sync release and test configs

README.md

@@ -1,3 +1,14 @@
 # shib-idp-conftree
 
-`tar cvf shib-idp-conftree.tar --exclude .git .`
+## Purpose
+
+This project contains the configuration tree (structure) for Shibboleth IDP.  The are various usage scenarios throughout the build, test, deploy cycle that warrant this abstraction
+of the configuration tree.  There is a separate repository for the Docker Image which is responsible for building the runtime environment and pulling the configuration trees housed here
+to complete a deployment.
+
+### Configuration Trees
+
+  * `test` branch
+    * Internal Testing - (TEST) branch/repo that uses the "test bed" which is something that I2 provides (LDAP) and an element to make all integrations.  Appropriate for Jenkins and testing environments
+  * `release` branch
+    * External Testing - (RELEASE) branch/repo (ultimately will live in Subversion?) for end users

conf/access-control.xml

@@ -30,7 +30,7 @@
 
         <entry key="AccessByIPAddress">
             <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
-                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
+                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.18.0.0/24'} }" />
         </entry>
 
         <!--

conf/attribute-filter.xml

@@ -13,9 +13,9 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
 
-	<!-- EXAMPLES -->
+    <!-- EXAMPLES -->
     <!-- Release some attributes to an SP. -->
-	<!--
+    <!--
     <AttributeFilterPolicy id="example1">
         <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
 
@@ -33,7 +33,7 @@
     </AttributeFilterPolicy>
 	-->
     <!-- Release eduPersonAffiliation to two specific SPs. -->
-	<!--
+    <!--
     <AttributeFilterPolicy id="example2">
         <PolicyRequirementRule xsi:type="OR">
             <Rule xsi:type="Requester" value="https://sp.example.org" />
@@ -45,33 +45,56 @@
         </AttributeRule>
     </AttributeFilterPolicy>
 	-->
-	<AttributeFilterPolicy id="releaseToAnyone">
-        <PolicyRequirementRule xsi:type="ANY" />
-
+
+    <!-- Attribute release for all SPs (global) tagged as 'Research and Scholarship' -->
+    <AttributeFilterPolicy id="releaseRandSAttributeBundle">
+        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+			attributeName="http://macedir.org/entity-category"
+			attributeValue="http://refeds.org/category/research-and-scholarship"/>
+        <AttributeRule attributeID="eduPersonPrincipalName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonScopedAffiliation">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="givenName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="surname">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="displayName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+
+
+    <!-- Attribute release for all InCommon SPs -->
+    <AttributeFilterPolicy id="releaseToInCommon">	
+        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+			attributeName="http://macedir.org/entity-category"
+			attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
         <AttributeRule attributeID="eduPersonPrincipalName">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="eduPersonScopedAffiliation">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="givenName">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="surname">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="displayName">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="mail">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
     </AttributeFilterPolicy>
 
 </AttributeFilterPolicyGroup>

conf/attribute-resolver.xml

@@ -31,7 +31,7 @@
     long term implications. 
     -->
     <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
-        <Dependency ref="uid" />
+        <Dependency ref="myLDAP" />
         <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
         <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
     </AttributeDefinition>
@@ -60,6 +60,12 @@
         <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
     </AttributeDefinition>
 
+    <!-- The attribute definition below is designed to represent whether a particular user is FERPA_restricted for attribute release
+         Change the sourceAttributeID property to reflect the correct attribute name in the local LDAP -->
+    <AttributeDefinition xsi:type="Simple" id="isFERPAattr" sourceAttributeID="isFERPAattr">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML2String" name="foo:attributes:isFERPAattr" friendlyName="isFERPAattr" encodeType="false" />
+    </AttributeDefinition>
 
     <!-- ========================================== -->
     <!--      Data Connectors                       -->
@@ -84,7 +90,7 @@
                 %{idp.attribute.resolver.LDAP.searchFilter}
             ]]>
         </FilterTemplate>
-		<dc:ReturnAttributes>givenName sn displayName mail uid</dc:ReturnAttributes>
+		<ReturnAttributes>givenName sn displayName mail uid</ReturnAttributes>
     </DataConnector>
 
 </AttributeResolver>

conf/authn/krb5-authn-config.xml

@@ -21,10 +21,10 @@
     The keytab bean must be an absolute file pathname and not a reference to a classpath resource,
     so if idp.home is not a path, don't use it in the value.
     -->
-
+    <!--
     <bean id="shibboleth.authn.Krb5.ServicePrincipal" class="java.lang.String" c:_0="HTTP/idp.testbed.tier.internet2.edu@TESTBED.TIER.INTERNET2.EDU" />
     <bean id="shibboleth.authn.Krb5.Keytab" class="java.lang.String" c:_0="%{idp.home}/credentials/http.keytab" />
-
+    -->
 
     <alias name="ValidateUsernamePasswordAgainstKerberos" alias="ValidateUsernamePassword"/>
 

conf/authn/password-authn-config.xml

@@ -14,8 +14,8 @@
 
     <!-- Choose an import based on the back-end you want to use. -->
     <!-- <import resource="jaas-authn-config.xml" /> -->
-    <import resource="krb5-authn-config.xml" />
-    <!--<import resource="ldap-authn-config.xml" />-->
+    <!--<import resource="krb5-authn-config.xml" />-->
+    <import resource="ldap-authn-config.xml" />
 
 
     <!-- Names of form fields to pull username and password from. -->

conf/idp.properties

@@ -2,10 +2,10 @@
 idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties
 
 # Set the entityID of the IdP
-idp.entityID= https://idp.testbed.tier.internet2.edu/idp/shibboleth
+idp.entityID= https://example.org/idp/shibboleth
 
 # Set the scope used in the attribute resolver for scoped attributes
-idp.scope= testbed.tier.internet2.edu
+idp.scope= example.org
 
 # General cookie properties (maxAge only applies to persistent cookies)
 #idp.cookie.secure = false
@@ -161,7 +161,7 @@ idp.authn.flows= Password
 #idp.replayCache.StorageService = shibboleth.StorageService
 
 # Toggles whether to allow outbound messages via SAML artifact
-#idp.artifact.enabled = true
+idp.artifact.enabled = false
 # Suppresses typical signing/encryption when artifact binding used
 #idp.artifact.secureChannel = true
 # May differ to direct SAML 2 artifact lookups to specific server nodes

conf/intercept/profile-intercept.xml

@@ -30,9 +30,25 @@
 
                 <bean id="intercept/terms-of-use" parent="shibboleth.consent.TermsOfUseFlow" />
 
-                <bean id="intercept/attribute-release" parent="shibboleth.consent.AttributeReleaseFlow" />
+                <bean id="intercept/attribute-release" parent="shibboleth.consent.AttributeReleaseFlow" p:activationCondition-ref="isFERPA" />
             </list>
         </property>
     </bean>
 
+    <!-- Check if the FERPA restriction attribute is set -->
+    <bean id="isFERPA" class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
+      <property name="attributeValueMap">
+        <map>
+            <entry key="isFERPAattr">
+                <list>
+                    <value>true</value>
+                    <value>TRUE</value>
+                    <value>YES</value>
+                    <value>yes</value>
+                </list>
+            </entry>
+        </map>
+      </property>
+    </bean>
+
 </beans>

conf/ldap.properties

@@ -5,7 +5,7 @@
 #idp.authn.LDAP.authenticator                   = anonSearchAuthenticator
 
 ## Connection properties ##
-idp.authn.LDAP.ldapURL                          = ldap://testbed.tier.internet2.edu
+idp.authn.LDAP.ldapURL                          = ldap://localhost:10389
 idp.authn.LDAP.useStartTLS                     = false
 idp.authn.LDAP.useSSL                          = false
 # Time in milliseconds that connects will block
@@ -27,13 +27,13 @@ idp.authn.LDAP.returnAttributes                 = passwordExpirationTime,loginGr
 
 # Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
 # for AD: CN=Users,DC=example,DC=org
-idp.authn.LDAP.baseDN                           = ou=People,dc=testbed,dc=tier,dc=internet2,dc=edu
+idp.authn.LDAP.baseDN                           = ou=people,dc=example,dc=org
 #idp.authn.LDAP.subtreeSearch                   = false
 idp.authn.LDAP.userFilter                       = (uid={user})
 # bind search configuration
 # for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
-idp.authn.LDAP.bindDN                           = 
-idp.authn.LDAP.bindDNCredential                 = 
+idp.authn.LDAP.bindDN                           = uid=myservice,ou=system
+idp.authn.LDAP.bindDNCredential                 = myServicePassword
 
 # Format DN resolution, used by directAuthenticator, adAuthenticator
 # for AD use idp.authn.LDAP.dnFormat=%s@domain.com

conf/metadata-providers.xml

@@ -80,9 +80,5 @@
 
     </MetadataProvider>
 
-    <MetadataProvider id="testbed.tier" xsi:type="FilesystemMetadataProvider" metadataFile="/opt/shibboleth-idp/metadata/testbed-tier-metadata.xml"/>
-	<MetadataProvider id="sp.testbed.tier" xsi:type="FilesystemMetadataProvider" metadataFile="/opt/shibboleth-idp/metadata/sp-testbed-tier-metadata.xml"/>
 
 </MetadataProvider>
-
-</MetadataProvider>

conf/relying-party.xml

@@ -34,14 +34,16 @@
     <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
         <property name="profileConfigurations">
             <list>
-                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
+                <!-- Uncomment to enable optional SAML 1.1 support -->
+                <!--<bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                 <ref bean="SAML1.AttributeQuery" />
-                <ref bean="SAML1.ArtifactResolution" />
+                <ref bean="SAML1.ArtifactResolution" />-->
                 <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
                 <ref bean="SAML2.ECP" />
                 <ref bean="SAML2.Logout" />
-                <ref bean="SAML2.AttributeQuery" />
-                <ref bean="SAML2.ArtifactResolution" />
+                <!-- Uncomment to enable optional back-channel features -->
+                <!--<ref bean="SAML2.AttributeQuery" />
+                <ref bean="SAML2.ArtifactResolution" />-->
                 <ref bean="Liberty.SSOS" />
             </list>
         </property>