add IdP UI

Workbench/docker-compose.yml

@@ -268,7 +268,41 @@ services:
      - net
     ports:
      - 13443:443
+    volumes:
+     - generated-metadata:/opt/shibboleth-idp/metadata/generated
+     - generated-config:/opt/shibboleth-idp/conf/generated
+
+  idp_ui:
+    build: 
+      context: ./idp_ui/
+      args:
+        - CSPHOSTNAME
+    depends_on:
+     - idp
+    networks:
+     - net
+    ports:
+     - 8080:8080
+    volumes:
+     - generated-metadata:/generated-metadata
+     - generated-config:/generated-config
 
+  idp_ui_data:
+    image: tier/mariadb:latest
+    ports:
+     - 33366:3306
+    environment:
+      MYSQL_USER: shibui
+      MYSQL_PASSWORD: secret
+      MYSQL_DATABASE: shibui
+      MYSQL_RANDOM_ROOT_PASSWORD: "yes"
+    networks:
+      net:
+        aliases:
+         - idpui-data
+    volumes:
+    - mariadb-data:/var/lib/mysql
+
   mq:
     build: ./mq/
     environment:
@@ -427,5 +461,8 @@ volumes:
   mq:
   wordpress_data:
   wordpress_server:
+  generated-config:
+  generated-metadata:
+  mariadb-data:
 
 

Workbench/idp/Dockerfile

@@ -7,6 +7,8 @@ ENV CSPHOSTNAME=$CSPHOSTNAME
 
 COPY shibboleth-idp/ /opt/shibboleth-idp/
 
+RUN mkdir -p /opt/shibboleth-idp/metadata/generated && mkdir -p /opt/shibboleth-idp/conf/generated
+
 COPY container_files/system/setservername.sh /usr/local/bin/
 RUN chmod 755 /usr/local/bin/setservername.sh
 

Workbench/idp/container_files/system/setservername.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-files="/opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/grouper-sp.xml /opt/shibboleth-idp/metadata/proxy-sp.xml /opt/shibboleth-idp/metadata/comanage-sp.xml /opt/shibboleth-idp/metadata/midpoint-sp.xml /opt/shibboleth-idp/metadata/wordpress-sp.xml"
+files="/opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/idpui-sp.xml /opt/shibboleth-idp/metadata/grouper-sp.xml /opt/shibboleth-idp/metadata/proxy-sp.xml /opt/shibboleth-idp/metadata/comanage-sp.xml /opt/shibboleth-idp/metadata/midpoint-sp.xml /opt/shibboleth-idp/metadata/wordpress-sp.xml"
 
 for file in $files
   do

Workbench/idp/shibboleth-idp/conf/attribute-filter.xml

@@ -30,4 +30,11 @@
         <AttributeRule attributeID="uid" permitAny="true" />
         <AttributeRule attributeID="mail" permitAny="true" />
     </AttributeFilterPolicy>
+
+	<AttributeFilterPolicy id="shibui">
+        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibui" />
+        <AttributeRule attributeID="uid" permitAny="true" />
+		<AttributeRule attributeID="mail" permitAny="true" />
+    </AttributeFilterPolicy>
+
 </AttributeFilterPolicyGroup>

Workbench/idp/shibboleth-idp/conf/metadata-providers.xml

@@ -30,6 +30,7 @@
     <MetadataProvider id="ComanageSP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/comanage-sp.xml"/>
     <MetadataProvider id="WordpressSP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/wordpress-sp.xml"/>
     <MetadataProvider id="ProxySP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/proxy-sp.xml"/>
+	<MetadataProvider id="ShibUISP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/idpui-sp.xml"/>
 
     <!-- Example HTTP metadata provider.  Use this if you want to download
          the metadata from a remote service.

Workbench/idp/shibboleth-idp/metadata/idpui-sp.xml

@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_zij31efrehgvhxgib5fugrypnm9i5ru0olesbuo" entityID="https://sp.example.org/shibui" validUntil="2040-12-15T20:55:14.900Z">
+    <md:Extensions>
+        <alg:DigestMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"/>
+        <alg:DigestMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"/>
+        <alg:DigestMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"/>
+        <alg:DigestMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"/>
+        <alg:DigestMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"/>
+        <alg:DigestMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"/>
+        <alg:DigestMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"/>
+        <alg:DigestMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"/>
+        <alg:DigestMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"/>
+        <alg:DigestMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"/>
+    </md:Extensions>
+    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
+        <md:Extensions>
+            <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://__CSPHOSTNAME__/idpui/callback?client_name=Saml2Client"/>
+        </md:Extensions>
+        <md:KeyDescriptor use="signing">
+		  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+            <ds:X509Data>
+              <ds:X509Certificate>
+MIICpzCCAY+gAwIBAgIBATANBgkqhkiG9w0BAQUFADAXMRUwEwYDVQQDDAxmYzRh
+ZGZjYWU2YzEwHhcNMjAxMjE1MjE0MTEzWhcNMjExMjE1MjE0MTE0WjAXMRUwEwYD
+VQQDDAxmYzRhZGZjYWU2YzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCA6b7o1/Nk7n1QGEnlmvG9xEY7F9adyx5KBvoLLDQDN6PIKxH5nFoJJEmh3xWG
+BDWJV6+QG3qaCOLDgNzVPw8M9Ns+P9pVn+/y4Lpddel2QgoTNkUM7w1/1sm4LbbL
+rcnMqYjhGwdm5ay+PvmhUOncmQN3m7x58JRRQcaDmFY3wKs61F5+dDa1AJydjrNW
+2V1tJVOFEOozmxJDh0rllIzzlmacBNBK9i5pfhOt3dMoh4PdBsUqiqWFGPEYX+Vx
+BmtcpHblNXfQSORVIuqx4qbti//QcFMT+DNe08TTCs9/UFwRZI/MDM1sdRge4Im3
+a9u509zFJJBNh9UWwR3Bzlg5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFd1tj7E
+joWPXpknmMzVGiJ3+3khvXnuIMOTHMcllxrjwcbAEfZ115tVlZHw3zza1qN3kq1L
+Gcg9NYCikn+ogPr542X06AgUs3KYBzHOTyubcgCGcvltNaOR+Du1LMQgr6VS5RII
+m8O7eQjL/Rpbm5GOkRROT8Sr+c8jcVFJoqw84pZyKdOaFTns2GfwLbHltLucLaON
+066UxGVYjBKhqeEzuEm+vn7Igrls6djGNKgH5DdmVpTzCqVyAUDEcGgRN6NOhcss
+4GamIudEFQczGqVgywv0nYIHZtSvYerO82ctt+osaOnmGU+Do4tdbBhIFHbguhzT
+490d7NC/yWS99RU=
+			</ds:X509Certificate>
+          </ds:X509Data>
+        </ds:KeyInfo>
+		</md:KeyDescriptor>
+        <md:KeyDescriptor use="encryption">
+		  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+            <ds:X509Data>
+              <ds:X509Certificate>
+MIICpzCCAY+gAwIBAgIBATANBgkqhkiG9w0BAQUFADAXMRUwEwYDVQQDDAxmYzRh
+ZGZjYWU2YzEwHhcNMjAxMjE1MjE0MTEzWhcNMjExMjE1MjE0MTE0WjAXMRUwEwYD
+VQQDDAxmYzRhZGZjYWU2YzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCA6b7o1/Nk7n1QGEnlmvG9xEY7F9adyx5KBvoLLDQDN6PIKxH5nFoJJEmh3xWG
+BDWJV6+QG3qaCOLDgNzVPw8M9Ns+P9pVn+/y4Lpddel2QgoTNkUM7w1/1sm4LbbL
+rcnMqYjhGwdm5ay+PvmhUOncmQN3m7x58JRRQcaDmFY3wKs61F5+dDa1AJydjrNW
+2V1tJVOFEOozmxJDh0rllIzzlmacBNBK9i5pfhOt3dMoh4PdBsUqiqWFGPEYX+Vx
+BmtcpHblNXfQSORVIuqx4qbti//QcFMT+DNe08TTCs9/UFwRZI/MDM1sdRge4Im3
+a9u509zFJJBNh9UWwR3Bzlg5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFd1tj7E
+joWPXpknmMzVGiJ3+3khvXnuIMOTHMcllxrjwcbAEfZ115tVlZHw3zza1qN3kq1L
+Gcg9NYCikn+ogPr542X06AgUs3KYBzHOTyubcgCGcvltNaOR+Du1LMQgr6VS5RII
+m8O7eQjL/Rpbm5GOkRROT8Sr+c8jcVFJoqw84pZyKdOaFTns2GfwLbHltLucLaON
+066UxGVYjBKhqeEzuEm+vn7Igrls6djGNKgH5DdmVpTzCqVyAUDEcGgRN6NOhcss
+4GamIudEFQczGqVgywv0nYIHZtSvYerO82ctt+osaOnmGU+Do4tdbBhIFHbguhzT
+490d7NC/yWS99RU=
+			</ds:X509Certificate>
+          </ds:X509Data>
+        </ds:KeyInfo>
+		</md:KeyDescriptor>
+        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://__CSPHOSTNAME__/idpui/callback?client_name=Saml2Client&amp;idplogoutrequest=true"/>
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
+        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://__CSPHOSTNAME__/idpui/callback?client_name=Saml2Client" index="0"/>
+    </md:SPSSODescriptor>
+</md:EntityDescriptor>

Workbench/idp_ui/Dockerfile

@@ -0,0 +1,19 @@
+FROM tier/shib-idp-ui:1.7.0
+
+ARG CSPHOSTNAME=localhost
+ENV CSPHOSTNAME=$CSPHOSTNAME
+
+COPY container_files/idp_ui/application.yml /opt/shibui/
+COPY container_files/idp_ui/shibui-test.p12 /opt/shibui/
+COPY container_files/idp_ui/users.txt /opt/shibui/
+
+RUN mkdir -p /opt/shibui/saml/
+COPY container_files/idp_ui/samlkeystore.jks /opt/shibui/saml/
+COPY container_files/idp_ui/idp-metadata.xml /opt/shibui/saml/
+
+COPY container_files/system/setservername.sh /usr/local/bin/
+RUN chmod 755 /usr/local/bin/setservername.sh
+RUN /usr/local/bin/setservername.sh
+
+
+EXPOSE 8443

Workbench/idp_ui/container_files/idp_ui/application.yml

@@ -0,0 +1,48 @@
+server:
+  context-path: /idpui
+  servlet:
+    context-path: /idpui
+  tomcat:
+    redirect-context-root: false
+  ssl:
+    enabled: true
+    key-store: /opt/shibui/shibui-test.p12
+    key-store-password: testing
+    key-store-type: pkcs12
+    key-password: testing
+  port: 8443
+shibui:
+  default-password: "{noop}letmein7"
+  metadataProviders:
+    target: "file:/generated-conf/shibui-metadata-providers.xml"
+  metadata-dir: "/generated-metadata"
+  beacon-enabled: true
+  pac4j-enabled: false
+  pac4j:
+    keystorePath: "/opt/shibui/saml/samlkeystore.jks"
+    keystorePassword: "changeit"
+    privateKeyPassword: "changeit"
+    serviceProviderEntityId: "https://sp.example.org/shibui"
+    serviceProviderMetadataPath: "/opt/shibui/saml/sp-metadata.xml"
+    identityProviderMetadataPath: "/opt/shibui/saml/idp-metadata.xml"
+    forceServiceProviderMetadataGeneration: false
+    callbackUrl: "https://__CSPHOSTNAME__/idpui/callback"
+    maximumAuthenticationLifetime: 3600000
+    saml2ProfileMapping:
+      username: urn:oid:0.9.2342.19200300.100.1.1
+      firstname: urn:oid:2.5.4.42
+      lastname: urn:oid:2.5.4.4
+      email: urn:oid:0.9.2342.19200300.100.1.3
+spring:
+  datasource:
+    username: shibui
+    password: secret
+    url: jdbc:mariadb://idpui-data:3306/shibui
+    driverClassName: org.mariadb.jdbc.Driver
+    platform: mariadb
+  jpa:
+    database-platform: org.hibernate.dialect.MariaDBDialect
+    hibernate:
+      ddl-auto: update
+
+