import

conf/c14n/subject-c14n-events-flow.xml

@@ -0,0 +1,22 @@
+<flow xmlns="http://www.springframework.org/schema/webflow"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
+      abstract="true">
+
+    <!-- ADVANCED USE ONLY -->
+    
+    <!--
+    You can ignore this file unless you are creating your own custom c14n subflows that want to
+    report custom events in response to unusual error or warning conditions.
+    -->
+
+    <!-- Custom error events to reflect back from user-supplied c14n subflows. -->
+    
+    <!-- <end-state id="MyCustomEvent" /> -->
+
+    <global-transitions>
+        <!-- <transition on="MyCustomEvent" to="MyCustomEvent" /> -->
+        <transition on="#{!'proceed'.equals(currentEvent.id)}" to="InvalidEvent" />
+    </global-transitions>
+
+</flow>

conf/c14n/subject-c14n.properties

@@ -0,0 +1,40 @@
+# Properties that control the behavior of post-login subject c14n flows.
+# A few more advanced settings require XML configuration, see flow-specific docs.
+
+
+# Simple username -> principal name c14n
+#idp.c14n.simple.lowercase = false
+#idp.c14n.simple.uppercase = false
+#idp.c14n.simple.trim = true
+
+
+# Attribute resolution -> principal name c14n
+#idp.c14n.attribute.lowercase = false
+#idp.c14n.attribute.uppercase = false
+#idp.c14n.attribute.trim = true
+# Lists of attributes to resolve...
+#idp.c14n.attribute.attributesToResolve =
+#  and then select a principal name from
+#idp.c14n.attribute.attributeSourceIds =
+# Allows direct use of attributes via SAML proxy authn, bypasses resolver
+#idp.c14n.attribute.resolveFromSubject = false
+#idp.c14n.attribute.resolutionCondition = shibboleth.Conditions.TRUE
+
+# X.509 certificate -> principal name c14n
+#idp.c14n.x500.lowercase = false
+#idp.c14n.x500.uppercase = false
+#idp.c14n.x500.trim = true
+# Precedence is to check for a subjectAltName and then an OID RDN
+# Comma-delimited list of subjectAltName type numbers
+#  (See https://tools.ietf.org/html/rfc5280#section-4.2.1.6)
+#idp.c14n.x500.subjectAltNameTypes = 
+# Comma-delimited list of OIDS
+#idp.c14n.x500.objectIDs = 
+
+# Proxied SAML NameID -> principal name c14n
+#idp.c14n.saml.proxy.lowercase = false
+#idp.c14n.saml.proxy.uppercase = false
+
+# NameID consumption from SAML requests
+#idp.c14n.saml.lowercase = false
+#idp.c14n.saml.uppercase = false

conf/c14n/subject-c14n.xml

@@ -0,0 +1,151 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+    
+    <!-- ========================= Java Subject -> Principal Mapping ========================= -->
+
+    <!--
+    These are lists of Subject Canonicalization flows that turn complex Subject data into a string-based
+    principal name that the rest of the IdP can operate on. They're used primarily after authentication
+    and also during less common operations like SAML attribute queries, to map the SAML Subject into a
+    principal name.
+    
+    Flows are identified with an ID that corresponds to a Spring Web Flow subflow name.
+    
+    Most of the simple settings that configure these flows are in subject-c14n.properties.
+    -->
+
+    <!--
+    ====================================================================
+    Flows used after authentication to produce canonical principal name.
+    ====================================================================
+    -->
+    <util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
+        <!--
+        This is an advanced post-login step that performs attribute resolution and then produces a username
+        from an attribute value. To enable universally, just uncomment, but if you want it to run under more
+        specific conditions, set an activationCondition property to a condition to apply. 
+        -->
+        <!-- <bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" /> -->
+
+        <!--
+        This is an advanced option for use with SAML 2 proxy authentication to a second IdP that
+        derives the principal name semi-directly from the incoming NameID value. It is functionally
+        akin to the c14n/SAML2Transform flow for SAML Request scenarios, but separately defined so
+        a suitably restrictive format list and/or condition can be applied to it. 
+        -->
+        <!-- <ref bean="c14n/SAML2ProxyTransform" /> -->
+
+        <!--
+        This is an alternative that handles Subjects containing an X500Principal object and
+        allows extraction from the DN.
+        -->
+        <ref bean="c14n/x500" />
+
+        <!--
+        This is the standard post-login step that returns a username derived from the login process. If you
+        have more complex needs such as mapping a certificate DN into a principal name, an alternative may
+        be required such as that above, but you can use this for simple transforms.
+        -->
+        <ref bean="c14n/simple" />
+    </util:list>
+    
+    <!-- What SAML NameID formats do you want to support direct transformations for while proxying? -->
+    <util:list id="shibboleth.ProxyNameTransformFormats">
+        <value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</value>
+        <value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</value>
+        <value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</value>
+        <value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</value>
+        <value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</value>
+    </util:list>
+    
+    <!--
+    Under what conditions should direct NameID mapping during proxying be allowed? By default, never.
+    Any condition can be used here; the example is suitable for enumerating a number of IdPs to allow.
+    -->
+    <bean id="shibboleth.ProxyNameTransformPredicate" parent="shibboleth.Conditions.ProxyAuthentication">
+        <constructor-arg name="collection">
+            <list>
+                <!-- <value>https://idp-proxy.example.org</value> -->
+            </list>
+        </constructor-arg>
+    </bean>
+    
+    <!--
+    Regular expression transforms to apply to incoming proxied subject names. The default empty list just
+    echoes the name through unmodified.
+    -->
+    <util:list id="shibboleth.ProxyNameTransforms">
+        <!--
+        <bean parent="shibboleth.Pair" p:first="^(.+)@example\.org$" p:second="$1" />
+        -->
+    </util:list>
+    
+    
+    <!--
+    =======================================================================
+    Flows used during SAML requests to reverse-map NameIdentifiers/NameIDs.
+    Below the list are some settings that might be useful to adjust.
+    =======================================================================
+    -->
+    <util:list id="shibboleth.SAMLSubjectCanonicalizationFlows">
+
+        <!-- The next four are for handling transient IDs (in-storage and stateless variants). -->
+        <ref bean="c14n/SAML2Transient" />
+        <ref bean="c14n/SAML2CryptoTransient" />
+        <ref bean="c14n/SAML1Transient" /> 
+        <ref bean="c14n/SAML1CryptoTransient" /> 
+        
+        <!-- Handle a SAML 2 persistent ID, provided a stored strategy is in use. -->
+        <!-- <ref bean="c14n/SAML2Persistent" /> -->
+        
+        <!--
+        Finally we have beans for decoding arbitrary SAML formats directly. By default, these are turned off,
+        having *no* circumstances for which they apply (see shibboleth.TransformNamePredicate below).
+        -->
+        <ref bean="c14n/SAML2Transform" />
+        <ref bean="c14n/SAML1Transform" />
+    </util:list>
+    
+    <!-- What SAML NameID formats do you want to support direct transformations for? -->
+    <util:list id="shibboleth.NameTransformFormats">
+        <value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</value>
+        <value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</value>
+        <value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</value>
+        <value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</value>
+        <value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</value>
+    </util:list>
+
+    <!--
+    Under what conditions should direct NameID mapping be allowed? By default, never.
+    Any condition can be used here; the example is suitable for enumerating a number of SPs to allow.
+    -->
+    <bean id="shibboleth.NameTransformPredicate" parent="shibboleth.Conditions.RelyingPartyId">
+        <constructor-arg name="candidates">
+            <list>
+                <!-- <value>https://sp.example.org</value> -->
+            </list>
+        </constructor-arg>
+    </bean>
+    
+    <!--
+    Regular expression transforms to apply to incoming subject names. The default empty list just
+    echoes the name through unmodified.
+    -->
+    <util:list id="shibboleth.NameTransforms">
+        <!--
+        <bean parent="shibboleth.Pair" p:first="^(.+)@example\.org$" p:second="$1" />
+        -->
+    </util:list>
+    
+</beans>