diff --git a/Dockerfile b/Dockerfile
index 03c121f..0b8a5c5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,8 +16,7 @@ RUN yum -y install \
 	libcurl \
 	&& yum clean -y all
 
-RUN rm /etc/shibboleth/sp-signing-key.pem /etc/shibboleth/sp-signing-cert.pem  /etc/shibboleth/sp-encrypt-key.pem /etc/shibboleth/sp-encrypt-cert.pem\
-    && cd /etc/httpd/conf.d/ \
+RUN cd /etc/httpd/conf.d/ \
     && rm -f autoindex.conf ssl.conf userdir.conf welcome.conf
 
 COPY container_files/supervisor/supervisord.conf /etc/supervisor/supervisord.conf
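Review bot: Dropping the `rm` of the package-generated SP key pairs means whatever `sp-signing-key.pem`/`sp-encrypt-key.pem` the shibboleth install created at image build time now stays in the image layer and is what the CredentialResolver entries in shibboleth2.xml will load, since docker-compose in this diff mounts no key material into /etc/shibboleth. Every rebuild produces a different key pair, so the certificates pinned in the IdP's midpoint-shib-sp.xml only match one particular build, and a private key baked into a layer is readable by anyone who can pull the image. Either keep the removal and generate keys at container start, or mount the demo key pairs from configs-and-secrets next to the other shibboleth files, recording the choice with a comment such as `# SP key pairs are supplied at runtime (bind mounts), not baked into the image`.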
@@ -35,6 +34,7 @@ RUN chmod 755 /opt/tier/setenv.sh \
     && chmod 755 /usr/local/bin/healthcheck.sh
 
 RUN cp /dev/null /etc/httpd/conf.d/ssl.conf \
+    && mkdir /etc/httpd/conf.d/vhosts \
     && rm /etc/httpd/conf.d/shib.conf \
     && sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
     && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
diff --git a/container_files/httpd/conf/ssl-enable.conf b/container_files/httpd/conf/ssl-enable.conf
index 35bf295..a756e78 100644
--- a/container_files/httpd/conf/ssl-enable.conf
+++ b/container_files/httpd/conf/ssl-enable.conf
@@ -25,4 +25,6 @@ Listen 443 https
 
   # HSTS (mod_headers is required) (15768000 seconds = 6 months)
   Header always set Strict-Transport-Security "max-age=15768000"
+
+  IncludeOptional conf.d/vhosts/*.conf
 </VirtualHost>
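Review bot: `IncludeOptional conf.d/vhosts/*.conf` resolves relative to ServerRoot and silently includes nothing if the vhosts mount is missing, which in this demo means the redirect that sends /midpoint/ through the Shibboleth-protected path never fires and nothing in the logs says why. A one-line comment above it stating the intent and the failure mode would help: `# Per-deployment overrides mounted at conf.d/vhosts/ (the shib redirect lives there); a missing mount is silently ignored`. The enclosing VirtualHost starts outside the hunk, so I cannot see whether `RewriteEngine On` is set for it, which the mounted RewriteRule needs.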
diff --git a/container_files/supervisor/supervisord.conf b/container_files/supervisor/supervisord.conf
index 8619f53..a1dc9bf 100644
--- a/container_files/supervisor/supervisord.conf
+++ b/container_files/supervisor/supervisord.conf
@@ -18,6 +18,13 @@ stdout_logfile_maxbytes=0
 redirect_stderr=true
 autorestart=false
 
+[program:shibboleth]
+command=/usr/sbin/shibd -f
+stdout_logfile=/dev/fd/2
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+autorestart=false
+
 [program:crond]
 command=/usr/sbin/crond -n -i -m off
 stdout_logfile=/tmp/logcrond
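Review bot: `autorestart=false` for shibd means a single crash of the daemon leaves mod_shib unable to reach its socket, and every request under `<Location />` then fails until the whole container is restarted; `autorestart=unexpected` would match how a long-running daemon is normally supervised. No `priority=` is set either, so the start order relative to the httpd program (its section is outside the hunk) is not pinned, and httpd may accept requests before shibd is listening. Worth a comment on the block recording whichever choice is deliberate, e.g. `; shibd must be up before httpd serves Shibboleth-protected paths`.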
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/httpd/00-shib.conf b/demo/shibboleth/configs-and-secrets/midpoint/httpd/00-shib.conf
new file mode 100644
index 0000000..0e5c7b2
--- /dev/null
+++ b/demo/shibboleth/configs-and-secrets/midpoint/httpd/00-shib.conf
@@ -0,0 +1 @@
+LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/httpd/midpoint-shib.conf b/demo/shibboleth/configs-and-secrets/midpoint/httpd/midpoint-shib.conf
new file mode 100644
index 0000000..a383349
--- /dev/null
+++ b/demo/shibboleth/configs-and-secrets/midpoint/httpd/midpoint-shib.conf
@@ -0,0 +1,14 @@
+<Location /midpoint/auth/shib>
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  ShibRequireSession on
+  ShibUseHeaders On
+  require shibboleth
+</Location>
+
+<Location />
+  AuthType shibboleth
+  ShibRequestSetting requireSession false
+  ShibUseHeaders On
+  require shibboleth
+</Location>
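Review bot: `ShibUseHeaders On` on both Location blocks exposes the SP attributes as request headers, which the Shibboleth SP documentation discourages in favour of environment variables because the downstream application's trust then depends on the header being un-spoofable; here midpoint's httpHeader module (SecurityPolicy.xml hunk in this diff) authenticates purely on a `REMOTE_USER` value, so the proxied midpoint port must be reachable only through this httpd and the value must come from the verified session, never passed through from the client. The two blocks also spell the same setting differently (`requireSession 1` vs `requireSession false`), and `ShibRequireSession on` is the legacy form of `ShibRequestSetting requireSession 1`, so one of those two lines in the first block is redundant. A header comment stating the intent would help: `# Whole site is lazy-session; only the midpoint login entry point forces an active session`.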
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/httpd/vhosts.conf b/demo/shibboleth/configs-and-secrets/midpoint/httpd/vhosts.conf
new file mode 100644
index 0000000..a434bd8
--- /dev/null
+++ b/demo/shibboleth/configs-and-secrets/midpoint/httpd/vhosts.conf
@@ -0,0 +1 @@
+RewriteRule   "^/midpoint/$"  "/midpoint/auth/shib"  [R]
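Review bot: The RewriteRule only takes effect if `RewriteEngine On` is active in the VirtualHost that includes this file, and that directive is not in this file; if ssl-enable.conf does not set it, the redirect silently does nothing and /midpoint/ is served without passing through the Shibboleth-protected path. Adding `RewriteEngine On` above the rule makes the file self-contained. `[R]` is also a 302, which is fine for a demo but worth a comment so nobody later changes it to a cached permanent redirect by accident.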
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/attribute-map.xml b/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/attribute-map.xml
new file mode 100644
index 0000000..f0a5f19
--- /dev/null
+++ b/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/attribute-map.xml
@@ -0,0 +1,168 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
+    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
+    few exceptions for newer attributes where the name is the same for both versions. You will
+    usually want to uncomment or map the names for both SAML versions as a unit.
+    -->
+
+    <!-- New standard identifier attributes for SAML. -->
+
+    <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <!-- The most typical eduPerson attributes. -->
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+
+    <!--
+    Legacy pairwise identifier attribute / NameID format, intended to be replaced by the
+    simpler pairwise-id attribute (see top of file).
+    -->
+
+    <!-- The eduPerson attribute version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- The SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Other eduPerson attributes (SAML 2 names followed by SAML 1 names)... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>    
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+    -->
+
+    <!-- Older LDAP-defined attributes (SAML 2.0 names followed by SAML 1 names)... -->
+    <!--
+    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    -->
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+    <!--
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.12" id="title"/>
+    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+    <Attribute name="urn:oid:2.5.4.13" id="description"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.9" id="street"/>
+    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+    <Attribute name="urn:oid:2.5.4.8" id="st"/>
+    <Attribute name="urn:oid:2.5.4.7" id="l"/>
+    <Attribute name="urn:oid:2.5.4.10" id="o"/>
+    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
+    -->
+
+    <!-- SCHAC attributes... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" id="schacHomeOrganizationType">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" id="schacPersonalUniqueCode">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.15" id="schacPersonalUniqueID"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.19" id="schacUserStatus">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.20" id="schacProjectMembership">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.21" id="schacProjectSpecificRole">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    -->
+
+</Attributes>
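Review bot: Only `uid` (urn:oid:0.9.2342.19200300.100.1.1) is live in this map while its SAML 1 twin `urn:mace:dir:attribute-def:uid` stays inside the commented block, which is fine for the SAML2-only SSO configured in shibboleth2.xml but is easy to misread as an oversight. A comment above that line tying it to the rest of the demo would prevent that: `<!-- uid is the only released attribute (IdP attribute-filter policy midpoint-shib) and is mapped to REMOTE_USER in shibboleth2.xml -->`. Since uid is decoded unscoped, it is only safe as REMOTE_USER while a single IdP is trusted.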
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml b/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml
new file mode 100644
index 0000000..9ed72c2
--- /dev/null
+++ b/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml
@@ -0,0 +1,112 @@
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    clockSkew="180">
+
+    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />
+
+    <!--
+    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+    -->
+
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+    <ApplicationDefaults entityID="https://idptestbed/sp/shibboleth"
+        REMOTE_USER="uid"
+        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
+
+        <!--
+        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+        Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
+        and should be a relative path, with the SP computing the full value based on the virtual
+        host. Using handlerSSL="true" will force the protocol to be https. You should also set
+        cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to
+        "false", this makes an assertion stolen in transit easier for attackers to misuse.
+        -->
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="false" cookieProps="http"
+                  redirectLimit="exact">
+
+            <!--
+            Configures SSO for a default IdP. To properly allow for >1 IdP, remove
+            entityID property and adjust discoveryURL to point to discovery service.
+            You can also override entityID on /Login query string, or in RequestMap/htaccess.
+            -->
+            <SSO entityID="https://idptestbed/idp/shibboleth">
+              SAML2
+            </SSO>
+
+            <!-- SAML and local-only logout. -->
+            <Logout>SAML2 Local</Logout>
+
+            <!-- Administrative logout. -->
+            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
+
+            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <!-- Status reporting service. -->
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+            <!-- Session diagnostic service. -->
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+            <!-- JSON feed of discovery information. -->
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+
+        <!--
+        Allows overriding of error template information/filenames. You can
+        also add your own attributes with values that can be plugged into the
+        templates, e.g., helpLocation below.
+        -->
+        <Errors supportContact="root@localhost"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+
+        <!-- Example of locally maintained metadata. -->
+        <MetadataProvider type="XML" validate="true" path="/etc/shibboleth/idp-metadata.xml"/>
+
+        <!-- Example of remotely supplied batch of signed metadata. -->
+        <!--
+        <MetadataProvider type="XML" validate="true"
+                    url="http://federation.org/federation-metadata.xml"
+              backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
+            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
+              attributeName="http://macedir.org/entity-category"
+              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+              attributeValue="http://refeds.org/category/hide-from-discovery" />
+        </MetadataProvider>
+        -->
+
+        <!-- Example of remotely supplied "on-demand" signed metadata. -->
+        <!--
+        <MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
+                    baseUrl="http://mdq.federation.org" ignoreTransport="true">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="mdqsigner.pem" />
+        </MetadataProvider>
+        -->
+
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
+        <CredentialResolver type="File" use="signing"
+            key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
+        <CredentialResolver type="File" use="encryption"
+            key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
+
+    </ApplicationDefaults>
+
+    <!-- Policies that determine how to process and authenticate runtime messages. -->
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <!-- Low-level configuration about protocols and bindings available for use. -->
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
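Review bot: `handlerSSL="false" cookieProps="http"` on the Sessions element contradicts the deployment around it: the vhost only listens on 443, every endpoint in the SP metadata is https://localhost:8443, and the file's own comment above says to set cookieProps to https for SSL-only sites. With `http` the session cookie is issued without the Secure flag, so it would be sent in clear if a plain-HTTP listener were ever exposed. The demo should set `handlerSSL="true" cookieProps="https"`. The CredentialResolver entries at the end reference `sp-signing-key.pem` and `sp-encrypt-key.pem`, which nothing in this diff mounts, so they resolve to whatever the image build generated.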
diff --git a/demo/shibboleth/docker-compose.yml b/demo/shibboleth/docker-compose.yml
index decacb9..3817e6b 100644
--- a/demo/shibboleth/docker-compose.yml
+++ b/demo/shibboleth/docker-compose.yml
@@ -16,6 +16,7 @@ services:
 
   midpoint_server:
     build: ./midpoint_server/
+    command: /usr/local/bin/startup.sh
     ports:
       - 8443:443
     environment:
@@ -48,12 +49,27 @@ services:
      - type: bind
        source: ./configs-and-secrets/midpoint/shibboleth/idp-metadata.xml
        target: /etc/shibboleth/idp-metadata.xml
+     - type: bind
+       source: ./configs-and-secrets/midpoint/shibboleth/shibboleth2.xml
+       target: /etc/shibboleth/shibboleth2.xml
+     - type: bind
+       source: ./configs-and-secrets/midpoint/shibboleth/attribute-map.xml
+       target: /etc/shibboleth/attribute-map.xml
      - type: bind
        source: ./configs-and-secrets/midpoint/httpd/host-cert.pem
        target: /etc/pki/tls/certs/host-cert.pem
      - type: bind
        source: ./configs-and-secrets/midpoint/httpd/host-cert.pem
        target: /etc/pki/tls/certs/cachain.pem
+     - type: bind
+       source: ./configs-and-secrets/midpoint/httpd/00-shib.conf
+       target: /etc/httpd/conf.modules.d/00-shib.conf
+     - type: bind
+       source: ./configs-and-secrets/midpoint/httpd/midpoint-shib.conf
+       target: /etc/httpd/conf.d/midpoint-shib.conf
+     - type: bind
+       source: ./configs-and-secrets/midpoint/httpd/vhosts.conf
+       target: /etc/httpd/conf.d/vhosts/vhosts.conf
 
   directory:
     build: ./directory/
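Review bot: All the new bind mounts are read-write, so a process in the container can rewrite the host-side shibboleth2.xml, attribute-map.xml and httpd configs in configs-and-secrets; for files the container only needs to read, `read_only: true` on each entry removes that. The list also mounts the SP configuration but not the SP key pairs it references, so the IdP-side certificates in midpoint-shib-sp.xml are tied to the keys generated inside one particular image build.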
diff --git a/demo/shibboleth/idp/shibboleth-idp/conf/attribute-filter.xml b/demo/shibboleth/idp/shibboleth-idp/conf/attribute-filter.xml
index 2fcb257..c7a14c7 100644
--- a/demo/shibboleth/idp/shibboleth-idp/conf/attribute-filter.xml
+++ b/demo/shibboleth/idp/shibboleth-idp/conf/attribute-filter.xml
@@ -26,4 +26,13 @@
 
     </afp:AttributeFilterPolicy>
 
+    <afp:AttributeFilterPolicy id="midpoint-shib">
+        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://idptestbed/sp/shibboleth" />
+
+        <afp:AttributeRule attributeID="uid">
+            <afp:PermitValueRule xsi:type="basic:ANY" />
+        </afp:AttributeRule>
+
+    </afp:AttributeFilterPolicy>
+
 </afp:AttributeFilterPolicyGroup>
diff --git a/demo/shibboleth/idp/shibboleth-idp/conf/idp.properties b/demo/shibboleth/idp/shibboleth-idp/conf/idp.properties
index 6294a30..2470feb 100644
--- a/demo/shibboleth/idp/shibboleth-idp/conf/idp.properties
+++ b/demo/shibboleth/idp/shibboleth-idp/conf/idp.properties
@@ -56,7 +56,7 @@ idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
 
 # If true, encryption will happen whenever a key to use can be located, but
 # failure to encrypt won't result in request failure.
-#idp.encryption.optional = false
+idp.encryption.optional = true
 
 # Configuration of client- and server-side storage plugins
 #idp.storage.cleanupInterval = PT10M
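Review bot: `idp.encryption.optional = true` is global, so for any relying party whose encryption key cannot be used the IdP silently falls back to sending the assertion unencrypted instead of failing the request; the SP metadata added in this diff does carry an encryption key, so it is unclear which SP needed this. If it is only for the internal midpoint SP, scoping it to that relying party rather than flipping the global default keeps the failure visible elsewhere, and either way a comment should record why: `# Demo only: tolerate SPs without a usable encryption key`.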
diff --git a/demo/shibboleth/idp/shibboleth-idp/conf/metadata-providers.xml b/demo/shibboleth/idp/shibboleth-idp/conf/metadata-providers.xml
index 684b387..2a44b8d 100644
--- a/demo/shibboleth/idp/shibboleth-idp/conf/metadata-providers.xml
+++ b/demo/shibboleth/idp/shibboleth-idp/conf/metadata-providers.xml
@@ -27,6 +27,8 @@
 
     <MetadataProvider id="MidpointSP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/midpoint-sp.xml"/>
 
+    <MetadataProvider id="Midpoint-shib-SP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/midpoint-shib-sp.xml"/>
+
     <!-- Example HTTP metadata provider.  Use this if you want to download
          the metadata from a remote service.
          
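Review bot: The provider id `Midpoint-shib-SP` mixes hyphenated lowercase with the CamelCase `MidpointSP` used on the line above; `MidpointShibSP` would follow the existing convention. Otherwise the entry mirrors the existing FilesystemMetadataProvider and the file path matches the metadata added in this diff.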
diff --git a/demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-shib-sp.xml b/demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-shib-sp.xml
new file mode 100644
index 0000000..c774f35
--- /dev/null
+++ b/demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-shib-sp.xml
@@ -0,0 +1,110 @@
+<!--
+This is example metadata only. Do *NOT* supply it as is without review,
+and do *NOT* provide it in real time to your partners.
+ -->
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_47f6a8e267294234bd178b0300e37107740c6bed" entityID="https://idptestbed/sp/shibboleth">
+
+  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
+  </md:Extensions>
+
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:Extensions>
+      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://localhost:8443/Shibboleth.sso/Login"/>
+    </md:Extensions>
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyName>47abdf273ac1</ds:KeyName>
+        <ds:X509Data>
+          <ds:X509SubjectName>CN=47abdf273ac1</ds:X509SubjectName>
+          <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAN3KLR1rSj7uMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV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=
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:KeyDescriptor use="encryption">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyName>47abdf273ac1</ds:KeyName>
+        <ds:X509Data>
+          <ds:X509SubjectName>CN=47abdf273ac1</ds:X509SubjectName>
+          <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAJsNOvtU9eJFMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV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=
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+    </md:KeyDescriptor>
+    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:8443/Shibboleth.sso/Artifact/SOAP" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:8443/Shibboleth.sso/SLO/SOAP"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/Shibboleth.sso/SLO/Redirect"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/Shibboleth.sso/SLO/POST"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:8443/Shibboleth.sso/SLO/Artifact"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/Shibboleth.sso/SAML2/POST" index="1"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost:8443/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:8443/Shibboleth.sso/SAML2/Artifact" index="3"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://localhost:8443/Shibboleth.sso/SAML2/ECP" index="4"/>
+  </md:SPSSODescriptor>
+
+</md:EntityDescriptor>
\ No newline at end of file
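Review bot: The KeyName/subject `CN=47abdf273ac1` in both KeyDescriptors looks like a container hostname, which suggests these certificates were copied out of one image build; nothing in this diff pins the matching private keys, so a rebuilt image will present a different key and the IdP will encrypt for and verify against the wrong certificate. The Extensions block also advertises sha1, dsa-sha1 and tripledes-cbc as supported digest, signing and encryption methods; since the IdP chooses from what the SP advertises, pruning those leaves only the modern algorithms. The header at the top says this is example metadata not to be supplied as is, which is consistent with keeping it demo-only, and the file lacks a trailing newline.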
diff --git a/demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-sp.xml b/demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-sp.xml
index 5789ed8..55c61f5 100644
--- a/demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-sp.xml
+++ b/demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-sp.xml
@@ -64,8 +64,8 @@ AIW0+dXJ2IyzM+0sv2g4DOsXsnSvinGqjr82A54mXGSr7edhPdlQhILFkJfhTwLq+mjnyQSNe3s2
       <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
       <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
     </md:KeyDescriptor>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/midpoint/auth/gui-default/mySamlSso/logout/alias/midpointdemo-shibbolet"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/midpoint/auth/gui-default/mySamlSso/SSO/alias/midpointdemo-shibboleth" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/midpoint/auth/saml-internal/mySamlSso/logout/alias/midpointdemo-shibbolet"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/midpoint/auth/saml-internal/mySamlSso/SSO/alias/midpointdemo-shibboleth" index="1"/>
   </md:SPSSODescriptor>
 
 </md:EntityDescriptor>
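Review bot: The two rewritten endpoints still use different aliases: the SingleLogoutService ends in `midpointdemo-shibbolet` while the AssertionConsumerService ends in `midpointdemo-shibboleth`. Unless the midpoint saml2 provider really registers both spellings, logout requests will target a path that does not exist; the mismatch is inherited from the old lines, but these lines are being rewritten anyway, so `.../saml-internal/mySamlSso/logout/alias/midpointdemo-shibboleth` would fix it.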
diff --git a/demo/shibboleth/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml b/demo/shibboleth/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml
index 5cc5998..4abf399 100644
--- a/demo/shibboleth/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml
+++ b/demo/shibboleth/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml
@@ -63,16 +63,21 @@
                     </provider>
                 </serviceProvider>
             </saml2>
+            <httpHeader>
+              <name>httpHeader</name>
+              <logoutUrl>https://localhost:8443/Shibboleth.sso/Logout</logoutUrl>
+              <usernameHeader>REMOTE_USER</usernameHeader>
+            </httpHeader>
         </modules>
         <sequence>
-            <name>admin-gui-default</name>
+            <name>admin-gui-saml-internal</name>
             <description>
-                Default GUI authentication sequence.
+                Internal SAML2 GUI authentication sequence.
             </description>
             <channel>
                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
-                <default>true</default>
-                <urlSuffix>gui-default</urlSuffix>
+                <default>false</default>
+                <urlSuffix>saml-internal</urlSuffix>
             </channel>
             <module>
                 <name>mySamlSso</name>
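Review bot: The new httpHeader module says nothing about where `REMOTE_USER` comes from, and the sequence description change only says it is the internal SAML2 sequence. A short comment on the module, e.g. `<!-- Trusts REMOTE_USER as set by mod_shib in the fronting httpd; midpoint must not be reachable except through that proxy -->`, documents the trust boundary the demo depends on. The `logoutUrl` is hardcoded to https://localhost:8443, matching the metadata in this diff but worth a note for anyone rebinding the port.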
@@ -98,6 +103,22 @@
                 <necessity>sufficient</necessity>
             </module>
         </sequence>
+        <sequence>
+            <name>admin-gui-default</name>
+            <description>
+                Special GUI authentication sequence that is using Shibboleth SP
+            </description>
+            <channel>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
+                <default>true</default>
+                <urlSuffix>shib</urlSuffix>
+            </channel>
+            <module>
+                <name>httpHeader</name>
+                <order>30</order>
+                <necessity>sufficient</necessity>
+            </module>
+        </sequence>
         <sequence>
             <name>rest</name>
             <description>