standard" federated username in higher ed. - For guidelines on the implementation of this attribute, refer - to the Shibboleth and eduPerson documentation. Above all, do - not expose a value for this attribute without considering the - long term implications. 
- --> - <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}"> - <InputAttributeDefinition ref="uid" /> - <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" /> + <!-- Schema: Core schema attributes--> + <AttributeDefinition xsi:type="Simple" id="uid"> + <InputDataConnector ref="myLDAP" attributeNames="uid"/> </AttributeDefinition> - <!-- - The uid is the closest thing to a "standard" LDAP attribute - representing a local username, but you should generally *never* - expose uid to federated services, as it is rarely globally unique. - --> - <AttributeDefinition id="uid" xsi:type="PrincipalName"> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> + <AttributeDefinition xsi:type="Simple" id="mail"> + <InputDataConnector ref="myLDAP" attributeNames="mail"/> </AttributeDefinition> - <!-- - In the rest of the world, the email address is the standard identifier, - despite the problems with that practice. Consider making the EPPN - value the same as your official email addresses whenever possible. 
- --> - <AttributeDefinition id="mail" xsi:type="Template"> - <InputAttributeDefinition ref="uid" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" /> - <Template> - <![CDATA[ - ${uid}@example.org - ]]> - </Template> - <SourceAttribute>uid</SourceAttribute> + <AttributeDefinition xsi:type="Simple" id="homePhone"> + <InputDataConnector ref="myLDAP" attributeNames="homePhone"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="homePostalAddress"> + <InputDataConnector ref="myLDAP" attributeNames="homePostalAddress"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="mobileNumber"> + <InputDataConnector ref="myLDAP" attributeNames="mobile"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="pagerNumber"> + <InputDataConnector ref="myLDAP" attributeNames="pager"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="sn"> + <InputDataConnector ref="myLDAP" attributeNames="sn"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="locality"> + <InputDataConnector ref="myLDAP" attributeNames="l"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="stateProvince"> + <InputDataConnector ref="myLDAP" attributeNames="st"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="street"> + <InputDataConnector ref="myLDAP" attributeNames="street"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="organizationName"> + <InputDataConnector ref="myLDAP" attributeNames="o"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="organizationalUnit"> + <InputDataConnector ref="myLDAP" attributeNames="ou"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="title"> + <InputDataConnector ref="myLDAP" 
attributeNames="title"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="postalAddress"> + <InputDataConnector ref="myLDAP" attributeNames="postalAddress"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="postalCode"> + <InputDataConnector ref="myLDAP" attributeNames="postalCode"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="postOfficeBox"> + <InputDataConnector ref="myLDAP" attributeNames="postOfficeBox"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="telephoneNumber"> + <InputDataConnector ref="myLDAP" attributeNames="telephoneNumber"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="givenName"> + <InputDataConnector ref="myLDAP" attributeNames="givenName"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="initials"> + <InputDataConnector ref="myLDAP" attributeNames="initials"/> + </AttributeDefinition> + + <!-- Schema: inetOrgPerson attributes--> + <AttributeDefinition xsi:type="Simple" id="departmentNumber"> + <InputDataConnector ref="myLDAP" attributeNames="departmentNumber"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="displayName"> + <InputDataConnector ref="myLDAP" attributeNames="displayName"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="employeeNumber"> + <InputDataConnector ref="myLDAP" attributeNames="employeeNumber"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="employeeType"> + <InputDataConnector ref="myLDAP" attributeNames="employeeType"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="jpegPhoto"> + <InputDataConnector ref="myLDAP" attributeNames="jpegPhoto"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="preferredLanguage"> + <InputDataConnector ref="myLDAP" attributeNames="preferredLanguage"/> + </AttributeDefinition> + + <!-- Schema: eduPerson attributes --> + 
<AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation"> + <InputDataConnector ref="myLDAP" attributeNames="eduPersonAffiliation" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="eduPersonEntitlement"> + <InputDataConnector ref="myLDAP" attributeNames="eduPersonEntitlement"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="eduPersonNickname"> + <InputDataConnector ref="myLDAP" attributeNames="eduPersonNickname"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="eduPersonPrimaryAffiliation"> + <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrimaryAffiliation"/> </AttributeDefinition> <!-- - This is an example of an attribute sourced from a data connector. + <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName"> + <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName"/> + </AttributeDefinition> --> - <AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}"> - <InputDataConnector ref="staticAttributes" attributeNames="affiliation" /> - <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" /> + <AttributeDefinition xsi:type="Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}"> + <InputDataConnector ref="myLDAP" attributeNames="uid"/> </AttributeDefinition> + <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalNamePrior"> + <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalNamePrior"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}"> + <InputDataConnector ref="myLDAP" attributeNames="eduPersonAffiliation"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" 
id="eduPersonAssurance"> + <InputDataConnector ref="myLDAP" attributeNames="eduPersonAssurance"/> + </AttributeDefinition> + + <!-- Semi-deprecated eduPersonUniqueId, should be phased out in favor of SAML subject-id replacement below. --> +<!-- + <AttributeDefinition xsi:type="Scoped" id="eduPersonUniqueId" scope="%{idp.scope}"> + <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}"/> + </AttributeDefinition> +--> + + <!-- Schema: SAML Subject ID Attributes --> +<!-- + <AttributeDefinition xsi:type="Scoped" id="samlSubjectID" scope="%{idp.scope}"> + <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Scoped" id="samlPairwiseID" scope="%{idp.scope}"> + <InputDataConnector ref="computed" attributeNames="computedId"/> + </AttributeDefinition> +--> <!-- ========================================== --> <!-- Data Connectors --> <!-- ========================================== --> - <DataConnector id="staticAttributes" xsi:type="Static"> - <Attribute id="affiliation"> - <Value>member</Value> - </Attribute> + <!-- Example Static Connector --> + + <!-- Example Relational Database Connector. 
+ In practice a <SimpleManagedConnection> is enough to get you going but you should consider a + <BeanManagedConnection> fully configured for your particular environment --> + +<!-- + <DataConnector id="mySIS" xsi:type="RelationalDatabase"> + <SimpleManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver" + jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB" + jdbcUserName="myid" + jdbcPassword="mypassword" /> + <QueryTemplate> + <![CDATA[ + SELECT * FROM student WHERE gzbtpid = '$resolutionContext.principal' + ]]> + </QueryTemplate> + + <Column columnName="gzbtpid" attributeID="uid" /> + <Column columnName="fqlft" attributeID="gpa" /> </DataConnector> +--> + + <!-- Example LDAP Connector --> +<!-- + <DataConnector id="myLDAP" xsi:type="LDAPDirectory" + ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" + baseDN="%{idp.attribute.resolver.LDAP.baseDN}" + principal="%{idp.attribute.resolver.LDAP.bindDN}" + principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}" + useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}" + connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}" + trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}" + responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"> + <FilterTemplate> + <![CDATA[ + %{idp.attribute.resolver.LDAP.searchFilter} + ]]> + </FilterTemplate> + <ConnectionPool + minPoolSize="%{idp.pool.LDAP.minSize:3}" + maxPoolSize="%{idp.pool.LDAP.maxSize:10}" + blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}" + validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}" + validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}" + expirationTime="%{idp.pool.LDAP.idleTime:PT10M}" /> + </DataConnector> +--> + + <!-- Default LDAP Connector (no TLS) --> + <DataConnector id="myLDAP" xsi:type="LDAPDirectory" + ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" + baseDN="%{idp.attribute.resolver.LDAP.baseDN}" + principal="%{idp.attribute.resolver.LDAP.bindDN}" + 
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
+ useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
+ connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
+ responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
+ connectionStrategy="%{idp.attribute.resolver.LDAP.connectionStrategy}"
+ noResultIsError="true"
+ multipleResultsIsError="true"
+ excludeResolutionPhases="c14n/attribute"
+ exportAttributes="uid mail displayName sn givenName departmentNumber employeeNumber eduPersonEntitlement eduPersonAssurance">
+ <FilterTemplate>
+ <![CDATA[
+ %{idp.attribute.resolver.LDAP.searchFilter}
+ ]]>
+ </FilterTemplate>
+ <ConnectionPool
+ minPoolSize="%{idp.pool.LDAP.minSize:3}"
+ maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
+ blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
+ validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
+ validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
+ validateDN="%{idp.pool.LDAP.validateDN:}"
+ validateOnCheckout="%{idp.pool.LDAP.validateOnCheckout:false}"
+ validateFilter="%{idp.pool.LDAP.validateFilter:(objectClass=*)}"
+ prunePeriod="%{idp.pool.LDAP.prunePeriod:PT5M}"
+ expirationTime="%{idp.pool.LDAP.idleTime:PT10M}" />
+ </DataConnector>
+
+
+ <!-- DataConector for pairwise-id (example depends on saml-nameid.properties). -->
+
+<!--
+ <DataConnector id="computed" xsi:type="ComputedId"
+ generatedAttributeID="computedId"
+ salt="%{idp.persistentId.salt}"
+ algorithm="%{idp.persistentId.algorithm:SHA}"
+ encoding="%{idp.persistentId.encoding:BASE32}">
+
+ <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" />
+
+ </DataConnector>
+-->
 </AttributeResolver>
diff --git a/conf/attributes/custom/README b/conf/attributes/custom/README
new file mode 100644
index 0000000..98977b0
--- /dev/null
+++ b/conf/attributes/custom/README
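Review bot: The live `myLDAP` connector near the end of the hunk is introduced as `<!-- Default LDAP Connector (no TLS) -->`, but its `useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"` defaults StartTLS to on, and the `trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"` attribute that the commented example just above it carries has been dropped. One of the two is wrong: either the label is stale, or the connector negotiates StartTLS while validating the directory's certificate against whatever fallback trust the runtime applies when no trust file is given, which is presumably not what a deployer reads from "(no TLS)". If StartTLS is intended, keep the trust-file attribute and change the comment to `<!-- Default LDAP Connector (StartTLS; trust anchors from idp.attribute.resolver.LDAP.trustCertificates) -->`; if plaintext really is intended, the comment should state that the bind credential and the search results then cross the network unprotected. The `exportAttributes` list also leaves out several attributes the hunk defines above (homePhone, jpegPhoto, mobileNumber among others); that looks deliberate but deserves a short comment so the next editor does not "fix" it.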
@@ -0,0 +1,9 @@
+# You can create custom attribute mapping rules using
+# simple property files stored in this directory tree.
+# Spring property replacement is NOT supported.
+
+# As an example, a default SAML 2 rule for eduPersonPrincipalName would be:
+
+#id=eduPersonPrincipalName
+#transcoder=SAML2ScopedStringTranscoder
+#saml2.name=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
diff --git a/conf/authn/x509-internal-authn-config.xml b/conf/attributes/default-rules.xml
similarity index 66%
rename from conf/authn/x509-internal-authn-config.xml
rename to conf/attributes/default-rules.xml
index bad3029..db8f1a1 100644
--- a/conf/authn/x509-internal-authn-config.xml
+++ b/conf/attributes/default-rules.xml
@@ -12,10 +12,18 @@
 default-init-method="initialize"
 default-destroy-method="destroy">
+ <!-- Default Attribute transcoding rules. -->
+
 <!--
- You can define a TrustEngine to apply to any candidate certificates by defining a bean named
- "shibboleth.authn.X509.TrustEngine". You could also define that in conf/global.xml if you need
- to share one between the internal and external versions of this flow.
+ Many if not most of these attributes are not suited or may even be actively discouraged
+ from use in federated protocols, but this is merely a set of well-known definitions, not
+ a recommended set to support or use.
 -->
+ <import resource="inetOrgPerson.xml" />
+ <import resource="eduPerson.xml" />
+ <import resource="eduCourse.xml" />
+ <import resource="schac.xml" />
+ <import resource="samlSubject.xml" />
+
 </beans>
diff --git a/conf/attributes/eduCourse.xml b/conf/attributes/eduCourse.xml
new file mode 100644
index 0000000..96341c3
--- /dev/null
+++ b/conf/attributes/eduCourse.xml
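Review bot: The new `default-rules.xml` imports `inetOrgPerson.xml`, `schac.xml` and `samlSubject.xml` next to `eduCourse.xml` and `eduPerson.xml`, but only the latter two appear as new files in this diff; if the other three are not added elsewhere in the commit, the Spring context fails to load on the missing resources at startup. Git records this file as a 66% rename of `conf/authn/x509-internal-authn-config.xml`, so that authentication config file no longer exists after this commit; whether any flow or property still references it is not visible here and should be checked before merging. The enclosing `<beans>` element starts above the hunk.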
@@ -0,0 +1,57 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" + xmlns:p="http://www.springframework.org/schema/p" + xmlns:c="http://www.springframework.org/schema/c" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy"> + + <!-- + Note that all built-in rules rely on URI-naming and thus include the implied settings: + + <prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</prop> + <prop key="saml1.namespace">urn:mace:shibboleth:1.0:attributeNamespace:uri</prop> + --> + + <bean parent="shibboleth.TranscodingRuleLoader"> + <constructor-arg> + <list> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">eduCourseOffering</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.6.1.1</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.5923.1.6.1.1</prop> + <prop key="displayName.en">Course offering</prop> + <prop key="description.en">Unique identifier for a course offering</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">eduCourseMember</prop> + <prop key="transcoder">SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder</prop> + <prop 
key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.6.1.2</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.5923.1.6.1.2</prop> + <prop key="saml1.encodeType">false</prop> + <prop key="displayName.en">Course role</prop> + <prop key="description.en">Specifies the person's role within a particular course offering</prop> + </props> + </property> + </bean> + + </list> + </constructor-arg> + </bean> + +</beans> diff --git a/conf/attributes/eduPerson.xml b/conf/attributes/eduPerson.xml new file mode 100644 index 0000000..115967c --- /dev/null +++ b/conf/attributes/eduPerson.xml 
@@ -0,0 +1,309 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" + xmlns:p="http://www.springframework.org/schema/p" + xmlns:c="http://www.springframework.org/schema/c" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy"> + + <!-- + Note that all built-in rules rely on URI-naming and thus include the implied settings: + + <prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</prop> + <prop key="saml1.namespace">urn:mace:shibboleth:1.0:attributeNamespace:uri</prop> + --> + + <bean parent="shibboleth.TranscodingRuleLoader"> + <constructor-arg> + <list> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">eduPersonAffiliation</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.1</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonAffiliation</prop> + <prop key="displayName.en">Affiliation</prop> + <prop key="displayName.de">Zugehörigkeit</prop> + <prop key="displayName.fr">Affiliation</prop> + <prop key="displayName.it">Affiliazione</prop> + <prop key="displayName.ja">職位</prop> + <prop key="description.en">Affiliation: Type of affiliation with Home Organization</prop> + <prop key="description.de">Art der Zugehörigkeit zur Heimatorganisation</prop> + <prop key="description.de-ch">Art der 
Zugehörigkeit zur Heimorganisation</prop> + <prop key="description.fr">Type d'affiliation dans l'organisation</prop> + <prop key="description.it">Affiliazione: Tipo di affiliazione presso l'organizzazione</prop> + <prop key="description.ja">所属機関における職位(faculty,staff,student,memberなど)</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">eduPersonAssurance</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.11</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonAssurance</prop> + <prop key="displayName.en">Assurance level</prop> + <prop key="displayName.de">Vertrauensgrad</prop> + <prop key="displayName.fr">Niveau de confiance</prop> + <prop key="displayName.it">Livello di garanzia dell'identita'</prop> + <prop key="displayName.ja">保証レベル</prop> + <prop key="description.en">Set of URIs that assert compliance with specific standards for identity assurance</prop> + <prop key="description.de">URIs die eine gewisse Zusicherung für spezifische Standards des Vertrauens beinhalten</prop> + <prop key="description.fr">Un ensemble d'URI qui attestent la conformité selon un standard pour les niveaux d'assurance d'identités</prop> + <prop key="description.it">Un insieme di URI che asseriscono l'osservanza dei livelli di garanzia dell'identita'</prop> + <prop key="description.ja">IDの保証レベルに関して特定の基準に準拠していることを示すURI</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">eduPersonEntitlement</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.7</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonEntitlement</prop> + <prop key="displayName.en">Entitlement</prop> + 
<prop key="displayName.de">Berechtigung</prop> + <prop key="displayName.fr">Membre de</prop> + <prop key="displayName.it">Diritti</prop> + <prop key="displayName.ja">資格情報</prop> + <prop key="description.en">Member of: URI (either URL or URN) that indicates a set of rights to specific resources based on an agreement across the releavant community</prop> + <prop key="description.de">Zeichenkette, die Rechte für spezifische Ressourcen beschreibt</prop> + <prop key="description.fr">Membre de: URI (soit une URL ou une URN) décrivant un droit spécific d'accès</prop> + <prop key="description.it">Membro di: URI (sia URL, sia URN) che rappresentano diritti su specifiche risorse e basati su accordi tra le comunità interessate</prop> + <prop key="description.ja">特定のアプリケーションもしくはコミュニティ内の複数リソースへのアクセス権限を持つことを示すURI(URLもしくはURN)</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">eduPersonNickname</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.2</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonNickname</prop> + <prop key="displayName.en">Nickname</prop> + <prop key="displayName.de">Kurzname</prop> + <prop key="displayName.de-ch">Übername</prop> + <prop key="displayName.fr">Surnom</prop> + <prop key="displayName.it">Soprannome</prop> + <prop key="displayName.ja">ニックネーム</prop> + <prop key="description.en">Person's nickname, or the informal name by which they are accustomed to be hailed</prop> + <prop key="description.de">Kurzname einer Person, oder üblicher Rufname zur Begrüßung</prop> + <prop key="description.de-ch">Übername einer Person, oder üblicher Rufname zur Begrüssung</prop> + <prop key="description.fr">Nom personnalisable pour un usage informel</prop> + <prop key="description.it">Soprannome della persona</prop> + <prop 
key="description.ja">利用者のニックネームもしくは通称</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">eduPersonOrgDN</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.3</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonOrgDN</prop> + <prop key="displayName.en">Organization distinguished name</prop> + <prop key="description.en">Distinguished name (DN) of the directory entry representing the institution with which the person is associated</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">eduPersonOrgUnitDN</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.4</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonOrgUnitDN</prop> + <prop key="displayName.en">Organization unit distinguished name</prop> + <prop key="displayName.fr">Structures de rattachement</prop> + <prop key="description.en">Distinguished name(s) (DN) of the directory entries representing the person's Organizational Unit(s)</prop> + <prop key="description.fr">Structures d'affectation (composante, service...) 
de la personne dans l'annuaire</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">eduPersonOrcid</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.16</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.16</prop> + <prop key="displayName.en">ORCID</prop> + <prop key="displayName.fr">identifiants ORCID</prop> + <prop key="description.en">ORCID researcher identifier(s) belonging to a person</prop> + <prop key="description.fr">Identifiant(s) ORCID d'une personne</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">eduPersonPrimaryAffiliation</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.5</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation</prop> + <prop key="displayName.en">Primary affiliation</prop> + <prop key="displayName.de">Primäre Zugehörigkeit</prop> + <prop key="displayName.fr">Affiliation principale</prop> + <prop key="displayName.it">Affiliazione principale</prop> + <prop key="displayName.ja">主要職位</prop> + <prop key="description.en">Specifies the person's primary relationship to the institution in broad categories such as student, faculty, staff, alum, etc.</prop> + <prop key="description.de">Spezifiziert der Hauptbeziehung einer Person innerhalb ihrer Organisation in groben Kategorien wie Student, Mitarbeiter, Alumni, etc.</prop> + <prop key="description.fr">Spécifie la relation principale d'une personne avec l'institution selon des majeures catégories comme étudiant, collaborateur, alumni etc.</prop> + <prop key="description.it">Specifica la relazione principale della persona con l'istituzione secondo le 
categorie studente, collaboratore, alumni, etc.</prop> + <prop key="description.ja">所属機関における主要な職位(faculty,staff,student,memberなど)</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">eduPersonPrimaryOrgUnitDN</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.8</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN</prop> + <prop key="displayName.en">Primary organization unit distinguished name</prop> + <prop key="displayName.fr">Structure de rattachement principal</prop> + <prop key="description.en">Distinguished name (DN) of the directory entry representing the person's primary Organizational Unit</prop> + <prop key="description.fr">Structure (composante, service) dans l'annuaire considérée comme affectation principale de la personne</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">eduPersonPrincipalName</prop> + <prop key="transcoder">SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.6</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonPrincipalName</prop> + <prop key="saml1.encodeType">false</prop> + <prop key="displayName.en">Principal name</prop> + <prop key="displayName.de">Persönliche ID</prop> + <prop key="displayName.fr">Identifiant unique</prop> + <prop key="displayName.it">ID personale</prop> + <prop key="displayName.ja">プリンシパルID</prop> + <prop key="description.en">A unique identifier for a person, mainly for inter-institutional user identification</prop> + <prop key="description.de">Eindeutige Benutzeridentifikation</prop> + <prop key="description.de-ch">Eindeutige Benützeridentifikation</prop> + 
<prop key="description.fr">L'identifiant unique de l'utilisateur</prop> + <prop key="description.it">Un ID personale che identifica chiaramente l'utente in seno alla sua organizzazione</prop> + <prop key="description.ja">フェデレーション内で一意かつ永続的な利用者識別子</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">eduPersonPrincipalNamePrior</prop> + <prop key="transcoder">SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.12</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.12</prop> + <prop key="saml1.encodeType">false</prop> + <prop key="displayName.en">Prior principal name(s)</prop> + <prop key="displayName.fr">Anciens identifiants EPPN</prop> + <prop key="description.en">eduPersonPrincipalName value(s) previously associated with the entry</prop> + <prop key="description.fr">Liste des valeurs de l'attribut eduPersonPrincipalName précédemment attribuées à la personne</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">eduPersonScopedAffiliation</prop> + <prop key="transcoder">SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.9</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonScopedAffiliation</prop> + <prop key="saml1.encodeType">false</prop> + <prop key="displayName.en">Scoped affiliation</prop> + <prop key="displayName.de">Zugehörigkeit</prop> + <prop key="displayName.fr">Affiliation</prop> + <prop key="displayName.it">Affiliazione</prop> + <prop key="displayName.ja">スコープ付き職位</prop> + <prop key="description.en">Specifies the person's affiliation within a particular security domain</prop> + <prop key="description.de">Art der Zugehörigkeit 
zur Heimatorganisation</prop> + <prop key="description.de-ch">Art der Zugehörigkeit zur Heimorganisation</prop> + <prop key="description.fr">Type d'affiliation dans l'organisation</prop> + <prop key="description.it">Affiliazione: Tipo di affiliazione pressocon l'organizzazione</prop> + <prop key="description.ja">セキュリティドメインのスコープが付いた所属機関における職位</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">eduPersonUniqueId</prop> + <prop key="transcoder">SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.13</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.13</prop> + <prop key="saml1.encodeType">false</prop> + <prop key="displayName.en">Unique ID</prop> + <prop key="displayName.de">Eindeutige ID</prop> + <prop key="displayName.fr">ID unique</prop> + <prop key="displayName.it">ID univoco</prop> + <prop key="displayName.ja">ユニークID</prop> + <prop key="description.en">A unique identifier for a person, mainly for inter-institutional user identification</prop> + <prop key="description.de">Eindeutige Benutzeridentifikation</prop> + <prop key="description.de-ch">Eindeutige Benützeridentifikation</prop> + <prop key="description.fr">Identifiant unique de l'utilisateur</prop> + <prop key="description.it">Un identificativo univoco che identifica chiaramente l'utente in seno alla sua organizzazione</prop> + <prop key="description.ja">フェデレーション内で一意で永続的かつ難読化された利用者識別子(後継はサブジェクトID)</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">eduPersonAnalyticsTag</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder CASStringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.17</prop> + <prop 
key="saml1.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.17</prop> + <prop key="saml1.encodeType">false</prop> + <prop key="displayName.en">Aggregated analytics tag</prop> + <prop key="description.en">Opaque string that aggregates the use of a service by a set of subjects for the purpose of reporting or analytics</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">eduPersonDisplayPronouns</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder CASStringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.18</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.18</prop> + <prop key="saml1.encodeType">false</prop> + <prop key="displayName.en">Display Pronouns</prop> + <prop key="description.en">Personal pronouns by which the person prefers to be identified</prop> + </props> + </property> + </bean> + + </list> + </constructor-arg> + </bean> + +</beans> diff --git a/conf/attributes/inetOrgPerson.xml b/conf/attributes/inetOrgPerson.xml new file mode 100644 index 0000000..2ab78ef --- /dev/null +++ b/conf/attributes/inetOrgPerson.xml 
@@ -0,0 +1,525 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" + xmlns:p="http://www.springframework.org/schema/p" + xmlns:c="http://www.springframework.org/schema/c" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy"> + + <!-- + Note that all built-in rules rely on URI-naming and thus include the implied settings: + + <prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</prop> + <prop key="saml1.namespace">urn:mace:shibboleth:1.0:attributeNamespace:uri</prop> + --> + + <!-- https://tools.ietf.org/html/rfc2798 --> + + <bean parent="shibboleth.TranscodingRuleLoader"> + <constructor-arg> + <list> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">cn</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.5.4.3</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:cn</prop> + <prop key="displayName.en">Common name</prop> + <prop key="displayName.fr">Nom et Prénom</prop> + <prop key="description.en">Common name of a person</prop> + <prop key="description.fr">Nom complet sans accent d'une personne</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">departmentNumber</prop> + <prop 
key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.16.840.1.113730.3.1.2</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:departmentNumber</prop> + <prop key="displayName.en">Department number</prop> + <prop key="displayName.fr">departmentNumber</prop> + <prop key="displayName.de">Abteilungsnummer</prop> + <prop key="description.en">Department number</prop> + <prop key="description.de">Nummer der Abteilung</prop> + <prop key="description.fr">Identifiant du département dans l'organisation</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">displayName</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.16.840.1.113730.3.1.241</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:displayName</prop> + <prop key="displayName.en">Display name</prop> + <prop key="displayName.de">Anzeigename</prop> + <prop key="displayName.fr">Nom</prop> + <prop key="displayName.it">Nome</prop> + <prop key="displayName.ja">表示名</prop> + <prop key="description.en">The name that should appear in white-pages-like applications for this person</prop> + <prop key="description.de">Anzeigename</prop> + <prop key="description.fr">Nom complet d'affichage</prop> + <prop key="description.it">Nome</prop> + <prop key="description.ja">アプリケーションでの表示に用いられる英字氏名</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">employeeNumber</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.16.840.1.113730.3.1.3</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:employeeNumber</prop> + <prop key="displayName.en">Employee number</prop> + <prop key="displayName.de">Mitarbeiternummer</prop> + 
<prop key="displayName.fr">Numéro d'employé</prop> + <prop key="displayName.it">Numero dell'utente</prop> + <prop key="displayName.ja">従業員番号</prop> + <prop key="description.en">Identifies an employee within an organization</prop> + <prop key="description.de">Identifiziert einen Mitarbeiter innerhalb der Organisation</prop> + <prop key="description.fr">Identifie un employé au sein de l'organisation</prop> + <prop key="description.it">Identifica l' utente presso l'organizzazione</prop> + <prop key="description.ja">所属機関における利用者の従業員番号</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">employeeType</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.16.840.1.113730.3.1.4</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:employeeType</prop> + <prop key="displayName.en">Employee type</prop> + <prop key="displayName.fr">Type d'employé</prop> + <prop key="description.en">Employee type</prop> + <prop key="description.fr">Catégorie d'employé dans l'organisation</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">givenName</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.5.4.42</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:givenName</prop> + <prop key="displayName.en">Given name</prop> + <prop key="displayName.de">Vorname</prop> + <prop key="displayName.fr">Prénom</prop> + <prop key="displayName.it">Nome</prop> + <prop key="displayName.ja">名</prop> + <prop key="description.en">Given name of a person</prop> + <prop key="description.de">Vorname</prop> + <prop key="description.fr">Prénom de l'utilisateur</prop> + <prop key="description.it">Nome</prop> + <prop key="description.ja">氏名(名)の英語表記</prop> + 
</props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">homePhone</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:0.9.2342.19200300.100.1.20</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:homePhone</prop> + <prop key="displayName.en">Private phone number</prop> + <prop key="displayName.de">Telefon Privat</prop> + <prop key="displayName.fr">Teléphone personnel</prop> + <prop key="displayName.it">Numero di telefono privato</prop> + <prop key="displayName.ja">自宅電話番号</prop> + <prop key="description.en">Private phone number</prop> + <prop key="description.de">Private Telefonnummer</prop> + <prop key="description.fr">Numéro de téléphone de domicile de la personne</prop> + <prop key="description.it">Numero di telefono privato</prop> + <prop key="description.ja">自宅の電話番号</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">homePostalAddress</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:0.9.2342.19200300.100.1.39</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:homePostalAddress</prop> + <prop key="displayName.en">Home postal address</prop> + <prop key="displayName.de">Heimatadresse</prop> + <prop key="displayName.de-ch">Heimadresse</prop> + <prop key="displayName.fr">Adresse personnelle</prop> + <prop key="displayName.it">Indirizzo personale</prop> + <prop key="displayName.ja">自宅住所</prop> + <prop key="description.en">Home postal address: Home address of the user</prop> + <prop key="description.de">Heimatadresse</prop> + <prop key="description.de-ch">Heimadresse</prop> + <prop key="description.fr">Adresse postale de domicile de la personne</prop> + <prop key="description.it">Indirizzo personale: indirizzo 
dove abita l'utente</prop> + <prop key="description.ja">自宅の住所</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">initials</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.5.4.43</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:initials</prop> + <prop key="displayName.en">Initials</prop> + <prop key="displayName.de">Initialen</prop> + <prop key="displayName.fr">Initiales</prop> + <prop key="displayName.ja">イニシャル</prop> + <prop key="description.en">Initials</prop> + <prop key="description.de">Anfangsbuchstaben des Namens</prop> + <prop key="description.de-ch">Die Anfangsbuchstaben</prop> + <prop key="description.fr">L' initiales</prop> + <prop key="description.ja">イニシャル</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">l</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.5.4.7</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:l</prop> + <prop key="displayName.en">Locality name</prop> + <prop key="displayName.de">Ort</prop> + <prop key="displayName.fr">Localité</prop> + <prop key="displayName.ja">場所(L)</prop> + <prop key="description.en">Locality name</prop> + <prop key="description.de">Ort</prop> + <prop key="description.fr">Nom de la localité où réside l'objet</prop> + <prop key="description.ja">場所の名前 日本の場合は市区町村名</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">mail</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:0.9.2342.19200300.100.1.3</prop> + <prop 
key="saml1.name">urn:mace:dir:attribute-def:mail</prop> + <prop key="displayName.en">E-mail</prop> + <prop key="displayName.de">E-Mail</prop> + <prop key="displayName.fr">Email</prop> + <prop key="displayName.it">E-mail</prop> + <prop key="displayName.ja">メールアドレス</prop> + <prop key="description.en">E-Mail: Preferred address for e-mail to be sent to this person</prop> + <prop key="description.de">E-Mail-Adresse</prop> + <prop key="description.de-ch">E-Mail Adresse</prop> + <prop key="description.fr">Adresse de courrier électronique</prop> + <prop key="description.it">E-Mail: l'indirizzo e-mail preferito dall'utente</prop> + <prop key="description.ja">メールアドレス</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">mobile</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:0.9.2342.19200300.100.1.41</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:mobile</prop> + <prop key="displayName.en">Mobile phone number</prop> + <prop key="displayName.de">Telefon Mobil</prop> + <prop key="displayName.fr">Numéro de mobile</prop> + <prop key="displayName.it">Numero di cellulare</prop> + <prop key="displayName.ja">携帯電話番号</prop> + <prop key="description.en">Mobile phone number</prop> + <prop key="description.de">Mobile Telefonnummer</prop> + <prop key="description.fr">Numéro de teléphone mobile</prop> + <prop key="description.it">Numero di cellulare</prop> + <prop key="description.ja">携帯電話の電話番号</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">o</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.5.4.10</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:o</prop> + <prop key="displayName.en">Organization name</prop> 
+ <prop key="displayName.de">Organisationsname</prop> + <prop key="displayName.fr">Nom de l'organisation</prop> + <prop key="displayName.ja">所属機関名</prop> + <prop key="description.en">Organization name</prop> + <prop key="description.de">Name der Organisation</prop> + <prop key="description.fr">Nom de l'organisation</prop> + <prop key="description.ja">所属機関名称の英語表記</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">ou</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.5.4.11</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:ou</prop> + <prop key="displayName.en">Organizational unit</prop> + <prop key="displayName.de">Organisationseinheit</prop> + <prop key="displayName.fr">Unité organisationnelle</prop> + <prop key="displayName.ja">機関内所属名</prop> + <prop key="description.en">Organizational unit</prop> + <prop key="description.de">Name der Organisationseinheit</prop> + <prop key="description.fr">Nom de l'unité organisationnelle</prop> + <prop key="description.ja">機関内所属名称の英語表記</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">pager</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:0.9.2342.19200300.100.1.42</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:pager</prop> + <prop key="displayName.en">Pager number</prop> + <prop key="description.en">Pager number</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">postalAddress</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.5.4.16</prop> + <prop 
key="saml1.name">urn:mace:dir:attribute-def:postalAddress</prop> + <prop key="displayName.en">Business postal address</prop> + <prop key="displayName.de">Geschäftsadresse</prop> + <prop key="displayName.fr">Adresse professionnelle</prop> + <prop key="displayName.it">Indirizzo professionale</prop> + <prop key="displayName.ja">所属機関住所</prop> + <prop key="description.en">Business postal address: Campus or office address</prop> + <prop key="description.de">Geschäftliche Adresse</prop> + <prop key="description.de-ch">Adresse am Arbeitsplatz</prop> + <prop key="description.fr">Adresse de l'institut, de l'université</prop> + <prop key="description.it">Indirizzo professionale: indirizzo dell'istituto o dell'ufficio</prop> + <prop key="description.ja">所属機関の住所</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">postalCode</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.5.4.17</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:postalCode</prop> + <prop key="displayName.en">Postal code</prop> + <prop key="displayName.en-us">ZIP code</prop> + <prop key="displayName.de">Postleitzahl</prop> + <prop key="displayName.fr">Code postal</prop> + <prop key="displayName.ja">郵便番号</prop> + <prop key="description.en">Postal code</prop> + <prop key="description.en-us">ZIP code</prop> + <prop key="description.de">Postleitzahl</prop> + <prop key="description.fr">Code postal</prop> + <prop key="description.ja">郵便番号</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">postOfficeBox</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:mace:dir:attribute-def:postOfficeBox</prop> + <prop key="saml1.name">urn:oid:2.5.4.18</prop> + <prop 
key="displayName.en">Postal box</prop> + <prop key="displayName.de">Postfach</prop> + <prop key="displayName.fr">Boite postale</prop> + <prop key="displayName.fr-ch">Case postale</prop> + <prop key="displayName.ja">私書箱</prop> + <prop key="description.en">Postal box identifier</prop> + <prop key="description.de">Postfach</prop> + <prop key="description.fr">Boite postale</prop> + <prop key="description.fr-ch">Case postale</prop> + <prop key="description.ja">私書箱</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">preferredLanguage</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.16.840.1.113730.3.1.39</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:preferredLanguage</prop> + <prop key="displayName.en">Preferred Language</prop> + <prop key="displayName.de">Bevorzugte Sprache</prop> + <prop key="displayName.fr">Langue préférée</prop> + <prop key="displayName.it">Lingua preferita</prop> + <prop key="displayName.ja">希望言語</prop> + <prop key="description.en">Preferred language: Users preferred language (see RFC1766)</prop> + <prop key="description.de">Bevorzugte Sprache (siehe RFC1766)</prop> + <prop key="description.fr">Exemple: fr, de, it, en, ... (voir RFC1766)</prop> + <prop key="description.it">Lingua preferita: la lingua preferita dall'utente (cfr. 
RFC1766)</prop> + <prop key="description.ja">利用者が希望する言語(RFC1766 を参照)</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">sn</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.5.4.4</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:sn</prop> + <prop key="displayName.en">Surname</prop> + <prop key="displayName.de">Nachname</prop> + <prop key="displayName.fr">Nom de famille</prop> + <prop key="displayName.it">Cognome</prop> + <prop key="displayName.ja">姓</prop> + <prop key="description.en">Surname or family name</prop> + <prop key="description.de">Familienname</prop> + <prop key="description.fr">Nom de famille de l'utilisateur</prop> + <prop key="description.it">Cognome dell'utilizzatore</prop> + <prop key="description.ja">氏名(姓)の英語表記</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">st</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.5.4.8</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:st</prop> + <prop key="displayName.en">State or province name</prop> + <prop key="displayName.fr">Etat ou nom de province</prop> + <prop key="displayName.ja">都道府県もしくは州や省(ST)</prop> + <prop key="description.en">State or province name</prop> + <prop key="description.fr">Etat ou nom de province</prop> + <prop key="description.ja">州名や省名 国によって異なり日本の場合は都道府県名</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">street</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.5.4.9</prop> + <prop 
key="saml1.name">urn:mace:dir:attribute-def:street</prop> + <prop key="displayName.en">Street</prop> + <prop key="displayName.de">Straße</prop> + <prop key="displayName.de-ch">Strasse</prop> + <prop key="displayName.fr">Rue</prop> + <prop key="displayName.ja">通り</prop> + <prop key="description.en">Street address</prop> + <prop key="description.de">Name der Straße</prop> + <prop key="description.de-ch">Strassenadresse</prop> + <prop key="description.fr">Nom de rue</prop> + <prop key="description.ja">通りおよび番地</prop> + </props> + </property> + </bean> + + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">telephoneNumber</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.5.4.20</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:telephoneNumber</prop> + <prop key="displayName.en">Business phone number</prop> + <prop key="displayName.de">Telefon Geschäft</prop> + <prop key="displayName.fr">Teléphone professionnel</prop> + <prop key="displayName.it">Numero di telefono dell'ufficio</prop> + <prop key="displayName.ja">所属機関内電話番号</prop> + <prop key="description.en">Business phone number: Office or campus phone number</prop> + <prop key="description.de">Telefonnummer am Arbeitsplatz</prop> + <prop key="description.fr">Teléphone de l'institut, de l'université</prop> + <prop key="description.it">Numero di telefono dell'ufficio</prop> + <prop key="description.ja">所属機関での利用者の電話番号</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">title</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:2.5.4.12</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:title</prop> + <prop key="displayName.en">Title</prop> + <prop key="displayName.de">Titel</prop> + <prop 
key="displayName.fr">Title</prop> + <prop key="displayName.ja">肩書き</prop> + <prop key="description.en">Title of a person</prop> + <prop key="description.de">Titel der Person</prop> + <prop key="description.fr">Titre de la personne</prop> + <prop key="description.ja">利用者の肩書き</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">uid</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:0.9.2342.19200300.100.1.1</prop> + <prop key="saml1.name">urn:mace:dir:attribute-def:uid</prop> + <prop key="displayName.en">User ID</prop> + <prop key="displayName.de">Benutzer-ID</prop> + <prop key="displayName.fr">ID utilisateur</prop> + <prop key="displayName.it">ID dell'utente</prop> + <prop key="displayName.ja">ユーザID</prop> + <prop key="description.en">A unique identifier for a person, mainly used for user identification within the user's home organization</prop> + <prop key="description.de">Eine eindeutige Nummer für eine Person, welche hauptsächlich zur Identifikation innerhalb der Organisation benutzt wird</prop> + <prop key="description.fr">Identifiant de connexion d'une personnes sur les systèmes informatiques</prop> + <prop key="description.it">Identificativo unico della persona, usato per l'identificazione dell'utente all'interno della organizzazione di appartenenza</prop> + <prop key="description.ja">所属機関内で一意の利用者識別子</prop> + </props> + </property> + </bean> + + </list> + </constructor-arg> + </bean> + +</beans> diff --git a/conf/attributes/samlSubject.xml b/conf/attributes/samlSubject.xml new file mode 100644 index 0000000..3ffa3cc --- /dev/null +++ b/conf/attributes/samlSubject.xml 
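Review bot: The postOfficeBox rule has its two SAML name properties swapped: it reads `<prop key="saml2.name">urn:mace:dir:attribute-def:postOfficeBox</prop>` and `<prop key="saml1.name">urn:oid:2.5.4.18</prop>`, while every other rule in this file puts the OID URN under saml2.name and the urn:mace:dir name under saml1.name. Presumably the SAML 2 encoding would then go out under the legacy name, so a relying party mapping urn:oid:2.5.4.18 would not match it; the values should be exchanged to `<prop key="saml2.name">urn:oid:2.5.4.18</prop>` and `<prop key="saml1.name">urn:mace:dir:attribute-def:postOfficeBox</prop>`. Minor display-text nits in the same hunk: title's `displayName.fr` is the English word `Title`, departmentNumber's `displayName.fr` repeats the attribute name rather than a French label, and `Teléphone` in the homePhone and telephoneNumber rules should read `Téléphone`.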
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ Note that all built-in rules rely on URI-naming and thus include the implied settings:
+
+ <prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</prop>
+ -->
+
+ <!-- https://wiki.oasis-open.org/security/SAMLSubjectIDAttr -->
+
+ <bean parent="shibboleth.TranscodingRuleLoader">
+ <constructor-arg>
+ <list>
+
+ <bean parent="shibboleth.TranscodingProperties">
+ <property name="properties">
+ <props merge="true">
+ <prop key="id">samlSubjectID</prop>
+ <prop key="transcoder">SAML2ScopedStringTranscoder</prop>
+ <prop key="saml2.name">urn:oasis:names:tc:SAML:attribute:subject-id</prop>
+ <prop key="displayName.en">Unique ID</prop>
+ <prop key="displayName.de">Eindeutige ID</prop>
+ <prop key="displayName.fr">ID unique</prop>
+ <prop key="displayName.it">ID unico</prop>
+ <prop key="displayName.ja">サブジェクトID</prop>
+ <prop key="description.en">A unique identifier for a person, mainly for inter-institutional user identification</prop>
+ <prop key="description.de">Eindeutige Benutzeridentifikation</prop>
+ <prop key="description.de-ch">Eindeutige Benützeridentifikation</prop>
+ <prop key="description.fr">Identifiant unique de l'utilisateur</prop>
+ <prop key="description.it">Un identificativo personale che identifica chiaramente l'utente in seno alla sua organizzazione</prop>
+ <prop key="description.ja">フェデレーション内で一意で永続的かつ難読化された利用者識別子(eduPersonUniqueIdの後継)</prop>
+ </props>
+ </property>
+ </bean>
+
+ <bean parent="shibboleth.TranscodingProperties">
+ <property name="properties">
+ <props merge="true">
+ <prop key="id">samlPairwiseID</prop>
+ <prop key="transcoder">SAML2ScopedStringTranscoder</prop>
+ <prop key="saml2.name">urn:oasis:names:tc:SAML:attribute:pairwise-id</prop>
+ <prop key="displayName.en">Pairwise ID</prop>
+ <prop key="displayName.de">Pairwise ID</prop>
+ <prop key="displayName.fr">Pairwise ID</prop>
+ <prop key="displayName.it">Pairwise ID</prop>
+ <prop key="displayName.ja">ペアワイズID</prop>
+ <prop key="description.en">Pairwise ID: A unique identifier for a person, different for each service provider</prop>
+ <prop key="description.de">Pairwise ID: Eindeutige Benutzeridentifikation, unterschiedlich pro Service Provider</prop>
+ <prop key="description.de-ch">Pairwise ID: Eindeutige Benützeridentifikation, unterschiedlich pro Service Provider</prop>
+ <prop key="description.fr">Pairwise ID: Un identifiant unique de l'utilisateur, différent pour chaque fournisseur de service</prop>
+ <prop key="description.it">Pairwise ID: identificativo unico della persona, differente per ogni fornitore di servizio</prop>
+ <prop key="description.ja">フェデレーション内で一意かつSP毎に送出される値が異なる利用者識別子(eduPersonTargetedIDの後継)</prop>
+ </props>
+ </property>
+ </bean>
+
+ </list>
+ </constructor-arg>
+ </bean>
+
+</beans>
diff --git a/conf/attributes/schac.xml b/conf/attributes/schac.xml
new file mode 100644
index 0000000..2e0db26
--- /dev/null
+++ b/conf/attributes/schac.xml
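Review bot: The English description of `samlSubjectID` never tells the user that this identifier is persistent and identical for every service provider, which is exactly the property that separates it from `samlPairwiseID` defined directly below it; the Japanese description does state persistence, so the locales currently disagree on the point that matters most on a consent screen. I would align the English text with the profile the comment links to, e.g. `<prop key="description.en">Subject ID: a persistent, non-reassignable identifier for a person that is the same for every service provider</prop>`. The pairwise entry already says "different for each service provider" and is fine as written. Defining these transcoding rules presumably does not release either attribute on its own; release policy lives in the attribute filter, which this commit does not touch.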
@@ -0,0 +1,382 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" + xmlns:p="http://www.springframework.org/schema/p" + xmlns:c="http://www.springframework.org/schema/c" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy"> + + <!-- + Note that all built-in rules rely on URI-naming and thus include the implied settings: + + <prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</prop> + <prop key="saml1.namespace">urn:mace:shibboleth:1.0:attributeNamespace:uri</prop> + --> + + <bean parent="shibboleth.TranscodingRuleLoader"> + <constructor-arg> + <list> + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacMotherTongue</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.1</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.1</prop> + <prop key="displayName.en">Mother Tongue</prop> + <prop key="displayName.fr">Langue maternelle</prop> + <prop key="displayName.it">Lingua Madre</prop> + <prop key="description.en">Mother Tongue of the user</prop> + <prop key="description.fr">Langue maternelle (la langue apprise en premier par une personne : fr</prop> + <prop key="description.it">Lingua Madre dell'utente</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + 
<property name="properties"> + <props merge="true"> + <prop key="id">schacGender</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.2</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.2</prop> + <prop key="displayName.en">Gender</prop> + <prop key="displayName.fr">Genre</prop> + <prop key="displayName.it">Genere</prop> + <prop key="description.en">Gender of the user</prop> + <prop key="description.fr">Genre de la personne : un chiffre (0 "Not known, 1 "Male", 2 "Female", 9 "Not specified")</prop> + <prop key="description.it">Genere dell'utente</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacDateOfBirth</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.3</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.3</prop> + <prop key="displayName.en">Date or Birth</prop> + <prop key="displayName.fr">Date de naissance</prop> + <prop key="displayName.it">Giorno di nascita</prop> + <prop key="description.en">The date of birth for the subject it is associated with</prop> + <prop key="description.fr">Date de naissance au format "YYYYMMJJ"</prop> + <prop key="description.it">Giorno di nascita del soggetto</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacYearOfBirth</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.0.2.3</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.0.2.3</prop> + <prop key="displayName.en">Year of birth</prop> + <prop key="displayName.fr">Année de naissance</prop> + <prop key="displayName.it">Anno di nascita</prop> + <prop 
key="description.en">The year of birth for the subject it is associated with</prop> + <prop key="description.fr">Année de naissance au format "YYYY"</prop> + <prop key="description.it">Anno di nascita del soggetto</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacPlaceOfBirth</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.4</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.4</prop> + <prop key="displayName.en">Place of Birth</prop> + <prop key="displayName.fr">Lieu de naissance</prop> + <prop key="displayName.it">Luogo di nascita</prop> + <prop key="description.en">The place of birth for the subject it is associated with</prop> + <prop key="description.fr">Lieu de naissance</prop> + <prop key="description.it">Luogo di nascita del soggetto</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacCountryOfCitizenship</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.5</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.5</prop> + <prop key="displayName.en">Country of Citizenship</prop> + <prop key="displayName.fr">Nationalité</prop> + <prop key="description.en">The countries of citizenship for the subject it is associated with</prop> + <prop key="description.fr">Pays où une personne est un citoyen : 2 lettres au format ISO 3166 (fr, es...)</prop> + <prop key="description.it">Cittadinanza</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacSn1</prop> + <prop key="transcoder">SAML2StringTranscoder 
SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.6</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.6</prop> + <prop key="displayName.en">First Surname</prop> + <prop key="displayName.fr">Premier nom</prop> + <prop key="displayName.it">Primo Cognome</prop> + <prop key="description.en">First surname of a person ("the surname" in international terms)</prop> + <prop key="description.fr">Premier nom d'une personne</prop> + <prop key="description.it">Il cognome di una persona</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacSn2</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.7</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.7</prop> + <prop key="displayName.en">Second Surname</prop> + <prop key="displayName.fr">Second nom</prop> + <prop key="displayName.it">Secondo Cognome</prop> + <prop key="description.en">Second surname of a person</prop> + <prop key="description.fr">Second nom d'une personne</prop> + <prop key="description.it">Secondo cognome di una persona</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacPersonalTitle</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.8</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.8</prop> + <prop key="displayName.en">Personal Title</prop> + <prop key="displayName.fr">Titre</prop> + <prop key="displayName.it">Soprannome</prop> + <prop key="description.en">Nice name used for the user</prop> + <prop key="description.fr">Titre de la personne</prop> + <prop key="description.it">Titolo usato per salutare l'utente</prop> + </props> + </property> + 
</bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacHomeOrganization</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.9</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.9</prop> + <prop key="displayName.en">Home Organization</prop> + <prop key="displayName.fi">Kotiorganisaatio</prop> + <prop key="displayName.fr">Organisme</prop> + <prop key="displayName.it">Dominio dell'istituzione</prop> + <prop key="description.en">The domain name of the person's home organisation</prop> + <prop key="description.fi">Henkilön kotiorganisaation domain-nimi</prop> + <prop key="description.fr">Nom de domaine DNS de l'organisme d'origine d'une personne</prop> + <prop key="description.it">Dominio dell'istituzione</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacHomeOrganizationType</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.10</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.10</prop> + <prop key="displayName.en">Home organization type</prop> + <prop key="displayName.fi">Kotiorganisaation tyyppi</prop> + <prop key="displayName.fr">Type d'organisme</prop> + <prop key="displayName.it">Tipo di organizzazione di appartenenza (internazionale)</prop> + <prop key="description.en">Home organisation type: university, polytechnic, etc</prop> + <prop key="description.fi">Kotiorganisaation tyyppi: yliopisto, ammattikorkeakoulu jne</prop> + <prop key="description.fr">Type d'organisme d'origine d'une personne</prop> + <prop key="description.it">Tipo di organizzazione di appartenenza</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property 
name="properties"> + <props merge="true"> + <prop key="id">schacCountryOfResidence</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.11</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.11</prop> + <prop key="displayName.en">Country of Residence</prop> + <prop key="displayName.fr">Pays de résidence</prop> + <prop key="displayName.it">Residenza</prop> + <prop key="description.en">The country of residence for the subject</prop> + <prop key="description.fr">Pays de résidence : fr, es...</prop> + <prop key="description.it">Paese di residenza dell'utente</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacUserPresenceID</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.12</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.12</prop> + <prop key="displayName.en">User Presence ID</prop> + <prop key="displayName.fr">Identifiant de présence</prop> + <prop key="displayName.it">ID utente sulla rete</prop> + <prop key="description.en">Identifiers that user collect on the net</prop> + <prop key="description.fr">Ensemble de valeurs liées aux protocoles de présence réseau (sip, xmpp, h323...)</prop> + <prop key="description.it">Identificativi usati dall'utente sulla rete</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacPersonalPosition</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.13</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.13</prop> + <prop key="displayName.en">Personal Position</prop> + <prop key="displayName.fr">Position/Rôle</prop> + 
<prop key="displayName.it">Ruolo ricoperto</prop> + <prop key="description.en">Personal Position of the user for the institution</prop> + <prop key="description.fr">Position/Rôle de la personne au sein d'une institution</prop> + <prop key="description.it">Ruolo dell'utente nell'istituzione</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacPersonalUniqueCode</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.14</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.14</prop> + <prop key="displayName.en">Personal Unique Code</prop> + <prop key="displayName.fr">Code personnel unique</prop> + <prop key="displayName.it">Codice Univoco</prop> + <prop key="description.en">Unique code for the subject it is associated with</prop> + <prop key="description.fr">"Code unique" pour le sujet auquel il est associé (peut être le numéro d'étudiant, le numéro d'employé, ...)</prop> + <prop key="description.it">Codice Univoco legato al soggetto</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacPersonalUniqueID</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.15</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.15</prop> + <prop key="displayName.en">Personal Unique ID</prop> + <prop key="displayName.fr">Identifiant personnel unique</prop> + <prop key="displayName.it">ID Legale Univoco</prop> + <prop key="description.en">Unique Legal Identifier of a person</prop> + <prop key="description.fr">identifiant unique légal (DNI en espagne)</prop> + <prop key="description.it">Identificativo Univoco Legale associato alla persona</prop> + </props> + </property> + 
</bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacExpiryDate</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.17</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.17</prop> + <prop key="displayName.en">Expiry Date</prop> + <prop key="displayName.fr">Date d'expiration</prop> + <prop key="description.en">The date from which the set of data is to be considered invalid (specifically, in what refers to rights and entitlements)</prop> + <prop key="description.fr">Date à partir de laquelle l'ensemble de données de la personne doit être considéré comme invalide, au format "YYYYMMDDhhmmssZ"</prop> + <prop key="description.it">Data di scadenza dei dati utente (diritti e titoli)</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacUserPrivateAttribute</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.18</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.18</prop> + <prop key="displayName.en">User Private Attribute</prop> + <prop key="displayName.fr">Exigences de confidentialité</prop> + <prop key="description.en">Datas that the user and/or organization policies want to keep private</prop> + <prop key="description.fr">Exigences de confidentialité, telles qu'exprimées par l'utilisateur et / ou les stratégies de l'entreprise</prop> + <prop key="description.it">Dati che l'utente o le policy organizzative vogliono tenere private</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacUserStatus</prop> + <prop key="transcoder">SAML2StringTranscoder 
SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.19</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.19</prop> + <prop key="displayName.en">User Status</prop> + <prop key="displayName.fr">Status utilisateur</prop> + <prop key="description.en">Set of status of a person as user of services</prop> + <prop key="description.fr">Ensemble de status d'une personne en tant qu'utilisateur de services</prop> + <prop key="description.it">Stato di attivita' per l'utente sui diversi servizi</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacProjectMembership</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.20</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.20</prop> + <prop key="displayName.en">Project Membership</prop> + <prop key="displayName.fr">Appartenance au projet</prop> + <prop key="description.en">Name of the project the user belongs to</prop> + <prop key="description.fr">Nom du projet auquel l'utilisateur appartient</prop> + <prop key="description.it">Nome del progetto a cui l'utente appartiene</prop> + </props> + </property> + </bean> + + <bean parent="shibboleth.TranscodingProperties"> + <property name="properties"> + <props merge="true"> + <prop key="id">schacProjectSpecificRole</prop> + <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop> + <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.21</prop> + <prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.21</prop> + <prop key="displayName.en">Project Specific Role</prop> + <prop key="displayName.fr">Roles spécifiques au projet</prop> + <prop key="description.en">Set of roles inside specific projects for the user</prop> + <prop key="description.fr">Ensemble de rôles dans des projets spécifiques</prop> + <prop 
key="description.it">Insieme dei ruoli svolti dall'utente su specifici progetti</prop>
+ </props>
+ </property>
+ </bean>
+ </list>
+ </constructor-arg>
+ </bean>
+</beans>
diff --git a/conf/audit.xml b/conf/audit.xml
index 43f029d..3c9c408 100644
--- a/conf/audit.xml
+++ b/conf/audit.xml
@@ -11,16 +11,15 @@
 default-destroy-method="destroy">
 <!--
- This bean defines a mapping between audit log categories and formatting strings. The default entry is
- for compatibility with V2 audit logging.
+ This bean defines a mapping between audit log categories and formatting strings.
 -->
 <util:map id="shibboleth.AuditFormattingMap">
- <entry key="Shibboleth-Audit" value="%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|%X" />
+ <entry key="Shibboleth-Audit" value="%a|%ST|%T|%u|%SP|%i|%ac|%t|%attr|%n|%f|%SSO|%XX|%XA|%b|%bb|%e|%S|%SS|%s|%UA" />
 </util:map>
 <!-- Override the format of date/time fields in the log and/or convert to default time zone. -->
 <!--
- <bean id="shibboleth.AuditDateTimeFormat" class="java.lang.String" c:_0="YYYY-MM-dd'T'HH:mm:ss.SSSZZ" />
+ <bean id="shibboleth.AuditDateTimeFormat" class="java.lang.String" c:_0="yyyy-MM-dd'T'HH:mm:ss.SSSZZ" />
 <util:constant id="shibboleth.AuditDefaultTimeZone" static-field="java.lang.Boolean.TRUE" />
 -->
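Review bot: Several display strings added in this file are malformed and will be shown verbatim to users on consent pages: `schacDateOfBirth` has `<prop key="displayName.en">Date or Birth</prop>` (should read `Date of Birth`), the French `schacGender` description has an unclosed quote in `0 "Not known, 1 "Male"`, the French `schacMotherTongue` description ends with an unclosed parenthesis and a stray `: fr`, and `schacUserPrivateAttribute` uses `Datas`. At minimum I would correct the English one: `<prop key="displayName.en">Date of Birth</prop>`. Because this file registers national-ID, birth-date, gender and citizenship attributes, this per-locale text is the only thing a user sees before deciding on release, so it is worth getting right.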
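Review bot: The removed comment was the only in-file documentation of the `Shibboleth-Audit` layout, and the new format string changes the field order and adds fields, so any existing consumer of this log (SIEM parsers, alerting rules) will misparse silently after this change without any hint in the file. I would keep a short note above the map, e.g. `<!-- Layout is not V2-compatible: field order changed and fields were added; see the audit logging documentation for the %-codes and update downstream parsers. -->`. The `YYYY` to `yyyy` correction in the commented-out date format is a genuine fix, since `YYYY` is the week-based year in Java date patterns and would produce wrong dates around year boundaries.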
@@ -30,4 +29,27 @@
 <value>http://shibboleth.net/ns/profiles/mdquery</value>
 </util:list>
+ <!--
+ You can freely add/change this map to map constants or frequently appearing strings into
+ shorter values in the audit log.
+ -->
+ <util:map id="shibboleth.AuditFieldReplacementMap">
+ <entry key="urn:oasis:names:tc:SAML:1.0:am:password" value="password" />
+ <entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" value="password" />
+ <entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" value="password" />
+ <entry key="urn:mace:shibboleth:1.0:nameIdentifier" value="transient" />
+ <entry key="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" value="transient" />
+ <entry key="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" value="persistent" />
+ <entry key="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" value="emailAddress" />
+ <entry key="urn:oasis:names:tc:SAML:2.0:status:Success" value="Success" />
+ <entry key="urn:oasis:names:tc:SAML:2.0:status:Requester" value="Requester" />
+ <entry key="urn:oasis:names:tc:SAML:2.0:status:Responder" value="Responder" />
+ <entry key="http://www.w3.org/2009/xmlenc11#aes128-gcm" value="AES128-GCM" />
+ <entry key="http://www.w3.org/2009/xmlenc11#aes192-gcm" value="AES192-GCM" />
+ <entry key="http://www.w3.org/2009/xmlenc11#aes256-gcm" value="AES256-GCM" />
+ <entry key="http://www.w3.org/2001/04/xmlenc#aes128-cbc" value="AES128-CBC" />
+ <entry key="http://www.w3.org/2001/04/xmlenc#aes192-cbc" value="AES192-CBC" />
+ <entry key="http://www.w3.org/2001/04/xmlenc#aes256-cbc" value="AES256-CBC" />
+ </util:map>
+
 </beans>
diff --git a/conf/authn/authn-comparison.xml b/conf/authn/authn-comparison.xml
index f167b7a..0730bcb 100644
--- a/conf/authn/authn-comparison.xml
+++ b/conf/authn/authn-comparison.xml
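Review bot: The replacement map collapses `urn:oasis:names:tc:SAML:2.0:ac:classes:Password` and `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport` to the same token `password`, so the audit log can no longer show which context class the IdP actually asserted, even though the weight map in authn-comparison.xml in this same commit deliberately prefers one of them. For incident review that distinction matters, since it is the difference between claiming a protected transport and making no such claim, and the `%ac` field in the new format is where it would have been visible. I would give the two classes distinct tokens, e.g. `<entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" value="PasswordProtectedTransport" />` (or `PPT` if brevity is the goal). The SAML 1 `am:password` mapping can stay as it is.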
@@ -12,66 +12,106 @@ default-destroy-method="destroy"> <!-- - These beans can be used in the AuthnComparisonRules map below instead of the defaults to - support more advanced matching rules. The top example shows how to configure a matching rule, - in this case a rule that the two listed classes are "better" than the password class. - - To use these beans, configure the matchingRules map as desired, and then reference the bean id in the - desired value-ref slot in the AuthnComparisonRules map. + This is a map used to "weight" particular methods above others if the IdP has to randomly select one + to insert into a SAML authentication statement. The typical use shown below is to bias the IdP in favor + of expressing the SAML 2 PasswordProtectedTransport class over the more vanilla Password class on the + assumption that the IdP doesn't accept passwords via an insecure channel. This map never causes the IdP + to violate its matching rules if an RP requests a particular value; it only matters when nothing specific + is chosen. Anything not in the map has a weight of zero. 
--> - <bean id="shibboleth.BetterClassRefMatchFactory" parent="shibboleth.InexactMatchFactory"> - <!-- - <property name="matchingRules"> - <map> - <entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:Password"> - <list> - <value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value> - <value>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</value> - </list> - </entry> - </map> - </property> - --> - </bean> - - <bean id="shibboleth.MinimumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> - - <bean id="shibboleth.MaximumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> + <util:map id="shibboleth.AuthenticationPrincipalWeightMap"> + <entry> + <key> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> + </key> + <value>1</value> + </entry> + </util:map> - <!-- DeclRefs are rarely used in SAML, so you likely won't bother with these. --> - <bean id="shibboleth.BetterDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> - <bean id="shibboleth.MinimumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> - <bean id="shibboleth.MaximumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> - - - <!-- Registry of matching rules. --> - + <!-- + Uncomment and add entries to this map to support "inexact" SAML RequestedAuthnContext operators. + Please refer to the AuthenticationFlowSelection documentation topic for details and examples. + --> + <!-- <util:map id="shibboleth.AuthnComparisonRules"> - - <!-- Exact matching, should be left alone to avoid tricking the IdP into behaving incorrectly. 
--> - <entry key-ref="shibboleth.SAMLAuthnMethodExact" value-ref="shibboleth.ExactMatchFactory"/> - <entry key-ref="shibboleth.SAMLACClassRefExact" value-ref="shibboleth.ExactMatchFactory"/> - <entry key-ref="shibboleth.SAMLACDeclRefExact" value-ref="shibboleth.ExactMatchFactory"/> - - <!-- Minimum matching, leave to allow degeneration into exact, or replace with custom rules. --> - <entry key-ref="shibboleth.SAMLACClassRefMinimum" value-ref="shibboleth.ExactMatchFactory"/> - <entry key-ref="shibboleth.SAMLACDeclRefMinimum" value-ref="shibboleth.ExactMatchFactory"/> - - <!-- Maximum matching, leave to allow degeneration into exact, or replace with custom rules. --> - <entry key-ref="shibboleth.SAMLACClassRefMaximum" value-ref="shibboleth.ExactMatchFactory"/> - <entry key-ref="shibboleth.SAMLACDeclRefMaximum" value-ref="shibboleth.ExactMatchFactory"/> - - <!-- Better matching, refers to empty ruleset that has to be populated to work. --> - <entry key-ref="shibboleth.SAMLACClassRefBetter" value-ref="shibboleth.BetterClassRefMatchFactory"/> - <entry key-ref="shibboleth.SAMLACDeclRefBetter" value-ref="shibboleth.BetterDeclRefMatchFactory"/> - </util:map> - + --> + <!-- List of context classes or declarations to ignore if an SP requests them. --> <util:list id="shibboleth.IgnoredContexts"> <value>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</value> </util:list> + <!-- + Mappings to transform custom Principals for proxied AuthnRequests. + Key is the input, value is a collection of possibly empty outputs. + Used by default to transform authentication type values from + SPs -> Proxied IdPs. 
+ --> + <util:map id="shibboleth.PrincipalProxyRequestMappings"> + <!-- + <entry> + <key> + <bean parent="shibboleth.SAML1AuthenticationMethod" + c:classRef="https://sp.example.org/context" /> + </key> + <list> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="https://proxy.example.org/context1" /> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="https://proxy.example.org/context2" /> + </list> + </entry> + <entry> + <key> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="https://sp.example.org/context" /> + </key> + <list> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="https://proxy.example.org/context1" /> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="https://proxy.example.org/context2" /> + </list> + </entry> + --> + </util:map> + + <!-- + Mappings to transform proxied Principals for inclusion in Subjects. + Key is the input, value is a collection of possibly empty outputs. + Used by default to transform values from Proxied IdP. -> + --> + <util:map id="shibboleth.PrincipalProxyResponseMappings"> + <!-- + <entry> + <key> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="https://proxy.example.org/context1" /> + </key> + <list> + <bean parent="shibboleth.SAML1AuthenticationMethod" + c:classRef="https://sp.example.org/context" /> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="https://sp.example.org/context" /> + </list> + </entry> + <entry> + <key> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="https://proxy.example.org/context2" /> + </key> + <list> + <bean parent="shibboleth.SAML1AuthenticationMethod" + c:classRef="https://sp.example.org/context" /> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="https://sp.example.org/context" /> + </list> + </entry> + --> + </util:map> + </beans> 
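Review bot: The new `shibboleth.AuthenticationPrincipalWeightMap` makes the IdP prefer asserting `PasswordProtectedTransport` whenever an RP requests nothing specific, and the comment justifies this with "the assumption that the IdP doesn't accept passwords via an insecure channel". That assumption is a deployment property enforced outside this file (TLS-only login endpoint, no plain-HTTP listener on the container), and a deployment that does not enforce it would be making a false security claim to every relying party by default. I would make the dependency explicit next to the entry, e.g. `<!-- Keep this weight only if the login form is reachable exclusively over TLS; otherwise remove it so the plain Password class is asserted. -->`. Separately, the comment above `shibboleth.PrincipalProxyResponseMappings` ends with a stray `->` after `Proxied IdP.` that should be dropped.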
diff --git a/conf/authn/authn.properties b/conf/authn/authn.properties new file mode 100644 index 0000000..405c522 --- /dev/null +++ b/conf/authn/authn.properties 
@@ -0,0 +1,227 @@
+# Properties that control authentication generally and the behavior of
+# specific methods.
+
+# Regular expression matching login flows to enable, e.g. IPAddress|Password
+#idp.authn.flows = Password
+
+# Default settings for most authentication methods.
+#idp.authn.defaultLifetime = PT1H
+#idp.authn.defaultTimeout = PT30M
+#idp.authn.proxyRestrictionsEnforced = true
+
+# Whether to populate relying party user interface information for display
+# during authentication, consent, terms-of-use.
+#idp.authn.rpui = true
+
+# Whether to prioritize "active" results when an SP requests more than
+# one possible matching login method (V2 behavior was to favor them)
+#idp.authn.favorSSO = false
+
+# Whether to fail requests when a user identity after authentication
+# doesn't match the identity in a pre-existing session.
+#idp.authn.identitySwitchIsError = false
+
+# If using IdP discovery feature, provides a discovery location to use.
+#idp.authn.discoveryURL = https://ds.example.org/shibboleth-ds/index.html
+
+# Login flow audit logging (defaults false for log compatibility)
+#idp.authn.audit.enabled = false
+
+# Revocation (administrative logout)
+#idp.authn.revocation = false
+#idp.authn.revocation.lifetime = %{idp.authn.defaultAuthnLifetime:PT12H}
+# Name of BiCondition to apply for check
+#idp.authn.revocation.Condition = shibboleth.RevocationCacheCondition
+# Set to true to treat lookup failures as being revoked.
+#idp.authn.revocation.strict = false
+# Set to true to check for address-based revocation.
+#idp.authn.revocation.addressBased = false
+# Default implementation based on a StorageService bean.
+#idp.authn.revocation.cache = shibboleth.AuthnRevocationCache
+#idp.authn.revocation.StorageService = shibboleth.StorageService
+
+
+# Properties below override specific method behavior, as an alternative
+# to defining Spring beans in XML. Refer to the documentation for a complete
+# list. Many of the properties below are mentioned only because they are
+# atypical defaults assumed for a given method.
+
+# Flow selection among multiple equivalent options can be managed with
+# the order properties, lower will be tried first.
+
+#### Password ####
+
+#idp.authn.Password.order = 1000
+#idp.authn.Password.passiveAuthenticationSupported = true
+#idp.authn.Password.forcedAuthenticationSupported = true
+# Override this and removeAfterValidation to require all validators to succeed
+#idp.authn.Password.requireAll = false
+# Override to keep the password around
+#idp.authn.Password.removeAfterValidation = true
+# Override to store password in Java Subject
+#idp.authn.Password.retainAsPrivateCredential = false
+# Simple username transforms before validation
+#idp.authn.Password.trim = true
+#idp.authn.Password.lowercase = false
+#idp.authn.Password.uppercase = false
+#idp.authn.Password.matchExpression =
+# Override default form field names
+#idp.authn.Password.usernameFieldName = j_username
+#idp.authn.Password.passwordFieldName = j_password
+#idp.authn.Password.ssoBypassFieldName = donotcache
+# Unset if using customized Principals per validator
+#idp.authn.Password.addDefaultPrincipals = true
+# The Principal collection below is the typical default if not otherwise noted.
+#idp.authn.Password.supportedPrincipals = \
+# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
+# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
+# saml1/urn:oasis:names:tc:SAML:1.0:am:password
+# Validators are controlled in password-authn-config.xml
+
+#### Password Backends ####
+
+# See ldap.properties for LDAP authn properties
+# Kerberos settings
+#idp.authn.Krb5.refreshConfig = false
+#idp.authn.Krb5.preserveTicket = false
+# Set next two for KDC verification
+#idp.authn.Krb5.servicePrincipal =
+#idp.authn.Krb5.keytab =
+# JAAS settings
+#idp.authn.JAAS.loginConfigNames = ShibUserPassAuth
+#idp.authn.JAAS.loginConfig = %{idp.home}/conf/authn/jaas.config
+
+#### External ####
+
+#idp.authn.External.order = 1000
+#idp.authn.External.nonBrowserSupported = false
+#idp.authn.External.matchExpression =
+# Unset if you plan to return full Java Subject from external source
+#idp.authn.External.addDefaultPrincipals = true
+# Servlet context-relative path to wherever your implementation lives
+idp.authn.External.externalAuthnPath = contextRelative:external.jsp
+
+#### RemoteUser ####
+
+#idp.authn.RemoteUser.order = 1000
+#idp.authn.RemoteUser.nonBrowserSupported = false
+#idp.authn.RemoteUser.matchExpression =
+# Unset in most cases only if using the authnMethodHeader or
+# subjectAttribute settings
+#idp.authn.RemoteUser.addDefaultPrincipals = true
+#idp.authn.RemoteUser.checkRemoteUser = true
+# Comma-delimited lists of attributes or headers to pull from
+#idp.authn.RemoteUser.checkAttributes =
+#idp.authn.RemoteUser.checkHeaders =
+# Advanced settings
+#idp.authn.RemoteUser.subjectAttribute =
+#idp.authn.RemoteUser.authnMethodHeader =
+#idp.authn.RemoteUser.authnAuthorityHeader =
+
+#### RemoteUserInternal ####
+
+#idp.authn.RemoteUserInternal.order = 1000
+#idp.authn.RemoteUserInternal.nonBrowserSupported = true
+# Unset in most cases only if using the authnMethodHeader feature
+#idp.authn.RemoteUserInternal.addDefaultPrincipals = true
+#idp.authn.RemoteUserInternal.checkRemoteUser = true
+# Comma-delimited lists of attributes or headers to pull from
+#idp.authn.RemoteUserInternal.checkAttributes =
+#idp.authn.RemoteUserInternal.checkHeaders =
+# Simple transforms to apply
+#idp.authn.RemoteUserInternal.trim = true
+#idp.authn.RemoteUserInternal.lowercase = false
+#idp.authn.RemoteUserInternal.uppercase = false
+#idp.authn.RemoteUserInternal.matchExpression =
+#idp.authn.RemoteUserInternal.allowedUsernames =
+#idp.authn.RemoteUserInternal.deniedUsernames =
+
+#### SPNEGO ####
+
+#idp.authn.SPNEGO.order = 1000
+#idp.authn.SPNEGO.nonBrowserSupported = false
+#idp.authn.SPNEGO.enforceRun = false
+#idp.authn.SPNEGO.refreshKrbConfig = false
+#idp.authn.SPNEGO.matchExpression =
+idp.authn.SPNEGO.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, \
+ saml1/urn:ietf:rfc:1510
+
+#### X509 ####
+
+#idp.authn.X509.order = 1000
+#idp.authn.X509.nonBrowserSupported = false
+#idp.authn.X509.saveCertificateToCredentialSet = true
+# Servlet context-relative path to wherever your implementation lives
+#idp.authn.X509.externalAuthnPath = contextRelative:x509-prompt.jsp
+idp.authn.X509.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
+ saml1/urn:ietf:rfc:2246
+
+#### X509Internal ####
+
+#idp.authn.X509Internal.order = 1000
+#idp.authn.X509Internal.nonBrowserSupported = false
+#idp.authn.X509Internal.saveCertificateToCredentialSet = true
+idp.authn.X509Internal.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
+ saml1/urn:ietf:rfc:2246
+
+#### IPAddress ####
+
+#idp.authn.IPAddress.order = 1000
+#idp.authn.IPAddress.passiveAuthenticationSupported = true
+#idp.authn.IPAddress.lifetime = PT60S
+#idp.authn.IPAddress.inactivityTimeout = PT60S
+idp.authn.IPAddress.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol
+
+#### Function ####
+
+#idp.authn.Function.order = 1000
+#idp.authn.Function.passiveAuthenticationSupported = true
+# Unset if you plan to return full Java Subject from function
+#idp.authn.Function.addDefaultPrincipals = true
+
+#### SAML ####
+
+#idp.authn.SAML.order = 1000
+#idp.authn.SAML.nonBrowserSupported = false
+#idp.authn.SAML.passiveAuthenticationSupported = true
+#idp.authn.SAML.forcedAuthenticationSupported = true
+#idp.authn.SAML.proxyScopingEnforced = true
+# Discovery options:
+# Define shibboleth.authn.SAML.discoveryFunction bean
+# Set proxyEntityID property
+# Fall through to discovery via discoveryRequired property
+#idp.authn.SAML.proxyEntityID = https://idp.example.org/idp/shibboleth
+#idp.authn.SAML.discoveryRequired = true
+# Generally left false with bidirectional mappings in
+# conf/authn/authn-comparison.xml across the proxy boundary.
+# Adjust as needed to reflect IdP's capabilities/support.
+#idp.authn.SAML.addDefaultPrincipals = false
+#idp.authn.SAML.supportedPrincipals = \
+# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
+# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
+# saml1/urn:oasis:names:tc:SAML:1.0:am:password
+
+#### MFA ####
+
+#idp.authn.MFA.order = 1000
+#idp.authn.MFA.passiveAuthenticationSupported = true
+#idp.authn.MFA.forcedAuthenticationSupported = true
+#idp.authn.MFA.validateLoginTransitions = true
+# Defaults to set AuthnInstant based on oldest component result
+#idp.authn.MFA.useLatestTimestamp = false
+# The list below almost certainly requires changes, and should generally be the
+# union of any of the separate factors you combine in your particular MFA flow
+# rules. The example corresponds to the example in mfa-authn-config.xml that
+# combines IPAddress with Password.
+idp.authn.MFA.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
+ saml1/urn:oasis:names:tc:SAML:1.0:am:password
+# Most actual setup via mfa-authn-config.xml
diff --git a/conf/authn/duo-authn-config.xml b/conf/authn/duo-authn-config.xml
deleted file mode 100644
index 2867f48..0000000
--- a/conf/authn/duo-authn-config.xml
+++ /dev/null
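Review bot: `idp.authn.External.externalAuthnPath = contextRelative:external.jsp` is the one active line in this file that is not simply an uncommented distribution default, and it points the External login flow at a deployer-supplied JSP, whereas the external-authn-config.xml deleted further down in this diff used `contextRelative:Authn/External`. Whatever sits at that path is trusted to assert the authenticated principal to the IdP, so if external.jsp is a test-bed stub it should not reach the release branch and the property deserves a comment such as `# external.jsp is the TEST-bed login stub; point this at the real handler (or leave External out of idp.authn.flows) before a RELEASE build`. The deleted XML also declared a `shibboleth.authn.External.ClassifiedMessageMap` with no counterpart here; presumably the built-in defaults cover the UnknownUsername/InvalidPassword/ExpiredPassword/ExpiringPassword codes a handler may return, but that is worth confirming. Minor: the commented `%{idp.authn.defaultAuthnLifetime:PT12H}` names a property this file never defines (it defines `idp.authn.defaultLifetime`), so uncommenting it would silently use the PT12H fallback; `%{idp.authn.defaultLifetime:PT12H}` looks like what was intended.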
@@ -1,29 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize" default-destroy-method="destroy">
-
- <!--
- By default, the Duo flow will use statically-defined integrations defined with the
- duo.properties file. If you need more flexibility, you can define a function bean
- called "shibboleth.authn.Duo.DuoIntegrationStrategy" to return an instance of
- net.shibboleth.idp.authn.duo.DuoIntegration based on the state of the request.
- A second bean, "shibboleth.authn.Duo.NonBrowser.DuoIntegrationStrategy", can be
- supplied to use the AuthAPI for non-browser profiles.
-
- The Duo flow is designed to operate in conjunction with some other login flow,
- usually orchestrated by the MFA login flow. It obtains the username to send to
- Duo based on the output of the other login flow or a previous session with the
- user. You can override that approach using a function bean called
- "shibboleth.authn.Duo.UsernameLookupStrategy" to supply the username from a
- different source.
-
- Various other beans are supported, per the documentation.
- -->
-
-</beans>
diff --git a/conf/authn/duo.properties b/conf/authn/duo.properties
deleted file mode 100644
index cb4b4aa..0000000
--- a/conf/authn/duo.properties
+++ /dev/null
@@ -1,30 +0,0 @@
-## Duo integration settings
-
-## Note: If upgrading from pre-3.3 IdP versions, you will need to manually add a pointer
-## to this property file to idp.properties.
-
-## The first set of properties support DuoWeb "iframe" integration.
-
-idp.duo.apiHost = hostname
-idp.duo.applicationKey = key
-idp.duo.integrationKey = key
-idp.duo.secretKey = key
-
-## The second set are used for direct AuthAPI usage for ECP support.
-## A seperate integration has to be created for this to work.
-
-#idp.duo.nonbrowser.apiHost = %{idp.duo.apiHost}
-#idp.duo.nonbrowser.applicationKey = key
-#idp.duo.nonbrowser.integrationKey = key
-#idp.duo.nonbrowser.secretKey = key
-
-## Request header names for Duo non-browser credentials.
-# idp.duo.nonbrowser.header.factor = X-Shibboleth-Duo-Factor
-# idp.duo.nonbrowser.header.device = X-Shibboleth-Duo-Device
-# idp.duo.nonbrowser.header.passcode = X-Shibboleth-Duo-Passcode
-
-## Enables auto selection of factor/device if not specified by client.
-# idp.duo.nonbrowser.auto = true
-
-## Enables transmission of client address to Duo during authentication.
-# idp.duo.nonbrowser.clientAddressTrusted = true
diff --git a/conf/authn/external-authn-config.xml b/conf/authn/external-authn-config.xml
deleted file mode 100644
index 8b3a159..0000000
--- a/conf/authn/external-authn-config.xml
+++ /dev/null
@@ -1,70 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- Servlet context-relative path to wherever your implementation lives. -->
- <bean id="shibboleth.authn.External.externalAuthnPath" class="java.lang.String"
- c:_0="contextRelative:Authn/External" />
-
- <!--
- Default is to always use the path in the bean above. If you want to determine it
- dynamically, define a bean called "shibboleth.authn.External.externalAuthnPathStrategy"
- of type Function<ProfileRequestContext,String> that returns the path to use.
- -->
-
- <!--
- Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
- You would normally only unset this if you plan to return a fully decorated Java Subject from your
- external authentication source.
- -->
- <util:constant id="shibboleth.authn.External.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />
-
- <!--
- <bean id="shibboleth.authn.External.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
- c:_0="^(.+)@example\.edu]$" />
- -->
-
- <!--
- Define entries here to map error messages returned by external modules and classify them as particular
- kinds of errors for use in your templates and as events in flows.
-
- Keys are events to signal, values are error codes.
-
- The examples here just allow external signaling of the exact type of condition to record.
-
- If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
- -->
- <util:map id="shibboleth.authn.External.ClassifiedMessageMap">
- <entry key="UnknownUsername">
- <list>
- <value>UnknownUsername</value>
- </list>
- </entry>
- <entry key="InvalidPassword">
- <list>
- <value>InvalidPassword</value>
- </list>
- </entry>
- <entry key="ExpiredPassword">
- <list>
- <value>ExpiredPassword</value>
- </list>
- </entry>
- <entry key="ExpiringPassword">
- <list>
- <value>ExpiringPassword</value>
- </list>
- </entry>
- </util:map>
-
-</beans>
diff --git a/conf/authn/function-authn-config.xml b/conf/authn/function-authn-config.xml
deleted file mode 100644
index cf7876a..0000000
--- a/conf/authn/function-authn-config.xml
+++ /dev/null
@@ -1,37 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
- You would normally only unset this if you plan to return a completely constructed Subject from
- your authentication function.
- -->
- <util:constant id="shibboleth.authn.Function.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />
-
- <!--
- The entire flow depends on the execution of a function bean you supply. A pathological script example
- is below. The function may return a String, Principal, Subject, or a null to signal failure.
- -->
-
- <bean id="shibboleth.authn.Function.ResultLookupStrategy"
- parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
- <constructor-arg>
- <value>
- <![CDATA[
- null;
- ]]>
- </value>
- </constructor-arg>
- </bean>
-</beans>
diff --git a/conf/authn/general-authn.xml b/conf/authn/general-authn.xml
deleted file mode 100644
index 5699022..0000000
--- a/conf/authn/general-authn.xml
+++ /dev/null
@@ -1,158 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- This file provisions the IdP with information about the configured login mechanisms available for use.
- The actual beans and subflows that make up those mechanisms are in their own files, but this pulls them
- together with deployer-supplied metadata to describe them to the system.
-
- You can turn on and off individual mechanisms by adding and remove them here. Nothing left out will
- be used, regardless any other files loaded by the Spring container.
-
- Flow defaults include: no support for IsPassive/ForceAuthn, support for non-browser clients enabled,
- and default timeout and lifetime values set via properties. We also default to supporting the SAML 1/2
- expressions for password-based authentication over a secure channel, so anything more exotic requires
- customization, as the examples below for IP address and SPNEGO authentication illustrate.
- -->
-
- <util:list id="shibboleth.AvailableAuthenticationFlows">
-
- <bean id="authn/IPAddress" parent="shibboleth.AuthenticationFlow"
- p:passiveAuthenticationSupported="true"
- p:lifetime="PT60S" p:inactivityTimeout="PT60S">
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
- </list>
- </property>
- </bean>
-
- <bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow"
- p:nonBrowserSupported="false">
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" />
- <bean parent="shibboleth.SAML1AuthenticationMethod"
- c:method="urn:ietf:rfc:1510" />
- </list>
- </property>
- </bean>
-
- <bean id="authn/External" parent="shibboleth.AuthenticationFlow"
- p:nonBrowserSupported="false" />
-
- <bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow"
- p:nonBrowserSupported="false" />
-
- <bean id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow" />
-
- <bean id="authn/Function" parent="shibboleth.AuthenticationFlow" />
-
- <bean id="authn/X509" parent="shibboleth.AuthenticationFlow"
- p:nonBrowserSupported="false">
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
- <bean parent="shibboleth.SAML1AuthenticationMethod"
- c:method="urn:ietf:rfc:2246" />
- </list>
- </property>
- </bean>
-
- <bean id="authn/X509Internal" parent="shibboleth.AuthenticationFlow">
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
- <bean parent="shibboleth.SAML1AuthenticationMethod"
- c:method="urn:ietf:rfc:2246" />
- </list>
- </property>
- </bean>
-
- <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
- p:passiveAuthenticationSupported="true"
- p:forcedAuthenticationSupported="true" />
-
- <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
- p:forcedAuthenticationSupported="true"
- p:nonBrowserSupported="false">
- <!--
- The list below should be changed to reflect whatever locally- or
- community-defined values are appropriate to represent MFA. It is
- strongly advised that the value not be specific to Duo or any
- particular technology.
- -->
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="http://example.org/ac/classes/mfa" />
- <bean parent="shibboleth.SAML1AuthenticationMethod"
- c:method="http://example.org/ac/classes/mfa" />
- </list>
- </property>
- </bean>
-
- <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
- p:passiveAuthenticationSupported="true"
- p:forcedAuthenticationSupported="true">
- <!--
- The list below almost certainly requires changes, and should generally be the
- union of any of the separate factors you combine in your particular MFA flow
- rules. The example corresponds to the example in mfa-authn-config.xml that
- combines IPAddress with Password.
- -->
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
- <bean parent="shibboleth.SAML1AuthenticationMethod"
- c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
- </list>
- </property>
- </bean>
-
- </util:list>
-
- <!--
- This is a map used to "weight" particular methods above others if the IdP has to randomly select one
- to insert into a SAML authentication statement. The typical use shown below is to bias the IdP in favor
- of expressing the SAML 2 PasswordProtectedTransport class over the more vanilla Password class on the
- assumption that the IdP doesn't accept passwords via an insecure channel. This map never causes the IdP
- to violate its matching rules if an RP requests a particular value; it only matters when nothing specific
- is chosen. Anything not in the map has a weight of zero.
- -->
-
- <util:map id="shibboleth.AuthenticationPrincipalWeightMap">
- <entry>
- <key>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
- </key>
- <value>1</value>
- </entry>
- </util:map>
-
-</beans>
diff --git a/conf/authn/ipaddress-authn-config.xml b/conf/authn/ipaddress-authn-config.xml
deleted file mode 100644
index a3ee096..0000000
--- a/conf/authn/ipaddress-authn-config.xml
+++ /dev/null
@@ -1,37 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
-
- <!-- Apply any regular expression replacement pairs to address before validation. -->
- <util:list id="shibboleth.authn.IPAddress.Transforms" />
-
- <!--
- Configure the address range(s) and principal name(s) for IP-based login here.
- The ranges provided MUST be CIDR network expressions. To specify a single address,
- add "/32" or "/128" for IPv4 or IPv6 respectively.
- -->
-
-
- <util:map id="shibboleth.authn.IPAddress.Mappings">
- <!--
- <entry key="jdoe">
- <list>
- <value>127.0.0.1/32</value>
- <value>::1/128</value>
- </list>
- </entry>
- -->
- </util:map>
-
-</beans>
diff --git a/conf/authn/jaas-authn-config.xml b/conf/authn/jaas-authn-config.xml
deleted file mode 100644
index daef4d2..0000000
--- a/conf/authn/jaas-authn-config.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- Specify your JAAS config. -->
- <bean id="JAASConfig" class="org.springframework.core.io.FileSystemResource" c:path="%{idp.home}/conf/authn/jaas.config" />
-
- <util:property-path id="shibboleth.authn.JAAS.JAASConfigURI" path="JAASConfig.URI" />
-
- <!-- Specify the application name(s) in the JAAS config. -->
- <util:list id="shibboleth.authn.JAAS.LoginConfigNames">
- <value>ShibUserPassAuth</value>
- </util:list>
-
- <alias name="ValidateUsernamePasswordAgainstJAAS" alias="ValidateUsernamePassword"/>
-
-</beans>
diff --git a/conf/authn/jaas.config b/conf/authn/jaas.config
deleted file mode 100644
index 232e93d..0000000
--- a/conf/authn/jaas.config
+++ /dev/null
@@ -1,11 +0,0 @@
-ShibUserPassAuth {
- /*
- com.sun.security.auth.module.Krb5LoginModule required;
- */
-
- org.ldaptive.jaas.LdapLoginModule required
- ldapUrl="ldap://localhost:10389"
- baseDn="ou=people,dc=example,dc=org"
- userFilter="uid={user}";
-
-};
\ No newline at end of file
diff --git a/conf/authn/krb5-authn-config.xml b/conf/authn/krb5-authn-config.xml
deleted file mode 100644
index d3590a2..0000000
--- a/conf/authn/krb5-authn-config.xml
+++ /dev/null
@@ -1,31 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <util:constant id="shibboleth.authn.Krb5.RefreshConfig" static-field="java.lang.Boolean.FALSE" />
-
- <util:constant id="shibboleth.authn.Krb5.PreserveTicket" static-field="java.lang.Boolean.FALSE" />
-
- <!--
- Uncomment these beans to perform KDC verification using a service principal and keytab.
- The keytab bean must be an absolute file pathname and not a reference to a classpath resource,
- so if idp.home is not a path, don't use it in the value.
- -->
- <!--
- <bean id="shibboleth.authn.Krb5.ServicePrincipal" class="java.lang.String" c:_0="SERVICE/principal" />
- <bean id="shibboleth.authn.Krb5.Keytab" class="java.lang.String" c:_0="%{idp.home}/credentials/keytab" />
- -->
-
- <alias name="ValidateUsernamePasswordAgainstKerberos" alias="ValidateUsernamePassword"/>
-
-</beans>
diff --git a/conf/authn/ldap-authn-config.xml b/conf/authn/ldap-authn-config.xml
deleted file mode 100644
index 56d1bc7..0000000
--- a/conf/authn/ldap-authn-config.xml
+++ /dev/null
@@ -1,135 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy" - default-lazy-init="true"> - - <alias name="%{idp.authn.LDAP.authenticator:anonSearchAuthenticator}" alias="shibboleth.authn.LDAP.authenticator" /> - <bean id="shibboleth.authn.LDAP.returnAttributes" parent="shibboleth.CommaDelimStringArray"> - <constructor-arg type="java.lang.String" value="%{idp.authn.LDAP.returnAttributes:1.1}" /> - </bean> - - <alias name="ValidateUsernamePasswordAgainstLDAP" alias="ValidateUsernamePassword" /> - - <!-- Connection Configuration --> - <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true" p:ldapUrl="%{idp.authn.LDAP.ldapURL}" - p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}" - p:useSSL="%{idp.authn.LDAP.useSSL:false}" - p:connectTimeoutDuration="%{idp.authn.LDAP.connectTimeout:PT3S}" - p:responseTimeoutDuration="%{idp.authn.LDAP.responseTimeout:PT3S}" - p:sslConfig-ref="sslConfig" /> - - <alias name="%{idp.authn.LDAP.sslConfig:certificateTrust}" alias="sslConfig" /> - - <bean id="jvmTrust" class="org.ldaptive.ssl.SslConfig" /> - <bean id="certificateTrust" class="org.ldaptive.ssl.SslConfig"> - <property name="credentialConfig"> - <bean parent="shibboleth.X509ResourceCredentialConfig" 
p:trustCertificates="%{idp.authn.LDAP.trustCertificates:undefined}" /> - </property> - </bean> - <bean id="keyStoreTrust" class="org.ldaptive.ssl.SslConfig"> - <property name="credentialConfig"> - <bean parent="shibboleth.KeystoreResourceCredentialConfig" p:truststore="%{idp.authn.LDAP.trustStore:undefined}" /> - </property> - </bean> - - <!-- Authentication handler --> - <bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler" p:connectionFactory-ref="bindPooledConnectionFactory" /> - <bean id="bindPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" p:connectionPool-ref="bindConnectionPool" /> - <bean id="bindConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool" - p:connectionFactory-ref="bindConnectionFactory" p:name="bind-pool" /> - <bean id="bindConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindConnectionConfig" /> - <bean id="bindConnectionConfig" parent="connectionConfig" /> - - <!-- Format DN resolution --> - <bean id="formatDnResolver" class="org.ldaptive.auth.FormatDnResolver" p:format="%{idp.authn.LDAP.dnFormat:undefined}" /> - - <!-- Pool Configuration --> - <bean id="connectionPool" class="org.ldaptive.pool.BlockingConnectionPool" abstract="true" - p:blockWaitTimeDuration="%{idp.pool.LDAP.blockWaitTime:PT3S}" - p:poolConfig-ref="poolConfig" - p:pruneStrategy-ref="pruneStrategy" - p:validator-ref="searchValidator" - p:failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" /> - <bean id="poolConfig" class="org.ldaptive.pool.PoolConfig" - p:minPoolSize="%{idp.pool.LDAP.minSize:3}" - p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}" - p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}" - p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}" - p:validatePeriodDuration="%{idp.pool.LDAP.validatePeriod:PT5M}" /> - <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy" - 
p:prunePeriodDuration="%{idp.pool.LDAP.prunePeriod:PT5M}" - p:idleTimeDuration="%{idp.pool.LDAP.idleTime:PT10M}" /> - <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" /> - - <!-- Anonymous Search Configuration --> - <bean name="anonSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}"> - <constructor-arg index="0" ref="anonSearchDnResolver" /> - <constructor-arg index="1" ref="authHandler" /> - </bean> - <bean id="anonSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver" - p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}" - p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}" - p:connectionFactory-ref="anonSearchPooledConnectionFactory" > - <constructor-arg index="0" ref="shibboleth.VelocityEngine" /> - <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" /> - </bean> - <bean id="anonSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" - p:connectionPool-ref="anonSearchConnectionPool" /> - <bean id="anonSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool" - p:connectionFactory-ref="anonSearchConnectionFactory" p:name="search-pool" /> - <bean id="anonSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="anonSearchConnectionConfig" /> - <bean id="anonSearchConnectionConfig" parent="connectionConfig" /> - - <!-- Bind Search Configuration --> - <bean name="bindSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}"> - <constructor-arg index="0" ref="bindSearchDnResolver" /> - <constructor-arg index="1" ref="authHandler" /> - </bean> - <bean id="bindSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver" - p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}" - 
p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}" - p:connectionFactory-ref="bindSearchPooledConnectionFactory" > - <constructor-arg index="0" ref="shibboleth.VelocityEngine" /> - <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" /> - </bean> - <bean id="bindSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" - p:connectionPool-ref="bindSearchConnectionPool" /> - <bean id="bindSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool" - p:connectionFactory-ref="bindSearchConnectionFactory" p:name="search-pool" /> - <bean id="bindSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindSearchConnectionConfig" /> - <bean id="bindSearchConnectionConfig" parent="connectionConfig" p:connectionInitializer-ref="bindConnectionInitializer" /> - <bean id="bindConnectionInitializer" class="org.ldaptive.BindConnectionInitializer" - p:bindDn="#{'%{idp.authn.LDAP.bindDN:undefined}'.trim()}"> - <property name="bindCredential"> - <bean class="org.ldaptive.Credential"> - <constructor-arg value="%{idp.authn.LDAP.bindDNCredential:undefined}" /> - </bean> - </property> - </bean> - - <!-- Direct Search Configuration --> - <bean name="directAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}"> - <constructor-arg index="0" ref="formatDnResolver" /> - <constructor-arg index="1" ref="authHandler" /> - </bean> - - <!-- Want to use ppolicy? 
Configure support by adding <bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler" - /> add p:authenticationResponseHandlers-ref="authenticationResponseHandler" to the authenticator <bean id="authenticationControl" - class="org.ldaptive.control.PasswordPolicyControl" /> add p:authenticationControls-ref="authenticationControl" to the authHandler --> - - <!-- Active Directory Configuration --> - <bean id="adAuthenticator" class="org.ldaptive.auth.Authenticator" p:authenticationResponseHandlers-ref="authenticationResponseHandler" - p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}"> - <constructor-arg index="0" ref="formatDnResolver" /> - <constructor-arg index="1" ref="authHandler" /> - </bean> - <bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" /> - -</beans> diff --git a/conf/authn/mfa-authn-config.xml b/conf/authn/mfa-authn-config.xml deleted file mode 100644 index f1b3918..0000000 --- a/conf/authn/mfa-authn-config.xml +++ /dev/null 
@@ -1,101 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- - This is a map of transition rules that guide the behavior of the MFA flow - and controls how factors are sequenced, skipped, etc. The key of each entry - is the name of the step/flow out of which control is passing. The starting - rule has an empty key. - - Each entry is a bean inherited from "shibboleth.authn.MFA.Transition". Per - the Javadoc for net.shibboleth.idp.authn.MultiFactorAuthenticationTransition: - - p:nextFlow (String) - - A flow to run if the previous step signaled a "proceed" event, for simple - transitions. - - p:nextFlowStrategy (Function<ProfileRequestContext,String>) - - A function to run if the previous step signaled a "proceed" event, for dynamic - transitions. Returning null ends the MFA process. - - p:nextFlowStrategyMap (Map<String,Object> where Object is String or Function<ProfileRequestContext,String>) - - Fully dynamic way of expressing control paths. Map is keyed by a previously - signaled event and the value is a flow to run or a function to - return the flow to run. Returning null ends the MFA process. - - When no rule is provided, there's an implicit "null" that ends the MFA flow - with whatever event was last signaled. 
If the "proceed" event from a step is - the final event, then the MFA process attempts to complete itself successfully. - --> - <util:map id="shibboleth.authn.MFA.TransitionMap"> - <!-- First rule runs the IPAddress login flow. --> - <entry key=""> - <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/IPAddress" /> - </entry> - - <!-- - Second rule runs a function if IPAddress succeeds, to determine whether an additional - factor is required. - --> - <entry key="authn/IPAddress"> - <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" /> - </entry> - - <!-- An implicit final rule will return whatever the final flow returns. --> - </util:map> - - <!-- Example script to see if second factor is required. --> - <bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript" - p:customObject-ref="shibboleth.AttributeResolverService"> - <constructor-arg> - <value> - <![CDATA[ - nextFlow = "authn/Password"; - - // Go straight to second factor if we have to, or set up for an attribute lookup first. - authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext"); - mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext"); - if (mfaCtx.isAcceptable()) { - // Attribute check is required to decide if first factor alone is enough. - resCtx = input.getSubcontext( - "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true); - rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext"); - resCtx.setAttributeRecipientID(rpCtx.getRelyingPartyId()); - - // Look up the username using a standard function. 
- usernameLookupStrategyClass - = Java.type("net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy"); - usernameLookupStrategy = new usernameLookupStrategyClass(); - resCtx.setPrincipal(usernameLookupStrategy.apply(input)); - - resCtx.getRequestedIdPAttributeNames().add("allowedLoginMethods"); - resCtx.resolveAttributes(custom); - - // Check for an attribute that authorizes use of first factor. - attribute = resCtx.getResolvedIdPAttributes().get("allowedLoginMethods"); - valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue"); - if (attribute != null && attribute.getValues().contains(new valueType("IPAddress"))) { - nextFlow = null; - } - - input.removeSubcontext(resCtx); // cleanup - } - - nextFlow; // pass control to second factor or end with the first - ]]> - </value> - </constructor-arg> - </bean> - -</beans> diff --git a/conf/authn/password-authn-config.xml b/conf/authn/password-authn-config.xml index f27051b..dc10fa1 100644 --- a/conf/authn/password-authn-config.xml +++ b/conf/authn/password-authn-config.xml 
@@ -12,29 +12,24 @@ default-init-method="initialize" default-destroy-method="destroy"> - <!-- Choose an import based on the back-end you want to use. --> - <!-- <import resource="jaas-authn-config.xml" /> --> - <!-- <import resource="krb5-authn-config.xml" /> --> - <import resource="ldap-authn-config.xml" /> - + <!-- + Ordered list of CredentialValidators to apply to a request. - <!-- Names of form fields to pull username and password from. --> - <bean id="shibboleth.authn.Password.UsernameFieldName" class="java.lang.String" c:_0="j_username" /> - <bean id="shibboleth.authn.Password.PasswordFieldName" class="java.lang.String" c:_0="j_password" /> - <bean id="shibboleth.authn.Password.SSOBypassFieldName" class="java.lang.String" c:_0="donotcache" /> - - <!-- Simple transforms to apply to username before validation. --> - <util:constant id="shibboleth.authn.Password.Lowercase" static-field="java.lang.Boolean.FALSE"/> - <util:constant id="shibboleth.authn.Password.Uppercase" static-field="java.lang.Boolean.FALSE"/> - <util:constant id="shibboleth.authn.Password.Trim" static-field="java.lang.Boolean.TRUE"/> - - <!-- Set to TRUE if you want the password kept in the resulting Subject as a private credential. --> - <util:constant id="shibboleth.authn.Password.RetainAsPrivateCredential" static-field="java.lang.Boolean.FALSE"/> + The four supplied variants are shown below; the HTPasswd option + is an OOB default for demo account purposes, and you will + want to remove it after initial install and testing. + --> + <util:list id="shibboleth.authn.Password.Validators"> + <ref bean="shibboleth.LDAPValidator" /> + <!-- <ref bean="shibboleth.KerberosValidator" /> --> + <!-- <ref bean="shibboleth.JAASValidator" /> --> + <!-- <bean parent="shibboleth.HTPasswdValidator" p:resource="%{idp.home}/credentials/demo.htpasswd" /> --> + </util:list> <!-- Apply any regular expression replacement pairs to username before validation. 
--> <util:list id="shibboleth.authn.Password.Transforms"> <!-- - <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" /> + <bean parent="shibboleth.Pair" p:first="^(.+)@example\.org$" p:second="$1" /> --> </util:list> @@ -47,7 +42,7 @@ p:lockoutDuration="PT5M" p:extendLockoutDuration="false" /> --> - + <!-- Define entries here to map error messages detected by validation actions and classify them as particular kinds of errors for use in your templates and as events in flows. @@ -60,7 +55,12 @@ <value>NoCredentials</value> <value>CLIENT_NOT_FOUND</value> <value>Client not found</value> + <value>Cannot get kdc for realm</value> + <value>Client not found in Kerberos database</value> <value>DN_RESOLUTION_FAILURE</value> + <value>Cannot authenticate dn, invalid dn</value> + <value>Cannot authenticate dn, invalid credential</value> + <value>AcceptSecurityContext error, data 525</value> </list> </entry> <entry key="InvalidPassword"> @@ -69,17 +69,30 @@ <value>PREAUTH_FAILED</value> <value>INVALID_CREDENTIALS</value> <value>Checksum failed</value> + <value>Integrity check on decrypted field failed</value> + <value>Pre-authentication information was invalid</value> + <value>Key bytes cannot be null</value> + <value>AcceptSecurityContext error, data 52e</value> </list> </entry> <entry key="AccountLocked"> <list> - <value>AccountLocked</value> <value>Clients credentials have been revoked</value> + <value>AcceptSecurityContext error, data 775</value> + </list> + </entry> + <entry key="AccountDisabled"> + <list> + <value>AcceptSecurityContext error, data 533</value> </list> </entry> <entry key="ExpiredPassword"> <list> <value>PASSWORD_EXPIRED</value> + <value>CLIENT KEY EXPIRED</value> + <value>AcceptSecurityContext error, data 532</value> + <value>AcceptSecurityContext error, data 773</value> + <value>AcceptSecurityContext error, data 701</value> </list> </entry> <entry key="ExpiringPassword"> 
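Review bot: The comment introducing the new `shibboleth.authn.Password.Validators` list says the HTPasswd option "is an OOB default" to be removed after install, but the `shibboleth.HTPasswdValidator` bean in that list is commented out here, so the note describes a default this file does not actually enable. Reword it to match what is configured, e.g. `The HTPasswd validator is left commented out; it authenticates against a static file of demo accounts and must not be enabled outside local testing.` The same hunk also drops the `shibboleth.authn.Password.RetainAsPrivateCredential` FALSE constant and the form-field-name beans without a visible replacement; presumably they moved to a properties file, but since keeping the cleartext password in the Subject is a security-relevant default, a one-line comment naming where that setting now lives would let the next reviewer confirm it is still off.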
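Review bot: The new `AcceptSecurityContext error, data 525` (user not found) value is added to the entry preceding `InvalidPassword` (presumably `UnknownUsername`; its key is above the hunk), while the following hunk routes `data 52e` (wrong password) to `InvalidPassword`, and the Kerberos `Client not found in Kerberos database` / `Pre-authentication information was invalid` pair is split the same way. If the login view renders different text for those two events, the IdP becomes a username-enumeration oracle against the directory. Either confirm the templates show one generic message for both events, or move the 525 and "Client not found" values into the `InvalidPassword` list, and record the decision with a comment such as `<!-- 525/52e are kept distinct for logging only; the login view must not reveal which one fired. -->`. The `util:map` these entries belong to starts before this hunk.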
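Review bot: `AcceptSecurityContext error, data 701` (account expired) is mapped into `ExpiredPassword` together with 532 (password expired) and 773 (password must change), so an expired account is reported to the user as an expired password; if the `ExpiredPassword` event leads to a change-password flow, that path cannot help such a user and the new `AccountDisabled` entry, or a dedicated event, fits better. The same hunk also removes the literal `AccountLocked` value from the `AccountLocked` list, so any JAAS module or custom validator that still signals that exact string will fall through to the generic failure event instead of the lockout handling; worth confirming nothing in the deployment relies on it, or adding a comment stating that only the directory-specific codes are recognised now. The enclosing `util:map` starts before this hunk.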
@@ -89,33 +102,4 @@ </entry> </util:map> - <!-- - Configuration of "extended" login methods to offer in the password login form. - - The String bean is a regular expression identifying the flows to offer. These flows - must also be enabled at the "top" level to be available for use. - - The ExtendedFlowParameters bean can be used to transfer custom parameters from the - login form into the context tree for use later by other flows. - - The last bean provides the set of custom Principals to use for results produced by the - Password flow itself. You would use this if you need the Password flow to run as a shell - to run the "extended" login methods, but want to limit its own results more narrowly. - --> - <!-- - <bean id="shibboleth.authn.Password.ExtendedFlows" class="java.lang.String" c:_0="" /> - - <util:list id="shibboleth.authn.Password.ExtendedFlowParameters"> - </util:list> - - <util:list id="shibboleth.authn.Password.PrincipalOverride"> - <bean parent="shibboleth.SAML2AuthnContextClassRef" - c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> - <bean parent="shibboleth.SAML2AuthnContextClassRef" - c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" /> - <bean parent="shibboleth.SAML1AuthenticationMethod" - c:method="urn:oasis:names:tc:SAML:1.0:am:password" /> - </util:list> - --> - </beans> diff --git a/conf/authn/remoteuser-authn-config.xml b/conf/authn/remoteuser-authn-config.xml deleted file mode 100644 index 4b7e722..0000000 --- a/conf/authn/remoteuser-authn-config.xml +++ /dev/null 
@@ -1,75 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- Servlet context-relative path to wherever your implementation lives. --> - <bean id="shibboleth.authn.RemoteUser.externalAuthnPath" class="java.lang.String" - c:_0="contextRelative:Authn/RemoteUser" /> - - <!-- - Default is to always use the path in the bean above. If you want to determine it - dynamically, define a bean called "shibboleth.authn.RemoteUser.externalAuthnPathStrategy" - of type Function<ProfileRequestContext,String> that returns the path to use. - --> - - <!-- - Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject? - You would normally only unset this if you plan to use the authnMethodHeader servlet parameter to - supply authentication method string(s) from the external authentication system. 
- --> - <util:constant id="shibboleth.authn.RemoteUser.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" /> - - <!-- - <bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile" - c:_0="^(.+)@example\.edu]$" /> - --> - - <!-- - Define entries here to map error messages returned by external modules and classify them as particular - kinds of errors for use in your templates and as events in flows. - - Keys are events to signal, values are error codes. - - The examples here just allow external signaling of an exact condition. - - If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow". - --> - <util:map id="shibboleth.authn.RemoteUser.ClassifiedMessageMap"> - <entry key="ReselectFlow"> - <list> - <value>NoCredentials</value> - </list> - </entry> - <entry key="UnknownUsername"> - <list> - <value>UnknownUsername</value> - </list> - </entry> - <entry key="InvalidPassword"> - <list> - <value>InvalidPassword</value> - </list> - </entry> - <entry key="ExpiredPassword"> - <list> - <value>ExpiredPassword</value> - </list> - </entry> - <entry key="ExpiringPassword"> - <list> - <value>ExpiringPassword</value> - </list> - </entry> - </util:map> - -</beans> diff --git a/conf/authn/remoteuser-internal-authn-config.xml b/conf/authn/remoteuser-internal-authn-config.xml deleted file mode 100644 index 9e68c85..0000000 --- a/conf/authn/remoteuser-internal-authn-config.xml +++ /dev/null 
@@ -1,63 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- Check getRemoteUser() for identity (the typical case). --> - <util:constant id="shibboleth.authn.RemoteUser.checkRemoteUser" static-field="java.lang.Boolean.TRUE"/> - - <!-- Populate one or both of the lists below to define HTTP headers or Servlet Attributes to check. --> - - <util:list id="shibboleth.authn.RemoteUser.checkHeaders"> - <!-- - <value>User-Identity</value> - --> - </util:list> - - <util:list id="shibboleth.authn.RemoteUser.checkAttributes"> - <!-- - <value>User-Identity</value> - --> - </util:list> - - <!-- Simple transforms to apply to username before validation. --> - <util:constant id="shibboleth.authn.RemoteUser.Lowercase" static-field="java.lang.Boolean.FALSE"/> - <util:constant id="shibboleth.authn.RemoteUser.Uppercase" static-field="java.lang.Boolean.FALSE"/> - <util:constant id="shibboleth.authn.RemoteUser.Trim" static-field="java.lang.Boolean.TRUE"/> - - <!-- Apply any regular expression replacement pairs before validation. 
--> - <util:list id="shibboleth.authn.RemoteUser.Transforms"> - <!-- - <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" /> - --> - </util:list> - - <!-- Uncomment/configure to install username whitelist, blacklist, and/or match expressions. --> - - <util:list id="shibboleth.authn.RemoteUser.whitelistedUsernames"> - <!-- - <value>goodguy</value> - --> - </util:list> - - <util:list id="shibboleth.authn.RemoteUser.blacklistedUsernames"> - <!-- - <value>badguy</value> - --> - </util:list> - - <!-- - <bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile" - c:_0="^(.+)@example\.edu]$" /> - --> - -</beans> diff --git a/conf/authn/spnego-authn-config.xml b/conf/authn/spnego-authn-config.xml deleted file mode 100644 index 6c0fa48..0000000 --- a/conf/authn/spnego-authn-config.xml +++ /dev/null 
@@ -1,74 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- General Configuration --> - - <!-- - Enforce running SPNEGO for all users, independent of user's autologin state. - TRUE means that SPNEGO login is always tried (if available). - FALSE means that SPNEGO login is run only if the user has enabled autologin. - --> - <util:constant id="shibboleth.authn.SPNEGO.EnforceRun" static-field="java.lang.Boolean.FALSE" /> - - <!-- Kerberos Configuration--> - - <!-- General Kerberos Settings --> - - <util:constant id="shibboleth.authn.SPNEGO.Krb5.RefreshConfig" static-field="java.lang.Boolean.FALSE" /> - - <!-- Kerberos Service Principal(s) --> - - <!-- - For each service principal/realm, a "RealmSettings" bean must be created. 
- For each "RealmSettings" bean, the following settings are supported: - p:servicePrincipal: - kerberos service principal (required) - p:keytab: - path to the keytab file containing the kerberos service principal's credentials - (optional; either "p:keytab" or "p:password" is required) - p:password: - kerberos service principal's password - (optional; either "p:keytab" or "p:password" is required) - --> - <util:list id="shibboleth.authn.SPNEGO.Krb5.Realms"> - - <bean parent="shibboleth.KerberosRealmSettings" - p:servicePrincipal="HTTP/aai-logon.domain_a.com@DOMAIN_A.COM" - p:keytab="%{idp.home}/credentials/http_domainA.keytab" /> - - </util:list> - - <!-- - <bean id="shibboleth.authn.SPNEGO.matchExpression" class="java.util.regex.Pattern" factory-method="compile" - c:_0="^(.+)@example\.edu$" /> - --> - - <!-- - Define entries here to map events or error messages returned by the SPNEGO module - and classify them as particular kinds of errors for use in your templates and as - events in flows. - - Keys are events to signal, values are error codes. - --> - <util:map id="shibboleth.authn.SPNEGO.ClassifiedMessageMap"> - <entry key="SPNEGONotAvailable"> - <list> - <value>SPNEGONotAvailable</value> - </list> - </entry> - <entry key="NTLMUnsupported"> - <list> - <value>NTLMUnsupported</value> - </list> - </entry> - </util:map> - -</beans> diff --git a/conf/authn/x509-authn-config.xml b/conf/authn/x509-authn-config.xml deleted file mode 100644 index 18b015a..0000000 --- a/conf/authn/x509-authn-config.xml +++ /dev/null 
@@ -1,44 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- Servlet context-relative path to wherever your implementation lives. --> - <bean id="shibboleth.authn.X509.externalAuthnPath" class="java.lang.String" - c:_0="contextRelative:x509-prompt.jsp" /> - - <!-- - Default is to always use the path in the bean above. If you want to determine it - dynamically, define a bean called "shibboleth.authn.X509.externalAuthnPathStrategy" - of type Function<ProfileRequestContext,String> that returns the path to use. - --> - - <!-- - Define entries here to map error messages returned by external modules and classify them as particular - kinds of errors for use in your templates and as events in flows. - - Keys are events to signal, values are error codes. - - The examples here just allow external signaling of an exact condition. - - If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow". - --> - <util:map id="shibboleth.authn.X509.ClassifiedMessageMap"> - <entry key="ReselectFlow"> - <list> - <value>NoCredentials</value> - <value>InvalidCredentials</value> - </list> - </entry> - </util:map> - -</beans> 
diff --git a/conf/c14n/attribute-sourced-subject-c14n-config.xml b/conf/c14n/attribute-sourced-subject-c14n-config.xml deleted file mode 100644 index 938b30f..0000000 --- a/conf/c14n/attribute-sourced-subject-c14n-config.xml +++ /dev/null 
@@ -1,44 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- - A list of attributes to resolve for normalizing the subject. For example, you might - intend to lookup a uid in a directory based on what the user entered. You can make this - an empty list if you just want to resolve everything you normally would. - --> - <util:list id="shibboleth.c14n.attribute.AttributesToResolve"> - <value>altuid</value> - </util:list> - - <!-- - A list of attributes to search for a value to produce as the normalized subject name. - This will normally be something you resolve above. - --> - <util:list id="shibboleth.c14n.attribute.AttributeSourceIds"> - <value>altuid</value> - </util:list> - - <!-- Simple transforms to apply to attribute value used for canonicalization result. --> - <util:constant id="shibboleth.c14n.attribute.Lowercase" static-field="java.lang.Boolean.FALSE"/> - <util:constant id="shibboleth.c14n.attribute.Uppercase" static-field="java.lang.Boolean.FALSE"/> - <util:constant id="shibboleth.c14n.attribute.Trim" static-field="java.lang.Boolean.TRUE"/> - - <!-- Apply any regular expression replacement pairs. 
--> - <util:list id="shibboleth.c14n.attribute.Transforms"> - <!-- - <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" /> - --> - </util:list> - -</beans> diff --git a/conf/c14n/simple-subject-c14n-config.xml b/conf/c14n/simple-subject-c14n-config.xml deleted file mode 100644 index 3cddfa6..0000000 --- a/conf/c14n/simple-subject-c14n-config.xml +++ /dev/null @@ -1,27 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- Simple transforms to apply to username after authentication. --> - <util:constant id="shibboleth.c14n.simple.Lowercase" static-field="java.lang.Boolean.FALSE"/> - <util:constant id="shibboleth.c14n.simple.Uppercase" static-field="java.lang.Boolean.FALSE"/> - <util:constant id="shibboleth.c14n.simple.Trim" static-field="java.lang.Boolean.TRUE"/> - - <!-- Apply any regular expression replacement pairs after authentication. --> - <util:list id="shibboleth.c14n.simple.Transforms"> - <!-- - <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" /> - --> - </util:list> - -</beans> diff --git a/conf/c14n/subject-c14n.properties b/conf/c14n/subject-c14n.properties new file mode 100644 index 0000000..3811493 --- /dev/null +++ b/conf/c14n/subject-c14n.properties 
@@ -0,0 +1,40 @@
+# Properties that control the behavior of post-login subject c14n flows.
+# A few more advanced settings require XML configuration, see flow-specific docs.
+
+
+# Simple username -> principal name c14n
+#idp.c14n.simple.lowercase = false
+#idp.c14n.simple.uppercase = false
+#idp.c14n.simple.trim = true
+
+
+# Attribute resolution -> principal name c14n
+#idp.c14n.attribute.lowercase = false
+#idp.c14n.attribute.uppercase = false
+#idp.c14n.attribute.trim = true
+# Lists of attributes to resolve...
+#idp.c14n.attribute.attributesToResolve =
+# and then select a principal name from
+#idp.c14n.attribute.attributeSourceIds =
+# Allows direct use of attributes via SAML proxy authn, bypasses resolver
+#idp.c14n.attribute.resolveFromSubject = false
+#idp.c14n.attribute.resolutionCondition = shibboleth.Conditions.TRUE
+
+# X.509 certificate -> principal name c14n
+#idp.c14n.x500.lowercase = false
+#idp.c14n.x500.uppercase = false
+#idp.c14n.x500.trim = true
+# Precedence is to check for a subjectAltName and then an OID RDN
+# Comma-delimited list of subjectAltName type numbers
+# (See https://tools.ietf.org/html/rfc5280#section-4.2.1.6)
+#idp.c14n.x500.subjectAltNameTypes =
+# Comma-delimited list of OIDS
+#idp.c14n.x500.objectIDs =
+
+# Proxied SAML NameID -> principal name c14n
+#idp.c14n.saml.proxy.lowercase = false
+#idp.c14n.saml.proxy.uppercase = false
+
+# NameID consumption from SAML requests
+#idp.c14n.saml.lowercase = false
+#idp.c14n.saml.uppercase = false
diff --git a/conf/c14n/subject-c14n.xml b/conf/c14n/subject-c14n.xml
index 9740fdd..b354535 100644
--- a/conf/c14n/subject-c14n.xml
+++ b/conf/c14n/subject-c14n.xml
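Review bot: The commented `#idp.c14n.x500.objectIDs =` line documents an empty value, while the x500-subject-c14n-config.xml deleted in this same commit shipped `2.5.4.3` (the CN RDN) as its configured ObjectID, so a deployer migrating from the XML file cannot tell from this file whether the X.500 flow still consults CN by default. If the empty value is the runtime default, the comment should say so and record the previous value: `# Comma-delimited list of OIDs; empty means no RDN is consulted (the former XML default was 2.5.4.3 = CN)`. Separately, `idp.c14n.attribute.resolveFromSubject` appears to let attributes asserted by an upstream proxied IdP become the local principal name directly, bypassing the resolver; a one-line reminder that `idp.c14n.attribute.resolutionCondition` should then be narrowed to the IdPs you trust for that would prevent an easy misconfiguration.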
@@ -16,21 +16,36 @@ <!-- These are lists of Subject Canonicalization flows that turn complex Subject data into a string-based - principal name that the rest of the IdP can operate on. They're used both after authentication and - during operations like SAML attribute queries, to map the SAML Subject into a principal name. + principal name that the rest of the IdP can operate on. They're used primarily after authentication + and also during less common operations like SAML attribute queries, to map the SAML Subject into a + principal name. + Flows are identified with an ID that corresponds to a Spring Web Flow subflow name. + + Most of the simple settings that configure these flows are in subject-c14n.properties. --> - <!-- Flows used after authentication to produce canonical principal name. --> + <!-- + ==================================================================== + Flows used after authentication to produce canonical principal name. + ==================================================================== + --> <util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows"> <!-- This is an advanced post-login step that performs attribute resolution and then produces a username - from an attribute value. Most of this configuration is handled by attribute-sourced-c14n-config.xml. - To enable universally, just uncomment, but if you want it to run under more specific conditions, - set an activationCondition property to a condition function to use to control when it should run. + from an attribute value. To enable universally, just uncomment, but if you want it to run under more + specific conditions, set an activationCondition property to a condition to apply. --> <!-- <bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" /> --> + <!-- + This is an advanced option for use with SAML 2 proxy authentication to a second IdP that + derives the principal name semi-directly from the incoming NameID value. 
It is functionally + akin to the c14n/SAML2Transform flow for SAML Request scenarios, but separately defined so + a suitably restrictive format list and/or condition can be applied to it. + --> + <!-- <ref bean="c14n/SAML2ProxyTransform" /> --> + <!-- This is an alternative that handles Subjects containing an X500Principal object and allows extraction from the DN. 
@@ -40,24 +55,51 @@ <!-- This is the standard post-login step that returns a username derived from the login process. If you have more complex needs such as mapping a certificate DN into a principal name, an alternative may - be required such as that above, but you can configure simple transforms in simple-subject-c14n-config.xml + be required such as that above, but you can use this for simple transforms. --> <ref bean="c14n/simple" /> </util:list> + <!-- What SAML NameID formats do you want to support direct transformations for while proxying? --> + <util:list id="shibboleth.ProxyNameTransformFormats"> + <value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</value> + <value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</value> + <value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</value> + <value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</value> + <value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</value> + </util:list> + <!-- - Flows used during SAML requests to reverse-map NameIdentifiers/NameIDs. The actual beans defining these - flows are in a system file. Below the list are some settings that might be useful to adjust. + Under what conditions should direct NameID mapping during proxying be allowed? By default, never. + Any condition can be used here; the example is suitable for enumerating a number of IdPs to allow. --> - <util:list id="shibboleth.SAMLSubjectCanonicalizationFlows"> - + <bean id="shibboleth.ProxyNameTransformPredicate" parent="shibboleth.Conditions.ProxyAuthentication"> + <constructor-arg name="collection"> + <list> + <!-- <value>https://idp-proxy.example.org</value> --> + </list> + </constructor-arg> + </bean> + + <!-- + Regular expression transforms to apply to incoming proxied subject names. The default empty list just + echoes the name through unmodified. 
+ --> + <util:list id="shibboleth.ProxyNameTransforms"> <!-- - This is installed to support the old mechanism of using PrincipalConnectors in the attribute resolver - to map SAML Subjects back into principals. If you don't use those (or this is a new install) you can - remove this. + <bean parent="shibboleth.Pair" p:first="^(.+)@example\.org$" p:second="$1" /> --> - <ref bean="c14n/LegacyPrincipalConnector" /> - + </util:list> + + + <!-- + ======================================================================= + Flows used during SAML requests to reverse-map NameIdentifiers/NameIDs. + Below the list are some settings that might be useful to adjust. + ======================================================================= + --> + <util:list id="shibboleth.SAMLSubjectCanonicalizationFlows"> + <!-- The next four are for handling transient IDs (in-storage and stateless variants). --> <ref bean="c14n/SAML2Transient" /> <ref bean="c14n/SAML2CryptoTransient" /> @@ -102,7 +144,7 @@ --> <util:list id="shibboleth.NameTransforms"> <!-- - <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" /> + <bean parent="shibboleth.Pair" p:first="^(.+)@example\.org$" p:second="$1" /> --> </util:list> diff --git a/conf/c14n/x500-subject-c14n-config.xml b/conf/c14n/x500-subject-c14n-config.xml deleted file mode 100644 index 1ae25e4..0000000 --- a/conf/c14n/x500-subject-c14n-config.xml +++ /dev/null 
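Review bot: The example `shibboleth.ProxyNameTransforms` entry strips `@example\.org` (the local `idp.scope` elsewhere in this commit) to yield a bare username, and `shibboleth.ProxyNameTransformFormats` admits the `unspecified` format, so any IdP added to the `ProxyNameTransformPredicate` list can assert e.g. `admin@example.org` and have it land as local principal `admin` — that IdP becomes authoritative for local identities. The default-deny predicate is the right default, but the comment above the bean only talks about "enumerating a number of IdPs to allow" and never states that consequence, and the transform example should be anchored to a scope the proxied IdP legitimately owns rather than the local one. Suggested comment: `<!-- Any IdP listed here can mint arbitrary local principal names via the transforms below; list only IdPs trusted as much as your own directory, and tie transforms to that IdP's own scope. -->`.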
@@ -1,37 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- First priority is given to any subjectAltNames specified (emailAddress is 1) --> - <util:list id="shibboleth.c14n.x500.SubjectAltNameTypes"> - <!-- <value>1</value> --> - </util:list> - - <!-- Second priority is a list of Certificate Subject RDN OIDs to look for. --> - <util:list id="shibboleth.c14n.x500.ObjectIDs"> - <value>2.5.4.3</value> - </util:list> - - <!-- Simple transforms to apply to username after authentication. --> - <util:constant id="shibboleth.c14n.x500.Lowercase" static-field="java.lang.Boolean.FALSE"/> - <util:constant id="shibboleth.c14n.x500.Uppercase" static-field="java.lang.Boolean.FALSE"/> - <util:constant id="shibboleth.c14n.x500.Trim" static-field="java.lang.Boolean.TRUE"/> - - <!-- Apply any regular expression replacement pairs after authentication. --> - <util:list id="shibboleth.c14n.x500.Transforms"> - <!-- - <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" /> - --> - </util:list> - -</beans> diff --git a/conf/cas-protocol.xml b/conf/cas-protocol.xml deleted file mode 100644 index 535cf0a..0000000 --- a/conf/cas-protocol.xml +++ /dev/null 
@@ -1,108 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:util="http://www.springframework.org/schema/util" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- - | The CAS service registry defines verified relying parties by endpoint URI. - | The default implementation treats the ID of each entry as a regular expression defining a logical group of - | services whose URIs match the expression. - | - | This bean is reloaded periodically according to %{idp.home}/conf/services.properties. - --> - <bean id="reloadableServiceRegistry" - class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}"> - <property name="definitions"> - <list> - <!-- - <bean class="net.shibboleth.idp.cas.service.ServiceDefinition" - c:regex="https://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*" - p:group="proxying-services" - p:authorizedToProxy="true" - p:singleLogoutParticipant="true" /> - <bean class="net.shibboleth.idp.cas.service.ServiceDefinition" - c:regex="http://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*" - p:group="non-proxying-services" - p:authorizedToProxy="false" / - --> - </list> - </property> - </bean> - - <!-- - | Uncomment this bean if you want to override the default list of CAS service registries. - | The default configuration tries to find the relying party in a SAML metadata source and falls back to - | reloadableServiceRegistry if a match is not found. 
- --> - <!--<util:list id="shibboleth.CASServiceRegistries"> - <ref bean="shibboleth.CASMetadataServiceRegistry" /> - <ref bean="shibboleth.CASServiceRegistry" /> - </util:list>--> - - <!-- - | The default ticket service as of 3.3.0 serializes ticket data into the opaque section of the ticket ID - | for service tickets and proxy tickets. Proxy-granting tickets still require server-side storage, and - | a StorageService defined by the idp.cas.StorageService is used. Thus for deployers that do not require - | CAS proxy capabilities, no stateful storage mechanism is required; that means no memcached or database - | is required for HA deployments that want CAS (without proxy) support. A notable limitation of the new - | component is that the one-time use feature of service and proxy tickets is not available due to the lack - | of a ticket-tracking mechanism. Instead, tickets expire when their expiration period is exceeded. - | If this limitation is of concern, one may consider decreasing ticketValidityPeriod on the profile - | configuration from the default 15000ms. - --> - <alias name="encodingTicketService" alias="shibboleth.CASTicketService" /> - - <!-- - | Uncomment the following element and comment out the above to enable the previous default ticket service - | that uses a StorageService for ticket persistence. Use this if the one-time use limitation of - | EncodingTicketService is problematic and can't be mitigated by decreasing ticketValidityPeriod. - --> - <!--<alias name="simpleTicketService" alias="shibboleth.CASTicketService" /> --> - - <!-- - | The predicate used to determine whether IdP session validation is performed during the process of granting - | a proxy ticket. When the predicate evaluates to true, an IdP session is resolved and validated prior to - | granting a proxy ticket. This feature prevents issuing proxy tickets when an IdP session is expired, but comes - | at the cost of requiring server-side storage of IdP session data. 
If this is configured to a predicate that - | evaluates to true under any condition, a server-side storage service must be enabled for IdP session - | storage. The most common non-default value is "alwaysTrue." - --> - <bean id="shibboleth.CASProxyValidateIdPSessionPredicate" - class="com.google.common.base.Predicates" - factory-method="alwaysFalse" /> - - <!-- - | Uncomment the following bean if you want to ignore jsessionid artifacts in service URLs. - | Those sorts of URLs are commonly emitted by Java servlet-based web applications. - --> - <!--<bean id="shibboleth.CASServiceComparator" - class="net.shibboleth.idp.cas.service.impl.DefaultServiceComparator" - c:parameterNames="[a-z]+sessionid" />--> - - <!-- - | Define the list of static certificates that you trust to secure CAS proxy callback endpoints. - | Typically these are CA certificates and apply to _all_ CAS proxy callback endpoints. - | This facility complements the capability to supply relying-party-specific certificates in SAML metadata, - | which is the preferred mechanism to specify CAS proxy trust material. In the case of metadata, self-signed - | certificates are recommended. - --> - <util:list id="shibboleth.CASProxyTrustedCertificates" value-type="java.lang.String"> - <!--<value>%{idp.home}/credentials/your_ca.pem</value>--> - </util:list> - - - <!-- ============== Advanced CAS Configuration ============== --> - - <!-- Configure a third-party ticket service. --> - <!-- - <bean id="shibboleth.CASTicketService" - class="org.example.idp.cas.CustomTicketService" /> - --> -</beans> \ No newline at end of file diff --git a/conf/credentials.xml b/conf/credentials.xml index dde530b..b40778d 100644 --- a/conf/credentials.xml +++ b/conf/credentials.xml 
@@ -13,8 +13,6 @@ default-destroy-method="destroy"> <!-- - NOTE: if you're using a legacy relying-party.xml file from a V2 configuration, this file is ignored. - This defines the signing and encryption key and certificate pairs referenced by your relying-party.xml configuration. You don't normally need to touch this, unless you have advanced requirements such as supporting multiple sets of keys for different relying parties, in which case you may want to define @@ -30,8 +28,7 @@ </util:list> <!-- Your IdP's default signing key, set via property file. --> - <bean id="shibboleth.DefaultSigningCredential" - class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean" + <bean id="shibboleth.DefaultSigningCredential" parent="shibboleth.BasicX509CredentialFactoryBean" p:privateKeyResource="%{idp.signing.key}" p:certificateResource="%{idp.signing.cert}" p:entityId-ref="entityID" /> @@ -48,7 +45,7 @@ <!-- Your IdP's default encryption (really decryption) keys, set via property file. --> <util:list id="shibboleth.DefaultEncryptionCredentials"> - <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean" + <bean parent="shibboleth.BasicX509CredentialFactoryBean" p:privateKeyResource="%{idp.encryption.key}" p:certificateResource="%{idp.encryption.cert}" p:entityId-ref="entityID" /> @@ -58,7 +55,7 @@ to point to your new keypair. Once metadata has propagated, comment this one out again. --> <!-- - <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean" + <bean parent="shibboleth.BasicX509CredentialFactoryBean" p:privateKeyResource="%{idp.encryption.key.2}" p:certificateResource="%{idp.encryption.cert.2}" p:entityId-ref="entityID" /> diff --git a/conf/errors.xml b/conf/errors.xml index a9f4074..8d629ab 100644 --- a/conf/errors.xml +++ b/conf/errors.xml 
@@ -26,8 +26,11 @@ <entry key="ImpersonationViolation" value="true" /> <entry key="AttributeReleaseRejected" value="true" /> <entry key="TermsRejected" value="true" /> + <entry key="EndpointResolutionFailed" value="true" /> + <entry key="MessageAuthenticationError" value="true" /> <entry key="RuntimeException" value="false" /> <entry key="InvalidEvent" value="false" /> + <entry key="InvalidCSRFToken" value="false" /> <!-- <entry key="IdentitySwitch" value="false" /> <entry key="NoPotentialFlow" value="false" /> @@ -68,6 +71,7 @@ <entry key="UnableToEncode" value-ref="shibboleth.SAML2Status.UnsupportedBinding" /> + <entry key="AccessDenied" value-ref="shibboleth.SAML2Status.RequestDenied" /> <entry key="MessageReplay" value-ref="shibboleth.SAML2Status.RequestDenied" /> <entry key="MessageExpired" value-ref="shibboleth.SAML2Status.RequestDenied" /> <entry key="MessageAuthenticationError" value-ref="shibboleth.SAML2Status.RequestDenied" /> @@ -88,6 +92,7 @@ <entry key="SessionNotFound" value-ref="shibboleth.SAML2Status.UnknownPrincipal" /> <entry key="InvalidNameIDPolicy" value-ref="shibboleth.SAML2Status.InvalidNameIDPolicy" /> + <entry key="ProxyCountExceeded" value-ref="shibboleth.SAML2Status.ProxyCountExceeded" /> <entry key="ChannelBindingsError" value-ref="shibboleth.SAML2Status.ChannelBindingsError" /> </util:map> diff --git a/conf/examples/attribute-resolver-ldap.xml b/conf/examples/attribute-resolver-ldap.xml new file mode 100644 index 0000000..74b3033 --- /dev/null +++ b/conf/examples/attribute-resolver-ldap.xml 
@@ -0,0 +1,108 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + This file is an EXAMPLE configuration file containing some example attributes + based on some commonly used approaches when LDAP is the principal data source. + + Not all attribute definitions or data connectors are demonstrated, but some + LDAP attributes common to Shibboleth deployments (and some not so common) are + included. + + This example is in no way usable as a substitute for reading the documentation. +--> +<AttributeResolver + xmlns="urn:mace:shibboleth:2.0:resolver" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd"> + + <!-- ========================================== --> + <!-- Attribute Definitions --> + <!-- ========================================== --> + + <!-- Simple attributes are exported directly from the LDAP connector. --> + + <!-- eduPerson attributes requiring post-lookup manipulation --> +<!-- + + <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName"> + <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalNamePrior"> + <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalNamePrior"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}"> + <InputDataConnector ref="myLDAP" attributeNames="eduPersonAffiliation"/> + </AttributeDefinition> +--> + + <!-- Schema: SAML Subject ID Attributes --> +<!-- + <AttributeDefinition xsi:type="Scoped" id="samlSubjectID" scope="%{idp.scope}"> + <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}"/> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Scoped" id="samlPairwiseID" scope="%{idp.scope}"> + <InputDataConnector ref="computed" attributeNames="computedId"/> + 
</AttributeDefinition> +--> + + <!-- ========================================== --> + <!-- Data Connectors --> + <!-- ========================================== --> + + <!-- Example LDAP Connector --> + + <DataConnector id="myLDAP" xsi:type="LDAPDirectory" + ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" + baseDN="%{idp.attribute.resolver.LDAP.baseDN}" + principal="%{idp.attribute.resolver.LDAP.bindDN}" + principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}" + useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}" + startTLSTimeout="%{idp.attribute.resolver.LDAP.startTLSTimeout}" + connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}" + trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}" + responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}" + connectionStrategy="%{idp.attribute.resolver.LDAP.connectionStrategy}" + noResultIsError="true" + multipleResultsIsError="true" + excludeResolutionPhases="c14n/attribute" + exportAttributes="mail displayName sn givenName departmentNumber employeeNumber eduPersonEntitlement eduPersonAssurance"> + <FilterTemplate> + <![CDATA[ + %{idp.attribute.resolver.LDAP.searchFilter} + ]]> + </FilterTemplate> + <ConnectionPool + minPoolSize="%{idp.pool.LDAP.minSize:3}" + maxPoolSize="%{idp.pool.LDAP.maxSize:10}" + blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}" + validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}" + validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}" + validateDN="%{idp.pool.LDAP.validateDN:}" + validateOnCheckout="%{idp.pool.LDAP.validateOnCheckout:false}" + validateFilter="%{idp.pool.LDAP.validateFilter:(objectClass=*)}" + prunePeriod="%{idp.pool.LDAP.prunePeriod:PT5M}" + expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"/> + </DataConnector> + + <!-- + DataConnector for pairwise-id (example depends in part on saml-nameid.properties). + Note that this relies on BASE32 encoding in accordance with the attribute definition. 
+ Older uses of this plugin for legacy eduPersonTargetedID/NameID values may require + different settings. + --> +<!-- + <DataConnector id="computed" xsi:type="ComputedId" + excludeResolutionPhases="c14n/attribute" + generatedAttributeID="computedId" + salt="%{idp.persistentId.salt}" + algorithm="%{idp.persistentId.algorithm:SHA}" + encoding="BASE32"> + + <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" /> + + </DataConnector> +--> + +</AttributeResolver> diff --git a/conf/global.xml b/conf/global.xml index 457a814..0bfa7bc 100644 --- a/conf/global.xml +++ b/conf/global.xml @@ -15,23 +15,23 @@ <!-- Use this file to define any custom beans needed globally. --> <!-- - Algorithm whitelists and blacklists that override or merge with library defaults. Normally you can leave - these empty or commented and use the system defaults, but you can override those defaults using these lists. - Each <value> element is an algorithm URI, or you can use <util:constant> elements in place of literal values. + Algorithm include/exclude sets that override or merge with library defaults. Normally you can leave these + empty or commented and use the system defaults, but you can override those defaults using these beans. + Each <value> element is an algorithm URI; you can also use <util:constant> elements in place of literal values. --> <!-- - <util:list id="shibboleth.SignatureWhitelist"> - </util:list> + <util:set id="shibboleth.IncludedSignatureAlgorithms"> + </util:set> - <util:list id="shibboleth.SignatureBlacklist"> - </util:list> + <util:set id="shibboleth.ExcludedSignatureAlgorithms"> + </util:set> - <util:list id="shibboleth.EncryptionWhitelist"> - </util:list> + <util:set id="shibboleth.IncludedEncryptionAlgorithms"> + </util:set> - <util:list id="shibboleth.EncryptionBlacklist"> - </util:list> + <util:set id="shibboleth.ExcludedEncryptionAlgorithms"> + </util:set> --> <!-- 
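Review bot: The commented `ComputedId` connector defaults to `algorithm="%{idp.persistentId.algorithm:SHA}"`, and the JCA name `SHA` is SHA-1, so the example pairwise-id is a salted SHA-1 unless the property is overridden; the comment block should say that explicitly and warn that changing the algorithm or the salt after go-live changes every identifier already released to SPs. Two values in this file are secrets rather than settings: `idp.attribute.resolver.LDAP.bindDNCredential` grants directory access and `idp.persistentId.salt` is what keeps pairwise IDs unlinkable, so the example should direct both to the out-of-tree secrets file that idp.properties in this commit loads via `idp.additionalProperties` (presumably its purpose) rather than to ldap.properties or saml-nameid.properties. Suggested addition to the connector comment: `Default algorithm "SHA" is SHA-1; the salt and algorithm must never change once IDs have been issued, and the salt belongs in credentials/secrets.properties.`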
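Review bot: The algorithm policy bean IDs in the example change from `shibboleth.SignatureWhitelist`/`SignatureBlacklist` (and the Encryption pair) to `shibboleth.IncludedSignatureAlgorithms`/`ExcludedSignatureAlgorithms`, but the rewritten comment does not say whether the old IDs are still honored. If they are not, a deployer who defined a blacklist under the old name loses that restriction silently on upgrade, which is exactly the failure mode a deny-list must avoid. One line closes the gap: `<!-- These replace the former shibboleth.*Whitelist / *Blacklist list beans; if you defined those, migrate them here, as the old IDs may no longer be read. -->`.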
@@ -41,6 +41,9 @@ The example below defines the bean as a map, which allows you to inject multiple objects under named keys to expand the feature to support multiple injected objects. + + You MUST NOT change the bean(s) referenced in this way, they should be treated as read-only from + within views. --> <!-- diff --git a/conf/idp.properties b/conf/idp.properties index 783adfa..59a6299 100644 --- a/conf/idp.properties +++ b/conf/idp.properties @@ -1,11 +1,19 @@ -# Load any additional property resources from a comma-delimited list -idp.additionalProperties=/conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties +# Set false if you do not want the IdP to check (asynchronously) whether +# it can be updated or not when the container starts +#idp.updateCheck.enable=true + +# Auto-load all files matching conf/**/*.properties +# Disable if you want to manually maintain a list of sources. +idp.searchForProperties=true + +# Load any "outside-tree" property sources from a comma-delimited list +idp.additionalProperties=/credentials/secrets.properties # In most cases (and unless noted in the surrounding comments) the -# commented settings in the distributed files are the default -# behavior for V3. -# +# commented settings in the distributed files document default behavior. # Uncomment them and change the value to change functionality. +# +# Uncommented properties are either required or ship non-defaulted. # Set the entityID of the IdP idp.entityID=https://idp.example.org/idp/shibboleth 
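Review bot: `idp.additionalProperties=/credentials/secrets.properties` designates a file for secrets without saying what must protect it, and `idp.searchForProperties=true` appears to load every `*.properties` under conf/, so ownership and permissions on both trees now decide who can set IdP configuration. The sealer keystore passwords are removed from this file further down in the same diff and presumably move to secrets.properties, so that file carries key-material passwords. Suggested comment above the line: `# secrets.properties holds keystore/sealer passwords: mode 0600, owned by the IdP service account, and kept out of any configuration repository.` A similar sentence on the search setting — that any writable conf/ subdirectory becomes a property-injection point — would be worth adding.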
@@ -14,42 +22,59 @@ idp.entityID=https://idp.example.org/idp/shibboleth # Set to empty value to disable and return a 404. #idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml -# Set the scope used in the attribute resolver for scoped attributes +# Set the scope used in the attribute resolver for scoped attributes idp.scope=example.org # General cookie properties (maxAge only applies to persistent cookies) -# Note the default for idp.cookie.secure, you will usually want it set. -#idp.cookie.secure = false +#idp.cookie.secure = true #idp.cookie.httpOnly = true #idp.cookie.domain = -#idp.cookie.path = +# Note the path is now / to allow defaulting to __Host- prefixed names. +#idp.cookie.path = / #idp.cookie.maxAge = 31536000 +# These control operation of the SameSite filter, which is off by default. +#idp.cookie.sameSite = None +#idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE + +# Enable cross-site request forgery mitigation for views. +idp.csrf.enabled=true +# Name of the HTTP parameter that stores the CSRF token. 
+#idp.csrf.token.parameter = csrf_token # HSTS/CSP response headers -#idp.hsts = max-age=0 +#idp.hsts = max-age=31536000 # X-Frame-Options value, set to DENY or SAMEORIGIN to block framing #idp.frameoptions = DENY # Content-Security-Policy value, set to match X-Frame-Options default #idp.csp = frame-ancestors 'none'; +# Set to false to disable filter that forcibly applies UTF-8 encoding +#idp.encoding.forceUTF8 = true + +# Enable and control MDC filter +#idp.logging.MDC.enabled = true +#idp.logging.MDC.createSession = true + # Set the location of user-supplied web flow definitions #idp.webflows = %{idp.home}/flows # Set the location of Velocity view templates #idp.views = %{idp.home}/views +# Do we fail on velocity "syntax errors" +#idp.velocity.runtime.strictmode=false + # Settings for internal AES encryption key +#idp.sealer.keyStrategy = shibboleth.DataSealerKeyStrategy #idp.sealer.storeType = JCEKS #idp.sealer.updateInterval = PT15M #idp.sealer.aliasBase = secret idp.sealer.storeResource=%{idp.home}/credentials/sealer.jks idp.sealer.versionResource=%{idp.home}/credentials/sealer.kver -idp.sealer.storePassword=changeit -idp.sealer.keyPassword=changeit -# Settings for public/private signing and encryption key(s) -# During decryption key rollover, point the ".2" properties at a second -# keypair, uncomment in credentials.xml, then publish it in your metadata. +# Settings for public/private signing and encryption key(s): +# During decryption key rollover, point the ".2" properties at a second +# keypair, uncomment in credentials.xml, then publish it in your metadata. idp.signing.key=%{idp.home}/credentials/idp-signing.key idp.signing.cert=%{idp.home}/credentials/idp-signing.crt idp.encryption.key=%{idp.home}/credentials/idp-encryption.key 
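Review bot: The hunk deletes `idp.sealer.storePassword=changeit` and `idp.sealer.keyPassword=changeit` but leaves no pointer to where those two values now live, so a reader of this file sees a sealer keystore and version file with no credentials at all. A comment after `idp.sealer.versionResource` such as `# idp.sealer.storePassword and idp.sealer.keyPassword are set in credentials/secrets.properties` (assuming that is the new home, as the top of this file suggests) keeps the file self-describing. Also, this file's own convention is that uncommented properties are "required or ship non-defaulted", so the uncommented `idp.csrf.enabled=true` reads as non-default; if CSRF protection is in fact the built-in default, writing it as `#idp.csrf.enabled = true` avoids implying that a fresh install is unprotected.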
@@ -63,18 +88,21 @@ idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt # To downgrade to SHA-1, set to shibboleth.SigningConfiguration.SHA1 #idp.signing.config = shibboleth.SigningConfiguration.SHA256 -# To upgrade to AES-GCM encryption, set to shibboleth.EncryptionConfiguration.GCM -# This is unlikely to work for all SPs, but this is a quick way to test them. -#idp.encryption.config = shibboleth.EncryptionConfiguration.CBC +# The new install default for encryption is now AES-GCM. +idp.encryption.config=shibboleth.EncryptionConfiguration.GCM + +# Sets the default strategy for key agreement key wrap usage for credentials from metadata, +# if not otherwise configured on the security configuration +#idp.encryption.keyagreement.metadata.defaultUseKeyWrap = Default # Configures trust evaluation of keys used by services at runtime -# Defaults to supporting both explicit key and PKIX using SAML metadata. -#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine -# To pick only one set to one of: -# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine -#idp.trust.certificates = shibboleth.ChainingX509TrustEngine -# To pick only one set to one of: -# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine +# Internal default is Chaining, overriden for new installs +idp.trust.signatures=shibboleth.ExplicitKeySignatureTrustEngine +# Other options: +# shibboleth.ChainingSignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine +idp.trust.certificates=shibboleth.ExplicitKeyX509TrustEngine +# Other options: +# shibboleth.ChainingX509TrustEngine, shibboleth.PKIXX509TrustEngine # If true, encryption will happen whenever a key to use can be located, but # failure to encrypt won't result in request failure. 
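Review bot: `idp.encryption.config=shibboleth.EncryptionConfiguration.GCM` becomes the new-install default while the removed text ("unlikely to work for all SPs") was the only warning that SPs without AES-GCM support will fail to decrypt assertions, a failure the IdP itself never observes. Keep a trimmed caveat next to the new line, e.g. `# SPs that cannot decrypt AES-GCM need a per-relying-party override back to CBC.`, phrased to match however per-RP security configuration is expressed in this version. The switch of `idp.trust.signatures`/`idp.trust.certificates` to ExplicitKey-only means PKIX-validated credentials in metadata are no longer trusted; that is a tightening, but the comment only lists alternatives and should say so. Also `overriden` should be `overridden`.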
@@ -82,7 +110,9 @@ idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt # Configuration of client- and server-side storage plugins #idp.storage.cleanupInterval = PT10M -#idp.storage.htmlLocalStorage = false +idp.storage.htmlLocalStorage=true +#idp.storage.clientSessionStorageName = shib_idp_session_ss +#idp.storage.clientPersistentStorageName = shib_idp_persistent_ss # Set to true to expose more detailed errors in responses to SPs #idp.errors.detailed = false @@ -98,9 +128,14 @@ idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt # Set to false to disable the IdP session layer #idp.session.enabled = true +# Set to true to rely on persistent cookies for session management +#idp.session.persistent = false + # Set to "shibboleth.StorageService" for server-side storage of user sessions #idp.session.StorageService = shibboleth.ClientSessionStorageService +# Name of cookie used for session +#idp.session.cookieName = __Host-shib_idp_session # Size of session IDs #idp.session.idSize = 32 # Bind sessions to IP addresses 
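Review bot: `idp.storage.htmlLocalStorage=true` is set uncommented (so non-default by this file's convention), and the two new `idp.storage.client*StorageName` properties suggest client-side session and persistent state then live in browser web storage rather than cookies; unlike an HttpOnly cookie, web storage is readable by any script on the IdP origin, so confidentiality and integrity of that state presumably rest entirely on the DataSealer key and on the CSP this file configures. That trade-off deserves a sentence where the flag is set: `# Web storage is script-readable (no HttpOnly equivalent); the sealer key protects the data, so keep idp.csp strict and sealer.jks locked down.`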
@@ -112,34 +147,19 @@ idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt # Tolerate storage-related errors #idp.session.maskStorageFailure = false # Track information about SPs logged into -#idp.session.trackSPSessions = false +idp.session.trackSPSessions=true # Support lookup by SP for SAML logout -#idp.session.secondaryServiceIndex = false +idp.session.secondaryServiceIndex=true # Length of time to track SP sessions #idp.session.defaultSPlifetime = PT2H -# Regular expression matching login flows to enable, e.g. IPAddress|Password -idp.authn.flows=Password - -# Default lifetime and timeout of various authentication methods -#idp.authn.defaultLifetime = PT60M -#idp.authn.defaultTimeout = PT30M - -# Whether to populate relying party user interface information for display -# during authentication, consent, terms-of-use. -#idp.authn.rpui = true - -# Whether to prioritize "active" results when an SP requests more than -# one possible matching login method (V2 behavior was to favor them) -#idp.authn.favorSSO = false - -# Whether to fail requests when a user identity after authentication -# doesn't match the identity in a pre-existing session. -#idp.authn.identitySwitchIsError = false - # Set to "shibboleth.StorageService" or custom bean for alternate storage of consent #idp.consent.StorageService = shibboleth.ClientPersistentStorageService +# Default consent auditing formats +#idp.consent.terms-of-use.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA +#idp.consent.attribute-release.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA + # Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute # to key user consent storage records (and set the attribute name) #idp.consent.attribute-release.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey 
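Review bot: The `idp.authn.*` block (`idp.authn.flows=Password`, `defaultLifetime`, `favorSSO`, `identitySwitchIsError`) is removed with no forwarding note, so this file no longer tells a reader where login methods are selected; given the per-feature properties files this commit introduces and the `conf/**/*.properties` auto-loading, they presumably moved under conf/authn/. Put `# Authentication settings (idp.authn.*) have moved to conf/authn/*.properties` in place of the removed block so an upgrader does not reinsert them here, where, if the new files are authoritative, they may be silently ignored.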
@@ -151,7 +171,7 @@ idp.authn.flows=Password # Defaults to text displayed to the user. #idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text -# Flags controlling how built-in attribute consent feature operates +# Flags controlling how built-in attribute consent feature operates #idp.consent.allowDoNotRemember = true #idp.consent.allowGlobal = true #idp.consent.allowPerAttribute = false @@ -164,7 +184,18 @@ idp.authn.flows=Password #idp.consent.expandedMaxStoredRecords = 0 # Time in milliseconds to expire consent storage records. -#idp.consent.storageRecordLifetime = P1Y +# Leave commented out for the default of infinite +#idp.consent.storageRecordLifetime = + +# Path to use with External interceptor flow +#idp.intercept.External.externalPath = contextRelative:intercept.jsp + +# Policies to use with Impersonate interceptor flow +#idp.impersonate.generalPolicy = GeneralImpersonationPolicy +#idp.impersonate.specificPolicy = SpecificImpersonationPolicy + +# Picks outbound bindings more sensibly than based on metadata order +idp.bindings.inMetadataOrder=false # Whether to lookup metadata, etc. for every SP involved in a logout # for use by user interface logic; adds overhead so off by default. @@ -173,8 +204,18 @@ idp.authn.flows=Password # Whether to require logout requests/responses be signed/authenticated. #idp.logout.authenticated = true +# Whether to handle logout lacking response endpoonts as asynchronous. +#idp.logout.assumeAsync = false + +# Whether to hide logout propagation status reporting. +#idp.logout.propagationHidden = false + +# Bean to determine whether user should be allowed to cancel logout +#idp.logout.promptUser=shibboleth.Conditions.FALSE + # Message freshness and replay cache tuning #idp.policy.messageLifetime = PT3M +#idp.policy.assertionLifetime = PT3M #idp.policy.clockSkew = PT3M # Set to custom bean for alternate storage of replay cache 
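Review bot: Leaving `idp.consent.storageRecordLifetime` empty now means consent records are retained indefinitely, which is a data-retention decision that should be stated rather than implied by `# Leave commented out for the default of infinite`. If the deployment has a retention policy for user-consent data, set it explicitly (the previous value was `idp.consent.storageRecordLifetime = P1Y`) and cite the policy in the comment; otherwise write `# Retained indefinitely by policy; records expire only when the user clears them`. Note that with `idp.consent.StorageService` left at its client-side default in the earlier hunk, the record lives in the user's browser, so this is about expiring stale consent rather than server disk.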
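Review bot: The added comment `# Whether to handle logout lacking response endpoonts as asynchronous.` has a typo; it should read `# Whether to handle logout lacking response endpoints as asynchronous.`. In the same hunk `#idp.logout.promptUser=shibboleth.Conditions.FALSE` breaks the `key = value` spacing every other commented default in this block uses; write it as `#idp.logout.promptUser = shibboleth.Conditions.FALSE` so a grep for the documented form finds it.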
@@ -194,19 +235,25 @@ idp.authn.flows=Password # browser-supported languages, defaults to an empty list. idp.ui.fallbackLanguages=en,fr,de -# Storage service used by CAS protocol +# Storage service used by CAS protocol for chained proxy-granting tickets +# and when using server-managed "simple" TicketService. # Defaults to shibboleth.StorageService (in-memory) # MUST be server-side storage (e.g. in-memory, memcached, database) -# NOTE that idp.session.StorageService requires server-side storage -# when CAS protocol is enabled #idp.cas.StorageService=shibboleth.StorageService # CAS service registry implementation class #idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry +# If true, CAS services provisioned with SAML metadata are identified via entityID +#idp.cas.relyingPartyIdFromMetadata=false + # F-TICKS auditing - set a salt to include hashed username -#idp.fticks.federation=MyFederation -#idp.fticks.algorithm=SHA-256 -#idp.fticks.salt=somethingsecret -#idp.fticks.loghost=localhost -#idp.fticks.logport=514 +#idp.fticks.federation = MyFederation +#idp.fticks.condition = MyFTICKSCondition +#idp.fticks.algorithm = SHA-256 +#idp.fticks.salt = somethingsecret +#idp.fticks.loghost = localhost +#idp.fticks.logport = 514 + +# Set false if you want SAML bindings "spelled out" in audit log +idp.audit.shortenBindings=true diff --git a/conf/intercept/consent-intercept-config.xml b/conf/intercept/consent-intercept-config.xml deleted file mode 100644 index a089211..0000000 --- a/conf/intercept/consent-intercept-config.xml +++ /dev/null 
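Review bot: `#idp.fticks.salt = somethingsecret` is the value the hashed-username feature keys on, and the reformatted block still invites a deployer to uncomment it in place; this commit already moves the LDAP bind password out of `ldap.properties`, so the F-TICKS salt should follow the same rule and live with the other secrets rather than in `idp.properties`. Change the placeholder comment to `# F-TICKS auditing - set a salt to include hashed username (the salt is a secret: define it in the secrets properties file, not here)`. The `idp.fticks.condition` addition is fine as is.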
@@ -1,121 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- Terms of Use configuration --> - - <!-- - Terms of use is driven by a lookup function returning a key into messages/consent-messages.properties - - The default mapping returns the relying party / SP name as the key. The second example below - demonstrates use of a custom mapping table from the relying party name to the key to use. 
- --> - - <alias alias="shibboleth.consent.terms-of-use.Key" name="shibboleth.RelyingPartyIdLookup.Simple" /> - - <!-- - <bean id="shibboleth.consent.terms-of-use.Key" - class="com.google.common.base.Functions" factory-method="compose"> - <constructor-arg name="g"> - <bean class="com.google.common.base.Functions" factory-method="forMap" c:defaultValue="terms-of-use"> - <constructor-arg name="map"> - <map> - <entry key="https://sp.example.org/shibboleth" value="example-terms" /> - </map> - </constructor-arg> - </bean> - </constructor-arg> - <constructor-arg name="f"> - <ref bean="shibboleth.RelyingPartyIdLookup.Simple" /> - </constructor-arg> - </bean> - --> - - <!-- Attribute Release configuration --> - - <!-- - Attribute release whitelist, blacklist, and match expressions to determine - whether consent should be obtained for an attribute based on the attribute ID. - --> - - <util:list id="shibboleth.consent.attribute-release.WhitelistedAttributeIDs"> - <!-- - <value>mail</value> - --> - </util:list> - - <util:list id="shibboleth.consent.attribute-release.BlacklistedAttributeIDs"> - <value>transientId</value> - <value>persistentId</value> - <value>eduPersonTargetedID</value> - </util:list> - - <!-- - <bean id="shibboleth.consent.attribute-release.MatchExpression" class="java.util.regex.Pattern" factory-method="compile" - c:_0="^exampleAttribute.*$" /> - --> - - <!-- - Customize the order in which attributes are displayed. - Attribute IDs not present in this list will be sorted according to their - natural order and displayed subsequent to any attribute IDs specified here. - --> - <!-- - <util:list id="shibboleth.consent.attribute-release.AttributeDisplayOrder"> - <value>mail</value> - </util:list> - --> - - <!-- - These beans define mappings between audit log categories and formatting strings. 
- --> - - <!-- - For terms-of-use acceptance, the default entry is : - 'YYYYMMDDTHHMMSSZ|TermsAccepted|jdoe|example-tou-1|rHo...rrw=|true' - - For terms-of-use refusal, the default entry is : - 'YYYYMMDDTHHMMSSZ|TermsRejected|jdoe|example-tou-1|rHo...rrw=|false' - --> - <util:map id="shibboleth.consent.terms-of-use.AuditFormattingMap"> - <entry key="Shibboleth-Consent-Audit" value="%T|%SP|%e|%u|%CCI|%CCV|%CCA" /> - </util:map> - - <!-- - For attribute-release consent, the default entry is : - 'YYYYMMDDTHHMMSSZ|https://sp.example.org|AttributeReleaseConsent|jdoe|email,eduPersonAffiliation|rHo...rrw=,rHo...rrw=|false,false' - --> - <util:map id="shibboleth.consent.attribute-release.AuditFormattingMap"> - <entry key="Shibboleth-Consent-Audit" value="%T|%SP|%e|%u|%CCI|%CCV|%CCA" /> - </util:map> - - <!-- - Specify custom symbolic replacements for attribute names to shrink the size of results saved to client-side storage - such as cookies. - --> - <bean id="shibboleth.consent.AttributeSymbolics" parent="shibboleth.consent.DefaultAttributeSymbolics" lazy-init="true"> - <property name="sourceMap"> - <map merge="true"> - <!-- - <entry key="myAttribute" value="900" /> - --> - </map> - </property> - </bean> - - <!-- - Condition to evaluate to apply attribute-release consent to attribute queries. - --> - <bean id="shibboleth.consent.AttributeQuery.Condition" parent="shibboleth.Conditions.FALSE" /> - -</beans> \ No newline at end of file diff --git a/conf/intercept/context-check-intercept-config.xml b/conf/intercept/context-check-intercept-config.xml deleted file mode 100644 index aae07f0..0000000 --- a/conf/intercept/context-check-intercept-config.xml +++ /dev/null 
@@ -1,63 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- - Condition to evaluate to interrupt SSO flows to check the state of the transaction before allowing. - - Typically the flow itself will be activated based on configuration in relying-party.xml, and this controls - whether to proceed if the flow is activated. The most common use for this flow is to check the set of - resolved/filtered attributes and values to see if the user is authorized or provisioned into a service. - --> - <bean id="shibboleth.context-check.Condition" parent="shibboleth.Conditions.AND"> - <constructor-arg> - <list> - <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{{'https://sp.example.org'}}" /> - <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate" - p:useUnfilteredAttributes="true"> - <property name="attributeValueMap"> - <map> - <entry key="eppn"> - <list> - <value>*</value> - </list> - </entry> - </map> - </property> - </bean> - </list> - </constructor-arg> - </bean> - - <!-- - More general purpose approach using a Function that returns either "proceed" or a custom error Event. - This is a cleaner way of applying multiple conditions in different cases or triggering different events. 
- --> - <!-- - <bean id="shibboleth.context-check.Function" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript" - p:customObject-ref="shibboleth.context-check.Condition"> - <constructor-arg> - <value> - <![CDATA[ - var event = "proceed"; - if (!custom.apply(input)) { - event = "ContextCheckDenied"; - } - event; - ]]> - </value> - </constructor-arg> - </bean> - --> - -</beans> \ No newline at end of file diff --git a/conf/intercept/expiring-password-intercept-config.xml b/conf/intercept/expiring-password-intercept-config.xml deleted file mode 100644 index b3bf96d..0000000 --- a/conf/intercept/expiring-password-intercept-config.xml +++ /dev/null 
@@ -1,31 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- - Condition to evaluate to determine if expiring password view should be displayed, false means to notify. - - The example uses a built-in class to evaluate an attribute containing a date/time of password expiration. - The format pattern parses the value and the negative offset determines how soon to warn the user beforehand. - --> - <bean id="shibboleth.expiring-password.Condition" class="net.shibboleth.idp.profile.logic.DateAttributePredicate" - c:attribute="passwordExpiration" c:formatString="yyyyMMddHHmmss'T'" - p:resultIfMissing="true" p:offset="-P14D" /> - - <!-- Name of cookie to track when user was last notified. --> - <bean id="shibboleth.expiring-password.NotifyCookieName" class="java.lang.String" c:_0="shib_idp_exp_pwd" /> - - <!-- Interval (milliseconds) between notifications, default is 8 hours. --> - <bean id="shibboleth.expiring-password.NotifyInterval" class="java.lang.Long" c:_0="28800000" /> - -</beans> diff --git a/conf/intercept/profile-intercept.xml b/conf/intercept/profile-intercept.xml deleted file mode 100644 index 7b4c8aa..0000000 --- a/conf/intercept/profile-intercept.xml +++ /dev/null 
@@ -1,40 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- - Intercept flows are used at various injection points to modify processing. This is the master list - of flows available that provide interesting features to deployers, but flows are actually enabled by - specifying them in various profile configuration beans via relying-party.xml - - This list of flows is merged with a built-in set defined in a system configuration file, and may be - empty, but should not be removed. You must add your own custom flows to this list if you create any. - --> - - <bean id="shibboleth.AvailableInterceptFlows" parent="shibboleth.DefaultInterceptFlows" lazy-init="true"> - <property name="sourceList"> - <list merge="true"> - <bean id="intercept/context-check" parent="shibboleth.InterceptFlow" /> - - <bean id="intercept/expiring-password" parent="shibboleth.InterceptFlow" /> - - <bean id="intercept/terms-of-use" parent="shibboleth.consent.TermsOfUseFlow" /> - - <bean id="intercept/attribute-release" parent="shibboleth.consent.AttributeReleaseFlow" /> - - <bean id="intercept/impersonate" parent="shibboleth.InterceptFlow" /> - </list> - </property> - </bean> - -</beans> 
diff --git a/conf/ldap.properties b/conf/ldap.properties index 241aba1..f537a86 100644 --- a/conf/ldap.properties +++ b/conf/ldap.properties @@ -1,17 +1,20 @@ -# LDAP authentication configuration, see authn/ldap-authn-config.xml -# Note, this doesn't apply to the use of JAAS +# LDAP authentication (and possibly attribute resolver) configuration +# Note, this doesn't apply to the use of JAAS authentication via LDAP ## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator #idp.authn.LDAP.authenticator = anonSearchAuthenticator ## Connection properties ## idp.authn.LDAP.ldapURL=ldap://localhost:10389 -#idp.authn.LDAP.useStartTLS = true -#idp.authn.LDAP.useSSL = false -# Time in milliseconds that connects will block +idp.authn.LDAP.useStartTLS = false +# Time to wait for startTLS responses +#idp.authn.LDAP.startTLSTimeout = PT3S +# Time to wait for connections to open #idp.authn.LDAP.connectTimeout = PT3S -# Time in milliseconds to wait for responses +# Time to wait for operation responses (e.g. search, bind) #idp.authn.LDAP.responseTimeout = PT3S +# Connection strategy to use when multiple URLs are supplied, either ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM +#idp.authn.LDAP.connectionStrategy = ACTIVE_PASSIVE ## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust #idp.authn.LDAP.sslConfig = certificateTrust 
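Review bot: `idp.authn.LDAP.useStartTLS = false` together with `idp.authn.LDAP.ldapURL=ldap://localhost:10389` sends every user password (simple bind) and the service bind in cleartext, and the `useSSL` alternative is removed in the same hunk, so no transport protection is configured at all. This may be deliberate for the I2 test bed the README describes, but the committed default should be the safe one: keep `#idp.authn.LDAP.useStartTLS = true` (the upstream default) and override it only in the test profile, or at minimum put `# Cleartext LDAP: test bed only; MUST be StartTLS or LDAPS in any real deployment` directly above the line. Be aware the resolver inherits it via `idp.attribute.resolver.LDAP.useStartTLS=%{idp.authn.LDAP.useStartTLS:true}` in the next hunk, so attribute lookups go cleartext as well.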
@@ -33,21 +36,24 @@ idp.authn.LDAP.userFilter=(uid={user}) # bind search configuration # for AD: idp.authn.LDAP.bindDN=adminuser@domain.com idp.authn.LDAP.bindDN=uid=myservice,ou=system -idp.authn.LDAP.bindDNCredential=myServicePassword # Format DN resolution, used by directAuthenticator, adAuthenticator # for AD use idp.authn.LDAP.dnFormat=%s@domain.com idp.authn.LDAP.dnFormat=uid=%s,ou=people,dc=example,dc=org +# pool passivator, either none, bind or anonymousBind +#idp.authn.LDAP.bindPoolPassivator = none + # LDAP attribute configuration, see attribute-resolver.xml # Note, this likely won't apply to the use of legacy V2 resolver configurations idp.attribute.resolver.LDAP.ldapURL=%{idp.authn.LDAP.ldapURL} idp.attribute.resolver.LDAP.connectTimeout=%{idp.authn.LDAP.connectTimeout:PT3S} idp.attribute.resolver.LDAP.responseTimeout=%{idp.authn.LDAP.responseTimeout:PT3S} +idp.attribute.resolver.LDAP.connectionStrategy=%{idp.authn.LDAP.connectionStrategy:ACTIVE_PASSIVE} idp.attribute.resolver.LDAP.baseDN=%{idp.authn.LDAP.baseDN:undefined} idp.attribute.resolver.LDAP.bindDN=%{idp.authn.LDAP.bindDN:undefined} -idp.attribute.resolver.LDAP.bindDNCredential=%{idp.authn.LDAP.bindDNCredential:undefined} idp.attribute.resolver.LDAP.useStartTLS=%{idp.authn.LDAP.useStartTLS:true} +idp.attribute.resolver.LDAP.startTLSTimeout=%{idp.authn.LDAP.startTLSTimeout:PT3S} idp.attribute.resolver.LDAP.trustCertificates=%{idp.authn.LDAP.trustCertificates:undefined} idp.attribute.resolver.LDAP.searchFilter=(uid=$resolutionContext.principal) @@ -57,7 +63,8 @@ idp.attribute.resolver.LDAP.searchFilter=(uid=$resolutionContext.principal) #idp.pool.LDAP.validateOnCheckout = false #idp.pool.LDAP.validatePeriodically = true #idp.pool.LDAP.validatePeriod = PT5M +#idp.pool.LDAP.validateDN = +#idp.pool.LDAP.validateFilter = (objectClass=*) #idp.pool.LDAP.prunePeriod = PT5M #idp.pool.LDAP.idleTime = PT10M #idp.pool.LDAP.blockWaitTime = PT3S -#idp.pool.LDAP.failFastInitialize = false 
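Review bot: Removing `idp.authn.LDAP.bindDNCredential=myServicePassword` and the resolver mapping `idp.attribute.resolver.LDAP.bindDNCredential=%{idp.authn.LDAP.bindDNCredential:undefined}` is the right way to get the password out of this file, but the diff does not show where either key now comes from; if they are defined in a secrets properties file, confirm both keys exist there and that the file is excluded from the repo and readable only by the IdP service account. Leave a pointer so nobody re-adds the password here: `# bindDNCredential is defined in the secrets properties file, never in this file`. The new `#idp.pool.LDAP.validateDN =` / `#idp.pool.LDAP.validateFilter = (objectClass=*)` pair presumably targets the root DSE when validateDN is empty; a one-line comment saying so would save the next reader from assuming it searches the whole tree.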
diff --git a/conf/logback.xml b/conf/logback.xml index 2bf2c2b..034886f 100644 --- a/conf/logback.xml +++ b/conf/logback.xml @@ -48,19 +48,19 @@ <logger name="org.ldaptive" level="${idp.loglevel.ldap}"/> <!-- Logs embedded HTTP client messages --> - <logger name="org.apache.http" level="${idp.loglevel.httpclient}"/> + <logger name="org.apache.hc" level="${idp.loglevel.httpclient}"/> <!-- Logs inbound and outbound protocols messages at DEBUG level --> <logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages}" /> <!-- Logs unencrypted SAML at DEBUG level --> <logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption}" /> + <logger name="org.opensaml.saml.saml2.encryption.Decrypter" level="${idp.loglevel.encryption}" /> <!-- Logs system properties during startup at DEBUG level --> - <logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props}" /> + <logger name="net.shibboleth.idp.admin.impl.LogImplementationDetails" level="${idp.loglevel.props}" /> <!-- Especially chatty. --> - <logger name="net.shibboleth.idp.saml.attribute.mapping" level="INFO" /> <logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec}" /> <logger name="org.springframework" level="${idp.loglevel.spring}"/> <logger name="org.apache.catalina" level="${idp.loglevel.container}"/> @@ -86,7 +86,7 @@ <evaluator> <matcher> <Name>VelocityStatusMatcher</Name> - <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex> + <regex>ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\.</regex> </matcher> <expression>VelocityStatusMatcher.matches(formattedMessage)</expression> </evaluator> 
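Review bot: The new `org.opensaml.saml.saml2.encryption.Decrypter` logger, once `idp.loglevel.encryption` is raised to DEBUG, writes decrypted assertion content (including released attributes) into the process log, and the shared comment `Logs unencrypted SAML at DEBUG level` understates that. Make the consequence explicit on the comment covering both loggers: `<!-- Logs unencrypted SAML at DEBUG level: decrypted assertions/attributes land in idp-process.log; keep idp.loglevel.encryption at INFO outside short debugging sessions -->`. The same wording should go into `logback.xml.dist`, which carries the identical change.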
@@ -110,7 +110,7 @@ <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> <charset>UTF-8</charset> - <Pattern>%date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{short}</Pattern> + <Pattern>%date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{full}</Pattern> </encoder> <!-- Ignore Velocity status page error. --> @@ -118,7 +118,7 @@ <evaluator> <matcher> <Name>VelocityStatusMatcher</Name> - <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex> + <regex>ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\.</regex> </matcher> <expression>VelocityStatusMatcher.matches(formattedMessage)</expression> </evaluator> @@ -156,6 +156,8 @@ <suffixPattern>[%thread] %logger %msg</suffixPattern> </appender> + <!-- Top level loggers. --> + <logger name="Shibboleth-Audit" level="ALL"> <appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/> </logger> @@ -173,4 +175,22 @@ <appender-ref ref="${idp.warn.appender:-IDP_WARN}" /> </root> -</configuration> \ No newline at end of file + <!-- Example routing Password flow auditing to separate location (extend to other flows as needed). --> + + <!-- + <appender name="IDP_PASSWORD_AUDIT" class="ch.qos.logback.core.FileAppender"> + <File>${idp.logfiles}/idp-password-audit.log</File> + + + <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> + <charset>UTF-8</charset> + <Pattern>%msg%n</Pattern> + </encoder> + </appender> + + <logger name="Shibboleth-Audit.Password" level="ALL" additivity="false"> + <appender-ref ref="IDP_PASSWORD_AUDIT"/> + </logger> + --> + +</configuration> diff --git a/conf/logback.xml.dist b/conf/logback.xml.dist index cda207e..0124fce 100644 --- a/conf/logback.xml.dist +++ b/conf/logback.xml.dist 
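Review bot: The commented `IDP_PASSWORD_AUDIT` example added to `conf/logback.xml` uses a plain `ch.qos.logback.core.FileAppender` with no rolling policy, whereas the same example in `logback.xml.dist` uses `RollingFileAppender` with a `TimeBasedRollingPolicy` bounded by `${idp.loghistory}`; whoever uncomments this copy gets a password-audit log that carries usernames, grows without bound and never ages out. Align it with the .dist version so the two files do not diverge on exactly the appender that handles authentication data. The `%ex{full}` pattern change in this hunk is fine; it only affects stack-trace verbosity.
```xml
<appender name="IDP_PASSWORD_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <File>${idp.logfiles}/idp-password-audit.log</File>

    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
        <fileNamePattern>${idp.logfiles}/idp-password-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
        <maxHistory>${idp.loghistory}</maxHistory>
    </rollingPolicy>
    <!-- … unchanged: encoder … -->
</appender>
```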
@@ -48,19 +48,19 @@ <logger name="org.ldaptive" level="${idp.loglevel.ldap}"/> <!-- Logs embedded HTTP client messages --> - <logger name="org.apache.http" level="${idp.loglevel.httpclient}"/> + <logger name="org.apache.hc" level="${idp.loglevel.httpclient}"/> <!-- Logs inbound and outbound protocols messages at DEBUG level --> <logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages}" /> <!-- Logs unencrypted SAML at DEBUG level --> <logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption}" /> + <logger name="org.opensaml.saml.saml2.encryption.Decrypter" level="${idp.loglevel.encryption}" /> <!-- Logs system properties during startup at DEBUG level --> - <logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props}" /> + <logger name="net.shibboleth.idp.admin.impl.LogImplementationDetails" level="${idp.loglevel.props}" /> <!-- Especially chatty. --> - <logger name="net.shibboleth.idp.saml.attribute.mapping" level="INFO" /> <logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec}" /> <logger name="org.springframework" level="${idp.loglevel.spring}"/> <logger name="org.apache.catalina" level="${idp.loglevel.container}"/> @@ -90,7 +90,7 @@ <evaluator> <matcher> <Name>VelocityStatusMatcher</Name> - <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex> + <regex>ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\.</regex> </matcher> <expression>VelocityStatusMatcher.matches(formattedMessage)</expression> </evaluator> @@ -118,7 +118,7 @@ <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> <charset>UTF-8</charset> - <Pattern>%date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{short}</Pattern> + <Pattern>%date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{full}</Pattern> </encoder> <!-- Ignore Velocity status page error. --> 
@@ -126,7 +126,7 @@ <evaluator> <matcher> <Name>VelocityStatusMatcher</Name> - <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex> + <regex>ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\.</regex> </matcher> <expression>VelocityStatusMatcher.matches(formattedMessage)</expression> </evaluator> @@ -172,6 +172,8 @@ <suffixPattern>[%thread] %logger %msg</suffixPattern> </appender> + <!-- Top level loggers. --> + <logger name="Shibboleth-Audit" level="ALL"> <appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/> </logger> @@ -189,4 +191,26 @@ <appender-ref ref="${idp.warn.appender:-IDP_WARN}" /> </root> -</configuration> \ No newline at end of file + <!-- Example routing Password flow auditing to separate location (extend to other flows as needed). --> + + <!-- + <appender name="IDP_PASSWORD_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <File>${idp.logfiles}/idp-password-audit.log</File> + + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${idp.logfiles}/idp-password-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern> + <maxHistory>${idp.loghistory}</maxHistory> + </rollingPolicy> + + <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> + <charset>UTF-8</charset> + <Pattern>%msg%n</Pattern> + </encoder> + </appender> + + <logger name="Shibboleth-Audit.Password" level="ALL" additivity="false"> + <appender-ref ref="IDP_PASSWORD_AUDIT"/> + </logger> + --> + +</configuration> diff --git a/conf/logback.xml.tmp3 b/conf/logback.xml.tmp3 index 88c28eb..989cf30 100644 --- a/conf/logback.xml.tmp3 +++ b/conf/logback.xml.tmp3 
@@ -48,19 +48,19 @@ <logger name="org.ldaptive" level="${idp.loglevel.ldap}"/> <!-- Logs embedded HTTP client messages --> - <logger name="org.apache.http" level="${idp.loglevel.httpclient}"/> + <logger name="org.apache.hc" level="${idp.loglevel.httpclient}"/> <!-- Logs inbound and outbound protocols messages at DEBUG level --> <logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages}" /> <!-- Logs unencrypted SAML at DEBUG level --> <logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption}" /> + <logger name="org.opensaml.saml.saml2.encryption.Decrypter" level="${idp.loglevel.encryption}" /> <!-- Logs system properties during startup at DEBUG level --> - <logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props}" /> + <logger name="net.shibboleth.idp.admin.impl.LogImplementationDetails" level="${idp.loglevel.props}" /> <!-- Especially chatty. --> - <logger name="net.shibboleth.idp.saml.attribute.mapping" level="INFO" /> <logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec}" /> <logger name="org.springframework" level="${idp.loglevel.spring}"/> <logger name="org.apache.catalina" level="${idp.loglevel.container}"/> @@ -90,7 +90,7 @@ <evaluator> <matcher> <Name>VelocityStatusMatcher</Name> - <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex> + <regex>ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\.</regex> </matcher> <expression>VelocityStatusMatcher.matches(formattedMessage)</expression> </evaluator> @@ -118,7 +118,7 @@ <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> <charset>UTF-8</charset> - <Pattern>%date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{short}</Pattern> + <Pattern>%date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{full}</Pattern> </encoder> <!-- Ignore Velocity status page error. --> 
@@ -126,7 +126,7 @@ <evaluator> <matcher> <Name>VelocityStatusMatcher</Name> - <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex> + <regex>ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\.</regex> </matcher> <expression>VelocityStatusMatcher.matches(formattedMessage)</expression> </evaluator> @@ -172,6 +172,8 @@ <suffixPattern>[%thread] %logger %msg</suffixPattern> </appender> + <!-- Top level loggers. --> + <logger name="Shibboleth-Audit" level="ALL"> <appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/> </logger> @@ -189,4 +191,26 @@ <appender-ref ref="${idp.warn.appender:-IDP_WARN}" /> </root> -</configuration> \ No newline at end of file + <!-- Example routing Password flow auditing to separate location (extend to other flows as needed). --> + + <!-- + <appender name="IDP_PASSWORD_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <File>${idp.logfiles}/idp-password-audit.log</File> + + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${idp.logfiles}/idp-password-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern> + <maxHistory>${idp.loghistory}</maxHistory> + </rollingPolicy> + + <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> + <charset>UTF-8</charset> + <Pattern>%msg%n</Pattern> + </encoder> + </appender> + + <logger name="Shibboleth-Audit.Password" level="ALL" additivity="false"> + <appender-ref ref="IDP_PASSWORD_AUDIT"/> + </logger> + --> + +</configuration> diff --git a/conf/metadata-providers.xml b/conf/metadata-providers.xml index d723005..d922a97 100644 --- a/conf/metadata-providers.xml +++ b/conf/metadata-providers.xml 
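Review bot: `conf/logback.xml.tmp3` is byte-for-byte the same content and the same edits as `logback.xml.dist`, which makes it look like an editor or scratch copy that was committed by accident and is now being maintained in lockstep. Remove it from the tree and add a `*.tmp*` pattern to `.gitignore` so temp copies of config files cannot land in the deployable directory again. If it is intentional, a leading `<!-- … -->` comment stating its purpose would stop the next cleanup from deleting it.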
@@ -1,29 +1,39 @@ <?xml version="1.0" encoding="UTF-8"?> -<!-- This file is an EXAMPLE metadata configuration file. --> <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" - xmlns:resource="urn:mace:shibboleth:2.0:resource" xmlns:security="urn:mace:shibboleth:2.0:security" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" + xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" + xmlns:ds="http://www.w3.org/2000/09/xmldsig#" + xmlns:ds11="http://www.w3.org/2009/xmldsig11#" + xmlns:enc="http://www.w3.org/2001/04/xmlenc#" + xmlns:enc11="http://www.w3.org/2009/xmlenc11#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd - urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd - urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd"> - - <!-- ========================================================================================== --> - <!-- Metadata Configuration --> - <!-- --> - <!-- Below you place the mechanisms which define how to load the metadata for SP(s) you will --> - <!-- provide service to. --> - <!-- --> - <!-- Two examples are provided. The Shibboleth Documentation at --> - <!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration --> - <!-- provides more details. --> - <!-- --> - <!-- NOTE. This file SHOULD NOT contain the metadata for this IdP. 
--> - <!-- ========================================================================================== --> + urn:oasis:names:tc:SAML:2.0:assertion http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd + urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd + urn:oasis:names:tc:SAML:metadata:algsupport http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-algsupport-v1.0.xsd + http://www.w3.org/2000/09/xmldsig# http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd + http://www.w3.org/2009/xmldsig11# http://www.w3.org/TR/2013/REC-xmldsig-core1-20130411/xmldsig11-schema.xsd + http://www.w3.org/2001/04/xmlenc# http://www.w3.org/TR/xmlenc-core/xenc-schema.xsd + http://www.w3.org/2009/xmlenc11# http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/xenc-schema-11.xsd" + sortKey="1"> + <!-- + Below you place the mechanisms which define how to load the metadata for SP(s) you will + provide service to. + + Some simple examples are provided. The documentation provides more details; in most cases, + the modern replacement for these older plugins are the "DynamicHTTPMetadataProvider" and + "LocalDynamic" variants, which provide dramatic memory savings and more reliable operation. + + NOTE: You do NOT need to load metadata for this IdP itself within this configuration. + --> + + + <!-- Example HTTP metadata provider. Use this if you want to download the metadata from a remote source. 
@@ -32,19 +42,20 @@ Get the public key certificate from the party publishing the metadata, and validate it with them via some out of band mechanism (e.g., a fingerprint on a secure page). - The EntityRoleWhiteList saves memory by only loading metadata from SAML roles - that the IdP needs to interoperate with. + The EntityRole filter saves memory by only loading metadata from SAML roles + that the IdP needs to interoperate with. --> <!-- <MetadataProvider id="HTTPMetadata" xsi:type="FileBackedHTTPMetadataProvider" backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml" - metadataURL="http://WHATEVER"> + metadataURL="http://WHATEVER" + failFastInitialization="false"> <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" /> <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/> - <MetadataFilter xsi:type="EntityRoleWhiteList"> + <MetadataFilter xsi:type="EntityRole"> <RetainedRole>md:SPSSODescriptor</RetainedRole> </MetadataFilter> </MetadataProvider> @@ -52,8 +63,8 @@ <!-- Example file metadata provider. Use this if you want to load metadata - from a local file. You might use this if you have some local SPs - which are not "federated" but you wish to offer a service to. + from a local file. You use this if you have some local SPs which are not + "federated" but you wish to offer a service to. If you do not provide a SignatureValidation filter, then you have the responsibility to ensure that the contents on disk are trustworthy. 
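Review bot: The commented HTTP example now carries `failFastInitialization="false"` with no explanation of what a deployer is opting into; as I understand the setting, the IdP will start even when the initial fetch fails and will serve from `backingFile` if one exists, or with nothing from this source otherwise. One sentence in the comment above the example would make that explicit, e.g. `failFastInitialization="false" lets the IdP start when the URL is unreachable; the backing file, if present, is used until the next successful refresh.` It is also worth saying there that the `RequiredValidUntil` filter on the same provider still rejects metadata whose validUntil is missing or more than P30D out, which is the safety net for a stale local copy.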
@@ -65,14 +76,28 @@ <!-- - Example CAS metadata source. + Example CAS metadata source for managing CAS services using SAML metadata. --> <!-- - <MetadataProvider id="CasMetadata" + <MetadataProvider id="CASMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA" indexesRef="shibboleth.CASMetadataIndices" /> --> + <!-- InCommon Per-Entity Metadata Distribution Service --> + <MetadataProvider id="incommon" xsi:type="DynamicHTTPMetadataProvider" + maxCacheDuration="PT24H" minCacheDuration="PT10M"> + <!-- Verify the signature on the root element (i.e., the EntityDescriptor element) --> + <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" + certificateFile="%{idp.home}/credentials/inc-md-cert-mdq.pem" /> + + <!-- Require a validUntil XML attribute no more than 14 days into the future --> + <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" /> + + <!-- The MetadataQueryProtocol element specifies the base URL for the query protocol --> + <MetadataQueryProtocol>https://mdq.incommon.org/</MetadataQueryProtocol> + </MetadataProvider> + </MetadataProvider> diff --git a/conf/relying-party.xml b/conf/relying-party.xml index 28c9193..26c6c17 100644 --- a/conf/relying-party.xml +++ b/conf/relying-party.xml 
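Review bot: The new `incommon` DynamicHTTPMetadataProvider is live rather than commented out like the other examples, and its SignatureValidation filter reads `%{idp.home}/credentials/inc-md-cert-mdq.pem`, which this diff does not add; unless that certificate is supplied separately the filter cannot initialize, and with `idp.service.metadata.failFast` left at false (services.properties context in this same diff) that would presumably show up as a logged failure rather than a refused start. The comment above the HTTP example tells the reader to validate the publisher's certificate out of band, but nothing says that for this provider, which is the one actually in use. A comment beside the filter would carry that over, e.g. `<!-- inc-md-cert-mdq.pem is the InCommon MDQ signing certificate; verify its fingerprint against the published value (<FINGERPRINT-PLACEHOLDER>) before trusting it -->`.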
@@ -28,21 +28,28 @@ </bean> <!-- - Default configuration, with default settings applied for all profiles, and enables - the attribute-release consent flow. + Default configuration, with default settings applied for all profiles. + + Take care with any defaults you apply at this level because you will have to create + overrides or apply metadata tags for every single SP that requires a different setting. + Changed defaults should be things you really do want to apply to nearly every SP. --> <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty"> <property name="profileConfigurations"> <list> - <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" /> + <!-- SAML 1.1 and SAML 2.0 AttributeQuery are disabled by default. --> + <!-- + <ref bean="Shibboleth.SSO" /> <ref bean="SAML1.AttributeQuery" /> <ref bean="SAML1.ArtifactResolution" /> - <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" /> + --> + <ref bean="SAML2.SSO" /> <ref bean="SAML2.ECP" /> <ref bean="SAML2.Logout" /> + <!-- <ref bean="SAML2.AttributeQuery" /> + --> <ref bean="SAML2.ArtifactResolution" /> - <ref bean="Liberty.SSOS" /> </list> </property> </bean> @@ -56,7 +63,7 @@ for SAML 2 SSO without encryption. This is a common "vendor" scenario. --> <!-- - <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org"> + <bean id="ExampleSP" parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org"> <property name="profileConfigurations"> <list> <bean parent="SAML2.SSO" p:encryptAssertions="false" /> diff --git a/conf/saml-nameid.properties b/conf/saml-nameid.properties index bbc1597..08b66c5 100644 --- a/conf/saml-nameid.properties +++ b/conf/saml-nameid.properties 
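Review bot: Dropping `p:postAuthenticationFlows="attribute-release"` from the SAML2.SSO entry of `shibboleth.DefaultRelyingParty` turns off the attribute-release consent interceptor for every SP, and the rewritten comment above the bean no longer mentions consent at all, so a later reader cannot tell it used to be on. I would add to that comment `Attribute-release consent is not enabled by default; to enable it for all SPs replace the SAML2.SSO ref with <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />`. The inline note `SAML 1.1 and SAML 2.0 AttributeQuery are disabled by default.` sits only above the SAML 1.1 block while `SAML2.AttributeQuery` is commented out further down without a note of its own, so either move the note or repeat a short one there. The second hunk in this file (adding `id="ExampleSP"` to the commented example) needs nothing.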
@@ -4,10 +4,6 @@ # identifiers. See saml-nameid.xml and c14n/subject-c14n.xml for advanced # settings -# Comment out to disable legacy NameID generation via Attribute Resolver -#idp.nameid.saml2.legacyGenerator = shibboleth.LegacySAML2NameIDGenerator -#idp.nameid.saml1.legacyGenerator = shibboleth.LegacySAML1NameIdentifierGenerator - # Default NameID Formats to use when nothing else is called for. # Don't change these just to change the Format used for a single SP! #idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient @@ -18,12 +14,10 @@ # Persistent IDs can be computed on the fly with a hash, or managed in a database -# For computed IDs, set a source attribute and a secret salt: +# For computed IDs, set a source attribute, and a secret salt in secrets.properties #idp.persistentId.sourceAttribute = changethistosomethingreal #idp.persistentId.useUnfilteredAttributes = true -# Do *NOT* share the salt with other people, it's like divulging your private key. #idp.persistentId.algorithm = SHA -#idp.persistentId.salt = changethistosomethingrandom # BASE64 will match V2 values, we recommend BASE32 encoding for new installs. idp.persistentId.encoding = BASE32 @@ -31,7 +25,7 @@ idp.persistentId.encoding = BASE32 #idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator # For basic use, set this to a JDBC DataSource bean name: #idp.persistentId.dataSource = PersistentIdDataSource -# For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore -#idp.persistentId.store = MyPersistentIdStore +# Controls which JDBC error codes are treated as retryable +#idp.persistentId.retryableErrors = 23000,23505 # Set to an empty property to skip hash-based generation of first stored ID #idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator diff --git a/conf/services.properties b/conf/services.properties index 0aa9007..6e507a2 100644 --- a/conf/services.properties +++ b/conf/services.properties 
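Review bot: In the second hunk the salt is now expected in secrets.properties, but the removed warning (`Do *NOT* share the salt with other people, it's like divulging your private key.`) goes with it and nothing left in this file says that secrets.properties must stay out of the repository; given that this same commit tracks private keys under credentials/, that is worth stating where the setting moved from. I would make the new comment `# For computed IDs, set a source attribute here and a secret salt in secrets.properties (keep that file out of version control; the salt is as sensitive as a private key)`. Whether secrets.properties is excluded cannot be seen from this diff.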
@@ -12,14 +12,23 @@ #idp.service.logging.failFast = true idp.service.logging.checkInterval = PT5M -# Set to shibboleth.LegacyRelyingPartyResolverResources with legacy V2 relying-party.xml #idp.service.relyingparty.resources = shibboleth.RelyingPartyResolverResources #idp.service.relyingparty.failFast = false idp.service.relyingparty.checkInterval = PT15M +# See MetadataDrivenConfiguration wiki topic for details +idp.service.relyingparty.ignoreUnmappedEntityAttributes=true #idp.service.metadata.resources = shibboleth.MetadataResolverResources #idp.service.metadata.failFast = false #idp.service.metadata.checkInterval = PT0S +# Set to false if not using ByReference MetadataFilters for a small perf gain +#idp.service.metadata.enableByReferenceFilters = true + +#idp.service.attribute.registry.resources = shibboleth.AttributeRegistryResources +#idp.service.attribute.registry.failFast = false +idp.service.attribute.registry.checkInterval = PT15M +# Default control of whether to encode XML attribute data with xsi:type +idp.service.attribute.registry.encodeType = false #idp.service.attribute.resolver.resources = shibboleth.AttributeResolverResources #idp.service.attribute.resolver.failFast = false 
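Review bot: `idp.service.relyingparty.ignoreUnmappedEntityAttributes=true` is the only assignment in the file written without spaces around `=`; every other key in this hunk, including the new `idp.service.attribute.registry.*` lines, uses ` = `. For consistency: `idp.service.relyingparty.ignoreUnmappedEntityAttributes = true`. The comment above it names a wiki topic only; a few words on what an unmapped entity attribute is would spare the reader a lookup, but that is optional.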
@@ -45,12 +54,15 @@ idp.service.access.checkInterval = PT5M #idp.service.cas.registry.failFast = false idp.service.cas.registry.checkInterval = PT15M +#idp.service.managedBean.resources = shibboleth.ManagedBeanResources +#idp.service.managedBean.failFast = false +idp.service.managedBean.checkInterval = PT15M + #idp.message.resources = shibboleth.MessageSourceResources #idp.message.cacheSeconds = 300 -# Parameters for pre-defined HttpClient instances which perform in-memory and filesystem caching. -# These are used with components such as remote configuration resources that are explicitly wired -# with these client instances, *not* by default with HTTP metadata resolvers. +# These settings impact the behavior of the internal HTTP Client used by default +# with some internal components, but notably *not* for metadata acquisition. #idp.httpclient.useSecurityEnhancedTLSSocketFactory = false #idp.httpclient.connectionDisregardTLSCertificate = false #idp.httpclient.connectionRequestTimeout = PT1M @@ -58,8 +70,3 @@ idp.service.cas.registry.checkInterval = PT15M #idp.httpclient.socketTimeout = PT1M #idp.httpclient.maxConnectionsTotal = 100 #idp.httpclient.maxConnectionsPerRoute = 100 -#idp.httpclient.memorycaching.maxCacheEntries = 50 -#idp.httpclient.memorycaching.maxCacheEntrySize = 1048576 -#idp.httpclient.filecaching.maxCacheEntries = 100 -#idp.httpclient.filecaching.maxCacheEntrySize = 10485760 -idp.httpclient.filecaching.cacheDirectory = %{idp.home}/tmp/httpClientCache \ No newline at end of file diff --git a/conf/services.xml b/conf/services.xml index e04ac8f..24e2b1e 100644 --- a/conf/services.xml +++ b/conf/services.xml 
@@ -9,82 +9,41 @@ default-init-method="initialize" default-destroy-method="destroy"> - <!-- Advanced configuration of services from HTTP. - - To use an HTTP resource you first need to configure the Apache HttpClient which will be used - to communicate with the web server. Any HttpClient can be used, but two Factory Beans allow simple - configuration of in-memory or file-based caching clients. - - Examples are: - - A resource which will be supplied from an in-memory cache for as long as the file on the webserver does not change. - If the webserver becomes unavailable the resource will be unavailable. - - <bean id="inMemoryResource" class="net.shibboleth.ext.spring.resource.HTTPResource" - c:client-ref="shibboleth.MemoryCachingHttpClient" - c:url="http://example.org/path/to/file.xml" /> - - Two resources which will be supplied from an on disk cache (suitable for multiple or large files) for as long - as the file on the webserver does not change. If the webserver becomes unavailable the last used contents - of the file will be returned (even if that was in a previous IdP lifetime). - - <bean id="fileResource" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource" - c:client-ref="shibboleth.FileCachingHttpClient" - c:url="http://example.org/path/to/file.xml" - c:backingFile="/var/shibboleth/caches/resourcecache/file.xml"/> - - <bean id="otherFileResource" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource" - c:client-ref="shibboleth.FileCachingHttpClient" - c:url="http://another.server.example.org/path/to/different/file.xml" - c:backingFile="/var/shibboleth/caches/resourcecache/differentFile.xml"/> - - In all cases you should review the "idp.httpclient.*" properties defined in services.properties - --> - - <!-- - Otherwise by default we look at resources whose names are derived from %{idp.home}. Services not configured - using native Spring syntax also need to load the property-placeholder file in order to pull settings from - property sources. 
- --> + <!-- By default we look at resources whose names are derived from %{idp.home}. --> - <!-- This set of resources supports a native Spring relying-party.xml file. --> <util:list id="shibboleth.RelyingPartyResolverResources"> <value>%{idp.home}/conf/relying-party.xml</value> <value>%{idp.home}/conf/credentials.xml</value> - <value>%{idp.home}/system/conf/relying-party-system.xml</value> - </util:list> - - <!-- This set of resources supports a legacy 2.x relying-party.xml file. --> - <util:list id="shibboleth.LegacyRelyingPartyResolverResources"> - <value>%{idp.home}/conf/relying-party.xml</value> - <value>%{idp.home}/system/conf/legacy-relying-party-defaults.xml</value> </util:list> <util:list id="shibboleth.MetadataResolverResources"> <value>%{idp.home}/conf/metadata-providers.xml</value> - <value>%{idp.home}/system/conf/metadata-providers-system.xml</value> </util:list> <util:list id ="shibboleth.AttributeResolverResources"> <value>%{idp.home}/conf/attribute-resolver.xml</value> </util:list> + <!-- + This is suitable for new installs but will usually produce duplicate Attribute + output if a legacy resolver file is used that contains AttributeEncoders. 
+ --> + <util:list id ="shibboleth.AttributeRegistryResources"> + <value>%{idp.home}/conf/attribute-registry.xml</value> + <value>%{idp.home}/conf/attributes/default-rules.xml</value> + <value>%{idp.home}/conf/attribute-resolver.xml</value> + </util:list> + <util:list id ="shibboleth.AttributeFilterResources"> <value>%{idp.home}/conf/attribute-filter.xml</value> </util:list> <util:list id ="shibboleth.NameIdentifierGenerationResources"> <value>%{idp.home}/conf/saml-nameid.xml</value> - <value>%{idp.home}/system/conf/saml-nameid-system.xml</value> </util:list> <util:list id="shibboleth.AccessControlResources"> <value>%{idp.home}/conf/access-control.xml</value> - <value>%{idp.home}/system/conf/access-control-system.xml</value> - </util:list> - - <util:list id="shibboleth.CASServiceRegistryResources"> - <value>%{idp.home}/conf/cas-protocol.xml</value> </util:list> <!-- @@ -94,7 +53,6 @@ --> <util:list id="shibboleth.MessageSourceResources"> <value>%{idp.home}/messages/messages</value> - <value>%{idp.home}/system/messages/messages</value> </util:list> </beans> diff --git a/conf/session-manager.xml b/conf/session-manager.xml deleted file mode 100644 index 7372029..0000000 --- a/conf/session-manager.xml +++ /dev/null 
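Review bot: The `shibboleth.CASServiceRegistryResources` list is removed from services.xml while services.properties in this same diff still carries `idp.service.cas.registry.failFast` and `idp.service.cas.registry.checkInterval` (context lines around the new `managedBean` entries); if that bean is no longer supplied by the system configuration, the CAS registry service would have nothing to load. I cannot see from the diff whether it is defined elsewhere, so this is a confirm-and-document item: either keep the list or leave a one-line comment where it was, e.g. `<!-- CAS service registry resources are now supplied by the system configuration. -->`. The same `system/conf` removals appear for the other lists in this hunk, so one comment near the top (`By default we look at resources …`) could cover all of them. The enclosing `<beans>` element starts before this hunk.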
@@ -1,29 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- Flows that propagate logout to additional services using supported protocols. -->
- <util:list id="shibboleth.LogoutPropagationFlows">
- <ref bean="logoutprop/cas" />
- <ref bean="logoutprop/saml2" />
- </util:list>
-
- <!--
- List of client-side storage service plugins. If you use server-side storage and don't need these
- services, you can remove or comment out the <ref> elements, but don't remove the list bean or
- a default list will be substituted for backward compatibility.
- -->
- <util:list id="shibboleth.ClientStorageServices">
- <ref bean="shibboleth.ClientSessionStorageService" />
- <ref bean="shibboleth.ClientPersistentStorageService" />
- </util:list>
-
-</beans>
diff --git a/credentials/beta1-keys b/credentials/beta1-keys
new file mode 100644
index 0000000..1767e17
--- /dev/null
+++ b/credentials/beta1-keys
@@ -0,0 +1,100 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBE56gwwBEADI6Y7tBIdYr8t0zfHU2hRbD7GfuanIkn4Fhf/CZ7ICN+SfA/XP +JAx3HDRkM/nc65U2mKG7vG3zlNOcKgeFoCwqhlLc4sSGP6DDoPYKtZOLEHwA/sIy +Lldw3re5KbCFIElnbBW/0av15IGHXgyylmG24jhlY/ufjLd53Qm4agxv51kdYdgH +cI0djzLqvMWTabWhw8QtmitPZSKdqOwTqkIt6bYAdOvc9r5bvAzemw6IO01L9aX7 +/yFIVJAYySL/UpbEtLcl3B/qXUXwhiq2bAUtvdmV+35FSMrAgfD25bYv+dVoJdtX +Gb4tQcPteSRDIQYswT+bilEtGOOu9vqLvko3hSHOK2Yqc8SufDakrOlCWO1R00Sw +QHGSkPKgA5O3RpOz3qbuPN6sDt/7FgqyzB6VqF9445bTqWDfIihXEAFr97gf28Xg +ngAn2Tp8ZZ6zTzYWv3/GGvCedCcrHrIG/nKf0Z0/1q9Uf8P7crv2udGuZjs3bMtY +RQNKzki/wKRuGnZ7HjgOEDIe8E+QMs+568i5vYqdaNrmCxUodRFjwkZ/0aRuHzxo +JNQaB/r2Ckj5X/yEX6f45D0hiwBmIFz2+VUnis7RAPelcUl1X/kT4p/3gvKSsFE0 +Ti7JWCY9e+ntnzcsb4ywisFen9tQQPP4G++qnhGyApz323LfDVPJkFWWJwARAQAB +tB9TY290dCBDYW50b3IgPGNhbnRvci4yQG9zdS5lZHU+iEYEEBECAAYFAk6DTO8A +CgkQ70D8KeoogrukNwCdGX5zZOsC44CjV2AopI8KoMFJto4AoMH+qA35GIBUkEt8 +IoRVFs1rp3TGiEYEEBEKAAYFAk6ApGIACgkQpXtW80eQXRUgxwCePIV9LehYh+Ji +o8mtQ74I/NWvfDQAoLmXTfmKAganE+r/FcCcwykzj70ViQEcBBABAgAGBQJOfS4a +AAoJEH8LUwap169VyrAH/1lrWiCJarm8eFLNlajcDt5TR5ZpanZVUbuzAp9Jk8Xt +BkCMssnuzcqqSbGmq3P6CuaSTx0BybBOhRgC+UCb/DCS0TGomJYUTcG7e7MyJZC4 +ocarORGURABk1UK/fkgEBn+9o2jdDlf7bm7JHlZJ8huLjiAq5fapzp5WhTUAcreH +jYieTS5umt01yxFatxhqiTbNXzs1c7Hc19rW4cTLREm6YQUNwTIxqJ2hHyDfU13e +phowv1DpoAwLXdHAsNy/C8RKRlr0Qc4snihVkGevLNWatYK4HP6M0tEvGX9CpnTX +pOsLZkfp96RMtE2TEvMEEA0HVoZPE7/kCyYR5DForeqJARwEEAECAAYFAlQtSU8A +CgkQWcpz+XPnY1H5dQgA4p+myZvcKjMAfhgvQZtEeqeSloZIcyYF1NyWJp0WAUUK +pZKdYYauaxPVd9l+iqz0dBlVotx5CHuymbqnj6JiX55kfKsbClWcDUs0wE6NGH3m +evosr55/17u01yFGw2KhbevdpgO5i+rNAliFe5LkZ+50CEzWcO0Io2ZhXy+qYpcz +Oy71ezwstgTJG2guH5BpbcIKku75dauPkD106wmSSswA+D95nXiJ5CFSdK3c4+Q2 +GDbXoIxJtKECb0c6tsjhU1TSPgc/XeeWqAaH/z4u8S5QlQCrMYHOMmvi8ExIrZG3 +3ba8qvB4RhSMKq+5GeJ3Gsgytp/Kc7UnVo09XFYkYokCHAQQAQIABgUCToOQYAAK +CRCagE6X1wecd5lDD/9ChSLSg/WWnsyNsUoai8KIJBTWoTRgQMemSQPHCP/KgYrf +KU4Z3fat6DPdO6hXgA/tkXt5m+shexUHmnZvwUvgiQEmL39xdQl1n5zL/QJ3u+K9 
+3jycQFM1m8c2TIrKMVbz8VwTYjLKUkhv1pxXZadmAap84ynyT+UpzN/M1ppXcUVV +jXlDVDuF5JSICh/zn93EA6hbSLWPt2ZE0QpEciZ7S/vVC/4nvXhz3m6ODV3zeshr +m5V8P8R4Fsmf1a9FY7s49jKWG7Ike6u29DYIkv39FQveYixo3FMfB5d8q4uzJigi +RAvsekMgYOlnmM8yu9JJ4//zCBj81Q2teFixUrTQON369X3bnEOt0Djqk0QXgXCU +vhYUdmAa6s/EZgngxeV5axDbW3vQa9Mki3UWsXnlpi4clx/nH7xWKcba27WkImDl +v3g4n2SbUFj/GOCc3DFp+qmWwFV8yMs300zSPbAqr+CXO0GAitoqpmhxCLmiauaG +ImnWqt051YWFG0hjaQLKhfjzXfsVuyEDD870RMXqnkS4oQd35OOy1OFbqgghxtJX +o8oCL2fRwvlREv0ko7X6rpCxPhiyy6LFoHRt+4X0G5h2/LbGjIV4oPi436pJyozb +83kCh5yGP1oh+GrKFfgTHxakp3MTNXzil8a+9aTyQRlARIevaFlGrKSR0umqaokC +HAQQAQIABgUCTpRR2wAKCRCgs8sJ0rNzUwVbD/4ufRZKllrocevu/7MEiNPyBYo1 +xOHhBjXXBKZqZmYUnoWmcp8mxAGdLDmHrKFni4v6mv9eHOcNkljKF1Heei9qbKsF +9UkeSlCNzELzRoQJ2wjP7enW80QoEWcAN7P3SBRwVE1XF3zBo5mwN/RXBGy7xy/6 +6Yy378uunCwnPyZabNTWrMhOIAw3Qhd2fMCoDt86sVm9x8CfQzJI8YPJOFSwbSuX +YMkfx/Va9sO5A9LDaX79abafHAHiwJBiGeu8W7VwJYh5acr/lTUQbUW8Hlco5IKz +3Rjd8t7qfCWpcALR2pOPYJaii97lEonrtT9Hx+iL9gma9PN1D80ty7bMYYtOdMsk +udH8XD0FBKEi0ViT83lzl2Wz3T/2INdJsuHLhLMo+R2wrE9M4jLsp6P4qRJ3NVpj +DkNe3CXwVQgQ6Q+EjtXGb541MvZY1442pHPE7c6eTDIgw5P7LpH0Jcim/iXQdpPW +apdLB1zxntmCRyYyDYhd0KNvWNDRsr+PAE2XK82KD8fF2r3m8eULm4buGA8tf2sq +uQ5K2okLlZT1NLIXmgThSDgSBjy/iFUz95AmtYdy2eqT5oRgXAsJDKMCl+nO5/1s +IRA1sRHaXCnPczQkiXhKidiVOuRpkThx3mMxYhIV2wYCG/pEpoeCHkuUMiBDSRpG +DaxucQQJR9r83xK5JIkCHAQTAQIABgUCTnvvowAKCRD6QbX3MKI2LppVEACA4l4N +BK1m38ziJZ0IBlWBKgXi4v0LK0jv1WrsrQzLWijoHSaLMt9wzbXjDyAlugxq+8Gf +PXr3bmV5Zyo6MeJiybLzQCXzbsPhpN3iT7tRAnU5EX7Qef390oWHB9GSTr2jE8yw +3dmx3UGFuP4ELmHIyxYvWSdSjGTPROVONRruR6/yVCrzy/51VPY4vw59Iv+JxbjY +5iE00TNtaXNcH2M9K7xnwrjSAGE4cViHpV12gqRdD94X8F/xKCxPD+kJCaAIKD2u +fGcdanabU6lM+UyrscNvnpXjDUFHdldE245yfdBgbm8RLWzJJKz9ETz/rYto+A6F +NZPRocbaeSv0A1J6v5MkmqNVISORxyCznhu+30s2Knw2Mn02quM/CxadxrrN/3ZW +Gcat29R3KG7OF9qEMV+5NJ84MHNqmUdCYSjdKrh4VGZcvA/+KrxDdlKmuk5Lj5Qt +b3QAv0ql6cUEEJ+ekunzQmW8UHz4XOwJ5r3OI1wuGdPShK6ItLls2W3Hxu3vDRFW +2trbj5/GHn67aJCRqkLtxRpgN4o9YPvC8kdj8WO/iMw10w7OfprEA8S1CjnOwkZw 
+Q6Mqr+JZZk/MKFHAeywIiLE1i1VPel2s4o7NXaaFthoFR33RIW3LMGFUsyfqyL/t +RGzDG3fso5VOy/4fiGulJ8YrWW9KjXGudQIb3IkCNwQTAQoAIQUCTnqDDAIbAwUL +CQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRA3i4RUAid5Yun8D/9dC3GDJEIVzg3j +tvkJD08TNVTMUwSQozN2V+WaQgglKJSboR5ajZY6SVMeqtlT+1LzcdU9c3lpQq0n +B1GZ8WkugYdFk8/0njXTI9Tw1i2Xhp/hKJEUzUkcx1NlyYHZ1EQjW/KVnq0rhPAb +qDDlyET/qo/38SrzZqOauMye8uT+aqUElF8W3U7l4t4C7ollnwychRrOaOJjSAwL +tK1WJIneDqLxzDv+bVmoZL+7Vw7iry4xwYovZ+7CpaZsicTJMYvo/CXG2qhyrvJ0 +DcxEIdhk0KiPkiP7Nd3b52vA4Z30yjfwqkoC1XlpzeD4v7il+L6HdcOigl4PDr85 +Uhoo//5SB654tmTL2a32w8GnCK/b8ySu6XwlUISiUABKGerycBeThz65c8Ud67Hi +P9QDK7+sEpqANxuX1IfwhCAnvdDKc96Y8kO8aC4pfO/bTFhhkyARMW98CVyP4XCy +wPXQQ75w5ekS/wecgKzYk/4S4aH1vErtDeY3WF5IDNTAOau747vgbf8nz0gxBwWg +Kdlwh11zslKV1fLPML7tiVyT2id2pGGOO3gUJ5Bu4LeUkLndQZeERZwWcd0IhDsE +JWIazg0lbEWCLtW7Cf/B0/X6MT9wq8aq64UMksnOU6iI91ZkH3mj2I8Ty+nl+ZXU +t1cVgj+AyYdyHIWLHfZkQLvkH5oJ5rkCDQROeoMMARAAtzb8+leM9ELMiTgwb4EG +KwY7wNt6mWOcrlvwp+mnGN4VPJa0ftDn/kFyPxtFkg4oVlHlmPUGk5RukRrl9K3q +zHMuWa+NqhjM69Fw9hZlvCcL0bqqq/CKB0GyJX/bn2V/WRgAuVQAL8P4fAQ/t8Sf +80lTTQ40ImE6F//n52AFsK0S5+gG71iCANY6DuMz4GUPbwTV1FKZqaYVdiz4Erxd +/qaurPDcgcaqtiSQnOf6qrYIX/LZqwQrpEmruj8l5xP1N8eTLtx0iW/mB0AXYyH2 +eXmtclHTYHjvoPgZajSO2obnLdDngqJ5zHZXkCX4RLFgCq/3A4NvxLOtVDYyiID3 +HcQ167aDbpjMHetleUKXMWIA4/6o+WZs9bhbgf6xDa73Qqug8RP4VX7FBrEe2s0x +cc9d15YbA8rGrq4jvGB3hUEw/tK/3uVuft+mRrHqNFEjKs49MKTc8vu4CyxQN21O +6dfrp/84MD93VjQUkYUrL2zxbJcBvQTA5SuE0mqBR/e8IH8UBYmuM4nWdUuHNTsw +KqzRsAqdPfZ1bNnfo9empNFEl2me2IXhNgiBpbpGEFWY02bEXdtCId/hpMNhE3y6 +pxJwTtxqj1Kw+u32qcL0lswz5tCF0CrW5ha9UDzO5xH3kY19/NXUnb2WFNqViy02 +KwpbHG5jQcQ206Amwo/Fun0AEQEAAYkCHwQYAQoACQUCTnqDDAIbDAAKCRA3i4RU +Aid5YjyED/9vz1JX0q4TEFVxzgla8BbhVwlaXoOmbJcOxw8ne2qO3NZ+ecnoWS0d +DRe1AJLcaAgC2hwpDpZ3Or5bCpQSUBlwdA/rxOMJom7GKYO9oGp54V+cjNlzJpb1 +1cKuYzj6HdmVGKbzo65G8tYUK0fDTsjWWU4Mh7HAztZH9Umh0e9103DfkGf2uS8e +A8WVc2sBwCtlfJTilyJ7LxVO+vfodb9RKTPx0PGbQBNbFaxmK64Sz4xjVUTZiHn9 +j329rTDv7yzQuCiO+CWSy7Ti789bRcUgPWv2bbg4UlTPn40OIfAUb/s1P39J3lID 
+g4GstZcBjGNTa5o65tF3m0+s2mDbDAToGqzqv0fHE6iDDvctudFZoUbgJ/5DSqsA +5Xe5VCRRvwR3S9t7OJS4eQdxDYWxgPGhoovNdzPePTbdIfkWBw+Wwokj0rsAUKfx +7jXZtjYXfG6NJdEHqGQLYeW23kMmxIdoY1jjWOEJwdD0q8p7M2aum9Ncjn1sW/RU +PPLu+U3rtjc6fhf4VWpvp6NVp7a8/6cgSTZL4eavYIOuXDCa44KsnGhWpPBOJNeZ +WvCkgGNCUbzArnre3iDTnf6iJ1aMrXToN838IV2svifkAvEnMkhYfjUgDIFOMOrs +fLhRULAR6zzyXiJiznT6rjlxlixsKazyy9dLC3qlwC4pCIpol0QKbQ== +=96Mf +-----END PGP PUBLIC KEY BLOCK----- + diff --git a/credentials/idp-backchannel.crt b/credentials/idp-backchannel.crt index fd26a59..d42aba2 100644 --- a/credentials/idp-backchannel.crt +++ b/credentials/idp-backchannel.crt 
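Review bot: The new `credentials/beta1-keys` file is a PGP public key block with no note of what it verifies, whose key it is, or its fingerprint; a public key is not secret, but anyone verifying signatures with it has nothing in the repository to check it against. A one-line README entry or a sibling text note naming the purpose and the expected fingerprint, e.g. `beta1-keys: <purpose>, fingerprint <FINGERPRINT-PLACEHOLDER>`, would make it verifiable. That it is used for checking signed artifacts is inferred from the filename and location only.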
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEKDCCApCgAwIBAgIVAJ0iknQBSFLEkl3ybj6HYSWkOw+CMA0GCSqGSIb3DQEB -CwUAMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzAeFw0xOTEwMDIxNDQ2NTZa -Fw0zOTEwMDIxNDQ2NTZaMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzCCAaIw -DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJJI3OlyhXVII2YS2VGAZlCy/PE1 -RPLwTb9hIrBETcpA3JwVba2hBq8v0lWGpWkmvQfsjH+bKRJe611EyXwWQH04qGCU -RDCFKBU8E9P87m6GTeh+DC6eVXxOB2h0pf3Zmktf48hlhV1X24NwIjba6v9X8oHF -FTFFqopOPAaJWnODPQyul/d4DqkqkBfQer6p0RiDL/V79WpTVG87pJxmGH2FbchP -PivVO9sMYfC5lqe37x/zu8huU0jDnB20eqEjnVNjvPjzbF36xPA06770FJuPxCYd -5oebut50pO7DZY7MZGu4/UME0JfDrnCsyPz2L1gdxXX28mydAVL3YwIajZzuPVwJ -HC+HJuF3YNgIZ7ZO6uN2Cyi1tKKAE5n3G19L8NLLW44MVxkS9ox9cFvw5e2Zm+ek -Hh6iu6Y9/blyuFjlqVaffM6l6NVnAAXPiIpwnBdzWdJqMcJzgC5bTqOGEZdeR9hT -ei0e1s+bmBj3/3cOB3hII74P5sCuGLfiYqSQzQIDAQABo2UwYzAdBgNVHQ4EFgQU -hb0zxPkLe5m7vmD8AH0fjATSaIwwQgYDVR0RBDswOYIPaWRwLmV4YW1wbGUub3Jn -hiZodHRwczovL2lkcC5leGFtcGxlLm9yZy9pZHAvc2hpYmJvbGV0aDANBgkqhkiG -9w0BAQsFAAOCAYEADQ17KGVQJ6AZTqDUDxVAfrTlFXysuvQg1WntrMB1PUzlb6Pa -AO6Nb24YiY0PonSk7iz+gOg4P/V2b9wX4NXPBcX5h86fxR8R3cwZYsYKhwBBQ6uo -UZnqtNyYNY/3hM2Dj8sR1PMijwgNmo7KOzzBPKKhID2dtGL3bS3TrX8xjmc7NK+r -5VE9LrK3kG3ht3qM0I7iPMNuQXBOuduRG8WGD8NsFwHcYfORJmK5Ac/AtjHMVLF0 -x+m4LyLxP53t9/5+5fiJ3bghXM7Uuzjjmes6fdZyUcxinrwFxvSIGz3gqXf35Omf -EwFemewB5B9GkAVXJSq2J64+iWXTo556YEC/RUrX6ZA5db6zHIeHX4BSf7U5YUBm -LRJ/RJZKKPKEBBJgvh8vUFLF64tDn0c9x3n1mw+ZLHnPcjdX5v/stLVgR020vRx7 -8CGsrydmj+80Gm3Ji1eGJfD2LdUslve3bNerEW2AUM3DFx6wDlR5K/0ix98Ah1w0 -AuAeyajXyLR9NkPm +MIIEJzCCAo+gAwIBAgIUZZ1ALRCNTEGZYSBsigxOeq+v1C8wDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMB4XDTIzMDkxNDE4NDczOFoX +DTQzMDkxNDE4NDczOFowGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMIIBojAN +BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAmYDThO5zYOJ9ZHwIXdr9NoifSnYZ +QpSJzwYr8dX+DxOyL3gWs2N+z5PnZJlBuxtCKKvgmJGT0uomKj+PFD1OSgSz5gv9 +LwBJxGIzqQpiXyYX2Lol1CYlBno+p2oqM4eGadjMp9doHxRH+sbVzn6+5pjC6zIE +dYLZ4oGdWZrel9JcjRXTuYzPMKrnioQd6bWS5UJDtXuPxAODP9t7R7e6RSEREoMe 
+eJ/jO0M92383l99wB3OkkdjJpvzFnJLHuOG1h22ObhWIqUCyjBpN1W3jmGfkonfX +j2IVqjXerP9RWUP6yE5GH/m4dTlmoy1nMkwE+kkYD8CLNsjnV1ztqjR6gFdaQTuH +i2mKwvC0wh9gh/tqkYju7FtjT8mMgQh1rv2g6qtinM5aP6XLsUN9X+NTR2bhpP4N +Rx32uBnwVPjUTuSXSUgNdnf4kT++UT/waznAjYB6pYUvqix0re6hhrTrOvkWSLSR +KIrSxtR88oL+t+DgPfbYTYI4FypPUXr0TNhvAgMBAAGjZTBjMB0GA1UdDgQWBBSY +fAaupAgeAd0fKfSj8Xzx4+cVajBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeG +Jmh0dHBzOi8vaWRwLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3 +DQEBCwUAA4IBgQBfVjToMenwC4TUFk/cHv0/AfblQLKA+qeJNxZVAleKbkfAncqD +q7PTWFGSTX4z0jfR/STUArVLlmKN15PRS7D/b/7SbXvWPP0cMIc/JOqZCSO4MC1T +sRy94BNUKmifY0WzR4i03XwAkl3MKZ7Y1dj8xDAe6a0owLszyZfECjrOwgEoe1Gd +RLJ66EtweqrOyjfyIy0r2VRE4HIE1jaKMyTZHTKksM8vaJVMUjm3czymDPOBikKY +rvCGmQdh8QH/8kOIAlgKiMnoAYX5WjNa4Ai7om+gpTBACfBj32n/nDWhTlxwJ3nZ +6R8dxYBFiAo4WOzcSbY0ig/sFyzPRhdvs2SivJYyxSl8tloXYzMUAdPmlVA03NYq +7j8R8heok2y508RH/v/OqqXKm0JCT5OeL9TwGXMt81sIdTINU1GVEXa8aeHE6T/6 +fe5APorQU5n5RNEeC5dVODD92cF2JSk/fi73I1phtexF027d58CTzPpUJteQ9VRH +JysbXuA3viPdblE= -----END CERTIFICATE----- diff --git a/credentials/idp-backchannel.p12 b/credentials/idp-backchannel.p12 index ef5ab52..b5501a9 100644 Binary files a/credentials/idp-backchannel.p12 and b/credentials/idp-backchannel.p12 differ diff --git a/credentials/idp-encryption.crt b/credentials/idp-encryption.crt index 23bbeb8..c5e4b2b 100644 --- a/credentials/idp-encryption.crt +++ b/credentials/idp-encryption.crt 
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEJzCCAo+gAwIBAgIUe0fsxBFnYrItqaF1zUSc7oTFFhswDQYJKoZIhvcNAQEL -BQAwGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMB4XDTE5MTAwMjE0NDY1NloX -DTM5MTAwMjE0NDY1NlowGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMIIBojAN -BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAlBwK5LM+22M0RLLhaVoTlgGJlF75 -0hfDGl45GqSVh7gB4X93icnoh2mUoGq/wgqx+YwCJ04hEJF0BXGRzmP5qQdSPw/z -VV2e90emvoFvRD0OWrRDo4kn9GO2a4t8nAdLNe8dclsEpxyKktvmppMbna0jNGau -h8OMsSNlTKH8C6qzIUtxOGnN75Qw1JAQ0N6U0Jl9w7x1LoR2tiyiTDKMAyx8v7xu -eurxduh/Y1g/2fxi3UGA0i0znwTjEM0eZ/3JQMtuCKW6mTNTF/klBWiEhP6Vm3Yk -WgbYDMgahiaEo2dzxmKgFfFysoSxkfV93zSh31+zKovj5NpNEU9LrlFDD8iRYPlK -ZKjdleWOsGFbtyfvSV8Xq1bJvn9LScH02gCDbjkYFOlGgs32nGIqe4tr7ekT8A60 -S9dtIV54834ZdntBRzPkaLRaHb6FWY74U5+o1U1spd2JhWvFMlrkHCghcIWKmG87 -pzmZBFcyxSBIK0E6dhjm3EGXMmWdn80Sr1lxAgMBAAGjZTBjMB0GA1UdDgQWBBQ8 -+tUYkLiwLXUxRdIcfwUUs3s+dTBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeG -Jmh0dHBzOi8vaWRwLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3 -DQEBCwUAA4IBgQBXnSl1RPlziZEpGUc3FGoQCpsu6FovK7jlieATyKWD3NY7lha6 -iOqiyxpNnrekh3Sf3XvmwvoxBHULQNS06GMMej8WtFBSaomNIkuztzMUAEmil2UF -rP1xT0Gx+lT/Don9e60dGMMl2FWYIHobkQj4yhjSW6yN/emQRkwOhkj1DRGkZ1Zz -wIRtH7/VT1YXH6n4P6lWNMgV+GInhT7ogitN5Vf6tCfMaZtowu3bb2I1gDlgYY/v -0TrokTQteO7vcf+EpTODPRBiFV/Wwub5r8BDN4O3qGt52f2lhlEqdupFArooNVyF -tU+zmj0gaclvvBBAaN2oh0Tj+j7HBh1YWB8p93vm62dKqY/9L9xSNAni6EI5o7dm -58OUngvQopb7U7MDDuH2gM0XiH/R2BNp4c7/jqBP2Of5Bg68yKCZHB7D5XOJbQLf -gjm4h9tRHtDijVkHcuIEICBwrie+JSEL225UnTfsesPiArDvo5BhQeNc3q1CPJgF -2QOuaDoiGwFbc5s= +MIIEKDCCApCgAwIBAgIVAJLvssEzx/CNl7hX6vhAYmUSTlbPMA0GCSqGSIb3DQEB +CwUAMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzAeFw0yMzA5MTQxODQ3Mzda +Fw00MzA5MTQxODQ3MzdaMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzCCAaIw +DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAI4Lg9rN4x3rux40VV0rDGp+LY4h +UXvXhAWVmeqFvl4BV8ndCoaR04BiEOs7jl2WVljWh6bVNgGe/oekDdztVMeeumNQ +r9Bnl9VuSR5BbNM8RpA/KaDYluKv97CntaWOYCkwZljb9Sn5/SpKEod/b6r6aHqN +5W2tShg5HIwlTqhAq3SnygYQk133B4r1TzTiRfk4Ti5kVw3Nc04Gmv6fdq5nP7gC 
+I3tgl4zEK8XuHDgdN6mG3prE8LFTLO6VARFpEWQQg71Iu0vJhqpGBjKbQliejiti +dzD3AvGSakA7Gum2A6V/BDXFZd/pjctgutXqJ1aBQ1F4DgEredLqORkyK3h6+ufq +1hG47fxGvgJF5NV9KyPrxNVdNJ9c7i9oDEjoYD1oX7T48xCnUQChLK+80pWBNDSS +5YdxeCdoci3C/T3uIePZetsEQ0u+zc97feqaINI983CIN839hFOOQQ6Y9TBBxTkd +i4VXkWa3E6RqiUBAld4H1SN6rkRiGNhoeZ49uwIDAQABo2UwYzAdBgNVHQ4EFgQU +4JYXPboLsz/+QjOITS7Ht6imKUAwQgYDVR0RBDswOYIPaWRwLmV4YW1wbGUub3Jn +hiZodHRwczovL2lkcC5leGFtcGxlLm9yZy9pZHAvc2hpYmJvbGV0aDANBgkqhkiG +9w0BAQsFAAOCAYEASeKc1xHMb18Qw5SF7D7sRRqyDoVwrN8ZHUDEE7zVMVeCkjCm +L2GvSmbNpJfJbs78EsQt3mTTfroHByuH3LnTYv1i+CangdHrEe0K8u63pth0JjUn +kZ3m6UPzGq69hZXIi3cLu0v6l3aywxjiQkNQg/3ndTrdL99/2AJS1TMknznRptGu +bTbxvMomvKYp0O6WU0zcn3ElupZs2EnsOuM05QkLndh7KWodT5AjVODbiawVjfSl +WB7INmDk1TVtk2nHRaoagjbcDKUWGHlXUsGgtqDuxb7THx2+glFaRGuUoT5LqZU2 +Zr1rwj9z7gKqZrpbkn2/xrA5W6M8WxUWGiPn6F+P+8liXbeq0MMrn6DWN8HKScVK +vQy1G9fo3hHn0x+yAtWgEgi4GhuoaLFarw9oaVZP6yAlFrL39LWoj7sowCjoIK17 +pvgBrNqgolW25QHWLLG6SbAqIq9JxfiOxSs+XLWJorFtrmQuIap0e5mZw+hsuun/ +AcPlbssPcPJmxeCU -----END CERTIFICATE----- diff --git a/credentials/idp-encryption.key b/credentials/idp-encryption.key index 3e9f81c..4ff57eb 100644 --- a/credentials/idp-encryption.key +++ b/credentials/idp-encryption.key 
@@ -1,39 +1,39 @@ -----BEGIN RSA PRIVATE KEY----- -MIIG4wIBAAKCAYEAlBwK5LM+22M0RLLhaVoTlgGJlF750hfDGl45GqSVh7gB4X93 -icnoh2mUoGq/wgqx+YwCJ04hEJF0BXGRzmP5qQdSPw/zVV2e90emvoFvRD0OWrRD -o4kn9GO2a4t8nAdLNe8dclsEpxyKktvmppMbna0jNGauh8OMsSNlTKH8C6qzIUtx -OGnN75Qw1JAQ0N6U0Jl9w7x1LoR2tiyiTDKMAyx8v7xueurxduh/Y1g/2fxi3UGA -0i0znwTjEM0eZ/3JQMtuCKW6mTNTF/klBWiEhP6Vm3YkWgbYDMgahiaEo2dzxmKg -FfFysoSxkfV93zSh31+zKovj5NpNEU9LrlFDD8iRYPlKZKjdleWOsGFbtyfvSV8X -q1bJvn9LScH02gCDbjkYFOlGgs32nGIqe4tr7ekT8A60S9dtIV54834ZdntBRzPk -aLRaHb6FWY74U5+o1U1spd2JhWvFMlrkHCghcIWKmG87pzmZBFcyxSBIK0E6dhjm -3EGXMmWdn80Sr1lxAgMBAAECggGAOEnMDgzdR62VMMK3Dj3wkaL18ZCC60iimoPS -ugBw38qb1GKIQLKej9AdbzYCuLEt4IRIUT3NLSnKaUM3QbQXLxkcNeFO/lN9VcdC -ZMZ2Tf3SVcCKsD0xFR1MN+UkL3xKJi5BB7P1ubkMJTIzn3zrEuq5JXIcxHYaIzwr -hItPafOu7mlolyMG5BVy1WYHLgpZjkm3VUtrUYmAQE4IRGM1eQNQSeJILqjZqfJE -b7IbWjIkNKhvV/Fb3ASUc08xTh5R5daoC3JrdtcCUb77Og4Gn7UBht7miyBx78EW -8kuy11kbZB7IO3h1DJkfsW7pwHkkrXFL7mmg8qS4sAMcIATom2oysgriYAGxaBZp -Ub2lZlTj/pPoUuqG5bixedQozirV/m0bIPzFUP+2JDlqZJSkBV2f8VkTwKi4udk/ -fYiWM4POqaWD19DMcwZ3mMRYdmMXN1hYam3VRwFHt8xsToO31l1lI6/ndWNet1BG -izrergy8vh3X9I2iL/MtfUXurKx9AoHBAPDDPf4U7mjU2SxlUtGXBjZQU/CIa7YE -y1jXMuRKIpzCcOpIEqIIVD0Mbl7a7pGxuXIRjrvxgLVtTCN2c3jZlHkUxWfJ867g -gaCYwqNz7PZBr5ChQl+UsEzrM2tE+Vd512HQW8Zu1XfoXdoEPkQTAQEy/21jERAu -sVIzclkwUoAYVBn8Yi8V6TZvJiKobU2t+5N0ngiyOYa6FTsHG36yrzryEUdQjj5q -QfPtZtCVe8k6gH8GzqL92h6HmKWbtGQgYwKBwQCde6oycL2fPEoJVG99aGwbenOp -jAMYjZN1cvf7IYiRoJ1hY90TXs9I+Th0ASuuoaiqQWS5s0xVfU/ROWg8hz9AY0Fh -EkR/iI7WdPXR1pfLc8Gc+IM8fx44cixL/wwIrmfz1TTUA58+36Topcgj3pO/7sBK -dWX6O7f9e2iL2hFLKUYmkKLylFW1iy9TZHWYiW3A+P2eXoLqOXH067SFkmgVmRyI -zo6aP/+ui0Ob+GqrJtE0qYCoIT9bx8M2aJ/qBRsCgcBv14K4wShu8lFgWkE6s5lj -KbWUiwreJyP/RRiTDA1AHOMvMgPV2WCoa1nqHnGspI6s+pL/o5RSs08nOiMyBIEA -LjH1oM7ecdRFsjDYlUWCr8jKut6GYB/121yrfAMIK8Vt3siDSYFIjlzqpgX2wY05 -7WLSga6vgcFFmjiITfZFIwgOejtx/A+2BbQFbZA5AZVYTlgLWh93AoJSRV70YDUe -gMyeAEHTpLC2i5WzV32FYPPIDnV3Kc1lWUADzmziBlkCgcEAk3tfrbM1ce2lLE2d 
-x6VGMQmhTfPoZlMX+JL9t3r1CeSP3sgGHwDYQO/ctY7vGLEeYquxJ9PJNfqQCFGp -052ZV7RcYwsXiRQbKK4KFETSjV9Pv7BgPwSRCa2q3FTzMSIcChbuTWtC9D+/kXzI -DQeB+OofvNtq8EiDC2lKREapkWkK4EztvR27krPRU1iuZHa3iVPlOC4sjivUE9m1 -iq3MugVU2q4OkFhFG3Iik+u2AajtnVLsQQg57LsMj2S19hRnAoHAdzabeYxnCZDX -AHPwMTZyBltOApLU3yy1TqPSunDHHl+AN/56Ct5Ug2d1pLYgGvk5oIrz1j8txEki -aGfjhIs26lfjOJ2y4HIbLdeNDvfWLHi7OreqNkN2Yq9UULvDSW5ASngom760o2Hn -e/VPvoWQgvIFCrhw7jBC0GJFHVFwBpjs4kjUgmr8jbxkWgk3LC/SugclDZUnE4X2 -ecB5GgbcER+qYbt7WuDYf3690QTp3n+h7BXs9UTeJXIV9BzY1JqN +MIIG4gIBAAKCAYEAjguD2s3jHeu7HjRVXSsMan4tjiFRe9eEBZWZ6oW+XgFXyd0K +hpHTgGIQ6zuOXZZWWNaHptU2AZ7+h6QN3O1Ux566Y1Cv0GeX1W5JHkFs0zxGkD8p +oNiW4q/3sKe1pY5gKTBmWNv1Kfn9KkoSh39vqvpoeo3lba1KGDkcjCVOqECrdKfK +BhCTXfcHivVPNOJF+ThOLmRXDc1zTgaa/p92rmc/uAIje2CXjMQrxe4cOB03qYbe +msTwsVMs7pUBEWkRZBCDvUi7S8mGqkYGMptCWJ6OK2J3MPcC8ZJqQDsa6bYDpX8E +NcVl3+mNy2C61eonVoFDUXgOASt50uo5GTIreHr65+rWEbjt/Ea+AkXk1X0rI+vE +1V00n1zuL2gMSOhgPWhftPjzEKdRAKEsr7zSlYE0NJLlh3F4J2hyLcL9Pe4h49l6 +2wRDS77Nz3t96pog0j3zcIg3zf2EU45BDpj1MEHFOR2LhVeRZrcTpGqJQECV3gfV +I3quRGIY2Gh5nj27AgMBAAECggGAAsxxje5KQwcQSJindQAPihBSoefXsUlEJzlJ +TEWN236QdgBM2mFxPJFyECnfAG1+Wh6NZKfFBdubrWK/lHKEb2r3DCYoJEK0EPzb +admCavrXc28b4Fu5590zPIWmeMbjTMUt2fRANUaPllKT7JvHqVILywVDI1nUSXv7 +TiTXqjYos1288DHsl45O7N91y9G3G35sF+mg0xh5qrJLEzRjYS13r5pKF9u0St+T +fnttjqIFGWoD5Nx3qKSPkHqJWYg9EV72Gl5OUxY5lCxk4+ZK2Aj4cEsTIHS7TKlX +wr/mfm3j462EVh/aHo6Terej2wD1QQiuQZZIKW1iNXnjfpYk7/0pViFyBpbVZJfb +XWOjSg+QTVyM49zVGQI3xp3qILrItZ6lfVv3gDQd2lahLxH10Rc1wqbV1bdyLomp +SwX5nQFs9KMRftYHy9Rbq0BnjxDgu/a2WhZMrva2YL1ycKHLdWGfVAP9ZMwO9LpE +dWkrzuiVxzgDH6GqFcKVWUhBfueFAoHBAMOdHzH4mU3IWqfktPqh759Q/iQipn7L +n4xkmwbsya9K7iSwlAzVqnuHCqq0wpGjwSdbr51UHbqNo0BF910VubWCB+wZbQG4 +4ceUjfizHso3GMpZdeFS/rpGCqwU1fro6PlTGcC3G/x1y9K181UfE569ohr7sZyr +ZXhRIHYcFQXGpQshcf7GVV8X5Z0d2oKmd6qO+hilxCU4+uAkI2zRM4PdWTTClB0n +UkbVS2xTJPQjg9y/gZ9ETrtIlFS1R+bv3QKBwQC55PvCzt+YlZLPTBmHuo+yP1jc +BpZ0idO2l0geIVhKjfNoJDgfhtlB6WdSaV3fvVTo92DzKWwqX5WSLkLiXbHM8CAH 
+tjxUa0raUhNQFzQe4GsBYjUPuaucwG+CThS3RiGHNHpI7qlPVUJUS3mvpD92h2IK +QrE1Lt10P2kVp9gjE6kHQFubsZ2Q/R+ydHCaYHABkuuqwTLNgLDjHX9LvhiMhPC1 +FkcovtPBKwVIwXAx+Sg2jFMwyVvbDBYeZRiq1ncCgcA1kJ7sNiD0tbptYylTwGg3 +fhw5lOt2qRelgB8bhFeuEpynm1rPMOsgLFh1ak4lR2wq9OZf9Jq3bPWZMg+Mg9h4 +pYS52DSLVi8tUbaWtaXmxbOaJWksLGfoZimh+YqmzISPUXwp03psZW1M49ogIwRi +YZc0QFvghOaiTcTP0tzG2iBzrdLjazgRdB/CKFyfjioSoFhHy4ysjK/WFM9GivrK +TyCQW//nA8956gpfPV1PJTKEjkRWcoQEsNk9YO6xhFkCgcAXcv4bHdNwwPVq9tOF +no//0SPZZW9XNgeh0cWEH3qutOdObLszpuQC/3lMGQSBc7WhSYtOQRxm3/XTIcjI +Gz+RdXzk3CUSFRK1JYNQKA0oE/ELlKLS3/344QFv83+DevJBxuniB1EOM9gRIBAy +isqCniNM3grShZ3jyxfrZmfKTPGWe5TSt/4DSxrTfQKzRpT6bdkSihppd+FYVOE4 +4brhBugCP9QsHJ5DkLSy78vCUgazktHvpobSw9yKawBIlJMCgcAmB89kc4xVTo5j +9IH7eLD0MfATPN52lpKvTM77te5wCmWS4HdSwiTFx7tjZGGtP4zhVJRX4CuoZf7E +WaTKXoTQlc+TddUhdJYvdrPtahCl+IfMydvgSV5FDrTg05pJbNM/vdqc+K9G+BGA +fNRexLtGu/3Dzgd44+RIG4V2I4ew41k0LG0ZXFhJXwo/iVOWk0hVxf6ss/WouXpX +QoPoNFqvRng0Xc2FpEA/elinM51zno5xq7GI15q/8rCaOC4dBZA= -----END RSA PRIVATE KEY----- diff --git a/credentials/idp-signing.crt b/credentials/idp-signing.crt index 0468315..0996181 100644 --- a/credentials/idp-signing.crt +++ b/credentials/idp-signing.crt 
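Review bot: This hunk replaces one plaintext RSA private key with another in `credentials/idp-encryption.key`, so both the old and the new key remain recoverable from repository history; rotating a key that is tracked in git does not retire the previous one. The same applies to `credentials/idp-backchannel.p12` (shown above as a binary change) and to `credentials/idp-signing.key`, whose hunk begins past the end of this view. The companion certificates' encoded subject appears to decode to `idp.example.org`, which suggests placeholder credentials; if so, a README line stating that they must be regenerated per deployment and never reused, plus ignore rules for `credentials/*.key` and `credentials/*.p12`, would make that explicit. If they are not placeholders, the keys should be treated as exposed and regenerated outside the repository.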
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEJzCCAo+gAwIBAgIUOCYqGG6JElEG1wHKL7CvULRTvEswDQYJKoZIhvcNAQEL -BQAwGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMB4XDTE5MTAwMjE0NDY1NVoX -DTM5MTAwMjE0NDY1NVowGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMIIBojAN -BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAwkiDw0dpZmup6VpfVXkib8fiv7KF -T1Z3z6tq7c/ki/CH2x8BYtLPNgIvQa8KhggHUKG+rRU9yBwWg4Yvdsi05h5pJwcE -xE1hwE7oVWiY+DtMggv4zVbDm0TnbvJvXN9eYXNn/e9RL3hD3umPIzDSli3wwiNg -GvMesn/4Npq6ERi80CPIkUENkL3N7XTDX+Fy/mhXCxc73Dv3Meo0qk0pii005nV1 -vHCP9jsUgPfDCBScUuikfQ8V9SPLgOSf1x3vc5RqSPWaHgLesqoXpFFTthlVjB8j -cUzqjQllhOS6LKWJE7VIfV6MdpfkRZBWhsaeuT7I48kRmFuALLnIopkclqu3HtON -0Fgd1oPPBHa04bLcPqbneqGL+2RzZOdnuarTtY+JOuCRnE1qCWUeRoH2yeMMdKPy -amX6HZJ35Vsk3uJxJX/IyipduZ+nHPC5qi52Elu+oyBrJwTbVAhhlXwPehC6nU/c -1LUnbo3M4SGOYWuPmI1ko5KF91MVUU7ttmkFAgMBAAGjZTBjMB0GA1UdDgQWBBQ1 -CuX1jKcG8rdC0xBBveSJAYoFfzBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeG +MIIEJzCCAo+gAwIBAgIUN5wi8O8FMY2nZCXakMaHkvb261QwDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMB4XDTIzMDkxNDE4NDczNloX +DTQzMDkxNDE4NDczNlowGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMIIBojAN +BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAxM/ZTukRf08tonAflzexZJSSLGoW +BOQ3JXzqWYh9gRW92S/MSyeBb0Ry05skyqgXXmuyg/lx9eJ+sziHcHdR0kkjE6d7 +0Un52SqgG5d1DHkB0kDpop0ePD811LQfBqXuZNYtlCqghR7e5mKGVZsKUmUL254V +i3pSNyk5Kxae3R/WFpAg6Vo1i5e3odAc3Qr5H4raxY8IJfwK0GOzX9PMVq5O9dgc +Fq2l+0NpmBGuovIjUEyqmK9FJykUJToXunjTdghnkuucR4Kpg0JjACSlcnUjO+2H +2G3hMuoWdkAGhoj95kmIy78Q3OEv97F+n1ifvrWa3l2yzuUFHiUilnfusTFdM1CQ +f5hkC09JNRnrNgyMi6dwgjkFVm3uOPuEov9vlbfma97INDnkPUIHAmXz5YF+FDgp +nPCDa1G+t0DgrfOnCSUTJlleRWft/BcF/Y8uA8Bf0jkhebkwZrACbKPWl1Mr84FW +9UAcJixAlGo7g/beF3vIDFZ2ehDyS/ARSHPLAgMBAAGjZTBjMB0GA1UdDgQWBBTP +nlImROLHrQIuJJ1bGfmnCifpfTBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeG Jmh0dHBzOi8vaWRwLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3 -DQEBCwUAA4IBgQA89rYZmayIfst0cGyt+zdeHpnvyo+zVfAk7OztXF5OXsakX9TV -Iq8ur1lq4Q4KC/Ev+9p1za1gP7Ea9ugFJinuVa6ntpzGP0vh42pmphLNaRFvnPch 
-pwgGCvcF2leYG6zZl/Qln0Kbv+pyByens7xPdKKA8U5ySVkouLuw7017XSIulPtW -u5tPz51awJubHCK+FckcVH0yZZg44s4HmjzLpJCdslMIxmhtX7DW3vtqH1pL9Mir -3qykySFUJGthV3ndHesG08y3Tni5HZaRqHHafGRBiezO8JCwVvWrdC29SdAwY2i0 -HhKB7zCDOpYrh3o8TTx3ZJd+6Uel/e0bCefs9uhMj7O5ErNySHyTtNRrFxTl2c98 -RDweMp6NLfm+P3+EqJycmpR9CKudcL6RUikN9hDvy6qqG2t5fW7pvU/+mzRm/3Cf -gMxKHQM+OAry1E6pQSYh8qkPZYDezwiz4gINxn7SFAxFJQcTlaSVmFHLOQV7TetI -g4sTktRrBmgU/vk= +DQEBCwUAA4IBgQAkFQeq4iMNgzk1JVHdn4qVK8Y4vOUlHIDL4LOlYG0Nsyp9/L62 +LzF4/q9RU2+CQ6QuvwL1FXuH+pNxb4A2L9qx8X23u/fmdpGdH+YXfezOiEKW74v1 +usD18bFIw/E9aeyWQgWrQajqXkiLk4C4+ZOQ8IDxIBrVawV65tqyujx7DOHYd8zq +VcdJjnchudt1mRzRPz6ajG6X5Zd4htNSim/Trd9JGymr4Xr3ILqHEnWihqpEETNd +snwzij6jtdXixmSGPeVI/YlGiKJuBgC6j+wjXrXglvnA5WD/5aNtqo409/1rnzLK +0XElMIvUTqtM2L/9MNALKcQqAoEzfjdtAqJ/yZ528+/H41gEfjoqyZicT8Av6Gf2 ++EOx61jXmz9NLB5eUp1h2u94OrkZEpdYQN3VxVEdxR4CFdfllIev1lxMYwxQjai7 +J7bOAjiQAUK8peLx+HvQRMaCWW9VYCHVT7Fs/icq95yQPiLSUaQ0m86rSYG9IZGQ +YQdqqQZaO3Z2nw8= -----END CERTIFICATE----- diff --git a/credentials/idp-signing.key b/credentials/idp-signing.key index 9fe1261..ec2fef1 100644 --- a/credentials/idp-signing.key +++ b/credentials/idp-signing.key 
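Review bot: The signing certificate's entire body is replaced here, so every SP or federation aggregate that still holds the previous certificate will reject assertions signed with the new key until its copy of the IdP metadata is refreshed; nothing in the commit says how that cutover is coordinated. If it has not happened yet, the usual safe sequence is to publish metadata that carries both certificates for a transition period and retire the old one only after relying parties have picked up the new copy. Recording the cutover date and the metadata publication step in the commit message (or a `credentials/README`) would make the rotation reviewable. The corresponding private-key hunk follows this one.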
@@ -1,39 +1,39 @@ -----BEGIN RSA PRIVATE KEY----- -MIIG4wIBAAKCAYEAwkiDw0dpZmup6VpfVXkib8fiv7KFT1Z3z6tq7c/ki/CH2x8B -YtLPNgIvQa8KhggHUKG+rRU9yBwWg4Yvdsi05h5pJwcExE1hwE7oVWiY+DtMggv4 -zVbDm0TnbvJvXN9eYXNn/e9RL3hD3umPIzDSli3wwiNgGvMesn/4Npq6ERi80CPI -kUENkL3N7XTDX+Fy/mhXCxc73Dv3Meo0qk0pii005nV1vHCP9jsUgPfDCBScUuik -fQ8V9SPLgOSf1x3vc5RqSPWaHgLesqoXpFFTthlVjB8jcUzqjQllhOS6LKWJE7VI -fV6MdpfkRZBWhsaeuT7I48kRmFuALLnIopkclqu3HtON0Fgd1oPPBHa04bLcPqbn -eqGL+2RzZOdnuarTtY+JOuCRnE1qCWUeRoH2yeMMdKPyamX6HZJ35Vsk3uJxJX/I -yipduZ+nHPC5qi52Elu+oyBrJwTbVAhhlXwPehC6nU/c1LUnbo3M4SGOYWuPmI1k -o5KF91MVUU7ttmkFAgMBAAECggGBAKiX0reX9a/qR9T3FnmOl8KWm38shKCXcXrl -zvG1kSeav9n3avV96FB+ztFZ+3DZ8LcY1OVP5IANV8AkpnWWr9xtkWRLo+hRGj2O -e/D5xpzKoJbNmsddvnqz7X2Kpfba4wT/58MldLcTzxnWZd7s1CF8lktx9UkNpprR -j+yaklKZu+eG1dqur/3lp5ii1ZQTiP2aP8ahD9IKu3U2PyN1uFFu71P5pAS1TUgo -dp9/4V/Wutz7gxn/CFflCwi73LUJBKfeJM4XaBccXkZhwNBQDvFUrBKZXIo6M7LZ -XlOGS8d8E6EZgFFl4NhJpWk3ckKNIi7AlK5zhra6i5+JgpWrVYrWNk9tzsuL9b+0 -mia4is3XYo3l8nqnyZLNcvE+OKmci9Z/BMxDZ82tiFWSSjqrAnoDZR/oI9L6niOU -0vk6UtFW1BqK8vUN0DrD6pOYKmsALwPx9JmnGnGS8vBOZZRKX2YjkOY7pFXGi+YH -CZ5MTc8lyHJngyN8EgJ1T50kc4HjQQKBwQD1VhTmnRg6EwrtIGhXLSwY+dRL5WK+ -qaovpXcyMj6F2r+Dl/QBq+QD7uP3U5vI+kEa2JdBd9OOaxBXdXZK1/9zk+jfEUtT -SvWCcKoB/Xrla4WHfGEtUxC7qitkfTy57PB5j1X5qDr87epZ15mRAz7r7F64XjwT -pbuZT5wHAZnrphVs4TjBh2QjTP8ATj01J508XI6DC7KMxdYioApD1Kv5VV73fiNi -cpS9NLtkaR646peZ77tYa+7pgcVcxmcj8lUCgcEAyrpafyiI9IyrFsZWAacvb3r+ -jRJh+fNF/u/VixDMwAFVwjy8CMIC4EbDfyHalsPHN8yr0NogCSZ5iao9/benx6gm -4i/3mxhOY68h/N28etJU55cPoOIWGXcs4KJNEQNC7N78yU95sC4IXJyFwzI76VWx -pCzPx8QYzYo1Uy/rALuMXJ6FFhZ/fPqwQKtxpNxO/jVGSHXA0Ibn1ED3vMBzD9vp -fP0si69AjYfLaqk/dsq/rljIXxBmfYX3oYJHfyvxAoHAe8/PiHqraVOG5hi+z4/6 -ezhJjWvcI4CYZKdKukhlCURV9mFPQTCwR9PdtEm7ivfQt22rF90TJQKfIqQi6K6N -OpTgpwKhUw23TPbytUJpLTLQFooMuMT84tiEQZh6dxI+YfqWVwIxkse2x1RpKafL -r2CAhOb5xqiTPlHQ2jBSr3wHwAUBkZl0TeRjpJHXjeXKElZbjYLvvt9wq9S8mXLQ -v2n4HUrJLLvKmJnuIER0vrmVfJhhocQGtE1LfwCZuKhpAoHAULbjgw8zgBJlp/qt 
-kZjr5PnWUXqJMcgvDTKWFflJXATsDRq7Ts1X8c2a1oo3CqHGNqwxmETQTnRYHXx/ -k/3EOlTzrkikz8Zcp4m6AYCTI1+M2Gwnl8mMPPVbE9Dq2CQxSDf783bGH2QkhiL3 -iuD8Q4mP4arJy2KC8YreclF4wmDpoJKosEOi3LK+6/CWnantdX7mjcD8VMnxkWuQ -d0E0TpMjIlV2n+LV08PGNKBQGU7eBF9q35abB80H6/D/4F0xAoHAea5EbTEhTd91 -c82Kus2Mo5NY1oN5V5gxjrp9MHqB9AQfo/Ihks/VLV+2TFDIncFgdQvdzWm1QTNj -PPLMRcxkVDjqjjlE7ymPGVLHZIDRRuDosATqOD9j+JHSib008xJVdL5awm8yG32T -zQz+o+rjD+b64KhWamVuKUaf0DXE9i9hIjeROlzw5c+TD4yo8RLRRxNekX8tfxZ7 -nIapUVjyooDHQ8UfdOqpBfWXprrNrwSVQOROCeQFmongU9ZIaYAo +MIIG4gIBAAKCAYEAxM/ZTukRf08tonAflzexZJSSLGoWBOQ3JXzqWYh9gRW92S/M +SyeBb0Ry05skyqgXXmuyg/lx9eJ+sziHcHdR0kkjE6d70Un52SqgG5d1DHkB0kDp +op0ePD811LQfBqXuZNYtlCqghR7e5mKGVZsKUmUL254Vi3pSNyk5Kxae3R/WFpAg +6Vo1i5e3odAc3Qr5H4raxY8IJfwK0GOzX9PMVq5O9dgcFq2l+0NpmBGuovIjUEyq +mK9FJykUJToXunjTdghnkuucR4Kpg0JjACSlcnUjO+2H2G3hMuoWdkAGhoj95kmI +y78Q3OEv97F+n1ifvrWa3l2yzuUFHiUilnfusTFdM1CQf5hkC09JNRnrNgyMi6dw +gjkFVm3uOPuEov9vlbfma97INDnkPUIHAmXz5YF+FDgpnPCDa1G+t0DgrfOnCSUT +JlleRWft/BcF/Y8uA8Bf0jkhebkwZrACbKPWl1Mr84FW9UAcJixAlGo7g/beF3vI +DFZ2ehDyS/ARSHPLAgMBAAECggGAMgQcVqh2cOMfVsuly5k0tLnpF+5x4BZbSWSg +bdZ5BqgO0jYKdgL5Kty7Tbl8tR/YqH84I7/tzS4dQtCX4uX/3jAGAQWsOrjRDPZ/ +L+PitCPAab1jYpcJSwhJVt/bjqX2mpuvg5r9pjb9MJFTUEgRbHUPeWWIViTk5e3N +AH1ELC/eCWfhZUwulWYeHbo0y5vxSanRBSnfST/vQ5xCxpSdtl2f5WxhXwYMS3mL +SUEdH33nqY2CQUExks0muHs18oanzGnFPohA0PLCtUnPe//mK/xc9b6f9FpDeYYZ +LTnEadz9f9n6FD7Sw8q/PdpL70odySvR4JbNh+1ntTG12KXdJw186QfEoe1P88SK +dNLFuCttHTVjr6TCsaA/BnoyUv78SvO1MEr6nf78yqontmEqNM0C34UvFSMNZdkv +2B9vn/Bl3ojOSNG2r1seMugFfVrXMv2MQVi96WO3T6WG329OCGKPFmjg0NQ77xYw +V3OwMHnw345AxGHmDPFKVCjlTcAZAoHBAO5A1xco/my2RI0IFqvaUUlPPpg1s+pR +vzVM5lAfU6NpZaYgYJ5EvssCXHKNHqOS8+8sBx2Bq6kkJIJamKLnZJ+kixPHDK9t +tffhb2RY0jB1wDSNnculoOX29jPJBqVG2rrW4Q3GOiejD0Ig68OIYMOal4nr5GIE +Y9HG9l7AuApyzJtlLI290mUp6aU4tszidG8PUx9rzL+a9V5HWUoTinIED0w7AJ+O +6bIJkoOStF0/sYEXTIZKEcGOxZaJZogJ/QKBwQDTeMd1wgrkSebj3fgxUOOx1Pt2 +pFuT0ZZV0Wg7WwlOqpowlTbmQE+pmkmaus/T1o/8Nf1/djm8nlBr74FC7aShaRmH 
+HDvl5t21aflV1K/m8AF3mi+ZIkYTfOhE/3Lr0x9Q1Y1eN1/oEwfszfm+lUL9ZJ99 +CDb97dokDe4+x/GutVELwCoz1kFD5Ne3t1afsU/wsIICe/BWrMyK0RzFE3LuUZhA +C5Y0aelAz4R+T98CCfSpOEGBLlc+NqdoDUtV22cCgcBXFvSIzr9R1b5xHwfKgd88 +wO7MjLTbbk5KmXWGzCyyixBRDXzD3bUwWAibBuKwQENSpfFj48Zv6Xo+/AbXZWXu +xSLhc907MwtVNN6W+7C5bhF4JFwN2Nlbtk6A13bKa4AA1BMoCdGwM3acYZRMwUk9 +twC1tbih66DhSa09LY0YpKYOF4mVtlF2EUAK2RRZCF4vSpbD4Y/Saj5O3B3Tahkt +XDaLUvYDXSYnokAgQDwV6fZkjbO3UtPywNGRGWCVUbECgcBr7oQW9S+r7pAakwr+ +2KMt+19Q4XggDOOm71c8nC026loCG9ZGVGKUVLvmbhxuqV8ZwdCdQpEbVM4FGNun +djUFcOfnjqB/qYJU+j6Y8RHKU4rcKWTLyrNrdN/zf1F/TWT5U9VwVeDsSPJNiZ9D +B1mGjNnd7dhrZ/9jUXzcrB4NJlu0HKMti9gJt/3ltXxPyyba2KuyauFyy4UmAK6n +Y1LQkfKcFY3XOIslWgTslwViPASUbbL5JNbAWRK+R7LAolcCgcA20+/3jIyTBOxM +T2LrTYdPi2RxfnLavSjz9EuAs/WWRdpd3x1MGyz+H5fml4FxnJw0pACm9VRfW1F9 +AJL7Dnlr8eDIpuvFJeNvb0BHYbCecNLt5N8yjIljorY04iiQRLjN2XeyQ2Dh8DjW +JK4gynLpB8bXgqU7fpEfUuiy/fOF6b5IQPPuSV90UZ6zWY+1Gm7X4pefg4eveD1R +KFEkG95gmxR++xIDhXrI/uV+OFxkbr5qmR4riliqO31Hs+ZNbZs= -----END RSA PRIVATE KEY----- diff --git a/credentials/inc-md-cert-mdq.pem b/credentials/inc-md-cert-mdq.pem new file mode 100644 index 0000000..178dcf8 --- /dev/null +++ b/credentials/inc-md-cert-mdq.pem 
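Review bot: The new side of this hunk commits the IdP signing private key in cleartext, and the private-key hunk that ends at the top of this view (its header is outside it) has the same problem. Rotating a key inside a tracked file does not reduce exposure: the replaced key remains in history, and anyone with read access to the repository now also holds the current one. Generate `credentials/idp-signing.key` at install or deploy time, keep only the public `.crt` under version control, and list `credentials/*.key` in `.gitignore`. Both the previous and the newly committed keys should be treated as disclosed and rotated on the running IdP once they are removed from the repository.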
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEvjCCAyagAwIBAgIJANpi9/mkU/zoMA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJNSTESMBAGA1UEBwwJQW5uIEFyYm9yMRYwFAYDVQQK +DA1JbnRlcm5ldDIuZWR1MREwDwYDVQQLDAhJbkNvbW1vbjEZMBcGA1UEAwwQbWRx +LmluY29tbW9uLm9yZzAeFw0xODExMTMxNDI5NDNaFw0zODExMTAxNDI5NDNaMHQx +CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNSTESMBAGA1UEBwwJQW5uIEFyYm9yMRYw +FAYDVQQKDA1JbnRlcm5ldDIuZWR1MREwDwYDVQQLDAhJbkNvbW1vbjEZMBcGA1UE +AwwQbWRxLmluY29tbW9uLm9yZzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoC +ggGBAJ0+fUTzYVSP6ZOutOEhNdp3WPCPOYqnB4sQFz7IeGbFL1o0lZjx5Izm4Yho +4wNDd0h486iSkHxNf5dDhCqgz7ZRSmbusOl98SYn70PrUQj/Nzs3w47dPg9Tpb/x +y44PvNLS/rE56hPgCz/fbHoTTiJt5eosysa1ZebQ3LEyW3jGm+LGtLbdIfkynKVQ +vpp1FVeCamzdeB3ZRICAvqTYQKE1JQDGlWrEsSW0VVEGNjfbzMzr/g4l8JRdMabQ +Jig8tj3UIXnu7A2CKSMJSy3WZ3HX+85oHEbL+EV4PtpQz765c69tUIdNTJax9jQ2 +1c3wL0K27HE8jSRlrXImD50R3dXQBKH+iiynBWxRPdyMBa1YfK+zZEWPbLHshSTc +9hkylQv3awmPR/+Plz5AtTpe5yss/Ifyp01wz1jt42R+6jDE+WbUjp5XDBCAjGEE +0FPaYtxjZLkmNl367bdTN12OIn/ixPNH+Z/S/4skdBB9Gc4lb2fEBywJQY0OYNOd +WOxmPwIDAQABo1MwUTAdBgNVHQ4EFgQUMHZuwMaYSJM5mlu3Wc4Ts5xq4/swHwYD +VR0jBBgwFoAUMHZuwMaYSJM5mlu3Wc4Ts5xq4/swDwYDVR0TAQH/BAUwAwEB/zAN +BgkqhkiG9w0BAQsFAAOCAYEAMr4wfLrSoPTzfpXtvL+2vrKBJNnRfuJpOYTbPKUc +DOP2QfzRlczi7suYJvd5rLiRonq8rjyPUyM8gvTfbTps+JhJ6S9mS6dTBxOV1qPZ +3Ab+XKmq8LUtguGRabKgJgmJH0+inR/wVoal7EVHcWXfij9AT8DZOXW88shc6grh +jUaFZBu/2+q8c8ee0e4ip8B+CVEnCwDKI0d+nTcSmPvAE34CNa33F+QGpXawv5yv +VvIpSaLAeFQhc/jKcnNHfy+Zi7JmSnKZiMvQCbWANQmDjHg7pGmBW9nyQcm6P2/B +0AVcEj1YTpAR8Mbh1pUdIhoB+chaNnFEIZsXeRsdbbAFpxodInlJ7WekfuvSQ6sU +EXpoyBGOeuuTmR1va8k3QeL8Wc4yNu/g5LwjmtvPrh2jBF8xujc4J6VzP8K2BjA4 +xk4LnXgjHOT93dBAJhVYJkykDHwyvHUvsBHoP6lfjrt5P8zunK2mdP/AZKik+Rdt +1GGlErV2AyWShTOaDLW6NxdP +-----END CERTIFICATE----- diff --git a/credentials/sealer.jks b/credentials/sealer.jks index 47de93f..db5ab6d 100644 Binary files a/credentials/sealer.jks and b/credentials/sealer.jks differ 
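Review bot: The new metadata-signing trust anchor is added with no record of where it came from or how it was verified, yet this certificate decides which SP metadata the IdP will accept, so its fingerprint should be compared against the publisher's out-of-band value before it is relied on. A PEM file has no room for a comment, so add a line to a `credentials/README` (or next to the metadata-provider entry that references the file) such as `inc-md-cert-mdq.pem: MDQ metadata signing certificate; fingerprint verified against <out-of-band source> on <date>` with the placeholders filled in. That lets the next person who rotates the anchor repeat the same check.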
diff --git a/credentials/sealer.kver b/credentials/sealer.kver
index d03abf1..9604208 100644
--- a/credentials/sealer.kver
+++ b/credentials/sealer.kver
@@ -1,2 +1,2 @@
-#Wed Oct 02 14:46:56 UTC 2019
+#Thu Sep 14 18:47:39 UTC 2023
 CurrentVersion=1
diff --git a/credentials/secrets.properties b/credentials/secrets.properties
new file mode 100644
index 0000000..93658fc
--- /dev/null
+++ b/credentials/secrets.properties
@@ -0,0 +1,16 @@
+# This is a reserved spot for most properties containing passwords or other secrets.
+# Created by install at 2023-09-14T18:47:39.214769704Z
+
+# Access to internal AES encryption key
+idp.sealer.storePassword =changeit
+idp.sealer.keyPassword =changeit
+
+# Password for idp-backchannel.p12
+idp.backchannel.keyStorePassword =changeit
+
+# Default access to LDAP authn and attribute stores.
+idp.authn.LDAP.bindDNCredential =myServicePassword
+idp.attribute.resolver.LDAP.bindDNCredential =%{idp.authn.LDAP.bindDNCredential:undefined}
+
+# Salt used to generate persistent/pairwise IDs, must be kept secret
+#idp.persistentId.salt =changethistosomethingrandom
diff --git a/edit-webapp/css/consent.css b/edit-webapp/css/consent.css
deleted file mode 100644
index 5daabee..0000000
--- a/edit-webapp/css/consent.css
+++ /dev/null
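Review bot: `credentials/secrets.properties` is committed with working values — three `changeit` keystore passwords and `myServicePassword` for the LDAP bind DN — even though its own header describes it as the reserved spot for secrets, and the sealer keystore those passwords open (`credentials/sealer.jks`, changed in the binary section just above) lives in the same tree. If this repository is the deployable configuration, the repository now contains both the keystore and the password that unlocks the internal AES encryption key the header refers to; if it is a template, the file should hold placeholders only. Keep the real file out of version control (commit a `secrets.properties.example` with placeholders and add `credentials/secrets.properties` to `.gitignore`) or inject these properties from the deployment environment. The commented-out `idp.persistentId.salt` should likewise receive a generated value at deploy time if persistent IDs are enabled, rather than staying at the `changethistosomethingrandom` placeholder.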
@@ -1,150 +0,0 @@ -.box { - width:600px; - margin-left: auto; - margin-right: auto; - margin-top: 50px; - background-color: white; - -webkit-box-shadow: 1px 1px 15px #999999; - -moz-box-shadow: 1px 1px 15px #999999; - box-shadow: 1px 1px 15px #999999; - -webkit-border-radius: 8px; - -moz-border-radius: 8px; - border-radius: 8px; - overflow: auto; - padding: 1.268em; -} - -body { - font-family:Verdana, Geneva, sans-serif; - font-size: 12px; -} - -h1 { - font-size: 13px; - padding-bottom: 12px; -} - -a { - color: #00247D; - text-decoration: underline; -} - -a:visited { - color: #00247D; - text-decoration: underline; -} - -a:focus, a:hover, a:active { - color: #F39800; - text-decoration: underline; -} - -#tou-content { - font-family:monospace; - width: 95%; - border: solid 1px #666; - margin: 4px; - padding: 10px; - overflow: hidden; -} - -#tou-content li{ - margin-bottom:10px; -} - -#tou-acceptance { - width: 95%; - border: solid 1px #666; - background-color: #F0F0F0; - margin: 4px; - padding: 10px; - text-align: left; - overflow: hidden; -} - -.service_name { - font-weight: bold; -} - -.service_description { - font-style: italic; -} - -.organization_name { -} - -#attributeRelease-consent { - width: 95%; - border: solid 1px #666; - background-color: #F0F0F0; - margin: 4px; - overflow: hidden; -} - -#attributeRelease { - width: 95%; - margin: 4px; - border: solid 1px black; - overflow: auto; -} - -#attributeRelease table { - border-collapse: collapse; - border: none 0px white; - width: 100%; -} - -#attributeRelease td { - padding: 3px 7px; - vertical-align: top; -} - -#attributeRelease th { - text-align: left; - font-size: 18px; - padding: 5px 7px; - background-color:#00247D; - color: white; -} - -#attributeRelease tr:nth-of-type(even) { - background-color: #E4E5E3; -} - -.federation_logo -{ - width: 50%; - float: left; - padding-top: 35px; - border: 0; -} -.organization_logo -{ - width: 50%; - float: right; - border: 0; -} - -.form-error { - padding: 0; - color: 
#B61601; -} - -/* Device specific styles */ -@media only screen and (max-device-width: 721px){ - .box { - width: auto; - box-shadow: none; - border-radius: 0; - -webkit-box-shadow: none; - -webkit-border-radius: 0; - -moz-box-shadow: none; - -moz-border-radius: 0; - padding: 0; - margin-top:0; - } - #tou-content, #tou-acceptance{ - /*width:87%;*/ - width:auto; - } -} diff --git a/edit-webapp/css/logout.css b/edit-webapp/css/logout.css index 26f1893..5cd06c1 100644 --- a/edit-webapp/css/logout.css +++ b/edit-webapp/css/logout.css @@ -1,12 +1,20 @@ /* Success/Failure indicators for logout propagation. */ - -.success { - background: url(../images/success-32x32.png) no-repeat left center; +ol li:before { + content: '' +} +li.logout { line-height: 36px; padding-left: 36px; } -.failure { +li.logout.success { + background: url(../images/success-32x32.png) no-repeat left center; +} +li.logout.failure { + background: url(../images/failure-32x32.png) no-repeat left center; +} +li.logout.pending{ + +} +li.logout.na { background: url(../images/failure-32x32.png) no-repeat left center; - line-height: 36px; - padding-left: 36px; } diff --git a/edit-webapp/css/main.css b/edit-webapp/css/main.css deleted file mode 100644 index 116b31e..0000000 --- a/edit-webapp/css/main.css +++ /dev/null 
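Review bot: In the new `ol li:before` rule `content: ''` has no terminating semicolon, and `li.logout.pending{` is an empty block written without the space before the brace that every other selector in the file uses. Either give `.pending` its own indicator or drop the empty rule, and close the declaration as `content: '';`. Note also that `li.logout.na` reuses the failure icon, so a not-applicable entry is visually indistinguishable from a failed one; if that is intentional, a short comment such as `/* n/a shares the failure icon deliberately */` would stop a later reader from "fixing" it.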
@@ -1,165 +0,0 @@ -* { - margin: 0; - padding: 0; -} -header, footer, section, nav { - display: block; -} -html, body { - height: 100%; -} -body { - font-family:Verdana, Geneva, sans-serif; - font-size: 12px; - line-height: 1.5; - color: #717171; - background: #717171; -} -a:link, -a:visited { - text-decoration: none; - color: #717171; -} -img { - max-width: 100%; - margin-bottom: 12px; -} - -.wrapper { - background: #ffffff; -} - -.container { - position: relative; - left: 34%; - width: 540px; - margin-left: -270px; -} -.container-footer { - padding-top: 12px; -} -@media only screen and (max-width: 1020px) { - .container { - left: 45%; - } -} -@media only screen and (max-width: 650px) { - .container { - position: static; - margin: 0 auto; - width: 280px; - } -} - -header { - padding: 20px 0; -} - -.logo img { - border: none; -} -@media only screen and (max-width: 650px) { - .logo img { - display: none; - } - .logo { - background: url(../images/dummylogo-mobile.png) no-repeat top center; - display: block; - height: 115px; - width: 100px; - margin: 0 auto; - } -} - -.content { - padding-bottom: 80px; - overflow: hidden; -} - -.column { - float: left; -} -.column.one { - width: 50%; - margin-right: 48px; -} - -form { - width: 240px; - padding-bottom: 21px; -} -form label { /* labels are hidden */ - font-weight: bold; -} -form legend { - font-size:1.2em; - margin-bottom: 12px; -} -.form-element-wrapper { - margin-bottom: 12px; -} -.form-element { - width: 100%; - padding: 13px 12px; - border: none; - font-size: 14px; - border-radius: 4px; - -webkit-border-radius: 4px; - -moz-border-radius: 4px; -} -.form-field { - color: #B7B7B7; - border: 1px solid #B7B7B7; -} -.form-field-focus, -.form-field:focus, -input[type="text"]:focus { - color: #333333; - border-color: #333; -} -.form-button { - background: #B61601; - box-sizing: content-box; - -moz-box-sizing: content-box; - color: #ffffff; - cursor: pointer; -} -.form-button:hover { - background: #FF6400; -} -.form-error { 
- padding: 0; - color: #B61601; -} - -.list-help { - margin-top: 40px; /* offset padding on first anchor */ - list-style: none; -} -.list-help-item a { - display: block; - padding: 6px 0; -} -.item-marker { - color: #be0000; -} - -footer { - color: #ffffff; - font-size: 11px; - background: #717171; -} -.footer-text { - margin-bottom: 12px; -} -.footer-links a:link, -.footer-links a:visited { - color: #ffffff; - font-weight: bold; -} -.footer-links a:after { - content: "\00a0\00a0\00a0|\00a0\00a0"; -} -.footer-links a.last:after { - content: ""; -} diff --git a/edit-webapp/css/placeholder.css b/edit-webapp/css/placeholder.css new file mode 100644 index 0000000..c1dbe1c --- /dev/null +++ b/edit-webapp/css/placeholder.css 
@@ -0,0 +1,802 @@ +/* Colours pallet + +To change the colours, use find and replace with the values below: + + #ECEFF1 - Body background, header / section border, read only / disabled input fields. + + #1534E3 - Links, buttons, list items, selected radio, selected checkbox. + + #1A237E - Hover buttons. + + #32424A - Body text, input fields border. + + #7A2D00 - Output message. + + #B50024 - Error messages / fields. + + #1C7D40 - Success messages / fields. + + #999999 - read only / disabled input fields. + +*/ + +html, html * { + margin: 0; + padding: 0; + border: 0; + font-size: 100%; + font: inherit; + vertical-align: baseline; + box-sizing: border-box; + background: none; + background-repeat: no-repeat; + background-position: left top; + border: 0; + outline: 0; +} + +html { + height: 100%; +} + +/* HTML5 display-role reset for older browsers */ +article, aside, details, figcaption, figure, footer, header, hgroup, menu, nav, section, main { + display: block; +} + +/* Default document styles - fonts, font sizes, text colours, font weight */ +body { + font-family: Segoe UI, Helvetica, Arial, sans-serif, Apple Color Emoji, Segoe UI Emoji, Segoe UI Symbol; + font-size: 16px; + font-size: 1rem; + line-height: 24px; + line-height: 1.5rem; + color: #32424a; + font-weight: 400; + max-width: 3000px; + margin: 0 auto; + background-color: #eceff1; + padding: 24px; +} + +/* Links */ +a[href] { + text-decoration: none; + color: #1534e3; +} + +/* Link hover states */ +a[href]:hover, a[href]:active, a[href]:focus { + text-decoration: underline; + color: #1534e3; +} + +/* Heading styles */ +h1 { + font-size: 24px; + font-size: 1.5rem; + line-height: 28px; + line-height: 1.75rem; + font-weight: 700; +} + +h2 { + font-size: 20px; + font-size: 1.25rem; + line-height: 25px; + line-height: 1.5rem; + font-weight: 400; +} + +h3 { + font-size: 16px; + font-size: 1rem; + line-height: 22px; + line-height: 1.375rem; + font-weight: 700; +} + +h4 { + font-size: 14px; + font-size: 0.875rem; + 
line-height: 18px; + line-height: 1.125rem; + font-weight: 700; + margin-bottom: 0.5em; +} + +h5 { + font-size: 14px; + font-size: 0.875rem; + line-height: 18px; + line-height: 1.125rem; + font-weight: 400; +} + +h1, h2, h3, h4, h5, h6, p { + margin-bottom: 1em; +} + +h1:last-child, h2:last-child, h3:last-child, h4:last-child, h5:last-child, h6:last-child, p:last-child { + margin-bottom: 0px; +} + +/* List styles */ +ol, ul { + list-style: none; + margin: 20px 0; +} + +ol:before, ol:after, +ul:before, ul:after { + content: " "; + display: table; +} + +ol:after, +ul:after { + clear: both; +} + +ol:last-child, +ul:last-child { + margin-bottom: 0px; +} + +ol:first-child, +ul:first-child { + margin-top: 0px; +} + +ul li { + padding-left: 22px; + margin-bottom: 4px; + position: relative; + list-style: none; +} + +ul li:last-child { + margin-bottom: 0px; +} + +ul li:before { + content: ''; + -webkit-border-radius: 2px; + -ms-border-radius: 2px; + -moz-border-radius: 2px; + -o-border-radius: 2px; + border-radius: 2px; + background-color: #1534e3; + height: 7px; + width: 7px; + display: block; + position: absolute; + left: 0; + top: 7px; +} + +ol { + counter-reset: item; +} + +ol li { + padding-left: 22px; + margin-bottom: 10px; + position: relative; + list-style: none; +} + +ol li:last-child { + margin-bottom: 0px; +} + +ol li:before { + color: #1534e3; + position: absolute; + left: 0; + content: counter(item) ". 
"; + counter-increment: item; + font-weight: 700; + top: 1px; +} + +ol li:nth-child(n+10) { + padding-left: 30px; +} + +ol li:nth-child(n+100) { + padding-left: 38px; +} + +hr { + width: 100%; + clear: both; + border: 0; + outline: 0; + background-color: #eceff1; + height: 1px; + display: block; + margin: 30px 0; +} + +b, strong { + font-weight: 700; +} + +i, em { + font-style: italic; +} + +small { + font-size: 0.8em; +} + +big { + font-size: 1.2em; +} + +.cc { + clear: both; + margin: 0 auto; + width: 100%; + max-width: 649px; + padding: 0 0; +} + +.cc:before, .cc:after { + content: " "; + display: table; +} + +.cc:after { + clear: both; +} + +img { + max-width: 100%; + height: auto; +} + +/* Main content area */ +main { + clear: both; + margin: 0 auto; + width: 100%; + max-width: 800px; + background-color: #fff; + -webkit-border-radius: 8px; + -ms-border-radius: 8px; + -moz-border-radius: 8px; + -o-border-radius: 8px; + border-radius: 8px; + -webkit-box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11); + -ms-box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11); + -moz-box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11); + -o-box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11); + box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11); +} + +/* Add a border top when 2 sections are together */ +main section + section { + border-top: 1px solid #eceff1; +} + +/* Header */ +header { + display: block; /* Change to display: none to hide */ + border-bottom: 1px solid #eceff1; + text-align: center; + padding: 6% 8%; +} + +header .main-logo { + display: block; + margin: 0 auto; +} + +.service-logo { + display: block; + margin: 24px 0; +} + +section { + padding: 4% 8% 4% 8%; +} + +/* Output Messages */ +.output-message { + font-size: 14px; + font-size: 0.875rem; + line-height: 18px; + line-height: 1.125rem; + font-style: italic; + -webkit-border-radius: 4px; + -ms-border-radius: 4px; + -moz-border-radius: 4px; + -o-border-radius: 4px; + border-radius: 4px; + background-color: 
#FFD8C2; + display: block; + padding: 4%; + margin-bottom: 20px; + color: #7A2D00; +} + +.output-message:last-child { + margin-bottom: 0px; +} + +/* Output Message Success */ +.output-message.output--success { + background-color: #DCF9E7; + color: #1C7D40; +} + +/* Output Message Error */ +.output-message.output--error { + background-color: #FFF0F3; + color: #B50024; +} + +.boxed { + -webkit-border-radius: 4px; + -ms-border-radius: 4px; + -moz-border-radius: 4px; + -o-border-radius: 4px; + border-radius: 4px; + -webkit-box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11); + -ms-box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11); + -moz-box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11); + -o-box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11); + box-shadow: 0px 0px 10px 0px rgba(38, 50, 56, 0.11); + background-color: #fff; + padding: 6%; + margin: 30px 0; +} + +.boxed:last-child { + margin-bottom: 0px; +} + +.boxed:first-child { + margin-top: 0px; +} + +/* Footer style */ +footer { + z-index: 1; + position: relative; + text-align: center; + margin-top: 20px; + font-size: 12px; + font-size: 0.75rem; + line-height: 16px; + line-height: 1rem; +} + +/* Forms styles */ +fieldset { + display: block; + margin-bottom: 20px; +} + +fieldset:last-child { + margin-bottom: 0px; +} + +fieldset .field-validation { + display: block; + margin-top: 10px; +} + +fieldset .error { + color: #B50024; +} + +fieldset legend span { + display: block; + text-indent: 100%; + white-space: nowrap; + overflow: hidden; + height: 0; +} + +/* Form labels */ +label { + vertical-align: top; + font-size: 14px; + font-size: 0.875rem; + line-height: 18px; + line-height: 1.125rem; + font-weight: 700; + display: block; + color: #32424a; + margin-bottom: 6px; +} + +label:focus { + color: #1534E3; +} + +/* Form input fields */ +input[type="text"], +input[type="email"], +input[type="password"], +input[type="telephone"], +input[type="tel"], +input[type="url"], +textarea, +select { + background-color: #fff; + 
border: 2px solid #32424a; + -webkit-transition: all 0.3s ease-in-out; + -moz-transition: all 0.3s ease-in-out; + -ms-transition: all 0.3s ease-in-out; + -o-transition: all 0.3s ease-in-out; + transition: all 0.3s ease-in-out; + color: #32424a; + padding: 13px 20px; + display: block; + width: 100%; + -webkit-appearance: none; + -ms-appearance: none; + -moz-appearance: none; + -o-appearance: none; + appearance: none; + -webkit-border-radius: 4px; + -ms-border-radius: 4px; + -moz-border-radius: 4px; + -o-border-radius: 4px; + border-radius: 4px; +} + +/* Form input focus */ +input[type="text"]:focus, +input[type="email"]:focus, +input[type="password"]:focus, +input[type="telephone"]:focus, +input[type="tel"]:focus, +input[type="url"]:focus, +textarea:focus, +select:focus, +input[type="text"]:active, +input[type="email"]:active, +input[type="password"]:active, +input[type="telephone"]:active, +input[type="tel"]:active, +input[type="url"]:active, +textarea:active, +select:active { + border-color: #1534e3; + background-color: #fff; +} + +/* Form input errors */ +input[type="text"].error, +input[type="email"].error, +input[type="password"].error, +input[type="telephone"].error, +input[type="tel"].error, +input[type="url"].error, +textarea.error, +select.error { + border-color: #B50024; +} + +/* Form input read only / disabled */ +input[type="text"]:read-only, +input[type="email"]:read-only, +input[type="password"]:read-only, +input[type="telephone"]:read-only, +input[type="tel"]:read-only, +input[type="url"]:read-only, +textarea:read-only, +select:read-only, +input[type="text"]:disabled, +input[type="email"]:disabled, +input[type="password"]:disabled, +input[type="telephone"]:disabled, +input[type="tel"]:disabled, +input[type="url"]:disabled, +textarea:disabled, +select:disabled { + background-color: #ECEFF1; + pointer-events: none; +} + +/* Text areas */ +textarea { + height: 124px; + resize: none; +} + + +/* Dropdowns */ +select { + -webkit-appearance: auto; + 
-ms-appearance: auto; + -moz-appearance: auto; + -o-appearance: auto; + appearance: auto; +} + +select:read-only { + background-color: #fff; + pointer-events: unset; +} + +select::-ms-expand { + display: none; +} + +/* Checkboxes / Radio buttons */ +input[type="checkbox"], input[type="radio"] { + position : absolute; + opacity: 0; + height: 0; + width: 0; +} + +input[type="checkbox"] + label, input[type="radio"] + label { + display: block; + font-weight: 400; + font-size: 16px; + font-size: 1rem; + line-height: 24px; + line-height: 1.5rem; + cursor: pointer; + position: relative; + padding-left: 30px; + padding-top: 3px; + margin-bottom: 4px; + margin-right: 12px; + display: inline-block; +} + +input[type="checkbox"] + label:before, input[type="radio"] + label:before { + content: ""; + position: absolute; + top: 2px; + left: 0; + height: 20px; + width: 20px; + background-color: #fff; + border: 2px solid #32424a; + -webkit-transition: all 0.2s ease-out; + -ms-transition: all 0.2s ease-out; + -moz-transition: all 0.2s ease-out; + -o-transition: all 0.2s ease-out; + transition: all 0.2s ease-out; +} + +input[type="checkbox"] + label:after, input[type="radio"] + label:after { + content: ""; + position: absolute; + -webkit-transform: rotate(45deg); + -ms-transform: rotate(45deg); + -moz-transform: rotate(45deg); + -o-transform: rotate(45deg); + transform: rotate(45deg); + display: none; +} + +input[type="checkbox"]:checked + label, input[type="radio"]:checked + label, +input[type="checkbox"]:focus + label, input[type="radio"]:focus + label { + color: #1534e3; +} + +input[type="checkbox"]:checked + label:before, input[type="radio"]:checked + label:before, +input[type="checkbox"]:focus + label:before, input[type="radio"]:focus + label:before { + border-color: #1534e3; +} + +input[type="checkbox"]:checked + label:after, input[type="radio"]:checked + label:after { + display: block; +} + +input[type="checkbox"] + label:before { + -webkit-border-radius: 4px; + 
-ms-border-radius: 4px; + -moz-border-radius: 4px; + -o-border-radius: 4px; + border-radius: 4px; +} + +input[type="checkbox"] + label:after { + left: 8px; + top: 5px; + width: 4px; + height: 10px; + border: solid #1534e3; + border-width: 0 4px 4px 0; +} + +input[type="radio"] + label:before { + -webkit-border-radius: 100%; + -ms-border-radius: 100%; + -moz-border-radius: 100%; + -o-border-radius: 100%; + border-radius: 100%; +} + +input[type="radio"] + label:after { + background-color: #1534e3; + height: 12px; + width: 12px; + -webkit-border-radius: 100%; + -ms-border-radius: 100%; + -moz-border-radius: 100%; + -o-border-radius: 100%; + border-radius: 100%; + left: 6px; + top: 8px; +} + +/* Buttons / Submit buttons */ +button, input[type=button], +input[type=submit], +a.button, +.button { + display: inline-block; + text-align: center; + background-color: #1534e3; + border: 4px solid #1534e3; + font-weight: 700; + padding: 11px 74px; + cursor: pointer; + color: #fff; + -webkit-appearance: none; + -ms-appearance: none; + -moz-appearance: none; + -o-appearance: none; + appearance: none; + -webkit-border-radius: 4px; + -ms-border-radius: 4px; + -moz-border-radius: 4px; + -o-border-radius: 4px; + border-radius: 4px; + -webkit-transition: all 0.2s ease-out; + -ms-transition: all 0.2s ease-out; + -moz-transition: all 0.2s ease-out; + -o-transition: all 0.2s ease-out; + transition: all 0.2s ease-out; +} + +/* Button hover & focus states */ +button:hover, +input[type=button]:hover, +input[type=submit]:hover, +a.button:hover, +.button:hover, +button:focus, +input[type=button]:focus, +input[type=submit]:focus, +a.button:focus, +.button:focus { + background: #1a237e; + color: #fff !important; + text-decoration: none !important; + border-color: #1a237e; +} + +/* Secondary button styles */ +button.button--secondary, +input[type=button].button--secondary, +input[type=submit].button--secondary, +a.button.button--secondary, +.button.button--secondary { + background-color: 
transparent; + border-color: #1534e3; + color: #1534e3; +} + +/* Secondary button hover & focus states */ +button.button--secondary:hover, +input[type=button].button--secondary:hover, +input[type=submit].button--secondary:hover, +a.button.button--secondary:hover, +.button.button--secondary:hover, +button.button--secondary:focus, +input[type=button].button--secondary:focus, +input[type=submit].button--secondary:focus, +a.button.button--secondary:focus, +.button.button--secondary:focus { + background: #1a237e; + border-color: #1a237e; +} + +/* Secondary button disabled states */ +button.button--secondary:disabled, +input[type=button].button--secondary:disabled, +input[type=submit].button--secondary:disabled, +a.button.button--secondary:disabled, +.button.button--secondary:disabled { + background-color: transparent; + color: #999999; +} + +/* Full width buttons */ +button.button--full, +input[type=button].button--full, +input[type=submit].button--full, +a.button.button--full, +.button.button--full { + width: 100%; + padding-left: 30px; + padding-right: 30px; +} + +/* Button disabled states */ +button:disabled, +input[type=button]:disabled, +input[type=submit]:disabled, +a.button:disabled, +.button:disabled { + pointer-events: none; + background-color: #999999; + border-color: #999999; +} + +/* Placeholder styles */ +::-webkit-input-placeholder { + color: #a9b0b4; +} + +:-moz-placeholder { + color: #a9b0b4; +} + +::-moz-placeholder { + color: #a9b0b4; +} + +:-ms-input-placeholder { + color: #a9b0b4; +} + +.grid { + margin-top: 12px; +} + +/* Grid (used for 2 columns) */ +.grid:before, .grid:after { + content: " "; + display: table; +} + +.grid:after { + clear: both; +} + +.grid > .grid-item { + margin-bottom: 18px; + min-height: 1px; + width: 100%; +} + +.grid:last-child > .item:last-child { + margin-bottom: 0px; +} + +@media screen and (min-width: 760px) { + + .grid.md-2 > .grid-item { + float: left; + width: 48.34436%; + margin-right: 3.31126%; + } + + .grid.md-2 > 
.grid-item:nth-child(n), .grid.md-2 > .grid-item:nth-of-type(n) { + margin-right: 3.31126%; + clear: none; + } + + .grid.md-2 > .grid-item:nth-child(2n) { + margin-right: 0; + } + + .grid.md-2 > .grid-item:nth-child(2n+1) { + clear: both; + } + +} diff --git a/edit-webapp/images/dummylogo-mobile.png b/edit-webapp/images/dummylogo-mobile.png deleted file mode 100644 index 8ba3c95..0000000 Binary files a/edit-webapp/images/dummylogo-mobile.png and /dev/null differ diff --git a/edit-webapp/images/dummylogo.png b/edit-webapp/images/dummylogo.png deleted file mode 100644 index e89ede6..0000000 Binary files a/edit-webapp/images/dummylogo.png and /dev/null differ diff --git a/edit-webapp/images/placeholder-logo.png b/edit-webapp/images/placeholder-logo.png new file mode 100644 index 0000000..f5807ed Binary files /dev/null and b/edit-webapp/images/placeholder-logo.png differ diff --git a/edit-webapp/index.jsp b/edit-webapp/index.jsp new file mode 100644 index 0000000..087cee2 --- /dev/null +++ b/edit-webapp/index.jsp 
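Review bot: `.grid:last-child > .item:last-child` near the end of the hunk targets a class that no other rule in this file uses; the grid children are `.grid-item` everywhere else, so this margin reset never matches and the final item keeps its 18px bottom margin. Change it to `.grid:last-child > .grid-item:last-child {`. Two smaller style points: the `html, html *` reset at the top of the file declares `border: 0;` twice, and the form selectors list `input[type="telephone"]`, which is not a valid input type (`input[type="tel"]` is already present), so both can be trimmed.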
@@ -0,0 +1,31 @@
+<%@ page pageEncoding="UTF-8" %>
+<%@ taglib uri="http://www.springframework.org/tags" prefix="spring" %>
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta charset="utf-8">
+ <title><spring:message code="root.title" text="Shibboleth IdP" /></title>
+ <link rel="stylesheet" type="text/css" href="<%= request.getContextPath()%><spring:message code="root.css" text="/css/placeholder.css" />">
+ </head>
+
+ <body>
+ <div class="wrapper">
+ <div class="container">
+ <header>
+ <img src="<%= request.getContextPath() %><spring:message code="idp.logo" />" alt="<spring:message code="idp.logo.alt-text" text="logo" />">
+ </header>
+
+ <div class="content">
+ <h2><spring:message code="root.message" text="No services are available at this location." /></h2>
+ </div>
+ </div>
+
+ <footer>
+ <div class="container container-footer">
+ <p class="footer-text"><spring:message code="root.footer" text="Insert your footer text here." /></p>
+ </div>
+ </footer>
+ </div>
+
+ </body>
+</html>
diff --git a/flows/authn/conditions/account-locked/account-locked-flow.xml b/flows/authn/conditions/account-locked/account-locked-flow.xml
new file mode 100644
index 0000000..5fe7523
--- /dev/null
+++ b/flows/authn/conditions/account-locked/account-locked-flow.xml
@@ -0,0 +1,16 @@
+<flow xmlns="http://www.springframework.org/schema/webflow"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd">
+
+ <!-- This is a placeholder flow that does nothing out of the box but reserves a subflow ID. -->
+
+ <!-- Rudimentary impediment to direct execution of subflow. -->
+ <input name="calledAsSubflow" type="boolean" required="true" />
+
+ <on-start>
+ <evaluate expression="'proceed'" />
+ </on-start>
+
+ <end-state id="proceed" />
+
+</flow>
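Review bot: The logo tag `<spring:message code="idp.logo" />` is the only message lookup on this page without a `text` fallback; the other four (`root.title`, `root.css`, `root.message`, `root.footer`) all supply one. If `idp.logo` is not defined by the deployer's bundle or the system messages, the tag fails instead of rendering a default, and the messages.properties hunk in this same commit leaves `#idp.logo` commented out. Suggest `<img src="<%= request.getContextPath() %><spring:message code="idp.logo" text="/images/placeholder-logo.png" />" alt="...">`, which matches the default hello.vm uses via `#springMessageText("idp.logo", "/images/placeholder-logo.png")`. Whether the system bundle already supplies the key is not visible here, so confirm before relying on it.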
diff --git a/flows/authn/conditions/conditions-flow.xml b/flows/authn/conditions/conditions-flow.xml
new file mode 100644
index 0000000..53c4994
--- /dev/null
+++ b/flows/authn/conditions/conditions-flow.xml
@@ -0,0 +1,35 @@
+<flow xmlns="http://www.springframework.org/schema/webflow"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
+ abstract="true">
+
+ <!-- Rudimentary impediment to direct execution of subflow. -->
+ <input name="calledAsSubflow" type="boolean" required="true" />
+
+ <action-state id="ValidateUsernamePassword">
+
+ <!-- Call outs for exceptional conditions. -->
+ <transition on="AccountWarning" to="CallExpiringPassword" />
+ <transition on="ExpiringPassword" to="CallExpiringPassword" />
+ <transition on="ExpiredPassword" to="CallExpiredPassword" />
+ <transition on="AccountLocked" to="CallAccountLocked" />
+
+ <transition to="DisplayUsernamePasswordPage" />
+ </action-state>
+
+ <subflow-state id="CallExpiringPassword" subflow="authn/conditions/expiring-password">
+ <input name="calledAsSubflow" value="true" />
+ <transition on="proceed" to="ContinueSuccessfulAuthentication" />
+ </subflow-state>
+
+ <subflow-state id="CallExpiredPassword" subflow="authn/conditions/expired-password">
+ <input name="calledAsSubflow" value="true" />
+ <transition on="proceed" to="DisplayUsernamePasswordPage" />
+ </subflow-state>
+
+ <subflow-state id="CallAccountLocked" subflow="authn/conditions/account-locked">
+ <input name="calledAsSubflow" value="true" />
+ <transition on="proceed" to="DisplayUsernamePasswordPage" />
+ </subflow-state>
+
+</flow>
diff --git a/flows/authn/conditions/expired-password/expired-password-flow.xml b/flows/authn/conditions/expired-password/expired-password-flow.xml
new file mode 100644
index 0000000..5fe7523
--- /dev/null
+++ b/flows/authn/conditions/expired-password/expired-password-flow.xml
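Review bot: The transitions in `ValidateUsernamePassword` and the three subflow-states target `DisplayUsernamePasswordPage` and `ContinueSuccessfulAuthentication`, neither of which is defined in this file; because the flow is `abstract="true"` they presumably come from whichever login flow inherits it, but nothing in the file says so. A reader copying this as a template for another condition would have no way to know which states are required of the parent. Suggest a comment under the `<input>` line along the lines of `<!-- Abstract: the inheriting flow must define ValidateUsernamePassword's action plus the DisplayUsernamePasswordPage and ContinueSuccessfulAuthentication states targeted below. -->`. It is also worth stating in the "Call outs" comment that `AccountWarning` and `ExpiringPassword` deliberately share the `CallExpiringPassword` target, so the duplication is not mistaken for a copy-paste slip.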
@@ -0,0 +1,16 @@
+<flow xmlns="http://www.springframework.org/schema/webflow"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd">
+
+ <!-- This is a placeholder flow that does nothing out of the box but reserves a subflow ID. -->
+
+ <!-- Rudimentary impediment to direct execution of subflow. -->
+ <input name="calledAsSubflow" type="boolean" required="true" />
+
+ <on-start>
+ <evaluate expression="'proceed'" />
+ </on-start>
+
+ <end-state id="proceed" />
+
+</flow>
diff --git a/flows/authn/conditions/expiring-password/expiring-password-flow.xml b/flows/authn/conditions/expiring-password/expiring-password-flow.xml
new file mode 100644
index 0000000..75bb86a
--- /dev/null
+++ b/flows/authn/conditions/expiring-password/expiring-password-flow.xml
@@ -0,0 +1,33 @@
+<flow xmlns="http://www.springframework.org/schema/webflow"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd">
+
+ <!--
+ This is an example flow that displays a view template in response to an expiring password.
+ The view might display a pointer to the password change portal while automatically continuing
+ after a few seconds.
+ -->
+
+ <!-- Rudimentary impediment to direct execution of subflow. -->
+ <input name="calledAsSubflow" type="boolean" required="true" />
+
+ <view-state id="ExpiringPassword" view="intercept/expiring-password">
+ <attribute name="csrf_excluded" value="true" type="boolean"/>
+ <on-render>
+ <evaluate expression="environment" result="viewScope.environment" />
+ <evaluate expression="opensamlProfileRequestContext" result="viewScope.profileRequestContext" />
+ <evaluate expression="opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.authn.context.AuthenticationContext))" result="viewScope.authenticationContext" />
+ <evaluate expression="authenticationContext.getSubcontext(T(net.shibboleth.idp.authn.context.AuthenticationErrorContext))" result="viewScope.authenticationErrorContext" />
+ <evaluate expression="authenticationContext.getSubcontext(T(net.shibboleth.idp.authn.context.AuthenticationWarningContext))" result="viewScope.authenticationWarningContext" />
+ <evaluate expression="authenticationContext.getSubcontext(T(net.shibboleth.idp.authn.context.LDAPResponseContext))" result="viewScope.ldapResponseContext" />
+ <evaluate expression="T(net.shibboleth.shared.codec.HTMLEncoder)" result="viewScope.encoder" />
+ <evaluate expression="flowRequestContext.getExternalContext().getNativeRequest()" result="viewScope.request" />
+ <evaluate expression="flowRequestContext.getExternalContext().getNativeResponse()" result="viewScope.response" />
+ <evaluate expression="flowRequestContext.getActiveFlow().getApplicationContext().containsBean('shibboleth.CustomViewContext') ? flowRequestContext.getActiveFlow().getApplicationContext().getBean('shibboleth.CustomViewContext') : null" result="viewScope.custom" />
+ </on-render>
+ <transition on="proceed" to="proceed" />
+ </view-state>
+
+ <end-state id="proceed" />
+
+</flow>
diff --git a/messages/messages.properties b/messages/messages.properties
index 5f94396..b59fc89 100644
--- a/messages/messages.properties
+++ b/messages/messages.properties
@@ -1,2 +1,6 @@
 # You can define message properties here to override messages defined in
-# system/messages/ or to add your own messages.
+# the system-supplied message file or to add your own messages.
+
+# You should alter these to point to different files of your own choosing.
+#idp.css = /css/placeholder.css
+#idp.logo = /images/placeholder-logo.png
diff --git a/metadata/idp-metadata.xml b/metadata/idp-metadata.xml
deleted file mode 100644
index a1f33a1..0000000
--- a/metadata/idp-metadata.xml
+++ /dev/null
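Review bot: The `csrf_excluded` attribute on the `ExpiringPassword` view-state turns off CSRF checking for this view without recording why, and since this file is explicitly an example to be copied, the exclusion is likely to travel into flows whose views do accept input. The exclusion looks defensible here because the only accepted event is `proceed` and the view changes no state, so say that next to the attribute: `<!-- Excluded from CSRF protection: the view accepts only a 'proceed' event and performs no state change. Remove this if the view ever takes form input. -->`. Separately, the render step hands the template `ldapResponseContext`, `authenticationErrorContext` and `authenticationWarningContext`; the header comment should remind template authors that anything rendered from those objects goes through the `encoder` placed in view scope and that raw directory responses are not meant for an end-user page.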
@@ -1,251 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - This is example metadata only. Do *NOT* supply it as is without review, - and do *NOT* provide it in real time to your partners. - - This metadata is not dynamic - it will not change as your configuration changes. ---> -<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr" validUntil="2019-10-02T14:46:57.225Z" entityID="https://idp.example.org/idp/shibboleth"> - - <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0"> - - <Extensions> - <shibmd:Scope regexp="false">example.org</shibmd:Scope> -<!-- - Fill in the details for your IdP here - - <mdui:UIInfo> - <mdui:DisplayName xml:lang="en">A Name for the IdP at idp.example.org</mdui:DisplayName> - <mdui:Description xml:lang="en">Enter a description of your IdP at idp.example.org</mdui:Description> - <mdui:Logo height="80" width="80">https://idp.example.org/Path/To/Logo.png</mdui:Logo> - </mdui:UIInfo> ---> - </Extensions> - - <!-- First signing certificate is BackChannel, the Second is FrontChannel --> - <KeyDescriptor use="signing"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIEKDCCApCgAwIBAgIVAJ0iknQBSFLEkl3ybj6HYSWkOw+CMA0GCSqGSIb3DQEB -CwUAMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzAeFw0xOTEwMDIxNDQ2NTZa -Fw0zOTEwMDIxNDQ2NTZaMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzCCAaIw -DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJJI3OlyhXVII2YS2VGAZlCy/PE1 -RPLwTb9hIrBETcpA3JwVba2hBq8v0lWGpWkmvQfsjH+bKRJe611EyXwWQH04qGCU -RDCFKBU8E9P87m6GTeh+DC6eVXxOB2h0pf3Zmktf48hlhV1X24NwIjba6v9X8oHF -FTFFqopOPAaJWnODPQyul/d4DqkqkBfQer6p0RiDL/V79WpTVG87pJxmGH2FbchP -PivVO9sMYfC5lqe37x/zu8huU0jDnB20eqEjnVNjvPjzbF36xPA06770FJuPxCYd 
-5oebut50pO7DZY7MZGu4/UME0JfDrnCsyPz2L1gdxXX28mydAVL3YwIajZzuPVwJ -HC+HJuF3YNgIZ7ZO6uN2Cyi1tKKAE5n3G19L8NLLW44MVxkS9ox9cFvw5e2Zm+ek -Hh6iu6Y9/blyuFjlqVaffM6l6NVnAAXPiIpwnBdzWdJqMcJzgC5bTqOGEZdeR9hT -ei0e1s+bmBj3/3cOB3hII74P5sCuGLfiYqSQzQIDAQABo2UwYzAdBgNVHQ4EFgQU -hb0zxPkLe5m7vmD8AH0fjATSaIwwQgYDVR0RBDswOYIPaWRwLmV4YW1wbGUub3Jn -hiZodHRwczovL2lkcC5leGFtcGxlLm9yZy9pZHAvc2hpYmJvbGV0aDANBgkqhkiG -9w0BAQsFAAOCAYEADQ17KGVQJ6AZTqDUDxVAfrTlFXysuvQg1WntrMB1PUzlb6Pa -AO6Nb24YiY0PonSk7iz+gOg4P/V2b9wX4NXPBcX5h86fxR8R3cwZYsYKhwBBQ6uo -UZnqtNyYNY/3hM2Dj8sR1PMijwgNmo7KOzzBPKKhID2dtGL3bS3TrX8xjmc7NK+r -5VE9LrK3kG3ht3qM0I7iPMNuQXBOuduRG8WGD8NsFwHcYfORJmK5Ac/AtjHMVLF0 -x+m4LyLxP53t9/5+5fiJ3bghXM7Uuzjjmes6fdZyUcxinrwFxvSIGz3gqXf35Omf -EwFemewB5B9GkAVXJSq2J64+iWXTo556YEC/RUrX6ZA5db6zHIeHX4BSf7U5YUBm -LRJ/RJZKKPKEBBJgvh8vUFLF64tDn0c9x3n1mw+ZLHnPcjdX5v/stLVgR020vRx7 -8CGsrydmj+80Gm3Ji1eGJfD2LdUslve3bNerEW2AUM3DFx6wDlR5K/0ix98Ah1w0 -AuAeyajXyLR9NkPm - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - <KeyDescriptor use="signing"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIEJzCCAo+gAwIBAgIUOCYqGG6JElEG1wHKL7CvULRTvEswDQYJKoZIhvcNAQEL -BQAwGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMB4XDTE5MTAwMjE0NDY1NVoX -DTM5MTAwMjE0NDY1NVowGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMIIBojAN -BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAwkiDw0dpZmup6VpfVXkib8fiv7KF -T1Z3z6tq7c/ki/CH2x8BYtLPNgIvQa8KhggHUKG+rRU9yBwWg4Yvdsi05h5pJwcE -xE1hwE7oVWiY+DtMggv4zVbDm0TnbvJvXN9eYXNn/e9RL3hD3umPIzDSli3wwiNg -GvMesn/4Npq6ERi80CPIkUENkL3N7XTDX+Fy/mhXCxc73Dv3Meo0qk0pii005nV1 -vHCP9jsUgPfDCBScUuikfQ8V9SPLgOSf1x3vc5RqSPWaHgLesqoXpFFTthlVjB8j -cUzqjQllhOS6LKWJE7VIfV6MdpfkRZBWhsaeuT7I48kRmFuALLnIopkclqu3HtON -0Fgd1oPPBHa04bLcPqbneqGL+2RzZOdnuarTtY+JOuCRnE1qCWUeRoH2yeMMdKPy -amX6HZJ35Vsk3uJxJX/IyipduZ+nHPC5qi52Elu+oyBrJwTbVAhhlXwPehC6nU/c -1LUnbo3M4SGOYWuPmI1ko5KF91MVUU7ttmkFAgMBAAGjZTBjMB0GA1UdDgQWBBQ1 -CuX1jKcG8rdC0xBBveSJAYoFfzBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeG 
-Jmh0dHBzOi8vaWRwLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3 -DQEBCwUAA4IBgQA89rYZmayIfst0cGyt+zdeHpnvyo+zVfAk7OztXF5OXsakX9TV -Iq8ur1lq4Q4KC/Ev+9p1za1gP7Ea9ugFJinuVa6ntpzGP0vh42pmphLNaRFvnPch -pwgGCvcF2leYG6zZl/Qln0Kbv+pyByens7xPdKKA8U5ySVkouLuw7017XSIulPtW -u5tPz51awJubHCK+FckcVH0yZZg44s4HmjzLpJCdslMIxmhtX7DW3vtqH1pL9Mir -3qykySFUJGthV3ndHesG08y3Tni5HZaRqHHafGRBiezO8JCwVvWrdC29SdAwY2i0 -HhKB7zCDOpYrh3o8TTx3ZJd+6Uel/e0bCefs9uhMj7O5ErNySHyTtNRrFxTl2c98 -RDweMp6NLfm+P3+EqJycmpR9CKudcL6RUikN9hDvy6qqG2t5fW7pvU/+mzRm/3Cf -gMxKHQM+OAry1E6pQSYh8qkPZYDezwiz4gINxn7SFAxFJQcTlaSVmFHLOQV7TetI -g4sTktRrBmgU/vk= - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - <KeyDescriptor use="encryption"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIEJzCCAo+gAwIBAgIUe0fsxBFnYrItqaF1zUSc7oTFFhswDQYJKoZIhvcNAQEL -BQAwGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMB4XDTE5MTAwMjE0NDY1NloX -DTM5MTAwMjE0NDY1NlowGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMIIBojAN -BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAlBwK5LM+22M0RLLhaVoTlgGJlF75 -0hfDGl45GqSVh7gB4X93icnoh2mUoGq/wgqx+YwCJ04hEJF0BXGRzmP5qQdSPw/z -VV2e90emvoFvRD0OWrRDo4kn9GO2a4t8nAdLNe8dclsEpxyKktvmppMbna0jNGau -h8OMsSNlTKH8C6qzIUtxOGnN75Qw1JAQ0N6U0Jl9w7x1LoR2tiyiTDKMAyx8v7xu -eurxduh/Y1g/2fxi3UGA0i0znwTjEM0eZ/3JQMtuCKW6mTNTF/klBWiEhP6Vm3Yk -WgbYDMgahiaEo2dzxmKgFfFysoSxkfV93zSh31+zKovj5NpNEU9LrlFDD8iRYPlK -ZKjdleWOsGFbtyfvSV8Xq1bJvn9LScH02gCDbjkYFOlGgs32nGIqe4tr7ekT8A60 -S9dtIV54834ZdntBRzPkaLRaHb6FWY74U5+o1U1spd2JhWvFMlrkHCghcIWKmG87 -pzmZBFcyxSBIK0E6dhjm3EGXMmWdn80Sr1lxAgMBAAGjZTBjMB0GA1UdDgQWBBQ8 -+tUYkLiwLXUxRdIcfwUUs3s+dTBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeG -Jmh0dHBzOi8vaWRwLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3 -DQEBCwUAA4IBgQBXnSl1RPlziZEpGUc3FGoQCpsu6FovK7jlieATyKWD3NY7lha6 -iOqiyxpNnrekh3Sf3XvmwvoxBHULQNS06GMMej8WtFBSaomNIkuztzMUAEmil2UF -rP1xT0Gx+lT/Don9e60dGMMl2FWYIHobkQj4yhjSW6yN/emQRkwOhkj1DRGkZ1Zz -wIRtH7/VT1YXH6n4P6lWNMgV+GInhT7ogitN5Vf6tCfMaZtowu3bb2I1gDlgYY/v 
-0TrokTQteO7vcf+EpTODPRBiFV/Wwub5r8BDN4O3qGt52f2lhlEqdupFArooNVyF -tU+zmj0gaclvvBBAaN2oh0Tj+j7HBh1YWB8p93vm62dKqY/9L9xSNAni6EI5o7dm -58OUngvQopb7U7MDDuH2gM0XiH/R2BNp4c7/jqBP2Of5Bg68yKCZHB7D5XOJbQLf -gjm4h9tRHtDijVkHcuIEICBwrie+JSEL225UnTfsesPiArDvo5BhQeNc3q1CPJgF -2QOuaDoiGwFbc5s= - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - - <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/> - <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/> - - <!-- - <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SLO"/> - <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.org/idp/profile/SAML2/POST/SLO"/> - <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.example.org/idp/profile/SAML2/POST-SimpleSign/SLO"/> - <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/SLO"/> - --> - - <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/> - <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" req-attr:supportsRequestedAttributes="true" Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/> - <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" req-attr:supportsRequestedAttributes="true" Location="https://idp.example.org/idp/profile/SAML2/POST-SimpleSign/SSO"/> - <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
req-attr:supportsRequestedAttributes="true" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/> - - </IDPSSODescriptor> - - - <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"> - - <Extensions> - <shibmd:Scope regexp="false">example.org</shibmd:Scope> - </Extensions> - - <!-- First signing certificate is BackChannel, the Second is FrontChannel --> - <KeyDescriptor use="signing"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIEKDCCApCgAwIBAgIVAJ0iknQBSFLEkl3ybj6HYSWkOw+CMA0GCSqGSIb3DQEB -CwUAMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzAeFw0xOTEwMDIxNDQ2NTZa -Fw0zOTEwMDIxNDQ2NTZaMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLm9yZzCCAaIw -DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJJI3OlyhXVII2YS2VGAZlCy/PE1 -RPLwTb9hIrBETcpA3JwVba2hBq8v0lWGpWkmvQfsjH+bKRJe611EyXwWQH04qGCU -RDCFKBU8E9P87m6GTeh+DC6eVXxOB2h0pf3Zmktf48hlhV1X24NwIjba6v9X8oHF -FTFFqopOPAaJWnODPQyul/d4DqkqkBfQer6p0RiDL/V79WpTVG87pJxmGH2FbchP -PivVO9sMYfC5lqe37x/zu8huU0jDnB20eqEjnVNjvPjzbF36xPA06770FJuPxCYd -5oebut50pO7DZY7MZGu4/UME0JfDrnCsyPz2L1gdxXX28mydAVL3YwIajZzuPVwJ -HC+HJuF3YNgIZ7ZO6uN2Cyi1tKKAE5n3G19L8NLLW44MVxkS9ox9cFvw5e2Zm+ek -Hh6iu6Y9/blyuFjlqVaffM6l6NVnAAXPiIpwnBdzWdJqMcJzgC5bTqOGEZdeR9hT -ei0e1s+bmBj3/3cOB3hII74P5sCuGLfiYqSQzQIDAQABo2UwYzAdBgNVHQ4EFgQU -hb0zxPkLe5m7vmD8AH0fjATSaIwwQgYDVR0RBDswOYIPaWRwLmV4YW1wbGUub3Jn -hiZodHRwczovL2lkcC5leGFtcGxlLm9yZy9pZHAvc2hpYmJvbGV0aDANBgkqhkiG -9w0BAQsFAAOCAYEADQ17KGVQJ6AZTqDUDxVAfrTlFXysuvQg1WntrMB1PUzlb6Pa -AO6Nb24YiY0PonSk7iz+gOg4P/V2b9wX4NXPBcX5h86fxR8R3cwZYsYKhwBBQ6uo -UZnqtNyYNY/3hM2Dj8sR1PMijwgNmo7KOzzBPKKhID2dtGL3bS3TrX8xjmc7NK+r -5VE9LrK3kG3ht3qM0I7iPMNuQXBOuduRG8WGD8NsFwHcYfORJmK5Ac/AtjHMVLF0 -x+m4LyLxP53t9/5+5fiJ3bghXM7Uuzjjmes6fdZyUcxinrwFxvSIGz3gqXf35Omf -EwFemewB5B9GkAVXJSq2J64+iWXTo556YEC/RUrX6ZA5db6zHIeHX4BSf7U5YUBm -LRJ/RJZKKPKEBBJgvh8vUFLF64tDn0c9x3n1mw+ZLHnPcjdX5v/stLVgR020vRx7 -8CGsrydmj+80Gm3Ji1eGJfD2LdUslve3bNerEW2AUM3DFx6wDlR5K/0ix98Ah1w0 -AuAeyajXyLR9NkPm - </ds:X509Certificate> - 
</ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - <KeyDescriptor use="signing"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIEJzCCAo+gAwIBAgIUOCYqGG6JElEG1wHKL7CvULRTvEswDQYJKoZIhvcNAQEL -BQAwGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMB4XDTE5MTAwMjE0NDY1NVoX -DTM5MTAwMjE0NDY1NVowGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMIIBojAN -BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAwkiDw0dpZmup6VpfVXkib8fiv7KF -T1Z3z6tq7c/ki/CH2x8BYtLPNgIvQa8KhggHUKG+rRU9yBwWg4Yvdsi05h5pJwcE -xE1hwE7oVWiY+DtMggv4zVbDm0TnbvJvXN9eYXNn/e9RL3hD3umPIzDSli3wwiNg -GvMesn/4Npq6ERi80CPIkUENkL3N7XTDX+Fy/mhXCxc73Dv3Meo0qk0pii005nV1 -vHCP9jsUgPfDCBScUuikfQ8V9SPLgOSf1x3vc5RqSPWaHgLesqoXpFFTthlVjB8j -cUzqjQllhOS6LKWJE7VIfV6MdpfkRZBWhsaeuT7I48kRmFuALLnIopkclqu3HtON -0Fgd1oPPBHa04bLcPqbneqGL+2RzZOdnuarTtY+JOuCRnE1qCWUeRoH2yeMMdKPy -amX6HZJ35Vsk3uJxJX/IyipduZ+nHPC5qi52Elu+oyBrJwTbVAhhlXwPehC6nU/c -1LUnbo3M4SGOYWuPmI1ko5KF91MVUU7ttmkFAgMBAAGjZTBjMB0GA1UdDgQWBBQ1 -CuX1jKcG8rdC0xBBveSJAYoFfzBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeG -Jmh0dHBzOi8vaWRwLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3 -DQEBCwUAA4IBgQA89rYZmayIfst0cGyt+zdeHpnvyo+zVfAk7OztXF5OXsakX9TV -Iq8ur1lq4Q4KC/Ev+9p1za1gP7Ea9ugFJinuVa6ntpzGP0vh42pmphLNaRFvnPch -pwgGCvcF2leYG6zZl/Qln0Kbv+pyByens7xPdKKA8U5ySVkouLuw7017XSIulPtW -u5tPz51awJubHCK+FckcVH0yZZg44s4HmjzLpJCdslMIxmhtX7DW3vtqH1pL9Mir -3qykySFUJGthV3ndHesG08y3Tni5HZaRqHHafGRBiezO8JCwVvWrdC29SdAwY2i0 -HhKB7zCDOpYrh3o8TTx3ZJd+6Uel/e0bCefs9uhMj7O5ErNySHyTtNRrFxTl2c98 -RDweMp6NLfm+P3+EqJycmpR9CKudcL6RUikN9hDvy6qqG2t5fW7pvU/+mzRm/3Cf -gMxKHQM+OAry1E6pQSYh8qkPZYDezwiz4gINxn7SFAxFJQcTlaSVmFHLOQV7TetI -g4sTktRrBmgU/vk= - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - <KeyDescriptor use="encryption"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIEJzCCAo+gAwIBAgIUe0fsxBFnYrItqaF1zUSc7oTFFhswDQYJKoZIhvcNAQEL -BQAwGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMB4XDTE5MTAwMjE0NDY1NloX -DTM5MTAwMjE0NDY1NlowGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUub3JnMIIBojAN 
-BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAlBwK5LM+22M0RLLhaVoTlgGJlF75 -0hfDGl45GqSVh7gB4X93icnoh2mUoGq/wgqx+YwCJ04hEJF0BXGRzmP5qQdSPw/z -VV2e90emvoFvRD0OWrRDo4kn9GO2a4t8nAdLNe8dclsEpxyKktvmppMbna0jNGau -h8OMsSNlTKH8C6qzIUtxOGnN75Qw1JAQ0N6U0Jl9w7x1LoR2tiyiTDKMAyx8v7xu -eurxduh/Y1g/2fxi3UGA0i0znwTjEM0eZ/3JQMtuCKW6mTNTF/klBWiEhP6Vm3Yk -WgbYDMgahiaEo2dzxmKgFfFysoSxkfV93zSh31+zKovj5NpNEU9LrlFDD8iRYPlK -ZKjdleWOsGFbtyfvSV8Xq1bJvn9LScH02gCDbjkYFOlGgs32nGIqe4tr7ekT8A60 -S9dtIV54834ZdntBRzPkaLRaHb6FWY74U5+o1U1spd2JhWvFMlrkHCghcIWKmG87 -pzmZBFcyxSBIK0E6dhjm3EGXMmWdn80Sr1lxAgMBAAGjZTBjMB0GA1UdDgQWBBQ8 -+tUYkLiwLXUxRdIcfwUUs3s+dTBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeG -Jmh0dHBzOi8vaWRwLmV4YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3 -DQEBCwUAA4IBgQBXnSl1RPlziZEpGUc3FGoQCpsu6FovK7jlieATyKWD3NY7lha6 -iOqiyxpNnrekh3Sf3XvmwvoxBHULQNS06GMMej8WtFBSaomNIkuztzMUAEmil2UF -rP1xT0Gx+lT/Don9e60dGMMl2FWYIHobkQj4yhjSW6yN/emQRkwOhkj1DRGkZ1Zz -wIRtH7/VT1YXH6n4P6lWNMgV+GInhT7ogitN5Vf6tCfMaZtowu3bb2I1gDlgYY/v -0TrokTQteO7vcf+EpTODPRBiFV/Wwub5r8BDN4O3qGt52f2lhlEqdupFArooNVyF -tU+zmj0gaclvvBBAaN2oh0Tj+j7HBh1YWB8p93vm62dKqY/9L9xSNAni6EI5o7dm -58OUngvQopb7U7MDDuH2gM0XiH/R2BNp4c7/jqBP2Of5Bg68yKCZHB7D5XOJbQLf -gjm4h9tRHtDijVkHcuIEICBwrie+JSEL225UnTfsesPiArDvo5BhQeNc3q1CPJgF -2QOuaDoiGwFbc5s= - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - - <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/> - <!-- <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/> --> - <!-- If you uncomment the above you should add urn:oasis:names:tc:SAML:2.0:protocol to the protocolSupportEnumeration above --> - - </AttributeAuthorityDescriptor> - -</EntityDescriptor> diff --git a/views/admin/hello.vm b/views/admin/hello.vm new file mode 100644 index 0000000..6268c6c --- /dev/null 
+++ b/views/admin/hello.vm 
@@ -0,0 +1,68 @@
+##
+## Velocity Template for Hello World page.
+##
+## Velocity context will contain the following properties
+## flowRequestContext - the Spring Web Flow RequestContext
+## encoder - HTMLEncoder class
+## request - HttpServletRequest
+## response - HttpServletResponse
+## profileRequestContext - root of context tree
+## subjectContext - ProfileRequestContext -> SubjectContext
+## attributeContext - ProfileRequestContext -> AttributeContext
+## environment - Spring Environment object for property resolution
+## custom - arbitrary object injected by deployer
+##
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>#springMessageText("idp.title", "Web Login Service") - #springMessageText("hello-world.title", "Hello World")</title>
+ <meta charset="UTF-8" />
+ <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+ <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0">
+ <link rel="stylesheet" type="text/css" href="$request.getContextPath()#springMessageText("idp.css", "/css/placeholder.css")" media="all">
+ </head>
+
+ <body>
+ <main class="main">
+ <header>
+ <img class="main-logo" src="$request.getContextPath()#springMessageText("idp.logo", "/images/placeholder-logo.png")" alt="#springMessageText("idp.logo.alt-text", "logo")">
+ </header>
+
+ <section>
+ <h1>#springMessageText("hello-world.greeting", "Greetings"), <em>$encoder.encodeForHTML($subjectContext.getPrincipalName())</em></h1>
+ <p><strong>Authenticated by</strong><br />
+ #foreach ($result in $subjectContext.getAuthenticationResults().entrySet())
+ <small>$encoder.encodeForHTML($result.getKey())</small><br/>
+ #end</p>
+
+ <p><strong>Java Principals in Subjects</strong><br/>
+ #foreach ($s in $subjectContext.getSubjects())
+ #foreach ($p in $s.getPrincipals())
+ <small>$encoder.encodeForHTML($p)</small></br/>
+ #end
+ #end</p>
+
+ #if ($attributeContext && !$attributeContext.getUnfilteredIdPAttributes().isEmpty())
+
+ <p><strong>Attributes</strong><br/>
+ #foreach ($a in $attributeContext.getUnfilteredIdPAttributes())
+ #if (!$a.getValues().isEmpty())
+ <small><strong>$encoder.encodeForHTML($a.getId())</strong></small><br/>
+ #foreach ($v in $a.getValues())
+ <small>$encoder.encodeForHTML($v.getDisplayValue())</small><br/>
+ #end
+ #end
+ #end
+ #end
+ </p>
+
+ <a class="button button--secondary" href="$request.getContextPath()/profile/admin/hello">#springMessageText("hello-world.reload", "Reload the Page")</a>
+ </section>
+ </main>
+ <footer class="footer">
+ <div class="cc">
+ <p>#springMessageText("idp.footer", "Insert your footer text here.")</p>
+ </div>
+ </footer>
+ </body>
+</html>
diff --git a/views/admin/unlock-keys.vm b/views/admin/unlock-keys.vm
deleted file mode 100644
index 3b15f3e..0000000
--- a/views/admin/unlock-keys.vm
+++ /dev/null
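Review bot: The Attributes paragraph is malformed: its `<p><strong>Attributes</strong><br/>` opens inside `#if ($attributeContext && ...)` but the closing `</p>` sits after the fourth `#end`, outside the condition, so a page for a subject with no attributes emits a stray `</p>` while one with attributes gets a correctly closed paragraph. Move the closing tag inside the block so the last two lines read `#end` / `</p>` / `#end` in that order, i.e. close the paragraph before the `#if` ends. In the "Java Principals in Subjects" loop, `<small>$encoder.encodeForHTML($p)</small></br/>` uses the non-existent closing form `</br/>`; it should be `<br/>` like the other loops on the page. Both are output-shape issues only — every interpolated value on the page goes through `$encoder.encodeForHTML`, which is the right call for a page that renders principal names and attribute values.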
@@ -1,96 +0,0 @@ -## -## Velocity Template for Attended Startup Unlock Utility -## -## Velocity context will contain the following properties: -## flowRequestContext - the Spring Web Flow RequestContext -## request - HttpServletRequest -## response - HttpServletResponse -## profileRequestContext -## environment - Spring Environment object for property resolution -## custom - arbitrary object injected by deployer -## -#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service")) -#set ($titleSuffix = $springMacroRequestContext.getMessage("idp.unlock-keys.title", "Attended Restart Key Unlock")) -#set ($eventId = $profileRequestContext.getSubcontext("org.opensaml.profile.context.EventContext").getEvent()) -#set ($state = $flowRequestContext.getCurrentState().getId()) -<!DOCTYPE html> -<html> - <head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width,initial-scale=1.0"> - <title>$title - $titleSuffix</title> - <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css"> - </head> - - <body> - <div class="wrapper"> - <div class="container"> - <header> - <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")"> - <h3>$title - $titleSuffix</h3> - </header> - - <div class="content"> - #if ($state == "end") - <strong>#springMessageText("idp.unlock-keys.complete", "The system is unlocked and ready for use.")</strong> - <p><a href="$request.getContextPath()/profile/SAML2/Unsolicited/SSO?providerId=https://sp.example.org/shibboleth">Validation Link</a></p> - #else - #if ($eventId == "InvalidMessage") - <p class="form-element form-error"> - #springMessageText("idp.unlock-keys.error", "Unlock failed; check log for specific message.") - </p> - <br/><br/> - #end - - <form action="$flowExecutionUrl" method="post"> - - <!-- - If you have multiple key strategies defined, you'll need multiple pairs of form fields for - the passwords, labeled in the 
order they're fed into the shibboleth.unlock-keys.KeyStrategies - bean. If you have none, remove the fields. - --> - - <div class="form-element-wrapper"> - <label for="password">#springMessageText("idp.unlock-keys.keystorePassword", "DataSealer Keystore Password")</label> - <input class="form-element form-field" id="password" name="keystorePassword" type="password"> - </div> - - <div class="form-element-wrapper"> - <label for="password">#springMessageText("idp.unlock-keys.keyPassword", "DataSealer Key Password")</label> - <input class="form-element form-field" id="password" name="keyPassword" type="password"> - </div> - - <!-- - If you have multiple private keys defined, you'll need a form field for each passwords, labeled in the order - they're fed into the shibboleth.unlock-keys.Credentials/PrivateKeys beans. If you have none, remove the fields. - --> - - <div class="form-element-wrapper"> - <label for="password">#springMessageText("idp.unlock-keys.privateKeyPassword", "Private Key Password")</label> - <input class="form-element form-field" id="password" name="privateKeyPassword" type="password"> - </div> - - <div class="form-element-wrapper"> - <button class="form-element form-button" type="submit" name="_eventId_proceed" - >#springMessageText("idp.unlock-keys.unlock", "Unlock")</button> - </div> - - <div class="form-element-wrapper"> - <button class="form-element form-button" type="submit" name="_eventId_cancel" - >#springMessageText("idp.unlock-keys.cancel", "Cancel")</button> - </div> - - </form> - #end - </div> - </div> - - <footer> - <div class="container container-footer"> - <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p> - </div> - </footer> - - </div> - </body> -</html> \ No newline at end of file diff --git a/views/client-storage/client-storage-read.vm b/views/client-storage/client-storage-read.vm index 1993c14..1afe818 100644 --- a/views/client-storage/client-storage-read.vm 
+++ b/views/client-storage/client-storage-read.vm
@@ -17,37 +17,32 @@
 <!DOCTYPE html>
 <html>
 <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width,initial-scale=1.0">
 <title>$title - $titleSuffix</title>
- <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
+ <meta charset="UTF-8" />
+ <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+ <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0">
+ <link rel="stylesheet" type="text/css" href="$request.getContextPath()#springMessageText("idp.css", "/css/placeholder.css")">
 <script>
 <!--
- #include( "client-storage/local-storage-read.js" )
+ #include("client-storage/local-storage-read.js")
 // -->
 </script>
 </head>
- <body onload="doLoad()">
- <div class="wrapper">
- <div class="container">
- <header>
- <h3>$title - $titleSuffix</h3>
- </header>
- <div class="content">
- $springMacroRequestContext.getMessage("idp.client-storage-read.text", "Loading login session information from the browser...")
- </div>
+ <body onload="doLoad()">
+ <main class="main">
+ <section>
+ <h1>$title - $titleSuffix</h1>
+ <p>$springMacroRequestContext.getMessage("idp.client-storage-read.text", "Loading login session information from the browser...")</p>
 <noscript>
- <div class="content">
 $springMacroRequestContext.getMessage("idp.client-storage.no-js", "Since your browser does not support JavaScript, you must press the Continue button once to proceed.")
- </div>
 </noscript>
- #parse( "client-storage/read.vm" )
+ #parse("client-storage/read.vm")
+ </section>
+ </main>
+ <footer class="footer">
+ <div class="cc">
+ <p>#springMessageText("idp.footer", "Insert your footer text here.")</p>
 </div>
- <footer>
- <div class="container container-footer">
- <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
- </div>
- </footer>
- </div>
+ </footer>
 </body>
 </html>
diff --git a/views/client-storage/client-storage-write.vm b/views/client-storage/client-storage-write.vm index 4b92d6b..066cbdb 100644 --- a/views/client-storage/client-storage-write.vm +++ b/views/client-storage/client-storage-write.vm 
@@ -17,37 +17,34 @@ <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> - <meta charset="utf-8" /> - <meta name="viewport" content="width=device-width,initial-scale=1.0"> <title>$title - $titleSuffix</title> - <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css"> + <meta charset="UTF-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> + <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0"> + <link rel="stylesheet" type="text/css" href="$request.getContextPath()#springMessageText("idp.css", "/css/placeholder.css")"> <script> <!-- - #include( "client-storage/local-storage-write.js" ) + #include("client-storage/local-storage-write.js") // --> </script> </head> - <body onload="doSave()"> - <div class="wrapper"> - <div class="container"> - <header> - <h3>$title - $titleSuffix</h3> - </header> - <div class="content"> - $springMacroRequestContext.getMessage("idp.client-storage-write.text", "Saving login session information to the browser...") - </div> + <body onload="doSave()"> + <main class="main"> + <section> + <h1>$title - $titleSuffix</h1> + <p>$springMacroRequestContext.getMessage("idp.client-storage-write.text", "Saving login session information to the browser...")</p> <noscript> <div class="content"> $springMacroRequestContext.getMessage("idp.client-storage.no-js", "Since your browser does not support JavaScript, you must press the Continue button once to proceed.") </div> </noscript> - #parse( "client-storage/write.vm" ) + #parse("client-storage/write.vm") + </section> + </main> + <footer class="footer"> + <div class="cc"> + <p>#springMessageText("idp.footer", "Insert your footer text here.")</p> </div> - <footer> - <div class="container container-footer"> - <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p> - </div> - </footer> - </div> + </footer> </body> </html> \ No newline at end of file 
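Review bot: The `<noscript>` block keeps its `<div class="content">` wrapper as context here, while the parallel client-storage-read.vm hunk removes that wrapper and every other `content`/`container` class is dropped from both templates, so the leftover div will presumably be unstyled under the new stylesheet and the two pages render the no-JS message differently. Drop the `<div class="content">` and matching `</div>` lines inside `<noscript>` as read.vm does. The root element also differs between the two templates (`<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">` here, bare `<html>` in read.vm); that is pre-existing, but worth aligning while both files are being restyled.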
diff --git a/views/duo.vm b/views/duo.vm
deleted file mode 100644
index cf4f96a..0000000
--- a/views/duo.vm
+++ /dev/null
@@ -1,83 +0,0 @@ -## -## Velocity Template for Duo login view-state -## -## Velocity context will contain the following properties -## flowExecutionUrl - the form action location -## flowRequestContext - the Spring Web Flow RequestContext -## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) -## profileRequestContext - root of context tree -## authenticationContext - context with authentication request information -## rpUIContext - the context with SP UI information from the metadata -## canonicalUsername - name of user passed to Duo -## duoHost - API hostname for Duo frame -## duoRequest - signed Duo request message -## duoScriptPath - path to Duo JavaScript source -## encoder - HTMLEncoder class -## request - HttpServletRequest -## response - HttpServletResponse -## environment - Spring Environment object for property resolution -## custom - arbitrary object injected by deployer -## -<!DOCTYPE html> -<html> -<head> - <meta http-equiv="X-UA-Compatible" content="IE=edge"> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1.0"> - <title>#springMessageText("idp.title", "Web Login Service")</title> - <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css"> - <style> - #duo_iframe { - width: 100%; - min-width: 304px; - max-width: 620px; - height: 330px; - } - </style> -</head> -<body> - <div class="wrapper"> - <div class="container"> - <header> - <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")"> - </header> - - <div class="content"> - <div class="column one"> - - <h3>#springMessageText("idp.login.duoRequired", "Authentication with Duo is required for the requested service.")</h3> - - <noscript>#springMessageText("idp.login.duoNoScript", "The Duo service requires JavaScript.")</noscript> - <script src="$request.getContextPath()$duoScriptPath"></script> - <iframe id="duo_iframe" - data-host="$duoHost" 
- data-sig-request="$duoRequest" - data-post-action="$flowExecutionUrl" - frameborder="0" - > - </iframe> - <form id="duo_form" method="post"> - <input type="hidden" name="_eventId" value="proceed" /> - - </form> - - <h3 style="text-align: center"> - <a href="$flowExecutionUrl&_eventId=cancel">#springMessageText("idp.login.duoCancel", "Cancel this Request")</a> - </h3> - </div> - <div class="column two"> - <ul class="list list-help"> - <li class="list-help-item"><a href="#springMessageText("idp.url.helpdesk", "#")"><span class="item-marker">›</span> #springMessageText("idp.login.needHelp", "Need Help?")</a></li> - </ul> - </div> - </div> - </div> - - <footer> - <div class="container container-footer"> - <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p> - </div> - </footer> - </div> -</body> -</html> diff --git a/views/error.vm b/views/error.vm index dcb8e2b..0f01e89 100644 --- a/views/error.vm +++ b/views/error.vm @@ -1,7 +1,10 @@ ## ## Velocity Template for error end-state ## -## Velocity context will contain the following properties +## Velocity context will contain the following variables during controlled errors. +## Some error paths involve runtime exceptions handled outside Spring Web Flow by the +## MVC layer and will not generally populate most of these variables. +## ## flowRequestContext - the Spring Web Flow RequestContext ## profileRequestContext - root of context tree ## encoder - HTMLEncoder class 
@@ -34,40 +37,38 @@ #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "error")) #set ($titleSuffix = $springMacroRequestContext.getMessage("${eventKey}.title", "$defaultTitleSuffix")) #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "$defaultTitleSuffix: $eventId")) + $response.setStatus(500) #else ## This is a catch-all that theoretically shouldn't happen? #set ($titleSuffix = $defaultTitleSuffix) #set ($message = $springMacroRequestContext.getMessage("idp.message", "An unidentified error occurred.")) + $response.setStatus(500) #end ## <!DOCTYPE html> <html> <head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width,initial-scale=1.0"> - <title>$title - $titleSuffix</title> - <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css"> + <meta charset="UTF-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> + <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0"> + <link rel="stylesheet" type="text/css" href="$request.getContextPath()#springMessageText("idp.css", "/css/placeholder.css")"> </head> <body> - <div class="wrapper"> - <div class="container"> - <header> - <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")"> - <h3>$title - $titleSuffix</h3> - </header> - - <div class="content"> - #evaluate($message) + <main class="main"> + <header> + <img class="main-logo" src="$request.getContextPath()#springMessageText("idp.logo", "/images/placeholder-logo.png")" alt="#springMessageText("idp.logo.alt-text", "logo")" /> + </header> + + <section> + <h1>$title - $titleSuffix</h1> + <p>#evaluate($message)</p> + </section> + </main> + <footer class="footer"> + <div class="cc"> + <p>#springMessageText("idp.footer", "Insert your footer text here.")</p> </div> - </div> - - <footer> - <div class="container container-footer"> - <p 
class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p> - </div> - </footer> - - </div> + </footer> </body> -</html> \ No newline at end of file +</html> diff --git a/views/intercept/attribute-release.vm b/views/intercept/attribute-release.vm deleted file mode 100644 index 20bde46..0000000 --- a/views/intercept/attribute-release.vm +++ /dev/null 
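Review bot: The new `<head>` has no `<title>` element at all — the removed `<title>$title - $titleSuffix</title>` is never re-added even though `$titleSuffix` is still computed above and used in the `<h1>` — so every error page ships with an empty browser title and fails HTML validation. Re-add it after the charset meta: `<title>$title - $titleSuffix</title>`. The two `$response.setStatus(500)` calls also report a server fault for every classified event that reaches these branches, including ones that describe a bad request; unless the branches above the hunk already assign 4xx codes for those (the start of that `#if` chain is outside the hunk), consider mapping them so monitoring and log triage do not count client errors as outages. Wrapping `#evaluate($message)` in `<p>` assumes the evaluated message contains only phrasing content; a message holding block markup would produce invalid nesting.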
@@ -1,159 +0,0 @@ -## -## Velocity Template for DisplayAttributeReleasePage view-state -## -## Velocity context will contain the following properties : -## -## attributeReleaseContext - context holding consentable attributes -## attributeReleaseFlowDescriptor - attribute consent flow descriptor -## attributeDisplayNameFunction - function to display attribute name -## attributeDisplayDescriptionFunction - function to display attribute description -## consentContext - context representing the state of a consent flow -## encoder - HTMLEncoder class -## flowExecutionKey - SWF execution key (this is built into the flowExecutionUrl) -## flowExecutionUrl - form action location -## flowRequestContext - Spring Web Flow RequestContext -## profileRequestContext - OpenSAML profile request context -## request - HttpServletRequest -## response - HttpServletResponse -## rpUIContext - context with SP UI information from the metadata -## environment - Spring Environment object for property resolution -#set ($serviceName = $rpUIContext.serviceName) -#set ($serviceDescription = $rpUIContext.serviceDescription) -#set ($informationURL = $rpUIContext.informationURL) -#set ($privacyStatementURL = $rpUIContext.privacyStatementURL) -#set ($rpOrganizationLogo = $rpUIContext.getLogo()) -#set ($rpOrganizationName = $rpUIContext.organizationName) -#set ($replaceDollarWithNewline = true) -## -<!DOCTYPE html> -<html> - <head> - <meta charset="UTF-8"> - <meta name="viewport" content="width=device-width,initial-scale=1.0"> - <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/consent.css"> - <title>#springMessageText("idp.attribute-release.title", "Information Release")</title> - </head> - <body> - <form action="$flowExecutionUrl" method="post" style="padding:10px" > - <div class="box"> - <header> - <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")" class="federation_logo"> - #if ($rpOrganizationLogo) - <img 
src="$encoder.encodeForHTMLAttribute($rpOrganizationLogo)" alt="logo for $encoder.encodeForHTMLAttribute($serviceName)" class="organization_logo"> - #end - </header> - #if ($serviceName) - <p style="margin-top: 70px;"> - #springMessageText("idp.attribute-release.serviceNameLabel", "You are about to access the service:")<br> - <span class="service_name">$serviceName</span> - #if ($rpOrganizationName) - #springMessageText("idp.attribute-release.of", "of") <span class="organization_name">$encoder.encodeForHTML($rpOrganizationName)</span> - #end - </p> - #end - #if ($serviceDescription) - <p style="margin-top: 10px;"> - #springMessageText("idp.attribute-release.serviceDescriptionLabel", "Description as provided by this service:")<br> - <span class="service_description">$encoder.encodeForHTML($serviceDescription)</span> - <br> - </p> - #end - #if ($informationURL) - <p style="margin-top: 10px;"> - <a href="$informationURL">#springMessageText("idp.attribute-release.informationURLLabel", "Additional information about the service")</a> - </p> - #end - <div id="attributeRelease"> - <table> - <thead> - <tr> - <th colspan="3"> - #springMessageText("idp.attribute-release.attributesHeader", "Information to be Provided to Service") - </th> - </tr> - </thead> - <tbody> - #foreach ($attribute in $attributeReleaseContext.getConsentableAttributes().values()) - <tr> - <td>$encoder.encodeForHTML($attributeDisplayNameFunction.apply($attribute))</td> - <td> - #foreach ($value in $attribute.values) - #if ($replaceDollarWithNewline) - #set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue()).replaceAll($encoder.encodeForHTML("$"),"<br>")) - #else - #set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue())) - #end - #if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled) - <label for="$attribute.id"><strong>$encodedValue</strong></label> - #else - <strong>$encodedValue</strong> - #end - <br> - #end - </td> - <td style="vertical-align: top"> - #if 
($attributeReleaseFlowDescriptor.perAttributeConsentEnabled) - #set ($inputType = "checkbox") - #else - #set ($inputType = "hidden") - #end - <input id="$attribute.id" type="$inputType" name="_shib_idp_consentIds" value="$encoder.encodeForHTML($attribute.id)" checked> - </td> - </tr> - #end - </tbody> - </table> - </div> - #if ($privacyStatementURL) - <p style="margin-top: 10px;"> - <a href="$privacyStatementURL">#springMessageText("idp.attribute-release.privacyStatementURLLabel", "Data privacy information of the service")</a> - </p> - #end - <div style="float:left;"> - <p> - #springMessageText("idp.attribute-release.confirmationQuestion", "The information above would be shared with the service if you proceed. Do you agree to release this information to the service every time you access it?") - </p> - #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) - <div id="generalConsentDiv" style="display: block; background-color: #F6F6F6;border: 1px gray solid; padding: 10px; width: 92%;"> - #springMessageText("idp.attribute-release.consentMethod", "Select an information release consent duration:") - #end - #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed) - <p> - <input id="_shib_idp_doNotRememberConsent" type="radio" name="_shib_idp_consentOptions" value="_shib_idp_doNotRememberConsent"> - <label for="_shib_idp_doNotRememberConsent">#springMessageText("idp.attribute-release.doNotRememberConsent", "Ask me again at next login")</label> - <ul> - <li>#springMessageText("idp.attribute-release.doNotRememberConsentItem", "I agree to send my information this time.")</li> - </ul> - </p> - #end - #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) - <p> - <input id="_shib_idp_rememberConsent" type="radio" name="_shib_idp_consentOptions" value="_shib_idp_rememberConsent" checked> - <label 
for="_shib_idp_rememberConsent">#springMessageText("idp.attribute-release.rememberConsent", "Ask me again if information changes")</label> - <ul> - <li>#springMessageText("idp.attribute-release.rememberConsentItem", "I agree that the same information will be sent automatically to this service in the future.")</li> - </ul> - </p> - #end - #if ($attributeReleaseFlowDescriptor.globalConsentAllowed) - <p> - <input id="_shib_idp_globalConsent" type="radio" name="_shib_idp_consentOptions" value="_shib_idp_globalConsent"> - <label for="_shib_idp_globalConsent">#springMessageText("idp.attribute-release.globalConsent", "Do not ask me again")</label> - <ul> - <li>#springMessageText("idp.attribute-release.globalConsentItem", "I agree that <strong>all</strong> of my information will be released to <strong>any</strong> service.")</li> - </ul> - </p> - #end - #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) - #springMessageText("idp.attribute-release.consentMethodRevoke", "This setting can be revoked at any time with the checkbox on the login page.") - </div> - #end - <p style="text-align: center;"> - <input type="submit" name="_eventId_AttributeReleaseRejected" value="#springMessageText("idp.attribute-release.reject", "Reject")" style="margin-right: 30px;"> - <input type="submit" name="_eventId_proceed" value="#springMessageText("idp.attribute-release.accept", "Accept")"> - </p> - </div> - </div> - </form> - </body> -</html> diff --git a/views/intercept/expiring-password.vm b/views/intercept/expiring-password.vm deleted file mode 100644 index 4395844..0000000 --- a/views/intercept/expiring-password.vm +++ /dev/null 
@@ -1,54 +0,0 @@ -## -## Velocity Template for expiring password view -## -## Velocity context will contain the following properties -## flowExecutionUrl - the form action location -## flowRequestContext - the Spring Web Flow RequestContext -## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) -## profileRequestContext - root of context tree -## authenticationContext - context with authentication request information -## authenticationErrorContext - context with login error state -## authenticationWarningContext - context with login warning state -## ldapResponseContext - context with LDAP state (if using native LDAP) -## encoder - HTMLEncoder class -## request - HttpServletRequest -## response - HttpServletResponse -## environment - Spring Environment object for property resolution -## custom - arbitrary object injected by deployer -## -<!DOCTYPE html> -<html> - <head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width,initial-scale=1.0"> - <title>#springMessageText("idp.title", "Web Login Service")</title> - <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css"> - <meta http-equiv="refresh" content="20;url=$flowExecutionUrl&_eventId_proceed=1"> - </head> - - <body> - <div class="wrapper"> - <div class="container"> - <header> - <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")"> - <h3>#springMessageText("idp.login.expiringSoon", "Your password will be expiring soon!")</h3> - </header> - - <div class="content"> - <p>#springMessageText("idp.login.changePassword", "To create a new password now, go to") - <strong><a href="#" target="_blank">#</a></strong>.</p> - <p>#springMessageText("idp.login.proceedBegin", "Your login will proceed in 20 seconds or you may click") - <strong><a href="$flowExecutionUrl&_eventId_proceed=1">#springMessageText("idp.login.proceedHere", "here")</a></strong> - 
#springMessageText("idp.login.proceedEnd", "to continue").</p> - </div> - </div> - - <footer> - <div class="container container-footer"> - <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p> - </div> - </footer> - - </div> - </body> -</html> \ No newline at end of file diff --git a/views/intercept/impersonate.vm b/views/intercept/impersonate.vm deleted file mode 100644 index 2bae957..0000000 --- a/views/intercept/impersonate.vm +++ /dev/null 
@@ -1,90 +0,0 @@ -## -## Velocity Template for expiring password view -## -## Velocity context will contain the following properties -## flowExecutionUrl - the form action location -## flowRequestContext - the Spring Web Flow RequestContext -## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) -## profileRequestContext - root of context tree -## rpUIContext - the context with SP UI information from the metadata -## encoder - HTMLEncoder class -## request - HttpServletRequest -## response - HttpServletResponse -## environment - Spring Environment object for property resolution -## custom - arbitrary object injected by deployer -## -#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext')) -<!DOCTYPE html> -<html> - <head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width,initial-scale=1.0"> - <title>#springMessageText("idp.title", "Web Login Service")</title> - <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css"> - </head> - - <body> - <div class="wrapper"> - <div class="container"> - <header> - <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")"> - <h3>#springMessageText("idp.impersonate.header", "Account Impersonation")</h3> - </header> - - <div class="content"> - - <form action="$flowExecutionUrl" method="post"> - - #set ($serviceName = $rpUIContext.serviceName) - #if ($serviceName && !$rpContext.getRelyingPartyId().contains($serviceName)) - <legend> - $encoder.encodeForHTML($serviceName) - </legend> - #end - - <legend> - #springMessageText("idp.impersonate.text", "Enter an account name to impersonate to this service or continue normally.") - </legend> - - <div class="form-element-wrapper"> - <label for="impersonation">#springMessageText("idp.impersonate.login-as", "Login as")</label> - <input class="form-element form-field" id="impersonation" 
name="principal" type="text"> - - <!-- Defaults to input box above, example below populates a select list from an IdPAttribute. --> - <!-- - #set ($attributeContext = $rpContext.getSubcontext('net.shibboleth.idp.attribute.context.AttributeContext')) - #set ($usernamesAttribute = $attributeContext.getUnfilteredIdPAttributes().get("impersonatableUsernames")) - <select class="form-element form-field" id="impersonation" name="principal"> - #if ($usernamesAttribute) - #foreach ($username in $usernamesAttribute.getValues()) - <option value="$encoder.encodeForHTML($username.getValue())">$encoder.encodeForHTML($username.getValue())</option> - #end - #end - </select> - --> - </div> - - <div class="form-element-wrapper"> - <button class="form-element form-button" type="submit" name="_eventId_impersonate" - >#springMessageText("idp.impersonate.impersonate", "Impersonate")</button> - </div> - - <div class="form-element-wrapper"> - <button class="form-element form-button" type="submit" name="_eventId_proceed" - >#springMessageText("idp.impersonate.continue", "Continue Normally")</button> - </div> - - </form> - - </div> - </div> - - <footer> - <div class="container container-footer"> - <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p> - </div> - </footer> - - </div> - </body> -</html> \ No newline at end of file diff --git a/views/intercept/terms-of-use.vm b/views/intercept/terms-of-use.vm deleted file mode 100644 index 1bf12c7..0000000 --- a/views/intercept/terms-of-use.vm +++ /dev/null 
@@ -1,67 +0,0 @@ -## -## Velocity Template for DisplayTermsOfUsePage view-state -## -## Velocity context will contain the following properties : -## -## encoder - HTMLEncoder class -## flowExecutionKey - SWF execution key (this is built into the flowExecutionUrl) -## flowExecutionUrl - form action location -## flowRequestContext - Spring Web Flow RequestContext -## request - HttpServletRequest -## response - HttpServletResponse -## rpUIContext - context with SP UI information from the metadata -## termsOfUseId - terms of use ID to lookup message strings -## environment - Spring Environment object for property resolution -#set ($serviceName = $rpUIContext.serviceName) -#set ($rpOrganizationLogo = $rpUIContext.getLogo()) -## -<!DOCTYPE html> -<html> - <head> - <meta charset="UTF-8"> - <meta name="viewport" content="width=device-width,initial-scale=1.0"> - <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/consent.css"> - <title>#springMessageText("${termsOfUseId}.title", "Terms of Use")</title> - </head> - <body> - <div class="box"> - <header> - <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")" class="federation_logo"> - #if ($rpOrganizationLogo) - <img src="$encoder.encodeForHTMLAttribute($rpOrganizationLogo)" alt="$encoder.encodeForHTMLAttribute($serviceName)" class="organization_logo"> - #end - </header> - #if ($rpOrganizationLogo) - <div style="float:left;"> - <h1>#springMessageText("${termsOfUseId}.title", "Terms of Use")</h1> - </div> - #end - <div id="tou-content"> - #springMessageText("${termsOfUseId}.text", "Terms of Use Text...") - </div> - <div id="tou-acceptance"> - <div style="float:left;"> - <form action="$flowExecutionUrl" method="post" > - <input type="submit" name="_eventId_TermsRejected" value="#springMessageText("idp.terms-of-use.reject", "Refuse")" style="margin-right: 30px;"> - </form> - </div> - <div style="float:right;"> - <form action="$flowExecutionUrl" 
method="post" > - <input id="accept" type="checkbox" name="_shib_idp_consentIds" value="$encoder.encodeForHTML($termsOfUseId)" required> - <label for="accept">#springMessageText("idp.terms-of-use.accept", "I accept the terms of use")</label> - #if ($requireCheckbox) - <p class="form-error">#springMessageText("idp.terms-of-use.required", "Please check this box if you want to proceed.")</p> - #end - <input type="submit" name="_eventId_proceed" value="#springMessageText("idp.terms-of-use.submit", "Submit")"> - </form> - </div> - <div style="clear:both;"></div> - </div> - <footer> - <div class="container container-footer"> - <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p> - </div> - </footer> - </div> - </body> -</html> diff --git a/views/login-error.vm b/views/login-error.vm index 44676b3..4a9e641 100644 --- a/views/login-error.vm +++ b/views/login-error.vm 
@@ -2,11 +2,13 @@
 ##
 ## authenticationErrorContext - context containing error data, if available
 ##
-#if ($authenticationErrorContext && $authenticationErrorContext.getClassifiedErrors().size() > 0 && $authenticationErrorContext.getClassifiedErrors().iterator().next() != "ReselectFlow")
+#if ($authenticationErrorContext && $authenticationErrorContext.getClassifiedErrors().size() > 0 && !$authenticationErrorContext.getClassifiedErrors().contains('AuthenticationException'))
 ## This handles errors that are classified by the message maps in the authentication config.
 #set ($eventId = $authenticationErrorContext.getClassifiedErrors().iterator().next())
- #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "login"))
- #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "Login Failure: $eventId"))
+ #if ($eventId != "ReselectFlow")
+ #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "authn"))
+ #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "Login Failure: $eventId"))
+ #end
 #elseif ($authenticationErrorContext && $authenticationErrorContext.getExceptions().size() > 0)
 ## This handles login exceptions that are left unclassified.
 #set ($loginException = $authenticationErrorContext.getExceptions().get(0))
@@ -18,7 +20,5 @@
 #end
 
 #if ($message)
- <section>
- <p class="form-element form-error">$encoder.encodeForHTML($message)</p>
- </section>
+ <p class="output-message output--error">$encoder.encodeForHTML($message)</p>
 #end
diff --git a/views/login.vm b/views/login.vm
index 4ebf9bf..20ed38e 100644
--- a/views/login.vm
+++ b/views/login.vm
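Review bot: When `ReselectFlow` is the first classified error, the outer `#if` still matches and the inner `#if ($eventId != "ReselectFlow")` leaves `$message` unset, so nothing is shown even if the same set holds a real classified error or the context also carries unclassified exceptions; the previous condition at least fell through to the `#elseif` exception branch. If the set can hold more than one entry, exclude `ReselectFlow` in the outer condition the way `'AuthenticationException'` now is, or iterate the set instead of taking `iterator().next()`. The fallback message prefix also changes from `login` to `authn` (`getMessage("$eventId", "authn")`), which silently alters which `*.message` key deployers must customize; a line in the template header or commit message would help.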
@@ -11,134 +11,96 @@ ## authenticationWarningContext - context with login warning state ## ldapResponseContext - context with LDAP state (if using native LDAP) ## rpUIContext - the context with SP UI information from the metadata -## extendedAuthenticationFlows - collection of "extended" AuthenticationFlowDescriptor objects -## passwordPrincipals - contents of the shibboleth.authn.Password.PrincipalOverride bean ## encoder - HTMLEncoder class ## request - HttpServletRequest ## response - HttpServletResponse ## environment - Spring Environment object for property resolution ## custom - arbitrary object injected by deployer ## -#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext')) +#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.profile.context.RelyingPartyContext')) #set ($username = $authenticationContext.getSubcontext('net.shibboleth.idp.authn.context.UsernamePasswordContext', true).getUsername()) -#set ($passwordEnabled = false) -#if (!$passwordPrincipals or $passwordPrincipals.isEmpty() or $authenticationContext.isAcceptable($passwordPrincipals)) - #set ($passwordEnabled = true) -#end ## <!DOCTYPE html> <html> <head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width,initial-scale=1.0"> <title>#springMessageText("idp.title", "Web Login Service")</title> - <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css"> + <meta charset="UTF-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> + <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0"> + <link rel="stylesheet" type="text/css" href="$request.getContextPath()#springMessageText("idp.css", "/css/placeholder.css")"> </head> <body> - <div class="wrapper"> - <div class="container"> - <header> - <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")"> - </header> - - 
<div class="content"> - <div class="column one"> - #parse("login-error.vm") + <main class="main"> + <header> + <img class="main-logo" src="$request.getContextPath()#springMessageText("idp.logo", "/images/placeholder-logo.png")" alt="#springMessageText("idp.logo.alt-text", "logo")" /> + + #set ($serviceName = $rpUIContext.serviceName) + #if ($serviceName && !$rpContext.getRelyingPartyId().contains($serviceName)) + <h1>#springMessageText("idp.login.loginTo", "Login to") $encoder.encodeForHTML($serviceName)</h1> + #end + </header> + + <section> + <form action="$flowExecutionUrl" method="post"> + #parse("csrf/csrf.vm") - <form action="$flowExecutionUrl" method="post"> + #* + // + // SP Description & Logo (optional) + // These idpui lines will display added information (if available + // in the metadata) about the Service Provider (SP) that requested + // authentication. These idpui lines are "active" in this example + // (not commented out) - this extra SP info will be displayed. + // Remove or comment out these lines to stop the display of the + // added SP information. 
+ // + *# + #set ($logo = $rpUIContext.getLogo()) + #if ($logo) + <img class="service-logo" src= "$encoder.encodeForHTMLAttribute($logo)" alt="$encoder.encodeForHTMLAttribute($serviceName)"> + #end + #set ($desc = $rpUIContext.getServiceDescription()) + #if ($desc) + <p>$encoder.encodeForHTML($desc)</p> + #end + + #parse("login-error.vm") - #set ($serviceName = $rpUIContext.serviceName) - #if ($serviceName && !$rpContext.getRelyingPartyId().contains($serviceName)) - <legend> - #springMessageText("idp.login.loginTo", "Login to") $encoder.encodeForHTML($serviceName) - </legend> - #end + <label for="username">#springMessageText("idp.login.username", "Username")</label> + <input id="username" name="j_username" type="text" + value="#if($username)$encoder.encodeForHTML($username)#end" /> - #if ($passwordEnabled) - <div class="form-element-wrapper"> - <label for="username">#springMessageText("idp.login.username", "Username")</label> - <input class="form-element form-field" id="username" name="j_username" type="text" - value="#if($username)$encoder.encodeForHTML($username)#end"> - </div> - - <div class="form-element-wrapper"> - <label for="password">#springMessageText("idp.login.password", "Password")</label> - <input class="form-element form-field" id="password" name="j_password" type="password" value=""> - </div> - - ## You may need to modify this to taste, such as changing the flow name its checking for to authn/MFA. 
- #if (!$authenticationContext.getActiveResults().containsKey('authn/Password')) - <div class="form-element-wrapper"> - <input type="checkbox" name="donotcache" value="1" id="donotcache"> - <label for="donotcache">#springMessageText("idp.login.donotcache", "Don't Remember Login")</label> - </div> - #end - - #end - - <div class="form-element-wrapper"> - <input id="_shib_idp_revokeConsent" type="checkbox" name="_shib_idp_revokeConsent" value="true"> - <label for="_shib_idp_revokeConsent">#springMessageText("idp.attribute-release.revoke", "Clear prior granting of permission for release of your information to this service.")</label> - </div> - - #if ($passwordEnabled) - <div class="form-element-wrapper"> - <button class="form-element form-button" type="submit" name="_eventId_proceed" - onClick="this.childNodes[0].nodeValue='#springMessageText("idp.login.pleasewait", "Logging in, please wait...")'" - >#springMessageText("idp.login.login", "Login")</button> - </div> - #end - - #foreach ($extFlow in $extendedAuthenticationFlows) - #if ($authenticationContext.isAcceptable($extFlow) and $extFlow.apply(profileRequestContext)) - <div class="form-element-wrapper"> - <button class="form-element form-button" type="submit" name="_eventId_$extFlow.getId()"> - #springMessageText("idp.login.$extFlow.getId().replace('authn/','')", $extFlow.getId().replace('authn/','')) - </button> - </div> - #end - #end - </form> - - #* - // - // SP Description & Logo (optional) - // These idpui lines will display added information (if available - // in the metadata) about the Service Provider (SP) that requested - // authentication. These idpui lines are "active" in this example - // (not commented out) - this extra SP info will be displayed. - // Remove or comment out these lines to stop the display of the - // added SP information. 
- // - *# - #set ($logo = $rpUIContext.getLogo()) - #if ($logo) - <img src= "$encoder.encodeForHTMLAttribute($logo)" - alt="$encoder.encodeForHTMLAttribute($serviceName)"> - #end - #set ($desc = $rpUIContext.getServiceDescription()) - #if ($desc) - $encoder.encodeForHTML($desc) - #end - - </div> - <div class="column two"> - <ul class="list list-help"> - #if ($passwordEnabled) - <li class="list-help-item"><a href="#springMessageText("idp.url.password.reset", "#")"><span class="item-marker">›</span> #springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li> - #end - <li class="list-help-item"><a href="#springMessageText("idp.url.helpdesk", "#")"><span class="item-marker">›</span> #springMessageText("idp.login.needHelp", "Need Help?")</a></li> - </ul> - </div> - </div> - </div> - - <footer> - <div class="container container-footer"> - <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p> - </div> - </footer> - </div> + <label for="password">#springMessageText("idp.login.password", "Password")</label> + <input type="password" name="j_password" id="password" value="" /> + + ## You may need to modify this to taste, such as changing the flow name checked to authn/MFA. 
+ #if (!$authenticationContext.getActiveResults().containsKey('authn/Password')) + <input type="checkbox" name="donotcache" value="1" id="donotcache" /> + <label for="donotcache">#springMessageText("idp.login.donotcache", "Don't Remember Login")</label> + #end + + <input id="_shib_idp_revokeConsent" type="checkbox" name="_shib_idp_revokeConsent" value="true" /> + <label for="_shib_idp_revokeConsent">#springMessageText("idp.attribute-release.revoke", "Clear prior granting of permission for release of your information to this service.")</label> + + <div class="grid"> + <div class="grid-item"> + <button type="submit" name="_eventId_proceed" + onClick="this.childNodes[0].nodeValue='#springMessageText("idp.login.pleasewait", "Logging in, please wait...")'" + >#springMessageText("idp.login.login", "Login")</button> + </div> + </div> + </form> - </body> + <ul> + <li><a href="#springMessageText("idp.url.password.reset", '#')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li> + <li><a href="#springMessageText("idp.url.helpdesk", '#')">#springMessageText("idp.login.needHelp", "Need Help?")</a></li> + </ul> + </section> + </main> + <footer class="footer"> + <div class="cc"> + <p>#springMessageText("idp.footer", "Insert your footer text here.")</p> + </div> + </footer> + </body> </html> \ No newline at end of file diff --git a/views/logout-complete.vm b/views/logout-complete.vm index d780252..2d332ea 100644 --- a/views/logout-complete.vm +++ b/views/logout-complete.vm 
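Review bot: The rebuilt username and password inputs carry no `autocomplete` hints, so browsers and password managers have to guess which field is which; add `autocomplete="username"` to the `j_username` input and `autocomplete="current-password"` to the `j_password` input. The retained `onClick` handler splices `#springMessageText("idp.login.pleasewait", ...)` into a single-quoted JavaScript string with no JavaScript escaping, so a translated message containing an apostrophe breaks the handler, and handler attributes are hard to allow under any script-src CSP a deployer adds. Carrying the wait text in a data attribute (the same attribute context the template already uses for `alt`) and swapping it from a small script avoids both the JavaScript-string problem and the handler attribute, as sketched below. Lastly, `src= "$encoder.encodeForHTMLAttribute($logo)"` has a stray space after `src=`, and since the logo URL comes from SP metadata, attribute encoding stops attribute injection but does not constrain the URL scheme — acceptable only if `getLogo()` already limits it to http(s), which is not visible here.
```velocity
<button type="submit" name="_eventId_proceed" id="login-button"
    data-wait-text="#springMessageText("idp.login.pleasewait", "Logging in, please wait...")"
    >#springMessageText("idp.login.login", "Login")</button>
## … unchanged: closing grid/form markup and help links …
<script>
    document.getElementById('login-button').addEventListener('click', function () {
        this.textContent = this.dataset.waitText;
    });
</script>
```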
@@ -14,46 +14,48 @@ ## environment - Spring Environment object for property resolution ## custom - arbitrary object injected by deployer ## +#set ($activeIdPSessions = $logoutContext and !$logoutContext.getIdPSessions().isEmpty()) +#set ($activeSPSessions = $logoutContext and !$logoutContext.getSessionMap().isEmpty()) <!DOCTYPE html> <html> <head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width,initial-scale=1.0"> <title>#springMessageText("idp.title", "Web Login Service")</title> - <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css"> + <meta charset="UTF-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> + <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0"> + <link rel="stylesheet" type="text/css" href="$request.getContextPath()#springMessageText("idp.css", "/css/placeholder.css")"> </head> <body> - <div class="wrapper"> - <div class="container"> - <header> - <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")"> - </header> - - <div class="content"> - <div class="column one"> - <p>#springMessageText("idp.logout.local", "You elected not to log out of all the applications accessed during your session.")</p> - </div> - <div class="column two"> - <ul class="list list-help"> - <li class="list-help-item"><a href="#springMessageText("idp.url.password.reset", "#")"><span class="item-marker">›</span> #springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li> - <li class="list-help-item"><a href="#springMessageText("idp.url.helpdesk", "#")"><span class="item-marker">›</span> #springMessageText("idp.login.needHelp", "Need Help?")</a></li> - </ul> - </div> - </div> - </div> - - <!-- If SAML logout, complete the flow by adding a hidden iframe. 
--> - #if ( $profileRequestContext.getProfileId().contains("saml2/logout") ) - <iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed"></iframe> - #end - - <footer> - <div class="container container-footer"> - <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p> - </div> - </footer> - </div> - + <main class="main"> + <header> + <img class="main-logo" src="$request.getContextPath()#springMessageText("idp.logo", "/images/placeholder-logo.png")" alt="#springMessageText("idp.logo.alt-text", "logo")" /> + </header> + + <section> + #if ($activeIdPSessions) + <h2>#springMessageText("idp.logout.cancelled", "Logout has been cancelled.")</h2> + #elseif ($activeSPSessions) + <p>#springMessageText("idp.logout.local", "You elected not to log out of all the applications accessed during your session.")</p> + #else + <p>#springMessageText("idp.logout.complete", "The logout operation is complete, and no other services appear to have been accessed during this session.")</p> + #end + + <ul> + <li><a href="#springMessageText("idp.url.password.reset", '#')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li> + <li><a href="#springMessageText("idp.url.helpdesk", '#')">#springMessageText("idp.login.needHelp", "Need Help?")</a></li> + </ul> + + <!-- If SAML logout, complete the flow by adding a hidden iframe. --> + #if ( $profileRequestContext.getProfileId().contains("saml2/logout") ) + <iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed"></iframe> + #end + </section> + </main> + <footer class="footer"> + <div class="cc"> + <p>#springMessageText("idp.footer", "Insert your footer text here.")</p> + </div> + </footer> </body> </html> \ No newline at end of file diff --git a/views/logout-propagate.vm b/views/logout-propagate.vm index 86b3fa1..ab73382 100644 --- a/views/logout-propagate.vm +++ b/views/logout-propagate.vm 
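Review bot: The two new `#set` flags at the top of the template are not listed in the header comment that documents the view's variables, so a deployer editing this page has to reverse-engineer `$activeIdPSessions` and `$activeSPSessions` from the `#if` chain; add `## activeIdPSessions - IdP session(s) still present, i.e. the logout was cancelled` and `## activeSPSessions - service sessions still present, i.e. only the IdP session was ended` to that comment block. The `#if`/`#elseif` order makes the "cancelled" heading win when both flags are true, which is worth stating in the same comment. Separately, the hidden `<iframe>` still places `$flowExecutionUrl` into `src` without attribute encoding; if `$encoder` is in this view's context as it is in logout.vm, `src="$encoder.encodeForHTMLAttribute($flowExecutionUrl)&_eventId=proceed"` would match how the other views encode output.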
@@ -16,43 +16,42 @@ ## environment - Spring Environment object for property resolution ## custom - arbitrary object injected by deployer ## +#set ($hidden = $environment.getProperty("idp.logout.propagationHidden", "false")) <!DOCTYPE html> <html> <head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width,initial-scale=1.0"> <title>#springMessageText("idp.title", "Web Login Service")</title> - <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css"> + <meta charset="UTF-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> + <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0"> + <link rel="stylesheet" type="text/css" href="$request.getContextPath()#springMessageText("idp.css", "/css/placeholder.css")"> <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/logout.css"> </head> <body> - <div class="wrapper"> - <div class="container"> - <header> - <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")"> - </header> - - <div class="content"> - <div class="column one"> - <p>#springMessageText("idp.logout.attempt", "Attempting to log out of the following services:")</p> - #parse("logout/propagate.vm") - </div> - <div class="column two"> - <ul class="list list-help"> - <li class="list-help-item"><a href="#springMessageText("idp.url.password.reset", "#")"><span class="item-marker">›</span> #springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li> - <li class="list-help-item"><a href="#springMessageText("idp.url.helpdesk", "#")"><span class="item-marker">›</span> #springMessageText("idp.login.needHelp", "Need Help?")</a></li> - </ul> - </div> - </div> - </div> - - <footer> - <div class="container container-footer"> - <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p> - </div> - </footer> - </div> - + <main class="main"> + 
<header> + <img class="main-logo" src="$request.getContextPath()#springMessageText("idp.logo", "/images/placeholder-logo.png")" alt="#springMessageText("idp.logo.alt-text", "logo")" /> + </header> + + <section> + #if($hidden == "true") + <p>#springMessageText("idp.logout.hidden", "Your single sign-on session has been terminated, but you are still logged into many of the services you have accessed during your session.")</p> + #else + <h1>#springMessageText("idp.logout.attempt", "Attempting to log out of the following services:")</h1> + #end + #parse("logout/propagate.vm") + + <ul> + <li><a href="#springMessageText("idp.url.password.reset", '#')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li> + <li><a href="#springMessageText("idp.url.helpdesk", '#')">#springMessageText("idp.login.needHelp", "Need Help?")</a></li> + </ul> + </section> + </main> + <footer class="footer"> + <div class="cc"> + <p>#springMessageText("idp.footer", "Insert your footer text here.")</p> + </div> + </footer> </body> </html> \ No newline at end of file diff --git a/views/logout.vm b/views/logout.vm index d31ae0e..ab01600 100644 --- a/views/logout.vm +++ b/views/logout.vm 
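Review bot: `$hidden` is compared as a raw string in `#if($hidden == "true")`, so a property value such as `True` or `true ` (trailing space) silently selects the non-hidden branch with its "Attempting to log out" heading; normalising first, `#set ($hidden = $environment.getProperty("idp.logout.propagationHidden", "false").trim().equalsIgnoreCase("true"))` and then `#if ($hidden)`, makes the switch robust. The property is new to this template and is not mentioned in the header comment that documents the view's inputs; a line such as `## idp.logout.propagationHidden - when true, show only the summary message instead of the per-service heading` would help deployers. Whether the `#parse("logout/propagate.vm")` include, which runs in both branches, also honours the flag is not visible here; if it does not, hidden mode changes only the heading text.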
@@ -14,61 +14,68 @@ ## environment - Spring Environment object for property resolution ## custom - arbitrary object injected by deployer ## -#set ($rpContext = $profileRequestContext.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext")) +#set ($rpContext = $profileRequestContext.getSubcontext("net.shibboleth.profile.context.RelyingPartyContext")) #if ($rpContext) #set ($rpUIContext = $rpContext.getSubcontext("net.shibboleth.idp.ui.context.RelyingPartyUIContext")) #end +#set ($promptForIdP = $logoutContext and !$logoutContext.getIdPSessions().isEmpty()) +#set ($promptForSP = $logoutContext and !$logoutContext.getSessionMap().isEmpty()) <!DOCTYPE html> <html> <head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width,initial-scale=1.0"> - #if ( $logoutContext and !$logoutContext.getSessionMap().isEmpty() ) + <title>#springMessageText("idp.title", "Web Login Service")</title> + <meta charset="UTF-8" /> + <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> + <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0"> + #if ($promptForSP) <meta http-equiv="refresh" content="10;url=$flowExecutionUrl&_eventId=propagate"> + #elseif ($promptForIdP) + <meta http-equiv="refresh" content="10;url=$flowExecutionUrl&_eventId=local"> #end - <title>#springMessageText("idp.title", "Web Login Service")</title> - <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css"> + <link rel="stylesheet" type="text/css" href="$request.getContextPath()#springMessageText("idp.css", "/css/placeholder.css")"> </head> - <body> - <div class="wrapper"> - <div class="container"> - <header> - <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")"> - </header> + <body> + <main class="main"> + <header> + <img class="main-logo" src="$request.getContextPath()#springMessageText("idp.logo", "/images/placeholder-logo.png")" 
alt="#springMessageText("idp.logo.alt-text", "logo")" /> + </header> - <div class="content"> - <div class="column one"> - <p>This page is displayed when a logout operation at the Identity Provider completes. This page is an example - and should be customized. It is not fully internationalized because the presentation will be a highly localized - decision, and we don't have a good suggestion for a default.</p> - <br> + <section> + <div class="output-message"> + <p><strong>Note for deployers:</strong> This page is displayed when a logout operation at the Identity Provider completes. + This page is an example and should be customized. It is not fully internationalized because the presentation will be a highly localized decision, + and we don't have a good suggestion for a default.</p> + </div> #if ($rpContext) - <p>#springMessageText("idp.logout.sp-initiated", "You have been logged out of the following service:")</p> - <blockquote> - #if ($rpUIContext) - $encoder.encodeForHTML($rpUIContext.getServiceName()) - #else - $encoder.encodeForHTML($rpContext.getRelyingPartyId()) - #end - </blockquote> - <br> + <p>#springMessageText("idp.logout.sp-initiated", "You have been logged out of the following service:")</p> + <blockquote> + #if ($rpUIContext) + $encoder.encodeForHTML($rpUIContext.getServiceName()) + #else + $encoder.encodeForHTML($rpContext.getRelyingPartyId()) + #end + </blockquote> + <br> #end + + #if ($promptForIdP or $promptForSP) + <p>#springMessageText("idp.logout.prompt", "Choose one of the following, or wait a few seconds for the default.")</p> + <br> - #if ( $logoutContext and !$logoutContext.getSessionMap().isEmpty() ) - <p>#springMessageText("idp.logout.ask", "Would you like to attempt to log out of all services accessed during your session? 
Please select <strong>Yes</strong> or <strong>No</strong> to ensure the logout operation completes, or wait a few seconds for Yes.")</p> - <br> - - <form id="propagate_form" method="POST" action="$flowExecutionUrl"> - <button id="propagate_yes" type="submit" name="_eventId" value="propagate">Yes</button> - <button id="propagate_no" type="submit" name="_eventId" value="end">No</button> - </form> + <form id="propagate_form" method="POST" action="$flowExecutionUrl"> + + <p><button id="logout_local" type="submit" name="_eventId" value="local">#springMessageText("idp.logout.idponly", "Logout Locally")</button></p> + <p>#springMessageText("idp.logout.idponly.caption", "End your SSO session.")</p> + #end - <br> - <p>#springMessageText("idp.logout.contactServices", "If you proceed, the system will attempt to contact the following services:")</p> - <ol> - #foreach ($sp in $logoutContext.getSessionMap().keySet()) + #if ($promptForSP) + <p><button id="logout_propagate" type="submit" name="_eventId" value="propagate">#springMessageText("idp.logout.global", "Logout Globally")</button></p> + <p>#springMessageText("idp.logout.global.caption", "End your SSO session and attempt logout of services accessed during session.")</p> + <p>#springMessageText("idp.logout.contactServices", "If instructed, the system will attempt to contact the following services:")</p> + <ol> + #foreach ($sp in $logoutContext.getSessionMap().keySet()) #set ($rpCtx = $multiRPContext.getRelyingPartyContextById($sp)) #if ($rpCtx) #set ($rpUIContext = $rpCtx.getSubcontext("net.shibboleth.idp.ui.context.RelyingPartyUIContext")) 
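Review bot: The "Logout Locally" button and its "End your SSO session." caption are emitted under `#if ($promptForIdP or $promptForSP)`, so when only `$promptForSP` is true the page offers to end an IdP session that the context reports as absent (empty `getIdPSessions()`); if the flow can reach that state, gate this button on `#if ($promptForIdP)` as the Cancel button already is. The `<form id="propagate_form">` is opened inside this `#if` block and closed in a separate `#if ($promptForIdP or $promptForSP)` block in the next hunk, which only stays balanced while both conditions remain textually identical; one enclosing `#if` around the whole form would remove that coupling. The new `<meta http-equiv="refresh">` defaults end the IdP session (`local`) or propagate after ten seconds, which is the conservative choice, but `$flowExecutionUrl` goes into the `content` and `action` attributes without `$encoder.encodeForHTMLAttribute`, unlike the `$encoder.encodeForHTML` applied to service names a few lines down. The `#if` chain and the form continue past the end of this hunk.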
@@ -78,30 +85,34 @@ #else <li>$encoder.encodeForHTML($sp)</li> #end - #end - </ol> + #end + </ol> + #end + + #if ($promptForIdP) + <p><button class="button--secondary" id="logout_cancel" type="submit" name="_eventId" value="end">#springMessageText("idp.logout.cancel", "Cancel")</button></p> + <p>#springMessageText("idp.logout.cancel.caption", "Cancel logout and retain your SSO session.")</p> + #end + + #if ($promptForIdP or $promptForSP) + </form> #else <p><strong>#springMessageText("idp.logout.complete", "The logout operation is complete, and no other services appear to have been accessed during this session.")</strong></p> <!-- Complete the flow by adding a hidden iframe. --> <iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed"></iframe> #end - </div> - <div class="column two"> - <ul class="list list-help"> - <li class="list-help-item"><a href="#springMessageText("idp.url.password.reset", "#")"><span class="item-marker">›</span> #springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li> - <li class="list-help-item"><a href="#springMessageText("idp.url.helpdesk", "#")"><span class="item-marker">›</span> #springMessageText("idp.login.needHelp", "Need Help?")</a></li> - </ul> - </div> - </div> - </div> - - <footer> - <div class="container container-footer"> - <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p> - </div> - </footer> - </div> - - </body> + <ul> + <li><a href="#springMessageText("idp.url.password.reset", '#')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li> + <li><a href="#springMessageText("idp.url.helpdesk", '#')">#springMessageText("idp.login.needHelp", "Need Help?")</a></li> + </ul> + </section> + + </main> + <footer class="footer"> + <div class="cc"> + <p>#springMessageText("idp.footer", "Insert your footer text here.")</p> + </div> + </footer> + </body> </html> \ No newline at end of file 
diff --git a/views/spnego-unavailable.vm b/views/spnego-unavailable.vm
deleted file mode 100644
index 3673f02..0000000
--- a/views/spnego-unavailable.vm
+++ /dev/null
@@ -1,49 +0,0 @@
-##
-## Velocity Template for SPNEGO unauthorized page
-##
-## This is not a Spring Webflow view, but a special view internal to the
-## SPNEGO login flow, so it doesn't contain all of the usual SWF variables.
-##
-## Velocity context will contain the following properties
-## encoder - HTMLEncoder class
-## request - HttpServletRequest
-## response - HttpServletResponse
-## profileRequestContext - root of context tree
-## errorUrl - URL to call to indicate error and return back to the login flow
-##
-#set ($eventKey = $springMacroRequestContext.getMessage("SPNEGOUnavailable", "spnego-unavailable"))
-<!DOCTYPE html>
-<html>
- <head>
- <meta charset="utf-8">
- <meta name="viewport" content="width=device-width,initial-scale=1.0">
- <title>#springMessageText("idp.title", "Web Login Sevice") - #springMessageText("${eventKey}.title", "Error")</title>
- <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
- </head>
-
- <body onload="window.location = '$errorUrl'">
- <div class="wrapper">
- <div class="container">
- <header>
- <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
- <h3>#springMessageText("idp.title", "Web Login Sevice") - #springMessage("idp.title.suffix", "Error")</h3>
- </header>
-
- <div class="content">
- #springMessageText("${eventKey}.message", "Your web browser doesn't support authentication with your desktop login credentials.")
- <ul class="list list-help">
- <li class="list-help-item">
- <a href="$errorUrl"><span class="item-marker">›</span> #springMessageText("spnego-unavailable.return", "Cancel the attempt.")</a>
- </li>
- </ul>
- </div>
- </div>
-
- <footer>
- <div class="container container-footer">
- <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
- </div>
- </footer>
- </div>
- </body>
-</html>
diff --git a/views/user-prefs.js b/views/user-prefs.js
deleted file mode 100644
index ab994f9..0000000
--- a/views/user-prefs.js
+++ /dev/null
@@ -1,45 +0,0 @@
-"use strict";
-
-function createCookie(name, value, seconds) {
- var date = new Date();
- date.setTime(date.getTime() + (seconds * 1000));
- var expires = "; expires=" + date.toGMTString();
-
- var path = '$environment.getProperty("idp.cookie.path", $request.getContextPath())';
- if (path.length > 0)
- path = "; path=" + path;
- document.cookie = name + "=" + value + expires + path;
-}
-
-function eraseCookie(name) {
- createCookie(name, "", -31536000);
-}
-
-function readCookie(name) {
- var nameEQ = name + "=";
- var ca = document.cookie.split(';');
- for (var i = 0; i < ca.length; i++) {
- var c = ca[i];
- while (c.charAt(0) == ' ')
- c = c.substring(1, c.length);
- if (c.indexOf(nameEQ) == 0)
- return c.substring(nameEQ.length, c.length);
- }
- return null;
-}
-
-function load(id) {
- var checkbox = document.getElementById(id);
- if (checkbox != null) {
- var spnego = readCookie(checkbox.name);
- checkbox.checked = (spnego == "1");
- }
-}
-
-function check(checkbox) {
- if (checkbox.checked) {
- createCookie(checkbox.name, checkbox.value, $environment.getProperty("idp.cookie.maxAge","31536000"));
- } else {
- eraseCookie(checkbox.name);
- }
-}
diff --git a/views/user-prefs.vm b/views/user-prefs.vm
deleted file mode 100644
index 8de0503..0000000
--- a/views/user-prefs.vm
+++ /dev/null
@@ -1,60 +0,0 @@
-##
-## Velocity Template for user preferences view
-##
-## Velocity context will contain the following properties
-## request - HttpServletRequest
-## response - HttpServletResponse
-## environment - Spring Environment object for property resolution
-## custom - arbitrary object injected by deployer
-##
-<!DOCTYPE html>
-<html>
- <head>
- <meta charset="utf-8">
- <meta name="viewport" content="width=device-width,initial-scale=1.0">
- <title>#springMessageText("idp.userprefs.title", "Web Login Service") - #springMessageText("idp.userprefs.title.suffix", "Login Preferences")</title>
- <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
- <script language="Javascript">
- <!--
- #parse( "user-prefs.js" )
- // -->
- </script>
- </head>
- <body onLoad="document.getElementById('content').style.display='block'; load('spnego')">
- <div class="wrapper">
- <div class="container">
- <header>
- <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
- <h3>#springMessageText("idp.title", "Web Login Service") - #springMessageText("idp.userprefs.title.suffix", "Login Preferences")</h3>
- <p>
- #springMessage("idp.userprefs.info")
- </p>
- </header>
-
- <noscript>
- <div id="content" class="content">
- $springMacroRequestContext.getMessage("idp.userprefs.no-js", "This feature requires Javascript.")
- </div>
- </noscript>
-
- <div id="content" class="content" style="display:none">
- <div class="form-element-wrapper">
- <h4>#springMessageText("idp.userprefs.options", "The following options are available:")</h4>
- </div>
-
- <div class="form-element-wrapper">
- <input type="checkbox" id="spnego" name="_idp_spnego_autologin" value="1" onClick="check(this)">
- #springMessageText("idp.userprefs.spnego", "Automatically try desktop login when available.")
- </div>
- </div>
- </div>
-
- <footer>
- <div class="container container-footer">
- <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
- </div>
- </footer>
- </div>
-
- </body>
-</html>