Merge pull request #143 from internet2/pc_April23

bump IdP-UI to 1.17.3 and enabled encrypted assertions
internet2 · Apr 14, 2023 · 5b95495 · 5b95495
2 parents 427b4f9 + 2e84d0a
commit 5b95495
Show file tree

Hide file tree

Showing 6 changed files with 81 additions and 8 deletions.
diff --git a/Workbench/idp/shibboleth-idp/conf/relying-party.xml b/Workbench/idp/shibboleth-idp/conf/relying-party.xml
@@ -67,14 +67,15 @@
         </bean>
         -->
 
+	<!--
         <bean id="ShibUI" parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibui">
             <property name="profileConfigurations">
                 <list>
                     <bean parent="SAML2.SSO" p:encryptionOptional="true" />
                 </list>
             </property>
         </bean>
-        
+	-->
     </util:list>
 
 </beans>

diff --git a/Workbench/idp/shibboleth-idp/metadata/idpui-sp.xml b/Workbench/idp/shibboleth-idp/metadata/idpui-sp.xml
@@ -15,8 +15,60 @@
         <md:Extensions>
             <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://__CSPHOSTNAME__/idpui/callback?client_name=shibUIAuthClient"/>
         </md:Extensions>
-        <md:KeyDescriptor use="signing" />
-        <md:KeyDescriptor use="encryption" />
+	<md:KeyDescriptor use="signing">
+	    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+	        <ds:X509Data>
+		    <ds:X509Certificate>
+MIIDgzCCAmugAwIBAgIEcPqhyTANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJV
+UzERMA8GA1UECBMITWljaGlnYW4xEjAQBgNVBAcTCUFubiBBcmJvcjESMBAGA1UE
+ChMJSW50ZXJuZXQyMQwwCgYDVQQLEwNkZXYxGjAYBgNVBAMTEWlkcHVpLmV4YW1w
+bGUub3JnMB4XDTIwMTIxNTIyMjE1MloXDTMwMTIxMzIyMjE1MlowcjELMAkGA1UE
+BhMCVVMxETAPBgNVBAgTCE1pY2hpZ2FuMRIwEAYDVQQHEwlBbm4gQXJib3IxEjAQ
+BgNVBAoTCUludGVybmV0MjEMMAoGA1UECxMDZGV2MRowGAYDVQQDExFpZHB1aS5l
+eGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIYkcjUA
+B9RePxkLMOKc+he23yY1m9YocYwkcJOJnPt9+L/2laIYJzxgAtDmxZ+YcpJxI0Px
+QJ6kQJVhEbMYEOnbfqxgphrUxYHkVyXHVVtNInydAawWWrT9DrA1HRzq8RXTqLit
++8OeKjsiRHAiR2/g2CmuLvo3KhQbpe4FUJbIC2Eo3BHtlMElHGtubBfnY7S4zULY
+vZXCiTBJSFX4S/8Sk8DirHCKK47CDGMLbuvXYYpk+rnegVQudYprNy70Yx0xH2gl
+I3WyL4/sPgPPJg5FbA0nF5WDlVkMKQq6kYbT2PuIu67lCAeMlNgihp95e3L0xYUg
+qiukTAIIk+CDHskCAwEAAaMhMB8wHQYDVR0OBBYEFK1cSS3HdqLZyGW2+9H9gDkP
+dl7wMA0GCSqGSIb3DQEBCwUAA4IBAQBiOi+h2/Xg6Yr53mvQqcFJxd/jDTfBob9L
+h21cCr3tv0ZldgZN5WYobw6pX8VRCZMc91bCEqI1XrlueRDM785iLHcYYFt1RM7m
+Ly+F0lsvn5VdTN+L/sOypU1Eco+3SxiSItk2VBXG1U+gkJWvmpOTE+W93y6W6Lyl
+hoixs3MTdn7IZrKeBUgBtiho/+QRjm74Y4DSveGIOt521GLYmiP9CW5wIvnh1z2c
+gr6gaui1XfGQA/1DqGz9FIcnr+39hIbXA3qgVub7H5x30e6nSA5Dc+UkVZ7I+75u
+sCw582pAQy6p2Vy3unUExYINbXima4SuEYsTBLsjuH4LiaNSWwB/
+		    </ds:X509Certificate>
+		</ds:X509Data>
+            </ds:KeyInfo>
+	</md:KeyDescriptor>
+        <md:KeyDescriptor use="encryption">
+            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+                <ds:X509Data>
+                    <ds:X509Certificate>
+MIIDgzCCAmugAwIBAgIEcPqhyTANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJV
+UzERMA8GA1UECBMITWljaGlnYW4xEjAQBgNVBAcTCUFubiBBcmJvcjESMBAGA1UE
+ChMJSW50ZXJuZXQyMQwwCgYDVQQLEwNkZXYxGjAYBgNVBAMTEWlkcHVpLmV4YW1w
+bGUub3JnMB4XDTIwMTIxNTIyMjE1MloXDTMwMTIxMzIyMjE1MlowcjELMAkGA1UE
+BhMCVVMxETAPBgNVBAgTCE1pY2hpZ2FuMRIwEAYDVQQHEwlBbm4gQXJib3IxEjAQ
+BgNVBAoTCUludGVybmV0MjEMMAoGA1UECxMDZGV2MRowGAYDVQQDExFpZHB1aS5l
+eGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIYkcjUA
+B9RePxkLMOKc+he23yY1m9YocYwkcJOJnPt9+L/2laIYJzxgAtDmxZ+YcpJxI0Px
+QJ6kQJVhEbMYEOnbfqxgphrUxYHkVyXHVVtNInydAawWWrT9DrA1HRzq8RXTqLit
++8OeKjsiRHAiR2/g2CmuLvo3KhQbpe4FUJbIC2Eo3BHtlMElHGtubBfnY7S4zULY
+vZXCiTBJSFX4S/8Sk8DirHCKK47CDGMLbuvXYYpk+rnegVQudYprNy70Yx0xH2gl
+I3WyL4/sPgPPJg5FbA0nF5WDlVkMKQq6kYbT2PuIu67lCAeMlNgihp95e3L0xYUg
+qiukTAIIk+CDHskCAwEAAaMhMB8wHQYDVR0OBBYEFK1cSS3HdqLZyGW2+9H9gDkP
+dl7wMA0GCSqGSIb3DQEBCwUAA4IBAQBiOi+h2/Xg6Yr53mvQqcFJxd/jDTfBob9L
+h21cCr3tv0ZldgZN5WYobw6pX8VRCZMc91bCEqI1XrlueRDM785iLHcYYFt1RM7m
+Ly+F0lsvn5VdTN+L/sOypU1Eco+3SxiSItk2VBXG1U+gkJWvmpOTE+W93y6W6Lyl
+hoixs3MTdn7IZrKeBUgBtiho/+QRjm74Y4DSveGIOt521GLYmiP9CW5wIvnh1z2c
+gr6gaui1XfGQA/1DqGz9FIcnr+39hIbXA3qgVub7H5x30e6nSA5Dc+UkVZ7I+75u
+sCw582pAQy6p2Vy3unUExYINbXima4SuEYsTBLsjuH4LiaNSWwB/
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </md:KeyDescriptor>
         <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://__CSPHOSTNAME__/idpui/callback?client_name=shibUIAuthClient&amp;idplogoutrequest=true"/>
         <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
         <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>

diff --git a/Workbench/idp_ui/Dockerfile b/Workbench/idp_ui/Dockerfile
@@ -1,4 +1,4 @@
-FROM i2incommon/shib-idp-ui:1.17.2
+FROM i2incommon/shib-idp-ui:1.17.3
 
 ARG CSPHOSTNAME=localhost
 ENV CSPHOSTNAME=$CSPHOSTNAME
@@ -8,7 +8,7 @@ COPY container_files/idp_ui/shibui-test.p12 /opt/shibui/
 COPY container_files/idp_ui/users.txt /opt/shibui/
 
 RUN mkdir -p /opt/shibui/saml/
-#COPY container_files/idp_ui/samlkeystore.jks /opt/shibui/saml/
+COPY container_files/idp_ui/samlkeystore.jks /opt/shibui/saml/
 COPY container_files/idp_ui/idp-metadata.xml /opt/shibui/saml/
 
 COPY container_files/system/setservername.sh /usr/local/bin/

diff --git a/Workbench/idp_ui/container_files/idp_ui/application.yml b/Workbench/idp_ui/container_files/idp_ui/application.yml
@@ -1,4 +1,6 @@
 server:
+  use-forward-headers: true
+  forward-headers-strategy: NATIVE
   context-path: /idpui
   servlet:
     context-path: /idpui
@@ -13,6 +15,7 @@ server:
   port: 8443
 shibui:
   default-password: "{noop}letmein7"
+  roles: ROLE_ADMIN,ROLE_NONE,ROLE_USER,ROLE_ENABLE,ROLE_PONY
   metadataProviders:
     target: "file:/generated-config/shibui-metadata-providers.xml"
   metadata-dir: "/generated-metadata"
@@ -25,14 +28,15 @@ shibui:
     serviceProviderEntityId: "https://sp.example.org/shibui"
     serviceProviderMetadataPath: "/opt/shibui/saml/sp-metadata.xml"
     identityProviderMetadataPath: "/opt/shibui/saml/idp-metadata.xml"
-    forceServiceProviderMetadataGeneration: false
+    forceServiceProviderMetadataGeneration: true
     callbackUrl: "https://__CSPHOSTNAME__/idpui/callback"
     maximumAuthenticationLifetime: 3600000
     simpleProfileMapping:
       username: urn:oid:0.9.2342.19200300.100.1.1
       firstname: urn:oid:2.5.4.42
       lastname: urn:oid:2.5.4.4
       email: urn:oid:0.9.2342.19200300.100.1.3
+      groups: urn:oid:1.3.6.1.4.1.5923.1.5.1.1     #memberOf
 spring:
   datasource:
     platform: postgres
@@ -46,4 +50,20 @@ spring:
       hibernate:
         dialect: org.hibernate.dialect.PostgreSQL95Dialect
         format_sql: true
+logging:
+  level:
+    org:
+      pac4j:
+        saml:
+          crypto: DEBUG
+      opensaml:
+        security:
+          credential: DEBUG
+        xmlsec:
+          encryption:
+            support: DEBUG
+      apache:
+        xml:
+          security:
+            encryption: DEBUG
 
diff --git a/Workbench/idp_ui_api/Dockerfile b/Workbench/idp_ui_api/Dockerfile
@@ -1,4 +1,4 @@
-FROM i2incommon/shib-idp-ui:1.17.2
+FROM i2incommon/shib-idp-ui:1.17.3
 
 ARG CSPHOSTNAME=localhost
 ENV CSPHOSTNAME=$CSPHOSTNAME

diff --git a/Workbench/webproxy/container_files/httpd/index.html b/Workbench/webproxy/container_files/httpd/index.html
@@ -13,7 +13,7 @@ <h3>Welcome to the InCommon TAP Workbench!</h3>
 <li><a href="https://__CSPHOSTNAME__/midpoint" target="TAP-WB-MIDPOINT">midPoint (4.6)</a></li>
 <ul><li><a href="https://__CSPHOSTNAME__/midPoint-doc.html" target="TAP-WB-MIDPOINT-CONFIG">Technical doc on midPoint's configuration</a></li></ul>
 <li><a href="https://__CSPHOSTNAME__/registry" target="TAP-WB-COMANAGE">COmanage Registry (4.1.0)</a></li>
-<li><a href="https://__CSPHOSTNAME__/idpui/" target="TAP-WB-IDPUI">Shibboleth IdP UI (1.17.2)</a></li>
+<li><a href="https://__CSPHOSTNAME__/idpui/" target="TAP-WB-IDPUI">Shibboleth IdP UI (1.17.3)</a></li>
 </ul>
 
 <br />