diff --git a/group_vars/all.yml b/group_vars/all.yml index 357f05b..b88ae74 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -5,11 +5,11 @@ # ansible-vault encrypt_string 'THE_PASSWORD' --name 'comanage_training_password' comanage_training_password: !vault | $ANSIBLE_VAULT;1.1;AES256 - 32313732343132636531663538353439663964333130616633663761313336636663323938396566 - 6539353462616330626235646530626662333630613635340a323230333133326232326630396263 - 64383336316234656364666630396362313563346364383735303131323266326465623531373637 - 3138373937323761360a323138383436353439633031306438373766303763643630643263356530 - 3638 + 32633234306463303963343034356533353265666533623339646461613233366265303632343131 + 3234303062643464383363656335383966343932303631330a383231626666326366613236633338 + 30396135396232653961653266393862656332633630616233386633396262626461613237306163 + 6537633933333430640a303736336438363439336634626562633732643032653862653130373764 + 3966 # It should not be necessary to change the password salt. comanage_training_password_salt: !vault | @@ -50,7 +50,7 @@ vpc_availability_zone: ssh_bastion_instance_type: t2.nano # Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/ -ssh_bastion_ami_id: ami-07fd151b9eb3b7264 +ssh_bastion_ami_id: ami-0d0d8694ba492c02b ssh_bastion_user: admin ssh_bastion_device_name: /dev/xvda ssh_bastion_volume_type: gp2 @@ -58,7 +58,7 @@ ssh_bastion_volume_size: 10 idp_node_instance_type: t2.small # Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/ -idp_node_ami_id: ami-07fd151b9eb3b7264 +idp_node_ami_id: ami-0d0d8694ba492c02b idp_node_user: admin idp_node_device_name: /dev/xvda idp_node_volume_type: gp2 
@@ -68,15 +68,15 @@ training_node_count: 2 training_node_instance_type: t2.small # Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/ -training_node_ami_id: ami-07fd151b9eb3b7264 +training_node_ami_id: ami-0d0d8694ba492c02b training_node_user: admin training_node_device_name: /dev/xvda training_node_volume_type: gp2 training_node_volume_size: 20 # Docker version -docker_ce_package_version: "5:20.10.9~3-0~debian-bullseye" -docker_ce_cli_package_version: "5:20.10.9~3-0~debian-bullseye" -containerd_io_package_version: "1.4.11-1" +docker_ce_package_version: "5:20.10.12~3-0~debian-bullseye" +docker_ce_cli_package_version: "5:20.10.12~3-0~debian-bullseye" +containerd_io_package_version: "1.4.12-1" diff --git a/roles/idp/files/shibboleth-idp-stack.yml b/roles/idp/files/shibboleth-idp-stack.yml index 8298656..86f85cf 100644 --- a/roles/idp/files/shibboleth-idp-stack.yml +++ b/roles/idp/files/shibboleth-idp-stack.yml @@ -2,7 +2,7 @@ version: '3.7' services: shibboleth-idp: - image: i2incommon/shib-idp:4.0.1_20210302 + image: i2incommon/shib-idp:4.1.5_20220119 volumes: - /srv/docker/usr/local/tomcat/conf/server.xml:/usr/local/tomcat/conf/server.xml - /srv/docker/opt/shibboleth-idp/conf/idp.properties:/opt/shibboleth-idp/conf/idp.properties @@ -18,6 +18,7 @@ services: - /srv/docker/opt/shibboleth-idp/credentials/sealer.jks:/opt/shibboleth-idp/credentials/sealer.jks - /srv/docker/opt/shibboleth-idp/credentials/secrets.properties:/opt/shibboleth-idp/credentials/secrets.properties - /srv/docker/opt/shibboleth-idp/metadata/registry-metadata.xml:/opt/shibboleth-idp/metadata/registry-metadata.xml + - /srv/docker/opt/shibboleth-idp/views:/opt/shibboleth-idp/views # Sleep for 10 seconds to give time for LDAP to come up and then start the IdP. entrypoint: - "/usr/bin/bash" 
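Review bot: The new bind mount `/srv/docker/opt/shibboleth-idp/views:/opt/shibboleth-idp/views` shadows the image's whole views directory, yet the templates added in this commit still `#parse("csrf/csrf.vm")`, `#parse("client-storage/read.vm")`, `#parse("client-storage/write.vm")` and `#parse("logout/propagate.vm")`, and none of those files, nor a `csrf/` or `logout/` subdirectory, appears in the diff or in the directory list that the roles/idp/tasks/main.yml hunks now pre-create and copy. Unless they already exist in roles/idp/files/views outside this diff, those views will fail to render, and a missing csrf.vm is the worst case because `idp.csrf.enabled=true` in the idp.properties hunk is expected to make the IdP reject form POSTs that carry no token. Either add the four included files to the host tree or mount only the views you override as individual files, as the other entries in this volume list already do. The service definition continues outside the hunk.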
@@ -35,7 +36,7 @@ services: tag: "shibboleth-idp_{{.Name}}" ldap: - image: sphericalcowgroup/comanage-registry-slapd:4 + image: sphericalcowgroup/comanage-registry-slapd:8 command: ["slapd", "-d", "256", "-h", "ldapi:/// ldap:///", "-u", "openldap", "-g", "openldap"] volumes: - /srv/docker/var/lib/ldap:/var/lib/ldap diff --git a/roles/idp/files/views/admin/hello.vm b/roles/idp/files/views/admin/hello.vm new file mode 100644 index 0000000..33a0528 --- /dev/null +++ b/roles/idp/files/views/admin/hello.vm @@ -0,0 +1,73 @@ +## +## Velocity Template for Hello World page. +## +## Velocity context will contain the following properties +## flowRequestContext - the Spring Web Flow RequestContext +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## profileRequestContext - root of context tree +## subjectContext - ProfileRequestContext -> SubjectContext +## attributeContext - ProfileRequestContext -> AttributeContext +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## + + + + + + #springMessageText("idp.title", "Web Login Service") - #springMessageText("hello-world.title", "Hello World") + + + + +
+
+
+ #springMessageText( +

#springMessageText("idp.title", "Web Login Service")

+
+ +
+

#springMessageText("hello-world.greeting", "Greetings"), $encoder.encodeForHTML($subjectContext.getPrincipalName())

+
+

Authenticated By

+ #foreach ($result in $subjectContext.getAuthenticationResults().entrySet()) +
$encoder.encodeForHTML($result.getKey())
+ #end +
+

Java Principals in Subjects

+ #foreach ($s in $subjectContext.getSubjects()) + #foreach ($p in $s.getPrincipals()) +
$encoder.encodeForHTML($p)
+ #end + #end + #if ($attributeContext && !$attributeContext.getUnfilteredIdPAttributes().isEmpty()) +
+

Attributes:

+ #foreach ($a in $attributeContext.getUnfilteredIdPAttributes()) + #if (!$a.getValues().isEmpty()) +
+
$encoder.encodeForHTML($a.getId())
+ #foreach ($v in $a.getValues()) +
$encoder.encodeForHTML($v.getDisplayValue())
+ #end + #end + #end + #end +
+ +
+

#springMessageText("hello-world.reload", "Reload the Page")

+
+
+ + +
+ + diff --git a/roles/idp/files/views/client-storage/client-storage-read.vm b/roles/idp/files/views/client-storage/client-storage-read.vm new file mode 100644 index 0000000..1993c14 --- /dev/null +++ b/roles/idp/files/views/client-storage/client-storage-read.vm @@ -0,0 +1,53 @@ +## +## Velocity template to read from local storage. +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## loadContext - context with details about the storage keys to load +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service")) +#set ($titleSuffix = $springMacroRequestContext.getMessage("idp.client-storage-read.suffix", "Loading Session Information")) +## + + + + + + $title - $titleSuffix + + + + +
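Review bot: hello.vm renders the authenticated principal, every authentication result and every value from `$attributeContext.getUnfilteredIdPAttributes()`, and nothing in the template itself limits who can reach it. The header lists the context objects but does not say that the page is only safe behind the admin flow's access-control policy, which is outside this diff. Suggest adding `## Exposes unfiltered attribute values; reachable only through the admin hello flow, whose access-control policy (not part of this change) must stay restricted.` to the header block. Output is consistently passed through `$encoder.encodeForHTML`, which is good.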
+
+
+

$title - $titleSuffix

+
+
+ $springMacroRequestContext.getMessage("idp.client-storage-read.text", "Loading login session information from the browser...") +
+ + #parse( "client-storage/read.vm" ) +
+ +
+ + diff --git a/roles/idp/files/views/client-storage/client-storage-write.vm b/roles/idp/files/views/client-storage/client-storage-write.vm new file mode 100644 index 0000000..4b92d6b --- /dev/null +++ b/roles/idp/files/views/client-storage/client-storage-write.vm @@ -0,0 +1,53 @@ +## +## Velocity template to write to local storage. +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## saveContext - context with details about the storage data to save +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service")) +#set ($titleSuffix = $springMacroRequestContext.getMessage("idp.client-storage-write.suffix", "Saving Session Information...")) +## + + + + + + $title - $titleSuffix + + + + +
+
+
+

$title - $titleSuffix

+
+
+ $springMacroRequestContext.getMessage("idp.client-storage-write.text", "Saving login session information to the browser...") +
+ + #parse( "client-storage/write.vm" ) +
+ +
+ + \ No newline at end of file diff --git a/roles/idp/files/views/error.vm b/roles/idp/files/views/error.vm new file mode 100644 index 0000000..a44bd6f --- /dev/null +++ b/roles/idp/files/views/error.vm 
@@ -0,0 +1,75 @@ +## +## Velocity Template for error end-state +## +## Velocity context will contain the following properties +## flowRequestContext - the Spring Web Flow RequestContext +## profileRequestContext - root of context tree +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## +#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service")) +#set ($defaultTitleSuffix = $springMacroRequestContext.getMessage("idp.title.suffix", "Error")) +## +#if ($flowRequestContext) + ## This handles flow events, the most common case. + #set ($eventId = $flowRequestContext.getCurrentEvent().getId()) + #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "error")) + #set ($titleSuffix = $springMacroRequestContext.getMessage("${eventKey}.title", "$defaultTitleSuffix")) + #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "$defaultTitleSuffix: $eventId")) + #if ($eventId == "AccessDenied" or $eventId == "ContextCheckDenied") + $response.setStatus(403) + #elseif ($eventId == "AttributeReleaseRejected" || $eventId == "TermsRejected") + $response.setStatus(200) + #elseif ($eventKey == "unexpected" || $eventKey == "runtime-error" || $eventKey == "error") + $response.setStatus(500) + #else + $response.setStatus(400) + #end +#elseif ($exception) + ## This handles exceptions that reach the Spring-MVC exception handler. 
+ #set ($eventId = $exception.getClass().getSimpleName()) + #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "error")) + #set ($titleSuffix = $springMacroRequestContext.getMessage("${eventKey}.title", "$defaultTitleSuffix")) + #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "$defaultTitleSuffix: $eventId")) + $response.setStatus(500) +#else + ## This is a catch-all that theoretically shouldn't happen? + #set ($titleSuffix = $defaultTitleSuffix) + #set ($message = $springMacroRequestContext.getMessage("idp.message", "An unidentified error occurred.")) + $response.setStatus(500) +#end +## + + + + + + $title - $titleSuffix + + + + +
+
+
+ #springMessageText( +

$title - $titleSuffix

+
+ +
+ #evaluate($message) +
+
+ + + +
+ + \ No newline at end of file diff --git a/roles/idp/files/views/intercept/attribute-release.vm b/roles/idp/files/views/intercept/attribute-release.vm new file mode 100644 index 0000000..c170b69 --- /dev/null +++ b/roles/idp/files/views/intercept/attribute-release.vm @@ -0,0 +1,160 @@ +## +## Velocity Template for DisplayAttributeReleasePage view-state +## +## Velocity context will contain the following properties : +## +## attributeReleaseContext - context holding consentable attributes +## attributeReleaseFlowDescriptor - attribute consent flow descriptor +## attributeDisplayNameFunction - function to display attribute name +## attributeDisplayDescriptionFunction - function to display attribute description +## consentContext - context representing the state of a consent flow +## encoder - HTMLEncoder class +## flowExecutionKey - SWF execution key (this is built into the flowExecutionUrl) +## flowExecutionUrl - form action location +## flowRequestContext - Spring Web Flow RequestContext +## profileRequestContext - OpenSAML profile request context +## request - HttpServletRequest +## response - HttpServletResponse +## rpUIContext - context with SP UI information from the metadata +## environment - Spring Environment object for property resolution +#set ($serviceName = $rpUIContext.serviceName) +#set ($serviceDescription = $rpUIContext.serviceDescription) +#set ($informationURL = $rpUIContext.informationURL) +#set ($privacyStatementURL = $rpUIContext.privacyStatementURL) +#set ($rpOrganizationLogo = $rpUIContext.getLogo()) +#set ($rpOrganizationName = $rpUIContext.organizationDisplayName) +#set ($replaceDollarWithNewline = true) +## + + + + + + + #springMessageText("idp.attribute-release.title", "Information Release") + + +
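Review bot: `#evaluate($message)` near the end of the template renders the resolved message as Velocity markup rather than as encoded text, so every `*.message` property it resolves to, and the `$defaultTitleSuffix: $eventId` fallback built from the event id or exception class name, is trusted template input; an edit to a message property file that contains `$` or `#` changes behaviour, not just wording. Worth a comment above it, e.g. `## $message is evaluated as Velocity (not HTML-encoded): keep message properties trusted and free of stray $ / # sequences.`. The values visible here come from the flow event id and exception class names rather than from request parameters, so this is a maintenance hazard rather than an immediate injection point.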
+ #parse("csrf/csrf.vm") +
+
+ + #if ($rpOrganizationLogo) + + #end +
+ #if ($serviceName) +

+ #springMessageText("idp.attribute-release.serviceNameLabel", "You are about to access the service:")
+ $serviceName + #if ($rpOrganizationName) + #springMessageText("idp.attribute-release.of", "of") $encoder.encodeForHTML($rpOrganizationName) + #end +

+ #end + #if ($serviceDescription) +

+ #springMessageText("idp.attribute-release.serviceDescriptionLabel", "Description as provided by this service:")
+ $encoder.encodeForHTML($serviceDescription) +
+

+ #end + #if ($informationURL) +

+ #springMessageText("idp.attribute-release.informationURLLabel", "Additional information about the service") +

+ #end +
+ + + + + + + + #foreach ($attribute in $attributeReleaseContext.getConsentableAttributes().values()) + + + + + + #end + +
+ #springMessageText("idp.attribute-release.attributesHeader", "Information to be Provided to Service") +
$encoder.encodeForHTML($attributeDisplayNameFunction.apply($attribute)) + #foreach ($value in $attribute.values) + #if ($replaceDollarWithNewline) + #set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue()).replaceAll($encoder.encodeForHTML('$'),"
")) + #else + #set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue())) + #end + #if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled) + + #else + $encodedValue + #end +
+ #end +
+ #if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled) + #set ($inputType = "checkbox") + #else + #set ($inputType = "hidden") + #end + +
+
+ #if ($privacyStatementURL) +

+ #springMessageText("idp.attribute-release.privacyStatementURLLabel", "Data privacy information of the service") +

+ #end +
+

+ #springMessageText("idp.attribute-release.confirmationQuestion", "The information above would be shared with the service if you proceed. Do you agree to release this information to the service every time you access it?") +

+ #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) +
+ #springMessageText("idp.attribute-release.consentMethod", "Select an information release consent duration:") + #end + #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed) +

+ + +

    +
  • #springMessageText("idp.attribute-release.doNotRememberConsentItem", "I agree to send my information this time.")
  • +
+

+ #end + #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) +

+ + +

    +
  • #springMessageText("idp.attribute-release.rememberConsentItem", "I agree that the same information will be sent automatically to this service in the future.")
  • +
+

+ #end + #if ($attributeReleaseFlowDescriptor.globalConsentAllowed) +

+ + +

    +
  • #springMessageText("idp.attribute-release.globalConsentItem", "I agree that all of my information will be released to any service.")
  • +
+

+ #end + #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed) + #springMessageText("idp.attribute-release.consentMethodRevoke", "This setting can be revoked at any time with the checkbox on the login page.") +
+ #end +

+ + +

+
+
+
+ + diff --git a/roles/idp/files/views/intercept/terms-of-use.vm b/roles/idp/files/views/intercept/terms-of-use.vm new file mode 100644 index 0000000..67b2c15 --- /dev/null +++ b/roles/idp/files/views/intercept/terms-of-use.vm @@ -0,0 +1,69 @@ +## +## Velocity Template for DisplayTermsOfUsePage view-state +## +## Velocity context will contain the following properties : +## +## encoder - HTMLEncoder class +## flowExecutionKey - SWF execution key (this is built into the flowExecutionUrl) +## flowExecutionUrl - form action location +## flowRequestContext - Spring Web Flow RequestContext +## request - HttpServletRequest +## response - HttpServletResponse +## rpUIContext - context with SP UI information from the metadata +## termsOfUseId - terms of use ID to lookup message strings +## environment - Spring Environment object for property resolution +#set ($serviceName = $rpUIContext.serviceName) +#set ($rpOrganizationLogo = $rpUIContext.getLogo()) +## + + + + + + + #springMessageText("${termsOfUseId}.title", "Terms of Use") + + +
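Review bot: `$serviceName` is written to the page as-is after the serviceNameLabel message, while the neighbouring `$rpOrganizationName` and `$serviceDescription` go through `$encoder.encodeForHTML(...)` and login.vm encodes the same value as `$encoder.encodeForHTML($serviceName)`. The header says the value comes from the SP's metadata UI elements, so unless `$rpUIContext.serviceName` is already encoded (I cannot confirm that from the template) the line should read `$encoder.encodeForHTML($serviceName)`. terms-of-use.vm sets `$serviceName` as well but never outputs it, so it is unaffected.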
+
+ + #if ($rpOrganizationLogo) + + #end +
+ #if ($rpOrganizationLogo) +
+

#springMessageText("${termsOfUseId}.title", "Terms of Use")

+
+ #end +
+ #springMessageText("${termsOfUseId}.text", "Terms of Use Text...") +
+
+
+
+ #parse("csrf/csrf.vm") + +
+
+
+
+ #parse("csrf/csrf.vm") + + + #if ($requireCheckbox) +

#springMessageText("idp.terms-of-use.required", "Please check this box if you want to proceed.")

+ #end + +
+
+
+
+ +
+ + diff --git a/roles/idp/files/views/login-error.vm b/roles/idp/files/views/login-error.vm new file mode 100644 index 0000000..224976b --- /dev/null +++ b/roles/idp/files/views/login-error.vm @@ -0,0 +1,26 @@ +## Velocity Template for login error message production, included by login.vm +## +## authenticationErrorContext - context containing error data, if available +## +#if ($authenticationErrorContext && $authenticationErrorContext.getClassifiedErrors().size() > 0) + ## This handles errors that are classified by the message maps in the authentication config. + #set ($eventId = $authenticationErrorContext.getClassifiedErrors().iterator().next()) + #if ($eventId != "ReselectFlow") + #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "login")) + #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "Login Failure: $eventId")) + #end +#elseif ($authenticationErrorContext && $authenticationErrorContext.getExceptions().size() > 0) + ## This handles login exceptions that are left unclassified. + #set ($loginException = $authenticationErrorContext.getExceptions().get(0)) + #if ($loginException.getMessage()) + #set ($message = "Login Failure: $loginException.getMessage()") + #else + #set ($message = $loginException.toString()) + #end +#end + +#if ($message) +
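Review bot: The header's list of context properties omits `$requireCheckbox`, which the `#if ($requireCheckbox)` block near the end depends on, and `$serviceName` is set at the top but never referenced; add `## requireCheckbox - whether the user must tick the acceptance box before proceeding` to the header and drop the unused `#set ($serviceName = $rpUIContext.serviceName)`. `#parse("csrf/csrf.vm")` appears twice, which is only correct if each include sits inside its own form; the surrounding markup is not visible here, so please confirm.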
+

$encoder.encodeForHTML($message)

+
+#end diff --git a/roles/idp/files/views/login.vm b/roles/idp/files/views/login.vm new file mode 100644 index 0000000..c7b15c9 --- /dev/null +++ b/roles/idp/files/views/login.vm @@ -0,0 +1,144 @@ +## +## Velocity Template for DisplayUsernamePasswordPage view-state +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## authenticationContext - context with authentication request information +## authenticationErrorContext - context with login error state +## authenticationWarningContext - context with login warning state +## ldapResponseContext - context with LDAP state (if using native LDAP) +## rpUIContext - the context with SP UI information from the metadata +## extendedAuthenticationFlows - collection of "extended" AuthenticationFlowDescriptor objects +## passwordPrincipals - contents of the shibboleth.authn.Password.PrincipalOverride bean +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## +#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext')) +#set ($username = $authenticationContext.getSubcontext('net.shibboleth.idp.authn.context.UsernamePasswordContext', true).getUsername()) +#set ($passwordEnabled = false) +#if (!$passwordPrincipals or $passwordPrincipals.isEmpty() or $authenticationContext.isAcceptable($passwordPrincipals)) + #set ($passwordEnabled = true) +#end +## + + + + + + #springMessageText("idp.title", "Web Login Service") + + + +
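Review bot: For unclassified failures the template shows `$loginException.getMessage()` (or the exception's `toString()`) to the end user verbatim, which can surface backend detail such as LDAP or connection error text, whereas the classified branch above it maps the event id to a message key. Consider doing the same here, e.g. `#set ($message = $springMacroRequestContext.getMessage("login.unexpected.message", "Login Failure"))` (key name illustrative), and leave the exception text to the server log. Output is HTML-encoded before display, so the concern is disclosure rather than markup injection.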
+
+
+ #springMessageText( +
+ +
+
+ #parse("login-error.vm") + +
+ #parse("csrf/csrf.vm") + #set ($serviceName = $rpUIContext.serviceName) + #if ($serviceName && !$rpContext.getRelyingPartyId().contains($serviceName)) + + #springMessageText("idp.login.loginTo", "Login to") $encoder.encodeForHTML($serviceName) + + #end + + #if ($passwordEnabled) +
+ + +
+ +
+ + +
+ + ## You may need to modify this to taste, such as changing the flow name its checking for to authn/MFA. + #if (!$authenticationContext.getActiveResults().containsKey('authn/Password')) +
+ + +
+ #end + + #end + +
+ + +
+ + #if ($passwordEnabled) +
+ +
+ #end + + #foreach ($extFlow in $extendedAuthenticationFlows) + #if ($authenticationContext.isAcceptable($extFlow) and $extFlow.test(profileRequestContext)) +
+ +
+ #end + #end +
+ + #* + // + // SP Description & Logo (optional) + // These idpui lines will display added information (if available + // in the metadata) about the Service Provider (SP) that requested + // authentication. These idpui lines are "active" in this example + // (not commented out) - this extra SP info will be displayed. + // Remove or comment out these lines to stop the display of the + // added SP information. + // + *# + #set ($logo = $rpUIContext.getLogo()) + #if ($logo) + $encoder.encodeForHTMLAttribute($serviceName) + #end + #set ($desc = $rpUIContext.getServiceDescription()) + #if ($desc) + $encoder.encodeForHTML($desc) + #end + +
+ +
+
+ + +
+ + + \ No newline at end of file diff --git a/roles/idp/files/views/logout-complete.vm b/roles/idp/files/views/logout-complete.vm new file mode 100644 index 0000000..7341e69 --- /dev/null +++ b/roles/idp/files/views/logout-complete.vm @@ -0,0 +1,67 @@ +## +## Velocity Template for logout flow's concluding view-state (no propagation) +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## logoutContext - context with SPSession details for logout operation +## multiRPContext - context with RelyingPartyContexts and possibly SP UI information from the metadata +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## +#set ($activeIdPSessions = $logoutContext and !$logoutContext.getIdPSessions().isEmpty()) +#set ($activeSPSessions = $logoutContext and !$logoutContext.getSessionMap().isEmpty()) + + + + + + #springMessageText("idp.title", "Web Login Service") + + + + +
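Review bot: The extended-flow guard `#if ($authenticationContext.isAcceptable($extFlow) and $extFlow.test(profileRequestContext))` passes `profileRequestContext` as a bare word, whereas the header and every other use in the file refer to `$profileRequestContext`; if the bare word does not resolve to the context object, the predicate is evaluated against the wrong argument and extended flows would never be offered. Please confirm on a rendered page with an extended flow enabled, or change it to `$extFlow.test($profileRequestContext)`. Separately, the comment `## You may need to modify this to taste, such as changing the flow name its checking for to authn/MFA.` should read `it's checking for`.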
+
+
+ #springMessageText( +
+ +
+
+ #if ($activeIdPSessions) +

#springMessageText("idp.logout.cancelled", "Logout has been cancelled.")

+ #elseif ($activeSPSessions) +

#springMessageText("idp.logout.local", "You elected not to log out of all the applications accessed during your session.")

+ #else +

#springMessageText("idp.logout.complete", "The logout operation is complete, and no other services appear to have been accessed during this session.")

+ #end +
+ +
+
+ + + #if ( $profileRequestContext.getProfileId().contains("saml2/logout") ) + + #end + + +
+ + + \ No newline at end of file diff --git a/roles/idp/files/views/logout-propagate.vm b/roles/idp/files/views/logout-propagate.vm new file mode 100644 index 0000000..470eff5 --- /dev/null +++ b/roles/idp/files/views/logout-propagate.vm @@ -0,0 +1,58 @@ +## +## Velocity Template for logout flow's concluding view-state (with propagation) +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## logoutContext - context with SPSession details for logout operation +## multiRPContext - context with RelyingPartyContexts and possibly SP UI information from the metadata +## htmlEncoder - HTMLEncoder class +## urlEncoder - urlEncoder class +## codecUtil - CodecUtil class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## + + + + + + #springMessageText("idp.title", "Web Login Service") + + + + + +
+
+
+ #springMessageText( +
+ +
+
+

#springMessageText("idp.logout.attempt", "Attempting to log out of the following services:")

+ #parse("logout/propagate.vm") +
+ +
+
+ + +
+ + + \ No newline at end of file diff --git a/roles/idp/files/views/logout.vm b/roles/idp/files/views/logout.vm new file mode 100644 index 0000000..3d8d50b --- /dev/null +++ b/roles/idp/files/views/logout.vm @@ -0,0 +1,131 @@ +## +## Velocity Template for logout flow's starting view-state +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## logoutContext - context with SPSession details for logout operation +## multiRPContext - context with RelyingPartyContexts and possibly SP UI information from the metadata +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## +#set ($rpContext = $profileRequestContext.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext")) +#if ($rpContext) +#set ($rpUIContext = $rpContext.getSubcontext("net.shibboleth.idp.ui.context.RelyingPartyUIContext")) +#end +#set ($promptForIdP = $logoutContext and !$logoutContext.getIdPSessions().isEmpty()) +#set ($promptForSP = $logoutContext and !$logoutContext.getSessionMap().isEmpty()) + + + + + + #if ($promptForSP) + + #elseif ($promptForIdP) + + #end + #springMessageText("idp.title", "Web Login Service") + + + + +
+
+
+ #springMessageText( +
+ +
+
+

This page is displayed when a logout operation at the Identity Provider completes. This page is an example + and should be customized. It is not fully internationalized because the presentation will be a highly localized + decision, and we don't have a good suggestion for a default.

+
+ + #if ($rpContext) +

#springMessageText("idp.logout.sp-initiated", "You have been logged out of the following service:")

+
+ #if ($rpUIContext) + $encoder.encodeForHTML($rpUIContext.getServiceName()) + #else + $encoder.encodeForHTML($rpContext.getRelyingPartyId()) + #end +
+
+ #end + + #if ($promptForIdP or $promptForSP) +

#springMessageText("idp.logout.prompt", "Choose one of the following, or wait a few seconds for the default.")

+
+ +
+ +
+ +

#springMessageText("idp.logout.idponly.caption", "End your SSO session.")

+
+ #end + + #if ($promptForSP) +
+ +

#springMessageText("idp.logout.global.caption", "End your SSO session and attempt logout of services accessed during session.")

+
+

#springMessageText("idp.logout.contactServices", "If instructed, the system will attempt to contact the following services:")

+
    + #foreach ($sp in $logoutContext.getSessionMap().keySet()) + #set ($rpCtx = $multiRPContext.getRelyingPartyContextById($sp)) + #if ($rpCtx) + #set ($rpUIContext = $rpCtx.getSubcontext("net.shibboleth.idp.ui.context.RelyingPartyUIContext")) + #end + #if ($rpUIContext and $rpUIContext.getServiceName()) +
  1. $encoder.encodeForHTML($rpUIContext.getServiceName())
  2. + #else +
  3. $encoder.encodeForHTML($sp)
  4. + #end + #end +
+
+
+ #end + + #if ($promptForIdP) +
+ +

#springMessageText("idp.logout.cancel.caption", "Cancel logout and retain your SSO session.")

+
+ #end + + #if ($promptForIdP or $promptForSP) +
+ #else +

#springMessageText("idp.logout.complete", "The logout operation is complete, and no other services appear to have been accessed during this session.")

+ + + #end + +
+ +
+
+ + +
+ + + \ No newline at end of file diff --git a/roles/idp/files/views/user-prefs.js b/roles/idp/files/views/user-prefs.js new file mode 100644 index 0000000..ab994f9 --- /dev/null +++ b/roles/idp/files/views/user-prefs.js @@ -0,0 +1,45 @@ +"use strict"; + +function createCookie(name, value, seconds) { + var date = new Date(); + date.setTime(date.getTime() + (seconds * 1000)); + var expires = "; expires=" + date.toGMTString(); + + var path = '$environment.getProperty("idp.cookie.path", $request.getContextPath())'; + if (path.length > 0) + path = "; path=" + path; + document.cookie = name + "=" + value + expires + path; +} + +function eraseCookie(name) { + createCookie(name, "", -31536000); +} + +function readCookie(name) { + var nameEQ = name + "="; + var ca = document.cookie.split(';'); + for (var i = 0; i < ca.length; i++) { + var c = ca[i]; + while (c.charAt(0) == ' ') + c = c.substring(1, c.length); + if (c.indexOf(nameEQ) == 0) + return c.substring(nameEQ.length, c.length); + } + return null; +} + +function load(id) { + var checkbox = document.getElementById(id); + if (checkbox != null) { + var spnego = readCookie(checkbox.name); + checkbox.checked = (spnego == "1"); + } +} + +function check(checkbox) { + if (checkbox.checked) { + createCookie(checkbox.name, checkbox.value, $environment.getProperty("idp.cookie.maxAge","31536000")); + } else { + eraseCookie(checkbox.name); + } +} diff --git a/roles/idp/files/views/user-prefs.vm b/roles/idp/files/views/user-prefs.vm new file mode 100644 index 0000000..8de0503 --- /dev/null +++ b/roles/idp/files/views/user-prefs.vm 
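Review bot: Inside `#foreach ($sp in $logoutContext.getSessionMap().keySet())` the template reuses `$rpUIContext`, which already holds the SP-initiated relying party's UI context from the top of the file, and only reassigns it when `$rpCtx` is non-null; for any session whose `getRelyingPartyContextById($sp)` returns null (the `#if ($rpCtx)` guard suggests that can happen) the previous service name is printed against the wrong SP. Use a loop-local variable reset on every iteration, as below; the explicit `false` is needed because Velocity's `#set` ignores a null right-hand side, so a plain reassignment cannot clear the stale value.
```velocity
#foreach ($sp in $logoutContext.getSessionMap().keySet())
    #set ($spUIContext = false)
    #set ($rpCtx = $multiRPContext.getRelyingPartyContextById($sp))
    #if ($rpCtx)
        #set ($spUIContext = $rpCtx.getSubcontext("net.shibboleth.idp.ui.context.RelyingPartyUIContext"))
    #end
    #if ($spUIContext and $spUIContext.getServiceName())
        ## … unchanged: list item showing $encoder.encodeForHTML($spUIContext.getServiceName()) …
    #else
        ## … unchanged: list item showing $encoder.encodeForHTML($sp) …
    #end
#end
```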
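Review bot: `createCookie` writes the preference cookie with only an expiry and a path, so this client-side cookie gets neither `Secure` nor `SameSite`, while the server-issued cookies are governed by `idp.cookie.secure` / `idp.cookie.sameSite` in idp.properties; it is a low-value preference flag, but sending it over plain HTTP is still worth preventing. One-line change: `document.cookie = name + "=" + value + expires + path + "; SameSite=Lax" + (location.protocol === "https:" ? "; Secure" : "");`. As a style point, `date.toGMTString()` is deprecated in favour of `toUTCString()`, and the comparisons use `==` where `===` is the usual choice in a `"use strict"` file. The file is also rendered by Velocity (`$environment.getProperty(...)` inside a JS string literal), so the cookie path value must never contain a single quote; a comment above that line saying so would help the next deployer.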
@@ -0,0 +1,60 @@ +## +## Velocity Template for user preferences view +## +## Velocity context will contain the following properties +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## + + + + + + #springMessageText("idp.userprefs.title", "Web Login Service") - #springMessageText("idp.userprefs.title.suffix", "Login Preferences") + + + + +
+
+
+ #springMessageText( +

#springMessageText("idp.title", "Web Login Service") - #springMessageText("idp.userprefs.title.suffix", "Login Preferences")

+

+ #springMessage("idp.userprefs.info") +

+
+ + + + +
+ + +
+ + + diff --git a/roles/idp/tasks/main.yml b/roles/idp/tasks/main.yml index e7c4b77..099ccc2 100644 --- a/roles/idp/tasks/main.yml +++ b/roles/idp/tasks/main.yml @@ -20,6 +20,10 @@ - /srv/docker/opt/shibboleth-idp/conf - /srv/docker/opt/shibboleth-idp/credentials - /srv/docker/opt/shibboleth-idp/metadata + - /srv/docker/opt/shibboleth-idp/views + - /srv/docker/opt/shibboleth-idp/views/admin + - /srv/docker/opt/shibboleth-idp/views/client-storage + - /srv/docker/opt/shibboleth-idp/views/intercept - name: Copy Tomcat server.xml file copy: @@ -198,3 +202,11 @@ owner: root group: root mode: '0644' + + - name: Copy views files + copy: + src: views + dest: /srv/docker/opt/shibboleth-idp + owner: root + group: root + mode: '0644' diff --git a/roles/idp/templates/idp.properties b/roles/idp/templates/idp.properties index 51a7953..b26f2a0 100644 --- a/roles/idp/templates/idp.properties +++ b/roles/idp/templates/idp.properties @@ -1,11 +1,15 @@ -# Load any additional property resources from a comma-delimited list -idp.additionalProperties=/conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties, /credentials/secrets.properties +# Auto-load all files matching conf/**/*.properties +# Disable if you want to manually maintain a list of sources. +idp.searchForProperties=true + +# Load any "outside-tree" property sources from a comma-delimited list +idp.additionalProperties=/credentials/secrets.properties # In most cases (and unless noted in the surrounding comments) the -# commented settings in the distributed files are the default -# behavior for V3. -# +# commented settings in the distributed files document default behavior. # Uncomment them and change the value to change functionality. +# +# Uncommented properties are either required or ship non-defaulted. # Set the entityID of the IdP idp.entityID=https://login.comanage.incommon.training/idp/shibboleth 
@@ -18,12 +22,19 @@ idp.entityID=https://login.comanage.incommon.training/idp/shibboleth idp.scope=comanage.incommon.training # General cookie properties (maxAge only applies to persistent cookies) -# Note the default for idp.cookie.secure, you will usually want it set. -#idp.cookie.secure = false +#idp.cookie.secure = true #idp.cookie.httpOnly = true #idp.cookie.domain = #idp.cookie.path = #idp.cookie.maxAge = 31536000 +# These control operation of the SameSite filter, which is off by default. +#idp.cookie.sameSite = None +#idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE + +# Enable cross-site request forgery mitigation for views. +idp.csrf.enabled=true +# Name of the HTTP parameter that stores the CSRF token. +#idp.csrf.token.parameter = csrf_token # HSTS/CSP response headers #idp.hsts = max-age=0 @@ -39,6 +50,7 @@ idp.scope=comanage.incommon.training #idp.views = %{idp.home}/views # Settings for internal AES encryption key +#idp.sealer.keyStrategy = shibboleth.DataSealerKeyStrategy #idp.sealer.storeType = JCEKS #idp.sealer.updateInterval = PT15M #idp.sealer.aliasBase = secret 
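Review bot: The hunk drops the old reminder about `idp.cookie.secure` and leaves the setting commented (`#idp.cookie.secure = true`), so the rendered config now depends on the distribution default; given the https entityID and scope in this file the service is presumably TLS-only, so make it explicit with `idp.cookie.secure=true` (and `idp.cookie.httpOnly=true`) next to `idp.csrf.enabled=true`, so the flag survives a later image default change and is visible without consulting upstream defaults. Enabling `idp.csrf.enabled=true` presumably means form posts from the views are rejected unless they carry the CSRF token; a one-line comment above it, `# Views under files/views must include the csrf_token field`, ties this setting to the views copied elsewhere in this commit.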
@@ -64,14 +76,18 @@ idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt # The new install default for encryption is now AES-GCM. idp.encryption.config=shibboleth.EncryptionConfiguration.GCM +# Sets the default strategy for key agreement key wrap usage for credentials from metadata, +# if not otherwise configured on the security configuration +#idp.encryption.keyagreement.metadata.defaultUseKeyWrap = Default + # Configures trust evaluation of keys used by services at runtime -# Defaults to supporting both explicit key and PKIX using SAML metadata. -#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine -# To pick only one set to one of: -# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine -#idp.trust.certificates = shibboleth.ChainingX509TrustEngine -# To pick only one set to one of: -# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine +# Internal default is Chaining, overriden for new installs +idp.trust.signatures=shibboleth.ExplicitKeySignatureTrustEngine +# Other options: +# shibboleth.ChainingSignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine +idp.trust.certificates=shibboleth.ExplicitKeyX509TrustEngine +# Other options: +# shibboleth.ChainingX509TrustEngine, shibboleth.PKIXX509TrustEngine # If true, encryption will happen whenever a key to use can be located, but # failure to encrypt won't result in request failure. @@ -79,7 +95,7 @@ idp.encryption.config=shibboleth.EncryptionConfiguration.GCM # Configuration of client- and server-side storage plugins #idp.storage.cleanupInterval = PT10M -idp.storage.htmlLocalStorage = true +idp.storage.htmlLocalStorage=true # Set to true to expose more detailed errors in responses to SPs #idp.errors.detailed = false 
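Review bot: `idp.trust.signatures=shibboleth.ExplicitKeySignatureTrustEngine` and `idp.trust.certificates=shibboleth.ExplicitKeyX509TrustEngine` are a behaviour change, not a comment refresh: the removed comment says the previous chaining default supported both explicit key and PKIX, whereas explicit-key only means every relying party's signing and encryption keys must be present in the metadata the IdP loads, and an SP that was only accepted through PKIX stops validating. That is the sounder default for this deployment, but it deserves a line in the commit message or a comment such as `# Explicit-key only: SP keys must be present in the loaded metadata`. The upstream typo `overriden` in the new comment could be corrected while here.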
@@ -109,34 +125,19 @@ idp.storage.htmlLocalStorage = true # Tolerate storage-related errors #idp.session.maskStorageFailure = false # Track information about SPs logged into -#idp.session.trackSPSessions = false +#idp.session.trackSPSessions=true # Support lookup by SP for SAML logout -#idp.session.secondaryServiceIndex = false +#idp.session.secondaryServiceIndex=true # Length of time to track SP sessions #idp.session.defaultSPlifetime = PT2H -# Regular expression matching login flows to enable, e.g. IPAddress|Password -idp.authn.flows=Password - -# Default lifetime and timeout of various authentication methods -#idp.authn.defaultLifetime = PT60M -#idp.authn.defaultTimeout = PT30M - -# Whether to populate relying party user interface information for display -# during authentication, consent, terms-of-use. -#idp.authn.rpui = true - -# Whether to prioritize "active" results when an SP requests more than -# one possible matching login method (V2 behavior was to favor them) -#idp.authn.favorSSO = false - -# Whether to fail requests when a user identity after authentication -# doesn't match the identity in a pre-existing session. -#idp.authn.identitySwitchIsError = false - # Set to "shibboleth.StorageService" or custom bean for alternate storage of consent #idp.consent.StorageService = shibboleth.ClientPersistentStorageService +# Default consent auditing formats +#idp.consent.terms-of-use.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA +#idp.consent.attribute-release.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA + # Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute # to key user consent storage records (and set the attribute name) #idp.consent.attribute-release.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey 
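Review bot: Removing `idp.authn.flows=Password` together with the other `idp.authn.*` defaults leaves flow selection to whatever `conf/authn/*.properties` is auto-loaded by the new `idp.searchForProperties=true` in this file's first hunk; nothing in the diff copies or mounts such a file, so this presumably relies on the one shipped inside the image. If a later change bind-mounts `conf/authn`, or the image's default flow list differs from `Password`, the IdP silently changes its login behaviour. A one-line comment where the setting used to live, `# Authentication flows are configured in conf/authn/authn.properties (auto-loaded via idp.searchForProperties)`, would record that dependency.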
@@ -161,7 +162,18 @@ idp.authn.flows=Password #idp.consent.expandedMaxStoredRecords = 0 # Time in milliseconds to expire consent storage records. -#idp.consent.storageRecordLifetime = P1Y +# Leave commented out for the default of infinite +#idp.consent.storageRecordLifetime = + +# Path to use with External interceptor flow +#idp.intercept.External.externalPath = contextRelative:intercept.jsp + +# Policies to use with Impersonate interceptor flow +#idp.impersonate.generalPolicy = GeneralImpersonationPolicy +#idp.impersonate.specificPolicy = SpecificImpersonationPolicy + +# Picks outbound bindings more sensibly than based on metadata order +idp.bindings.inMetadataOrder=false # Whether to lookup metadata, etc. for every SP involved in a logout # for use by user interface logic; adds overhead so off by default. @@ -170,6 +182,9 @@ idp.authn.flows=Password # Whether to require logout requests/responses be signed/authenticated. #idp.logout.authenticated = true +# Bean to determine whether user should be allowed to cancel logout +#idp.logout.promptUser=shibboleth.Conditions.FALSE + # Message freshness and replay cache tuning #idp.policy.messageLifetime = PT3M #idp.policy.clockSkew = PT3M 
@@ -191,22 +206,25 @@ idp.authn.flows=Password # browser-supported languages, defaults to an empty list. idp.ui.fallbackLanguages=en,fr,de -# Storage service used by CAS protocol +# Storage service used by CAS protocol for chained proxy-granting tickets +# and when using server-managed "simple" TicketService. # Defaults to shibboleth.StorageService (in-memory) # MUST be server-side storage (e.g. in-memory, memcached, database) -# NOTE that idp.session.StorageService requires server-side storage -# when CAS protocol is enabled #idp.cas.StorageService=shibboleth.StorageService # CAS service registry implementation class #idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry +# If true, CAS services provisioned with SAML metadata are identified via entityID +#idp.cas.relyingPartyIdFromMetadata=false + # F-TICKS auditing - set a salt to include hashed username -#idp.fticks.federation=MyFederation -#idp.fticks.algorithm=SHA-256 -#idp.fticks.salt=somethingsecret -#idp.fticks.loghost=localhost -#idp.fticks.logport=514 +#idp.fticks.federation = MyFederation +#idp.fticks.condition = MyFTICKSCondition +#idp.fticks.algorithm = SHA-256 +#idp.fticks.salt = somethingsecret +#idp.fticks.loghost = localhost +#idp.fticks.logport = 514 # Set false if you want SAML bindings "spelled out" in audit log idp.audit.shortenBindings=true diff --git a/roles/training/files/comanage-registry-stack.yml b/roles/training/files/comanage-registry-stack.yml index 1b4d5f0..6848732 100644 --- a/roles/training/files/comanage-registry-stack.yml +++ b/roles/training/files/comanage-registry-stack.yml @@ -2,7 +2,7 @@ version: '3.7' services: database: - image: mariadb:10.4.18 + image: mariadb:10.4.22 volumes: - /srv/docker/var/lib/mysql:/var/lib/mysql environment: 
@@ -21,7 +21,7 @@ services: tag: "mariadb-{{.Name}}" registry: - image: i2incommon/comanage-registry:3.3.4-20210712 + image: i2incommon/comanage-registry:4.0.1-20211223 volumes: - /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local - /srv/docker/etc/shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml @@ -66,7 +66,7 @@ services: tag: "registry_{{.Name}}" cron: - image: i2incommon/comanage-registry-cron:3.3.4-20210712 + image: i2incommon/comanage-registry-cron:4.0.1-20211223 volumes: - /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local environment: @@ -80,7 +80,7 @@ services: tag: "cron_{{.Name}}" ldap: - image: sphericalcowgroup/comanage-registry-slapd:5 + image: sphericalcowgroup/comanage-registry-slapd:8 command: ["slapd", "-d", "256", "-h", "ldapi:/// ldap:///", "-u", "openldap", "-g", "openldap"] volumes: - /srv/docker/var/lib/ldap:/var/lib/ldap diff --git a/roles/training/files/crontab b/roles/training/files/crontab new file mode 100644 index 0000000..1f5b20a --- /dev/null +++ b/roles/training/files/crontab 
@@ -0,0 +1,62 @@
+SHELL=/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+MAILTO=""
+# Run Expiration Policies for CO 1 once a day at 1:00 AM
+0 1 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.Expire -s --coid 1
+
+# Run Synchronize Org Identity Sources for CO 1 once a day at 1:00 AM
+0 1 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.Sync -s --coid 1
+
+# Run Validate Group Member for CO 1 once a day at 1:00 AM
+0 1 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.ValidateGroupMember -s --coid 1
+
+# Run queued jobs for CO 1 every 5 minutes
+0-59/5 * * * * cd /srv/comanage-registry/app && ./Console/cake job -q -r -c 1
+
+# Run Expiration Policies for CO 2 once a day at 6:00 AM
+0 6 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.Expire -s --coid 2
+
+# Run Synchronize Org Identity Sources for CO 2 once a day at 6:00 AM
+0 6 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.Sync -s --coid 2
+
+# Run Validate Group Member for CO 2 once a day at 6:00 AM
+0 6 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.ValidateGroupMember -s --coid 2
+
+# Run queued jobs for CO 2 every 5 minutes
+0-59/5 * * * * cd /srv/comanage-registry/app && ./Console/cake job -q -r -c 2
+
+# Run Expiration Policies for CO 3 once a day at 6:00 AM
+0 6 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.Expire -s --coid 3
+
+# Run Synchronize Org Identity Sources for CO 3 once a day at 6:00 AM
+0 6 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.Sync -s --coid 3
+
+# Run Validate Group Member for CO 3 once a day at 6:00 AM
+0 6 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.ValidateGroupMember -s --coid 3
+
+# Run queued jobs for CO 3 every 5 minutes
+0-59/5 * * * * cd /srv/comanage-registry/app && ./Console/cake job -q -r -c 3
+
+# Run Expiration Policies for CO 4 once a day at 6:00 AM
+0 6 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.Expire -s --coid 4
+
+# Run Synchronize Org Identity Sources for CO 4 once a day at 6:00 AM
+0 6 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.Sync -s --coid 4
+
+# Run Validate Group Member for CO 4 once a day at 6:00 AM
+0 6 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.ValidateGroupMember -s --coid 4
+
+# Run queued jobs for CO 4 every 5 minutes
+0-59/5 * * * * cd /srv/comanage-registry/app && ./Console/cake job -q -r -c 4
+
+# Run Expiration Policies for CO 5 once a day at 6:00 AM
+0 6 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.Expire -s --coid 5
+
+# Run Synchronize Org Identity Sources for CO 5 once a day at 6:00 AM
+0 6 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.Sync -s --coid 5
+
+# Run Validate Group Member for CO 5 once a day at 6:00 AM
+0 6 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.ValidateGroupMember -s --coid 5
+
+# Run queued jobs for CO 5 every 5 minutes
+0-59/5 * * * * cd /srv/comanage-registry/app && ./Console/cake job -q -r -c 5
diff --git a/roles/training/files/hr.csv b/roles/training/files/hr.csv
index ef6b718..a50abaa 100644
--- a/roles/training/files/hr.csv
+++ b/roles/training/files/hr.csv
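Review bot: `MAILTO=""` on the third line discards every job's output and exit status, and none of the twenty entries redirects stdout or stderr, so a failing `CoreJob.Expire` or `CoreJob.Sync` run leaves no trace on the host. Either point `MAILTO` at a monitored address or append `>> <LOG_FILE> 2>&1` to each job, with a log path chosen for the cron container. `0-59/5` is valid but `*/5` is the conventional spelling for "every 5 minutes". For each CO the Expire, Sync and ValidateGroupMember jobs fire in the same minute; if their relative order matters, stagger the minute fields rather than relying on cron's start order.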
@@ -1,45 +1,46 @@ -f6735933-81cf-4b71-b335-cb659c09eb4a,,,Fred,,Bair,,,,,,,,,,,,,,,,,,,, -045c03e1-c76c-4638-9151-52c26e23bda5,,,Thelma,,Murphy,,,,,,,,,,,,,,,,,,,, -88f9f30f-82ae-4f99-a295-4f5b86281bcd,,,Elmo,,Sabo,,,,,,,,,,,,,,,,,,,, -85e2ba0e-d992-4010-ad33-a7e12e2bfaf9,,,Shaun,,Plouffe,,,,,,,,,,,,,,,,,,,, -bd42b68b-7f0b-47a0-ab32-1a1b1dd3d656,,,Vera,,Avalos,,,,,,,,,,,,,,,,,,,, -0c84562c-8f37-4ac0-91bf-55ecebe74f13,,,Gerald,,Obrien,,,,,,,,,,,,,,,,,,,, -37e61d08-284d-4258-b2be-3930a8f6436c,,,Randolph,,White,,,,,,,,,,,,,,,,,,,, -23d55341-4a7e-4a0c-9f85-37adeec9e9ce,,,Jeanett,,Porter,,,,,,,,,,,,,,,,,,,, -55cbbd96-8c01-4a6c-9041-d42357d04294,,,Mary,,Aiello,,,,,,,,,,,,,,,,,,,, -e9e1b02a-9324-4fcf-b650-817a51da05f0,,,Elizabeth,,Howe,,,,,,,,,,,,,,,,,,,, -5ac5716d-8a01-4f32-87a5-96da2e31726f,,,Pamela,,Palm,,,,,,,,,,,,,,,,,,,, -6df4ac9d-334f-40a8-be92-f57a58d9e594,,,Edward,,Marzano,,,,,,,,,,,,,,,,,,,, -e0345c78-d8fa-47d6-a96c-cfeda6dfb0ad,,,Ermelinda,,Decoteau,,,,,,,,,,,,,,,,,,,, -b695521b-66de-433a-ab5d-5b4ee8b6bb10,,,Barbara,,Wallace,,,,,,,,,,,,,,,,,,,, -c250b201-6f97-48e5-a7fd-72b9f389dfbf,,,Judith,,Hughes,,,,,,,,,,,,,,,,,,,, -a42e8b0f-2a41-45c7-bf80-93f1dff1406b,,,David,,Reilly,,,,,,,,,,,,,,,,,,,, -c26e9d77-cff8-4fda-8d6a-a1f941d8c50e,,,Catherine,,Johnson,,,,,,,,,,,,,,,,,,,, -ecabb768-111a-4877-9649-c3627ef15ee2,,,Patrick,,Moore,,,,,,,,,,,,,,,,,,,, -9fa83531-d937-4117-893c-9e7e43519f4d,,,Jina,,Delfino,,,,,,,,,,,,,,,,,,,, -323c0cd4-5dc2-4ef5-9152-6bd9fce8d513,,,Carol,,Burgos,,,,,,,,,,,,,,,,,,,, -d57f3d58-4536-4720-913e-bec864fb3817,,,Mary,,Cornett,,,,,,,,,,,,,,,,,,,, -e182408e-cb0c-4a8b-b4ce-fba491e643bd,,,Joshua,,Velez,,,,,,,,,,,,,,,,,,,, -3a02326b-1294-46bf-93a3-4de6943ab37e,,,Chance,,Clark,,,,,,,,,,,,,,,,,,,, -72b413ad-6e77-4231-af91-aff3d0211711,,,James,,Williams,,,,,,,,,,,,,,,,,,,, -e7661152-2872-4d05-a317-d503618314af,,,Anthony,,Dean,,,,,,,,,,,,,,,,,,,, -9ff4449f-43f4-4eae-b840-315b75413b74,,,Matha,,Hiett,,,,,,,,,,,,,,,,,,,, 
-b7e279c1-4dfc-4aa8-b56e-001cbd5135eb,,,Inez,,Farley,,,,,,,,,,,,,,,,,,,, -d215453f-5e0a-4963-8f7a-89185d3076ac,,,Christopher,,Bond,,,,,,,,,,,,,,,,,,,, -2118c2ae-27eb-4868-b09a-032f81f03b7b,,,Carolyn,,Walters,,,,,,,,,,,,,,,,,,,, -6743287d-8f92-47e6-8cf4-b363b771b372,,,Alicia,,Vargas,,,,,,,,,,,,,,,,,,,, -6d55e9fc-614f-476e-853a-b70ac492e0e1,,,William,,Cintron,,,,,,,,,,,,,,,,,,,, -5f558871-f25c-414b-b687-5290e039360e,,,Issac,,Jones,,,,,,,,,,,,,,,,,,,, -f6b100a3-3f41-412e-a650-2f7ffebd180e,,,Jessica,,Kerns,,,,,,,,,,,,,,,,,,,, -91efc416-f258-411e-a00b-37b756a381c4,,,Cynthia,,Eddy,,,,,,,,,,,,,,,,,,,, -437a4cc1-bf58-4b1d-9661-8a2e8b5882c3,,,Rachel,,Martinez,,,,,,,,,,,,,,,,,,,, -db4e519c-7eea-43e6-b31d-297692882830,,,Brittany,,Garner,,,,,,,,,,,,,,,,,,,, -7629b8e8-cae8-456a-a0c3-c36c8d2d60d3,,,Jesse,,Garvin,,,,,,,,,,,,,,,,,,,, -c7191c7a-dbd0-4051-846d-48ec2453a036,,,Linh,,Finch,,,,,,,,,,,,,,,,,,,, -17505dce-97a7-4b0b-82e0-af5d2ebbae7a,,,Susanne,,Smith,,,,,,,,,,,,,,,,,,,, -e7c76c0e-bef8-487f-8334-b27b65b055e4,,,Susan,,Martin,,,,,,,,,,,,,,,,,,,, -a8139a8f-e4fa-4358-9237-2b2458ef5968,,,Kathy,,Smith,,,,,,,,,,,,,,,,,,,, -6dd8d616-4b7e-444a-8faf-f529b5ffff76,,,Michelle,,Huffman,,,,,,,,,,,,,,,,,,,, -a7f1083c-989b-415a-9164-769eeda3a8a3,,,Michael,,Saulsbury,,,,,,,,,,,,,,,,,,,, -b661f543-0218-4920-8ac1-962eca154f28,,,Lupe,,Brown,,,,,,,,,,,,,,,,,,,, -1c59825f-8693-4387-af3c-d9014e3cb1ba,,,Clay,,Howard,,,,,,,,,,,,,,,,,,,, +SORID,Name.given.official,Name.family.official +f6735933-81cf-4b71-b335-cb659c09eb4a,Fred,Bair, +045c03e1-c76c-4638-9151-52c26e23bda5,Thelma,Murphy, +88f9f30f-82ae-4f99-a295-4f5b86281bcd,Elmo,Sabo, +85e2ba0e-d992-4010-ad33-a7e12e2bfaf9,Shaun,Plouffe, +bd42b68b-7f0b-47a0-ab32-1a1b1dd3d656,Vera,Avalos, +0c84562c-8f37-4ac0-91bf-55ecebe74f13,Gerald,Obrien, +37e61d08-284d-4258-b2be-3930a8f6436c,Randolph,White, +23d55341-4a7e-4a0c-9f85-37adeec9e9ce,Jeanett,Porter, +55cbbd96-8c01-4a6c-9041-d42357d04294,Mary,Aiello, +e9e1b02a-9324-4fcf-b650-817a51da05f0,Elizabeth,Howe, 
+5ac5716d-8a01-4f32-87a5-96da2e31726f,Pamela,Palm, +6df4ac9d-334f-40a8-be92-f57a58d9e594,Edward,Marzano, +e0345c78-d8fa-47d6-a96c-cfeda6dfb0ad,Ermelinda,Decoteau, +b695521b-66de-433a-ab5d-5b4ee8b6bb10,Barbara,Wallace, +c250b201-6f97-48e5-a7fd-72b9f389dfbf,Judith,Hughes, +a42e8b0f-2a41-45c7-bf80-93f1dff1406b,David,Reilly, +c26e9d77-cff8-4fda-8d6a-a1f941d8c50e,Catherine,Johnson, +ecabb768-111a-4877-9649-c3627ef15ee2,Patrick,Moore, +9fa83531-d937-4117-893c-9e7e43519f4d,Jina,Delfino, +323c0cd4-5dc2-4ef5-9152-6bd9fce8d513,Carol,Burgos, +d57f3d58-4536-4720-913e-bec864fb3817,Mary,Cornett, +e182408e-cb0c-4a8b-b4ce-fba491e643bd,Joshua,Velez, +3a02326b-1294-46bf-93a3-4de6943ab37e,Chance,Clark, +72b413ad-6e77-4231-af91-aff3d0211711,James,Williams, +e7661152-2872-4d05-a317-d503618314af,Anthony,Dean, +9ff4449f-43f4-4eae-b840-315b75413b74,Matha,Hiett, +b7e279c1-4dfc-4aa8-b56e-001cbd5135eb,Inez,Farley, +d215453f-5e0a-4963-8f7a-89185d3076ac,Christopher,Bond, +2118c2ae-27eb-4868-b09a-032f81f03b7b,Carolyn,Walters, +6743287d-8f92-47e6-8cf4-b363b771b372,Alicia,Vargas, +6d55e9fc-614f-476e-853a-b70ac492e0e1,William,Cintron, +5f558871-f25c-414b-b687-5290e039360e,Issac,Jones, +f6b100a3-3f41-412e-a650-2f7ffebd180e,Jessica,Kerns, +91efc416-f258-411e-a00b-37b756a381c4,Cynthia,Eddy, +437a4cc1-bf58-4b1d-9661-8a2e8b5882c3,Rachel,Martinez, +db4e519c-7eea-43e6-b31d-297692882830,Brittany,Garner, +7629b8e8-cae8-456a-a0c3-c36c8d2d60d3,Jesse,Garvin, +c7191c7a-dbd0-4051-846d-48ec2453a036,Linh,Finch, +17505dce-97a7-4b0b-82e0-af5d2ebbae7a,Susanne,Smith, +e7c76c0e-bef8-487f-8334-b27b65b055e4,Susan,Martin, +a8139a8f-e4fa-4358-9237-2b2458ef5968,Kathy,Smith, +6dd8d616-4b7e-444a-8faf-f529b5ffff76,Michelle,Huffman, +a7f1083c-989b-415a-9164-769eeda3a8a3,Michael,Saulsbury, +b661f543-0218-4920-8ac1-962eca154f28,Lupe,Brown, +1c59825f-8693-4387-af3c-d9014e3cb1ba,Clay,Howard, diff --git a/roles/training/files/registrar.csv b/roles/training/files/registrar.csv index 90da587..97c7581 100644 
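Review bot: Every data row in the rewritten `hr.csv` ends with a trailing comma, giving four fields under the three-column header `SORID,Name.given.official,Name.family.official`; `registrar.csv` in this same diff shows the same one-extra-field pattern against its four-column header. Whether the importer tolerates a surplus empty column or rejects the row depends on how it maps fields to the header, so either drop the trailing comma (`f6735933-81cf-4b71-b335-cb659c09eb4a,Fred,Bair`) or confirm the importer ignores it before the training run.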
--- a/roles/training/files/registrar.csv
+++ b/roles/training/files/registrar.csv
@@ -1,45 +1,46 @@ -132748071534397754920022673843444928951,,,Austin,,Savage,,,,,,,,,,,,,,,,,,eppn+login:austin.savage@comanage.incommon.training,, -186954416995897054245760122734502925236,,,Raeann,,Chu,,,,,,,,,,,,,,,,,,eppn+login:raeann.chu@comanage.incommon.training,, -234811137165975059720067018874500792158,,,Celia,,Childress,,,,,,,,,,,,,,,,,,eppn+login:celia.childress@comanage.incommon.training,, -107827452807702761791203103427377814913,,,Emma,,Lister,,,,,,,,,,,,,,,,,,eppn+login:emma.lister@comanage.incommon.training,, -129825814482306832783119517900920270831,,,Paul,,Nitta,,,,,,,,,,,,,,,,,,eppn+login:paul.nitta@comanage.incommon.training,, -82615027870469326568361260356426998603,,,Ruby,,Collier,,,,,,,,,,,,,,,,,,eppn+login:ruby.collier@comanage.incommon.training,, -98190938217164110872407778232584025179,,,Andrew,,Williams,,,,,,,,,,,,,,,,,,eppn+login:andrew.williams@comanage.incommon.training,, -328815086932524017392210158682971856891,,,Colleen,,McCaffrey,,,,,,,,,,,,,,,,,,eppn+login:colleen.mccaffrey@comanage.incommon.training,, -220479725798527189234083099895701559458,,,Cynthia,,Herman,,,,,,,,,,,,,,,,,,eppn+login:cynthia.herman@comanage.incommon.training,, -279151494256898456434459311435686499082,,,Jessica,,Martinez,,,,,,,,,,,,,,,,,,eppn+login:jessica.martinez@comanage.incommon.training,, -214763209246588698462551464796355370255,,,Dianne,,Dysart,,,,,,,,,,,,,,,,,,eppn+login:dianne.dysart@comanage.incommon.training,, -184262837325966988975946551084772413394,,,Sharron,,Ebling,,,,,,,,,,,,,,,,,,eppn+login:sharron.ebling@comanage.incommon.training,, -254727994034585319667716071169511523650,,,Alice,,Schalk,,,,,,,,,,,,,,,,,,eppn+login:alice.schalk@comanage.incommon.training,, -298568081115438296944973855678013237541,,,Philip,,Nestor,,,,,,,,,,,,,,,,,,eppn+login:philip.nestor@comanage.incommon.training,, -207267966862832313153389032705933064023,,,Carla,,Branch,,,,,,,,,,,,,,,,,,eppn+login:carla.branch@comanage.incommon.training,, 
-149333902873783161192481342169882303973,,,Patrick,,Cole,,,,,,,,,,,,,,,,,,eppn+login:patrick.cole@comanage.incommon.training,, -165215344132691795688185192043357730584,,,Janice,,Gee,,,,,,,,,,,,,,,,,,eppn+login:janice.gee@comanage.incommon.training,, -311356921930659706867427375585999813314,,,Jesse,,Goff,,,,,,,,,,,,,,,,,,eppn+login:jesse.goff@comanage.incommon.training,, -269973704579715580565909994224723165505,,,Clifford,,Brice,,,,,,,,,,,,,,,,,,eppn+login:clifford.brice@comanage.incommon.training,, -176587524970886847172468511596342683229,,,Patricia,,Holmes,,,,,,,,,,,,,,,,,,eppn+login:patricia.holmes@comanage.incommon.training,, -244471078826759302097759899138164866150,,,Corrine,,Martin,,,,,,,,,,,,,,,,,,eppn+login:corrine.martin@comanage.incommon.training,, -300528073953625153560186976874073834025,,,Gladys,,Bryant,,,,,,,,,,,,,,,,,,eppn+login:gladys.bryant@comanage.incommon.training,, -286730770008577281607593506132923981795,,,Johnny,,Willis,,,,,,,,,,,,,,,,,,eppn+login:johnny.willis@comanage.incommon.training,, -323160483591231223314722503812078417195,,,Jeremy,,Fisher,,,,,,,,,,,,,,,,,,eppn+login:jeremy.fisher@comanage.incommon.training,, -146014419312879501433659141966731736543,,,Betty,,White,,,,,,,,,,,,,,,,,,eppn+login:betty.white@comanage.incommon.training,, -331920966485375959736499860242485672757,,,Thomas,,Stubbs,,,,,,,,,,,,,,,,,,eppn+login:thomas.stubbs@comanage.incommon.training,, -138977541110944060198763623559670291847,,,Steven,,Porter,,,,,,,,,,,,,,,,,,eppn+login:steven.porter@comanage.incommon.training,, -109441174844666586004491027608330101033,,,Gwen,,Mendoza,,,,,,,,,,,,,,,,,,eppn+login:gwen.mendoza@comanage.incommon.training,, -337922420952113480667295635761612195756,,,Randy,,Long,,,,,,,,,,,,,,,,,,eppn+login:randy.long@comanage.incommon.training,, -241907150243421029646289162621165832150,,,Brock,,Lemaire,,,,,,,,,,,,,,,,,,eppn+login:brock.lemaire@comanage.incommon.training,, 
-54383004410079136251494994575391380104,,,Jack,,McLeod,,,,,,,,,,,,,,,,,,eppn+login:jack.mcleod@comanage.incommon.training,, -93694260717283089221516980233153584509,,,Paul,,Guitierrez,,,,,,,,,,,,,,,,,,eppn+login:paul.guitierrez@comanage.incommon.training,, -58127414624285465420294427343761192630,,,Ella,,Stevenson,,,,,,,,,,,,,,,,,,eppn+login:ella.stevenson@comanage.incommon.training,, -84069047373847003501652080921242663451,,,Mary,,Gilbert,,,,,,,,,,,,,,,,,,eppn+login:mary.gilbert@comanage.incommon.training,, -273280318300578977120991937790468760308,,,Salvador,,Villa,,,,,,,,,,,,,,,,,,eppn+login:salvador.villa@comanage.incommon.training,, -66586353721959828609998174823626800135,,,Brian,,Wolford,,,,,,,,,,,,,,,,,,eppn+login:brian.wolford@comanage.incommon.training,, -333660162838557880384557977904197193183,,,Robert,,Brannen,,,,,,,,,,,,,,,,,,eppn+login:robert.brannen@comanage.incommon.training,, -233132799040715876525290039221594249900,,,Mary,,Lee,,,,,,,,,,,,,,,,,,eppn+login:mary.lee@comanage.incommon.training,, -302535670179963912483751457726258337561,,,Susan,,McCray,,,,,,,,,,,,,,,,,,eppn+login:susan.mccray@comanage.incommon.training,, -24767658709010092766545926960549559212,,,Amanda,,Alcala,,,,,,,,,,,,,,,,,,eppn+login:amanda.alcala@comanage.incommon.training,, -84565368334075897350570372081317094732,,,Gloria,,Chipman,,,,,,,,,,,,,,,,,,eppn+login:gloria.chipman@comanage.incommon.training,, -298408199220202798049484999192380228673,,,Jamika,,French,,,,,,,,,,,,,,,,,,eppn+login:jamika.french@comanage.incommon.training,, -13649583839353414205537292908924253500,,,Linda,,Goodman,,,,,,,,,,,,,,,,,,eppn+login:linda.goodman@comanage.incommon.training,, -294869772329081278110037321403866253962,,,Lilly,,Wasser,,,,,,,,,,,,,,,,,,eppn+login:lilly.wasser@comanage.incommon.training,, -282793442442850315227168896135336994027,,,Gregory,,Carlisle,,,,,,,,,,,,,,,,,,eppn+login:gregory.carlisle@comanage.incommon.training,, 
+SORID,Name.given.official,Name.family.official,Identifier.identifier.eppn+login +132748071534397754920022673843444928951,Austin,Savage,austin.savage@comanage.incommon.training, +186954416995897054245760122734502925236,Raeann,Chu,raeann.chu@comanage.incommon.training, +234811137165975059720067018874500792158,Celia,Childress,celia.childress@comanage.incommon.training, +107827452807702761791203103427377814913,Emma,Lister,emma.lister@comanage.incommon.training, +129825814482306832783119517900920270831,Paul,Nitta,paul.nitta@comanage.incommon.training, +82615027870469326568361260356426998603,Ruby,Collier,ruby.collier@comanage.incommon.training, +98190938217164110872407778232584025179,Andrew,Williams,andrew.williams@comanage.incommon.training, +328815086932524017392210158682971856891,Colleen,McCaffrey,colleen.mccaffrey@comanage.incommon.training, +220479725798527189234083099895701559458,Cynthia,Herman,cynthia.herman@comanage.incommon.training, +279151494256898456434459311435686499082,Jessica,Martinez,jessica.martinez@comanage.incommon.training, +214763209246588698462551464796355370255,Dianne,Dysart,dianne.dysart@comanage.incommon.training, +184262837325966988975946551084772413394,Sharron,Ebling,sharron.ebling@comanage.incommon.training, +254727994034585319667716071169511523650,Alice,Schalk,alice.schalk@comanage.incommon.training, +298568081115438296944973855678013237541,Philip,Nestor,philip.nestor@comanage.incommon.training, +207267966862832313153389032705933064023,Carla,Branch,carla.branch@comanage.incommon.training, +149333902873783161192481342169882303973,Patrick,Cole,patrick.cole@comanage.incommon.training, +165215344132691795688185192043357730584,Janice,Gee,janice.gee@comanage.incommon.training, +311356921930659706867427375585999813314,Jesse,Goff,jesse.goff@comanage.incommon.training, +269973704579715580565909994224723165505,Clifford,Brice,clifford.brice@comanage.incommon.training, 
+176587524970886847172468511596342683229,Patricia,Holmes,patricia.holmes@comanage.incommon.training, +244471078826759302097759899138164866150,Corrine,Martin,corrine.martin@comanage.incommon.training, +300528073953625153560186976874073834025,Gladys,Bryant,gladys.bryant@comanage.incommon.training, +286730770008577281607593506132923981795,Johnny,Willis,johnny.willis@comanage.incommon.training, +323160483591231223314722503812078417195,Jeremy,Fisher,jeremy.fisher@comanage.incommon.training, +146014419312879501433659141966731736543,Betty,White,betty.white@comanage.incommon.training, +331920966485375959736499860242485672757,Thomas,Stubbs,thomas.stubbs@comanage.incommon.training, +138977541110944060198763623559670291847,Steven,Porter,steven.porter@comanage.incommon.training, +109441174844666586004491027608330101033,Gwen,Mendoza,gwen.mendoza@comanage.incommon.training, +337922420952113480667295635761612195756,Randy,Long,randy.long@comanage.incommon.training, +241907150243421029646289162621165832150,Brock,Lemaire,brock.lemaire@comanage.incommon.training, +54383004410079136251494994575391380104,Jack,McLeod,jack.mcleod@comanage.incommon.training, +93694260717283089221516980233153584509,Paul,Guitierrez,paul.guitierrez@comanage.incommon.training, +58127414624285465420294427343761192630,Ella,Stevenson,ella.stevenson@comanage.incommon.training, +84069047373847003501652080921242663451,Mary,Gilbert,mary.gilbert@comanage.incommon.training, +273280318300578977120991937790468760308,Salvador,Villa,salvador.villa@comanage.incommon.training, +66586353721959828609998174823626800135,Brian,Wolford,brian.wolford@comanage.incommon.training, +333660162838557880384557977904197193183,Robert,Brannen,robert.brannen@comanage.incommon.training, +233132799040715876525290039221594249900,Mary,Lee,mary.lee@comanage.incommon.training, +302535670179963912483751457726258337561,Susan,McCray,susan.mccray@comanage.incommon.training, 
+24767658709010092766545926960549559212,Amanda,Alcala,amanda.alcala@comanage.incommon.training, +84565368334075897350570372081317094732,Gloria,Chipman,gloria.chipman@comanage.incommon.training, +298408199220202798049484999192380228673,Jamika,French,jamika.french@comanage.incommon.training, +13649583839353414205537292908924253500,Linda,Goodman,linda.goodman@comanage.incommon.training, +294869772329081278110037321403866253962,Lilly,Wasser,lilly.wasser@comanage.incommon.training, +282793442442850315227168896135336994027,Gregory,Carlisle,gregory.carlisle@comanage.incommon.training, diff --git a/roles/training/tasks/main.yml b/roles/training/tasks/main.yml index 9248c0e..f960d8b 100644 --- a/roles/training/tasks/main.yml +++ b/roles/training/tasks/main.yml @@ -173,3 +173,14 @@ mode: '0644' tags: - update_csv + + - name: Copy crontab file + copy: + src: crontab + dest: /srv/docker/srv/comanage-registry/local/crontab + owner: root + group: root + mode: '0644' + tags: + - update_crontab +
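Review bot: The `Copy crontab file` task writes to `/srv/docker/srv/comanage-registry/local/crontab`, which the cron service mounts as `/srv/comanage-registry/local` in `comanage-registry-stack.yml`, but nothing in the diff installs or reloads it, so presumably the cron image reads it at container start; a run with `--tags update_crontab` then changes the file on disk without affecting the running schedule. A comment on the task, `# Read by the cron container at start-up; redeploy the stack after changing`, records that, and a handler that restarts the service would be better still. The hunk also adds a trailing blank line at end of file (the final bare `+`), which yamllint will flag.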