Update for May 2020 online training

Update for the May 2020 online training. Includes an upgrade to
Shibboleth IdP version 4.0 and COmanage Registry upgrade to 3.2.4.

.gitignore

@@ -6,4 +6,5 @@ share
 ssh_config
 ssh_mux*
 ec2.py
+.vault_pass.txt
 .*.swp

README.md

@@ -67,24 +67,21 @@ cd comanage-registry-training-deployment
 virtualenv -p python3.7 ./
 source bin/activate
 pip install --upgrade pip
-pip install git+https://github.com/ansible/ansible.git@devel
+pip install ansible==2.9.6
 pip install boto
 pip install boto3
-wget https://raw.githubusercontent.com/ansible/ansible/devel/contrib/inventory/ec2.py
-chmod 755 ec2.py
 cp /path/to/AWS-Trng-1.pem .
 ```
 
 Some ansible files are encrypted using `ansible-vault`. When running
 a playbook ansible needs to be able to find the password for the 
 vault.
 
-Create a file outside of the clone of this repository to hold
-the vault password, e.g.
+Create a file to hold the vault password, e.g.
 
 ```
-touch ~/.vault_pass.txt
-chmod 600 ~/.vault_pass.txt
+touch ./.vault_pass.txt
+chmod 600 ./.vault_pass.txt
 ```
 Find the vault password from and enter it into the file you just created.
 
@@ -96,21 +93,23 @@ to set up the environment:
 ```
 cd comanage-registry-training-deployment
 source bin/activate
+
+export ANSIBLE_CONFIG=`pwd`/ansible.cfg
+export ANSIBLE_INVENTORY=`pwd`/aws_ec2.yml
+export ANSIBLE_SSH_ARGS="-F `pwd`/ssh_config -C -o ControlMaster=auto -o ControlPersist=3600s"
+export ANSIBLE_VAULT_PASSWORD_FILE=`pwd`/.vault_pass.txt
+
 export AWS_ACCESS_KEY_ID='XXXXXXXX'
 export AWS_SECRET_ACCESS_KEY='XXXXXXXX'
-export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt
 export AWS_REGION=us-west-2
-rm ./ssh_mux_*
-kill $SSH_AGENT_PID
-unset SSH_AUTH_SOCK
-eval `ssh-agent -s`
+
 ssh-add ./AWS-Trng-1.pem
 ```
 
 ## Configuration
 
 Most of the configurable details, including the number of training nodes to
-deploye, are set in the file
+deploy, are set in the file
 
 ```
 vars/global.yml
@@ -124,7 +123,7 @@ Review that file before running the playbook.
 To provision the infrastructure execute the playbook:
 
 ```
-ansible-playbook -i ./ec2.py comanage_registry_training.yml
+ansible-playbook comanage_registry_training.yml
 ```
 
 ## SSH Access
@@ -213,3 +212,18 @@ https://registry2.comanage.incommon.training
 ```
 
 for node 2, and so on.
+
+## Interference from existing SSH agent
+
+If you find that your existing SSH agent is interfering with the SSH connections
+used by ansible, it might help to start with a fresh agent when you begin your
+work for the say:
+
+```
+cd comanage-registry-training-deployment
+rm ./ssh_mux_*
+kill $SSH_AGENT_PID
+unset SSH_AUTH_SOCK
+eval `ssh-agent -s`
+ssh-add ./AWS-Trng-1.pem
+```

aws_ec2.yml

@@ -0,0 +1,12 @@
+---
+plugin: aws_ec2
+regions:
+    - us-west-2
+keyed_groups:
+    - prefix: tag
+      key: tags
+hostnames:
+    - private-ip-address
+compose:
+    public_fqdn: tags.public_fqdn 
+    private_fqdn: tags.private_fqdn

hostnames.yml

@@ -7,5 +7,5 @@
   tasks:
 
     - name: Set FQDN for node
-      command: "hostnamectl set-hostname {{ ec2_tag_private_fqdn }}"
-      when: ansible_facts['nodename'] != ec2_tag_private_fqdn 
+      command: "hostnamectl set-hostname {{ private_fqdn }}"
+      when: ansible_facts['nodename'] != private_fqdn 

roles/common/tasks/users.yml

@@ -65,7 +65,7 @@
       comment: COmanage Training User
       uid: 2000
       home: /home/training
-      password: "$6$bvMJpaKk$glM0iapwOVJFiN7//FY9PdXLIs3sGPUkOODrQgXAaCIXP/P6kly9ZucehBryh2j10giTuNmuosQcepZ2a103T."
+      password: "$6$Vi9PQcxYJ.VBZ$RD.yWppXJUvqTBcicu4V1VTwcfpILQ6fisdXbl1VRwezpPr88p5ufW8fL4lmoVKgyGVgFIOQt1LL3Z0KlEOvK/"
       shell: /bin/bash
       group: training
       append: yes

roles/idp/files/attribute-resolver.xml

@@ -6,32 +6,26 @@
 
     <AttributeDefinition id="uid" xsi:type="Simple">
         <InputDataConnector ref="LDAP" attributeNames="uid"/>
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
     </AttributeDefinition>
 
     <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}">
         <InputAttributeDefinition ref="uid"/>
-        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
     </AttributeDefinition>
 
     <AttributeDefinition id="mail" xsi:type="Simple">
         <InputDataConnector ref="LDAP" attributeNames="mail"/>
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
     </AttributeDefinition>
 
     <AttributeDefinition id="givenName" xsi:type="Simple">
         <InputDataConnector ref="LDAP" attributeNames="givenName"/>
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
     </AttributeDefinition>
 
     <AttributeDefinition id="sn" xsi:type="Simple">
         <InputDataConnector ref="LDAP" attributeNames="sn"/>
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
     </AttributeDefinition>
 
     <AttributeDefinition id="displayName" xsi:type="Simple">
         <InputDataConnector ref="LDAP" attributeNames="cn"/>
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
     </AttributeDefinition>
 
     <DataConnector id="LDAP" xsi:type="LDAPDirectory"