diff --git a/.dockerignore b/.dockerignore deleted file mode 100644 index 3cf5f0e..0000000 --- a/.dockerignore +++ /dev/null @@ -1,3 +0,0 @@ -demo -.git -tests diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 0b8a5c5..0000000 --- a/Dockerfile +++ /dev/null 
@@ -1,110 +0,0 @@ -# -# Building assumes midpoint-dist.tar.gz is present in the current directory. -# - -FROM tier/shibboleth_sp:3.0.4_03122019 - -MAINTAINER info@evolveum.com - -RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems -RUN curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo -RUN yum -y update -RUN yum -y install \ - zulu-11 \ - cron \ - supervisor \ - libcurl \ - && yum clean -y all - -RUN cd /etc/httpd/conf.d/ \ - && rm -f autoindex.conf ssl.conf userdir.conf welcome.conf - -COPY container_files/supervisor/supervisord.conf /etc/supervisor/supervisord.conf -COPY container_files/httpd/conf/* /etc/httpd/conf.d/ -COPY container_files/usr-local-bin/* /usr/local/bin/ -COPY container_files/opt-tier/* /opt/tier/ - -RUN chmod 755 /opt/tier/setenv.sh \ - && chmod 755 /usr/local/bin/sendtierbeacon.sh \ - && chmod 755 /usr/local/bin/setup-cron.sh \ - && chmod 755 /usr/local/bin/setup-timezone.sh \ - && chmod 755 /usr/local/bin/start-midpoint.sh \ - && chmod 755 /usr/local/bin/start-httpd.sh \ - && chmod 755 /usr/local/bin/startup.sh \ - && chmod 755 /usr/local/bin/healthcheck.sh - -RUN cp /dev/null /etc/httpd/conf.d/ssl.conf \ - && mkdir /etc/httpd/conf.d/vhosts \ - && rm /etc/httpd/conf.d/shib.conf \ - && sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \ - && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \ - && sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/loghttpd"/g' /etc/httpd/conf/httpd.conf \ - && sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/loghttpd"/g' /etc/httpd/conf/httpd.conf \ - && echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \ - && echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf - -# Build arguments - -ARG MP_VERSION=4.0.1 -ARG MP_DIST_FILE=midpoint-dist.tar.gz - -ENV MP_DIR 
/opt/midpoint - -RUN mkdir -p ${MP_DIR}/var - -COPY ${MP_DIST_FILE} ${MP_DIR} -COPY container_files/mp-dir/ ${MP_DIR}/ - -RUN echo 'Extracting midPoint archive...' \ - && tar xzf ${MP_DIR}/${MP_DIST_FILE} -C ${MP_DIR} --strip-components=1 - -# Disabled because of wider compatibility issues (e.g. AWS) -# TODO: consider all the consequences -#VOLUME ${MP_DIR}/var - -# Repository parameters - -ENV REPO_DATABASE_TYPE mariadb -ENV REPO_JDBC_URL default -ENV REPO_HOST midpoint_data -ENV REPO_PORT default -ENV REPO_DATABASE registry -ENV REPO_USER registry_user -ENV REPO_PASSWORD_FILE /run/secrets/mp_database_password.txt -ENV REPO_MISSING_SCHEMA_ACTION create -ENV REPO_UPGRADEABLE_SCHEMA_ACTION stop - -# Logging parameters - -ENV ENV demo -ENV USERTOKEN "" - -# Authentication/web - -ENV AJP_ENABLED true -ENV AJP_PORT 9090 - -# Other parameters - -ENV MP_KEYSTORE_PASSWORD_FILE /run/secrets/mp_keystore_password.txt -ENV MP_MEM_MAX 2048m -ENV MP_MEM_INIT 1024m -ENV TIMEZONE UTC -ENV TIER_RELEASE not-released-yet -ENV TIER_MAINTAINER tier - -# TIER Beacon Opt-out -# Completely uncomment the following ENV line to prevent the containers from sending analytics information to Internet2. -# With the default/release configuration, it will only send product (Shibb/Grouper/COmanage/midPoint) and version (4.0, etc) -# once daily between midnight and 4am. There is no configuration or private information collected or sent. -# This data helps with the scaling and funding of TIER. Please do not disable it if you find the TIER tools useful. -# To keep it commented, keep multiple comments on the following line (to prevent other scripts from processing it). -##### ENV TIER_BEACON_OPT_OUT true - -# requires MP_VERSION and TIER_xyz variables so we have to execute it here - -RUN /opt/tier/setenv.sh - -HEALTHCHECK --interval=1m --timeout=30s --start-period=2m CMD /usr/local/bin/healthcheck.sh - -CMD ["/usr/local/bin/startup.sh"] 
diff --git a/Jenkinsfile b/Jenkinsfile deleted file mode 100644 index 5aa7067..0000000 --- a/Jenkinsfile +++ /dev/null 
@@ -1,118 +0,0 @@ -pipeline { - agent any - environment { - maintainer = "t" - imagename = 'm' - tag = 'l' - } - stages { - stage ('Setting build context') { - steps { - script { - maintainer = maintain() - imagename = imagename() - if (env.BRANCH_NAME == "master") { - tag = "latest" - } else { - tag = env.BRANCH_NAME - } - if (!imagename) { - echo "You must define imagename in common.bash" - currentBuild.result = 'FAILURE' - } - sh 'mkdir -p bin' - sh 'mkdir -p tmp' - dir ('tmp') { - git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ]) - sh 'ls -l' - sh 'ls -lR ../bin' - sh 'rm -r ../bin/windows || true' - sh 'mv bin/* ../bin/.' - } - // Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing. - // We don't care if there are more 'tag' assignments there. The latest one wins. - sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash" - } - } - } - stage ('Build') { - steps { - script { - try { - // using custom ./build.sh instead of bin/rebuild.sh because the bin/ version does not support building specific tag yet - sh './build.sh -r 2>&1 | tee -a debug ; test ${PIPESTATUS[0]} -eq 0' - } catch (error) { - def error_details = readFile('./debug') - def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. 
\n\n ${error_details}" - sh "rm -f ./debug" - handleError(message) - } - } - } - } - stage ('Test') { - steps { - script { - try { - sh 'echo Docker containers before root tests ; docker ps -a' // temporary - sh 'bin/test.sh 2>&1 | tee debug ; test ${PIPESTATUS[0]} -eq 0' - sh 'echo Docker containers before compositions tests ; docker ps -a' // temporary - - sh '(cd demo/simple ; bats tests ) 2>&1 | tee -a debug ; test ${PIPESTATUS[0]} -eq 0' - sh '(cd demo/shibboleth ; bats tests ) 2>&1 | tee -a debug ; test ${PIPESTATUS[0]} -eq 0' - sh '(cd demo/postgresql ; bats tests ) 2>&1 | tee -a debug ; test ${PIPESTATUS[0]} -eq 0' - sh '(cd demo/grouper ; bats tests ) 2>&1 | tee -a debug ; test ${PIPESTATUS[0]} -eq 0' - } catch (error) { - def error_details = readFile('./debug') - def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}. \n\n ${error_details}" - sh "rm -f ./debug" - handleError(message) - } - } - } - } - stage ('Push') { - steps { - script { - docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$maintainer") { - def baseImg = docker.build("$maintainer/$imagename") - baseImg.push("$tag") - } - } - } - } - stage ('Notify') { - steps { - echo "$maintainer" - slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub" - } - } - } - post { - always { - echo 'Done Building.' - } - failure { - // slackSend color: 'good', message: "Build failed" - handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.") - } - } -} - - -def maintain() { - def matcher = readFile('common.bash') =~ 'maintainer="(.+)"' - matcher ? matcher[0][1] : 'tier' -} - -def imagename() { - def matcher = readFile('common.bash') =~ 'imagename="(.+)"' - matcher ? matcher[0][1] : null -} - -def handleError(String message) { - echo "${message}" - currentBuild.setResult("FAILED") - slackSend color: 'danger', message: "${message}" - sh 'exit 1' -} diff --git a/README.md b/README.md index 144ec64..657fa3c 100644 
--- a/README.md +++ b/README.md @@ -1,27 +1,5 @@ -[](https://jenkins.testbed.tier.internet2.edu/buildStatus/icon?job=docker/midPoint_container/3.9) +This repository contains demos for midPoint in InCommon Trusted Access Platform. -This repository contains sources for TIER-supported [midPoint](http://midpoint.evolveum.com) image. - -The image contains the midPoint application along with some TIER-specific components: Apache reverse proxy with optional Shibboleth filter and TIER Beacon. - -# Supported tags -- latest -- midPoint version-specific branches, e.g. 3.9, 3.9.1, 4.0, etc. - -# Content -- the root directory contains build instructions for the `midpoint` image -- `demo` directory contains a couple of demonstration scenarios: - - `simple` to show simple composition of midPoint with the repository, - - `shibboleth` to show integration with Shibboleth IdP, - - `postgresql` to show how to use alternative dockerized repository, - - `extrepo` to show how to use external repository, - - `grouper` to demonstrate more complex deployment of midPoint in a sample university environment, featuring midPoint along with Grouper, LDAP directory, RabbitMQ, Shibboleth IdP, source and target systems. - -# Build instructions -``` -$ ./build.sh -``` -You can then continue with one of demo compositions. # Documentation Please see the [Getting Started with midPoint](https://spaces.at.internet2.edu/x/fBbtBw) wiki page. diff --git a/build.sh b/build.sh deleted file mode 100755 index d7951c6..0000000 --- a/build.sh +++ /dev/null 
@@ -1,48 +0,0 @@ -#!/bin/bash - -cd "$(dirname "$0")" -source common.bash - -SKIP_DOWNLOAD=0 -REFRESH="" -while getopts "nhr?" opt; do - case $opt in - n) - SKIP_DOWNLOAD=1 - ;; - r) - result=$(docker ps -a | grep $maintainer/$imagename:$tag) - if [ ! -z "$result" ]; then - echo "Cleaning up $maintainer/$imagename:$tag..." - docker rm -f $(docker ps -a | grep $maintainer/$imagename:$tag | awk '{print $1}') - docker rmi -f $maintainer/$imagename:$tag - echo "Done" - fi - REFRESH="--no-cache --pull" - echo "Using 'refresh' mode: $REFRESH" - ;; - h | ?) - echo "Options: -n skip download" - echo " -r refresh mode: uses --no-cache --pull and removes container and image before build" - exit 0 - ;; - *) - echo "Unknown option: $opt" - exit 1 - ;; - esac -done -if [ "$SKIP_DOWNLOAD" = "0" ]; then ./download-midpoint.sh || exit 1; fi -docker build $REFRESH --tag $maintainer/$imagename:$tag --build-arg maintainer=$maintainer --build-arg imagename=$imagename . || exit 1 -echo "---------------------------------------------------------------------------------------" -echo "The midPoint containers were successfully built. To start them, execute the following:" -echo "" -echo "(for simple demo)" -echo "" -echo "$ cd" $(pwd)/demo/simple -echo "$ docker-compose up" -echo "" -echo "(for Grouper integration demo)" -echo "" -echo "$ cd" $(pwd)/demo/grouper -echo "$ docker-compose up --build" diff --git a/common.bash b/common.bash deleted file mode 100644 index f61b220..0000000 --- a/common.bash +++ /dev/null @@ -1,3 +0,0 @@ -maintainer="tier" -imagename="midpoint" -tag="latest" diff --git a/container_files/httpd/conf/midpoint.conf b/container_files/httpd/conf/midpoint.conf deleted file mode 100644 index 656489c..0000000 --- a/container_files/httpd/conf/midpoint.conf +++ /dev/null @@ -1,6 +0,0 @@ - -Timeout 2400 -ProxyTimeout 2400 -ProxyBadHeader Ignore - -ProxyPass /midpoint ajp://localhost:9090/midpoint secret=s3cr3t timeout=2400 retry=0 
diff --git a/container_files/httpd/conf/midpoint.conf.auth.internal b/container_files/httpd/conf/midpoint.conf.auth.internal deleted file mode 100644 index 57a9992..0000000 --- a/container_files/httpd/conf/midpoint.conf.auth.internal +++ /dev/null @@ -1,6 +0,0 @@ - -Timeout 2400 -ProxyTimeout 2400 -ProxyBadHeader Ignore - -ProxyPass /midpoint ajp://localhost:9090/midpoint secret=s3cr3t timeout=2400 retry=0 diff --git a/container_files/httpd/conf/ssl-enable.conf b/container_files/httpd/conf/ssl-enable.conf deleted file mode 100644 index a756e78..0000000 --- a/container_files/httpd/conf/ssl-enable.conf +++ /dev/null @@ -1,30 +0,0 @@ -# modern configuration, tweak to your needs -SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 -SSLHonorCipherOrder on -SSLCompression off - -# OCSP Stapling, only in httpd 2.3.3 and later -SSLUseStapling on -SSLStaplingResponderTimeout 5 -SSLStaplingReturnResponderErrors off -SSLStaplingCache shmcb:/var/run/ocsp(128000) - -Listen 443 https -<VirtualHost *:443> - RewriteEngine on - RewriteRule "^/$" "/midpoint/" [R] - - - SSLEngine on - SSLCertificateChainFile /etc/pki/tls/certs/cachain.pem - - SSLCertificateFile /etc/pki/tls/certs/host-cert.pem - - SSLCertificateKeyFile /etc/pki/tls/private/host-key.pem - - # HSTS (mod_headers is required) (15768000 seconds = 6 months) - Header always set Strict-Transport-Security "max-age=15768000" - - IncludeOptional conf.d/vhosts/*.conf -</VirtualHost> diff --git a/container_files/mp-dir/active-spring-profiles b/container_files/mp-dir/active-spring-profiles deleted file mode 100755 index 40058e6..0000000 --- a/container_files/mp-dir/active-spring-profiles +++ /dev/null 
@@ -1,13 +0,0 @@ -#!/bin/bash - -case $AUTHENTICATION in - shibboleth) - echo "default,sso" - ;; - internal) - echo "default" - ;; - *) - echo "default" -esac - diff --git a/container_files/mp-dir/repository-url b/container_files/mp-dir/repository-url deleted file mode 100755 index 6977cbf..0000000 --- a/container_files/mp-dir/repository-url +++ /dev/null @@ -1,52 +0,0 @@ -#!/bin/bash - -function resolvePort() { - if [[ $REPO_PORT == "default" ]]; then - case $REPO_DATABASE_TYPE in - mariadb) - echo 3306 - ;; - mysql) - echo 3306 - ;; - oracle) - echo 1521 - ;; - postgresql) - echo 5432 - ;; - sqlserver) - echo 1433 - ;; - *) - echo "~~~~~ please supply JDBC port for your repository ~~~~~" - esac - else - echo $REPO_PORT - fi -} - -if [[ $REPO_JDBC_URL == "default" ]]; then - REPO_PORT=$( resolvePort ) - case $REPO_DATABASE_TYPE in - mariadb) - echo "jdbc:mariadb://$REPO_HOST:$REPO_PORT/$REPO_DATABASE?characterEncoding=utf8" - ;; - mysql) - echo "jdbc:mysql://$REPO_HOST:$REPO_PORT/$REPO_DATABASE?characterEncoding=utf8" - ;; - oracle) - echo "jdbc:oracle:thin:@$REPO_HOST:$REPO_PORT/xe" - ;; - postgresql) - echo "jdbc:postgresql://$REPO_HOST:$REPO_PORT/$REPO_DATABASE" - ;; - sqlserver) - echo "jdbc:sqlserver://$REPO_HOST:$REPO_PORT;database=$REPO_DATABASE" - ;; - *) - echo "~~~~~ please supply JDBC URL for your repository ~~~~~" - esac -else - echo $REPO_JDBC_URL -fi diff --git a/container_files/opt-tier/setenv.sh b/container_files/opt-tier/setenv.sh deleted file mode 100755 index f876f7a..0000000 --- a/container_files/opt-tier/setenv.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash -printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^MP_VERSION" > /opt/tier/env.bash -printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^TIER_RELEASE" >> /opt/tier/env.bash -printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^TIER_MAINTAINER" >> /opt/tier/env.bash - -echo "/opt/tier/env.bash is:" -cat /opt/tier/env.bash 
diff --git a/container_files/supervisor/supervisord.conf b/container_files/supervisor/supervisord.conf deleted file mode 100644 index a1dc9bf..0000000 --- a/container_files/supervisor/supervisord.conf +++ /dev/null @@ -1,32 +0,0 @@ -[supervisord] -logfile=/tmp/logsuperd -logfile_maxbytes=0 -loglevel=error -nodaemon=true -user=root - -[program:httpd] -command=/bin/bash -c "/usr/local/bin/start-httpd.sh" -stdout_logfile=/tmp/loghttpd -stdout_logfile_maxbytes=0 -redirect_stderr=true - -[program:midpoint] -command=/bin/bash -c "/usr/local/bin/start-midpoint.sh" -stdout_logfile=/dev/fd/2 -stdout_logfile_maxbytes=0 -redirect_stderr=true -autorestart=false - -[program:shibboleth] -command=/usr/sbin/shibd -f -stdout_logfile=/dev/fd/2 -stdout_logfile_maxbytes=0 -redirect_stderr=true -autorestart=false - -[program:crond] -command=/usr/sbin/crond -n -i -m off -stdout_logfile=/tmp/logcrond -stdout_logfile_maxbytes=0 -redirect_stderr=true diff --git a/container_files/usr-local-bin/healthcheck.sh b/container_files/usr-local-bin/healthcheck.sh deleted file mode 100755 index 99f8963..0000000 --- a/container_files/usr-local-bin/healthcheck.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash - -(set -o pipefail ; curl -k -f https://localhost:443/midpoint/actuator/health | tr -d '[:space:]' | grep -q "\"status\":\"UP\"") || exit 1 diff --git a/container_files/usr-local-bin/setup-cron.sh b/container_files/usr-local-bin/setup-cron.sh deleted file mode 100755 index 9ec9705..0000000 --- a/container_files/usr-local-bin/setup-cron.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -CRONFILE=/opt/tier/tier-cron - -echo "#send daily \"beacon\" to central" > ${CRONFILE} -echo $(expr $RANDOM % 60) $(expr $RANDOM % 4) "* * * /usr/local/bin/sendtierbeacon.sh >> /tmp/logcrond 2>&1" >> ${CRONFILE} -#echo "* * * * * /usr/local/bin/sendtierbeacon.sh >> /tmp/logcrond 2>&1" >> ${CRONFILE} # for testing - -chmod 644 ${CRONFILE} -crontab ${CRONFILE} 
diff --git a/container_files/usr-local-bin/setup-timezone.sh b/container_files/usr-local-bin/setup-timezone.sh deleted file mode 100755 index b01eb8e..0000000 --- a/container_files/usr-local-bin/setup-timezone.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -if [[ -n $TIMEZONE ]]; then - echo "*** Setting timezone to '$TIMEZONE'" - if [[ -e /usr/share/zoneinfo/$TIMEZONE ]]; then - unlink /etc/localtime - ln -s /usr/share/zoneinfo/$TIMEZONE /etc/localtime - echo "date (UTC) is: $(date -u)" - echo "date (current timezone) is $(date)" - else - echo "Error: time zone '$TIMEZONE' is unknown; not setting it." - fi -fi diff --git a/container_files/usr-local-bin/start-httpd.sh b/container_files/usr-local-bin/start-httpd.sh deleted file mode 100755 index 787d293..0000000 --- a/container_files/usr-local-bin/start-httpd.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -echo "Linking secrets" -for filepath in /run/secrets/*; do - label_file=`basename $filepath` - if [ "$label_file" == "mp_host-key.pem" ]; then - ln -sf /run/secrets/mp_host-key.pem /etc/pki/tls/private/host-key.pem - fi -done - -rm -f /etc/httpd/logs/httpd.pid /run/httpd/httpd.pid -httpd -DFOREGROUND diff --git a/container_files/usr-local-bin/start-midpoint.sh b/container_files/usr-local-bin/start-midpoint.sh deleted file mode 100755 index 15d9aa7..0000000 --- a/container_files/usr-local-bin/start-midpoint.sh +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/bin/bash - -function check () { - local VARNAME=$1 - if [ -z ${!VARNAME} ]; then - echo "*** Couldn't start midPoint: $VARNAME variable is undefined. Please check your Docker composition." - exit 1 - fi -} - -echo "Linking secrets" -for filepath in /run/secrets/*; do - label_file=`basename $filepath` - if [ "$label_file" == "mp_shibboleth_sp_keys.jks" ]; then - if [ ! -d "/etc/pki/mp" ]; then - mkdir /etc/pki/mp - fi - ln -sf /run/secrets/mp_shibboleth_sp_keys.jks /etc/pki/mp/sp-shibboleth-keys.jks - fi -done - -# These variables have reasonable defaults in Dockerfile. So we will _not_ supply defaults here. -# The composer or user has to make sure they are well defined. - -check MP_MEM_MAX -check MP_MEM_INIT -check MP_DIR -check REPO_DATABASE_TYPE -check REPO_USER -check REPO_PASSWORD_FILE -check REPO_MISSING_SCHEMA_ACTION -check REPO_UPGRADEABLE_SCHEMA_ACTION -check MP_KEYSTORE_PASSWORD_FILE -check AJP_ENABLED -check AJP_PORT - -java -Xmx$MP_MEM_MAX -Xms$MP_MEM_INIT -Dfile.encoding=UTF8 \ - -Dmidpoint.home=$MP_DIR/var \ - -Dmidpoint.repository.database=$REPO_DATABASE_TYPE \ - -Dmidpoint.repository.jdbcUsername=$REPO_USER \ - -Dmidpoint.repository.jdbcPassword_FILE=$REPO_PASSWORD_FILE \ - -Dmidpoint.repository.jdbcUrl="`$MP_DIR/repository-url`" \ - -Dmidpoint.repository.hibernateHbm2ddl=none \ - -Dmidpoint.repository.missingSchemaAction=$REPO_MISSING_SCHEMA_ACTION \ - -Dmidpoint.repository.upgradeableSchemaAction=$REPO_UPGRADEABLE_SCHEMA_ACTION \ - $(if [ -n "$REPO_SCHEMA_VERSION_IF_MISSING" ]; then echo "-Dmidpoint.repository.schemaVersionIfMissing=$REPO_SCHEMA_VERSION_IF_MISSING"; fi) \ - $(if [ -n "$REPO_SCHEMA_VARIANT" ]; then echo "-Dmidpoint.repository.schemaVariant=$REPO_SCHEMA_VARIANT"; fi) \ - -Dmidpoint.repository.initializationFailTimeout=60000 \ - -Dmidpoint.keystore.keyStorePassword_FILE=$MP_KEYSTORE_PASSWORD_FILE \ - -Dmidpoint.logging.alt.enabled=true \ - -Dmidpoint.logging.alt.filename=/tmp/logmidpoint \ - 
-Dspring.profiles.active="`$MP_DIR/active-spring-profiles`" \ - -Dserver.tomcat.ajp.enabled=$AJP_ENABLED \ - -Dserver.tomcat.ajp.port=$AJP_PORT \ - -Dserver.tomcat.ajp.secret=s3cr3t \ - -Dlogging.path=/tmp/logtomcat \ - -cp $MP_DIR/lib/midpoint.war \ - -Dloader.path="WEB-INF/classes,WEB-INF/lib,WEB-INF/lib-provided,$MP_DIR/var/lib" \ - org.springframework.boot.loader.PropertiesLauncher \ - $MP_JAVA_OPTS \ - -jar $MP_DIR/lib/midpoint.war &>/tmp/logmidpoint-console diff --git a/container_files/usr-local-bin/startup.sh b/container_files/usr-local-bin/startup.sh deleted file mode 100755 index 9f11831..0000000 --- a/container_files/usr-local-bin/startup.sh +++ /dev/null 
@@ -1,37 +0,0 @@ -#!/bin/bash - -# normalizing logging variables as required by TIER -export ENV=${ENV//[; ]/_} -export USERTOKEN=${USERTOKEN//[; ]/_} - -/usr/local/bin/setup-timezone.sh - -# this is to be executed at run time, not at build time -- to ensure sufficient variability of execution times -/usr/local/bin/setup-cron.sh - -# generic console logging pipe for anyone -mkfifo -m 666 /tmp/logpipe -cat <> /tmp/logpipe 1>&2 & - -mkfifo -m 666 /tmp/loghttpd -(cat <> /tmp/loghttpd | awk '{printf "%s\n", $0; fflush()}' 1>/tmp/logpipe) & - -mkfifo -m 666 /tmp/logshib -(cat <> /tmp/logshib | awk '{printf "%s\n", $0; fflush()}' 1>/tmp/logpipe) & - -mkfifo -m 666 /tmp/logcrond -(cat <> /tmp/logcrond | awk -v ENV="$ENV" -v USERTOKEN="$USERTOKEN" '{line=sprintf ("crond;console;%s;%s;%s:%s", ENV, USERTOKEN, strftime("%F %T%z", systime(), 1), $0); print line >> "/tmp/logpipe"; print line >> "/var/log/cron.log"; fflush()}') & - -mkfifo -m 666 /tmp/logsuperd -(cat <> /tmp/logsuperd | awk -v ENV="$ENV" -v USERTOKEN="$USERTOKEN" '{printf "supervisord;console;%s;%s;%s\n", ENV, USERTOKEN, $0; fflush()}' 1>/tmp/logpipe) & - -mkfifo -m 666 /tmp/logtomcat -(cat <> /tmp/logtomcat | awk -v ENV="$ENV" -v USERTOKEN="$USERTOKEN" '{printf "tomcat;console;%s;%s;%s\n", ENV, USERTOKEN, $0; fflush()}' 1>/tmp/logpipe) & - -mkfifo -m 666 /tmp/logmidpoint -(cat <> /tmp/logmidpoint | awk -v ENV="$ENV" -v USERTOKEN="$USERTOKEN" '{printf "midpoint;midpoint.log;%s;%s;%s\n", ENV, USERTOKEN, $0; fflush()}' 1>/tmp/logpipe) & - -mkfifo -m 666 /tmp/logmidpoint-console -(cat <> /tmp/logmidpoint-console | awk -v ENV="$ENV" -v USERTOKEN="$USERTOKEN" '{printf "midpoint;console;%s;%s;%s\n", ENV, USERTOKEN, $0; fflush()}' 1>/tmp/logpipe) & - -/usr/bin/supervisord -c /etc/supervisor/supervisord.conf diff --git a/demo/extrepo/.env b/demo/extrepo/.env deleted file mode 100644 index 589cfcf..0000000 --- a/demo/extrepo/.env +++ /dev/null 
@@ -1,10 +0,0 @@ -# These parameters can be overridden by setting environment variables before calling docker-compose up -ENV=demo -USERTOKEN= -REPO_JDBC_URL=default -REPO_PORT=default -REPO_MISSING_SCHEMA_ACTION=create -REPO_UPGRADEABLE_SCHEMA_ACTION=stop -MP_MEM_MAX=2048m -MP_MEM_INIT=1024m -TIMEZONE=UTC diff --git a/demo/extrepo/configs-and-secrets/midpoint/application/database_password.txt b/demo/extrepo/configs-and-secrets/midpoint/application/database_password.txt deleted file mode 100644 index d71d29d..0000000 --- a/demo/extrepo/configs-and-secrets/midpoint/application/database_password.txt +++ /dev/null @@ -1 +0,0 @@ -oracle diff --git a/demo/extrepo/configs-and-secrets/midpoint/application/keystore_password.txt b/demo/extrepo/configs-and-secrets/midpoint/application/keystore_password.txt deleted file mode 100644 index 1d40192..0000000 --- a/demo/extrepo/configs-and-secrets/midpoint/application/keystore_password.txt +++ /dev/null @@ -1 +0,0 @@ -changeit diff --git a/demo/extrepo/configs-and-secrets/midpoint/httpd/host-cert.pem b/demo/extrepo/configs-and-secrets/midpoint/httpd/host-cert.pem deleted file mode 100644 index 9b1021b..0000000 --- a/demo/extrepo/configs-and-secrets/midpoint/httpd/host-cert.pem +++ /dev/null 
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDqDCCApCgAwIBAgIJAMOSkn4oS2aAMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNV -BAYTAlVTMQswCQYDVQQIDAJNSTESMBAGA1UEBwwJQW5uIEFyYm9yMRcwFQYDVQQK -DA5JbnRlcm5ldDIvVElFUjEgMB4GA1UEAwwXbWlkcG9pbnQuc3AuZXhhbXBsZS5v -cmcwHhcNMTgwOTE0MDU1OTQ1WhcNMTkwOTE0MDU1OTQ1WjBpMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEXMBUGA1UECgwOSW50 -ZXJuZXQyL1RJRVIxIDAeBgNVBAMMF21pZHBvaW50LnNwLmV4YW1wbGUub3JnMIIB -IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApj/b7MEUSfu3oXMfNgRwTse7 -a5UV7Jswf1M/ZN/ZZkAkIxNBevZgozjesvLPWrmsTgONi7XigJUJvCjdjmlW9eDM -lri/rkD8HuOR1DQCVKL9nvoS2c3D7sq5Emda3V8Tlj82VqfEmePd3sajx7mcTfbH -8jwAL9NhkC+WMib5IpjLGpG0FEAC0ha7Lxb+7jIiqHVJaqLXJGCyGN4mh6c1Q9S1 -f8RVTiW2a8x22G+9wnZYbkiA2Kxls177imHlhSz8EdvV4IpGw1amrEWhhuDEum7B -vZ1xQDLatgRqh4qAKLIVYeRnJ8H1FelMa90qB4G08MIPifmTsQwqJyBYaEdgWQID -AQABo1MwUTAdBgNVHQ4EFgQUqb9BteODF6wv5R57aEON/wGXMiowHwYDVR0jBBgw -FoAUqb9BteODF6wv5R57aEON/wGXMiowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG -9w0BAQsFAAOCAQEAAcKhxI+tSItrXmqC0PSmgWyAYpqbkz6W/cefTutXqhIgY09f -h0LSv7ogTahoGpyiZk9vy6u3OE9bYwxapEfa4KBjO6HxBMIVBBb3RegVjoPzjElN -BDwAx0VGFcZTXwMxDWycWdG8ql7rCZBvS50w04uTaIgnGmqXAdWWmBgfJ9cRbxW+ -JwO/mOl1QM1lR/5142NpvuUVWlmZSKEGydE5A1qPz2wpDbBR1ym1BQNS4NEqw6Kp -GSB8jKyCS1Ve0v2wVze2038Wukz02dq9uKPTIO3T+B+ibZmxn6Op/kFCc1/kK5NS -Q6JdO1B6KquGAYdGmKAcQ19mv+jqGktqWEEf0g== ------END CERTIFICATE----- diff --git a/demo/extrepo/configs-and-secrets/midpoint/httpd/host-key.pem b/demo/extrepo/configs-and-secrets/midpoint/httpd/host-key.pem deleted file mode 100644 index 5746e59..0000000 --- a/demo/extrepo/configs-and-secrets/midpoint/httpd/host-key.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmP9vswRRJ+7eh -cx82BHBOx7trlRXsmzB/Uz9k39lmQCQjE0F69mCjON6y8s9auaxOA42LteKAlQm8 -KN2OaVb14MyWuL+uQPwe45HUNAJUov2e+hLZzcPuyrkSZ1rdXxOWPzZWp8SZ493e -xqPHuZxN9sfyPAAv02GQL5YyJvkimMsakbQUQALSFrsvFv7uMiKodUlqotckYLIY -3iaHpzVD1LV/xFVOJbZrzHbYb73CdlhuSIDYrGWzXvuKYeWFLPwR29XgikbDVqas -RaGG4MS6bsG9nXFAMtq2BGqHioAoshVh5GcnwfUV6Uxr3SoHgbTwwg+J+ZOxDCon -IFhoR2BZAgMBAAECggEAEIRBpjjceiku6jRUwnoYaks/nIWYQwR8AfpUTwJKR/VR -Yca097Fokm7A+UhUP3A45RtHQb0VPq8P44iv0kk24YCu8r5yFK7SHYOAZnOwU5ZJ -2jSAEPF3aM7tKh3okhuzB3dKP7u1NZDE5zAW723KUJiW7sL1RcsbY0bHBj6G+9/H -NplmsjuGt684vRBB0qOBfKF7EiG7mT69tHuNj4gRza9SMY31UtKbZdt2fNY6mp5V -HscMba7egZP+Ke0pVX4+go9j7K8GG8hYaQDLjrzlPqrxZ2c5X9cC+CRDI/CHuL/s -V/2yGZJ6n6UabwZoH83RdFrbQ94rU8Hkli6EvxXvMQKBgQDRpheNW5jDG5TfeJKh -yfKTDQqH2Tk3BsBYYBN7Hf3m7vbkzlxnAKJAoSLmtRMuoeXvI5MrhzaHGsNIUS76 -LDIZnvB7DLUxhFUZsCPkpAA1QHuTWY96oR3PHnPjpk8lSUvtbOPwDLdzVApeFJgZ -VqMNArZ7AHsK3Kkyi+f4WVQjbQKBgQDLAWiGb5dx6fAM2W6B6HjNmzjBWOuVEXa2 -76to9jzupBZmETfZgxtWUaWUDuNS+f7dtVUTE+p6v/w8clrHEhEZYkqunIOLo/UA -LFPiuoTfEsWb1rh+nsCjCgy4uimixj/bSkf7NC6NyKTvCygA1mGnVVJUEPegYlDy -LXCkaKWxHQKBgQCmyHSKL2lrJkEcOwakEU2acNCE3Gno/cT9SYmV83kvQ8JEqmrW -QqnRsp9aXIljGscapPmKsmnNt5vNp1AxFAHTYh88NRLczsMIyZj0ZwgHVUI6KhC7 -5Psa78YQQBlMt2/g9TSsnuE+rYgF6mpKFiNm0Vasqeg47uzn2mdzqlUGTQKBgE04 -JutkTUY+h1pL5vYxWKpVDfy19z7H2tFxT1FowPrBneeLSyRI88Ac5I/yLdRlVeY9 -0LOmEr5Igwj3MsKgg7KVKfVLgdo/LrW3Jt2Kt3onKNXDkoBPoNUjwH0QC0Boiue+ -VK0gR0kVdm+bXccbxR+im+NwZNE0NLg6Qqu3RredAoGBALuVoqbPPmTCZXYG328H -bzOs2aiR7BzPSVByV+qG6jW7w03RAnFPJZp7HMU+ViI5VY0wabUscMSvz5163+gM -4KwY3v9ZjZzZGukIfLuudkdqtaiVOx/KeAC0n+nG21YU+wpZww8gkfHh1/sa2CME -CWYCgOnmiTHcj83UaTqEXtmv ------END PRIVATE KEY----- diff --git a/demo/extrepo/docker-compose.yml b/demo/extrepo/docker-compose.yml deleted file mode 100644 index ae4ad6a..0000000 --- a/demo/extrepo/docker-compose.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -version: "3.3" - -services: - midpoint_server: - image: tier/midpoint:latest - ports: - - 8443:443 - environment: - - ENV - - USERTOKEN - - REPO_DATABASE_TYPE - - REPO_JDBC_URL - - REPO_HOST - - REPO_PORT - - REPO_DATABASE - - REPO_USER - - REPO_MISSING_SCHEMA_ACTION - - REPO_UPGRADEABLE_SCHEMA_ACTION - - REPO_SCHEMA_VERSION_IF_MISSING - - REPO_SCHEMA_VARIANT - - MP_MEM_MAX - - MP_MEM_INIT - - MP_JAVA_OPTS - - TIER_BEACON_OPT_OUT - - TIMEZONE - networks: - - net - secrets: - - mp_database_password.txt - - mp_keystore_password.txt - - mp_host-key.pem - volumes: - - midpoint_home:/opt/midpoint/var - - type: bind - source: ./configs-and-secrets/midpoint/httpd/host-cert.pem - target: /etc/pki/tls/certs/host-cert.pem - - type: bind - source: ./configs-and-secrets/midpoint/httpd/host-cert.pem - target: /etc/pki/tls/certs/cachain.pem - -networks: - net: - driver: bridge - -secrets: - mp_database_password.txt: - file: ./configs-and-secrets/midpoint/application/database_password.txt - mp_keystore_password.txt: - file: ./configs-and-secrets/midpoint/application/keystore_password.txt - mp_host-key.pem: - file: ./configs-and-secrets/midpoint/httpd/host-key.pem - -volumes: - midpoint_home: diff --git a/demo/grouper/.env b/demo/grouper/.env deleted file mode 100644 index 6cca1f1..0000000 --- a/demo/grouper/.env +++ /dev/null @@ -1,12 +0,0 @@ -ENV=demo -REPO_DATABASE_TYPE=mariadb -REPO_JDBC_URL=default -REPO_HOST=midpoint_data -REPO_PORT=default -REPO_DATABASE=registry -REPO_USER=registry_user -REPO_MISSING_SCHEMA_ACTION=create -REPO_UPGRADEABLE_SCHEMA_ACTION=stop -MP_MEM_MAX=2048m -MP_MEM_INIT=1024m -TIMEZONE=UTC diff --git a/demo/grouper/README.md b/demo/grouper/README.md deleted file mode 100644 index a0e5d88..0000000 --- a/demo/grouper/README.md +++ /dev/null 
@@ -1,9 +0,0 @@ -This is a demonstration of using midPoint dockerization for TIER environment in a broader context. It is a work in progress. - -# Building and execution -``` -$ ../../build.sh -$ docker-compose up --build -``` - -Please see a detailed description [here](https://spaces.at.internet2.edu/x/VhLtBw). diff --git a/demo/grouper/add-ref-groups.gsh b/demo/grouper/add-ref-groups.gsh deleted file mode 100644 index b4561f9..0000000 --- a/demo/grouper/add-ref-groups.gsh +++ /dev/null @@ -1,21 +0,0 @@ - -def addGroups(gs,stem,owner,regexp) { - for (group in stem.childGroups) { - if (!group.name.endsWith('_includes') && - !group.name.endsWith('_excludes') && - !group.name.endsWith('_systemOfRecord') && - !group.name.endsWith('_systemOfRecordAndIncludes') && - (regexp == null || group.extension ==~ regexp)) { - println 'Adding: ' + group - def s = SubjectFinder.findById(group.getId(), 'group', 'g:gsa') - owner.addMember(s, false) - } else { - println 'Ignoring: ' + group - } - } -} - -gs = GrouperSession.startRootSession() -def cs = GroupFinder.findByName(gs, "app:cs", true) - -addGroups(gs, StemFinder.findByName(gs, 'ref:course'), cs, /CS.*/) diff --git a/demo/grouper/add-ref-groups.sh b/demo/grouper/add-ref-groups.sh deleted file mode 100755 index bfb93cf..0000000 --- a/demo/grouper/add-ref-groups.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash -source ../../library.bash - -execute_gsh grouper_grouper_daemon_1 add-ref-groups.gsh diff --git a/demo/grouper/after-installation.sh b/demo/grouper/after-installation.sh deleted file mode 100755 index aefe3b1..0000000 --- a/demo/grouper/after-installation.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash - -B='\033[1;33m' -N='\033[0m' - -echo -e "${B} * Uploading objects...${N}" -$(dirname "$0")/upload-objects.sh - -echo -e "${B} * Testing resources...${N}" -$(dirname "$0")/test-resources.sh - -echo -e "${B} * Recomputing Grouper admin group and user object...${N}" -$(dirname "$0")/recompute.sh - -echo -e "${B} * Done${N}" 
diff --git a/demo/grouper/beacon/Dockerfile b/demo/grouper/beacon/Dockerfile
new file mode 100644
index 0000000..256352c
--- /dev/null
+++ b/demo/grouper/beacon/Dockerfile
@@ -0,0 +1,15 @@
+FROM rockylinux:9.3
+
+COPY container_files/* /opt/tier/
+
+RUN dnf update -y --disablerepo=\* --enablerepo=baseos && \
+ dnf install -y cronie-anacron crontabs cronie --disablerepo=\* --enablerepo=baseos && \
+ dnf clean all -y ; \
+ rm -rf /var/cache/dnf ; \
+ /opt/tier/setup-cron.sh ;
+
+ENV TIER_RELEASE=not-released-yet \
+ TIER_MAINTAINER=tier \
+ MP_VERSION=4.8
+
+CMD [ "/usr/sbin/crond", "-n", "-i", "-m", "off" ]
diff --git a/container_files/usr-local-bin/sendtierbeacon.sh b/demo/grouper/beacon/container_files/sendtierbeacon.sh
similarity index 85%
rename from container_files/usr-local-bin/sendtierbeacon.sh
rename to demo/grouper/beacon/container_files/sendtierbeacon.sh
index 2f263bb..8f066f7 100755
--- a/container_files/usr-local-bin/sendtierbeacon.sh
+++ b/demo/grouper/beacon/container_files/sendtierbeacon.sh
@@ -25,13 +25,15 @@ EOF # echo "going to send TIER beacon to ${LOGHOST}:${LOGPORT}:" # cat $messagefile - curl -s -XPOST "${LOGHOST}:${LOGPORT}/" -H 'Content-Type: application/json' -T $messagefile 1>/dev/null 2>&1 + curl -s -XPOST "${LOGHOST}:${LOGPORT}/" -H 'Content-Type: application/json' -T $messagefile >/dev/null 2>&1 if [ $? -eq 0 ]; then - echo "TIER beacon sent" + echo "TIER beacon sent" else echo "Failed to send TIER beacon" fi rm -f $messagefile 1>/dev/null 2>&1 +else + echo "TIER beacon skipped - scheduled but Opted out" fi
diff --git a/demo/grouper/beacon/container_files/setup-cron.sh b/demo/grouper/beacon/container_files/setup-cron.sh
new file mode 100755
index 0000000..2d33d3a
--- /dev/null
+++ b/demo/grouper/beacon/container_files/setup-cron.sh
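Review bot: `/opt/tier/setup-cron.sh` is executed inside the `RUN` step, so the `$RANDOM`-based minute and hour it writes into the crontab are chosen once at image build time and every container started from this image sends the beacon in the same slot; the removed `startup.sh` ran the same script at container start precisely "to ensure sufficient variability of execution times". Drop the `/opt/tier/setup-cron.sh ;` line from the `RUN` and run it at startup instead, e.g. replace the `CMD` with `ENTRYPOINT ["/bin/sh", "-c", "/opt/tier/setup-cron.sh && exec /usr/sbin/crond -n -i -m off"]`. The `;` separators after `dnf clean all -y` also mean a failing clean or `rm -rf` does not fail the build; chaining the whole step with `&&` keeps it atomic. The blanket `dnf update -y` bakes an unpinned upgrade into the layer; bumping the `rockylinux` tag/digest is the reproducible way to pick up fixes.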
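Review bot: The `if [ $? -eq 0 ]` test after the rewritten `curl` line only reflects curl's own exit status; without `-f`, an HTTP 4xx/5xx response from `${LOGHOST}:${LOGPORT}` still exits 0 and the script logs `TIER beacon sent`. The commit only changed the stdout redirect on that line, so the check is as weak as before: `curl -sf -XPOST "${LOGHOST}:${LOGPORT}/" -H 'Content-Type: application/json' -T "$messagefile" >/dev/null 2>&1` would make the `else` branch meaningful, and quoting `$messagefile` guards against word splitting. The `if` that the newly added `else` branch belongs to starts before this hunk, so the opt-out condition itself is not visible here.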
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+CRONFILE=/opt/tier/tier-cron
+
+echo "#send daily \"beacon\" to central" > ${CRONFILE}
+echo "" >> ${CRONFILE}
+echo "# ┌───────────── minute (0–59)" >> ${CRONFILE}
+echo "# │ ┌───────────── hour (0–23)" >> ${CRONFILE}
+echo "# │ │ ┌───────────── day of the month (1–31)" >> ${CRONFILE}
+echo "# │ │ │ ┌───────────── month (1–12)" >> ${CRONFILE}
+echo "# │ │ │ │ ┌───────────── day of the week (0–6) (Sunday to Saturday;" >> ${CRONFILE}
+echo "# │ │ │ │ │ 7 is also Sunday on some systems)" >> ${CRONFILE}
+echo "# │ │ │ │ │" >> ${CRONFILE}
+echo "# │ │ │ │ │" >> ${CRONFILE}
+echo "# * * * * * <command to execute>" >> ${CRONFILE}
+echo "" >> ${CRONFILE}
+echo "$(expr $RANDOM % 60) $(expr $RANDOM % 4) * * * /opt/tier/sendtierbeacon.sh 2>&1 | tee /proc/1/fd/1 >> /tmp/logcrond" >> ${CRONFILE}
+echo "" >> ${CRONFILE}
+echo "# List the current setting of the crontab to the log (when is the beacon scheduled)" >> ${CRONFILE}
+echo "@reboot crontab -l >/proc/1/fd/1" >> ${CRONFILE}
+echo "" >> ${CRONFILE}
+
+chmod 644 ${CRONFILE}
+crontab ${CRONFILE}
diff --git a/demo/grouper/configs-and-secrets/grouper/application/grouper-loader.properties b/demo/grouper/configs-and-secrets/grouper/application/grouper-loader.properties
old mode 100644
new mode 100755
index 62ef5f0..fe0865b
--- a/demo/grouper/configs-and-secrets/grouper/application/grouper-loader.properties
+++ b/demo/grouper/configs-and-secrets/grouper/application/grouper-loader.properties
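Review bot: The random schedule `$(expr $RANDOM % 60) $(expr $RANDOM % 4)` is evaluated when this script runs, and the beacon Dockerfile in this commit runs it from a `RUN` step, so the minute and hour are fixed once per image build and every container started from that image sends its beacon at the same moment. If the randomisation is meant to spread load per container, invoke the script from the container entrypoint instead; if the build-time choice is intended, say so with `# schedule is randomised once per image build, not per container` next to that line. The script also has no `set -e`, so a failing `echo` (for example if `/opt/tier` is missing) is ignored and only the final `crontab ${CRONFILE}` decides the exit status; `set -euo pipefail` after the shebang would make the earlier failures visible.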
@@ -51,6 +51,57 @@ db.sis.pass = 49321420423 db.sis.url = jdbc:mysql://sources:3306/sis db.sis.driver = com.mysql.jdbc.Driver +# midpoint External System +db.midPoint.driver = org.postgresql.Driver +#db.midPoint.pass = ${java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE') != null ? org.apache.commons.io.FileUtils.readFileToString(java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE'), "utf-8") : java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD') } +db.midPoint.pass = password +db.midPoint.url = jdbc:postgresql://grouper_data:5432/grouper_to_midpoint?CharSet=utf8 +db.midPoint.user = grouper + +# provisioner midpoint +provisioner.midPoint.class = edu.internet2.middleware.grouper.app.midpointProvisioning.MidPointProvisioner +provisioner.midPoint.configureMetadata = true +provisioner.midPoint.customizeEntityCrud = true +provisioner.midPoint.customizeGroupCrud = true +provisioner.midPoint.customizeMembershipCrud = true +provisioner.midPoint.dbExternalSystemConfigId = midPoint +provisioner.midPoint.deleteEntities = true +provisioner.midPoint.deleteEntitiesIfNotExistInGrouper = false +provisioner.midPoint.deleteEntitiesIfGrouperDeleted = true +provisioner.midPoint.deleteGroups = true +provisioner.midPoint.deleteGroupsIfNotExistInGrouper = true +provisioner.midPoint.deleteMemberships = true +provisioner.midPoint.deleteMembershipsIfNotExistInGrouper = false +provisioner.midPoint.deleteMembershipsIfGrouperDeleted = true +provisioner.midPoint.makeChangesToEntities = true +provisioner.midPoint.metadata.0.name = md_grouper_emailListName +provisioner.midPoint.metadata.0.showForGroup = true +provisioner.midPoint.midPointDeletedColumnName = deleted +provisioner.midPoint.midPointLastModifiedColumnName = last_modified +provisioner.midPoint.midPointLastModifiedColumnType = long +provisioner.midPoint.midPointTablesPrefix = gr +provisioner.midPoint.numberOfGroupAttributes = 1 +provisioner.midPoint.numberOfMetadata = 1 
+provisioner.midPoint.operateOnGrouperEntities = true +provisioner.midPoint.operateOnGrouperGroups = true +provisioner.midPoint.operateOnGrouperMemberships = true +provisioner.midPoint.provisioningType = membershipObjects +provisioner.midPoint.selectAllEntities = true +provisioner.midPoint.startWith = this is start with read only +provisioner.midPoint.subjectSourcesToProvision = ldap +provisioner.midPoint.targetGroupAttribute.0.name = emailListName +provisioner.midPoint.targetGroupAttribute.0.translateExpression = \u0024{grouperProvisioningGroup.retrieveAttributeValueString('md_grouper_emailListName')} +provisioner.midPoint.targetGroupAttribute.0.translateExpressionType = translationScript + +# changeLog/FullSync midPoint +changeLog.consumer.midPoint.class = edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer +changeLog.consumer.midPoint.provisionerConfigId = midPoint +changeLog.consumer.midPoint.publisher.class = edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer +changeLog.consumer.midPoint.quartzCron = 0/10 * * * * ? +otherJob.midPoint_FullSync.class = edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob +otherJob.midPoint_FullSync.provisionerConfigId = midPoint +otherJob.midPoint_FullSync.quartzCron = 0 0 4 * * ? + ##################################### ## Messaging integration with change log diff --git a/demo/grouper/configs-and-secrets/grouper/application/grouper.hibernate.properties b/demo/grouper/configs-and-secrets/grouper/application/grouper.hibernate.properties old mode 100644 new mode 100755 index deb0d75..a334fda --- a/demo/grouper/configs-and-secrets/grouper/application/grouper.hibernate.properties +++ b/demo/grouper/configs-and-secrets/grouper/application/grouper.hibernate.properties 
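Review bot: `db.midPoint.url` points at host `grouper_data`, while the grouper.hibernate.properties hunk in this same commit points `hibernate.connection.url` at `grouper-data`; unless both names resolve on the compose network (not visible here), one of the two connections will fail, so the two host names should be made to agree. `db.midPoint.pass = password` also commits a plaintext credential while the line above it keeps the env-var/secret-file expression commented out; restoring that expression under the `.elConfig` key form that grouper.hibernate.properties used keeps the password out of the repository even for a demo.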
@@ -20,10 +20,13 @@ # e.g. hsqldb (b): jdbc:hsqldb:hsql://localhost:9001/grouper # e.g. postgres: jdbc:postgresql://localhost:5432/database # e.g. mssql: jdbc:sqlserver://localhost:3280;databaseName=grouper -hibernate.connection.url = jdbc:mysql://grouper_data:3306/grouper?CharSet=utf8&useUnicode=true&characterEncoding=utf8 +hibernate.connection.url = jdbc:postgresql://grouper-data:5432/grouper -hibernate.connection.username = root +hibernate.connection.username = grouper # If you are using an empty password, depending upon your version of # Java and Ant you may need to specify a password of "". # Note: you can keep passwords external and encrypted: https://bugs.internet2.edu/jira/browse/GRP-122 -hibernate.connection.password.elConfig = ${java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE') != null ? org.apache.commons.io.FileUtils.readFileToString(java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE'), "utf-8") : java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD') } +# hibernate.connection.password.elConfig = ${java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE') != null ? org.apache.commons.io.FileUtils.readFileToString(java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE'), "utf-8") : java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD') } +hibernate.connection.password = password +hibernate.c3p0.max_size = 200 + diff --git a/demo/grouper/configs-and-secrets/grouper/application/grouper.properties b/demo/grouper/configs-and-secrets/grouper/application/grouper.properties old mode 100644 new mode 100755 index c931287..086d9a6 --- a/demo/grouper/configs-and-secrets/grouper/application/grouper.properties +++ b/demo/grouper/configs-and-secrets/grouper/application/grouper.properties 
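Review bot: The externalized `hibernate.connection.password.elConfig` lookup (env var or `GROUPER_DATABASE_PASSWORD_FILE`) is commented out and replaced by a literal `hibernate.connection.password = password`, and the same commit changes rabbitmq_password.txt to `password`; this moves credentials from the runtime environment into the repository, where they persist in history even after a later change. Keep the `.elConfig` line active and supply a demo value through `GROUPER_DATABASE_PASSWORD` in the compose environment instead. If a literal is kept on purpose, a comment such as `# demo-only credential, overridden via GROUPER_DATABASE_PASSWORD in real deployments` should accompany it.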
@@ -23,3 +23,9 @@ groups.wheel.group = etc:sysadmingroup
 # Used to allow Include Exclude groups
 grouperIncludeExclude.use = true
 grouperIncludeExclude.requireGroups.use = true
+
+# to allow periods in id paths, changed with grouper 2.5.49
+stem.validateExtensionByDefault = false
+group.validateExtensionByDefault = false
+attributeDef.validateExtensionByDefault = false
+attributeDefName.validateExtensionByDefault = false
diff --git a/demo/grouper/configs-and-secrets/grouper/application/grouper.text.en.us.properties b/demo/grouper/configs-and-secrets/grouper/application/grouper.text.en.us.properties
new file mode 100644
index 0000000..148ca04
--- /dev/null
+++ b/demo/grouper/configs-and-secrets/grouper/application/grouper.text.en.us.properties
@@ -0,0 +1,3 @@
+md_grouper_emailListName_midPoint_description = Enter the email list description
+md_grouper_emailListName_midPoint_label = Email list name
+
diff --git a/demo/grouper/configs-and-secrets/grouper/application/rabbitmq_password.txt b/demo/grouper/configs-and-secrets/grouper/application/rabbitmq_password.txt
index 158f675..f3097ab 100644
--- a/demo/grouper/configs-and-secrets/grouper/application/rabbitmq_password.txt
+++ b/demo/grouper/configs-and-secrets/grouper/application/rabbitmq_password.txt
@@ -1 +1 @@
-guest
\ No newline at end of file
+password
diff --git a/demo/grouper/configs-and-secrets/grouper/application/subject.properties b/demo/grouper/configs-and-secrets/grouper/application/subject.properties
old mode 100644
new mode 100755
index 577db03..5bd2388
--- a/demo/grouper/configs-and-secrets/grouper/application/subject.properties
+++ b/demo/grouper/configs-and-secrets/grouper/application/subject.properties
@@ -56,7 +56,7 @@ subjectApi.source.ldap.param.searchAttribute0.value = searchAttribute0 #searchSubject: find a subject by ID. ID is generally an opaque and permanent identifier, e.g. 12345678. # Each subject has one and only on ID. Returns one result when searching for one ID. -subjectApi.source.ldap.search.searchSubject.param.filter.value = (&(uid=%TERM%)(objectclass=person)) +subjectApi.source.ldap.search.searchSubject.param.filter.value = (&(uid=%TERM%)(objectClass=person)) subjectApi.source.ldap.search.searchSubject.param.scope.value = SUBTREE_SCOPE subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people @@ -64,7 +64,7 @@ subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people # identifies the user, e.g. jsmith or jsmith@institution.edu. # Subjects can have multiple identifiers. Note: it is nice to have if identifiers are unique # even across sources. Returns one result when searching for one identifier. -subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(|(uid=%TERM%)(employeeNumber=%TERM%))(objectclass=person)) +subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(|(uid=%TERM%)(employeeNumber=%TERM%)(incwbPersonEmployeeID=%TERM%)(incwbPersonStudentID=%TERM%)(incwbPersonGuestID=%TERM%))(objectClass=person)) subjectApi.source.ldap.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people diff --git a/demo/grouper/configs-and-secrets/grouper/httpd/cachain-cer.pem b/demo/grouper/configs-and-secrets/grouper/grouperWebapp/WEB-INF/classes/grouper-loader.properties old mode 100644 new mode 100755 similarity index 100% rename from demo/grouper/configs-and-secrets/grouper/httpd/cachain-cer.pem rename to demo/grouper/configs-and-secrets/grouper/grouperWebapp/WEB-INF/classes/grouper-loader.properties 
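Review bot: The widened `searchSubjectByIdentifier` filter now matches `uid`, `employeeNumber` and three `incwbPerson*ID` attributes, but the comment above it still states "Returns one result when searching for one identifier"; that only holds if the values of all five attributes are disjoint across directory entries, and a numeric employee ID colliding with another person's student or guest ID is the obvious way it breaks. Either confirm the directory enforces that uniqueness or record the assumption, e.g. `# assumes uid/employeeNumber/incwbPerson*ID values never collide across entries`. The `objectclass` → `objectClass` change in the first hunk is cosmetic, since LDAP attribute names are case-insensitive.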
diff --git a/demo/grouper/configs-and-secrets/grouper/grouperWebapp/WEB-INF/classes/grouper.client.properties b/demo/grouper/configs-and-secrets/grouper/grouperWebapp/WEB-INF/classes/grouper.client.properties new file mode 100755 index 0000000..e69de29 diff --git a/demo/grouper/configs-and-secrets/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties b/demo/grouper/configs-and-secrets/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties new file mode 100755 index 0000000..e69de29 diff --git a/demo/grouper/configs-and-secrets/grouper/grouperWebapp/WEB-INF/classes/grouper.properties b/demo/grouper/configs-and-secrets/grouper/grouperWebapp/WEB-INF/classes/grouper.properties new file mode 100755 index 0000000..e69de29 diff --git a/demo/grouper/configs-and-secrets/grouper/grouperWebapp/WEB-INF/classes/grouperText/grouper.text.en.us.properties b/demo/grouper/configs-and-secrets/grouper/grouperWebapp/WEB-INF/classes/grouperText/grouper.text.en.us.properties new file mode 100755 index 0000000..e69de29 diff --git a/demo/grouper/configs-and-secrets/grouper/grouperWebapp/WEB-INF/classes/subject.properties b/demo/grouper/configs-and-secrets/grouper/grouperWebapp/WEB-INF/classes/subject.properties new file mode 100755 index 0000000..e69de29 diff --git a/demo/grouper/configs-and-secrets/grouper/httpd/host-cert.pem b/demo/grouper/configs-and-secrets/grouper/httpd/host-cert.pem deleted file mode 100644 index 9cc228a..0000000 --- a/demo/grouper/configs-and-secrets/grouper/httpd/host-cert.pem +++ /dev/null 
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDPDCCAiQCCQDNZe8r0hVtuTANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEXMBUGA1UECgwOSW50 -ZXJuZXQyL1RJRVIxFzAVBgNVBAMMDnNwLmV4YW1wbGUub3JnMB4XDTE3MDkyMjE5 -NTAzNVoXDTI3MDkyMDE5NTAzNVowYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1J -MRIwEAYDVQQHDAlBbm4gQXJib3IxFzAVBgNVBAoMDkludGVybmV0Mi9USUVSMRcw -FQYDVQQDDA5zcC5leGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC -AQoCggEBAMTNJmsNpTpR4NrDJwOgK/o3UYlNdi1c6xBflt+liLAsQc160QReV4dS -SGK8LZvN58a/BTIsH8dLhQlUQ8qQUY2AfolVrNxb7Waumeh/POzYUTRylnoGpU3W -bGMEPxE/AdgP5U/adYvyu4XI5epv7wjZJOTqcVag15SalY+aso+ZC/5l+UzRxmWB -ZxKTsSL1y7PFehY4/Zl3Y3oGVsVl/zspt5lteoZQeeVxUX29S3Af11yHY4xpEp+7 -rvAzY/nlsTiHAsUoCFK/NFQ2evvSRx52B9Fk1cWP1MDVDm2QjQqD9xBGYSnX6bhQ -ejVx7JUJHlblu2Q5p5XdW0BihgFluoECAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA -n/qhYnIviPs4tglCdrw+M7gbqKNWadDC3F9HDYzlJMFeS/ae2turhEUgQPbYPDQQ -eO3oOILtvCXNFUPM58jf8V5YFRrOqrTgx44kexQDaHO5YYNft5tF5TdvBYE2gOVr -GdYrH2iSP8WX+Yy7JH5uqkfwWzEntWHJdey39rCWKAUCCB35+/2b4N53Qmlv2+ug -CpNJYFtXInd4YMmM5HjXLyoWXtjnKiwDqYUCeYPSwAajnCqRqRXUX0gYTFDRiwRP -HbmO9We0nqoc/71nikmGGoSRMO/zWVMFjwmAx1fGiWdU61sjGX8sHifzmVyJVEBI -Z75p+JrWYZJYrx/vpWxL8g== ------END CERTIFICATE----- diff --git a/demo/grouper/configs-and-secrets/grouper/httpd/host-key.pem b/demo/grouper/configs-and-secrets/grouper/httpd/host-key.pem deleted file mode 100644 index 1b0b579..0000000 --- a/demo/grouper/configs-and-secrets/grouper/httpd/host-key.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEzSZrDaU6UeDa -wycDoCv6N1GJTXYtXOsQX5bfpYiwLEHNetEEXleHUkhivC2bzefGvwUyLB/HS4UJ -VEPKkFGNgH6JVazcW+1mrpnofzzs2FE0cpZ6BqVN1mxjBD8RPwHYD+VP2nWL8ruF -yOXqb+8I2STk6nFWoNeUmpWPmrKPmQv+ZflM0cZlgWcSk7Ei9cuzxXoWOP2Zd2N6 -BlbFZf87KbeZbXqGUHnlcVF9vUtwH9dch2OMaRKfu67wM2P55bE4hwLFKAhSvzRU -Nnr70kcedgfRZNXFj9TA1Q5tkI0Kg/cQRmEp1+m4UHo1ceyVCR5W5btkOaeV3VtA -YoYBZbqBAgMBAAECggEAA/5t0ypZug9DUu0283niqpdIzlKGHXGPS6vE8hD37ytW -wobFiyMm/5YJ5gcPnePV2lCyGEyQ8Ih10LSnE4tOPGLpLnxQn8A11ymf8fnzEJNr -Qnc42o0b+bJqTLAfX4g5z1qzOqWiUQ7CA3sKP3G6FiHh/8tKNYnaFif09Q8cpJFb -YDDkvm48NJgsrIoCgmaFIQIn+yDzGQKWwTNMIks+RByWpc67j1x1kiyQM1RfrEev -Yyq/ZkP66IYZzmZKpFCWGs5qbRZdxyXNpq85DjwA99lAH7vxtMJHQM4z1h1eDH4L -Ma5hEnmmHu4D5lF2GDQYflvuFdDGH5tThO6MV0IrSQKBgQD+kvEtNxJCMxLOVFyV -NWF3pk/i2nkD+53t/VPXjMPtW7IesouEGzU82I/fT2wUTkNwFdkVpv37qoLypKZm -npJFxr6abQNjiDh2Fsh8/iuJfvdZUFJbCEY6NS58qgjix8XCQKRD06EugK7uekIZ -zJnttF3qVBBD8Z8Uwxz8i+jF1wKBgQDF51y/5XB6Bz47cdxw7P8NsfnTz2V3H0HU -OnlEBANbhmBadjU8dqbM54Nxbn7VOdooXPuSnAKJ9vPDg1n5Y/GO+lgldNzfyK6g -HnbldSu0zBvAaGvmAjLjetEtOkBqYkrHJlT6JAems/Kc/YX5uooAz9/jNJFXP9++ -KbjH3CzHZwKBgQC6ppxEDZPKi83nD/2NvMTIyFzcNFj0LaEepFW7vc7NkiSn0zrt -0lEXWqUqEv5oaPWTEcHH2VdxFRTLuSL0LKGMnWqUqQcKDA9xrcSzuFvNhRTwHC81 -5XwwI1wBNV4sgFKj2WdW/6y2/szDt0oNxnC50zvkmlwOpPKBc4kmNaKmowKBgBmC -uXIDIXyZcmw3QTNNWZNqXcnv8iRo4xN4dilOWyBxMfp3QmWI5feD4G2+0Jqr2nNZ -iRRdB/bA3qtVQ0PinkDQBIzPg6lVNS1uv+TUNc4YgXtL+pyrq+Om8U/jMmqEQR9q -0YltG49houSZyatnYGK6aSHgpNuaYD0jI66fsyYBAoGAMefyD0I/ncArjuf58hVQ -zSjxfcvlja9okrC8ZgqsVluezcm4rQNcSjBnESGTCjJC7O29AofGLHkvnsBQDiGk -hE38IRisd+okXdApr41ifWDhmtASud5q6wlhOpMmQxg+OALf1rTvFYhbnFEXV/KY -e5A4iXLRIbxbmXZDa35Rebw= ------END PRIVATE KEY----- diff --git a/demo/grouper/configs-and-secrets/grouper/httpd/shib.conf b/demo/grouper/configs-and-secrets/grouper/httpd/shib.conf new file mode 100755 index 0000000..9c33671 --- /dev/null +++ b/demo/grouper/configs-and-secrets/grouper/httpd/shib.conf 
@@ -0,0 +1,54 @@ +# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig + +# RPM installations on platforms with a conf.d directory will +# result in this file being copied into that directory for you +# and preserved across upgrades. + +# For non-RPM installs, you should copy the relevant contents of +# this file to a configuration location you control. + +# +# Load the Shibboleth module. +# +LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so + +# +# Turn this on to support "require valid-user" rules from other +# mod_authn_* modules, and use "require shib-session" for anonymous +# session-based authorization in mod_shib. +# +ShibCompatValidUser Off + +# +# Ensures handler will be accessible. +# +<Location /grouperSSO/Shibboleth.sso> + AuthType None + Require all granted + SetHandler shib +</Location> + +# +# Used for example style sheet in error templates. +# +<IfModule mod_alias.c> + <Location /shibboleth-sp> + AuthType None + Require all granted + </Location> + Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css +</IfModule> + +# +# Configure the module for content. +# +# You MUST enable AuthType shibboleth for the module to process +# any requests, and there MUST be a require command as well. To +# enable Shibboleth but not specify any session/access requirements +# use "require shibboleth". +# +<Location /secure> + AuthType shibboleth + ShibRequestSetting requireSession 1 + require shib-session +</Location> diff --git a/demo/grouper/configs-and-secrets/grouper/shibboleth/idp-metadata.xml b/demo/grouper/configs-and-secrets/grouper/shibboleth/idp-metadata.xml deleted file mode 100644 index 4fa67a7..0000000 --- a/demo/grouper/configs-and-secrets/grouper/shibboleth/idp-metadata.xml +++ /dev/null 
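Review bot: The only protected stanza is `<Location /secure>`, the path from the upstream example, while the handler is mounted at `/grouperSSO/Shibboleth.sso`; if the Grouper UI is served under `/grouperSSO` (as that handler path and the `handlerURL` in shibboleth2.xml suggest), nothing the application serves is actually behind `AuthType shibboleth` and `/secure` guards a path that may not exist. Confirm the path the application answers on and protect that one, or add a comment stating why `/secure` is the intended target. A one-line note above the stanza such as `# protected application path; must match the Grouper UI context` would keep the two files in step.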
@@ -1,207 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - This is example metadata only. Do *NOT* supply it as is without review, - and do *NOT* provide it in real time to your partners. - - This metadata is not dynamic - it will not change as your configuration changes. ---> -<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://idptestbed/idp/shibboleth"> - - <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0"> - - <Extensions> - <shibmd:Scope regexp="false">example.org</shibmd:Scope> -<!-- - Fill in the details for your IdP here - - <mdui:UIInfo> - <mdui:DisplayName xml:lang="en">A Name for the IdP at idptestbed</mdui:DisplayName> - <mdui:Description xml:lang="en">Enter a description of your IdP at idptestbed</mdui:Description> - <mdui:Logo height="80" width="80">https://localhost/Path/To/Logo.png</mdui:Logo> - </mdui:UIInfo> ---> - </Extensions> - - <KeyDescriptor use="signing"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy -MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH -YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M -SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2 -03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No -5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+ -XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud -DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL 
-BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac -ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98 -NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl -j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP -IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E -t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM= - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - <KeyDescriptor use="signing"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB -CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx -MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g -u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2 -Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ -Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+ -MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs -uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV -HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl -ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB -CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X -sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s -RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ -Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B -DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i -s00xrv14zLifcc8oj5DYzOhYRifRXgHX - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - <KeyDescriptor use="encryption"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy -MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB 
-AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD -cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ -l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG -ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8 -9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX -VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud -DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni -QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN -jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r -xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8 -+PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H -p+tGUbGS2l873J5PrsbpeKEVR/IIoKo= - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - - <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat> - <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat> - - <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://localhost/idp/profile/Shibboleth/SSO"/> - <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/idp/profile/SAML2/POST/SSO"/> - <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost/idp/profile/SAML2/POST-SimpleSign/SSO"/> - <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/idp/profile/SAML2/Redirect/SSO"/> - - </IDPSSODescriptor> - - - <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"> - - <Extensions> - <shibmd:Scope regexp="false">localhost</shibmd:Scope> - </Extensions> - - <KeyDescriptor use="signing"> - <ds:KeyInfo> - <ds:X509Data> - 
<ds:X509Certificate> -MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy -MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH -YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M -SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2 -03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No -5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+ -XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud -DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac -ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98 -NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl -j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP -IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E -t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM= - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - <KeyDescriptor use="signing"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB -CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx -MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g -u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2 -Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ -Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+ -MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs -uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV -HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl 
-ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB -CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X -sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s -RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ -Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B -DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i -s00xrv14zLifcc8oj5DYzOhYRifRXgHX - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - <KeyDescriptor use="encryption"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy -MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD -cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ -l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG -ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8 -9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX -VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud -DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni -QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN -jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r -xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8 -+PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H -p+tGUbGS2l873J5PrsbpeKEVR/IIoKo= - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - - - <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://localhost/idp/profile/SAML1/SOAP/AttributeQuery"/> - <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
Location="https://localhost/idp/profile/SAML2/SOAP/AttributeQuery"/> - <!-- If you uncomment the above you should add urn:oasis:names:tc:SAML:2.0:protocol to the protocolSupportEnumeration above --> - - </AttributeAuthorityDescriptor> - -</EntityDescriptor> diff --git a/demo/grouper/configs-and-secrets/grouper/shibboleth/shibboleth2.xml b/demo/grouper/configs-and-secrets/grouper/shibboleth/shibboleth2.xml old mode 100644 new mode 100755 index 0c38f82..e2d12ab --- a/demo/grouper/configs-and-secrets/grouper/shibboleth/shibboleth2.xml +++ b/demo/grouper/configs-and-secrets/grouper/shibboleth/shibboleth2.xml 
@@ -1,60 +1,53 @@ -<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" - xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" - xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" - xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" - xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" +<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" + xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180"> + <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" /> + <!-- By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache are used. See example-shibboleth2.xml for samples of explicitly configuring them. --> - <!-- - To customize behavior for specific resources on Apache, and to link vhosts or - resources to ApplicationOverride settings below, use web server options/commands. - See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help. - - For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml - file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic. - --> <TCPListener address="127.0.0.1" port="1600"/> - <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. --> <ApplicationDefaults entityID="https://grouperdemo/shibboleth" - REMOTE_USER="uid"> + REMOTE_USER="uid" + cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"> <!-- Controls session lifetimes, address checks, cookie handling, and the protocol handlers. - You MUST supply an effectively unique handlerURL value for each of your applications. - The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing - a relative value based on the virtual host. Using handlerSSL="true", the default, will force - the protocol to be https. You should also set cookieProps to "https" for SSL-only sites. 
- Note that while we default checkAddress to "false", this has a negative impact on the - security of your site. Stealing sessions via cookie theft is much easier with this disabled. + Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso" + and should be a relative path, with the SP computing the full value based on the virtual + host. Using handlerSSL="true" will force the protocol to be https. You should also set + cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to + "false", this makes an assertion stolen in transit easier for attackers to misuse. --> - <Sessions lifetime="28800" timeout="28800" relayState="ss:mem" - checkAddress="false" handlerSSL="true" cookieProps="https"> + <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" handlerURL="/grouperSSO/Shibboleth.sso" + checkAddress="false" handlerSSL="true" cookieProps="https" + redirectLimit="exact"> <!-- - Configures SSO for a default IdP. To allow for >1 IdP, remove + Configures SSO for a default IdP. To properly allow for >1 IdP, remove entityID property and adjust discoveryURL to point to discovery service. - (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.) You can also override entityID on /Login query string, or in RequestMap/htaccess. - --> - <SSO entityID="https://idptestbed/idp/shibboleth"> - SAML2 - </SSO> + --> + <SSO entityID="https://idptestbed/idp/shibboleth"> + SAML2 + </SSO> <!-- SAML and local-only logout. --> <Logout>SAML2 Local</Logout> - + + <!-- Administrative logout. --> + <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" /> + <!-- Extension service that generates "approximate" metadata based on SP configuration. --> <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/> <!-- Status reporting service. 
--> - <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/> + <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 172.16.0.0/12 192.168.0.0/16"/> <!-- Session diagnostic service. --> <Handler type="Session" Location="/Session" showAttributeValues="true"/> @@ -65,19 +58,25 @@ <!-- Allows overriding of error template information/filenames. You can - also add attributes with values that can be plugged into the templates. + also add your own attributes with values that can be plugged into the + templates, e.g., helpLocation below. --> <Errors supportContact="root@localhost" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/> - + + <!-- Example of locally maintained metadata. --> + <!-- + <MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/> + --> + <!-- Example of remotely supplied batch of signed metadata. --> <!-- <MetadataProvider type="XML" validate="true" - uri="http://example.org/federation-metadata.xml" - backingFilePath="federation-metadata.xml" reloadInterval="7200"> + url="http://federation.org/federation-metadata.xml" + backingFilePath="federation-metadata.xml" maxRefreshDelay="7200"> <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> - <MetadataFilter type="Signature" certificate="fedsigner.pem"/> + <MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/> <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" attributeName="http://macedir.org/entity-category" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" 
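Review bot: The `Status` handler acl is widened from loopback to `172.16.0.0/12 192.168.0.0/16`, which lets any host or container on those private ranges read the SP status page (loaded configuration, metadata sources, handler layout); on a shared Docker network that is every other service in the stack. If a remote probe needs it, restrict the acl to that probe's address or subnet and add a comment naming the client, e.g. `<!-- Status acl opened for the monitoring container only -->`. `checkAddress="false"` is carried over with the updated comment, which is reasonable for the demo but worth reading together with the wider acl.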
@@ -85,46 +84,29 @@ </MetadataProvider> --> - <MetadataProvider type="XML" validate="true" file="idp-metadata.xml"/> - + <!-- Example of remotely supplied "on-demand" signed metadata. --> <!-- - InCommon - <MetadataProvider type="XML" validate="true" - uri="http://md.incommon.org/InCommon/InCommon-metadata.xml" - backingFilePath="federation-metadata.xml" reloadInterval="7200"> + <MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq" + baseUrl="http://mdq.federation.org" ignoreTransport="true"> <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> - <MetdataFilter type="Signature" certificate="inc-md-cert.pem"/> - <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" - attributeName="http://macedir.org/entity-category" - attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" - attributeValue="http://refeds.org/category/hide-from-discovery" /> + <MetadataFilter type="Signature" certificate="mdqsigner.pem" /> </MetadataProvider> --> + + <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/> <!-- Map to extract attributes from SAML assertions. --> <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/> - - <!-- Use a SAML query if no attributes are supplied during SSO. --> - <AttributeResolver type="Query" subjectMatch="true"/> <!-- Default filtering policy for recognized attributes, lets other data pass. --> <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/> - <!-- Simple file-based resolver for using a single keypair. --> - <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/> - - <!-- - The default settings can be overridden by creating ApplicationOverride elements (see - the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic). - Resource requests are mapped by web server commands, or the RequestMapper, to an - applicationId setting. 
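Review bot: The `verifyBackup="false"` added to the example Signature filter turns off, as I read that attribute, signature verification of the cached `federation-metadata.xml` when the SP starts from the backing file, so a tampered local copy would be trusted until the next successful refresh. Since this is template text that deployers copy into production, I would either leave the attribute at its default or make the trade-off explicit beside it: `<!-- verifyBackup="false" skips signature checking of the backing file at startup; keep the default unless startup time is a real problem -->`. The enclosing ApplicationDefaults element starts and ends outside this hunk.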
+ <!-- Simple file-based resolvers for separate signing/encryption keys. --> + <CredentialResolver type="File" use="signing" + key="sp-key.pem" certificate="sp-cert.pem"/> + <CredentialResolver type="File" use="encryption" + key="sp-key.pem" certificate="sp-cert.pem"/> - Example of a second application (for a second vhost) that has a different entityID. - Resources on the vhost would map to an applicationId of "admin": - --> - <!-- - <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/> - --> </ApplicationDefaults> <!-- Policies that determine how to process and authenticate runtime messages. --> diff --git a/demo/grouper/configs-and-secrets/grouper/shibboleth/sp-cert.pem b/demo/grouper/configs-and-secrets/grouper/shibboleth/sp-cert.pem deleted file mode 100644 index 9cc228a..0000000 --- a/demo/grouper/configs-and-secrets/grouper/shibboleth/sp-cert.pem +++ /dev/null 
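Review bot: The new comment says "separate signing/encryption keys", but both CredentialResolver elements point at the same `sp-key.pem`/`sp-cert.pem`, so the split is cosmetic and one pair still serves both roles. The compose change elsewhere in this diff generates an `sp-signing-key.pem`/`sp-signing-cert.pem` pair; if that is meant for this SP, the signing resolver should reference it (`key="sp-signing-key.pem" certificate="sp-signing-cert.pem"`), otherwise the comment should say the pair is shared. The MDQ example also sets `ignoreTransport="true"` over plain `http://`, which is only acceptable because the Signature filter is present; a comment saying so would stop someone removing the filter later. `</ApplicationDefaults>` closes an element whose start is outside this hunk.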
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPDCCAiQCCQDNZe8r0hVtuTANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJV
-UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEXMBUGA1UECgwOSW50
-ZXJuZXQyL1RJRVIxFzAVBgNVBAMMDnNwLmV4YW1wbGUub3JnMB4XDTE3MDkyMjE5
-NTAzNVoXDTI3MDkyMDE5NTAzNVowYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1J
-MRIwEAYDVQQHDAlBbm4gQXJib3IxFzAVBgNVBAoMDkludGVybmV0Mi9USUVSMRcw
-FQYDVQQDDA5zcC5leGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAMTNJmsNpTpR4NrDJwOgK/o3UYlNdi1c6xBflt+liLAsQc160QReV4dS
-SGK8LZvN58a/BTIsH8dLhQlUQ8qQUY2AfolVrNxb7Waumeh/POzYUTRylnoGpU3W
-bGMEPxE/AdgP5U/adYvyu4XI5epv7wjZJOTqcVag15SalY+aso+ZC/5l+UzRxmWB
-ZxKTsSL1y7PFehY4/Zl3Y3oGVsVl/zspt5lteoZQeeVxUX29S3Af11yHY4xpEp+7
-rvAzY/nlsTiHAsUoCFK/NFQ2evvSRx52B9Fk1cWP1MDVDm2QjQqD9xBGYSnX6bhQ
-ejVx7JUJHlblu2Q5p5XdW0BihgFluoECAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA
-n/qhYnIviPs4tglCdrw+M7gbqKNWadDC3F9HDYzlJMFeS/ae2turhEUgQPbYPDQQ
-eO3oOILtvCXNFUPM58jf8V5YFRrOqrTgx44kexQDaHO5YYNft5tF5TdvBYE2gOVr
-GdYrH2iSP8WX+Yy7JH5uqkfwWzEntWHJdey39rCWKAUCCB35+/2b4N53Qmlv2+ug
-CpNJYFtXInd4YMmM5HjXLyoWXtjnKiwDqYUCeYPSwAajnCqRqRXUX0gYTFDRiwRP
-HbmO9We0nqoc/71nikmGGoSRMO/zWVMFjwmAx1fGiWdU61sjGX8sHifzmVyJVEBI
-Z75p+JrWYZJYrx/vpWxL8g==
------END CERTIFICATE-----
diff --git a/demo/grouper/configs-and-secrets/grouper/shibboleth/sp-key.pem b/demo/grouper/configs-and-secrets/grouper/shibboleth/sp-key.pem
deleted file mode 100644
index 1b0b579..0000000
--- a/demo/grouper/configs-and-secrets/grouper/shibboleth/sp-key.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEzSZrDaU6UeDa
-wycDoCv6N1GJTXYtXOsQX5bfpYiwLEHNetEEXleHUkhivC2bzefGvwUyLB/HS4UJ
-VEPKkFGNgH6JVazcW+1mrpnofzzs2FE0cpZ6BqVN1mxjBD8RPwHYD+VP2nWL8ruF
-yOXqb+8I2STk6nFWoNeUmpWPmrKPmQv+ZflM0cZlgWcSk7Ei9cuzxXoWOP2Zd2N6
-BlbFZf87KbeZbXqGUHnlcVF9vUtwH9dch2OMaRKfu67wM2P55bE4hwLFKAhSvzRU
-Nnr70kcedgfRZNXFj9TA1Q5tkI0Kg/cQRmEp1+m4UHo1ceyVCR5W5btkOaeV3VtA
-YoYBZbqBAgMBAAECggEAA/5t0ypZug9DUu0283niqpdIzlKGHXGPS6vE8hD37ytW
-wobFiyMm/5YJ5gcPnePV2lCyGEyQ8Ih10LSnE4tOPGLpLnxQn8A11ymf8fnzEJNr
-Qnc42o0b+bJqTLAfX4g5z1qzOqWiUQ7CA3sKP3G6FiHh/8tKNYnaFif09Q8cpJFb
-YDDkvm48NJgsrIoCgmaFIQIn+yDzGQKWwTNMIks+RByWpc67j1x1kiyQM1RfrEev
-Yyq/ZkP66IYZzmZKpFCWGs5qbRZdxyXNpq85DjwA99lAH7vxtMJHQM4z1h1eDH4L
-Ma5hEnmmHu4D5lF2GDQYflvuFdDGH5tThO6MV0IrSQKBgQD+kvEtNxJCMxLOVFyV
-NWF3pk/i2nkD+53t/VPXjMPtW7IesouEGzU82I/fT2wUTkNwFdkVpv37qoLypKZm
-npJFxr6abQNjiDh2Fsh8/iuJfvdZUFJbCEY6NS58qgjix8XCQKRD06EugK7uekIZ
-zJnttF3qVBBD8Z8Uwxz8i+jF1wKBgQDF51y/5XB6Bz47cdxw7P8NsfnTz2V3H0HU
-OnlEBANbhmBadjU8dqbM54Nxbn7VOdooXPuSnAKJ9vPDg1n5Y/GO+lgldNzfyK6g
-HnbldSu0zBvAaGvmAjLjetEtOkBqYkrHJlT6JAems/Kc/YX5uooAz9/jNJFXP9++
-KbjH3CzHZwKBgQC6ppxEDZPKi83nD/2NvMTIyFzcNFj0LaEepFW7vc7NkiSn0zrt
-0lEXWqUqEv5oaPWTEcHH2VdxFRTLuSL0LKGMnWqUqQcKDA9xrcSzuFvNhRTwHC81
-5XwwI1wBNV4sgFKj2WdW/6y2/szDt0oNxnC50zvkmlwOpPKBc4kmNaKmowKBgBmC
-uXIDIXyZcmw3QTNNWZNqXcnv8iRo4xN4dilOWyBxMfp3QmWI5feD4G2+0Jqr2nNZ
-iRRdB/bA3qtVQ0PinkDQBIzPg6lVNS1uv+TUNc4YgXtL+pyrq+Om8U/jMmqEQR9q
-0YltG49houSZyatnYGK6aSHgpNuaYD0jI66fsyYBAoGAMefyD0I/ncArjuf58hVQ
-zSjxfcvlja9okrC8ZgqsVluezcm4rQNcSjBnESGTCjJC7O29AofGLHkvnsBQDiGk
-hE38IRisd+okXdApr41ifWDhmtASud5q6wlhOpMmQxg+OALf1rTvFYhbnFEXV/KY
-e5A4iXLRIbxbmXZDa35Rebw=
------END PRIVATE KEY-----
diff --git a/demo/grouper/configs-and-secrets/midpoint/application/database_password.txt b/demo/grouper/configs-and-secrets/midpoint/application/database_password.txt
deleted file mode 100644
index 11bff19..0000000
--- a/demo/grouper/configs-and-secrets/midpoint/application/database_password.txt
+++ /dev/null
@@ -1 +0,0 @@
-WJzesbe3poNZ91qIbmR7
diff --git a/demo/grouper/configs-and-secrets/midpoint/application/keystore_password.txt b/demo/grouper/configs-and-secrets/midpoint/application/keystore_password.txt
deleted file mode 100644
index 1d40192..0000000
--- a/demo/grouper/configs-and-secrets/midpoint/application/keystore_password.txt
+++ /dev/null
@@ -1 +0,0 @@
-changeit
diff --git a/demo/grouper/configs-and-secrets/midpoint/httpd/host-cert.pem b/demo/grouper/configs-and-secrets/midpoint/httpd/host-cert.pem
deleted file mode 100644
index 9b1021b..0000000
--- a/demo/grouper/configs-and-secrets/midpoint/httpd/host-cert.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDqDCCApCgAwIBAgIJAMOSkn4oS2aAMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNV
-BAYTAlVTMQswCQYDVQQIDAJNSTESMBAGA1UEBwwJQW5uIEFyYm9yMRcwFQYDVQQK
-DA5JbnRlcm5ldDIvVElFUjEgMB4GA1UEAwwXbWlkcG9pbnQuc3AuZXhhbXBsZS5v
-cmcwHhcNMTgwOTE0MDU1OTQ1WhcNMTkwOTE0MDU1OTQ1WjBpMQswCQYDVQQGEwJV
-UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEXMBUGA1UECgwOSW50
-ZXJuZXQyL1RJRVIxIDAeBgNVBAMMF21pZHBvaW50LnNwLmV4YW1wbGUub3JnMIIB
-IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApj/b7MEUSfu3oXMfNgRwTse7
-a5UV7Jswf1M/ZN/ZZkAkIxNBevZgozjesvLPWrmsTgONi7XigJUJvCjdjmlW9eDM
-lri/rkD8HuOR1DQCVKL9nvoS2c3D7sq5Emda3V8Tlj82VqfEmePd3sajx7mcTfbH
-8jwAL9NhkC+WMib5IpjLGpG0FEAC0ha7Lxb+7jIiqHVJaqLXJGCyGN4mh6c1Q9S1
-f8RVTiW2a8x22G+9wnZYbkiA2Kxls177imHlhSz8EdvV4IpGw1amrEWhhuDEum7B
-vZ1xQDLatgRqh4qAKLIVYeRnJ8H1FelMa90qB4G08MIPifmTsQwqJyBYaEdgWQID
-AQABo1MwUTAdBgNVHQ4EFgQUqb9BteODF6wv5R57aEON/wGXMiowHwYDVR0jBBgw
-FoAUqb9BteODF6wv5R57aEON/wGXMiowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
-9w0BAQsFAAOCAQEAAcKhxI+tSItrXmqC0PSmgWyAYpqbkz6W/cefTutXqhIgY09f
-h0LSv7ogTahoGpyiZk9vy6u3OE9bYwxapEfa4KBjO6HxBMIVBBb3RegVjoPzjElN
-BDwAx0VGFcZTXwMxDWycWdG8ql7rCZBvS50w04uTaIgnGmqXAdWWmBgfJ9cRbxW+
-JwO/mOl1QM1lR/5142NpvuUVWlmZSKEGydE5A1qPz2wpDbBR1ym1BQNS4NEqw6Kp
-GSB8jKyCS1Ve0v2wVze2038Wukz02dq9uKPTIO3T+B+ibZmxn6Op/kFCc1/kK5NS
-Q6JdO1B6KquGAYdGmKAcQ19mv+jqGktqWEEf0g==
------END CERTIFICATE-----
diff --git a/demo/grouper/configs-and-secrets/midpoint/httpd/host-key.pem b/demo/grouper/configs-and-secrets/midpoint/httpd/host-key.pem
deleted file mode 100644
index 5746e59..0000000
--- a/demo/grouper/configs-and-secrets/midpoint/httpd/host-key.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmP9vswRRJ+7eh
-cx82BHBOx7trlRXsmzB/Uz9k39lmQCQjE0F69mCjON6y8s9auaxOA42LteKAlQm8
-KN2OaVb14MyWuL+uQPwe45HUNAJUov2e+hLZzcPuyrkSZ1rdXxOWPzZWp8SZ493e
-xqPHuZxN9sfyPAAv02GQL5YyJvkimMsakbQUQALSFrsvFv7uMiKodUlqotckYLIY
-3iaHpzVD1LV/xFVOJbZrzHbYb73CdlhuSIDYrGWzXvuKYeWFLPwR29XgikbDVqas
-RaGG4MS6bsG9nXFAMtq2BGqHioAoshVh5GcnwfUV6Uxr3SoHgbTwwg+J+ZOxDCon
-IFhoR2BZAgMBAAECggEAEIRBpjjceiku6jRUwnoYaks/nIWYQwR8AfpUTwJKR/VR
-Yca097Fokm7A+UhUP3A45RtHQb0VPq8P44iv0kk24YCu8r5yFK7SHYOAZnOwU5ZJ
-2jSAEPF3aM7tKh3okhuzB3dKP7u1NZDE5zAW723KUJiW7sL1RcsbY0bHBj6G+9/H
-NplmsjuGt684vRBB0qOBfKF7EiG7mT69tHuNj4gRza9SMY31UtKbZdt2fNY6mp5V
-HscMba7egZP+Ke0pVX4+go9j7K8GG8hYaQDLjrzlPqrxZ2c5X9cC+CRDI/CHuL/s
-V/2yGZJ6n6UabwZoH83RdFrbQ94rU8Hkli6EvxXvMQKBgQDRpheNW5jDG5TfeJKh
-yfKTDQqH2Tk3BsBYYBN7Hf3m7vbkzlxnAKJAoSLmtRMuoeXvI5MrhzaHGsNIUS76
-LDIZnvB7DLUxhFUZsCPkpAA1QHuTWY96oR3PHnPjpk8lSUvtbOPwDLdzVApeFJgZ
-VqMNArZ7AHsK3Kkyi+f4WVQjbQKBgQDLAWiGb5dx6fAM2W6B6HjNmzjBWOuVEXa2
-76to9jzupBZmETfZgxtWUaWUDuNS+f7dtVUTE+p6v/w8clrHEhEZYkqunIOLo/UA
-LFPiuoTfEsWb1rh+nsCjCgy4uimixj/bSkf7NC6NyKTvCygA1mGnVVJUEPegYlDy
-LXCkaKWxHQKBgQCmyHSKL2lrJkEcOwakEU2acNCE3Gno/cT9SYmV83kvQ8JEqmrW
-QqnRsp9aXIljGscapPmKsmnNt5vNp1AxFAHTYh88NRLczsMIyZj0ZwgHVUI6KhC7
-5Psa78YQQBlMt2/g9TSsnuE+rYgF6mpKFiNm0Vasqeg47uzn2mdzqlUGTQKBgE04
-JutkTUY+h1pL5vYxWKpVDfy19z7H2tFxT1FowPrBneeLSyRI88Ac5I/yLdRlVeY9
-0LOmEr5Igwj3MsKgg7KVKfVLgdo/LrW3Jt2Kt3onKNXDkoBPoNUjwH0QC0Boiue+
-VK0gR0kVdm+bXccbxR+im+NwZNE0NLg6Qqu3RredAoGBALuVoqbPPmTCZXYG328H
-bzOs2aiR7BzPSVByV+qG6jW7w03RAnFPJZp7HMU+ViI5VY0wabUscMSvz5163+gM
-4KwY3v9ZjZzZGukIfLuudkdqtaiVOx/KeAC0n+nG21YU+wpZww8gkfHh1/sa2CME
-CWYCgOnmiTHcj83UaTqEXtmv
------END PRIVATE KEY-----
diff --git a/demo/grouper/configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks b/demo/grouper/configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks
deleted file mode 100644
index af2e8f4..0000000
Binary files a/demo/grouper/configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks and /dev/null differ
diff --git a/demo/grouper/create-ref-loaders.gsh b/demo/grouper/create-ref-loaders.gsh
deleted file mode 100644
index 0cfdcdf..0000000
--- a/demo/grouper/create-ref-loaders.gsh
+++ /dev/null
@@ -1,31 +0,0 @@
-gs = GrouperSession.startRootSession()
-
-group = new GroupSave(gs).assignName("etc:affiliationLoader").assignCreateParentStemsIfNotExist(true).save()
-group.addType(GroupTypeFinder.find("grouperLoader"))
-group.setAttribute("grouperLoaderDbName", "sis")
-group.setAttribute("grouperLoaderType", "SQL_GROUP_LIST")
-group.setAttribute("grouperLoaderScheduleType", "CRON")
-group.setAttribute("grouperLoaderQuartzCron", "0 * * * * ?")
-group.setAttribute("grouperLoaderDbName", "sis")
-group.setAttribute("grouperLoaderGroupTypes", "addIncludeExclude")
-group.setAttribute("grouperLoaderQuery", "SELECT concat('ref:affiliation:',affiliation,'_systemOfRecord') as GROUP_NAME, uid as SUBJECT_ID, 'ldap' as SUBJECT_SOURCE_ID from SIS_AFFILIATIONS")
-
-group = new GroupSave(gs).assignName("etc:deptLoader").assignCreateParentStemsIfNotExist(true).save()
-group.addType(GroupTypeFinder.find("grouperLoader"))
-group.setAttribute("grouperLoaderDbName", "sis")
-group.setAttribute("grouperLoaderType", "SQL_GROUP_LIST")
-group.setAttribute("grouperLoaderScheduleType", "CRON")
-group.setAttribute("grouperLoaderQuartzCron", "0 * * * * ?")
-group.setAttribute("grouperLoaderDbName", "sis")
-group.setAttribute("grouperLoaderQuery", "SELECT concat('ref:dept:',department) as GROUP_NAME, uid as SUBJECT_ID, 'ldap' as SUBJECT_SOURCE_ID from SIS_PERSONS where department is not null")
-
-group = new GroupSave(gs).assignName("etc:coursesLoader").assignCreateParentStemsIfNotExist(true).save()
-group.addType(GroupTypeFinder.find("grouperLoader"))
-group.setAttribute("grouperLoaderDbName", "sis")
-group.setAttribute("grouperLoaderType", "SQL_GROUP_LIST")
-group.setAttribute("grouperLoaderScheduleType", "CRON")
-group.setAttribute("grouperLoaderQuartzCron", "0 * * * * ?")
-group.setAttribute("grouperLoaderDbName", "sis")
-group.setAttribute("grouperLoaderQuery", "SELECT concat('ref:course:',courseId) as GROUP_NAME, uid as SUBJECT_ID, 'ldap' as SUBJECT_SOURCE_ID from SIS_COURSES")
-
-edu.internet2.middleware.grouper.app.loader.GrouperLoaderType.scheduleLoads()
diff --git a/demo/grouper/create-ref-loaders.sh b/demo/grouper/create-ref-loaders.sh
deleted file mode 100755
index c9cd9cc..0000000
--- a/demo/grouper/create-ref-loaders.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-
-source ../../library.bash
-
-execute_gsh grouper_grouper_daemon_1 create-ref-loaders.gsh
diff --git a/demo/grouper/directory/Dockerfile b/demo/grouper/directory/Dockerfile
index 6e34ead..9a0948d 100644
--- a/demo/grouper/directory/Dockerfile
+++ b/demo/grouper/directory/Dockerfile
@@ -1,28 +1,39 @@
-FROM centos:centos7
-
-LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
-
-RUN yum install -y epel-release \
- && yum update -y \
- && yum install -y 389-ds-base \
- && yum clean all \
- && rm -rf /var/cache/yum
-
-COPY container_files/seed-data/ /seed-data/
-
-RUN useradd ldapadmin \
- && rm -fr /var/lock /usr/lib/systemd/system \
- # The 389-ds setup will fail because the hostname can't reliable be determined, so we'll bypass it and then install. \
- && sed -i 's/checkHostname {/checkHostname {\nreturn();/g' /usr/lib64/dirsrv/perl/DSUtil.pm \
- # Not doing SELinux \
- && sed -i 's/updateSelinuxPolicy($inf);//g' /usr/lib64/dirsrv/perl/* \
- # Do not restart at the end \
- && sed -i '/if (@errs = startServer($inf))/,/}/d' /usr/lib64/dirsrv/perl/* \
- && setup-ds.pl --silent --file /seed-data/ds-setup.inf \
- && /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir \
- && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
- ldapadd -H ldap:/// -f /seed-data/data.ldif -x -D "cn=Directory Manager" -w password
-
-EXPOSE 389
-
-CMD rm -rf /var/lock/dirsrv/slapd-dir/server/* && /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir && sleep infinity
+FROM rockylinux:9.3 as baseinst
+
+RUN dnf update -y && \
+ dnf install -y --enablerepo=devel openldap openldap-clients openldap-servers && \
+ dnf clean all && \
+ rm -rf /var/cache/dnf
+
+EXPOSE 389/tcp
+
+VOLUME /var/lib/ldap
+
+FROM baseinst
+
+#LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
+
+ARG ldapDomain="dc=internet2,dc=edu"
+ARG ldapPw="password"
+
+ADD https://raw.githubusercontent.com/REFEDS/eduperson/master/schema/openldap/eduperson.ldif /etc/openldap/schema
+
+COPY container_files/* /opt
+
+RUN cd /opt ; \
+ /opt/update_schema /etc/openldap/slapd.d/cn\=config/cn\=schema/cn\=\{0\}core.ldif groupOfUniqueNames uniqueMember cn ; \
+ /opt/update_schema /etc/openldap/slapd.d/cn\=config/cn\=schema/cn\=\{0\}core.ldif groupOfNames member cn ; \
+ /opt/slapd.sh -init ; \
+ /opt/gen_config_update "${ldapDomain}" "${ldapPw}" "0" "0" ;\
+ cat 999_schema-list | while read line ; do \
+ ldapadd -H ldapi:/// -f /etc/openldap/schema/${line}.ldif ; \
+ done ; \
+ for s in 0 1 2 3 4 5 6 7 8 9 ; do \
+ find -type f -name "${s}[0-4]?_*.ldif" -exec ldapmodify -H ldapi:/// -f /opt/\{\} \; ; \
+ find -type f -name "${s}[5-9]?_*.ldif" -exec ldapadd -H ldapi:/// -f /opt/\{\} \; ; \
+ done ; \
+ rm /opt/[0-9]* && \
+ /opt/slapd.sh -stop ;
+
+CMD [ "/opt/slapd.sh", "-limit", "1024", "-debug", "256" ]
+
diff --git a/demo/grouper/directory/container_files/gen_config_update b/demo/grouper/directory/container_files/gen_config_update
new file mode 100755
index 0000000..a2d5647
--- /dev/null
+++ b/demo/grouper/directory/container_files/gen_config_update
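Review bot: `ARG ldapPw="password"` feeds the directory's admin and user password in at build time, so the value is recorded in `docker history` for the RUN layer that uses it and the hashed credential is baked into the image's data directory; with the default left in place, every image built without `--build-arg` shares a known password. I would drop the default and make the RUN refuse an empty value (`[ -n "${ldapPw}" ] || { echo "ldapPw build-arg required" >&2 ; exit 1 ; }`), or at minimum mark it `# demo only: never ship an image built with this default`. The `ADD https://raw.githubusercontent.com/REFEDS/eduperson/master/...` fetch is unpinned and unverified, so the schema can silently change between builds; pin it to a commit and add `--checksum=sha256:<digest>`, or fetch it with curl in a RUN and verify. The image also declares no `USER`, which is only acceptable because `slapd.sh` passes `-u ldap -g ldap`; that dependency deserves a comment above the CMD line.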
@@ -0,0 +1,241 @@
+#!/bin/bash
+domain="${1:-dc=example,dc=com}"
+if [ $(echo -n ${domain} | wc -c ) -eq $(echo -n ${domain} | tr -d "," | wc -c) ]
+then
+ subDomain="${domain:4}"
+else
+ subDomain="$(echo -n ${domain:4} | cut -d , -f 1)"
+fi
+userpw="${2:-change_me}"
+cleartext="${3:-0}"
+locDebug="${4:-0}"
+
+function genPass() {
+ retVal="userPassword:"
+ if [ "${cleartext}" != "1" ]
+ then
+ secPw="$(slappasswd -s ${userpw})"
+ secPw2="$(echo -n ${secPw} | base64 )"
+ [ "${locDebug}" != "0" ] && echo "${userpw} => ${secPw} => ${secPw2}" >&2
+ retVal="${retVal}: ${secPw2}"
+ else
+ [ "${locDebug}" != "0" ] && echo "${userpw}" >&2
+ retVal="${retVal} ${userpw}"
+ fi
+ while [ ${#retVal} -gt 78 ]
+ do
+ echo "${retVal:0:78}"
+ retVal=" ${retVal:78}"
+ done
+ if [ ${#retVal} -gt 2 ]
+ then
+ echo "${retVal}"
+ fi
+}
+
+cat >999_schema-list <<EOF
+cosine
+inetorgperson
+nis
+eduperson
+EOF
+
+cat >001_monitor-diff.ldif <<EOF
+dn: olcDatabase={1}monitor,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to *
+ by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
+ by dn.base="cn=admin,${domain}" read
+ by * none
+EOF
+
+cat >101_mdb-diff.ldif <<EOF
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcSuffix
+olcSuffix: ${domain}
+-
+replace: olcRootDN
+olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+-
+replace: olcAccess
+olcAccess: {0}to dn="cn=admin,${domain}"
+ by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
+ by anonymous auth
+ by self write
+ by * none
+olcAccess: {1}to attrs=userPassword,shadowLastChange
+ by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
+ by dn="cn=admin,${domain}" write
+ by dn="uid=administrator,ou=People,${domain}" write
+ by anonymous auth
+ by self write
+ by * none
+olcAccess: {2}to dn.subtree="ou=people,${domain}"
+ by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
+ by dn="cn=admin,${domain}" write
+ by dn="uid=administrator,ou=People,${domain}" write
+ by * read
+olcAccess: {3}to dn.base=""
+ by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
+ by dn="cn=admin,${domain}" write
+ by * read
+olcAccess: {4}to *
+ by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
+ by dn="uid=administrator,ou=people,${domain}" write
+ by dn="cn=admin,${domain}" write
+ by anonymous auth
+ by self read
+ by * none
+EOF
+
+cat >251_mod_config.ldif <<EOF
+dn: cn=module{0},cn=config
+objectClass: olcModuleList
+cn: module{0}
+olcModulePath: /usr/lib64/openldap
+olcModuleLoad: {0}memberof
+olcModuleLoad: {1}refint
+olcModuleLoad: {2}ppolicy
+olcModuleLoad: {3}sssvlv
+
+dn: olcOverlay={0}memberof,olcDatabase={2}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcMemberOf
+olcOverlay: {0}memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfUniqueNames
+olcMemberOfMemberAD: uniqueMember
+olcMemberOfMemberOfAD: memberOf
+
+dn: olcOverlay={1}refint,olcDatabase={2}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+olcOverlay: {1}refint
+olcRefintAttribute: owner
+olcRefintAttribute: manager
+olcRefintAttribute: uniqueMember
+olcRefintAttribute: member
+olcRefintAttribute: memberOf
+
+dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config
+objectClass: olcPPolicyConfig
+objectClass: olcOverlayConfig
+olcOverlay: {2}ppolicy
+olcPPolicyDefault: cn=defaultpw,ou=policies,${domain}
+olcPPolicyHashCleartext: TRUE
+olcPPolicyUseLockout: TRUE
+
+dn: olcOverlay={3}sssvlv,olcDatabase={2}mdb,cn=config
+objectClass: olcSssVlvConfig
+objectClass: olcOverlayConfig
+olcOverlay: {3}sssvlv
+EOF
+
+cat >151_default_structure.ldif <<EOF
+dn: ${domain}
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: ${subDomain}
+
+dn: ou=Groups,${domain}
+objectClass: top
+objectClass: organizationalUnit
+ou: Groups
+
+dn: ou=Affiliations,ou=Groups,${domain}
+objectClass: top
+objectClass: organizationalUnit
+ou: Affiliations
+
+dn: ou=Courses,ou=Groups,${domain}
+objectClass: top
+objectClass: organizationalUnit
+ou: Courses
+
+dn: ou=midpoint,ou=Groups,${domain}
+objectClass: top
+objectClass: organizationalUnit
+ou: midpoint
+
+dn: ou=Generic,ou=Groups,${domain}
+objectClass: top
+objectClass: organizationalUnit
+ou: Generic
+
+dn: ou=People,${domain}
+objectClass: top
+objectClass: organizationalUnit
+ou: people
+
+dn: ou=policies,${domain}
+objectClass: organizationalUnit
+ou: policies
+EOF
+
+cat >252_default_policy.ldif <<EOF
+dn: cn=defaultpw,ou=policies,${domain}
+objectClass: pwdPolicy
+objectClass: organizationalRole
+cn: defaultpw
+pwdAttribute: userPassword
+pwdMinLength: 3
+pwdLockout: TRUE
+pwdMaxFailure: 3
+pwdLockoutDuration: 30
+EOF
+
+cat >851_default_structure.ldif <<EOF
+dn: cn=admin,${domain}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: admin
+$(genPass)
+description: LDAP administrator
+
+dn: uid=banderson,ou=People,${domain}
+objectClass: eduPerson
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: Bob Anderson
+sn: Anderson
+givenName: Bob
+$(genPass)
+description: LDAP administrator
+
+dn: uid=administrator,ou=People,${domain}
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+givenName: Administrator
+uid: administrator
+sn: Administrator
+cn: Administrator
+$(genPass)
+EOF
+
+cat >959_default_structure.ldif <<EOF
+dn: cn=users,ou=Groups,${domain}
+objectClass: groupOfUniqueNames
+objectClass: top
+uniqueMember: uid=banderson,ou=People,${domain}
+cn: users
+
+dn: cn=sysadmingroup,ou=midpoint,ou=Groups,${domain}
+objectClass: groupOfUniqueNames
+objectClass: top
+uniqueMember: uid=banderson,ou=People,${domain}
+cn: sysadmingroup
+
+dn: cn=admins,ou=Groups,${domain}
+objectClass: groupOfUniqueNames
+objectClass: top
+uniqueMember: uid=administrator,ou=people,${domain}
+cn: admins
+EOF
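Review bot: `secPw="$(slappasswd -s ${userpw})"` in genPass hands the password to slappasswd on its command line, where anything else running in the build container can read it from /proc, and the unquoted expansion splits a password containing spaces; feeding it through a descriptor fixes both: `secPw="$(slappasswd -T <(printf '%s' "${userpw}"))"`. The single `userpw` is stamped onto `cn=admin`, `uid=banderson` and `uid=administrator` alike, so one leaked demo password opens all three accounts; a comment at the top of 851_default_structure.ldif saying so would save the next person a surprise. `pwdMinLength: 3` in the default ppolicy effectively disables length checking; if that is deliberate for the demo, say so on that line rather than leaving it to look like a typo.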
diff --git a/demo/grouper/directory/container_files/seed-data/data.ldif b/demo/grouper/directory/container_files/seed-data/data.ldif
deleted file mode 100644
index 1b53642..0000000
--- a/demo/grouper/directory/container_files/seed-data/data.ldif
+++ /dev/null
@@ -1,51 +0,0 @@
-dn: cn=admin,dc=internet2,dc=edu
-objectClass: simpleSecurityObject
-objectClass: organizationalRole
-cn: admin
-userPassword: password
-description: LDAP administrator
-
-dn: uid=banderson,ou=People,dc=internet2,dc=edu
-objectClass: eduPerson
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-objectClass: person
-objectClass: top
-cn: Bob Anderson
-sn: Anderson
-givenName: Bob
-userPassword: password
-description: LDAP administrator
-
-dn: ou=Affiliations,ou=Groups,dc=internet2,dc=edu
-objectClass: top
-objectClass: organizationalUnit
-ou: Affiliations
-
-dn: ou=Courses,ou=Groups,dc=internet2,dc=edu
-objectClass: top
-objectClass: organizationalUnit
-ou: Courses
-
-dn: ou=midpoint,ou=Groups,dc=internet2,dc=edu
-objectClass: top
-objectClass: organizationalUnit
-ou: midpoint
-
-dn: ou=Generic,ou=Groups,dc=internet2,dc=edu
-objectClass: top
-objectClass: organizationalUnit
-ou: Generic
-
-dn: cn=users,ou=Groups,dc=internet2,dc=edu
-objectClass: groupOfUniqueNames
-objectClass: top
-uniqueMember: uid=banderson,ou=People,dc=internet2,dc=edu
-cn: users
-
-dn: cn=sysadmingroup,ou=midpoint,ou=Groups,dc=internet2,dc=edu
-objectClass: groupOfUniqueNames
-objectClass: top
-uniqueMember: uid=banderson,ou=People,dc=internet2,dc=edu
-cn: sysadmingroup
-
diff --git a/demo/grouper/directory/container_files/seed-data/ds-setup.inf b/demo/grouper/directory/container_files/seed-data/ds-setup.inf
deleted file mode 100644
index 96c29a1..0000000
--- a/demo/grouper/directory/container_files/seed-data/ds-setup.inf
+++ /dev/null
@@ -1,28 +0,0 @@
-[General]
-AdminDomain = internet2.edu
-ConfigDirectoryAdminID = admin
-ConfigDirectoryAdminPwd = admin
-ConfigDirectoryLdapURL = ldap://localhost:389/o=NetscapeRoot
-FullMachineName = localhost
-ServerRoot = /usr/lib64/dirsrv
-SuiteSpotGroup = nobody
-SuiteSpotUserID = nobody
-
-[admin]
-Port = 9830
-ServerAdminID = admin
-ServerAdminPwd = admin
-ServerIpAddress = 0.0.0.0
-SysUser = nobody
-
-[slapd]
-AddOrgEntries = No
-AddSampleEntries = No
-InstallLdifFile = suggest
-RootDN = cn=Directory Manager
-RootDNPwd = password
-ServerIdentifier = dir
-ServerPort = 389
-SlapdConfigForMC = yes
-Suffix = dc=internet2,dc=edu
-UseExistingMC = No
diff --git a/demo/grouper/directory/container_files/slapd.sh b/demo/grouper/directory/container_files/slapd.sh
new file mode 100755
index 0000000..bfd935e
--- /dev/null
+++ b/demo/grouper/directory/container_files/slapd.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+localLimit=${LDAP_LIMIT:-1024}
+debugLevel=${LDAP_DEBUG:-256}
+
+while [ "${1:0:1}" = "-" ]
+do
+ case ${1:1} in
+ limit)
+ localLimit=${2}
+ [ ! -z ${LDAP_LIMIT+x} ] && localLimit=${LDAP_LIMIT}
+ shift 2
+ ;;
+ debug)
+ debugLevel=${2}
+ [ ! -z ${LDAP_DEBUG+x} ] && debugLevel=${LDAP_DEBUG}
+ shift 2
+ ;;
+ init)
+ [ ! -z ${LDAP_INFO+x} ] && echo "uLimit : ${localLimit}" >&2
+ ulimit -n ${localLimit}
+ exec /usr/sbin/slapd -4 -h "ldapi:///" -u ldap -g ldap
+ exit 0
+ ;;
+ stop)
+ while read line
+ do
+ kill ${line}
+ count=0
+ while [ -e /proc/${line} ]
+ do
+ [ ${count} -gt 10 ] && kill -9 ${line}
+ echo "Waiting to terminate the process"
+ count=$(( ${count} + 1 ))
+ sleep 1
+ done
+ echo "Terminated..."
+ ${0} -stop
+ done < <( grep "^slapd$" /proc/*/comm | head -1 | cut -d / -f 3 )
+ exit 0
+ ;;
+ esac
+done
+
+ulimit -n ${localLimit}
+
+
+if [ -z ${LDAP_INIT+x} ]
+then
+ [ ! -z ${LDAP_INFO+x} ] && echo "uLimit : ${localLimit} / debug level : ${debugLevel}" >&2
+ exec /usr/sbin/slapd -h "ldap://0.0.0.0:389 ldapi:///" -u ldap -g ldap -d ${debugLevel}
+else
+ [ ! -z ${LDAP_INFO+x} ] && echo "uLimit : ${localLimit}" >&2
+ exec /usr/sbin/slapd -4 -h "ldapi:///" -u ldap -g ldap
+fi
+
diff --git a/demo/grouper/directory/container_files/update_schema b/demo/grouper/directory/container_files/update_schema
new file mode 100755
index 0000000..9fccca9
--- /dev/null
+++ b/demo/grouper/directory/container_files/update_schema
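Review bot: The option loop has no `*)` arm, so an unrecognised `-foo` matches nothing, is never shifted, and `while [ "${1:0:1}" = "-" ]` spins forever; add `*) echo "unknown option: ${1}" >&2 ; exit 1 ;;` before `esac`. `-limit` and `-debug` also consume `${2}` without checking it exists; as far as I can tell a trailing `-limit` makes `shift 2` fail, leaves `$1` in place and loops the same way, so a `[ $# -ge 2 ] || exit 1` guard in those two arms is cheap. The default path listens on `ldap://0.0.0.0:389` only, i.e. plaintext on every interface, which is presumably fine for this demo but deserves a comment on that `exec` line so nobody reuses the script elsewhere unchanged.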
@@ -0,0 +1,103 @@
+#!/bin/bash
+[ "${1}" == "" ] && exit 1
+
+function getLines {
+ nLine=1
+ grep -n ^olc "${1}" | \
+ grep -A 1 "${2}" | \
+ cut -d : -f 1 | \
+ while read line
+ do
+ if [ ${nLine} -eq 1 ]
+ then
+ echo -n "${line},"
+ else
+ echo "$(( ${line} - 1))"
+ fi
+ nLine=$(( ${nLine} + 1 ))
+ done
+}
+
+function getCurrent {
+ sed -n "${2}p" "${1}" | sed "s/^ //g" | tr -d "\n"
+ echo
+}
+
+function convertToOptional {
+ if [ "${2}" != "" ]
+ then
+ original="${1} \$ ${2}"
+ else
+ original="${1}"
+ fi
+ read line
+ if [ $( echo "${line}" | grep -c "MUST ( ${original} )" ) -gt 0 ]
+ then
+ echo "${line}" | sed "s/MUST ( ${original} )/MUST ( ${2:-} )/; s/MAY (/MAY ( ${1} \$/"
+ else
+ echo "${line}"
+ fi
+}
+
+function wrapLine() {
+ lineToWrap="${1:-}"
+ while [ ${#lineToWrap} -gt 0 ]
+ do
+ if [ ${#lineToWrap} -ge 78 ]
+ then
+ echo "${lineToWrap:0:78}"
+ lineToWrap=" ${lineToWrap:78}"
+ else
+ echo "${lineToWrap}"
+ lineToWrap=""
+ fi
+ done
+}
+
+function replaceLine {
+ newline=$( echo -n ${2} | cut -d , -f 1)
+ sed -i "${2}d" "${1}"
+ firstLine=1
+ while read line
+ do
+ if [ ${firstLine} -eq 1 ]
+ then
+ sed -i "${newline} i ${line}" "${1}"
+ firstLine=0
+ else
+ sed -i "${newline} i\ ${line}" "${1}"
+ fi
+ newline=$(( ${newline} + 1 ))
+ done
+}
+
+function updateModifyTimestamp {
+ sed -i "s/^modifyTimestamp:.*/modifyTimestamp: $(date -u +%Y%m%d%H%M%SZ)/" "${1}"
+}
+
+
+function calculateCRC {
+ tail -n +3 "${1}" | \
+ gzip -1 -c | \
+ tail -c8 | \
+ hexdump -n4 | \
+ head -1 | \
+ sed "s/[^[:space:]]*[[:space:]]\([^[:space:]]*\)[[:space:]]\([^[:space:]]*\)/# CRC32 \2\1/"
+}
+
+function updateCRC {
+ sed -i "s/# CRC32.*/$(calculateCRC "${1}")/" "${1}"
+}
+
+lines="$(getLines "${1}" "${2}")"
+origLine="$(getCurrent "${1}" "${lines}")"
+newLine="$(echo ${origLine} | convertToOptional "${3}" "${4}")"
+if [ "${origLine}" != "${newLine}" ]
+then
+ echo "updating... / ${1} : ${2} ( ${3} : MUST => MAY) "
+ wrapLine "${newLine}" | replaceLine "${1}" "${lines}"
+ updateModifyTimestamp "${1}"
+ updateCRC "${1}"
+else
+ echo "nothing to update... / ${1} : ${2} ( ${3} : MUST => MAY) "
+fi
diff --git a/demo/grouper/docker-compose.yml b/demo/grouper/docker-compose.yml
index 83071fc..ba37b67 100644
--- a/demo/grouper/docker-compose.yml
+++ b/demo/grouper/docker-compose.yml
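Review bot: The only argument guard is `[ "${1}" == "" ] && exit 1`, yet `${2}` and `${3}` are used unchecked; with an empty `${2}` the `grep -A 1 ""` in getLines matches every olc line, and the multi-line result then feeds a malformed address into `sed -n "${2}p"` in getCurrent. A usage check up front is cheap: `[ $# -ge 3 ] || { echo "usage: ${0} <ldif> <objectClass> <attr> [remaining-must]" >&2 ; exit 1 ; }`. The script also rewrites a `cn=config` LDIF under slapd.d in place with `sed -i`, including regenerating the CRC32 line, which is only safe while slapd is not running; the Dockerfile does call it before `slapd.sh -init`, but a header comment stating that precondition would keep the next caller from pointing it at a live server. The `grep -A 1 "${2}"` is a substring match on the objectClass name, so I would note that the caller must pass an unambiguous name.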
@@ -1,164 +1,326 @@ version: "3.3" services: + prereq: + image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux + command: > + bash -c " + echo ' - - - - - - -' ; + cd /mnt/security ; + if [ ! -e key.pem ] ; + then + echo 'Certificate has not been found. Generating of the new one...' ; + if [ -e /mnt/grouper-http/host-cert.pem -a -e /mnt/grouper-http/host-key.pem ] ; + then + echo 'Taking existing http certs... '; + cp /mnt/grouper-http/host-cert.pem cert.pem ; + cp /mnt/grouper-http/host-key.pem key.pem ; + else + echo 'Generating existing http certs... '; + openssl req -newkey rsa:2048 -keyout key.pem -nodes -subj '/C=US/ST=MI/L=Ann Arbor/O=Internet2\\/TIER/CN=midpoint.sp.example.org' -addext 'subjectAltName = DNS:midpoint.sp.example.org, DNS:midpoint_server, DNS:directory, DNS:idp, DNS: localhost, DNS: localhost.localdomain, IP:127.0.0.1, IP:::1' -out cert.pem -days 1825 -x509 -addext "basicConstraints=CA:FALSE"; + fi ; + openssl req -newkey rsa:2048 -keyout sp-key.pem -nodes -subj '/C=US/ST=MI/L=Ann Arbor/O=Internet2\\/TIER/CN=sp.example.org' -out sp-cert.pem -days 3650 -x509 ; + openssl req -newkey rsa:3072 -keyout sp-signing-key.pem -nodes -subj '/CN=sptest.example.edu' -addext 'subjectAltName = DNS:sptest.example.edu' -out sp-signing-cert.pem -days 3650 -x509 ; + openssl req -newkey rsa:2048 -keyout idp-backchannel.key -nodes -subj '/CN=idptestbed' -addext 'subjectAltName = DNS:idptestbed, URI:https://idptestbed/idp/shibboleth' -out idp-backchannel.crt -days 7300 -x509 ; + openssl req -newkey rsa:2048 -keyout idp-encryption.key -nodes -subj '/CN=idptestbed' -addext 'subjectAltName = DNS:idptestbed, URI:https://idptestbed/idp/shibboleth' -out idp-encryption.crt -days 7300 -x509 ; + openssl req -newkey rsa:2048 -keyout idp-signing.key -nodes -subj '/CN=idptestbed' -addext 'subjectAltName = DNS:idptestbed, URI:https://idptestbed/idp/shibboleth' -out idp-signing.crt -days 7300 -x509 ; + openssl req -newkey rsa:2048 -keyout idp-browser.key -nodes -subj 
'/CN=idp.ccc.local' -addext 'authorityKeyIdentifier = keyid:always,issuer:always' -out idp-browser.crt -days 10585 -x509 ; + openssl x509 -noout -fingerprint -sha256 -in cert.pem ; + openssl pkcs12 -export -in sp-signing-cert.pem -inkey sp-signing-key.pem -out signing-key.p12 -passout pass:password -name signing-key ; + openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.p12 -passout pass:password -name selfsigned ; + keytool -importkeystore -srckeystore signing-key.p12 -srcstoretype pkcs12 -srcstorepass password -srcalias signing-key -destkeystore shibboleth_sp_keys.jks -deststoretype jks -deststorepass changeit -noprompt -destalias signing-key ; + keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -srcstorepass password -srcalias selfsigned -destkeystore keystore.jks -deststoretype jks -deststorepass password -noprompt -destalias selfsigned ; + keytool -list -keystore shibboleth_sp_keys.jks -storetype jceks -storepass changeit ; + keytool -list -keystore keystore.jks -storetype jceks -storepass password ; + openssl pkcs12 -export -in idp-backchannel.crt -inkey idp-backchannel.key -out idp-backchannel.p12 -passout pass:password -name idptestbed ; + openssl pkcs12 -export -in idp-browser.crt -inkey idp-browser.key -out idp-browser.p12 -passout pass:password -name myAlias ; + for s in *ert.pem *.crt ; do echo ' - - - - - ' ; echo $${s} ; openssl x509 -noout -fingerprint -sha256 -in $${s} ; echo ; openssl x509 -noout -subject -subject_hash -dates -in $${s} ; done ; + echo ' - - - - - ' ; + mkdir /mnt/midpoint/var/shibboleth ; + cp shibboleth_sp_keys.jks /mnt/midpoint/var/shibboleth ; + cp cert.pem /mnt/midpoint/var ; + cp key.pem /mnt/midpoint/var ; + cp cert.pem /mnt/nginx-cert ; + cp key.pem /mnt/nginx-cert ; + echo ' server {' >> /mnt/nginx-conf/default.conf ; + echo ' listen 80 default_server;' >> /mnt/nginx-conf/default.conf ; + echo ' server_name localhost;' >> /mnt/nginx-conf/default.conf ; + echo '' >> 
/mnt/nginx-conf/default.conf ; + echo ' return 301 https://$server_name$request_uri;' >> /mnt/nginx-conf/default.conf ; + echo '}' >> /mnt/nginx-conf/default.conf ; + echo ' server {' >> /mnt/nginx-conf/midpoint.conf ; + echo ' listen 443 ssl default_server;' >> /mnt/nginx-conf/midpoint.conf ; + echo ' server_name localhost;' >> /mnt/nginx-conf/midpoint.conf ; + echo '' >> /mnt/nginx-conf/midpoint.conf ; + echo ' ssl_certificate /etc/nginx/certs/cert.pem;' >> /mnt/nginx-conf/midpoint.conf ; + echo ' ssl_certificate_key /etc/nginx/certs/key.pem;' >> /mnt/nginx-conf/midpoint.conf ; + echo '' >> /mnt/nginx-conf/midpoint.conf ; + echo ' proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;' >> /mnt/nginx-conf/midpoint.conf ; + echo ' location / {' >> /mnt/nginx-conf/midpoint.conf ; + echo ' rewrite ^/$ /midpoint/ last;' >> /mnt/nginx-conf/midpoint.conf ; + echo ' rewrite ^/midpoint$ /midpoint/ last;' >> /mnt/nginx-conf/midpoint.conf ; + echo '' >> /mnt/nginx-conf/midpoint.conf ; + echo ' proxy_set_header X-Real-IP $$remote_addr;' >> /mnt/nginx-conf/midpoint.conf ; + echo ' proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;' >> /mnt/nginx-conf/midpoint.conf ; + echo ' proxy_set_header X-Forwarded-Host: $$host;' >> /mnt/nginx-conf/midpoint.conf ; + echo ' proxy_set_header X-Forwarded-Proto: $$scheme;' >> /mnt/nginx-conf/midpoint.conf ; + echo ' proxy_pass http://midpoint-container:8080/;' >> /mnt/nginx-conf/midpoint.conf ; + echo '' >> /mnt/nginx-conf/midpoint.conf ; + echo ' }' >> /mnt/nginx-conf/midpoint.conf ; + echo '' >> /mnt/nginx-conf/midpoint.conf ; + echo ' location /idp {' >> /mnt/nginx-conf/midpoint.conf ; + echo ' proxy_set_header Host localhost;' >> /mnt/nginx-conf/midpoint.conf ; + echo ' proxy_pass https://idp:443/idp ;' >> /mnt/nginx-conf/midpoint.conf ; + echo ' }' >> /mnt/nginx-conf/midpoint.conf ; + echo '' >> /mnt/nginx-conf/midpoint.conf ; + echo ' location /grouper {' >> /mnt/nginx-conf/midpoint.conf ; + echo ' rewrite ^/(.*)$ 
https://localhost:4443/$1 ;' >> /mnt/nginx-conf/midpoint.conf ; + echo ' }' >> /mnt/nginx-conf/midpoint.conf ; + echo ' location /grouperSSO {' >> /mnt/nginx-conf/midpoint.conf ; + echo ' rewrite ^/(.*)$ https://localhost:4443/$1 ;' >> /mnt/nginx-conf/midpoint.conf ; + echo ' }' >> /mnt/nginx-conf/midpoint.conf ; + echo ' }' >> /mnt/nginx-conf/midpoint.conf ; + cp idp-backchannel.crt /mnt/shibboleth-idp/credentials ; + cp idp-backchannel.p12 /mnt/shibboleth-idp/credentials ; + cp idp-browser.p12 /mnt/shibboleth-idp/credentials ; + cp idp-encryption.crt /mnt/shibboleth-idp/credentials ; + cp idp-encryption.key /mnt/shibboleth-idp/credentials ; + cp idp-signing.crt /mnt/shibboleth-idp/credentials ; + cp idp-signing.key /mnt/shibboleth-idp/credentials ; + cp sp-signing-cert.pem /mnt/shibboleth-idp/credentials ; + cp sp-cert.pem /mnt/shibboleth-idp/credentials ; + cp keystore.jks /mnt/shibboleth/certs ; + cp cert.pem /mnt/grouper-http/host-cert.pem ; + cp key.pem /mnt/grouper-http/host-key.pem ; + chmod -R 744 /mnt/grouper-http ; + chown -R --reference=/mnt/grouper-http /mnt/grouper-http ; + cp sp-cert.pem /mnt/grouper-shibboleth/sp-cert.pem ; + cp sp-key.pem /mnt/grouper-shibboleth/sp-key.pem ; + chmod -R 744 /mnt/grouper-shibboleth ; + chown -R --reference=/mnt/grouper-shibboleth /mnt/grouper-shibboleth ; + echo ' - - - - - ' ; + find -type f ; + echo ' - - - - - - -' ; + find /mnt/shibboleth-idp/ -type f ; + echo ' - - - - - - -' ; + find /mnt/shibboleth -type f ; + echo ' - - - - - - -' ; + find /mnt/midpoint/ -type f ; + echo ' - - - - - - -' ; + find /mnt/grouper*/ -type f ; + echo ' - - - - - - -' ; + else echo 'certificate already exists... (skip new cert generation)' ; + fi ; + if [ ! 
-e /mnt/shared_pw/db_pass ] ; then + echo 'Generating password for DB connection...'; + dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d -c [0-9a-z] | cut -c 1-32 | tr -d [[:space:]] > /mnt/shared_pw/db_pass ; + fi ; + " + networks: + - net + volumes: + - security_object:/mnt/security + - shared_pw:/mnt/shared_pw + - idp_credentials:/mnt/shibboleth-idp/credentials + - idp_certs:/mnt/shibboleth/certs + - proxy_conf:/mnt/nginx-conf + - proxy_cert:/mnt/nginx-cert + - midpoint_home:/mnt/midpoint/var + - ./configs-and-secrets/grouper/httpd:/mnt/grouper-http + - ./configs-and-secrets/grouper/shibboleth:/mnt/grouper-shibboleth + grouper_daemon: - build: ./grouper_daemon/ - command: bash -c "while ! curl -s grouper_data:3306 > /dev/null; do echo waiting for mysql on grouper_data to start; sleep 3; done; while ! curl -s ldap://directory:389 > /dev/null; do echo waiting for ldap on directory to start; sleep 3; done; /usr/local/bin/startup.sh" + image: i2incommon/grouper:4.12.0 + command: [ "daemon" ] depends_on: - - grouper_data - - directory + grouper_data: + condition: service_healthy + grouper_data_init: + condition: service_completed_successfully + directory: + condition: service_healthy + sources: + condition: service_started environment: - ENV - USERTOKEN - GROUPER_CLIENT_WEBSERVICE_PASSWORD_FILE=password - GROUPER_DATABASE_PASSWORD_FILE=/run/secrets/g_database_password.txt - - RABBITMQ_PASSWORD_FILE=/run/secrets/rabbitmq_password.txt + - RABBITMQ_PASSWORD=password - SUBJECT_SOURCE_LDAP_PASSWORD=password + ulimits: + nofile: + soft: 1024 + hard: 2048 networks: net: aliases: - grouper-daemon healthcheck: - test: curl -s grouper_data:3306 + test: gsh interval: 30s timeout: 30s retries: 3 secrets: - g_database_password.txt - - rabbitmq_password.txt - - source: grouper.hibernate.properties - target: grouper_grouper.hibernate.properties - - source: grouper-loader.properties - target: grouper_grouper-loader.properties - - source: subject.properties - target: 
grouper_subject.properties volumes: - - type: bind - source: ./configs-and-secrets/grouper/application/grouper.properties - target: /opt/grouper/conf/grouper.properties - - type: bind - source: ./configs-and-secrets/grouper/application/grouper.client.properties - target: /opt/grouper/conf/grouper.client.properties + - ./configs-and-secrets/grouper/application/grouper.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.properties + - ./configs-and-secrets/grouper/application/grouper.client.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.client.properties + - ./configs-and-secrets/grouper/application/grouper.hibernate.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties + - ./configs-and-secrets/grouper/application/grouper-loader.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-loader.properties + - ./configs-and-secrets/grouper/application/subject.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/subject.properties + - ./configs-and-secrets/grouper/application/grouper.text.en.us.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouperText/grouper.text.en.us.properties grouper_ui: - build: ./grouper_ui/ - command: bash -c "while ! curl -s grouper_data:3306 > /dev/null; do echo waiting for mysql on grouper_data to start; sleep 3; done; while ! 
curl -s ldap://directory:389 > /dev/null; do echo waiting for ldap on directory to start; sleep 3; done; exec ui" + image: i2incommon/grouper:4.12.0 + command: [ "ui" ] depends_on: - - grouper_data - - directory + grouper_data: + condition: service_healthy + grouper_data_init: + condition: service_completed_successfully + directory: + condition: service_healthy environment: - ENV - USERTOKEN - GROUPER_DATABASE_PASSWORD_FILE=/run/secrets/g_database_password.txt - SUBJECT_SOURCE_LDAP_PASSWORD=password + ulimits: + nofile: + soft: 1024 + hard: 2048 networks: net: aliases: - grouper-ui ports: - 4443:443 + healthcheck: + test: curl -k -f https://127.0.0.1/grouper/grouperUi/ || exit 1 + interval: 30s + timeout: 30s + retries: 3 secrets: - g_database_password.txt - - source: grouper.hibernate.properties - target: grouper_grouper.hibernate.properties - - source: grouper-loader.properties - target: grouper_grouper-loader.properties - - source: subject.properties - target: grouper_subject.properties - - source: g_sp-key.pem - target: shib_sp-key.pem - - source: g_host-key.pem - target: host-key.pem volumes: - - type: bind - source: ./configs-and-secrets/grouper/application/grouper.properties - target: /opt/grouper/conf/grouper.properties - - type: bind - source: ./configs-and-secrets/grouper/application/grouper.client.properties - target: /opt/grouper/conf/grouper.client.properties - - type: bind - source: ./configs-and-secrets/grouper/shibboleth/sp-cert.pem - target: /etc/shibboleth/sp-cert.pem - - type: bind - source: ./configs-and-secrets/grouper/shibboleth/shibboleth2.xml - target: /etc/shibboleth/shibboleth2.xml - - type: bind - source: ./configs-and-secrets/grouper/shibboleth/idp-metadata.xml - target: /etc/shibboleth/idp-metadata.xml - - type: bind - source: ./configs-and-secrets/grouper/httpd/host-cert.pem - target: /etc/pki/tls/certs/host-cert.pem - - type: bind - source: ./configs-and-secrets/grouper/httpd/host-cert.pem - target: /etc/pki/tls/certs/cachain.pem + - 
./configs-and-secrets/grouper/application/grouper.properties:/opt/grouper/conf/grouper.properties + - ./configs-and-secrets/grouper/application/grouper.client.properties:/opt/grouper/conf/grouper.client.properties + - ./configs-and-secrets/grouper/application/grouper.hibernate.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties + - ./configs-and-secrets/grouper/application/grouper-loader.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-loader.properties + - ./configs-and-secrets/grouper/application/subject.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/subject.properties + - ./configs-and-secrets/grouper/application/grouper.text.en.us.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouperText/grouper.text.en.us.properties + - ./configs-and-secrets/grouper/shibboleth/idp-metadata.xml:/etc/shibboleth/idp-metadata.xml + - ./configs-and-secrets/grouper/shibboleth/sp-cert.pem:/etc/shibboleth/sp-cert.pem + - ./configs-and-secrets/grouper/shibboleth/sp-key.pem:/etc/shibboleth/sp-key.pem + - ./configs-and-secrets/grouper/shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml +# Note: due to a bug in https://github.internet2.edu/docker/grouper/blob/2.5.57/container_files/usr-local-bin/librarySetupFilesForProcess.sh#L72 +# This file had to be mounted as shib2.conf, instead of shib.conf (bind mounts don't want to be moved) + - ./configs-and-secrets/grouper/httpd/shib.conf:/etc/httpd/conf.d/shib2.conf + - ./configs-and-secrets/grouper/httpd/host-cert.pem:/etc/pki/tls/certs/host-cert.pem + - ./configs-and-secrets/grouper/httpd/host-cert.pem:/etc/pki/tls/certs/cachain.pem + - ./configs-and-secrets/grouper/httpd/host-key.pem:/etc/pki/tls/private/host-key.pem grouper_ws: - build: ./grouper_ws/ - command: bash -c "while ! curl -s grouper_data:3306 > /dev/null; do echo waiting for mysql to start; sleep 3; done; while ! 
curl -s ldap://directory:389 > /dev/null; do echo waiting for ldap to start; sleep 3; done; exec ws" + image: i2incommon/grouper:4.12.0 + command: [ "ws" ] depends_on: - - grouper_data - - directory + grouper_data: + condition: service_healthy + directory: + condition: service_healthy + prereq: + condition: service_completed_successfully + idp_vol_init: + condition: service_completed_successfully + grouper_data_init: + condition: service_completed_successfully environment: - ENV - GROUPER_DATABASE_PASSWORD_FILE=/run/secrets/g_database_password.txt - SUBJECT_SOURCE_LDAP_PASSWORD=password - USERTOKEN + ulimits: + nofile: + soft: 1024 + hard: 2048 networks: net: aliases: - grouper-ws ports: - 9443:443 + healthcheck: + test: curl -k -f https://127.0.0.1/grouper-ws/status?diagnosticType=trivial || exit 1 + interval: 30s + timeout: 30s + retries: 3 secrets: - g_database_password.txt - - source: grouper.hibernate.properties - target: grouper_grouper.hibernate.properties - - source: grouper-loader.properties - target: grouper_grouper-loader.properties - - source: subject.properties - target: grouper_subject.properties - - source: g_sp-key.pem - target: shib_sp-key.pem - - source: g_host-key.pem - target: host-key.pem +# - source: g_sp-key.pem +# target: shib_sp-key.pem +# - source: g_host-key.pem +# target: host-key.pem + volumes: + - ./configs-and-secrets/grouper/application/grouper.properties:/opt/grouper/conf/grouper.properties + - ./configs-and-secrets/grouper/application/grouper.client.properties:/opt/grouper/conf/grouper.client.properties + - ./configs-and-secrets/grouper/application/grouper.hibernate.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties + - ./configs-and-secrets/grouper/application/grouper-loader.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-loader.properties + - ./configs-and-secrets/grouper/application/subject.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/subject.properties + - 
./configs-and-secrets/grouper/application/grouper.text.en.us.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouperText/grouper.text.en.us.properties + - ./grouper_ws/web.xml:/opt/grouper/grouperWebapp/WEB-INF/web.xml + - ./grouper_ws/tomcat-users.xml:/opt/tomee/conf/tomcat-users.xml + - ./grouper_ws/server.xml:/opt/tomee/conf/server.xml + - ./configs-and-secrets/grouper/shibboleth/sp-cert.pem:/etc/shibboleth/sp-cert.pem + - ./configs-and-secrets/grouper/shibboleth/sp-key.pem:/etc/shibboleth/sp-key.pem + - ./configs-and-secrets/grouper/httpd/host-cert.pem:/etc/pki/tls/certs/host-cert.pem + - ./configs-and-secrets/grouper/httpd/host-cert.pem:/etc/pki/tls/certs/cachain.pem + - ./configs-and-secrets/grouper/httpd/host-key.pem:/etc/pki/tls/private/host-key.pem + + grouper_data_init: + image: i2incommon/grouper:4.12.0 + command: > + bash -c " + if [ ! -e /var/lib/postgresql/data/initialized ] ; then + echo 'processing init...' ; + echo ' - - - - - -'; + /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh -registry -check -runscript -noprompt && + /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh /tmp-bin/initialize.gsh && + /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh /tmp-bin/set-prov.gsh && + touch /var/lib/postgresql/data/initialized ; + else echo 'init skipped....' 
; + fi + " + depends_on: + grouper_data: + condition: service_healthy + networks: + - net volumes: - - type: bind - source: ./configs-and-secrets/grouper/application/grouper.properties - target: /opt/grouper/conf/grouper.properties - - type: bind - source: ./configs-and-secrets/grouper/application/grouper.client.properties - target: /opt/grouper/conf/grouper.client.properties - - type: bind - source: ./configs-and-secrets/grouper/httpd/host-cert.pem - target: /etc/pki/tls/certs/host-cert.pem - - type: bind - source: ./configs-and-secrets/grouper/httpd/host-cert.pem - target: /etc/pki/tls/certs/cachain.pem + - ./grouper_data_init/bootstrap:/tmp-bin + - ./grouper_data_init/conf/grouper.hibernate.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties + - ./grouper_data_init/conf/grouper.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.properties + - grouper_data:/var/lib/postgresql/data grouper_data: - build: ./grouper_data/ + image: postgres:16-alpine networks: net: aliases: - grouper-data - ports: - - 3306:3306 + environment: + - POSTGRES_HOST_AUTH_METHOD=trust + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=password + - PGDATA=/var/lib/postgresql/data/pgdata healthcheck: - test: curl -s grouper_data:3306 - interval: 30s - timeout: 30s - retries: 3 - volumes: - - grouper_data:/var/lib/mysql - - directory: - build: ./directory/ - ports: - - 389:389 - networks: - - net + test: [ "CMD-SHELL", "pg_isready -d grouper -U grouper" ] + interval: 1s + timeout: 5s + retries: 10 volumes: - - ldap:/var/lib/dirsrv + - grouper_data:/var/lib/postgresql/data + - ./grouper_data_init/sql:/docker-entrypoint-initdb.d sources: build: ./sources/ 
@@ -173,82 +335,266 @@ services: - CREATE_NEW_DATABASE=if_needed midpoint_data: - image: tier/mariadb:mariadb10 - ports: - - 33306:3306 + image: postgres:16-alpine + depends_on: + prereq: + condition: service_completed_successfully + environment: + - POSTGRES_PASSWORD_FILE=/mnt/shared_pw/db_pass + - POSTGRES_USER=midpoint + - POSTGRES_INITDB_ARGS=--lc-collate=en_US.utf8 --lc-ctype=en_US.utf8 + healthcheck: + test: [ "CMD-SHELL", "pg_isready -d midpoint -U midpoint" ] + interval: 1s + timeout: 5s + retries: 10 networks: - net: - aliases: - - midpoint-data + - net volumes: - - midpoint_mysql:/var/lib/mysql - - midpoint_data:/var/lib/mysqlmounted + - midpoint_data:/var/lib/postgresql/data + - shared_pw:/mnt/shared_pw + + data_init: + image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux + depends_on: + prereq: + condition: service_completed_successfully + midpoint_data: + condition: service_healthy + command: > + bash -c " + cd /opt/midpoint ; + bin/midpoint.sh init-native ; + echo ' - - - - - - ' ; + bin/ninja.sh -B info >/dev/null 2>/tmp/ninja.log ; + grep -q \"ERROR\" /tmp/ninja.log && ( + bin/ninja.sh run-sql --create --mode REPOSITORY ; + bin/ninja.sh run-sql --create --mode AUDIT ; + tar -cC /opt/midpoint-init . | tar -xvC /opt/midpoint/var ; + ) || + echo -e '\\n Repository init is not needed...' 
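Review bot: The prereq command ends with `chmod -R 744 /mnt/grouper-http` and `chmod -R 744 /mnt/grouper-shibboleth`, which leaves the freshly generated `host-key.pem` and `sp-key.pem` world-readable on the bind-mounted `./configs-and-secrets/grouper/...` directories of the host checkout; private keys should get `chmod 600` and only the certificates 644 (if shibd inside the grouper image reads sp-key.pem as a non-root user, grant that through group ownership rather than world access). In the same hunk grouper_daemon moves from `RABBITMQ_PASSWORD_FILE=/run/secrets/rabbitmq_password.txt` to a plain `RABBITMQ_PASSWORD=password`, and grouper_data sets `POSTGRES_HOST_AUTH_METHOD=trust` next to `POSTGRES_PASSWORD=password`, so any container on `net` can open the Grouper database as any role without a credential — tolerable in a demo, but a comment such as `# demo only: trust auth, never reuse outside an isolated network` would stop it being copied. The nginx config written here also enables `proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3` for the upstream IdP connection; `TLSv1.2 TLSv1.3` is enough unless the pinned shib-idp image cannot negotiate them, which is worth checking rather than assuming.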
; + if [ $$(keytool -list -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass:file /opt/midpoint/var/keystorepw | grep -c 'local_gen_cert') -eq 0 ] ; + then + keytool -importcert -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass:file /opt/midpoint/var/keystorepw -trustcacerts -alias 'local_gen_cert' -file /opt/midpoint/var/cert.pem -noprompt ; + else + echo 'Certificate exists in the cert store' ; + fi ; + " environment: - - CREATE_NEW_DATABASE=if_needed + - MP_SET_midpoint_repository_jdbcUsername=midpoint + - MP_SET_midpoint_repository_jdbcPassword_FILE=/mnt/shared_pw/db_pass + - MP_SET_midpoint_repository_jdbcUrl=jdbc:postgresql://midpoint_data:5432/midpoint + - MP_SET_midpoint_repository_database=postgresql + - MP_INIT_CFG=/opt/midpoint/var + - MP_PW_DEF=/opt/midpoint/var/keystorepw + - MP_KEYSTORE=/opt/midpoint/var/keystore.jceks + networks: + - net + volumes: + - midpoint_home:/opt/midpoint/var + - shared_pw:/mnt/shared_pw + - ./midpoint_server:/opt/midpoint-init:ro midpoint_server: - build: ./midpoint_server/ + image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux + container_name: midpoint_server + hostname: midpoint-container depends_on: - - midpoint_data + data_init: + condition: service_completed_successfully + idp_vol_init: + condition: service_completed_successfully + midpoint_data: + condition: service_healthy + command: [ "/opt/midpoint/bin/midpoint.sh", "container" ] ports: - - 8443:443 + - 8080:8080 environment: - - ENV - - USERTOKEN - - REPO_DATABASE_TYPE - - REPO_JDBC_URL - - REPO_HOST - - REPO_PORT - - REPO_DATABASE - - REPO_USER - - REPO_MISSING_SCHEMA_ACTION - - REPO_UPGRADEABLE_SCHEMA_ACTION - - REPO_SCHEMA_VERSION_IF_MISSING - - REPO_SCHEMA_VARIANT - - MP_MEM_MAX - - MP_MEM_INIT - - MP_JAVA_OPTS - - TIER_BEACON_OPT_OUT - - TIMEZONE + - MP_SET_midpoint_repository_jdbcUsername=midpoint + - MP_SET_midpoint_repository_jdbcPassword_FILE=/mnt/shared_pw/db_pass + - 
MP_SET_midpoint_repository_jdbcUrl=jdbc:postgresql://midpoint_data:5432/midpoint + - MP_SET_midpoint_repository_database=postgresql + - MP_SET_midpoint_keystore_keyStorePassword_FILE=/opt/midpoint/var/keystorepw + - MP_SET_midpoint_administrator_initialPassword=Test5ecr3t + - MP_UNSET_midpoint_repository_hibernateHbm2ddl=1 + - MP_NO_ENV_COMPAT=1 networks: net: aliases: - midpoint-server - secrets: - - mp_database_password.txt - - mp_keystore_password.txt - - mp_host-key.pem - - mp_shibboleth_sp_keys.jks volumes: - midpoint_home:/opt/midpoint/var - - type: bind - source: ./configs-and-secrets/midpoint/shibboleth/idp-metadata.xml - target: /etc/shibboleth/idp-metadata.xml - - type: bind - source: ./configs-and-secrets/midpoint/httpd/host-cert.pem - target: /etc/pki/tls/certs/host-cert.pem - - type: bind - source: ./configs-and-secrets/midpoint/httpd/host-cert.pem - target: /etc/pki/tls/certs/cachain.pem + - shared_pw:/mnt/shared_pw + + directory: + build: ./directory/ + ports: + - 389:389 + networks: + - net + healthcheck: + test: [ "CMD-SHELL", "cat > /dev/tcp/localhost/389" ] + interval: 30s + timeout: 5s + retries: 10 + volumes: + - ldap:/var/lib/ldap + + idp_vol_init: + image: tier/shib-idp:3.4.6_20191002 + depends_on: + prereq: + condition: service_completed_successfully + ulimits: + nofile: + soft: 1024 + hard: 2048 + command: > + bash -c " + echo 'Updating configuration...' ; + if [ -e /mnt/shibboleth-diff/conf ] ; + then + cp -vu /mnt/shibboleth-diff/conf/* /opt/shibboleth-idp/conf ; + fi ; + if [ -e /mnt/shibboleth-diff/credentials ] ; + then + cp -vu /mnt/shibboleth-diff/credentials/* /opt/shibboleth-idp/credentials ; + fi ; + if [ -e /mnt/shibboleth-diff/metadata ] ; + then + cp -vu /mnt/shibboleth-diff/metadata/* /opt/shibboleth-idp/metadata ; + fi ; + echo ' - - - - - - -' ; + echo 'Updating idp-metadata.xml file...' 
; + grep -n 'X509Certificate' /mnt/shibboleth-diff/metadata/idp-metadata.xml | sed \"s/\\([0-9]*\\).*/\\1/\" > /tmp/checkpoints ; + wc -l /mnt/shibboleth-diff/metadata/idp-metadata.xml | sed \"s/\\([0-9]*\\).*/\\1/\" >> /tmp/checkpoints ; + current_line=1 ; + id=0 ; + file_path=( - idp-backchannel.crt - idp-signing.crt - idp-encryption.crt - idp-backchannel.crt - idp-signing.crt - idp-encryption.crt - ) ; + rm /opt/shibboleth-idp/metadata/idp-metadata.xml ; + cat /tmp/checkpoints | while read line ; do + if [ \"$${file_path[$${id}]}\" == \"-\" ] ; then + sed -n \"$${current_line},$${line}p\" /mnt/shibboleth-diff/metadata/idp-metadata.xml >> /opt/shibboleth-idp/metadata/idp-metadata.xml ; + else + sed '1d;$$d' /opt/shibboleth-idp/credentials/$${file_path[$${id}]} >> /opt/shibboleth-idp/metadata/idp-metadata.xml ; + fi ; + current_line=$${line}; + id=$$(( $${id} + 1 )) ; + done ; + cp -v /opt/shibboleth-idp/metadata/idp-metadata.xml /opt/midpoint/var/shibboleth/idp-metadata.xml ; + cp -v /opt/shibboleth-idp/metadata/idp-metadata.xml /opt/grouper/idp-metadata.xml ; + chown --reference=/opt/grouper /opt/grouper/idp-metadata.xml ; + echo ' - - - - - - -' ; + echo 'Updating midpoint-sp.xml...'; + grep -n 'X509Certificate' /mnt/shibboleth-diff/metadata/midpoint-sp.xml | sed \"s/\\([0-9]*\\).*/\\1/\" > /tmp/checkpoints ; + wc -l /mnt/shibboleth-diff/metadata/midpoint-sp.xml | sed \"s/\\([0-9]*\\).*/\\1/\" >> /tmp/checkpoints ; + current_line=1 ; + id=0 ; + file_path=( - sp-signing-cert.pem - ) ; + rm /opt/shibboleth-idp/metadata/midpoint-sp.xml ; + cat /tmp/checkpoints | while read line ; do + if [ \"$${file_path[$${id}]}\" == \"-\" ] ; then + sed -n \"$${current_line},$${line}p\" /mnt/shibboleth-diff/metadata/midpoint-sp.xml >> /opt/shibboleth-idp/metadata/midpoint-sp.xml ; + else + sed '1d;$$d' /opt/shibboleth-idp/credentials/$${file_path[$${id}]} >> /opt/shibboleth-idp/metadata/midpoint-sp.xml ; + fi ; + current_line=$${line}; + id=$$(( $${id} + 1 )) ; + done ; + sed -i 
\"s/\\([[:space:]]<ds:X509Certificate>\\).*$$/\\1/g;s/^[[:space:]]\\(<ds:X509Certificate>\\).*$$/\\1/g\" /opt/shibboleth-idp/metadata/midpoint-sp.xml ; + echo ' - - - - - - -' ; + echo 'Updating grouper-sp.xml...'; + grep -n 'X509Certificate' /mnt/shibboleth-diff/metadata/grouper-sp.xml | sed \"s/\\([0-9]*\\).*/\\1/\" > /tmp/checkpoints ; + wc -l /mnt/shibboleth-diff/metadata/grouper-sp.xml | sed \"s/\\([0-9]*\\).*/\\1/\" >> /tmp/checkpoints ; + current_line=1 ; + id=0 ; + file_path=( - sp-cert.pem - sp-cert.pem - ) ; + rm /opt/shibboleth-idp/metadata/grouper-sp.xml ; + cat /tmp/checkpoints | while read line ; do + if [ \"$${file_path[$${id}]}\" == \"-\" ] ; then + sed -n \"$${current_line},$${line}p\" /mnt/shibboleth-diff/metadata/grouper-sp.xml >> /opt/shibboleth-idp/metadata/grouper-sp.xml ; + else + sed '1d;$$d' /opt/shibboleth-idp/credentials/$${file_path[$${id}]} >> /opt/shibboleth-idp/metadata/grouper-sp.xml ; + fi ; + current_line=$${line}; + id=$$(( $${id} + 1 )) ; + done ; + sed -i \"s/\\([[:space:]]<ds:X509Certificate>\\).*$$/\\1/g;s/^[[:space:]]\\(<ds:X509Certificate>\\).*$$/\\1/g\" /opt/shibboleth-idp/metadata/grouper-sp.xml ; + echo ' - - - - - - -' ; + echo 'Generating sealer key...' ; + rm /opt/shibboleth-idp/credentials/sealer.* ; + /opt/shibboleth-idp/bin/rotateSealerKey.sh ; + echo ' - - - - - - -' ; + echo 'DONE.' 
; + " + volumes: + - idp_conf:/opt/shibboleth-idp/conf + - idp_credentials:/opt/shibboleth-idp/credentials + - idp_metadata:/opt/shibboleth-idp/metadata + - ./shibboleth-idp:/mnt/shibboleth-diff:ro + - midpoint_home:/opt/midpoint/var + - ./configs-and-secrets/grouper/shibboleth:/opt/grouper - idp: - build: ./idp/ + idp: + image: tier/shib-idp:3.4.6_20191002 depends_on: - - directory + directory: + condition: service_started + idp_vol_init: + condition: service_completed_successfully + ulimits: + nofile: + soft: 1024 + hard: 2048 environment: - JETTY_MAX_HEAP=64m - JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=password - JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=password networks: - net + volumes: + - idp_conf:/opt/shibboleth-idp/conf + - idp_credentials:/opt/shibboleth-idp/credentials + - idp_metadata:/opt/shibboleth-idp/metadata + - idp_certs:/opt/certs + + beacon: + build: ./beacon/ + networks: + - net + environment: + - TIER_RELEASE=not-released-yet + - TIER_MAINTAINER=tier + - MP_VERSION=4.8 + - TIER_BEACON_OPT_OUT=true + + proxy: + image: nginx:stable + depends_on: + prereq: + condition: service_completed_successfully + midpoint_server: + condition: service_started + idp: + condition: service_started ports: + - 8180:80 - 443:443 + networks: + - net + volumes: + - proxy_conf:/etc/nginx/conf.d + - proxy_cert:/etc/nginx/certs mq: build: ./mq/ environment: - RABBITMQ_NODENAME=docker-rabbit hostname: rabbitmq + ulimits: + nofile: + soft: 1024 + hard: 2048 networks: - net ports: 
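Review bot: midpoint_server receives `MP_SET_midpoint_administrator_initialPassword=Test5ecr3t` as a plain environment value on the instance the proxy fronts on host port 443, while the same hunk takes care to pass the repository password generated by prereq as `MP_SET_midpoint_repository_jdbcPassword_FILE=/mnt/shared_pw/db_pass`; the admin password deserves the same treatment — generate it into `shared_pw` alongside `db_pass` and pass `MP_SET_midpoint_administrator_initialPassword_FILE=/mnt/shared_pw/admin_pass` (assuming the `_FILE` suffix is honoured for that key as it is for jdbcPassword), or at minimum mark it with a `# demo-only default` comment. In data_init the `grep -q "ERROR" /tmp/ninja.log && ( … ) || echo …` chain is not an if/else: if `ninja.sh run-sql` fails inside the subshell, the `||` branch prints "Repository init is not needed" and the container exits 0, so midpoint_server's `service_completed_successfully` gate passes on a broken repository; write it as `if grep -q ERROR /tmp/ninja.log ; then … ; else … ; fi` and make the command fail explicitly when run-sql fails. The `directory` service carried over here still publishes `389:389` on the host, exposing plaintext LDAP beyond the compose network although only services on `net` consume it, so the `ports:` entry can be dropped. Finally, `tier/shib-idp:3.4.6_20191002` pins a 2019 build of the Shibboleth IdP 3 line, which I believe is past upstream end of life; that is fine for a demo but should be stated in a comment so nobody treats it as a supported baseline.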
@@ -257,42 +603,36 @@ services: - mq:/var/lib/rabbitmq networks: - net: + net: driver: bridge secrets: # grouper - g_host-key.pem: - file: ./configs-and-secrets/grouper/httpd/host-key.pem - g_sp-key.pem: - file: ./configs-and-secrets/grouper/shibboleth/sp-key.pem +# g_host-key.pem: +# file: ./configs-and-secrets/grouper/httpd/host-key.pem +# g_sp-key.pem: +# file: ./configs-and-secrets/grouper/shibboleth/sp-key.pem g_database_password.txt: file: ./configs-and-secrets/grouper/application/database_password.txt - rabbitmq_password.txt: - file: ./configs-and-secrets/grouper/application/rabbitmq_password.txt - grouper.hibernate.properties: - file: ./configs-and-secrets/grouper/application/grouper.hibernate.properties - grouper-loader.properties: - file: ./configs-and-secrets/grouper/application/grouper-loader.properties - subject.properties: - file: ./configs-and-secrets/grouper/application/subject.properties -# midPoint - mp_host-key.pem: - file: ./configs-and-secrets/midpoint/httpd/host-key.pem - mp_database_password.txt: - file: ./configs-and-secrets/midpoint/application/database_password.txt - mp_keystore_password.txt: - file: ./configs-and-secrets/midpoint/application/keystore_password.txt - mp_shibboleth_sp_keys.jks: - file: ./configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks - +# rabbitmq_password.txt: +# file: ./configs-and-secrets/grouper/application/rabbitmq_password.txt + volumes: + security_object: + midpoint_data: + midpoint_home: + idp_conf: + idp_credentials: + idp_metadata: + idp_certs: + proxy_conf: + proxy_cert: + ldap: + shared_pw: grouper_data: source_data: source_mysql: target_data: - ldap: - midpoint_data: - midpoint_mysql: - midpoint_home: mq: + grouper-external_data: + diff --git a/demo/grouper/get-import-sis-persons-status.sh b/demo/grouper/get-import-sis-persons-status.sh deleted file mode 100755 index 26d3fcd..0000000 --- a/demo/grouper/get-import-sis-persons-status.sh +++ /dev/null 
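Review bot: The `secrets:` section keeps `# g_host-key.pem:`, `# g_sp-key.pem:` and `# rabbitmq_password.txt:` as commented-out stanzas, which is dead configuration that will drift from the bind-mounted key files and the plain `RABBITMQ_PASSWORD` the services now use. Either delete the commented lines or replace them with a one-line note stating where that material now comes from, e.g. `# private keys are generated by prereq into ./configs-and-secrets/grouper and bind-mounted; rabbitmq uses a demo password in the service env`. If the intent is to return to Docker secrets later, a TODO saying so is clearer than the disabled definitions.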
@@ -1,5 +0,0 @@ -#!/bin/bash - -source ../../library.bash - -get_task_execution_status "Import from SIS persons" diff --git a/demo/grouper/grouper_daemon/Dockerfile b/demo/grouper/grouper_daemon/Dockerfile deleted file mode 100644 index f2811ea..0000000 --- a/demo/grouper/grouper_daemon/Dockerfile +++ /dev/null @@ -1,6 +0,0 @@ -FROM tier/grouper:2.4.0-a47-u25-w5-p6-20190611 - -LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" - -COPY container_files/tmp/* /tmp/ -COPY container_files/usr-local-bin/* /usr/local/bin/ diff --git a/demo/grouper/grouper_daemon/container_files/tmp/initialize.gsh b/demo/grouper/grouper_daemon/container_files/tmp/initialize.gsh deleted file mode 100644 index 67ebc1a..0000000 --- a/demo/grouper/grouper_daemon/container_files/tmp/initialize.gsh +++ /dev/null 
@@ -1,33 +0,0 @@ -System.out.println("************** initialize.gsh starting...") - -gs = GrouperSession.startRootSession() - -addStem("", "app", "app") -addStem("", "basis", "basis") -addStem("", "bundle", "bundle") -addStem("", "org", "org") -addStem("", "test", "test") - -addRootStem("ref", "ref") -addStem("ref", "course", "course") -addStem("ref", "affiliation", "affiliation") - -group = GroupFinder.findByName(gs, "etc:sysadmingroup", true) -group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign() -attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true) -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?") -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_SIMPLE") -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(cn=sysadmingroup)") -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=midpoint,ou=Groups") -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "demo") -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSourceIdName(), "ldap") -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), '${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}') -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "uniqueMember") -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId") - -chess = new GroupSave(gs).assignName("app:mailinglist:chess").assignCreateParentStemsIfNotExist(true).save() -idmfans = new 
GroupSave(gs).assignName("app:mailinglist:idm-fans").assignCreateParentStemsIfNotExist(true).save() -cs = new GroupSave(gs).assignName("app:cs").assignCreateParentStemsIfNotExist(true).save() -volunteers = new GroupSave(gs).assignName("test:volunteers").assignCreateParentStemsIfNotExist(true).save() - -System.out.println("************** initialize.gsh done.") diff --git a/demo/grouper/grouper_daemon/container_files/usr-local-bin/startup.sh b/demo/grouper/grouper_daemon/container_files/usr-local-bin/startup.sh deleted file mode 100755 index 5f2a302..0000000 --- a/demo/grouper/grouper_daemon/container_files/usr-local-bin/startup.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -if [[ -e /tmp/initialize.gsh ]] -then - echo Executing /tmp/initialize.gsh on the first start - /opt/grouper/grouper.apiBinary/bin/gsh /tmp/initialize.gsh - rm /tmp/initialize.gsh -else - echo Skipping execution of /tmp/initialize.gsh as it is not present -fi - -daemon diff --git a/demo/grouper/grouper_data/Dockerfile b/demo/grouper/grouper_data/Dockerfile deleted file mode 100644 index f12245e..0000000 --- a/demo/grouper/grouper_data/Dockerfile +++ /dev/null 
@@ -1,36 +0,0 @@ -FROM tier/grouper:2.4.0-a47-u25-w5-p6-20190611 - -LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" - -RUN yum install -y epel-release \ - && yum update -y \ - && yum install -y mariadb-server mariadb \ - && yum clean all \ - && rm -rf /var/cache/yum - -COPY container_files/conf/ /opt/grouper/grouper.apiBinary/conf/ - -RUN ln -s /usr/bin/resolveip /usr/libexec/resolveip - -RUN mysql_install_db \ - && chown -R mysql:mysql /var/lib/mysql/ \ - && sed -i 's/^\(bind-address\s.*\)/# \1/' /etc/my.cnf \ - && sed -i 's/^\(log_error\s.*\)/# \1/' /etc/my.cnf \ - && sed -i 's/\[mysqld\]/\[mysqld\]\ncharacter_set_server = utf8/' /etc/my.cnf \ - && sed -i 's/\[mysqld\]/\[mysqld\]\ncollation_server = utf8_general_ci/' /etc/my.cnf \ - && sed -i 's/\[mysqld\]/\[mysqld\]\nport = 3306/' /etc/my.cnf \ - && cat /etc/my.cnf \ - && echo "/usr/bin/mysqld_safe &" > /tmp/config \ - && echo "mysqladmin --silent --wait=30 ping || exit 1" >> /tmp/config \ - && echo "mysql -e 'GRANT ALL PRIVILEGES ON *.* TO \"root\"@\"%\" WITH GRANT OPTION;'" >> /tmp/config \ - && echo "mysql -e 'CREATE DATABASE grouper CHARACTER SET utf8 COLLATE utf8_bin;'" >> /tmp/config \ - && bash /tmp/config \ - && rm -f /tmp/config - -RUN (mysqld_safe & ) \ - && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 1; done; \ - bin/gsh -registry -check -runscript -noprompt - -EXPOSE 3306 - -CMD mysqld_safe diff --git a/demo/grouper/grouper_data_init/bootstrap/initialize.gsh b/demo/grouper/grouper_data_init/bootstrap/initialize.gsh new file mode 100644 index 0000000..eacf873 --- /dev/null +++ b/demo/grouper/grouper_data_init/bootstrap/initialize.gsh 
@@ -0,0 +1,98 @@ +System.out.println("************** initialize.gsh starting...") + +gs = GrouperSession.startRootSession() + +addStem("", "app", "app") +addStem("", "basis", "basis") +addStem("", "bundle", "bundle") +addStem("", "org", "org") +addStem("", "test", "test") + +addRootStem("ref", "ref") +addStem("ref", "course", "Course") +addStem("ref", "dept", "Department") +addStem("ref", "affiliation", "Affiliation") + +new GroupSave().assignName("ref:affiliation:alum").assignDisplayName("Alumni").assignCreateParentStemsIfNotExist(true).save(); +new GroupSave().assignName("ref:affiliation:community").assignDisplayName("Community").assignCreateParentStemsIfNotExist(true).save(); +new GroupSave().assignName("ref:affiliation:faculty").assignDisplayName("Faculty").assignCreateParentStemsIfNotExist(true).save(); +new GroupSave().assignName("ref:affiliation:member").assignDisplayName("Member").assignCreateParentStemsIfNotExist(true).save(); +new GroupSave().assignName("ref:affiliation:staff").assignDisplayName("Staff").assignCreateParentStemsIfNotExist(true).save(); +new GroupSave().assignName("ref:affiliation:student").assignDisplayName("Student").assignCreateParentStemsIfNotExist(true).save(); + +group = GroupFinder.findByName(gs, "etc:sysadmingroup", true) +group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign() +attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true) +attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?") +attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_SIMPLE") +attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(cn=sysadmingroup)") 
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=midpoint,ou=Groups") +attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "demo") +attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSourceIdName(), "ldap") +attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), '${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}') +attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "uniqueMember") +attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId") + +admins = new GroupSave(gs).assignName("app:wordpress:admins").assignCreateParentStemsIfNotExist(true).save() +editors = new GroupSave(gs).assignName("app:wordpress:editors").assignCreateParentStemsIfNotExist(true).save() +chess = new GroupSave(gs).assignName("app:mailinglist:chess").assignCreateParentStemsIfNotExist(true).save() +idmfans = new GroupSave(gs).assignName("app:mailinglist:idm-fans").assignCreateParentStemsIfNotExist(true).save() +cs = new GroupSave(gs).assignName("app:cs").assignCreateParentStemsIfNotExist(true).save() +volunteers = new GroupSave(gs).assignName("test:volunteers").assignCreateParentStemsIfNotExist(true).save() + + +group = new GroupSave(gs).assignName("etc:affiliationLoader").assignCreateParentStemsIfNotExist(true).save() +group.addType(GroupTypeFinder.find("grouperLoader")) +group.setAttribute("grouperLoaderDbName", "sis") +group.setAttribute("grouperLoaderType", "SQL_GROUP_LIST") +group.setAttribute("grouperLoaderScheduleType", "CRON") +group.setAttribute("grouperLoaderQuartzCron", "0 * * * * ?") +group.setAttribute("grouperLoaderDbName", "sis") +group.setAttribute("grouperLoaderGroupTypes", "addIncludeExclude") +group.setAttribute("grouperLoaderQuery", 
"SELECT concat('ref:affiliation:',affiliation,'_systemOfRecord') as GROUP_NAME, uid as SUBJECT_IDENTIFIER, 'ldap' as SUBJECT_SOURCE_ID from SIS_AFFILIATIONS") + +group = new GroupSave(gs).assignName("etc:deptLoader").assignCreateParentStemsIfNotExist(true).save() +group.addType(GroupTypeFinder.find("grouperLoader")) +group.setAttribute("grouperLoaderDbName", "sis") +group.setAttribute("grouperLoaderType", "SQL_GROUP_LIST") +group.setAttribute("grouperLoaderScheduleType", "CRON") +group.setAttribute("grouperLoaderQuartzCron", "0 * * * * ?") +group.setAttribute("grouperLoaderDbName", "sis") +group.setAttribute("grouperLoaderQuery", "SELECT concat('ref:dept:',department) as GROUP_NAME, uid as SUBJECT_IDENTIFIER, 'ldap' as SUBJECT_SOURCE_ID from SIS_PERSONS where department is not null") + +group = new GroupSave(gs).assignName("etc:coursesLoader").assignCreateParentStemsIfNotExist(true).save() +group.addType(GroupTypeFinder.find("grouperLoader")) +group.setAttribute("grouperLoaderDbName", "sis") +group.setAttribute("grouperLoaderType", "SQL_GROUP_LIST") +group.setAttribute("grouperLoaderScheduleType", "CRON") +group.setAttribute("grouperLoaderQuartzCron", "0 * * * * ?") +group.setAttribute("grouperLoaderDbName", "sis") +group.setAttribute("grouperLoaderQuery", "SELECT concat('ref:course:',courseId) as GROUP_NAME, uid as SUBJECT_IDENTIFIER, 'ldap' as SUBJECT_SOURCE_ID from SIS_COURSES") + +edu.internet2.middleware.grouper.app.loader.GrouperLoaderType.scheduleLoads() + + + +def addGroups(gs,stem,owner,regexp) { + for (group in stem.childGroups) { + if (!group.name.endsWith('_includes') && + !group.name.endsWith('_excludes') && + !group.name.endsWith('_systemOfRecord') && + !group.name.endsWith('_systemOfRecordAndIncludes') && + (regexp == null || group.extension ==~ regexp)) { + println 'Adding: ' + group + def s = SubjectFinder.findById(group.getId(), 'group', 'g:gsa') + owner.addMember(s, false) + } else { + println 'Ignoring: ' + group + } + } +} + +def cs = 
GroupFinder.findByName(gs, "app:cs", true) + +gs = GrouperSession.startRootSession() +addGroups(gs, StemFinder.findByName(gs, 'ref:course'), cs, /CS.*/) + +System.out.println("************** initialize.gsh done.") + diff --git a/demo/grouper/grouper_data_init/bootstrap/set-prov.gsh b/demo/grouper/grouper_data_init/bootstrap/set-prov.gsh new file mode 100644 index 0000000..e142afe --- /dev/null +++ b/demo/grouper/grouper_data_init/bootstrap/set-prov.gsh 
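Review bot: The loader block on `etc:sysadmingroup` near the top of the hunk makes Grouper sysadmin membership follow the LDAP group matched by `(cn=sysadmingroup)` under `ou=midpoint,ou=Groups` on server `demo` every minute, so anyone who can edit that LDAP entry effectively holds Grouper admin; that trust relationship deserves a comment above `group = GroupFinder.findByName(gs, "etc:sysadmingroup", true)`, e.g. `// etc:sysadmingroup is refreshed from LDAP cn=sysadmingroup each minute — write access to that LDAP group grants Grouper sysadmin`. Each of the three SQL loader blocks sets `grouperLoaderDbName` twice; the second `group.setAttribute("grouperLoaderDbName", "sis")` is a no-op and should go. `addGroups(gs, StemFinder.findByName(gs, 'ref:course'), cs, /CS.*/)` runs straight after `scheduleLoads()`, so unless the course loader has already populated `ref:course` the stem presumably has no child groups yet and `app:cs` stays empty — worth confirming. `def cs = GroupFinder.findByName(gs, "app:cs", true)` also re-fetches the group already held in `cs` a few lines earlier.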
@@ -0,0 +1,52 @@ + +provisioner_name="midPoint"; +GrouperSession grouperSession = GrouperSession.startRootSession(); + +def setProvOnStem(grouperSession,provisioner_name,folder_name) { + AttributeAssign attributeAssignMarker = null; + attributeAssignMarker = new AttributeAssignSave(grouperSession).assignOwnerStemName(folder_name).assignNameOfAttributeDefName("etc:provisioning:provisioningMarker").save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDirectAssign").addValue("true").save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDoProvision").addValue(provisioner_name).save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningStemScope").addValue("sub").save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningTarget").addValue(provisioner_name).save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningMetadataJson").addValue("{\"destination\":\"midpoint\",\"actor\":\"initial load\"}").save(); + +} + +def setProvOnGroup(grouperSession,provisioner_name,group_name) { + AttributeAssign attributeAssignMarker = null; + attributeAssignMarker = new AttributeAssignSave(grouperSession).assignOwnerGroupName(group_name).assignNameOfAttributeDefName("etc:provisioning:provisioningMarker").save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDirectAssign").addValue("true").save(); + new 
AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDoProvision").addValue(provisioner_name).save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningStemScope").addValue("sub").save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningTarget").addValue(provisioner_name).save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningMetadataJson").addValue("{\"destination\":\"midpoint\",\"actor\":\"initial load\"}").save(); + +} + +def setProvOnGroupWithMailListAttr(grouperSession,provisioner_name,group_name,email_list_name) { + AttributeAssign attributeAssignMarker = null; + attributeAssignMarker = new AttributeAssignSave(grouperSession).assignOwnerGroupName(group_name).assignNameOfAttributeDefName("etc:provisioning:provisioningMarker").save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDirectAssign").addValue("true").save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDoProvision").addValue(provisioner_name).save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningStemScope").addValue("sub").save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningTarget").addValue(provisioner_name).save(); + new 
AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningMetadataJson").addValue("{\"destination\":\"midpoint\",\"actor\":\"initial load\"}").save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningMetadataJson").addValue("{\"md_grouper_emailListName\":\"" + email_list_name + "\"}").save(); + +} + + +setProvOnStem(grouperSession,provisioner_name,"app") +setProvOnGroupWithMailListAttr(grouperSession,provisioner_name,"app:mailinglist:chess","chessclub@example.edu") +setProvOnGroupWithMailListAttr(grouperSession,provisioner_name,"app:mailinglist:idm-fans","idmfans@example.edu") +setProvOnStem(grouperSession,provisioner_name,"test") +setProvOnStem(grouperSession,provisioner_name,"ref:dept") +setProvOnStem(grouperSession,provisioner_name,"ref:course") +setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:alum") +setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:community") +setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:faculty") +setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:member") +setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:staff") +setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:student") + diff --git a/demo/grouper/grouper_data/container_files/conf/grouper.hibernate.properties b/demo/grouper/grouper_data_init/conf/grouper.hibernate.properties similarity index 85% rename from demo/grouper/grouper_data/container_files/conf/grouper.hibernate.properties rename to demo/grouper/grouper_data_init/conf/grouper.hibernate.properties index 154b8eb..bfac95a 100644 --- a/demo/grouper/grouper_data/container_files/conf/grouper.hibernate.properties +++ b/demo/grouper/grouper_data_init/conf/grouper.hibernate.properties 
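Review bot: `setProvOnGroupWithMailListAttr` saves `etc:provisioning:provisioningMetadataJson` twice on the same marker, first with `{"destination":"midpoint","actor":"initial load"}` and then with `{"md_grouper_emailListName":…}`; unless that attribute is multi-valued in the `etc:provisioning` definition, the second save presumably replaces or rejects the first, so either merge both into one JSON object or confirm multi-value is allowed. The three functions also repeat the same five `AttributeAssignSave` calls verbatim and differ only in how the marker's owner is chosen; factoring the shared part into one helper keeps the attribute list in a single place. `AttributeAssign attributeAssignMarker = null;` followed by an immediate assignment can be a single `def marker = …`.
```groovy
// Assigns the common provisioning values beneath an already-saved provisioningMarker.
def addProvValues(grouperSession, provisioner_name, attributeAssignMarker) {
    [
        "etc:provisioning:provisioningDirectAssign" : "true",
        "etc:provisioning:provisioningDoProvision"  : provisioner_name,
        "etc:provisioning:provisioningStemScope"    : "sub",
        "etc:provisioning:provisioningTarget"       : provisioner_name,
        "etc:provisioning:provisioningMetadataJson" : "{\"destination\":\"midpoint\",\"actor\":\"initial load\"}"
    ].each { defName, value ->
        new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName(defName).addValue(value).save();
    }
}

def setProvOnStem(grouperSession, provisioner_name, folder_name) {
    def marker = new AttributeAssignSave(grouperSession).assignOwnerStemName(folder_name).assignNameOfAttributeDefName("etc:provisioning:provisioningMarker").save();
    addProvValues(grouperSession, provisioner_name, marker)
}
// … unchanged: setProvOnGroup and setProvOnGroupWithMailListAttr, each reduced to saving its marker and calling addProvValues …
```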
@@ -20,10 +20,13 @@ # e.g. hsqldb (b): jdbc:hsqldb:hsql://localhost:9001/grouper # e.g. postgres: jdbc:postgresql://localhost:5432/database # e.g. mssql: jdbc:sqlserver://localhost:3280;databaseName=grouper -hibernate.connection.url = jdbc:mysql://localhost:3306/grouper?CharSet=utf8&useUnicode=true&characterEncoding=utf8 +hibernate.connection.url = jdbc:postgresql://grouper_data:5432/grouper -hibernate.connection.username = root +hibernate.connection.username = grouper # If you are using an empty password, depending upon your version of # Java and Ant you may need to specify a password of "". # Note: you can keep passwords external and encrypted: https://bugs.internet2.edu/jira/browse/GRP-122 -hibernate.connection.password = +hibernate.connection.password = password +registry.auto.ddl.upToVersion = 4.*.* +hibernate.c3p0.max_size = 200 + diff --git a/demo/grouper/grouper_data/container_files/conf/grouper.properties b/demo/grouper/grouper_data_init/conf/grouper.properties similarity index 100% rename from demo/grouper/grouper_data/container_files/conf/grouper.properties rename to demo/grouper/grouper_data_init/conf/grouper.properties diff --git a/demo/grouper/grouper_data_init/sql/010_createSQLuser.sql b/demo/grouper/grouper_data_init/sql/010_createSQLuser.sql new file mode 100644 index 0000000..9e6bd40 --- /dev/null +++ b/demo/grouper/grouper_data_init/sql/010_createSQLuser.sql @@ -0,0 +1,6 @@ +ALTER system SET max_connections=250; +ALTER system SET shared_buffers='180MB'; +CREATE USER grouper PASSWORD 'password'; +CREATE DATABASE grouper; +GRANT ALL PRIVILEGES ON DATABASE grouper TO grouper; +ALTER DATABASE grouper OWNER TO grouper; diff --git a/demo/grouper/grouper_data_init/sql/015_createDBforMP.sql b/demo/grouper/grouper_data_init/sql/015_createDBforMP.sql new file mode 100644 index 0000000..471d523 --- /dev/null +++ b/demo/grouper/grouper_data_init/sql/015_createDBforMP.sql 
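Review bot: `hibernate.connection.password = password` commits the database credential in plaintext directly under the comment that recommends keeping passwords external, and the same literal is created in the `010_createSQLuser.sql` hunk on this line (`CREATE USER grouper PASSWORD 'password'`). The compose change in this commit still defines a file-backed `g_database_password.txt` secret, so the properties should be fed from that at container start rather than carrying the value in the repo, or at minimum the line should carry `# demo-only credential — replace before any shared deployment`. `hibernate.c3p0.max_size = 200` sits close to the `max_connections=250` set in `010_createSQLuser.sql`; if more than one Grouper container (ui, ws, daemon) uses this same properties file, the pools presumably exceed the server limit — worth confirming against the compose services.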
@@ -0,0 +1,3 @@
+CREATE DATABASE grouper_to_midpoint;
+GRANT ALL PRIVILEGES ON DATABASE grouper_to_midpoint TO grouper;
+ALTER DATABASE grouper_to_midpoint OWNER TO grouper;
diff --git a/demo/grouper/grouper_data_init/sql/020_createDBforMP.sh b/demo/grouper/grouper_data_init/sql/020_createDBforMP.sh
new file mode 100644
index 0000000..db8403b
--- /dev/null
+++ b/demo/grouper/grouper_data_init/sql/020_createDBforMP.sh
@@ -0,0 +1,97 @@
+#!/bin/bash
+set -e
+
+psql -v ON_ERROR_STOP=1 --username "grouper" --dbname "grouper_to_midpoint" <<-EOSQL
+CREATE TABLE gr_mp_groups (
+ group_name varchar(1024) NULL, -- Name of group mapped in some way
+ id_index int8 NOT NULL, -- This is the integer identifier for a group and foreign key to group attributes and memberships
+ display_name varchar(1024) NULL, -- Display name of group mapped in some way
+ description varchar(1024) NULL, -- Description of group mapped in some way
+ last_modified int8 NOT NULL, -- Millis since 1970, will be sequential and unique
+ deleted varchar(1) NOT NULL, -- T or F. Deleted rows will be removed after they have had time to be processed
+ CONSTRAINT gr_mp_groups_pkey PRIMARY KEY (id_index)
+);
+CREATE INDEX gr_mp_groups_ddx ON gr_mp_groups(display_name);
+CREATE INDEX gr_mp_groups_gdx ON gr_mp_groups(group_name);
+CREATE UNIQUE INDEX gr_mp_groups_idx ON gr_mp_groups(id_index);
+CREATE UNIQUE INDEX gr_mp_groups_ldx ON gr_mp_groups(last_modified);
+COMMENT ON TABLE gr_mp_groups IS 'This table holds groups';
+
+COMMENT ON COLUMN gr_mp_groups.group_name IS 'Name of group mapped in some way';
+COMMENT ON COLUMN gr_mp_groups.id_index IS 'This is the integer identifier for a group and foreign key to group attributes and memberships';
+COMMENT ON COLUMN gr_mp_groups.display_name IS 'Display name of group mapped in some way';
+COMMENT ON COLUMN gr_mp_groups.description IS 'Description of group mapped in some way';
+COMMENT ON COLUMN gr_mp_groups.last_modified IS 'Millis since 1970, will be sequential and unique';
+COMMENT ON COLUMN gr_mp_groups.deleted IS 'T or F. Deleted rows will be removed after they have had time to be processed';
+
+CREATE TABLE gr_mp_subjects (
+ subject_id_index int8 NOT NULL, -- This is the integer identifier for a subject and foreign key to subject attributes and memberships
+ subject_id varchar(1024) NULL, -- Subject ID mapped in some way
+ last_modified int8 NOT NULL, -- Millis since 1970, will be sequential and unique
+ deleted varchar(1) NOT NULL, -- T or F. Deleted rows will be removed after they have had time to be processed
+ CONSTRAINT gr_mp_subjects_pkey PRIMARY KEY (subject_id_index)
+);
+CREATE UNIQUE INDEX gr_mp_subjects_idx ON gr_mp_subjects(subject_id_index);
+CREATE UNIQUE INDEX gr_mp_subjects_ldx ON gr_mp_subjects(last_modified);
+CREATE INDEX gr_mp_subjects_sdx ON gr_mp_subjects(subject_id);
+COMMENT ON TABLE gr_mp_subjects IS 'This table holds subjects';
+
+COMMENT ON COLUMN gr_mp_subjects.subject_id_index IS 'This is the integer identifier for a subject and foreign key to subject attributes and memberships';
+COMMENT ON COLUMN gr_mp_subjects.subject_id IS 'Subject ID mapped in some way';
+COMMENT ON COLUMN gr_mp_subjects.last_modified IS 'Millis since 1970, will be sequential and unique';
+COMMENT ON COLUMN gr_mp_subjects.deleted IS 'T or F. Deleted rows will be removed after they have had time to be processed';
+
+CREATE TABLE gr_mp_group_attributes (
+ group_id_index int8 NOT NULL, -- This is the integer identifier for a group and foreign key to groups and memberships
+ attribute_name varchar(1000) NOT NULL, -- Attribute name for attributes not in the main group table
+ attribute_value varchar(4000) NULL, -- Attribute value could be null
+ last_modified int8 NOT NULL, -- Millis since 1970, will be sequential and unique
+ deleted varchar(1) NOT NULL, -- T or F. Deleted rows will be removed after they have had time to be processed
+ CONSTRAINT gr_mp_group_attributes_fk FOREIGN KEY (group_id_index) REFERENCES gr_mp_groups(id_index) ON DELETE CASCADE
+ );
+CREATE UNIQUE INDEX gr_mp_group_attributes_idx ON gr_mp_group_attributes(group_id_index, attribute_name, attribute_value);
+CREATE UNIQUE INDEX gr_mp_group_attributes_ldx ON gr_mp_group_attributes(last_modified);
+COMMENT ON TABLE gr_mp_group_attributes IS 'This table holds group attributes which are one to one or one to many to the groups table';
+
+COMMENT ON COLUMN gr_mp_group_attributes.group_id_index IS 'This is the integer identifier for a group and foreign key to groups and memberships';
+COMMENT ON COLUMN gr_mp_group_attributes.attribute_name IS 'Attribute name for attributes not in the main group table';
+COMMENT ON COLUMN gr_mp_group_attributes.attribute_value IS 'Attribute value could be null';
+COMMENT ON COLUMN gr_mp_group_attributes.last_modified IS 'Millis since 1970, will be sequential and unique';
+COMMENT ON COLUMN gr_mp_group_attributes.deleted IS 'T or F. Deleted rows will be removed after they have had time to be processed';
+
+CREATE TABLE gr_mp_memberships (
+ group_id_index int8 NOT NULL, -- This is the foreign key to groups
+ subject_id_index int8 NOT NULL, -- This is the foreign key to subjects
+ last_modified int8 NOT NULL, -- Millis since 1970, will be sequential and unique
+ deleted varchar(1) NOT NULL, -- T or F. Deleted rows will be removed after they have had time to be processed
+ CONSTRAINT gr_mp_memberships_gfk FOREIGN KEY (group_id_index) REFERENCES gr_mp_groups(id_index) ON DELETE CASCADE,
+ CONSTRAINT gr_mp_memberships_sfk FOREIGN KEY (subject_id_index) REFERENCES gr_mp_subjects(subject_id_index) ON DELETE CASCADE
+ );
+CREATE UNIQUE INDEX gr_mp_memberships_idx ON gr_mp_memberships(group_id_index, subject_id_index);
+CREATE UNIQUE INDEX gr_mp_memberships_ldx ON gr_mp_memberships(last_modified);
+COMMENT ON TABLE gr_mp_memberships IS 'This table holds memberships. The primary key is group_id_index and subject_id_index';
+
+COMMENT ON COLUMN gr_mp_memberships.group_id_index IS 'This is the foreign key to groups';
+COMMENT ON COLUMN gr_mp_memberships.subject_id_index IS 'This is the foreign key to subjects';
+COMMENT ON COLUMN gr_mp_memberships.last_modified IS 'Millis since 1970, will be sequential and unique';
+COMMENT ON COLUMN gr_mp_memberships.deleted IS 'T or F. Deleted rows will be removed after they have had time to be processed';
+
+CREATE TABLE gr_mp_subject_attributes (
+ subject_id_index int8 NOT NULL, -- This is the integer identifier and foreign key to subjects
+ attribute_name varchar(1000) NOT NULL, -- Attribute name for attributes not in the main subject table
+ attribute_value varchar(4000) NULL, -- Attribute value could be null
+ last_modified int8 NOT NULL, -- Millis since 1970, will be sequential and unique
+ deleted varchar(1) NOT NULL, -- T or F. Deleted rows will be removed after they have had time to be processed
+ CONSTRAINT gr_mp_subject_attributes_fk FOREIGN KEY (subject_id_index) REFERENCES gr_mp_subjects(subject_id_index) ON DELETE CASCADE
+ );
+CREATE UNIQUE INDEX gr_mp_subject_attributes_idx ON gr_mp_subject_attributes(subject_id_index, attribute_name, attribute_value);
+CREATE UNIQUE INDEX gr_mp_subject_attributes_ldx ON gr_mp_subject_attributes(last_modified);
+COMMENT ON TABLE gr_mp_subject_attributes IS 'This table holds subject attributes which are one to one or one to many to the subjects table';
+
+COMMENT ON COLUMN gr_mp_subject_attributes.subject_id_index IS 'This is the integer identifier and foreign key to subjects';
+COMMENT ON COLUMN gr_mp_subject_attributes.attribute_name IS 'Attribute name for attributes not in the main subject table';
+COMMENT ON COLUMN gr_mp_subject_attributes.attribute_value IS 'Attribute value could be null';
+COMMENT ON COLUMN gr_mp_subject_attributes.last_modified IS 'Millis since 1970, will be sequential and unique';
+COMMENT ON COLUMN gr_mp_subject_attributes.deleted IS 'T or F. Deleted rows will be removed after they have had time to be processed';
+
+EOSQL
diff --git a/demo/grouper/grouper_ui/Dockerfile b/demo/grouper/grouper_ui/Dockerfile
deleted file mode 100644
index 60c8015..0000000
--- a/demo/grouper/grouper_ui/Dockerfile
+++ /dev/null
@@ -1,7 +0,0 @@
-FROM tier/grouper:2.4.0-a47-u25-w5-p6-20190611
-
-LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
-
-#COPY in custom css, images, etc
-
-CMD ["ui"]
diff --git a/demo/grouper/grouper_ui/container_files/shibboleth/shibd.logger b/demo/grouper/grouper_ui/container_files/shibboleth/shibd.logger
deleted file mode 100644
index 2589b43..0000000
--- a/demo/grouper/grouper_ui/container_files/shibboleth/shibd.logger
+++ /dev/null
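Review bot: `deleted varchar(1) NOT NULL` on all five tables accepts any single character although the column comment documents only `T`/`F`; a check constraint on each column keeps the consumer from having to guess, e.g. `deleted varchar(1) NOT NULL CHECK (deleted IN ('T','F')), -- T or F. Deleted rows will be removed after they have had time to be processed`. The unique indexes `gr_mp_group_attributes_idx` and `gr_mp_subject_attributes_idx` include the nullable `attribute_value`; Postgres treats NULLs as distinct in a unique index, so several rows with the same (id, name) and a NULL value are allowed — make the column `NOT NULL` or drop it from the index if one row per attribute is intended. The DDL runs as the owning `grouper` role; if midPoint later reads `grouper_to_midpoint` with the same credentials it gets full write access to these tables, so a separate SELECT-only role for the consumer would be tighter (the consumer's configuration is not in this diff).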
@@ -1,69 +0,0 @@ -# set overall behavior -log4j.rootCategory=DEBUG, shibd_log, warn_log - -# fairly verbose for DEBUG, so generally leave at DEBUG -log4j.category.XMLTooling.XMLObject=DEBUG -log4j.category.XMLTooling.KeyInfoResolver=DEBUG -log4j.category.Shibboleth.IPRange=DEBUG -log4j.category.Shibboleth.PropertySet=DEBUG - -# raise for low-level tracing of SOAP client HTTP/SSL behavior -log4j.category.XMLTooling.libcurl=DEBUG - -# useful categories to tune independently: -# -# tracing of SAML messages and security policies -#log4j.category.OpenSAML.MessageDecoder=DEBUG -#log4j.category.OpenSAML.MessageEncoder=DEBUG -#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG -#log4j.category.XMLTooling.SOAPClient=DEBUG -# interprocess message remoting -#log4j.category.Shibboleth.Listener=DEBUG -# mapping of requests to applicationId -#log4j.category.Shibboleth.RequestMapper=DEBUG -# high level session cache operations -#log4j.category.Shibboleth.SessionCache=DEBUG -# persistent storage and caching -#log4j.category.XMLTooling.StorageService=DEBUG - -# logs XML being signed or verified if set to DEBUG -log4j.category.XMLTooling.Signature.Debugger=DEBUG, sig_log -log4j.additivity.XMLTooling.Signature.Debugger=false - -# the tran log blocks the "default" appender(s) at runtime -# Level should be left at DEBUG for this category -log4j.category.Shibboleth-TRANSACTION=DEBUG, tran_log -log4j.additivity.Shibboleth-TRANSACTION=false -# uncomment to suppress particular event types -#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN -#log4j.category.Shibboleth-TRANSACTION.Login=WARN -#log4j.category.Shibboleth-TRANSACTION.Logout=WARN - -# define the appenders - -log4j.appender.shibd_log=org.apache.log4j.RollingFileAppender -log4j.appender.shibd_log.fileName=/var/log/shibboleth/shibd.log -log4j.appender.shibd_log.maxFileSize=1000000 -log4j.appender.shibd_log.maxBackupIndex=10 -log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout 
-log4j.appender.shibd_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n - -log4j.appender.warn_log=org.apache.log4j.RollingFileAppender -log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log -log4j.appender.warn_log.maxFileSize=1000000 -log4j.appender.warn_log.maxBackupIndex=10 -log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout -log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n -log4j.appender.warn_log.threshold=WARN - -log4j.appender.tran_log=org.apache.log4j.RollingFileAppender -log4j.appender.tran_log.fileName=/var/log/shibboleth/transaction.log -log4j.appender.tran_log.maxFileSize=1000000 -log4j.appender.tran_log.maxBackupIndex=20 -log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout -log4j.appender.tran_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n - -log4j.appender.sig_log=org.apache.log4j.FileAppender -log4j.appender.sig_log.fileName=/var/log/shibboleth/signature.log -log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout -log4j.appender.sig_log.layout.ConversionPattern=%m diff --git a/demo/grouper/grouper_ws/Dockerfile b/demo/grouper/grouper_ws/Dockerfile deleted file mode 100644 index 272205f..0000000 --- a/demo/grouper/grouper_ws/Dockerfile +++ /dev/null @@ -1,9 +0,0 @@ -FROM tier/grouper:2.4.0-a47-u25-w5-p6-20190611 - -LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" - -COPY container_files/web.xml /opt/grouper/grouper.ws/WEB-INF/ -COPY container_files/tomcat-users.xml /opt/tomcat/conf/ -COPY container_files/server.xml /opt/tomcat/conf/ - -CMD ["ws"] diff --git a/demo/grouper/grouper_ws/container_files/web.xml b/demo/grouper/grouper_ws/container_files/web.xml deleted file mode 100644 index 03d3deb..0000000 --- a/demo/grouper/grouper_ws/container_files/web.xml +++ /dev/null 
@@ -1,128 +0,0 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> - - -<!DOCTYPE web-app PUBLIC - "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" - "http://java.sun.com/dtd/web-app_2_3.dtd"> - -<web-app> - <filter> - <!-- keeps the request and response in threadlocal so they dont have to be passed around --> - <filter-name>Grouper service filter</filter-name> - <filter-class>edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee</filter-class> - </filter> - - <filter> - <!-- logging filter --> - <filter-name>Grouper logging filter</filter-name> - <filter-class>edu.internet2.middleware.grouper.ws.j2ee.ServletFilterLogger</filter-class> - </filter> - - <!-- filter-mapping> - <filter-name>Grouper logging filter</filter-name> - <url-pattern>/*</url-pattern> - </filter-mapping --> - <!-- Map the filter to a Servlet or URL --> - <filter-mapping> - <filter-name>Grouper service filter</filter-name> - <url-pattern>/services/*</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>Grouper service filter</filter-name> - <url-pattern>/servicesRest/*</url-pattern> - </filter-mapping> - <servlet> - <servlet-name>AxisServlet</servlet-name> - <display-name>Apache-Axis Servlet</display-name> - <servlet-class>edu.internet2.middleware.grouper.ws.GrouperServiceAxisServlet</servlet-class> - <load-on-startup>1</load-on-startup> - <!-- hint that this is the wssec servlet --> - <!-- init-param> - <param-name>wssec</param-name> - <param-value>true</param-value> - </init-param --> - </servlet> - <servlet> - <servlet-name>RestServlet</servlet-name> - <display-name>WS REST Servlet</display-name> - <servlet-class>edu.internet2.middleware.grouper.ws.rest.GrouperRestServlet</servlet-class> - <load-on-startup>1</load-on-startup> - </servlet> - <servlet> - <servlet-name>StatusServlet</servlet-name> - <display-name>Status Servlet</display-name> - <servlet-class>edu.internet2.middleware.grouper.j2ee.status.GrouperStatusServlet</servlet-class> - <load-on-startup>1</load-on-startup> 
- </servlet> - <servlet-mapping> - <servlet-name>StatusServlet</servlet-name> - <url-pattern>/status</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>AxisServlet</servlet-name> - <url-pattern>/services/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>RestServlet</servlet-name> - <url-pattern>/servicesRest/*</url-pattern> - </servlet-mapping> - - <security-constraint> - <web-resource-collection> - <web-resource-name>Web services</web-resource-name> - <url-pattern>/services/*</url-pattern> - </web-resource-collection> - <auth-constraint> - <role-name>*</role-name> - </auth-constraint> - </security-constraint> - - <security-constraint> - <web-resource-collection> - <web-resource-name>Web services</web-resource-name> - <url-pattern>/servicesRest/*</url-pattern> - </web-resource-collection> - <auth-constraint> - <!-- NOTE: This role is not present in the default users file --> - <role-name>*</role-name> - </auth-constraint> - </security-constraint> - - <!-- Define the Login Configuration for this Application --> - <login-config> - <auth-method>BASIC</auth-method> - <realm-name>Grouper Application</realm-name> - </login-config> - - <!-- Security roles referenced by this web application --> - <security-role> - <description> - The role that is required to log in to web service - </description> - <role-name>*</role-name> - </security-role> - - <session-config> - <session-timeout>1</session-timeout> - </session-config> - <!-- config to enable ESB listener servlet - <servlet> - <servlet-name>EsbServlet</servlet-name> - <display-name>Esb Servlet</display-name> - <servlet-class>edu.internet2.middleware.grouper.esb.EsbHttpHandler</servlet-class> - <load-on-startup>1</load-on-startup> - </servlet> - <servlet-mapping> - <servlet-name>EsbServlet</servlet-name> - <url-pattern>/servicesEsb/*</url-pattern> - </servlet-mapping> - <security-constraint> - <web-resource-collection> - <web-resource-name>Web services</web-resource-name> - 
<url-pattern>/servicesEsb/*</url-pattern>
- </web-resource-collection>
- <auth-constraint>
- <role-name>grouper_user</role-name>
- </auth-constraint>
- </security-constraint> -->
-</web-app>
diff --git a/demo/grouper/grouper_ws/container_files/server.xml b/demo/grouper/grouper_ws/server.xml
similarity index 97%
rename from demo/grouper/grouper_ws/container_files/server.xml
rename to demo/grouper/grouper_ws/server.xml
index 112e7d0..17769bf 100644
--- a/demo/grouper/grouper_ws/container_files/server.xml
+++ b/demo/grouper/grouper_ws/server.xml
@@ -113,7 +113,7 @@
 -->
 <!-- Define an AJP 1.3 Connector on port 8009 -->
- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" />
+ <Connector secure="true" scheme="https" secretRequired="false" URIEncoding="UTF-8" tomcatAuthentication="true" port="8009" protocol="AJP/1.3" redirectPort="8443" />
 <!-- An Engine represents the entry point (within Catalina) that processes
diff --git a/demo/grouper/grouper_ws/container_files/tomcat-users.xml b/demo/grouper/grouper_ws/tomcat-users.xml
similarity index 100%
rename from demo/grouper/grouper_ws/container_files/tomcat-users.xml
rename to demo/grouper/grouper_ws/tomcat-users.xml
diff --git a/demo/grouper/grouper_ws/web.xml b/demo/grouper/grouper_ws/web.xml
new file mode 100644
index 0000000..99a262e
--- /dev/null
+++ b/demo/grouper/grouper_ws/web.xml
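Review bot: The rewritten AJP connector sets `secretRequired="false"` without an `address` attribute, so port 8009 accepts AJP from any peer that can reach it rather than only from the httpd container this is evidently meant for, and because the same line adds `secure="true"` and `tomcatAuthentication="true"` every such peer's requests are treated as already TLS-terminated. Prefer binding the connector to the proxy-facing interface, or keep the shared secret and configure it on both ends (`secretRequired="true" secret="<set-at-deploy-time>"` here, with the matching `secret=` parameter on the httpd ProxyPass), and in any case extend the comment above the connector with why the secret is disabled. Whether the default `address` is loopback or all interfaces depends on the Tomcat version inside the `tier/grouper` base image, which this hunk does not show.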
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
+ version="2.4">
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Web services</web-resource-name>
+ <url-pattern>/services/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>grouper_user</role-name>
+ </auth-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Web services</web-resource-name>
+ <url-pattern>/servicesRest/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <!-- NOTE: This role is not present in the default users file -->
+ <role-name>grouper_user</role-name>
+ </auth-constraint>
+ </security-constraint>
+
+ <!-- Define the Login Configuration for this Application -->
+ <login-config>
+ <auth-method>BASIC</auth-method>
+ <realm-name>Grouper Application</realm-name>
+ </login-config>
+
+ <!-- Security roles referenced by this web application -->
+ <security-role>
+ <description>
+ The role that is required to log in to web service
+ </description>
+ <role-name>grouper_user</role-name>
+ </security-role>
+
+</web-app>
\ No newline at end of file
diff --git a/demo/grouper/idp/Dockerfile b/demo/grouper/idp/Dockerfile
deleted file mode 100644
index 4968448..0000000
--- a/demo/grouper/idp/Dockerfile
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM tier/shib-idp:3.4.6_20191002
-
-LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
-
-COPY shibboleth-idp/ /opt/shibboleth-idp/
diff --git a/demo/grouper/idp/shibboleth-idp/credentials/idp-backchannel.crt b/demo/grouper/idp/shibboleth-idp/credentials/idp-backchannel.crt
deleted file mode 100644
index c1f8fab..0000000
--- a/demo/grouper/idp/shibboleth-idp/credentials/idp-backchannel.crt
+++ /dev/null
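Review bot: Both security-constraints in the new web.xml guard `/services/*` and `/servicesRest/*` with BASIC authentication but carry no `<user-data-constraint>`, so the descriptor itself never requires a protected transport for those credentials; adding `<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>` to each constraint makes the requirement explicit and is already satisfied by a connector marked `secure="true"`. The comment `NOTE: This role is not present in the default users file` was carried over from the deleted file where the role was `*`; now that the role is `grouper_user`, either the renamed tomcat-users.xml defines it and the comment is stale, or it does not and the constraint admits nobody — the 100%-similarity rename does not show which, so it should be checked and the comment updated. The new file also drops the filter and servlet declarations the deleted `container_files/web.xml` contained, which is fine only if it is consumed as an overlay rather than as a replacement `WEB-INF/web.xml`; the commit does not show how it is used. Minor: the file lacks a trailing newline.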
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy -MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH -YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M -SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2 -03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No -5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+ -XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud -DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac -ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98 -NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl -j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP -IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E -t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM= ------END CERTIFICATE----- diff --git a/demo/grouper/idp/shibboleth-idp/credentials/idp-backchannel.p12 b/demo/grouper/idp/shibboleth-idp/credentials/idp-backchannel.p12 deleted file mode 100644 index 112540a..0000000 Binary files a/demo/grouper/idp/shibboleth-idp/credentials/idp-backchannel.p12 and /dev/null differ diff --git a/demo/grouper/idp/shibboleth-idp/credentials/idp-browser.p12 b/demo/grouper/idp/shibboleth-idp/credentials/idp-browser.p12 deleted file mode 100644 index 032be0b..0000000 Binary files a/demo/grouper/idp/shibboleth-idp/credentials/idp-browser.p12 and /dev/null differ diff --git a/demo/grouper/idp/shibboleth-idp/credentials/idp-encryption.crt b/demo/grouper/idp/shibboleth-idp/credentials/idp-encryption.crt deleted file mode 100644 index 15d764f..0000000 
--- a/demo/grouper/idp/shibboleth-idp/credentials/idp-encryption.crt +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy -MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD -cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ -l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG -ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8 -9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX -VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud -DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni -QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN -jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r -xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8 -+PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H -p+tGUbGS2l873J5PrsbpeKEVR/IIoKo= ------END CERTIFICATE----- diff --git a/demo/grouper/idp/shibboleth-idp/credentials/idp-encryption.key b/demo/grouper/idp/shibboleth-idp/credentials/idp-encryption.key deleted file mode 100644 index 8bb5cc6..0000000 --- a/demo/grouper/idp/shibboleth-idp/credentials/idp-encryption.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAgV79KN35k/Ipbsi4yeJQQFQlvmUVchFz2ELkYu73w3DuGund -ZMYiS7GitFvPFTcYxUEa/D4A5Fq9vL8KB9a4JOKS7LMyw+PAwcw/eNqXiZf0uhZ7 -CCY5mh3AYeKWzYVOMqMLut4ipL7ba3GQBG6RK6OmfAs4lhMfLMsKGmBEBonz5K/T -kVegp97cavvYDAXjxuNRq7Wa1BiLvsa53S9EoYeD6tHqv/TALFZSCFxGvPVnx/Cd -pBXEzn6FrSHO9G+0y2ULMeGJzXJ6xi0lBHLLRcjy1/l7b+UjWRfPTjiMV1TYzb4B -OQ2yW/YTDOFABaiPtW6PUKrccE4Y3P7DryMczQIDAQABAoIBAF/IflMllcUtw/Nb -9USzpIscQh2nJaugtE5nqER/fT1cfU273Mjh0T6NtFMorjec5WAWBe6/0VVAwb3f -C4QmO4xDnFhXjLxwAaT6nfvSi+O5d93XCxxLgNZUNL3ET7a2feELyoF+OdQT4sy3 -9dLyMdVHgtnQTQMAAVLeuQoyP+s+Zax4Gca6ln8QxIIvDoD7NITnpl8887Hghhzl -CvKtRiPRtoI2JTXWgWuLI6xXfVsDvFT+Up+ki9TMLWLACcmMU1d+lUBOKIqhhQHG -+np9iKxVausJwYaLwwT3h8SItNon7ltbV6kcqyZxMAA+uN8CVgIb5UaUrlW7Nvze -1iUNudkCgYEAxpnBg8YxdEHFSMTqjEOYapn18cs3n32EBPtvPaUcvw3mGC1+ZVx1 -9WqnVsgykBOWI0qSBVF7Kke8yOqgqWtYQUFqLiMgCC9e/QcXnrm/bzAmKDgLVcCR -KzgqU2ECQDkNSS0qeODjLGX4SEabDbLhN59WykHKM0i/RcrbhuvT1BcCgYEApsMD -TFQBaiaEmLVm252piZf8b5g3DrUHeqGktHkHXTW4Iyyn8zEknoiCosk/Tej73zga -cTT3zQgEh63DMC9Ag8IbIJiDpYLMkt1QvZYtq95E/94GVEfRRok6/pyagGYB351R -PXcykrDyy26FSofmtaXU37Wxaj3ow+WROaPgULsCgYEArFoFScG3a2gkuRlDX8TN -wj2o5lTxCbWY2+YEzR+8icWbGQJqPbb3G6uaW8LTtpt44Vm2zWzAEZo+KLMOCNmC -tub5Kd8Lzm6l5brA8dvLWcgUZTT2CU5b7YEJomB+3pNkh0vuHwczv3Ui+j5kE4hY -0bezT0W3H7iTXhNFXprMs7MCgYEAlIZn75l6URLRUjluzPdVQoktei72CpFNgflp -+ps45dmskRd61mzUkqY+w8G+MiPqANu1IVLtyZz0e+tVRxsuuKsvAg8UYVtn3P5k -pRaWwtaKWeFjfbkhOVOMSa0tJmK0FHfHHZmGX4ReGrXq3YDBCNQUDtOCmn9dSuyy -NcYxSXUCgYB+yo6dg8nyHDSqKDdrQQiAKv7jNsbecQ/rYrt8l0n9FBiwn5R7v6kp -afsimCVou5i06L2Cr5Xs+XSf11KVkDh+qM70ZFubWEsHCDrS1KrxUzfFbrQczKof -qX7ZsBuOT72RwVEa8fpT6IZ6IpOOEPmUid/f2VM2aAcXgaF//vMjxA== ------END RSA PRIVATE KEY----- diff --git a/demo/grouper/idp/shibboleth-idp/credentials/idp-signing.crt b/demo/grouper/idp/shibboleth-idp/credentials/idp-signing.crt deleted file mode 100644 index 6a032c1..0000000 --- a/demo/grouper/idp/shibboleth-idp/credentials/idp-signing.crt +++ /dev/null 
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB -CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx -MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g -u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2 -Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ -Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+ -MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs -uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV -HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl -ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB -CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X -sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s -RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ -Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B -DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i -s00xrv14zLifcc8oj5DYzOhYRifRXgHX ------END CERTIFICATE----- diff --git a/demo/grouper/idp/shibboleth-idp/credentials/idp-signing.key b/demo/grouper/idp/shibboleth-idp/credentials/idp-signing.key deleted file mode 100644 index 011c27c..0000000 --- a/demo/grouper/idp/shibboleth-idp/credentials/idp-signing.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7gu6eo4dua -eLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2Z6dzJsul -JZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJCb/Q6dYz -RWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+MNkv6aId -cHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBsuYlY7lEr -89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABAoIBAGpInLarQ0+X+ZXK -+aoC+tNO9DUiHq/z2OD4ALGhXSTvr4mgBWNWTkc0F+qJD8MlM8zNkJxaoNGTyLjY -Z95NQJPXAx2k15HwCENdulvV1oiX0dkTjgmscRmj6FwNAZ0EnWtien45mxZHxEyW -FkbB9+OHc6JzNvzG9ps1Vk1FtFtO8w4exXuJVATJeArQmMvAUHMJYPb7Qs+/NX9R -RlDvFfXDzQv5eAzudT1SyFSa5W+Bsw6BtEoeiqdp+xQh4yc733nwN7KG2Z/TpGse -jVe6akbULuCXOe9uPa7kv8hnQEUH38QVlIw8pK1SsgNq7S0U44WU5uF8gbDBYle/ -OoPBvSECgYEAvCwVEa8ryLzee5FaX4PBxk10lEl/Yp9jC88wPUQ+ZpfniIIQIfwl -csRE9D3/dJOVAxw/Ac32F72SLVDzLabAhlBRINYLB0ZkVuJi1CIoDHIf9nfh/pOx -b96VMUe/mpAL4hZnZkmBKjesX5URPEKtBD0aSeCw9aFqhORjRrxCJg0CgYEAuNaD -LOuTPKsC6nxRtiL9r0CA5gCCdpALxwJA7wHAeh03i5xmy61i4iOMaunxKZhG+nzz -PhcI8Uhwwk+l3tbYAf1rrtmMKNcyjy+UqWXGt4ZkWFlIyIungyLiH9L32IMhXNF0 -fBgOZNtFTmQBU18a78uIir9xASUbtaakzOtJ2+cCgYAgfawVpZ11x8bSp0Jng6SN -zQn4IMiyCrtbaqb1rTbpGAmOdIa8l4EP0/vkAGB/jIwKQXJPqXR4nO8EjBmxJD3R -80RO2yaEVw80QVq3Lj6kB4ClWgXXo0DcBB7Wp4DZ+01R+HRaIQ8AbySATIjxUsH1 -HWfQoc9sWja+Q4Ew0YjKcQKBgGLoPsdBw8b6B5RsM9lPvgoSbScmbKl/CR5TwWVj -vZhanAd0CLnCrSAvP4tSZf8JAio1xH+cGefrCJOhxTOKKYpfDklBFjQge2iNYHKJ -CJ3aJ0XzePP/bwLIHtJCtOdBvA+L8VYaFVG418xLzT3MrYBVnFoKeTDQp5Q7eQJC -gYJPAoGBAKHcuXWzvXoHKnOg8Ljg2xZ6/SfjwNDIIrpXVTAQifmK3q4+Ua2Q+Cjq -97tPMxF2bVRcbnCSNKpTMOTrsWs8Z3GpMyCh6XgYMSlclXusDVUkRkPpWj8hVTR4 -opm/rxS83hCrTsIX3Il3T8Fpb97kdF+unCiWEaxrPEurjW8lB506 ------END RSA PRIVATE KEY----- diff --git a/demo/grouper/idp/shibboleth-idp/credentials/sealer.jks b/demo/grouper/idp/shibboleth-idp/credentials/sealer.jks deleted file mode 100644 index 89957e0..0000000 Binary files a/demo/grouper/idp/shibboleth-idp/credentials/sealer.jks and /dev/null differ 
diff --git a/demo/grouper/idp/shibboleth-idp/credentials/sealer.kver b/demo/grouper/idp/shibboleth-idp/credentials/sealer.kver
deleted file mode 100644
index d64b0e4..0000000
--- a/demo/grouper/idp/shibboleth-idp/credentials/sealer.kver
+++ /dev/null
@@ -1,2 +0,0 @@
-#Fri Dec 11 02:20:32 UTC 2015
-CurrentVersion=1
diff --git a/demo/grouper/idp/shibboleth-idp/metadata/idp-metadata.xml b/demo/grouper/idp/shibboleth-idp/metadata/idp-metadata.xml
deleted file mode 100644
index 65db47e..0000000
--- a/demo/grouper/idp/shibboleth-idp/metadata/idp-metadata.xml
+++ /dev/null
@@ -1,207 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - This is example metadata only. Do *NOT* supply it as is without review, - and do *NOT* provide it in real time to your partners. - - This metadata is not dynamic - it will not change as your configuration changes. ---> -<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://idptestbed/idp/shibboleth"> - - <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0"> - - <Extensions> - <shibmd:Scope regexp="false">example.org</shibmd:Scope> -<!-- - Fill in the details for your IdP here - - <mdui:UIInfo> - <mdui:DisplayName xml:lang="en">A Name for the IdP at idptestbed</mdui:DisplayName> - <mdui:Description xml:lang="en">Enter a description of your IdP at idptestbed</mdui:Description> - <mdui:Logo height="80" width="80">https://localhost/Path/To/Logo.png</mdui:Logo> - </mdui:UIInfo> ---> - </Extensions> - - <KeyDescriptor use="signing"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy -MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH -YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M -SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2 -03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No -5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+ -XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud -DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL 
-BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac -ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98 -NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl -j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP -IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E -t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM= - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - <KeyDescriptor use="signing"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB -CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx -MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g -u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2 -Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ -Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+ -MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs -uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV -HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl -ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB -CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X -sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s -RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ -Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B -DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i -s00xrv14zLifcc8oj5DYzOhYRifRXgHX - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - <KeyDescriptor use="encryption"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy -MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB 
-AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD -cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ -l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG -ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8 -9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX -VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud -DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni -QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN -jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r -xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8 -+PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H -p+tGUbGS2l873J5PrsbpeKEVR/IIoKo= - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - - <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat> - <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat> - - <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://localhost/idp/profile/Shibboleth/SSO"/> - <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/idp/profile/SAML2/POST/SSO"/> - <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost/idp/profile/SAML2/POST-SimpleSign/SSO"/> - <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/idp/profile/SAML2/Redirect/SSO"/> - - </IDPSSODescriptor> - - - <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"> - - <Extensions> - <shibmd:Scope regexp="false">localhost</shibmd:Scope> - </Extensions> - - <KeyDescriptor use="signing"> - <ds:KeyInfo> - <ds:X509Data> - 
<ds:X509Certificate> -MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy -MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH -YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M -SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2 -03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No -5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+ -XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud -DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac -ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98 -NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl -j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP -IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E -t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM= - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - <KeyDescriptor use="signing"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB -CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx -MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g -u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2 -Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ -Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+ -MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs -uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV -HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl 
-ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB -CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X -sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s -RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ -Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B -DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i -s00xrv14zLifcc8oj5DYzOhYRifRXgHX - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - <KeyDescriptor use="encryption"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy -MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD -cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ -l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG -ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8 -9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX -VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud -DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni -QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN -jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r -xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8 -+PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H -p+tGUbGS2l873J5PrsbpeKEVR/IIoKo= - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - - - <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://localhost:8443/idp/profile/SAML1/SOAP/AttributeQuery"/> - <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
Location="https://localhost:8443/idp/profile/SAML2/SOAP/AttributeQuery"/> - <!-- If you uncomment the above you should add urn:oasis:names:tc:SAML:2.0:protocol to the protocolSupportEnumeration above --> - - </AttributeAuthorityDescriptor> - -</EntityDescriptor> diff --git a/demo/grouper/idp/shibboleth-idp/metadata/midpoint-sp-new.xml b/demo/grouper/idp/shibboleth-idp/metadata/midpoint-sp-new.xml deleted file mode 100644 index a819f4b..0000000 --- a/demo/grouper/idp/shibboleth-idp/metadata/midpoint-sp-new.xml +++ /dev/null 
@@ -1,37 +0,0 @@ -<EntityDescriptor entityID="https://midpointdemo/idp/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> - <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> - <Extensions> - <shibmd:Scope regexp="false">midpointdemo</shibmd:Scope> - </Extensions> - <KeyDescriptor use="signing"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIDHDCCAgSgAwIBAgIJAPEnL5jgbeVoMA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV -BAMMD2lkcC5leGFtcGxlLmVkdTAeFw0xODEwMTAyMDM1NDBaFw0yMzEwMDkyMDM1 -NDBaMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLmVkdTCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAKwTrvQhmFX3SUNgJAhQ/YV0UX56Rt53mwbiKuH+Ez83 -7z6XRynBVsfzHfbWe0IpNKx5mIr84dfbGhQKQBEKzQuek7ihW3J6PIVZN1A3icZZ -B9i7gow902bT0ZfRG8QW49gl7pk3ASutPcO9Dq5Xc/AqWr3OSO/Pei0yBtTdzG3b -rm0u0gbj3P2tjt7BN77wIB+yjJsND3ITtP0MFXIJxLTlty8thwqQOAOAYcF+rhC5 -znnBLsRNo0E57PtzZs8i/BpEX2uPTxpEyvlU1vtyxcKUiHtK5ZjOsDEkS2rEualr -+FILYg/Oxw1gi0+mNO1a94Ft+UoLiREztq6MQt8OK98CAwEAAaNlMGMwQgYDVR0R -BDswOYIPaWRwLmV4YW1wbGUuZWR1hiZodHRwczovL2lkcC5leGFtcGxlLmVkdS9p -ZHAvc2hpYmJvbGV0aDAdBgNVHQ4EFgQU3ZJ8oHkmlgPtZuZAxnzONccPsb8wDQYJ -KoZIhvcNAQELBQADggEBAIJ4oZKSMGpF8J3qdfjLZGkc3iVbu/eiE1MD77no0oCz -nelY0CNUBuFJk1Xv+Bv0fW0cVugtMPz4xi7zv0zkpS2IVxpPZWBosuVabUD9k+V4 -iN5woJdO7e2KRGvhlWmbkmoZUvhygDe0u0vblNfLzDwFQvxHXiWG//P7SanoQrjP -dE8U21tYz+EFm6s5TvHxVhr9id8c+UacAFCpAtzUB+J8K1abx05XlKsySflkOQV9 -JbM4zOy5gXSI5dY9dGUF77g0muyC+jAhIhLSt/7v3vJgvBurrxPoeBFXOU3D+siT -VZlKtYzYjJhVqXx1vKrWEE1hkpqm+iYgZe4MvgcdswY= - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - </KeyDescriptor> - <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/idp/profile/SAML2/Redirect/SSO"/> - <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/idp/profile/SAML2/POST/SSO"/> - <SingleSignOnService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost/idp/profile/SAML2/POST-SimpleSign/SSO"/> - <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost/idp/profile/SAML2/SOAP/ECP"/> - </IDPSSODescriptor> -</EntityDescriptor> - diff --git a/demo/grouper/midpoint-objects-manual/tasks/task-async-update-grouper.xml b/demo/grouper/midpoint-objects-manual/tasks/task-async-update-grouper.xml deleted file mode 100644 index 5007ae4..0000000 --- a/demo/grouper/midpoint-objects-manual/tasks/task-async-update-grouper.xml +++ /dev/null 
@@ -1,40 +0,0 @@
-<!--
- ~ Copyright (c) 2010-2019 Evolveum
- ~
- ~ Licensed under the Apache License, Version 2.0 (the "License");
- ~ you may not use this file except in compliance with the License.
- ~ You may obtain a copy of the License at
- ~
- ~ http://www.apache.org/licenses/LICENSE-2.0
- ~
- ~ Unless required by applicable law or agreed to in writing, software
- ~ distributed under the License is distributed on an "AS IS" BASIS,
- ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- ~ See the License for the specific language governing permissions and
- ~ limitations under the License.
- -->
-
-<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
- xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
- xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
- oid="47fc57bd-8c34-4555-9b9f-7087ff179860">
- <name>Grouper async updates</name>
- <extension xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">
- <mext:workerThreads>1</mext:workerThreads>
- </extension>
- <assignment>
- <targetRef oid="00000000-0000-0000-0000-000000000505" type="ArchetypeType" /> <!-- Asynchronous update task -->
- </assignment>
- <taskIdentifier>1552664339630-0-2</taskIdentifier>
- <ownerRef oid="00000000-0000-0000-0000-000000000002" relation="org:default" type="c:UserType">
- <!-- administrator -->
- </ownerRef>
- <executionStatus>runnable</executionStatus>
- <category>AsynchronousUpdate</category>
- <objectRef oid="1eff65de-5bb6-483d-9edf-8cc2c2ee0233" relation="org:default" type="c:ResourceType">
- <!-- Grouper Resource -->
- </objectRef>
- <recurrence>single</recurrence>
- <binding>loose</binding>
- <threadStopAction>restart</threadStopAction>
-</task>
diff --git a/demo/grouper/midpoint-objects-manual/tasks/task-import-sis-persons.xml b/demo/grouper/midpoint-objects-manual/tasks/task-import-sis-persons.xml
deleted file mode 100644
index 58189c0..0000000
--- a/demo/grouper/midpoint-objects-manual/tasks/task-import-sis-persons.xml
+++ /dev/null
@@ -1,34 +0,0 @@
-<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
- xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
- xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
- xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
- xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
- xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
- xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
- oid="22c2a3d0-0961-4255-9eec-c550a79aeaaa">
- <name>Import from SIS persons</name>
- <extension xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:type="c:ExtensionType">
- <mext:kind>account</mext:kind>
- <mext:objectclass>ri:AccountObjectClass</mext:objectclass>
-<!--
- <mext:tracing>
- <interval>500</interval>
- </mext:tracing> -->
- </extension>
- <assignment>
- <targetRef oid="00000000-0000-0000-0000-000000000503" type="ArchetypeType" /> <!--Import task-->
- </assignment>
- <taskIdentifier>1535407239440-0-1</taskIdentifier>
- <ownerRef oid="00000000-0000-0000-0000-000000000002"
- relation="org:default"
- type="c:UserType"><!-- administrator --></ownerRef>
- <executionStatus>runnable</executionStatus>
- <category>ImportingAccounts</category>
- <objectRef oid="4d70a0da-02dd-41cf-b0a1-00e75d3eaa15"
- relation="org:default"
- type="c:ResourceType"><!-- SQL SIS persons (sources) --></objectRef>
- <recurrence>single</recurrence>
- <binding>loose</binding>
-</task>
diff --git a/demo/grouper/midpoint-objects-manual/tasks/task-recomputation-users.xml b/demo/grouper/midpoint-objects-manual/tasks/task-recomputation-users.xml
deleted file mode 100644
index 179b565..0000000
--- a/demo/grouper/midpoint-objects-manual/tasks/task-recomputation-users.xml
+++ /dev/null
@@ -1,22 +0,0 @@ -<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" - oid="83a737ea-5eb7-4e78-b431-331cccf02354"> - <name>User recomputation</name> - <extension xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"> - <mext:objectType>c:UserType</mext:objectType> - <!-- <mext:tracingInterval>200</mext:tracingInterval> --> - </extension> - <assignment> - <targetRef oid="00000000-0000-0000-0000-000000000502" type="ArchetypeType"/> <!--Recomputation task --> - </assignment> - <taskIdentifier>1571729899646-0-1</taskIdentifier> - <ownerRef oid="00000000-0000-0000-0000-000000000002" relation="org:default" type="c:UserType"> - <!-- administrator --> - </ownerRef> - <channel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#recompute</channel> - <executionStatus>runnable</executionStatus> - <category>Recomputation</category> - <recurrence>single</recurrence> - <binding>tight</binding> -</task> diff --git a/demo/grouper/midpoint-objects-manual/tasks/task-reconciliation-grouper-groups.xml b/demo/grouper/midpoint-objects-manual/tasks/task-reconciliation-grouper-groups.xml deleted file mode 100644 index 4e024cc..0000000 --- a/demo/grouper/midpoint-objects-manual/tasks/task-reconciliation-grouper-groups.xml +++ /dev/null 
@@ -1,41 +0,0 @@ -<!-- - ~ Copyright (c) 2010-2019 Evolveum - ~ - ~ Licensed under the Apache License, Version 2.0 (the "License"); - ~ you may not use this file except in compliance with the License. - ~ You may obtain a copy of the License at - ~ - ~ http://www.apache.org/licenses/LICENSE-2.0 - ~ - ~ Unless required by applicable law or agreed to in writing, software - ~ distributed under the License is distributed on an "AS IS" BASIS, - ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - ~ See the License for the specific language governing permissions and - ~ limitations under the License. - --> - -<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" - xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" - oid="605a0127-a313-442a-9d5e-151eac8b0745"> - <name>Grouper reconciliation (groups)</name> - <extension xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"> - <mext:objectclass>ri:Group</mext:objectclass> - </extension> - <assignment> - <targetRef oid="00000000-0000-0000-0000-000000000501" type="ArchetypeType" /> <!-- Reconciliation task --> - </assignment> - <taskIdentifier>605a0127-a313-442a-9d5e-151eac8b0745</taskIdentifier> - <ownerRef oid="00000000-0000-0000-0000-000000000002" relation="org:default" type="c:UserType"> - <!-- administrator --> - </ownerRef> - <executionStatus>runnable</executionStatus> - <category>Reconciliation</category> - <objectRef oid="1eff65de-5bb6-483d-9edf-8cc2c2ee0233" relation="org:default" type="c:ResourceType"> - <!-- Grouper Resource --> - </objectRef> - <recurrence>single</recurrence> - <binding>loose</binding> - <threadStopAction>restart</threadStopAction> -</task> 
diff --git a/demo/grouper/midpoint_server/Dockerfile b/demo/grouper/midpoint_server/Dockerfile deleted file mode 100644 index 34ce0cd..0000000 --- a/demo/grouper/midpoint_server/Dockerfile +++ /dev/null @@ -1,9 +0,0 @@ -FROM tier/midpoint:latest - -MAINTAINER info@evolveum.com - -ENV MP_DIR /opt/midpoint - -VOLUME ${MP_DIR}/var - -COPY container_files/mp-home/ ${MP_DIR}/var/ diff --git a/demo/grouper/midpoint_server/container_files/httpd/host-cert.pem b/demo/grouper/midpoint_server/container_files/httpd/host-cert.pem deleted file mode 100644 index 9b1021b..0000000 --- a/demo/grouper/midpoint_server/container_files/httpd/host-cert.pem +++ /dev/null 
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDqDCCApCgAwIBAgIJAMOSkn4oS2aAMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNV -BAYTAlVTMQswCQYDVQQIDAJNSTESMBAGA1UEBwwJQW5uIEFyYm9yMRcwFQYDVQQK -DA5JbnRlcm5ldDIvVElFUjEgMB4GA1UEAwwXbWlkcG9pbnQuc3AuZXhhbXBsZS5v -cmcwHhcNMTgwOTE0MDU1OTQ1WhcNMTkwOTE0MDU1OTQ1WjBpMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEXMBUGA1UECgwOSW50 -ZXJuZXQyL1RJRVIxIDAeBgNVBAMMF21pZHBvaW50LnNwLmV4YW1wbGUub3JnMIIB -IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApj/b7MEUSfu3oXMfNgRwTse7 -a5UV7Jswf1M/ZN/ZZkAkIxNBevZgozjesvLPWrmsTgONi7XigJUJvCjdjmlW9eDM -lri/rkD8HuOR1DQCVKL9nvoS2c3D7sq5Emda3V8Tlj82VqfEmePd3sajx7mcTfbH -8jwAL9NhkC+WMib5IpjLGpG0FEAC0ha7Lxb+7jIiqHVJaqLXJGCyGN4mh6c1Q9S1 -f8RVTiW2a8x22G+9wnZYbkiA2Kxls177imHlhSz8EdvV4IpGw1amrEWhhuDEum7B -vZ1xQDLatgRqh4qAKLIVYeRnJ8H1FelMa90qB4G08MIPifmTsQwqJyBYaEdgWQID -AQABo1MwUTAdBgNVHQ4EFgQUqb9BteODF6wv5R57aEON/wGXMiowHwYDVR0jBBgw -FoAUqb9BteODF6wv5R57aEON/wGXMiowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG -9w0BAQsFAAOCAQEAAcKhxI+tSItrXmqC0PSmgWyAYpqbkz6W/cefTutXqhIgY09f -h0LSv7ogTahoGpyiZk9vy6u3OE9bYwxapEfa4KBjO6HxBMIVBBb3RegVjoPzjElN -BDwAx0VGFcZTXwMxDWycWdG8ql7rCZBvS50w04uTaIgnGmqXAdWWmBgfJ9cRbxW+ -JwO/mOl1QM1lR/5142NpvuUVWlmZSKEGydE5A1qPz2wpDbBR1ym1BQNS4NEqw6Kp -GSB8jKyCS1Ve0v2wVze2038Wukz02dq9uKPTIO3T+B+ibZmxn6Op/kFCc1/kK5NS -Q6JdO1B6KquGAYdGmKAcQ19mv+jqGktqWEEf0g== ------END CERTIFICATE----- diff --git a/demo/grouper/midpoint_server/container_files/httpd/host-key.pem b/demo/grouper/midpoint_server/container_files/httpd/host-key.pem deleted file mode 100644 index 5746e59..0000000 --- a/demo/grouper/midpoint_server/container_files/httpd/host-key.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmP9vswRRJ+7eh -cx82BHBOx7trlRXsmzB/Uz9k39lmQCQjE0F69mCjON6y8s9auaxOA42LteKAlQm8 -KN2OaVb14MyWuL+uQPwe45HUNAJUov2e+hLZzcPuyrkSZ1rdXxOWPzZWp8SZ493e -xqPHuZxN9sfyPAAv02GQL5YyJvkimMsakbQUQALSFrsvFv7uMiKodUlqotckYLIY -3iaHpzVD1LV/xFVOJbZrzHbYb73CdlhuSIDYrGWzXvuKYeWFLPwR29XgikbDVqas -RaGG4MS6bsG9nXFAMtq2BGqHioAoshVh5GcnwfUV6Uxr3SoHgbTwwg+J+ZOxDCon -IFhoR2BZAgMBAAECggEAEIRBpjjceiku6jRUwnoYaks/nIWYQwR8AfpUTwJKR/VR -Yca097Fokm7A+UhUP3A45RtHQb0VPq8P44iv0kk24YCu8r5yFK7SHYOAZnOwU5ZJ -2jSAEPF3aM7tKh3okhuzB3dKP7u1NZDE5zAW723KUJiW7sL1RcsbY0bHBj6G+9/H -NplmsjuGt684vRBB0qOBfKF7EiG7mT69tHuNj4gRza9SMY31UtKbZdt2fNY6mp5V -HscMba7egZP+Ke0pVX4+go9j7K8GG8hYaQDLjrzlPqrxZ2c5X9cC+CRDI/CHuL/s -V/2yGZJ6n6UabwZoH83RdFrbQ94rU8Hkli6EvxXvMQKBgQDRpheNW5jDG5TfeJKh -yfKTDQqH2Tk3BsBYYBN7Hf3m7vbkzlxnAKJAoSLmtRMuoeXvI5MrhzaHGsNIUS76 -LDIZnvB7DLUxhFUZsCPkpAA1QHuTWY96oR3PHnPjpk8lSUvtbOPwDLdzVApeFJgZ -VqMNArZ7AHsK3Kkyi+f4WVQjbQKBgQDLAWiGb5dx6fAM2W6B6HjNmzjBWOuVEXa2 -76to9jzupBZmETfZgxtWUaWUDuNS+f7dtVUTE+p6v/w8clrHEhEZYkqunIOLo/UA -LFPiuoTfEsWb1rh+nsCjCgy4uimixj/bSkf7NC6NyKTvCygA1mGnVVJUEPegYlDy -LXCkaKWxHQKBgQCmyHSKL2lrJkEcOwakEU2acNCE3Gno/cT9SYmV83kvQ8JEqmrW -QqnRsp9aXIljGscapPmKsmnNt5vNp1AxFAHTYh88NRLczsMIyZj0ZwgHVUI6KhC7 -5Psa78YQQBlMt2/g9TSsnuE+rYgF6mpKFiNm0Vasqeg47uzn2mdzqlUGTQKBgE04 -JutkTUY+h1pL5vYxWKpVDfy19z7H2tFxT1FowPrBneeLSyRI88Ac5I/yLdRlVeY9 -0LOmEr5Igwj3MsKgg7KVKfVLgdo/LrW3Jt2Kt3onKNXDkoBPoNUjwH0QC0Boiue+ -VK0gR0kVdm+bXccbxR+im+NwZNE0NLg6Qqu3RredAoGBALuVoqbPPmTCZXYG328H -bzOs2aiR7BzPSVByV+qG6jW7w03RAnFPJZp7HMU+ViI5VY0wabUscMSvz5163+gM -4KwY3v9ZjZzZGukIfLuudkdqtaiVOx/KeAC0n+nG21YU+wpZww8gkfHh1/sa2CME -CWYCgOnmiTHcj83UaTqEXtmv ------END PRIVATE KEY----- diff --git a/demo/grouper/midpoint_server/container_files/mp-home/config.xml b/demo/grouper/midpoint_server/container_files/mp-home/config.xml deleted file mode 100644 index 5a4e0ea..0000000 
--- a/demo/grouper/midpoint_server/container_files/mp-home/config.xml +++ /dev/null 
@@ -1,64 +0,0 @@ -<?xml version="1.0"?> -<!-- - ~ Copyright (c) 2010-2017 Evolveum - ~ - ~ Licensed under the Apache License, Version 2.0 (the "License"); - ~ you may not use this file except in compliance with the License. - ~ You may obtain a copy of the License at - ~ - ~ http://www.apache.org/licenses/LICENSE-2.0 - ~ - ~ Unless required by applicable law or agreed to in writing, software - ~ distributed under the License is distributed on an "AS IS" BASIS, - ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - ~ See the License for the specific language governing permissions and - ~ limitations under the License. - --> -<configuration> - <midpoint> - <webApplication> - <importFolder>${midpoint.home}/import</importFolder> - </webApplication> - <repository> - <repositoryServiceFactoryClass>com.evolveum.midpoint.repo.sql.SqlRepositoryFactory</repositoryServiceFactoryClass> - <baseDir>${midpoint.home}</baseDir> - <asServer>true</asServer> - <enableIndexOnlyItems>true</enableIndexOnlyItems> - <enableNoFetchExtensionValuesInsertion>true</enableNoFetchExtensionValuesInsertion> - <enableNoFetchExtensionValuesDeletion>true</enableNoFetchExtensionValuesDeletion> - </repository> - <audit> - <auditService> - <auditServiceFactoryClass>com.evolveum.midpoint.audit.impl.LoggerAuditServiceFactory</auditServiceFactoryClass> - </auditService> - <auditService> - <auditServiceFactoryClass>com.evolveum.midpoint.repo.sql.SqlAuditServiceFactory</auditServiceFactoryClass> - </auditService> - </audit> - <icf> - <scanClasspath>true</scanClasspath> - <scanDirectory>${midpoint.home}/icf-connectors</scanDirectory> - </icf> - <keystore> - <keyStorePath>${midpoint.home}/keystore.jceks</keyStorePath> - <keyStorePassword>changeit</keyStorePassword> - <encryptionKeyAlias>default</encryptionKeyAlias> - <!-- - You can use smaller cipher key size for encryption. 
For: - AES_128 "http://www.w3.org/2001/04/xmlenc#aes128-cbc"; - AES_256 "http://www.w3.org/2001/04/xmlenc#aes256-cbc"; - AES_192 "http://www.w3.org/2001/04/xmlenc#aes192-cbc"; - - in element <xmlCipher></xmlCipher> - By default AES_128 is used. If you change key size, than - you must also create secret key in key store with proper key size and change encryptionKeyAlias. - - To generate keystore with keytool use command: - keytool -genseckey -alias default -keystore keystore.jceks -storetype jceks -keyalg AES -keysize 128 - - secret key password is by default 'midpoint' - --> - </keystore> - <!-- <profilingMode>dynamic</profilingMode> --> - </midpoint> -</configuration> diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/functionLibraries/100-function-library-grouper.xml b/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/functionLibraries/100-function-library-grouper.xml deleted file mode 100644 index 2fc89e0..0000000 --- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/functionLibraries/100-function-library-grouper.xml +++ /dev/null 
@@ -1,197 +0,0 @@ -<!-- - ~ Copyright (c) 2019 Evolveum and contributors - ~ - ~ This work is dual-licensed under the Apache License 2.0 - ~ and European Union Public License. See LICENSE file for details. - --> - -<functionLibrary oid="2eef4181-25fa-420f-909d-846a36ca90f3" - xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3' - xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3' - xmlns:t='http://prism.evolveum.com/xml/ns/public/types-3' - xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' - xmlns:xsd='http://www.w3.org/2001/XMLSchema' - xmlns:piracy='http://midpoint.evolveum.com/xml/ns/samples/piracy'> - <name>grouper</name> - <description>Functions for Grouper AMQP connector</description> - <function> - - <!-- Some examples: - { - encrypted=false, - esbEvent=[ - { - sourceId=ldap, - membershipType=flattened, - fieldName=members, - groupId=00000000000000000000000000000001, - changeOccurred=false, - createdOnMicros=1551884863420000, - subjectId=banderson, - id=94320942304930294023940329403294, - sequenceNumber=1000, - eventType=MEMBERSHIP_ADD, - groupName=etc:midpointGroups - } - ]} - - - { - "encrypted": false, - "esbEvent": [ - { - "displayName": "ref:affiliation:alumni", - "changeOccurred": false, - "createdOnMicros": 1551884850499000, - "parentStemId": "9a7ce40af6c546148b41eec81b8ca18d", - "id": "00000000000000000000000000000002", - "sequenceNumber": "110", - "eventType": "GROUP_ADD", - "name": "ref:affiliation:alumni" - } - ] - } - --> - - - <name>createUcfChange</name> - <parameter> - <name>message</name> - <type>c:AsyncUpdateMessageType</type> - </parameter> - <parameter> - <name>groupIncludePattern</name> - <type>xsd:anyType</type> - </parameter> - <parameter> - <name>groupExcludePattern</name> - <type>xsd:anyType</type> - </parameter> - <parameter> - <name>relevantSourceId</name> - <type>xsd:string</type> - </parameter> - <script> - <code> - import com.evolveum.midpoint.xml.ns._public.common.common_3.* - import 
com.evolveum.prism.xml.ns._public.types_3.* - import static com.evolveum.midpoint.schema.constants.SchemaConstants.* - import com.evolveum.midpoint.schema.util.* - import com.evolveum.midpoint.prism.path.* - import com.evolveum.midpoint.schema.constants.* - import com.evolveum.midpoint.prism.delta.* - - GROUP_OBJECT_CLASS = new ItemName(MidPointConstants.NS_RI, 'Group') - ATTR_NAME = new ItemName(MidPointConstants.NS_RI, 'name') - ATTR_UUID = new ItemName(MidPointConstants.NS_RI, 'uuid') - ATTR_MEMBER = new ItemName(MidPointConstants.NS_RI, 'member') - - TRIGGER_FIRE_AFTER = 60000 - TRIGGER_SAFETY_MARGIN = 10000 - - esbEvent = midpoint.getMessageBodyAsMap(message)['esbEvent'][0] - log.info('esbEvent = {}', esbEvent) - eventType = esbEvent['eventType'] - if (eventType == 'MEMBERSHIP_ADD' || eventType == 'MEMBERSHIP_DELETE') { - groupName = esbEvent['groupName'] - if (groupName == null) { - log.warn('No group name in membership change message, ignoring it: {}', esbEvent) - return null - } - groupId = esbEvent['groupId'] - if (groupId == null) { - log.warn('No group ID in membership change message, ignoring it: {}', esbEvent) - return null - } - isExported = matches(groupName, groupIncludePattern, groupExcludePattern) - if (!isExported) { - log.info('Irrelevant group membership change, ignoring it: {}', groupName) - return null - } - sourceId = esbEvent['sourceId'] - if (sourceId != relevantSourceId) { - log.info('Irrelevant subject source ID in membership change message, ignoring it: {}', sourceId) - return null - } - subjectId = esbEvent['subjectId'] - if (subjectId == null) { - log.info('Null subject ID in membership change message, ignoring it: {}', sourceId) - return null - } - log.info('### {} - {} - {}', subjectId, eventType, groupName) - identifiers = new HashMap() - identifiers.put(ATTR_NAME, groupName) - identifiers.put(ATTR_UUID, groupId) - ObjectDeltaType delta - itemDelta = new ItemDeltaType() - itemDelta.modificationType = eventType == 'MEMBERSHIP_ADD' ? 
ModificationTypeType.ADD : ModificationTypeType.DELETE - itemDelta.path = new ItemPathType(ItemPath.create(ShadowType.F_ATTRIBUTES, ATTR_MEMBER)) - itemDelta.value.add(RawType.fromPropertyRealValue(subjectId, null, prismContext)) - delta = new ObjectDeltaType() - delta.changeType = ChangeTypeType.MODIFY - delta.itemDelta.add(itemDelta) - - added = midpoint - .getOptimizingTriggerCreator(TRIGGER_FIRE_AFTER, TRIGGER_SAFETY_MARGIN) - .createForNamedUser(subjectId) - log.info('Recompute trigger for {}: {}', subjectId, added ? 'added' : 'not added (already present or user not found)') - - return UcfChangeUtil.create(GROUP_OBJECT_CLASS, identifiers, delta, prismContext) - } else if (eventType == 'GROUP_ADD' || eventType == 'GROUP_DELETE') { - groupName = esbEvent['name'] - groupId = esbEvent['id'] - isExported = matches(groupName, groupIncludePattern, groupExcludePattern) - if (!isExported) { - log.info('Irrelevant group add/delete event, ignoring it: {}', groupName) - return null - } - identifiers = new HashMap() - identifiers.put(ATTR_NAME, groupName) - identifiers.put(ATTR_UUID, groupId) - ObjectDeltaType delta - if (eventType == 'GROUP_DELETE') { - delta = new ObjectDeltaType() - delta.changeType = ChangeTypeType.DELETE - } else { - delta = null - } - return UcfChangeUtil.create(GROUP_OBJECT_CLASS, identifiers, delta, prismContext) - } else if (eventType == 'GROUP_UPDATE') { - groupName = esbEvent['name'] - groupId = esbEvent['id'] - isExported = matches(groupName, groupIncludePattern, groupExcludePattern) - if (!isExported) { - log.info('Irrelevant group add/delete event, ignoring it: {}', groupName) - return null - } - // Notification-only change: so we fetch current state of this group and synchronize it fully - identifiers = new HashMap() - identifiers.put(ATTR_NAME, groupName) - identifiers.put(ATTR_UUID, groupId) - return UcfChangeUtil.create(GROUP_OBJECT_CLASS, identifiers, null, prismContext) - } else { - log.warn('Unsupported event type: {} -> {}', 
eventType, esbEvent) - return null - } - - def matches(String name, Collection includes, Collection excludes) { - matches(name, includes) && !matches(name, excludes) - } - - def matches(String name, Collection patterns) { - if (name == null || patterns == null) { - false - } else { - for (pattern in patterns) { - if (name ==~ pattern) { - return true - } - } - false - } - } - </code> - </script> - <returnType>c:UcfChangeType</returnType> - </function> -</functionLibrary> diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/objectTemplates/100-template-user.xml b/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/objectTemplates/100-template-user.xml deleted file mode 100644 index 8d8c362..0000000 --- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/objectTemplates/100-template-user.xml +++ /dev/null 
@@ -1,92 +0,0 @@ -<?xml version="1.0"?> -<!-- - ~ Copyright (c) 2019 Evolveum and contributors - ~ - ~ This work is dual-licensed under the Apache License 2.0 - ~ and European Union Public License. See LICENSE file for details. - --> - -<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" oid="8098b124-c20c-4965-8adf-e528abedf7a4"> - <name>template-user</name> - <mapping> - <strength>strong</strength> - <source> - <path>name</path> - </source> - <expression> - <script> - <code> - import com.evolveum.midpoint.xml.ns._public.common.common_3.* - import com.evolveum.midpoint.schema.constants.* - import com.evolveum.midpoint.schema.* - import javax.xml.namespace.* - import com.evolveum.midpoint.util.* - import com.evolveum.midpoint.prism.path.* - - GROUPER_RESOURCE_OID = '1eff65de-5bb6-483d-9edf-8cc2c2ee0233' - MEMBER_NAME = new QName(MidPointConstants.NS_RI, 'member') - - memberDef = prismContext.definitionFactory().createPropertyDefinition(MEMBER_NAME, DOMUtil.XSD_STRING) - memberDef.setMaxOccurs(-1) - - shadowQuery = prismContext.queryFor(ShadowType.class) - .item(ShadowType.F_RESOURCE_REF).ref(GROUPER_RESOURCE_OID) - .and().item(ShadowType.F_SYNCHRONIZATION_SITUATION).eq(SynchronizationSituationType.LINKED) - .and().item(ShadowType.F_KIND).eq(ShadowKindType.ENTITLEMENT) - .and().item(ShadowType.F_INTENT).eq('group') - .and().block().item(ShadowType.F_DEAD).isNull().or().item(ShadowType.F_DEAD).eq(false).endBlock() - .and().item(ItemPath.create(ShadowType.F_ATTRIBUTES, MEMBER_NAME), memberDef).eq(basic.stringify(name)) - .build() - - //log.info('shadowQuery = {}\n{}', shadowQuery, shadowQuery.debugDump()) - options = SelectorOptions.createCollection(GetOperationOptions.createNoFetch()) - shadows = midpoint.searchObjects(ShadowType.class, shadowQuery, options) - //log.info('shadows found for {}: {}', name, shadows) - - orgNames = shadows.collect { basic.stringify(it.name) } // todo 
- use attributes - log.info('org names = {}', orgNames) - - if (!orgNames.isEmpty()) { - orgQueryBuilder = prismContext.queryFor(OrgType.class) - - first = true - for (orgName in orgNames) { - if (first) { - first = false - } else { - orgQueryBuilder = orgQueryBuilder.or() - } - orgQueryBuilder = orgQueryBuilder.item(ItemPath.create(OrgType.F_EXTENSION, 'grouperName')).eq(orgName) - } - - orgQuery = orgQueryBuilder.build() - //log.info('org query:\n', orgQuery.debugDump()) - - orgs = midpoint.searchObjects(OrgType.class, orgQuery, null) - log.info('orgs found: {}', orgs) - - orgs.collect { - new AssignmentType(prismContext) - .subtype('grouper-group') - .targetRef(it.oid, OrgType.COMPLEX_TYPE) - } - } else { - null - } - </code> - </script> - </expression> - <target> - <path>assignment</path> - <set> - <condition> - <script> - <code> - assignment?.subtype.contains('grouper-group') - </code> - </script> - </condition> - </set> - </target> - </mapping> -</objectTemplate> diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-grouper.xml b/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-grouper.xml deleted file mode 100644 index 74fd191..0000000 --- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-grouper.xml +++ /dev/null 
@@ -1,201 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - ~ Copyright (c) 2019 Evolveum and contributors - ~ - ~ This work is dual-licensed under the Apache License 2.0 - ~ and European Union Public License. See LICENSE file for details. - --> - -<resource oid="1eff65de-5bb6-483d-9edf-8cc2c2ee0233" - xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" - xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" - xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" - xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3" - xmlns:rest="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-grouper-rest/com.evolveum.polygon.connector.grouper.rest.GrouperConnector" - xmlns:conf="http://midpoint.evolveum.com/xml/ns/public/connector/builtin-1/bundle/com.evolveum.midpoint.provisioning.ucf.impl.builtin.async/AsyncUpdateConnector" - xmlns:xsd="http://www.w3.org/2001/XMLSchema" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> - - <name>Grouper Resource</name> - <connectorRef type="c:ConnectorType"> - <filter> - <q:equal> - <q:path>connectorType</q:path> - <q:value>com.evolveum.polygon.connector.grouper.rest.GrouperConnector</q:value> - </q:equal> - </filter> - </connectorRef> - <connectorConfiguration> - <icfc:configurationProperties> - <rest:baseUrl>https://grouper-ws:443</rest:baseUrl> - <rest:username>banderson</rest:username> - <rest:password>password</rest:password> - <rest:testStem>:</rest:testStem> - <!-- no testGroup: we cannot be sure that banderson is a member of sysadmingroup when doing the first test --> - <rest:baseStem>:</rest:baseStem> - <rest:groupIncludePattern>app:.*</rest:groupIncludePattern> - <rest:groupIncludePattern>test:.*</rest:groupIncludePattern> - 
<rest:groupIncludePattern>ref:.*</rest:groupIncludePattern> - <rest:groupExcludePattern>.*_(includes|excludes|systemOfRecord|systemOfRecordAndIncludes)</rest:groupExcludePattern> - <rest:subjectSource>ldap</rest:subjectSource> - <rest:ignoreSslValidation>true</rest:ignoreSslValidation> - </icfc:configurationProperties> - <icfc:resultsHandlerConfiguration> - <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler> - <icfc:enableFilteredResultsHandler>true</icfc:enableFilteredResultsHandler> - <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler> - </icfc:resultsHandlerConfiguration> - </connectorConfiguration> - <additionalConnector> - <name>AMQP async update connector</name> - <connectorRef type="c:ConnectorType"> - <filter> - <q:equal> - <q:path>connectorType</q:path> - <q:value>AsyncUpdateConnector</q:value> - </q:equal> - </filter> - </connectorRef> - <connectorConfiguration> - <conf:sources> - <amqp091> - <uri>amqp://mq:5672</uri> - <username>guest</username> - <password>guest</password> - <queue>sampleQueue</queue> - </amqp091> - </conf:sources> - <conf:transformExpression> - <script> - <code> - // ------------------ START OF CONFIGURATION ------------------ - - parameters = [ - groupIncludePattern: [ 'app:.*', 'test:.*', 'ref:.*' ], - groupExcludePattern: [ '.*_(includes|excludes|systemOfRecord|systemOfRecordAndIncludes)' ], - relevantSourceId: 'ldap' - ] - - // ------------------ END OF CONFIGURATION ------------------ - - parameters.put('message', message) - grouper.execute('createUcfChange', parameters) - </code> - </script> - </conf:transformExpression> - </connectorConfiguration> - </additionalConnector> - <schemaHandling> - <objectType> - <kind>entitlement</kind> - <intent>group</intent> - <objectClass>ri:Group</objectClass> - <default>true</default> - <attribute> - <ref>ri:name</ref> - <inbound> - <strength>strong</strength> - <target> - <path>extension/grouperName</path> - 
</target> - </inbound> - <inbound> - <strength>strong</strength> - <expression> - <script> - <code> - import com.evolveum.midpoint.schema.util.* - import com.evolveum.midpoint.schema.constants.* - - if (input == null) { - null - } else { - archetypeOid = '5f2b96d2-49b5-4a8a-9601-14457309a69b' // generic-grouper-group archetype - switch (input) { - case ~/ref:affiliation:.*/: archetypeOid = '56f53812-047d-4b69-83e8-519a73d161e1'; break; // affiliation archetype - case ~/ref:dept:.*/: archetypeOid = '1cec5f78-8fba-459b-9547-ef7485009f40'; break; // department archetype - case ~/ref:course:.*/: archetypeOid = '3dab9a72-118b-4e40-a138-bb691c335eca'; break; // course archetype - case ~/app:mailinglist:.*/: archetypeOid = '1645d1dc-1f7c-4508-b50b-97b501ccdee3'; break; // mailing-list archetype - } - ObjectTypeUtil.createAssignmentTo(archetypeOid, ObjectTypes.ARCHETYPE, prismContext) - } - </code> - </script> - </expression> - <target> - <path>assignment</path> - <set> - <predefined>all</predefined> <!-- we tolerate no other assignments --> - </set> - </target> - </inbound> - </attribute> - <attribute> - <ref>ri:member</ref> - <fetchStrategy>explicit</fetchStrategy> - <storageStrategy>indexOnly</storageStrategy> - </attribute> - </objectType> - </schemaHandling> - <synchronization> - <objectSynchronization> - <enabled>true</enabled> - <kind>entitlement</kind> - <intent>group</intent> - <objectClass>ri:Group</objectClass> - <focusType>OrgType</focusType> - <correlation> - <q:equal> - <q:path>extension/grouperName</q:path> - <expression> - <path>$projection/attributes/name</path> - </expression> - </q:equal> - </correlation> - <reaction> - <situation>linked</situation> - <channel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#asyncUpdate</channel> - <condition> - <script> - <code>import com.evolveum.midpoint.prism.path.ItemPath - import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType - - // member-only updates should _NOT_ be synchronized 
- resourceObjectDelta != null && resourceObjectDelta.isModify() && - resourceObjectDelta.modifications.size() == 1 && - ItemPath.create(ShadowType.F_ATTRIBUTES, 'member').equivalent(resourceObjectDelta.modifications.iterator().next().path) - </code> - </script> - </condition> - <synchronize>false</synchronize> - </reaction> - <reaction> - <situation>linked</situation> - <synchronize>true</synchronize> - </reaction> - <reaction> - <situation>deleted</situation> - <!-- a separate task will take care of deleted groups --> - <!-- we don't even need to unlink the shadow --> - <synchronize>true</synchronize> - </reaction> - <reaction> - <situation>unlinked</situation> - <action> - <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri> - </action> - </reaction> - <reaction> - <situation>unmatched</situation> - <action> - <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri> - </action> - </reaction> - </objectSynchronization> - </synchronization> - <caching> - <cachingStategy>passive</cachingStategy> - </caching> -</resource> diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml b/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml deleted file mode 100644 index 77aa0f3..0000000 --- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml +++ /dev/null 
@@ -1,148 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"> - <securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="00000000-0000-0000-0000-000000000120" version="2"> - <name>Default Security Policy</name> - <authentication> - <modules> - <loginForm> - <name>internalLoginForm</name> - <description>Internal username/password authentication, default user password, login form</description> - </loginForm> - <httpBasic> - <name>internalBasic</name> - <description>Internal username/password authentication, using HTTP basic auth</description> - </httpBasic> - <saml2> - <name>mySamlSso</name> - <description>My internal enterprise SAML-based SSO system.</description> - <network> - <readTimeout>10000</readTimeout> - <connectTimeout>5000</connectTimeout> - </network> - <serviceProvider> - <entityId>midpointdemo-shibboleth</entityId> - <signRequests>true</signRequests> - <wantAssertionsSigned>true</wantAssertionsSigned> - <singleLogoutEnabled>true</singleLogoutEnabled> - <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId> - <keys> - <activeKeyStoreKey> - <keyStorePath>/etc/pki/mp/sp-shibboleth-keys.jks</keyStorePath> - <keyStorePassword> - <t:clearValue>changeit</t:clearValue> - </keyStorePassword> - <keyAlias>signing-key</keyAlias> - <keyPassword> - <t:clearValue>password</t:clearValue> - </keyPassword> 
- </activeKeyStoreKey> - <standByKeyStoreKey> - <keyStorePath>/etc/pki/mp/sp-shibboleth-keys.jks</keyStorePath> - <keyStorePassword> - <t:clearValue>changeit</t:clearValue> - </keyStorePassword> - <keyAlias>encrypt-key</keyAlias> - <keyPassword> - <t:clearValue>password</t:clearValue> - </keyPassword> - <type>encryption</type> - </standByKeyStoreKey> - </keys> - <provider> - <entityId>https://idptestbed/idp/shibboleth</entityId> - <alias>idp-shibboleth</alias> - <metadata> - <pathToFile>/etc/shibboleth/idp-metadata.xml</pathToFile> - </metadata> - <skipSslValidation>true</skipSslValidation> - <linkText>Shibboleth</linkText> - <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding> - <nameOfUsernameAttribute>uid</nameOfUsernameAttribute> - </provider> - </serviceProvider> - </saml2> - </modules> - <sequence> - <name>admin-gui-default</name> - <description> - Default GUI authentication sequence. - </description> - <channel> - <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId> - <default>true</default> - <urlSuffix>gui-default</urlSuffix> - </channel> - <module> - <name>internalLoginForm</name> - <order>30</order> - <necessity>sufficient</necessity> - </module> - </sequence> - <sequence> - <name>admin-gui-emergency</name> - <description> - Special GUI authentication sequence that is using just the internal user password. - </description> - <channel> - <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId> - <default>false</default> - <urlSuffix>emergency</urlSuffix> - </channel> - <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType"> - </requireAssignmentTarget> - <module> - <name>internalLoginForm</name> - <order>30</order> - <necessity>sufficient</necessity> - </module> - </sequence> - <sequence> - <name>rest</name> - <description> - Authentication sequence for REST service. 
- </description> - <channel> - <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId> - <default>true</default> - <urlSuffix>rest-default</urlSuffix> - </channel> - <module> - <name>internalBasic</name> - <order>10</order> - <necessity>sufficient</necessity> - </module> - </sequence> - <sequence> - <name>actuator</name> - <description> - Authentication sequence for actuator. - </description> - <channel> - <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId> - <default>true</default> - <urlSuffix>actuator-default</urlSuffix> - </channel> - <module> - <name>internalBasic</name> - <order>10</order> - <necessity>sufficient</necessity> - </module> - </sequence> - <ignoredLocalPath>/actuator</ignoredLocalPath> - <ignoredLocalPath>/actuator/health</ignoredLocalPath> - </authentication> - <credentials> - <password> - <minOccurs>0</minOccurs> - <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts> - <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration> - <lockoutDuration>PT15M</lockoutDuration> - <valuePolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="00000000-0000-0000-0000-000000000003" relation="org:default" type="tns:ValuePolicyType"> - </valuePolicyRef> - </password> - </credentials> -</securityPolicy> - -</objects> diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml b/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml deleted file mode 100644 index cfe767f..0000000 --- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml +++ /dev/null 
@@ -1,783 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - ~ Copyright (c) 2010-2019 Evolveum and contributors - ~ - ~ This work is dual-licensed under the Apache License 2.0 - ~ and European Union Public License. See LICENSE file for details. - --> -<systemConfiguration oid="00000000-0000-0000-0000-000000000001" version="0" - xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3" - xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" - xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" - xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" - xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" - xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" - xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> - <name>SystemConfiguration</name> - <!-- <globalAccountSynchronizationSettings> --> - <!-- <assignmentPolicyEnforcement>relative</assignmentPolicyEnforcement> --> - <!-- </globalAccountSynchronizationSettings> --> - <globalSecurityPolicyRef oid="00000000-0000-0000-0000-000000000120"/> - <logging> - <classLogger> - <level>ERROR</level> - <package>ro.isdc.wro.extensions.processor.css.Less4jProcessor</package> - </classLogger> - <classLogger> - <!-- disabled because of MID-744, helper insert messages on ERROR - level which should not be there (probably should be on TRACE) --> - <level>OFF</level> - <package>org.hibernate.engine.jdbc.spi.SqlExceptionHelper</package> - </classLogger> - <!-- Disabled because we treat locking-related exceptions in the repository. 
- Otherwise the log is filled-in with (innocent but ugly-looking) messages like - "ERROR (o.h.engine.jdbc.batch.internal.BatchingBatch): HHH000315: Exception executing batch [Deadlock detected. - The current transaction was rolled back." --> - <classLogger> - <level>OFF</level> - <package>org.hibernate.engine.jdbc.batch.internal.BatchingBatch</package> - </classLogger> - <!-- Disabled because of the same reason; this time concerning messages like - "INFO (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl): - HHH000010: On release of batch it still contained JDBC statements" --> - <classLogger> - <level>WARN</level> - <package>org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl</package> - </classLogger> - <!-- Diesabled because of MID-4636 --> - <classLogger> - <level>OFF</level> - <package>org.hibernate.internal.ExceptionMapperStandardImpl</package> - </classLogger> - <classLogger> - <!-- disabled because of MID-1612, jasper library needs to be fixed --> - <level>OFF</level> - <package>net.sf.jasperreports.engine.fill.JRFillDataset</package> - </classLogger> - <classLogger> - <!-- disabled because we don't need to see every property file - loading message (unnecessary log pollution) --> - <level>WARN</level> - <package>org.apache.wicket.resource.PropertiesFactory</package> - </classLogger> - <classLogger> - <!-- disabled because we don't need to see every log message for every key - when resource bundle doesn't exist for specific locale (unnecessary log pollution) --> - <level>ERROR</level> - <package>org.springframework.context.support.ResourceBundleMessageSource</package> - </classLogger> - <classLogger> - <!-- Standard useful logger --> - <level>INFO</level> - <package>com.evolveum.midpoint.model.impl.lens.projector.Projector</package> - </classLogger> - <classLogger> - <!-- Standard useful logger --> - <level>INFO</level> - <package>com.evolveum.midpoint.model.impl.lens.Clockwork</package> - </classLogger> - <classLogger> - <level>DEBUG</level> 
- <package>com.evolveum.polygon.connector.grouper</package> - </classLogger> - - <appender xsi:type="c:FileAppenderConfigurationType" name="MIDPOINT_LOG" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> - <pattern>%date [%X{subsystem}] [%thread] %level \(%logger\): %msg%n</pattern> - <fileName>${midpoint.home}/log/midpoint.log</fileName> - <filePattern>${midpoint.home}/log/midpoint-%d{yyyy-MM-dd}.%i.log</filePattern> - <maxHistory>10</maxHistory> - <maxFileSize>100MB</maxFileSize> - <append>true</append> - </appender> - <!-- Appender for profiling purposes --> - <appender xsi:type="c:FileAppenderConfigurationType" name="MIDPOINT_PROFILE_LOG" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> - <pattern>%date %level: %msg%n</pattern> - <fileName>${midpoint.home}/log/midpoint-profile.log</fileName> - <filePattern>${midpoint.home}/log/midpoint-profile-%d{yyyy-MM-dd}.%i.log</filePattern> - <maxHistory>10</maxHistory> - <maxFileSize>100MB</maxFileSize> - <append>true</append> - </appender> - <rootLoggerAppender>MIDPOINT_LOG</rootLoggerAppender> - <rootLoggerLevel>INFO</rootLoggerLevel> - <auditing> - <enabled>false</enabled> - <details>false</details> - </auditing> - </logging> - <defaultObjectPolicyConfiguration id="101"> - <type>UserType</type> - <objectTemplateRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="8098b124-c20c-4965-8adf-e528abedf7a4" relation="org:default" type="tns:ObjectTemplateType"/> - </defaultObjectPolicyConfiguration> - <defaultObjectPolicyConfiguration> - <type>OrgType</type> - <lifecycleStateModel> - <state> - <name>retired</name> - <!-- object in this model is active but on its way to deletion --> - </state> - </lifecycleStateModel> - </defaultObjectPolicyConfiguration> - <cleanupPolicy> - <auditRecords> - <maxAge>P3M</maxAge> - </auditRecords> - <closedTasks> - <maxAge>P1M</maxAge> - </closedTasks> - </cleanupPolicy> - <internals> - <enableExperimentalCode>true</enableExperimentalCode> - 
<operationExecutionRecording> - <skipWhenSuccess>true</skipWhenSuccess> - </operationExecutionRecording> - <focusConstraintsChecking> - <skipWhenNoChange>true</skipWhenNoChange> - <skipWhenNoIteration>true</skipWhenNoIteration> - </focusConstraintsChecking> - <projectionConstraintsChecking> - <skipWhenNoChange>true</skipWhenNoChange> - <skipWhenNoIteration>true</skipWhenNoIteration> - </projectionConstraintsChecking> - <synchronizationSituationUpdating> - <skipWhenNoChange>true</skipWhenNoChange> - </synchronizationSituationUpdating> - <caching> - <profile> - <global>true</global> - <localRepoCache> - <statistics> - <classification>perCacheAndObjectType</classification> - </statistics> - </localRepoCache> - <globalRepoCache> - <timeToLive>60</timeToLive> - <objectTypeSettings> - <objectType>SystemConfigurationType</objectType> - <objectType>ArchetypeType</objectType> - <objectType>ObjectTemplateType</objectType> - <objectType>SecurityPolicyType</objectType> - <objectType>ValuePolicyType</objectType> - <objectType>ResourceType</objectType> - <objectType>RoleType</objectType> - <objectType>OrgType</objectType> - <objectType>ServiceType</objectType> - <objectType>ShadowType</objectType> - </objectTypeSettings> - <statistics> - <classification>perCacheAndObjectType</classification> - </statistics> - </globalRepoCache> - </profile> - </caching> - <repository> - <statistics> - <classification>perOperationAndObjectType</classification> - </statistics> - </repository> - <tracing> - <profile> - <name>performance</name> - <displayName>Performance tracing</displayName> - <visible>true</visible> - <default>true</default> - <fileNamePattern>performance-trace %{timestamp} %{focusName} %{milliseconds}</fileNamePattern> - <createRepoObject>true</createRepoObject> - <compressOutput>true</compressOutput> - </profile> - <profile> - <name>functional</name> - <displayName>Functional tracing</displayName> - <visible>true</visible> - <fileNamePattern>functional-trace %{timestamp} 
%{focusName}</fileNamePattern> - <createRepoObject>true</createRepoObject> - <compressOutput>true</compressOutput> - <collectLogEntries>true</collectLogEntries> - <tracingTypeProfile> - <level>normal</level> - </tracingTypeProfile> - </profile> - <profile> - <name>functional-model-logging</name> - <displayName>Functional tracing (with model logging)</displayName> - <visible>true</visible> - <fileNamePattern>functional-trace %{timestamp} %{focusName}</fileNamePattern> - <createRepoObject>true</createRepoObject> - <compressOutput>true</compressOutput> - <collectLogEntries>true</collectLogEntries> - <loggingOverride> - <levelOverride> - <logger>com.evolveum.midpoint.model</logger> - <level>TRACE</level> - </levelOverride> - </loggingOverride> - <tracingTypeProfile> - <level>normal</level> - </tracingTypeProfile> - </profile> - <profile> - <name>functional-sql-logging</name> - <displayName>Functional tracing (with SQL logging)</displayName> - <visible>true</visible> - <fileNamePattern>functional-trace %{timestamp} %{focusName}</fileNamePattern> - <createRepoObject>true</createRepoObject> - <compressOutput>true</compressOutput> - <collectLogEntries>true</collectLogEntries> - <loggingOverride> - <levelOverride> - <logger>org.hibernate.SQL</logger> - <level>TRACE</level> - </levelOverride> - </loggingOverride> - <tracingTypeProfile> - <level>normal</level> - </tracingTypeProfile> - </profile> - </tracing> - </internals> - <deploymentInformation> - <name>demo/grouper</name> - </deploymentInformation> - <adminGuiConfiguration> - <userDashboardLink> - <targetUrl>/self/profile</targetUrl> - <label>Profile</label> - <description>View/edit your profile</description> - <icon> - <cssClass>fa fa-user</cssClass> - </icon> - <color>green</color> - <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfProfile</authorization> - <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</authorization> - 
</userDashboardLink> - <userDashboardLink> - <targetUrl>/self/credentials</targetUrl> - <label>Credentials</label> - <description>View/edit your credentials</description> - <icon> - <cssClass>fa fa-shield</cssClass> - </icon> - <color>blue</color> - <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfCredentials</authorization> - <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</authorization> - </userDashboardLink> - <userDashboardLink> - <targetUrl>/admin/users</targetUrl> - <label>List users</label> - <icon> - <cssClass>fa fa-users</cssClass> - </icon> - <color>red</color> - <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</authorization> - </userDashboardLink> - <userDashboardLink> - <targetUrl>/admin/resources</targetUrl> - <label>List resources</label> - <icon> - <cssClass>fa fa-database</cssClass> - </icon> - <color>purple</color> - <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#resources</authorization> - </userDashboardLink> - <objectCollectionViews> - <objectCollectionView> - <identifier>my-cases</identifier> - <display> - <label>My cases</label> - <!-- We need to explicitly specify plural label here. Otherwise it will be overwritten by a plural label from archetype. --> - <pluralLabel>My cases</pluralLabel> - <singularLabel>My case</singularLabel> - <icon> - <cssClass>fe fe-case-object</cssClass> - </icon> - </display> - <displayOrder>1000</displayOrder> - <type>CaseType</type> - <collection> - <collectionRef oid="00000000-0000-0000-0000-000000000344" relation="org:default" type="c:ObjectCollectionType"> - </collectionRef> - </collection> - </objectCollectionView> - <objectCollectionView> - <identifier>manual-case-view</identifier> - <display> - <label>Manual cases</label> <!-- "Manual provisioning cases" is too long for the menu --> - <!-- We need to explicitly specify plural label here. 
Otherwise it will be overwritten by a plural label from archetype. --> - <pluralLabel>All manual cases</pluralLabel> - <singularLabel>Manual case</singularLabel> - <tooltip>Manual provisioning cases</tooltip> - </display> - <displayOrder>1010</displayOrder> - <type>CaseType</type> - <collection> - <collectionRef oid="00000000-0000-0000-0000-000000000340" relation="org:default" type="c:ArchetypeType"> - </collectionRef> - </collection> - </objectCollectionView> - <objectCollectionView> - <identifier>operation-request-case-view</identifier> - <display> - <label>Requests</label> <!-- "Operation requests" is too long for the menu --> - <!-- We need to explicitly specify plural label here. Otherwise it will be overwritten by a plural label from archetype. --> - <pluralLabel>All requests</pluralLabel> - <singularLabel>Request</singularLabel> - <tooltip>Operation requests</tooltip> - </display> - <displayOrder>1020</displayOrder> - <type>CaseType</type> - <collection> - <collectionRef oid="00000000-0000-0000-0000-000000000341" relation="org:default" type="c:ArchetypeType"> - </collectionRef> - </collection> - </objectCollectionView> - <objectCollectionView> - <identifier>approval-case-view</identifier> - <display> - <label>Approvals</label> <!-- "Approval cases" is too long for the menu --> - <!-- We need to explicitly specify plural label here. Otherwise it will be overwritten by a plural label from archetype. 
--> - <pluralLabel>All approvals</pluralLabel> - <singularLabel>Approval</singularLabel> - <tooltip>Approval cases</tooltip> - </display> - <displayOrder>1030</displayOrder> - <type>CaseType</type> - <collection> - <collectionRef oid="00000000-0000-0000-0000-000000000342" relation="org:default" type="c:ArchetypeType"> - </collectionRef> - </collection> - </objectCollectionView> - <objectCollectionView> - <identifier>reconciliation-tasks-view</identifier> - <refreshInterval>30</refreshInterval> - <type>TaskType</type> - <collection> - <collectionRef oid="00000000-0000-0000-0000-000000000501" relation="org:default" type="c:ArchetypeType"/> - </collection> - </objectCollectionView> - <objectCollectionView> - <identifier>recomputation-tasks-view</identifier> - <refreshInterval>30</refreshInterval> - <type>TaskType</type> - <collection> - <collectionRef oid="00000000-0000-0000-0000-000000000502" relation="org:default" type="c:ArchetypeType"/> - </collection> - </objectCollectionView> - <objectCollectionView> - <identifier>import-tasks-view</identifier> - <refreshInterval>30</refreshInterval> - <type>TaskType</type> - <collection> - <collectionRef oid="00000000-0000-0000-0000-000000000503" relation="org:default" type="c:ArchetypeType"/> - </collection> - </objectCollectionView> - <objectCollectionView> - <identifier>live-sync-tasks-view</identifier> - <refreshInterval>30</refreshInterval> - <type>TaskType</type> - <collection> - <collectionRef oid="00000000-0000-0000-0000-000000000504" relation="org:default" type="c:ArchetypeType"/> - </collection> - </objectCollectionView> - <objectCollectionView> - <identifier>async-update-tasks-view</identifier> - <refreshInterval>30</refreshInterval> - <type>TaskType</type> - <collection> - <collectionRef oid="00000000-0000-0000-0000-000000000505" relation="org:default" type="c:ArchetypeType"/> - </collection> - </objectCollectionView> - <objectCollectionView> - <identifier>cleanup-tasks-view</identifier> - 
<refreshInterval>30</refreshInterval> - <type>TaskType</type> - <collection> - <collectionRef oid="00000000-0000-0000-0000-000000000506" relation="org:default" type="c:ArchetypeType"/> - </collection> - </objectCollectionView> - <objectCollectionView> - <identifier>report-tasks-view</identifier> - <refreshInterval>30</refreshInterval> - <type>TaskType</type> - <collection> - <collectionRef oid="00000000-0000-0000-0000-000000000507" relation="org:default" type="c:ArchetypeType"/> - </collection> - </objectCollectionView> - <objectCollectionView> - <identifier>single-bulk-action-tasks-view</identifier> - <refreshInterval>30</refreshInterval> - <type>TaskType</type> - <collection> - <collectionRef oid="00000000-0000-0000-0000-000000000508" relation="org:default" type="c:ArchetypeType"/> - </collection> - </objectCollectionView> - <objectCollectionView> - <identifier>iterative-bulk-action-tasks-view</identifier> - <refreshInterval>30</refreshInterval> - <type>TaskType</type> - <collection> - <collectionRef oid="00000000-0000-0000-0000-000000000509" relation="org:default" type="c:ArchetypeType"/> - </collection> - </objectCollectionView> - <objectCollectionView> - <identifier>certification-tasks-view</identifier> - <refreshInterval>30</refreshInterval> - <type>TaskType</type> - <collection> - <collectionRef oid="00000000-0000-0000-0000-000000000520" relation="org:default" type="c:ArchetypeType"/> - </collection> - </objectCollectionView> - <objectCollectionView> - <identifier>approval-tasks-view</identifier> - <refreshInterval>30</refreshInterval> - <type>TaskType</type> - <collection> - <collectionRef oid="00000000-0000-0000-0000-000000000521" relation="org:default" type="c:ArchetypeType"/> - </collection> - </objectCollectionView> - <objectCollectionView> - <identifier>utility-tasks-view</identifier> - <refreshInterval>30</refreshInterval> - <type>TaskType</type> - <collection> - <collectionRef oid="00000000-0000-0000-0000-000000000528" relation="org:default" 
type="c:ArchetypeType"/> - </collection> - </objectCollectionView> - <objectCollectionView> - <identifier>system-tasks-view</identifier> - <refreshInterval>30</refreshInterval> - <type>TaskType</type> - <collection> - <collectionRef oid="00000000-0000-0000-0000-000000000529" relation="org:default" type="c:ArchetypeType"/> - </collection> - </objectCollectionView> - </objectCollectionViews> - <objectDetails> - <objectDetailsPage> - <type>c:TaskType</type> - <container> - <displayOrder>150</displayOrder> - <display> - <label>Advanced options</label> - </display> - <item> - <c:path>cleanupAfterCompletion</c:path> - </item> - <item> - <c:path>threadStopAction</c:path> - </item> - <item> - <c:path>binding</c:path> - </item> - <item> - <c:path>dependent</c:path> - </item> - </container> - <container> - <displayOrder>900</displayOrder> - <display> - <label>Operational attributes (state)</label> - </display> - <item> - <c:path>executionStatus</c:path> - </item> - <item> - <c:path>node</c:path> - </item> - <item> - <c:path>nodeAsObserved</c:path> - </item> - <item> - <c:path>resultStatus</c:path> - </item> - <item> - <c:path>result</c:path> - </item> - <item> - <c:path>nextRunStartTimestamp</c:path> - </item> - <item> - <c:path>nextRetryTimestamp</c:path> - </item> - <item> - <c:path>unpauseAction</c:path> - </item> - <item> - <c:path>taskIdentifier</c:path> - </item> - <item> - <c:path>parent</c:path> - </item> - <item> - <c:path>waitingReason</c:path> - </item> - <item> - <c:path>stateBeforeSuspend</c:path> - </item> - <item> - <c:path>category</c:path> - </item> - <item> - <c:path>otherHandlersUriStack</c:path> - </item> - <item> - <c:path>channel</c:path> - </item> - <item> - <c:path>subtaskRef</c:path> - </item> - <item> - <c:path>dependentTaskRef</c:path> - </item> - <item> - <c:path>lastRunStartTimestamp</c:path> - </item> - <item> - <c:path>lastRunFinishTimestamp</c:path> - </item> - <item> - <c:path>completionTimestamp</c:path> - </item> - </container> - 
<container> - <displayOrder>910</displayOrder> - <visibility>hidden</visibility> - <display> - <label>Operational attributes (progress)</label> - </display> - <item> - <c:path>progress</c:path> - </item> - <item> - <c:path>expectedTotal</c:path> - </item> - <item> - <c:path>stalledSince</c:path> - </item> - </container> - - </objectDetailsPage> - </objectDetails> - <enableExperimentalFeatures>true</enableExperimentalFeatures> - </adminGuiConfiguration> - <workflowConfiguration> - <useLegacyApproversSpecification>never</useLegacyApproversSpecification> - <useDefaultApprovalPolicyRules>never</useDefaultApprovalPolicyRules> - </workflowConfiguration> - - <expressions> - <expressionProfile> - <identifier>safe</identifier> - <description> - "Safe" expression profile. It is supposed to contain only operations that are "safe", - i.e. operations that have very little risk to harm the system, circumvent midPoint security - and so on. Use of those operations should be reasonably safe in all expressions. - However, there are limitations. This profile may incomplete or it may even be not completely secure. - Proper security testing of this profile was not yet conducted. It is provided here "AS IS", - without any guarantees. Use at your own risk. - </description> - <decision>deny</decision> <!-- default decision of those evaluators that are not explicitly enumerated. --> - <evaluator> - <type>asIs</type> - <decision>allow</decision> - </evaluator> - <evaluator> - <type>path</type> - <decision>allow</decision> - </evaluator> - <evaluator> - <type>value</type> - <decision>allow</decision> - </evaluator> - <evaluator> - <type>const</type> - <decision>allow</decision> - </evaluator> - <evaluator> - <type>script</type> - <decision>deny</decision> <!-- default decision of those script languages that are not explicitly enumerated. 
--> - <script> - <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language> - <decision>allow</decision> - <typeChecking>true</typeChecking> - <permissionProfile>script-safe</permissionProfile> - </script> - </evaluator> - </expressionProfile> - <permissionProfile> - <identifier>script-safe</identifier> - <decision>deny</decision> <!-- Default decision for those classes that are not explicitly enumerated. --> - <package> - <name>com.evolveum.midpoint.xml.ns._public.common.common_3</name> - <description>MidPoint common schema - generated bean classes</description> - <decision>allow</decision> - </package> - <package> - <name>com.evolveum.prism.xml.ns._public.types_3</name> - <description>Prism schema - bean classes</description> - <decision>allow</decision> - </package> - <class> - <name>java.lang.Integer</name> - <decision>allow</decision> - </class> - <class> - <name>java.lang.Object</name> - <description>Basic Java operations.</description> - <decision>deny</decision> - <method> - <name>equals</name> - <decision>allow</decision> - </method><method> - <name>hashCode</name> - <decision>allow</decision> - </method> - </class> - <class> - <name>java.lang.String</name> - <description>String operations are generally safe. But Groovy is adding execute() method which is very dangerous.</description> - <decision>allow</decision> <!-- Default decision for those methods that are not explicitly enumerated. --> - <method> - <name>execute</name> - <decision>deny</decision> - </method> - </class> - <class> - <name>java.lang.CharSequence</name> - <decision>allow</decision> - </class> - <class> - <name>java.lang.Enum</name> - <decision>allow</decision> - </class> - <class> - <name>java.util.List</name> - <description>List operations are generally safe. 
But Groovy is adding execute() method which is very dangerous.</description> - <decision>allow</decision> - <method> - <name>execute</name> - <decision>deny</decision> - </method> - </class> - <class> - <name>java.util.ArrayList</name> - <description>List operations are generally safe. But Groovy is adding execute() method which is very dangerous.</description> - <decision>allow</decision> - <method> - <name>execute</name> - <decision>deny</decision> - </method> - </class> - <class> - <name>java.util.Map</name> - <decision>allow</decision> - </class> - <class> - <name>java.util.HashMap</name> - <decision>allow</decision> - </class> - <class> - <name>java.util.Date</name> - <decision>allow</decision> - </class> - <class> - <name>javax.xml.namespace.QName</name> - <decision>allow</decision> - </class> - <class> - <name>javax.xml.datatype.XMLGregorianCalendar</name> - <decision>allow</decision> - </class> - <class> - <name>java.lang.System</name> - <description>Just a few methods of System are safe enough.</description> - <decision>deny</decision> - <method> - <name>currentTimeMillis</name> - <decision>allow</decision> - </method> - </class> - <class> - <name>java.lang.IllegalStateException</name> - <description>Basic Java exception. 
Also used in test.</description> - <decision>allow</decision> - </class> - <class> - <name>java.lang.IllegalArgumentException</name> - <description>Basic Java exception.</description> - <decision>allow</decision> - </class> - <class> - <name>com.evolveum.midpoint.model.common.expression.functions.BasicExpressionFunctions</name> - <description>MidPoint basic functions library</description> - <decision>allow</decision> - </class> - <class> - <name>com.evolveum.midpoint.model.common.expression.functions.LogExpressionFunctions</name> - <description>MidPoint logging functions library</description> - <decision>allow</decision> - </class> - <class> - <name>com.evolveum.midpoint.report.impl.ReportFunctions</name> - <description>MidPoint report functions library</description> - <decision>allow</decision> - </class> - <class> - <name>org.apache.commons.lang.StringUtils</name> - <description>Apache Commons: Strings</description> - <decision>allow</decision> - </class> - - <!-- Following may be needed for audit reports. But they may not be completely safe. - Therefore the following section is commented out. Please closely evaluate those rules - before using them. --> - <!-- <class> - <name>com.evolveum.midpoint.schema.expression.VariablesMap</name> - <description>Expression variables map.</description> - <decision>deny</decision> - <method> - <name>get</name> - <decision>allow</decision> - </method> - <method> - <name>remove</name> - <decision>allow</decision> - </method> - </class> - <class> - <name>com.evolveum.midpoint.schema.expression.TypedValue</name> - <description>Typed values, holding expression variables. 
Read-only access.</description> - <decision>deny</decision> - <method> - <name>getValue</name> - <decision>allow</decision> - </method> - </class> - <class> - <name>com.evolveum.midpoint.report.impl.ReportUtils</name> - <decision>deny</decision> - <method> - <name>convertDateTime</name> - <decision>allow</decision> - </method> - <method> - <name>getPropertyString</name> - <decision>allow</decision> - </method> - <method> - <name>printDelta</name> - <decision>allow</decision> - </method> - </class> - <class> - <name>com.evolveum.midpoint.prism.PrismReferenceValue</name> - <decision>allow</decision> - </class> --> - </permissionProfile> - </expressions> - -</systemConfiguration> diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/tasks/995-task-group-scavenger.xml b/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/tasks/995-task-group-scavenger.xml deleted file mode 100644 index 50c98af..0000000 --- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/tasks/995-task-group-scavenger.xml +++ /dev/null 
@@ -1,86 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- ~ Copyright (c) 2019 Evolveum and contributors
- ~
- ~ This work is dual-licensed under the Apache License 2.0
- ~ and European Union Public License. See LICENSE file for details.
- -->
-
-<!--
-
-Looks for groups with the lifecycleState of 'retired' and completes their deletion:
- - unassigns all the users (simply by recomputing them)
-
--->
-
-<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
- xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
- xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
- xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"
- xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3"
- oid="1d7bef40-953e-443e-8e9a-ec6e313668c4">
- <name>Group Scavenger</name>
- <extension>
- <scext:executeScript>
- <s:action>
- <s:type>execute-script</s:type>
- <s:parameter>
- <s:name>script</s:name>
- <c:value xsi:type="c:ScriptExpressionEvaluatorType">
- <c:code>import com.evolveum.midpoint.xml.ns._public.common.common_3.*
-
- result = midpoint.currentResult
- log.info('Processing dead group: {}', input)
- query = prismContext.queryFor(UserType.class)
- .item(UserType.F_ROLE_MEMBERSHIP_REF).ref(input.oid)
- .build()
- members = midpoint.repositoryService.searchObjects(UserType.class, query, null, result)
- log.info('Found {} members: {}', members.size(), members)
-
- for (member in members) {
- log.info('Going to recompute {}', member)
- try {
- midpoint.recompute(UserType.class, member.oid)
- } catch (Throwable t) {
- log.error('Couldn\'t recompute {}: {}', member, t.message, t)
- }
- }
- log.info('Members recomputed; checking if the org is still in "retired" state')
- orgAfter = midpoint.repositoryService.getObject(OrgType.class, input.oid, null, result)
- currentState = orgAfter.asObjectable().lifecycleState
- log.info('Current state = {}', currentState)
- if (currentState == 'retired') {
- log.info('Deleting the org: {}', orgAfter)
- midpoint.deleteObject(OrgType.class, orgAfter.oid, null)
- } else {
- log.info('State has changed, not deleting the org: {}', orgAfter)
- }
- log.info('Dead group processing done: {}', input)
- </c:code>
- </c:value>
- </s:parameter>
- </s:action>
- </scext:executeScript>
- <mext:objectType>OrgType</mext:objectType>
- <mext:objectQuery>
- <q:filter>
- <q:equal>
- <q:path>lifecycleState</q:path>
- <q:value>retired</q:value>
- </q:equal>
- </q:filter>
- </mext:objectQuery>
- </extension>
- <assignment>
- <targetRef oid="00000000-0000-0000-0000-000000000509" type="ArchetypeType" /> <!-- Iterative bulk action task -->
- </assignment>
- <ownerRef oid="00000000-0000-0000-0000-000000000002"/>
- <executionStatus>runnable</executionStatus>
- <category>BulkActions</category>
- <recurrence>recurring</recurrence>
- <schedule>
- <interval>60</interval>
- </schedule>
-</task>
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/cs-portal.csv b/demo/grouper/midpoint_server/cs-portal.csv
similarity index 100%
rename from demo/grouper/midpoint_server/container_files/mp-home/cs-portal.csv
rename to demo/grouper/midpoint_server/cs-portal.csv
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/faculty-portal.csv b/demo/grouper/midpoint_server/faculty-portal.csv
similarity index 100%
rename from demo/grouper/midpoint_server/container_files/mp-home/faculty-portal.csv
rename to demo/grouper/midpoint_server/faculty-portal.csv
diff --git a/demo/grouper/midpoint_server/icf-connectors/connector-grouper-1.1.1.0.jar b/demo/grouper/midpoint_server/icf-connectors/connector-grouper-1.1.1.0.jar
new file mode 100644
index 0000000..55d7a58
Binary files /dev/null and b/demo/grouper/midpoint_server/icf-connectors/connector-grouper-1.1.1.0.jar differ
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/icf-connectors/connector-grouper-rest-0.6.jar b/demo/grouper/midpoint_server/icf-connectors/connector-grouper-rest-0.7.jar
similarity index 98%
rename from demo/grouper/midpoint_server/container_files/mp-home/icf-connectors/connector-grouper-rest-0.6.jar
rename to demo/grouper/midpoint_server/icf-connectors/connector-grouper-rest-0.7.jar
index e0ba84d..d03a75b 100644
Binary files a/demo/grouper/midpoint_server/container_files/mp-home/icf-connectors/connector-grouper-rest-0.6.jar and b/demo/grouper/midpoint_server/icf-connectors/connector-grouper-rest-0.7.jar differ
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/icf-connectors/net.tirasa.connid.bundles.db.scriptedsql-2.2.6-SNAPSHOT.jar b/demo/grouper/midpoint_server/icf-connectors/net.tirasa.connid.bundles.db.scriptedsql-2.2.6-SNAPSHOT.jar
similarity index 100%
rename from demo/grouper/midpoint_server/container_files/mp-home/icf-connectors/net.tirasa.connid.bundles.db.scriptedsql-2.2.6-SNAPSHOT.jar
rename to demo/grouper/midpoint_server/icf-connectors/net.tirasa.connid.bundles.db.scriptedsql-2.2.6-SNAPSHOT.jar
diff --git a/demo/grouper/midpoint_server/lib/mariadb-java-client-3.0.6.jar b/demo/grouper/midpoint_server/lib/mariadb-java-client-3.0.6.jar
new file mode 100644
index 0000000..162c510
Binary files /dev/null and b/demo/grouper/midpoint_server/lib/mariadb-java-client-3.0.6.jar differ
diff --git a/demo/grouper/midpoint_server/lib/mysql-connector-java-8.0.30.jar b/demo/grouper/midpoint_server/lib/mysql-connector-java-8.0.30.jar
new file mode 100644
index 0000000..92ebe1b
Binary files /dev/null and b/demo/grouper/midpoint_server/lib/mysql-connector-java-8.0.30.jar differ
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/mailing-lists.csv b/demo/grouper/midpoint_server/mailing-lists.csv
similarity index 100%
rename from demo/grouper/midpoint_server/container_files/mp-home/mailing-lists.csv
rename to demo/grouper/midpoint_server/mailing-lists.csv
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-affiliation.xml b/demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-affiliation.xml
similarity index 76%
rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-affiliation.xml
rename to demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-affiliation.xml
index 2461c94..b0b9400 100644
--- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-affiliation.xml
+++ b/demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-affiliation.xml
@@ -49,24 +49,4 @@
 </expression>
 </condition>
 </inducement>
-<!-- TODO MidPoint Basics Training, LAB 4-10: uncomment the following content -->
-<!--
- <inducement>
- <description>
- This inducement applies for Users assigned to an Org with the "affiliation" archetype.
- It will create an account in "Staff Portal" by assignment of "Staff Portal Basic Role"
- </description>
- <targetRef oid="1620de52-0142-11ea-aa66-9fa873ad13ff" type="c:RoleType" />
- <order>2</order>
- <condition>
- <description>only if the organization's identifier is 'staff'</description>
- <expression>
- <script>
- <code>assignmentPath[0].target.identifier == 'staff'</code>
- </script>
- </expression>
- </condition>
- </inducement>
--->
-<!-- TODO MidPoint Basics Training, LAB 4-10: end of to-be-uncommented content -->
 </archetype>
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-course.xml b/demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-course.xml
similarity index 100%
rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-course.xml
rename to demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-course.xml
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-department.xml b/demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-department.xml
similarity index 100%
rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-department.xml
rename to demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-department.xml
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-external-person.xml b/demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-external-person.xml
similarity index 86%
rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-external-person.xml
rename to demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-external-person.xml
index c249f6b..5132def 100644
--- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-external-person.xml
+++ b/demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-external-person.xml
@@ -6,6 +6,11 @@ xmlns:org='http://midpoint.evolveum.com/xml/ns/public/common/org-3'> <name>External</name> <description>Non-academic person with no relation to the academy environment</description> + <assignment> + <assignmentRelation> + <holderType>UserType</holderType> + </assignmentRelation> + </assignment> <archetypePolicy> <display> <label>External</label> @@ -17,9 +22,4 @@ </icon> </display> </archetypePolicy> - <assignment> - <assignmentRelation> - <holderType>UserType</holderType> - </assignmentRelation> - </assignment> </archetype> diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-generic-grouper-group.xml b/demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-generic-grouper-group.xml similarity index 100% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-generic-grouper-group.xml rename to demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-generic-grouper-group.xml diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-mailing-list.xml b/demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-mailing-list.xml similarity index 100% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-mailing-list.xml rename to demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-mailing-list.xml 
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-midpoint-group.xml b/demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-midpoint-group.xml similarity index 97% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-midpoint-group.xml rename to demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-midpoint-group.xml index e3bc872..bb9c140 100644 --- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-midpoint-group.xml +++ b/demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-midpoint-group.xml @@ -19,7 +19,7 @@ <pluralLabel>midPoint Groups</pluralLabel> <icon> <cssClass>fa fa-users</cssClass> - <color>darkgviolet</color> + <color>darkviolet</color> </icon> </display> </archetypePolicy> diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-sis-person.xml b/demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-sis-person.xml similarity index 87% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-sis-person.xml rename to demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-sis-person.xml index b4c8a42..de940bc 100644 --- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/archetypes/300-archetype-sis-person.xml +++ b/demo/grouper/midpoint_server/post-initial-objects/archetypes/300-archetype-sis-person.xml 
@@ -6,6 +6,11 @@ xmlns:org='http://midpoint.evolveum.com/xml/ns/public/common/org-3'> <name>SIS Person</name> <description>Person with a relation to the academy environment, coming from the SIS database</description> + <assignment> + <assignmentRelation> + <holderType>UserType</holderType> + </assignmentRelation> + </assignment> <archetypePolicy> <display> <label>SIS Person</label> @@ -17,9 +22,4 @@ </icon> </display> </archetypePolicy> - <assignment> - <assignmentRelation> - <holderType>UserType</holderType> - </assignmentRelation> - </assignment> </archetype> diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/bulkActions/900-test-all-resources.xml b/demo/grouper/midpoint_server/post-initial-objects/bulkActions/900-test-all-resources.xml similarity index 93% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/bulkActions/900-test-all-resources.xml rename to demo/grouper/midpoint_server/post-initial-objects/bulkActions/900-test-all-resources.xml index 5b22670..380bcf5 100644 --- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/bulkActions/900-test-all-resources.xml +++ b/demo/grouper/midpoint_server/post-initial-objects/bulkActions/900-test-all-resources.xml @@ -6,6 +6,7 @@ <s:type>c:ResourceType</s:type> <s:searchFilter> <q:inOid> + <q:value>fb0bbf07-e33f-4ddd-85a1-16a7edc237f2</q:value> <q:value>0a37121f-d515-4a23-9b6d-554c5ef61272</q:value> <q:value>4d70a0da-02dd-41cf-b0a1-00e75d3eaa15</q:value> <q:value>a343fc2e-3954-4034-ba1a-2b72c21e577a</q:value> 
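Review bot: The added `<q:value>fb0bbf07-e33f-4ddd-85a1-16a7edc237f2</q:value>` carries no comment saying which resource it is, and neither do the neighbouring OIDs, so the test-all-resources action is hard to audit when a resource is renamed or removed. The new resource file in this commit names itself "Source: Groups", so `<q:value>fb0bbf07-e33f-4ddd-85a1-16a7edc237f2</q:value> <!-- Source: Groups (Grouper) -->` would tie the two together.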
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/bulkActions/910-recompute-grouper-objects.xml b/demo/grouper/midpoint_server/post-initial-objects/bulkActions/910-recompute-grouper-objects.xml similarity index 100% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/bulkActions/910-recompute-grouper-objects.xml rename to demo/grouper/midpoint_server/post-initial-objects/bulkActions/910-recompute-grouper-objects.xml diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/ordering.txt b/demo/grouper/midpoint_server/post-initial-objects/ordering.txt similarity index 100% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/ordering.txt rename to demo/grouper/midpoint_server/post-initial-objects/ordering.txt diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/orgs/100-org-affiliations.xml b/demo/grouper/midpoint_server/post-initial-objects/orgs/100-org-affiliations.xml similarity index 100% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/orgs/100-org-affiliations.xml rename to demo/grouper/midpoint_server/post-initial-objects/orgs/100-org-affiliations.xml diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/orgs/100-org-courses.xml b/demo/grouper/midpoint_server/post-initial-objects/orgs/100-org-courses.xml similarity index 100% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/orgs/100-org-courses.xml rename to demo/grouper/midpoint_server/post-initial-objects/orgs/100-org-courses.xml 
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/orgs/100-org-departments.xml b/demo/grouper/midpoint_server/post-initial-objects/orgs/100-org-departments.xml similarity index 100% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/orgs/100-org-departments.xml rename to demo/grouper/midpoint_server/post-initial-objects/orgs/100-org-departments.xml diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/orgs/100-org-generic-groups.xml b/demo/grouper/midpoint_server/post-initial-objects/orgs/100-org-generic-groups.xml similarity index 100% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/orgs/100-org-generic-groups.xml rename to demo/grouper/midpoint_server/post-initial-objects/orgs/100-org-generic-groups.xml diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/orgs/100-org-mailing-lists.xml b/demo/grouper/midpoint_server/post-initial-objects/orgs/100-org-mailing-lists.xml similarity index 100% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/orgs/100-org-mailing-lists.xml rename to demo/grouper/midpoint_server/post-initial-objects/orgs/100-org-mailing-lists.xml diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/orgs/100-org-midpoint-groups.xml b/demo/grouper/midpoint_server/post-initial-objects/orgs/100-org-midpoint-groups.xml similarity index 100% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/orgs/100-org-midpoint-groups.xml rename to demo/grouper/midpoint_server/post-initial-objects/orgs/100-org-midpoint-groups.xml 
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/orgs/400-org-grouper-sysadmin.xml b/demo/grouper/midpoint_server/post-initial-objects/orgs/400-org-grouper-sysadmin.xml similarity index 99% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/orgs/400-org-grouper-sysadmin.xml rename to demo/grouper/midpoint_server/post-initial-objects/orgs/400-org-grouper-sysadmin.xml index 201777a..d2c4d98 100644 --- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/orgs/400-org-grouper-sysadmin.xml +++ b/demo/grouper/midpoint_server/post-initial-objects/orgs/400-org-grouper-sysadmin.xml @@ -8,9 +8,11 @@ <org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="d48ec05b-fffd-4262-acd3-d9ff63365b62"> <name>org-grouper-sysadmin</name> - <displayName>Grouper Administrators</displayName> + <assignment id="1"> <targetRef oid="2be36917-71ad-4c3e-8789-89cadea2d5d6" type="ArchetypeType"/> <!-- archetype midpoint-group --> </assignment> + + <displayName>Grouper Administrators</displayName> <identifier>sysadmingroup</identifier> </org> diff --git a/demo/grouper/midpoint_server/post-initial-objects/resources/100-grouper-new.xml b/demo/grouper/midpoint_server/post-initial-objects/resources/100-grouper-new.xml new file mode 100644 index 0000000..c01db8a --- /dev/null +++ b/demo/grouper/midpoint_server/post-initial-objects/resources/100-grouper-new.xml 
@@ -0,0 +1,379 @@ +<!-- + ~ Copyright (c) 2010-2023 Evolveum + ~ + ~ Licensed under the Apache License, Version 2.0 (the "License"); + ~ you may not use this file except in compliance with the License. + ~ You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> + +<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" + xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" + xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" + xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" + xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" + xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" + xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + oid="fb0bbf07-e33f-4ddd-85a1-16a7edc237f2"> + + <name>Source: Groups</name> + + <!-- +<abstract>true</abstract> +<template>true</template> + --> + + <connectorRef relation="org:default" type="c:ConnectorType"> + <filter> + <q:and> + <q:equal> + <q:path>c:connectorType</q:path> + <q:value>com.evolveum.polygon.connector.grouper.GrouperConnector</q:value> + </q:equal> + <q:equal> + <q:path>connectorVersion</q:path> + <q:value>1.1.1.0</q:value> + </q:equal> + </q:and> + </filter> + </connectorRef> + <connectorConfiguration xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"> + <icfc:configurationProperties 
xmlns:grpconf="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-grouper/com.evolveum.polygon.connector.grouper.GrouperConnector"> + <grpconf:host>grouper_data</grpconf:host> + <grpconf:port>5432</grpconf:port> + <grpconf:userName>grouper</grpconf:userName> + <grpconf:password>password</grpconf:password> + <grpconf:tablePrefix>gr</grpconf:tablePrefix> + <grpconf:databaseName>grouper_to_midpoint</grpconf:databaseName> + <grpconf:attrsToHaveInAllSearch>members</grpconf:attrsToHaveInAllSearch> + <grpconf:attrsToHaveInAllSearch>member_of</grpconf:attrsToHaveInAllSearch> + <grpconf:extendedGroupProperties>emailListName</grpconf:extendedGroupProperties> + </icfc:configurationProperties> + <icfc:resultsHandlerConfiguration> + <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler> + <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler> + <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler> + </icfc:resultsHandlerConfiguration> + </connectorConfiguration> + + <schemaHandling> + <objectType> + <kind>account</kind> + <intent>default</intent> + <displayName>Default Account</displayName> + <default>true</default> + <objectClass>ri:subject</objectClass> + + <focus> + <type>c:UserType</type> + </focus> + + <attribute> + <ref>ri:subject_id</ref> + <inbound> + <target> + <path>$user/name</path> + </target> + </inbound> + </attribute> + + <!--<attribute> + <ref>icfs:uid</ref> + <inbound> + <target> + <path>$user/employeeNumber</path> + </target> + </inbound> + </attribute>--> + + <attribute> + <ref>ri:member_of</ref> + <fetchStrategy>explicit</fetchStrategy> + </attribute> + <association> + <ref>ri:group</ref> + <inbound> + <strength>strong</strength> + <expression> + <assignmentTargetSearch> + <targetType>c:OrgType</targetType> + <filter> + <q:equal> + <q:path>name</q:path> + <expression> + <script> + <code> + + def attrs = 
entitlement.getAttributes(); + pcvi = attrs.asPrismContainerValue().getItems(); + def groupName; + + for (obj in pcvi){ + if (obj.isSingleValue()){ + + if("uid".equals(obj?.getElementName().toString())){ + + groupName = obj?.getValue()?.getRealValue() + return groupName + } + } + } + return groupName; + </code> + </script> + </expression> + </q:equal> + </filter> + <populate> + <populateItem> + <expression> + <value>grouper-group</value> + </expression> + <target> + <path>subtype</path> + </target> + </populateItem> + </populate> + </assignmentTargetSearch> + </expression> + <target> + <path>assignment</path> + <set> + <condition> + <script> + <code> + assignment?.subtype?.contains('grouper-group') + </code> + </script> + </condition> + </set> + </target> + </inbound> + <kind>entitlement</kind> + <intent>group</intent> + <direction>objectToSubject</direction> + <associationAttribute>ri:members</associationAttribute> + <valueAttribute>icfs:uid</valueAttribute> + <shortcutAssociationAttribute>ri:member_of</shortcutAssociationAttribute> + <shortcutValueAttribute>icfs:uid</shortcutValueAttribute> + <explicitReferentialIntegrity>false</explicitReferentialIntegrity> + </association> + + <correlation> + <correlators> + <items> + <name>unique_index</name> + <item> + <ref>name</ref> + </item> + </items> + </correlators> + </correlation> + + <synchronization> + <reaction> + <situation>unmatched</situation> + <actions> + <addFocus> + <synchronize>true</synchronize> + </addFocus> + </actions> + </reaction> + <reaction> + <situation>unlinked</situation> + <actions> + <link> + <synchronize>true</synchronize> + </link> + </actions> + </reaction> + <reaction> + <situation>linked</situation> + <actions> + <synchronize/> + </actions> + </reaction> + <reaction> + <situation>deleted</situation> + <actions> + <synchronize/> + </actions> + </reaction> + </synchronization> + + </objectType> + + <objectType> + <kind>entitlement</kind> + <intent>group</intent> + 
<displayName>Group</displayName> + <default>true</default> + <objectClass>ri:group</objectClass> + + <focus> + <type>c:OrgType</type> + </focus> + + <attribute> + <ref>ri:emailListName</ref> + <fetchStrategy>explicit</fetchStrategy> + <inbound> + <strength>strong</strength> + <target> + <path>emailAddress</path> + </target> + </inbound> + </attribute> + + <attribute> + <ref>icfs:uid</ref> + <inbound> + <target> + <path>$focus/name</path> + </target> + </inbound> + </attribute> + + <attribute> + <ref>ri:group_name</ref> + <inbound> + <strength>strong</strength> + <target> + <path>extension/grouperName</path> + </target> + </inbound> + <inbound> + <strength>strong</strength> + <expression> + <script> + <code> + import com.evolveum.midpoint.schema.util.* + import com.evolveum.midpoint.schema.constants.* + + if (input == null) { + null + } else { + archetypeOid = '5f2b96d2-49b5-4a8a-9601-14457309a69b' // generic-grouper-group archetype + switch (input) { + case ~/ref:affiliation:.*/: archetypeOid = '56f53812-047d-4b69-83e8-519a73d161e1'; break; // affiliation archetype + case ~/ref:dept:.*/: archetypeOid = '1cec5f78-8fba-459b-9547-ef7485009f40'; break; // department archetype + case ~/ref:course:.*/: archetypeOid = '3dab9a72-118b-4e40-a138-bb691c335eca'; break; // course archetype + case ~/app:mailinglist:.*/: archetypeOid = '1645d1dc-1f7c-4508-b50b-97b501ccdee3'; break; // mailing-list archetype + } + ObjectTypeUtil.createAssignmentTo(archetypeOid, ObjectTypes.ARCHETYPE, prismContext) + } + </code> + </script> + </expression> + <target> + <path>assignment</path> + <set> + <predefined>all</predefined> + </set> + </target> + </inbound> + </attribute> + <attribute> + <ref>ri:display_name</ref> + <inbound> + <target> + <path>extension/grouperDisplayName</path> + </target> + </inbound> + <inbound> + <target> + <path>$focus/displayName</path> + </target> + </inbound> + </attribute> + <attribute> + <ref>ri:description</ref> + <inbound> + <target> + 
<path>$focus/description</path> + </target> + </inbound> + </attribute> + + <attribute> + <ref>ri:members</ref> + <fetchStrategy>explicit</fetchStrategy> + </attribute> + + <correlation> + <correlators> + <items> + <name>unique_index</name> + <item> + <ref>name</ref> + </item> + </items> + </correlators> + </correlation> + + <synchronization> + <reaction> + <situation>unmatched</situation> + <actions> + + <addFocus> + <synchronize>true</synchronize> + </addFocus> + </actions> + </reaction> + <reaction> + <situation>unlinked</situation> + <actions> + <link> + <synchronize>true</synchronize> + </link> + </actions> + </reaction> + <reaction> + <situation>linked</situation> + <actions> + <synchronize/> + </actions> + </reaction> + <reaction> + <situation>deleted</situation> + <actions> + <deleteFocus> + <synchronize>true</synchronize> + </deleteFocus> + </actions> + </reaction> + </synchronization> + </objectType> + + </schemaHandling> + + <capabilities> + <cachingMetadata> + <retrievalTimestamp>2023-05-24T13:23:53.145+02:00</retrievalTimestamp> + <serialNumber>d991389de17be20e-55b20a5934dbcc31</serialNumber> + </cachingMetadata> + <native xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"> + <cap:schema/> + <cap:read> + <cap:returnDefaultAttributesOption>false</cap:returnDefaultAttributesOption> + </cap:read> + <cap:testConnection/> + <cap:script> + <cap:host> + <cap:type>connector</cap:type> + </cap:host> + </cap:script> + <cap:liveSync/> + </native> + </capabilities> +</resource> + diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-ldap-main.xml b/demo/grouper/midpoint_server/post-initial-objects/resources/100-ldap-main.xml similarity index 98% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-ldap-main.xml rename to demo/grouper/midpoint_server/post-initial-objects/resources/100-ldap-main.xml index c768c90..ffb88a2 100644 
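Review bot: `<grpconf:password>password</grpconf:password>` is committed as a bare string, whereas the LDAP resource touched in this same commit wraps its bind password in `<t:clearValue>`; if the connector declares the property as a guarded string, the protected-string form is the one midPoint encrypts on import, so the two resources should at least be consistent, and a `<!-- demo credential for the grouper_data database -->` comment would mark the literal as deliberate. The `deleted` reaction of the `entitlement`/`group` type uses `deleteFocus`, which removes the Org outright when the Grouper group disappears; this presumably replaces the "retired" lifecycle flow that the commit removes from the metarole, and a one-line comment on that reaction saying so would save the next reader the cross-file search. The `<capabilities><cachingMetadata>` block carries a retrieval timestamp and serial number from one particular environment; it is presumably refreshed when the resource is tested and can be dropped from the committed object. The Groovy lookup in the association expression already returns from inside the loop on the first single-valued `uid` item, so the trailing `return groupName;` only serves the not-found case — a comment stating that null means "no matching Org" would make the intent clear.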
--- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-ldap-main.xml +++ b/demo/grouper/midpoint_server/post-initial-objects/resources/100-ldap-main.xml @@ -36,11 +36,11 @@ <icfcldap:host>directory</icfcldap:host> <!-- <icfcldap:host>192.168.56.101</icfcldap:host> --> <icfcldap:baseContext>dc=internet2,dc=edu</icfcldap:baseContext> - <icfcldap:bindDn>cn=Directory Manager</icfcldap:bindDn> + <icfcldap:bindDn>cn=admin,dc=internet2,dc=edu</icfcldap:bindDn> <icfcldap:bindPassword> <t:clearValue>password</t:clearValue> </icfcldap:bindPassword> - <icfcldap:uidAttribute>nsUniqueId</icfcldap:uidAttribute> + <icfcldap:uidAttribute>entryUUID</icfcldap:uidAttribute> <icfcldap:pagingStrategy>spr</icfcldap:pagingStrategy> <!-- spr? --> <!-- <icfcldap:vlvSortAttribute>uid</icfcldap:vlvSortAttribute> --> <icfcldap:operationalAttributes>memberOf</icfcldap:operationalAttributes> @@ -168,7 +168,7 @@ <outbound> <strength>strong</strength> <source> - <path>employeeNumber</path> + <path>personalNumber</path> </source> </outbound> </attribute> diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-source-sis-persons.xml b/demo/grouper/midpoint_server/post-initial-objects/resources/100-source-sis-persons.xml similarity index 100% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-source-sis-persons.xml rename to demo/grouper/midpoint_server/post-initial-objects/resources/100-source-sis-persons.xml diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-target-cs-portal.xml b/demo/grouper/midpoint_server/post-initial-objects/resources/100-target-cs-portal.xml similarity index 100% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-target-cs-portal.xml rename to demo/grouper/midpoint_server/post-initial-objects/resources/100-target-cs-portal.xml 
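Review bot: Changing `uidAttribute` from `nsUniqueId` to `entryUUID`, together with the new `cn=admin,dc=internet2,dc=edu` bind DN, presumably reflects a switch of the directory backend; shadows already linked under the old identifier will no longer resolve, so the demo has to be re-initialised rather than upgraded in place, and a comment such as `<!-- entryUUID: stable identifier of the directory now used by the demo -->` would record why the value changed. The bind password next to it stays as `<t:clearValue>password</t:clearValue>` (context, not changed here) and matches the demo-default pattern used elsewhere in this commit. The second hunk switches the outbound source to `personalNumber`; that only works if the inbound side (outside this diff) now populates `personalNumber` instead of `employeeNumber`.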
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-target-faculty-portal.xml b/demo/grouper/midpoint_server/post-initial-objects/resources/100-target-faculty-portal.xml similarity index 100% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-target-faculty-portal.xml rename to demo/grouper/midpoint_server/post-initial-objects/resources/100-target-faculty-portal.xml diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-target-mailing-lists.xml b/demo/grouper/midpoint_server/post-initial-objects/resources/100-target-mailing-lists.xml similarity index 100% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-target-mailing-lists.xml rename to demo/grouper/midpoint_server/post-initial-objects/resources/100-target-mailing-lists.xml diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-metarole-grouper-provided-group.xml b/demo/grouper/midpoint_server/post-initial-objects/roles/200-metarole-grouper-provided-group.xml similarity index 80% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-metarole-grouper-provided-group.xml rename to demo/grouper/midpoint_server/post-initial-objects/roles/200-metarole-grouper-provided-group.xml index 2ed2227..291410f 100644 --- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-metarole-grouper-provided-group.xml +++ b/demo/grouper/midpoint_server/post-initial-objects/roles/200-metarole-grouper-provided-group.xml @@ -90,6 +90,7 @@ </target> </mapping> + <!-- <mapping> <name>name</name> <description>This mapping fills-in org name (e.g. 'affiliation_member') from identifier (e.g. 'member'). @@ -119,6 +120,7 @@ <path>name</path> </target> </mapping> + --> <mapping> <name>displayName</name> 
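Review bot: Disabling the `name` mapping by wrapping it in `<!--`/`-->` (this hunk and the one at old line 119) leaves dead configuration in the file, and since XML comments cannot nest, any `<!-- -->` inside the mapping body (not visible here) would break parsing; the lifecycle-state mapping removed further down in the same file was deleted outright, and the same treatment would be consistent. If the mapping is kept for reference, a line above the opening marker stating why it is off — presumably because the new Grouper resource now maps `icfs:uid` to `$focus/name` — e.g. `<!-- disabled: name is now set by the resource inbound mapping -->`, is better than a bare comment marker. The following hunk also drops the comment explaining why `<order>2</order>` applies to the org; that explanation is still true and worth keeping.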
@@ -149,45 +151,8 @@ </target> </mapping> - <mapping> - <name>lifecycle state</name> - <description>This mapping sets org lifecycle state to be either "active" or "retired", depending on - whether Grouper group for this org still exists. Orgs in the latter state are on the way to deletion: - their members are unassigned and after no members are there, the org is automatically deleted.</description> - <strength>strong</strength> - <expression> - <script> - <code> - import com.evolveum.midpoint.model.impl.expr.* - import com.evolveum.midpoint.schema.* - import com.evolveum.midpoint.xml.ns._public.common.common_3.* - import com.evolveum.midpoint.model.common.expression.ModelExpressionThreadLocalHolder - - GROUPER_RESOURCE_OID = '1eff65de-5bb6-483d-9edf-8cc2c2ee0233' - - modelContext = ModelExpressionThreadLocalHolder.lensContext - rsd = new ResourceShadowDiscriminator(GROUPER_RESOURCE_OID, ShadowKindType.ENTITLEMENT, 'group', null, false) - if (modelContext.findProjectionContext(rsd) != null) { - log.info('Projection context for Grouper group found, marking as "active"') - 'active' - } else { - log.info('No projection context for Grouper group, marking as "retired"') - 'retired' - } - </code> - </script> - </expression> - <target> - <path>lifecycleState</path> - </target> - </mapping> </focusMappings> - <!-- - Inducement order of 2 means these mappings are to be applied on org object, because the assignment structure is like this: - - org -> archetype -> this-metarole - --> <order>2</order> </inducement> </role> diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-metarole-ldap-group.xml b/demo/grouper/midpoint_server/post-initial-objects/roles/200-metarole-ldap-group.xml similarity index 100% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-metarole-ldap-group.xml rename to demo/grouper/midpoint_server/post-initial-objects/roles/200-metarole-ldap-group.xml 
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-role-ldap-basic.xml b/demo/grouper/midpoint_server/post-initial-objects/roles/200-role-ldap-basic.xml similarity index 100% rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-role-ldap-basic.xml rename to demo/grouper/midpoint_server/post-initial-objects/roles/200-role-ldap-basic.xml diff --git a/demo/grouper/midpoint_server/post-initial-objects/securityPolicy/000-security-policy.xml b/demo/grouper/midpoint_server/post-initial-objects/securityPolicy/000-security-policy.xml new file mode 100644 index 0000000..65c6fa7 --- /dev/null +++ b/demo/grouper/midpoint_server/post-initial-objects/securityPolicy/000-security-policy.xml 
@@ -0,0 +1,112 @@ + <securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="00000000-0000-0000-0000-000000000120" version="2"> + <name>Default Security Policy</name> + <authentication> + <modules> + <loginForm> + <identifier>loginForm</identifier> + </loginForm> + <httpBasic> + <identifier>httpBasic</identifier> + </httpBasic> + <saml2> + <identifier>mySamlSso</identifier> + <description>My internal enterprise SAML-based SSO system.</description> + <serviceProvider> + <entityId>midpointdemo-shibboleth</entityId> + <signRequests>true</signRequests> + <keys> + <activeKeyStoreKey> + <keyStorePath>/opt/midpoint/var/shibboleth/shibboleth_sp_keys.jks</keyStorePath> + <keyStorePassword> + <t:clearValue>changeit</t:clearValue> + </keyStorePassword> + <keyAlias>signing-key</keyAlias> + <keyPassword> + <t:clearValue>password</t:clearValue> + </keyPassword> + </activeKeyStoreKey> + </keys> + <identityProvider> + <entityId>https://idptestbed/idp/shibboleth</entityId> + <metadata> + <pathToFile>/opt/midpoint/var/shibboleth/idp-metadata.xml</pathToFile> + </metadata> + <linkText>Shibboleth</linkText> + <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding> + <nameOfUsernameAttribute>uid</nameOfUsernameAttribute> + </identityProvider> + </serviceProvider> + </saml2> + </modules> + <sequence> + <identifier>admin-gui-saml-internal</identifier> + <description> + Internal SAML2 GUI authentication sequence. 
+ </description> + <channel> + <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId> + <default>true</default> + <urlSuffix>saml-internal</urlSuffix> + </channel> + <module> + <identifier>mySamlSso</identifier> + <order>30</order> + <necessity>sufficient</necessity> + </module> + </sequence> + <sequence> + <identifier>admin-gui-emergency</identifier> + <description> + Special GUI authentication sequence that is using just the internal user password. + </description> + <channel> + <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId> + <default>false</default> + <urlSuffix>emergency</urlSuffix> + </channel> + <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType"> + </requireAssignmentTarget> + <module> + <identifier>loginForm</identifier> + <order>30</order> + <necessity>sufficient</necessity> + </module> + </sequence> + <sequence> + <identifier>rest-default</identifier> + <channel> + <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId> + <default>true</default> + <urlSuffix>rest-default</urlSuffix> + </channel> + <module> + <identifier>httpBasic</identifier> + <order>1</order> + <necessity>sufficient</necessity> + </module> + </sequence> + <sequence> + <identifier>actuator-default</identifier> + <channel> + <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId> + <default>true</default> + <urlSuffix>actuator-default</urlSuffix> + </channel> + <module> + <identifier>httpBasic</identifier> + <order>1</order> + <necessity>sufficient</necessity> + </module> + </sequence> + <ignoredLocalPath>/actuator/health</ignoredLocalPath> + </authentication> + <credentials> + <password> + <minOccurs>0</minOccurs> + <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts> + <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration> + <lockoutDuration>PT15M</lockoutDuration> + 
<valuePolicyRef oid="00000000-0000-0000-0000-000000000003"/> + </password> + </credentials> +</securityPolicy> diff --git a/demo/grouper/midpoint_server/post-initial-objects/systemConfigurations/000-public-url.xml b/demo/grouper/midpoint_server/post-initial-objects/systemConfigurations/000-public-url.xml new file mode 100644 index 0000000..d353b5e --- /dev/null +++ b/demo/grouper/midpoint_server/post-initial-objects/systemConfigurations/000-public-url.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + ~ Copyright (c) 2022 Evolveum + ~ + ~ Licensed under the Apache License, Version 2.0 (the "License"); + ~ you may not use this file except in compliance with the License. + ~ You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> +<s:search xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3" + xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" + xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" + xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"> + <s:options> + <option> + <options> + <raw>true</raw> + </options> + </option> + </s:options> + <s:type>c:SystemConfigurationType</s:type> + <s:action> + <s:type>modify</s:type> + <s:parameter> + <s:name>delta</s:name> + <c:value> + <s:itemDelta> + <t:modificationType>add</t:modificationType> + <t:path>infrastructure</t:path> + <t:value> + <publicHttpUrlPattern>https://localhost/midpoint</publicHttpUrlPattern> + </t:value> + </s:itemDelta> + </c:value> + </s:parameter> + </s:action> +</s:search> 
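Review bot: The SAML service-provider keystore and key passwords (`changeit`, `password`) are committed as `<t:clearValue>` literals inside the security policy, next to a `<minOccurs>0</minOccurs>` password credential that allows users to exist without an internal password. Both are reasonable for a demo where users authenticate through the IdP, but nothing in the file says so; a header comment such as `<!-- demo policy: keystore/key passwords are well-known defaults; SAML users need no internal password -->` would make the intent explicit. The `admin-gui-emergency` sequence is the only loginForm path on the user channel and is gated by `requireAssignmentTarget` on oid …0004 (presumably the Superuser role); naming that role in a comment next to it would help whoever needs the emergency URL suffix. The leading space before `<securityPolicy` on the first line is a stray indent.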
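Review bot: `<publicHttpUrlPattern>https://localhost/midpoint</publicHttpUrlPattern>` hard-codes the public URL; SAML redirect and metadata URLs are presumably derived from it, so the SSO flow configured in 000-security-policy.xml only works when the browser reaches midPoint at exactly that host. A comment on the value, `<!-- must match the host the IdP redirects back to; keep in sync with the SP entityId/metadata -->`, would tie the two files together. The delta uses `<t:modificationType>add</t:modificationType>`; whether re-running this action on an already configured system is idempotent is not visible here and deserves a note if it was considered.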
diff --git a/demo/grouper/midpoint_server/post-initial-objects/tasks/980_import-sis-persons.xml b/demo/grouper/midpoint_server/post-initial-objects/tasks/980_import-sis-persons.xml new file mode 100644 index 0000000..c4f396b --- /dev/null +++ b/demo/grouper/midpoint_server/post-initial-objects/tasks/980_import-sis-persons.xml 
@@ -0,0 +1,43 @@
+<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+ xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+ xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+ xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+ xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+ xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+ xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+ oid="22c2a3d0-0961-4255-9eec-c550a79aeaaa">
+ <name>Import from SIS persons</name>
+ <extension xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ExtensionType">
+ <!--
+ <mext:tracing>
+ <interval>500</interval>
+ </mext:tracing> -->
+ </extension>
+ <assignment>
+ <targetRef oid="00000000-0000-0000-0000-000000000503" type="ArchetypeType"/>
+ <!--Import task-->
+ </assignment>
+ <taskIdentifier>1535407239440-0-1</taskIdentifier>
+ <ownerRef oid="00000000-0000-0000-0000-000000000002" relation="org:default" type="c:UserType">
+ <!-- administrator -->
+ </ownerRef>
+ <executionState>runnable</executionState>
+ <objectRef oid="4d70a0da-02dd-41cf-b0a1-00e75d3eaa15" relation="org:default" type="c:ResourceType">
+ <!-- SQL SIS persons (sources) -->
+ </objectRef>
+ <schedule>
+ <recurrence>single</recurrence>
+ </schedule>
+ <binding>loose</binding>
+ <activity>
+ <work>
+ <import>
+ <resourceObjects>
+ <resourceRef oid="4d70a0da-02dd-41cf-b0a1-00e75d3eaa15"/>
+ <kind>account</kind>
+ <objectclass>ri:AccountObjectClass</objectclass>
+ </resourceObjects>
+ </import>
+ </work>
+ </activity>
+</task>
diff --git a/demo/grouper/midpoint_server/post-initial-objects/tasks/990_task-liveSync-grouper.xml b/demo/grouper/midpoint_server/post-initial-objects/tasks/990_task-liveSync-grouper.xml
new file mode 100644
index 0000000..88a504a
--- /dev/null
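Review bot: `<taskIdentifier>1535407239440-0-1</taskIdentifier>` uses a legacy generated identifier while the two sibling tasks added in this commit (990_task-liveSync-grouper.xml, 990_task-reconciliation-grouper.xml) use the task's own oid as the identifier; pick one convention, e.g. `<taskIdentifier>22c2a3d0-0961-4255-9eec-c550a79aeaaa</taskIdentifier>`. The top-level `<objectRef>` pointing at the resource duplicates the `<resourceRef>` inside `<activity>`, both here and in the reconciliation task; the activity-based definition is presumably what the task actually runs, so the legacy element should either be dropped or carry a comment explaining why it is retained. The commented-out `<mext:tracing>` block and the unused `icfs`, `q` and `t` namespace declarations look like leftovers from an older template and can go as well.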
+++ b/demo/grouper/midpoint_server/post-initial-objects/tasks/990_task-liveSync-grouper.xml
@@ -0,0 +1,47 @@
+<!--
+ ~ Copyright (c) 2010-2024 Evolveum
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+ xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+ xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+ xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+ oid="bf9f49a0-04c3-464f-98cf-55b3553d9574">
+ <name>Grouper liveSync</name>
+ <assignment>
+ <targetRef oid="00000000-0000-0000-0000-000000000504" type="ArchetypeType"/>
+ <!-- Live synchronization task -->
+ </assignment>
+ <taskIdentifier>bf9f49a0-04c3-464f-98cf-55b3553d9574</taskIdentifier>
+ <ownerRef oid="00000000-0000-0000-0000-000000000002" relation="org:default" type="c:UserType">
+ <!-- administrator -->
+ </ownerRef>
+ <executionState>runnable</executionState>
+ <binding>loose</binding>
+ <threadStopAction>restart</threadStopAction>
+ <schedule>
+ <recurrence>recurring</recurrence>
+ <interval>5</interval>
+ </schedule>
+ <activity>
+ <work>
+ <liveSynchronization>
+ <resourceObjects>
+ <resourceRef oid="fb0bbf07-e33f-4ddd-85a1-16a7edc237f2"/>
+ </resourceObjects>
+ </liveSynchronization>
+ </work>
+ </activity>
+</task>
diff --git a/demo/grouper/midpoint_server/post-initial-objects/tasks/990_task-reconciliation-grouper.xml b/demo/grouper/midpoint_server/post-initial-objects/tasks/990_task-reconciliation-grouper.xml
new file mode 100644
index 0000000..5b9c491
--- /dev/null
+++ b/demo/grouper/midpoint_server/post-initial-objects/tasks/990_task-reconciliation-grouper.xml
@@ -0,0 +1,67 @@
+<!--
+ ~ Copyright (c) 2010-2019 Evolveum
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+ xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+ xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+ xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+ oid="605a0127-a313-442a-9d5e-151eac8b0745">
+ <name>Grouper reconciliation</name>
+ <assignment>
+ <targetRef oid="00000000-0000-0000-0000-000000000501" type="ArchetypeType"/>
+ <!-- Reconciliation task -->
+ </assignment>
+ <taskIdentifier>605a0127-a313-442a-9d5e-151eac8b0745</taskIdentifier>
+ <ownerRef oid="00000000-0000-0000-0000-000000000002" relation="org:default" type="c:UserType">
+ <!-- administrator -->
+ </ownerRef>
+ <executionState>runnable</executionState>
+ <objectRef oid="fb0bbf07-e33f-4ddd-85a1-16a7edc237f2" relation="org:default" type="c:ResourceType">
+ <!-- Grouper Resource -->
+ </objectRef>
+ <schedule>
+ <recurrence>single</recurrence>
+ </schedule>
+ <binding>loose</binding>
+ <threadStopAction>restart</threadStopAction>
+ <activity>
+ <composition>
+ <activity>
+ <order>1</order>
+ <work>
+ <reconciliation>
+ <resourceObjects>
+ <resourceRef oid="fb0bbf07-e33f-4ddd-85a1-16a7edc237f2"/>
+ <objectclass>ri:group</objectclass>
+ </resourceObjects>
+ </reconciliation>
+ </work>
+ </activity>
+ <activity>
+ <order>2</order>
+ <work>
+ 
<reconciliation>
+ <resourceObjects>
+ <resourceRef oid="fb0bbf07-e33f-4ddd-85a1-16a7edc237f2"/>
+ <objectclass>ri:subject</objectclass>
+ </resourceObjects>
+ </reconciliation>
+ </work>
+ </activity>
+ </composition>
+ </activity>
+
+</task>
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/users/600-user-banderson.xml b/demo/grouper/midpoint_server/post-initial-objects/users/600-user-banderson.xml
similarity index 98%
rename from demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/users/600-user-banderson.xml
rename to demo/grouper/midpoint_server/post-initial-objects/users/600-user-banderson.xml
index eb6dd26..3c0352a 100644
--- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/users/600-user-banderson.xml
+++ b/demo/grouper/midpoint_server/post-initial-objects/users/600-user-banderson.xml
@@ -23,10 +23,12 @@
 <fullName>Bob Anderson</fullName>
 <givenName>Bob</givenName>
 <familyName>Anderson</familyName>
+<!--
 <credentials>
 <password>
 <value>password</value>
 </password>
 </credentials>
+-->
 </user>
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/res/sis-persons/SchemaScript.groovy b/demo/grouper/midpoint_server/res/sis-persons/SchemaScript.groovy
similarity index 100%
rename from demo/grouper/midpoint_server/container_files/mp-home/res/sis-persons/SchemaScript.groovy
rename to demo/grouper/midpoint_server/res/sis-persons/SchemaScript.groovy
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/res/sis-persons/SearchScript.groovy b/demo/grouper/midpoint_server/res/sis-persons/SearchScript.groovy
similarity index 100%
rename from demo/grouper/midpoint_server/container_files/mp-home/res/sis-persons/SearchScript.groovy
rename to demo/grouper/midpoint_server/res/sis-persons/SearchScript.groovy
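Review bot: Fencing the `<credentials>` block of 600-user-banderson.xml with `<!-- -->` leaves the clear-text value `password` in the repository even though nothing reads it any more; delete the five commented lines instead of keeping them as dead text. If the intent is that this demo user now signs in only through the Shibboleth IdP (the same commit moves the midPoint SP endpoints to `saml-internal`), say so with a one-line comment in place of the block, e.g. `<!-- no local password: banderson authenticates via the Shibboleth IdP -->`. The file still lives under post-initial-objects, so it appears to be imported on first start with whatever is left in it.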
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/res/sis-persons/TestScript.groovy b/demo/grouper/midpoint_server/res/sis-persons/TestScript.groovy
similarity index 100%
rename from demo/grouper/midpoint_server/container_files/mp-home/res/sis-persons/TestScript.groovy
rename to demo/grouper/midpoint_server/res/sis-persons/TestScript.groovy
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/schema/internet2.xsd b/demo/grouper/midpoint_server/schema/internet2.xsd
similarity index 95%
rename from demo/grouper/midpoint_server/container_files/mp-home/schema/internet2.xsd
rename to demo/grouper/midpoint_server/schema/internet2.xsd
index c482436..2433d8b 100644
--- a/demo/grouper/midpoint_server/container_files/mp-home/schema/internet2.xsd
+++ b/demo/grouper/midpoint_server/schema/internet2.xsd
@@ -26,6 +26,7 @@
 </xsd:annotation>
 <xsd:sequence>
 <xsd:element name="grouperName" type="xsd:string" minOccurs="0"/>
+ <xsd:element name="grouperDisplayName" type="xsd:string" minOccurs="0"/>
 <xsd:element name="ldapDn" type="xsd:string" minOccurs="0"/>
 </xsd:sequence>
 </xsd:complexType>
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/source-external.csv b/demo/grouper/midpoint_server/source-external.csv
similarity index 100%
rename from demo/grouper/midpoint_server/container_files/mp-home/source-external.csv
rename to demo/grouper/midpoint_server/source-external.csv
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/staff-portal.csv b/demo/grouper/midpoint_server/staff-portal.csv
similarity index 100%
rename from demo/grouper/midpoint_server/container_files/mp-home/staff-portal.csv
rename to demo/grouper/midpoint_server/staff-portal.csv
diff --git a/demo/grouper/purge-queue.sh b/demo/grouper/purge-queue.sh
deleted file mode 100755
index 2633e4d..0000000
--- a/demo/grouper/purge-queue.sh
+++ /dev/null
@@ -1 +0,0 @@
-docker exec grouper_mq_1 rabbitmqctl purge_queue sampleQueue
diff --git a/demo/grouper/recompute.sh b/demo/grouper/recompute.sh
deleted file mode 100755
index 0d9633e..0000000
--- a/demo/grouper/recompute.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-
-source $(dirname "$0")/../../library.bash
-
-recompute orgs d48ec05b-fffd-4262-acd3-d9ff63365b62
-recompute users e897468f-20bd-419c-8fc5-1fe60e2600de
diff --git a/demo/grouper/idp/shibboleth-idp/conf/attribute-filter.xml b/demo/grouper/shibboleth-idp/conf/attribute-filter.xml
similarity index 100%
rename from demo/grouper/idp/shibboleth-idp/conf/attribute-filter.xml
rename to demo/grouper/shibboleth-idp/conf/attribute-filter.xml
diff --git a/demo/grouper/idp/shibboleth-idp/conf/attribute-resolver.xml b/demo/grouper/shibboleth-idp/conf/attribute-resolver.xml
similarity index 100%
rename from demo/grouper/idp/shibboleth-idp/conf/attribute-resolver.xml
rename to demo/grouper/shibboleth-idp/conf/attribute-resolver.xml
diff --git a/demo/grouper/idp/shibboleth-idp/conf/idp.properties b/demo/grouper/shibboleth-idp/conf/idp.properties
similarity index 100%
rename from demo/grouper/idp/shibboleth-idp/conf/idp.properties
rename to demo/grouper/shibboleth-idp/conf/idp.properties
diff --git a/demo/grouper/idp/shibboleth-idp/conf/ldap.properties b/demo/grouper/shibboleth-idp/conf/ldap.properties
similarity index 100%
rename from demo/grouper/idp/shibboleth-idp/conf/ldap.properties
rename to demo/grouper/shibboleth-idp/conf/ldap.properties
diff --git a/demo/grouper/idp/shibboleth-idp/conf/metadata-providers.xml b/demo/grouper/shibboleth-idp/conf/metadata-providers.xml
similarity index 100%
rename from demo/grouper/idp/shibboleth-idp/conf/metadata-providers.xml
rename to demo/grouper/shibboleth-idp/conf/metadata-providers.xml
diff --git a/demo/grouper/shibboleth-idp/metadata/grouper-sp.xml b/demo/grouper/shibboleth-idp/metadata/grouper-sp.xml
new file mode 100644
index 0000000..59ce891
--- /dev/null
+++ b/demo/grouper/shibboleth-idp/metadata/grouper-sp.xml
@@ -0,0 +1,108 @@ +<!-- +This is example metadata only. Do *NOT* supply it as is without review, +and do *NOT* provide it in real time to your partners. + --> +<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_3c9feadeae2ae1ebdab23bba42f24da0cb664b49" entityID="https://grouperdemo/shibboleth"> + + <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"> + <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/> + <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/> + <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/> + <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> + <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/> + <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/> + <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/> + <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/> + <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/> + <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/> + <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> + <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/> + <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/> + <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> + <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/> + </md:Extensions> + + <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> + <md:Extensions> + <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" 
Location="https://localhost:4443/grouperSSO/Shibboleth.sso/Login"/> + </md:Extensions> + <md:KeyDescriptor use="signing"> + <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:KeyName>sp.example.org</ds:KeyName> + <ds:X509Data> + <ds:X509SubjectName>CN=sp.example.org,O=Internet2/TIER,L=Ann Arbor,ST=MI,C=US</ds:X509SubjectName> + <ds:X509Certificate>MIIDoTCCAomgAwIBAgIUXUq8nQrtKzyfKVa4vWPMNypvj3YwDQYJKoZIhvcNAQEL +BQAwYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1JMRIwEAYDVQQHDAlBbm4gQXJi +b3IxFzAVBgNVBAoMDkludGVybmV0Mi9USUVSMRcwFQYDVQQDDA5zcC5leGFtcGxl +Lm9yZzAeFw0yNDA1MTcxMDI3NTRaFw0zNDA1MTUxMDI3NTRaMGAxCzAJBgNVBAYT +AlVTMQswCQYDVQQIDAJNSTESMBAGA1UEBwwJQW5uIEFyYm9yMRcwFQYDVQQKDA5J +bnRlcm5ldDIvVElFUjEXMBUGA1UEAwwOc3AuZXhhbXBsZS5vcmcwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdEGX6TqmgRmMsCDNvMyPbjtmpchAsqGDa +Cfuai7lhc2daXOpIzbQKEdMVZBcANAGKUZyAsX0kOnr2m2QL6Qyo2vCUX6J1kNGA +eUxymaXAGC5dwqmWxWwcWX0zGRgr/Vf3fckMALTsoJfJRVAYFMmVULA2s+vCzfSK +lz9S2DGBXL0w32HK5MZtVoE2VTDw4upoMA/qnSId6kD594bfMPJc0UtlrjW854GW +Nza5zUymXIpFzDNNJWj9Ua02ZmXsz8XVZ8OV3MnFu6+IOyyrJo28OO+HbRznBrJB +YNVm7Xp9CcjQqHobfLtIdxA6Fx+hj1A8GUJDVywIP+HwgWK3k7TTAgMBAAGjUzBR +MB0GA1UdDgQWBBRHic4T+LwfBK06uaGCJFcOwmqwETAfBgNVHSMEGDAWgBRHic4T ++LwfBK06uaGCJFcOwmqwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA +A4IBAQAAEYXtBlrKj5ma7DeikxBewrVGR71MUUKNWJJAf+bcZqtVh7+O3NB5uJjh +4zGphzYJOOzFQAqzSwVfVtVD+vD7Kiz6AlA1vMRZYLszaDQfjY/r9NKce2rey/Av +Atj2CY2jYr/39N0LFvRYMJ48sEIkBGcuupRMej2K8BGFhvTpu5n5wWuUhVQWeJKT +OVCaU2N8LbRtGtxpZK/O1Da1Wt6eSKbRXvzVWHAElOygc0/GI8d7JY9lBvw45E/+ +nEoKp74+Ny08HQgDVEG+j2mguWprCtnR3zaI/m/6pQSBo8Sw4t4Df3kL+7wU1Tgx +4ZcnodN4uwnkgzNwTVmH4Eg41CJA +</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </md:KeyDescriptor> + <md:KeyDescriptor use="encryption"> + <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:KeyName>sp.example.org</ds:KeyName> + <ds:X509Data> + <ds:X509SubjectName>CN=sp.example.org,O=Internet2/TIER,L=Ann Arbor,ST=MI,C=US</ds:X509SubjectName> + 
<ds:X509Certificate>MIIDoTCCAomgAwIBAgIUXUq8nQrtKzyfKVa4vWPMNypvj3YwDQYJKoZIhvcNAQEL +BQAwYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1JMRIwEAYDVQQHDAlBbm4gQXJi +b3IxFzAVBgNVBAoMDkludGVybmV0Mi9USUVSMRcwFQYDVQQDDA5zcC5leGFtcGxl +Lm9yZzAeFw0yNDA1MTcxMDI3NTRaFw0zNDA1MTUxMDI3NTRaMGAxCzAJBgNVBAYT +AlVTMQswCQYDVQQIDAJNSTESMBAGA1UEBwwJQW5uIEFyYm9yMRcwFQYDVQQKDA5J +bnRlcm5ldDIvVElFUjEXMBUGA1UEAwwOc3AuZXhhbXBsZS5vcmcwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdEGX6TqmgRmMsCDNvMyPbjtmpchAsqGDa +Cfuai7lhc2daXOpIzbQKEdMVZBcANAGKUZyAsX0kOnr2m2QL6Qyo2vCUX6J1kNGA +eUxymaXAGC5dwqmWxWwcWX0zGRgr/Vf3fckMALTsoJfJRVAYFMmVULA2s+vCzfSK +lz9S2DGBXL0w32HK5MZtVoE2VTDw4upoMA/qnSId6kD594bfMPJc0UtlrjW854GW +Nza5zUymXIpFzDNNJWj9Ua02ZmXsz8XVZ8OV3MnFu6+IOyyrJo28OO+HbRznBrJB +YNVm7Xp9CcjQqHobfLtIdxA6Fx+hj1A8GUJDVywIP+HwgWK3k7TTAgMBAAGjUzBR +MB0GA1UdDgQWBBRHic4T+LwfBK06uaGCJFcOwmqwETAfBgNVHSMEGDAWgBRHic4T ++LwfBK06uaGCJFcOwmqwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA +A4IBAQAAEYXtBlrKj5ma7DeikxBewrVGR71MUUKNWJJAf+bcZqtVh7+O3NB5uJjh +4zGphzYJOOzFQAqzSwVfVtVD+vD7Kiz6AlA1vMRZYLszaDQfjY/r9NKce2rey/Av +Atj2CY2jYr/39N0LFvRYMJ48sEIkBGcuupRMej2K8BGFhvTpu5n5wWuUhVQWeJKT +OVCaU2N8LbRtGtxpZK/O1Da1Wt6eSKbRXvzVWHAElOygc0/GI8d7JY9lBvw45E/+ +nEoKp74+Ny08HQgDVEG+j2mguWprCtnR3zaI/m/6pQSBo8Sw4t4Df3kL+7wU1Tgx +4ZcnodN4uwnkgzNwTVmH4Eg41CJA +</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/> + <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/> + <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/> + <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> + <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/> + <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/> + <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> + <md:EncryptionMethod 
Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/> + <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/> + </md:KeyDescriptor> + <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:4443/grouperSSO/Shibboleth.sso/Artifact/SOAP" index="1"/> + <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:4443/grouperSSO/Shibboleth.sso/SLO/SOAP"/> + <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:4443/grouperSSO/Shibboleth.sso/SLO/Redirect"/> + <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:4443/grouperSSO/Shibboleth.sso/SLO/POST"/> + <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:4443/grouperSSO/Shibboleth.sso/SLO/Artifact"/> + <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:4443/grouperSSO/Shibboleth.sso/SAML2/POST" index="1"/> + <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost:4443/grouperSSO/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/> + <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:4443/grouperSSO/Shibboleth.sso/SAML2/Artifact" index="3"/> + <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://localhost:4443/grouperSSO/Shibboleth.sso/SAML2/ECP" index="4"/> + </md:SPSSODescriptor> + +</md:EntityDescriptor> 
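Review bot: The `<md:Extensions>` algorithm-support block of grouper-sp.xml advertises SHA-1 digests and signatures (`xmldsig#sha1`, `rsa-sha1`, `dsa-sha1`, `ecdsa-sha1`) and the encryption `KeyDescriptor` lists `tripledes-cbc`; a peer that honours these hints can negotiate the weakest entry, and the file's own header already says the metadata is not to be used as is. Trim the lists to the SHA-2 and AES-GCM entries, or annotate the legacy ones with `<!-- SHA-1/3DES kept only for interoperability testing in this demo; remove before reuse -->`. The same certificate (`CN=sp.example.org`) is published for both `use="signing"` and `use="encryption"`, and the entityID `https://grouperdemo/shibboleth` does not match the `https://localhost:4443/grouperSSO/...` endpoints, which is acceptable for a demo but worth a sentence in the header comment so the file is not copied into a real deployment.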
diff --git a/demo/grouper/configs-and-secrets/midpoint/shibboleth/idp-metadata.xml b/demo/grouper/shibboleth-idp/metadata/idp-metadata.xml
similarity index 98%
rename from demo/grouper/configs-and-secrets/midpoint/shibboleth/idp-metadata.xml
rename to demo/grouper/shibboleth-idp/metadata/idp-metadata.xml
index 28ae7d1..b273997 100644
--- a/demo/grouper/configs-and-secrets/midpoint/shibboleth/idp-metadata.xml
+++ b/demo/grouper/shibboleth-idp/metadata/idp-metadata.xml
@@ -202,8 +202,8 @@ p+tGUbGS2l873J5PrsbpeKEVR/IIoKo=
 </KeyDescriptor>
- <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://localhost:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
- <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
+ <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://localhost/idp/profile/SAML1/SOAP/AttributeQuery"/>
+ <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost/idp/profile/SAML2/SOAP/AttributeQuery"/>
 <!-- If you uncomment the above you should add urn:oasis:names:tc:SAML:2.0:protocol to the protocolSupportEnumeration above -->
 </AttributeAuthorityDescriptor>
diff --git a/demo/grouper/idp/shibboleth-idp/metadata/midpoint-sp.xml b/demo/grouper/shibboleth-idp/metadata/midpoint-sp.xml
similarity index 92%
rename from demo/grouper/idp/shibboleth-idp/metadata/midpoint-sp.xml
rename to demo/grouper/shibboleth-idp/metadata/midpoint-sp.xml
index 5789ed8..fa0b437 100644
--- a/demo/grouper/idp/shibboleth-idp/metadata/midpoint-sp.xml
+++ b/demo/grouper/shibboleth-idp/metadata/midpoint-sp.xml
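Review bot: Only the two `AttributeService` locations of idp-metadata.xml are moved from `https://localhost:8443/idp/...` to `https://localhost/idp/...`; the IdP's `SingleSignOnService`, `ArtifactResolutionService` and `SingleLogoutService` locations sit outside this hunk, and with a 98% similarity rename nothing else changed, so if any of them still carries `:8443` the file now advertises endpoints on two different ports. The context comment `If you uncomment the above ...` reads as if this `AttributeAuthorityDescriptor` block was once disabled; a short comment at the top of the file stating the single scheme/host/port every Location is expected to use (presumably the reverse proxy on 443) would keep the next port change consistent across the file.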
@@ -25,8 +25,8 @@ and do *NOT* provide it in real time to your partners.
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
 <md:Extensions>
- <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://localhost:8443/Shibboleth.sso/Login"/>
- <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://localhost:8443/Shibboleth.sso/Login" index="1"/>
+ <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://localhost/Shibboleth.sso/Login"/>
+ <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://localhost/Shibboleth.sso/Login" index="1"/>
 </md:Extensions>
 <md:KeyDescriptor>
 <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
@@ -64,8 +64,8 @@ AIW0+dXJ2IyzM+0sv2g4DOsXsnSvinGqjr82A54mXGSr7edhPdlQhILFkJfhTwLq+mjnyQSNe3s2
 <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
 <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
 </md:KeyDescriptor>
- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/midpoint/auth/gui-default/mySamlSso/logout/alias/midpointdemo-shibbolet"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/midpoint/auth/gui-default/mySamlSso/SSO/alias/midpointdemo-shibboleth" index="1"/>
+ <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/midpoint/auth/saml-internal/mySamlSso/logout/alias/midpointdemo-shibbolet"/>
+ <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/midpoint/auth/saml-internal/mySamlSso/SSO/alias/midpointdemo-shibboleth" index="1"/>
 </md:SPSSODescriptor>
 </md:EntityDescriptor>
diff --git a/demo/grouper/show-queue-size.sh b/demo/grouper/show-queue-size.sh
deleted file mode 100755
index 0af6d80..0000000
--- a/demo/grouper/show-queue-size.sh
+++ /dev/null
@@ -1 +0,0 @@
-docker exec grouper_mq_1 rabbitmqctl list_queues
diff --git a/demo/grouper/ssh-tunnel-redir-fix.sh b/demo/grouper/ssh-tunnel-redir-fix.sh
deleted file mode 100755
index 42409a9..0000000
--- a/demo/grouper/ssh-tunnel-redir-fix.sh
+++ /dev/null
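Review bot: The rewritten `SingleLogoutService` location in midpoint-sp.xml ends in `logout/alias/midpointdemo-shibbolet` while the `AssertionConsumerService` on the next line ends in `SSO/alias/midpointdemo-shibboleth`; the truncated alias was carried over from the removed line, and since midPoint presumably matches one alias per SAML provider configuration, the logout endpoint is unlikely to resolve. Change it to `Location="https://localhost/midpoint/auth/saml-internal/mySamlSso/logout/alias/midpointdemo-shibboleth"/>` unless the mismatch is deliberate, in which case it deserves a comment. The `gui-default` → `saml-internal` sequence rename also has to be mirrored in the midPoint security policy's `<authentication>` sequence; that part of the securityPolicy file is not in this chunk, so please double-check it matches.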
@@ -1,29 +0,0 @@ -#!/bin/bash -# This file is used for trainings with SSH tunnels. -# It will change the hard-coded ports for Shibboleth, but will keep localhost. - -declare -a fileList=( -"configs-and-secrets/midpoint/shibboleth/idp-metadata.xml" -"configs-and-secrets/grouper/shibboleth/idp-metadata.xml" -"idp/shibboleth-idp/metadata/idp-metadata.xml" -"idp/shibboleth-idp/metadata/grouper-sp.xml" -"idp/shibboleth-idp/metadata/midpoint-sp.xml" -"idp/shibboleth-idp/metadata/midpoint-sp-new.xml" -) - -if [ $# -eq 0 ] -then - echo 'Please specify a directory as the first argument (e.g. ".")' - exit -fi - -echo "Working in directory: $1"; -for f in "${fileList[@]}" -do - echo "Replacing in: $1/$f..." - # We cannot SSH tunnel port 443 without root, so using 10443 - sed -i 's#https://localhost/#https://localhost:10443/#g' $f -# sed -i 's#https://localhost:4443/#https://localhost:14443/#g' $f -done - -exit diff --git a/demo/grouper/test-resources.sh b/demo/grouper/test-resources.sh deleted file mode 100755 index 5551e55..0000000 --- a/demo/grouper/test-resources.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash - -source $(dirname "$0")/../../library.bash - -test_resource 0a37121f-d515-4a23-9b6d-554c5ef61272 -test_resource 4d70a0da-02dd-41cf-b0a1-00e75d3eaa15 -test_resource a343fc2e-3954-4034-ba1a-2b72c21e577a -test_resource e417225d-8a08-46f3-9b5d-624990b52386 -test_resource fe805d13-481b-43ec-97d8-9d2df72cd38e -test_resource 1eff65de-5bb6-483d-9edf-8cc2c2ee0233 - diff --git a/demo/grouper/tests/main.bats b/demo/grouper/tests/main.bats deleted file mode 100644 index 2065bbf..0000000 --- a/demo/grouper/tests/main.bats +++ /dev/null 
@@ -1,305 +0,0 @@ -#!/usr/bin/env bats - -load ../../../common -load ../../../library - -@test "000 Cleanup before running the tests" { - (cd ../simple ; docker-compose down -v) - (cd ../shibboleth ; docker-compose down -v) - (cd ../postgresql ; docker-compose down -v) - docker-compose down -v -} - -@test "010 Initialize and start the composition" { - # We want to fail cleanly if there's any interference - docker ps - ! (docker ps | grep -E "shibboleth_(idp|directory)_1|(grouper|simple|shibboleth|postgresql)_(midpoint_server|midpoint_data)_1") - docker-compose build --pull grouper_daemon grouper_ui grouper_data directory sources midpoint_data idp mq - # Sometimes the tier/midpoint:xyz is not yet in the repository, causing issues with --pull - docker-compose build midpoint_server - docker-compose up -d -} - -@test "020 Wait until components are started" { - touch $BATS_TMPDIR/not-started - wait_for_midpoint_start grouper_midpoint_server_1 grouper_midpoint_data_1 - wait_for_shibboleth_idp_start grouper_idp_1 - wait_for_grouper_ui_start grouper_grouper_ui_1 - rm $BATS_TMPDIR/not-started -} - -@test "040 Check midPoint health" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - check_health -} - -@test "050 Check Shibboleth IDP health" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - check_health_shibboleth_idp -} - -#@test "060 Check Grouper health" { -# if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi -# skip TODO -#} - -@test "100 Get 'administrator'" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - check_health - get_and_check_object users 00000000-0000-0000-0000-000000000002 administrator -} - -@test "110 And and get 'test110'" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - check_health - echo "<user><name>test110</name></user>" >/tmp/test110.xml - add_object users /tmp/test110.xml - rm /tmp/test110.xml - search_and_check_object users test110 - delete_object_by_name 
users test110 -} - -@test "200 Upload objects" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - - # reduce data in SIS database so imports will take reasonable time - docker exec grouper_sources_1 mysql sis -u root -p123321 -e "delete from SIS_COURSES where uid not in ('amorrison', 'banderson', 'cmorrison', 'danderson', 'ddavis', 'jsmith', 'kwhite', 'mroberts', 'whenderson', 'wprice')" - docker exec grouper_sources_1 mysql sis -u root -p123321 -e "delete from SIS_AFFILIATIONS where uid not in ('amorrison', 'banderson', 'cmorrison', 'danderson', 'ddavis', 'jsmith', 'kwhite', 'mroberts', 'whenderson', 'wprice')" - docker exec grouper_sources_1 mysql sis -u root -p123321 -e "delete from SIS_PERSONS where uid not in ('amorrison', 'banderson', 'cmorrison', 'danderson', 'ddavis', 'jsmith', 'kwhite', 'mroberts', 'whenderson', 'wprice')" - - check_health - ./upload-objects.sh - - search_and_check_object objectTemplates template-user - - search_and_check_object archetypes affiliation - search_and_check_object archetypes course - search_and_check_object archetypes department - - search_and_check_object orgs affiliations - search_and_check_object orgs courses - search_and_check_object orgs departments - - search_and_check_object resources "LDAP (directory)" - search_and_check_object resources "Grouper Resource" - search_and_check_object resources "SQL SIS persons (sources)" - - search_and_check_object roles metarole-grouper-provided-group - search_and_check_object roles metarole-ldap-group - search_and_check_object roles role-ldap-basic -} - -@test "210 Test resources" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - test_resource 0a37121f-d515-4a23-9b6d-554c5ef61272 - test_resource 4d70a0da-02dd-41cf-b0a1-00e75d3eaa15 - test_resource a343fc2e-3954-4034-ba1a-2b72c21e577a - test_resource e417225d-8a08-46f3-9b5d-624990b52386 - test_resource fe805d13-481b-43ec-97d8-9d2df72cd38e - test_resource 1eff65de-5bb6-483d-9edf-8cc2c2ee0233 -} - 
-@test "215 Recompute banderson and sysadmingroup" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - - ./recompute.sh -} - -@test "220 Import SIS_PERSONS" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - - add_object tasks midpoint-objects-manual/tasks/task-import-sis-persons.xml - search_and_check_object tasks "Import from SIS persons" - wait_for_task_completion 22c2a3d0-0961-4255-9eec-c550a79aeaaa 6 10 - assert_task_success 22c2a3d0-0961-4255-9eec-c550a79aeaaa - - search_and_check_object users jsmith - search_and_check_object users banderson - search_and_check_object users kwhite - search_and_check_object users whenderson - search_and_check_object users ddavis - search_and_check_object users cmorrison - search_and_check_object users danderson - search_and_check_object users amorrison - search_and_check_object users wprice - search_and_check_object users mroberts - - check_ldap_account_by_user_name jsmith grouper_directory_1 - check_ldap_account_by_user_name banderson grouper_directory_1 - check_ldap_account_by_user_name kwhite grouper_directory_1 - check_ldap_account_by_user_name whenderson grouper_directory_1 - check_ldap_account_by_user_name ddavis grouper_directory_1 - check_ldap_account_by_user_name cmorrison grouper_directory_1 - check_ldap_account_by_user_name danderson grouper_directory_1 - check_ldap_account_by_user_name amorrison grouper_directory_1 - check_ldap_account_by_user_name wprice grouper_directory_1 - check_ldap_account_by_user_name mroberts grouper_directory_1 -} - -@test "230 Create ref loaders" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - - ./create-ref-loaders.sh -} - -@test "235 Wait for loaders to run" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - - sleep 120 -} - -@test "240 Create additional ref groups" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - - ./add-ref-groups.sh -} - -#@test "250 Check 'TestUser250' in midPoint and 
LDAP" { -# if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi -# -# check_health -# echo "<user><name>TestUser250</name><fullName>Test User250</fullName><givenName>Test</givenName><familyName>User250</familyName><credentials><password><value><clearValue>password</clearValue></value></password></credentials></user>" >/tmp/testuser250.xml -# add_object users /tmp/testuser250.xml -# rm /tmp/testuser250.xml -# search_and_check_object users TestUser250 -# -# # probably will not work -# execute_bulk_action tests/resources/bulk-action/assign-role-grouper-sysadmin-to-test-user.xml grouper_midpoint_server_1 -# -# check_ldap_account_by_user_name TestUser250 grouper_directory_1 -# check_of_ldap_membership TestUser250 "ou=groups,dc=internet2,dc=edu" "sysadmingroup" grouper_directory_1 -# -# delete_object_by_name users TestUser250 -#} - -@test "310 Import Grouper-to-midPoint async update task" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - - check_health - add_object tasks midpoint-objects-manual/tasks/task-async-update-grouper.xml - search_and_check_object tasks "Grouper async updates" -} - -@test "320 Wait for the queue to become empty" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - - ATTEMPT=0 - MAX_ATTEMPTS=20 - DELAY=10 - - get_messages sampleQueue - echo "Messages: $MESSAGES" - - until [[ $ATTEMPT = $MAX_ATTEMPTS ]]; do - ATTEMPT=$((ATTEMPT+1)) - get_messages sampleQueue - echo "Messages: $MESSAGES" - if [ "$MESSAGES" = "0" ]; then return 0; fi - echo "Waiting $DELAY seconds for the queue to become empty (attempt $ATTEMPT) ..." 
- sleep $DELAY - done - return 1 -} - -@test "330 Check groups in midPoint and LDAP" { - skip 'Temporarily disabled because it caused problem in I2 buid system' - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - - search_and_check_object orgs course_ACCT101 - search_and_check_object orgs course_ACCT201 - search_and_check_object orgs course_CS251 - search_and_check_object orgs course_CS252 - search_and_check_object orgs course_MATH100 - search_and_check_object orgs course_MATH101 - search_and_check_object orgs course_SCI123 - search_and_check_object orgs course_SCI404 - - check_ldap_courses_by_name course_ACCT101 grouper_directory_1 - check_ldap_courses_by_name course_ACCT201 grouper_directory_1 - check_ldap_courses_by_name course_CS251 grouper_directory_1 - check_ldap_courses_by_name course_CS252 grouper_directory_1 - check_ldap_courses_by_name course_MATH100 grouper_directory_1 - check_ldap_courses_by_name course_MATH101 grouper_directory_1 - check_ldap_courses_by_name course_SCI123 grouper_directory_1 - check_ldap_courses_by_name course_SCI404 grouper_directory_1 -} - -@test "340 Execute triggers and check group membership in LDAP" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - - sleep 60 - run_task_now "00000000-0000-0000-0000-000000000007" grouper_midpoint_server_1 - sleep 30 - -# memberships will be there only after triggers are executed - - check_of_ldap_membership amorrison "ou=courses,ou=groups,dc=internet2,dc=edu" "ACCT101" grouper_directory_1 - check_of_ldap_membership cmorrison "ou=courses,ou=groups,dc=internet2,dc=edu" "ACCT101" grouper_directory_1 - check_of_ldap_membership mroberts "ou=courses,ou=groups,dc=internet2,dc=edu" "ACCT101" grouper_directory_1 - check_of_ldap_membership whenderson "ou=courses,ou=groups,dc=internet2,dc=edu" "ACCT101" grouper_directory_1 - - check_of_ldap_membership amorrison "ou=courses,ou=groups,dc=internet2,dc=edu" "CS251" grouper_directory_1 - check_of_ldap_membership cmorrison 
"ou=courses,ou=groups,dc=internet2,dc=edu" "CS251" grouper_directory_1 - check_of_ldap_membership ddavis "ou=courses,ou=groups,dc=internet2,dc=edu" "CS251" grouper_directory_1 - check_of_ldap_membership mroberts "ou=courses,ou=groups,dc=internet2,dc=edu" "CS251" grouper_directory_1 - - check_of_ldap_membership kwhite "ou=courses,ou=groups,dc=internet2,dc=edu" "CS252" grouper_directory_1 - - check_of_ldap_membership danderson "ou=courses,ou=groups,dc=internet2,dc=edu" "MATH100" grouper_directory_1 - check_of_ldap_membership ddavis "ou=courses,ou=groups,dc=internet2,dc=edu" "MATH100" grouper_directory_1 - check_of_ldap_membership kwhite "ou=courses,ou=groups,dc=internet2,dc=edu" "MATH100" grouper_directory_1 - check_of_ldap_membership wprice "ou=courses,ou=groups,dc=internet2,dc=edu" "MATH100" grouper_directory_1 - - check_of_ldap_membership amorrison "ou=courses,ou=groups,dc=internet2,dc=edu" "MATH101" grouper_directory_1 - check_of_ldap_membership cmorrison "ou=courses,ou=groups,dc=internet2,dc=edu" "MATH101" grouper_directory_1 - check_of_ldap_membership mroberts "ou=courses,ou=groups,dc=internet2,dc=edu" "MATH101" grouper_directory_1 - - check_of_ldap_membership danderson "ou=courses,ou=groups,dc=internet2,dc=edu" "SCI123" grouper_directory_1 - check_of_ldap_membership mroberts "ou=courses,ou=groups,dc=internet2,dc=edu" "SCI123" grouper_directory_1 - - check_of_ldap_membership kwhite "ou=courses,ou=groups,dc=internet2,dc=edu" "SCI404" grouper_directory_1 - check_of_ldap_membership wprice "ou=courses,ou=groups,dc=internet2,dc=edu" "SCI404" grouper_directory_1 -} - -@test "400 Suspend async update task" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - - suspend_task 47fc57bd-8c34-4555-9b9f-7087ff179860 grouper_midpoint_server_1 - wait_for_task_completion 47fc57bd-8c34-4555-9b9f-7087ff179860 5 10 -} - -@test "410 Add wprice to 'ref:affiliation:alum_includes' groups" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - - docker 
cp tests/resources/grouper/t410.gsh grouper_grouper_daemon_1:/tmp/ - docker exec grouper_grouper_daemon_1 bash -c "/opt/grouper/grouper.apiBinary/bin/gsh /tmp/t410.gsh" -} - -@test "420 Reconcile Grouper" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - - add_object tasks midpoint-objects-manual/tasks/task-reconciliation-grouper-groups.xml - search_and_check_object tasks "Grouper reconciliation (groups)" - wait_for_task_completion 605a0127-a313-442a-9d5e-151eac8b0745 6 10 - assert_task_success 605a0127-a313-442a-9d5e-151eac8b0745 -} - -@test "430 Recompute users" { - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - - add_object tasks midpoint-objects-manual/tasks/task-recomputation-users.xml - search_and_check_object tasks "User recomputation" - wait_for_task_completion 83a737ea-5eb7-4e78-b431-331cccf02354 6 10 - assert_task_success 83a737ea-5eb7-4e78-b431-331cccf02354 -} - -@test "440 Check wprice group membership in LDAP" { - skip 'Temporarily disabled because it caused problem in I2 buid system' - if [ -e $BATS_TMPDIR/not-started ]; then skip 'not started'; fi - - check_of_ldap_membership wprice "ou=Affiliations,ou=Groups,dc=internet2,dc=edu" "alum" grouper_directory_1 -} - -@test "999 Clean up" { - docker-compose down -v -} diff --git a/demo/grouper/tests/resources/bulk-action/assign-role-grouper-sysadmin-to-banderson.xml b/demo/grouper/tests/resources/bulk-action/assign-role-grouper-sysadmin-to-banderson.xml deleted file mode 100644 index 9ec69a2..0000000 --- a/demo/grouper/tests/resources/bulk-action/assign-role-grouper-sysadmin-to-banderson.xml +++ /dev/null 
@@ -1,22 +0,0 @@ -<scext:executeScript xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3"> - <s:search xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3" - xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xmlns:xsd="http://www.w3.org/2001/XMLSchema"> - <s:type>c:UserType</s:type> - <s:searchFilter> - <q:equal> - <q:path>c:name</q:path> - <q:value>banderson</q:value> - </q:equal> - </s:searchFilter> - <s:action> - <s:type>assign</s:type> - <s:parameter> - <s:name>role</s:name> - <c:value xsi:type="xsd:string">d48ec05b-fffd-4262-acd3-d9ff63365b62</c:value> - </s:parameter> - </s:action> - </s:search> - </scext:executeScript> diff --git a/demo/grouper/tests/resources/bulk-action/assign-role-grouper-sysadmin-to-test-user.xml b/demo/grouper/tests/resources/bulk-action/assign-role-grouper-sysadmin-to-test-user.xml deleted file mode 100644 index f8c84b3..0000000 --- a/demo/grouper/tests/resources/bulk-action/assign-role-grouper-sysadmin-to-test-user.xml +++ /dev/null @@ -1,22 +0,0 @@ -<scext:executeScript xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3"> - <s:search xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3" - xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xmlns:xsd="http://www.w3.org/2001/XMLSchema"> - <s:type>c:UserType</s:type> - <s:searchFilter> - <q:equal> - <q:path>c:name</q:path> - <q:value>TestUser250</q:value> - </q:equal> - </s:searchFilter> - <s:action> - <s:type>assign</s:type> - <s:parameter> - <s:name>role</s:name> - <c:value xsi:type="xsd:string">d48ec05b-fffd-4262-acd3-d9ff63365b62</c:value> - </s:parameter> - </s:action> - </s:search> - </scext:executeScript> 
diff --git a/demo/grouper/tests/resources/bulk-action/recompute-role-grouper-sysadmin.xml b/demo/grouper/tests/resources/bulk-action/recompute-role-grouper-sysadmin.xml deleted file mode 100644 index 1356484..0000000 --- a/demo/grouper/tests/resources/bulk-action/recompute-role-grouper-sysadmin.xml +++ /dev/null @@ -1,16 +0,0 @@ -<scext:executeScript xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3" - xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" - xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"> - <s:search xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"> - <s:type>c:RoleType</s:type> - <s:searchFilter> - <q:equal> - <q:path>name</q:path> - <q:value>role-grouper-sysadmin</q:value> - </q:equal> - </s:searchFilter> - <s:action> - <s:type>recompute</s:type> - </s:action> - </s:search> - </scext:executeScript> diff --git a/demo/grouper/tests/resources/grouper/old-t410.gsh b/demo/grouper/tests/resources/grouper/old-t410.gsh deleted file mode 100644 index 69e4b18..0000000 --- a/demo/grouper/tests/resources/grouper/old-t410.gsh +++ /dev/null @@ -1,11 +0,0 @@ -System.out.println("************** t410.gsh starting **************"); - -gs = GrouperSession.startRootSession() - -testGroup = GroupFinder.findByName(gs, 'midpoint:test') -kwhite = SubjectFinder.findById('kwhite', 'person', 'ldap') -wprice = SubjectFinder.findById('wprice', 'person', 'ldap') -testGroup.deleteMember(kwhite, false) -testGroup.deleteMember(wprice, false) - -System.out.println("************** t410.gsh done **************"); diff --git a/demo/grouper/tests/resources/grouper/t300.gsh b/demo/grouper/tests/resources/grouper/t300.gsh deleted file mode 100644 index d2b63e3..0000000 --- a/demo/grouper/tests/resources/grouper/t300.gsh +++ /dev/null 
@@ -1,15 +0,0 @@ -System.out.println("************** t300.gsh starting **************"); - -gs = GrouperSession.startRootSession() - -exportedGroups = GroupFinder.findByName(gs, 'etc:exportedGroups') -alumSubject = SubjectFinder.findByIdentifier('ref:affiliation:alum', 'group', 'g:gsa') -exportedGroups.addMember(alumSubject, false) - -alumIncludes = GroupFinder.findByName(gs, 'ref:affiliation:alum_includes') -testGroup = GroupFinder.findByName(gs, 'etc:testGroup') -wprice = SubjectFinder.findById('wprice', 'person', 'ldap') -alumIncludes.addMember(wprice, false) -testGroup.addMember(wprice, false) - -System.out.println("************** t300.gsh done **************"); diff --git a/demo/grouper/tests/resources/grouper/t350.gsh b/demo/grouper/tests/resources/grouper/t350.gsh deleted file mode 100644 index d0d2d3e..0000000 --- a/demo/grouper/tests/resources/grouper/t350.gsh +++ /dev/null @@ -1,12 +0,0 @@ -System.out.println("************** t350.gsh starting **************"); - -gs = GrouperSession.startRootSession() - -alumIncludes = GroupFinder.findByName(gs, 'ref:affiliation:alum_includes') -testGroup = GroupFinder.findByName(gs, 'midpoint:test') -kwhite = SubjectFinder.findById('kwhite', 'person', 'ldap') -wprice = SubjectFinder.findById('wprice', 'person', 'ldap') -testGroup.addMember(kwhite, false) -alumIncludes.deleteMember(wprice, false) - -System.out.println("************** t350.gsh done **************"); diff --git a/demo/grouper/tests/resources/grouper/t410.gsh b/demo/grouper/tests/resources/grouper/t410.gsh deleted file mode 100644 index 5c803bd..0000000 --- a/demo/grouper/tests/resources/grouper/t410.gsh +++ /dev/null 
@@ -1,9 +0,0 @@ -System.out.println("************** t410.gsh starting **************"); - -gs = GrouperSession.startRootSession() - -alumIncludesGroup = GroupFinder.findByName(gs, 'ref:affiliation:alum_includes') -wprice = SubjectFinder.findById('wprice', 'person', 'ldap') -alumIncludesGroup.addMember(wprice, false) - -System.out.println("************** t410.gsh done **************"); diff --git a/demo/grouper/tests/resources/rabbitmq/check-samplequeue.sh b/demo/grouper/tests/resources/rabbitmq/check-samplequeue.sh deleted file mode 100755 index e336a63..0000000 --- a/demo/grouper/tests/resources/rabbitmq/check-samplequeue.sh +++ /dev/null @@ -1,8 +0,0 @@ -count=$(rabbitmqctl list_queues | grep sampleQueue | awk '{print $2}') -if [[ -z $count || $count -eq 0 ]]; then - echo "ERROR: sampleQueue does not exist or is empty" - exit 1 -else - echo "OK: sampleQueue has $count message(s)" - exit 0 -fi diff --git a/demo/grouper/tests/resources/tasks/task-livesync-grouper-single.xml b/demo/grouper/tests/resources/tasks/task-livesync-grouper-single.xml deleted file mode 100644 index 365d007..0000000 --- a/demo/grouper/tests/resources/tasks/task-livesync-grouper-single.xml +++ /dev/null 
@@ -1,29 +0,0 @@ -<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" - xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" - xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" - xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" - xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" - oid="87ffce52-717a-4205-ba01-0a698f0deaee"> - <name>LiveSync from Grouper</name> - <extension xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3" - xmlns:gen437="http://midpoint.evolveum.com/xml/ns/public/provisioning/liveSync-3" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:type="c:ExtensionType"> - <mext:kind>account</mext:kind> - <mext:objectclass>ri:AccountObjectClass</mext:objectclass> - </extension> - <taskIdentifier>1535465478027-0-1</taskIdentifier> - <ownerRef oid="00000000-0000-0000-0000-000000000002" - relation="org:default" - type="c:UserType"><!-- administrator --></ownerRef> - <executionStatus>runnable</executionStatus> - <category>LiveSynchronization</category> - <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/live-sync/handler-3</handlerUri> - <objectRef oid="6dcb84f5-bf82-4931-9072-fbdf87f96442" - relation="org:default" - type="c:ResourceType"><!-- Grouper SQL NEW --></objectRef> - <recurrence>single</recurrence> - <binding>loose</binding> -</task> diff --git a/demo/grouper/tests/resources/users/user-grouper-admin.xml b/demo/grouper/tests/resources/users/user-grouper-admin.xml deleted file mode 100644 index d785e47..0000000 --- a/demo/grouper/tests/resources/users/user-grouper-admin.xml +++ /dev/null 
@@ -1,20 +0,0 @@ -<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" - oid="a0c7c01e-c203-4777-9b21-27a4735da3ae"> - <name>grouper-admin</name> - <assignment id="1"> - <targetRef oid="d48ec05b-fffd-4262-acd3-d9ff63365b62" relation="org:default" type="c:RoleType"> - <!-- role-grouper-sysadmin --> - </targetRef> - </assignment> - <fullName>Grouper admin</fullName> - <givenName>Grouper</givenName> - <familyName>Admin</familyName> - <credentials> - <password> - <value>password</value> - </password> - </credentials> -</user> - diff --git a/demo/grouper/update-bgasper-in-grouper.gsh b/demo/grouper/update-bgasper-in-grouper.gsh deleted file mode 100644 index b0ed0b2..0000000 --- a/demo/grouper/update-bgasper-in-grouper.gsh +++ /dev/null @@ -1,13 +0,0 @@ - -def add(gs,groupName,subject) { - GroupFinder.findByName(gs, groupName, true).addMember(subject, false) -} - -gs = GrouperSession.startRootSession() - -def bgasper = SubjectFinder.findById('bgasper', 'user', 'ldap') -add(gs, 'ref:affiliation:alum_excludes', bgasper) -add(gs, 'ref:affiliation:faculty_includes', bgasper) -add(gs, 'app:mailinglist:chess', bgasper) -add(gs, 'app:mailinglist:idm-fans', bgasper) -add(gs, 'test:volunteers', bgasper) diff --git a/demo/grouper/update-bgasper-in-grouper.sh b/demo/grouper/update-bgasper-in-grouper.sh deleted file mode 100755 index 31abf04..0000000 --- a/demo/grouper/update-bgasper-in-grouper.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash - -source ../../library.bash - -execute_gsh grouper_grouper_daemon_1 update-bgasper-in-grouper.gsh diff --git a/demo/grouper/upload-async-update-task.sh b/demo/grouper/upload-async-update-task.sh deleted file mode 100755 index bdf8ba2..0000000 --- a/demo/grouper/upload-async-update-task.sh +++ /dev/null 
@@ -1,5 +0,0 @@ -#!/bin/bash - -source ../../library.bash - -upload_from_file midpoint-objects-manual/tasks/task-async-update-grouper.xml diff --git a/demo/grouper/upload-import-sis-persons.sh b/demo/grouper/upload-import-sis-persons.sh deleted file mode 100755 index 058c9af..0000000 --- a/demo/grouper/upload-import-sis-persons.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash - -source ../../library.bash - -upload_from_file midpoint-objects-manual/tasks/task-import-sis-persons.xml diff --git a/demo/grouper/upload-objects.sh b/demo/grouper/upload-objects.sh deleted file mode 100755 index 3f1c9b8..0000000 --- a/demo/grouper/upload-objects.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash - -function upload () { - local filename=$1 - local regex="midpoint-objects/(.*)/(.*)" - if [[ $filename =~ $regex ]] - then - type="${BASH_REMATCH[1]}" - oid=`cat $filename | sed -n 's:.*oid=\"\([A-Za-z0-9\-]*\)\".*:\1:p' | sed -n '1 p'` - echo "Uploading $filename ($type, $oid)" - curl -k --user administrator:5ecr3t -H "Content-Type: application/xml" -X PUT "https://localhost:8443/midpoint/ws/rest/$type/$oid?options=overwrite&options=raw" --data-binary @$filename - else - echo "Skipping $filename" - fi -} - -find midpoint-objects -name "*.xml" | while read filename; do upload $filename; done diff --git a/demo/grouper/upload-recompute-users.sh b/demo/grouper/upload-recompute-users.sh deleted file mode 100755 index 42b5551..0000000 --- a/demo/grouper/upload-recompute-users.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash - -source ../../library.bash - -upload_from_file midpoint-objects-manual/tasks/task-recomputation-users.xml diff --git a/demo/grouper/upload-reconcile-grouper-groups.sh b/demo/grouper/upload-reconcile-grouper-groups.sh deleted file mode 100755 index 94deb18..0000000 --- a/demo/grouper/upload-reconcile-grouper-groups.sh +++ /dev/null 
@@ -1,5 +0,0 @@ -#!/bin/bash - -source ../../library.bash - -upload_from_file midpoint-objects-manual/tasks/task-reconciliation-grouper-groups.xml diff --git a/demo/postgresql/.env b/demo/postgresql/.env deleted file mode 100644 index 06d99ad..0000000 --- a/demo/postgresql/.env +++ /dev/null @@ -1,8 +0,0 @@ -# These parameters can be overridden by setting environment variables before calling docker-compose up -ENV=demo -USERTOKEN= -REPO_MISSING_SCHEMA_ACTION=create -REPO_UPGRADEABLE_SCHEMA_ACTION=stop -MP_MEM_MAX=2048m -MP_MEM_INIT=1024m -TIMEZONE=UTC diff --git a/demo/postgresql/configs-and-secrets/midpoint/application/database_password.txt b/demo/postgresql/configs-and-secrets/midpoint/application/database_password.txt deleted file mode 100644 index 11bff19..0000000 --- a/demo/postgresql/configs-and-secrets/midpoint/application/database_password.txt +++ /dev/null @@ -1 +0,0 @@ -WJzesbe3poNZ91qIbmR7 diff --git a/demo/postgresql/configs-and-secrets/midpoint/application/keystore_password.txt b/demo/postgresql/configs-and-secrets/midpoint/application/keystore_password.txt deleted file mode 100644 index 1d40192..0000000 --- a/demo/postgresql/configs-and-secrets/midpoint/application/keystore_password.txt +++ /dev/null @@ -1 +0,0 @@ -changeit diff --git a/demo/postgresql/configs-and-secrets/midpoint/httpd/host-cert.pem b/demo/postgresql/configs-and-secrets/midpoint/httpd/host-cert.pem deleted file mode 100644 index 9b1021b..0000000 --- a/demo/postgresql/configs-and-secrets/midpoint/httpd/host-cert.pem +++ /dev/null 
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDqDCCApCgAwIBAgIJAMOSkn4oS2aAMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNV -BAYTAlVTMQswCQYDVQQIDAJNSTESMBAGA1UEBwwJQW5uIEFyYm9yMRcwFQYDVQQK -DA5JbnRlcm5ldDIvVElFUjEgMB4GA1UEAwwXbWlkcG9pbnQuc3AuZXhhbXBsZS5v -cmcwHhcNMTgwOTE0MDU1OTQ1WhcNMTkwOTE0MDU1OTQ1WjBpMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEXMBUGA1UECgwOSW50 -ZXJuZXQyL1RJRVIxIDAeBgNVBAMMF21pZHBvaW50LnNwLmV4YW1wbGUub3JnMIIB -IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApj/b7MEUSfu3oXMfNgRwTse7 -a5UV7Jswf1M/ZN/ZZkAkIxNBevZgozjesvLPWrmsTgONi7XigJUJvCjdjmlW9eDM -lri/rkD8HuOR1DQCVKL9nvoS2c3D7sq5Emda3V8Tlj82VqfEmePd3sajx7mcTfbH -8jwAL9NhkC+WMib5IpjLGpG0FEAC0ha7Lxb+7jIiqHVJaqLXJGCyGN4mh6c1Q9S1 -f8RVTiW2a8x22G+9wnZYbkiA2Kxls177imHlhSz8EdvV4IpGw1amrEWhhuDEum7B -vZ1xQDLatgRqh4qAKLIVYeRnJ8H1FelMa90qB4G08MIPifmTsQwqJyBYaEdgWQID -AQABo1MwUTAdBgNVHQ4EFgQUqb9BteODF6wv5R57aEON/wGXMiowHwYDVR0jBBgw -FoAUqb9BteODF6wv5R57aEON/wGXMiowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG -9w0BAQsFAAOCAQEAAcKhxI+tSItrXmqC0PSmgWyAYpqbkz6W/cefTutXqhIgY09f -h0LSv7ogTahoGpyiZk9vy6u3OE9bYwxapEfa4KBjO6HxBMIVBBb3RegVjoPzjElN -BDwAx0VGFcZTXwMxDWycWdG8ql7rCZBvS50w04uTaIgnGmqXAdWWmBgfJ9cRbxW+ -JwO/mOl1QM1lR/5142NpvuUVWlmZSKEGydE5A1qPz2wpDbBR1ym1BQNS4NEqw6Kp -GSB8jKyCS1Ve0v2wVze2038Wukz02dq9uKPTIO3T+B+ibZmxn6Op/kFCc1/kK5NS -Q6JdO1B6KquGAYdGmKAcQ19mv+jqGktqWEEf0g== ------END CERTIFICATE----- diff --git a/demo/postgresql/configs-and-secrets/midpoint/httpd/host-key.pem b/demo/postgresql/configs-and-secrets/midpoint/httpd/host-key.pem deleted file mode 100644 index 5746e59..0000000 --- a/demo/postgresql/configs-and-secrets/midpoint/httpd/host-key.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmP9vswRRJ+7eh -cx82BHBOx7trlRXsmzB/Uz9k39lmQCQjE0F69mCjON6y8s9auaxOA42LteKAlQm8 -KN2OaVb14MyWuL+uQPwe45HUNAJUov2e+hLZzcPuyrkSZ1rdXxOWPzZWp8SZ493e -xqPHuZxN9sfyPAAv02GQL5YyJvkimMsakbQUQALSFrsvFv7uMiKodUlqotckYLIY -3iaHpzVD1LV/xFVOJbZrzHbYb73CdlhuSIDYrGWzXvuKYeWFLPwR29XgikbDVqas -RaGG4MS6bsG9nXFAMtq2BGqHioAoshVh5GcnwfUV6Uxr3SoHgbTwwg+J+ZOxDCon -IFhoR2BZAgMBAAECggEAEIRBpjjceiku6jRUwnoYaks/nIWYQwR8AfpUTwJKR/VR -Yca097Fokm7A+UhUP3A45RtHQb0VPq8P44iv0kk24YCu8r5yFK7SHYOAZnOwU5ZJ -2jSAEPF3aM7tKh3okhuzB3dKP7u1NZDE5zAW723KUJiW7sL1RcsbY0bHBj6G+9/H -NplmsjuGt684vRBB0qOBfKF7EiG7mT69tHuNj4gRza9SMY31UtKbZdt2fNY6mp5V -HscMba7egZP+Ke0pVX4+go9j7K8GG8hYaQDLjrzlPqrxZ2c5X9cC+CRDI/CHuL/s -V/2yGZJ6n6UabwZoH83RdFrbQ94rU8Hkli6EvxXvMQKBgQDRpheNW5jDG5TfeJKh -yfKTDQqH2Tk3BsBYYBN7Hf3m7vbkzlxnAKJAoSLmtRMuoeXvI5MrhzaHGsNIUS76 -LDIZnvB7DLUxhFUZsCPkpAA1QHuTWY96oR3PHnPjpk8lSUvtbOPwDLdzVApeFJgZ -VqMNArZ7AHsK3Kkyi+f4WVQjbQKBgQDLAWiGb5dx6fAM2W6B6HjNmzjBWOuVEXa2 -76to9jzupBZmETfZgxtWUaWUDuNS+f7dtVUTE+p6v/w8clrHEhEZYkqunIOLo/UA -LFPiuoTfEsWb1rh+nsCjCgy4uimixj/bSkf7NC6NyKTvCygA1mGnVVJUEPegYlDy -LXCkaKWxHQKBgQCmyHSKL2lrJkEcOwakEU2acNCE3Gno/cT9SYmV83kvQ8JEqmrW -QqnRsp9aXIljGscapPmKsmnNt5vNp1AxFAHTYh88NRLczsMIyZj0ZwgHVUI6KhC7 -5Psa78YQQBlMt2/g9TSsnuE+rYgF6mpKFiNm0Vasqeg47uzn2mdzqlUGTQKBgE04 -JutkTUY+h1pL5vYxWKpVDfy19z7H2tFxT1FowPrBneeLSyRI88Ac5I/yLdRlVeY9 -0LOmEr5Igwj3MsKgg7KVKfVLgdo/LrW3Jt2Kt3onKNXDkoBPoNUjwH0QC0Boiue+ -VK0gR0kVdm+bXccbxR+im+NwZNE0NLg6Qqu3RredAoGBALuVoqbPPmTCZXYG328H -bzOs2aiR7BzPSVByV+qG6jW7w03RAnFPJZp7HMU+ViI5VY0wabUscMSvz5163+gM -4KwY3v9ZjZzZGukIfLuudkdqtaiVOx/KeAC0n+nG21YU+wpZww8gkfHh1/sa2CME -CWYCgOnmiTHcj83UaTqEXtmv ------END PRIVATE KEY----- diff --git a/demo/postgresql/docker-compose-tests.yml b/demo/postgresql/docker-compose-tests.yml deleted file mode 100644 index b0c2363..0000000 --- a/demo/postgresql/docker-compose-tests.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -# Version for running Bats tests. -# Minimizes the number of ports mapped to localhost, to avoid collisions during testing. - -version: "3.3" - -services: - midpoint_data: - image: postgres:11 - environment: - - POSTGRES_PASSWORD_FILE=/run/secrets/mp_database_password.txt - - POSTGRES_USER=midpoint - - POSTGRES_INITDB_ARGS=--lc-collate=en_US.utf8 --lc-ctype=en_US.utf8 - expose: - - 5432 - networks: - - net - secrets: - - mp_database_password.txt - volumes: - - midpoint_data:/var/lib/postgresql/data - - midpoint_server: - image: tier/midpoint:latest - ports: - - 8443:443 - environment: - - ENV - - USERTOKEN - - REPO_DATABASE_TYPE=postgresql - - REPO_HOST=midpoint_data - - REPO_DATABASE=midpoint - - REPO_USER=midpoint - - REPO_MISSING_SCHEMA_ACTION - - REPO_UPGRADEABLE_SCHEMA_ACTION - - REPO_SCHEMA_VERSION_IF_MISSING - - REPO_SCHEMA_VARIANT - - MP_MEM_MAX - - MP_MEM_INIT - - MP_JAVA_OPTS - - TIER_BEACON_OPT_OUT - - TIMEZONE - networks: - - net - secrets: - - mp_database_password.txt - - mp_keystore_password.txt - - mp_host-key.pem - volumes: - - midpoint_home:/opt/midpoint/var - - type: bind - source: ./configs-and-secrets/midpoint/httpd/host-cert.pem - target: /etc/pki/tls/certs/host-cert.pem - - type: bind - source: ./configs-and-secrets/midpoint/httpd/host-cert.pem - target: /etc/pki/tls/certs/cachain.pem - -networks: - net: - driver: bridge - -secrets: - mp_database_password.txt: - file: ./configs-and-secrets/midpoint/application/database_password.txt - mp_keystore_password.txt: - file: ./configs-and-secrets/midpoint/application/keystore_password.txt - mp_host-key.pem: - file: ./configs-and-secrets/midpoint/httpd/host-key.pem - -volumes: - midpoint_data: - midpoint_home: diff --git a/demo/postgresql/docker-compose.yml b/demo/postgresql/docker-compose.yml deleted file mode 100644 index 5bab706..0000000 --- a/demo/postgresql/docker-compose.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -version: "3.3" - -services: - midpoint_data: - image: postgres:11 - environment: - - POSTGRES_PASSWORD_FILE=/run/secrets/mp_database_password.txt - - POSTGRES_USER=midpoint - - POSTGRES_INITDB_ARGS=--lc-collate=en_US.utf8 --lc-ctype=en_US.utf8 - ports: - - 5432:5432 - networks: - - net - secrets: - - mp_database_password.txt - volumes: - - midpoint_data:/var/lib/postgresql/data - - midpoint_server: - image: tier/midpoint:latest - ports: - - 8443:443 - environment: - - ENV - - USERTOKEN - - REPO_DATABASE_TYPE=postgresql - - REPO_HOST=midpoint_data - - REPO_DATABASE=midpoint - - REPO_USER=midpoint - - REPO_MISSING_SCHEMA_ACTION - - REPO_UPGRADEABLE_SCHEMA_ACTION - - REPO_SCHEMA_VERSION_IF_MISSING - - REPO_SCHEMA_VARIANT - - MP_MEM_MAX - - MP_MEM_INIT - - MP_JAVA_OPTS - - TIER_BEACON_OPT_OUT - - TIMEZONE - networks: - - net - secrets: - - mp_database_password.txt - - mp_keystore_password.txt - - mp_host-key.pem - volumes: - - midpoint_home:/opt/midpoint/var - - type: bind - source: ./configs-and-secrets/midpoint/httpd/host-cert.pem - target: /etc/pki/tls/certs/host-cert.pem - - type: bind - source: ./configs-and-secrets/midpoint/httpd/host-cert.pem - target: /etc/pki/tls/certs/cachain.pem - -networks: - net: - driver: bridge - -secrets: - mp_database_password.txt: - file: ./configs-and-secrets/midpoint/application/database_password.txt - mp_keystore_password.txt: - file: ./configs-and-secrets/midpoint/application/keystore_password.txt - mp_host-key.pem: - file: ./configs-and-secrets/midpoint/httpd/host-key.pem - -volumes: - midpoint_data: - midpoint_home: diff --git a/demo/postgresql/tests/main.bats b/demo/postgresql/tests/main.bats deleted file mode 100755 index e5681f5..0000000 --- a/demo/postgresql/tests/main.bats +++ /dev/null 
@@ -1,34 +0,0 @@ -#!/usr/bin/env bats - -load ../../../common -load ../../../library - -@test "000 Cleanup before running the tests" { - run docker-compose down -v -} - -@test "010 Initialize and start midPoint" { - docker-compose -f docker-compose-tests.yml up --build -d - wait_for_midpoint_start postgresql_midpoint_server_1 -} - -@test "020 Check health" { - check_health -} - -@test "100 Get 'administrator'" { - check_health - get_and_check_object users 00000000-0000-0000-0000-000000000002 administrator -} - -@test "110 And and get 'test110'" { - check_health - echo "<user><name>test110</name></user>" >/tmp/test110.xml - add_object users /tmp/test110.xml - rm /tmp/test110.xml - search_and_check_object users test110 -} - -@test "999 Clean up" { - docker-compose down -v -} diff --git a/container_files/httpd/conf/midpoint.conf.auth.shibboleth b/demo/shibboleth-apache-sp/apache/httpd/conf.d/midpoint.conf similarity index 52% rename from container_files/httpd/conf/midpoint.conf.auth.shibboleth rename to demo/shibboleth-apache-sp/apache/httpd/conf.d/midpoint.conf index e8fcc24..20aa6d2 100644 --- a/container_files/httpd/conf/midpoint.conf.auth.shibboleth +++ b/demo/shibboleth-apache-sp/apache/httpd/conf.d/midpoint.conf @@ -3,7 +3,7 @@ Timeout 2400 ProxyTimeout 2400 ProxyBadHeader Ignore -ProxyPass /midpoint ajp://localhost:9090/midpoint secret=s3cr3t timeout=2400 retry=0 +ProxyPass /midpoint ajp://midpoint_server:9090/midpoint secret=s3cr3t timeout=2400 retry=0 <Location /midpoint> AuthType shibboleth @@ -19,3 +19,19 @@ ProxyPass /midpoint ajp://localhost:9090/midpoint secret=s3cr3t timeout=2400 ret AuthType None Require all granted </Location> + +<Location /midpoint/auth/shib> + AuthType shibboleth + ShibRequestSetting requireSession 1 + ShibRequireSession on + ShibUseHeaders On + require shibboleth +</Location> + +<Location /> + AuthType shibboleth + ShibRequestSetting requireSession false + ShibUseHeaders On + require shibboleth +</Location> + 
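Review bot: The AJP shared secret on the new `ProxyPass` line (`secret=s3cr3t`) is a literal committed with the config, and now that the backend is `midpoint_server` rather than `localhost` the AJP connection crosses the compose network, where that secret is the only thing authenticating Apache to the connector. Read it from the environment instead, e.g. `ProxyPass /midpoint ajp://midpoint_server:9090/midpoint secret=${AJP_SECRET} timeout=2400 retry=0`, with the same value supplied to the midPoint-side connector. That connector configuration is outside this diff, so I cannot confirm what it currently expects.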
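Review bot: Both new `<Location>` blocks set `ShibUseHeaders On`, which makes the SP hand attributes to the backend as HTTP request headers; the Shibboleth SP documentation treats that as the spoofing-prone option and recommends environment variables, and for an AJP backend mod_proxy_ajp forwards Apache environment variables as request attributes, which is the documented `attributePrefix="AJP_"` setup. Consider `ShibUseEnvironment On` here together with the matching `attributePrefix` in shibboleth2.xml (that file is only renamed in this commit, so its current value is not visible). `ShibRequireSession on` is the legacy spelling of the `ShibRequestSetting requireSession 1` on the line above it and can be dropped.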
diff --git a/demo/shibboleth-apache-sp/apache/httpd/conf.d/ssl-enable.conf b/demo/shibboleth-apache-sp/apache/httpd/conf.d/ssl-enable.conf
new file mode 100644
index 0000000..b529fa2
--- /dev/null
+++ b/demo/shibboleth-apache-sp/apache/httpd/conf.d/ssl-enable.conf
@@ -0,0 +1,18 @@
+<VirtualHost *:443>
+ RewriteEngine on
+ RewriteRule "^/$" "/midpoint/" [R]
+
+
+ SSLEngine on
+
+ SSLCertificateFile /etc/httpd/certs/host-cert.pem
+
+ SSLCertificateKeyFile /etc/httpd/certs/host-key.pem
+
+ # HSTS (mod_headers is required) (15768000 seconds = 6 months)
+ Header always set Strict-Transport-Security "max-age=15768000"
+
+ RewriteRule "^/midpoint/$" "/midpoint/auth/shib" [R]
+
+</VirtualHost>
+
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/attribute-map.xml b/demo/shibboleth-apache-sp/apache/shibboleth/attribute-map.xml
similarity index 100%
rename from demo/shibboleth/configs-and-secrets/midpoint/shibboleth/attribute-map.xml
rename to demo/shibboleth-apache-sp/apache/shibboleth/attribute-map.xml
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml b/demo/shibboleth-apache-sp/apache/shibboleth/shibboleth2.xml
similarity index 100%
rename from demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml
rename to demo/shibboleth-apache-sp/apache/shibboleth/shibboleth2.xml
diff --git a/demo/shibboleth-apache-sp/beacon/Dockerfile b/demo/shibboleth-apache-sp/beacon/Dockerfile
new file mode 100644
index 0000000..68339b6
--- /dev/null
+++ b/demo/shibboleth-apache-sp/beacon/Dockerfile
@@ -0,0 +1,14 @@
+FROM rockylinux:9.3
+
+COPY container_files/* /opt/tier/
+
+RUN dnf update -y --disablerepo=\* --enablerepo=baseos && \
+ dnf install -y cronie-anacron crontabs cronie --disablerepo=\* --enablerepo=baseos && \
+ dnf clean all -y ; \
+ /opt/tier/setup-cron.sh ;
+
+ENV TIER_RELEASE=not-released-yet \
+ TIER_MAINTAINER=tier \
+ MP_VERSION=4.8
+
+CMD [ "/usr/sbin/crond", "-n", "-i", "-m", "off" ]
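Review bot: The new `<VirtualHost *:443>` enables TLS but sets no `SSLProtocol` or `SSLCipherSuite`, so the accepted protocol versions and ciphers are whatever the global httpd/mod_ssl configuration supplies, which is not visible here and may still include TLS 1.0/1.1. Pin the policy in the vhost itself, e.g. `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` and `SSLHonorCipherOrder on` with an explicit `SSLCipherSuite`. A one-line comment stating where the cert/key under `/etc/httpd/certs/` come from (mounted at runtime, or copied in) would also help, since nothing in this file creates them.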
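Review bot: In the `RUN` instruction the chain switches from `&&` to `;` before `dnf clean all -y` and `/opt/tier/setup-cron.sh`, so a failure of the cron setup — the step that actually installs the beacon schedule — leaves the build green and produces an image whose `crond` has nothing to run. Use `&&` throughout: `dnf clean all -y && \` followed by `/opt/tier/setup-cron.sh`. The `ENV` block documents what the beacon reports; a comment such as `# MP_VERSION must be bumped together with the midPoint image tag` would keep it from drifting silently.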
diff --git a/demo/shibboleth-apache-sp/beacon/container_files/sendtierbeacon.sh b/demo/shibboleth-apache-sp/beacon/container_files/sendtierbeacon.sh
new file mode 100755
index 0000000..8f066f7
--- /dev/null
+++ b/demo/shibboleth-apache-sp/beacon/container_files/sendtierbeacon.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+LOGHOST="collector.testbed.tier.internet2.edu"
+LOGPORT="5001"
+
+if [ -s /opt/tier/env.bash ]; then
+ . /opt/tier/env.bash
+fi
+
+messagefile="/tmp/beaconmsg"
+
+if [ -z "$TIER_BEACON_OPT_OUT" ]; then
+ cat > $messagefile <<EOF
+{
+ "msgType" : "TIERBEACON",
+ "msgName" : "TIER",
+ "msgVersion" : "1.0",
+ "tbProduct" : "midPoint",
+ "tbProductVersion" : "$MP_VERSION",
+ "tbTIERRelease" : "$TIER_RELEASE",
+ "tbMaintainer" : "$TIER_MAINTAINER"
+}
+EOF
+
+# echo "going to send TIER beacon to ${LOGHOST}:${LOGPORT}:"
+# cat $messagefile
+
+ curl -s -XPOST "${LOGHOST}:${LOGPORT}/" -H 'Content-Type: application/json' -T $messagefile >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ echo "TIER beacon sent"
+ else
+ echo "Failed to send TIER beacon"
+ fi
+
+ rm -f $messagefile 1>/dev/null 2>&1
+
+else
+ echo "TIER beacon skipped - scheduled but Opted out"
+fi
diff --git a/demo/shibboleth-apache-sp/beacon/container_files/setup-cron.sh b/demo/shibboleth-apache-sp/beacon/container_files/setup-cron.sh
new file mode 100755
index 0000000..2d33d3a
--- /dev/null
+++ b/demo/shibboleth-apache-sp/beacon/container_files/setup-cron.sh
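Review bot: `messagefile="/tmp/beaconmsg"` is a fixed, world-known path that the script writes with `cat >` from a root cron job, so a pre-existing file or symlink at that path is followed rather than rejected; `messagefile=$(mktemp)` removes that. The `curl` call also uses `-s` without `-f`, so an HTTP 4xx/5xx from the collector still exits 0 and prints "TIER beacon sent"; `curl -fsS -XPOST ...` makes the success message truthful. Note too that `"${LOGHOST}:${LOGPORT}/"` carries no scheme, so curl defaults to plain HTTP and the payload (product and release versions) travels in cleartext; if the collector offers TLS, spell out `https://`.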
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+CRONFILE=/opt/tier/tier-cron
+
+echo "#send daily \"beacon\" to central" > ${CRONFILE}
+echo "" >> ${CRONFILE}
+echo "# ┌───────────── minute (0–59)" >> ${CRONFILE}
+echo "# │ ┌───────────── hour (0–23)" >> ${CRONFILE}
+echo "# │ │ ┌───────────── day of the month (1–31)" >> ${CRONFILE}
+echo "# │ │ │ ┌───────────── month (1–12)" >> ${CRONFILE}
+echo "# │ │ │ │ ┌───────────── day of the week (0–6) (Sunday to Saturday;" >> ${CRONFILE}
+echo "# │ │ │ │ │ 7 is also Sunday on some systems)" >> ${CRONFILE}
+echo "# │ │ │ │ │" >> ${CRONFILE}
+echo "# │ │ │ │ │" >> ${CRONFILE}
+echo "# * * * * * <command to execute>" >> ${CRONFILE}
+echo "" >> ${CRONFILE}
+echo "$(expr $RANDOM % 60) $(expr $RANDOM % 4) * * * /opt/tier/sendtierbeacon.sh 2>&1 | tee /proc/1/fd/1 >> /tmp/logcrond" >> ${CRONFILE}
+echo "" >> ${CRONFILE}
+echo "# List the current setting of the crontab to the log (when is the beacon scheduled)" >> ${CRONFILE}
+echo "@reboot crontab -l >/proc/1/fd/1" >> ${CRONFILE}
+echo "" >> ${CRONFILE}
+
+chmod 644 ${CRONFILE}
+crontab ${CRONFILE}
diff --git a/demo/shibboleth-apache-sp/directory/Dockerfile b/demo/shibboleth-apache-sp/directory/Dockerfile
new file mode 100644
index 0000000..4880156
--- /dev/null
+++ b/demo/shibboleth-apache-sp/directory/Dockerfile
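Review bot: The script has no header explaining what it installs or why the beacon output is routed through `/proc/1/fd/1`, and the schedule line reads as a one-off; a comment such as `# Installs root's crontab: one daily beacon at a random minute/hour in 00:00-03:59 (container timezone); output is copied to PID 1's stdout via /proc/1/fd/1 so it shows in the container log` would make the intent clear. Note that the minute and hour are fixed at the moment this script runs, so whoever calls it at build time (as the Dockerfile in this change does) gets the same time in every container. Since the file is `#!/bin/bash`, `$(( RANDOM % 60 ))` and `$(( RANDOM % 4 ))` are the idiomatic spellings of the two `expr` calls.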
@@ -0,0 +1,35 @@
+FROM rockylinux:9.3 as baseinst
+
+RUN dnf update -y && \
+ dnf install -y --enablerepo=devel openldap openldap-clients openldap-servers && \
+ dnf clean all && \
+ rm -rf /var/cache/dnf
+
+EXPOSE 389/tcp
+
+VOLUME /var/lib/ldap
+
+FROM baseinst
+
+#LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
+
+ARG ldapDomain="dc=internet2,dc=edu"
+ARG ldapPw="password"
+
+COPY container_files/* /opt
+
+RUN cd /opt ; \
+ /opt/slapd.sh -init ; \
+ /opt/gen_config_update "${ldapDomain}" "${ldapPw}" "0" "0" ;\
+ cat 999_schema-list | while read line ; do \
+ ldapadd -H ldapi:/// -f /etc/openldap/schema/${line}.ldif ; \
+ done ; \
+ for s in 0 1 2 3 4 5 6 7 8 9 ; do \
+ find -type f -name "${s}[0-4]?_*.ldif" -exec ldapmodify -H ldapi:/// -f /opt/\{\} \; ; \
+ find -type f -name "${s}[5-9]?_*.ldif" -exec ldapadd -H ldapi:/// -f /opt/\{\} \; ; \
+ done ; \
+ rm /opt/[0-9]* && \
+ /opt/slapd.sh -stop ;
+
+CMD [ "/opt/slapd.sh", "-limit", "1024", "-debug", "256" ]
+
diff --git a/demo/shibboleth-apache-sp/directory/container_files/gen_config_update b/demo/shibboleth-apache-sp/directory/container_files/gen_config_update
new file mode 100755
index 0000000..a23fccc
--- /dev/null
+++ b/demo/shibboleth-apache-sp/directory/container_files/gen_config_update
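Review bot: `ARG ldapPw="password"` carries the directory's admin password: any value supplied with `--build-arg` is recorded in the image's `docker history`, and the default is a well-known string, so a build secret is the safer vehicle — `RUN --mount=type=secret,id=ldappw,required=true \` with `/opt/gen_config_update "${ldapDomain}" "$(cat /run/secrets/ldappw)" "0" "0"` on the existing line. The second `RUN` joins `slapd.sh -init`, `gen_config_update` and the `ldapadd`/`ldapmodify` loops with `;`, so a failed schema load or ACL change still produces a "successful" image and the error only surfaces at runtime; `&&` (or `set -e` in a heredoc) stops the build at the first failure. `VOLUME /var/lib/ldap` is also declared in `baseinst` before the second stage populates the database under that path; with the classic builder, data written to a declared volume path is discarded (BuildKit behaves differently), so it is worth confirming the entries survive in the built image and, if they do not, moving the `VOLUME` line after the populating `RUN`.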
@@ -0,0 +1,203 @@ +#!/bin/bash +domain="${1:-dc=example,dc=com}" +if [ $(echo -n ${domain} | wc -c ) -eq $(echo -n ${domain} | tr -d "," | wc -c) ] +then + subDomain="${domain:4}" +else + subDomain="$(echo -n ${domain:4} | cut -d , -f 1)" +fi +userpw="${2:-change_me}" +cleartext="${3:-0}" +locDebug="${4:-0}" + +function genPass() { + retVal="userPassword:" + if [ "${cleartext}" != "1" ] + then + secPw="$(slappasswd -s ${userpw})" + secPw2="$(echo -n ${secPw} | base64 )" + [ "${locDebug}" != "0" ] && echo "${userpw} => ${secPw} => ${secPw2}" >&2 + retVal="${retVal}: ${secPw2}" + else + [ "${locDebug}" != "0" ] && echo "${userpw}" >&2 + retVal="${retVal} ${userpw}" + fi + while [ ${#retVal} -gt 78 ] + do + echo "${retVal:0:78}" + retVal=" ${retVal:78}" + done + if [ ${#retVal} -gt 2 ] + then + echo "${retVal}" + fi +} + +cat >999_schema-list <<EOF +cosine +inetorgperson +nis +EOF + +cat >001_monitor-diff.ldif <<EOF +dn: olcDatabase={1}monitor,cn=config +changetype: modify +replace: olcAccess +olcAccess: {0}to * + by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read + by dn.base="cn=admin,${domain}" read + by * none +EOF + +cat >101_mdb-diff.ldif <<EOF +dn: olcDatabase={2}mdb,cn=config +changetype: modify +replace: olcSuffix +olcSuffix: ${domain} +- +replace: olcRootDN +olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth +- +replace: olcAccess +olcAccess: {0}to dn="cn=admin,${domain}" + by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write + by anonymous auth + by self write + by * none +olcAccess: {1}to attrs=userPassword,shadowLastChange + by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write + by dn="cn=admin,${domain}" write + by dn="uid=administrator,ou=People,${domain}" write + by anonymous auth + by self write + by * none +olcAccess: {2}to dn.subtree="ou=people,${domain}" + by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write + by dn="cn=admin,${domain}" write + by 
dn="uid=administrator,ou=People,${domain}" write + by * read +olcAccess: {3}to dn.base="" + by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write + by dn="cn=admin,${domain}" write + by * read +olcAccess: {4}to * + by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write + by dn="uid=administrator,ou=people,${domain}" write + by dn="cn=admin,${domain}" write + by anonymous auth + by self read + by * none +EOF + +cat >251_mod_config.ldif <<EOF +dn: cn=module{0},cn=config +objectClass: olcModuleList +cn: module{0} +olcModulePath: /usr/lib64/openldap +olcModuleLoad: {0}memberof +olcModuleLoad: {1}refint +olcModuleLoad: {2}ppolicy +olcModuleLoad: {3}sssvlv + +dn: olcOverlay={0}memberof,olcDatabase={2}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcMemberOf +olcOverlay: {0}memberof +olcMemberOfDangling: ignore +olcMemberOfRefInt: TRUE +olcMemberOfGroupOC: groupOfUniqueNames +olcMemberOfMemberAD: uniqueMember +olcMemberOfMemberOfAD: memberOf + +dn: olcOverlay={1}refint,olcDatabase={2}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcRefintConfig +olcOverlay: {1}refint +olcRefintAttribute: owner +olcRefintAttribute: manager +olcRefintAttribute: uniqueMember +olcRefintAttribute: member +olcRefintAttribute: memberOf + +dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config +objectClass: olcPPolicyConfig +objectClass: olcOverlayConfig +olcOverlay: {2}ppolicy +olcPPolicyDefault: cn=defaultpw,ou=policies,${domain} +olcPPolicyHashCleartext: TRUE +olcPPolicyUseLockout: TRUE + +dn: olcOverlay={3}sssvlv,olcDatabase={2}mdb,cn=config +objectClass: olcSssVlvConfig +objectClass: olcOverlayConfig +olcOverlay: {3}sssvlv +EOF + +cat >151_default_structure.ldif <<EOF +dn: ${domain} +objectClass: top +objectClass: dcObject +objectClass: organization +o: ${subDomain} + +dn: cn=admin,${domain} +objectClass: simpleSecurityObject +objectClass: organizationalRole +cn: admin +$(genPass) +description: LDAP administrator + +dn: 
ou=groups,${domain} +objectClass: top +objectClass: organizationalUnit +ou: groups + +dn: ou=people,${domain} +objectClass: top +objectClass: organizationalUnit +ou: people + +dn: ou=policies,${domain} +objectClass: organizationalUnit +ou: policies +EOF + +cat >252_default_policy.ldif <<EOF +dn: cn=defaultpw,ou=policies,${domain} +objectClass: pwdPolicy +objectClass: organizationalRole +cn: defaultpw +pwdAttribute: userPassword +pwdMinLength: 3 +pwdLockout: TRUE +pwdMaxFailure: 3 +pwdLockoutDuration: 30 +EOF + +cat >851_default_structure.ldif <<EOF +dn: uid=administrator,ou=people,${domain} +objectClass: organizationalPerson +objectClass: person +objectClass: top +objectClass: inetOrgPerson +givenName: Administrator +uid: administrator +sn: Administrator +cn: Administrator +$(genPass) +EOF + +cat >959_default_structure.ldif <<EOF +dn: cn=users,ou=groups,${domain} +objectClass: groupOfUniqueNames +objectClass: top +uniqueMember: uid=banderson,ou=people,${domain} +uniqueMember: uid=jsmith,ou=people,${domain} +cn: users + +dn: cn=admins,ou=groups,${domain} +objectClass: groupOfUniqueNames +objectClass: top +uniqueMember: uid=administrator,ou=people,${domain} +cn: admins +EOF diff --git a/demo/shibboleth-apache-sp/directory/container_files/slapd.sh b/demo/shibboleth-apache-sp/directory/container_files/slapd.sh new file mode 100755 index 0000000..bfd935e --- /dev/null +++ b/demo/shibboleth-apache-sp/directory/container_files/slapd.sh 
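Review bot: `secPw="$(slappasswd -s ${userpw})"` in `genPass` places the admin password on a command line, where it is readable from the process list for the duration of the call, and `${userpw}` is unquoted, so a password containing spaces or glob characters is split or expanded; `slappasswd -T` reading the value from a temporary file (or at minimum `slappasswd -s "${userpw}"`) avoids both. The debug branch echoes the cleartext password to stderr (`echo "${userpw} => ${secPw} => ${secPw2}" >&2`), which should be said above the function, e.g. `# genPass: print a folded userPassword attribute for the current userpw; with locDebug != 0 the cleartext password is written to stderr`. The `252_default_policy.ldif` block sets `pwdMinLength: 3`, `pwdMaxFailure: 3` and `pwdLockoutDuration: 30`, i.e. a three-character minimum and a 30-second lockout; a one-line comment marking these as demo values would keep them from being copied into a real deployment. The enclosing file is fully visible in this hunk.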
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+localLimit=${LDAP_LIMIT:-1024}
+debugLevel=${LDAP_DEBUG:-256}
+
+while [ "${1:0:1}" = "-" ]
+do
+ case ${1:1} in
+ limit)
+ localLimit=${2}
+ [ ! -z ${LDAP_LIMIT+x} ] && localLimit=${LDAP_LIMIT}
+ shift 2
+ ;;
+ debug)
+ debugLevel=${2}
+ [ ! -z ${LDAP_DEBUG+x} ] && debugLevel=${LDAP_DEBUG}
+ shift 2
+ ;;
+ init)
+ [ ! -z ${LDAP_INFO+x} ] && echo "uLimit : ${localLimit}" >&2
+ ulimit -n ${localLimit}
+ exec /usr/sbin/slapd -4 -h "ldapi:///" -u ldap -g ldap
+ exit 0
+ ;;
+ stop)
+ while read line
+ do
+ kill ${line}
+ count=0
+ while [ -e /proc/${line} ]
+ do
+ [ ${count} -gt 10 ] && kill -9 ${line}
+ echo "Waiting to terminate the process"
+ count=$(( ${count} + 1 ))
+ sleep 1
+ done
+ echo "Terminated..."
+ ${0} -stop
+ done < <( grep "^slapd$" /proc/*/comm | head -1 | cut -d / -f 3 )
+ exit 0
+ ;;
+ esac
+done
+
+ulimit -n ${localLimit}
+
+
+if [ -z ${LDAP_INIT+x} ]
+then
+ [ ! -z ${LDAP_INFO+x} ] && echo "uLimit : ${localLimit} / debug level : ${debugLevel}" >&2
+ exec /usr/sbin/slapd -h "ldap://0.0.0.0:389 ldapi:///" -u ldap -g ldap -d ${debugLevel}
+else
+ [ ! -z ${LDAP_INFO+x} ] && echo "uLimit : ${localLimit}" >&2
+ exec /usr/sbin/slapd -4 -h "ldapi:///" -u ldap -g ldap
+fi
+
diff --git a/demo/shibboleth-apache-sp/docker-compose.yml b/demo/shibboleth-apache-sp/docker-compose.yml
new file mode 100644
index 0000000..ee277ee
--- /dev/null
+++ b/demo/shibboleth-apache-sp/docker-compose.yml
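Review bot: The `limit)` and `debug)` cases read the value from `${2}` and then immediately overwrite it when `LDAP_LIMIT`/`LDAP_DEBUG` is set, so the `-limit 1024 -debug 256` arguments passed by the Dockerfile's `CMD` are silently ignored whenever the environment variable exists; this precedence is stated nowhere and deserves a header comment such as `# Usage: slapd.sh [-limit N] [-debug LEVEL] [-init] [-stop]; LDAP_LIMIT/LDAP_DEBUG take precedence over the flags, LDAP_INIT selects ldapi-only mode, LDAP_INFO enables the uLimit trace on stderr`. The `exit 0` after each `exec /usr/sbin/slapd` line is dead code — bash either replaces the shell or, when the exec fails, exits the non-interactive shell itself — so the two lines can go. `[ ! -z ${LDAP_LIMIT+x} ]` is the form ShellCheck flags; `[ -n "${LDAP_LIMIT+x}" ]` says the same thing, and the same applies to the three sibling tests.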
@@ -0,0 +1,328 @@ +version: "3.3" + +services: + prereq: + image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux + command: > + bash -c " + echo ' - - - - - - -' ; + cd /mnt/security ; + if [ ! -e key.pem ] ; + then + echo 'Certificate has not been found. Generating of the new one...' ; + openssl req -newkey rsa:2048 -keyout key.pem -nodes -subj '/C=US/ST=MI/L=Ann Arbor/O=Internet2\\/TIER/CN=midpoint.sp.example.org' -addext 'subjectAltName = DNS:midpoint.sp.example.org, DNS:midpoint_server, DNS:directory, DNS:idp, DNS: localhost, DNS: localhost.localdomain, IP:127.0.0.1, IP:::1' -out cert.pem -days 1825 -x509 ; + openssl req -newkey rsa:3072 -keyout sp-encrypt-key.pem -nodes -subj '/CN=sptest.example.edu' -addext 'subjectAltName = DNS:sptest.example.edu' -out sp-encrypt-cert.pem -days 3650 -x509 ; + openssl req -newkey rsa:3072 -keyout sp-signing-key.pem -nodes -subj '/CN=sptest.example.edu' -addext 'subjectAltName = DNS:sptest.example.edu' -out sp-signing-cert.pem -days 3650 -x509 ; + openssl req -newkey rsa:2048 -keyout idp-backchannel.key -nodes -subj '/CN=idptestbed' -addext 'subjectAltName = DNS:idptestbed, URI:https://idptestbed/idp/shibboleth' -out idp-backchannel.crt -days 7300 -x509 ; + openssl req -newkey rsa:2048 -keyout idp-encryption.key -nodes -subj '/CN=idptestbed' -addext 'subjectAltName = DNS:idptestbed, URI:https://idptestbed/idp/shibboleth' -out idp-encryption.crt -days 7300 -x509 ; + openssl req -newkey rsa:2048 -keyout idp-signing.key -nodes -subj '/CN=idptestbed' -addext 'subjectAltName = DNS:idptestbed, URI:https://idptestbed/idp/shibboleth' -out idp-signing.crt -days 7300 -x509 ; + openssl req -newkey rsa:2048 -keyout idp-browser.key -nodes -subj '/CN=idp.ccc.local' -addext 'authorityKeyIdentifier = keyid:always,issuer:always' -out idp-browser.crt -days 10585 -x509 ; + openssl x509 -noout -fingerprint -sha256 -in cert.pem ; + openssl pkcs12 -export -in sp-signing-cert.pem -inkey sp-signing-key.pem -out signing-key.p12 -passout pass:password 
-name signing-key ; + openssl pkcs12 -export -in sp-encrypt-cert.pem -inkey sp-encrypt-key.pem -out encrypt-key.p12 -passout pass:password -name encrypt-key ; + openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.p12 -passout pass:password -name selfsigned ; + keytool -importkeystore -srckeystore encrypt-key.p12 -srcstoretype pkcs12 -srcstorepass password -srcalias encrypt-key -destkeystore shibboleth_sp_keys.jks -deststoretype jks -deststorepass changeit -noprompt -destalias encrypt-key ; + keytool -importkeystore -srckeystore signing-key.p12 -srcstoretype pkcs12 -srcstorepass password -srcalias signing-key -destkeystore shibboleth_sp_keys.jks -deststoretype jks -deststorepass changeit -noprompt -destalias signing-key ; + keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -srcstorepass password -srcalias selfsigned -destkeystore keystore.jks -deststoretype jks -deststorepass password -noprompt -destalias selfsigned ; + keytool -list -keystore shibboleth_sp_keys.jks -storetype jceks -storepass changeit ; + keytool -list -keystore keystore.jks -storetype jceks -storepass password ; + openssl pkcs12 -export -in idp-backchannel.crt -inkey idp-backchannel.key -out idp-backchannel.p12 -passout pass:password -name idptestbed ; + openssl pkcs12 -export -in idp-browser.crt -inkey idp-browser.key -out idp-browser.p12 -passout pass:password -name myAlias ; + for s in *ert.pem *.crt ; do echo ' - - - - - ' ; echo $${s} ; openssl x509 -noout -fingerprint -sha256 -in $${s} ; echo ; openssl x509 -noout -subject -subject_hash -dates -in $${s} ; done ; + echo ' - - - - - ' ; + mkdir /mnt/httpd/certs ; + cp cert.pem /mnt/httpd/certs/host-cert.pem ; + cp key.pem /mnt/httpd/certs/host-key.pem ; + cp cert.pem /mnt/midpoint/var ; + cp -v /mnt/apache/httpd/conf.d/* /mnt/httpd/conf.d ; + cp -v /mnt/apache/httpd/conf.modules.d/* /mnt/httpd/conf.modules.d ; + cp -v /mnt/apache/shibboleth/* /mnt/shibboleth-sp ; + cp -v sp-encrypt-cert.pem /mnt/shibboleth-sp 
; + cp -v sp-encrypt-key.pem /mnt/shibboleth-sp ; + cp -v sp-signing-cert.pem /mnt/shibboleth-sp ; + cp -v sp-signing-key.pem /mnt/shibboleth-sp ; + cp idp-backchannel.crt /mnt/shibboleth-idp/credentials ; + cp idp-backchannel.p12 /mnt/shibboleth-idp/credentials ; + cp idp-browser.p12 /mnt/shibboleth-idp/credentials ; + cp idp-encryption.crt /mnt/shibboleth-idp/credentials ; + cp idp-encryption.key /mnt/shibboleth-idp/credentials ; + cp idp-signing.crt /mnt/shibboleth-idp/credentials ; + cp idp-signing.key /mnt/shibboleth-idp/credentials ; + cp sp-signing-cert.pem /mnt/shibboleth-idp/credentials ; + cp sp-encrypt-cert.pem /mnt/shibboleth-idp/credentials ; + cp keystore.jks /mnt/shibboleth/certs ; + echo ' - - - - - ' ; + find -type f ; + echo ' - - - - - - -' ; + find /mnt/shibboleth-idp/ -type f ; + echo ' - - - - - - -' ; + find /mnt/shibboleth -type f ; + echo ' - - - - - - -' ; + find /mnt/midpoint/ -type f ; + echo ' - - - - - - -' ; + else echo 'certificate already exists... (skip new cert generation)' ; + fi ; + if [ ! 
-e /mnt/shared_pw/db_pass ] ; then + echo 'Generating password for DB connection...'; + dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d -c [0-9a-z] | cut -c 1-32 | tr -d [[:space:]] > /mnt/shared_pw/db_pass ; + fi ; + " + networks: + - net + volumes: + - security_object:/mnt/security + - shared_pw:/mnt/shared_pw + - idp_credentials:/mnt/shibboleth-idp/credentials + - idp_certs:/mnt/shibboleth/certs + - midpoint_home:/mnt/midpoint/var + - apache_conf:/mnt/httpd + - shibboleth_conf:/mnt/shibboleth-sp + - ./apache:/mnt/apache:ro + + midpoint_data: + image: postgres:16-alpine + depends_on: + prereq: + condition: service_completed_successfully + environment: + - POSTGRES_PASSWORD_FILE=/mnt/shared_pw/db_pass + - POSTGRES_USER=midpoint + - POSTGRES_INITDB_ARGS=--lc-collate=en_US.utf8 --lc-ctype=en_US.utf8 + healthcheck: + test: [ "CMD-SHELL", "pg_isready -d midpoint -U midpoint" ] + interval: 1s + timeout: 5s + retries: 10 + networks: + - net + volumes: + - midpoint_data:/var/lib/postgresql/data + - shared_pw:/mnt/shared_pw + + data_init: + image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux + depends_on: + prereq: + condition: service_completed_successfully + midpoint_data: + condition: service_healthy + command: > + bash -c " + cd /opt/midpoint ; + bin/midpoint.sh init-native ; + echo ' - - - - - - ' ; + bin/ninja.sh -B info >/dev/null 2>/tmp/ninja.log ; + grep -q \"ERROR\" /tmp/ninja.log && ( + bin/ninja.sh run-sql --create --mode REPOSITORY ; + bin/ninja.sh run-sql --create --mode AUDIT + ) || + echo -e '\\n Repository init is not needed...' 
; + if [ $$(keytool -list -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass:file /opt/midpoint/var/keystorepw | grep -c 'local_gen_cert') -eq 0 ] ; + then + keytool -importcert -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass:file /opt/midpoint/var/keystorepw -trustcacerts -alias 'local_gen_cert' -file /opt/midpoint/var/cert.pem -noprompt ; + else + echo 'Certificate exists in the cert store' ; + fi ; + " + environment: + - MP_SET_midpoint_repository_jdbcUsername=midpoint + - MP_SET_midpoint_repository_jdbcPassword_FILE=/mnt/shared_pw/db_pass + - MP_SET_midpoint_repository_jdbcUrl=jdbc:postgresql://midpoint_data:5432/midpoint + - MP_SET_midpoint_repository_database=postgresql + - MP_INIT_CFG=/opt/midpoint/var + - MP_PW_DEF=/opt/midpoint/var/keystorepw + - MP_KEYSTORE=/opt/midpoint/var/keystore.jceks + networks: + - net + volumes: + - midpoint_home:/opt/midpoint/var + - shared_pw:/mnt/shared_pw + + midpoint_server: + image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux + container_name: midpoint_server + hostname: midpoint-container + depends_on: + data_init: + condition: service_completed_successfully + idp_vol_init: + condition: service_completed_successfully + midpoint_data: + condition: service_healthy + command: [ "/opt/midpoint/bin/midpoint.sh", "container" ] + expose: + - 8080 + environment: + - MP_SET_midpoint_repository_jdbcUsername=midpoint + - MP_SET_midpoint_repository_jdbcPassword_FILE=/mnt/shared_pw/db_pass + - MP_SET_midpoint_repository_jdbcUrl=jdbc:postgresql://midpoint_data:5432/midpoint + - MP_SET_midpoint_repository_database=postgresql + - MP_SET_midpoint_keystore_keyStorePassword_FILE=/opt/midpoint/var/keystorepw + - MP_SET_server_port=8080 + - MP_SET_server_tomcat_ajp_enabled=true + - MP_SET_server_tomcat_ajp_address="0.0.0.0" + - MP_SET_server_tomcat_ajp_port=9090 + - MP_SET_server_tomcat_ajp_secret=s3cr3t + - MP_SET_midpoint_administrator_initialPassword=Test5ecr3t + - 
MP_UNSET_midpoint_repository_hibernateHbm2ddl=1 + - MP_NO_ENV_COMPAT=1 + - MP_ENTRY_POINT=/opt/midpoint-dirs-docker-entrypoint + networks: + - net + volumes: + - midpoint_home:/opt/midpoint/var + - shared_pw:/mnt/shared_pw + - ./midpoint_server/post-initial-objects:/opt/midpoint-dirs-docker-entrypoint/post-initial-objects:ro + - ./midpoint_server/shibboleth:/opt/midpoint-dirs-docker-entrypoint/shibboleth:ro + + directory: + build: ./directory/ + ports: + - 389:389 + networks: + - net + volumes: + - ldap:/var/lib/ldap + + idp_vol_init: + image: tier/shib-idp:3.4.6_20191002 + depends_on: + prereq: + condition: service_completed_successfully + ulimits: + nofile: + soft: 1024 + hard: 2048 + command: > + bash -c " + echo 'Updating configuration...' ; + if [ -e /mnt/shibboleth-diff/conf ] ; + then + cp -vu /mnt/shibboleth-diff/conf/* /opt/shibboleth-idp/conf ; + fi ; + if [ -e /mnt/shibboleth-diff/credentials ] ; + then + cp -vu /mnt/shibboleth-diff/credentials/* /opt/shibboleth-idp/credentials ; + fi ; + if [ -e /mnt/shibboleth-diff/metadata ] ; + then + cp -vu /mnt/shibboleth-diff/metadata/* /opt/shibboleth-idp/metadata ; + fi ; + echo ' - - - - - - -' ; + echo 'Updating idp-metadata.xml file...' 
; + grep -n 'X509Certificate' /mnt/shibboleth-diff/metadata/idp-metadata.xml | sed \"s/\\([0-9]*\\).*/\\1/\" > /tmp/checkpoints ; + wc -l /mnt/shibboleth-diff/metadata/idp-metadata.xml | sed \"s/\\([0-9]*\\).*/\\1/\" >> /tmp/checkpoints ; + current_line=1 ; + id=0 ; + file_path=( - idp-backchannel.crt - idp-signing.crt - idp-encryption.crt - idp-backchannel.crt - idp-signing.crt - idp-encryption.crt - ) ; + rm /opt/shibboleth-idp/metadata/idp-metadata.xml ; + cat /tmp/checkpoints | while read line ; do + if [ \"$${file_path[$${id}]}\" == \"-\" ] ; then + sed -n \"$${current_line},$${line}p\" /mnt/shibboleth-diff/metadata/idp-metadata.xml >> /opt/shibboleth-idp/metadata/idp-metadata.xml ; + else + sed '1d;$$d' /opt/shibboleth-idp/credentials/$${file_path[$${id}]} >> /opt/shibboleth-idp/metadata/idp-metadata.xml ; + fi ; + current_line=$${line}; + id=$$(( $${id} + 1 )) ; + done ; + cp -v /opt/shibboleth-idp/metadata/idp-metadata.xml /mnt/shibboleth/idp-metadata.xml ; + echo ' - - - - - - -' ; + echo 'Updating midpoint-shib-sp.xml...'; + grep -n 'X509Certificate' /mnt/shibboleth-diff/metadata/midpoint-shib-sp.xml | sed \"s/\\([0-9]*\\).*/\\1/\" > /tmp/checkpoints ; + wc -l /mnt/shibboleth-diff/metadata/midpoint-shib-sp.xml | sed \"s/\\([0-9]*\\).*/\\1/\" >> /tmp/checkpoints ; + current_line=1 ; + id=0 ; + file_path=( - sp-signing-cert.pem - sp-encrypt-cert.pem - ) ; + rm /opt/shibboleth-idp/metadata/midpoint-shib-sp.xml ; + cat /tmp/checkpoints | while read line ; do + if [ \"$${file_path[$${id}]}\" == \"-\" ] ; then + sed -n \"$${current_line},$${line}p\" /mnt/shibboleth-diff/metadata/midpoint-shib-sp.xml >> /opt/shibboleth-idp/metadata/midpoint-shib-sp.xml ; + else + sed '1d;$$d' /opt/shibboleth-idp/credentials/$${file_path[$${id}]} >> /opt/shibboleth-idp/metadata/midpoint-shib-sp.xml ; + fi ; + current_line=$${line}; + id=$$(( $${id} + 1 )) ; + done ; + sed -i \"s/\\([[:space:]]<ds:X509Certificate>\\).*$$/\\1/g;s/^[[:space:]]\\(<ds:X509Certificate>\\).*$$/\\1/g\" 
/opt/shibboleth-idp/metadata/midpoint-shib-sp.xml ; + echo ' - - - - - - -' ; + echo 'Generating sealer key...' ; + rm /opt/shibboleth-idp/credentials/sealer.* ; + /opt/shibboleth-idp/bin/rotateSealerKey.sh ; + echo ' - - - - - - -' ; + echo 'DONE.' ; + " + volumes: + - idp_conf:/opt/shibboleth-idp/conf + - idp_credentials:/opt/shibboleth-idp/credentials + - idp_metadata:/opt/shibboleth-idp/metadata + - ./shibboleth-idp:/mnt/shibboleth-diff:ro + - shibboleth_conf:/mnt/shibboleth + + idp: + image: tier/shib-idp:3.4.6_20191002 + depends_on: + directory: + condition: service_started + idp_vol_init: + condition: service_completed_successfully + ports: + - 443:443 + ulimits: + nofile: + soft: 1024 + hard: 2048 + environment: + - JETTY_MAX_HEAP=64m + - JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=password + - JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=password + networks: + - net + volumes: + - idp_conf:/opt/shibboleth-idp/conf + - idp_credentials:/opt/shibboleth-idp/credentials + - idp_metadata:/opt/shibboleth-idp/metadata + - idp_certs:/opt/certs + + beacon: + build: ./beacon/ + networks: + - net + environment: + - TIER_RELEASE=not-released-yet + - TIER_MAINTAINER=tier + - MP_VERSION=4.8 + - TIER_BEACON_OPT_OUT=true + + proxy: + image: i2incommon/shibboleth_sp:3.4.1_06122023_rocky8_multiarch + depends_on: + idp: + condition: service_started + idp_vol_init: + condition: service_completed_successfully + midpoint_server: + condition: service_started + networks: + - net + ports: + - 8443:443 + volumes: + - apache_conf:/etc/httpd + - shibboleth_conf:/etc/shibboleth + +networks: + net: + driver: bridge + +volumes: + security_object: + midpoint_data: + midpoint_home: + idp_conf: + idp_credentials: + idp_metadata: + idp_certs: + apache_conf: + shibboleth_conf: + ldap: + shared_pw: 
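Review bot: `ports: - 389:389` on the `directory` service publishes cleartext LDAP on every host interface, although its only consumers (`idp`, `midpoint_server`) reach it over the `net` bridge and its admin password defaults to `password` in `directory/Dockerfile`; drop the mapping, or if host access is wanted for debugging, bind it to loopback with `- 127.0.0.1:389:389`. The hard-coded credentials spread through the file (`MP_SET_server_tomcat_ajp_secret=s3cr3t`, `MP_SET_midpoint_administrator_initialPassword=Test5ecr3t`, `JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=password`, and the `-passout pass:password` / `-storepass changeit` values in the `prereq` command) are acceptable for a demo only if the file says so; a top-of-file comment stating that these are demo values to be changed before any non-local use, plus `${VAR:-default}` substitution as already used for `MP_VER`, would make that explicit. In the DB password generation, `tr -d -c [0-9a-z]` and `tr -d [[:space:]]` are unquoted while the working directory is `/mnt/security`, so the shell would glob them if a matching file name ever existed there; `'[0-9a-z]'` and `'[[:space:]]'` remove that dependency.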
diff --git a/demo/shibboleth-apache-sp/midpoint_server/post-initial-objects/SecurityPolicy.xml b/demo/shibboleth-apache-sp/midpoint_server/post-initial-objects/SecurityPolicy.xml new file mode 100644 index 0000000..8396297 --- /dev/null +++ b/demo/shibboleth-apache-sp/midpoint_server/post-initial-objects/SecurityPolicy.xml 
@@ -0,0 +1,88 @@ + <securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="00000000-0000-0000-0000-000000000120" version="2"> + <name>Default Security Policy</name> + <authentication> + <modules> + <loginForm> + <identifier>loginForm</identifier> + </loginForm> + <httpBasic> + <identifier>httpBasic</identifier> + </httpBasic> + <httpHeader> + <identifier>httpHeader</identifier> + <usernameHeader>REMOTE_USER</usernameHeader> + <logoutUrl>https://localhost:8443/Shibboleth.sso/Logout</logoutUrl> + </httpHeader> + </modules> + <sequence> + <identifier>admin-gui-saml-internal</identifier> + <description> + Internal SAML2 GUI authentication sequence. + </description> + <channel> + <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId> + <default>true</default> + <urlSuffix>saml-internal</urlSuffix> + </channel> + <module> + <identifier>httpHeader</identifier> + <order>30</order> + <necessity>sufficient</necessity> + </module> + </sequence> + <sequence> + <identifier>admin-gui-emergency</identifier> + <description> + Special GUI authentication sequence that is using just the internal user password. 
+ </description> + <channel> + <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId> + <default>false</default> + <urlSuffix>emergency</urlSuffix> + </channel> + <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType"> + </requireAssignmentTarget> + <module> + <identifier>loginForm</identifier> + <order>30</order> + <necessity>sufficient</necessity> + </module> + </sequence> + <sequence> + <identifier>rest-default</identifier> + <channel> + <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId> + <default>true</default> + <urlSuffix>rest-default</urlSuffix> + </channel> + <module> + <identifier>httpBasic</identifier> + <order>1</order> + <necessity>sufficient</necessity> + </module> + </sequence> + <sequence> + <identifier>actuator-default</identifier> + <channel> + <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId> + <default>true</default> + <urlSuffix>actuator-default</urlSuffix> + </channel> + <module> + <identifier>httpBasic</identifier> + <order>1</order> + <necessity>sufficient</necessity> + </module> + </sequence> + <ignoredLocalPath>/actuator/health</ignoredLocalPath> + </authentication> + <credentials> + <password> + <minOccurs>0</minOccurs> + <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts> + <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration> + <lockoutDuration>PT15M</lockoutDuration> + <valuePolicyRef oid="00000000-0000-0000-0000-000000000003"/> + </password> + </credentials> +</securityPolicy> diff --git a/demo/shibboleth/idp/shibboleth-idp/conf/attribute-filter.xml b/demo/shibboleth-apache-sp/shibboleth-idp/conf/attribute-filter.xml similarity index 100% rename from demo/shibboleth/idp/shibboleth-idp/conf/attribute-filter.xml rename to demo/shibboleth-apache-sp/shibboleth-idp/conf/attribute-filter.xml 
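Review bot: The `httpHeader` module accepts whatever arrives in the `REMOTE_USER` header as the authenticated user and is the `<default>true</default>` sequence for the user channel, so its safety rests entirely on midPoint being reachable only through the Shibboleth SP proxy that sets that header; the compose file in this change keeps `midpoint_server`'s HTTP port 8080 reachable from every container on the shared `net` network, so that precondition currently holds by convention rather than by topology. The policy should state it next to the module, e.g. `<!-- httpHeader trusts REMOTE_USER unconditionally: midPoint must be reachable only via the Shibboleth SP (proxy) that sets it; never publish 8080 and keep other services off this path -->`, and the deployment would ideally put `midpoint_server` and `proxy` on a network of their own. The `admin-gui-emergency` sequence, which bypasses the header module with a local password, similarly deserves a comment that it is the break-glass path guarded by `requireAssignmentTarget` on oid `00000000-0000-0000-0000-000000000004` (which looks like midPoint's built-in superuser role).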
diff --git a/demo/shibboleth/idp/shibboleth-idp/conf/attribute-resolver.xml b/demo/shibboleth-apache-sp/shibboleth-idp/conf/attribute-resolver.xml
similarity index 100%
rename from demo/shibboleth/idp/shibboleth-idp/conf/attribute-resolver.xml
rename to demo/shibboleth-apache-sp/shibboleth-idp/conf/attribute-resolver.xml
diff --git a/demo/shibboleth/idp/shibboleth-idp/conf/idp.properties b/demo/shibboleth-apache-sp/shibboleth-idp/conf/idp.properties
similarity index 99%
rename from demo/shibboleth/idp/shibboleth-idp/conf/idp.properties
rename to demo/shibboleth-apache-sp/shibboleth-idp/conf/idp.properties
index 2470feb..cf0b2f8 100644
--- a/demo/shibboleth/idp/shibboleth-idp/conf/idp.properties
+++ b/demo/shibboleth-apache-sp/shibboleth-idp/conf/idp.properties
@@ -26,8 +26,8 @@ idp.scope= example.org
 #idp.sealer.aliasBase = secret
 idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
 idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
-idp.sealer.storePassword= password
-idp.sealer.keyPassword= password
+idp.sealer.storePassword= changeit
+idp.sealer.keyPassword= changeit
 
 # Settings for public/private signing and encryption key(s)
 # During decryption key rollover, point the ".2" properties at a second
diff --git a/demo/shibboleth/idp/shibboleth-idp/conf/ldap.properties b/demo/shibboleth-apache-sp/shibboleth-idp/conf/ldap.properties
similarity index 100%
rename from demo/shibboleth/idp/shibboleth-idp/conf/ldap.properties
rename to demo/shibboleth-apache-sp/shibboleth-idp/conf/ldap.properties
diff --git a/demo/shibboleth-apache-sp/shibboleth-idp/conf/metadata-providers.xml b/demo/shibboleth-apache-sp/shibboleth-idp/conf/metadata-providers.xml
new file mode 100644
index 0000000..4c760b3
--- /dev/null
+++ b/demo/shibboleth-apache-sp/shibboleth-idp/conf/metadata-providers.xml
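Review bot: `idp.sealer.storePassword= changeit` and `idp.sealer.keyPassword= changeit` swap one well-known default for another, and the data sealer is what protects the IdP's sealed client-side state; since `idp_vol_init` in the compose file regenerates the sealer key with `rotateSealerKey.sh` at start-up (presumably using these properties), these two values are the only secret guarding that state. A comment above the pair should say so, e.g. `# demo-only sealer passwords (used by rotateSealerKey.sh in idp_vol_init); override before any non-local use`.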
@@ -0,0 +1,81 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- This file is an EXAMPLE metadata configuration file. --> +<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" + xmlns="urn:mace:shibboleth:2.0:metadata" + xmlns:resource="urn:mace:shibboleth:2.0:resource" + xmlns:security="urn:mace:shibboleth:2.0:security" + xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd + urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd + urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd + urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd"> + + <!-- ========================================================================================== --> + <!-- Metadata Configuration --> + <!-- --> + <!-- Below you place the mechanisms which define how to load the metadata for the SP you will --> + <!-- provide a service to. --> + <!-- --> + <!-- Two examples are provided. The Shibboleth Documentation at --> + <!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration --> + <!-- provides more details. --> + <!-- --> + <!-- NOTE. This file SHOULD NOT contain the metadata for this IdP. --> + <!-- --> + <!-- ========================================================================================== --> + + <MetadataProvider id="Midpoint" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/midpoint-shib-sp.xml"/> + + + <!-- Example HTTP metadata provider. Use this if you want to download + the metadata from a remote service. + + You *MUST* provider the SignatureValidationFilter in order to function securely. 
+ Get the PubLic key, and validate it via some out of band mechanism, from the + party publishing the metadata + + The EntityRoleWhiteList saves memory by only loading metadata from entity types + that you will interoperate with. + + <MetadataProvider id="HTTPMetadata" + xsi:type="FileBackedHTTPMetadataProvider" + backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml" + metadataURL="http://WHATEVER"> + + <MetadataFilter xsi:type="SignatureValidation" + requireSignedMetadata="false"> + <PublicKey> + THIS IS AN EXAMPLE + + MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxg0TyQAP/tIvOH89EtaX + uRRn8SYzTj7W1TbNY4VvBmobjkRmSkki4hH9x4sQpi635wn6WtXTN/FNNmkTK3N/ + LspmBWxfZS+n+cc7I82E5yvCAPX67QsZgqgglp2W5dvK/FsMMCS6X6SVqzBLMP88 + NenXKxY+HMxMs0sT0UKYh1cAEqadrHRBO65aDBcm5a0sBVYt9K6pgaOHrp/zSIbh + nR5tFFLjBbtFktDpHL3AdGBH3OYidNGKBO3tJ3Ms7LeKXsM0+0Y4P+9fHZINL2X3 + E2N6GVnKs5PZTg9sP0FtIpAbYm/+zCx7Yj1ET/Er8mDd6tNVGSQsn9s5xUBwGqn1 + 4wIDAQAB + </PublicKey> + </MetadataFilter> + <MetadataFilter xsi:type="EntityRoleWhiteList"> + <RetainedRole>md:SPSSODescriptor</RetainedRole> + </MetadataFilter> + + </MetadataProvider> + + --> + + <!-- Example file metadata provider. Use this if you want to load metadata + from a local file. You might use this if you have some local SPs + which are not "federated" but you wish to offer a service to. + + If you do not provide a SignatureValidation filter then you *have* + to know that the file is valid. + + + <MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/> + + --> + + +</MetadataProvider> diff --git a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/idp-metadata.xml b/demo/shibboleth-apache-sp/shibboleth-idp/metadata/idp-metadata.xml similarity index 97% rename from demo/shibboleth/configs-and-secrets/midpoint/shibboleth/idp-metadata.xml rename to demo/shibboleth-apache-sp/shibboleth-idp/metadata/idp-metadata.xml index 28ae7d1..86de901 100644 
--- a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/idp-metadata.xml +++ b/demo/shibboleth-apache-sp/shibboleth-idp/metadata/idp-metadata.xml @@ -101,12 +101,12 @@ p+tGUbGS2l873J5PrsbpeKEVR/IIoKo= </KeyDescriptor> - <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/idp/profile/SAML2/Redirect/SLO"/> + <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/idp/profile/SAML2/Redirect/SLO"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/idp/profile/SAML2/POST/SLO"/> - <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost/idp/profile/SAML2/POST-SimpleSign/SLO"/> + <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost/idp/profile/SAML2/POST-SimpleSign/SLO"/> + <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat> - <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat> <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://localhost/idp/profile/Shibboleth/SSO"/> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/idp/profile/SAML2/POST/SSO"/> diff --git a/demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-shib-sp.xml b/demo/shibboleth-apache-sp/shibboleth-idp/metadata/midpoint-shib-sp.xml similarity index 62% rename from demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-shib-sp.xml rename to demo/shibboleth-apache-sp/shibboleth-idp/metadata/midpoint-shib-sp.xml index c774f35..58f384e 100644 --- a/demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-shib-sp.xml +++ b/demo/shibboleth-apache-sp/shibboleth-idp/metadata/midpoint-shib-sp.xml 
@@ -29,60 +29,60 @@ and do *NOT* provide it in real time to your partners. </md:Extensions> <md:KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> - <ds:KeyName>47abdf273ac1</ds:KeyName> + <ds:KeyName>902a9863aa37</ds:KeyName> <ds:X509Data> - <ds:X509SubjectName>CN=47abdf273ac1</ds:X509SubjectName> - <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAN3KLR1rSj7uMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV -BAMTDDQ3YWJkZjI3M2FjMTAeFw0xOTA0MjYxODAzMzRaFw0yOTA0MjMxODAzMzRa -MBcxFTATBgNVBAMTDDQ3YWJkZjI3M2FjMTCCAaIwDQYJKoZIhvcNAQEBBQADggGP -ADCCAYoCggGBAMPUEiYPVaEV2CyAdVLjj57vw71o47bkiErWqhh8Flq+JMTA6BUc -wgXVMSlM6OcB+gGdInNSuCwUGD+/LTiRoaECERPRzYAJjO9nSLmldsvBxnR/E5rw -n5c+8K3BOAoLZ/mGKHDhjLlbiClKTMl2Nx3okyb1jKdR/mTjTKzrUy9T42o688s2 -CFuEYmVulHww2zgNSIv5nUaYyH/D3jPYf9ANayv60R3JUp0sijywbRTm4VRgV3P3 -jQ4Y7AlWNnqQlqkEvqZfWt87E56Dbo+nuD0uTRSUmUY4j1DJ0ns8jIUfkHCfq4Sh -bVJQ4eLfc9sTLPE7/42uesT9mH5RGUTB6bZJD2gvKZ9pnbTZUYygOFGcJjkl/Trl -Q0rXMArffseUEqGNJeslQJQAQXDDVwbzFCpneJmMAUNKUwNRhCaazdFErDTvHytB -wmpBvcqhEbbocGxxXm6gNEOrWRK3dZD4GBf+vJA8/Z770ZrQWQfUL/DpYm4tCoDJ -m4/Rsaosv/PqsQIDAQABozowODAXBgNVHREEEDAOggw0N2FiZGYyNzNhYzEwHQYD -VR0OBBYEFLb8Mqq4XpiJZs3S0cQ/nLLfnkoTMA0GCSqGSIb3DQEBCwUAA4IBgQCc -u3AKCgPIOY73bWoXeVD1M6qG1asU9E1r5xle5+2vnXfo+fq/EfA2t+9kNsPs/yxG -O+sL9COXRrTTPhHzbjTQ3AHvd/ar3DUgTTj9rAVmpyXzmu17mFlcx6ihFldYwCFE -k1ZBXQ6hvZeQpFcTeqiPwPza+XeiJh3qgKBinm7RESTNzM5eiAlOCrEgx1tmRV5p -mLrPZYPKUIW9IY0a85lm9lw4rWDEqKaiWDF0E/BWPzF7xsx37ofLCabQm2zPc5Nk -aJD3xxa3OExsIHOa46K72UoaXY2HT8Pf3DucAGp8wBZ8UJBRBmSlbF/U6rjj4L4F -fRWMX+9yfmNOPCi6196EDQ+K4U/96kiq77WcqsqhU4HHwqR0cqvCHxvrU7Y84aXu -lfwgC6d8W/YhLAUIs8yFKTFbiufNW7KdqMs97b2QpNX2RHCFhnUBd1opDLTQGByB -WXrWfdEqrgYwoBN18u0A5migNn5wWpozl84ChRpjTaIangle4Eox8dZq5qV6mf0= + <ds:X509SubjectName>CN=902a9863aa37</ds:X509SubjectName> + <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAJ+Xet5c0YjjMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV +BAMTDDkwMmE5ODYzYWEzNzAeFw0yMTEyMDIyMzAwMjBaFw0zMTExMzAyMzAwMjBa 
+MBcxFTATBgNVBAMTDDkwMmE5ODYzYWEzNzCCAaIwDQYJKoZIhvcNAQEBBQADggGP +ADCCAYoCggGBALMu8PXgzlNqUuNTamJ6U/jmqGacVetSLhb+/IbTl92NlFMt1ZGZ +n72Wb01gBHKXUMT9QHFUP0eTwDOTXyKRf8UrAdW3dwQDHthQ7MPWKEcHPApEKu5H +eo2JSEcyYGXqlr2Il62skfFudEY4xzgNrCc7KYAi8aUPsoqHICqzCGcU8Tw44/N0 +HU9leHBKIlTm5h0mxNX8+/GQCbQvhyIebUNdN12qWhn7wAY7wbgtc23lLKgD++df +jOywttrrBCojHXdytMunUjbSavET8k0y45+3/r/VeKJBd3CA7glG2fBUW5xizS01 +sfTJanuSL3FcE9lm3U1CCFblHEwAgip0z2cnu0MBy8WNYzDEyaZqE6VD2i0uRvf3 +zCmJ3V77+0/fScgRS7JttyFW20UTVWh3olSXU8ORM1GSab6qWNTZpdVySlHeIdWC +QicAlADNY9EchvfQCcWl1wgBxWEOl4nTNUzdtE+X/kIR/VXuO+OwXA7qbx/ytwZO +LqoFarhD5S3X0wIDAQABozowODAXBgNVHREEEDAOggw5MDJhOTg2M2FhMzcwHQYD +VR0OBBYEFOQ85hdOd14qPZFoKasCsUwh2ktxMA0GCSqGSIb3DQEBCwUAA4IBgQAp +8GtAv4ZplaSKSGRFSJHM5ozbG5vn9mf7fx4vMMchKbituHB0CsgUL8JWRE4iG6o/ +UKVfg93JaBqTTh8sGcBt9DEvufBsTY/oAQm3lUMk8xVWb6W00xCKOYcukXd8/i+B +rBbdCTdyYLb6JpdIUYEiUKKYypUiYAvgkiaSfz81Vf5R+X1TkPDvAIBlOzYS4XRG +zsDsadiiNJKjQbz3AEG/KEtail0L+EwYp+dAB0gMOPi/hfEaAHh7NfNbcHBp8SJZ +HkdQreNZXScPBmVx6XYv+SkRPHrE2arln3VCYbt2LwY7TVxL8U3Ii2Ui9+lUp18q +NcxxOBFkIDEJp8tUwxjh8sZRrl14NoYl688+d4oDmWd09VBr3Z3Gi7rPWzBvqDl9 +Cvzm7tk0J5CDJ/pgoJC0DoZw6gyM9d0Eetk5uguLtSyZdRsBdD9gHeDbxZ/zykpT +VOtn1CstTpGrIu//upz4d9NV+3RWcX8zRsK3mqk/eMBqjdZw0AKVKE4jzzSouZk= </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> <md:KeyDescriptor use="encryption"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> - <ds:KeyName>47abdf273ac1</ds:KeyName> + <ds:KeyName>902a9863aa37</ds:KeyName> <ds:X509Data> - <ds:X509SubjectName>CN=47abdf273ac1</ds:X509SubjectName> - <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAJsNOvtU9eJFMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV -BAMTDDQ3YWJkZjI3M2FjMTAeFw0xOTA0MjYxODAzMzRaFw0yOTA0MjMxODAzMzRa -MBcxFTATBgNVBAMTDDQ3YWJkZjI3M2FjMTCCAaIwDQYJKoZIhvcNAQEBBQADggGP -ADCCAYoCggGBALjZmkfztDJ7HDqewumGwXfh93U8T4rjIw0wtc/Vh3PHMzNmJtie -MtoUjJaJ99I9UahrWprpdYQIgxDmjnN3mS89HvFHL/vq4r7m5srrxBXNfRuODyj2 -FJ7R6RVrISyBv/zuSzdhqvC2pBsLp/qocSE+4KPQrVT6i+w7fDYtSTJX257YDRj8 
-XntvWUaXnCUMJuHbHbt7tDgKVYTsm6zP3ohaaVxFc2wzJ4SGQk/FY088ZShHWP9I -KJ/0YbSYxTXX3Htq5n54UDAIF1w8lUZvwxfbfWAhH7wTOZK/qAIm0d7RdrsFXs64 -6VyQUhEY4LOsGJKQI+mLnLGrSUELTgsfdFcoArokN7RgCOXLsFDoP2QnXZX83VVG -1aWJb0rvtr/cDT9FOGrOVXaT/gtAt3rh39hlKRBpXvXZBE0L3gegam3Uq05drdHK -RFw+CHCXyCOvj/xjTmeQjQlhNPK3HetQqlSNhAgh+sDZkZzz3Qw1jU3D2JUHTPUN -9eC3c1+XWn5cTQIDAQABozowODAXBgNVHREEEDAOggw0N2FiZGYyNzNhYzEwHQYD -VR0OBBYEFLDpZ+fBmCN5KDjZ8UyjKHMXRcv2MA0GCSqGSIb3DQEBCwUAA4IBgQCi -GWsUc75R+jBjZfwbReMUCQkbS/a2A7de3VCyWUeoFnlTka9wUOxfKnTRE6XHvjFk -Q/4HT+mE+uHXnVoiJg/NM9yVTKPl503va1bm9+kEW1b6CoxTmUF+fTPc5Pxz9Rto -vlTVTWH8M2YK6nWrWB8xUEVz8hALHBtvN1JUd22mnN6v5s80JLdVc0lwFtcmvcp/ -SnMwkYBIOkEe55uDwODVJtvpdEny0E6ZqofP5bfWfTccX4FOFuA0NqeBullDCjWg -ErIEnmT+qWYdsS2ru5K52pfSaTB1DHyeoiLnqJOnavg1LB0sIMRQK3O5t/5y59VD -9UuR9KGj6DZvpc/jN0CQ353NlG8U+a0QrK9Dkr/g/HiUs2819bNo13ZugdrZ758F -dL+Al2doe9BUzgfZTYm8p2lftfKw4Yycdj+p3DqNk4w1v6I6Oe8PbtwFjZvFFd50 -SZert/PFKIu94m11abs//JPKo0+QcOTn7/5NVD7gRNZY2OpxeERTD2xhtk5zukg= + <ds:X509SubjectName>CN=902a9863aa37</ds:X509SubjectName> + <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAPyhTN3IjNxAMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV +BAMTDDkwMmE5ODYzYWEzNzAeFw0yMTEyMDIyMzAwMjFaFw0zMTExMzAyMzAwMjFa +MBcxFTATBgNVBAMTDDkwMmE5ODYzYWEzNzCCAaIwDQYJKoZIhvcNAQEBBQADggGP +ADCCAYoCggGBALrIjRMDZivNAAEHazkPsOfZKQQ8ikxUlwex4W9jubXXIIKmQZBF +bU1or3GXSWQHjOmqM38elQ+pjZcyuGifGcT48inq4E57Mg0U6BWJChRwqbuUmF9t +t0I/oDqWkHfqx/UCP2poVT9b76ZLr9D+NCMFCZEw+eJukPV53c83baRdZUXM550X +YCNGbUXnifl9ZhlVkQ+teqsXayR+HBBljaJ7vE9pbv8yrVIR+sOsa68dJIMUFiBs +5OgZvfnto5BcwNwE1opaeORI0mkpZP1u/YOnlrHHIf5nSo5/MiF3gC9oGgWnRbnf +rWPwAvfcxlBURJsgjO/FSPWW/OmrtL8YafinPoFmWERpHXWmXfDecnHvOjhrwzSr +BjZciPxfDUfZZnpNX+ZRhZAhxR3IGwxN8tEHyNB6kJZHBY0PqaogcLUzhVbV7jUD +fWV4oQM14OkBx4bI5EYkTVaI966S1v/5fyltzhjkztC16M2xig3lBG5t+wFDsjUO +j86XM/lxm6R5CQIDAQABozowODAXBgNVHREEEDAOggw5MDJhOTg2M2FhMzcwHQYD +VR0OBBYEFP3RZINsIoxMe6LbKdaYexFlpR6XMA0GCSqGSIb3DQEBCwUAA4IBgQAx +ysr70luutkA31L0J4QF+JuS0UenIRwvlvnPusHqVU/0zS0PmE0gzZxRfdg1L3gNi 
+IqvpBk4nTpnL0nio/da+Grm+94DZRP0qalH+oPJaFK+cxGaSu2qaIWc1pZdgO5+8 +r08MBb4d9hHviZ1Ay3r8m9Gs9FeD/BumZKatvTxts+ydP5TiJenz261djyBqBiTC +XFIW866d90l4QQQwWClkfbEN7fj65ANaHXeaYKdYUeUXAPh6oSDmshVE8VFhkIr0 +JOpzj0wzn3Uy+Sqj9EqLxXxELZ0Ho3t9kwIVatNjbQEUd3yNsyDf8hmjCWJgHa5N +4PUHrjVIaqBQEE4f4NwKtAnNQ/bQ7EZiaXtPnJ9tMGGXZY1QztFa/Kv5j7zBgeyu +V5DuUo2gc+mm2oSYuicmZGA9tW6bGkwMM3Me90zNWMk68vFtB/mbGDPiKM7yODqT +3lF1Jj4UDI0oGK59Z06d9G03sAsDf9JDLQ9PfmEHSh7c2O+F9eEj3hrUMiYzDFA= </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> @@ -107,4 +107,4 @@ SZert/PFKIu94m11abs//JPKo0+QcOTn7/5NVD7gRNZY2OpxeERTD2xhtk5zukg= <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://localhost:8443/Shibboleth.sso/SAML2/ECP" index="4"/> </md:SPSSODescriptor> -</md:EntityDescriptor> \ No newline at end of file +</md:EntityDescriptor> diff --git a/demo/shibboleth-midpoint-sp/beacon/Dockerfile b/demo/shibboleth-midpoint-sp/beacon/Dockerfile new file mode 100644 index 0000000..256352c --- /dev/null +++ b/demo/shibboleth-midpoint-sp/beacon/Dockerfile @@ -0,0 +1,15 @@ +FROM rockylinux:9.3 + +COPY container_files/* /opt/tier/ + +RUN dnf update -y --disablerepo=\* --enablerepo=baseos && \ + dnf install -y cronie-anacron crontabs cronie --disablerepo=\* --enablerepo=baseos && \ + dnf clean all -y ; \ + rm -rf /var/cache/dnf ; \ + /opt/tier/setup-cron.sh ; + +ENV TIER_RELEASE=not-released-yet \ + TIER_MAINTAINER=tier \ + MP_VERSION=4.8 + +CMD [ "/usr/sbin/crond", "-n", "-i", "-m", "off" ] diff --git a/demo/shibboleth-midpoint-sp/beacon/container_files/sendtierbeacon.sh b/demo/shibboleth-midpoint-sp/beacon/container_files/sendtierbeacon.sh new file mode 100755 index 0000000..8f066f7 --- /dev/null +++ b/demo/shibboleth-midpoint-sp/beacon/container_files/sendtierbeacon.sh 
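Review bot: Both KeyDescriptors are re-pinned to certificates for `CN=902a9863aa37`, a value that looks like a generated container hostname, so this metadata is bound to one specific SP key pair and nothing in the file says how it was produced or how to refresh it. Decoding the validity fields of the new certificates gives roughly 2021-12 to 2031-11, so expiry is not imminent, but anyone rebuilding the SP container presumably ends up with a different key and stale metadata on the IdP side. A header comment next to the existing "do *NOT* provide it in real time" note, such as `<!-- Demo SP certificates: regenerate from the SP container's signing/encryption keys and paste both <ds:X509Certificate> blocks -->`, would remove the guesswork. The enclosing `md:EntityDescriptor` starts outside the hunk.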
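Review bot: The `RUN` chain switches from `&&` to `;` after `dnf clean all -y`, so a failed `dnf install` does not stop the build: `rm -rf` and `/opt/tier/setup-cron.sh` still run and the step's result is only the exit status of the cron setup, so a partially provisioned image can pass. Chain every step with `&&` (or use a heredoc with `set -e`) and drop the trailing `;`: `dnf clean all -y && rm -rf /var/cache/dnf && /opt/tier/setup-cron.sh`. Because `setup-cron.sh` picks its random beacon minute/hour when it runs, calling it from a build step freezes that schedule into the image and every container started from it beacons at the same time. `ENV MP_VERSION=4.8` also disagrees with the `4.8.4` default the compose file pins for the midPoint image, so the version the beacon reports is approximate; a comment stating that it is intentionally the minor version would settle it.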
@@ -0,0 +1,39 @@ +#!/bin/bash + +LOGHOST="collector.testbed.tier.internet2.edu" +LOGPORT="5001" + +if [ -s /opt/tier/env.bash ]; then + . /opt/tier/env.bash +fi + +messagefile="/tmp/beaconmsg" + +if [ -z "$TIER_BEACON_OPT_OUT" ]; then + cat > $messagefile <<EOF +{ + "msgType" : "TIERBEACON", + "msgName" : "TIER", + "msgVersion" : "1.0", + "tbProduct" : "midPoint", + "tbProductVersion" : "$MP_VERSION", + "tbTIERRelease" : "$TIER_RELEASE", + "tbMaintainer" : "$TIER_MAINTAINER" +} +EOF + +# echo "going to send TIER beacon to ${LOGHOST}:${LOGPORT}:" +# cat $messagefile + + curl -s -XPOST "${LOGHOST}:${LOGPORT}/" -H 'Content-Type: application/json' -T $messagefile >/dev/null 2>&1 + if [ $? -eq 0 ]; then + echo "TIER beacon sent" + else + echo "Failed to send TIER beacon" + fi + + rm -f $messagefile 1>/dev/null 2>&1 + +else + echo "TIER beacon skipped - scheduled but Opted out" +fi diff --git a/demo/shibboleth-midpoint-sp/beacon/container_files/setup-cron.sh b/demo/shibboleth-midpoint-sp/beacon/container_files/setup-cron.sh new file mode 100755 index 0000000..2d33d3a --- /dev/null +++ b/demo/shibboleth-midpoint-sp/beacon/container_files/setup-cron.sh 
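Review bot: `curl -s -XPOST "${LOGHOST}:${LOGPORT}/"` exits 0 on an HTTP 4xx/5xx response, so the following `$? -eq 0` test prints "TIER beacon sent" even when the collector rejects the message; add `-f` (`curl -sf -XPOST ...`) so server-side errors are reported as failures. The URL carries no scheme, so curl falls back to plain HTTP for the product/version telemetry; if the collector offers TLS, prefix `https://`. The payload is written to the fixed path `/tmp/beaconmsg` and referenced unquoted throughout; `messagefile=$(mktemp)` plus `"$messagefile"` avoids clobbering or following a pre-existing file on a shared /tmp. The opt-out test `[ -z "$TIER_BEACON_OPT_OUT" ]` treats any non-empty value, including `false`, as opting out, which deserves a comment at the top of the script.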
@@ -0,0 +1,24 @@ +#!/bin/bash + +CRONFILE=/opt/tier/tier-cron + +echo "#send daily \"beacon\" to central" > ${CRONFILE} +echo "" >> ${CRONFILE} +echo "# ┌───────────── minute (0–59)" >> ${CRONFILE} +echo "# │ ┌───────────── hour (0–23)" >> ${CRONFILE} +echo "# │ │ ┌───────────── day of the month (1–31)" >> ${CRONFILE} +echo "# │ │ │ ┌───────────── month (1–12)" >> ${CRONFILE} +echo "# │ │ │ │ ┌───────────── day of the week (0–6) (Sunday to Saturday;" >> ${CRONFILE} +echo "# │ │ │ │ │ 7 is also Sunday on some systems)" >> ${CRONFILE} +echo "# │ │ │ │ │" >> ${CRONFILE} +echo "# │ │ │ │ │" >> ${CRONFILE} +echo "# * * * * * <command to execute>" >> ${CRONFILE} +echo "" >> ${CRONFILE} +echo "$(expr $RANDOM % 60) $(expr $RANDOM % 4) * * * /opt/tier/sendtierbeacon.sh 2>&1 | tee /proc/1/fd/1 >> /tmp/logcrond" >> ${CRONFILE} +echo "" >> ${CRONFILE} +echo "# List the current setting of the crontab to the log (when is the beacon scheduled)" >> ${CRONFILE} +echo "@reboot crontab -l >/proc/1/fd/1" >> ${CRONFILE} +echo "" >> ${CRONFILE} + +chmod 644 ${CRONFILE} +crontab ${CRONFILE} diff --git a/demo/shibboleth-midpoint-sp/directory/Dockerfile b/demo/shibboleth-midpoint-sp/directory/Dockerfile new file mode 100644 index 0000000..4880156 --- /dev/null +++ b/demo/shibboleth-midpoint-sp/directory/Dockerfile 
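Review bot: The beacon schedule `$(expr $RANDOM % 60) $(expr $RANDOM % 4)` is evaluated when this script runs, and the beacon Dockerfile invokes it from a `RUN` step, so the "random" minute and hour are fixed in the image and every container built from it fires at the same time; if the intent is to spread load across deployments, run this script from the container entrypoint before `crond` instead, and say so in a comment. The cron line appends to `/tmp/logcrond` with no rotation for the life of the container, while the `tee /proc/1/fd/1` copy already reaches the container log, so the file may be unnecessary. In bash `$(( RANDOM % 60 ))` is the idiomatic form of `$(expr $RANDOM % 60)`.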
@@ -0,0 +1,35 @@ +FROM rockylinux:9.3 as baseinst + +RUN dnf update -y && \ + dnf install -y --enablerepo=devel openldap openldap-clients openldap-servers && \ + dnf clean all && \ + rm -rf /var/cache/dnf + +EXPOSE 389/tcp + +VOLUME /var/lib/ldap + +FROM baseinst + +#LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" + +ARG ldapDomain="dc=internet2,dc=edu" +ARG ldapPw="password" + +COPY container_files/* /opt + +RUN cd /opt ; \ + /opt/slapd.sh -init ; \ + /opt/gen_config_update "${ldapDomain}" "${ldapPw}" "0" "0" ;\ + cat 999_schema-list | while read line ; do \ + ldapadd -H ldapi:/// -f /etc/openldap/schema/${line}.ldif ; \ + done ; \ + for s in 0 1 2 3 4 5 6 7 8 9 ; do \ + find -type f -name "${s}[0-4]?_*.ldif" -exec ldapmodify -H ldapi:/// -f /opt/\{\} \; ; \ + find -type f -name "${s}[5-9]?_*.ldif" -exec ldapadd -H ldapi:/// -f /opt/\{\} \; ; \ + done ; \ + rm /opt/[0-9]* && \ + /opt/slapd.sh -stop ; + +CMD [ "/opt/slapd.sh", "-limit", "1024", "-debug", "256" ] + diff --git a/demo/shibboleth-midpoint-sp/directory/container_files/gen_config_update b/demo/shibboleth-midpoint-sp/directory/container_files/gen_config_update new file mode 100755 index 0000000..a23fccc --- /dev/null +++ b/demo/shibboleth-midpoint-sp/directory/container_files/gen_config_update 
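Review bot: `ARG ldapPw="password"` passes the LDAP admin password as a build argument, which is recorded in the image's `docker history` and defaults to a well-known value; the hashed form is then baked into the directory data in the image. Prefer `RUN --mount=type=secret` for the password, or at minimum a comment stating that the default is demo-only and must be overridden with `--build-arg`. The initialization `RUN` chains `slapd.sh -init`, `gen_config_update` and every `ldapadd`/`ldapmodify` with `;`, so a failing LDIF is ignored and the build succeeds with a half-initialized directory whose only checked exit status is `/opt/slapd.sh -stop`; `set -e` in a heredoc or `&&` chaining would surface this, and `WORKDIR /opt` replaces `cd /opt`. `VOLUME /var/lib/ldap` is declared in the `baseinst` stage before this step writes the database there, and the Dockerfile reference warns that build-step changes under a declared volume path are discarded by the classic builder; either move the `VOLUME` after the init step or document that BuildKit is required.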
@@ -0,0 +1,203 @@ +#!/bin/bash +domain="${1:-dc=example,dc=com}" +if [ $(echo -n ${domain} | wc -c ) -eq $(echo -n ${domain} | tr -d "," | wc -c) ] +then + subDomain="${domain:4}" +else + subDomain="$(echo -n ${domain:4} | cut -d , -f 1)" +fi +userpw="${2:-change_me}" +cleartext="${3:-0}" +locDebug="${4:-0}" + +function genPass() { + retVal="userPassword:" + if [ "${cleartext}" != "1" ] + then + secPw="$(slappasswd -s ${userpw})" + secPw2="$(echo -n ${secPw} | base64 )" + [ "${locDebug}" != "0" ] && echo "${userpw} => ${secPw} => ${secPw2}" >&2 + retVal="${retVal}: ${secPw2}" + else + [ "${locDebug}" != "0" ] && echo "${userpw}" >&2 + retVal="${retVal} ${userpw}" + fi + while [ ${#retVal} -gt 78 ] + do + echo "${retVal:0:78}" + retVal=" ${retVal:78}" + done + if [ ${#retVal} -gt 2 ] + then + echo "${retVal}" + fi +} + +cat >999_schema-list <<EOF +cosine +inetorgperson +nis +EOF + +cat >001_monitor-diff.ldif <<EOF +dn: olcDatabase={1}monitor,cn=config +changetype: modify +replace: olcAccess +olcAccess: {0}to * + by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read + by dn.base="cn=admin,${domain}" read + by * none +EOF + +cat >101_mdb-diff.ldif <<EOF +dn: olcDatabase={2}mdb,cn=config +changetype: modify +replace: olcSuffix +olcSuffix: ${domain} +- +replace: olcRootDN +olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth +- +replace: olcAccess +olcAccess: {0}to dn="cn=admin,${domain}" + by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write + by anonymous auth + by self write + by * none +olcAccess: {1}to attrs=userPassword,shadowLastChange + by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write + by dn="cn=admin,${domain}" write + by dn="uid=administrator,ou=People,${domain}" write + by anonymous auth + by self write + by * none +olcAccess: {2}to dn.subtree="ou=people,${domain}" + by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write + by dn="cn=admin,${domain}" write + by 
dn="uid=administrator,ou=People,${domain}" write + by * read +olcAccess: {3}to dn.base="" + by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write + by dn="cn=admin,${domain}" write + by * read +olcAccess: {4}to * + by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write + by dn="uid=administrator,ou=people,${domain}" write + by dn="cn=admin,${domain}" write + by anonymous auth + by self read + by * none +EOF + +cat >251_mod_config.ldif <<EOF +dn: cn=module{0},cn=config +objectClass: olcModuleList +cn: module{0} +olcModulePath: /usr/lib64/openldap +olcModuleLoad: {0}memberof +olcModuleLoad: {1}refint +olcModuleLoad: {2}ppolicy +olcModuleLoad: {3}sssvlv + +dn: olcOverlay={0}memberof,olcDatabase={2}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcMemberOf +olcOverlay: {0}memberof +olcMemberOfDangling: ignore +olcMemberOfRefInt: TRUE +olcMemberOfGroupOC: groupOfUniqueNames +olcMemberOfMemberAD: uniqueMember +olcMemberOfMemberOfAD: memberOf + +dn: olcOverlay={1}refint,olcDatabase={2}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcRefintConfig +olcOverlay: {1}refint +olcRefintAttribute: owner +olcRefintAttribute: manager +olcRefintAttribute: uniqueMember +olcRefintAttribute: member +olcRefintAttribute: memberOf + +dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config +objectClass: olcPPolicyConfig +objectClass: olcOverlayConfig +olcOverlay: {2}ppolicy +olcPPolicyDefault: cn=defaultpw,ou=policies,${domain} +olcPPolicyHashCleartext: TRUE +olcPPolicyUseLockout: TRUE + +dn: olcOverlay={3}sssvlv,olcDatabase={2}mdb,cn=config +objectClass: olcSssVlvConfig +objectClass: olcOverlayConfig +olcOverlay: {3}sssvlv +EOF + +cat >151_default_structure.ldif <<EOF +dn: ${domain} +objectClass: top +objectClass: dcObject +objectClass: organization +o: ${subDomain} + +dn: cn=admin,${domain} +objectClass: simpleSecurityObject +objectClass: organizationalRole +cn: admin +$(genPass) +description: LDAP administrator + +dn: 
ou=groups,${domain} +objectClass: top +objectClass: organizationalUnit +ou: groups + +dn: ou=people,${domain} +objectClass: top +objectClass: organizationalUnit +ou: people + +dn: ou=policies,${domain} +objectClass: organizationalUnit +ou: policies +EOF + +cat >252_default_policy.ldif <<EOF +dn: cn=defaultpw,ou=policies,${domain} +objectClass: pwdPolicy +objectClass: organizationalRole +cn: defaultpw +pwdAttribute: userPassword +pwdMinLength: 3 +pwdLockout: TRUE +pwdMaxFailure: 3 +pwdLockoutDuration: 30 +EOF + +cat >851_default_structure.ldif <<EOF +dn: uid=administrator,ou=people,${domain} +objectClass: organizationalPerson +objectClass: person +objectClass: top +objectClass: inetOrgPerson +givenName: Administrator +uid: administrator +sn: Administrator +cn: Administrator +$(genPass) +EOF + +cat >959_default_structure.ldif <<EOF +dn: cn=users,ou=groups,${domain} +objectClass: groupOfUniqueNames +objectClass: top +uniqueMember: uid=banderson,ou=people,${domain} +uniqueMember: uid=jsmith,ou=people,${domain} +cn: users + +dn: cn=admins,ou=groups,${domain} +objectClass: groupOfUniqueNames +objectClass: top +uniqueMember: uid=administrator,ou=people,${domain} +cn: admins +EOF diff --git a/demo/shibboleth-midpoint-sp/directory/container_files/slapd.sh b/demo/shibboleth-midpoint-sp/directory/container_files/slapd.sh new file mode 100755 index 0000000..bfd935e --- /dev/null +++ b/demo/shibboleth-midpoint-sp/directory/container_files/slapd.sh 
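Review bot: The `olcAccess: {2}` rule grants `by * read` on `ou=people,${domain}`, so an anonymous bind can enumerate every person entry and all attributes except `userPassword`/`shadowLastChange` (which rule `{1}` protects); if anonymous enumeration is not intended even for the demo, `by users read` is the tighter default, and either way the choice deserves a comment above the rule. `genPass` runs `slappasswd -s ${userpw}`, which puts the cleartext password on the command line and in the process list while the build runs; `slappasswd -T <file>` reads it from a file instead. The generated default policy sets `pwdMinLength: 3`, which is acceptable for a demo only if labelled as such in the heredoc, since this script is what ships as the directory's baseline. A one-line header describing the arguments (`domain userpw cleartext debug`) and the numbering scheme of the emitted LDIF files (the directory Dockerfile applies `x[0-4]?_` with `ldapmodify` and `x[5-9]?_` with `ldapadd`) would make the script maintainable.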
@@ -0,0 +1,56 @@ +#!/bin/bash + +localLimit=${LDAP_LIMIT:-1024} +debugLevel=${LDAP_DEBUG:-256} + +while [ "${1:0:1}" = "-" ] +do + case ${1:1} in + limit) + localLimit=${2} + [ ! -z ${LDAP_LIMIT+x} ] && localLimit=${LDAP_LIMIT} + shift 2 + ;; + debug) + debugLevel=${2} + [ ! -z ${LDAP_DEBUG+x} ] && debugLevel=${LDAP_DEBUG} + shift 2 + ;; + init) + [ ! -z ${LDAP_INFO+x} ] && echo "uLimit : ${localLimit}" >&2 + ulimit -n ${localLimit} + exec /usr/sbin/slapd -4 -h "ldapi:///" -u ldap -g ldap + exit 0 + ;; + stop) + while read line + do + kill ${line} + count=0 + while [ -e /proc/${line} ] + do + [ ${count} -gt 10 ] && kill -9 ${line} + echo "Waiting to terminate the process" + count=$(( ${count} + 1 )) + sleep 1 + done + echo "Terminated..." + ${0} -stop + done < <( grep "^slapd$" /proc/*/comm | head -1 | cut -d / -f 3 ) + exit 0 + ;; + esac +done + +ulimit -n ${localLimit} + + +if [ -z ${LDAP_INIT+x} ] +then + [ ! -z ${LDAP_INFO+x} ] && echo "uLimit : ${localLimit} / debug level : ${debugLevel}" >&2 + exec /usr/sbin/slapd -h "ldap://0.0.0.0:389 ldapi:///" -u ldap -g ldap -d ${debugLevel} +else + [ ! -z ${LDAP_INFO+x} ] && echo "uLimit : ${localLimit}" >&2 + exec /usr/sbin/slapd -4 -h "ldapi:///" -u ldap -g ldap +fi + diff --git a/demo/shibboleth-midpoint-sp/docker-compose.yml b/demo/shibboleth-midpoint-sp/docker-compose.yml new file mode 100644 index 0000000..f9ee9ca --- /dev/null +++ b/demo/shibboleth-midpoint-sp/docker-compose.yml 
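Review bot: The option loop `while [ "${1:0:1}" = "-" ]` has no default `case` arm, so an unrecognised option such as `-foo` is never shifted and the script spins forever instead of starting slapd; add `*) echo "unknown option ${1}" >&2 ; exit 1 ;;` to the `case`. In the `limit` and `debug` arms the environment variable wins over the command-line value when both are set (`[ ! -z ${LDAP_LIMIT+x} ] && localLimit=${LDAP_LIMIT}`), which is the reverse of the usual precedence and worth a comment. The `exit 0` after `exec /usr/sbin/slapd` in the `init` arm is unreachable. The `stop` arm escalates to `kill -9` after about ten seconds, which forgoes slapd's orderly shutdown; a longer grace period before forcing termination is advisable for a database-backed process.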
@@ -0,0 +1,356 @@ +version: "3.3" + +services: + prereq: + image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux + command: > + bash -c " + echo ' - - - - - - -' ; + cd /mnt/security ; + if [ ! -e key.pem ] ; + then + echo 'Certificate has not been found. Generating of the new one...' ; + openssl req -newkey rsa:2048 -keyout key.pem -nodes -subj '/C=US/ST=MI/L=Ann Arbor/O=Internet2\\/TIER/CN=midpoint.sp.example.org' -addext 'subjectAltName = DNS:midpoint.sp.example.org, DNS:midpoint_server, DNS:directory, DNS:idp, DNS: localhost, DNS: localhost.localdomain, IP:127.0.0.1, IP:::1' -out cert.pem -days 1825 -x509 ; + openssl req -newkey rsa:3072 -keyout sp-encrypt-key.pem -nodes -subj '/CN=sptest.example.edu' -addext 'subjectAltName = DNS:sptest.example.edu' -out sp-encrypt-cert.pem -days 3650 -x509 ; + openssl req -newkey rsa:3072 -keyout sp-signing-key.pem -nodes -subj '/CN=sptest.example.edu' -addext 'subjectAltName = DNS:sptest.example.edu' -out sp-signing-cert.pem -days 3650 -x509 ; + openssl req -newkey rsa:2048 -keyout idp-backchannel.key -nodes -subj '/CN=idptestbed' -addext 'subjectAltName = DNS:idptestbed, URI:https://idptestbed/idp/shibboleth' -out idp-backchannel.crt -days 7300 -x509 ; + openssl req -newkey rsa:2048 -keyout idp-encryption.key -nodes -subj '/CN=idptestbed' -addext 'subjectAltName = DNS:idptestbed, URI:https://idptestbed/idp/shibboleth' -out idp-encryption.crt -days 7300 -x509 ; + openssl req -newkey rsa:2048 -keyout idp-signing.key -nodes -subj '/CN=idptestbed' -addext 'subjectAltName = DNS:idptestbed, URI:https://idptestbed/idp/shibboleth' -out idp-signing.crt -days 7300 -x509 ; + openssl req -newkey rsa:2048 -keyout idp-browser.key -nodes -subj '/CN=idp.ccc.local' -addext 'authorityKeyIdentifier = keyid:always,issuer:always' -out idp-browser.crt -days 10585 -x509 ; + openssl x509 -noout -fingerprint -sha256 -in cert.pem ; + openssl pkcs12 -export -in sp-signing-cert.pem -inkey sp-signing-key.pem -out signing-key.p12 -passout pass:password 
-name signing-key ; + openssl pkcs12 -export -in sp-encrypt-cert.pem -inkey sp-encrypt-key.pem -out encrypt-key.p12 -passout pass:password -name encrypt-key ; + openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.p12 -passout pass:password -name selfsigned ; + keytool -importkeystore -srckeystore encrypt-key.p12 -srcstoretype pkcs12 -srcstorepass password -srcalias encrypt-key -destkeystore shibboleth_sp_keys.jks -deststoretype jks -deststorepass changeit -noprompt -destalias encrypt-key ; + keytool -importkeystore -srckeystore signing-key.p12 -srcstoretype pkcs12 -srcstorepass password -srcalias signing-key -destkeystore shibboleth_sp_keys.jks -deststoretype jks -deststorepass changeit -noprompt -destalias signing-key ; + keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -srcstorepass password -srcalias selfsigned -destkeystore keystore.jks -deststoretype jks -deststorepass password -noprompt -destalias selfsigned ; + keytool -list -keystore shibboleth_sp_keys.jks -storetype jceks -storepass changeit ; + keytool -list -keystore keystore.jks -storetype jceks -storepass password ; + openssl pkcs12 -export -in idp-backchannel.crt -inkey idp-backchannel.key -out idp-backchannel.p12 -passout pass:password -name idptestbed ; + openssl pkcs12 -export -in idp-browser.crt -inkey idp-browser.key -out idp-browser.p12 -passout pass:password -name myAlias ; + for s in *ert.pem *.crt ; do echo ' - - - - - ' ; echo $${s} ; openssl x509 -noout -fingerprint -sha256 -in $${s} ; echo ; openssl x509 -noout -subject -subject_hash -dates -in $${s} ; done ; + echo ' - - - - - ' ; + mkdir /mnt/midpoint/var/shibboleth ; + cp shibboleth_sp_keys.jks /mnt/midpoint/var/shibboleth ; + cp cert.pem /mnt/midpoint/var ; + cp key.pem /mnt/midpoint/var ; + mkdir /mnt/nginx/certs; + cp cert.pem /mnt/nginx/certs ; + cp key.pem /mnt/nginx/certs ; + echo ' server {' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' listen 443 ssl default_server;' >> 
/mnt/nginx/conf.d/midpoint.conf ; + echo ' server_name localhost;' >> /mnt/nginx/conf.d/midpoint.conf ; + echo '' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' ssl_certificate /etc/nginx/certs/cert.pem;' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' ssl_certificate_key /etc/nginx/certs/key.pem;' >> /mnt/nginx/conf.d/midpoint.conf ; + echo '' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' location / {' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' rewrite ^/$ /midpoint/ last;' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' rewrite ^/midpoint$ /midpoint/ last;' >> /mnt/nginx/conf.d/midpoint.conf ; + echo '' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' proxy_set_header X-Real-IP $$remote_addr;' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' proxy_set_header X-Forwarded-Host: $$host;' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' proxy_set_header X-Forwarded-Proto: $$scheme;' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' proxy_pass http://midpoint-container:8080/;' >> /mnt/nginx/conf.d/midpoint.conf ; + echo '' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' }' >> /mnt/nginx/conf.d/midpoint.conf ; + echo '' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' location /idp {' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' proxy_set_header Host localhost;' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' proxy_pass https://idp:443/idp ;' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' }' >> /mnt/nginx/conf.d/midpoint.conf ; + echo ' }' >> /mnt/nginx/conf.d/midpoint.conf ; + cp idp-backchannel.crt /mnt/shibboleth-idp/credentials ; + cp idp-backchannel.p12 /mnt/shibboleth-idp/credentials ; + cp idp-browser.p12 /mnt/shibboleth-idp/credentials ; + cp idp-encryption.crt /mnt/shibboleth-idp/credentials ; + cp idp-encryption.key /mnt/shibboleth-idp/credentials ; + cp idp-signing.crt 
/mnt/shibboleth-idp/credentials ; + cp idp-signing.key /mnt/shibboleth-idp/credentials ; + cp sp-signing-cert.pem /mnt/shibboleth-idp/credentials ; + cp keystore.jks /mnt/shibboleth/certs ; + echo ' - - - - - ' ; + find -type f ; + echo ' - - - - - - -' ; + find /mnt/shibboleth-idp/ -type f ; + echo ' - - - - - - -' ; + find /mnt/shibboleth -type f ; + echo ' - - - - - - -' ; + find /mnt/midpoint/ -type f ; + echo ' - - - - - - -' ; + else echo 'certificate already exists... (skip new cert generation)' ; + fi ; + if [ ! -e /mnt/shared_pw/db_pass ] ; then + echo 'Generating password for DB connection...'; + dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d -c [0-9a-z] | cut -c 1-32 | tr -d [[:space:]] > /mnt/shared_pw/db_pass ; + fi ; + " + networks: + - net + volumes: + - security_object:/mnt/security + - shared_pw:/mnt/shared_pw + - idp_credentials:/mnt/shibboleth-idp/credentials + - idp_certs:/mnt/shibboleth/certs + - proxy_conf:/mnt/nginx + - midpoint_home:/mnt/midpoint/var + + midpoint_data: + image: postgres:16-alpine + depends_on: + prereq: + condition: service_completed_successfully + environment: + - POSTGRES_PASSWORD_FILE=/mnt/shared_pw/db_pass + - POSTGRES_USER=midpoint + - POSTGRES_INITDB_ARGS=--lc-collate=en_US.utf8 --lc-ctype=en_US.utf8 + healthcheck: + test: [ "CMD-SHELL", "pg_isready -d midpoint -U midpoint" ] + interval: 1s + timeout: 5s + retries: 10 + networks: + - net + volumes: + - midpoint_data:/var/lib/postgresql/data + - shared_pw:/mnt/shared_pw + + data_init: + image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux + depends_on: + prereq: + condition: service_completed_successfully + midpoint_data: + condition: service_healthy + command: > + bash -c " + cd /opt/midpoint ; + bin/midpoint.sh init-native ; + echo ' - - - - - - ' ; + bin/ninja.sh -B info >/dev/null 2>/tmp/ninja.log ; + grep -q \"ERROR\" /tmp/ninja.log && ( + bin/ninja.sh run-sql --create --mode REPOSITORY ; + bin/ninja.sh run-sql --create --mode AUDIT + ) || + echo -e 
'\\n Repository init is not needed...' ; + if [ $$(keytool -list -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass:file /opt/midpoint/var/keystorepw | grep -c 'local_gen_cert') -eq 0 ] ; + then + keytool -importcert -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass:file /opt/midpoint/var/keystorepw -trustcacerts -alias 'local_gen_cert' -file /opt/midpoint/var/cert.pem -noprompt ; + else + echo 'Certificate exists in the cert store' ; + fi ; + " + environment: + - MP_SET_midpoint_repository_jdbcUsername=midpoint + - MP_SET_midpoint_repository_jdbcPassword_FILE=/mnt/shared_pw/db_pass + - MP_SET_midpoint_repository_jdbcUrl=jdbc:postgresql://midpoint_data:5432/midpoint + - MP_SET_midpoint_repository_database=postgresql + - MP_INIT_CFG=/opt/midpoint/var + - MP_PW_DEF=/opt/midpoint/var/keystorepw + - MP_KEYSTORE=/opt/midpoint/var/keystore.jceks + networks: + - net + volumes: + - midpoint_home:/opt/midpoint/var + - shared_pw:/mnt/shared_pw + + midpoint_server: + image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux + container_name: midpoint_server + hostname: midpoint-container + depends_on: + data_init: + condition: service_completed_successfully + idp_vol_init: + condition: service_completed_successfully + midpoint_data: + condition: service_healthy + command: [ "/opt/midpoint/bin/midpoint.sh", "container" ] + ports: + - 8080:8080 + environment: + - MP_SET_midpoint_repository_jdbcUsername=midpoint + - MP_SET_midpoint_repository_jdbcPassword_FILE=/mnt/shared_pw/db_pass + - MP_SET_midpoint_repository_jdbcUrl=jdbc:postgresql://midpoint_data:5432/midpoint + - MP_SET_midpoint_repository_database=postgresql + - MP_SET_midpoint_keystore_keyStorePassword_FILE=/opt/midpoint/var/keystorepw + - MP_SET_midpoint_administrator_initialPassword=Test5ecr3t + - MP_UNSET_midpoint_repository_hibernateHbm2ddl=1 + - MP_NO_ENV_COMPAT=1 + - MP_ENTRY_POINT=/opt/midpoint-dirs-docker-entrypoint + networks: + - net + volumes: + - 
midpoint_home:/opt/midpoint/var + - shared_pw:/mnt/shared_pw + - ./midpoint_server/post-initial-objects:/opt/midpoint-dirs-docker-entrypoint/post-initial-objects:ro + - ./midpoint_server/shibboleth:/opt/midpoint-dirs-docker-entrypoint/shibboleth:ro + + directory: + build: ./directory/ + ports: + - 389:389 + networks: + - net + volumes: + - ldap:/var/lib/ldap + + idp_vol_init: + image: tier/shib-idp:3.4.6_20191002 + depends_on: + prereq: + condition: service_completed_successfully + ulimits: + nofile: + soft: 1024 + hard: 2048 + command: > + bash -c " + echo 'Updating configuration...' ; + if [ -e /mnt/shibboleth-diff/conf ] ; + then + cp -vu /mnt/shibboleth-diff/conf/* /opt/shibboleth-idp/conf ; + fi ; + if [ -e /mnt/shibboleth-diff/credentials ] ; + then + cp -vu /mnt/shibboleth-diff/credentials/* /opt/shibboleth-idp/credentials ; + fi ; + if [ -e /mnt/shibboleth-diff/metadata ] ; + then + cp -vu /mnt/shibboleth-diff/metadata/* /opt/shibboleth-idp/metadata ; + fi ; + echo ' - - - - - - -' ; + echo 'Updating idp-metadata.xml file...' 
; + grep -n 'X509Certificate' /mnt/shibboleth-diff/metadata/idp-metadata.xml | sed \"s/\\([0-9]*\\).*/\\1/\" > /tmp/checkpoints ; + wc -l /mnt/shibboleth-diff/metadata/idp-metadata.xml | sed \"s/\\([0-9]*\\).*/\\1/\" >> /tmp/checkpoints ; + current_line=1 ; + id=0 ; + file_path=( - idp-backchannel.crt - idp-signing.crt - idp-encryption.crt - idp-backchannel.crt - idp-signing.crt - idp-encryption.crt - ) ; + rm /opt/shibboleth-idp/metadata/idp-metadata.xml ; + cat /tmp/checkpoints | while read line ; do + if [ \"$${file_path[$${id}]}\" == \"-\" ] ; then + sed -n \"$${current_line},$${line}p\" /mnt/shibboleth-diff/metadata/idp-metadata.xml >> /opt/shibboleth-idp/metadata/idp-metadata.xml ; + else + sed '1d;$$d' /opt/shibboleth-idp/credentials/$${file_path[$${id}]} >> /opt/shibboleth-idp/metadata/idp-metadata.xml ; + fi ; + current_line=$${line}; + id=$$(( $${id} + 1 )) ; + done ; + cp -v /opt/shibboleth-idp/metadata/idp-metadata.xml /opt/midpoint/var/shibboleth/idp-metadata.xml ; + echo ' - - - - - - -' ; + echo 'Updating midpoint-sp.xml...'; + grep -n 'X509Certificate' /mnt/shibboleth-diff/metadata/midpoint-sp.xml | sed \"s/\\([0-9]*\\).*/\\1/\" > /tmp/checkpoints ; + wc -l /mnt/shibboleth-diff/metadata/midpoint-sp.xml | sed \"s/\\([0-9]*\\).*/\\1/\" >> /tmp/checkpoints ; + current_line=1 ; + id=0 ; + file_path=( - sp-signing-cert.pem - ) ; + rm /opt/shibboleth-idp/metadata/midpoint-sp.xml ; + cat /tmp/checkpoints | while read line ; do + if [ \"$${file_path[$${id}]}\" == \"-\" ] ; then + sed -n \"$${current_line},$${line}p\" /mnt/shibboleth-diff/metadata/midpoint-sp.xml >> /opt/shibboleth-idp/metadata/midpoint-sp.xml ; + else + sed '1d;$$d' /opt/shibboleth-idp/credentials/$${file_path[$${id}]} >> /opt/shibboleth-idp/metadata/midpoint-sp.xml ; + fi ; + current_line=$${line}; + id=$$(( $${id} + 1 )) ; + done ; + sed -i \"s/\\([[:space:]]<ds:X509Certificate>\\).*$$/\\1/g;s/^[[:space:]]\\(<ds:X509Certificate>\\).*$$/\\1/g\" /opt/shibboleth-idp/metadata/midpoint-sp.xml 
; + echo ' - - - - - - -' ; + echo 'Updating midpoint-sp-ssl.xml...'; + grep -n 'X509Certificate' /mnt/shibboleth-diff/metadata/midpoint-sp-ssl.xml | sed \"s/\\([0-9]*\\).*/\\1/\" > /tmp/checkpoints ; + wc -l /mnt/shibboleth-diff/metadata/midpoint-sp-ssl.xml | sed \"s/\\([0-9]*\\).*/\\1/\" >> /tmp/checkpoints ; + current_line=1 ; + id=0 ; + file_path=( - sp-signing-cert.pem - ) ; + rm /opt/shibboleth-idp/metadata/midpoint-sp-ssl.xml ; + cat /tmp/checkpoints | while read line ; do + if [ \"$${file_path[$${id}]}\" == \"-\" ] ; then + sed -n \"$${current_line},$${line}p\" /mnt/shibboleth-diff/metadata/midpoint-sp-ssl.xml >> /opt/shibboleth-idp/metadata/midpoint-sp-ssl.xml ; + else + sed '1d;$$d' /opt/shibboleth-idp/credentials/$${file_path[$${id}]} >> /opt/shibboleth-idp/metadata/midpoint-sp-ssl.xml ; + fi ; + current_line=$${line}; + id=$$(( $${id} + 1 )) ; + done ; + sed -i \"s/\\([[:space:]]<ds:X509Certificate>\\).*$$/\\1/g;s/^[[:space:]]\\(<ds:X509Certificate>\\).*$$/\\1/g\" /opt/shibboleth-idp/metadata/midpoint-sp-ssl.xml ; + echo ' - - - - - - -' ; + echo 'Generating sealer key...' ; + rm /opt/shibboleth-idp/credentials/sealer.* ; + /opt/shibboleth-idp/bin/rotateSealerKey.sh ; + echo ' - - - - - - -' ; + echo 'DONE.' 
; + " + volumes: + - idp_conf:/opt/shibboleth-idp/conf + - idp_credentials:/opt/shibboleth-idp/credentials + - idp_metadata:/opt/shibboleth-idp/metadata + - ./shibboleth-idp:/mnt/shibboleth-diff:ro + - midpoint_home:/opt/midpoint/var + + idp: + image: tier/shib-idp:3.4.6_20191002 + depends_on: + directory: + condition: service_started + idp_vol_init: + condition: service_completed_successfully + ulimits: + nofile: + soft: 1024 + hard: 2048 + environment: + - JETTY_MAX_HEAP=64m + - JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=password + - JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=password + networks: + - net + volumes: + - idp_conf:/opt/shibboleth-idp/conf + - idp_credentials:/opt/shibboleth-idp/credentials + - idp_metadata:/opt/shibboleth-idp/metadata + - idp_certs:/opt/certs + + beacon: + build: ./beacon/ + networks: + - net + environment: + - TIER_RELEASE=not-released-yet + - TIER_MAINTAINER=tier + - MP_VERSION=4.8 + - TIER_BEACON_OPT_OUT=true + + proxy: + image: nginx:stable + depends_on: + prereq: + condition: service_completed_successfully + midpoint_server: + condition: service_started + idp: + condition: service_started + ports: + - 8180:80 + - 443:443 + networks: + - net + volumes: + - proxy_conf:/etc/nginx + +networks: + net: + driver: bridge + +volumes: + security_object: + midpoint_data: + midpoint_home: + idp_conf: + idp_credentials: + idp_metadata: + idp_certs: + proxy_conf: + ldap: + shared_pw: diff --git a/demo/shibboleth-midpoint-sp/midpoint_server/post-initial-objects/SecurityPolicy.xml b/demo/shibboleth-midpoint-sp/midpoint_server/post-initial-objects/SecurityPolicy.xml new file mode 100644 index 0000000..65c6fa7 --- /dev/null +++ b/demo/shibboleth-midpoint-sp/midpoint_server/post-initial-objects/SecurityPolicy.xml 
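Review bot: The generated nginx config writes `proxy_set_header X-Forwarded-Host: $$host;` and `proxy_set_header X-Forwarded-Proto: $$scheme;` with a colon inside the field name, and nginx sends the name verbatim, so the upstream receives `X-Forwarded-Host:: …` rather than the intended header; drop the colons: `echo ' proxy_set_header X-Forwarded-Host $$host;'` and `echo ' proxy_set_header X-Forwarded-Proto $$scheme;'`. `proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` re-enables deprecated TLS 1.0/1.1 on the proxy-to-IdP hop; `proxy_ssl_protocols TLSv1.2 TLSv1.3;` is the expected floor. The stack publishes `8080:8080` (midPoint over plaintext, bypassing the TLS proxy) and `389:389` (LDAP) on the host and fixes `MP_SET_midpoint_administrator_initialPassword=Test5ecr3t` plus `password`/`changeit` keystore passwords, so a top-of-file comment stating that this is a local demo and listing the exposed ports and fixed credentials would make the trust assumptions explicit for anyone reusing the file. `tier/shib-idp:3.4.6_20191002` is a Shibboleth IdP v3 image, a line that reached end of life at the end of 2020, which is worth noting next to the image tag.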
@@ -0,0 +1,112 @@
+ <securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="00000000-0000-0000-0000-000000000120" version="2">
+ <name>Default Security Policy</name>
+ <authentication>
+ <modules>
+ <loginForm>
+ <identifier>loginForm</identifier>
+ </loginForm>
+ <httpBasic>
+ <identifier>httpBasic</identifier>
+ </httpBasic>
+ <saml2>
+ <identifier>mySamlSso</identifier>
+ <description>My internal enterprise SAML-based SSO system.</description>
+ <serviceProvider>
+ <entityId>midpointdemo-shibboleth</entityId>
+ <signRequests>true</signRequests>
+ <keys>
+ <activeKeyStoreKey>
+ <keyStorePath>/opt/midpoint/var/shibboleth/shibboleth_sp_keys.jks</keyStorePath>
+ <keyStorePassword>
+ <t:clearValue>changeit</t:clearValue>
+ </keyStorePassword>
+ <keyAlias>signing-key</keyAlias>
+ <keyPassword>
+ <t:clearValue>password</t:clearValue>
+ </keyPassword>
+ </activeKeyStoreKey>
+ </keys>
+ <identityProvider>
+ <entityId>https://idptestbed/idp/shibboleth</entityId>
+ <metadata>
+ <pathToFile>/opt/midpoint/var/shibboleth/idp-metadata.xml</pathToFile>
+ </metadata>
+ <linkText>Shibboleth</linkText>
+ <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
+ <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
+ </identityProvider>
+ </serviceProvider>
+ </saml2>
+ </modules>
+ <sequence>
+ <identifier>admin-gui-saml-internal</identifier>
+ <description>
+ Internal SAML2 GUI authentication sequence.
+ </description>
+ <channel>
+ <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
+ <default>true</default>
+ <urlSuffix>saml-internal</urlSuffix>
+ </channel>
+ <module>
+ <identifier>mySamlSso</identifier>
+ <order>30</order>
+ <necessity>sufficient</necessity>
+ </module>
+ </sequence>
+ <sequence>
+ <identifier>admin-gui-emergency</identifier>
+ <description>
+ Special GUI authentication sequence that is using just the internal user password.
+ </description>
+ <channel>
+ <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
+ <default>false</default>
+ <urlSuffix>emergency</urlSuffix>
+ </channel>
+ <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
+ </requireAssignmentTarget>
+ <module>
+ <identifier>loginForm</identifier>
+ <order>30</order>
+ <necessity>sufficient</necessity>
+ </module>
+ </sequence>
+ <sequence>
+ <identifier>rest-default</identifier>
+ <channel>
+ <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
+ <default>true</default>
+ <urlSuffix>rest-default</urlSuffix>
+ </channel>
+ <module>
+ <identifier>httpBasic</identifier>
+ <order>1</order>
+ <necessity>sufficient</necessity>
+ </module>
+ </sequence>
+ <sequence>
+ <identifier>actuator-default</identifier>
+ <channel>
+ <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId>
+ <default>true</default>
+ <urlSuffix>actuator-default</urlSuffix>
+ </channel>
+ <module>
+ <identifier>httpBasic</identifier>
+ <order>1</order>
+ <necessity>sufficient</necessity>
+ </module>
+ </sequence>
+ <ignoredLocalPath>/actuator/health</ignoredLocalPath>
+ </authentication>
+ <credentials>
+ <password>
+ <minOccurs>0</minOccurs>
+ <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
+ <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
+ <lockoutDuration>PT15M</lockoutDuration>
+ 
<valuePolicyRef oid="00000000-0000-0000-0000-000000000003"/>
+ </password>
+ </credentials>
+</securityPolicy>
diff --git a/demo/shibboleth-midpoint-sp/midpoint_server/post-initial-objects/public-url.xml b/demo/shibboleth-midpoint-sp/midpoint_server/post-initial-objects/public-url.xml
new file mode 100644
index 0000000..d353b5e
--- /dev/null
+++ b/demo/shibboleth-midpoint-sp/midpoint_server/post-initial-objects/public-url.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ~ Copyright (c) 2022 Evolveum
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+<s:search xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
+ xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+ xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+ xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
+ <s:options>
+ <option>
+ <options>
+ <raw>true</raw>
+ </options>
+ </option>
+ </s:options>
+ <s:type>c:SystemConfigurationType</s:type>
+ <s:action>
+ <s:type>modify</s:type>
+ <s:parameter>
+ <s:name>delta</s:name>
+ <c:value>
+ <s:itemDelta>
+ <t:modificationType>add</t:modificationType>
+ <t:path>infrastructure</t:path>
+ <t:value>
+ <publicHttpUrlPattern>https://localhost/midpoint</publicHttpUrlPattern>
+ </t:value>
+ </s:itemDelta>
+ </c:value>
+ </s:parameter>
+ </s:action>
+</s:search>
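Review bot: The SP keystore and signing-key passwords inside `<activeKeyStoreKey>` are committed as `<t:clearValue>changeit</t:clearValue>` and `<t:clearValue>password</t:clearValue>`, and nothing in the file marks them as demo-only values. midPoint typically re-encrypts clearValue on import, but the file in git stays cleartext, so anyone copying this policy into a real deployment inherits the defaults. A comment above `<keys>` such as `<!-- demo-only credentials: keystore and key passwords are clearValue here and must be replaced (and the JKS regenerated) for any non-demo use -->` would make that explicit. The values presumably have to agree with whatever step generates shibboleth_sp_keys.jks; that step is not in this hunk.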
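Review bot: `<publicHttpUrlPattern>https://localhost/midpoint</publicHttpUrlPattern>` hardcodes the externally visible URL, which has to agree with the proxy's published port (`443:443` in the compose hunk above) and with the SP URLs the IdP metadata was generated for, yet nothing in the file records that coupling. A one-line comment above `<t:value>`, e.g. `<!-- must match the URL reachable through the nginx proxy; the SAML endpoints midPoint advertises are derived from it -->`, would help the next person who changes the port mapping. Whether `<t:modificationType>add</t:modificationType>` on `infrastructure` merges with or fails against an existing container value is not evident from the file and is worth a short note too.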
diff --git a/demo/shibboleth-midpoint-sp/midpoint_server/shibboleth/attribute-map.xml b/demo/shibboleth-midpoint-sp/midpoint_server/shibboleth/attribute-map.xml
new file mode 100644
index 0000000..f0a5f19
--- /dev/null
+++ b/demo/shibboleth-midpoint-sp/midpoint_server/shibboleth/attribute-map.xml
@@ -0,0 +1,168 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+ <!--
+ The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
+ community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
+ few exceptions for newer attributes where the name is the same for both versions. You will
+ usually want to uncomment or map the names for both SAML versions as a unit.
+ -->
+
+ <!-- New standard identifier attributes for SAML. -->
+
+ <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+
+ <Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+
+ <!-- The most typical eduPerson attributes. -->
+
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+
+ <!--
+ Legacy pairwise identifier attribute / NameID format, intended to be replaced by the
+ simpler pairwise-id attribute (see top of file). 
+ -->
+
+ <!-- The eduPerson attribute version (note the OID-style name): -->
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+ <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+ </Attribute>
+
+ <!-- The SAML 2.0 NameID Format: -->
+ <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+ <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+ </Attribute>
+
+ <!-- Other eduPerson attributes (SAML 2 names followed by SAML 1 names)... -->
+ <!--
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute 
name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+ -->
+
+ <!-- Older LDAP-defined attributes (SAML 2.0 names followed by SAML 1 names)... -->
+ <!--
+ <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+ <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+ <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+ -->
+ <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+ <!--
+ <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+ <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+ <Attribute name="urn:oid:2.5.4.12" id="title"/>
+ <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+ <Attribute name="urn:oid:2.5.4.13" id="description"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+ <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+ <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+ <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+ <Attribute name="urn:oid:2.5.4.9" id="street"/>
+ <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+ <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+ <Attribute name="urn:oid:2.5.4.8" id="st"/>
+ <Attribute name="urn:oid:2.5.4.7" id="l"/>
+ <Attribute name="urn:oid:2.5.4.10" id="o"/>
+ <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+ <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+ <Attribute 
name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+
+ <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+ <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+ <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+ <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+ <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
+ <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+ <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+ <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+ <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+ <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+ <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+ <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+ <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+ <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+ <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+ <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+ <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+ <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+ <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+ <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+ <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+ <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+ <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+ <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+ <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+ <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+ <Attribute 
name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
+ -->
+
+ <!-- SCHAC attributes... -->
+ <!--
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" id="schacHomeOrganizationType">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" id="schacPersonalUniqueCode">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.15" id="schacPersonalUniqueID"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.19" id="schacUserStatus">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.20" id="schacProjectMembership">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.21" id="schacProjectSpecificRole">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ -->
+
+</Attributes>
diff --git a/demo/shibboleth-midpoint-sp/midpoint_server/shibboleth/shibboleth2.xml b/demo/shibboleth-midpoint-sp/midpoint_server/shibboleth/shibboleth2.xml
new file mode 100644
index 0000000..9ed72c2
--- /dev/null
+++ b/demo/shibboleth-midpoint-sp/midpoint_server/shibboleth/shibboleth2.xml
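Review bot: The only visible deviation from the stock Shibboleth SP attribute-map.xml is the uncommented `<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>`, which is exactly what `REMOTE_USER="uid"` in shibboleth2.xml and `<nameOfUsernameAttribute>uid</nameOfUsernameAttribute>` in SecurityPolicy.xml depend on, but nothing marks it as deliberate. A comment on that line, `<!-- uid is the one attribute the demo IdP releases; it becomes REMOTE_USER and the midPoint username -->`, would stop a later cleanup from folding it back into the commented block. The SAML 1 name `urn:mace:dir:attribute-def:uid` stays commented, so only SAML 2 assertions map it — consistent with `<SSO>` being SAML2-only, but worth stating in the same comment.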
@@ -0,0 +1,112 @@
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+ xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+ clockSkew="180">
+
+ <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />
+
+ <!--
+ By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+ are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+ -->
+
+ <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+ <ApplicationDefaults entityID="https://idptestbed/sp/shibboleth"
+ REMOTE_USER="uid"
+ cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
+
+ <!--
+ Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+ Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
+ and should be a relative path, with the SP computing the full value based on the virtual
+ host. Using handlerSSL="true" will force the protocol to be https. You should also set
+ cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to
+ "false", this makes an assertion stolen in transit easier for attackers to misuse.
+ -->
+ <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+ checkAddress="false" handlerSSL="false" cookieProps="http"
+ redirectLimit="exact">
+
+ <!--
+ Configures SSO for a default IdP. To properly allow for >1 IdP, remove
+ entityID property and adjust discoveryURL to point to discovery service.
+ You can also override entityID on /Login query string, or in RequestMap/htaccess.
+ -->
+ <SSO entityID="https://idptestbed/idp/shibboleth">
+ SAML2
+ </SSO>
+
+ <!-- SAML and local-only logout. -->
+ <Logout>SAML2 Local</Logout>
+
+ <!-- Administrative logout. 
-->
+ <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
+
+ <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+ <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+ <!-- Status reporting service. -->
+ <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+ <!-- Session diagnostic service. -->
+ <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+ <!-- JSON feed of discovery information. -->
+ <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+ </Sessions>
+
+ <!--
+ Allows overriding of error template information/filenames. You can
+ also add your own attributes with values that can be plugged into the
+ templates, e.g., helpLocation below.
+ -->
+ <Errors supportContact="root@localhost"
+ helpLocation="/about.html"
+ styleSheet="/shibboleth-sp/main.css"/>
+
+ <!-- Example of locally maintained metadata. -->
+ <MetadataProvider type="XML" validate="true" path="/etc/shibboleth/idp-metadata.xml"/>
+
+ <!-- Example of remotely supplied batch of signed metadata. -->
+ <!--
+ <MetadataProvider type="XML" validate="true"
+ url="http://federation.org/federation-metadata.xml"
+ backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
+ <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+ <MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
+ <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
+ attributeName="http://macedir.org/entity-category"
+ attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+ attributeValue="http://refeds.org/category/hide-from-discovery" />
+ </MetadataProvider>
+ -->
+
+ <!-- Example of remotely supplied "on-demand" signed metadata. 
-->
+ <!--
+ <MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
+ baseUrl="http://mdq.federation.org" ignoreTransport="true">
+ <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+ <MetadataFilter type="Signature" certificate="mdqsigner.pem" />
+ </MetadataProvider>
+ -->
+
+ <!-- Map to extract attributes from SAML assertions. -->
+ <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+ <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+ <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+ <!-- Simple file-based resolvers for separate signing/encryption keys. -->
+ <CredentialResolver type="File" use="signing"
+ key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
+ <CredentialResolver type="File" use="encryption"
+ key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
+
+ </ApplicationDefaults>
+
+ <!-- Policies that determine how to process and authenticate runtime messages. -->
+ <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+ <!-- Low-level configuration about protocols and bindings available for use. -->
+ <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
diff --git a/demo/shibboleth-midpoint-sp/shibboleth-idp/conf/attribute-filter.xml b/demo/shibboleth-midpoint-sp/shibboleth-idp/conf/attribute-filter.xml
new file mode 100644
index 0000000..c7a14c7
--- /dev/null
+++ b/demo/shibboleth-midpoint-sp/shibboleth-idp/conf/attribute-filter.xml
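Review bot: `<Sessions ... handlerSSL="false" cookieProps="http" ...>` switches off the secure defaults the stock file ships with, so the SP session cookie is issued without the Secure attribute and the `/Shibboleth.sso` handlers are accepted over plain HTTP, while the compose hunk above publishes the stack on `443:443` through nginx. If the proxy passes the original scheme through to httpd, `handlerSSL="true" cookieProps="https"` should work as-is and would keep the session cookie off any plaintext path; if it does not (for instance when `8180:80` is the intended entry point), a comment on the `<Sessions>` element stating that the downgrade is deliberate for the demo would be better than leaving it silent, since the comment block directly above it recommends the opposite. `checkAddress="false"` is the stock default and is reasonable behind a proxy.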
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ This file is an EXAMPLE policy file. While the policy presented in this
+ example file is illustrative of some simple cases, it relies on the names of
+ non-existent example services and the example attributes demonstrated in the
+ default attribute-resolver.xml file.
+
+ Deployers should refer to the documentation for a complete list of components
+ and their options.
+-->
+<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
+ xmlns:afp="urn:mace:shibboleth:2.0:afp"
+ xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
+ xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd
+ urn:mace:shibboleth:2.0:afp:mf:basic http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd
+ urn:mace:shibboleth:2.0:afp:mf:saml http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd">
+
+ <afp:AttributeFilterPolicy id="midpoint">
+ <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="midpointdemo-shibboleth" />
+
+ <afp:AttributeRule attributeID="uid">
+ <afp:PermitValueRule xsi:type="basic:ANY" />
+ </afp:AttributeRule>
+
+ </afp:AttributeFilterPolicy>
+
+ <afp:AttributeFilterPolicy id="midpoint-shib">
+ <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://idptestbed/sp/shibboleth" />
+
+ <afp:AttributeRule attributeID="uid">
+ <afp:PermitValueRule xsi:type="basic:ANY" />
+ </afp:AttributeRule>
+
+ </afp:AttributeFilterPolicy>
+
+</afp:AttributeFilterPolicyGroup>
diff --git a/demo/shibboleth-midpoint-sp/shibboleth-idp/conf/attribute-resolver.xml b/demo/shibboleth-midpoint-sp/shibboleth-idp/conf/attribute-resolver.xml
new file mode 100644
index 0000000..ee9519f
--- /dev/null
+++ b/demo/shibboleth-midpoint-sp/shibboleth-idp/conf/attribute-resolver.xml
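Review bot: The header comment still describes this as an EXAMPLE policy file that relies on non-existent example services, but the file now carries the demo's actual release policy: two `basic:AttributeRequesterString` rules for `midpointdemo-shibboleth` and `https://idptestbed/sp/shibboleth`, each releasing only `uid`. Replacing the stale header with a short comment that names the two requesters and where those values come from (the `<entityId>` in SecurityPolicy.xml and the `ApplicationDefaults entityID` in shibboleth2.xml) would keep the three files in step when one of them is renamed. The two policies differ only in the requester, so a single policy whose requirement rule is a `basic:OR` of the two `AttributeRequesterString` rules would remove the duplication, though that is optional.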
@@ -0,0 +1,293 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + This file is an EXAMPLE configuration file containing lots of commented + example attributes, encoders, and a couple of example data connectors. + + Not all attribute definitions or data connectors are demonstrated, but + a variety of LDAP attributes, some common to Shibboleth deployments and + many not, are included. + + Deployers should refer to the Shibboleth 2 documentation for a complete + list of components and their options. +--> +<resolver:AttributeResolver + xmlns:resolver="urn:mace:shibboleth:2.0:resolver" + xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc" + xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" + xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc" + xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder" + xmlns:sec="urn:mace:shibboleth:2.0:security" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd + urn:mace:shibboleth:2.0:resolver:pc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd + urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd + urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd + urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd + urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd"> + + <!-- ========================================== --> + <!-- Attribute Definitions --> + <!-- ========================================== --> + + <!-- Schema: Core schema attributes--> + <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> + 
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" /> + </resolver:AttributeDefinition> +<!-- + <resolver:AttributeDefinition xsi:type="ad:Simple" id="homePhone" sourceAttributeID="homePhone"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:homePhone" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="homePostalAddress" sourceAttributeID="homePostalAddress"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:homePostalAddress" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.39" friendlyName="homePostalAddress" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="mobileNumber" sourceAttributeID="mobile"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" 
id="pagerNumber" sourceAttributeID="pager"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:pager" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" /> + </resolver:AttributeDefinition> +--> + <resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" /> + </resolver:AttributeDefinition> +<!-- + <resolver:AttributeDefinition xsi:type="ad:Simple" id="locality" sourceAttributeID="l"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="stateProvince" sourceAttributeID="st"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:st" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.8" friendlyName="st" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="street" sourceAttributeID="street"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:street" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.9" friendlyName="street" encodeType="false" /> + </resolver:AttributeDefinition> + + 
<resolver:AttributeDefinition xsi:type="ad:Simple" id="organizationName" sourceAttributeID="o"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="organizationalUnit" sourceAttributeID="ou"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:ou" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.11" friendlyName="ou" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="title" sourceAttributeID="title"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="postalAddress" sourceAttributeID="postalAddress"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:postalAddress" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.16" friendlyName="postalAddress" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="postalCode" sourceAttributeID="postalCode"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:postalCode" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" 
name="urn:oid:2.5.4.17" friendlyName="postalCode" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="postOfficeBox" sourceAttributeID="postOfficeBox"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:postOfficeBox" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.18" friendlyName="postOfficeBox" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="telephoneNumber" sourceAttributeID="telephoneNumber"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" /> + </resolver:AttributeDefinition> +--> + <resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" /> + </resolver:AttributeDefinition> +<!-- + <resolver:AttributeDefinition xsi:type="ad:Simple" id="initials" sourceAttributeID="initials"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:initials" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" encodeType="false" /> + </resolver:AttributeDefinition> + --> + + <!-- Schema: inetOrgPerson attributes--> + <!-- + <resolver:AttributeDefinition xsi:type="ad:Simple" id="departmentNumber" 
sourceAttributeID="departmentNumber"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="displayName" sourceAttributeID="displayName"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="employeeNumber" sourceAttributeID="employeeNumber"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:employeeNumber" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="employeeType" sourceAttributeID="employeeType"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="jpegPhoto" sourceAttributeID="jpegPhoto"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:jpegPhoto" 
encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.60" friendlyName="jpegPhoto" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="preferredLanguage" sourceAttributeID="preferredLanguage"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" encodeType="false" /> + </resolver:AttributeDefinition> + --> + + <!-- Schema: eduPerson attributes --> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAffiliation" sourceAttributeID="cn"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" /> + </resolver:AttributeDefinition> +<!-- + <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonEntitlement" sourceAttributeID="eduPersonEntitlement"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonNickname" sourceAttributeID="eduPersonNickname"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonNickname" encodeType="false" /> + <resolver:AttributeEncoder 
xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" friendlyName="eduPersonNickname" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonPrimaryAffiliation" sourceAttributeID="eduPersonPrimaryAffiliation"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonUniqueId" scope="%{idp.scope}" sourceAttributeID="localUniqueId"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" encodeType="false" /> + </resolver:AttributeDefinition> +--> + <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}" sourceAttributeID="eduPersonPrincipalName"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" /> + </resolver:AttributeDefinition> +<!-- + <resolver:AttributeDefinition xsi:type="ad:Prescoped" id="eduPersonPrincipalNamePrior" sourceAttributeID="eduPersonPrincipalNamePrior"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" encodeType="false" /> + 
<resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" friendlyName="eduPersonPrincipalNamePrior" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}" sourceAttributeID="eduPersonAffiliation"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" /> + </resolver:AttributeDefinition> + + <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAssurance" sourceAttributeID="eduPersonAssurance"> + <resolver:Dependency ref="myLDAP" /> + <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAssurance" encodeType="false" /> + <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance" encodeType="false" /> + </resolver:AttributeDefinition> + --> + + <!-- ========================================== --> + <!-- Data Connectors --> + <!-- ========================================== --> + + <!-- Example Static Connector --> + <!-- + <resolver:DataConnector id="staticAttributes" xsi:type="dc:Static"> + <dc:Attribute id="eduPersonAffiliation"> + <dc:Value>member</dc:Value> + </dc:Attribute> + </resolver:DataConnector> + --> + + <!-- Example Relational Database Connector --> + <!-- + <resolver:DataConnector id="mySIS" xsi:type="dc:RelationalDatabase"> + <dc:ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver" + jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB" + jdbcUserName="myid" + jdbcPassword="mypassword" /> + <dc:QueryTemplate> + <![CDATA[ + SELECT * FROM student WHERE gzbtpid = 
'$requestContext.principalName' + ]]> + </dc:QueryTemplate> + + <dc:Column columnName="gzbtpid" attributeID="uid" /> + <dc:Column columnName="fqlft" attributeID="gpa" /> + </resolver:DataConnector> + --> + + <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory" + ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" + baseDN="%{idp.attribute.resolver.LDAP.baseDN}" + principal="%{idp.attribute.resolver.LDAP.bindDN}" + principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}" + useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"> + <dc:FilterTemplate> + <![CDATA[ + %{idp.attribute.resolver.LDAP.searchFilter} + ]]> + </dc:FilterTemplate> + <!-- + <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked"> + <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate> + </dc:StartTLSTrustCredential> + --> + </resolver:DataConnector> + +</resolver:AttributeResolver> \ No newline at end of file diff --git a/demo/shibboleth-midpoint-sp/shibboleth-idp/conf/idp.properties b/demo/shibboleth-midpoint-sp/shibboleth-idp/conf/idp.properties new file mode 100644 index 0000000..cf0b2f8 --- /dev/null +++ b/demo/shibboleth-midpoint-sp/shibboleth-idp/conf/idp.properties 
@@ -0,0 +1,195 @@
+# Load any additional property resources from a comma-delimited list
+idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties
+
+# Set the entityID of the IdP
+idp.entityID= https://idptestbed/idp/shibboleth
+
+# Set the scope used in the attribute resolver for scoped attributes
+idp.scope= example.org
+
+# General cookie properties (maxAge only applies to persistent cookies)
+#idp.cookie.secure = false
+#idp.cookie.httpOnly = true
+#idp.cookie.domain =
+#idp.cookie.path =
+#idp.cookie.maxAge = 31536000
+
+# Set the location of user-supplied web flow definitions
+#idp.webflows = %{idp.home}/flows
+
+# Set the location of Velocity view templates
+#idp.views = %{idp.home}/views
+
+# Settings for internal AES encryption key
+#idp.sealer.storeType = JCEKS
+#idp.sealer.updateInterval = PT15M
+#idp.sealer.aliasBase = secret
+idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
+idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
+idp.sealer.storePassword= changeit
+idp.sealer.keyPassword= changeit
+
+# Settings for public/private signing and encryption key(s)
+# During decryption key rollover, point the ".2" properties at a second
+# keypair, uncomment in credentials.xml, then publish it in your metadata.
+idp.signing.key= %{idp.home}/credentials/idp-signing.key
+idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
+idp.encryption.key= %{idp.home}/credentials/idp-encryption.key
+idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
+#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
+#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
+
+# Sets the bean ID to use as a default security configuration set
+#idp.security.config = shibboleth.DefaultSecurityConfiguration
+
+# To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1
+#idp.signing.config = shibboleth.SigningConfiguration.SHA256
+
+# Configures trust evaluation of keys used by services at runtime
+# Defaults to supporting both explicit key and PKIX using SAML metadata.
+#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
+# To pick only one set to one of:
+# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
+#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
+# To pick only one set to one of:
+# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine
+
+# If true, encryption will happen whenever a key to use can be located, but
+# failure to encrypt won't result in request failure.
+idp.encryption.optional = true
+
+# Configuration of client- and server-side storage plugins
+#idp.storage.cleanupInterval = PT10M
+#idp.storage.htmlLocalStorage = false
+
+# Set to true to expose more detailed errors in responses to SPs
+#idp.errors.detailed = false
+# Set to false to skip signing of SAML response messages that signal errors
+#idp.errors.signed = true
+# Name of bean containing a list of Java exception classes to ignore
+#idp.errors.excludedExceptions = ExceptionClassListBean
+# Name of bean containing a property set mapping exception names to views
+#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
+# Set if a different default view name for events and exceptions is needed
+#idp.errors.defaultView = error
+
+# Set to false to disable the IdP session layer
+#idp.session.enabled = true
+
+# Set to "shibboleth.StorageService" for server-side storage of user sessions
+#idp.session.StorageService = shibboleth.ClientSessionStorageService
+idp.session.StorageService = shibboleth.StorageService
+
+# Size of session IDs
+#idp.session.idSize = 32
+# Bind sessions to IP addresses
+#idp.session.consistentAddress = true
+# Inactivity timeout
+#idp.session.timeout = PT60M
+# Extra time to store sessions for logout
+#idp.session.slop = PT0S
+# Tolerate storage-related errors
+#idp.session.maskStorageFailure = false
+# Track information about SPs logged into
+idp.session.trackSPSessions = true
+# Support lookup by SP for SAML logout
+idp.session.secondaryServiceIndex = true
+# Length of time to track SP sessions
+#idp.session.defaultSPlifetime = PT2H
+
+# Regular expression matching login flows to enable, e.g. IPAddress|Password
+idp.authn.flows= Password
+
+# Regular expression of forced "initial" methods when no session exists,
+# usually in conjunction with the idp.authn.resolveAttribute property below.
+#idp.authn.flows.initial = Password
+
+# Set to an attribute ID to resolve prior to selecting authentication flows;
+# its values are used to filter the flows to allow.
+#idp.authn.resolveAttribute = eduPersonAssurance
+
+# Default lifetime and timeout of various authentication methods
+#idp.authn.defaultLifetime = PT60M
+#idp.authn.defaultTimeout = PT30M
+
+# Whether to prioritize "active" results when an SP requests more than
+# one possible matching login method (V2 behavior was to favor them)
+#idp.authn.favorSSO = true
+
+# Whether to fail requests when a user identity after authentication
+# doesn't match the identity in a pre-existing session.
+#idp.authn.identitySwitchIsError = false
+
+# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
+#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
+
+# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
+# to key user consent storage records (and set the attribute name)
+#idp.consent.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
+#idp.consent.userStorageKeyAttribute = uid
+
+# Flags controlling how built-in attribute consent feature operates
+#idp.consent.allowDoNotRemember = true
+#idp.consent.allowGlobal = true
+#idp.consent.allowPerAttribute = false
+
+# Whether attribute values and terms of use text are compared
+#idp.consent.compareValues = false
+# Maximum number of consent records for space-limited storage (e.g. cookies)
+#idp.consent.maxStoredRecords = 10
+# Maximum number of consent records for larger/server-side storage (0 = no limit)
+#idp.consent.expandedMaxStoredRecords = 0
+
+# Time in milliseconds to expire consent storage records.
+#idp.consent.storageRecordLifetime = P1Y
+
+# Whether to lookup metadata, etc. for every SP involved in a logout
+# for use by user interface logic; adds overhead so off by default.
+#idp.logout.elaboration = false
+
+# Whether to require logout requests be signed/authenticated.
+#idp.logout.authenticated = true
+
+# Message freshness and replay cache tuning
+#idp.policy.messageLifetime = PT3M
+#idp.policy.clockSkew = PT3M
+
+# Set to custom bean for alternate storage of replay cache
+#idp.replayCache.StorageService = shibboleth.StorageService
+
+# Toggles whether to allow outbound messages via SAML artifact
+#idp.artifact.enabled = true
+# Suppresses typical signing/encryption when artifact binding used
+#idp.artifact.secureChannel = true
+# May differ to direct SAML 2 artifact lookups to specific server nodes
+#idp.artifact.endpointIndex = 2
+# Set to custom bean for alternate storage of artifact map state
+#idp.artifact.StorageService = shibboleth.StorageService
+
+# Name of access control policy for various admin flows
+idp.status.accessPolicy= AccessByIPAddress
+idp.resolvertest.accessPolicy= AccessByIPAddress
+idp.reload.accessPolicy= AccessByIPAddress
+
+# Comma-delimited languages to use if not match can be found with the
+# browser-supported languages, defaults to an empty list.
+idp.ui.fallbackLanguages= en,fr,de
+
+# Storage service used by CAS protocol
+# Defaults to shibboleth.StorageService (in-memory)
+# MUST be server-side storage (e.g. in-memory, memcached, database)
+# NOTE that idp.session.StorageService requires server-side storage
+# when CAS protocol is enabled
+idp.cas.StorageService=shibboleth.StorageService
+
+# CAS service registry implementation class
+#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry
+
+# Profile flows in which the ProfileRequestContext should be exposed
+# in servlet request under the key "opensamlProfileRequestContext"
+#idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO
+
+# F-TICKS auditing - set salt to include hashed username
+#idp.fticks.federation=MyFederation
+#idp.fticks.algorithm=SHA-256
+#idp.fticks.salt=somethingsecret
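Review bot: `idp.sealer.storePassword= changeit` and `idp.sealer.keyPassword= changeit` leave the sealer keystore on the installer default while `idp.sealer.storeResource` points it at `%{idp.home}/credentials/sealer.jks`; if that keystore is committed alongside this file (not visible in this hunk), anyone with the repository can read or forge the sealed cookies and client-side state the IdP relies on. That is tolerable for a self-contained demo, but nothing in the file says so, and the same applies to the `AccessByIPAddress` admin-flow policies, which are only as safe as the network the demo runs on. Add `# DEMO ONLY: sealer keystore and both sealer passwords are public in this repository; regenerate sealer.jks and change them before any non-demo deployment` above the `idp.sealer.*` block.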
diff --git a/demo/shibboleth-midpoint-sp/shibboleth-idp/conf/ldap.properties b/demo/shibboleth-midpoint-sp/shibboleth-idp/conf/ldap.properties
new file mode 100644
index 0000000..726f145
--- /dev/null
+++ b/demo/shibboleth-midpoint-sp/shibboleth-idp/conf/ldap.properties
@@ -0,0 +1,58 @@
+# LDAP authentication configuration, see authn/ldap-authn-config.xml
+
+## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
+#idp.authn.LDAP.authenticator = anonSearchAuthenticator
+
+## Connection properties ##
+idp.authn.LDAP.ldapURL = ldap://directory:389
+idp.authn.LDAP.useStartTLS = false
+idp.authn.LDAP.useSSL = false
+#idp.authn.LDAP.connectTimeout = 3000
+
+## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
+#idp.authn.LDAP.sslConfig = certificateTrust
+## If using certificateTrust above, set to the trusted certificate's path
+idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
+## If using keyStoreTrust above, set to the truststore path
+idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
+
+## Return attributes during authentication
+## NOTE: this is not used during attribute resolution; configure that directly in the
+## attribute-resolver.xml configuration via a DataConnector's <dc:ReturnAttributes> element
+idp.authn.LDAP.returnAttributes = cn,businessCategory,mail
+
+## DN resolution properties ##
+
+# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
+# for AD: CN=Users,DC=example,DC=org
+idp.authn.LDAP.baseDN = ou=people,dc=internet2,dc=edu
+#idp.authn.LDAP.subtreeSearch = false
+idp.authn.LDAP.userFilter = (uid={user})
+# bind search configuration
+# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
+idp.authn.LDAP.bindDN = cn=admin,dc=internet2,dc=edu
+idp.authn.LDAP.bindDNCredential = password
+
+# Format DN resolution, used by directAuthenticator, adAuthenticator
+# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
+idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=internet2,dc=edu
+
+# LDAP attribute configuration, see attribute-resolver.xml
+idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
+idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN}
+idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN}
+idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential}
+idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
+idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates}
+idp.attribute.resolver.LDAP.searchFilter = (uid=$requestContext.principalName)
+
+# LDAP pool configuration, used for both authn and DN resolution
+#idp.pool.LDAP.minSize = 3
+#idp.pool.LDAP.maxSize = 10
+#idp.pool.LDAP.validateOnCheckout = false
+#idp.pool.LDAP.validatePeriodically = true
+#idp.pool.LDAP.validatePeriod = 300
+#idp.pool.LDAP.prunePeriod = 300
+#idp.pool.LDAP.idleTime = 600
+#idp.pool.LDAP.blockWaitTime = 3000
+#idp.pool.LDAP.failFastInitialize = false
diff --git a/demo/shibboleth/idp/shibboleth-idp/conf/metadata-providers.xml b/demo/shibboleth-midpoint-sp/shibboleth-idp/conf/metadata-providers.xml
similarity index 97%
rename from demo/shibboleth/idp/shibboleth-idp/conf/metadata-providers.xml
rename to demo/shibboleth-midpoint-sp/shibboleth-idp/conf/metadata-providers.xml
index 2a44b8d..684b387 100644
--- a/demo/shibboleth/idp/shibboleth-idp/conf/metadata-providers.xml
+++ b/demo/shibboleth-midpoint-sp/shibboleth-idp/conf/metadata-providers.xml
@@ -27,8 +27,6 @@ <MetadataProvider id="MidpointSP" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/midpoint-sp.xml"/> - <MetadataProvider id="Midpoint-shib-SP" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/midpoint-shib-sp.xml"/> - <!-- Example HTTP metadata provider. Use this if you want to download the metadata from a remote service.
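Review bot: `idp.authn.LDAP.useStartTLS = false` and `idp.authn.LDAP.useSSL = false` against `ldap://directory:389` mean the `cn=admin` bind (`idp.authn.LDAP.bindDNCredential = password`) and every authenticating user's password reach the directory in clear text, and because `idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}` resolves the explicit `false`, the `:true` fallback never takes effect for the attribute resolver either. On a private compose network this may be an accepted trade-off for the demo, but the file reads like a production template and should say otherwise; `idp.authn.LDAP.trustCertificates` already points at `ldap-server.crt`, so enabling StartTLS is a one-line change once the directory serves a certificate. Add above the connection block: `# DEMO ONLY: plaintext LDAP on the internal compose network; set idp.authn.LDAP.useStartTLS = true (trustCertificates is already configured) for any other use`.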
diff --git a/demo/shibboleth/configs-and-secrets/shibboleth/idp-metadata.xml b/demo/shibboleth-midpoint-sp/shibboleth-idp/metadata/idp-metadata.xml similarity index 95% rename from demo/shibboleth/configs-and-secrets/shibboleth/idp-metadata.xml rename to demo/shibboleth-midpoint-sp/shibboleth-idp/metadata/idp-metadata.xml index 65db47e..86de901 100644 --- a/demo/shibboleth/configs-and-secrets/shibboleth/idp-metadata.xml +++ b/demo/shibboleth-midpoint-sp/shibboleth-idp/metadata/idp-metadata.xml @@ -101,6 +101,10 @@ p+tGUbGS2l873J5PrsbpeKEVR/IIoKo= </KeyDescriptor> + <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/idp/profile/SAML2/Redirect/SLO"/> + <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/idp/profile/SAML2/POST/SLO"/> + <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost/idp/profile/SAML2/POST-SimpleSign/SLO"/> + <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat> diff --git a/demo/grouper/idp/shibboleth-idp/metadata/grouper-sp.xml b/demo/shibboleth-midpoint-sp/shibboleth-idp/metadata/midpoint-sp.xml similarity index 52% rename from demo/grouper/idp/shibboleth-idp/metadata/grouper-sp.xml rename to demo/shibboleth-midpoint-sp/shibboleth-idp/metadata/midpoint-sp.xml index 5b42a7b..fa0b437 100644 --- a/demo/grouper/idp/shibboleth-idp/metadata/grouper-sp.xml +++ b/demo/shibboleth-midpoint-sp/shibboleth-idp/metadata/midpoint-sp.xml 
@@ -2,7 +2,7 @@ This is example metadata only. Do *NOT* supply it as is without review, and do *NOT* provide it in real time to your partners. --> -<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_57114916ca68943103854cb57a3a3b1c7c38bb81" entityID="https://grouperdemo/shibboleth"> +<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_57114916ca68943103854cb57a3a3b1c7c38bb81" entityID="midpointdemo-shibboleth"> <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"> <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/> 
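Review bot: the new `entityID="midpointdemo-shibboleth"` is a bare token rather than a URI, whereas SAML metadata defines entityID as a URI and the IdP matches relying parties on the exact string, so this only works if midPoint's SAML module is configured with the identical literal, which the hunk cannot show. Stricter metadata validators and federation tooling may also reject a non-URI value. Either use the URL form midPoint publishes in its own generated SP metadata, or document the coupling above the element with `<!-- entityID must equal the entityId configured for alias midpointdemo-shibboleth in midPoint's SAML authentication module -->`.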
@@ -23,34 +23,34 @@ and do *NOT* provide it in real time to your partners. <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/> </md:Extensions> - <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> + <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol"> <md:Extensions> - <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://localhost:4443/Shibboleth.sso/Login"/> - <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://localhost:4443/Shibboleth.sso/Login" index="1"/> + <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://localhost/Shibboleth.sso/Login"/> + <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://localhost/Shibboleth.sso/Login" index="1"/> </md:Extensions> <md:KeyDescriptor> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> - <ds:KeyName>sp.example.org</ds:KeyName> + <ds:KeyName>midpoint.sp.example.org</ds:KeyName> <ds:X509Data> - <ds:X509SubjectName>CN=sp.example.org,O=Internet2/TIER,L=Ann Arbor,ST=MI,C=US</ds:X509SubjectName> - <ds:X509Certificate>MIIDPDCCAiQCCQDNZe8r0hVtuTANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEXMBUGA1UECgwOSW50 -ZXJuZXQyL1RJRVIxFzAVBgNVBAMMDnNwLmV4YW1wbGUub3JnMB4XDTE3MDkyMjE5 -NTAzNVoXDTI3MDkyMDE5NTAzNVowYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1J -MRIwEAYDVQQHDAlBbm4gQXJib3IxFzAVBgNVBAoMDkludGVybmV0Mi9USUVSMRcw 
-FQYDVQQDDA5zcC5leGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC -AQoCggEBAMTNJmsNpTpR4NrDJwOgK/o3UYlNdi1c6xBflt+liLAsQc160QReV4dS -SGK8LZvN58a/BTIsH8dLhQlUQ8qQUY2AfolVrNxb7Waumeh/POzYUTRylnoGpU3W -bGMEPxE/AdgP5U/adYvyu4XI5epv7wjZJOTqcVag15SalY+aso+ZC/5l+UzRxmWB -ZxKTsSL1y7PFehY4/Zl3Y3oGVsVl/zspt5lteoZQeeVxUX29S3Af11yHY4xpEp+7 -rvAzY/nlsTiHAsUoCFK/NFQ2evvSRx52B9Fk1cWP1MDVDm2QjQqD9xBGYSnX6bhQ -ejVx7JUJHlblu2Q5p5XdW0BihgFluoECAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA -n/qhYnIviPs4tglCdrw+M7gbqKNWadDC3F9HDYzlJMFeS/ae2turhEUgQPbYPDQQ -eO3oOILtvCXNFUPM58jf8V5YFRrOqrTgx44kexQDaHO5YYNft5tF5TdvBYE2gOVr -GdYrH2iSP8WX+Yy7JH5uqkfwWzEntWHJdey39rCWKAUCCB35+/2b4N53Qmlv2+ug -CpNJYFtXInd4YMmM5HjXLyoWXtjnKiwDqYUCeYPSwAajnCqRqRXUX0gYTFDRiwRP -HbmO9We0nqoc/71nikmGGoSRMO/zWVMFjwmAx1fGiWdU61sjGX8sHifzmVyJVEBI -Z75p+JrWYZJYrx/vpWxL8g== + <ds:X509SubjectName>CN=sptest.example.edu,O=Internet2/TIER,L=Ann Arbor,ST=MI,C=US</ds:X509SubjectName> + <ds:X509Certificate>MIID/TCCAmWgAwIBAgIJAJZqOL69C6nRMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNVBAMTEnNwdGVz +dC5leGFtcGxlLmVkdTAeFw0xODEyMjAyMjM4NDhaFw0yODEyMTcyMjM4NDhaMB0xGzAZBgNVBAMT +EnNwdGVzdC5leGFtcGxlLmVkdTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBANJ1OC6Q +l4te2/7PArBkuM/EF1NcQILv7bJaecJDGYBVoWgL0a2KQ0XMESusgkVmVjj/jcbtvwIiXI/6BEu8 +15OF6eSZIwxWdQBpeKbrWTbt07GiGgdXoXot6oMs5a9YXuWLt8pTXrFVMmwXU+ZfWJtuU8OIgm9e +sAEIQBHvDVOJtdKdBMWJFa5nUzkaVvA0Fr8r+/FHUvSCnlKOMaUIfTgtoS9AQnaRQ1dVl39Z2KAh +87JYvRIxvbaPaKgar2eGQ+PQD8rqsB5K5wgnADAxYM9Vo0YXSpPH+FvwN3EJgURUSEY2E0Jx8JOx +368ERNLXx3kfnRxCiZRDkTZF9WP6lBnDwc1WXRwpVCDTRnF+SIh6IC1Bj/qpkpCD3nri7tycejoe +AtVj1YZHWarf9iqdcLYOAWmeyGbFl3hjv6qcXnIfy1KyHLCAdIrg1TymLovXXKW09pEbVLdsHmLz +0h+DxPs4FsinK2AQBMn16u8BJJ/+spCzIQ2QNPcGORh6XemBpQIDAQABo0AwPjAdBgNVHREEFjAU +ghJzcHRlc3QuZXhhbXBsZS5lZHUwHQYDVR0OBBYEFPC8rkASWHQxrtCQ4wwtnsJRy6K5MA0GCSqG +SIb3DQEBCwUAA4IBgQCks2nY7YzdIKV02NHD9STWD3yPtEwPYZZ3NBno0WW20rS6cU+fxFx37nY8 +ULve4cFQkLR8fOO44e1qIuTgLGCauSGTx/Ts/tbmZXbpGTwV7cjZDCfC7yEFAVrfQFOMNKeQEssu 
+LFj+d4STGLorxsM+2YygdOgohJz0e3xOcmCNHqEuC9RbzrnLc/A4/mOHKwnwCCg71zA1/Ew9NUoR +m2n8IfaONIUaMg9opNiHxX4eu3UFaaPmn/mInuWYYMXzbIbdlU/XhKvXrujWYWj7anTDWvGQmNEe +csQH92SrO0pf+9WwcWUQTQiWUdq8/OxjXfzs1PrQnSlp0eizgcdKHDKbCUaSuK1i2wdxfEsu5sbZ +AIW0+dXJ2IyzM+0sv2g4DOsXsnSvinGqjr82A54mXGSr7edhPdlQhILFkJfhTwLq+mjnyQSNe3s2 +4VNeGc76jbHIrkEWuA460QGqz1Fa2CsQo5SH1IkxNIKpBZWt+w2LdAza/NzYyDruY5IJCrZa9Qw= </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> 
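Review bot: `protocolSupportEnumeration` now adds `urn:oasis:names:tc:SAML:1.1:protocol` and `urn:oasis:names:tc:SAML:1.0:protocol`, yet the descriptor offers no SAML 1 endpoints (the only consumer service left is a SAML 2.0 HTTP-POST ACS), and the retained `init:RequestInitiator` and `idpdisc:DiscoveryResponse` extensions still point at `https://localhost/Shibboleth.sso/Login`, a Shibboleth SP handler that the midPoint module under `/midpoint/auth/saml-internal` does not appear to serve. Advertising protocols and endpoints the SP cannot handle invites the IdP to select them and fail. Revert to `<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">` and drop the `md:Extensions` block unless midPoint is known to honor those URLs. `<ds:KeyName>midpoint.sp.example.org</ds:KeyName>` also no longer matches the certificate subject `CN=sptest.example.edu`, which does not affect trust but is confusing; confirm this certificate is the one midPoint actually signs with.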
@@ -64,15 +64,8 @@ Z75p+JrWYZJYrx/vpWxL8g== <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/> <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/> </md:KeyDescriptor> - <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:4443/Shibboleth.sso/Artifact/SOAP" index="1"/> - <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:4443/Shibboleth.sso/SLO/SOAP"/> - <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:4443/Shibboleth.sso/SLO/Redirect"/> - <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:4443/Shibboleth.sso/SLO/POST"/> - <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:4443/Shibboleth.sso/SLO/Artifact"/> - <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:4443/Shibboleth.sso/SAML2/POST" index="1"/> - <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost:4443/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/> - <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:4443/Shibboleth.sso/SAML2/Artifact" index="3"/> - <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://localhost:4443/Shibboleth.sso/SAML2/ECP" index="4"/> + <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/midpoint/auth/saml-internal/mySamlSso/logout/alias/midpointdemo-shibbolet"/> + <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
Location="https://localhost/midpoint/auth/saml-internal/mySamlSso/SSO/alias/midpointdemo-shibboleth" index="1"/> </md:SPSSODescriptor> </md:EntityDescriptor> diff --git a/demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-sp.xml b/demo/shibboleth-midpoint-sp/shibboleth-idp/metadata/midpoint-sp.xml.bck similarity index 100% rename from demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-sp.xml rename to demo/shibboleth-midpoint-sp/shibboleth-idp/metadata/midpoint-sp.xml.bck diff --git a/demo/shibboleth/.env b/demo/shibboleth/.env deleted file mode 100644 index 9f71d51..0000000 --- a/demo/shibboleth/.env +++ /dev/null @@ -1,15 +0,0 @@ -# These parameters can be overridden by setting environment variables before calling docker-compose up -ENV=demo -USERTOKEN= -REPO_DATABASE_TYPE=mariadb -REPO_JDBC_URL=default -REPO_HOST=midpoint_data -REPO_PORT=default -REPO_DATABASE=registry -REPO_USER=registry_user -REPO_MISSING_SCHEMA_ACTION=create -REPO_UPGRADEABLE_SCHEMA_ACTION=stop -MP_MEM_MAX=2048m -MP_MEM_INIT=1024m -TIMEZONE=UTC - diff --git a/demo/shibboleth/configs-and-secrets/midpoint/application/database_password.txt b/demo/shibboleth/configs-and-secrets/midpoint/application/database_password.txt deleted file mode 100644 index 11bff19..0000000 --- a/demo/shibboleth/configs-and-secrets/midpoint/application/database_password.txt +++ /dev/null @@ -1 +0,0 @@ -WJzesbe3poNZ91qIbmR7 diff --git a/demo/shibboleth/configs-and-secrets/midpoint/application/keystore_password.txt b/demo/shibboleth/configs-and-secrets/midpoint/application/keystore_password.txt deleted file mode 100644 index 1d40192..0000000 --- a/demo/shibboleth/configs-and-secrets/midpoint/application/keystore_password.txt +++ /dev/null @@ -1 +0,0 @@ -changeit diff --git a/demo/shibboleth/configs-and-secrets/midpoint/httpd/00-shib.conf b/demo/shibboleth/configs-and-secrets/midpoint/httpd/00-shib.conf deleted file mode 100644 index 0e5c7b2..0000000 
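Review bot: the new `md:SingleLogoutService` Location ends in alias `midpointdemo-shibbolet`, while the ACS on the following line uses `midpointdemo-shibboleth`; unless midPoint registers both aliases, IdP-initiated logout is redirected to a path midPoint does not serve and the SP session outlives the logout. Change the line to `<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/midpoint/auth/saml-internal/mySamlSso/logout/alias/midpointdemo-shibboleth"/>`.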
--- a/demo/shibboleth/configs-and-secrets/midpoint/httpd/00-shib.conf +++ /dev/null @@ -1 +0,0 @@ -LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so diff --git a/demo/shibboleth/configs-and-secrets/midpoint/httpd/host-cert.pem b/demo/shibboleth/configs-and-secrets/midpoint/httpd/host-cert.pem deleted file mode 100644 index 9b1021b..0000000 --- a/demo/shibboleth/configs-and-secrets/midpoint/httpd/host-cert.pem +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDqDCCApCgAwIBAgIJAMOSkn4oS2aAMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNV -BAYTAlVTMQswCQYDVQQIDAJNSTESMBAGA1UEBwwJQW5uIEFyYm9yMRcwFQYDVQQK -DA5JbnRlcm5ldDIvVElFUjEgMB4GA1UEAwwXbWlkcG9pbnQuc3AuZXhhbXBsZS5v -cmcwHhcNMTgwOTE0MDU1OTQ1WhcNMTkwOTE0MDU1OTQ1WjBpMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEXMBUGA1UECgwOSW50 -ZXJuZXQyL1RJRVIxIDAeBgNVBAMMF21pZHBvaW50LnNwLmV4YW1wbGUub3JnMIIB -IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApj/b7MEUSfu3oXMfNgRwTse7 -a5UV7Jswf1M/ZN/ZZkAkIxNBevZgozjesvLPWrmsTgONi7XigJUJvCjdjmlW9eDM -lri/rkD8HuOR1DQCVKL9nvoS2c3D7sq5Emda3V8Tlj82VqfEmePd3sajx7mcTfbH -8jwAL9NhkC+WMib5IpjLGpG0FEAC0ha7Lxb+7jIiqHVJaqLXJGCyGN4mh6c1Q9S1 -f8RVTiW2a8x22G+9wnZYbkiA2Kxls177imHlhSz8EdvV4IpGw1amrEWhhuDEum7B -vZ1xQDLatgRqh4qAKLIVYeRnJ8H1FelMa90qB4G08MIPifmTsQwqJyBYaEdgWQID -AQABo1MwUTAdBgNVHQ4EFgQUqb9BteODF6wv5R57aEON/wGXMiowHwYDVR0jBBgw -FoAUqb9BteODF6wv5R57aEON/wGXMiowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG -9w0BAQsFAAOCAQEAAcKhxI+tSItrXmqC0PSmgWyAYpqbkz6W/cefTutXqhIgY09f -h0LSv7ogTahoGpyiZk9vy6u3OE9bYwxapEfa4KBjO6HxBMIVBBb3RegVjoPzjElN -BDwAx0VGFcZTXwMxDWycWdG8ql7rCZBvS50w04uTaIgnGmqXAdWWmBgfJ9cRbxW+ -JwO/mOl1QM1lR/5142NpvuUVWlmZSKEGydE5A1qPz2wpDbBR1ym1BQNS4NEqw6Kp -GSB8jKyCS1Ve0v2wVze2038Wukz02dq9uKPTIO3T+B+ibZmxn6Op/kFCc1/kK5NS -Q6JdO1B6KquGAYdGmKAcQ19mv+jqGktqWEEf0g== ------END CERTIFICATE----- diff --git a/demo/shibboleth/configs-and-secrets/midpoint/httpd/host-key.pem b/demo/shibboleth/configs-and-secrets/midpoint/httpd/host-key.pem deleted file mode 100644 index 5746e59..0000000 
--- a/demo/shibboleth/configs-and-secrets/midpoint/httpd/host-key.pem +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmP9vswRRJ+7eh -cx82BHBOx7trlRXsmzB/Uz9k39lmQCQjE0F69mCjON6y8s9auaxOA42LteKAlQm8 -KN2OaVb14MyWuL+uQPwe45HUNAJUov2e+hLZzcPuyrkSZ1rdXxOWPzZWp8SZ493e -xqPHuZxN9sfyPAAv02GQL5YyJvkimMsakbQUQALSFrsvFv7uMiKodUlqotckYLIY -3iaHpzVD1LV/xFVOJbZrzHbYb73CdlhuSIDYrGWzXvuKYeWFLPwR29XgikbDVqas -RaGG4MS6bsG9nXFAMtq2BGqHioAoshVh5GcnwfUV6Uxr3SoHgbTwwg+J+ZOxDCon -IFhoR2BZAgMBAAECggEAEIRBpjjceiku6jRUwnoYaks/nIWYQwR8AfpUTwJKR/VR -Yca097Fokm7A+UhUP3A45RtHQb0VPq8P44iv0kk24YCu8r5yFK7SHYOAZnOwU5ZJ -2jSAEPF3aM7tKh3okhuzB3dKP7u1NZDE5zAW723KUJiW7sL1RcsbY0bHBj6G+9/H -NplmsjuGt684vRBB0qOBfKF7EiG7mT69tHuNj4gRza9SMY31UtKbZdt2fNY6mp5V -HscMba7egZP+Ke0pVX4+go9j7K8GG8hYaQDLjrzlPqrxZ2c5X9cC+CRDI/CHuL/s -V/2yGZJ6n6UabwZoH83RdFrbQ94rU8Hkli6EvxXvMQKBgQDRpheNW5jDG5TfeJKh -yfKTDQqH2Tk3BsBYYBN7Hf3m7vbkzlxnAKJAoSLmtRMuoeXvI5MrhzaHGsNIUS76 -LDIZnvB7DLUxhFUZsCPkpAA1QHuTWY96oR3PHnPjpk8lSUvtbOPwDLdzVApeFJgZ -VqMNArZ7AHsK3Kkyi+f4WVQjbQKBgQDLAWiGb5dx6fAM2W6B6HjNmzjBWOuVEXa2 -76to9jzupBZmETfZgxtWUaWUDuNS+f7dtVUTE+p6v/w8clrHEhEZYkqunIOLo/UA -LFPiuoTfEsWb1rh+nsCjCgy4uimixj/bSkf7NC6NyKTvCygA1mGnVVJUEPegYlDy -LXCkaKWxHQKBgQCmyHSKL2lrJkEcOwakEU2acNCE3Gno/cT9SYmV83kvQ8JEqmrW -QqnRsp9aXIljGscapPmKsmnNt5vNp1AxFAHTYh88NRLczsMIyZj0ZwgHVUI6KhC7 -5Psa78YQQBlMt2/g9TSsnuE+rYgF6mpKFiNm0Vasqeg47uzn2mdzqlUGTQKBgE04 -JutkTUY+h1pL5vYxWKpVDfy19z7H2tFxT1FowPrBneeLSyRI88Ac5I/yLdRlVeY9 -0LOmEr5Igwj3MsKgg7KVKfVLgdo/LrW3Jt2Kt3onKNXDkoBPoNUjwH0QC0Boiue+ -VK0gR0kVdm+bXccbxR+im+NwZNE0NLg6Qqu3RredAoGBALuVoqbPPmTCZXYG328H -bzOs2aiR7BzPSVByV+qG6jW7w03RAnFPJZp7HMU+ViI5VY0wabUscMSvz5163+gM -4KwY3v9ZjZzZGukIfLuudkdqtaiVOx/KeAC0n+nG21YU+wpZww8gkfHh1/sa2CME -CWYCgOnmiTHcj83UaTqEXtmv ------END PRIVATE KEY----- 
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/httpd/midpoint-shib.conf b/demo/shibboleth/configs-and-secrets/midpoint/httpd/midpoint-shib.conf
deleted file mode 100644
index a383349..0000000
--- a/demo/shibboleth/configs-and-secrets/midpoint/httpd/midpoint-shib.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-<Location /midpoint/auth/shib>
- AuthType shibboleth
- ShibRequestSetting requireSession 1
- ShibRequireSession on
- ShibUseHeaders On
- require shibboleth
-</Location>
-
-<Location />
- AuthType shibboleth
- ShibRequestSetting requireSession false
- ShibUseHeaders On
- require shibboleth
-</Location>
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/httpd/vhosts.conf b/demo/shibboleth/configs-and-secrets/midpoint/httpd/vhosts.conf
deleted file mode 100644
index a434bd8..0000000
--- a/demo/shibboleth/configs-and-secrets/midpoint/httpd/vhosts.conf
+++ /dev/null
@@ -1 +0,0 @@
-RewriteRule "^/midpoint/$" "/midpoint/auth/shib" [R]
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks b/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks
deleted file mode 100644
index af2e8f4..0000000
Binary files a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks and /dev/null differ
diff --git a/demo/shibboleth/configs-and-secrets/shibboleth/shibboleth2.xml b/demo/shibboleth/configs-and-secrets/shibboleth/shibboleth2.xml
deleted file mode 100644
index ee05a97..0000000
--- a/demo/shibboleth/configs-and-secrets/shibboleth/shibboleth2.xml
+++ /dev/null
@@ -1,139 +0,0 @@ -<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" - xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" - xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" - xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" - xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" - clockSkew="180"> - - <!-- - By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache - are used. See example-shibboleth2.xml for samples of explicitly configuring them. - --> - - <!-- - To customize behavior for specific resources on Apache, and to link vhosts or - resources to ApplicationOverride settings below, use web server options/commands. - See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help. - - For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml - file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic. - --> - <TCPListener address="127.0.0.1" port="1600"/> - - - <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. --> - <ApplicationDefaults entityID="https://midpointdemo/shibboleth" - REMOTE_USER="uid"> - - <!-- - Controls session lifetimes, address checks, cookie handling, and the protocol handlers. - You MUST supply an effectively unique handlerURL value for each of your applications. - The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing - a relative value based on the virtual host. Using handlerSSL="true", the default, will force - the protocol to be https. You should also set cookieProps to "https" for SSL-only sites. - Note that while we default checkAddress to "false", this has a negative impact on the - security of your site. Stealing sessions via cookie theft is much easier with this disabled. 
- --> - <Sessions lifetime="28800" timeout="28800" relayState="ss:mem" - checkAddress="false" handlerSSL="true" cookieProps="https"> - - <!-- - Configures SSO for a default IdP. To allow for >1 IdP, remove - entityID property and adjust discoveryURL to point to discovery service. - (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.) - You can also override entityID on /Login query string, or in RequestMap/htaccess. - --> - <SSO entityID="https://idptestbed/idp/shibboleth"> - SAML2 - </SSO> - - <!-- SAML and local-only logout. --> - <Logout>SAML2 Local</Logout> - - <!-- Extension service that generates "approximate" metadata based on SP configuration. --> - <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/> - - <!-- Status reporting service. --> - <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/> - - <!-- Session diagnostic service. --> - <Handler type="Session" Location="/Session" showAttributeValues="true"/> - - <!-- JSON feed of discovery information. --> - <Handler type="DiscoveryFeed" Location="/DiscoFeed"/> - </Sessions> - - <!-- - Allows overriding of error template information/filenames. You can - also add attributes with values that can be plugged into the templates. - --> - <Errors supportContact="root@localhost" - helpLocation="/about.html" - styleSheet="/shibboleth-sp/main.css"/> - - <!-- Example of remotely supplied batch of signed metadata. 
--> - <!-- - <MetadataProvider type="XML" validate="true" - uri="http://example.org/federation-metadata.xml" - backingFilePath="federation-metadata.xml" reloadInterval="7200"> - <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> - <MetadataFilter type="Signature" certificate="fedsigner.pem"/> - <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" - attributeName="http://macedir.org/entity-category" - attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" - attributeValue="http://refeds.org/category/hide-from-discovery" /> - </MetadataProvider> - --> - - <MetadataProvider type="XML" validate="true" file="idp-metadata.xml"/> - - <!-- - InCommon - <MetadataProvider type="XML" validate="true" - uri="http://md.incommon.org/InCommon/InCommon-metadata.xml" - backingFilePath="federation-metadata.xml" reloadInterval="7200"> - <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> - <MetdataFilter type="Signature" certificate="inc-md-cert.pem"/> - <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" - attributeName="http://macedir.org/entity-category" - attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" - attributeValue="http://refeds.org/category/hide-from-discovery" /> - </MetadataProvider> - --> - - <!-- Map to extract attributes from SAML assertions. --> - <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/> - - <!-- Use a SAML query if no attributes are supplied during SSO. --> - <AttributeResolver type="Query" subjectMatch="true"/> - - <!-- Default filtering policy for recognized attributes, lets other data pass. --> - <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/> - - <!-- Simple file-based resolvers for separate signing/encryption keys. 
--> - <CredentialResolver type="File" use="signing" - key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/> - <CredentialResolver type="File" use="encryption" - key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/> - - <!-- - The default settings can be overridden by creating ApplicationOverride elements (see - the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic). - Resource requests are mapped by web server commands, or the RequestMapper, to an - applicationId setting. - - Example of a second application (for a second vhost) that has a different entityID. - Resources on the vhost would map to an applicationId of "admin": - --> - <!-- - <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/> - --> - </ApplicationDefaults> - - <!-- Policies that determine how to process and authenticate runtime messages. --> - <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/> - - <!-- Low-level configuration about protocols and bindings available for use. --> - <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/> - -</SPConfig> diff --git a/demo/shibboleth/configs-and-secrets/shibboleth/sp-encrypt-cert.pem b/demo/shibboleth/configs-and-secrets/shibboleth/sp-encrypt-cert.pem deleted file mode 100644 index 7a66196..0000000 --- a/demo/shibboleth/configs-and-secrets/shibboleth/sp-encrypt-cert.pem +++ /dev/null 
@@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID/TCCAmWgAwIBAgIJAINng1bI63LGMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV -BAMTEnNwdGVzdC5leGFtcGxlLmVkdTAeFw0xODEyMjAyMjM4MDJaFw0yODEyMTcy -MjM4MDJaMB0xGzAZBgNVBAMTEnNwdGVzdC5leGFtcGxlLmVkdTCCAaIwDQYJKoZI -hvcNAQEBBQADggGPADCCAYoCggGBAOjmPSBzRsjbPBBA6jYVW+QtsYM5fvIuNErG -VDRvKHyCTNbmdFZ37qEl/fwsrdF4hn4V7fAZ6jW6R1aMGFl1vQyJ289B8l5HOPjf -GuB2gL9IxulOmrkYVN8nfgjlbFNNktMQJ8NprYEyl3o786xCCxx3AiA5Mgdv400L -6vlmEfNHIwsOHAUTNRyCwMS9P6jBJ5IIxD0Mef+3oUjAvVsPZu24EJnzTUasZnI0 -F8aC/YzVbxObBNcymtA2Ipec/gLe1B09eDZUduXPL/as57QWvgJrWj8bCK+Ldj0P -MPSvWzr4BnN58dxaYgCgRH7tnhZudPvCjBakQzkxo/njsRIKtm3lN9UmUYiXbl+e -bu0DSQFUaFfO2hOOUTNAr/QuC+GQL+U7VAdybTbP+KcH5LbNUSqYkxSwhbFz5aym -o5KppnYB9K5iySRWvGIhnwXHNv5yFrmUbet2BPJlMzv7NaePaZ76ypobzNjjNBbg -aNECsQ1ZD9fe2Q8UBe0m2gQP5Yux5QIDAQABo0AwPjAdBgNVHREEFjAUghJzcHRl -c3QuZXhhbXBsZS5lZHUwHQYDVR0OBBYEFGcLIl5kg+GFIh9HXeZyLzsv5e7qMA0G -CSqGSIb3DQEBCwUAA4IBgQAf8/iZXUWtWGMBw2OfonDDWbuhgLnNWddpllcVx7v/ -Yu75+wgfIdNXg6XM4WkGkpbhlkpDLRt2c6rMQpxrQtq/5G3OKEXKyjUOl5pZsYkG -asVENYPSCfuu3rlK85XaW3H1SSJqSax/UKcYXyB1TIW6mNy3OxuvHak6y4LzFnug -CO7p/W2jvffwmxfqjbO7wQfXUQz3SZS04sHMqQoStOwy2N5xxQ3uTF34EoXBto+n -XIEOptKPhV2NkEzj+UUIi1588dck8T0SstbSElbTnJ4sNZFriX6JOPFNW08fezot -izerOHuAFpFQvtugWoZT87YYaFwG+Zr5QNa4fNOcAL+FHvbOfEqIGs+H6GSf0dZV -lkcJyzWZvuK/4RGqWbLvfAYRm0PAGTQSLdO8QJSYWdJtJvZFEMgddQ2HoIzeO5wo -B42FKDSHottI9avilApQBdRCtust8XRPtEAzDB/t/1jbO7u2tkzgY3614mX5xgut -Ileaae5eVCjw4uYbkh+Mt5M= ------END CERTIFICATE----- diff --git a/demo/shibboleth/configs-and-secrets/shibboleth/sp-encrypt-key.pem b/demo/shibboleth/configs-and-secrets/shibboleth/sp-encrypt-key.pem deleted file mode 100644 index 1622ef3..0000000 --- a/demo/shibboleth/configs-and-secrets/shibboleth/sp-encrypt-key.pem +++ /dev/null 
@@ -1,40 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQDo5j0gc0bI2zwQ -QOo2FVvkLbGDOX7yLjRKxlQ0byh8gkzW5nRWd+6hJf38LK3ReIZ+Fe3wGeo1ukdW -jBhZdb0MidvPQfJeRzj43xrgdoC/SMbpTpq5GFTfJ34I5WxTTZLTECfDaa2BMpd6 -O/OsQgscdwIgOTIHb+NNC+r5ZhHzRyMLDhwFEzUcgsDEvT+owSeSCMQ9DHn/t6FI -wL1bD2btuBCZ801GrGZyNBfGgv2M1W8TmwTXMprQNiKXnP4C3tQdPXg2VHblzy/2 -rOe0Fr4Ca1o/Gwivi3Y9DzD0r1s6+AZzefHcWmIAoER+7Z4WbnT7wowWpEM5MaP5 -47ESCrZt5TfVJlGIl25fnm7tA0kBVGhXztoTjlEzQK/0LgvhkC/lO1QHcm02z/in -B+S2zVEqmJMUsIWxc+WspqOSqaZ2AfSuYskkVrxiIZ8Fxzb+cha5lG3rdgTyZTM7 -+zWnj2me+sqaG8zY4zQW4GjRArENWQ/X3tkPFAXtJtoED+WLseUCAwEAAQKCAYBM -3eCC20kbdbAnNSWX4AjKEIKr6sgJKlK78yVLgPx9y4uMydbPyxmJOj7PgfeEUSEi -cB5txj/Up7xvxiErNX7FqqJPj1Zs41jcWtZGCxaHC4AK9JSATpWEaUZhrUbJX6r7 -2jMlfbV0FLyF7U+JJOsB5A1hkT7/0V/Vx/8vfQ6jmnDobym0SxiWZlk1Fbjy+30R -567M71c8nOCwYFyet0CjaMKh7PkuQCw3uRW3wPfqCW91qw438E3ENnnITFpRnDUI -iZIXJSj3Sqcx/W7Q6xei+y95U4tksT3/SQ7hVXp+BhfyjXdK/k0vNzxZfWk9nCD8 -h7HeiQuLPENzrlOwuWtI+gLDIdFplXUJ+/piK3okdstdHJcWcNUelW8yr7JSpv1I -a2KMgHI2F4UVcTYLZrevzxd5a0cpvFW7vmvdw2vFrCb5JsVsmqBu5OLeaVGDIbIA -2SLfJqq12fi2rxk28VtwXXgaCTttSM+8VY7dlT/mPCqX3Sx2eM7EPt6RVHuri4EC -gcEA+3q6Vht60YXNaw7m4BFISntVm4Z2gGFNswLlrgPRHOacaQVMKhpqt3HmNKAT -1MD/a5C60HkUjMB95m2nE4k1Iade8EzUPXD1FvFbE9/+ifNx2OrC8pKrEmRiTmCY -oel45uoXsksNGJynfuRp2TpAVSZrXaIbGKZiMJZv0QZAilVBurZnZyV0jKQYkSFM -FOt60PDJJEqZzG01dvDJxsIYQURtjNscO0R2ncloLXm7qu1/fcP7CAawWgFYyer2 -WEdVAoHBAO0WAhxCvFoev348Wf33lQi9c6w7WN/WEkhNOJ5p4PKsJphSZbt2bjCt -RdRmvahSXeiGrDPuaxoWaQqcXprcu3ndFYBcK2xZpIl/mf0wr1QTEHCkRXzfxRjC -Mmy+yTeKT4L18xKgg6pJn+wC3hwsv2BQPkp+NPJhD2bmVUWorqXq5fiBV2b7lTg0 -q1HHXYtxk22bw7xtstFENGTqa22KwD5Wd6nj9DamLzKhUhOdcJ7yGVu9se7YcGGh -pg57muigUQKBwQD5feH96Zdo5UFN9GPTavH4ivH8sWNBrMeEUNyDTuAYtyX3/zx4 -DOtRAhwsm5/xFGSTV+wvReDAX3zIroLym85ti/phlyd9qWJOl7cPOcvzGuYZGZe9 -RwuX3KW3MphbEiFTnm1SAqmEgG6gMoZc8DDBCbO9GkWdp/yETcuzaWuAkmL6lVpy -97LwkSCaY5lyq8iWIDy915FMQhCn5u2YVhnwLq4s73jLx/mSQy4q57nrM2Kn6FZV 
-uSUetnVbJdOu810CgcBNCzbaWjF9E7rk2dXguwD6Wx5o3MxPyPAeAMIicIPCOIE+ -RKB8n8rFFLm5gT2mokWUF5eENLknPBsccJ4pswtVWavwD4Oo7SST7hxrc9O1/Y/9 -GtTd9JXHKuxZ/FHFM7QM+cHozrKattw6ROBKxZvXP5xOdt7b2QC5TqZtQZinoELl -U5rEg4MFRdBafe//LYRcPR8Jb5iJeqGQHcGVUl6Qo2a1lbc5vx1dVaEncKU1cbUd -4/IbjMhQYchlsnMvn1ECgcEAxwT/UvLwhYeFK6UHRwJ/z1eKGAC8R2B9tlmgddZx -T93qbVq4lZXKw3osqdi+pgWvvmg9aK9r/dO1E93S11msnoTI+W9xTr+y5y9dN/hx -5deQMUK+3woLog6LsGiKE2IamCNQBFkgd4VvhXgG+2pTPYJ9nyuEA+na+tfE6bSa -foJ8KQT1rmRFQYRboBY/xxqtsl6Nh84JK7kCw27NNdhssyuiipfa8NLM4m+yeA6n -/oz8xKl5PKwOrvk2DH+FwaAg ------END PRIVATE KEY----- diff --git a/demo/shibboleth/configs-and-secrets/shibboleth/sp-signing-cert.pem b/demo/shibboleth/configs-and-secrets/shibboleth/sp-signing-cert.pem deleted file mode 100644 index 73aaaab..0000000 --- a/demo/shibboleth/configs-and-secrets/shibboleth/sp-signing-cert.pem +++ /dev/null 
@@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID/TCCAmWgAwIBAgIJAJZqOL69C6nRMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV -BAMTEnNwdGVzdC5leGFtcGxlLmVkdTAeFw0xODEyMjAyMjM4NDhaFw0yODEyMTcy -MjM4NDhaMB0xGzAZBgNVBAMTEnNwdGVzdC5leGFtcGxlLmVkdTCCAaIwDQYJKoZI -hvcNAQEBBQADggGPADCCAYoCggGBANJ1OC6Ql4te2/7PArBkuM/EF1NcQILv7bJa -ecJDGYBVoWgL0a2KQ0XMESusgkVmVjj/jcbtvwIiXI/6BEu815OF6eSZIwxWdQBp -eKbrWTbt07GiGgdXoXot6oMs5a9YXuWLt8pTXrFVMmwXU+ZfWJtuU8OIgm9esAEI -QBHvDVOJtdKdBMWJFa5nUzkaVvA0Fr8r+/FHUvSCnlKOMaUIfTgtoS9AQnaRQ1dV -l39Z2KAh87JYvRIxvbaPaKgar2eGQ+PQD8rqsB5K5wgnADAxYM9Vo0YXSpPH+Fvw -N3EJgURUSEY2E0Jx8JOx368ERNLXx3kfnRxCiZRDkTZF9WP6lBnDwc1WXRwpVCDT -RnF+SIh6IC1Bj/qpkpCD3nri7tycejoeAtVj1YZHWarf9iqdcLYOAWmeyGbFl3hj -v6qcXnIfy1KyHLCAdIrg1TymLovXXKW09pEbVLdsHmLz0h+DxPs4FsinK2AQBMn1 -6u8BJJ/+spCzIQ2QNPcGORh6XemBpQIDAQABo0AwPjAdBgNVHREEFjAUghJzcHRl -c3QuZXhhbXBsZS5lZHUwHQYDVR0OBBYEFPC8rkASWHQxrtCQ4wwtnsJRy6K5MA0G -CSqGSIb3DQEBCwUAA4IBgQCks2nY7YzdIKV02NHD9STWD3yPtEwPYZZ3NBno0WW2 -0rS6cU+fxFx37nY8ULve4cFQkLR8fOO44e1qIuTgLGCauSGTx/Ts/tbmZXbpGTwV -7cjZDCfC7yEFAVrfQFOMNKeQEssuLFj+d4STGLorxsM+2YygdOgohJz0e3xOcmCN -HqEuC9RbzrnLc/A4/mOHKwnwCCg71zA1/Ew9NUoRm2n8IfaONIUaMg9opNiHxX4e -u3UFaaPmn/mInuWYYMXzbIbdlU/XhKvXrujWYWj7anTDWvGQmNEecsQH92SrO0pf -+9WwcWUQTQiWUdq8/OxjXfzs1PrQnSlp0eizgcdKHDKbCUaSuK1i2wdxfEsu5sbZ -AIW0+dXJ2IyzM+0sv2g4DOsXsnSvinGqjr82A54mXGSr7edhPdlQhILFkJfhTwLq -+mjnyQSNe3s24VNeGc76jbHIrkEWuA460QGqz1Fa2CsQo5SH1IkxNIKpBZWt+w2L -dAza/NzYyDruY5IJCrZa9Qw= ------END CERTIFICATE----- diff --git a/demo/shibboleth/configs-and-secrets/shibboleth/sp-signing-key.pem b/demo/shibboleth/configs-and-secrets/shibboleth/sp-signing-key.pem deleted file mode 100644 index 9e979fe..0000000 --- a/demo/shibboleth/configs-and-secrets/shibboleth/sp-signing-key.pem +++ /dev/null 
@@ -1,40 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQDSdTgukJeLXtv+ -zwKwZLjPxBdTXECC7+2yWnnCQxmAVaFoC9GtikNFzBErrIJFZlY4/43G7b8CIlyP -+gRLvNeThenkmSMMVnUAaXim61k27dOxohoHV6F6LeqDLOWvWF7li7fKU16xVTJs -F1PmX1ibblPDiIJvXrABCEAR7w1TibXSnQTFiRWuZ1M5GlbwNBa/K/vxR1L0gp5S -jjGlCH04LaEvQEJ2kUNXVZd/WdigIfOyWL0SMb22j2ioGq9nhkPj0A/K6rAeSucI -JwAwMWDPVaNGF0qTx/hb8DdxCYFEVEhGNhNCcfCTsd+vBETS18d5H50cQomUQ5E2 -RfVj+pQZw8HNVl0cKVQg00ZxfkiIeiAtQY/6qZKQg9564u7cnHo6HgLVY9WGR1mq -3/YqnXC2DgFpnshmxZd4Y7+qnF5yH8tSshywgHSK4NU8pi6L11yltPaRG1S3bB5i -89Ifg8T7OBbIpytgEATJ9ervASSf/rKQsyENkDT3BjkYel3pgaUCAwEAAQKCAYEA -kmBxGQH8RTVO8eTtS95iJC+QwavyOp/BxUDkWtbsj7P/NSyzQ25c59jNQIEVgktx -QOeNpoSJS2S22HTeNAc+MR781MAl/ljLu+OfxQj/3hKAIJZMYDr01tPEvkOl5NUj -+6e3xwNBYzmMfl2jPyGlsUWFAQSbI/bJl44zccXAkQ/A5KHNRc7Yw5qd6aOGQD8a -axCehOxEqEeI8oZvxQcogMBL0V9yWqEiI0Ymvq6w2n+CzdKmflcWSjloYzNcODbL -Ef2+8/fBZhHTS0GLCIqQpK+tZxt4K77DK2p2L9dYuHK7vtWn1j0YIwPqD+QVVtuT -d7BOOmakPj2E7EXq/GvFw8gB/gRLoLuJSq5vvhPrSVuJqWdxDuxSutGgIoN3mQxd -2AjuBXvqwYaZ3UGHZlBYAQx5ICiAGjxv/1zmKp+9OJHge/a1e6Z8jgQcpS7OWNhU -dj6qfs+IiWKEaMM7D8dj4ncoArBpE7/BzlVuJ377cqRx35alMcKlawQWF1YqSDrB -AoHBAPSipCLz4sr3U2jluXehntYsKevWcBtFkEd49Ay5uZTu/aweKWIozjDt7T3L -mjYi+QGpt28MdNmpoofYOmpt+lrc0HWrv+UB9k/qFxfwgZKaXa1nm/VLfK77L4IB -8I9dpjvDi724Xg/JJ1jsGM13+jGEfTQTl4Hi0lZwMydUO+O4oWB4kG9qhF8C+yQc -12CCFH+Da8uwcwM+zCJwRm3qMKceifhEGAuFJ430Rp7cuqlJYfQZ4pVhRxwP6vns -cLCz+QKBwQDcPB5bCjci/HMe0V19HxPrKh0hGPLIRCPAakT8Mz8N2lVAtWDXFL5q -eHskl6cf8RQLfrcUiL+jQvD5VV8I7BkolCv0GZT/q36I/Z1QKlQC1O0IGG/hNqwt -PS85YM6yC84YIKx0rN6O03/nYcslRv19q+MNiR9sZEeN6cScUc6aUINhWjzQ4mb8 -Z9ErguJrq0sCoAVU+t/yRo/YB/d2xdN9XLe+2cgsM6s0TiHo4v2SeFHKewBw+RLp -yrShY6COzg0CgcEA0EFwt2ylgiGgeSkvhV8qJ6s7GNDZaO4EUEPwhrDJAredbhvT -IQQZ29+AWl3sbu/AySCgzsFs7CsT+M8jk50CRr26HKJUXvEXrZpbhH6y34nX+5m7 -U8uqXg/ptqROFM4liLUETkMYmBmnDHUY/DmJ3QOrzlxrWyAr7XfgpDd6MHbpsoWQ -d7jW7UdNYsXGuBqktpS7fJA+qOGZyCuKWWHHf01pKNdXHN+C976fK/g+U4TsBXDP 
-ylkgvwvx/kbA/DyJAoHAQxXA/WRYNT0G6B1ISAO+coTKiLlrwtsWtNbqGpSVoWef -Tm2xiPKVqiL3B8d2LgGmZHX92LBrB5UtiBWcNECOzVCNLvbX7yVTDvGKCNBL9Ozd -Ivkmo0ifG8ymZOj7LTrxVWImhgfeZ00/icC9O6arMqu4Jvhc7QyCy1SpAiDdOR5L -Vs1A9zPvwPTyvzlINRnhaHRMC32717XsvRZ4J+LMsEQc6HK4SdaXUQB3zdPO/93M -tEvRb5g/TZ3kdcC+OKHFAoHAO9R3y6ZjUM8T8/4XcyRD968V4sZIvVQfpSaH86GO -TrECZp5SqSWUTqAWTJWS0yIctAML60nWF+OPRUlrq0yk2veN9Re6eWfyoyQOFd92 -U+bxh3QEue5LGOwpqrPV/1cJSFdv88eS+F8q7i/dD765Tio6kJjKzXPN3FJqAvNB -lAnaO4Apbuzob25Qkmm0NVQHap+TJGJMvX2vVX9CjE6haVWq1lJMakkoQOeIlyi5 -iDjt9rDlIwDYeGWk4KFgsKM7 ------END PRIVATE KEY----- diff --git a/demo/shibboleth/directory/Dockerfile b/demo/shibboleth/directory/Dockerfile deleted file mode 100644 index ada659b..0000000 --- a/demo/shibboleth/directory/Dockerfile +++ /dev/null 
@@ -1,30 +0,0 @@
-FROM centos:centos7
-
-LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
-
-RUN yum install -y epel-release \
- && yum update -y \
- && yum install -y 389-ds-base 389-admin 389-adminutil \
- && yum clean all \
- && rm -rf /var/cache/yum
-
-COPY container_files/seed-data/ /seed-data/
-
-RUN useradd ldapadmin \
- && rm -fr /var/lock /usr/lib/systemd/system \
- # The 389-ds setup will fail because the hostname can't reliable be determined, so we'll bypass it and then install. \
- && sed -i 's/checkHostname {/checkHostname {\nreturn();/g' /usr/lib64/dirsrv/perl/DSUtil.pm \
- # Not doing SELinux \
- && sed -i 's/updateSelinuxPolicy($inf);//g' /usr/lib64/dirsrv/perl/* \
- # Do not restart at the end \
- && sed -i '/if (@errs = startServer($inf))/,/}/d' /usr/lib64/dirsrv/perl/* \
- && setup-ds.pl --silent --file /seed-data/ds-setup.inf \
- && /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir \
- && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
- ldapadd -H ldap:/// -f /seed-data/users.ldif -x -D "cn=Directory Manager" -w password
-
-EXPOSE 389
-
-# temporary!
-
-CMD rm -rf /var/lock/dirsrv/slapd-dir/server/* && /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir && sleep infinity
diff --git a/demo/shibboleth/directory/container_files/seed-data/ds-setup.inf b/demo/shibboleth/directory/container_files/seed-data/ds-setup.inf
deleted file mode 100644
index 96c29a1..0000000
--- a/demo/shibboleth/directory/container_files/seed-data/ds-setup.inf
+++ /dev/null
@@ -1,28 +0,0 @@
-[General]
-AdminDomain = internet2.edu
-ConfigDirectoryAdminID = admin
-ConfigDirectoryAdminPwd = admin
-ConfigDirectoryLdapURL = ldap://localhost:389/o=NetscapeRoot
-FullMachineName = localhost
-ServerRoot = /usr/lib64/dirsrv
-SuiteSpotGroup = nobody
-SuiteSpotUserID = nobody
-
-[admin]
-Port = 9830
-ServerAdminID = admin
-ServerAdminPwd = admin
-ServerIpAddress = 0.0.0.0
-SysUser = nobody
-
-[slapd]
-AddOrgEntries = No
-AddSampleEntries = No
-InstallLdifFile = suggest
-RootDN = cn=Directory Manager
-RootDNPwd = password
-ServerIdentifier = dir
-ServerPort = 389
-SlapdConfigForMC = yes
-Suffix = dc=internet2,dc=edu
-UseExistingMC = No
diff --git a/demo/shibboleth/directory/container_files/seed-data/users.ldif b/demo/shibboleth/directory/container_files/seed-data/users.ldif
deleted file mode 100644
index 1d57238..0000000
--- a/demo/shibboleth/directory/container_files/seed-data/users.ldif
+++ /dev/null
@@ -1,24 +0,0 @@
-dn: cn=admin,dc=internet2,dc=edu
-objectClass: simpleSecurityObject
-objectClass: organizationalRole
-cn: admin
-userPassword: password
-description: LDAP administrator
-
-dn: cn=users,ou=Groups,dc=internet2,dc=edu
-objectClass: groupOfUniqueNames
-objectClass: top
-uniqueMember: uid=banderson,ou=People,dc=internet2,dc=edu
-uniqueMember: uid=jsmith,ou=People,dc=internet2,dc=edu
-cn: users
-
-dn: uid=administrator,ou=People,dc=internet2,dc=edu
-objectClass: organizationalPerson
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-givenName: Administrator
-uid: administrator
-sn: Administrator
-cn: Administrator
-userPassword: password
diff --git a/demo/shibboleth/docker-compose-tests.yml b/demo/shibboleth/docker-compose-tests.yml
deleted file mode 100644
index 25a28a4..0000000
--- a/demo/shibboleth/docker-compose-tests.yml
+++ /dev/null
@@ -1,116 +0,0 @@ -# Version for running Bats tests. -# Minimizes the number of ports mapped to localhost, to avoid collisions during testing. - -version: "3.3" - -services: - - midpoint_data: - image: tier/mariadb:mariadb10 - expose: - - 3306 - networks: - - net - volumes: - - midpoint_mysql:/var/lib/mysql - - midpoint_data:/var/lib/mysqlmounted - environment: - - CREATE_NEW_DATABASE=if_needed - - midpoint_server: - build: ./midpoint_server/ - ports: - - 8443:443 - environment: - - ENV - - USERTOKEN - - REPO_DATABASE_TYPE - - REPO_JDBC_URL - - REPO_HOST - - REPO_PORT - - REPO_DATABASE - - REPO_USER - - REPO_MISSING_SCHEMA_ACTION - - REPO_UPGRADEABLE_SCHEMA_ACTION - - REPO_SCHEMA_VERSION_IF_MISSING - - REPO_SCHEMA_VARIANT - - MP_MEM_MAX - - MP_MEM_INIT - - MP_JAVA_OPTS - - TIER_BEACON_OPT_OUT - - TIMEZONE - networks: - - net - secrets: - - mp_database_password.txt - - mp_keystore_password.txt - - mp_host-key.pem - - mp_shibboleth_sp_keys.jks - volumes: - - midpoint_home:/opt/midpoint/var - - type: bind - source: ./configs-and-secrets/midpoint/shibboleth/idp-metadata.xml - target: /etc/shibboleth/idp-metadata.xml - - type: bind - source: ./configs-and-secrets/midpoint/shibboleth/shibboleth2.xml - target: /etc/shibboleth/shibboleth2.xml - - type: bind - source: ./configs-and-secrets/midpoint/shibboleth/attribute-map.xml - target: /etc/shibboleth/attribute-map.xml - - type: bind - source: ./configs-and-secrets/midpoint/httpd/host-cert.pem - target: /etc/pki/tls/certs/host-cert.pem - - type: bind - source: ./configs-and-secrets/midpoint/httpd/host-cert.pem - target: /etc/pki/tls/certs/cachain.pem - - type: bind - source: ./configs-and-secrets/midpoint/httpd/00-shib.conf - target: /etc/httpd/conf.modules.d/00-shib.conf - - type: bind - source: ./configs-and-secrets/midpoint/httpd/midpoint-shib.conf - target: /etc/httpd/conf.d/midpoint-shib.conf - - type: bind - source: ./configs-and-secrets/midpoint/httpd/vhosts.conf - target: /etc/httpd/conf.d/vhosts/vhosts.conf - - 
directory: - build: ./directory/ - expose: - - 389 - networks: - - net - volumes: - - ldap:/var/lib/dirsrv - - idp: - build: ./idp/ - depends_on: - - directory - ports: - - 443:443 - environment: - - JETTY_MAX_HEAP=64m - - JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=password - - JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=password - networks: - - net - -networks: - net: - driver: bridge - -secrets: - mp_host-key.pem: - file: ./configs-and-secrets/midpoint/httpd/host-key.pem - mp_database_password.txt: - file: ./configs-and-secrets/midpoint/application/database_password.txt - mp_keystore_password.txt: - file: ./configs-and-secrets/midpoint/application/keystore_password.txt - mp_shibboleth_sp_keys.jks: - file: ./configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks - -volumes: - midpoint_mysql: - midpoint_data: - midpoint_home: - ldap: diff --git a/demo/shibboleth/docker-compose.yml b/demo/shibboleth/docker-compose.yml deleted file mode 100644 index 3817e6b..0000000 --- a/demo/shibboleth/docker-compose.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -version: "3.3" - -services: - - midpoint_data: - image: tier/mariadb:mariadb10 - ports: - - 3306:3306 - networks: - - net - volumes: - - midpoint_mysql:/var/lib/mysql - - midpoint_data:/var/lib/mysqlmounted - environment: - - CREATE_NEW_DATABASE=if_needed - - midpoint_server: - build: ./midpoint_server/ - command: /usr/local/bin/startup.sh - ports: - - 8443:443 - environment: - - ENV - - USERTOKEN - - REPO_DATABASE_TYPE - - REPO_JDBC_URL - - REPO_HOST - - REPO_PORT - - REPO_DATABASE - - REPO_USER - - REPO_MISSING_SCHEMA_ACTION - - REPO_UPGRADEABLE_SCHEMA_ACTION - - REPO_SCHEMA_VERSION_IF_MISSING - - REPO_SCHEMA_VARIANT - - MP_MEM_MAX - - MP_MEM_INIT - - MP_JAVA_OPTS - - TIER_BEACON_OPT_OUT - - TIMEZONE - networks: - - net - secrets: - - mp_database_password.txt - - mp_keystore_password.txt - - mp_host-key.pem - - mp_shibboleth_sp_keys.jks - volumes: - - midpoint_home:/opt/midpoint/var - - type: bind - source: ./configs-and-secrets/midpoint/shibboleth/idp-metadata.xml - target: /etc/shibboleth/idp-metadata.xml - - type: bind - source: ./configs-and-secrets/midpoint/shibboleth/shibboleth2.xml - target: /etc/shibboleth/shibboleth2.xml - - type: bind - source: ./configs-and-secrets/midpoint/shibboleth/attribute-map.xml - target: /etc/shibboleth/attribute-map.xml - - type: bind - source: ./configs-and-secrets/midpoint/httpd/host-cert.pem - target: /etc/pki/tls/certs/host-cert.pem - - type: bind - source: ./configs-and-secrets/midpoint/httpd/host-cert.pem - target: /etc/pki/tls/certs/cachain.pem - - type: bind - source: ./configs-and-secrets/midpoint/httpd/00-shib.conf - target: /etc/httpd/conf.modules.d/00-shib.conf - - type: bind - source: ./configs-and-secrets/midpoint/httpd/midpoint-shib.conf - target: /etc/httpd/conf.d/midpoint-shib.conf - - type: bind - source: ./configs-and-secrets/midpoint/httpd/vhosts.conf - target: /etc/httpd/conf.d/vhosts/vhosts.conf - - directory: - build: ./directory/ - ports: - - 389:389 - networks: - - net - volumes: - - 
ldap:/var/lib/dirsrv - - idp: - build: ./idp/ - depends_on: - - directory - ports: - - 443:443 - environment: - - JETTY_MAX_HEAP=64m - - JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=password - - JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=password - networks: - - net - -networks: - net: - driver: bridge - -secrets: - mp_host-key.pem: - file: ./configs-and-secrets/midpoint/httpd/host-key.pem - mp_database_password.txt: - file: ./configs-and-secrets/midpoint/application/database_password.txt - mp_keystore_password.txt: - file: ./configs-and-secrets/midpoint/application/keystore_password.txt - mp_shibboleth_sp_keys.jks: - file: ./configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks - -volumes: - midpoint_mysql: - midpoint_data: - midpoint_home: - ldap: diff --git a/demo/shibboleth/idp/Dockerfile b/demo/shibboleth/idp/Dockerfile deleted file mode 100644 index 4968448..0000000 --- a/demo/shibboleth/idp/Dockerfile +++ /dev/null @@ -1,5 +0,0 @@ -FROM tier/shib-idp:3.4.6_20191002 - -LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" - -COPY shibboleth-idp/ /opt/shibboleth-idp/ diff --git a/demo/shibboleth/idp/shibboleth-idp/credentials/idp-backchannel.crt b/demo/shibboleth/idp/shibboleth-idp/credentials/idp-backchannel.crt deleted file mode 100644 index c1f8fab..0000000 --- a/demo/shibboleth/idp/shibboleth-idp/credentials/idp-backchannel.crt +++ /dev/null 
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy -MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH -YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M -SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2 -03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No -5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+ -XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud -DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac -ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98 -NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl -j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP -IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E -t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM= ------END CERTIFICATE----- diff --git a/demo/shibboleth/idp/shibboleth-idp/credentials/idp-backchannel.p12 b/demo/shibboleth/idp/shibboleth-idp/credentials/idp-backchannel.p12 deleted file mode 100644 index 112540a..0000000 Binary files a/demo/shibboleth/idp/shibboleth-idp/credentials/idp-backchannel.p12 and /dev/null differ diff --git a/demo/shibboleth/idp/shibboleth-idp/credentials/idp-browser.p12 b/demo/shibboleth/idp/shibboleth-idp/credentials/idp-browser.p12 deleted file mode 100644 index 032be0b..0000000 Binary files a/demo/shibboleth/idp/shibboleth-idp/credentials/idp-browser.p12 and /dev/null differ diff --git a/demo/shibboleth/idp/shibboleth-idp/credentials/idp-encryption.crt b/demo/shibboleth/idp/shibboleth-idp/credentials/idp-encryption.crt deleted file mode 100644 index 15d764f..0000000 
--- a/demo/shibboleth/idp/shibboleth-idp/credentials/idp-encryption.crt +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy -MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD -cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ -l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG -ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8 -9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX -VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud -DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni -QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN -jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r -xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8 -+PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H -p+tGUbGS2l873J5PrsbpeKEVR/IIoKo= ------END CERTIFICATE----- diff --git a/demo/shibboleth/idp/shibboleth-idp/credentials/idp-encryption.key b/demo/shibboleth/idp/shibboleth-idp/credentials/idp-encryption.key deleted file mode 100644 index 8bb5cc6..0000000 --- a/demo/shibboleth/idp/shibboleth-idp/credentials/idp-encryption.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAgV79KN35k/Ipbsi4yeJQQFQlvmUVchFz2ELkYu73w3DuGund -ZMYiS7GitFvPFTcYxUEa/D4A5Fq9vL8KB9a4JOKS7LMyw+PAwcw/eNqXiZf0uhZ7 -CCY5mh3AYeKWzYVOMqMLut4ipL7ba3GQBG6RK6OmfAs4lhMfLMsKGmBEBonz5K/T -kVegp97cavvYDAXjxuNRq7Wa1BiLvsa53S9EoYeD6tHqv/TALFZSCFxGvPVnx/Cd -pBXEzn6FrSHO9G+0y2ULMeGJzXJ6xi0lBHLLRcjy1/l7b+UjWRfPTjiMV1TYzb4B -OQ2yW/YTDOFABaiPtW6PUKrccE4Y3P7DryMczQIDAQABAoIBAF/IflMllcUtw/Nb -9USzpIscQh2nJaugtE5nqER/fT1cfU273Mjh0T6NtFMorjec5WAWBe6/0VVAwb3f -C4QmO4xDnFhXjLxwAaT6nfvSi+O5d93XCxxLgNZUNL3ET7a2feELyoF+OdQT4sy3 -9dLyMdVHgtnQTQMAAVLeuQoyP+s+Zax4Gca6ln8QxIIvDoD7NITnpl8887Hghhzl -CvKtRiPRtoI2JTXWgWuLI6xXfVsDvFT+Up+ki9TMLWLACcmMU1d+lUBOKIqhhQHG -+np9iKxVausJwYaLwwT3h8SItNon7ltbV6kcqyZxMAA+uN8CVgIb5UaUrlW7Nvze -1iUNudkCgYEAxpnBg8YxdEHFSMTqjEOYapn18cs3n32EBPtvPaUcvw3mGC1+ZVx1 -9WqnVsgykBOWI0qSBVF7Kke8yOqgqWtYQUFqLiMgCC9e/QcXnrm/bzAmKDgLVcCR -KzgqU2ECQDkNSS0qeODjLGX4SEabDbLhN59WykHKM0i/RcrbhuvT1BcCgYEApsMD -TFQBaiaEmLVm252piZf8b5g3DrUHeqGktHkHXTW4Iyyn8zEknoiCosk/Tej73zga -cTT3zQgEh63DMC9Ag8IbIJiDpYLMkt1QvZYtq95E/94GVEfRRok6/pyagGYB351R -PXcykrDyy26FSofmtaXU37Wxaj3ow+WROaPgULsCgYEArFoFScG3a2gkuRlDX8TN -wj2o5lTxCbWY2+YEzR+8icWbGQJqPbb3G6uaW8LTtpt44Vm2zWzAEZo+KLMOCNmC -tub5Kd8Lzm6l5brA8dvLWcgUZTT2CU5b7YEJomB+3pNkh0vuHwczv3Ui+j5kE4hY -0bezT0W3H7iTXhNFXprMs7MCgYEAlIZn75l6URLRUjluzPdVQoktei72CpFNgflp -+ps45dmskRd61mzUkqY+w8G+MiPqANu1IVLtyZz0e+tVRxsuuKsvAg8UYVtn3P5k -pRaWwtaKWeFjfbkhOVOMSa0tJmK0FHfHHZmGX4ReGrXq3YDBCNQUDtOCmn9dSuyy -NcYxSXUCgYB+yo6dg8nyHDSqKDdrQQiAKv7jNsbecQ/rYrt8l0n9FBiwn5R7v6kp -afsimCVou5i06L2Cr5Xs+XSf11KVkDh+qM70ZFubWEsHCDrS1KrxUzfFbrQczKof -qX7ZsBuOT72RwVEa8fpT6IZ6IpOOEPmUid/f2VM2aAcXgaF//vMjxA== ------END RSA PRIVATE KEY----- diff --git a/demo/shibboleth/idp/shibboleth-idp/credentials/idp-signing.crt b/demo/shibboleth/idp/shibboleth-idp/credentials/idp-signing.crt deleted file mode 100644 index 6a032c1..0000000 --- a/demo/shibboleth/idp/shibboleth-idp/credentials/idp-signing.crt +++ /dev/null 
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB -CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx -MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g -u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2 -Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ -Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+ -MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs -uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV -HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl -ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB -CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X -sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s -RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ -Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B -DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i -s00xrv14zLifcc8oj5DYzOhYRifRXgHX ------END CERTIFICATE----- diff --git a/demo/shibboleth/idp/shibboleth-idp/credentials/idp-signing.key b/demo/shibboleth/idp/shibboleth-idp/credentials/idp-signing.key deleted file mode 100644 index 011c27c..0000000 --- a/demo/shibboleth/idp/shibboleth-idp/credentials/idp-signing.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7gu6eo4dua -eLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2Z6dzJsul -JZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJCb/Q6dYz -RWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+MNkv6aId -cHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBsuYlY7lEr -89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABAoIBAGpInLarQ0+X+ZXK -+aoC+tNO9DUiHq/z2OD4ALGhXSTvr4mgBWNWTkc0F+qJD8MlM8zNkJxaoNGTyLjY -Z95NQJPXAx2k15HwCENdulvV1oiX0dkTjgmscRmj6FwNAZ0EnWtien45mxZHxEyW -FkbB9+OHc6JzNvzG9ps1Vk1FtFtO8w4exXuJVATJeArQmMvAUHMJYPb7Qs+/NX9R -RlDvFfXDzQv5eAzudT1SyFSa5W+Bsw6BtEoeiqdp+xQh4yc733nwN7KG2Z/TpGse -jVe6akbULuCXOe9uPa7kv8hnQEUH38QVlIw8pK1SsgNq7S0U44WU5uF8gbDBYle/ -OoPBvSECgYEAvCwVEa8ryLzee5FaX4PBxk10lEl/Yp9jC88wPUQ+ZpfniIIQIfwl -csRE9D3/dJOVAxw/Ac32F72SLVDzLabAhlBRINYLB0ZkVuJi1CIoDHIf9nfh/pOx -b96VMUe/mpAL4hZnZkmBKjesX5URPEKtBD0aSeCw9aFqhORjRrxCJg0CgYEAuNaD -LOuTPKsC6nxRtiL9r0CA5gCCdpALxwJA7wHAeh03i5xmy61i4iOMaunxKZhG+nzz -PhcI8Uhwwk+l3tbYAf1rrtmMKNcyjy+UqWXGt4ZkWFlIyIungyLiH9L32IMhXNF0 -fBgOZNtFTmQBU18a78uIir9xASUbtaakzOtJ2+cCgYAgfawVpZ11x8bSp0Jng6SN -zQn4IMiyCrtbaqb1rTbpGAmOdIa8l4EP0/vkAGB/jIwKQXJPqXR4nO8EjBmxJD3R -80RO2yaEVw80QVq3Lj6kB4ClWgXXo0DcBB7Wp4DZ+01R+HRaIQ8AbySATIjxUsH1 -HWfQoc9sWja+Q4Ew0YjKcQKBgGLoPsdBw8b6B5RsM9lPvgoSbScmbKl/CR5TwWVj -vZhanAd0CLnCrSAvP4tSZf8JAio1xH+cGefrCJOhxTOKKYpfDklBFjQge2iNYHKJ -CJ3aJ0XzePP/bwLIHtJCtOdBvA+L8VYaFVG418xLzT3MrYBVnFoKeTDQp5Q7eQJC -gYJPAoGBAKHcuXWzvXoHKnOg8Ljg2xZ6/SfjwNDIIrpXVTAQifmK3q4+Ua2Q+Cjq -97tPMxF2bVRcbnCSNKpTMOTrsWs8Z3GpMyCh6XgYMSlclXusDVUkRkPpWj8hVTR4 -opm/rxS83hCrTsIX3Il3T8Fpb97kdF+unCiWEaxrPEurjW8lB506 ------END RSA PRIVATE KEY----- diff --git a/demo/shibboleth/idp/shibboleth-idp/credentials/sealer.jks b/demo/shibboleth/idp/shibboleth-idp/credentials/sealer.jks deleted file mode 100644 index 89957e0..0000000 Binary files a/demo/shibboleth/idp/shibboleth-idp/credentials/sealer.jks and /dev/null differ 
diff --git a/demo/shibboleth/idp/shibboleth-idp/credentials/sealer.kver b/demo/shibboleth/idp/shibboleth-idp/credentials/sealer.kver
deleted file mode 100644
index d64b0e4..0000000
--- a/demo/shibboleth/idp/shibboleth-idp/credentials/sealer.kver
+++ /dev/null
@@ -1,2 +0,0 @@
-#Fri Dec 11 02:20:32 UTC 2015
-CurrentVersion=1
diff --git a/demo/shibboleth/idp/shibboleth-idp/metadata/idp-metadata.xml b/demo/shibboleth/idp/shibboleth-idp/metadata/idp-metadata.xml
deleted file mode 100644
index 65db47e..0000000
--- a/demo/shibboleth/idp/shibboleth-idp/metadata/idp-metadata.xml
+++ /dev/null
@@ -1,207 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - This is example metadata only. Do *NOT* supply it as is without review, - and do *NOT* provide it in real time to your partners. - - This metadata is not dynamic - it will not change as your configuration changes. ---> -<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://idptestbed/idp/shibboleth"> - - <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0"> - - <Extensions> - <shibmd:Scope regexp="false">example.org</shibmd:Scope> -<!-- - Fill in the details for your IdP here - - <mdui:UIInfo> - <mdui:DisplayName xml:lang="en">A Name for the IdP at idptestbed</mdui:DisplayName> - <mdui:Description xml:lang="en">Enter a description of your IdP at idptestbed</mdui:Description> - <mdui:Logo height="80" width="80">https://localhost/Path/To/Logo.png</mdui:Logo> - </mdui:UIInfo> ---> - </Extensions> - - <KeyDescriptor use="signing"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy -MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH -YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M -SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2 -03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No -5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+ -XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud -DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL 
-BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac -ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98 -NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl -j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP -IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E -t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM= - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - <KeyDescriptor use="signing"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB -CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx -MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g -u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2 -Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ -Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+ -MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs -uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV -HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl -ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB -CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X -sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s -RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ -Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B -DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i -s00xrv14zLifcc8oj5DYzOhYRifRXgHX - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - <KeyDescriptor use="encryption"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy -MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB 
-AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD -cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ -l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG -ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8 -9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX -VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud -DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni -QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN -jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r -xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8 -+PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H -p+tGUbGS2l873J5PrsbpeKEVR/IIoKo= - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - - <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat> - <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat> - - <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://localhost/idp/profile/Shibboleth/SSO"/> - <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/idp/profile/SAML2/POST/SSO"/> - <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost/idp/profile/SAML2/POST-SimpleSign/SSO"/> - <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/idp/profile/SAML2/Redirect/SSO"/> - - </IDPSSODescriptor> - - - <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"> - - <Extensions> - <shibmd:Scope regexp="false">localhost</shibmd:Scope> - </Extensions> - - <KeyDescriptor use="signing"> - <ds:KeyInfo> - <ds:X509Data> - 
<ds:X509Certificate> -MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy -MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH -YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M -SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2 -03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No -5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+ -XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud -DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac -ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98 -NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl -j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP -IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E -t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM= - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - <KeyDescriptor use="signing"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB -CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx -MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g -u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2 -Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ -Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+ -MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs -uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV -HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl 
-ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB -CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X -sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s -RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ -Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B -DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i -s00xrv14zLifcc8oj5DYzOhYRifRXgHX - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - <KeyDescriptor use="encryption"> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate> -MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy -MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD -cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ -l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG -ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8 -9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX -VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud -DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni -QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN -jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r -xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8 -+PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H -p+tGUbGS2l873J5PrsbpeKEVR/IIoKo= - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - - </KeyDescriptor> - - - <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://localhost:8443/idp/profile/SAML1/SOAP/AttributeQuery"/> - <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
Location="https://localhost:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
- <!-- If you uncomment the above you should add urn:oasis:names:tc:SAML:2.0:protocol to the protocolSupportEnumeration above -->
-
- </AttributeAuthorityDescriptor>
-
-</EntityDescriptor>
diff --git a/demo/shibboleth/midpoint_server/Dockerfile b/demo/shibboleth/midpoint_server/Dockerfile
deleted file mode 100644
index 34ce0cd..0000000
--- a/demo/shibboleth/midpoint_server/Dockerfile
+++ /dev/null
@@ -1,9 +0,0 @@
-FROM tier/midpoint:latest
-
-MAINTAINER info@evolveum.com
-
-ENV MP_DIR /opt/midpoint
-
-VOLUME ${MP_DIR}/var
-
-COPY container_files/mp-home/ ${MP_DIR}/var/
diff --git a/demo/shibboleth/midpoint_server/container_files/httpd/host-cert.pem b/demo/shibboleth/midpoint_server/container_files/httpd/host-cert.pem
deleted file mode 100644
index 9b1021b..0000000
--- a/demo/shibboleth/midpoint_server/container_files/httpd/host-cert.pem
+++ /dev/null
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDqDCCApCgAwIBAgIJAMOSkn4oS2aAMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNV -BAYTAlVTMQswCQYDVQQIDAJNSTESMBAGA1UEBwwJQW5uIEFyYm9yMRcwFQYDVQQK -DA5JbnRlcm5ldDIvVElFUjEgMB4GA1UEAwwXbWlkcG9pbnQuc3AuZXhhbXBsZS5v -cmcwHhcNMTgwOTE0MDU1OTQ1WhcNMTkwOTE0MDU1OTQ1WjBpMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEXMBUGA1UECgwOSW50 -ZXJuZXQyL1RJRVIxIDAeBgNVBAMMF21pZHBvaW50LnNwLmV4YW1wbGUub3JnMIIB -IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApj/b7MEUSfu3oXMfNgRwTse7 -a5UV7Jswf1M/ZN/ZZkAkIxNBevZgozjesvLPWrmsTgONi7XigJUJvCjdjmlW9eDM -lri/rkD8HuOR1DQCVKL9nvoS2c3D7sq5Emda3V8Tlj82VqfEmePd3sajx7mcTfbH -8jwAL9NhkC+WMib5IpjLGpG0FEAC0ha7Lxb+7jIiqHVJaqLXJGCyGN4mh6c1Q9S1 -f8RVTiW2a8x22G+9wnZYbkiA2Kxls177imHlhSz8EdvV4IpGw1amrEWhhuDEum7B -vZ1xQDLatgRqh4qAKLIVYeRnJ8H1FelMa90qB4G08MIPifmTsQwqJyBYaEdgWQID -AQABo1MwUTAdBgNVHQ4EFgQUqb9BteODF6wv5R57aEON/wGXMiowHwYDVR0jBBgw -FoAUqb9BteODF6wv5R57aEON/wGXMiowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG -9w0BAQsFAAOCAQEAAcKhxI+tSItrXmqC0PSmgWyAYpqbkz6W/cefTutXqhIgY09f -h0LSv7ogTahoGpyiZk9vy6u3OE9bYwxapEfa4KBjO6HxBMIVBBb3RegVjoPzjElN -BDwAx0VGFcZTXwMxDWycWdG8ql7rCZBvS50w04uTaIgnGmqXAdWWmBgfJ9cRbxW+ -JwO/mOl1QM1lR/5142NpvuUVWlmZSKEGydE5A1qPz2wpDbBR1ym1BQNS4NEqw6Kp -GSB8jKyCS1Ve0v2wVze2038Wukz02dq9uKPTIO3T+B+ibZmxn6Op/kFCc1/kK5NS -Q6JdO1B6KquGAYdGmKAcQ19mv+jqGktqWEEf0g== ------END CERTIFICATE----- diff --git a/demo/shibboleth/midpoint_server/container_files/httpd/host-key.pem b/demo/shibboleth/midpoint_server/container_files/httpd/host-key.pem deleted file mode 100644 index 5746e59..0000000 --- a/demo/shibboleth/midpoint_server/container_files/httpd/host-key.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmP9vswRRJ+7eh -cx82BHBOx7trlRXsmzB/Uz9k39lmQCQjE0F69mCjON6y8s9auaxOA42LteKAlQm8 -KN2OaVb14MyWuL+uQPwe45HUNAJUov2e+hLZzcPuyrkSZ1rdXxOWPzZWp8SZ493e -xqPHuZxN9sfyPAAv02GQL5YyJvkimMsakbQUQALSFrsvFv7uMiKodUlqotckYLIY -3iaHpzVD1LV/xFVOJbZrzHbYb73CdlhuSIDYrGWzXvuKYeWFLPwR29XgikbDVqas -RaGG4MS6bsG9nXFAMtq2BGqHioAoshVh5GcnwfUV6Uxr3SoHgbTwwg+J+ZOxDCon -IFhoR2BZAgMBAAECggEAEIRBpjjceiku6jRUwnoYaks/nIWYQwR8AfpUTwJKR/VR -Yca097Fokm7A+UhUP3A45RtHQb0VPq8P44iv0kk24YCu8r5yFK7SHYOAZnOwU5ZJ -2jSAEPF3aM7tKh3okhuzB3dKP7u1NZDE5zAW723KUJiW7sL1RcsbY0bHBj6G+9/H -NplmsjuGt684vRBB0qOBfKF7EiG7mT69tHuNj4gRza9SMY31UtKbZdt2fNY6mp5V -HscMba7egZP+Ke0pVX4+go9j7K8GG8hYaQDLjrzlPqrxZ2c5X9cC+CRDI/CHuL/s -V/2yGZJ6n6UabwZoH83RdFrbQ94rU8Hkli6EvxXvMQKBgQDRpheNW5jDG5TfeJKh -yfKTDQqH2Tk3BsBYYBN7Hf3m7vbkzlxnAKJAoSLmtRMuoeXvI5MrhzaHGsNIUS76 -LDIZnvB7DLUxhFUZsCPkpAA1QHuTWY96oR3PHnPjpk8lSUvtbOPwDLdzVApeFJgZ -VqMNArZ7AHsK3Kkyi+f4WVQjbQKBgQDLAWiGb5dx6fAM2W6B6HjNmzjBWOuVEXa2 -76to9jzupBZmETfZgxtWUaWUDuNS+f7dtVUTE+p6v/w8clrHEhEZYkqunIOLo/UA -LFPiuoTfEsWb1rh+nsCjCgy4uimixj/bSkf7NC6NyKTvCygA1mGnVVJUEPegYlDy -LXCkaKWxHQKBgQCmyHSKL2lrJkEcOwakEU2acNCE3Gno/cT9SYmV83kvQ8JEqmrW -QqnRsp9aXIljGscapPmKsmnNt5vNp1AxFAHTYh88NRLczsMIyZj0ZwgHVUI6KhC7 -5Psa78YQQBlMt2/g9TSsnuE+rYgF6mpKFiNm0Vasqeg47uzn2mdzqlUGTQKBgE04 -JutkTUY+h1pL5vYxWKpVDfy19z7H2tFxT1FowPrBneeLSyRI88Ac5I/yLdRlVeY9 -0LOmEr5Igwj3MsKgg7KVKfVLgdo/LrW3Jt2Kt3onKNXDkoBPoNUjwH0QC0Boiue+ -VK0gR0kVdm+bXccbxR+im+NwZNE0NLg6Qqu3RredAoGBALuVoqbPPmTCZXYG328H -bzOs2aiR7BzPSVByV+qG6jW7w03RAnFPJZp7HMU+ViI5VY0wabUscMSvz5163+gM -4KwY3v9ZjZzZGukIfLuudkdqtaiVOx/KeAC0n+nG21YU+wpZww8gkfHh1/sa2CME -CWYCgOnmiTHcj83UaTqEXtmv ------END PRIVATE KEY----- 
diff --git a/demo/shibboleth/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml b/demo/shibboleth/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml
deleted file mode 100644
index 4abf399..0000000
--- a/demo/shibboleth/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml
+++ /dev/null
@@ -1,169 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" - xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"> - <securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="00000000-0000-0000-0000-000000000120" version="2"> - <name>Default Security Policy</name> - <authentication> - <modules> - <loginForm> - <name>internalLoginForm</name> - <description>Internal username/password authentication, default user password, login form</description> - </loginForm> - <httpBasic> - <name>internalBasic</name> - <description>Internal username/password authentication, using HTTP basic auth</description> - </httpBasic> - <saml2> - <name>mySamlSso</name> - <description>My internal enterprise SAML-based SSO system.</description> - <network> - <readTimeout>10000</readTimeout> - <connectTimeout>5000</connectTimeout> - </network> - <serviceProvider> - <entityId>midpointdemo-shibboleth</entityId> - <signRequests>true</signRequests> - <wantAssertionsSigned>true</wantAssertionsSigned> - <singleLogoutEnabled>true</singleLogoutEnabled> - <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId> - <keys> - <activeKeyStoreKey> - <keyStorePath>/etc/pki/mp/sp-shibboleth-keys.jks</keyStorePath> - <keyStorePassword> - <t:clearValue>changeit</t:clearValue> - </keyStorePassword> - <keyAlias>signing-key</keyAlias> - <keyPassword> - <t:clearValue>password</t:clearValue> - </keyPassword> 
- </activeKeyStoreKey> - <standByKeyStoreKey> - <keyStorePath>/etc/pki/mp/sp-shibboleth-keys.jks</keyStorePath> - <keyStorePassword> - <t:clearValue>changeit</t:clearValue> - </keyStorePassword> - <keyAlias>encrypt-key</keyAlias> - <keyPassword> - <t:clearValue>password</t:clearValue> - </keyPassword> - <type>encryption</type> - </standByKeyStoreKey> - </keys> - <provider> - <entityId>https://idptestbed/idp/shibboleth</entityId> - <alias>idp-shibboleth</alias> - <metadata> - <pathToFile>/etc/shibboleth/idp-metadata.xml</pathToFile> - </metadata> - <skipSslValidation>true</skipSslValidation> - <linkText>Shibboleth</linkText> - <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding> - <nameOfUsernameAttribute>uid</nameOfUsernameAttribute> - </provider> - </serviceProvider> - </saml2> - <httpHeader> - <name>httpHeader</name> - <logoutUrl>https://localhost:8443/Shibboleth.sso/Logout</logoutUrl> - <usernameHeader>REMOTE_USER</usernameHeader> - </httpHeader> - </modules> - <sequence> - <name>admin-gui-saml-internal</name> - <description> - Internal SAML2 GUI authentication sequence. - </description> - <channel> - <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId> - <default>false</default> - <urlSuffix>saml-internal</urlSuffix> - </channel> - <module> - <name>mySamlSso</name> - <order>30</order> - <necessity>sufficient</necessity> - </module> - </sequence> - <sequence> - <name>admin-gui-emergency</name> - <description> - Special GUI authentication sequence that is using just the internal user password. 
- </description> - <channel> - <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId> - <default>false</default> - <urlSuffix>emergency</urlSuffix> - </channel> - <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType"> - </requireAssignmentTarget> - <module> - <name>internalLoginForm</name> - <order>30</order> - <necessity>sufficient</necessity> - </module> - </sequence> - <sequence> - <name>admin-gui-default</name> - <description> - Special GUI authentication sequence that is using Shibboleth SP - </description> - <channel> - <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId> - <default>true</default> - <urlSuffix>shib</urlSuffix> - </channel> - <module> - <name>httpHeader</name> - <order>30</order> - <necessity>sufficient</necessity> - </module> - </sequence> - <sequence> - <name>rest</name> - <description> - Authentication sequence for REST service. - </description> - <channel> - <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId> - <default>true</default> - <urlSuffix>rest-default</urlSuffix> - </channel> - <module> - <name>internalBasic</name> - <order>10</order> - <necessity>sufficient</necessity> - </module> - </sequence> - <sequence> - <name>actuator</name> - <description> - Authentication sequence for actuator. 
- </description> - <channel> - <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId> - <default>true</default> - <urlSuffix>actuator-default</urlSuffix> - </channel> - <module> - <name>internalBasic</name> - <order>10</order> - <necessity>sufficient</necessity> - </module> - </sequence> - <ignoredLocalPath>/actuator</ignoredLocalPath> - <ignoredLocalPath>/actuator/health</ignoredLocalPath> - </authentication> - <credentials> - <password> - <minOccurs>0</minOccurs> - <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts> - <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration> - <lockoutDuration>PT15M</lockoutDuration> - <valuePolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="00000000-0000-0000-0000-000000000003" relation="org:default" type="tns:ValuePolicyType"> - </valuePolicyRef> - </password> - </credentials> -</securityPolicy> - -</objects> diff --git a/demo/shibboleth/tests/main.bats b/demo/shibboleth/tests/main.bats deleted file mode 100755 index dd17314..0000000 --- a/demo/shibboleth/tests/main.bats +++ /dev/null 
@@ -1,69 +0,0 @@
-#!/usr/bin/env bats
-
-load ../../../common
-load ../../../library
-
-@test "000 Cleanup before running the tests" {
- cd ../simple ; docker-compose down -v ; true
- run docker-compose down -v
-}
-
-@test "010 Initialize and start containers" {
- docker-compose -f docker-compose-tests.yml build --pull midpoint_data directory idp
- # Sometimes the tier/midpoint:xyz is not yet in the repository, causing issues with --pull
- docker-compose -f docker-compose-tests.yml build midpoint_server
- docker-compose -f docker-compose-tests.yml up -d
-}
-
-@test "012 Wait for Shibboleth to start up" {
- wait_for_shibboleth_idp_start shibboleth_idp_1
-}
-
-@test "014 Wait for midPoint to start up" {
- wait_for_midpoint_start shibboleth_midpoint_server_1
-}
-
-@test "030 Check health (midPoint)" {
-# docker logs shibboleth_midpoint_server_1
- check_health
-}
-
-@test "035 Check health (Shibboleth IdP)" {
- check_health_shibboleth_idp
-}
-
-@test "040 Check internal SAML redirection (/midpoint/auth/saml-internal)" {
- curl -k --write-out %{redirect_url} --silent --output /dev/null https://localhost:8443/midpoint/auth/saml-internal/ | grep 'https:\/\/localhost:8443\/midpoint\/auth\/saml-internal\/mySamlSso\/discovery?idp=https%3A%2F%2Fidptestbed%2Fidp%2Fshibboleth'
-}
-
-@test "041 Check internal SAML redirection action (midpoint/..../discovery?...)" {
- TMPFILE=$(mktemp /tmp/samlForm.XXXXXX)
- curl -k https://localhost:8443/midpoint/auth/saml-internal/mySamlSso/discovery?idp=https://idptestbed/idp/shibboleth >$TMPFILE || (rm $TMPFILE ; return 1)
- if (grep -q "<input type=\"hidden\" name=\"SAMLRequest\"" <$TMPFILE); then
- echo "SAML REQUEST is OK"
- rm $TMPFILE
- return 0
- else
- echo "SAML Request was not found or not retrieved correctly:"
- cat $TMPFILE
- rm $TMPFILE
- return 1
- fi
-}
-
-@test "044 Check Shibboleth redirection (/midpoint/)" {
- curl -k --write-out %{redirect_url} --silent https://localhost:8443/midpoint/ | grep 'https:\/\/localhost:8443\/midpoint\/auth\/shib'
-}
-
-@test "045 Check Shibboleth redirection (/midpoint/auth/shib/)" {
- curl -k --write-out %{redirect_url} --silent --output /dev/null https://localhost:8443/midpoint/auth/shib/ | grep 'https:\/\/localhost\/idp\/profile\/SAML2\/Redirect\/SSO?SAMLRequest='
-}
-
-@test "100 Check internally-authenticated REST call: get 'administrator'" {
- check_health
- get_and_check_object users 00000000-0000-0000-0000-000000000002 administrator
-}
-
-@test "999 Clean up" {
- docker-compose down -v
-}
diff --git a/demo/simple/.env b/demo/simple/.env
deleted file mode 100644
index c4cb989..0000000
--- a/demo/simple/.env
+++ /dev/null
@@ -1,14 +0,0 @@
-# These parameters can be overridden by setting environment variables before calling docker-compose up
-ENV=demo
-USERTOKEN=
-REPO_DATABASE_TYPE=mariadb
-REPO_JDBC_URL=default
-REPO_HOST=midpoint_data
-REPO_PORT=default
-REPO_DATABASE=registry
-REPO_USER=registry_user
-REPO_MISSING_SCHEMA_ACTION=create
-REPO_UPGRADEABLE_SCHEMA_ACTION=stop
-MP_MEM_MAX=2048m
-MP_MEM_INIT=1024m
-TIMEZONE=UTC
diff --git a/demo/simple/configs-and-secrets/midpoint/application/database_password.txt b/demo/simple/configs-and-secrets/midpoint/application/database_password.txt
deleted file mode 100644
index 11bff19..0000000
--- a/demo/simple/configs-and-secrets/midpoint/application/database_password.txt
+++ /dev/null
@@ -1 +0,0 @@
-WJzesbe3poNZ91qIbmR7
diff --git a/demo/simple/configs-and-secrets/midpoint/application/keystore_password.txt b/demo/simple/configs-and-secrets/midpoint/application/keystore_password.txt
deleted file mode 100644
index 1d40192..0000000
--- a/demo/simple/configs-and-secrets/midpoint/application/keystore_password.txt
+++ /dev/null
@@ -1 +0,0 @@
-changeit
diff --git a/demo/simple/configs-and-secrets/midpoint/httpd/host-cert.pem b/demo/simple/configs-and-secrets/midpoint/httpd/host-cert.pem
deleted file mode 100644
index 9b1021b..0000000
--- a/demo/simple/configs-and-secrets/midpoint/httpd/host-cert.pem +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDqDCCApCgAwIBAgIJAMOSkn4oS2aAMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNV -BAYTAlVTMQswCQYDVQQIDAJNSTESMBAGA1UEBwwJQW5uIEFyYm9yMRcwFQYDVQQK -DA5JbnRlcm5ldDIvVElFUjEgMB4GA1UEAwwXbWlkcG9pbnQuc3AuZXhhbXBsZS5v -cmcwHhcNMTgwOTE0MDU1OTQ1WhcNMTkwOTE0MDU1OTQ1WjBpMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEXMBUGA1UECgwOSW50 -ZXJuZXQyL1RJRVIxIDAeBgNVBAMMF21pZHBvaW50LnNwLmV4YW1wbGUub3JnMIIB -IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApj/b7MEUSfu3oXMfNgRwTse7 -a5UV7Jswf1M/ZN/ZZkAkIxNBevZgozjesvLPWrmsTgONi7XigJUJvCjdjmlW9eDM -lri/rkD8HuOR1DQCVKL9nvoS2c3D7sq5Emda3V8Tlj82VqfEmePd3sajx7mcTfbH -8jwAL9NhkC+WMib5IpjLGpG0FEAC0ha7Lxb+7jIiqHVJaqLXJGCyGN4mh6c1Q9S1 -f8RVTiW2a8x22G+9wnZYbkiA2Kxls177imHlhSz8EdvV4IpGw1amrEWhhuDEum7B -vZ1xQDLatgRqh4qAKLIVYeRnJ8H1FelMa90qB4G08MIPifmTsQwqJyBYaEdgWQID -AQABo1MwUTAdBgNVHQ4EFgQUqb9BteODF6wv5R57aEON/wGXMiowHwYDVR0jBBgw -FoAUqb9BteODF6wv5R57aEON/wGXMiowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG -9w0BAQsFAAOCAQEAAcKhxI+tSItrXmqC0PSmgWyAYpqbkz6W/cefTutXqhIgY09f -h0LSv7ogTahoGpyiZk9vy6u3OE9bYwxapEfa4KBjO6HxBMIVBBb3RegVjoPzjElN -BDwAx0VGFcZTXwMxDWycWdG8ql7rCZBvS50w04uTaIgnGmqXAdWWmBgfJ9cRbxW+ -JwO/mOl1QM1lR/5142NpvuUVWlmZSKEGydE5A1qPz2wpDbBR1ym1BQNS4NEqw6Kp -GSB8jKyCS1Ve0v2wVze2038Wukz02dq9uKPTIO3T+B+ibZmxn6Op/kFCc1/kK5NS -Q6JdO1B6KquGAYdGmKAcQ19mv+jqGktqWEEf0g== ------END CERTIFICATE----- diff --git a/demo/simple/configs-and-secrets/midpoint/httpd/host-key.pem b/demo/simple/configs-and-secrets/midpoint/httpd/host-key.pem deleted file mode 100644 index 5746e59..0000000 --- a/demo/simple/configs-and-secrets/midpoint/httpd/host-key.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmP9vswRRJ+7eh -cx82BHBOx7trlRXsmzB/Uz9k39lmQCQjE0F69mCjON6y8s9auaxOA42LteKAlQm8 -KN2OaVb14MyWuL+uQPwe45HUNAJUov2e+hLZzcPuyrkSZ1rdXxOWPzZWp8SZ493e -xqPHuZxN9sfyPAAv02GQL5YyJvkimMsakbQUQALSFrsvFv7uMiKodUlqotckYLIY -3iaHpzVD1LV/xFVOJbZrzHbYb73CdlhuSIDYrGWzXvuKYeWFLPwR29XgikbDVqas -RaGG4MS6bsG9nXFAMtq2BGqHioAoshVh5GcnwfUV6Uxr3SoHgbTwwg+J+ZOxDCon -IFhoR2BZAgMBAAECggEAEIRBpjjceiku6jRUwnoYaks/nIWYQwR8AfpUTwJKR/VR -Yca097Fokm7A+UhUP3A45RtHQb0VPq8P44iv0kk24YCu8r5yFK7SHYOAZnOwU5ZJ -2jSAEPF3aM7tKh3okhuzB3dKP7u1NZDE5zAW723KUJiW7sL1RcsbY0bHBj6G+9/H -NplmsjuGt684vRBB0qOBfKF7EiG7mT69tHuNj4gRza9SMY31UtKbZdt2fNY6mp5V -HscMba7egZP+Ke0pVX4+go9j7K8GG8hYaQDLjrzlPqrxZ2c5X9cC+CRDI/CHuL/s -V/2yGZJ6n6UabwZoH83RdFrbQ94rU8Hkli6EvxXvMQKBgQDRpheNW5jDG5TfeJKh -yfKTDQqH2Tk3BsBYYBN7Hf3m7vbkzlxnAKJAoSLmtRMuoeXvI5MrhzaHGsNIUS76 -LDIZnvB7DLUxhFUZsCPkpAA1QHuTWY96oR3PHnPjpk8lSUvtbOPwDLdzVApeFJgZ -VqMNArZ7AHsK3Kkyi+f4WVQjbQKBgQDLAWiGb5dx6fAM2W6B6HjNmzjBWOuVEXa2 -76to9jzupBZmETfZgxtWUaWUDuNS+f7dtVUTE+p6v/w8clrHEhEZYkqunIOLo/UA -LFPiuoTfEsWb1rh+nsCjCgy4uimixj/bSkf7NC6NyKTvCygA1mGnVVJUEPegYlDy -LXCkaKWxHQKBgQCmyHSKL2lrJkEcOwakEU2acNCE3Gno/cT9SYmV83kvQ8JEqmrW -QqnRsp9aXIljGscapPmKsmnNt5vNp1AxFAHTYh88NRLczsMIyZj0ZwgHVUI6KhC7 -5Psa78YQQBlMt2/g9TSsnuE+rYgF6mpKFiNm0Vasqeg47uzn2mdzqlUGTQKBgE04 -JutkTUY+h1pL5vYxWKpVDfy19z7H2tFxT1FowPrBneeLSyRI88Ac5I/yLdRlVeY9 -0LOmEr5Igwj3MsKgg7KVKfVLgdo/LrW3Jt2Kt3onKNXDkoBPoNUjwH0QC0Boiue+ -VK0gR0kVdm+bXccbxR+im+NwZNE0NLg6Qqu3RredAoGBALuVoqbPPmTCZXYG328H -bzOs2aiR7BzPSVByV+qG6jW7w03RAnFPJZp7HMU+ViI5VY0wabUscMSvz5163+gM -4KwY3v9ZjZzZGukIfLuudkdqtaiVOx/KeAC0n+nG21YU+wpZww8gkfHh1/sa2CME -CWYCgOnmiTHcj83UaTqEXtmv ------END PRIVATE KEY----- diff --git a/demo/simple/docker-compose.yml b/demo/simple/docker-compose.yml index c098dae..4651103 100644 --- a/demo/simple/docker-compose.yml +++ b/demo/simple/docker-compose.yml 
@@ -2,67 +2,73 @@ version: "3.3" services: midpoint_data: - image: tier/mariadb:mariadb10 - ports: - - 3306:3306 + image: postgres:16-alpine + environment: + - POSTGRES_PASSWORD=db.secret.pw.007 + - POSTGRES_USER=midpoint + - POSTGRES_INITDB_ARGS=--lc-collate=en_US.utf8 --lc-ctype=en_US.utf8 networks: - net volumes: - - midpoint_mysql:/var/lib/mysql - - midpoint_data:/var/lib/mysqlmounted + - midpoint_data:/var/lib/postgresql/data + + data_init: + image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux + command: > + bash -c " + cd /opt/midpoint ; + bin/midpoint.sh init-native ; + echo ' - - - - - - ' ; + bin/ninja.sh -B info >/dev/null 2>/tmp/ninja.log ; + grep -q \"ERROR\" /tmp/ninja.log && ( + bin/ninja.sh run-sql --create --mode REPOSITORY ; + bin/ninja.sh run-sql --create --mode AUDIT + ) || + echo -e '\\n Repository init is not needed...' ; + " + depends_on: + - midpoint_data environment: - - CREATE_NEW_DATABASE=if_needed + - MP_SET_midpoint_repository_jdbcUsername=midpoint + - MP_SET_midpoint_repository_jdbcPassword=db.secret.pw.007 + - MP_SET_midpoint_repository_jdbcUrl=jdbc:postgresql://midpoint_data:5432/midpoint + - MP_SET_midpoint_repository_database=postgresql + - MP_INIT_CFG=/opt/midpoint/var + networks: + - net + volumes: + - midpoint_home:/opt/midpoint/var midpoint_server: - image: tier/midpoint:latest + image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux + container_name: midpoint_server + hostname: midpoint-container + depends_on: + data_init: + condition: service_completed_successfully + midpoint_data: + condition: service_started + command: [ "/opt/midpoint/bin/midpoint.sh", "container" ] ports: - - 8443:443 + - 8080:8080 environment: - - ENV - - USERTOKEN - - REPO_DATABASE_TYPE - - REPO_JDBC_URL - - REPO_HOST - - REPO_PORT - - REPO_DATABASE - - REPO_USER - - REPO_MISSING_SCHEMA_ACTION - - REPO_UPGRADEABLE_SCHEMA_ACTION - - REPO_SCHEMA_VERSION_IF_MISSING - - REPO_SCHEMA_VARIANT - - MP_MEM_MAX - - MP_MEM_INIT - - MP_JAVA_OPTS - - 
TIER_BEACON_OPT_OUT - - TIMEZONE + - MP_SET_midpoint_repository_jdbcUsername=midpoint + - MP_SET_midpoint_repository_jdbcPassword=db.secret.pw.007 + - MP_SET_midpoint_repository_jdbcUrl=jdbc:postgresql://midpoint_data:5432/midpoint + - MP_SET_midpoint_repository_database=postgresql + - MP_SET_midpoint_administrator_initialPassword=Test5ecr3t + - MP_UNSET_midpoint_repository_hibernateHbm2ddl=1 + - MP_NO_ENV_COMPAT=1 + - MP_ENTRY_POINT=/opt/midpoint-dirs-docker-entrypoint networks: - net - secrets: - - mp_database_password.txt - - mp_keystore_password.txt - - mp_host-key.pem volumes: - midpoint_home:/opt/midpoint/var - - type: bind - source: ./configs-and-secrets/midpoint/httpd/host-cert.pem - target: /etc/pki/tls/certs/host-cert.pem - - type: bind - source: ./configs-and-secrets/midpoint/httpd/host-cert.pem - target: /etc/pki/tls/certs/cachain.pem networks: net: driver: bridge -secrets: - mp_database_password.txt: - file: ./configs-and-secrets/midpoint/application/database_password.txt - mp_keystore_password.txt: - file: ./configs-and-secrets/midpoint/application/keystore_password.txt - mp_host-key.pem: - file: ./configs-and-secrets/midpoint/httpd/host-key.pem - volumes: - midpoint_mysql: midpoint_data: midpoint_home: diff --git a/demo/simple/tests/main.bats b/demo/simple/tests/main.bats deleted file mode 100755 index 0aae1fa..0000000 --- a/demo/simple/tests/main.bats +++ /dev/null 
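Review bot: The `data_init` command chains `grep -q "ERROR" /tmp/ninja.log && ( run-sql … ) || echo …`, so a failure of either `run-sql` call falls through to the `echo` branch and the container exits 0; `midpoint_server` then starts under `condition: service_completed_successfully` against a database whose schema was never created, and the failure is only visible in the init container's log. An explicit `if`/`then`/`else` with `set -e` (and `|| true` on the probing `ninja.sh -B info` call, whose non-zero exit is the expected signal) makes a schema-creation error fail the dependency as intended; the rewritten block is below. Separately, the same database password is now written literally three times and the administrator's initial password once in the compose file, replacing the previous file-backed `secrets:` entries; interpolating them the way `MP_VER` already is, e.g. `POSTGRES_PASSWORD=${MP_DB_PASSWORD:?set MP_DB_PASSWORD}`, keeps one copy out of version control and lets the demo override it without editing the file. `midpoint_data` has no `healthcheck`, so `condition: service_started` for it and the bare `depends_on` in `data_init` presumably do not wait for Postgres to accept connections; if `init-native` is not retry-tolerant, a `pg_isready`-based healthcheck with `condition: service_healthy` would close that window.
```yaml
  data_init:
    image: evolveum/midpoint:${MP_VER:-4.8.4}-rockylinux
    command: >
      bash -c "
      set -e ;
      cd /opt/midpoint ;
      bin/midpoint.sh init-native ;
      bin/ninja.sh -B info >/dev/null 2>/tmp/ninja.log || true ;
      if grep -q ERROR /tmp/ninja.log ; then
        bin/ninja.sh run-sql --create --mode REPOSITORY ;
        bin/ninja.sh run-sql --create --mode AUDIT ;
      else
        echo 'Repository init is not needed...' ;
      fi
      "
    # … unchanged: depends_on, environment, networks, volumes …
```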
@@ -1,90 +0,0 @@ -#!/usr/bin/env bats - -load ../../../common -load ../../../library - -@test "000 Cleanup before running the tests" { - run docker-compose down -v -} - -@test "010 Initialize and start midPoint" { - docker-compose up -d - wait_for_midpoint_start simple_midpoint_server_1 -} - -@test "010 Check health" { - check_health -} - -@test "100 Get 'administrator'" { - check_health - get_and_check_object users 00000000-0000-0000-0000-000000000002 administrator -} - -@test "110 And and get 'test110'" { - check_health - echo "<user><name>test110</name></user>" >/tmp/test110.xml - add_object users /tmp/test110.xml - rm /tmp/test110.xml - search_and_check_object users test110 -} - -@test "300 Check repository preserved between restarts" { - check_health - - echo "Creating user test300 and checking its existence" - echo "<user><name>test300</name></user>" >/tmp/test300.xml - add_object users /tmp/test300.xml - rm /tmp/test300.xml - search_and_check_object users test300 - - echo "Bringing the containers down" - docker-compose down - - echo "Re-creating the containers" - docker-compose up --no-start - docker-compose start - wait_for_midpoint_start simple_midpoint_server_1 - - echo "Searching for the user again" - search_and_check_object users test300 -} - -@test "350 Test DB schema version check" { - echo "Removing version information from m_global_metadata" - docker exec simple_midpoint_data_1 mysql -p123321 registry -e "drop table m_global_metadata" - - echo "Bringing the containers down" - docker-compose down - - echo "Re-creating the containers" - docker-compose up -d - - wait_for_log_message simple_midpoint_server_1 "Database schema is not compatible with the executing code; however, an upgrade path is available." 
-} - -@test "360 Test DB schema upgrade" { - skip 'Not supported for 4.0-SNAPSHOT' - echo "Stopping midpoint_server container" - docker stop simple_midpoint_server_1 - - echo "Installing empty 3.8 repository" - docker exec simple_midpoint_data_1 mysql -p123321 -e "DROP DATABASE registry" - docker exec simple_midpoint_data_1 bash -c " curl https://raw.githubusercontent.com/Evolveum/midpoint/v3.8/config/sql/_all/mysql-3.8-all-utf8mb4.sql > /tmp/create-3.8-utf8mb4.sql" - docker exec simple_midpoint_data_1 mysql -p123321 -e "CREATE DATABASE IF NOT EXISTS registry;" - docker exec simple_midpoint_data_1 mysql -p123321 -e "GRANT ALL ON registry.* TO 'registry_user'@'%' IDENTIFIED BY 'WJzesbe3poNZ91qIbmR7' ;" - docker exec simple_midpoint_data_1 bash -c "mysql -p123321 registry < /tmp/create-3.8-utf8mb4.sql" - - echo "Bringing the containers down" - docker-compose down - - echo "Re-creating the containers" - env REPO_SCHEMA_VERSION_IF_MISSING=3.8 REPO_UPGRADEABLE_SCHEMA_ACTION=upgrade REPO_SCHEMA_VARIANT=utf8mb4 docker-compose up -d - - wait_for_log_message simple_midpoint_server_1 "Schema was successfully upgraded from 3.8 to 3.9 using script 'mysql-upgrade-3.8-3.9-utf8mb4.sql'" - wait_for_midpoint_start simple_midpoint_server_1 -} - -@test "999 Clean up" { - docker-compose down -v -} diff --git a/download-midpoint.sh b/download-midpoint.sh deleted file mode 100755 index 5964c16..0000000 --- a/download-midpoint.sh +++ /dev/null 
@@ -1,36 +0,0 @@ -#!/bin/bash - -DIR=`dirname "$0"` -source $DIR/common.bash -if [[ -n "$1" ]]; then - MP_VERSION=$1 -else - if [[ $tag == "latest" ]]; then - # Normally we use last released midPoint version number here, e.g. "4.1". - # But if we need to incorporate interim changes to I2 distribution during - # midPoint development cycle, we can specify concrete file from "midpoint-tier" - # download directory by using its name (like "latest-stable"). - MP_VERSION="4.2" - else - MP_VERSION=$tag - fi -fi - -if [[ $MP_VERSION =~ ^[0-9]+(\.[0-9]+)+$ ]]; then - URL_BASE="https://download.evolveum.com/midpoint/$MP_VERSION/" -else - URL_BASE="https://download.evolveum.com/midpoint-tier/" -fi - -echo "Downloading midPoint $MP_VERSION from $URL_BASE" -echo "-----------------------------------------" -curl --output $DIR/midpoint-dist.tar.gz "$URL_BASE/midpoint-$MP_VERSION-dist.tar.gz" -echo "-----------------------------------------" -echo "Checking the download..." -if tar -tf $DIR/midpoint-dist.tar.gz >/dev/null; then - echo "OK" - exit 0 -else - echo "The file was not downloaded correctly" - exit 1 -fi diff --git a/library.bash b/library.bash deleted file mode 100644 index ff08822..0000000 --- a/library.bash +++ /dev/null 
@@ -1,593 +0,0 @@ -#!/bin/bash - -# -# Contains common functions usable for midPoint system tests -# - -# do not use from outside (ugly signature) -function generic_wait_for_log () { - CONTAINER_NAME=$1 - MESSAGE="$2" - WAITING_FOR="$3" - FAILURE="$4" - ADDITIONAL_CONTAINER_NAME=$5 - ATTEMPT=0 - MAX_ATTEMPTS=20 - DELAY=10 - - until [[ $ATTEMPT = $MAX_ATTEMPTS ]]; do - ATTEMPT=$((ATTEMPT+1)) - docker ps - ( docker logs $CONTAINER_NAME 2>&1 | grep -F "$MESSAGE" ) && return 0 - echo "Waiting $DELAY seconds for $WAITING_FOR (attempt $ATTEMPT) ..." - sleep $DELAY - done - - echo "$FAILURE" in $(( $MAX_ATTEMPTS * $DELAY )) seconds in $CONTAINER_NAME - echo "========== Container log ==========" - docker logs $CONTAINER_NAME 2>&1 - echo "========== End of the container log ==========" - if [ -n "$ADDITIONAL_CONTAINER_NAME" ]; then - echo "========== Container log ($ADDITIONAL_CONTAINER_NAME) ==========" - docker logs $ADDITIONAL_CONTAINER_NAME 2>&1 - echo "========== End of the container log ($DATABASE_CONTAINER_NAME) ==========" - fi - return 1 -} - - -function wait_for_log_message () { - generic_wait_for_log $1 "$2" "log message" "log message has not appeared" -} - -# Waits until midPoint starts -function wait_for_midpoint_start () { - generic_wait_for_log $1 "INFO (com.evolveum.midpoint.web.boot.MidPointSpringApplication): Started MidPointSpringApplication in" "midPoint to start" "midPoint did not start" $2 -} - -# Waits until Shibboleth IDP starts -function wait_for_shibboleth_idp_start_old () { - generic_wait_for_log $1 "INFO:oejs.Server:main: Started" "shibboleth idp to start" "shibboleth idp did not start" $2 -} - -# Waits until Shibboleth IDP starts -function wait_for_shibboleth_idp_start () { - generic_wait_for_log $1 "[main] INFO org.apache.catalina.startup.Catalina- Server startup in" "shibboleth idp to start" "shibboleth idp did not start" $2 -} - -# Waits until Grouper UI starts -function wait_for_grouper_ui_start () { - generic_wait_for_log $1 "INFO 
org.apache.catalina.startup.Catalina- Server startup in" "grouper ui to start" "grouper ui did not start" $2 -} - -# Checks the health of midPoint server -function check_health () { - echo Checking health... - (set -o pipefail ; curl -k -f https://localhost:8443/midpoint/actuator/health | tr -d '[:space:]' | grep -q "\"status\":\"UP\"") - status=$? - if [ $status -ne 0 ]; then - echo Error: $status - docker ps - return 1 - else - echo OK - return 0 - fi -} - -# Checks the health of Shibboleth IDP server -function check_health_shibboleth_idp_old () { - echo Checking health of shibboleth idp... - status="$(curl -k --write-out %{http_code} --silent --output /dev/null https://localhost:4443/idp/)" - if [ $status -ne 200 ]; then - echo Error: Http code of response is $status - docker ps - return 1 - else - echo OK - return 0 - fi -} - -function check_health_shibboleth_idp () { - echo Checking health of shibboleth idp... - status="$(curl -k --write-out %{http_code} --silent --output /dev/null https://localhost/idp/)" - if [ $status -ne 200 ]; then - echo Error: Http code of response is $status - docker ps - return 1 - else - echo OK - return 0 - fi -} - -# Result is in OUTFILE -function get_object () { - local TYPE=$1 - local OID=$2 - OUTFILE=$(mktemp /tmp/get.XXXXXX) - echo out file is $OUTFILE - #FIXME workaround for MID-6721 bug - if [ "$TYPE" == "tasks" ]; then - PARAM='?include=result' - fi - - curl -k --user administrator:5ecr3t -H "Content-Type: application/xml" -X GET "https://localhost:8443/midpoint/ws/rest/$TYPE/$OID$PARAM" >$OUTFILE || (rm $OUTFILE ; return 1) - return 0 -} - -# Retrieves XML object and checks if the name matches -# Object is deleted before return -function get_and_check_object () { - local TYPE=$1 - local OID=$2 - local NAME=$3 - local TMPFILE=$(mktemp /tmp/get.XXXXXX) - echo tmp file is $TMPFILE - curl -k --user administrator:5ecr3t -H "Content-Type: application/xml" -X GET "https://localhost:8443/midpoint/ws/rest/$TYPE/$OID" >$TMPFILE || 
(rm $TMPFILE ; return 1) - if (grep -q "<name>$NAME</name>" <$TMPFILE); then - echo "Object $TYPE/$OID '$NAME' is OK" - rm $TMPFILE - return 0 - else - echo "Object $TYPE/$OID '$NAME' was not found or not retrieved correctly:" - cat $TMPFILE - rm $TMPFILE - return 1 - fi -} - -# Adds object from a given file -function add_object () { - local TYPE=$1 - local FILE=$2 - TMPFILE=$(mktemp /tmp/addobject.XXXXXX) - echo "Adding to $TYPE from $FILE..." - - curl -k -sD - --silent --write-out "%{http_code}" --user administrator:5ecr3t -H "Content-Type: application/xml" -X POST "https://localhost:8443/midpoint/ws/rest/$TYPE" -d @$FILE >$TMPFILE - local HTTP_CODE=$(sed '$!d' $TMPFILE) - sed -i '$ d' $TMPFILE - - if [ "$HTTP_CODE" -eq 201 ] || [ "$HTTP_CODE" -eq 202 ]; then - - OID=$(grep -oP "Location: \K.*" $TMPFILE | awk -F "$TYPE/" '{print $2}') || (echo "Couldn't extract oid from file:" ; cat $TMPFILE ; rm $TMPFILE; return 1) - - echo "OID of created object: $OID" - rm $TMPFILE - return 0 - else - echo "Error code: $HTTP_CODE" - if [ "$HTTP_CODE" -ge 500 ]; then - echo "Error message: Internal server error. Unexpected error occurred, if necessary please contact system administrator." - else - echo $(sed '1,/^\s*$/d' $TMPFILE) >$TMPFILE - local ERROR_MESSAGE=$(xmllint --xpath "/*/*[local-name()='message']/text()" $TMPFILE) || (echo "Couldn't extract error message from file:" ; cat $TMPFILE ; rm $TMPFILE; return 1) - echo "Error message: $ERROR_MESSAGE" - fi - rm $TMPFILE - return 1 - fi -} - -# parameter $2 (CONTAINER) is just for diagnostics: it is the container whose logs we want to dump on error (might be omitted) -function execute_bulk_action () { - local FILE=$1 - local CONTAINER=$2 - echo "Executing bulk action from $FILE..." 
- TMPFILE=$(mktemp /tmp/execbulkaction.XXXXXX) - - (curl -k --silent --write-out "%{http_code}" --user administrator:5ecr3t -H "Content-Type: application/xml" -X POST "https://localhost:8443/midpoint/ws/rest/rpc/executeScript" -d @$FILE >$TMPFILE) || (echo "Midpoint logs: " ; ([[ -n "$CONTAINER" ]] && docker logs $CONTAINER ) ; return 1) - local HTTP_CODE=$(sed '$!d' $TMPFILE) - sed -i '$ d' $TMPFILE - - if [ "$HTTP_CODE" -eq 200 ]; then - - local STATUS=$(xmllint --xpath "/*/*/*[local-name()='status']/text()" $TMPFILE) || (echo "Couldn't extract status from file:" ; cat $TMPFILE ; rm $TMPFILE; return 1) - if [ $STATUS = "success" ]; then - local CONSOLE_OUTPUT=$(xmllint --xpath "/*/*/*[local-name()='consoleOutput']/text()" $TMPFILE) || (echo "Couldn't extract console output from file:" ; cat $TMPFILE ; rm $TMPFILE; return 1) - echo "Console output: $CONSOLE_OUTPUT" - rm $TMPFILE - return 0 - else - echo "Bulk action status is not OK: $STATUS" - local CONSOLE_OUTPUT=$(xmllint --xpath "/*/*/*[local-name()='consoleOutput']/text()" $TMPFILE) || (echo "Couldn't extract console output from file:" ; cat $TMPFILE ; rm $TMPFILE; return 1) - echo "Console output: $CONSOLE_OUTPUT" - rm $TMPFILE - return 1 - fi - - else - echo "Error code: $HTTP_CODE" - if [[ $HTTP_CODE -ge 500 ]]; then - echo "Error message: Internal server error. Unexpected error occurred, if necessary please contact system administrator." - else - local ERROR_MESSAGE=$(xmllint --xpath "/*/*[local-name()='message']/text()" $TMPFILE) || (echo "Couldn't extract error message from file:" ; cat $TMPFILE ; rm $TMPFILE; return 1) - echo "Error message: $ERROR_MESSAGE" - fi - rm $TMPFILE - return 1 - fi -} - -# parameter $2 (CONTAINER) is just for diagnostics: it is the container whose logs we want to dump on error (might be omitted) -function run_task_now () { - local OID=$1 - local CONTAINER=$2 - echo "Running task $1 now..." 
- TMPFILE=$(mktemp /tmp/runtasknow.XXXXXX) - - (curl -k --silent --write-out "%{http_code}" --user administrator:5ecr3t -H "Content-Type: application/xml" -X POST "https://localhost:8443/midpoint/ws/rest/tasks/$OID/run" >$TMPFILE) || (echo "Midpoint logs: " ; ([[ -n "$CONTAINER" ]] && docker logs $CONTAINER ) ; return 1) - local HTTP_CODE=$(sed '$!d' $TMPFILE) - sed -i '$ d' $TMPFILE - - if [[ $HTTP_CODE -ge 200 && $HTTP_CODE -lt 300 ]]; then - rm $TMPFILE - return 0 - else - echo "Error code: $HTTP_CODE" - cat $TMPFILE - rm $TMPFILE - return 1 - fi -} - -# parameter $2 (CONTAINER) is just for diagnostics: it is the container whose logs we want to dump on error (might be omitted) -function suspend_task () { - local OID=$1 - local CONTAINER=$2 - echo "Suspending task $OID..." - TMPFILE=$(mktemp /tmp/suspendtask.XXXXXX) - - (curl -k --silent --write-out "%{http_code}" --user administrator:5ecr3t -H "Content-Type: application/xml" -X POST "https://localhost:8443/midpoint/ws/rest/tasks/$OID/suspend" >$TMPFILE) || (echo "Midpoint logs: " ; ([[ -n "$CONTAINER" ]] && docker logs $CONTAINER ) ; return 1) - local HTTP_CODE=$(sed '$!d' $TMPFILE) - sed -i '$ d' $TMPFILE - - if [[ $HTTP_CODE -ge 200 && $HTTP_CODE -lt 300 ]]; then - rm $TMPFILE - return 0 - else - echo "Error code: $HTTP_CODE" - cat $TMPFILE - rm $TMPFILE - return 1 - fi -} - -function delete_object_by_name () { - local TYPE=$1 - local NAME=$2 - search_objects_by_name users $NAME - local OID=$(xmllint --xpath "/*/*[local-name()='object']/@oid" $SEARCH_RESULT_FILE | awk -F"\"" '{print $2}' ) || (echo "Couldn't extract oid from file:" ; cat $SEARCH_RESULT_FILE ; rm $SEARCH_RESULT_FILE; return 1) - delete_object $TYPE $OID -} - -function delete_object () { - local TYPE=$1 - local OID=$2 - echo "Deleting object with type $TYPE and oid $OID..." 
- TMPFILE=$(mktemp /tmp/delete.XXXXXX) - - curl -k --silent --write-out "%{http_code}" --user administrator:5ecr3t -H "Content-Type: application/xml" -X DELETE "https://localhost:8443/midpoint/ws/rest/$TYPE/$OID" >$TMPFILE - local HTTP_CODE=$(sed '$!d' $TMPFILE) - sed -i '$ d' $TMPFILE - - if [ "$HTTP_CODE" -eq 204 ]; then - echo "Object with type $TYPE and oid $OID was deleted" - rm $TMPFILE - return 0 - else - echo "Error code: $HTTP_CODE" - if [[ $HTTP_CODE -ge 500 ]]; then - echo "Error message: Internal server error. Unexpected error occurred, if necessary please contact system administrator." - else - local ERROR_MESSAGE=$(xmllint --xpath "/*/*[local-name()='message']/text()" $TMPFILE) || (echo "Couldn't extract error message from file:" ; cat $TMPFILE ; rm $TMPFILE; return 1) - echo "Error message: $ERROR_MESSAGE" - fi - #rm $TMPFILE - return 1 - fi -} - -# Tries to find an object with a given name -# Results of the search are in the $SEARCH_RESULT_FILE -# TODO check if the result is valid (i.e. not an error) - return 1 if invalid, otherwise return 0 ("no objects" is considered OK here) -function search_objects_by_name () { - local TYPE=$1 - local NAME="$2" - TMPFILE=$(mktemp /tmp/search.XXXXXX) - - curl -k --write-out %{http_code} --user administrator:5ecr3t -H "Content-Type: application/xml" -X POST "https://localhost:8443/midpoint/ws/rest/$TYPE/search" -d @- << EOF >$TMPFILE || (rm $TMPFILE ; return 1) -<q:query xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"> - <q:filter> - <q:equal> - <q:path>name</q:path> - <q:value>$NAME</q:value> - </q:equal> - </q:filter> -</q:query> -EOF - local HTTP_CODE=$(sed '$!d' <<<"$(cat $TMPFILE)") - sed -i '$ d' $TMPFILE - # cat $TMPFILE - - if [ "$HTTP_CODE" -eq 200 ]; then - SEARCH_RESULT_FILE=$TMPFILE - return 0 - else - echo "Error code: $HTTP_CODE" - if [[ $HTTP_CODE -ge 500 ]]; then - echo "Error message: Internal server error. Unexpected error occurred, if necessary please contact system administrator." 
- else - local ERROR_MESSAGE=$(xmllint --xpath "/*/*[local-name()='message']/text()" $TMPFILE) || (echo "Couldn't extract error message from file:" ; cat $TMPFILE ; rm $TMPFILE; return 1) - echo "Error message: $ERROR_MESSAGE" - fi - rm $SEARCH_RESULT_FILE - return 1 - fi -} - -# Searches for object with a given name and verifies it was found -function search_and_check_object () { - local TYPE=$1 - local NAME="$2" - search_objects_by_name $TYPE "$NAME" || return 1 - if (grep -q "<name>$NAME</name>" <$SEARCH_RESULT_FILE); then - echo "Object $TYPE/'$NAME' is OK" - rm $SEARCH_RESULT_FILE - return 0 - else - echo "Object $TYPE/'$NAME' was not found or not retrieved correctly:" - cat $SEARCH_RESULT_FILE - rm $SEARCH_RESULT_FILE - return 1 - fi -} - -# Tests a resource -function test_resource () { - local OID=$1 - local TMPFILE=$(mktemp /tmp/test.resource.XXXXXX) - - curl -k --silent --user administrator:5ecr3t -H "Content-Type: application/xml" -X POST "https://localhost:8443/midpoint/ws/rest/resources/$OID/test" >$TMPFILE || (rm $TMPFILE ; return 1) - if [[ $(xmllint --xpath "/*/*[local-name()='status']/text()" $TMPFILE) == "success" ]]; then - echo "Resource $OID test succeeded" - rm $TMPFILE - return 0 - else - echo "Resource $OID test failed" - cat $TMPFILE - rm $TMPFILE - return 1 - fi -} - -function recompute () { - local TYPE=$1 - local OID=$2 - local TMPFILE=$(mktemp /tmp/recompute.XXXXXX) - - curl -k --silent --write-out "%{http_code}" --user administrator:5ecr3t -H "Content-Type: application/xml" -X POST "https://localhost:8443/midpoint/ws/rest/$TYPE/$OID" -d @- << EOF >$TMPFILE || (rm $TMPFILE ; return 1) -<objectModification xmlns='http://midpoint.evolveum.com/xml/ns/public/common/api-types-3'></objectModification> -EOF - local HTTP_CODE=$(sed '$!d' $TMPFILE) - sed -i '$ d' $TMPFILE - if [[ $HTTP_CODE -ge 200 && $HTTP_CODE -lt 300 ]]; then - echo "Object $TYPE/$OID recomputation succeeded" - rm $TMPFILE - return 0 - else - echo "Object $TYPE/$OID 
recomputation failed: $HTTP_CODE" - cat $TMPFILE - rm $TMPFILE - return 1 - fi -} - -function assert_task_success () { - local OID=$1 - get_object tasks $OID - TASK_STATUS=$(xmllint --xpath "/*/*[local-name()='resultStatus']/text()" $OUTFILE) || (echo "Couldn't extract task status from task $OID" ; cat $OUTFILE ; rm $OUTFILE ; return 1) - if [[ $TASK_STATUS = "success" ]]; then - echo "Task $OID status is OK" - rm $OUTFILE - return 0 - else - echo "Task $OID status is not OK: $TASK_STATUS" - cat $OUTFILE - rm $OUTFILE - return 1 - fi -} - -function wait_for_task_completion () { - local OID=$1 - local ATTEMPT=0 - local MAX_ATTEMPTS=$2 - local DELAY=$3 - - until [[ $ATTEMPT = $MAX_ATTEMPTS ]]; do - ATTEMPT=$((ATTEMPT+1)) - echo "Waiting $DELAY seconds for task with oid $OID to finish (attempt $ATTEMPT) ..." - sleep $DELAY - get_object tasks $OID - TASK_EXECUTION_STATUS=$(xmllint --xpath "/*/*[local-name()='executionStatus']/text()" $OUTFILE) || (echo "Couldn't extract task status from task $OID" ; cat $OUTFILE ; rm $OUTFILE ; return 1) - if [[ $TASK_EXECUTION_STATUS = "suspended" ]] || [[ $TASK_EXECUTION_STATUS = "closed" ]]; then - echo "Task $OID is finished" - rm $OUTFILE - return 0 - fi - done - rm $OUTFILE - echo Task with $OID did not finish in $(( $MAX_ATTEMPTS * $DELAY )) seconds - return 1 -} - -function get_task_execution_status () { - local NAME=$1 - - search_objects_by_name tasks "$NAME" - TASK_EXECUTION_STATUS=$(xmllint --xpath "/*/*/*[local-name()='executionStatus']/text()" $SEARCH_RESULT_FILE) || (echo "Couldn't extract task status from task $NAME" ; cat $SEARCH_RESULT_FILE ; rm $SEARCH_RESULT_FILE ; return 1) - echo "Task execution status: $TASK_EXECUTION_STATUS" - return 0 -} - -function search_ldap_object_by_filter () { - local BASE_CONTEXT_FOR_SEARCH=$1 - local FILTER="$2" - local LDAP_CONTAINER=$3 - TMPFILE=$(mktemp /tmp/ldapsearch.XXXXXX) - - docker exec $LDAP_CONTAINER ldapsearch -h localhost -p 389 -D "cn=Directory Manager" -w password -b 
"$BASE_CONTEXT_FOR_SEARCH" "($FILTER)" >$TMPFILE || (echo "Couldn't search $FILTER" ;rm $TMPFILE ; return 1) - LDAPSEARCH_RESULT_FILE=$TMPFILE - return 0 -} - -function get_ldap_user () { - local USER_UID="$1" - local LDAP_CONTAINER=$2 - search_ldap_object_by_filter "ou=people,dc=internet2,dc=edu" "uid=$USER_UID" $LDAP_CONTAINER || return 1 - if ! grep -F "uid: $USER_UID" $LDAPSEARCH_RESULT_FILE; then - echo "Couldn't find user '$USER_UID'" - rm $LDAPSEARCH_RESULT_FILE - return 1 - else - return 0 - fi -} - -function assert_ldap_user_has_value () { - local USER_UID="$1" - local TYPE=$2 # Entitlement or Affiliation - local VALUE="$3" - local LDAP_CONTAINER=$4 - get_ldap_user "$USER_UID" $LDAP_CONTAINER || return 1 - if ! grep -F "eduPerson$TYPE: $VALUE" $LDAPSEARCH_RESULT_FILE; then - echo "'$USER_UID' has no $TYPE of '$VALUE'" - cat $LDAPSEARCH_RESULT_FILE - rm $LDAPSEARCH_RESULT_FILE - return 1 - else - rm $LDAPSEARCH_RESULT_FILE - return 0 - fi -} - -function assert_ldap_user_has_no_value () { - local USER_UID="$1" - local TYPE=$2 # Entitlement or Affiliation - local VALUE="$3" - local LDAP_CONTAINER=$4 - get_ldap_user "$USER_UID" $LDAP_CONTAINER || return 1 - if grep -F "eduPerson$TYPE: $VALUE" $LDAPSEARCH_RESULT_FILE; then - echo "'$USER_UID' has an $TYPE of '$VALUE' although it should not have one" - cat $LDAPSEARCH_RESULT_FILE - rm $LDAPSEARCH_RESULT_FILE - return 1 - else - rm $LDAPSEARCH_RESULT_FILE - return 0 - fi -} - -function check_ldap_account_by_user_name () { - local NAME="$1" - local LDAP_CONTAINER=$2 - search_ldap_object_by_filter "ou=people,dc=internet2,dc=edu" "uid=$NAME" $LDAP_CONTAINER - search_objects_by_name users $NAME - - local MP_FULL_NAME=$(xmllint --xpath "/*/*/*[local-name()='fullName']/text()" $SEARCH_RESULT_FILE) || (echo "Couldn't extract user fullName from file:" ; cat $SEARCH_RESULT_FILE ; rm $SEARCH_RESULT_FILE ; rm $LDAPSEARCH_RESULT_FILE ; return 1) - local MP_GIVEN_NAME=$(xmllint --xpath 
"/*/*/*[local-name()='givenName']/text()" $SEARCH_RESULT_FILE) || (echo "Couldn't extract user givenName from file:" ; cat $SEARCH_RESULT_FILE ; rm $SEARCH_RESULT_FILE ; rm $LDAPSEARCH_RESULT_FILE ; return 1) - local MP_FAMILY_NAME=$(xmllint --xpath "/*/*/*[local-name()='familyName']/text()" $SEARCH_RESULT_FILE) || (echo "Couldn't extract user familyName from file:" ; cat $SEARCH_RESULT_FILE ; rm $SEARCH_RESULT_FILE ; rm $LDAPSEARCH_RESULT_FILE ; return 1) - - local LDAP_CN=$(grep -oP "cn: \K.*" $LDAPSEARCH_RESULT_FILE) || (echo "Couldn't extract user cn from file:" ; cat $LDAPSEARCH_RESULT_FILE ; rm $SEARCH_RESULT_FILE ; rm $LDAPSEARCH_RESULT_FILE ; return 1) - local LDAP_GIVEN_NAME=$(grep -oP "givenName: \K.*" $LDAPSEARCH_RESULT_FILE) || (echo "Couldn't extract user givenName from file:" ; cat $LDAPSEARCH_RESULT_FILE ; rm $SEARCH_RESULT_FILE ; rm $LDAPSEARCH_RESULT_FILE ; return 1) - local LDAP_SN=$(grep -oP "sn: \K.*" $LDAPSEARCH_RESULT_FILE) || (echo "Couldn't extract user sn from file:" ; cat $LDAPSEARCH_RESULT_FILE ; rm $SEARCH_RESULT_FILE ; rm $LDAPSEARCH_RESULT_FILE ; return 1) - - rm $SEARCH_RESULT_FILE - rm $LDAPSEARCH_RESULT_FILE - - if [[ $MP_FULL_NAME = $LDAP_CN ]] && [[ $MP_GIVEN_NAME = $LDAP_GIVEN_NAME ]] && [[ $MP_FAMILY_NAME = $LDAP_SN ]]; then - return 0 - fi - - echo "User in Midpoint and LDAP Account with uid $NAME are not same" - return 1 -} - -function check_ldap_courses_by_name () { - local NAME="$1" - local LDAP_CONTAINER=$2 - search_objects_by_name orgs $NAME - - local MP_ORG_IDENTIFIER=$(xmllint --xpath "/*/*/*[local-name()='identifier']/text()" $SEARCH_RESULT_FILE) || (echo "Couldn't extract user identifier from file:" ; cat $SEARCH_RESULT_FILE ; rm $SEARCH_RESULT_FILE ; return 1) - - search_ldap_object_by_filter "ou=courses,ou=groups,dc=internet2,dc=edu" "cn=$MP_ORG_IDENTIFIER" $LDAP_CONTAINER - - local LDAP_CN=$(grep -oP "cn: \K.*" $LDAPSEARCH_RESULT_FILE) || (echo "Couldn't extract user cn from file:" ; cat $LDAPSEARCH_RESULT_FILE ; rm 
$SEARCH_RESULT_FILE ; rm $LDAPSEARCH_RESULT_FILE ; return 1) - - rm $SEARCH_RESULT_FILE - rm $LDAPSEARCH_RESULT_FILE - if [[ $MP_ORG_IDENTIFIER = $LDAP_CN ]]; then - return 0 - fi - - echo "Orgs $NAME in Midpoint and LDAP Group(Course) with cn $MP_ORG_IDENTIFIER are not same" - return 1 -} - - -function check_of_ldap_membership () { - local NAME_OF_USER="$1" - local BASE_CONTEXT_FOR_GROUP="$2" - local NAME_OF_GROUP="$3" - local LDAP_CONTAINER=$4 - search_ldap_object_by_filter "ou=people,dc=internet2,dc=edu" "uid=$NAME_OF_USER" $LDAP_CONTAINER - - local LDAP_ACCOUNT_DN=$(grep -oP "dn: \K.*" $LDAPSEARCH_RESULT_FILE) || (echo "Couldn't extract user dn from file:" ; cat $LDAPSEARCH_RESULT_FILE ; rm $LDAPSEARCH_RESULT_FILE ; return 1) - - search_ldap_object_by_filter "$BASE_CONTEXT_FOR_GROUP" "cn=$NAME_OF_GROUP" $LDAP_CONTAINER - - local LDAP_MEMBERS_DNS=$(grep -oP "uniqueMember: \K.*" $LDAPSEARCH_RESULT_FILE) || (echo "Couldn't extract user uniqueMember from file:" ; cat $LDAPSEARCH_RESULT_FILE ; rm $LDAPSEARCH_RESULT_FILE ; return 1) - - rm $LDAPSEARCH_RESULT_FILE - - if [[ $LDAP_MEMBERS_DNS =~ $LDAP_ACCOUNT_DN ]]; then - return 0 - fi - - echo "LDAP Account with uid $NAME_OF_USER is not member of LDAP Group $NAME_OF_GROUP in base context $BASE_CONTEXT_FOR_GROUP" - return 1 -} - -function get_messages () { - local QUEUE="$1" - MESSAGES=$(curl -s -i -u guest:guest "http://localhost:15672/api/queues/%2f/$QUEUE" | sed 's/,/\n/g' | grep '"messages"' | sed 's/"messages"://g') - if [ -z "$MESSAGES" ]; then - echo "Unable to get number of messages in $QUEUE" - return 1 - fi - return 0 -} - -function upload_from_file () { - local FILENAME=$1 - local OPTIONS_TO_ADD=$2 - local REGEX="midpoint-objects.*/(.*)/(.*)" - if [[ $FILENAME =~ $REGEX ]] - then - TYPE="${BASH_REMATCH[1]}" - OID=`cat $FILENAME | sed -n 's:.*oid=\"\([A-Za-z0-9\-]*\)\".*:\1:p' | sed -n '1 p'` - echo "Uploading $FILENAME ($TYPE, $OID)" - curl -k --user administrator:5ecr3t -H "Content-Type: application/xml" 
-X PUT "https://localhost:8443/midpoint/ws/rest/$TYPE/$OID?options=overwrite$OPTIONS_TO_ADD" --data-binary @$FILENAME - else - echo "Skipping $FILENAME" - fi -} - -function execute_gsh () { - local CONTAINER=$1 - local FILE=$2 - docker cp $FILE $CONTAINER:/tmp/ - docker exec $CONTAINER bash -c "/opt/grouper/grouper.apiBinary/bin/gsh /tmp/$FILE" -} diff --git a/tests/main.bats b/tests/main.bats deleted file mode 100755 index eadbc5b..0000000 --- a/tests/main.bats +++ /dev/null @@ -1,39 +0,0 @@ -#!/usr/bin/env bats - -load ../common - -@test "010 Image is present" { - docker image inspect tier/midpoint:$tag -} - -@test "020 Check basic components" { - docker run -i $maintainer/$imagename:$tag \ - find \ - /usr/local/bin/startup.sh \ - /opt/midpoint/var/ \ - /etc/shibboleth/ \ - /etc/httpd/ -} - -@test "100 Cleanup before further tests - demo/simple" { - docker ps -a - cd demo/simple ; docker-compose down -v ; true -} - -@test "110 Cleanup before further tests - demo/shibboleth" { - docker ps -a - cd demo/shibboleth ; docker-compose down -v ; true -} - -@test "120 Cleanup before further tests - demo/postgresql" { - docker ps -a - cd demo/postgresql ; docker-compose down -v ; true -} - -@test "130 Cleanup before further tests - demo/grouper" { - docker ps -a - cd demo/grouper ; docker-compose down -v ; true -} - -# not much more to check here, as we cannot start midpoint container without having a repository -# so continuing with tests in demo/plain directory