Skip to content
Jump to bottom

3.3test #6

Closed
wants to merge 18 commits into from
+521,137 −0
Closed

3.3test #6

Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
6c29088
Test configuration tree.
Aug 1, 2016
8071101
Removing war file binary
Aug 2, 2016
fcbb03a
Removing bad config per Jim J's request
Aug 25, 2016
4f68960
Prompts on what command to issue
Aug 25, 2016
011751d
test
Jan 19, 2017
3702cd3
test2
Jan 19, 2017
19dca48
reset author
pcaskey Jan 19, 2017
532f9e1
remove all files in conf
pcaskey Jan 19, 2017
747aecf
Merge branch '3.3' of https://github.internet2.edu/docker/shib-idp-co…
pcaskey Jan 19, 2017
3bf10f9
remove webapp folder
pcaskey Jan 19, 2017
449e58c
remove doc and dist folders
pcaskey Jan 19, 2017
6d063d6
add new files/directories for 3.3.0 in conf directory
pcaskey Jan 19, 2017
cf1a7ad
config for metadata-providers
pcaskey Jan 20, 2017
66cfcd5
metadata providers config
pcaskey Jan 20, 2017
a1487cb
fix metadata config
pcaskey Jan 20, 2017
2d1c7d0
fix metadata providers
pcaskey Jan 20, 2017
22126ca
finish remaining items in conf folder
pcaskey Jan 20, 2017
fe2d88d
complete 3.3 test config
pcaskey Jan 20, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
View file
@@ -0,0 +1 @@
shib-idp-conftree.tar*
2 changes: 2 additions & 0 deletions README.md
View file
@@ -1 +1,3 @@
# shib-idp-conftree

`tar cvf shib-idp-conftree.tar --exclude .git .`
68 changes: 68 additions & 0 deletions conf/access-control.xml
View file
@@ -0,0 +1,68 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!--
Map of access control policies used to limit access to administrative functions.
The purpose of the map is to label policies with a key/name so they can be reused.
-->

<!--
Use the "shibboleth.IPRangeAccessControl" parent bean for IP-based access control.
The ranges provided MUST be CIDR network expressions. To specify a single address,
add "/32" or "/128" for IPv4 or IPv6 respectively.
The additional examples below demonstrate how to control access by username
and by attribute(s), in the case of authenticated access to admin functions.
-->

<util:map id="shibboleth.AccessControlPolicies">

<entry key="AccessByIPAddress">
<bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
</entry>

<!--
<entry key="AccessByUser">
<bean parent="shibboleth.PredicateAccessControl">
<constructor-arg>
<bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
</constructor-arg>
</bean>
</entry>
-->

<!--
<entry key="AccessByAttribute">
<bean parent="shibboleth.PredicateAccessControl">
<constructor-arg>
<bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
<property name="attributeValueMap">
<map>
<entry key="eduPersonEntitlement">
<list>
<value>https://example.org/entitlement/idpadmin</value>
</list>
</entry>
</map>
</property>
</bean>
</constructor-arg>
</bean>
</entry>
-->

</util:map>

</beans>
53 changes: 53 additions & 0 deletions conf/admin/general-admin.xml
View file
@@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<util:list id="shibboleth.AvailableAdminFlows">

<!-- Status Page -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/status"
p:loggingId="%{idp.service.logging.status:Status}"
p:policyName="%{idp.status.accessPolicy:AccessByIPAddress}" />

<!-- Service Reload -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/reload-service-configuration"
p:loggingId="%{idp.service.logging.serviceReload:Reload}"
p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />

<!-- MetadataResolver Reload -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/reload-metadata"
p:loggingId="%{idp.service.logging.serviceReload:Reload}"
p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />

<!-- AttributeResolver Debugging -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/resolvertest"
p:loggingId="%{idp.service.logging.resolvertest:ResolverTest}"
p:policyName="%{idp.resolvertest.accessPolicy:AccessByIPAddress}" />

<!-- REST StorageService Access -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/storage"
p:loggingId="Storage"
p:policyName="AccessByIPAddress" />

<!-- REST Interface to Metrics -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/metrics"
p:loggingId="Metrics"
p:policyNameLookupStrategy-ref="shibboleth.metrics.AccessPolicyStrategy" />

</util:list>

</beans>
129 changes: 129 additions & 0 deletions conf/admin/metrics.xml
View file
@@ -0,0 +1,129 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!-- Metrics enablement / activation. -->

<!--
Register one or more of the built-in system metric sets available.
-->

<bean parent="shibboleth.metrics.RegisterMetricSets">
<property name="arguments">
<list>
<ref bean="shibboleth.metrics.CoreGaugeSet" />
<ref bean="shibboleth.metrics.IdPGaugeSet" />
<ref bean="shibboleth.metrics.LoggingGaugeSet" />
<ref bean="shibboleth.metrics.AccessControlGaugeSet" />
<ref bean="shibboleth.metrics.MetadataGaugeSet" />
<ref bean="shibboleth.metrics.NameIdentifierGaugeSet" />
<ref bean="shibboleth.metrics.RelyingPartyGaugeSet" />
<ref bean="shibboleth.metrics.AttributeResolverGaugeSet" />
<ref bean="shibboleth.metrics.AttributeFilterGaugeSet" />

<!--
<bean class="com.codahale.metrics.jvm.CachedThreadStatesGaugeSet"
c:_0="1" c:_1="#{T(java.util.concurrent.TimeUnit).MINUTES}" />
<bean class="com.codahale.metrics.jvm.ClassLoadingGaugeSet" />
<bean class="com.codahale.metrics.jvm.GarbageCollectorMetricSet" />
<bean class="com.codahale.metrics.jvm.MemoryUsageGaugeSet" />
-->
</list>
</property>
</bean>

<!-- Metrics REST API Configuration -->

<!--
The global metric set is available by default at /idp/profile/admin/metrics
Any pathinfo after that is assumed to identify specific named metrics. You can
create mappings here between a logical "group" name and an implementation of the
com.codahale.metrics.MetricFilter interface to specify which metrics to include.
-->
<util:map id="shibboleth.metrics.MetricGroups">
<entry key="core" value-ref="shibboleth.metrics.CoreGaugeSet" />
<entry key="idp" value-ref="shibboleth.metrics.IdPGaugeSet" />
<entry key="logging" value-ref="shibboleth.metrics.LoggingGaugeSet" />
<entry key="access" value-ref="shibboleth.metrics.AccessControlGaugeSet" />
<entry key="metadata" value-ref="shibboleth.metrics.MetadataGaugeSet" />
<entry key="nameid" value-ref="shibboleth.metrics.NameIdentifierGaugeSet" />
<entry key="relyingparty" value-ref="shibboleth.metrics.RelyingPartyGaugeSet" />
<entry key="resolver" value-ref="shibboleth.metrics.AttributeResolverGaugeSet" />
<entry key="filter" value-ref="shibboleth.metrics.AttributeFilterGaugeSet" />
</util:map>

<!-- If you don't specify an alternate access policy, this named policy will be enforced. -->
<bean id="shibboleth.metrics.DefaultAccessPolicy" class="java.lang.String" c:_0="AccessByIPAddress" />

<!--
To override the default access policy, map a metric name or
mapped group above to an alternative policy name.
-->
<util:map id="shibboleth.metrics.AccessPolicyMap">

</util:map>

<!--
In addition to the "pull" REST API for accessing metrics, a "push" reporter is also
available to upload a JSON feed to a URL. The example shown relies on standard JVM
trust configuration for TLS server verification.
The "start" method triggers the timer thread; the example pushes every 30 minutes.
-->
<!--
<bean id="PushReporter" parent="shibboleth.metrics.HTTPReporter" c:name="MyCollector"
p:collectorURL="https://log.example.org/cgi-bin/collector.cgi" />
<bean class="org.springframework.beans.factory.config.MethodInvokingBean"
p:targetObject-ref="PushReporter"
p:targetMethod="start">
<property name="arguments">
<list>
<value>30</value>
<util:constant static-field="java.util.concurrent.TimeUnit.MINUTES" />
</list>
</property>
</bean>
-->

<!-- IdP Metrics Configuration -->

<!--
A bean named shibboleth.metrics.MetricStrategy of type Function<ProfileRequestContext,Boolean>
can be defined to add timers and counters to a large range of objects in the system. Each timer is
defined by a triple (timer name, start object, stop object). Counters are just object/counter pairs.
The most common example is to start a timer when a particular flow action bean starts and
stop it when the same or different action bean stops, to measure how long the execution takes.
If you want to leave a timer in place but disabled to prevent overhead, you can turn off a
logging category named "metrics.<timername>" in your logging configuration.
-->
<!--
<bean id="shibboleth.metrics.MetricStrategy" parent="shibboleth.ContextFunctions.Scripted"
factory-method="inlineScript">
<constructor-arg>
<value>
<![CDATA[
metricCtx = input.getSubcontext("org.opensaml.profile.context.MetricContext");
metricCtx.addTimer("idp.attribute.resolution",
"ResolveAttributes",
"FilterAttributes"
);
true; // Signals success.
]]>
</value>
</constructor-arg>
</bean>
-->

</beans>
77 changes: 77 additions & 0 deletions conf/attribute-filter.xml
View file
@@ -0,0 +1,77 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is an EXAMPLE policy file. While the policy presented in this
example file is illustrative of some simple cases, it relies on the names of
non-existent example services and the example attributes demonstrated in the
default attribute-resolver.xml file.

Deployers should refer to the documentation for a complete list of components
and their options.
-->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
xmlns="urn:mace:shibboleth:2.0:afp"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

<!-- EXAMPLES -->
<!-- Release some attributes to an SP. -->
<!--
<AttributeFilterPolicy id="example1">
<PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />

<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>

<AttributeRule attributeID="uid">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>

<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>
-->
<!-- Release eduPersonAffiliation to two specific SPs. -->
<!--
<AttributeFilterPolicy id="example2">
<PolicyRequirementRule xsi:type="OR">
<Rule xsi:type="Requester" value="https://sp.example.org" />
<Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
</PolicyRequirementRule>

<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>
-->
<AttributeFilterPolicy id="releaseToAnyone">
<PolicyRequirementRule xsi:type="ANY" />

<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>

<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>

<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>

<AttributeRule attributeID="surname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>

<AttributeRule attributeID="displayName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>

<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>

</AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
292 changes: 292 additions & 0 deletions conf/attribute-resolver-full.xml
View file

Large diffs are not rendered by default.

94 changes: 94 additions & 0 deletions conf/attribute-resolver-ldap.xml
View file
@@ -0,0 +1,94 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is an EXAMPLE configuration file. While the configuration
presented in this example file is semi-functional, it isn't very
interesting. It is here only as a starting point for your deployment
process.
Very few attribute definitions and data connectors are demonstrated,
and use of LDAP is assumed, with the LDAP configuration primarily
supplied from the ldap.properties file.
Attribute-resolver-full.xml contains more examples of attributes,
encoders, and data connectors. Deployers should refer to the Shibboleth
documentation for a complete list of components and their options.
-->
<AttributeResolver
xmlns="urn:mace:shibboleth:2.0:resolver"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

<!-- ========================================== -->
<!-- Attribute Definitions -->
<!-- ========================================== -->

<!--
The EPPN is the "standard" federated username in higher ed.
For guidelines on the implementation of this attribute, refer
to the Shibboleth and eduPerson documentation. Above all, do
not expose a value for this attribute without considering the
long term implications.
-->
<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Prescoped" sourceAttributeID="eduPersonPrincipalName">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
<AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
</AttributeDefinition>

<!--
The uid is the closest thing to a "standard" LDAP attribute
representing a local username, but you should generally *never*
expose uid to federated services, as it is rarely globally unique.
-->
<AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
</AttributeDefinition>

<!--
In the rest of the world, the email address is the standard identifier,
despite the problems with that practice. Consider making the EPPN value
the same as your official email addresses whenever possible.
-->
<AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
</AttributeDefinition>

<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->

<!--
Example LDAP Connector
The connectivity details can be specified in ldap.properties to
share them with your authentication settings if desired.
-->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
principal="%{idp.attribute.resolver.LDAP.bindDN}"
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
<FilterTemplate>
<![CDATA[
%{idp.attribute.resolver.LDAP.searchFilter}
]]>
</FilterTemplate>
<ConnectionPool
minPoolSize="%{idp.pool.LDAP.minSize:3}"
maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
</DataConnector>

</AttributeResolver>
90 changes: 90 additions & 0 deletions conf/attribute-resolver.xml
View file
@@ -0,0 +1,90 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is an EXAMPLE configuration file. While the configuration
presented in this example file is semi-functional, it isn't very
interesting. It is here only as a starting point for your deployment
process.
Very few attribute definitions and data connectors are demonstrated,
and the data is derived statically from the logged-in username and a
static example connector.
Attribute-resolver-full.xml contains more examples of attributes,
encoders, and data connectors. Deployers should refer to the Shibboleth
documentation for a complete list of components and their options.
-->
<AttributeResolver
xmlns="urn:mace:shibboleth:2.0:resolver"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">


<!-- ========================================== -->
<!-- Attribute Definitions -->
<!-- ========================================== -->

<!--
The EPPN is the "standard" federated username in higher ed.
For guidelines on the implementation of this attribute, refer
to the Shibboleth and eduPerson documentation. Above all, do
not expose a value for this attribute without considering the
long term implications.
-->
<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
<Dependency ref="uid" />
<AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
<AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
</AttributeDefinition>

<AttributeDefinition xsi:type="Simple" id="givenName" sourceAttributeID="givenName">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
</AttributeDefinition>

<AttributeDefinition xsi:type="Simple" id="surname" sourceAttributeID="sn">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
</AttributeDefinition>

<AttributeDefinition xsi:type="Simple" id="displayName" sourceAttributeID="displayName">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
</AttributeDefinition>

<AttributeDefinition xsi:type="Simple" id="mail" sourceAttributeID="mail">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
</AttributeDefinition>


<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->

<DataConnector id="staticAttributes" xsi:type="Static">
<Attribute id="affiliation">
<Value>member</Value>
</Attribute>
</DataConnector>

<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
principal="%{idp.attribute.resolver.LDAP.bindDN}"
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
<FilterTemplate>
<![CDATA[
%{idp.attribute.resolver.LDAP.searchFilter}
]]>
</FilterTemplate>
<dc:ReturnAttributes>givenName sn displayName mail uid</dc:ReturnAttributes>
</DataConnector>

</AttributeResolver>
32 changes: 32 additions & 0 deletions conf/audit.xml
View file
@@ -0,0 +1,32 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!--
This bean defines a mapping between audit log categories and formatting strings. The default entry is
for compatibility with V2 audit logging.
-->
<util:map id="shibboleth.AuditFormattingMap">
<entry key="Shibboleth-Audit" value="%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|" />
</util:map>

<!-- Override the format of date/time fields in the log and/or convert to default time zone. -->
<!--
<bean id="shibboleth.AuditDateTimeFormat" class="java.lang.String" c:_0="YYYY-MM-dd'T'HH:mm:ss.SSSZZ" />
<util:constant id="shibboleth.AuditDefaultTimeZone" static-field="java.lang.Boolean.TRUE" />
-->

<!-- Allows auditing to be disabled selectively for particular profiles/flows. -->
<util:list id="shibboleth.AuditSuppressedProfiles">
<value>http://shibboleth.net/ns/profiles/status</value>
</util:list>

</beans>
77 changes: 77 additions & 0 deletions conf/authn/authn-comparison.xml
View file
@@ -0,0 +1,77 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!--
These beans can be used in the AuthnComparisonRules map below instead of the defaults to
support more advanced matching rules. The top example shows how to configure a matching rule,
in this case a rule that the two listed classes are "better" than the password class.
To use these beans, configure the matchingRules map as desired, and then reference the bean id in the
desired value-ref slot in the AuthnComparisonRules map.
-->

<bean id="shibboleth.BetterClassRefMatchFactory" parent="shibboleth.InexactMatchFactory">
<!--
<property name="matchingRules">
<map>
<entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:Password">
<list>
<value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value>
<value>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</value>
</list>
</entry>
</map>
</property>
-->
</bean>

<bean id="shibboleth.MinimumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" />

<bean id="shibboleth.MaximumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" />

<!-- DeclRefs are rarely used in SAML, so you likely won't bother with these. -->
<bean id="shibboleth.BetterDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
<bean id="shibboleth.MinimumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
<bean id="shibboleth.MaximumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />


<!-- Registry of matching rules. -->

<util:map id="shibboleth.AuthnComparisonRules">

<!-- Exact matching, should be left alone to avoid tricking the IdP into behaving incorrectly. -->
<entry key-ref="shibboleth.SAMLAuthnMethodExact" value-ref="shibboleth.ExactMatchFactory"/>
<entry key-ref="shibboleth.SAMLACClassRefExact" value-ref="shibboleth.ExactMatchFactory"/>
<entry key-ref="shibboleth.SAMLACDeclRefExact" value-ref="shibboleth.ExactMatchFactory"/>

<!-- Minimum matching, leave to allow degeneration into exact, or replace with custom rules. -->
<entry key-ref="shibboleth.SAMLACClassRefMinimum" value-ref="shibboleth.ExactMatchFactory"/>
<entry key-ref="shibboleth.SAMLACDeclRefMinimum" value-ref="shibboleth.ExactMatchFactory"/>

<!-- Maximum matching, leave to allow degeneration into exact, or replace with custom rules. -->
<entry key-ref="shibboleth.SAMLACClassRefMaximum" value-ref="shibboleth.ExactMatchFactory"/>
<entry key-ref="shibboleth.SAMLACDeclRefMaximum" value-ref="shibboleth.ExactMatchFactory"/>

<!-- Better matching, refers to empty ruleset that has to be populated to work. -->
<entry key-ref="shibboleth.SAMLACClassRefBetter" value-ref="shibboleth.BetterClassRefMatchFactory"/>
<entry key-ref="shibboleth.SAMLACDeclRefBetter" value-ref="shibboleth.BetterDeclRefMatchFactory"/>

</util:map>

<!-- List of context classes or declarations to ignore if an SP requests them. -->

<util:list id="shibboleth.IgnoredContexts">
<value>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</value>
</util:list>

</beans>
18 changes: 18 additions & 0 deletions conf/authn/authn-events-flow.xml
View file
@@ -0,0 +1,18 @@
<flow xmlns="http://www.springframework.org/schema/webflow"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
abstract="true">

<!-- ADVANCED USE ONLY -->

<!--
You can ignore this file unless you are creating your own custom login subflows that want to
report custom events in response to unusual error or warning conditions.
-->

<!-- Custom error events to reflect back from user-supplied login subflows. -->
<!--
<end-state id="MyCustomEvent" />
-->

</flow>
25 changes: 25 additions & 0 deletions conf/authn/duo-authn-config.xml
View file
@@ -0,0 +1,25 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize" default-destroy-method="destroy">

<!--
By default, the Duo flow will use a statically-defined integration defined with the
duo.properties file. If you need more flexibility, you can define a function bean
called "shibboleth.authn.Duo.DuoIntegrationStrategy" to return an instance of
net.shibboleth.idp.authn.duo.DuoIntegration based on the state of the request.
The Duo flow is designed to operate in conjunction with some other login flow,
usually orchestrated by the MFA login flow. It obtains the username to send to
Duo based on the output of the other login flow or a previous session with the
user. You can override that approach using a function bean called
"shibboleth.authn.Duo.UsernameLookupStrategy" to supply the username from a
different source.
-->

</beans>
9 changes: 9 additions & 0 deletions conf/authn/duo.properties
View file
@@ -0,0 +1,9 @@
# Duo integration settings

# Note: If upgrading from pre-3.3 IdP versions, you will need to manually add a pointer
# to this property file to idp.properties.

idp.duo.apiHost = hostname
idp.duo.applicationKey = key
idp.duo.integrationKey = key
idp.duo.secretKey = key
70 changes: 70 additions & 0 deletions conf/authn/external-authn-config.xml
View file
@@ -0,0 +1,70 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!-- Servlet context-relative path to wherever your implementation lives. -->
<bean id="shibboleth.authn.External.externalAuthnPath" class="java.lang.String"
c:_0="contextRelative:Authn/External" />

<!--
Default is to always use the path in the bean above. If you want to determine it
dynamically, define a bean called "shibboleth.authn.External.externalAuthnPathStrategy"
of type Function<ProfileRequestContext,String> that returns the path to use.
-->

<!--
Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
You would normally only unset this if you plan to return a fully decorated Java Subject from your
external authentication source.
-->
<util:constant id="shibboleth.authn.External.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />

<!--
<bean id="shibboleth.authn.External.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
c:_0="^(.+)@example\.edu]$" />
-->

<!--
Define entries here to map error messages returned by external modules and classify them as particular
kinds of errors for use in your templates and as events in flows.
Keys are events to signal, values are error codes.
The examples here just allow external signaling of the exact type of condition to record.
If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
-->
<util:map id="shibboleth.authn.External.ClassifiedMessageMap">
<entry key="UnknownUsername">
<list>
<value>UnknownUsername</value>
</list>
</entry>
<entry key="InvalidPassword">
<list>
<value>InvalidPassword</value>
</list>
</entry>
<entry key="ExpiredPassword">
<list>
<value>ExpiredPassword</value>
</list>
</entry>
<entry key="ExpiringPassword">
<list>
<value>ExpiringPassword</value>
</list>
</entry>
</util:map>

</beans>
156 changes: 156 additions & 0 deletions conf/authn/general-authn.xml
View file
@@ -0,0 +1,156 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!--
This file provisions the IdP with information about the configured login mechanisms available for use.
The actual beans and subflows that make up those mechanisms are in their own files, but this pulls them
together with deployer-supplied metadata to describe them to the system.
You can turn on and off individual mechanisms by adding and remove them here. Nothing left out will
be used, regardless any other files loaded by the Spring container.
Flow defaults include: no support for IsPassive/ForceAuthn, support for non-browser clients enabled,
and default timeout and lifetime values set via properties. We also default to supporting the SAML 1/2
expressions for password-based authentication over a secure channel, so anything more exotic requires
customization, as the examples below for IP address and SPNEGO authentication illustrate.
-->

<util:list id="shibboleth.AvailableAuthenticationFlows">

<bean id="authn/IPAddress" parent="shibboleth.AuthenticationFlow"
p:passiveAuthenticationSupported="true"
p:lifetime="PT60S" p:inactivityTimeout="PT60S">
<property name="supportedPrincipals">
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
</list>
</property>
</bean>

<bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow"
p:nonBrowserSupported="false">
<property name="supportedPrincipals">
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:ietf:rfc:1510" />
</list>
</property>
</bean>

<bean id="authn/External" parent="shibboleth.AuthenticationFlow"
p:nonBrowserSupported="false" />

<bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow"
p:nonBrowserSupported="false" />

<bean id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow" />

<bean id="authn/X509" parent="shibboleth.AuthenticationFlow"
p:nonBrowserSupported="false">
<property name="supportedPrincipals">
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:ietf:rfc:2246" />
</list>
</property>
</bean>

<bean id="authn/X509Internal" parent="shibboleth.AuthenticationFlow">
<property name="supportedPrincipals">
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:ietf:rfc:2246" />
</list>
</property>
</bean>

<bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
p:passiveAuthenticationSupported="true"
p:forcedAuthenticationSupported="true" />

<bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
p:forcedAuthenticationSupported="true"
p:nonBrowserSupported="false">
<!--
The list below should be changed to reflect whatever locally- or
community-defined values are appropriate to represent MFA. It is
strongly advised that the value not be specific to Duo or any
particular technology.
-->
<property name="supportedPrincipals">
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="http://example.org/ac/classes/mfa" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="http://example.org/ac/classes/mfa" />
</list>
</property>
</bean>

<bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
p:passiveAuthenticationSupported="true"
p:forcedAuthenticationSupported="true">
<!--
The list below almost certainly requires changes, and should generally be the
union of any of the separate factors you combine in your particular MFA flow
rules. The example corresponds to the example in mfa-authn-config.xml that
combines IPAddress with Password.
-->
<property name="supportedPrincipals">
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
</list>
</property>
</bean>

</util:list>

<!--
This is a map used to "weight" particular methods above others if the IdP has to randomly select one
to insert into a SAML authentication statement. The typical use shown below is to bias the IdP in favor
of expressing the SAML 2 PasswordProtectedTransport class over the more vanilla Password class on the
assumption that the IdP doesn't accept passwords via an insecure channel. This map never causes the IdP
to violate its matching rules if an RP requests a particular value; it only matters when nothing specific
is chosen. Anything not in the map has a weight of zero.
-->

<util:map id="shibboleth.AuthenticationPrincipalWeightMap">
<entry>
<key>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
</key>
<value>1</value>
</entry>
</util:map>

</beans>
37 changes: 37 additions & 0 deletions conf/authn/ipaddress-authn-config.xml
View file
@@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">


<!-- Apply any regular expression replacement pairs to address before validation. -->
<util:list id="shibboleth.authn.IPAddress.Transforms" />

<!--
Configure the address range(s) and principal name(s) for IP-based login here.
The ranges provided MUST be CIDR network expressions. To specify a single address,
add "/32" or "/128" for IPv4 or IPv6 respectively.
-->


<util:map id="shibboleth.authn.IPAddress.Mappings">
<!--
<entry key="jdoe">
<list>
<value>127.0.0.1/32</value>
<value>::1/128</value>
</list>
</entry>
-->
</util:map>

</beans>
27 changes: 27 additions & 0 deletions conf/authn/jaas-authn-config.xml
View file
@@ -0,0 +1,27 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!-- Specify your JAAS config. -->
<bean id="JAASConfig" class="org.springframework.core.io.FileSystemResource" c:path="%{idp.home}/conf/authn/jaas.config" />

<util:property-path id="shibboleth.authn.JAAS.JAASConfigURI" path="JAASConfig.URI" />

<!-- Specify the application name(s) in the JAAS config. -->
<util:list id="shibboleth.authn.JAAS.LoginConfigNames">
<value>ShibUserPassAuth</value>
</util:list>

<alias name="ValidateUsernamePasswordAgainstJAAS" alias="ValidateUsernamePassword"/>

</beans>
11 changes: 11 additions & 0 deletions conf/authn/jaas.config
View file
@@ -0,0 +1,11 @@
ShibUserPassAuth {
/*
com.sun.security.auth.module.Krb5LoginModule required;
*/

org.ldaptive.jaas.LdapLoginModule required
ldapUrl="ldap://localhost:10389"
baseDn="ou=people,dc=example,dc=org"
userFilter="uid={user}";

};
31 changes: 31 additions & 0 deletions conf/authn/krb5-authn-config.xml
View file
@@ -0,0 +1,31 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<util:constant id="shibboleth.authn.Krb5.RefreshConfig" static-field="java.lang.Boolean.FALSE" />

<util:constant id="shibboleth.authn.Krb5.PreserveTicket" static-field="java.lang.Boolean.FALSE" />

<!--
Uncomment these beans to perform KDC verification using a service principal and keytab.
The keytab bean must be an absolute file pathname and not a reference to a classpath resource,
so if idp.home is not a path, don't use it in the value.
-->

<bean id="shibboleth.authn.Krb5.ServicePrincipal" class="java.lang.String" c:_0="HTTP/idp.testbed.tier.internet2.edu@TESTBED.TIER.INTERNET2.EDU" />
<bean id="shibboleth.authn.Krb5.Keytab" class="java.lang.String" c:_0="%{idp.home}/credentials/http.keytab" />


<alias name="ValidateUsernamePasswordAgainstKerberos" alias="ValidateUsernamePassword"/>

</beans>
135 changes: 135 additions & 0 deletions conf/authn/ldap-authn-config.xml
View file
@@ -0,0 +1,135 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy"
default-lazy-init="true">

<alias name="%{idp.authn.LDAP.authenticator:anonSearchAuthenticator}" alias="shibboleth.authn.LDAP.authenticator" />
<bean id="shibboleth.authn.LDAP.returnAttributes" parent="shibboleth.CommaDelimStringArray">
<constructor-arg type="java.lang.String" value="%{idp.authn.LDAP.returnAttributes:1.1}" />
</bean>

<alias name="ValidateUsernamePasswordAgainstLDAP" alias="ValidateUsernamePassword" />

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true" p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
p:useSSL="%{idp.authn.LDAP.useSSL:false}"
p:connectTimeoutDuration="%{idp.authn.LDAP.connectTimeout:PT3S}"
p:responseTimeoutDuration="%{idp.authn.LDAP.responseTimeout:PT3S}"
p:sslConfig-ref="sslConfig" />

<alias name="%{idp.authn.LDAP.sslConfig:certificateTrust}" alias="sslConfig" />

<bean id="jvmTrust" class="org.ldaptive.ssl.SslConfig" />
<bean id="certificateTrust" class="org.ldaptive.ssl.SslConfig">
<property name="credentialConfig">
<bean parent="shibboleth.X509ResourceCredentialConfig" p:trustCertificates="%{idp.authn.LDAP.trustCertificates:undefined}" />
</property>
</bean>
<bean id="keyStoreTrust" class="org.ldaptive.ssl.SslConfig">
<property name="credentialConfig">
<bean parent="shibboleth.KeystoreResourceCredentialConfig" p:truststore="%{idp.authn.LDAP.trustStore:undefined}" />
</property>
</bean>

<!-- Authentication handler -->
<bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler" p:connectionFactory-ref="bindPooledConnectionFactory" />
<bean id="bindPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" p:connectionPool-ref="bindConnectionPool" />
<bean id="bindConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
p:connectionFactory-ref="bindConnectionFactory" p:name="bind-pool" />
<bean id="bindConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindConnectionConfig" />
<bean id="bindConnectionConfig" parent="connectionConfig" />

<!-- Format DN resolution -->
<bean id="formatDnResolver" class="org.ldaptive.auth.FormatDnResolver" p:format="%{idp.authn.LDAP.dnFormat:undefined}" />

<!-- Pool Configuration -->
<bean id="connectionPool" class="org.ldaptive.pool.BlockingConnectionPool" abstract="true"
p:blockWaitTimeDuration="%{idp.pool.LDAP.blockWaitTime:PT3S}"
p:poolConfig-ref="poolConfig"
p:pruneStrategy-ref="pruneStrategy"
p:validator-ref="searchValidator"
p:failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
<bean id="poolConfig" class="org.ldaptive.pool.PoolConfig"
p:minPoolSize="%{idp.pool.LDAP.minSize:3}"
p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}"
p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
p:validatePeriodDuration="%{idp.pool.LDAP.validatePeriod:PT5M}" />
<bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
p:prunePeriodDuration="%{idp.pool.LDAP.prunePeriod:PT5M}"
p:idleTimeDuration="%{idp.pool.LDAP.idleTime:PT10M}" />
<bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />

<!-- Anonymous Search Configuration -->
<bean name="anonSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
<constructor-arg index="0" ref="anonSearchDnResolver" />
<constructor-arg index="1" ref="authHandler" />
</bean>
<bean id="anonSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver"
p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
p:connectionFactory-ref="anonSearchPooledConnectionFactory" >
<constructor-arg index="0" ref="shibboleth.VelocityEngine" />
<constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
</bean>
<bean id="anonSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
p:connectionPool-ref="anonSearchConnectionPool" />
<bean id="anonSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
p:connectionFactory-ref="anonSearchConnectionFactory" p:name="search-pool" />
<bean id="anonSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="anonSearchConnectionConfig" />
<bean id="anonSearchConnectionConfig" parent="connectionConfig" />

<!-- Bind Search Configuration -->
<bean name="bindSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
<constructor-arg index="0" ref="bindSearchDnResolver" />
<constructor-arg index="1" ref="authHandler" />
</bean>
<bean id="bindSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver"
p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
p:connectionFactory-ref="bindSearchPooledConnectionFactory" >
<constructor-arg index="0" ref="shibboleth.VelocityEngine" />
<constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
</bean>
<bean id="bindSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
p:connectionPool-ref="bindSearchConnectionPool" />
<bean id="bindSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
p:connectionFactory-ref="bindSearchConnectionFactory" p:name="search-pool" />
<bean id="bindSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindSearchConnectionConfig" />
<bean id="bindSearchConnectionConfig" parent="connectionConfig" p:connectionInitializer-ref="bindConnectionInitializer" />
<bean id="bindConnectionInitializer" class="org.ldaptive.BindConnectionInitializer"
p:bindDn="#{'%{idp.authn.LDAP.bindDN:undefined}'.trim()}">
<property name="bindCredential">
<bean class="org.ldaptive.Credential">
<constructor-arg value="%{idp.authn.LDAP.bindDNCredential:undefined}" />
</bean>
</property>
</bean>

<!-- Direct Search Configuration -->
<bean name="directAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
<constructor-arg index="0" ref="formatDnResolver" />
<constructor-arg index="1" ref="authHandler" />
</bean>

<!-- Want to use ppolicy? Configure support by adding <bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler"
/> add p:authenticationResponseHandlers-ref="authenticationResponseHandler" to the authenticator <bean id="authenticationControl"
class="org.ldaptive.control.PasswordPolicyControl" /> add p:authenticationControls-ref="authenticationControl" to the authHandler -->

<!-- Active Directory Configuration -->
<bean id="adAuthenticator" class="org.ldaptive.auth.Authenticator" p:authenticationResponseHandlers-ref="authenticationResponseHandler"
p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
<constructor-arg index="0" ref="formatDnResolver" />
<constructor-arg index="1" ref="authHandler" />
</bean>
<bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" />

</beans>
94 changes: 94 additions & 0 deletions conf/authn/mfa-authn-config.xml
View file
@@ -0,0 +1,94 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!--
This is a map of transition rules that guide the behavior of the MFA flow
and controls how factors are sequenced, skipped, etc. The key of each entry
is the name of the step/flow out of which control is passing. The starting
rule has an empty key.
Each entry is a bean inherited from "shibboleth.authn.MFA.Transition". Per
the Javadoc for net.shibboleth.idp.authn.MultiFactorAuthenticationTransition:
p:nextFlow (String)
- A flow to run if the previous step signaled a "proceed" event, for simple
transitions.
p:nextFlowStrategy (Function<ProfileRequestContext,String>)
- A function to run if the previous step signaled a "proceed" event, for dynamic
transitions. Returning null ends the MFA process.
p:nextFlowStrategyMap (Map<String,Object> where Object is String or Function<ProfileRequestContext,String>)
- Fully dynamic way of expressing control paths. Map is keyed by a previously
signaled event and the value is a flow to run or a function to
return the flow to run. Returning null ends the MFA process.
When no rule is provided, there's an implicit "null" that ends the MFA flow
with whatever event was last signaled. If the "proceed" event from a step is
the final event, then the MFA process attempts to complete itself successfully.
-->
<util:map id="shibboleth.authn.MFA.TransitionMap">
<!-- First rule runs the IPAddress login flow. -->
<entry key="">
<bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/IPAddress" />
</entry>

<!--
Second rule runs a function if IPAddress succeeds, to determine whether an additional
factor is required.
-->
<entry key="authn/IPAddress">
<bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
</entry>

<!-- An implicit final rule will return whatever the final flow returns. -->
</util:map>

<!-- Example script to see if second factor is required. -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
p:customObject-ref="shibboleth.AttributeResolverService">
<constructor-arg>
<value>
<![CDATA[
nextFlow = "authn/Password";
// Go straight to second factor if we have to, or set up for an attribute lookup first.
authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
if (mfaCtx.isAcceptable()) {
// Attribute check is required to decide if first factor alone is enough.
resCtx = input.getSubcontext(
"net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
resCtx.setPrincipal(input.getSubcontext(
"net.shibboleth.idp.authn.context.SubjectCanonicalizationContext").getPrincipalName());
resCtx.getRequestedIdPAttributeNames().add("allowedLoginMethods");
resCtx.resolveAttributes(custom);
// Check for an attribute that authorizes use of first factor.
attribute = resCtx.getResolvedIdPAttributes().get("allowedLoginMethods");
valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
if (attribute != null && attribute.getValues().contains(new valueType("IPAddress"))) {
nextFlow = null;
}
input.removeSubcontext(resCtx); // cleanup
}
nextFlow; // pass control to second factor or end with the first
]]>
</value>
</constructor-arg>
</bean>

</beans>
121 changes: 121 additions & 0 deletions conf/authn/password-authn-config.xml
View file
@@ -0,0 +1,121 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!-- Choose an import based on the back-end you want to use. -->
<!-- <import resource="jaas-authn-config.xml" /> -->
<import resource="krb5-authn-config.xml" />
<!--<import resource="ldap-authn-config.xml" />-->


<!-- Names of form fields to pull username and password from. -->
<bean id="shibboleth.authn.Password.UsernameFieldName" class="java.lang.String" c:_0="j_username" />
<bean id="shibboleth.authn.Password.PasswordFieldName" class="java.lang.String" c:_0="j_password" />
<bean id="shibboleth.authn.Password.SSOBypassFieldName" class="java.lang.String" c:_0="donotcache" />

<!-- Simple transforms to apply to username before validation. -->
<util:constant id="shibboleth.authn.Password.Lowercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.authn.Password.Uppercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.authn.Password.Trim" static-field="java.lang.Boolean.TRUE"/>

<!-- Set to TRUE if you want the password kept in the resulting Subject as a private credential. -->
<util:constant id="shibboleth.authn.Password.RetainAsPrivateCredential" static-field="java.lang.Boolean.FALSE"/>

<!-- Apply any regular expression replacement pairs to username before validation. -->
<util:list id="shibboleth.authn.Password.Transforms">
<!--
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
-->
</util:list>

<!-- Uncomment to configure account lockout backed by in-memory storage. -->
<!--
<bean id="shibboleth.authn.Password.AccountLockoutManager"
parent="shibboleth.StorageBackedAccountLockoutManager"
p:maxAttempts="5"
p:counterInterval="PT5M"
p:lockoutDuration="PT5M"
p:extendLockoutDuration="false" />
-->

<!--
Define entries here to map error messages detected by validation actions and classify them as particular
kinds of errors for use in your templates and as events in flows.
Keys are events to signal, values are error codes.
-->
<util:map id="shibboleth.authn.Password.ClassifiedMessageMap">
<entry key="UnknownUsername">
<list>
<value>NoCredentials</value>
<value>CLIENT_NOT_FOUND</value>
<value>Client not found</value>
<value>DN_RESOLUTION_FAILURE</value>
</list>
</entry>
<entry key="InvalidPassword">
<list>
<value>InvalidCredentials</value>
<value>PREAUTH_FAILED</value>
<value>INVALID_CREDENTIALS</value>
<value>Checksum failed</value>
</list>
</entry>
<entry key="AccountLocked">
<list>
<value>AccountLocked</value>
<value>Clients credentials have been revoked</value>
</list>
</entry>
<entry key="ExpiredPassword">
<list>
<value>PASSWORD_EXPIRED</value>
</list>
</entry>
<entry key="ExpiringPassword">
<list>
<value>ACCOUNT_WARNING</value>
</list>
</entry>
</util:map>

<!--
Configuration of "extended" login methods to offer in the password login form.
The String bean is a regular expression identifying the flows to offer. These flows
must also be enabled at the "top" level to be available for use.
The ExtendedFlowParameters bean can be used to transfer custom parameters from the
login form into the context tree for use later by other flows.
The last bean provides the set of custom Principals to use for results produced by the
Password flow itself. You would use this if you need the Password flow to run as a shell
to run the "extended" login methods, but want to limit its own results more narrowly.
-->
<!--
<bean id="shibboleth.authn.Password.ExtendedFlows" class="java.lang.String" c:_0="" />
<util:list id="shibboleth.authn.Password.ExtendedFlowParameters">
</util:list>
<util:list id="shibboleth.authn.Password.PrincipalOverride">
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
</util:list>
-->

</beans>
75 changes: 75 additions & 0 deletions conf/authn/remoteuser-authn-config.xml
View file
@@ -0,0 +1,75 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!-- Servlet context-relative path to wherever your implementation lives. -->
<bean id="shibboleth.authn.RemoteUser.externalAuthnPath" class="java.lang.String"
c:_0="contextRelative:Authn/RemoteUser" />

<!--
Default is to always use the path in the bean above. If you want to determine it
dynamically, define a bean called "shibboleth.authn.RemoteUser.externalAuthnPathStrategy"
of type Function<ProfileRequestContext,String> that returns the path to use.
-->

<!--
Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
You would normally only unset this if you plan to use the authnMethodHeader servlet parameter to
supply authentication method string(s) from the external authentication system.
-->
<util:constant id="shibboleth.authn.RemoteUser.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />

<!--
<bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
c:_0="^(.+)@example\.edu]$" />
-->

<!--
Define entries here to map error messages returned by external modules and classify them as particular
kinds of errors for use in your templates and as events in flows.
Keys are events to signal, values are error codes.
The examples here just allow external signaling of an exact condition.
If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
-->
<util:map id="shibboleth.authn.RemoteUser.ClassifiedMessageMap">
<entry key="ReselectFlow">
<list>
<value>NoCredentials</value>
</list>
</entry>
<entry key="UnknownUsername">
<list>
<value>UnknownUsername</value>
</list>
</entry>
<entry key="InvalidPassword">
<list>
<value>InvalidPassword</value>
</list>
</entry>
<entry key="ExpiredPassword">
<list>
<value>ExpiredPassword</value>
</list>
</entry>
<entry key="ExpiringPassword">
<list>
<value>ExpiringPassword</value>
</list>
</entry>
</util:map>

</beans>
63 changes: 63 additions & 0 deletions conf/authn/remoteuser-internal-authn-config.xml
View file
@@ -0,0 +1,63 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!-- Check getRemoteUser() for identity (the typical case). -->
<util:constant id="shibboleth.authn.RemoteUser.checkRemoteUser" static-field="java.lang.Boolean.TRUE"/>

<!-- Populate one or both of the lists below to define HTTP headers or Servlet Attributes to check. -->

<util:list id="shibboleth.authn.RemoteUser.checkHeaders">
<!--
<value>User-Identity</value>
-->
</util:list>

<util:list id="shibboleth.authn.RemoteUser.checkAttributes">
<!--
<value>User-Identity</value>
-->
</util:list>

<!-- Simple transforms to apply to username before validation. -->
<util:constant id="shibboleth.authn.RemoteUser.Lowercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.authn.RemoteUser.Uppercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.authn.RemoteUser.Trim" static-field="java.lang.Boolean.TRUE"/>

<!-- Apply any regular expression replacement pairs before validation. -->
<util:list id="shibboleth.authn.RemoteUser.Transforms">
<!--
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
-->
</util:list>

<!-- Uncomment/configure to install username whitelist, blacklist, and/or match expressions. -->

<util:list id="shibboleth.authn.RemoteUser.whitelistedUsernames">
<!--
<value>goodguy</value>
-->
</util:list>

<util:list id="shibboleth.authn.RemoteUser.blacklistedUsernames">
<!--
<value>badguy</value>
-->
</util:list>

<!--
<bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
c:_0="^(.+)@example\.edu]$" />
-->

</beans>
74 changes: 74 additions & 0 deletions conf/authn/spnego-authn-config.xml
View file
@@ -0,0 +1,74 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!-- General Configuration -->

<!--
Enforce running SPNEGO for all users, independent of user's autologin state.
TRUE means that SPNEGO login is always tried (if available).
FALSE means that SPNEGO login is run only if the user has enabled autologin.
-->
<util:constant id="shibboleth.authn.SPNEGO.EnforceRun" static-field="java.lang.Boolean.FALSE" />

<!-- Kerberos Configuration-->

<!-- General Kerberos Settings -->

<util:constant id="shibboleth.authn.SPNEGO.Krb5.RefreshConfig" static-field="java.lang.Boolean.FALSE" />

<!-- Kerberos Service Principal(s) -->

<!--
For each service principal/realm, a "RealmSettings" bean must be created.
For each "RealmSettings" bean, the following settings are supported:
p:servicePrincipal: - kerberos service principal (required)
p:keytab: - path to the keytab file containing the kerberos service principal's credentials
(optional; either "p:keytab" or "p:password" is required)
p:password: - kerberos service principal's password
(optional; either "p:keytab" or "p:password" is required)
-->
<util:list id="shibboleth.authn.SPNEGO.Krb5.Realms">

<bean parent="shibboleth.KerberosRealmSettings"
p:servicePrincipal="HTTP/aai-logon.domain_a.com@DOMAIN_A.COM"
p:keytab="%{idp.home}/credentials/http_domainA.keytab" />

</util:list>

<!--
<bean id="shibboleth.authn.SPNEGO.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
c:_0="^(.+)@example\.edu]$" />
-->

<!--
Define entries here to map events or error messages returned by the SPNEGO module
and classify them as particular kinds of errors for use in your templates and as
events in flows.
Keys are events to signal, values are error codes.
-->
<util:map id="shibboleth.authn.SPNEGO.ClassifiedMessageMap">
<entry key="SPNEGONotAvailable">
<list>
<value>SPNEGONotAvailable</value>
</list>
</entry>
<entry key="NTLMUnsupported">
<list>
<value>NTLMUnsupported</value>
</list>
</entry>
</util:map>

</beans>
44 changes: 44 additions & 0 deletions conf/authn/x509-authn-config.xml
View file
@@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!-- Servlet context-relative path to wherever your implementation lives. -->
<bean id="shibboleth.authn.X509.externalAuthnPath" class="java.lang.String"
c:_0="contextRelative:x509-prompt.jsp" />

<!--
Default is to always use the path in the bean above. If you want to determine it
dynamically, define a bean called "shibboleth.authn.X509.externalAuthnPathStrategy"
of type Function<ProfileRequestContext,String> that returns the path to use.
-->

<!--
Define entries here to map error messages returned by external modules and classify them as particular
kinds of errors for use in your templates and as events in flows.
Keys are events to signal, values are error codes.
The examples here just allow external signaling of an exact condition.
If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
-->
<util:map id="shibboleth.authn.X509.ClassifiedMessageMap">
<entry key="ReselectFlow">
<list>
<value>NoCredentials</value>
<value>InvalidCredentials</value>
</list>
</entry>
</util:map>

</beans>
21 changes: 21 additions & 0 deletions conf/authn/x509-internal-authn-config.xml
View file
@@ -0,0 +1,21 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!--
You can define a TrustEngine to apply to any candidate certificates by defining a bean named
"shibboleth.authn.X509.TrustEngine". You could also define that in conf/global.xml if you need
to share one between the internal and external versions of this flow.
-->

</beans>
44 changes: 44 additions & 0 deletions conf/c14n/attribute-sourced-subject-c14n-config.xml
View file
@@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!--
A list of attributes to resolve for normalizing the subject. For example, you might
intend to lookup a uid in a directory based on what the user entered. You can make this
an empty list if you just want to resolve everything you normally would.
-->
<util:list id="shibboleth.c14n.attribute.AttributesToResolve">
<value>altuid</value>
</util:list>

<!--
A list of attributes to search for a value to produce as the normalized subject name.
This will normally be something you resolve above.
-->
<util:list id="shibboleth.c14n.attribute.AttributeSourceIds">
<value>altuid</value>
</util:list>

<!-- Simple transforms to apply to attribute value used for canonicalization result. -->
<util:constant id="shibboleth.c14n.attribute.Lowercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.c14n.attribute.Uppercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.c14n.attribute.Trim" static-field="java.lang.Boolean.TRUE"/>

<!-- Apply any regular expression replacement pairs. -->
<util:list id="shibboleth.c14n.attribute.Transforms">
<!--
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
-->
</util:list>

</beans>
27 changes: 27 additions & 0 deletions conf/c14n/simple-subject-c14n-config.xml
View file
@@ -0,0 +1,27 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!-- Simple transforms to apply to username after authentication. -->
<util:constant id="shibboleth.c14n.simple.Lowercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.c14n.simple.Uppercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.c14n.simple.Trim" static-field="java.lang.Boolean.TRUE"/>

<!-- Apply any regular expression replacement pairs after authentication. -->
<util:list id="shibboleth.c14n.simple.Transforms">
<!--
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
-->
</util:list>

</beans>
18 changes: 18 additions & 0 deletions conf/c14n/subject-c14n-events-flow.xml
View file
@@ -0,0 +1,18 @@
<flow xmlns="http://www.springframework.org/schema/webflow"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
abstract="true">

<!-- ADVANCED USE ONLY -->

<!--
You can ignore this file unless you are creating your own custom c14n subflows that want to
report custom events in response to unusual error or warning conditions.
-->

<!-- Custom error events to reflect back from user-supplied c14n subflows. -->
<!--
<end-state id="MyCustomEvent" />
-->

</flow>
109 changes: 109 additions & 0 deletions conf/c14n/subject-c14n.xml
View file
@@ -0,0 +1,109 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!-- ========================= Java Subject -> Principal Mapping ========================= -->

<!--
These are lists of Subject Canonicalization flows that turn complex Subject data into a string-based
principal name that the rest of the IdP can operate on. They're used both after authentication and
during operations like SAML attribute queries, to map the SAML Subject into a principal name.
Flows are identified with an ID that corresponds to a Spring Web Flow subflow name.
-->

<!-- Flows used after authentication to produce canonical principal name. -->
<util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
<!--
This is an advanced post-login step that performs attribute resolution and then produces a username
from an attribute value. Most of this configuration is handled by attribute-sourced-c14n-config.xml.
To enable universally, just uncomment, but if you want it to run under more specific conditions,
set an activationCondition property to a condition function to use to control when it should run.
-->
<!-- <bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" /> -->

<!--
This is an alternative that handles Subjects containing an X500Principal object and
allows extraction from the DN.
-->
<ref bean="c14n/x500" />

<!--
This is the standard post-login step that returns a username derived from the login process. If you
have more complex needs such as mapping a certificate DN into a principal name, an alternative may
be required such as that above, but you can configure simple transforms in simple-subject-c14n-config.xml
-->
<ref bean="c14n/simple" />
</util:list>

<!--
Flows used during SAML requests to reverse-map NameIdentifiers/NameIDs. The actual beans defining these
flows are in a system file. Below the list are some settings that might be useful to adjust.
-->
<util:list id="shibboleth.SAMLSubjectCanonicalizationFlows">

<!--
This is installed to support the old mechanism of using PrincipalConnectors in the attribute resolver
to map SAML Subjects back into principals. If you don't use those (or this is a new install) you can
remove this.
-->
<ref bean="c14n/LegacyPrincipalConnector" />

<!-- The next four are for handling transient IDs (in-storage and stateless variants). -->
<ref bean="c14n/SAML2Transient" />
<ref bean="c14n/SAML2CryptoTransient" />
<ref bean="c14n/SAML1Transient" />
<ref bean="c14n/SAML1CryptoTransient" />

<!-- Handle a SAML 2 persistent ID, provided a stored strategy is in use. -->
<!-- <ref bean="c14n/SAML2Persistent" /> -->

<!--
Finally we have beans for decoding arbitrary SAML formats directly. By default, these are turned off,
having *no* circumstances for which they apply (see shibboleth.TransformNamePredicate below).
-->
<ref bean="c14n/SAML2Transform" />
<ref bean="c14n/SAML1Transform" />
</util:list>

<!-- What SAML NameID formats do you want to support direct transformations for? -->
<util:list id="shibboleth.NameTransformFormats">
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</value>
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</value>
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</value>
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</value>
<value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</value>
</util:list>

<!--
Under what conditions should direct NameID mapping be allowed? By default, never.
Any condition can be used here; the example is suitable for enumerating a number of SPs to allow.
-->
<bean id="shibboleth.NameTransformPredicate" parent="shibboleth.Conditions.RelyingPartyId">
<constructor-arg>
<list>
<!-- <value>https://sp.example.org</value> -->
</list>
</constructor-arg>
</bean>

<!--
Regular expression transforms to apply to incoming subject names. The default empty list just
echoes the name through unmodified.
-->
<util:list id="shibboleth.NameTransforms">
<!--
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
-->
</util:list>

</beans>
37 changes: 37 additions & 0 deletions conf/c14n/x500-subject-c14n-config.xml
View file
@@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!-- First priority is given to any subjectAltNames specified (emailAddress is 1) -->
<util:list id="shibboleth.c14n.x500.SubjectAltNameTypes">
<!-- <value>1</value> -->
</util:list>

<!-- Second priority is a list of Certificate Subject RDN OIDs to look for. -->
<util:list id="shibboleth.c14n.x500.ObjectIDs">
<value>2.5.4.3</value>
</util:list>

<!-- Simple transforms to apply to username after authentication. -->
<util:constant id="shibboleth.c14n.x500.Lowercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.c14n.x500.Uppercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.c14n.x500.Trim" static-field="java.lang.Boolean.TRUE"/>

<!-- Apply any regular expression replacement pairs after authentication. -->
<util:list id="shibboleth.c14n.x500.Transforms">
<!--
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
-->
</util:list>

</beans>
84 changes: 84 additions & 0 deletions conf/cas-protocol.xml
View file
@@ -0,0 +1,84 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">

<!--
| The CAS service registry defines verified relying parties by endpoint URI.
| The default implementation treats the ID of each entry as a regular expression defining a logical group of
| services whose URIs match the expression.
|
| This bean is reloaded periodically according to %{idp.home}/conf/services.properties.
-->
<bean id="reloadableServiceRegistry"
class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}">
<property name="definitions">
<list>
<!--
<bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
c:regex="https://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
p:group="proxying-services"
p:authorizedToProxy="true"
p:singleLogoutParticipant="true" />
<bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
c:regex="http://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
p:group="non-proxying-services"
p:authorizedToProxy="false" /
-->
</list>
</property>
</bean>

<!--
| The default ticket service as of 3.3.0 serializes ticket data into the opaque section of the ticket ID
| for service tickets and proxy tickets. Proxy-granting tickets still require server-side storage, and
| a StorageService defined by the idp.cas.StorageService is used. Thus for deployers that do not require
| CAS proxy capabilities, no stateful storage mechanism is required; that means no memcached or database
| is required for HA deployments that want CAS (without proxy) support. A notable limitation of the new
| component is that the one-time use feature of service and proxy tickets is not available due to the lack
| of a ticket-tracking mechanism. Instead, tickets expire when their expiration period is exceeded.
| If this limitation is of concern, one may consider decreasing ticketValidityPeriod on the profile
| configuration from the default 15000ms.
-->
<alias name="encodingTicketService" alias="shibboleth.CASTicketService" />

<!--
| Uncomment the following element and comment out the above to enable the previous default ticket service
| that uses a StorageService for ticket persistence. Use this if the one-time use limitation of
| EncodingTicketService is problematic and can't be mitigated by decreasing ticketValidityPeriod.
-->
<!--<alias name="simpleTicketService" alias="shibboleth.CASTicketService" /> -->

<!--
| The predicate used to determine whether IdP session validation is performed during the process of granting
| a proxy ticket. When the predicate evaluates to true, an IdP session is resolved and validated prior to
| granting a proxy ticket. This feature prevents issuing proxy tickets when an IdP session is expired, but comes
| at the cost of requiring server-side storage of IdP session data. If this is configured to a predicate that
| evaluates to true under any condition, a server-side storage service must be enabled for IdP session
| storage. The most common non-default value is "alwaysTrue."
-->
<bean id="shibboleth.CASProxyValidateIdPSessionPredicate"
class="com.google.common.base.Predicates"
factory-method="alwaysFalse" />


<!-- ============== Advanced CAS Configuration ============== -->

<!-- Configure a third-party ticket service. -->
<!--
<bean id="shibboleth.CASTicketService"
class="org.example.idp.cas.CustomTicketService" />
-->

<!-- Configure a third-party proxy authenticator. -->
<!--
<bean id="shibboleth.CASProxyAuthenticator"
class="org.example.idp.cas.CustomProxyAuthenticator" />
-->
</beans>
65 changes: 65 additions & 0 deletions conf/credentials.xml
View file
@@ -0,0 +1,65 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!--
NOTE: if you're using a legacy relying-party.xml file from a V2 configuration, this file is ignored.
This defines the signing and encryption key and certificate pairs referenced by your relying-party.xml
configuration. You don't normally need to touch this, unless you have advanced requirements such as
supporting multiple sets of keys for different relying parties, in which case you may want to define
all your credentials here for convenience.
-->

<!--
The list of ALL of your IdP's signing credentials. If you define additional signing credentials,
for example for specific relying parties or different key types, make sure to include them within this list.
-->
<util:list id="shibboleth.SigningCredentials">
<ref bean="shibboleth.DefaultSigningCredential" />
</util:list>

<!-- Your IdP's default signing key, set via property file. -->
<bean id="shibboleth.DefaultSigningCredential"
class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
p:privateKeyResource="%{idp.signing.key}"
p:certificateResource="%{idp.signing.cert}"
p:entityId-ref="entityID" />

<!--
The list of ALL of your IdP's encryption credentials. By default this is just an alias
for 'shibboleth.DefaultEncryptionCredentials'. It could be re-defined as
a list with additional credentials if needed.
-->
<alias alias="shibboleth.EncryptionCredentials" name="shibboleth.DefaultEncryptionCredentials" />

<!-- Your IdP's default encryption (really decryption) keys, set via property file. -->
<util:list id="shibboleth.DefaultEncryptionCredentials">
<bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
p:privateKeyResource="%{idp.encryption.key}"
p:certificateResource="%{idp.encryption.cert}"
p:entityId-ref="entityID" />

<!--
For key rollover, uncomment and point to your original keypair, and use the one above
to point to your new keypair. Once metadata has propagated, comment this one out again.
-->
<!--
<bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
p:privateKeyResource="%{idp.encryption.key.2}"
p:certificateResource="%{idp.encryption.cert.2}"
p:entityId-ref="entityID" />
-->
</util:list>

</beans>
120 changes: 120 additions & 0 deletions conf/errors.xml
View file
@@ -0,0 +1,120 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<bean id="shibboleth.DefaultErrorView" class="java.lang.String" c:_0="%{idp.errors.defaultView:error}" />

<!-- Map local events to alternate view templates. -->
<util:map id="shibboleth.EventViewMap">
<!-- <entry key="EventToChange" value="viewname" /> -->
</util:map>

<!--
Map of events to trap and handle with local views, without returning to SPs.
The map values are flags indicating whether to write an audit log record.
-->
<util:map id="shibboleth.LocalEventMap">
<entry key="ContextCheckDenied" value="true" />
<entry key="AttributeReleaseRejected" value="true" />
<entry key="TermsRejected" value="true" />
<entry key="RuntimeException" value="false" />
<!--
<entry key="IdentitySwitch" value="false" />
<entry key="NoPotentialFlow" value="false" />
-->
</util:map>

<!-- Mappings of error events during requests to SAML status codes and SOAP fault codes. -->

<util:map id="shibboleth.SAML1StatusMappings">
<entry key="InvalidMessageVersion" value-ref="shibboleth.SAML1Status.VersionMismatch" />

<entry key="UnableToDecode" value-ref="shibboleth.SAML1Status.Requester" />

<entry key="UnableToEncode" value-ref="shibboleth.SAML1Status.Requester" />

<entry key="MessageReplay" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="MessageExpired" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="MessageAuthenticationError" value-ref="shibboleth.SAML1Status.Requester" />

<entry key="RequestUnsupported" value-ref="shibboleth.SAML1Status.Requester" />

<entry key="NoPassive" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="NoPotentialFlow" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="NoCredentials" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="InvalidCredentials" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="AccountError" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="IdentitySwitch" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="AuthenticationException" value-ref="shibboleth.SAML1Status.Requester" />

<entry key="InvalidSubject" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="SubjectCanonicalizationError" value-ref="shibboleth.SAML1Status.Requester" />
</util:map>

<util:map id="shibboleth.SAML2StatusMappings">
<entry key="InvalidMessageVersion" value-ref="shibboleth.SAML2Status.VersionMismatch" />

<entry key="UnableToDecode" value-ref="shibboleth.SAML2Status.RequestUnsupported" />

<entry key="UnableToEncode" value-ref="shibboleth.SAML2Status.UnsupportedBinding" />

<entry key="MessageReplay" value-ref="shibboleth.SAML2Status.RequestDenied" />
<entry key="MessageExpired" value-ref="shibboleth.SAML2Status.RequestDenied" />
<entry key="MessageAuthenticationError" value-ref="shibboleth.SAML2Status.RequestDenied" />

<entry key="RequestUnsupported" value-ref="shibboleth.SAML2Status.NoAuthnContext" />

<entry key="NoPassive" value-ref="shibboleth.SAML2Status.NoPassive" />

<entry key="NoPotentialFlow" value-ref="shibboleth.SAML2Status.AuthnFailed" />
<entry key="NoCredentials" value-ref="shibboleth.SAML2Status.AuthnFailed" />
<entry key="InvalidCredentials" value-ref="shibboleth.SAML2Status.AuthnFailed" />
<entry key="AccountError" value-ref="shibboleth.SAML2Status.AuthnFailed" />
<entry key="IdentitySwitch" value-ref="shibboleth.SAML2Status.AuthnFailed" />
<entry key="AuthenticationException" value-ref="shibboleth.SAML2Status.AuthnFailed" />

<entry key="InvalidSubject" value-ref="shibboleth.SAML2Status.UnknownPrincipal" />
<entry key="SubjectCanonicalizationError" value-ref="shibboleth.SAML2Status.UnknownPrincipal" />
<entry key="SessionNotFound" value-ref="shibboleth.SAML2Status.UnknownPrincipal" />

<entry key="InvalidNameIDPolicy" value-ref="shibboleth.SAML2Status.InvalidNameIDPolicy" />

<entry key="ChannelBindingsError" value-ref="shibboleth.SAML2Status.ChannelBindingsError" />
</util:map>

<util:map id="shibboleth.SOAPFaultCodeMappings">
<entry key="InvalidMessageVersion" value-ref="shibboleth.SOAP.VersionMismatch" />

<entry key="UnableToDecode" value-ref="shibboleth.SOAP.Client" />

<entry key="MessageReplay" value-ref="shibboleth.SOAP.Client" />
<entry key="MessageExpired" value-ref="shibboleth.SOAP.Client" />
<entry key="MessageAuthenticationError" value-ref="shibboleth.SOAP.Client" />

<entry key="RequestUnsupported" value-ref="shibboleth.SOAP.Client" />

<entry key="NoPassive" value-ref="shibboleth.SOAP.Client" />

<entry key="NoPotentialFlow" value-ref="shibboleth.SOAP.Client" />
<entry key="NoCredentials" value-ref="shibboleth.SOAP.Client" />
<entry key="InvalidCredentials" value-ref="shibboleth.SOAP.Client" />
<entry key="AccountError" value-ref="shibboleth.SOAP.Client" />
<entry key="AuthenticationException" value-ref="shibboleth.SOAP.Client" />

<entry key="InvalidSubject" value-ref="shibboleth.SOAP.Client" />
<entry key="SubjectCanonicalizationError" value-ref="shibboleth.SOAP.Client" />

<entry key="InvalidNameIDPolicy" value-ref="shibboleth.SOAP.Client" />

<entry key="ChannelBindingsError" value-ref="shibboleth.SOAP.Client" />
</util:map>

</beans>
53 changes: 53 additions & 0 deletions conf/global.xml
View file
@@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!-- Use this file to define any custom beans needed globally. -->

<!--
Algorithm whitelists and blacklists that override or merge with library defaults. Normally you can leave
these empty or commented and use the system defaults, but you can override those defaults using these lists.
Each <value> element is an algorithm URI, or you can use <util:constant> elements in place of literal values.
-->

<!--
<util:list id="shibboleth.SignatureWhitelist">
</util:list>
<util:list id="shibboleth.SignatureBlacklist">
</util:list>
<util:list id="shibboleth.EncryptionWhitelist">
</util:list>
<util:list id="shibboleth.EncryptionBlacklist">
</util:list>
-->

<!--
If you need to define and inject custom Java object(s) into the various views used throughout the
system (errors, login, logout, etc.), you can uncomment and define the bean below to be of any
type required. It will appear in the view scope as a variable named "custom".
The example below defines the bean as a map, which allows you to inject multiple objects under
named keys to expand the feature to support multiple injected objects.
-->

<!--
<util:map id="shibboleth.CustomViewContext">
<entry key="foo" value="bar"/>
</util:map>
-->


</beans>