midpoint/shib + new grouper

Workbench/docker-compose.yml

@@ -209,6 +209,7 @@ services:
      - midpoint_data
     ports:
      - 10443:443
+    command: /usr/local/bin/startup.sh
     environment:
      - ENV
      - USERTOKEN

Workbench/grouper_daemon/Dockerfile

@@ -1,4 +1,4 @@
-FROM tier/grouper:2.4.0-a47-u25-w5-p6-20190611
+FROM tier/grouper:2.5.37.1
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
 

Workbench/grouper_ui/Dockerfile

@@ -1,4 +1,4 @@
-FROM tier/grouper:2.4.0-a96-u57-w11-p12-20200324-rc1
+FROM i2incommon/grouper:2.5.37.1
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
 

Workbench/grouper_ws/Dockerfile

@@ -1,4 +1,4 @@
-FROM tier/grouper:2.4.0-a47-u25-w5-p6-20190611
+FROM i2incommon/grouper:2.5.37.1
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
 

Workbench/idp/container_files/system/setservername.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-files="/opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/grouper-sp.xml /opt/shibboleth-idp/metadata/proxy-sp.xml /opt/shibboleth-idp/metadata/comanage-sp.xml"
+files="/opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/grouper-sp.xml /opt/shibboleth-idp/metadata/proxy-sp.xml /opt/shibboleth-idp/metadata/comanage-sp.xml /opt/shibboleth-idp/metadata/midpoint-sp.xml"
 
 for file in $files
   do

Workbench/idp/shibboleth-idp/conf/attribute-filter.xml

@@ -7,41 +7,27 @@
     <!-- Release some attributes to an SP. -->
     <AttributeFilterPolicy id="grouper">
         <PolicyRequirementRule xsi:type="Requester" value="https://grouperdemo/shibboleth" />
-
         <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
-
         <AttributeRule attributeID="uid" permitAny="true" />
-
         <AttributeRule attributeID="mail" permitAny="true" />
-
     </AttributeFilterPolicy>
 
     <AttributeFilterPolicy id="comanage">
         <PolicyRequirementRule xsi:type="Requester" value="https://comanagedemo/shibboleth" />
-
         <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
-
         <AttributeRule attributeID="uid" permitAny="true" />
-
         <AttributeRule attributeID="mail" permitAny="true" />
-
     </AttributeFilterPolicy>
 
     <AttributeFilterPolicy id="midpoint">
-        <PolicyRequirementRule xsi:type="Requester" value="midpointdemo-shibboleth" />
-
+        <PolicyRequirementRule xsi:type="Requester" value="https://midpointdemo/shibboleth" />
         <AttributeRule attributeID="uid" permitAny="true" />
-
     </AttributeFilterPolicy>
 
     <AttributeFilterPolicy id="proxy">
         <PolicyRequirementRule xsi:type="Requester" value="https://proxysp.example.org/shibboleth" />
-
         <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
-
         <AttributeRule attributeID="uid" permitAny="true" />
-
         <AttributeRule attributeID="mail" permitAny="true" />
-
     </AttributeFilterPolicy>
 </AttributeFilterPolicyGroup>

Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml

@@ -11,36 +11,24 @@
     <!-- Schema: Core schema attributes-->
     <AttributeDefinition xsi:type="Simple" id="uid">
         <InputDataConnector ref="myLDAP" attributeNames="uid"/>
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
     </AttributeDefinition>
-
+	
     <AttributeDefinition xsi:type="Simple" id="mail">
         <InputDataConnector ref="myLDAP" attributeNames="mail"/>
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
     </AttributeDefinition>
     <AttributeDefinition xsi:type="Simple" id="surname">
         <InputDataConnector ref="myLDAP" attributeNames="sn"/>
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
     </AttributeDefinition>
     <AttributeDefinition xsi:type="Simple" id="givenName">
         <InputDataConnector ref="myLDAP" attributeNames="givenName"/>
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
     </AttributeDefinition>
 
     <!-- Schema: eduPerson attributes -->
     <AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation">
         <InputDataConnector ref="myLDAP" attributeNames="cn"/>
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" />
     </AttributeDefinition>
     <AttributeDefinition xsi:type="Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}">
         <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName"/>
-        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
     </AttributeDefinition>
 
     <!-- ========================================== -->

Workbench/idp/shibboleth-idp/conf/idp.properties

@@ -193,3 +193,6 @@ idp.cas.StorageService=shibboleth.StorageService
 #idp.fticks.federation=MyFederation
 #idp.fticks.algorithm=SHA-256
 #idp.fticks.salt=somethingsecret
+
+#custom/added
+idp.loglevel.messages=DEBUG

Workbench/idp/shibboleth-idp/conf/logback.xml

@@ -0,0 +1,175 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+
+    <!--
+    Variables for simplifying logging configuration.
+    http://logback.qos.ch/manual/configuration.html#variableSubstitution
+    -->
+
+    <!--
+    If you want to use custom properties in this config file,
+    we load the main property file for you.
+    -->
+    <variable file="${idp.home}/conf/idp.properties" />
+
+    <!-- Location and retention. -->
+
+    <variable name="idp.logfiles" value="${idp.home}/logs" />
+    <variable name="idp.loghistory" value="${idp.loghistory:-180}" />
+
+    <!-- Much higher performance if you operate on DEBUG. -->
+    <!-- <variable name="idp.process.appender" value="ASYNC_PROCESS" /> -->
+
+    <!-- Logging level shortcuts. -->
+    <variable name="idp.loglevel.idp" value="${idp.loglevel.idp:-INFO}" />
+    <variable name="idp.loglevel.ldap" value="${idp.loglevel.ldap:-WARN}" />
+    <variable name="idp.loglevel.messages" value="${idp.loglevel.messages:-INFO}" />
+    <variable name="idp.loglevel.encryption" value="${idp.loglevel.encryption:-INFO}" />
+    <variable name="idp.loglevel.opensaml" value="${idp.loglevel.opensaml:-INFO}" />
+    <variable name="idp.loglevel.props" value="${idp.loglevel.props:-INFO}" />
+    <variable name="idp.loglevel.httpclient" value="${idp.loglevel.httpclient:-INFO}" />
+
+    <!-- Don't turn these up unless you want a *lot* of noise. -->
+    <variable name="idp.loglevel.spring" value="${idp.loglevel.spring:-ERROR}" />
+    <variable name="idp.loglevel.container" value="${idp.loglevel.container:-ERROR}" />
+    <variable name="idp.loglevel.xmlsec" value="${idp.loglevel.xmlsec:-INFO}" />
+
+    <!-- =========================================================== -->
+    <!-- ============== Logging Categories and Levels ============== -->
+    <!-- =========================================================== -->
+
+    <!-- Logs IdP, but not OpenSAML, messages -->
+    <logger name="net.shibboleth.idp" level="${idp.loglevel.idp}"/>
+
+    <!-- Logs OpenSAML, but not IdP, messages -->
+    <logger name="org.opensaml.saml" level="${idp.loglevel.opensaml}"/>
+
+    <!-- Logs LDAP related messages -->
+    <logger name="org.ldaptive" level="${idp.loglevel.ldap}"/>
+
+    <!-- Logs embedded HTTP client messages -->
+    <logger name="org.apache.http" level="${idp.loglevel.httpclient}"/>
+
+    <!-- Logs inbound and outbound protocols messages at DEBUG level -->
+    <logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages}" />
+
+    <!-- Logs unencrypted SAML at DEBUG level -->
+    <logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption}" />
+
+    <!-- Logs system properties during startup at DEBUG level -->
+    <logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props}" />
+
+    <!-- Especially chatty. -->
+    <logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec}" />
+    <logger name="org.springframework" level="${idp.loglevel.spring}"/>
+    <logger name="org.apache.catalina" level="${idp.loglevel.container}"/>
+    <logger name="org.eclipse.jetty" level="${idp.loglevel.container}"/>
+
+
+    <!-- =========================================================== -->
+    <!-- ============== Low Level Details or Changes =============== -->
+    <!-- =========================================================== -->
+
+    <!-- Process log. -->
+    <appender name="IDP_PROCESS" class="ch.qos.logback.core.FileAppender">
+        <File>/tmp/logidp-process</File>
+
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
+        </encoder>
+
+        <!-- Ignore Velocity status page error. -->
+        <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
+            <evaluator>
+                <matcher>
+                    <Name>VelocityStatusMatcher</Name>
+                    <regex>ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\.</regex>
+                </matcher>
+                <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
+            </evaluator>
+            <OnMatch>DENY</OnMatch>
+        </filter>
+    </appender>
+
+    <appender name="ASYNC_PROCESS" class="ch.qos.logback.classic.AsyncAppender">
+        <appender-ref ref="IDP_PROCESS" />
+        <discardingThreshold>0</discardingThreshold>
+    </appender>
+
+    <appender name="IDP_WARN" class="ch.qos.logback.core.FileAppender">
+        <!-- Suppress anything below WARN. -->
+        <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+            <level>WARN</level>
+        </filter>
+
+        <File>/tmp/logidp-warn</File>
+
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{full}</Pattern>
+        </encoder>
+
+        <!-- Ignore Velocity status page error. -->
+        <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
+            <evaluator>
+                <matcher>
+                    <Name>VelocityStatusMatcher</Name>
+                    <regex>ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\.</regex>
+                </matcher>
+                <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
+            </evaluator>
+            <OnMatch>DENY</OnMatch>
+        </filter>
+    </appender>
+
+    <!-- Audit log. -->
+    <appender name="IDP_AUDIT" class="ch.qos.logback.core.FileAppender">
+        <File>/tmp/logidp-audit</File>
+
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%msg%n</Pattern>
+        </encoder>
+    </appender>
+
+    <!-- Consent audit log. -->
+    <appender name="IDP_CONSENT_AUDIT" class="ch.qos.logback.core.FileAppender">
+        <File>/tmp/logidp-consent-audit</File>
+
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%msg%n</Pattern>
+        </encoder>
+    </appender>
+
+    <!-- F-TICKS syslog destination. -->
+    <appender name="IDP_FTICKS" class="ch.qos.logback.classic.net.SyslogAppender">
+        <syslogHost>${idp.fticks.loghost:-localhost}</syslogHost>
+        <port>${idp.fticks.logport:-514}</port>
+        <facility>AUTH</facility>
+        <suffixPattern>[%thread] %logger %msg</suffixPattern>
+    </appender>
+
+    <logger name="Shibboleth-Audit" level="ALL">
+        <appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/>
+    </logger>
+
+    <logger name="Shibboleth-FTICKS" level="ALL" additivity="false">
+        <appender-ref ref="${idp.fticks.appender:-IDP_FTICKS}"/>
+    </logger>
+
+    <logger name="Shibboleth-Consent-Audit" level="ALL">
+        <appender-ref ref="${idp.consent.appender:-IDP_CONSENT_AUDIT}"/>
+    </logger>
+
+    <root level="${idp.loglevel.root:-INFO}">
+        <appender-ref ref="${idp.process.appender:-IDP_PROCESS}"/>
+        <appender-ref ref="${idp.warn.appender:-IDP_WARN}" />
+    </root>
+
+</configuration>