root
2022-08-05 13:33:15 +00:00
commit 7ac8850d2f
38 changed files with 3965 additions and 0 deletions


@@ -0,0 +1,117 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
This is a map used to "weight" particular methods above others if the IdP has to randomly select one
to insert into a SAML authentication statement. The typical use shown below is to bias the IdP in favor
of expressing the SAML 2 PasswordProtectedTransport class over the more vanilla Password class on the
assumption that the IdP doesn't accept passwords via an insecure channel. This map never causes the IdP
to violate its matching rules if an RP requests a particular value; it only matters when nothing specific
is chosen. Anything not in the map has a weight of zero.
-->
<util:map id="shibboleth.AuthenticationPrincipalWeightMap">
<entry>
<key>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
</key>
<value>1</value>
</entry>
</util:map>
<!--
Uncomment and add entries to this map to support "inexact" SAML RequestedAuthnContext operators.
Please refer to the AuthenticationFlowSelection documentation topic for details and examples.
-->
<!--
<util:map id="shibboleth.AuthnComparisonRules">
</util:map>
-->
<!-- List of context classes or declarations to ignore if an SP requests them. -->
<util:list id="shibboleth.IgnoredContexts">
<value>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</value>
</util:list>
<!--
Mappings to transform custom Principals for proxied AuthnRequests.
Key is the input, value is a collection of possibly empty outputs.
Used by default to transform authentication type values from
SPs -> Proxied IdPs.
-->
<util:map id="shibboleth.PrincipalProxyRequestMappings">
<!--
<entry>
<key>
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:classRef="https://sp.example.org/context" />
</key>
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://proxy.example.org/context1" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://proxy.example.org/context2" />
</list>
</entry>
<entry>
<key>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://sp.example.org/context" />
</key>
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://proxy.example.org/context1" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://proxy.example.org/context2" />
</list>
</entry>
-->
</util:map>
<!--
Mappings to transform proxied Principals for inclusion in Subjects.
Key is the input, value is a collection of possibly empty outputs.
Used by default to transform values from Proxied IdP. ->
-->
<util:map id="shibboleth.PrincipalProxyResponseMappings">
<!--
<entry>
<key>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://proxy.example.org/context1" />
</key>
<list>
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:classRef="https://sp.example.org/context" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://sp.example.org/context" />
</list>
</entry>
<entry>
<key>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://proxy.example.org/context2" />
</key>
<list>
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:classRef="https://sp.example.org/context" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://sp.example.org/context" />
</list>
</entry>
-->
</util:map>
</beans>
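Review bot: The root `beans` element's `xsi:schemaLocation` maps the Spring `context` namespace to its XSD, but no `xmlns:context` prefix is declared and nothing in the file uses that namespace, while `xmlns:p` is declared and never used; either drop the unused pair or declare `xmlns:context` as the sibling validators config in this commit does, so the header describes what the file actually relies on. A validating parser tolerates both, so this is a consistency point rather than a functional one. Separately, the comment above `shibboleth.PrincipalProxyResponseMappings` ends `Used by default to transform values from Proxied IdP. ->`, where the trailing `->` looks like a mangled `IdPs.`; a reader scanning for the comment terminator will trip on it, so `Used by default to transform values from Proxied IdPs -> SPs.` (mirroring the `SPs -> Proxied IdPs` wording on the request-mappings comment) would read cleanly.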


@@ -0,0 +1,22 @@
<flow xmlns="http://www.springframework.org/schema/webflow"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
abstract="true">
<!-- ADVANCED USE ONLY -->
<!--
You can ignore this file unless you are creating your own custom login subflows that want to
report custom events in response to unusual error or warning conditions.
-->
<!-- Custom error events to reflect back from user-supplied login subflows. -->
<!-- <end-state id="MyCustomEvent" /> -->
<global-transitions>
<!-- <transition on="MyCustomEvent" to="MyCustomEvent" /> -->
<transition on="#{!'proceed'.equals(currentEvent.id)}" to="InvalidEvent" />
</global-transitions>
</flow>
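Review bot: The catch-all `<transition on="#{!'proceed'.equals(currentEvent.id)}" to="InvalidEvent" />` carries an ordering constraint that the surrounding comments never state: if Spring Web Flow selects the first matching global transition in definition order, as I believe it does, any custom `<transition on="MyCustomEvent" .../>` added below it can never fire and the custom event will surface as InvalidEvent instead. The commented example is already placed above it, but a maintainer adding a second event has no cue that placement is required. Suggest a comment directly above the catch-all, `<!-- Keep this catch-all last: custom transitions added below it are unreachable. -->`, and extending the `<end-state id="MyCustomEvent" />` example's comment to say the end-state and its matching transition must be added as a pair.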

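--- a/conf/authn/authn.properties
+++ b/conf/authn/authn.properties
@@ -0,0 +1,218 @@
+# Properties that control authentication generally and the behavior of
+# specific methods.
+# Regular expression matching login flows to enable, e.g. IPAddress|Password
+#idp.authn.flows = Password
+# Default settings for most authentication methods.
+#idp.authn.defaultLifetime = PT1H
+#idp.authn.defaultTimeout = PT30M
+#idp.authn.proxyRestrictionsEnforced = true
+# Whether to populate relying party user interface information for display
+# during authentication, consent, terms-of-use.
+#idp.authn.rpui = true
+# Whether to prioritize "active" results when an SP requests more than
+# one possible matching login method (V2 behavior was to favor them)
+#idp.authn.favorSSO = false
+# Whether to fail requests when a user identity after authentication
+# doesn't match the identity in a pre-existing session.
+#idp.authn.identitySwitchIsError = false
+# If using IdP discovery feature, provides a discovery location to use.
+#idp.authn.discoveryURL = https://ds.example.org/shibboleth-ds/index.html
+# Properties below override specific method behavior, as an alternative
+# to defining Spring beans in XML. Refer to the documentation for a complete
+# list. Many of the properties below are mentioned only because they are
+# atypical defaults assumed for a given method.
+# Flow selection among multiple equivalent options can be managed with
+# the order properties, lower will be tried first.
+#### Password ####
+#idp.authn.Password.order = 1000
+#idp.authn.Password.passiveAuthenticationSupported = true
+#idp.authn.Password.forcedAuthenticationSupported = true
+# Override this and removeAfterValidation to require all validators to succeed
+#idp.authn.Password.requireAll = false
+# Override to keep the password around
+#idp.authn.Password.removeAfterValidation = true
+# Override to store password in Java Subject
+#idp.authn.Password.retainAsPrivateCredential = false
+# Simple username transforms before validation
+#idp.authn.Password.trim = true
+#idp.authn.Password.lowercase = false
+#idp.authn.Password.uppercase = false
+#idp.authn.Password.matchExpression =
+# Override default form field names
+#idp.authn.Password.usernameFieldName = j_username
+#idp.authn.Password.passwordFieldName = j_password
+#idp.authn.Password.ssoBypassFieldName = donotcache
+# Unset if using customized Principals per validator
+#idp.authn.Password.addDefaultPrincipals = true
+# The Principal collection below is the typical default if not otherwise noted.
+#idp.authn.Password.supportedPrincipals = \
+# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
+# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
+# saml1/urn:oasis:names:tc:SAML:1.0:am:password
+# Validators are controlled in password-authn-config.xml
+#### Password Backends ####
+# See ldap.properties for LDAP authn properties
+# Kerberos settings
+#idp.authn.Krb5.refreshConfig = false
+#idp.authn.Krb5.preserveTicket = false
+# Set next two for KDC verification
+#idp.authn.Krb5.servicePrincipal =
+#idp.authn.Krb5.keytab =
+# JAAS settings
+#idp.authn.JAAS.loginConfigNames = ShibUserPassAuth
+#idp.authn.JAAS.loginConfig = %{idp.home}/conf/authn/jaas.config
+#### External ####
+#idp.authn.External.order = 1000
+#idp.authn.External.nonBrowserSupported = false
+#idp.authn.External.matchExpression =
+# Unset if you plan to return full Java Subject from external source
+#idp.authn.External.addDefaultPrincipals = true
+# Servlet context-relative path to wherever your implementation lives
+idp.authn.External.externalAuthnPath = contextRelative:external.jsp
+#### RemoteUser ####
+#idp.authn.RemoteUser.order = 1000
+#idp.authn.RemoteUser.nonBrowserSupported = false
+#idp.authn.RemoteUser.matchExpression =
+# Unset in most cases only if using the authnMethodHeader or
+# subjectAttribute settings
+#idp.authn.RemoteUser.addDefaultPrincipals = true
+# Most other settings need to be supplied via web.xml to the servlet
+#### RemoteUserInternal ####
+#idp.authn.RemoteUserInternal.order = 1000
+#idp.authn.RemoteUserInternal.nonBrowserSupported = true
+# Unset in most cases only if using the authnMethodHeader feature
+#idp.authn.RemoteUserInternal.addDefaultPrincipals = true
+#idp.authn.RemoteUserInternal.checkRemoteUser = true
+# Comma-delimited lists of attributes or headers to pull from
+#idp.authn.RemoteUserInternal.checkAttributes =
+#idp.authn.RemoteUserInternal.checkHeaders =
+# Simple transforms to apply
+#idp.authn.RemoteUserInternal.trim = true
+#idp.authn.RemoteUserInternal.lowercase = false
+#idp.authn.RemoteUserInternal.uppercase = false
+#idp.authn.RemoteUserInternal.matchExpression =
+#idp.authn.RemoteUserInternal.allowedUsernames =
+#idp.authn.RemoteUserInternal.deniedUsernames =
+#### SPNEGO ####
+#idp.authn.SPNEGO.order = 1000
+#idp.authn.SPNEGO.nonBrowserSupported = false
+#idp.authn.SPNEGO.enforceRun = false
+#idp.authn.SPNEGO.refreshKrbConfig = false
+#idp.authn.SPNEGO.matchExpression =
+idp.authn.SPNEGO.supportedPrincipals = \
+saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, \
+saml1/urn:ietf:rfc:1510
+#### X509 ####
+#idp.authn.X509.order = 1000
+#idp.authn.X509.nonBrowserSupported = false
+# Servlet context-relative path to wherever your implementation lives
+#idp.authn.X509.externalAuthnPath = contextRelative:x509-prompt.jsp
+idp.authn.X509.supportedPrincipals = \
+saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
+saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
+saml1/urn:ietf:rfc:2246
+#### X509Internal ####
+#idp.authn.X509Internal.order = 1000
+#idp.authn.X509Internal.nonBrowserSupported = false
+#idp.authn.X509Internal.saveCertificateToCredentialSet = true
+idp.authn.X509Internal.supportedPrincipals = \
+saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
+saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
+saml1/urn:ietf:rfc:2246
+#### IPAddress ####
+#idp.authn.IPAddress.order = 1000
+#idp.authn.IPAddress.passiveAuthenticationSupported = true
+#idp.authn.IPAddress.lifetime = PT60S
+#idp.authn.IPAddress.inactivityTimeout = PT60S
+idp.authn.IPAddress.supportedPrincipals = \
+saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol
+#### Function ####
+#idp.authn.Function.order = 1000
+#idp.authn.Function.passiveAuthenticationSupported = true
+# Unset if you plan to return full Java Subject from function
+#idp.authn.Function.addDefaultPrincipals = true
+#### Duo ####
+#idp.authn.Duo.order = 1000
+#idp.authn.Duo.nonBrowserSupported = false
+#idp.authn.Duo.forcedAuthenticationSupported = true
+# Unset if you have advanced Duo integrations with individualized Principals
+#idp.authn.Duo.addDefaultPrincipals = true
+# The list below should be changed to reflect whatever locally- or
+# community-defined values are appropriate to represent Duo. It is
+# strongly advised that the value not be specific to Duo or any
+# particular technology to avoid lock-in.
+idp.authn.Duo.supportedPrincipals = \
+saml2/http://example.org/ac/classes/mfa, \
+saml1/http://example.org/ac/classes/mfa
+# Default Duo integration settings are defined separately
+# in duo.properties due to the sensitivity of the secret key.
+#### SAML ####
+#idp.authn.SAML.order = 1000
+#idp.authn.SAML.nonBrowserSupported = false
+#idp.authn.SAML.passiveAuthenticationSupported = true
+#idp.authn.SAML.forcedAuthenticationSupported = true
+#idp.authn.SAML.proxyScopingEnforced = true
+# Discovery options:
+# Define shibboleth.authn.SAML.discoveryFunction bean
+# Set proxyEntityID property
+# Fall through to discovery via discoveryRequired property
+#idp.authn.SAML.proxyEntityID = https://idp.example.org/idp/shibboleth
+#idp.authn.SAML.discoveryRequired = true
+# Generally left false with bidirectional mappings in
+# conf/authn/authn-comparison.xml across the proxy boundary.
+# Adjust as needed to reflect IdP's capabilities/support.
+#idp.authn.SAML.addDefaultPrincipals = false
+#idp.authn.SAML.supportedPrincipals = \
+# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
+# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
+# saml1/urn:oasis:names:tc:SAML:1.0:am:password
+#### MFA ####
+#idp.authn.MFA.order = 1000
+#idp.authn.MFA.passiveAuthenticationSupported = true
+#idp.authn.MFA.forcedAuthenticationSupported = true
+#idp.authn.MFA.validateLoginTransitions = true
+# The list below almost certainly requires changes, and should generally be the
+# union of any of the separate factors you combine in your particular MFA flow
+# rules. The example corresponds to the example in mfa-authn-config.xml that
+# combines IPAddress with Password.
+idp.authn.MFA.supportedPrincipals = \
+saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
+saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
+saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
+saml1/urn:oasis:names:tc:SAML:1.0:am:password
+# Most actual setup via mfa-authn-config.xml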
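Review bot: The comment `# Set next two for KDC verification` above `#idp.authn.Krb5.servicePrincipal =` and `#idp.authn.Krb5.keytab =` understates what is at stake: as I read the Kerberos validator's documentation, with both unset the validator has no service key of its own to check the KDC's reply against, so a password check succeeds on whatever answers as the KDC and the control rests entirely on the integrity of KDC discovery. Suggest `# Set next two so the validator verifies the KDC's reply against the IdP's own service key; left unset, the KDC response is accepted unverified.` Relatedly, `idp.authn.External.externalAuthnPath = contextRelative:external.jsp` is the only live (uncommented) External setting and points at a sample JSP; a comment noting that it only takes effect once `External` is listed in `idp.authn.flows`, and that the sample page must be replaced by the deployer's implementation, would help a reviewer tell active defaults from illustrative examples in this file.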


@@ -0,0 +1,112 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
Ordered list of CredentialValidators to apply to a request.
The four supplied variants are shown below; the HTPasswd option
is an OOB default for demo account purposes, and you will
want to remove it after initial install and testing.
-->
<util:list id="shibboleth.authn.Password.Validators">
<ref bean="shibboleth.LDAPValidator" />
<!-- <ref bean="shibboleth.KerberosValidator" /> -->
<!-- <ref bean="shibboleth.JAASValidator" /> -->
<!-- <bean parent="shibboleth.HTPasswdValidator" p:resource="%{idp.home}/credentials/demo.htpasswd" /> -->
</util:list>
<!-- Apply any regular expression replacement pairs to username before validation. -->
<util:list id="shibboleth.authn.Password.Transforms">
<!--
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.org$" p:second="$1" />
-->
</util:list>
<!-- Uncomment to configure account lockout backed by in-memory storage. -->
<!--
<bean id="shibboleth.authn.Password.AccountLockoutManager"
parent="shibboleth.StorageBackedAccountLockoutManager"
p:maxAttempts="5"
p:counterInterval="PT5M"
p:lockoutDuration="PT5M"
p:extendLockoutDuration="false" />
-->
<!--
Define entries here to map error messages detected by validation actions and classify them as particular
kinds of errors for use in your templates and as events in flows.
Keys are events to signal, values are error codes.
-->
<util:map id="shibboleth.authn.Password.ClassifiedMessageMap">
<entry key="UnknownUsername">
<list>
<value>NoCredentials</value>
<value>UnknownUsername</value>
<value>CLIENT_NOT_FOUND</value>
<value>Client not found</value>
<value>Cannot get kdc for realm</value>
<value>Client not found in Kerberos database</value>
<value>DN_RESOLUTION_FAILURE</value>
<value>Cannot authenticate dn, invalid dn</value>
<value>Cannot authenticate dn, invalid credential</value>
<value>AcceptSecurityContext error, data 525</value>
</list>
</entry>
<entry key="InvalidPassword">
<list>
<value>InvalidCredentials</value>
<value>PREAUTH_FAILED</value>
<value>INVALID_CREDENTIALS</value>
<value>Checksum failed</value>
<value>Integrity check on decrypted field failed</value>
<value>Pre-authentication information was invalid</value>
<value>Key bytes cannot be null</value>
<value>AcceptSecurityContext error, data 52e</value>
</list>
</entry>
<entry key="AccountLocked">
<list>
<value>AccountLocked</value>
<value>Clients credentials have been revoked</value>
<value>AcceptSecurityContext error, data 775</value>
</list>
</entry>
<entry key="AccountDisabled">
<list>
<value>AcceptSecurityContext error, data 533</value>
</list>
</entry>
<entry key="ExpiredPassword">
<list>
<value>PASSWORD_EXPIRED</value>
<value>CLIENT KEY EXPIRED</value>
<value>AcceptSecurityContext error, data 532</value>
<value>AcceptSecurityContext error, data 773</value>
<value>AcceptSecurityContext error, data 701</value>
</list>
</entry>
<entry key="ExpiringPassword">
<list>
<value>ACCOUNT_WARNING</value>
</list>
</entry>
<entry key="RequestUnsupported">
<list>
<value>RequestUnsupported</value>
</list>
</entry>
</util:map>
</beans>
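Review bot: The header comment on `shibboleth.authn.Password.Validators` says the HTPasswd option "is an OOB default for demo account purposes" that you "will want to remove", but in the list it documents the `shibboleth.HTPasswdValidator` bean is already commented out and `shibboleth.LDAPValidator` is the only active entry, so the comment describes a different state than the configuration beneath it. Suggest rewording to `The four supplied variants are shown below; only the LDAP validator is active. The HTPasswd variant exists for demo accounts and should stay disabled outside initial testing.` Relatedly, the `shibboleth.authn.Password.AccountLockoutManager` bean remains commented out, so this file configures no attempt throttling for password logins; if that is deliberate because the LDAP directory enforces lockout server-side, a one-line comment saying so would save the next reviewer from raising it again.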