From 7ac8850d2fa39dc75cb55926cd2d27ce29941262 Mon Sep 17 00:00:00 2001 
From: root Date: Fri, 5 Aug 2022 13:33:15 +0000 Subject: [PATCH] import --- .gitignore | 9 + conf/access-control.xml | 68 +++ conf/admin/admin.properties | 73 +++ conf/admin/metrics.xml | 142 ++++++ conf/attribute-filter.xml | 104 +++++ conf/attribute-registry.xml | 29 ++ conf/attribute-resolver.xml | 78 ++++ conf/attributes/custom/README | 9 + conf/attributes/default-rules.xml | 29 ++ conf/attributes/eduCourse.xml | 57 +++ conf/attributes/eduPerson.xml | 273 ++++++++++++ conf/attributes/inetOrgPerson.xml | 517 ++++++++++++++++++++++ conf/attributes/samlSubject.xml | 73 +++ conf/attributes/schac.xml | 237 ++++++++++ conf/audit.xml | 55 +++ conf/authn/authn-comparison.xml | 117 +++++ conf/authn/authn-events-flow.xml | 22 + conf/authn/authn.properties | 218 +++++++++ conf/authn/password-authn-config.xml | 112 +++++ conf/c14n/subject-c14n-events-flow.xml | 22 + conf/c14n/subject-c14n.properties | 40 ++ conf/c14n/subject-c14n.xml | 151 +++++++ conf/credentials.xml | 68 +++ conf/errors.xml | 126 ++++++ conf/examples/attribute-resolver-ldap.xml | 107 +++++ conf/global.xml | 52 +++ conf/idp.properties | 244 ++++++++++ conf/intercept/intercept-events-flow.xml | 20 + conf/ldap.properties | 67 +++ conf/logback.xml | 192 ++++++++ conf/metadata-providers.xml | 89 ++++ conf/relying-party.xml | 72 +++ conf/saml-nameid.properties | 31 ++ conf/saml-nameid.xml | 64 +++ conf/services.properties | 83 ++++ conf/services.xml | 58 +++ messages/messages.properties | 6 + metadata/idp-metadata.xml | 251 +++++++++++ 38 files changed, 3965 insertions(+) create mode 100644 .gitignore create mode 100644 conf/access-control.xml create mode 100644 conf/admin/admin.properties create mode 100644 conf/admin/metrics.xml create mode 100644 conf/attribute-filter.xml create mode 100644 conf/attribute-registry.xml create mode 100644 conf/attribute-resolver.xml create mode 100644 conf/attributes/custom/README create mode 100644 conf/attributes/default-rules.xml create mode 100644 
conf/attributes/eduCourse.xml create mode 100644 conf/attributes/eduPerson.xml create mode 100644 conf/attributes/inetOrgPerson.xml create mode 100644 conf/attributes/samlSubject.xml create mode 100644 conf/attributes/schac.xml create mode 100644 conf/audit.xml create mode 100644 conf/authn/authn-comparison.xml create mode 100644 conf/authn/authn-events-flow.xml create mode 100644 conf/authn/authn.properties create mode 100644 conf/authn/password-authn-config.xml create mode 100644 conf/c14n/subject-c14n-events-flow.xml create mode 100644 conf/c14n/subject-c14n.properties create mode 100644 conf/c14n/subject-c14n.xml create mode 100644 conf/credentials.xml create mode 100644 conf/errors.xml create mode 100644 conf/examples/attribute-resolver-ldap.xml create mode 100644 conf/global.xml create mode 100644 conf/idp.properties create mode 100644 conf/intercept/intercept-events-flow.xml create mode 100644 conf/ldap.properties create mode 100644 conf/logback.xml create mode 100644 conf/metadata-providers.xml create mode 100644 conf/relying-party.xml create mode 100644 conf/saml-nameid.properties create mode 100644 conf/saml-nameid.xml create mode 100644 conf/services.properties create mode 100644 conf/services.xml create mode 100644 messages/messages.properties create mode 100644 metadata/idp-metadata.xml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..9da6fcf --- /dev/null +++ b/.gitignore @@ -0,0 +1,9 @@ +bin +credentials +dist +doc +edit-webapp +flows +logs +views +war diff --git a/conf/access-control.xml b/conf/access-control.xml new file mode 100644 index 0000000..3853722 --- /dev/null +++ b/conf/access-control.xml @@ -0,0 +1,68 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/conf/admin/admin.properties b/conf/admin/admin.properties new file mode 100644 index 0000000..1e4f3a9 --- /dev/null +++ b/conf/admin/admin.properties 
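Review bot: Ignoring `credentials` keeps the directory that IdP 4 uses for `secrets.properties` (sealer and LDAP bind passwords) out of the repository, but the same patch commits `conf/idp.properties` and `conf/ldap.properties`, which in older layouts carried those values inline (`idp.sealer.password`, `idp.authn.LDAP.bindServiceAccountPassword`). Before this import lands, grep both files for any non-placeholder secret and confirm they only reference properties that live under the ignored `credentials` tree; their hunks are not readable in this rendering, so I cannot verify that here. Ignoring `logs` is right for the same reason, since idp-audit and process logs contain principal names and IP addresses.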
@@ -0,0 +1,73 @@
+# Configure properties controlling administrative features
+
+#idp.status.logging = Status
+#idp.status.accessPolicy = AccessByIPAddress
+#idp.status.authenticated = false
+#idp.status.nonBrowserSupported = false
+#idp.status.defaultAuthenticationMethods =
+#idp.status.resolveAttributes = false
+#idp.status.postAuthenticationFlows =
+
+#idp.reload.logging = Reload
+#idp.reload.accessPolicy = AccessByIPAddress
+#idp.reload.authenticated = false
+#idp.reload.nonBrowserSupported = false
+#idp.reload.defaultAuthenticationMethods =
+#idp.reload.resolveAttributes = false
+#idp.reload.postAuthenticationFlows =
+
+#idp.resolvertest.logging = ResolverTest
+#idp.resolvertest.accessPolicy = AccessByIPAddress
+#idp.resolvertest.authenticated = false
+#idp.resolvertest.nonBrowserSupported = false
+#idp.resolvertest.defaultAuthenticationMethods =
+#idp.resolvertest.resolveAttributes = false
+#idp.resolvertest.postAuthenticationFlows =
+
+#idp.mdquery.logging = MetadataQuery
+#idp.mdquery.accessPolicy = AccessByIPAddress
+#idp.mdquery.authenticated = false
+#idp.mdquery.nonBrowserSupported = false
+#idp.mdquery.defaultAuthenticationMethods =
+#idp.mdquery.resolveAttributes = false
+#idp.mdquery.postAuthenticationFlows =
+
+#idp.metrics.logging = Metrics
+#idp.metrics.authenticated = false
+#idp.metrics.nonBrowserSupported = false
+#idp.metrics.defaultAuthenticationMethods =
+#idp.metrics.resolveAttributes = false
+#idp.metrics.postAuthenticationFlows =
+# See admin/metrics.xml for other configuration
+
+#idp.hello.logging = Hello
+#idp.hello.accessPolicy = AccessByAdminUser
+#idp.hello.authenticated = true
+#idp.hello.nonBrowserSupported = false
+#idp.hello.defaultAuthenticationMethods =
+#idp.hello.resolveAttributes = true
+#idp.hello.postAuthenticationFlows =
+
+#idp.lockout.logging = Lockout
+#idp.lockout.accessPolicy = AccessDenied
+#idp.lockout.authenticated = false
+#idp.lockout.nonBrowserSupported = false
+#idp.lockout.defaultAuthenticationMethods =
+#idp.lockout.resolveAttributes = false +#idp.lockout.postAuthenticationFlows = + +#idp.storage.logging = Storage +#idp.storage.accessPolicy = AccessDenied +#idp.storage.authenticated = false +#idp.storage.nonBrowserSupported = false +#idp.storage.defaultAuthenticationMethods = +#idp.storage.resolveAttributes = false +#idp.storage.postAuthenticationFlows = + +#idp.unlock-keys.logging = UnlockKeys +#idp.unlock-keys.accessPolicy = AccessDenied +#idp.unlock-keys.authenticated = true +#idp.unlock-keys.nonBrowserSupported = false +#idp.unlock-keys.defaultAuthenticationMethods = +#idp.unlock-keys.resolveAttributes = false +#idp.unlock-keys.postAuthenticationFlows = diff --git a/conf/admin/metrics.xml b/conf/admin/metrics.xml new file mode 100644 index 0000000..208ab6b --- /dev/null +++ b/conf/admin/metrics.xml @@ -0,0 +1,142 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/attribute-filter.xml b/conf/attribute-filter.xml new file mode 100644 index 0000000..c2bf890 --- /dev/null +++ b/conf/attribute-filter.xml @@ -0,0 +1,104 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/attribute-registry.xml b/conf/attribute-registry.xml new file mode 100644 index 0000000..133930b --- /dev/null +++ b/conf/attribute-registry.xml @@ -0,0 +1,29 @@ + + + + + + + + + diff --git a/conf/attribute-resolver.xml b/conf/attribute-resolver.xml new file mode 100644 index 0000000..dd5545f --- /dev/null +++ b/conf/attribute-resolver.xml @@ -0,0 +1,78 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + %{idp.scope} + + + member + + + + diff --git a/conf/attributes/custom/README b/conf/attributes/custom/README new file mode 100644 index 0000000..98977b0 --- /dev/null +++ b/conf/attributes/custom/README 
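Review bot: Every line in admin.properties is commented out, so the access policy for the status, reload, resolvertest and mdquery endpoints is whatever the IdP's built-in default happens to be rather than anything this repository states; for a committed deployment config I would uncomment at least the `accessPolicy` lines (e.g. `idp.status.accessPolicy = AccessByIPAddress`, `idp.reload.accessPolicy = AccessByIPAddress`) so the intended exposure is explicit and reviewable in a diff. `AccessByIPAddress` itself is defined in conf/access-control.xml, whose content is not readable in this rendering, so its address list needs to be checked in the same review. The metrics block carries no accessPolicy line and defers to admin/metrics.xml, which should be checked for the same reason. This hunk starts in the previous physical line.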
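Review bot: The markup of attribute-resolver.xml is stripped in this rendering, but the surviving text `%{idp.scope}` and a literal `member` value looks like the stock Static data connector that asserts `eduPersonAffiliation = member` for every authenticated principal, which is presumably what feeds eduPersonScopedAffiliation. If that is what this file does, every account that can log in will be asserted as a member of the organisation regardless of its real status, and relying parties that gate access on `member@<scope>` will admit all of them; confirm that this is intended or replace the static value with an LDAP-sourced affiliation before release. A comment such as `<!-- Static member affiliation: asserted for ALL principals, replace with a directory-backed value in production -->` above the connector would make the trade-off visible to the next maintainer.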
@@ -0,0 +1,9 @@ +# You can create custom attribute mapping rules using +# simple property files stored in this directory tree. +# Spring property replacement is NOT supported. + +# As an example, a default SAML 2 rule for eduPersonPrincipalName would be: + +#id=eduPersonPrincipalName +#transcoder=SAML2ScopedStringTranscoder +#saml2.name=urn:oid:1.3.6.1.4.1.5923.1.1.1.6 diff --git a/conf/attributes/default-rules.xml b/conf/attributes/default-rules.xml new file mode 100644 index 0000000..db8f1a1 --- /dev/null +++ b/conf/attributes/default-rules.xml @@ -0,0 +1,29 @@ + + + + + + + + + + + + + + diff --git a/conf/attributes/eduCourse.xml b/conf/attributes/eduCourse.xml new file mode 100644 index 0000000..96341c3 --- /dev/null +++ b/conf/attributes/eduCourse.xml @@ -0,0 +1,57 @@ + + + + + + + + + + + + + eduCourseOffering + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:1.3.6.1.4.1.5923.1.6.1.1 + urn:oid:1.3.6.1.4.1.5923.1.6.1.1 + Course offering + Unique identifier for a course offering + + + + + + + + eduCourseMember + SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder + urn:oid:1.3.6.1.4.1.5923.1.6.1.2 + urn:oid:1.3.6.1.4.1.5923.1.6.1.2 + false + Course role + Specifies the person's role within a particular course offering + + + + + + + + + diff --git a/conf/attributes/eduPerson.xml b/conf/attributes/eduPerson.xml new file mode 100644 index 0000000..1ce3890 --- /dev/null +++ b/conf/attributes/eduPerson.xml 
@@ -0,0 +1,273 @@ + + + + + + + + + + + + + eduPersonAffiliation + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:1.3.6.1.4.1.5923.1.1.1.1 + urn:mace:dir:attribute-def:eduPersonAffiliation + Affiliation + Zugehörigkeit + Affiliation + Tipo di membro + 職位 + Affiliation: Type of affiliation with Home Organization + Art der Zugehörigkeit zur Heimatorganisation + Art der Zugehörigkeit zur Heimorganisation + Type d'affiliation dans l'organisation + Tipo di membro: Tipo di lavoro svolto per l'organizzazione + 所属機関における職位(faculty,staff,student,memberなど) + + + + + + + + eduPersonAssurance + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:1.3.6.1.4.1.5923.1.1.1.11 + urn:mace:dir:attribute-def:eduPersonAssurance + Assurance level + Vertrauensgrad + Niveau de confiance + Livello di sicurezza + 保証レベル + Set of URIs that assert compliance with specific standards for identity assurance. + URIs die eine gewisse Zusicherung für spezifische Standards des Vertrauens beinhalten + Un ensemble d'URI qui attestent la conformité selon un standard pour les niveaux d'assurance d'identités + Un insieme di URI che asseriscono l'osservanza dei livelli di sicurezza richiesti + IDの保証レベルに関して特定の基準に準拠していることを示すURI + + + + + + + + eduPersonEntitlement + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:1.3.6.1.4.1.5923.1.1.1.7 + urn:mace:dir:attribute-def:eduPersonEntitlement + Entitlement + Berechtigung + Entitlement + Prerogativa + 資格情報 + Member of: URI (either URL or URN) that indicates a set of rights to specific resources based on an agreement across the releavant community + Zeichenkette, die Rechte für spezifische Ressourcen beschreibt + Membre de: URI (soit une URL ou une URN) décrivant un droit spécific d'accès. 
+ Membro delle seguenti URI (sia URL o URN) che rappresentano diritti specifici d'accesso validi in tutta la communità + 特定のアプリケーションもしくはコミュニティ内の複数リソースへのアクセス権限を持つことを示すURI(URLもしくはURN) + + + + + + + + eduPersonNickname + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:1.3.6.1.4.1.5923.1.1.1.2 + urn:mace:dir:attribute-def:eduPersonNickname + Nickname + Kurzname + Übername + Surnom + Diminutivo + ニックネーム + Person's nickname, or the informal name by which they are accustomed to be hailed. + Kurzname einer Person, oder üblicher Rufname zur Begrüßung. + Übername einer Person, oder üblicher Rufname zur Begrüssung. + Nom personnalisable pour un usage informel. + Diminutivo della persona, o soprannome. + 利用者のニックネームもしくは通称 + + + + + + + + eduPersonOrgDN + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:1.3.6.1.4.1.5923.1.1.1.3 + urn:mace:dir:attribute-def:eduPersonOrgDN + Organization distinguished name + Distinguished name (DN) of the directory entry representing the institution with which the person is associated. + + + + + + + + eduPersonOrgUnitDN + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:1.3.6.1.4.1.5923.1.1.1.4 + urn:mace:dir:attribute-def:eduPersonOrgUnitDN + Organization unit distinguished name + Distinguished name(s) (DN) of the directory entries representing the person's Organizational Unit(s). + + + + + + + + eduPersonOrcid + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:1.3.6.1.4.1.5923.1.1.1.16 + urn:oid:1.3.6.1.4.1.5923.1.1.1.16 + ORCID + ORCID researcher identifier(s) belonging to a person. + + + + + + + + eduPersonPrimaryAffiliation + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:1.3.6.1.4.1.5923.1.1.1.5 + urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation + Primary affiliation + Primäre Zugehörigkeit + Affiliation pricipale + Appartenenza principale + 主要職位 + Specifies the person's primary relationship to the institution in broad categories such as student, faculty, staff, alum, etc. 
+ Spezifiziert der Hauptbeziehung einer Person innerhalb ihrer Organisation in groben Kategorien wie Student, Mitarbeiter, Alumni, etc. + Spécifie la relation principale d'une personne avec l'institution selon des majeures catégories comme étudiant, collaborateur, alumni etc. + Specifica la relazione principale dell persona con l'istituzione secondo le maggiori categorie come studente, collaboratore, alumni, etc. + 所属機関における主要な職位(faculty,staff,student,memberなど) + + + + + + + + eduPersonPrimaryOrgUnitDN + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:1.3.6.1.4.1.5923.1.1.1.8 + urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN + Primary organization unit distinguished name + Distinguished name (DN) of the directory entry representing the person's primary Organizational Unit. + + + + + + + + eduPersonPrincipalName + SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder + urn:oid:1.3.6.1.4.1.5923.1.1.1.6 + urn:mace:dir:attribute-def:eduPersonPrincipalName + false + Principal name + Persönliche ID + Principal Name + Principal Name + プリンシパルID + A unique identifier for a person, mainly for inter-institutional user identification. + Eindeutige Benutzeridentifikation + Eindeutige Benützeridentifikation + L'identifiant unique de l'utilisateur + Un ID personale che identifica chiaramente l'utente in seno alla sua organizzazione + フェデレーション内で一意かつ永続的な利用者識別子 + + + + + + + + eduPersonPrincipalNamePrior + SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder + urn:oid:1.3.6.1.4.1.5923.1.1.1.12 + urn:oid:1.3.6.1.4.1.5923.1.1.1.12 + false + Prior principal name(s) + eduPersonPrincipalName value(s) previously associated with the entry. 
+ + + + + + + + eduPersonScopedAffiliation + SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder + urn:oid:1.3.6.1.4.1.5923.1.1.1.9 + urn:mace:dir:attribute-def:eduPersonScopedAffiliation + false + Scoped affiliation + Zugehörigkeit + Affiliation + Tipo di membro + スコープ付き職位 + Specifies the person's affiliation within a particular security domain + Art der Zugehörigkeit zur Heimatorganisation + Art der Zugehörigkeit zur Heimorganisation + Type d'affiliation dans l'organisation + Tipo di membro: Tipo di lavoro svolto per l'organizzazione + セキュリティドメインのスコープが付いた所属機関における職位 + + + + + + + + eduPersonUniqueId + SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder + urn:oid:1.3.6.1.4.1.5923.1.1.1.13 + urn:oid:1.3.6.1.4.1.5923.1.1.1.13 + false + Unique ID + Eindeutige ID + ID unique + ID unico + ユニークID + A unique identifier for a person, mainly for inter-institutional user identification. + Eindeutige Benutzeridentifikation + Eindeutige Benützeridentifikation + Identifiant unique de l'utilisateur + Un identificativo personale che identifica chiaramente l'utente in seno alla sua organizzazione + フェデレーション内で一意で永続的かつ難読化された利用者識別子(後継はサブジェクトID) + + + + + + + + + diff --git a/conf/attributes/inetOrgPerson.xml b/conf/attributes/inetOrgPerson.xml new file mode 100644 index 0000000..4421354 --- /dev/null +++ b/conf/attributes/inetOrgPerson.xml 
@@ -0,0 +1,517 @@ + + + + + + + + + + + + + + + cn + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.5.4.3 + urn:mace:dir:attribute-def:cn + Common name + Common name of a person + + + + + + + + departmentNumber + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.16.840.1.113730.3.1.2 + urn:mace:dir:attribute-def:departmentNumber + Department number + Abteilungsnummer + Department number + Nummer der Abteilung + + + + + + + + displayName + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.16.840.1.113730.3.1.241 + urn:mace:dir:attribute-def:displayName + Display name + Anzeigename + Nom + Nome + 表示名 + The name that should appear in white-pages-like applications for this person. + Anzeigename + Nom complet d'affichage + Nome + アプリケーションでの表示に用いられる英字氏名 + + + + + + + + employeeNumber + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.16.840.1.113730.3.1.3 + urn:mace:dir:attribute-def:employeeNumber + Employee number + Mitarbeiternummer + Numéro d'employé + Numero dell'utente + 従業員番号 + Identifies an employee within an organization + Identifiziert einen Mitarbeiter innerhalb der Organisation + Identifie un employé au sein de l'organisation + Identifica l' utente presso l'organizzazione + 所属機関における利用者の従業員番号 + + + + + + + + employeeType + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.16.840.1.113730.3.1.4 + urn:mace:dir:attribute-def:employeeType + Employee type + Employee type + + + + + + + + givenName + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.5.4.42 + urn:mace:dir:attribute-def:givenName + Given name + Vorname + Prénom + Nome + + Given name of a person + Vorname + Prénom de l'utilisateur + Nome + 氏名(名)の英語表記 + + + + + + + + homePhone + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:0.9.2342.19200300.100.1.20 + urn:mace:dir:attribute-def:homePhone + Private phone number + Telefon Privat + Teléphone personnel + Numero di telefono privato + 自宅電話番号 + Private phone number + Private Telefonnummer + Numéro de téléphone de 
domicile de la personne + Numero di telefono privato + 自宅の電話番号 + + + + + + + + homePostalAddress + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:0.9.2342.19200300.100.1.39 + urn:mace:dir:attribute-def:homePostalAddress + Home postal address + Heimatadresse + Heimadresse + Adresse personnelle + Indirizzo personale + 自宅住所 + Home postal address: Home address of the user + Heimatadresse + Heimadresse + Adresse postale de domicile de la personne + Indirizzo personale: indirizzo dove abita l'utente + 自宅の住所 + + + + + + + + initials + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.5.4.43 + urn:mace:dir:attribute-def:initials + Initials + Initialen + Initiales + イニシャル + Initials + Anfangsbuchstaben des Namens + Die Anfangsbuchstaben + L' initiales + イニシャル + + + + + + + + l + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.5.4.7 + urn:mace:dir:attribute-def:l + Locality name + Ort + Locality name + 場所(L) + Locality name + Ort + Nom de la localité où réside l'objet + 場所の名前 日本の場合は市区町村名 + + + + + + + + mail + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:0.9.2342.19200300.100.1.3 + urn:mace:dir:attribute-def:mail + E-mail + E-Mail + Email + E-mail + メールアドレス + E-Mail: Preferred address for e-mail to be sent to this person + E-Mail-Adresse + E-Mail Adresse + Adresse de courrier électronique + E-Mail: l'indirizzo e-mail preferito dall'utente + メールアドレス + + + + + + + + mobile + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:0.9.2342.19200300.100.1.41 + urn:mace:dir:attribute-def:mobile + Mobile phone number + Telefon Mobil + Numéro de mobile + Numero di cellulare + 携帯電話番号 + Mobile phone number + Mobile Telefonnummer + Numéro de teléphone mobile + Numero di cellulare + 携帯電話の電話番号 + + + + + + + + o + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.5.4.10 + urn:mace:dir:attribute-def:o + Organization name + Organisationsname + Nom de l'organisation + 所属機関名 + Organization name + Name der Organisation + Nom de l'organisation + 所属機関名称の英語表記 + 
+ + + + + + + ou + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.5.4.11 + urn:mace:dir:attribute-def:ou + Organizational unit + Organisationseinheit + Unité organisationnelle + 機関内所属名 + Organizational unit + Name der Organisationseinheit + Nom de l'unité organisationnelle + 機関内所属名称の英語表記 + + + + + + + + pager + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:0.9.2342.19200300.100.1.42 + urn:mace:dir:attribute-def:pager + Pager number + Pager number + + + + + + + + postalAddress + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.5.4.16 + urn:mace:dir:attribute-def:postalAddress + Business postal address + Geschäftsadresse + Adresse professionnelle + Indirizzo professionale + 所属機関住所 + Business postal address: Campus or office address + Geschäftliche Adresse + Adresse am Arbeitsplatz + Adresse de l'institut, de l'université + Indirizzo professionale: indirizzo dell'istituto o dell'ufficio + 所属機関の住所 + + + + + + + + postalCode + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.5.4.17 + urn:mace:dir:attribute-def:postalCode + Postal code + ZIP code + Postleitzahl + Code postal + 郵便番号 + Postal code + ZIP code + Postleitzahl + Code postal + 郵便番号 + + + + + + + + postOfficeBox + SAML2StringTranscoder SAML1StringTranscoder + urn:mace:dir:attribute-def:postOfficeBox + urn:oid:2.5.4.18 + Postal box + Postfach + Boite postale + Case postale + 私書箱 + Postal box identifier + Postfach + Boite postale + Case postale + 私書箱 + + + + + + + + preferredLanguage + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.16.840.1.113730.3.1.39 + urn:mace:dir:attribute-def:preferredLanguage + Preferred Language + Bevorzugte Sprache + Langue préférée + Lingua preferita + 希望言語 + Preferred language: Users preferred language (see RFC1766) + Bevorzugte Sprache (siehe RFC1766) + Exemple: fr, de, it, en, ... (voir RFC1766) + Lingua preferita: la lingua preferita dall'utente (cfr. 
RFC1766) + 利用者が希望する言語(RFC1766 を参照) + + + + + + + + sn + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.5.4.4 + urn:mace:dir:attribute-def:sn + Surname + Nachname + Nom de famille + Cognome + + Surname or family name + Familienname + Nom de famille de l'utilisateur. + Cognome dell'utilizzatore + 氏名(姓)の英語表記 + + + + + + + + st + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.5.4.8 + urn:mace:dir:attribute-def:st + State or province name + 都道府県もしくは州や省(ST) + State or province name + 州名や省名 国によって異なり日本の場合は都道府県名 + + + + + + + + street + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.5.4.9 + urn:mace:dir:attribute-def:street + Street + Straße + Strasse + Rue + 通り + Street address + Name der Straße + Strassenadresse + Nom de rue + 通りおよび番地 + + + + + + + + + telephoneNumber + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.5.4.20 + urn:mace:dir:attribute-def:telephoneNumber + Business phone number + Telefon Geschäft + Teléphone professionnel + Numero di telefono dell'ufficio + 所属機関内電話番号 + Business phone number: Office or campus phone number + Telefonnummer am Arbeitsplatz + Teléphone de l'institut, de l'université + Numero di telefono dell'ufficio + 所属機関での利用者の電話番号 + + + + + + + + title + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:2.5.4.12 + urn:mace:dir:attribute-def:title + Title + Titel + Title + 肩書き + Title of a person + Titel der Person + Titre de la personne + 利用者の肩書き + + + + + + + + uid + SAML2StringTranscoder SAML1StringTranscoder + urn:oid:0.9.2342.19200300.100.1.1 + urn:mace:dir:attribute-def:uid + User ID + Benutzer-ID + ID utilisateur + ID dell'utente + ユーザID + A unique identifier for a person, mainly used for user identification within the user's home organization. + Eine eindeutige Nummer für eine Person, welche hauptsächlich zur Identifikation innerhalb der Organisation benutzt wird. + Identifiant de connexion d'une personnes sur les systèmes informatiques. 
+ Identificativo unico della persona, usato per l'identificazione dell'utente all'interno della organizzazione di appartenenza. + 所属機関内で一意の利用者識別子 + + + + + + + + + diff --git a/conf/attributes/samlSubject.xml b/conf/attributes/samlSubject.xml new file mode 100644 index 0000000..8caeeb6 --- /dev/null +++ b/conf/attributes/samlSubject.xml @@ -0,0 +1,73 @@ + + + + + + + + + + + + + + + samlSubjectID + SAML2ScopedStringTranscoder + urn:oasis:names:tc:SAML:attribute:subject-id + Unique ID + Eindeutige ID + ID unique + ID unico + サブジェクトID + A unique identifier for a person, mainly for inter-institutional user identification. + Eindeutige Benutzeridentifikation + Eindeutige Benützeridentifikation + Identifiant unique de l'utilisateur + Un identificativo personale che identifica chiaramente l'utente in seno alla sua organizzazione + フェデレーション内で一意で永続的かつ難読化された利用者識別子(eduPersonUniqueIdの後継) + + + + + + + + samlPairwiseID + SAML2ScopedStringTranscoder + urn:oasis:names:tc:SAML:attribute:pairwise-id + Pairwise ID + Pairwise ID + Pairwise ID + Pairwise ID + ペアワイズID + Pairwise ID: A unique identifier for a person, different for each service provider. + Pairwise ID: Eindeutige Benutzeridentifikation, unterschiedlich pro Service Provider. + Pairwise ID: Eindeutige Benützeridentifikation, unterschiedlich pro Service Provider. + Pairwise ID: Un identifiant unique de l'utilisateur, différent pour chaque fournisseur de service. + Pairwise ID: identificativo unico della persona, differente per ogni fornitore di servizio. + フェデレーション内で一意かつSP毎に送出される値が異なる利用者識別子(eduPersonTargetedIDの後継) + + + + + + + + + diff --git a/conf/attributes/schac.xml b/conf/attributes/schac.xml new file mode 100644 index 0000000..c60b85b --- /dev/null +++ b/conf/attributes/schac.xml 
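Review bot: In the `postOfficeBox` rule the two name values appear in the opposite order from every other rule in the file (`urn:mace:dir:attribute-def:postOfficeBox` before `urn:oid:2.5.4.18`); with the entry keys stripped from this rendering it is impossible to tell whether only the order differs or whether `saml1.name` and `saml2.name` are actually swapped. If they are swapped the IdP would emit the SAML 2 attribute under the legacy MACE name and SPs keyed on the OID would not match it, so check that `saml2.name` is `urn:oid:2.5.4.18`. Reordering the entries to match the rest of the file would also remove the ambiguity for future reviewers.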
@@ -0,0 +1,237 @@ + + + + + + + + + + + + schacMotherTongue + SAML2StringTranscoder + urn:oid:1.3.6.1.4.1.25178.1.2.1 + urn:oid:1.3.6.1.4.1.25178.1.2.1 + Mother Tongue + + + + + + + + schacGender + SAML2StringTranscoder + urn:oid:1.3.6.1.4.1.25178.1.2.2 + urn:oid:1.3.6.1.4.1.25178.1.2.2 + Gender + + + + + + + + schacDateOfBirth + SAML2StringTranscoder + urn:oid:1.3.6.1.4.1.25178.1.2.3 + urn:oid:1.3.6.1.4.1.25178.1.2.3 + Date or Birth + + + + + + + + schacPlaceOfBirth + SAML2StringTranscoder + urn:oid:1.3.6.1.4.1.25178.1.2.4 + urn:oid:1.3.6.1.4.1.25178.1.2.4 + Place of Birth + + + + + + + + schacCountryOfCitizenship + SAML2StringTranscoder + urn:oid:1.3.6.1.4.1.25178.1.2.5 + urn:oid:1.3.6.1.4.1.25178.1.2.5 + Country of Citizenship + + + + + + + + schacHomeOrganization + SAML2StringTranscoder + urn:oid:1.3.6.1.4.1.25178.1.2.9 + urn:oid:1.3.6.1.4.1.25178.1.2.9 + Home Organization + Kotiorganisaatio + The domain name of the person's home organisation + Henkilön kotiorganisaation domain-nimi + + + + + + + + schacHomeOrganizationType + SAML2StringTranscoder + urn:oid:1.3.6.1.4.1.25178.1.2.10 + urn:oid:1.3.6.1.4.1.25178.1.2.10 + Home organization type + Kotiorganisaation tyyppi + Home organisation type: university, polytechnic, etc + Kotiorganisaation tyyppi: yliopisto, ammattikorkeakoulu jne + + + + + + + + schacCountryOfResidence + SAML2StringTranscoder + urn:oid:1.3.6.1.4.1.25178.1.2.11 + urn:oid:1.3.6.1.4.1.25178.1.2.11 + Country of Reseidence + + + + + + + + schacUserPresenceID + SAML2StringTranscoder + urn:oid:1.3.6.1.4.1.25178.1.2.12 + urn:oid:1.3.6.1.4.1.25178.1.2.12 + User Presence ID + + + + + + + + schacPersonalPosition + SAML2StringTranscoder + urn:oid:1.3.6.1.4.1.25178.1.2.13 + urn:oid:1.3.6.1.4.1.25178.1.2.13 + Personal Position + + + + + + + + schacPersonalUniqueCode + SAML2StringTranscoder + urn:oid:1.3.6.1.4.1.25178.1.2.14 + urn:oid:1.3.6.1.4.1.25178.1.2.14 + Personal Unique Code + + + + + + + + schacPersonalUniqueID + SAML2StringTranscoder + 
urn:oid:1.3.6.1.4.1.25178.1.2.15 + urn:oid:1.3.6.1.4.1.25178.1.2.15 + Personal Unique ID + + + + + + + + schacExpiryDate + SAML2StringTranscoder + urn:oid:1.3.6.1.4.1.25178.1.2.17 + urn:oid:1.3.6.1.4.1.25178.1.2.17 + Expiry Date + + + + + + + + schacUserPrivateAttribute + SAML2StringTranscoder + urn:oid:1.3.6.1.4.1.25178.1.2.18 + urn:oid:1.3.6.1.4.1.25178.1.2.18 + User Private Attribute + + + + + + + + schacUserStatus + SAML2StringTranscoder + urn:oid:1.3.6.1.4.1.25178.1.2.19 + urn:oid:1.3.6.1.4.1.25178.1.2.19 + User Status + + + + + + + + schacProjectMembership + SAML2StringTranscoder + urn:oid:1.3.6.1.4.1.25178.1.2.20 + urn:oid:1.3.6.1.4.1.25178.1.2.20 + Project Membership + + + + + + + + schacProjectSpecificRole + SAML2StringTranscoder + urn:oid:1.3.6.1.4.1.25178.1.2.21 + urn:oid:1.3.6.1.4.1.25178.1.2.21 + Project Specific Role + + + + + + + diff --git a/conf/audit.xml b/conf/audit.xml new file mode 100644 index 0000000..3c9c408 --- /dev/null +++ b/conf/audit.xml @@ -0,0 +1,55 @@ + + + + + + + + + + + + + + http://shibboleth.net/ns/profiles/status + http://shibboleth.net/ns/profiles/mdquery + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/authn/authn-comparison.xml b/conf/authn/authn-comparison.xml new file mode 100644 index 0000000..0730bcb --- /dev/null +++ b/conf/authn/authn-comparison.xml @@ -0,0 +1,117 @@ + + + + + + + + + + + 1 + + + + + + + + + + urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified + + + + + + + + + + + + + diff --git a/conf/authn/authn-events-flow.xml b/conf/authn/authn-events-flow.xml new file mode 100644 index 0000000..8846677 --- /dev/null +++ b/conf/authn/authn-events-flow.xml @@ -0,0 +1,22 @@ + + + + + + + + + + + + + + + + diff --git a/conf/authn/authn.properties b/conf/authn/authn.properties new file mode 100644 index 0000000..97a7525 --- /dev/null +++ b/conf/authn/authn.properties 
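Review bot: Two user-facing display names in schac.xml are misspelled, `Date or Birth` for schacDateOfBirth and `Country of Reseidence` for schacCountryOfResidence; they should read `Date of Birth` and `Country of Residence`, since these strings are shown on consent screens. More importantly, this file registers date of birth, gender, citizenship and schacPersonalUniqueID, which are sensitive personal data; registering them does not release them, but the release policy lives in conf/attribute-filter.xml, whose content is not readable here, so confirm that no policy releases these to any SP without an explicit need. This hunk starts in the previous physical line.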
@@ -0,0 +1,218 @@
+# Properties that control authentication generally and the behavior of
+# specific methods.
+
+# Regular expression matching login flows to enable, e.g. IPAddress|Password
+#idp.authn.flows = Password
+
+# Default settings for most authentication methods.
+#idp.authn.defaultLifetime = PT1H
+#idp.authn.defaultTimeout = PT30M
+#idp.authn.proxyRestrictionsEnforced = true
+
+# Whether to populate relying party user interface information for display
+# during authentication, consent, terms-of-use.
+#idp.authn.rpui = true
+
+# Whether to prioritize "active" results when an SP requests more than
+# one possible matching login method (V2 behavior was to favor them)
+#idp.authn.favorSSO = false
+
+# Whether to fail requests when a user identity after authentication
+# doesn't match the identity in a pre-existing session.
+#idp.authn.identitySwitchIsError = false
+
+# If using IdP discovery feature, provides a discovery location to use.
+#idp.authn.discoveryURL = https://ds.example.org/shibboleth-ds/index.html
+
+# Properties below override specific method behavior, as an alternative
+# to defining Spring beans in XML. Refer to the documentation for a complete
+# list. Many of the properties below are mentioned only because they are
+# atypical defaults assumed for a given method.
+
+# Flow selection among multiple equivalent options can be managed with
+# the order properties, lower will be tried first.
+
+#### Password ####
+
+#idp.authn.Password.order = 1000
+#idp.authn.Password.passiveAuthenticationSupported = true
+#idp.authn.Password.forcedAuthenticationSupported = true
+# Override this and removeAfterValidation to require all validators to succeed
+#idp.authn.Password.requireAll = false
+# Override to keep the password around
+#idp.authn.Password.removeAfterValidation = true
+# Override to store password in Java Subject
+#idp.authn.Password.retainAsPrivateCredential = false
+# Simple username transforms before validation
+#idp.authn.Password.trim = true
+#idp.authn.Password.lowercase = false
+#idp.authn.Password.uppercase = false
+#idp.authn.Password.matchExpression =
+# Override default form field names
+#idp.authn.Password.usernameFieldName = j_username
+#idp.authn.Password.passwordFieldName = j_password
+#idp.authn.Password.ssoBypassFieldName = donotcache
+# Unset if using customized Principals per validator
+#idp.authn.Password.addDefaultPrincipals = true
+# The Principal collection below is the typical default if not otherwise noted.
+#idp.authn.Password.supportedPrincipals = \
+# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
+# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
+# saml1/urn:oasis:names:tc:SAML:1.0:am:password
+# Validators are controlled in password-authn-config.xml
+
+#### Password Backends ####
+
+# See ldap.properties for LDAP authn properties
+# Kerberos settings
+#idp.authn.Krb5.refreshConfig = false
+#idp.authn.Krb5.preserveTicket = false
+# Set next two for KDC verification
+#idp.authn.Krb5.servicePrincipal =
+#idp.authn.Krb5.keytab =
+# JAAS settings
+#idp.authn.JAAS.loginConfigNames = ShibUserPassAuth
+#idp.authn.JAAS.loginConfig = %{idp.home}/conf/authn/jaas.config
+
+#### External ####
+
+#idp.authn.External.order = 1000
+#idp.authn.External.nonBrowserSupported = false
+#idp.authn.External.matchExpression =
+# Unset if you plan to return full Java Subject from external source
+#idp.authn.External.addDefaultPrincipals = true
+# Servlet context-relative path to wherever your implementation lives
+idp.authn.External.externalAuthnPath = contextRelative:external.jsp
+
+#### RemoteUser ####
+
+#idp.authn.RemoteUser.order = 1000
+#idp.authn.RemoteUser.nonBrowserSupported = false
+#idp.authn.RemoteUser.matchExpression =
+# Unset in most cases only if using the authnMethodHeader or
+# subjectAttribute settings
+#idp.authn.RemoteUser.addDefaultPrincipals = true
+# Most other settings need to be supplied via web.xml to the servlet
+
+#### RemoteUserInternal ####
+
+#idp.authn.RemoteUserInternal.order = 1000
+#idp.authn.RemoteUserInternal.nonBrowserSupported = true
+# Unset in most cases only if using the authnMethodHeader feature
+#idp.authn.RemoteUserInternal.addDefaultPrincipals = true
+#idp.authn.RemoteUserInternal.checkRemoteUser = true
+# Comma-delimited lists of attributes or headers to pull from
+#idp.authn.RemoteUserInternal.checkAttributes =
+#idp.authn.RemoteUserInternal.checkHeaders =
+# Simple transforms to apply
+#idp.authn.RemoteUserInternal.trim = true
+#idp.authn.RemoteUserInternal.lowercase = false
+#idp.authn.RemoteUserInternal.uppercase = false
+#idp.authn.RemoteUserInternal.matchExpression =
+#idp.authn.RemoteUserInternal.allowedUsernames =
+#idp.authn.RemoteUserInternal.deniedUsernames =
+
+#### SPNEGO ####
+
+#idp.authn.SPNEGO.order = 1000
+#idp.authn.SPNEGO.nonBrowserSupported = false
+#idp.authn.SPNEGO.enforceRun = false
+#idp.authn.SPNEGO.refreshKrbConfig = false
+#idp.authn.SPNEGO.matchExpression =
+idp.authn.SPNEGO.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, \
+ saml1/urn:ietf:rfc:1510
+
+#### X509 ####
+
+#idp.authn.X509.order = 1000
+#idp.authn.X509.nonBrowserSupported = false
+# Servlet context-relative path to wherever your implementation lives
+#idp.authn.X509.externalAuthnPath = contextRelative:x509-prompt.jsp
+idp.authn.X509.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
+ saml1/urn:ietf:rfc:2246
+
+#### X509Internal ####
+
+#idp.authn.X509Internal.order = 1000
+#idp.authn.X509Internal.nonBrowserSupported = false
+#idp.authn.X509Internal.saveCertificateToCredentialSet = true
+idp.authn.X509Internal.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
+ saml1/urn:ietf:rfc:2246
+
+#### IPAddress ####
+
+#idp.authn.IPAddress.order = 1000
+#idp.authn.IPAddress.passiveAuthenticationSupported = true
+#idp.authn.IPAddress.lifetime = PT60S
+#idp.authn.IPAddress.inactivityTimeout = PT60S
+idp.authn.IPAddress.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol
+
+#### Function ####
+
+#idp.authn.Function.order = 1000
+#idp.authn.Function.passiveAuthenticationSupported = true
+# Unset if you plan to return full Java Subject from function
+#idp.authn.Function.addDefaultPrincipals = true
+
+#### Duo ####
+
+#idp.authn.Duo.order = 1000
+#idp.authn.Duo.nonBrowserSupported = false
+#idp.authn.Duo.forcedAuthenticationSupported = true
+# Unset if you have advanced Duo integrations with individualized Principals
+#idp.authn.Duo.addDefaultPrincipals = true
+# The list below should be changed to reflect whatever locally- or
+# community-defined values are appropriate to represent Duo. It is
+# strongly advised that the value not be specific to Duo or any
+# particular technology to avoid lock-in.
+idp.authn.Duo.supportedPrincipals = \
+ saml2/http://example.org/ac/classes/mfa, \
+ saml1/http://example.org/ac/classes/mfa
+# Default Duo integration settings are defined separately
+# in duo.properties due to the sensitivity of the secret key.
+
+
+#### SAML ####
+
+#idp.authn.SAML.order = 1000
+#idp.authn.SAML.nonBrowserSupported = false
+#idp.authn.SAML.passiveAuthenticationSupported = true
+#idp.authn.SAML.forcedAuthenticationSupported = true
+#idp.authn.SAML.proxyScopingEnforced = true
+# Discovery options:
+# Define shibboleth.authn.SAML.discoveryFunction bean
+# Set proxyEntityID property
+# Fall through to discovery via discoveryRequired property
+#idp.authn.SAML.proxyEntityID = https://idp.example.org/idp/shibboleth
+#idp.authn.SAML.discoveryRequired = true
+# Generally left false with bidirectional mappings in
+# conf/authn/authn-comparison.xml across the proxy boundary.
+# Adjust as needed to reflect IdP's capabilities/support.
+#idp.authn.SAML.addDefaultPrincipals = false
+#idp.authn.SAML.supportedPrincipals = \
+# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
+# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
+# saml1/urn:oasis:names:tc:SAML:1.0:am:password
+
+#### MFA ####
+
+#idp.authn.MFA.order = 1000
+#idp.authn.MFA.passiveAuthenticationSupported = true
+#idp.authn.MFA.forcedAuthenticationSupported = true
+#idp.authn.MFA.validateLoginTransitions = true
+# The list below almost certainly requires changes, and should generally be the
+# union of any of the separate factors you combine in your particular MFA flow
+# rules. The example corresponds to the example in mfa-authn-config.xml that
+# combines IPAddress with Password.
+idp.authn.MFA.supportedPrincipals = \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
+ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
+ saml1/urn:oasis:names:tc:SAML:1.0:am:password
+# Most actual setup via mfa-authn-config.xml
diff --git a/conf/authn/password-authn-config.xml b/conf/authn/password-authn-config.xml
new file mode 100644
index 0000000..2c648ec
--- /dev/null
+++ b/conf/authn/password-authn-config.xml
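Review bot: `idp.authn.Duo.supportedPrincipals` and `idp.authn.MFA.supportedPrincipals` are committed with the shipped placeholder lists — `saml2/http://example.org/ac/classes/mfa` and an MFA union that includes `InternetProtocol` — which the file's own comments say must be changed; if either flow is later enabled through `idp.authn.flows`, the IdP would assert an example.org context class, or let an IP-address result satisfy an SP asking for MFA. Replace them with locally defined values now, or add a comment that the flows are intentionally unused. Separately, `idp.authn.identitySwitchIsError` is left at its default of `false`, so a second login as a different user inside an existing session is silently accepted; it is worth setting `idp.authn.identitySwitchIsError = true` explicitly unless that behaviour is wanted.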
@@ -0,0 +1,112 @@ + + + + + + + + + + + + + + + + + + + + + + + + NoCredentials + UnknownUsername + CLIENT_NOT_FOUND + Client not found + Cannot get kdc for realm + Client not found in Kerberos database + DN_RESOLUTION_FAILURE + Cannot authenticate dn, invalid dn + Cannot authenticate dn, invalid credential + AcceptSecurityContext error, data 525 + + + + + InvalidCredentials + PREAUTH_FAILED + INVALID_CREDENTIALS + Checksum failed + Integrity check on decrypted field failed + Pre-authentication information was invalid + Key bytes cannot be null + AcceptSecurityContext error, data 52e + + + + + AccountLocked + Clients credentials have been revoked + AcceptSecurityContext error, data 775 + + + + + AcceptSecurityContext error, data 533 + + + + + PASSWORD_EXPIRED + CLIENT KEY EXPIRED + AcceptSecurityContext error, data 532 + AcceptSecurityContext error, data 773 + AcceptSecurityContext error, data 701 + + + + + ACCOUNT_WARNING + + + + + RequestUnsupported + + + + + diff --git a/conf/c14n/subject-c14n-events-flow.xml b/conf/c14n/subject-c14n-events-flow.xml new file mode 100644 index 0000000..c4936f3 --- /dev/null +++ b/conf/c14n/subject-c14n-events-flow.xml @@ -0,0 +1,22 @@ + + + + + + + + + + + + + + + + diff --git a/conf/c14n/subject-c14n.properties b/conf/c14n/subject-c14n.properties new file mode 100644 index 0000000..3811493 --- /dev/null +++ b/conf/c14n/subject-c14n.properties 
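Review bot: The error classifier maps directory errors to distinct events — `UnknownUsername` (for `CLIENT_NOT_FOUND`, `DN_RESOLUTION_FAILURE`, `AcceptSecurityContext error, data 525`) versus `InvalidCredentials` (`INVALID_CREDENTIALS`, `data 52e`) — and the event name selects the message rendered on the login page, so unless both keys resolve to the same generic text the form becomes a username-enumeration oracle. Confirm in messages.properties (in this commit, outside the hunk) that `UnknownUsername` and `InvalidCredentials` produce identical wording. `AccountLocked`, the expired-password and `ACCOUNT_WARNING` events also confirm that an account exists; that is a usual support trade-off, but it should be a deliberate one.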
@@ -0,0 +1,40 @@
+# Properties that control the behavior of post-login subject c14n flows.
+# A few more advanced settings require XML configuration, see flow-specific docs.
+
+
+# Simple username -> principal name c14n
+#idp.c14n.simple.lowercase = false
+#idp.c14n.simple.uppercase = false
+#idp.c14n.simple.trim = true
+
+
+# Attribute resolution -> principal name c14n
+#idp.c14n.attribute.lowercase = false
+#idp.c14n.attribute.uppercase = false
+#idp.c14n.attribute.trim = true
+# Lists of attributes to resolve...
+#idp.c14n.attribute.attributesToResolve =
+# and then select a principal name from
+#idp.c14n.attribute.attributeSourceIds =
+# Allows direct use of attributes via SAML proxy authn, bypasses resolver
+#idp.c14n.attribute.resolveFromSubject = false
+#idp.c14n.attribute.resolutionCondition = shibboleth.Conditions.TRUE
+
+# X.509 certificate -> principal name c14n
+#idp.c14n.x500.lowercase = false
+#idp.c14n.x500.uppercase = false
+#idp.c14n.x500.trim = true
+# Precedence is to check for a subjectAltName and then an OID RDN
+# Comma-delimited list of subjectAltName type numbers
+# (See https://tools.ietf.org/html/rfc5280#section-4.2.1.6)
+#idp.c14n.x500.subjectAltNameTypes =
+# Comma-delimited list of OIDS
+#idp.c14n.x500.objectIDs =
+
+# Proxied SAML NameID -> principal name c14n
+#idp.c14n.saml.proxy.lowercase = false
+#idp.c14n.saml.proxy.uppercase = false
+
+# NameID consumption from SAML requests
+#idp.c14n.saml.lowercase = false
+#idp.c14n.saml.uppercase = false
diff --git a/conf/c14n/subject-c14n.xml b/conf/c14n/subject-c14n.xml
new file mode 100644
index 0000000..b354535
--- /dev/null
+++ b/conf/c14n/subject-c14n.xml
@@ -0,0 +1,151 @@ + + + + + + + + + + + + + + + + + + + + + + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName + urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName + urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName + urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName + urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos + + + + + + + + + + + + + + + + + diff --git a/conf/credentials.xml b/conf/credentials.xml new file mode 100644 index 0000000..dde530b --- /dev/null +++ b/conf/credentials.xml @@ -0,0 +1,68 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/errors.xml b/conf/errors.xml new file mode 100644 index 0000000..a9730c0 --- /dev/null +++ b/conf/errors.xml @@ -0,0 +1,126 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/examples/attribute-resolver-ldap.xml b/conf/examples/attribute-resolver-ldap.xml new file mode 100644 index 0000000..bf4123a --- /dev/null +++ b/conf/examples/attribute-resolver-ldap.xml @@ -0,0 +1,107 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/global.xml b/conf/global.xml new file mode 100644 index 0000000..c485f3f --- /dev/null +++ b/conf/global.xml @@ -0,0 +1,52 @@ + + + + + + + + + + + + + + diff --git a/conf/idp.properties b/conf/idp.properties new file mode 100644 index 0000000..73a7473 --- /dev/null +++ b/conf/idp.properties 
@@ -0,0 +1,244 @@
+# Auto-load all files matching conf/**/*.properties
+# Disable if you want to manually maintain a list of sources.
+idp.searchForProperties=true
+
+# Load any "outside-tree" property sources from a comma-delimited list
+idp.additionalProperties=/credentials/secrets.properties
+
+# In most cases (and unless noted in the surrounding comments) the
+# commented settings in the distributed files document default behavior.
+# Uncomment them and change the value to change functionality.
+#
+# Uncommented properties are either required or ship non-defaulted.
+
+# Set the entityID of the IdP
+idp.entityID=https://idp-cluster.mafoo.org.uk/idp/storedid
+
+# Set the file path which backs the IdP's own metadata publishing endpoint at /shibboleth.
+# Set to empty value to disable and return a 404.
+#idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml
+
+# Set the scope used in the attribute resolver for scoped attributes
+idp.scope=dev.mafoo.org.uk
+
+# General cookie properties (maxAge only applies to persistent cookies)
+#idp.cookie.secure = true
+#idp.cookie.httpOnly = true
+#idp.cookie.domain =
+#idp.cookie.path =
+#idp.cookie.maxAge = 31536000
+# These control operation of the SameSite filter, which is off by default.
+#idp.cookie.sameSite = None
+#idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE
+
+# Enable cross-site request forgery mitigation for views.
+idp.csrf.enabled=true
+# Name of the HTTP parameter that stores the CSRF token.
+#idp.csrf.token.parameter = csrf_token
+
+# HSTS/CSP response headers
+#idp.hsts = max-age=0
+# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing
+#idp.frameoptions = DENY
+# Content-Security-Policy value, set to match X-Frame-Options default
+#idp.csp = frame-ancestors 'none';
+
+# Set the location of user-supplied web flow definitions
+#idp.webflows = %{idp.home}/flows
+
+# Set the location of Velocity view templates
+#idp.views = %{idp.home}/views
+
+# Do we fail on velocity "syntax errors"
+#idp.velocity.runtime.strictmode=false
+
+# Settings for internal AES encryption key
+#idp.sealer.keyStrategy = shibboleth.DataSealerKeyStrategy
+#idp.sealer.storeType = JCEKS
+#idp.sealer.updateInterval = PT15M
+#idp.sealer.aliasBase = secret
+idp.sealer.storeResource=%{idp.home}/credentials/sealer.jks
+idp.sealer.versionResource=%{idp.home}/credentials/sealer.kver
+
+# Settings for public/private signing and encryption key(s)
+# During decryption key rollover, point the ".2" properties at a second
+# keypair, uncomment in credentials.xml, then publish it in your metadata.
+idp.signing.key=%{idp.home}/credentials/idp-signing.key
+idp.signing.cert=%{idp.home}/credentials/idp-signing.crt
+idp.encryption.key=%{idp.home}/credentials/idp-encryption.key
+idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
+#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
+#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
+
+# Sets the bean ID to use as a default security configuration set
+#idp.security.config = shibboleth.DefaultSecurityConfiguration
+
+# To downgrade to SHA-1, set to shibboleth.SigningConfiguration.SHA1
+#idp.signing.config = shibboleth.SigningConfiguration.SHA256
+
+# The new install default for encryption is now AES-GCM.
+idp.encryption.config=shibboleth.EncryptionConfiguration.GCM
+
+# Sets the default strategy for key agreement key wrap usage for credentials from metadata,
+# if not otherwise configured on the security configuration
+#idp.encryption.keyagreement.metadata.defaultUseKeyWrap = Default
+
+# Configures trust evaluation of keys used by services at runtime
+# Internal default is Chaining, overriden for new installs
+idp.trust.signatures=shibboleth.ExplicitKeySignatureTrustEngine
+# Other options:
+# shibboleth.ChainingSignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
+idp.trust.certificates=shibboleth.ExplicitKeyX509TrustEngine
+# Other options:
+# shibboleth.ChainingX509TrustEngine, shibboleth.PKIXX509TrustEngine
+
+# If true, encryption will happen whenever a key to use can be located, but
+# failure to encrypt won't result in request failure.
+#idp.encryption.optional = false
+
+# Configuration of client- and server-side storage plugins
+#idp.storage.cleanupInterval = PT10M
+idp.storage.htmlLocalStorage=true
+#idp.storage.clientSessionStorageName = shib_idp_session_ss
+#idp.storage.clientPersistentStorageName = shib_idp_persistent_ss
+
+# Set to true to expose more detailed errors in responses to SPs
+#idp.errors.detailed = false
+# Set to false to skip signing of SAML response messages that signal errors
+#idp.errors.signed = true
+# Name of bean containing a list of Java exception classes to ignore
+#idp.errors.excludedExceptions = ExceptionClassListBean
+# Name of bean containing a property set mapping exception names to views
+#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
+# Set if a different default view name for events and exceptions is needed
+#idp.errors.defaultView = error
+
+# Set to false to disable the IdP session layer
+#idp.session.enabled = true
+
+# Set to "shibboleth.StorageService" for server-side storage of user sessions
+#idp.session.StorageService = shibboleth.ClientSessionStorageService
+
+# Name of cookie used for session
+#idp.session.cookieName = shib_idp_session
+# Size of session IDs
+#idp.session.idSize = 32
+# Bind sessions to IP addresses
+#idp.session.consistentAddress = true
+# Inactivity timeout
+#idp.session.timeout = PT60M
+# Extra time to store sessions for logout
+#idp.session.slop = PT0S
+# Tolerate storage-related errors
+#idp.session.maskStorageFailure = false
+# Track information about SPs logged into
+idp.session.trackSPSessions=true
+# Support lookup by SP for SAML logout
+idp.session.secondaryServiceIndex=true
+# Length of time to track SP sessions
+#idp.session.defaultSPlifetime = PT2H
+
+# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
+#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
+
+# Default consent auditing formats
+#idp.consent.terms-of-use.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA
+#idp.consent.attribute-release.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA
+
+# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
+# to key user consent storage records (and set the attribute name)
+#idp.consent.attribute-release.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
+#idp.consent.attribute-release.userStorageKeyAttribute = uid
+#idp.consent.terms-of-use.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
+#idp.consent.terms-of-use.userStorageKeyAttribute = uid
+
+# Suffix of message property used as value of consent storage records when idp.consent.compareValues is true.
+# Defaults to text displayed to the user.
+#idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text
+
+# Flags controlling how built-in attribute consent feature operates
+#idp.consent.allowDoNotRemember = true
+#idp.consent.allowGlobal = true
+#idp.consent.allowPerAttribute = false
+
+# Whether attribute values and terms of use text are compared
+#idp.consent.compareValues = false
+# Maximum number of consent records for space-limited storage (e.g. cookies)
+#idp.consent.maxStoredRecords = 10
+# Maximum number of consent records for larger/server-side storage (0 = no limit)
+#idp.consent.expandedMaxStoredRecords = 0
+
+# Time in milliseconds to expire consent storage records.
+# Leave commented out for the default of infinite
+#idp.consent.storageRecordLifetime =
+
+# Path to use with External interceptor flow
+#idp.intercept.External.externalPath = contextRelative:intercept.jsp
+
+# Policies to use with Impersonate interceptor flow
+#idp.impersonate.generalPolicy = GeneralImpersonationPolicy
+#idp.impersonate.specificPolicy = SpecificImpersonationPolicy
+
+# Picks outbound bindings more sensibly than based on metadata order
+idp.bindings.inMetadataOrder=false
+
+# Whether to lookup metadata, etc. for every SP involved in a logout
+# for use by user interface logic; adds overhead so off by default.
+#idp.logout.elaboration = false
+
+# Whether to require logout requests/responses be signed/authenticated.
+#idp.logout.authenticated = true
+
+# Whether to handle logout lacking response endpoonts as asynchronous.
+#idp.logout.assumeAsync = false
+
+# Whether to hide logout propagation status reporting.
+#idp.logout.propagationHidden = false
+
+# Bean to determine whether user should be allowed to cancel logout
+#idp.logout.promptUser=shibboleth.Conditions.FALSE
+
+# Message freshness and replay cache tuning
+#idp.policy.messageLifetime = PT3M
+#idp.policy.assertionLifetime = PT3M
+#idp.policy.clockSkew = PT3M
+
+# Set to custom bean for alternate storage of replay cache
+#idp.replayCache.StorageService = shibboleth.StorageService
+#idp.replayCache.strict = true
+
+# Toggles whether to allow outbound messages via SAML artifact
+#idp.artifact.enabled = true
+# Suppresses typical signing/encryption when artifact binding used
+#idp.artifact.secureChannel = true
+# May differ to direct SAML 2 artifact lookups to specific server nodes
+#idp.artifact.endpointIndex = 2
+# Set to custom bean for alternate storage of artifact map state
+#idp.artifact.StorageService = shibboleth.StorageService
+
+# Comma-delimited languages to use if not match can be found with the
+# browser-supported languages, defaults to an empty list.
+idp.ui.fallbackLanguages=en,fr,de
+
+# Storage service used by CAS protocol for chained proxy-granting tickets
+# and when using server-managed "simple" TicketService.
+# Defaults to shibboleth.StorageService (in-memory)
+# MUST be server-side storage (e.g.
in-memory, memcached, database) +#idp.cas.StorageService=shibboleth.StorageService + +# CAS service registry implementation class +#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry + +# If true, CAS services provisioned with SAML metadata are identified via entityID +#idp.cas.relyingPartyIdFromMetadata=false + +# F-TICKS auditing - set a salt to include hashed username +#idp.fticks.federation = MyFederation +#idp.fticks.condition = MyFTICKSCondition +#idp.fticks.algorithm = SHA-256 +#idp.fticks.salt = somethingsecret +#idp.fticks.loghost = localhost +#idp.fticks.logport = 514 + +# Set false if you want SAML bindings "spelled out" in audit log +idp.audit.shortenBindings=true diff --git a/conf/intercept/intercept-events-flow.xml b/conf/intercept/intercept-events-flow.xml new file mode 100644 index 0000000..6214e80 --- /dev/null +++ b/conf/intercept/intercept-events-flow.xml @@ -0,0 +1,20 @@ + + + + + + + + + + + + + + diff --git a/conf/ldap.properties b/conf/ldap.properties new file mode 100644 index 0000000..5792a3e --- /dev/null +++ b/conf/ldap.properties 
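Review bot: `idp.hsts` is left at the shipped `max-age=0`, which actively tells browsers to discard any HSTS policy for this host, while the other browser hardening in the same file (`idp.csrf.enabled=true`, the `DENY`/`frame-ancestors 'none'` defaults, `idp.cookie.secure`/`httpOnly`) is effective; if TLS terminates on the IdP host, set `idp.hsts = max-age=31536000` here, otherwise document that the fronting proxy emits it. The sealer keystore password, the persistent-ID salt and `idp.fticks.salt` are correctly delegated to `idp.additionalProperties=/credentials/secrets.properties` rather than this file; confirm the `.gitignore` in this commit excludes `credentials/` so that file, `sealer.jks` and the signing/encryption keys referenced here never get imported alongside the config. `idp.scope=dev.mafoo.org.uk` should match the scope registered for this entityID in federation metadata, since SPs reject scoped attributes whose scope is not listed there.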
@@ -0,0 +1,67 @@
+# LDAP authentication (and possibly attribute resolver) configuration
+# Note, this doesn't apply to the use of JAAS authentication via LDAP
+
+## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
+#idp.authn.LDAP.authenticator = anonSearchAuthenticator
+
+## Connection properties ##
+idp.authn.LDAP.ldapURL = ldap://localhost:10389
+#idp.authn.LDAP.useStartTLS = true
+# Time in milliseconds that connects will block
+#idp.authn.LDAP.connectTimeout = PT3S
+# Time in milliseconds to wait for responses
+#idp.authn.LDAP.responseTimeout = PT3S
+# Connection strategy to use when multiple URLs are supplied, either ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM
+#idp.authn.LDAP.connectionStrategy = ACTIVE_PASSIVE
+
+## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
+#idp.authn.LDAP.sslConfig = certificateTrust
+## If using certificateTrust above, set to the trusted certificate's path
+idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
+## If using keyStoreTrust above, set to the truststore path
+idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
+
+## Return attributes during authentication
+idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining
+
+## DN resolution properties ##
+
+# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
+# for AD: CN=Users,DC=example,DC=org
+idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
+#idp.authn.LDAP.subtreeSearch = false
+idp.authn.LDAP.userFilter = (uid={user})
+# bind search configuration
+# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
+idp.authn.LDAP.bindDN = uid=myservice,ou=system
+
+# Format DN resolution, used by directAuthenticator, adAuthenticator
+# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
+idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=org
+
+# pool passivator, either none, bind or anonymousBind
+#idp.authn.LDAP.bindPoolPassivator = none
+
+# LDAP attribute configuration, see attribute-resolver.xml
+# Note, this likely won't apply to the use of legacy V2 resolver configurations
+idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
+idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout:PT3S}
+idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout:PT3S}
+idp.attribute.resolver.LDAP.connectionStrategy = %{idp.authn.LDAP.connectionStrategy:ACTIVE_PASSIVE}
+idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined}
+idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN:undefined}
+idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
+idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined}
+idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)
+
+# LDAP pool configuration, used for both authn and DN resolution
+#idp.pool.LDAP.minSize = 3
+#idp.pool.LDAP.maxSize = 10
+#idp.pool.LDAP.validateOnCheckout = false
+#idp.pool.LDAP.validatePeriodically = true
+#idp.pool.LDAP.validatePeriod = PT5M
+#idp.pool.LDAP.validateDN =
+#idp.pool.LDAP.validateFilter = (objectClass=*)
+#idp.pool.LDAP.prunePeriod = PT5M
+#idp.pool.LDAP.idleTime = PT10M
+#idp.pool.LDAP.blockWaitTime = PT3S
diff --git a/conf/logback.xml b/conf/logback.xml
new file mode 100644
index 0000000..50450db
--- /dev/null
+++ b/conf/logback.xml
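Review bot: `idp.authn.LDAP.ldapURL = ldap://localhost:10389` is a plaintext URL, so the only thing keeping the service-account bind and every user password off the wire is the commented default `#idp.authn.LDAP.useStartTLS = true`; uncomment it as `idp.authn.LDAP.useStartTLS = true` so a future upgrade or merge cannot silently flip the default, and make sure `credentials/ldap-server.crt` really holds the directory's certificate, since `certificateTrust` is the implied `sslConfig` and the resolver side inherits the same value via `%{idp.authn.LDAP.useStartTLS:true}`. `baseDN`, `dnFormat` and `bindDN = uid=myservice,ou=system` still carry `dc=example,dc=org` placeholders, so this cannot be the intended directory and deserves a `# TODO: replace with the real directory DNs` comment. The bind password is rightly absent from this file and must stay in secrets.properties.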
@@ -0,0 +1,192 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ${idp.logfiles}/idp-process.log + + + ${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory} + + + + UTF-8 + %date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{short} + + + + + + + VelocityStatusMatcher + ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\. + + VelocityStatusMatcher.matches(formattedMessage) + + DENY + + + + + + 0 + + + + + + WARN + + + ${idp.logfiles}/idp-warn.log + + + ${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory} + + + + UTF-8 + %date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{full} + + + + + + + VelocityStatusMatcher + ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\. + + VelocityStatusMatcher.matches(formattedMessage) + + DENY + + + + + + ${idp.logfiles}/idp-audit.log + + + ${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory} + + + + UTF-8 + %msg%n + + + + + + ${idp.logfiles}/idp-consent-audit.log + + + ${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz + ${idp.loghistory} + + + + UTF-8 + %msg%n + + + + + + ${idp.fticks.loghost:-localhost} + ${idp.fticks.logport:-514} + AUTH + [%thread] %logger %msg + + + + + + + + + + + + + + + + + + + + diff --git a/conf/metadata-providers.xml b/conf/metadata-providers.xml new file mode 100644 index 0000000..d5cb34b --- /dev/null +++ b/conf/metadata-providers.xml @@ -0,0 +1,89 @@ + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/relying-party.xml b/conf/relying-party.xml new file mode 100644 index 0000000..439e7f1 --- /dev/null +++ b/conf/relying-party.xml @@ -0,0 +1,72 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/conf/saml-nameid.properties b/conf/saml-nameid.properties new file mode 100644 index 0000000..08b66c5 --- /dev/null 
+++ b/conf/saml-nameid.properties @@ -0,0 +1,31 @@ +# Properties involving SAML NameIdentifier/NameID generation/consumption + +# For the most part these settings only deal with "transient" and "persistent" +# identifiers. See saml-nameid.xml and c14n/subject-c14n.xml for advanced +# settings + +# Default NameID Formats to use when nothing else is called for. +# Don't change these just to change the Format used for a single SP! +#idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient +#idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier + +# Set to shibboleth.StoredTransientIdGenerator for server-side transient ID storage +#idp.transientId.generator = shibboleth.CryptoTransientIdGenerator + +# Persistent IDs can be computed on the fly with a hash, or managed in a database + +# For computed IDs, set a source attribute, and a secret salt in secrets.properties +#idp.persistentId.sourceAttribute = changethistosomethingreal +#idp.persistentId.useUnfilteredAttributes = true +#idp.persistentId.algorithm = SHA +# BASE64 will match V2 values, we recommend BASE32 encoding for new installs. +idp.persistentId.encoding = BASE32 + +# To use a database, use shibboleth.StoredPersistentIdGenerator +#idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator +# For basic use, set this to a JDBC DataSource bean name: +#idp.persistentId.dataSource = PersistentIdDataSource +# Controls which JDBC error codes are treated as retryable +#idp.persistentId.retryableErrors = 23000,23505 +# Set to an empty property to skip hash-based generation of first stored ID +#idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator diff --git a/conf/saml-nameid.xml b/conf/saml-nameid.xml new file mode 100644 index 0000000..7d82cf5 --- /dev/null +++ b/conf/saml-nameid.xml @@ -0,0 +1,64 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
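Review bot: `idp.persistentId.encoding = BASE32` is enabled while `idp.persistentId.sourceAttribute` is still the commented placeholder `changethistosomethingreal`, so computed persistent IDs cannot actually be issued yet; when they are, the source attribute must be one that is never reassigned to another person, because the salted `SHA` hash cannot detect reuse, and the salt belongs only in secrets.properties. The entityID set in idp.properties ends in `storedid`, which suggests the database-backed `shibboleth.StoredPersistentIdGenerator` is the plan; if so `idp.persistentId.generator` and `idp.persistentId.dataSource` need to be set, and this hunk leaves both commented at their computed-ID defaults.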
diff --git a/conf/services.properties b/conf/services.properties new file mode 100644 index 0000000..2928dda --- /dev/null +++ b/conf/services.properties 
@@ -0,0 +1,83 @@
+# Configure the resources to load for various services,
+# and the settings for failure handling and auto-reload.
+
+# failFast=true prevents IdP startup if a configuration is bad
+# checkInterval = PT0S means never reload (this is the default)
+
+# Global default for fail-fast behavior of most subsystems
+# with individual override possible below.
+#idp.service.failFast = false
+
+#idp.service.logging.resource = %{idp.home}/conf/logback.xml
+#idp.service.logging.failFast = true
+idp.service.logging.checkInterval = PT5M
+
+#idp.service.relyingparty.resources = shibboleth.RelyingPartyResolverResources
+#idp.service.relyingparty.failFast = false
+idp.service.relyingparty.checkInterval = PT15M
+# See MetadataDrivenConfiguration wiki topic for details
+idp.service.relyingparty.ignoreUnmappedEntityAttributes=true
+
+#idp.service.metadata.resources = shibboleth.MetadataResolverResources
+#idp.service.metadata.failFast = false
+#idp.service.metadata.checkInterval = PT0S
+# Set to false if not using ByReference MetadataFilters for a small perf gain
+#idp.service.metadata.enableByReferenceFilters = true
+
+#idp.service.attribute.registry.resources = shibboleth.AttributeRegistryResources
+#idp.service.attribute.registry.failFast = false
+idp.service.attribute.registry.checkInterval = PT15M
+# Default control of whether to encode XML attribute data with xsi:type
+idp.service.attribute.registry.encodeType = false
+
+#idp.service.attribute.resolver.resources = shibboleth.AttributeResolverResources
+#idp.service.attribute.resolver.failFast = false
+idp.service.attribute.resolver.checkInterval = PT15M
+#idp.service.attribute.resolver.maskFailures = true
+#idp.service.attribute.resolver.stripNulls = false
+#idp.service.attribute.resolver.suppressDisplayInfo = true
+
+#idp.service.attribute.filter.resources = shibboleth.AttributeFilterResources
+# NOTE: Failing the filter fast leaves no filters enabled.
+#idp.service.attribute.filter.failFast = false
+idp.service.attribute.filter.checkInterval = PT15M
+#idp.service.attribute.filter.maskFailures = true
+
+#idp.service.nameidGeneration.resources = shibboleth.NameIdentifierGenerationResources
+#idp.service.nameidGeneration.failFast = false
+idp.service.nameidGeneration.checkInterval = PT15M
+
+#idp.service.access.resources = shibboleth.AccessControlResources
+#idp.service.access.failFast = true
+idp.service.access.checkInterval = PT5M
+
+#idp.service.cas.registry.resources = shibboleth.CASServiceRegistryResources
+#idp.service.cas.registry.failFast = false
+idp.service.cas.registry.checkInterval = PT15M
+
+#idp.service.managedBean.resources = shibboleth.ManagedBeanResources
+#idp.service.managedBean.failFast = false
+idp.service.managedBean.checkInterval = PT15M
+
+#idp.message.resources = shibboleth.MessageSourceResources
+#idp.message.cacheSeconds = 300
+
+# These settings impact the behavior of the internal HTTP Client used by default
+# with some internal components, but notably *not* for metadata acquisition.
+#idp.httpclient.useSecurityEnhancedTLSSocketFactory = false
+#idp.httpclient.connectionDisregardTLSCertificate = false
+#idp.httpclient.connectionRequestTimeout = PT1M
+#idp.httpclient.connectionTimeout = PT1M
+#idp.httpclient.socketTimeout = PT1M
+#idp.httpclient.maxConnectionsTotal = 100
+#idp.httpclient.maxConnectionsPerRoute = 100
+
+# These are deprecated properties that configure the old caching HttpClient
+# beans that are no longer supported. If you want to manually configure
+# the caching clients, you should define the beans yourself and if desired
+# rely on properties of your own devising.
+#idp.httpclient.memorycaching.maxCacheEntries = 50
+#idp.httpclient.memorycaching.maxCacheEntrySize = 1048576
+#idp.httpclient.filecaching.maxCacheEntries = 100
+#idp.httpclient.filecaching.maxCacheEntrySize = 10485760
+idp.httpclient.filecaching.cacheDirectory = %{idp.home}/tmp/httpClientCache
\ No newline at end of file
diff --git a/conf/services.xml b/conf/services.xml
new file mode 100644
index 0000000..24e2b1e
--- /dev/null
+++ b/conf/services.xml
@@ -0,0 +1,58 @@ + + + + + + %{idp.home}/conf/relying-party.xml + %{idp.home}/conf/credentials.xml + + + + %{idp.home}/conf/metadata-providers.xml + + + + %{idp.home}/conf/attribute-resolver.xml + + + + + %{idp.home}/conf/attribute-registry.xml + %{idp.home}/conf/attributes/default-rules.xml + %{idp.home}/conf/attribute-resolver.xml + + + + %{idp.home}/conf/attribute-filter.xml + + + + %{idp.home}/conf/saml-nameid.xml + + + + %{idp.home}/conf/access-control.xml + + + + + %{idp.home}/messages/messages + + + 
diff --git a/messages/messages.properties b/messages/messages.properties
new file mode 100644
index 0000000..b59fc89
--- /dev/null
+++ b/messages/messages.properties
@@ -0,0 +1,6 @@
+# You can define message properties here to override messages defined in
+# the system-supplied message file or to add your own messages.
+
+# You should alter these to point to different files of your own choosing.
+#idp.css = /css/placeholder.css
+#idp.logo = /images/placeholder-logo.png
diff --git a/metadata/idp-metadata.xml b/metadata/idp-metadata.xml
new file mode 100644
index 0000000..5fda831
--- /dev/null
+++ b/metadata/idp-metadata.xml 
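Review bot: `idp.httpclient.filecaching.cacheDirectory = %{idp.home}/tmp/httpClientCache` is left active directly under the comment stating that the `idp.httpclient.*caching.*` properties are deprecated and the caching beans they configured are no longer supported, so it is dead configuration that a later reader may take for a working on-disk HTTP cache. Either delete it or comment it out like its four siblings above, and terminate the file with a newline (the hunk ends with `\ No newline at end of file`). Among the settings that are actually active, `idp.service.relyingparty.ignoreUnmappedEntityAttributes=true` is the one that looks like a deliberate local choice rather than a restated default; a one-line why-comment next to it, e.g. `# Unmapped entity attributes in metadata are ignored on purpose (no metadata-driven overrides yet)`, would save the next maintainer a trip to the wiki. The commented `idp.httpclient.connectionDisregardTLSCertificate = false` should stay at that default in committed config; if it ever needs flipping for a dev host, do it in a local override rather than here.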
@@ -0,0 +1,251 @@ + + + + + + + + dev.mafoo.org.uk + + + + + + + + +MIIETDCCArSgAwIBAgIVAKG5mmaoA2ZYQJULhNoiNa1ovyl+MA0GCSqGSIb3DQEB +CwUAMCMxITAfBgNVBAMMGGlkcC1jbHVzdGVyLm1hZm9vLm9yZy51azAeFw0yMjA4 +MDUxMzMyMDJaFw00MjA4MDUxMzMyMDJaMCMxITAfBgNVBAMMGGlkcC1jbHVzdGVy +Lm1hZm9vLm9yZy51azCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALkS +pIebis25mpjh2bBDBLhTMdYEDl9qX2zEAeZ2XM9Pb7xMbeuLR6N9vtsjyMiWK+yb +cZdpXGG628uxCk3pviIpVD5k4qfBndOS1PgtH4qyOgcmHoZ7rc4QZY1vmBoj21Yn +CdSB4f69QnOuc+CZ5h54p8UZlmyPfuLG3Y2tHQZc7jePJLE6NtHfYcp6XQGDGeGx +ZUHt8F2R6wVwHSXNve3qjDzAG+Ny8tsYLuM2bHLq00Htpo+c4XHmZ8gMu+oayivc +SUCBgxnl0szdKYE5MrzfcEJVIP2SS3Zkgh5L4xcO4e5dlkyGnnhaRzv56cX2ZGSh +8TcnJT8aCh9ip1v/66btHHuRCPXr4dPWTKkXPbrVhbYTPt6xWi/BWPBodpjMygAr +Dyr4nAZU3X9DkDYUKBSUXbSXyMjC42KfwViBLlnXSBmmDQ64+zwusvs8TwKq8mbR +oinXr/37PHvBgCTT+nLV9YTJ8aG/pKVMOrTCYcb/d/hUbOsaxXjScDJrshK6fQID +AQABo3cwdTAdBgNVHQ4EFgQUNOw37BGQLIEy4V0I6OP10clXxCMwVAYDVR0RBE0w +S4IYaWRwLWNsdXN0ZXIubWFmb28ub3JnLnVrhi9odHRwczovL2lkcC1jbHVzdGVy +Lm1hZm9vLm9yZy51ay9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAYEA +EGvcsVd3TXDAb+ii80UNldCMM3VBU/erXXHYqASeEbhQK9/BeDpv0qIjHIcPdBjL +NR4KtSuCpNbZyKepu4VGtHozzWhY/FiL2SzOePNeTRqN2dKZOzafmQbIvkIzdtYW +gp7eJxUeNL5CaizNF0r4Ojj1KThccV8bwch2gahF9hvUox1jin4nHeHC6Avnn6MW +prW9SsPdOSFyx3xJ26AiicfNvMjfPwM1dakq+rJ/y1n+m/ec4D8DDNWy7420uF+e +cr43WQqC4B0NjxI/gSxq6VJexI30MSqWfOSumeLqFNaFvqh0E+xXbo4hsw6Zsd9x +Lpom30BOqVG5FE74FcmnJybsI7zvhDq1trU2lVYs0d+ypCyDpKBmbhNX/INWmiIX +MlUIyDVCYR3CsILS6HHU+qfVERz6Km1lA6HD+qo7irY1GFo8m19JpdtB/K7WdXnC +XSySYJU0ZDCIIaNjhtmh1oQeCmy+L9ATtW0r3Y6N0ZEm/wls5piTGYVKougweN95 + + + + + + + + + +MIIESzCCArOgAwIBAgIUOSgsBql9Vez9kTLTLJy4S1e2dyYwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYaWRwLWNsdXN0ZXIubWFmb28ub3JnLnVrMB4XDTIyMDgw +NTEzMzE1OFoXDTQyMDgwNTEzMzE1OFowIzEhMB8GA1UEAwwYaWRwLWNsdXN0ZXIu +bWFmb28ub3JnLnVrMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAhPzC +VZ8lRPrHxfhz1XmGbzgQngV/Ua+6QL6zqC7fFO0bMCFz79c/xgS3YSqEAQa9971u +rI+T7YXJ5D5wFtTHMEbtB7B9ZR/pkAvj/FIiaWsVfVjv/c0cWTKKKdLKqQ2sFWzx 
+hnhoaaoXJWguQdm1UQ7rd0JrRllmlKhlUeCB6ecSblAOxsvNeA5+yDXAfj+8j/wp ++VMCyA80QUo5HyyBfQXOrAQVWTWWFw2x5+sfDVvfxfOD88dvhQM5cN3+XxBsSysE +m3q4PmpbfZdXlXgGdIwyYk3EiB/Qen+iat4i3QwVAHRV1TY8FVehHLTVkN9v/PoB +5637rFEhSKcswpN1b6nuvUHNfJunu7KghVl6xRQsBg6z1/K6GBl5r7vzSvwzalTG +DqW/x9pkCfPhD7ZtvdNvplaAF1aG3CU8zsYA5w1uLvWuqGlsWFfm2aLSOIsNotW/ +uvB1AO1Chc8vm5N+QKgoC2SQiqttgF04a1h5KGF7b/8rPX8RUkE0YJxeaD8NAgMB +AAGjdzB1MB0GA1UdDgQWBBTXom6CZDuB3vgQYqplZphLaD4OfjBUBgNVHREETTBL +ghhpZHAtY2x1c3Rlci5tYWZvby5vcmcudWuGL2h0dHBzOi8vaWRwLWNsdXN0ZXIu +bWFmb28ub3JnLnVrL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBgQAs +aJGGpMRYfTtCCsEvmAXhrSrrXZq2dHeETX6TgQh21cd810lEwewXtSIWbSqbzB5Y +RaQo9mV8TzVk0sa5yYXNz5cIAOxSfDZuN3zYL1T+Db5GIqrUtNbmU/TOabwS0YsW +LCxhblJV2XVeqqlMjMdq413EEyKeAvofnWCnROGimrR7DLdd4iI3EXC2N8zOfNj0 +kA4hNKktsm/T7nBJMfrqlfLKxrgt+SqhYkJyzSTu5j8lb9tt1dvBvXKfuls9uoa/ +nYBGSlPBEi8uyleSQcw/mR6lbvvW1AL6sAy7cDhTZh1jJFgHn39kZ9IIFOC1kbHt +rStp19ng60OL8xSS6Mnhzkf09zQdnzkI9ngLcYXqwwyMQCXRANJZ6twGbfwCzfgq +UqxR4Lg7sd4JXA8YAeNOgu3HwFw+RsBgEDoI16+1NrnliYQYD6Bvqx71z+CianNq +yAPojc2UQSeT7H9GFWbgNnQF6XsRW7xtNPnZmbZ9Og3Wok1nT38hEr+4UqtC8n8= + + + + + + + + + +MIIESzCCArOgAwIBAgIUC9wy4S7aa3PVBUkskC6TbAMIE1IwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYaWRwLWNsdXN0ZXIubWFmb28ub3JnLnVrMB4XDTIyMDgw +NTEzMzE1OVoXDTQyMDgwNTEzMzE1OVowIzEhMB8GA1UEAwwYaWRwLWNsdXN0ZXIu +bWFmb28ub3JnLnVrMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtiS6 +AFIP3HB2orq7ywGx5flACG1SSLD5FmYtUXJRhSOexFYIqiPBUW9ZTRqWiKyHdHbP +AQwQHAczU8NAmA9c4tgoQfhmmpSHRl66U4pAq7c8cwr82ZIkAJUBUtwUfLW1l1rl +sNuGojwpE+d0R4kNnYfkSpt+QX+Sh5peGVuT3F267W1wE8eGTELvwemeHbpdtMDp +ExyrLjBfbndsk4GHlrnHs9yx912yte/dAHPnFOvz1JOXhA7CIfzak+Tbf3/3tAX+ +gDZ7DY+r3VTYTVL32JDvAliYLVKt5CweP46Ad8HassrUhv3gTkIf72uoZt7F8XuI +H8YoQheYOG9vFZ89P1SVEwsGvCRJExaYOjv1FbAsWMG6xCSdoAfcrhvrLxtu4tkb +uPum8bmMked1actC7wo8R4o2CGmDJ2n5lUZNUgMRix4Tn92l5MYWyFbo4zPW8sfF +e3gSFzsLt1OhuJV1Hd6vl35izACaU0pr0GWSyVJpaebkPTWw19Hwpz9FYArBAgMB +AAGjdzB1MB0GA1UdDgQWBBR0GeOz/XAhDhLcYJyFEAWes+P6vDBUBgNVHREETTBL 
+ghhpZHAtY2x1c3Rlci5tYWZvby5vcmcudWuGL2h0dHBzOi8vaWRwLWNsdXN0ZXIu +bWFmb28ub3JnLnVrL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBgQAj +YoK2BNmXK3KOQwQPY6/3DqoFzEU9F4S8cdDjrbpjHA+UmsmA7PHQC+mE3PJoNY6A +LnRJ2RDpnAZLSK1K/enRJdGSyWaD+gshhAUBie6xrFamXe5IG9QiF6O7VKsu+kpM +Qtp6iLK/B+Jos8zq0NJrKpCtixepMG1IbAcMcVnqkteiT+a9fmyIMaHcTLY+aEvW +2bfgvszgJ4rcdY5xSDiVcPtcTGuoDsyQW686tImn0sqmOJLB8q+Fo2ULFxPVc8UE +HXngmqrZ5c9I5pa8TmL1VybSxSuQ2CUiTsgbpatiL6S8dK8ex3mUCpdMW5vKO0uQ ++8JiI8ur72059JpJzbTuKezT+8A124QiUOkfsJdwqHD3+APDVXiFGUGRPFHe4a/g +YQnrYa1KOgO83dl6K0GT1pA3+RnZZEBgq7lTYHpxcavTYRy6Dvj8Of8gu7EZo7fJ ++Ety/QGKzDDc+h5bLNo2PuDx2wXdbpPQxpYgWdVNgVOdW9vumrWhcxLtNfe9vyQ= + + + + + + + + + + + + + + + + + + + +