docker · Oct 10, 2018 · Nov 14, 2018 · Nov 14, 2018 · Nov 26, 2018 · Nov 26, 2018
diff --git a/README.md b/README.md
@@ -2,12 +2,14 @@
 
 ## Purpose
 
-This project contains the configuration tree (structure) for Shibboleth IDP.  The are various usage scenarios throughout the build, test, deploy cycle that warrant this abstraction
+This branch contains the default configuration tree (structure) for Shibboleth IDP.  The are various usage scenarios throughout the build, test, deploy cycle that warrant this abstraction
 of the configuration tree.  There is a separate repository for the Docker Image which is responsible for building the runtime environment and pulling the configuration trees housed here
 to complete a deployment.
 
 ### Configuration Trees
 
+  * `default` branch
+    * Comparison - (Default) branch/repo that is created by the Shibboleth IdP installer.  It is used for comparing the other branches.
   * `test` branch
     * Internal Testing - (TEST) branch/repo that uses the "test bed" which is something that I2 provides (LDAP) and an element to make all integrations.  Appropriate for Jenkins and testing environments
   * `release` branch

diff --git a/conf/access-control.xml b/conf/access-control.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    Map of access control policies used to limit access to administrative functions.
+    The purpose of the map is to label policies with a key/name so they can be reused.
+    -->
+
+    <!--
+    Use the "shibboleth.IPRangeAccessControl" parent bean for IP-based access control.
+    The ranges provided MUST be CIDR network expressions. To specify a single address,
+    add "/32" or "/128" for IPv4 or IPv6 respectively.
+
+    The additional examples below demonstrate how to control access by username
+    and by attribute(s), in the case of authenticated access to admin functions.
+    -->
+
+    <util:map id="shibboleth.AccessControlPolicies">
+
+        <entry key="AccessByIPAddress">
+            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
+                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
+        </entry>
+
+        <!--
+        <entry key="AccessByUser">
+            <bean parent="shibboleth.PredicateAccessControl">
+                <constructor-arg>
+                    <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
+                </constructor-arg>
+            </bean>
+        </entry>
+        -->
+
+        <!--
+        <entry key="AccessByAttribute">
+            <bean parent="shibboleth.PredicateAccessControl">
+                <constructor-arg>
+                    <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
+                        <property name="attributeValueMap">
+                            <map>
+                                <entry key="eduPersonEntitlement">
+                                    <list>
+                                        <value>https://example.org/entitlement/idpadmin</value>
+                                    </list>
+                                </entry>
+                            </map>
+                        </property>
+                    </bean>
+                </constructor-arg>
+            </bean>
+        </entry>
+        -->
+
+    </util:map>
+
+</beans>
diff --git a/conf/admin/general-admin.xml b/conf/admin/general-admin.xml
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+    default-init-method="initialize"
+    default-destroy-method="destroy">
+
+    <util:list id="shibboleth.AvailableAdminFlows">
+
+        <!-- Status Page -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/status"
+            p:loggingId="%{idp.service.logging.status:Status}"
+            p:policyName="%{idp.status.accessPolicy:AccessByIPAddress}" />
+
+        <!-- Service Reload -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/reload-service-configuration"
+            p:loggingId="%{idp.service.logging.serviceReload:Reload}"
+            p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />
+
+        <!-- MetadataResolver Reload -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/reload-metadata"
+            p:loggingId="%{idp.service.logging.serviceReload:Reload}"
+            p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />
+
+        <!-- AttributeResolver Debugging -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/resolvertest"
+            p:loggingId="%{idp.service.logging.resolvertest:ResolverTest}"
+            p:policyName="%{idp.resolvertest.accessPolicy:AccessByIPAddress}" />
+
+        <!-- Metadata Query -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/mdquery"
+            p:loggingId="MetadataQuery"
+            p:policyName="AccessByIPAddress" />
+
+        <!-- REST AccountLockoutManager Access -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/lockout-manager"
+            p:loggingId="Lockout"
+            p:policyName="AccessByIPAddress" />
+
+        <!-- REST StorageService Access -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/storage"
+            p:loggingId="Storage"
+            p:policyName="AccessByIPAddress" />
+
+        <!-- REST Interface to Metrics -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/metrics"
+            p:loggingId="Metrics"
+            p:policyNameLookupStrategy-ref="shibboleth.metrics.AccessPolicyStrategy" />
+
+        <!-- Attended Startup Unlock -->
+        <!--
+        <bean parent="shibboleth.OneTimeAdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/unlock-keys"
+            p:loggingId="UnlockKeys"
+            p:authenticated="true"
+            p:policyName="AccessByAdminUser" />
+        -->
+
+    </util:list>
+
+</beans>
diff --git a/conf/admin/metrics.xml b/conf/admin/metrics.xml
@@ -0,0 +1,129 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+    default-init-method="initialize"
+    default-destroy-method="destroy">
+
+    <!-- Metrics enablement / activation. -->
+
+    <!--
+    Register one or more of the built-in system metric sets available.
+    -->
+
+    <bean parent="shibboleth.metrics.RegisterMetricSets">
+        <property name="arguments">
+            <list>
+                <ref bean="shibboleth.metrics.CoreGaugeSet" />
+                <ref bean="shibboleth.metrics.IdPGaugeSet" />
+                <ref bean="shibboleth.metrics.LoggingGaugeSet" />
+                <ref bean="shibboleth.metrics.AccessControlGaugeSet" />
+                <ref bean="shibboleth.metrics.MetadataGaugeSet" />
+                <ref bean="shibboleth.metrics.NameIdentifierGaugeSet" />
+                <ref bean="shibboleth.metrics.RelyingPartyGaugeSet" />
+                <ref bean="shibboleth.metrics.AttributeResolverGaugeSet" />
+                <ref bean="shibboleth.metrics.AttributeFilterGaugeSet" />
+
+                <!--
+                <bean class="com.codahale.metrics.jvm.CachedThreadStatesGaugeSet"
+                    c:_0="1" c:_1="#{T(java.util.concurrent.TimeUnit).MINUTES}" />
+                <bean class="com.codahale.metrics.jvm.ClassLoadingGaugeSet" />
+                <bean class="com.codahale.metrics.jvm.GarbageCollectorMetricSet" />
+                <bean class="com.codahale.metrics.jvm.MemoryUsageGaugeSet" />
+                -->
+            </list>
+        </property>
+    </bean>
+
+    <!-- Metrics REST API Configuration -->
+
+    <!--
+    The global metric set is available by default at /idp/profile/admin/metrics
+    
+    Any pathinfo after that is assumed to identify specific named metrics. You can
+    create mappings here between a logical "group" name and an implementation of the
+    com.codahale.metrics.MetricFilter interface to specify which metrics to include.
+    -->
+    <util:map id="shibboleth.metrics.MetricGroups">
+        <entry key="core" value-ref="shibboleth.metrics.CoreGaugeSet" />
+        <entry key="idp" value-ref="shibboleth.metrics.IdPGaugeSet" />
+        <entry key="logging" value-ref="shibboleth.metrics.LoggingGaugeSet" />
+        <entry key="access" value-ref="shibboleth.metrics.AccessControlGaugeSet" />
+        <entry key="metadata" value-ref="shibboleth.metrics.MetadataGaugeSet" />
+        <entry key="nameid" value-ref="shibboleth.metrics.NameIdentifierGaugeSet" />
+        <entry key="relyingparty" value-ref="shibboleth.metrics.RelyingPartyGaugeSet" />
+        <entry key="resolver" value-ref="shibboleth.metrics.AttributeResolverGaugeSet" />
+        <entry key="filter" value-ref="shibboleth.metrics.AttributeFilterGaugeSet" />
+    </util:map>
+
+    <!-- If you don't specify an alternate access policy, this named policy will be enforced. -->
+    <bean id="shibboleth.metrics.DefaultAccessPolicy" class="java.lang.String" c:_0="AccessByIPAddress" />
+
+    <!--
+    To override the default access policy, map a metric name or
+    mapped group above to an alternative policy name.
+    -->
+    <util:map id="shibboleth.metrics.AccessPolicyMap">
+
+    </util:map>
+
+    <!--
+    In addition to the "pull" REST API for accessing metrics, a "push" reporter is also
+    available to upload a JSON feed to a URL. The example shown relies on standard JVM
+    trust configuration for TLS server verification.
+    
+    The "start" method triggers the timer thread; the example pushes every 30 minutes.
+    -->
+    <!--
+    <bean id="PushReporter" parent="shibboleth.metrics.HTTPReporter" c:name="MyCollector"
+        p:collectorURL="https://log.example.org/cgi-bin/collector.cgi" />
+                
+    <bean class="org.springframework.beans.factory.config.MethodInvokingBean"
+            p:targetObject-ref="PushReporter"
+            p:targetMethod="start">
+        <property name="arguments">
+            <list>
+                <value>30</value>
+                <util:constant static-field="java.util.concurrent.TimeUnit.MINUTES" />
+            </list>
+        </property>
+    </bean>
+    -->
+
+    <!-- IdP Metrics Configuration -->
+
+    <!--
+    A bean named shibboleth.metrics.MetricStrategy of type Function<ProfileRequestContext,Boolean>
+    can be defined to add timers and counters to a large range of objects in the system. Each timer is
+    defined by a triple (timer name, start object, stop object). Counters are just object/counter pairs.
+    
+    The most common example is to start a timer when a particular flow action bean starts and
+    stop it when the same or different action bean stops, to measure how long the execution takes.
+    
+    If you want to leave a timer in place but disabled to prevent overhead, you can turn off a
+    logging category named "metrics.<timername>" in your logging configuration.
+    -->
+    <!--
+    <bean id="shibboleth.metrics.MetricStrategy" parent="shibboleth.ContextFunctions.Scripted"
+            factory-method="inlineScript">
+        <constructor-arg>
+            <value>
+            <![CDATA[
+                metricCtx = input.getSubcontext("org.opensaml.profile.context.MetricContext");
+                metricCtx.addTimer("idp.attribute.resolution",
+                    "ResolveAttributes",
+                    "FilterAttributes"
+                    );                                
+                true; // Signals success.
+            ]]>
+            </value>
+        </constructor-arg>
+    </bean>
+    -->
+
+</beans>
diff --git a/conf/attribute-filter.xml b/conf/attribute-filter.xml
@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+    This file is an EXAMPLE policy file.  While the policy presented in this 
+    example file is illustrative of some simple cases, it relies on the names of
+    non-existent example services and the example attributes demonstrated in the
+    default attribute-resolver.xml file.
+
+    This example does contain some usable "general purpose" policies that may be
+    useful in conjunction with specific deployment choices, but those policies may
+    not be applicable to your specific needs or constraints.    
+-->
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
+        xmlns="urn:mace:shibboleth:2.0:afp"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+
+    <!--
+    Example rule relying on a locally applied tag in metadata to trigger attribute
+    release of some specific attributes. Add additional attributes as desired.
+    -->
+	<AttributeFilterPolicy id="Per-Attribute-singleValued">
+	    <PolicyRequirementRule xsi:type="ANY" />
+
+	    <AttributeRule attributeID="eduPersonPrincipalName">
+	        <PermitValueRule xsi:type="EntityAttributeExactMatch"
+	            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+	            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+	            attributeValue="eduPersonPrincipalName" />
+	    </AttributeRule>
+
+	    <AttributeRule attributeID="mail">
+	        <PermitValueRule xsi:type="EntityAttributeExactMatch"
+	            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+	            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+	            attributeValue="mail" />
+	    </AttributeRule>
+	</AttributeFilterPolicy>
+
+    <!--
+    Same as above but more efficient form for an attribute with multiple values.
+    -->
+    <AttributeFilterPolicy id="Per-Attribute-Affiliation">
+        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+            attributeValue="eduPersonScopedAffiliation" />
+
+        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
+    </AttributeFilterPolicy>
+
+    <!--
+    Example rule for honoring Subject ID requirement tag in metadata.
+    The example supplies pairwise-id if subject-id isn't explicitly required.
+    -->
+    <AttributeFilterPolicy id="subject-identifiers">
+        <PolicyRequirementRule xsi:type="ANY" />
+
+        <AttributeRule attributeID="samlPairwiseID">
+            <PermitValueRule xsi:type="OR">
+                <Rule xsi:type="EntityAttributeExactMatch"
+                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                    attributeValue="pairwise-id" />
+                <Rule xsi:type="EntityAttributeExactMatch"
+                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                    attributeValue="any" />
+            </PermitValueRule>
+        </AttributeRule>
+
+        <AttributeRule attributeID="samlSubjectID">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+                attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                attributeValue="subject-id" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+
+    <!-- Release an additional attribute to an SP. -->
+    <AttributeFilterPolicy id="example1">
+        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
+
+        <AttributeRule attributeID="uid" permitAny="true" />
+    </AttributeFilterPolicy>
+
+    <!-- Release eduPersonScopedAffiliation to two specific SPs. -->
+    <AttributeFilterPolicy id="example2">
+        <PolicyRequirementRule xsi:type="OR">
+            <Rule xsi:type="Requester" value="https://sp.example.org" />
+            <Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
+        </PolicyRequirementRule>
+
+        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
+    </AttributeFilterPolicy>
+
+</AttributeFilterPolicyGroup>