README.md

@@ -14,3 +14,4 @@ to complete a deployment.
     * Internal Testing - (TEST) branch/repo that uses the "test bed" which is something that I2 provides (LDAP) and an element to make all integrations.  Appropriate for Jenkins and testing environments
   * `release` branch
     * External Testing - (RELEASE) branch/repo (ultimately will live in Subversion?) for end users
+

conf/access-control.xml

@@ -34,7 +34,7 @@
         </entry>
 
         <!--
-        <entry key="AccessByUser">
+        <entry key="AccessByAdminUser">
             <bean parent="shibboleth.PredicateAccessControl">
                 <constructor-arg>
                     <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
@@ -47,7 +47,7 @@
         <entry key="AccessByAttribute">
             <bean parent="shibboleth.PredicateAccessControl">
                 <constructor-arg>
-                    <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
+                    <bean parent="shibboleth.Conditions.SimpleAttribute">
                         <property name="attributeValueMap">
                             <map>
                                 <entry key="eduPersonEntitlement">

conf/admin/admin.properties

@@ -0,0 +1,89 @@
+# Configure properties controlling administrative features
+
+#idp.status.logging = Status
+#idp.status.accessPolicy = AccessByIPAddress
+#idp.status.authenticated = false
+#idp.status.nonBrowserSupported = false
+#idp.status.defaultAuthenticationMethods =
+#idp.status.resolveAttributes = false
+#idp.status.postAuthenticationFlows =
+
+#idp.reload.logging = Reload
+#idp.reload.accessPolicy = AccessByIPAddress
+#idp.reload.authenticated = false
+#idp.reload.nonBrowserSupported = false
+#idp.reload.defaultAuthenticationMethods =
+#idp.reload.resolveAttributes = false
+#idp.reload.postAuthenticationFlows =
+
+#idp.resolvertest.logging = ResolverTest
+#idp.resolvertest.accessPolicy = AccessByIPAddress
+#idp.resolvertest.authenticated = false
+#idp.resolvertest.nonBrowserSupported = false
+#idp.resolvertest.defaultAuthenticationMethods =
+#idp.resolvertest.resolveAttributes = false
+#idp.resolvertest.postAuthenticationFlows =
+
+#idp.dumpconfig.logging = DumpConfig
+#idp.dumpconfig.accessPolicy = AccessByIPAddress
+#idp.dumpconfig.authenticated = false
+#idp.dumpconfig.nonBrowserSupported = false
+#idp.dumpconfig.defaultAuthenticationMethods =
+#idp.dumpconfig.resolveAttributes = false
+#idp.dumpconfig.postAuthenticationFlows =
+
+#idp.mdquery.logging = MetadataQuery
+#idp.mdquery.accessPolicy = AccessByIPAddress
+#idp.mdquery.authenticated = false
+#idp.mdquery.nonBrowserSupported = false
+#idp.mdquery.defaultAuthenticationMethods =
+#idp.mdquery.resolveAttributes = false
+#idp.mdquery.postAuthenticationFlows =
+
+#idp.metrics.logging = Metrics
+#idp.metrics.authenticated = false
+#idp.metrics.nonBrowserSupported = false
+#idp.metrics.defaultAuthenticationMethods =
+#idp.metrics.resolveAttributes = false
+#idp.metrics.postAuthenticationFlows =
+# See admin/metrics.xml for other configuration
+
+#idp.hello.logging = Hello
+#idp.hello.accessPolicy = AccessByAdminUser
+#idp.hello.authenticated = true
+#idp.hello.nonBrowserSupported = false
+#idp.hello.defaultAuthenticationMethods =
+#idp.hello.resolveAttributes = true
+#idp.hello.postAuthenticationFlows =
+
+#idp.lockout.logging = Lockout
+#idp.lockout.accessPolicy = AccessDenied
+#idp.lockout.authenticated = false
+#idp.lockout.nonBrowserSupported = false
+#idp.lockout.defaultAuthenticationMethods =
+#idp.lockout.resolveAttributes = false
+#idp.lockout.postAuthenticationFlows =
+
+#idp.revocation.logging = Revocation
+#idp.revocation.accessPolicy = AccessDenied
+#idp.revocation.authenticated = false
+#idp.revocation.nonBrowserSupported = false
+#idp.revocation.defaultAuthenticationMethods =
+#idp.revocation.resolveAttributes = false
+#idp.revocation.postAuthenticationFlows =
+
+#idp.storage.logging = Storage
+#idp.storage.accessPolicy = AccessDenied
+#idp.storage.authenticated = false
+#idp.storage.nonBrowserSupported = false
+#idp.storage.defaultAuthenticationMethods =
+#idp.storage.resolveAttributes = false
+#idp.storage.postAuthenticationFlows =
+
+#idp.unlock-keys.logging = UnlockKeys
+#idp.unlock-keys.accessPolicy = AccessDenied
+#idp.unlock-keys.authenticated = true
+#idp.unlock-keys.nonBrowserSupported = false
+#idp.unlock-keys.defaultAuthenticationMethods =
+#idp.unlock-keys.resolveAttributes = false
+#idp.unlock-keys.postAuthenticationFlows =

conf/admin/metrics.xml

@@ -26,8 +26,15 @@
                 <ref bean="shibboleth.metrics.MetadataGaugeSet" />
                 <ref bean="shibboleth.metrics.NameIdentifierGaugeSet" />
                 <ref bean="shibboleth.metrics.RelyingPartyGaugeSet" />
+                <ref bean="shibboleth.metrics.AttributeRegistryGaugeSet" />
                 <ref bean="shibboleth.metrics.AttributeResolverGaugeSet" />
                 <ref bean="shibboleth.metrics.AttributeFilterGaugeSet" />
+                <ref bean="shibboleth.metrics.CASServiceRegistryGaugeSet" />
+                <ref bean="shibboleth.metrics.ManagedBeanGaugeSet" />
+                <ref bean="shibboleth.metrics.ModuleGaugeSet" />
+
+                <!-- Note that this accesses remote "state" regarding IdP and plugin updates. -->
+                <ref bean="shibboleth.metrics.InstallableComponents" />
 
                 <!--
                 <bean class="com.codahale.metrics.jvm.CachedThreadStatesGaugeSet"
@@ -52,15 +59,26 @@
     <util:map id="shibboleth.metrics.MetricGroups">
         <entry key="core" value-ref="shibboleth.metrics.CoreGaugeSet" />
         <entry key="idp" value-ref="shibboleth.metrics.IdPGaugeSet" />
+        <entry key="updates" value-ref="shibboleth.metrics.InstallableComponents" />
         <entry key="logging" value-ref="shibboleth.metrics.LoggingGaugeSet" />
         <entry key="access" value-ref="shibboleth.metrics.AccessControlGaugeSet" />
         <entry key="metadata" value-ref="shibboleth.metrics.MetadataGaugeSet" />
         <entry key="nameid" value-ref="shibboleth.metrics.NameIdentifierGaugeSet" />
         <entry key="relyingparty" value-ref="shibboleth.metrics.RelyingPartyGaugeSet" />
+        <entry key="registry" value-ref="shibboleth.metrics.AttributeRegistryGaugeSet" />
         <entry key="resolver" value-ref="shibboleth.metrics.AttributeResolverGaugeSet" />
         <entry key="filter" value-ref="shibboleth.metrics.AttributeFilterGaugeSet" />
+        <entry key="cas" value-ref="shibboleth.metrics.CASServiceRegistryGaugeSet" />
+        <entry key="bean" value-ref="shibboleth.metrics.ManagedBeanGaugeSet" />
     </util:map>
-
+
+    <!-- Add any desired properties into set to expose them as IdP metrics. -->
+    <!--
+    <util:set id="shibboleth.metrics.ExposedProperties">
+        <value>idp.entityID</value>
+    </util:set>
+    -->
+
     <!-- If you don't specify an alternate access policy, this named policy will be enforced. -->
     <bean id="shibboleth.metrics.DefaultAccessPolicy" class="java.lang.String" c:_0="AccessByIPAddress" />
 

conf/attribute-filter.xml

@@ -14,6 +14,14 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
 
+
+    <!-- Release home org signifier to everybody. -->
+    <AttributeFilterPolicy id="alwaysRelease">
+        <PolicyRequirementRule xsi:type="ANY" />
+
+        <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
+    </AttributeFilterPolicy>
+
     <!--
     Example rule relying on a locally applied tag in metadata to trigger attribute
     release of some specific attributes. Add additional attributes as desired.

conf/intercept/impersonate-intercept-config.xml → conf/attribute-registry.xml

@@ -13,13 +13,17 @@
        default-destroy-method="destroy">
 
     <!--
-    Names of access control policies defined in access-control.xml to control impersonation.
-    The general policy runs first and determines whether to offer the impersonation option.
-    The specific policy runs second and determines whether to allow the requested impersonation.
+    The system comes preconfigured to load rules directly from resource files
+    configured in services.xml so they're monitored for changes.
+    
+    You can add mappings here, add more XML resource files, or drop property
+    files into the directory noted below, but they won't be monitored for changes
+    themselves.
     -->
 
-    <bean id="shibboleth.impersonate.GeneralPolicy" class="java.lang.String" c:_0="GeneralImpersonationPolicy" />
-
-    <bean id="shibboleth.impersonate.SpecificPolicy" class="java.lang.String" c:_0="SpecificImpersonationPolicy" />
-
+    <!-- Default directory for custom mappings. -->
+    <bean parent="shibboleth.TranscodingRuleLoader"
+        c:dir="%{idp.home}/conf/attributes/custom"
+        c:extensions="#{{'.txt', '.props', '.properties', '.rule'}}" />
+
 </beans>