diff --git a/test-compose/idp/container_files/config/shib-idp/conf/access-control.xml b/test-compose/idp/container_files/config/shib-idp/conf/access-control.xml
index ff7b36f..a9184e6 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/access-control.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/access-control.xml
@@ -30,7 +30,7 @@
+ p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
+
+
+
+
+
+
+
+
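Review bot: The `allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }"` value at the top of this hunk admits only loopback, so in the test-compose layout any request arriving from another container (a reverse proxy or a test client on the compose network) will not match whichever access-control policy this attribute belongs to; the enclosing bean and its id are not visible in the hunk. If that policy guards the admin/status endpoints, confirm loopback-only is the intended outcome for the test environment rather than an accidental lock-out, and if proxy access is needed, list the compose network range explicitly rather than widening it to all addresses. If the container sits behind a proxy that rewrites the client address from a forwarded header, the range check is only as strong as the proxy's header handling, which is worth a comment next to the bean.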
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/admin/metrics.xml b/test-compose/idp/container_files/config/shib-idp/conf/admin/metrics.xml
index f9b5c16..fccf419 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/admin/metrics.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/admin/metrics.xml
@@ -28,6 +28,8 @@
+
+
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/attribute-filter.xml b/test-compose/idp/container_files/config/shib-idp/conf/attribute-filter.xml
index 8e43db8..e9077e7 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/attribute-filter.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/attribute-filter.xml
@@ -4,53 +4,109 @@
example file is illustrative of some simple cases, it relies on the names of
non-existent example services and the example attributes demonstrated in the
default attribute-resolver.xml file.
-
- Deployers should refer to the documentation for a complete list of components
- and their options.
+
+ This example does contain some usable "general purpose" policies that may be
+ useful in conjunction with specific deployment choices, but those policies may
+ not be applicable to your specific needs or constraints.
-->
-
-
+
-
-
-
+
+
-
-
+
+
-
-
+
+
+
+
+
+
-
+-->
+
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://refeds.org/category/research-and-scholarship"/>
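Review bot: The new entity-category policies match `attributeName="http://macedir.org/entity-category"` against the REFEDS R&S value here and against `http://id.incommon.org/category/registered-by-incommon` in the second hunk of this file, and the second of those matches every SP registered with InCommon, so whatever attributes that rule releases (not visible in the hunk) go to a very broad audience. The hunk's own header comment says these general-purpose policies may not fit a given deployment, and the `+-->` immediately before the rule suggests it may sit inside a comment block, but the hunk does not show enough to tell whether either rule is active. Please confirm which of the two are enabled in this test deployment, and that the entity attribute they key on is taken from a signed federation metadata feed rather than a local unverified copy, since the release decision is only as trustworthy as the metadata asserting the category.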
@@ -70,13 +126,12 @@
-
-
+
-
+
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/mvc-beans.xml b/test-compose/idp/container_files/config/shib-idp/conf/attribute-registry.xml
similarity index 69%
rename from test-compose/idp/container_files/config/shib-idp/conf/mvc-beans.xml
rename to test-compose/idp/container_files/config/shib-idp/conf/attribute-registry.xml
index 98d9bcd..8890f4b 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/mvc-beans.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/attribute-registry.xml
@@ -1,13 +1,11 @@
+ The system comes preconfigured to load rules directly from resource files
+ configured in services.xml so they're monitored for changes.
+ You can add mappings here, add more XML resource files,
+ or drop property files into the directory noted below.
+ -->
+
+
+
+
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver-default.xml b/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver-default.xml
deleted file mode 100644
index e111728..0000000
--- a/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver-default.xml
+++ /dev/null
@@ -1,96 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- member
-
-
-
-
-
-
-
- givenName sn displayName mail uid
-
-
-
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver-full.xml b/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver-full.xml
index 32647a3..ad75dbc 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver-full.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver-full.xml
@@ -27,116 +27,78 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-->
@@ -144,88 +106,60 @@
@@ -233,8 +167,6 @@
@@ -242,12 +174,10 @@
@@ -257,13 +187,16 @@
-
+
+
@@ -306,15 +238,14 @@
-
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver-ldap.xml b/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver-ldap.xml
index ec79de9..76e6d55 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver-ldap.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver-ldap.xml
@@ -29,10 +29,8 @@
not expose a value for this attribute without considering the
long term implications.
-->
-
-
-
-
+
+
-
-
-
-
+
+
-
-
-
-
+
+
@@ -81,14 +75,13 @@
%{idp.attribute.resolver.LDAP.searchFilter}
]]>
-
+ expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"/>
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver.xml b/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver.xml
index fb963b2..9993dbc 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver.xml
@@ -15,10 +15,8 @@
-->
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
@@ -27,262 +25,219 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
-
-
- member
-
+
+
+
+
+
+
- givenName sn displayName mail uid
+
-
-
+
+
-
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver.xml.orig b/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver.xml.orig
new file mode 100644
index 0000000..0ee236b
--- /dev/null
+++ b/test-compose/idp/container_files/config/shib-idp/conf/attribute-resolver.xml.orig
@@ -0,0 +1,76 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ member
+
+
+
+
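Review bot: `attribute-resolver.xml.orig` is a patch/merge backup artifact and should not be committed into `conf/`; its content appears to be the previous resolver configuration (a `member` literal is the only value that survived in the hunk). The IdP presumably loads resolver configuration only from the resources named in services.xml, so the stray file is most likely inert, but it still ships stale configuration into the container image and will confuse anyone diffing the directory later. Suggest dropping it from the commit and adding `*.orig` to the repository's ignore file.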
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/attributes/custom/README.txt b/test-compose/idp/container_files/config/shib-idp/conf/attributes/custom/README.txt
new file mode 100644
index 0000000..98977b0
--- /dev/null
+++ b/test-compose/idp/container_files/config/shib-idp/conf/attributes/custom/README.txt
@@ -0,0 +1,9 @@
+# You can create custom attribute mapping rules using
+# simple property files stored in this directory tree.
+# Spring property replacement is NOT supported.
+
+# As an example, a default SAML 2 rule for eduPersonPrincipalName would be:
+
+#id=eduPersonPrincipalName
+#transcoder=SAML2ScopedStringTranscoder
+#saml2.name=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/attributes/default-rules.xml b/test-compose/idp/container_files/config/shib-idp/conf/attributes/default-rules.xml
new file mode 100644
index 0000000..b6289fe
--- /dev/null
+++ b/test-compose/idp/container_files/config/shib-idp/conf/attributes/default-rules.xml
@@ -0,0 +1,803 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+ uid
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:0.9.2342.19200300.100.1.1
+ urn:mace:dir:attribute-def:uid
+ User ID
+ Benutzer-ID
+ ID utilisateur
+ ID dell'utente
+ ユーザID
+ User ID
+ Användaridentitet
+ A unique identifier for a person, mainly used for user identification within the user's home organization.
+ Eine eindeutige Nummer für eine Person, welche hauptsächlich zur Identifikation innerhalb der Organisation benutzt wird.
+ Identifiant de connexion d'une personnes sur les systèmes informatiques.
+ Identificativo unico della persona, usato per l'identificazione dell'utente all'interno della organizzazione di appartenenza.
+ 所属機関内で一意の利用者識別子
+ Identificador do utilizador
+ Användaridentitet: Unik identifierar som används vid lokal inloggning i hemmaorganisationen.
+
+
+
+
+
+
+
+ mail
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:0.9.2342.19200300.100.1.3
+ urn:mace:dir:attribute-def:mail
+ E-mail
+ E-Mail
+ Email
+ E-mail
+ メールアドレス
+ E-mail
+ E-postadress
+ E-Mail: Preferred address for e-mail to be sent to this person
+ E-Mail-Adresse
+ E-Mail Adresse
+ Adresse de courrier électronique
+ E-Mail: l'indirizzo e-mail preferito dall'utente
+ メールアドレス
+ E-Mail: Endereço de correio electronico
+ E-postadress: E-postadress som används av personen.
+
+
+
+
+
+
+
+ homePhone
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:0.9.2342.19200300.100.1.20
+ urn:mace:dir:attribute-def:homePhone
+ Private phone number
+ Telefon Privat
+ Teléphone personnel
+ Numero di telefono privato
+ 自宅電話番号
+ Número de telefone privado
+ Telefonnummer (hem)
+ Private phone number
+ Private Telefonnummer
+ Numéro de téléphone de domicile de la personne
+ Numero di telefono privato
+ 自宅の電話番号
+ Número de telefone privado do utilizador
+ Telefonnummer (hem): Telefonnummer till bostaden.
+
+
+
+
+
+
+
+ homePostalAddress
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:0.9.2342.19200300.100.1.39
+ urn:mace:dir:attribute-def:homePostalAddress
+ Home postal address
+ Heimatadresse
+ Heimadresse
+ Adresse personnelle
+ Indirizzo personale
+ 自宅住所
+ Morada Pessoal
+ Postadress (hem)
+ Home postal address: Home address of the user
+ Heimatadresse
+ Heimadresse
+ Adresse postale de domicile de la personne
+ Indirizzo personale: indirizzo dove abita l'utente
+ 自宅の住所
+ Morada Pessoal: Morada do utilizador
+ Postadress (hem): Postadress till bostaden.
+
+
+
+
+
+
+
+ mobile
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:0.9.2342.19200300.100.1.41
+ urn:mace:dir:attribute-def:mobile
+ Mobile phone number
+ Telefon Mobil
+ Numéro de mobile
+ Numero di cellulare
+ 携帯電話番号
+ Número de telemóvel
+ Telefonnummer (mobil)
+ Mobile phone number
+ Mobile Telefonnummer
+ Numéro de teléphone mobile
+ Numero di cellulare
+ 携帯電話の電話番号
+ Número de telemóvel do utilizador
+ Telefonnummer (mobil): Telefonnummer till mobiltelefon.
+
+
+
+
+
+
+
+ pager
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:0.9.2342.19200300.100.1.42
+ urn:mace:dir:attribute-def:pager
+ Pager number
+ Pager number
+
+
+
+
+
+
+
+ surname
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:2.5.4.4
+ urn:mace:dir:attribute-def:sn
+ Surname
+ Nachname
+ Nom de famille
+ Cognome
+ 姓
+ Nome de Família
+ Efternamn
+ Surname or family name
+ Familienname
+ Nom de famille de l'utilisateur.
+ Cognome dell'utilizzatore
+ 氏名(姓)の英語表記
+ Nome de Família
+ Efternamn: Efternamn för personen.
+
+
+
+
+
+
+
+ locality
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:2.5.4.7
+ urn:mace:dir:attribute-def:l
+ Locality name
+ Ort
+ Locality name
+ 場所(L)
+ Locality name
+ Ort
+ Nom de la localité où réside l'objet
+ 場所の名前 日本の場合は市区町村名
+
+
+
+
+
+
+
+ stateProvince
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:2.5.4.8
+ urn:mace:dir:attribute-def:st
+ State or province name
+ 都道府県もしくは州や省(ST)
+ State or province name
+ 州名や省名 国によって異なり日本の場合は都道府県名
+
+
+
+
+
+
+
+ street
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:2.5.4.9
+ urn:mace:dir:attribute-def:street
+ Street
+ Straße
+ Strasse
+ Rue
+ 通り
+ Street address
+ Name der Straße
+ Strassenadresse
+ Nom de rue
+ 通りおよび番地
+
+
+
+
+
+
+
+ organizationName
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:2.5.4.10
+ urn:mace:dir:attribute-def:o
+ Organization name
+ Organisationsname
+ Nom de l'organisation
+ 所属機関名
+ Organization name
+ Name der Organisation
+ Nom de l'organisation
+ 所属機関名称の英語表記
+
+
+
+
+
+
+
+ organizationalUnit
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:2.5.4.11
+ urn:mace:dir:attribute-def:ou
+ Organizational unit
+ Organisationseinheit
+ Unité organisationnelle
+ 機関内所属名
+ Organizational unit
+ Name der Organisationseinheit
+ Nom de l'unité organisationnelle
+ 機関内所属名称の英語表記
+
+
+
+
+
+
+
+ title
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:2.5.4.12
+ urn:mace:dir:attribute-def:title
+ Title
+ Titel
+ Title
+ 肩書き
+ Title of a person
+ Titel der Person
+ Titre de la personne
+ 利用者の肩書き
+
+
+
+
+
+
+
+ postalAddress
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:2.5.4.16
+ urn:mace:dir:attribute-def:postalAddress
+ Business postal address
+ Geschäftsadresse
+ Adresse professionnelle
+ Indirizzo professionale
+ 所属機関住所
+ Morada
+ Postadress (arbete):
+ Business postal address: Campus or office address
+ Geschäftliche Adresse
+ Adresse am Arbeitsplatz
+ Adresse de l'institut, de l'université
+ Indirizzo professionale: indirizzo dell'istituto o dell'ufficio
+ 所属機関の住所
+ Morada da instituição
+ Postadress (arbete): Postadressen för arbetsplatsen
+
+
+
+
+
+
+
+ postalCode
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:2.5.4.17
+ urn:mace:dir:attribute-def:postalCode
+ Postal code
+ ZIP code
+ Postleitzahl
+ Code postal
+ 郵便番号
+ Postal code
+ ZIP code
+ Postleitzahl
+ Code postal
+ 郵便番号
+
+
+
+
+
+
+
+ postOfficeBox
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:mace:dir:attribute-def:postOfficeBox
+ urn:oid:2.5.4.18
+ Postal box
+ Postfach
+ Boite postale
+ Case postale
+ 私書箱
+ Postal box identifier
+ Postfach
+ Boite postale
+ Case postale
+ 私書箱
+
+
+
+
+
+
+
+ telephoneNumber
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:mace:dir:attribute-def:telephoneNumber
+ urn:oid:2.5.4.20
+ Business phone number
+ Telefon Geschäft
+ Teléphone professionnel
+ Numero di telefono dell'ufficio
+ 勤務先電話番号
+ Telefone
+ Telefonummer (arbete)
+ Business phone number: Office or campus phone number
+ Telefonnummer am Arbeitsplatz
+ Teléphone de l'institut, de l'université
+ Numero di telefono dell'ufficio
+ 所属機関での利用者の電話番号
+ Número de telefone
+ Telefonummer (arbete): Telefonnummer till arbetsplatsen
+
+
+
+
+
+
+
+ givenName
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:2.5.4.42
+ urn:mace:dir:attribute-def:givenName
+ Given name
+ Vorname
+ Prénom
+ Nome
+ 名
+ Nome
+ Förnamn
+ Given name of a person
+ Vorname
+ Prénom de l'utilisateur
+ Nome
+ 氏名(名)の英語表記
+ Nome
+ Förnamn: Förnamn för personen.
+
+
+
+
+
+
+
+ initials
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:2.5.4.43
+ urn:mace:dir:attribute-def:initials
+ Initials
+ Initialen
+ Initiales
+ イニシャル
+ Initials
+ Anfangsbuchstaben des Namens
+ Die Anfangsbuchstaben
+ L' initiales
+ イニシャル
+
+
+
+
+
+
+
+
+
+ departmentNumber
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:2.16.840.1.113730.3.1.2
+ urn:mace:dir:attribute-def:departmentNumber
+ Department number
+ Abteilungsnummer
+ Department number
+ Nummer der Abteilung
+
+
+
+
+
+
+
+ displayName
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:2.16.840.1.113730.3.1.241
+ urn:mace:dir:attribute-def:displayName
+ Display Name
+ Anzeigename
+ Nom
+ Nome
+ 表示名
+ The name that should appear in white-pages-like applications for this person.
+ Anzeigename
+ Nom complet d'affichage
+ Nome
+ アプリケーションでの表示に用いられる英字氏名
+
+
+
+
+
+
+
+ employeeNumber
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:2.16.840.1.113730.3.1.3
+ urn:mace:dir:attribute-def:employeeNumber
+ Employee number
+ Mitarbeiternummer
+ Numéro d'employé
+ Numero dell'utente
+ 従業員番号
+ Número de empregado
+ Anställningsnummer
+ Identifies an employee within an organization
+ Identifiziert einen Mitarbeiter innerhalb der Organisation
+ Identifie un employé au sein de l'organisation
+ Identifica l' utente presso l'organizzazione
+ 所属機関における利用者の従業員番号
+ Número de empregado
+ Anställningsnummer: Unik anställningsidentifierare i hemmaorganisationen.
+
+
+
+
+
+
+
+ employeeType
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:2.16.840.1.113730.3.1.4
+ urn:mace:dir:attribute-def:employeeType
+ Employee type
+ Employee type
+
+
+
+
+
+
+
+ jpegPhoto
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:0.9.2342.19200300.100.1.60
+ urn:mace:dir:attribute-def:jpegPhoto
+ JPEG Photo
+ Image of a person in JPEG format
+
+
+
+
+
+
+
+ preferredLanguage
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:2.16.840.1.113730.3.1.39
+ urn:mace:dir:attribute-def:preferredLanguage
+ Preferred Language
+ Bevorzugte Sprache
+ Langue préférée
+ Lingua preferita
+ 希望言語
+ Língua preferida
+ Språkönskemål
+ Preferred language: Users preferred language (see RFC1766)
+ Bevorzugte Sprache (siehe RFC1766)
+ Exemple: fr, de, it, en, ... (voir RFC1766)
+ Lingua preferita: la lingua preferita dall'utente (cfr. RFC1766)
+ 利用者が希望する言語(RFC1766 を参照)
+ Língua preferida: Língua preferida do utilizador (cfr. RFC1766)
+ Språkönskemål: Personens önskade språk (see RFC1766).
+
+
+
+
+
+
+
+
+
+ eduPersonAffiliation
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:1.3.6.1.4.1.5923.1.1.1.1
+ urn:mace:dir:attribute-def:eduPersonAffiliation
+ Affiliation
+ Zugehörigkeit
+ Affiliation
+ Tipo di membro
+ 職位
+ Tipo de utilizador
+ Anknytning
+ Affiliation: Type of affiliation with Home Organization
+ Art der Zugehörigkeit zur Heimatorganisation
+ Art der Zugehörigkeit zur Heimorganisation
+ Type d'affiliation dans l'organisation
+ Tipo di membro: Tipo di lavoro svolto per l'organizzazione
+ 所属機関における職位(faculty,staff,student,memberなど)
+ Tipo de utilizador: tipo de utilizador na organização. Exemplo: Estudante, ...
+ Anknytning: Vilken anknytning personen har till organisationen.
+
+
+
+
+
+
+
+ eduPersonEntitlement
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:1.3.6.1.4.1.5923.1.1.1.7
+ urn:mace:dir:attribute-def:eduPersonEntitlement
+ Entitlement
+ Berechtigung
+ Entitlement
+ Prerogativa
+ 資格情報
+ Título
+ Rättigheter
+ Member of: URI (either URL or URN) that indicates a set of rights to specific resources based on an agreement across the releavant community
+ Zeichenkette, die Rechte für spezifische Ressourcen beschreibt
+ Membre de: URI (soit une URL ou une URN) décrivant un droit spécific d'accès.
+ Membro delle seguenti URI (sia URL o URN) che rappresentano diritti specifici d'accesso validi in tutta la communità
+ 特定のアプリケーションもしくはコミュニティ内の複数リソースへのアクセス権限を持つことを示すURI(URLもしくはURN)
+ URI (retractado por um URN ou URL) que indica um conjunto de direitos para recursos específicos.
+ Rättigheter: URI (either URL or URN) som beskriver olika rättigheter till angivna tjänster.
+
+
+
+
+
+
+
+ eduPersonNickname
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:1.3.6.1.4.1.5923.1.1.1.2
+ urn:mace:dir:attribute-def:eduPersonNickname
+ Nick name
+ Kurzname
+ Übername
+ Surnom
+ Diminutivo
+ ニックネーム
+ Person's nickname, or the informal name by which they are accustomed to be hailed.
+ Kurzname einer Person, oder üblicher Rufname zur Begrüßung.
+ Übername einer Person, oder üblicher Rufname zur Begrüssung.
+ Nom personnalisable pour un usage informel.
+ Diminutivo della persona, o soprannome.
+ 利用者のニックネームもしくは通称
+
+
+
+
+
+
+
+ eduPersonPrimaryAffiliation
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:1.3.6.1.4.1.5923.1.1.1.5
+ urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation
+ Primary affiliation
+ Primäre Zugehörigkeit
+ Affiliation pricipale
+ Appartenenza principale
+ 主要職位
+ Specifies the person's primary relationship to the institution in broad categories such as student, faculty, staff, alum, etc.
+ Spezifiziert der Hauptbeziehung einer Person innerhalb ihrer Organisation in groben Kategorien wie Student, Mitarbeiter, Alumni, etc.
+ Spécifie la relation principale d'une personne avec l'institution selon des majeures catégories comme étudiant, collaborateur, alumni etc.
+ Specifica la relazione principale dell persona con l'istituzione secondo le maggiori categorie come studente, collaboratore, alumni, etc.
+ 所属機関における主要な職位(faculty,staff,student,memberなど)
+
+
+
+
+
+
+
+ eduPersonPrincipalName
+ SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder
+ urn:oid:1.3.6.1.4.1.5923.1.1.1.6
+ urn:mace:dir:attribute-def:eduPersonPrincipalName
+ Principal Name
+ Persönliche ID
+ Principal Name
+ Principal Name
+ プリンシパルID
+ A unique identifier for a person, mainly for inter-institutional user identification.
+ Eindeutige Benutzeridentifikation
+ Eindeutige Benützeridentifikation
+ L'identifiant unique de l'utilisateur
+ Un ID personale che identifica chiaramente l'utente in seno alla sua organizzazione
+ フェデレーション内で一意かつ永続的な利用者識別子
+
+
+
+
+
+
+
+ eduPersonPrincipalNamePrior
+ SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder
+ urn:oid:1.3.6.1.4.1.5923.1.1.1.12
+ urn:oid:1.3.6.1.4.1.5923.1.1.1.12
+ Prior Principal Name
+ eduPersonPrincipalName value that was previously associated with the entry.
+
+
+
+
+
+
+
+ eduPersonScopedAffiliation
+ SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder
+ urn:oid:1.3.6.1.4.1.5923.1.1.1.9
+ urn:mace:dir:attribute-def:eduPersonScopedAffiliation
+ Scoped Affiliation
+ Zugehörigkeit
+ Affiliation
+ Tipo di membro
+ スコープ付き職位
+ Specifies the person's affiliation within a particular security domain
+ Art der Zugehörigkeit zur Heimatorganisation
+ Art der Zugehörigkeit zur Heimorganisation
+ Type d'affiliation dans l'organisation
+ Tipo di membro: Tipo di lavoro svolto per l'organizzazione
+ セキュリティドメインのスコープが付いた所属機関における職位
+
+
+
+
+
+
+
+ eduPersonAssurance
+ SAML2StringTranscoder SAML1StringTranscoder
+ urn:oid:1.3.6.1.4.1.5923.1.1.1.11
+ urn:mace:dir:attribute-def:eduPersonAssurance
+ Assurance Level
+ Vertrauensgrad
+ Niveau de confiance
+ Livello di sicurezza
+ 保証レベル
+ Set of URIs that assert compliance with specific standards for identity assurance.
+ URIs die eine gewisse Zusicherung für spezifische Standards des Vertrauens beinhalten
+ Un ensemble d'URI qui attestent la conformité selon un standard pour les niveaux d'assurance d'identités
+ Un insieme di URI che asseriscono l'osservanza dei livelli di sicurezza richiesti
+ IDの保証レベルに関して特定の基準に準拠していることを示すURI
+
+
+
+
+
+
+
+
+
+ eduPersonUniqueId
+ SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder
+ urn:oid:1.3.6.1.4.1.5923.1.1.1.13
+ urn:oid:1.3.6.1.4.1.5923.1.1.1.13
+ Unique ID
+ Eindeutige ID
+ ID unique
+ ID unico
+ ユニークID
+ ID único
+ Unik identifierare
+ A unique identifier for a person, mainly for inter-institutional user identification.
+ Eindeutige Benutzeridentifikation
+ Eindeutige Benützeridentifikation
+ Identifiant unique de l'utilisateur
+ Un identificativo personale che identifica chiaramente l'utente in seno alla sua organizzazione
+ フェデレーション内で一意で永続的かつ難読化された利用者識別子(後継はサブジェクトID)
+ ID único: Identificador pessoal que identifica claramente o utilizador na sua organização
+ Unik identifierare: En unik identifierare för en person, används primärt för att identifiera personen inloggning vid annan organisation än hemmaorganisationen.
+
+
+
+
+
+
+
+
+
+ samlSubjectID
+ SAML2ScopedStringTranscoder
+ urn:oasis:names:tc:SAML:attribute:subject-id
+ Unique ID
+ Eindeutige ID
+ ID unique
+ ID unico
+ サブジェクトID
+ A unique identifier for a person, mainly for inter-institutional user identification.
+ Eindeutige Benutzeridentifikation
+ Eindeutige Benützeridentifikation
+ Identifiant unique de l'utilisateur
+ Un identificativo personale che identifica chiaramente l'utente in seno alla sua organizzazione
+ フェデレーション内で一意で永続的かつ難読化された利用者識別子(eduPersonUniqueIdの後継)
+
+
+
+
+
+
+
+ samlPairwiseID
+ SAML2ScopedStringTranscoder
+ urn:oasis:names:tc:SAML:attribute:pairwise-id
+ Pairwise ID
+ Pairwise ID
+ Pairwise ID
+ Pairwise ID
+ ペアワイズID
+ Pairwise ID: A unique identifier for a person, different for each service provider.
+ Pairwise ID: Eindeutige Benutzeridentifikation, unterschiedlich pro Service Provider.
+ Pairwise ID: Eindeutige Benützeridentifikation, unterschiedlich pro Service Provider.
+ Pairwise ID: Un identifiant unique de l'utilisateur, différent pour chaque fournisseur de service.
+ Pairwise ID: identificativo unico della persona, differente per ogni fornitore di servizio.
+ フェデレーション内で一意かつSP毎に送出される値が異なる利用者識別子(eduPersonTargetedIDの後継)
+
+
+
+
+
+
+
+
+
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/audit.xml b/test-compose/idp/container_files/config/shib-idp/conf/audit.xml
index 22949fd..a690ae0 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/audit.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/audit.xml
@@ -15,7 +15,7 @@
for compatibility with V2 audit logging.
-->
-
+
@@ -27,6 +27,7 @@
http://shibboleth.net/ns/profiles/status
+ http://shibboleth.net/ns/profiles/mdquery
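Review bot: `http://shibboleth.net/ns/profiles/mdquery` is appended directly after the `status` profile in a list whose enclosing element is outside the hunk; if this is the list of profiles whose audit logging is suppressed, as the position next to `status` suggests, metadata-query requests will no longer leave an audit record. Suppressing a health/status probe is unsurprising, but metadata query is an admin-facing endpoint presumably gated by access-control.xml, so confirm the omission is intentional and that calls to it are still captured elsewhere (e.g. the container's access log) before removing them from the audit trail.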
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/authn/authn-comparison.xml b/test-compose/idp/container_files/config/shib-idp/conf/authn/authn-comparison.xml
index f167b7a..dcf0271 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/authn/authn-comparison.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/authn/authn-comparison.xml
@@ -74,4 +74,73 @@
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
+
+
+
+
+
+
+
+
+
+
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/authn/authn-events-flow.xml b/test-compose/idp/container_files/config/shib-idp/conf/authn/authn-events-flow.xml
index 244e1db..8846677 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/authn/authn-events-flow.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/authn/authn-events-flow.xml
@@ -11,8 +11,12 @@
-->
-
+
+
+
+
+
+
+
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/authn/discovery-config.xml b/test-compose/idp/container_files/config/shib-idp/conf/authn/discovery-config.xml
new file mode 100644
index 0000000..e21e3fd
--- /dev/null
+++ b/test-compose/idp/container_files/config/shib-idp/conf/authn/discovery-config.xml
@@ -0,0 +1,34 @@
+
+
+
+
+
+
+
+
+
+
+
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/authn/duo-authn-config.xml b/test-compose/idp/container_files/config/shib-idp/conf/authn/duo-authn-config.xml
index 0a48152..2867f48 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/authn/duo-authn-config.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/authn/duo-authn-config.xml
@@ -9,10 +9,12 @@
default-init-method="initialize" default-destroy-method="destroy">
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/authn/duo.properties b/test-compose/idp/container_files/config/shib-idp/conf/authn/duo.properties
index 2ca71ee..cb4b4aa 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/authn/duo.properties
+++ b/test-compose/idp/container_files/config/shib-idp/conf/authn/duo.properties
@@ -1,9 +1,30 @@
-# Duo integration settings
+## Duo integration settings
-# Note: If upgrading from pre-3.3 IdP versions, you will need to manually add a pointer
-# to this property file to idp.properties.
+## Note: If upgrading from pre-3.3 IdP versions, you will need to manually add a pointer
+## to this property file to idp.properties.
+
+## The first set of properties support DuoWeb "iframe" integration.
idp.duo.apiHost = hostname
idp.duo.applicationKey = key
idp.duo.integrationKey = key
idp.duo.secretKey = key
+
+## The second set are used for direct AuthAPI usage for ECP support.
+## A seperate integration has to be created for this to work.
+
+#idp.duo.nonbrowser.apiHost = %{idp.duo.apiHost}
+#idp.duo.nonbrowser.applicationKey = key
+#idp.duo.nonbrowser.integrationKey = key
+#idp.duo.nonbrowser.secretKey = key
+
+## Request header names for Duo non-browser credentials.
+# idp.duo.nonbrowser.header.factor = X-Shibboleth-Duo-Factor
+# idp.duo.nonbrowser.header.device = X-Shibboleth-Duo-Device
+# idp.duo.nonbrowser.header.passcode = X-Shibboleth-Duo-Passcode
+
+## Enables auto selection of factor/device if not specified by client.
+# idp.duo.nonbrowser.auto = true
+
+## Enables transmission of client address to Duo during authentication.
+# idp.duo.nonbrowser.clientAddressTrusted = true
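Review bot: `idp.duo.secretKey = key`, `idp.duo.applicationKey = key` and `idp.duo.integrationKey = key` stay as inline values in this hunk while the same commit adds `/credentials/secrets.properties` to `idp.additionalProperties` in idp.properties; for consistency the real Duo keys should be defined in that secrets file and these lines left as placeholders or removed, so neither the repository nor the image carries them. The header comment has a spelling slip, `seperate` → `separate`. `idp.duo.nonbrowser.clientAddressTrusted` should remain commented out unless the address the IdP observes is the genuine client address, which in a compose deployment behind a proxy is not the case without explicit forwarded-header handling.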
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/authn/external-authn-config.xml b/test-compose/idp/container_files/config/shib-idp/conf/authn/external-authn-config.xml
index 8b3a159..9d6652a 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/authn/external-authn-config.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/authn/external-authn-config.xml
@@ -14,7 +14,7 @@
+ c:_0="contextRelative:external.jsp" />
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/authn/general-authn.xml b/test-compose/idp/container_files/config/shib-idp/conf/authn/general-authn.xml
index ac55bbb..b936f97 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/authn/general-authn.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/authn/general-authn.xml
@@ -51,13 +51,7 @@
-
-
-
-
-
+
@@ -132,6 +126,29 @@
+
+
+
+
+
+
+
+
+
+
+
+
-
-
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/authn/ldap-authn-config.xml b/test-compose/idp/container_files/config/shib-idp/conf/authn/ldap-authn-config.xml
index 56d1bc7..22824d0 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/authn/ldap-authn-config.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/authn/ldap-authn-config.xml
@@ -5,131 +5,28 @@
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
default-init-method="initialize"
default-destroy-method="destroy"
default-lazy-init="true">
-
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/authn/mfa-authn-config.xml b/test-compose/idp/container_files/config/shib-idp/conf/authn/mfa-authn-config.xml
index 6198c29..3bfbcbb 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/authn/mfa-authn-config.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/authn/mfa-authn-config.xml
@@ -56,33 +56,17 @@
-
+
-
-
-
+
+
+
-
@@ -34,9 +33,17 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/authn/spnego-authn-config.xml b/test-compose/idp/container_files/config/shib-idp/conf/authn/spnego-authn-config.xml
index 07563b9..6c0fa48 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/authn/spnego-authn-config.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/authn/spnego-authn-config.xml
@@ -48,7 +48,7 @@
-
+
+
+
+
+
+
+
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/c14n/subject-c14n.xml b/test-compose/idp/container_files/config/shib-idp/conf/c14n/subject-c14n.xml
index 16fc6f1..e4b772f 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/c14n/subject-c14n.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/c14n/subject-c14n.xml
@@ -16,12 +16,18 @@
-
+
+
+
+
+
+ urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
+ urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
+ urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
+
+
-
-
+
+
+
+
+
+
+
+
+
+
-
-
+
+
+
+
+
+
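Review bot: The five NameID formats added near the start of this hunk (`unspecified`, `emailAddress`, `X509SubjectName`, `WindowsDomainQualifiedName`, `kerberos`) appear without their enclosing element, but their position matches the format list consumed by the transform-based subject canonicalization flow, which derives a principal name from an incoming NameID value by simple string transformation. Because that value originates from the SP (e.g. logout or attribute-query requests), the flow should be activated only for enumerated, trusted SPs; the later hunk's comment (`the example is suitable for enumerating a number of SPs to allow`) shows the intended activation condition, so please confirm the condition was retained on the new side and not replaced by a permissive default. The enclosing bean definitions start and end outside this hunk.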
@@ -89,7 +130,7 @@
Any condition can be used here; the example is suitable for enumerating a number of SPs to allow.
-->
-
+
@@ -102,7 +143,7 @@
-->
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/cas-protocol.xml b/test-compose/idp/container_files/config/shib-idp/conf/cas-protocol.xml
index d0b3d55..2eb1733 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/cas-protocol.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/cas-protocol.xml
@@ -3,6 +3,7 @@
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
@@ -35,6 +36,16 @@
+
+
+
-
+
+
+
+
+
+
+
+
+
@@ -75,10 +103,4 @@
-->
-
-
-
\ No newline at end of file
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/credentials.xml b/test-compose/idp/container_files/config/shib-idp/conf/credentials.xml
index 7462879..dde530b 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/credentials.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/credentials.xml
@@ -36,6 +36,9 @@
p:certificateResource="%{idp.signing.cert}"
p:entityId-ref="entityID" />
+
+
+
+
+
+
-
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/idp.properties b/test-compose/idp/container_files/config/shib-idp/conf/idp.properties
index ba38100..d03fc19 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/idp.properties
+++ b/test-compose/idp/container_files/config/shib-idp/conf/idp.properties
@@ -1,18 +1,43 @@
# Load any additional property resources from a comma-delimited list
-idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties
+idp.additionalProperties=/conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties, /credentials/secrets.properties
+
+# In most cases (and unless noted in the surrounding comments) the
+# commented settings in the distributed files document default behavior.
+# Uncomment them and change the value to change functionality.
+#
+# Uncommented properties are either required or ship non-defaulted.
# Set the entityID of the IdP
-idp.entityID= https://idp.example.edu/idp/shibboleth
+idp.entityID=https://idp.example.edu/idp/shibboleth
+
+# Set the file path which backs the IdP's own metadata publishing endpoint at /shibboleth.
+# Set to empty value to disable and return a 404.
+#idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml
# Set the scope used in the attribute resolver for scoped attributes
-idp.scope= example.edu
+idp.scope=example.edu
# General cookie properties (maxAge only applies to persistent cookies)
-idp.cookie.secure = true
+#idp.cookie.secure = true
#idp.cookie.httpOnly = true
#idp.cookie.domain =
#idp.cookie.path =
#idp.cookie.maxAge = 31536000
+# These control operation of the SameSite filter, which is off by default.
+#idp.cookie.sameSite = None
+#idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE
+
+# Enable cross-site request forgery mitigation for views.
+idp.csrf.enabled=true
+# Name of the HTTP parameter that stores the CSRF token.
+#idp.csrf.token.parameter = csrf_token
+
+# HSTS/CSP response headers
+#idp.hsts = max-age=0
+# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing
+#idp.frameoptions = DENY
+# Content-Security-Policy value, set to match X-Frame-Options default
+#idp.csp = frame-ancestors 'none';
# Set the location of user-supplied web flow definitions
#idp.webflows = %{idp.home}/flows
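Review bot: The `idp.cookie.secure` line goes from an explicit `true` to a commented-out setting, so the Secure flag on IdP cookies now depends on the internal default of the deployed IdP version rather than on this file. The new header comment says commented lines document defaults, but that only helps if the default really is `true` for this version, and the same hunk leaves HSTS off (`#idp.hsts = max-age=0`), so I would keep it pinned: `idp.cookie.secure = true`. The already-commented `idp.cookie.httpOnly` deserves the same treatment for the same reason.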
@@ -21,38 +46,41 @@ idp.cookie.secure = true
#idp.views = %{idp.home}/views
# Settings for internal AES encryption key
+#idp.sealer.keyStrategy = shibboleth.DataSealerKeyStrategy
#idp.sealer.storeType = JCEKS
#idp.sealer.updateInterval = PT15M
#idp.sealer.aliasBase = secret
-idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
-idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
-idp.sealer.storePassword= 90fa668e-ce0f-45e7-82f1-fa4bd0273b51
-idp.sealer.keyPassword= 90fa668e-ce0f-45e7-82f1-fa4bd0273b51
+idp.sealer.storeResource=%{idp.home}/credentials/sealer.jks
+idp.sealer.versionResource=%{idp.home}/credentials/sealer.kver
# Settings for public/private signing and encryption key(s)
# During decryption key rollover, point the ".2" properties at a second
# keypair, uncomment in credentials.xml, then publish it in your metadata.
-idp.signing.key= %{idp.home}/credentials/idp-signing.key
-idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
-idp.encryption.key= %{idp.home}/credentials/idp-encryption.key
-idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
+idp.signing.key=%{idp.home}/credentials/idp-signing.key
+idp.signing.cert=%{idp.home}/credentials/idp-signing.crt
+idp.encryption.key=%{idp.home}/credentials/idp-encryption.key
+idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
# Sets the bean ID to use as a default security configuration set
#idp.security.config = shibboleth.DefaultSecurityConfiguration
-# To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1
+# To downgrade to SHA-1, set to shibboleth.SigningConfiguration.SHA1
#idp.signing.config = shibboleth.SigningConfiguration.SHA256
+# To upgrade to AES-GCM encryption, set to shibboleth.EncryptionConfiguration.GCM
+# This is unlikely to work for all SPs, but this is a quick way to test them.
+#idp.encryption.config = shibboleth.EncryptionConfiguration.CBC
+
# Configures trust evaluation of keys used by services at runtime
-# Defaults to supporting both explicit key and PKIX using SAML metadata.
-#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
-# To pick only one set to one of:
-# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
-#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
-# To pick only one set to one of:
-# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine
+# Internal default is Chaining, overriden for new installs
+idp.trust.signatures=shibboleth.ExplicitKeySignatureTrustEngine
+# Other options:
+# shibboleth.ChainingSignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
+idp.trust.certificates=shibboleth.ExplicitKeyX509TrustEngine
+# Other options:
+# shibboleth.ChainingX509TrustEngine, shibboleth.PKIXX509TrustEngine
# If true, encryption will happen whenever a key to use can be located, but
# failure to encrypt won't result in request failure.
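Review bot: Switching `idp.trust.signatures` and `idp.trust.certificates` from the Chaining engines to the ExplicitKey engines is a sound hardening, but any SP whose metadata carries only a PKIX-validated certificate rather than an explicit key will now fail signature and TLS trust evaluation, so it should be checked against the SPs in this compose. The removal of `idp.sealer.storePassword` and `idp.sealer.keyPassword` here is only a relocation, since the same values reappear at the end of this file. Minor: `# Internal default is Chaining, overriden for new installs` should read `overridden`.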
@@ -60,7 +88,7 @@ idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
# Configuration of client- and server-side storage plugins
#idp.storage.cleanupInterval = PT10M
-#idp.storage.htmlLocalStorage = false
+idp.storage.htmlLocalStorage=true
# Set to true to expose more detailed errors in responses to SPs
#idp.errors.detailed = false
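Review bot: `idp.storage.htmlLocalStorage=true` moves the IdP's client-side storage out of cookies into browser localStorage via the storage JavaScript, which any script running on the IdP origin can read, whereas the cookie form can be HttpOnly. The records are sealed with the internal AES key configured above, so their confidentiality then rests entirely on the sealer keystore and its password, which this commit still keeps in a committed properties file. If the motive is the client-storage size limit for SP-session tracking, server-side `idp.session.StorageService = shibboleth.StorageService` is the alternative; either way a comment on this line would help: `# localStorage is script-readable; records are protected only by the sealer key`.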
@@ -90,22 +118,14 @@ idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
# Tolerate storage-related errors
#idp.session.maskStorageFailure = false
# Track information about SPs logged into
-#idp.session.trackSPSessions = false
+idp.session.trackSPSessions=true
# Support lookup by SP for SAML logout
-#idp.session.secondaryServiceIndex = false
+idp.session.secondaryServiceIndex=true
# Length of time to track SP sessions
#idp.session.defaultSPlifetime = PT2H
# Regular expression matching login flows to enable, e.g. IPAddress|Password
-idp.authn.flows= Password
-
-# Regular expression of forced "initial" methods when no session exists,
-# usually in conjunction with the idp.authn.resolveAttribute property below.
-#idp.authn.flows.initial = Password
-
-# Set to an attribute ID to resolve prior to selecting authentication flows;
-# its values are used to filter the flows to allow.
-#idp.authn.resolveAttribute = eduPersonAssurance
+idp.authn.flows=Password
# Default lifetime and timeout of various authentication methods
#idp.authn.defaultLifetime = PT60M
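Review bot: `idp.session.trackSPSessions=true` and `idp.session.secondaryServiceIndex=true` add a record per SP login to the IdP session, and nothing in this hunk moves session storage server-side, so with the default client-side `idp.session.StorageService` those records live in size-limited browser storage and may be truncated as a user visits more SPs. They also put the list of SPs a user has visited into the browser, which is privacy-relevant even when sealed. A comment on these two lines would save the next reader the lookup: `# SP-session tracking is only reliable with server-side idp.session.StorageService`.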
@@ -128,8 +148,14 @@ idp.authn.flows= Password
# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
# to key user consent storage records (and set the attribute name)
-#idp.consent.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
-#idp.consent.userStorageKeyAttribute = uid
+#idp.consent.attribute-release.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
+#idp.consent.attribute-release.userStorageKeyAttribute = uid
+#idp.consent.terms-of-use.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
+#idp.consent.terms-of-use.userStorageKeyAttribute = uid
+
+# Suffix of message property used as value of consent storage records when idp.consent.compareValues is true.
+# Defaults to text displayed to the user.
+#idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text
# Flags controlling how built-in attribute consent feature operates
#idp.consent.allowDoNotRemember = true
@@ -153,15 +179,19 @@ idp.authn.flows= Password
# Whether to require logout requests/responses be signed/authenticated.
#idp.logout.authenticated = true
+# Bean to determine whether user should be allowed to cancel logout
+#idp.logout.promptUser=shibboleth.Conditions.FALSE
+
# Message freshness and replay cache tuning
#idp.policy.messageLifetime = PT3M
#idp.policy.clockSkew = PT3M
# Set to custom bean for alternate storage of replay cache
#idp.replayCache.StorageService = shibboleth.StorageService
+#idp.replayCache.strict = true
# Toggles whether to allow outbound messages via SAML artifact
-idp.artifact.enabled = false
+#idp.artifact.enabled = true
# Suppresses typical signing/encryption when artifact binding used
#idp.artifact.secureChannel = true
# May differ to direct SAML 2 artifact lookups to specific server nodes
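Review bot: `idp.artifact.enabled` goes from an explicit `false` to a commented `#idp.artifact.enabled = true`, so if the convention stated at the top of this file holds, artifact issuance is now on, and the commented `idp.artifact.secureChannel = true` means message signing and encryption are suppressed on that path, leaving the back-channel resolution protected presumably only by TLS on the SOAP endpoint. The artifact map also defaults to the in-memory `shibboleth.StorageService`, which does not survive a container restart or span multiple IdP nodes. If disabling artifacts was intentional in the old file, keep `idp.artifact.enabled = false`; otherwise add a comment stating that the artifact-resolution endpoint must require TLS client authentication.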
@@ -171,7 +201,7 @@ idp.artifact.enabled = false
# Comma-delimited languages to use if not match can be found with the
# browser-supported languages, defaults to an empty list.
-idp.ui.fallbackLanguages= en,fr,de
+idp.ui.fallbackLanguages=en,fr,de
# Storage service used by CAS protocol
# Defaults to shibboleth.StorageService (in-memory)
@@ -183,9 +213,8 @@ idp.ui.fallbackLanguages= en,fr,de
# CAS service registry implementation class
#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry
-# Profile flows in which the ProfileRequestContext should be exposed
-# in servlet request under the key "opensamlProfileRequestContext"
-#idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO
+# If true, CAS services provisioned with SAML metadata are identified via entityID
+#idp.cas.relyingPartyIdFromMetadata=false
# F-TICKS auditing - set a salt to include hashed username
#idp.fticks.federation=MyFederation
@@ -193,3 +222,5 @@ idp.ui.fallbackLanguages= en,fr,de
#idp.fticks.salt=somethingsecret
#idp.fticks.loghost=localhost
#idp.fticks.logport=514
+idp.sealer.keyPassword=90fa668e-ce0f-45e7-82f1-fa4bd0273b51
+idp.sealer.storePassword=90fa668e-ce0f-45e7-82f1-fa4bd0273b51
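Review bot: The sealer keystore and key password (`90fa668e-…`) are still committed in plain text at the end of idp.properties even though this commit also loads `/credentials/secrets.properties`, which is the natural home for them; the earlier hunk that removed the same two lines only moved them. The internal AES key this password protects is what seals the session, consent and storage records the IdP hands to browsers, so even in a test compose this is a real secret, and since it was present in the previous version it is already in git history and should be rotated rather than relocated. If both files define the property, the effective value depends on property-load order, which is an easy way to end up with a sealer that cannot open records it wrote earlier. I would delete these two lines, keep the values only in secrets.properties, and regenerate sealer.jks with a fresh password.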
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/idp.properties.dist b/test-compose/idp/container_files/config/shib-idp/conf/idp.properties.dist
deleted file mode 100644
index 2c5dcc0..0000000
--- a/test-compose/idp/container_files/config/shib-idp/conf/idp.properties.dist
+++ /dev/null
@@ -1,195 +0,0 @@
-# Load any additional property resources from a comma-delimited list
-idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties
-
-# Set the entityID of the IdP
-idp.entityID= https://example.org/idp/shibboleth
-
-# Set the scope used in the attribute resolver for scoped attributes
-idp.scope= example.org
-
-# General cookie properties (maxAge only applies to persistent cookies)
-idp.cookie.secure = true
-#idp.cookie.httpOnly = true
-#idp.cookie.domain =
-#idp.cookie.path =
-#idp.cookie.maxAge = 31536000
-
-# Set the location of user-supplied web flow definitions
-#idp.webflows = %{idp.home}/flows
-
-# Set the location of Velocity view templates
-#idp.views = %{idp.home}/views
-
-# Settings for internal AES encryption key
-#idp.sealer.storeType = JCEKS
-#idp.sealer.updateInterval = PT15M
-#idp.sealer.aliasBase = secret
-idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
-idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
-idp.sealer.storePassword= changeit
-idp.sealer.keyPassword= changeit
-
-# Settings for public/private signing and encryption key(s)
-# During decryption key rollover, point the ".2" properties at a second
-# keypair, uncomment in credentials.xml, then publish it in your metadata.
-idp.signing.key= %{idp.home}/credentials/idp-signing.key
-idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
-idp.encryption.key= %{idp.home}/credentials/idp-encryption.key
-idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
-#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
-#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
-
-# Sets the bean ID to use as a default security configuration set
-#idp.security.config = shibboleth.DefaultSecurityConfiguration
-
-# To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1
-#idp.signing.config = shibboleth.SigningConfiguration.SHA256
-
-# Configures trust evaluation of keys used by services at runtime
-# Defaults to supporting both explicit key and PKIX using SAML metadata.
-#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
-# To pick only one set to one of:
-# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
-#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
-# To pick only one set to one of:
-# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine
-
-# If true, encryption will happen whenever a key to use can be located, but
-# failure to encrypt won't result in request failure.
-#idp.encryption.optional = false
-
-# Configuration of client- and server-side storage plugins
-#idp.storage.cleanupInterval = PT10M
-#idp.storage.htmlLocalStorage = false
-
-# Set to true to expose more detailed errors in responses to SPs
-#idp.errors.detailed = false
-# Set to false to skip signing of SAML response messages that signal errors
-#idp.errors.signed = true
-# Name of bean containing a list of Java exception classes to ignore
-#idp.errors.excludedExceptions = ExceptionClassListBean
-# Name of bean containing a property set mapping exception names to views
-#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
-# Set if a different default view name for events and exceptions is needed
-#idp.errors.defaultView = error
-
-# Set to false to disable the IdP session layer
-#idp.session.enabled = true
-
-# Set to "shibboleth.StorageService" for server-side storage of user sessions
-#idp.session.StorageService = shibboleth.ClientSessionStorageService
-
-# Size of session IDs
-#idp.session.idSize = 32
-# Bind sessions to IP addresses
-#idp.session.consistentAddress = true
-# Inactivity timeout
-#idp.session.timeout = PT60M
-# Extra time to store sessions for logout
-#idp.session.slop = PT0S
-# Tolerate storage-related errors
-#idp.session.maskStorageFailure = false
-# Track information about SPs logged into
-#idp.session.trackSPSessions = false
-# Support lookup by SP for SAML logout
-#idp.session.secondaryServiceIndex = false
-# Length of time to track SP sessions
-#idp.session.defaultSPlifetime = PT2H
-
-# Regular expression matching login flows to enable, e.g. IPAddress|Password
-idp.authn.flows= Password
-
-# Regular expression of forced "initial" methods when no session exists,
-# usually in conjunction with the idp.authn.resolveAttribute property below.
-#idp.authn.flows.initial = Password
-
-# Set to an attribute ID to resolve prior to selecting authentication flows;
-# its values are used to filter the flows to allow.
-#idp.authn.resolveAttribute = eduPersonAssurance
-
-# Default lifetime and timeout of various authentication methods
-#idp.authn.defaultLifetime = PT60M
-#idp.authn.defaultTimeout = PT30M
-
-# Whether to populate relying party user interface information for display
-# during authentication, consent, terms-of-use.
-#idp.authn.rpui = true
-
-# Whether to prioritize "active" results when an SP requests more than
-# one possible matching login method (V2 behavior was to favor them)
-#idp.authn.favorSSO = false
-
-# Whether to fail requests when a user identity after authentication
-# doesn't match the identity in a pre-existing session.
-#idp.authn.identitySwitchIsError = false
-
-# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
-#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
-
-# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
-# to key user consent storage records (and set the attribute name)
-#idp.consent.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
-#idp.consent.userStorageKeyAttribute = uid
-
-# Flags controlling how built-in attribute consent feature operates
-#idp.consent.allowDoNotRemember = true
-#idp.consent.allowGlobal = true
-#idp.consent.allowPerAttribute = false
-
-# Whether attribute values and terms of use text are compared
-#idp.consent.compareValues = false
-# Maximum number of consent records for space-limited storage (e.g. cookies)
-#idp.consent.maxStoredRecords = 10
-# Maximum number of consent records for larger/server-side storage (0 = no limit)
-#idp.consent.expandedMaxStoredRecords = 0
-
-# Time in milliseconds to expire consent storage records.
-#idp.consent.storageRecordLifetime = P1Y
-
-# Whether to lookup metadata, etc. for every SP involved in a logout
-# for use by user interface logic; adds overhead so off by default.
-#idp.logout.elaboration = false
-
-# Whether to require logout requests/responses be signed/authenticated.
-#idp.logout.authenticated = true
-
-# Message freshness and replay cache tuning
-#idp.policy.messageLifetime = PT3M
-#idp.policy.clockSkew = PT3M
-
-# Set to custom bean for alternate storage of replay cache
-#idp.replayCache.StorageService = shibboleth.StorageService
-
-# Toggles whether to allow outbound messages via SAML artifact
-idp.artifact.enabled = false
-# Suppresses typical signing/encryption when artifact binding used
-#idp.artifact.secureChannel = true
-# May differ to direct SAML 2 artifact lookups to specific server nodes
-#idp.artifact.endpointIndex = 2
-# Set to custom bean for alternate storage of artifact map state
-#idp.artifact.StorageService = shibboleth.StorageService
-
-# Comma-delimited languages to use if not match can be found with the
-# browser-supported languages, defaults to an empty list.
-idp.ui.fallbackLanguages= en,fr,de
-
-# Storage service used by CAS protocol
-# Defaults to shibboleth.StorageService (in-memory)
-# MUST be server-side storage (e.g. in-memory, memcached, database)
-# NOTE that idp.session.StorageService requires server-side storage
-# when CAS protocol is enabled
-#idp.cas.StorageService=shibboleth.StorageService
-
-# CAS service registry implementation class
-#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry
-
-# Profile flows in which the ProfileRequestContext should be exposed
-# in servlet request under the key "opensamlProfileRequestContext"
-#idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO
-
-# F-TICKS auditing - set a salt to include hashed username
-#idp.fticks.federation=MyFederation
-#idp.fticks.algorithm=SHA-256
-#idp.fticks.salt=somethingsecret
-#idp.fticks.loghost=localhost
-#idp.fticks.logport=514
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/intercept/consent-intercept-config.xml b/test-compose/idp/container_files/config/shib-idp/conf/intercept/consent-intercept-config.xml
index ca183a7..66f06a0 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/intercept/consent-intercept-config.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/intercept/consent-intercept-config.xml
@@ -24,8 +24,7 @@
-
-
-
-
-
-
-
-
-
-
-
-
+
+
\ No newline at end of file
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/intercept/context-check-intercept-config.xml b/test-compose/idp/container_files/config/shib-idp/conf/intercept/context-check-intercept-config.xml
index 809f1d4..aae07f0 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/intercept/context-check-intercept-config.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/intercept/context-check-intercept-config.xml
@@ -22,7 +22,7 @@
-
+
@@ -39,4 +39,25 @@
+
+
+
\ No newline at end of file
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/intercept/expiring-password-intercept-config.xml b/test-compose/idp/container_files/config/shib-idp/conf/intercept/expiring-password-intercept-config.xml
index 5447b16..b3bf96d 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/intercept/expiring-password-intercept-config.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/intercept/expiring-password-intercept-config.xml
@@ -19,14 +19,8 @@
The format pattern parses the value and the negative offset determines how soon to warn the user beforehand.
-->
-
-
-
-
-
-
-
+ c:attribute="passwordExpiration" c:formatString="yyyyMMddHHmmss'T'"
+ p:resultIfMissing="true" p:offset="-P14D" />
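Review bot: The format string `yyyyMMddHHmmss'T'` on the `c:formatString` line ends in a literal `T`, which does not match the generalizedTime form ending in `Z` that the `passwordExpirationTime` attribute requested in ldap.properties normally carries; if the directory emits a trailing `Z`, every value fails to parse and the intercept never warns anyone. I cannot see the attribute-resolver definition that maps `passwordExpirationTime` to `passwordExpiration` from here, so this is worth checking against a real value. Unless the directory really uses a `T` suffix, the line should read `c:attribute="passwordExpiration" c:formatString="yyyyMMddHHmmss'Z'"`. A comment stating what `p:resultIfMissing="true"` yields for users without the attribute would also help, since that decides whether they see the warning.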
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/intercept/external-intercept-config.xml b/test-compose/idp/container_files/config/shib-idp/conf/intercept/external-intercept-config.xml
new file mode 100644
index 0000000..1d0fc29
--- /dev/null
+++ b/test-compose/idp/container_files/config/shib-idp/conf/intercept/external-intercept-config.xml
@@ -0,0 +1,25 @@
+
+
+
+
+
+
+
+
+
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/intercept/impersonate-intercept-config.xml b/test-compose/idp/container_files/config/shib-idp/conf/intercept/impersonate-intercept-config.xml
new file mode 100644
index 0000000..7dfda2b
--- /dev/null
+++ b/test-compose/idp/container_files/config/shib-idp/conf/intercept/impersonate-intercept-config.xml
@@ -0,0 +1,25 @@
+
+
+
+
+
+
+
+
+
+
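Review bot: An impersonation intercept configuration is added, but every line of its body is blank in this view, so the conditions that decide who may impersonate whom and for which relying parties cannot be reviewed here. Impersonation presents an authenticated user to an SP under a different principal name, so the general and specific policy beans in this file must not resolve to allow-all, and the file deserves a header comment stating the intended scope, e.g. `<!-- Impersonation is restricted to test accounts in this compose; do not copy to production -->`.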
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/intercept/intercept-events-flow.xml b/test-compose/idp/container_files/config/shib-idp/conf/intercept/intercept-events-flow.xml
index 5cb30d5..6214e80 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/intercept/intercept-events-flow.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/intercept/intercept-events-flow.xml
@@ -10,9 +10,11 @@
report custom events in response to unusual conditions.
-->
-
-
+
+
+
+
+
+
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/intercept/profile-intercept.xml b/test-compose/idp/container_files/config/shib-idp/conf/intercept/profile-intercept.xml
index bb3d3a7..f086cfa 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/intercept/profile-intercept.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/intercept/profile-intercept.xml
@@ -30,25 +30,13 @@
-
+
+
+
+
+
-
-
-
-
-
-
-
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/ldap.properties b/test-compose/idp/container_files/config/shib-idp/conf/ldap.properties
index e207f06..d874509 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/ldap.properties
+++ b/test-compose/idp/container_files/config/shib-idp/conf/ldap.properties
@@ -5,7 +5,7 @@
idp.authn.LDAP.authenticator = bindSearchAuthenticator
## Connection properties ##
-idp.authn.LDAP.ldapURL = ldap://data:389
+idp.authn.LDAP.ldapURL=ldap://data:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
# Time in milliseconds that connects will block
@@ -16,40 +16,38 @@ idp.authn.LDAP.useSSL = false
## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
#idp.authn.LDAP.sslConfig = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
-idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
+idp.authn.LDAP.trustCertificates=%{idp.home}/credentials/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
-idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
+idp.authn.LDAP.trustStore=%{idp.home}/credentials/ldap-server.truststore
## Return attributes during authentication
-idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining
+idp.authn.LDAP.returnAttributes=passwordExpirationTime,loginGraceRemaining
## DN resolution properties ##
# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
# for AD: CN=Users,DC=example,DC=org
-idp.authn.LDAP.baseDN = ou=People,dc=internet2,dc=edu
+idp.authn.LDAP.baseDN=ou=People,dc=internet2,dc=edu
#idp.authn.LDAP.subtreeSearch = false
-idp.authn.LDAP.userFilter = (uid={user})
+idp.authn.LDAP.userFilter=(uid={user})
# bind search configuration
# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
-idp.authn.LDAP.bindDN = cn=admin,dc=internet2,dc=edu
-idp.authn.LDAP.bindDNCredential = password
+idp.authn.LDAP.bindDN=cn=admin,dc=internet2,dc=edu
# Format DN resolution, used by directAuthenticator, adAuthenticator
# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
-idp.authn.LDAP.dnFormat = uid=%s,ou=People,dc=internet2,dc=edu
+idp.authn.LDAP.dnFormat=uid=%s,ou=People,dc=internet2,dc=edu
# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver configurations
-idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
-idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout:PT3S}
-idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout:PT3S}
-idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined}
-idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN:undefined}
-idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}
-idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
-idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined}
-idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)
+idp.attribute.resolver.LDAP.ldapURL=%{idp.authn.LDAP.ldapURL}
+idp.attribute.resolver.LDAP.connectTimeout=%{idp.authn.LDAP.connectTimeout:PT3S}
+idp.attribute.resolver.LDAP.responseTimeout=%{idp.authn.LDAP.responseTimeout:PT3S}
+idp.attribute.resolver.LDAP.baseDN=%{idp.authn.LDAP.baseDN:undefined}
+idp.attribute.resolver.LDAP.bindDN=%{idp.authn.LDAP.bindDN:undefined}
+idp.attribute.resolver.LDAP.useStartTLS=%{idp.authn.LDAP.useStartTLS:true}
+idp.attribute.resolver.LDAP.trustCertificates=%{idp.authn.LDAP.trustCertificates:undefined}
+idp.attribute.resolver.LDAP.searchFilter=(uid=$resolutionContext.principal)
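Review bot: `idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}` is removed along with `idp.authn.LDAP.bindDNCredential`, but the resolver's `bindDN` line is kept, so unless `/credentials/secrets.properties` defines both the authn and the resolver credential the attribute-resolver LDAP connector will try to bind as `cn=admin,…` with no password. If secrets.properties only carries `idp.authn.LDAP.bindDNCredential`, restore the mapping: `idp.attribute.resolver.LDAP.bindDNCredential=%{idp.authn.LDAP.bindDNCredential:undefined}`. Separately, the resolver's `useStartTLS` inherits `idp.authn.LDAP.useStartTLS`, which this file sets to `false` over `ldap://data:389`, so the bind credential and every user password cross the compose network in clear; a comment marking that as test-only would keep it from being copied elsewhere.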
# LDAP pool configuration, used for both authn and DN resolution
#idp.pool.LDAP.minSize = 3
@@ -60,4 +58,3 @@ idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.princi
#idp.pool.LDAP.prunePeriod = PT5M
#idp.pool.LDAP.idleTime = PT10M
#idp.pool.LDAP.blockWaitTime = PT3S
-#idp.pool.LDAP.failFastInitialize = false
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/ldap.properties.dist b/test-compose/idp/container_files/config/shib-idp/conf/ldap.properties.dist
deleted file mode 100644
index e045c8e..0000000
--- a/test-compose/idp/container_files/config/shib-idp/conf/ldap.properties.dist
+++ /dev/null
@@ -1,63 +0,0 @@
-# LDAP authentication configuration, see authn/ldap-authn-config.xml
-# Note, this doesn't apply to the use of JAAS
-
-## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
-#idp.authn.LDAP.authenticator = anonSearchAuthenticator
-
-## Connection properties ##
-idp.authn.LDAP.ldapURL = ldap://localhost:10389
-idp.authn.LDAP.useStartTLS = false
-idp.authn.LDAP.useSSL = false
-# Time in milliseconds that connects will block
-#idp.authn.LDAP.connectTimeout = PT3S
-# Time in milliseconds to wait for responses
-#idp.authn.LDAP.responseTimeout = PT3S
-
-## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
-#idp.authn.LDAP.sslConfig = certificateTrust
-## If using certificateTrust above, set to the trusted certificate's path
-idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
-## If using keyStoreTrust above, set to the truststore path
-idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
-
-## Return attributes during authentication
-idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining
-
-## DN resolution properties ##
-
-# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
-# for AD: CN=Users,DC=example,DC=org
-idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
-#idp.authn.LDAP.subtreeSearch = false
-idp.authn.LDAP.userFilter = (uid={user})
-# bind search configuration
-# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
-idp.authn.LDAP.bindDN = uid=myservice,ou=system
-idp.authn.LDAP.bindDNCredential = myServicePassword
-
-# Format DN resolution, used by directAuthenticator, adAuthenticator
-# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
-idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=org
-
-# LDAP attribute configuration, see attribute-resolver.xml
-# Note, this likely won't apply to the use of legacy V2 resolver configurations
-idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
-idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout:PT3S}
-idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout:PT3S}
-idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined}
-idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN:undefined}
-idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}
-idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
-idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined}
-idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)
-
-# LDAP pool configuration, used for both authn and DN resolution
-#idp.pool.LDAP.minSize = 3
-#idp.pool.LDAP.maxSize = 10
-#idp.pool.LDAP.validateOnCheckout = false
-#idp.pool.LDAP.validatePeriodically = true
-#idp.pool.LDAP.validatePeriod = PT5M
-#idp.pool.LDAP.prunePeriod = PT5M
-#idp.pool.LDAP.idleTime = PT10M
-#idp.pool.LDAP.blockWaitTime = PT3S
-#idp.pool.LDAP.failFastInitialize = false
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/logback.xml b/test-compose/idp/container_files/config/shib-idp/conf/logback.xml
index 104ec4c..9a91d26 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/logback.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/logback.xml
@@ -5,60 +5,65 @@
Variables for simplifying logging configuration.
http://logback.qos.ch/manual/configuration.html#variableSubstitution
-->
+
+
+
+
+
-
+
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
+
+
+
-
-
-
-
+
-
+
-
+
+
+
+
-
+
-
+
-
+
-
-
-
-
-
+
+
+
+
@@ -66,17 +71,13 @@
-
- ${idp.logfiles}/idp-process.log
+
+ /tmp/logidp-process
-
- ${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz
- ${idp.loghistory:-180}
- UTF-8
- %date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}
+ %date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{full}
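Review bot: The process log now goes to `/tmp/logidp-process` with the rolling policy removed, so the file grows without bound for the life of the container, and the name looks like a lost separator (`/tmp/log` + `idp-process`) from a scripted edit — the `.tmp3` copy added in this same commit points the same way. `/tmp` is also writable by any local user in the image, so a fixed file name there is the classic spot for pre-creation or symlink tricks if the container ever runs more than the IdP process. For a container, logging to stdout or to a mounted volume with the rolling policy retained is the usual choice; at minimum fix the path, e.g. `/tmp/log/idp-process.log`. The pattern change adding `%mdc{idp.remote_addr}` is useful, but `%ex{full}` will make the unrotated file grow faster.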
@@ -97,22 +98,18 @@
0
-
+ WARN
- ${idp.logfiles}/idp-warn.log
+ /tmp/logidp-warn
-
- ${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz
- ${idp.loghistory:-180}
- UTF-8
- %date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}
+ %date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{short}
@@ -129,13 +126,9 @@
-
- ${idp.logfiles}/idp-audit.log
+
+ /tmp/logidp-audit
-
- ${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz
- ${idp.loghistory:-180}
- UTF-8
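Review bot: The audit log moves from `${idp.logfiles}/idp-audit.log` to `/tmp/logidp-audit` and loses its rolling policy and history setting, so the one record that shows which user was asserted to which SP becomes an unrotated file in the container's ephemeral filesystem that disappears on restart. Even in a test compose the audit trail is what a login is reconstructed from, so keep it on a mounted volume or ship it to stdout rather than `/tmp`, and bring back the previous rotation (`idp-audit-%d{yyyy-MM-dd}.log.gz` with `${idp.loghistory}`). The path also looks like it lost a separator between `/tmp/log` and `idp-audit`, same as the process appender.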
@@ -144,13 +137,9 @@
-
- ${idp.logfiles}/idp-consent-audit.log
+
+ /tmp/logidp-consent-audit
-
- ${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz
- ${idp.loghistory:-180}
- UTF-8
@@ -183,4 +172,4 @@
-
\ No newline at end of file
+
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/logback.xml.dist b/test-compose/idp/container_files/config/shib-idp/conf/logback.xml.dist
new file mode 100644
index 0000000..ac19b1f
--- /dev/null
+++ b/test-compose/idp/container_files/config/shib-idp/conf/logback.xml.dist
@@ -0,0 +1,191 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ${idp.logfiles}/idp-process.log
+
+
+ ${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz
+ ${idp.loghistory}
+
+
+
+ UTF-8
+ %date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{full}
+
+
+
+
+
+
+ VelocityStatusMatcher
+ ResourceManager : unable to find resource 'status.vm' in any resource loader.
+
+ VelocityStatusMatcher.matches(formattedMessage)
+
+ DENY
+
+
+
+
+
+ 0
+
+
+
+
+
+ WARN
+
+
+ ${idp.logfiles}/idp-warn.log
+
+
+ ${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz
+ ${idp.loghistory}
+
+
+
+ UTF-8
+ %date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{short}
+
+
+
+
+
+
+ VelocityStatusMatcher
+ ResourceManager : unable to find resource 'status.vm' in any resource loader.
+
+ VelocityStatusMatcher.matches(formattedMessage)
+
+ DENY
+
+
+
+
+
+ ${idp.logfiles}/idp-audit.log
+
+
+ ${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz
+ ${idp.loghistory}
+
+
+
+ UTF-8
+ %msg%n
+
+
+
+
+
+ ${idp.logfiles}/idp-consent-audit.log
+
+
+ ${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz
+ ${idp.loghistory}
+
+
+
+ UTF-8
+ %msg%n
+
+
+
+
+
+ ${idp.fticks.loghost:-localhost}
+ ${idp.fticks.logport:-514}
+ AUTH
+ [%thread] %logger %msg
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/logback.xml.tmp3 b/test-compose/idp/container_files/config/shib-idp/conf/logback.xml.tmp3
new file mode 100644
index 0000000..4eebeaa
--- /dev/null
+++ b/test-compose/idp/container_files/config/shib-idp/conf/logback.xml.tmp3
@@ -0,0 +1,191 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ /tmp/logidp-process
+
+
+ ${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz
+ ${idp.loghistory}
+
+
+
+ UTF-8
+ %date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{full}
+
+
+
+
+
+
+ VelocityStatusMatcher
+ ResourceManager : unable to find resource 'status.vm' in any resource loader.
+
+ VelocityStatusMatcher.matches(formattedMessage)
+
+ DENY
+
+
+
+
+
+ 0
+
+
+
+
+
+ WARN
+
+
+ /tmp/logidp-warn
+
+
+ ${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz
+ ${idp.loghistory}
+
+
+
+ UTF-8
+ %date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{short}
+
+
+
+
+
+
+ VelocityStatusMatcher
+ ResourceManager : unable to find resource 'status.vm' in any resource loader.
+
+ VelocityStatusMatcher.matches(formattedMessage)
+
+ DENY
+
+
+
+
+
+ /tmp/logidp-audit
+
+
+ ${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz
+ ${idp.loghistory}
+
+
+
+ UTF-8
+ %msg%n
+
+
+
+
+
+ ${idp.logfiles}/idp-consent-audit.log
+
+
+ ${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz
+ ${idp.loghistory}
+
+
+
+ UTF-8
+ %msg%n
+
+
+
+
+
+ ${idp.fticks.loghost:-localhost}
+ ${idp.fticks.logport:-514}
+ AUTH
+ [%thread] %logger %msg
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
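Review bot: `logback.xml.tmp3` looks like a scratch copy left over from editing `logback.xml` rather than an intended configuration file, and it is inconsistent with itself: the process, warn and audit appenders point at `/tmp/logidp-*` while the consent-audit appender still uses `${idp.logfiles}/idp-consent-audit.log`. Whether anything in `conf/` other than `logback.xml` is read depends on how the container mounts this directory, which the diff does not show, but a stray file in a config tree is a maintenance hazard either way. Suggest dropping it from the commit; the `logback.xml.dist` copy added above appears to be a clean default and at least has a recognisable purpose, though it would also benefit from a one-line header comment saying why it is kept alongside the live file.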
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/metadata-providers.xml b/test-compose/idp/container_files/config/shib-idp/conf/metadata-providers.xml
index 6daa0ca..4939ff0 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/metadata-providers.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/metadata-providers.xml
@@ -1,15 +1,25 @@
-
+ urn:oasis:names:tc:SAML:2.0:assertion http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd
+ urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd
+ urn:oasis:names:tc:SAML:metadata:algsupport http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-algsupport-v1.0.xsd
+ http://www.w3.org/2000/09/xmldsig# http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
+ http://www.w3.org/2009/xmldsig11# http://www.w3.org/TR/2013/REC-xmldsig-core1-20130411/xmldsig11-schema.xsd
+ http://www.w3.org/2001/04/xmlenc# http://www.w3.org/TR/xmlenc-core/xenc-schema.xsd
+ http://www.w3.org/2009/xmlenc11# http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/xenc-schema-11.xsd">
+
@@ -62,25 +72,48 @@
-->
-
-
-
-
-
-
-
- md:SPSSODescriptor
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ https://mdq.incommon.org/
+
+
+
+
+
+
+
+
+
+
+
+ https://mdq.incommon.org/
-
+
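Review bot: The new resolver pulls metadata from `https://mdq.incommon.org/`, but with the XML tags stripped from this view I cannot see whether a SignatureValidation filter with the federation's metadata signing certificate and a RequiredValidUntil filter are attached to it; a remote metadata source without signature validation lets whoever controls the endpoint or the transport decide which SPs the IdP trusts, and the `md:SPSSODescriptor` role filter from the removed provider appears to be gone as well. Please confirm those filters are present (or add them) and record the trust anchor next to the URL, e.g. `<!-- trust anchor: InCommon metadata signing certificate, see <PATH-TO-CERT> -->`. The URL appears twice in the hunk; if the second occurrence is a commented-out alternative, a short comment saying so would help the next reader.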
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/relying-party.xml b/test-compose/idp/container_files/config/shib-idp/conf/relying-party.xml
index 1f48cff..a972b97 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/relying-party.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/relying-party.xml
@@ -34,16 +34,20 @@
-
-
+
-
+
+ -->
+
+
-
-
+
+
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/saml-nameid.properties b/test-compose/idp/container_files/config/shib-idp/conf/saml-nameid.properties
index 8530c4f..7169c5e 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/saml-nameid.properties
+++ b/test-compose/idp/container_files/config/shib-idp/conf/saml-nameid.properties
@@ -4,10 +4,6 @@
# identifiers. See saml-nameid.xml and c14n/subject-c14n.xml for advanced
# settings
-# Comment out to disable legacy NameID generation via Attribute Resolver
-#idp.nameid.saml2.legacyGenerator = shibboleth.LegacySAML2NameIDGenerator
-#idp.nameid.saml1.legacyGenerator = shibboleth.LegacySAML1NameIdentifierGenerator
-
# Default NameID Formats to use when nothing else is called for.
# Don't change these just to change the Format used for a single SP!
#idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
@@ -18,12 +14,12 @@
# Persistent IDs can be computed on the fly with a hash, or managed in a database
-# For computed IDs, set a source attribute and a secret salt:
+# For computed IDs, set a source attribute, and a secret salt in secrets.properties
#idp.persistentId.sourceAttribute = changethistosomethingreal
#idp.persistentId.useUnfilteredAttributes = true
-# Do *NOT* share the salt with other people, it's like divulging your private key.
#idp.persistentId.algorithm = SHA
-#idp.persistentId.salt = changethistosomethingrandom
+# BASE64 will match V2 values, we recommend BASE32 encoding for new installs.
+idp.persistentId.encoding = BASE32
# To use a database, use shibboleth.StoredPersistentIdGenerator
#idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
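Review bot: `idp.persistentId.encoding = BASE32` is set uncommented while every other persistentId setting here remains a commented default, and the comment directly above says BASE64 is what matches V2 values, so on an IdP that migrated an existing computed-ID deployment this silently changes every persistent NameID already issued to SPs. If this is a fresh install, a comment saying so is enough, e.g. `# New deployment with no pre-existing computed IDs, so BASE32 is safe here`; otherwise it should stay BASE64 or be decided as part of the migration. The reworded comment now expects the salt in secrets.properties; confirm that file is excluded from both the image and the repository.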
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/saml-nameid.xml b/test-compose/idp/container_files/config/shib-idp/conf/saml-nameid.xml
index ea97448..7d82cf5 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/saml-nameid.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/saml-nameid.xml
@@ -40,6 +40,7 @@
@@ -53,6 +54,7 @@
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/services.properties b/test-compose/idp/container_files/config/shib-idp/conf/services.properties
index eee86ee..9dc3dff 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/services.properties
+++ b/test-compose/idp/container_files/config/shib-idp/conf/services.properties
@@ -12,19 +12,30 @@
#idp.service.logging.failFast = true
idp.service.logging.checkInterval = PT5M
-# Set to shibboleth.LegacyRelyingPartyResolverResources with legacy V2 relying-party.xml
#idp.service.relyingparty.resources = shibboleth.RelyingPartyResolverResources
#idp.service.relyingparty.failFast = false
idp.service.relyingparty.checkInterval = PT15M
+# Set true to limit metadata-driven settings lookup to decoded EntityAttributes
+idp.service.relyingparty.ignoreUnmappedEntityAttributes=true
#idp.service.metadata.resources = shibboleth.MetadataResolverResources
#idp.service.metadata.failFast = false
#idp.service.metadata.checkInterval = PT0S
+# Set to false if not using ByReference MetadataFilters for a small perf gain
+#idp.service.metadata.enableByReferenceFilters = true
+
+#idp.service.attribute.registry.resources = shibboleth.AttributeRegistryResources
+#idp.service.attribute.registry.namingRegistry = shibboleth.DefaultNamingRegistry
+#idp.service.attribute.registry.failFast = false
+idp.service.attribute.registry.checkInterval = PT15M
+# Default control of whether to encode XML attribute data with xsi:type
+idp.service.attribute.registry.encodeType = false
#idp.service.attribute.resolver.resources = shibboleth.AttributeResolverResources
#idp.service.attribute.resolver.failFast = false
idp.service.attribute.resolver.checkInterval = PT15M
#idp.service.attribute.resolver.maskFailures = true
+#idp.service.attribute.resolver.stripNulls = false
#idp.service.attribute.filter.resources = shibboleth.AttributeFilterResources
# NOTE: Failing the filter fast leaves no filters enabled.
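Review bot: `idp.service.relyingparty.ignoreUnmappedEntityAttributes=true` omits the spaces around `=` that every other assignment in this file uses; `idp.service.relyingparty.ignoreUnmappedEntityAttributes = true` keeps the file uniform. The remaining additions in the hunk follow the existing style.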
@@ -44,18 +55,21 @@ idp.service.access.checkInterval = PT5M
#idp.service.cas.registry.failFast = false
idp.service.cas.registry.checkInterval = PT15M
+#idp.service.managedBean.resources = shibboleth.ManagedBeanResources
+#idp.service.managedBean.failFast = false
+idp.service.managedBean.checkInterval = PT15M
+
#idp.message.resources = shibboleth.MessageSourceResources
#idp.message.cacheSeconds = 300
# Parameters for pre-defined HttpClient instances which perform in-memory and filesystem caching.
# These are used with components such as remote configuration resources that are explicitly wired
# with these client instances, *not* by default with HTTP metadata resolvers.
-#idp.httpclient.useTrustEngineTLSSocketFactory = false
#idp.httpclient.useSecurityEnhancedTLSSocketFactory = false
#idp.httpclient.connectionDisregardTLSCertificate = false
-#idp.httpclient.connectionRequestTimeout = 60000
-#idp.httpclient.connectionTimeout = 60000
-#idp.httpclient.socketTimeout = 60000
+#idp.httpclient.connectionRequestTimeout = PT1M
+#idp.httpclient.connectionTimeout = PT1M
+#idp.httpclient.socketTimeout = PT1M
#idp.httpclient.maxConnectionsTotal = 100
#idp.httpclient.maxConnectionsPerRoute = 100
#idp.httpclient.memorycaching.maxCacheEntries = 50
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/services.xml b/test-compose/idp/container_files/config/shib-idp/conf/services.xml
index 313b636..5a4cdea 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/services.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/services.xml
@@ -4,55 +4,11 @@
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
-
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
-
- %{idp.home}/conf/relying-party.xml
- %{idp.home}/system/conf/legacy-relying-party-defaults.xml
-
-
%{idp.home}/conf/metadata-providers.xml%{idp.home}/system/conf/metadata-providers-system.xml
@@ -113,6 +63,13 @@
%{idp.home}/conf/attribute-resolver.xml
+
+ %{idp.home}/conf/attribute-registry.xml
+ %{idp.home}/system/conf/attribute-registry-system.xml
+ %{idp.home}/conf/attributes/default-rules.xml
+ %{idp.home}/conf/attribute-resolver.xml
+
+
%{idp.home}/conf/attribute-filter.xml
diff --git a/test-compose/idp/container_files/config/shib-idp/conf/session-manager.xml b/test-compose/idp/container_files/config/shib-idp/conf/session-manager.xml
index f195014..7372029 100644
--- a/test-compose/idp/container_files/config/shib-idp/conf/session-manager.xml
+++ b/test-compose/idp/container_files/config/shib-idp/conf/session-manager.xml
@@ -15,22 +15,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+