Add files via upload

Sources/SIS/shib-idp/bin/init-idp.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+export JAVA_HOME=/opt/jre-home
+export PATH=$PATH:$JAVA_HOME/bin
+
+cd /opt/shibboleth-idp/bin
+
+# Remove existing config to build starts with an empty config
+rm -r ../conf/
+
+echo "Please complete the following for your IdP environment:"
+./build.sh -Didp.target.dir=/opt/shibboleth-idp init gethostname askscope metadata-gen
+
+mkdir -p /ext-mount/customized-shibboleth-idp/conf/
+
+# Copy the essential and routinely customized config to out Docker mount.
+cd ..
+cp -r credentials/ /ext-mount/customized-shibboleth-idp/
+cp -r metadata/ /ext-mount/customized-shibboleth-idp/
+cp conf/{attribute-resolver.xml,attribute-filter.xml,cas-protocol.xml,idp.properties,ldap.properties,metadata-providers.xml,relying-party.xml,saml-nameid.xml} /ext-mount/customized-shibboleth-idp/conf/
+
+# Copy the basic UI components, which are routinely customized
+cp -r views/ /ext-mount/customized-shibboleth-idp/
+mkdir /ext-mount/customized-shibboleth-idp/webapp/
+cp -r webapp/css/ /ext-mount/customized-shibboleth-idp/webapp/
+cp -r webapp/images/ /ext-mount/customized-shibboleth-idp/webapp/
+cp -r webapp/js/ /ext-mount/customized-shibboleth-idp/webapp/
+rm -r /ext-mount/customized-shibboleth-idp/views/user-prefs.js
+
+echo "A basic Shibboleth IdP config and UI has been copied to ./customized-shibboleth-idp/ (assuming the default volume mapping was used)."
+echo "Most files, if not being customized can be removed from what was exported/the local Docker image and baseline files will be used."

Sources/SIS/shib-idp/bin/run-jetty.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+#set -x
+
+export JAVA_HOME=/opt/jre-home
+export PATH=$PATH:$JAVA_HOME/bin
+
+if [ -e "/opt/shibboleth-idp/ext-conf/idp-secrets.properties" ]; then
+  export JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=`gawk 'match($0,/^jetty.backchannel.sslContext.keyStorePassword=\s?(.*)\s?$/, a) {print a[1]}' /opt/shibboleth-idp/ext-conf/idp-secrets.properties`
+  export JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=`gawk 'match($0,/^jetty\.sslContext\.keyStorePassword=\s?(.*)\s?$/, a) {print a[1]}' /opt/shibboleth-idp/ext-conf/idp-secrets.properties`
+fi
+
+export JETTY_ARGS="jetty.sslContext.keyStorePassword=$JETTY_BROWSER_SSL_KEYSTORE_PASSWORD jetty.backchannel.sslContext.keyStorePassword=$JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD"
+sed -i "s/^-Xmx.*$/-Xmx$JETTY_MAX_HEAP/g" /opt/shib-jetty-base/start.ini
+
+exec /etc/init.d/jetty run

Sources/SIS/shib-idp/customized-shibboleth-idp/conf/attribute-filter.xml

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+    This file is an EXAMPLE policy file.  While the policy presented in this 
+    example file is illustrative of some simple cases, it relies on the names of
+    non-existent example services and the example attributes demonstrated in the
+    default attribute-resolver.xml file.
+    
+    Deployers should refer to the documentation for a complete list of components
+    and their options.
+-->
+
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
+        xmlns="urn:mace:shibboleth:2.0:afp"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+
+    <!-- Release everything to everything for this demo. -->
+    <AttributeFilterPolicy id="DEFAULT">
+        <PolicyRequirementRule xsi:type="ANY" />
+
+        <AttributeRule attributeID="eduPersonPrincipalName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <!-- you wouldn't want to do this in a federation. You should use EPPN -->
+        <AttributeRule attributeID="uid">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <!-- mail attribute I'm "generating" based on uid. -->
+        <!-- eventually get this from ldap -->
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <!-- eduPerson stuff -->
+        <AttributeRule attributeID="eduPersonEntitlement"> 
+            <PermitValueRule xsi:type="ANY"/> 
+        </AttributeRule>
+
+        <AttributeRule attributeID="eduPersonAffiliation"> 
+            <PermitValueRule xsi:type="ANY"/> 
+        </AttributeRule>
+
+        <!-- name stuff -->
+        <AttributeRule attributeID="commonName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
+        <AttributeRule attributeID="surname"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
+        <AttributeRule attributeID="givenName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
+
+        <!--  Release isMemberOf to anyone -->
+        <AttributeRule attributeID="isMemberOf"> <PermitValueRule xsi:type="ANY"/> </AttributeRule>
+
+    </AttributeFilterPolicy>
+
+</AttributeFilterPolicyGroup>

Sources/SIS/shib-idp/customized-shibboleth-idp/conf/attribute-resolver.xml

@@ -0,0 +1,187 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+    This file is an EXAMPLE configuration file. While the configuration
+    presented in this example file is semi-functional, it isn't very
+    interesting. It is here only as a starting point for your deployment
+    process.
+    
+    Very few attribute definitions and data connectors are demonstrated,
+    and the data is derived statically from the logged-in username and a
+    static example connector.
+
+    Attribute-resolver-full.xml contains more examples of attributes,
+    encoders, and data connectors. Deployers should refer to the Shibboleth
+    documentation for a complete list of components and their options.
+-->
+<AttributeResolver
+        xmlns="urn:mace:shibboleth:2.0:resolver" 
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
+
+
+    <!-- ========================================== -->
+    <!--      Attribute Definitions                 -->
+    <!-- ========================================== -->
+
+    <!--
+    The EPPN is the "standard" federated username in higher ed.
+    For guidelines on the implementation of this attribute, refer
+    to the Shibboleth and eduPerson documentation. Above all, do
+    not expose a value for this attribute without considering the
+    long term implications. 
+    -->
+    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
+        <Dependency ref="uid" />
+        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+    </AttributeDefinition>
+
+    <!--
+    The uid is the closest thing to a "standard" LDAP attribute
+    representing a local username, but you should generally *never*
+    expose uid to federated services, as it is rarely globally unique.
+    -->
+    <AttributeDefinition id="uid" xsi:type="PrincipalName">
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+    </AttributeDefinition>
+
+    <!--
+    In the rest of the world, the email address is the standard identifier,
+    despite the problems with that practice. Consider making the EPPN
+    value the same as your official email addresses whenever possible.
+    -->
+    <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="email">
+        <Dependency ref="registryDB" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+    </AttributeDefinition>
+
+<!-- attributes from ldap -->
+<AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="fullName">
+    <Dependency ref="registryDB" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" />
+</AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="givenName" sourceAttributeID="givenname">
+        <Dependency ref="registryDB"/>
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName"/>
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName"/>
+    </AttributeDefinition>
+
+   <AttributeDefinition xsi:type="Simple" id="surname" sourceAttributeID="surname">
+        <Dependency ref="registryDB"/>
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn"/>
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn"/>
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation" sourceAttributeID="affiliation">
+        <Dependency ref="staticAttributes"/>
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation"/>
+    </AttributeDefinition>
+
+
+   <AttributeDefinition xsi:type="Simple" id="eduPersonEntitlement" sourceAttributeID="entitlement">
+        <Dependency ref="staticAttributes"/>
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement"/>
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement"/>
+    </AttributeDefinition>
+
+
+   <AttributeDefinition xsi:type="Simple" id="isMemberOf" sourceAttributeID="GROUP_NAME">
+        <Dependency ref="grouperDB"/>
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:isMemberOf"/>
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf"/>
+    </AttributeDefinition>
+
+
+
+    <!-- ========================================== -->
+    <!--      Data Connectors                       -->
+    <!-- ========================================== -->
+
+    <DataConnector id="staticAttributes" xsi:type="Static">
+        <Attribute id="affiliation">
+            <Value>member</Value>
+        </Attribute>
+        <Attribute id="entitlement">
+            <Value>urn:mace:example.edu:demoservice:demo-user</Value>
+        </Attribute>
+    </DataConnector>
+
+<!-- LDAP Data connector -->
+<!-- most of these settings are set in ldap.properties file -->
+<!-- 
+
+NOTE: no longer used...attributes come from DB based registry in this version...
+
+<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
+    principal="%{idp.attribute.resolver.LDAP.bindDN}"
+    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
+    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
+    <FilterTemplate>
+        <![CDATA[
+            %{idp.attribute.resolver.LDAP.searchFilter}
+        ]]>
+    </FilterTemplate>
+    <ReturnAttributes>*</ReturnAttributes>
+</DataConnector> -->
+
+<!-- Restricting based on entityID or default release: -->
+<DataConnector id="grouperDB" xsi:type="RelationalDatabase" readOnlyConnection="false" queryTimeout="PT3S">
+  <Dependency ref="uid"/>
+  <BeanManagedConnection>MyDataSource</BeanManagedConnection>
+  <QueryTemplate><![CDATA[
+      #if (${uid.size()} > 0)
+           SELECT DISTINCT grouper_memberships_lw_v.group_name
+           FROM grouper.grouper_aval_asn_group_v
+           JOIN grouper.grouper_memberships_lw_v
+           USING (group_id)
+           WHERE subject_id='$uid.get(0)'
+               AND grouper_aval_asn_group_v.attribute_def_name_name='etc:attribute:ShibEntityId:ShibEntityId'
+               AND (value_string = '$requestContext.getPeerEntityId()' OR value_string='DEFAULT')
+               AND grouper_aval_asn_group_v.enabled='T'
+           ORDER BY group_name ASC;
+      #else
+          SELECT 1
+      #end
+  ]]></QueryTemplate>
+ </DataConnector>
+
+<!-- Every single membership to isMemberOf: -->
+<!--
+<DataConnector id="grouperDB" xsi:type="RelationalDatabase" readOnlyConnection="false" queryTimeout="PT3S">
+  <Dependency ref="uid"/>
+  <BeanManagedConnection>MyDataSource</BeanManagedConnection>
+  <QueryTemplate><![CDATA[
+      #if (${uid.size()} > 0)
+          SELECT DISTINCT GROUP_NAME 
+          FROM grouper.grouper_memberships_lw_v
+          WHERE SUBJECT_ID='$uid.get(0)'
+      #else
+          SELECT 1
+      #end
+  ]]></QueryTemplate>
+ </DataConnector>
+-->
+
+<DataConnector id="registryDB" xsi:type="RelationalDatabase" readOnlyConnection="false" queryTimeout="PT3S">
+  <Dependency ref="uid"/>
+  <BeanManagedConnection>MyDataSource</BeanManagedConnection>
+  <QueryTemplate><![CDATA[
+      #if (${uid.size()} > 0)
+          select givenname, surname, fullName, email from myapp_development.users where uid='$uid.get(0)'
+      #else
+          SELECT 1
+      #end
+  ]]></QueryTemplate>
+ </DataConnector>
+
+
+
+
+</AttributeResolver>

Sources/SIS/shib-idp/customized-shibboleth-idp/conf/cas-protocol.xml

@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+       | The CAS service registry defines verified relying parties by endpoint URI.
+       | The default implementation treats the ID of each entry as a regular expression defining a logical group of
+       | services whose URIs match the expression.
+       |
+       | This bean is reloaded periodically according to %{idp.home}/conf/services.properties.
+       -->
+    <bean id="reloadableServiceRegistry"
+          class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}">
+        <property name="definitions">
+            <list>
+                <!--
+                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
+                      c:regex="https://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
+                      p:group="proxying-services"
+                      p:authorizedToProxy="true"
+                      p:singleLogoutParticipant="true" />
+                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
+                      c:regex="http://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
+                      p:group="non-proxying-services"
+                      p:authorizedToProxy="false" /
+                -->
+            </list>
+        </property>
+    </bean>
+
+    <!--
+       | The default ticket service as of 3.3.0 serializes ticket data into the opaque section of the ticket ID
+       | for service tickets and proxy tickets. Proxy-granting tickets still require server-side storage, and
+       | a StorageService defined by the idp.cas.StorageService is used. Thus for deployers that do not require
+       | CAS proxy capabilities, no stateful storage mechanism is required; that means no memcached or database
+       | is required for HA deployments that want CAS (without proxy) support. A notable limitation of the new
+       | component is that the one-time use feature of service and proxy tickets is not available due to the lack
+       | of a ticket-tracking mechanism. Instead, tickets expire when their expiration period is exceeded.
+       | If this limitation is of concern, one may consider decreasing ticketValidityPeriod on the profile
+       | configuration from the default 15000ms.
+       -->
+    <alias name="encodingTicketService" alias="shibboleth.CASTicketService" />
+
+    <!--
+       | Uncomment the following element and comment out the above to enable the previous default ticket service
+       | that uses a StorageService for ticket persistence. Use this if the one-time use limitation of
+       | EncodingTicketService is problematic and can't be mitigated by decreasing ticketValidityPeriod.
+       -->
+    <!--<alias name="simpleTicketService" alias="shibboleth.CASTicketService" /> -->
+
+    <!--
+       | The predicate used to determine whether IdP session validation is performed during the process of granting
+       | a proxy ticket. When the predicate evaluates to true, an IdP session is resolved and validated prior to
+       | granting a proxy ticket. This feature prevents issuing proxy tickets when an IdP session is expired, but comes
+       | at the cost of requiring server-side storage of IdP session data. If this is configured to a predicate that
+       | evaluates to true under any condition, a server-side storage service must be enabled for IdP session
+       | storage. The most common non-default value is "alwaysTrue."
+       -->
+    <bean id="shibboleth.CASProxyValidateIdPSessionPredicate"
+          class="com.google.common.base.Predicates"
+          factory-method="alwaysFalse" />
+
+
+    <!-- ============== Advanced CAS Configuration ============== -->
+
+    <!-- Configure a third-party ticket service. -->
+    <!--
+    <bean id="shibboleth.CASTicketService"
+          class="org.example.idp.cas.CustomTicketService" />
+    -->
+
+    <!-- Configure a third-party proxy authenticator. -->
+    <!--
+    <bean id="shibboleth.CASProxyAuthenticator"
+          class="org.example.idp.cas.CustomProxyAuthenticator" />
+    -->
+</beans>