foo/shib-storedid2computedid-example
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

import

Browse Source
This commit is contained in:
root
2022-08-05 13:33:15 +00:00
commit 7ac8850d2f
38 changed files with 3965 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
.gitignore vendored Normal file
View File

@@ -0,0 +1,9 @@
bin
credentials
dist
doc
edit-webapp
flows
logs
views
war

68
conf/access-control.xml Normal file
View File

@@ -0,0 +1,68 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
Map of access control policies used to limit access to administrative functions.
The purpose of the map is to label policies with a key/name so they can be reused.
-->
<!--
Use the "shibboleth.IPRangeAccessControl" parent bean for IP-based access control.
The ranges provided MUST be CIDR network expressions. To specify a single address,
add "/32" or "/128" for IPv4 or IPv6 respectively.
The additional examples below demonstrate how to control access by username
and by attribute(s), in the case of authenticated access to admin functions.
-->
<util:map id="shibboleth.AccessControlPolicies">
<entry key="AccessByIPAddress">
<bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
</entry>
<!--
<entry key="AccessByAdminUser">
<bean parent="shibboleth.PredicateAccessControl">
<constructor-arg>
<bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
</constructor-arg>
</bean>
</entry>
-->
<!--
<entry key="AccessByAttribute">
<bean parent="shibboleth.PredicateAccessControl">
<constructor-arg>
<bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
<property name="attributeValueMap">
<map>
<entry key="eduPersonEntitlement">
<list>
<value>https://example.org/entitlement/idpadmin</value>
</list>
</entry>
</map>
</property>
</bean>
</constructor-arg>
</bean>
</entry>
-->
</util:map>
</beans>

73
conf/admin/admin.properties Normal file
View File

@@ -0,0 +1,73 @@
# Configure properties controlling administrative features
#idp.status.logging = Status
#idp.status.accessPolicy = AccessByIPAddress
#idp.status.authenticated = false
#idp.status.nonBrowserSupported = false
#idp.status.defaultAuthenticationMethods =
#idp.status.resolveAttributes = false
#idp.status.postAuthenticationFlows =
#idp.reload.logging = Reload
#idp.reload.accessPolicy = AccessByIPAddress
#idp.reload.authenticated = false
#idp.reload.nonBrowserSupported = false
#idp.reload.defaultAuthenticationMethods =
#idp.reload.resolveAttributes = false
#idp.reload.postAuthenticationFlows =
#idp.resolvertest.logging = ResolverTest
#idp.resolvertest.accessPolicy = AccessByIPAddress
#idp.resolvertest.authenticated = false
#idp.resolvertest.nonBrowserSupported = false
#idp.resolvertest.defaultAuthenticationMethods =
#idp.resolvertest.resolveAttributes = false
#idp.resolvertest.postAuthenticationFlows =
#idp.mdquery.logging = MetadataQuery
#idp.mdquery.accessPolicy = AccessByIPAddress
#idp.mdquery.authenticated = false
#idp.mdquery.nonBrowserSupported = false
#idp.mdquery.defaultAuthenticationMethods =
#idp.mdquery.resolveAttributes = false
#idp.mdquery.postAuthenticationFlows =
#idp.metrics.logging = Metrics
#idp.metrics.authenticated = false
#idp.metrics.nonBrowserSupported = false
#idp.metrics.defaultAuthenticationMethods =
#idp.metrics.resolveAttributes = false
#idp.metrics.postAuthenticationFlows =
# See admin/metrics.xml for other configuration
#idp.hello.logging = Hello
#idp.hello.accessPolicy = AccessByAdminUser
#idp.hello.authenticated = true
#idp.hello.nonBrowserSupported = false
#idp.hello.defaultAuthenticationMethods =
#idp.hello.resolveAttributes = true
#idp.hello.postAuthenticationFlows =
#idp.lockout.logging = Lockout
#idp.lockout.accessPolicy = AccessDenied
#idp.lockout.authenticated = false
#idp.lockout.nonBrowserSupported = false
#idp.lockout.defaultAuthenticationMethods =
#idp.lockout.resolveAttributes = false
#idp.lockout.postAuthenticationFlows =
#idp.storage.logging = Storage
#idp.storage.accessPolicy = AccessDenied
#idp.storage.authenticated = false
#idp.storage.nonBrowserSupported = false
#idp.storage.defaultAuthenticationMethods =
#idp.storage.resolveAttributes = false
#idp.storage.postAuthenticationFlows =
#idp.unlock-keys.logging = UnlockKeys
#idp.unlock-keys.accessPolicy = AccessDenied
#idp.unlock-keys.authenticated = true
#idp.unlock-keys.nonBrowserSupported = false
#idp.unlock-keys.defaultAuthenticationMethods =
#idp.unlock-keys.resolveAttributes = false
#idp.unlock-keys.postAuthenticationFlows =

142
conf/admin/metrics.xml Normal file
View File

@@ -0,0 +1,142 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- Metrics enablement / activation. -->
<!--
Register one or more of the built-in system metric sets available.
-->
<bean parent="shibboleth.metrics.RegisterMetricSets">
<property name="arguments">
<list>
<ref bean="shibboleth.metrics.CoreGaugeSet" />
<ref bean="shibboleth.metrics.IdPGaugeSet" />
<ref bean="shibboleth.metrics.LoggingGaugeSet" />
<ref bean="shibboleth.metrics.AccessControlGaugeSet" />
<ref bean="shibboleth.metrics.MetadataGaugeSet" />
<ref bean="shibboleth.metrics.NameIdentifierGaugeSet" />
<ref bean="shibboleth.metrics.RelyingPartyGaugeSet" />
<ref bean="shibboleth.metrics.AttributeRegistryGaugeSet" />
<ref bean="shibboleth.metrics.AttributeResolverGaugeSet" />
<ref bean="shibboleth.metrics.AttributeFilterGaugeSet" />
<ref bean="shibboleth.metrics.CASServiceRegistryGaugeSet" />
<ref bean="shibboleth.metrics.ManagedBeanGaugeSet" />
<!--
<bean class="com.codahale.metrics.jvm.CachedThreadStatesGaugeSet"
c:_0="1" c:_1="#{T(java.util.concurrent.TimeUnit).MINUTES}" />
<bean class="com.codahale.metrics.jvm.ClassLoadingGaugeSet" />
<bean class="com.codahale.metrics.jvm.GarbageCollectorMetricSet" />
<bean class="com.codahale.metrics.jvm.MemoryUsageGaugeSet" />
-->
</list>
</property>
</bean>
<!-- Metrics REST API Configuration -->
<!--
The global metric set is available by default at /idp/profile/admin/metrics
Any pathinfo after that is assumed to identify specific named metrics. You can
create mappings here between a logical "group" name and an implementation of the
com.codahale.metrics.MetricFilter interface to specify which metrics to include.
-->
<util:map id="shibboleth.metrics.MetricGroups">
<entry key="core" value-ref="shibboleth.metrics.CoreGaugeSet" />
<entry key="idp" value-ref="shibboleth.metrics.IdPGaugeSet" />
<entry key="logging" value-ref="shibboleth.metrics.LoggingGaugeSet" />
<entry key="access" value-ref="shibboleth.metrics.AccessControlGaugeSet" />
<entry key="metadata" value-ref="shibboleth.metrics.MetadataGaugeSet" />
<entry key="nameid" value-ref="shibboleth.metrics.NameIdentifierGaugeSet" />
<entry key="relyingparty" value-ref="shibboleth.metrics.RelyingPartyGaugeSet" />
<entry key="registry" value-ref="shibboleth.metrics.AttributeRegistryGaugeSet" />
<entry key="resolver" value-ref="shibboleth.metrics.AttributeResolverGaugeSet" />
<entry key="filter" value-ref="shibboleth.metrics.AttributeFilterGaugeSet" />
<entry key="cas" value-ref="shibboleth.metrics.CASServiceRegistryGaugeSet" />
<entry key="bean" value-ref="shibboleth.metrics.ManagedBeanGaugeSet" />
</util:map>
<!-- Add any desired properties into set to expose them as IdP metrics. -->
<!--
<util:set id="shibboleth.metrics.ExposedProperties">
<value>idp.entityID</value>
</util:set>
-->
<!-- If you don't specify an alternate access policy, this named policy will be enforced. -->
<bean id="shibboleth.metrics.DefaultAccessPolicy" class="java.lang.String" c:_0="AccessByIPAddress" />
<!--
To override the default access policy, map a metric name or
mapped group above to an alternative policy name.
-->
<util:map id="shibboleth.metrics.AccessPolicyMap">
</util:map>
<!--
In addition to the "pull" REST API for accessing metrics, a "push" reporter is also
available to upload a JSON feed to a URL. The example shown relies on standard JVM
trust configuration for TLS server verification.
The "start" method triggers the timer thread; the example pushes every 30 minutes.
-->
<!--
<bean id="PushReporter" parent="shibboleth.metrics.HTTPReporter" c:name="MyCollector"
p:collectorURL="https://log.example.org/cgi-bin/collector.cgi" />
<bean class="org.springframework.beans.factory.config.MethodInvokingBean"
p:targetObject-ref="PushReporter"
p:targetMethod="start">
<property name="arguments">
<list>
<value>30</value>
<util:constant static-field="java.util.concurrent.TimeUnit.MINUTES" />
</list>
</property>
</bean>
-->
<!-- IdP Metrics Configuration -->
<!--
A bean named shibboleth.metrics.MetricStrategy of type Function<ProfileRequestContext,Boolean>
can be defined to add timers and counters to a large range of objects in the system. Each timer is
defined by a triple (timer name, start object, stop object). Counters are just object/counter pairs.
The most common example is to start a timer when a particular flow action bean starts and
stop it when the same or different action bean stops, to measure how long the execution takes.
If you want to leave a timer in place but disabled to prevent overhead, you can turn off a
logging category named "metrics.<timername>" in your logging configuration.
-->
<!--
<bean id="shibboleth.metrics.MetricStrategy" parent="shibboleth.ContextFunctions.Scripted"
factory-method="inlineScript">
<constructor-arg>
<value>
<![CDATA[
metricCtx = input.getSubcontext("org.opensaml.profile.context.MetricContext");
metricCtx.addTimer("idp.attribute.resolution",
"ResolveAttributes",
"FilterAttributes"
);
true; // Signals success.
]]>
</value>
</constructor-arg>
</bean>
-->
</beans>

104
conf/attribute-filter.xml Normal file
View File

@@ -0,0 +1,104 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is an EXAMPLE policy file. While the policy presented in this
example file is illustrative of some simple cases, it relies on the names of
non-existent example services and the example attributes demonstrated in the
default attribute-resolver.xml file.
This example does contain some usable "general purpose" policies that may be
useful in conjunction with specific deployment choices, but those policies may
not be applicable to your specific needs or constraints.
-->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
xmlns="urn:mace:shibboleth:2.0:afp"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
<!-- Release home org signifier to everybody. -->
<AttributeFilterPolicy id="alwaysRelease">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
</AttributeFilterPolicy>
<!--
Example rule relying on a locally applied tag in metadata to trigger attribute
release of some specific attributes. Add additional attributes as desired.
-->
<AttributeFilterPolicy id="Per-Attribute-singleValued">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="eduPersonPrincipalName" />
</AttributeRule>
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="mail" />
</AttributeRule>
</AttributeFilterPolicy>
<!--
Same as above but more efficient form for an attribute with multiple values.
-->
<AttributeFilterPolicy id="Per-Attribute-Affiliation">
<PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="eduPersonScopedAffiliation" />
<AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
</AttributeFilterPolicy>
<!--
Example rule for honoring Subject ID requirement tag in metadata.
The example supplies pairwise-id if subject-id isn't explicitly required.
-->
<AttributeFilterPolicy id="subject-identifiers">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="samlPairwiseID">
<PermitValueRule xsi:type="OR">
<Rule xsi:type="EntityAttributeExactMatch"
attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="pairwise-id" />
<Rule xsi:type="EntityAttributeExactMatch"
attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="any" />
</PermitValueRule>
</AttributeRule>
<AttributeRule attributeID="samlSubjectID">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="subject-id" />
</AttributeRule>
</AttributeFilterPolicy>
<!-- Release an additional attribute to an SP. -->
<AttributeFilterPolicy id="example1">
<PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
<AttributeRule attributeID="uid" permitAny="true" />
</AttributeFilterPolicy>
<!-- Release eduPersonScopedAffiliation to two specific SPs. -->
<AttributeFilterPolicy id="example2">
<PolicyRequirementRule xsi:type="OR">
<Rule xsi:type="Requester" value="https://sp.example.org" />
<Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
</PolicyRequirementRule>
<AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
</AttributeFilterPolicy>
</AttributeFilterPolicyGroup>

29
conf/attribute-registry.xml Normal file
View File

@@ -0,0 +1,29 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
The system comes preconfigured to load rules directly from resource files
configured in services.xml so they're monitored for changes.
You can add mappings here, add more XML resource files, or drop property
files into the directory noted below, but they won't be monitored for changes
themselves.
-->
<!-- Default directory for custom mappings. -->
<bean parent="shibboleth.TranscodingRuleLoader"
c:dir="%{idp.home}/conf/attributes/custom"
c:extensions="#{{'.txt', '.props', '.properties', '.rule'}}" />
</beans>

78
conf/attribute-resolver.xml Normal file
View File

@@ -0,0 +1,78 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is a rudimentary example. While it is semi-functional, it isn't very
interesting. It is here only as a starting point for your deployment process
to avoid any dependency on components like an LDAP directory.
Very few attribute definitions and data connectors are demonstrated, and the
data is derived statically from the logged-in username and a static example
connector.
The file(s) in the examples directory contain more examples that involve more
complex approaches. Deployers should refer to the documentation for a complete
list of possible components and their options.
-->
<AttributeResolver
xmlns="urn:mace:shibboleth:2.0:resolver"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
<!-- ========================================== -->
<!-- Attribute Definitions -->
<!-- ========================================== -->
<!--
The EPPN is the "standard" federated username in higher ed.
For guidelines on the implementation of this attribute, refer
to the Shibboleth and eduPerson documentation. Above all, do
not expose a value for this attribute without considering the
long term implications.
-->
<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}">
<InputAttributeDefinition ref="uid" />
</AttributeDefinition>
<!--
The uid is the closest thing to a "standard" LDAP attribute
representing a local username, but you should generally *never*
expose uid to federated services, as it is rarely globally unique.
-->
<AttributeDefinition id="uid" xsi:type="PrincipalName" />
<!--
In the rest of the world, the email address is the standard identifier,
despite the problems with that practice. Consider making the EPPN
value the same as your official email addresses whenever possible.
-->
<AttributeDefinition id="mail" xsi:type="Template">
<InputAttributeDefinition ref="uid" />
<Template>
<![CDATA[
${uid}@example.org
]]>
</Template>
</AttributeDefinition>
<!--
This is an example of an attribute sourced from a data connector.
-->
<AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}">
<InputDataConnector ref="staticAttributes" attributeNames="affiliation" />
</AttributeDefinition>
<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->
<DataConnector id="staticAttributes" xsi:type="Static" exportAttributes="schacHomeOrganization">
<Attribute id="schacHomeOrganization">
<Value>%{idp.scope}</Value>
</Attribute>
<Attribute id="affiliation">
<Value>member</Value>
</Attribute>
</DataConnector>
</AttributeResolver>

9
conf/attributes/custom/README Normal file
View File

@@ -0,0 +1,9 @@
# You can create custom attribute mapping rules using
# simple property files stored in this directory tree.
# Spring property replacement is NOT supported.
# As an example, a default SAML 2 rule for eduPersonPrincipalName would be:
#id=eduPersonPrincipalName
#transcoder=SAML2ScopedStringTranscoder
#saml2.name=urn:oid:1.3.6.1.4.1.5923.1.1.1.6

29
conf/attributes/default-rules.xml Normal file
View File

@@ -0,0 +1,29 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- Default Attribute transcoding rules. -->
<!--
Many if not most of these attributes are not suited or may even be actively discouraged
from use in federated protocols, but this is merely a set of well-known definitions, not
a recommended set to support or use.
-->
<import resource="inetOrgPerson.xml" />
<import resource="eduPerson.xml" />
<import resource="eduCourse.xml" />
<import resource="schac.xml" />
<import resource="samlSubject.xml" />
</beans>

57
conf/attributes/eduCourse.xml Normal file
View File

@@ -0,0 +1,57 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
Note that all built-in rules rely on URI-naming and thus include the implied settings:
<prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</prop>
<prop key="saml1.namespace">urn:mace:shibboleth:1.0:attributeNamespace:uri</prop>
-->
<bean parent="shibboleth.TranscodingRuleLoader">
<constructor-arg>
<list>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">eduCourseOffering</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.6.1.1</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.5923.1.6.1.1</prop>
<prop key="displayName.en">Course offering</prop>
<prop key="description.en">Unique identifier for a course offering</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">eduCourseMember</prop>
<prop key="transcoder">SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.6.1.2</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.5923.1.6.1.2</prop>
<prop key="saml1.encodeType">false</prop>
<prop key="displayName.en">Course role</prop>
<prop key="description.en">Specifies the person's role within a particular course offering</prop>
</props>
</property>
</bean>
</list>
</constructor-arg>
</bean>
</beans>

273
conf/attributes/eduPerson.xml Normal file
View File

@@ -0,0 +1,273 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
Note that all built-in rules rely on URI-naming and thus include the implied settings:
<prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</prop>
<prop key="saml1.namespace">urn:mace:shibboleth:1.0:attributeNamespace:uri</prop>
-->
<bean parent="shibboleth.TranscodingRuleLoader">
<constructor-arg>
<list>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">eduPersonAffiliation</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.1</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonAffiliation</prop>
<prop key="displayName.en">Affiliation</prop>
<prop key="displayName.de">Zugehörigkeit</prop>
<prop key="displayName.fr">Affiliation</prop>
<prop key="displayName.it">Tipo di membro</prop>
<prop key="displayName.ja">職位</prop>
<prop key="description.en">Affiliation: Type of affiliation with Home Organization</prop>
<prop key="description.de">Art der Zugehörigkeit zur Heimatorganisation</prop>
<prop key="description.de-ch">Art der Zugehörigkeit zur Heimorganisation</prop>
<prop key="description.fr">Type d'affiliation dans l'organisation</prop>
<prop key="description.it">Tipo di membro: Tipo di lavoro svolto per l'organizzazione</prop>
<prop key="description.ja">所属機関における職位(facultystaffstudentmemberなど)</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">eduPersonAssurance</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.11</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonAssurance</prop>
<prop key="displayName.en">Assurance level</prop>
<prop key="displayName.de">Vertrauensgrad</prop>
<prop key="displayName.fr">Niveau de confiance</prop>
<prop key="displayName.it">Livello di sicurezza</prop>
<prop key="displayName.ja">保証レベル</prop>
<prop key="description.en">Set of URIs that assert compliance with specific standards for identity assurance.</prop>
<prop key="description.de">URIs die eine gewisse Zusicherung für spezifische Standards des Vertrauens beinhalten</prop>
<prop key="description.fr">Un ensemble d'URI qui attestent la conformité selon un standard pour les niveaux d'assurance d'identités</prop>
<prop key="description.it">Un insieme di URI che asseriscono l'osservanza dei livelli di sicurezza richiesti</prop>
<prop key="description.ja">IDの保証レベルに関して特定の基準に準拠していることを示すURI</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">eduPersonEntitlement</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.7</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonEntitlement</prop>
<prop key="displayName.en">Entitlement</prop>
<prop key="displayName.de">Berechtigung</prop>
<prop key="displayName.fr">Entitlement</prop>
<prop key="displayName.it">Prerogativa</prop>
<prop key="displayName.ja">資格情報</prop>
<prop key="description.en">Member of: URI (either URL or URN) that indicates a set of rights to specific resources based on an agreement across the releavant community</prop>
<prop key="description.de">Zeichenkette, die Rechte für spezifische Ressourcen beschreibt</prop>
<prop key="description.fr">Membre de: URI (soit une URL ou une URN) décrivant un droit spécific d'accès.</prop>
<prop key="description.it">Membro delle seguenti URI (sia URL o URN) che rappresentano diritti specifici d'accesso validi in tutta la communità</prop>
<prop key="description.ja">特定のアプリケーションもしくはコミュニティ内の複数リソースへのアクセス権限を持つことを示すURI(URLもしくはURN)</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">eduPersonNickname</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.2</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonNickname</prop>
<prop key="displayName.en">Nickname</prop>
<prop key="displayName.de">Kurzname</prop>
<prop key="displayName.de-ch">Übername</prop>
<prop key="displayName.fr">Surnom</prop>
<prop key="displayName.it">Diminutivo</prop>
<prop key="displayName.ja">ニックネーム</prop>
<prop key="description.en">Person's nickname, or the informal name by which they are accustomed to be hailed.</prop>
<prop key="description.de">Kurzname einer Person, oder üblicher Rufname zur Begrüßung.</prop>
<prop key="description.de-ch">Übername einer Person, oder üblicher Rufname zur Begrüssung.</prop>
<prop key="description.fr">Nom personnalisable pour un usage informel.</prop>
<prop key="description.it">Diminutivo della persona, o soprannome.</prop>
<prop key="description.ja">利用者のニックネームもしくは通称</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">eduPersonOrgDN</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.3</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonOrgDN</prop>
<prop key="displayName.en">Organization distinguished name</prop>
<prop key="description.en">Distinguished name (DN) of the directory entry representing the institution with which the person is associated.</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">eduPersonOrgUnitDN</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.4</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonOrgUnitDN</prop>
<prop key="displayName.en">Organization unit distinguished name</prop>
<prop key="description.en">Distinguished name(s) (DN) of the directory entries representing the person's Organizational Unit(s).</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">eduPersonOrcid</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.16</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.16</prop>
<prop key="displayName.en">ORCID</prop>
<prop key="description.en">ORCID researcher identifier(s) belonging to a person.</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">eduPersonPrimaryAffiliation</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.5</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation</prop>
<prop key="displayName.en">Primary affiliation</prop>
<prop key="displayName.de">Primäre Zugehörigkeit</prop>
<prop key="displayName.fr">Affiliation pricipale</prop>
<prop key="displayName.it">Appartenenza principale</prop>
<prop key="displayName.ja">主要職位</prop>
<prop key="description.en">Specifies the person's primary relationship to the institution in broad categories such as student, faculty, staff, alum, etc.</prop>
<prop key="description.de">Spezifiziert der Hauptbeziehung einer Person innerhalb ihrer Organisation in groben Kategorien wie Student, Mitarbeiter, Alumni, etc.</prop>
<prop key="description.fr">Spécifie la relation principale d'une personne avec l'institution selon des majeures catégories comme étudiant, collaborateur, alumni etc.</prop>
<prop key="description.it">Specifica la relazione principale dell persona con l'istituzione secondo le maggiori categorie come studente, collaboratore, alumni, etc.</prop>
<prop key="description.ja">所属機関における主要な職位(facultystaffstudentmemberなど)</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">eduPersonPrimaryOrgUnitDN</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.8</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN</prop>
<prop key="displayName.en">Primary organization unit distinguished name</prop>
<prop key="description.en">Distinguished name (DN) of the directory entry representing the person's primary Organizational Unit.</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">eduPersonPrincipalName</prop>
<prop key="transcoder">SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.6</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonPrincipalName</prop>
<prop key="saml1.encodeType">false</prop>
<prop key="displayName.en">Principal name</prop>
<prop key="displayName.de">Persönliche ID</prop>
<prop key="displayName.fr">Principal Name</prop>
<prop key="displayName.it">Principal Name</prop>
<prop key="displayName.ja">プリンシパルID</prop>
<prop key="description.en">A unique identifier for a person, mainly for inter-institutional user identification.</prop>
<prop key="description.de">Eindeutige Benutzeridentifikation</prop>
<prop key="description.de-ch">Eindeutige Benützeridentifikation</prop>
<prop key="description.fr">L'identifiant unique de l'utilisateur</prop>
<prop key="description.it">Un ID personale che identifica chiaramente l'utente in seno alla sua organizzazione</prop>
<prop key="description.ja">フェデレーション内で一意かつ永続的な利用者識別子</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">eduPersonPrincipalNamePrior</prop>
<prop key="transcoder">SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.12</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.12</prop>
<prop key="saml1.encodeType">false</prop>
<prop key="displayName.en">Prior principal name(s)</prop>
<prop key="description.en">eduPersonPrincipalName value(s) previously associated with the entry.</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">eduPersonScopedAffiliation</prop>
<prop key="transcoder">SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.9</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonScopedAffiliation</prop>
<prop key="saml1.encodeType">false</prop>
<prop key="displayName.en">Scoped affiliation</prop>
<prop key="displayName.de">Zugehörigkeit</prop>
<prop key="displayName.fr">Affiliation</prop>
<prop key="displayName.it">Tipo di membro</prop>
<prop key="displayName.ja">スコープ付き職位</prop>
<prop key="description.en">Specifies the person's affiliation within a particular security domain</prop>
<prop key="description.de">Art der Zugehörigkeit zur Heimatorganisation</prop>
<prop key="description.de-ch">Art der Zugehörigkeit zur Heimorganisation</prop>
<prop key="description.fr">Type d'affiliation dans l'organisation</prop>
<prop key="description.it">Tipo di membro: Tipo di lavoro svolto per l'organizzazione</prop>
<prop key="description.ja">セキュリティドメインのスコープが付いた所属機関における職位</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">eduPersonUniqueId</prop>
<prop key="transcoder">SAML2ScopedStringTranscoder SAML1ScopedStringTranscoder CASScopedStringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.13</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.13</prop>
<prop key="saml1.encodeType">false</prop>
<prop key="displayName.en">Unique ID</prop>
<prop key="displayName.de">Eindeutige ID</prop>
<prop key="displayName.fr">ID unique</prop>
<prop key="displayName.it">ID unico</prop>
<prop key="displayName.ja">ユニークID</prop>
<prop key="description.en">A unique identifier for a person, mainly for inter-institutional user identification.</prop>
<prop key="description.de">Eindeutige Benutzeridentifikation</prop>
<prop key="description.de-ch">Eindeutige Benützeridentifikation</prop>
<prop key="description.fr">Identifiant unique de l'utilisateur</prop>
<prop key="description.it">Un identificativo personale che identifica chiaramente l'utente in seno alla sua organizzazione</prop>
<prop key="description.ja">フェデレーション内で一意で永続的かつ難読化された利用者識別子(後継はサブジェクトID)</prop>
</props>
</property>
</bean>
</list>
</constructor-arg>
</bean>
</beans>

517
conf/attributes/inetOrgPerson.xml Normal file
View File

@@ -0,0 +1,517 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
Note that all built-in rules rely on URI-naming and thus include the implied settings:
<prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</prop>
<prop key="saml1.namespace">urn:mace:shibboleth:1.0:attributeNamespace:uri</prop>
-->
<!-- https://tools.ietf.org/html/rfc2798 -->
<bean parent="shibboleth.TranscodingRuleLoader">
<constructor-arg>
<list>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">cn</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.5.4.3</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:cn</prop>
<prop key="displayName.en">Common name</prop>
<prop key="description.en">Common name of a person</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">departmentNumber</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.16.840.1.113730.3.1.2</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:departmentNumber</prop>
<prop key="displayName.en">Department number</prop>
<prop key="displayName.de">Abteilungsnummer</prop>
<prop key="description.en">Department number</prop>
<prop key="description.de">Nummer der Abteilung</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">displayName</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.16.840.1.113730.3.1.241</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:displayName</prop>
<prop key="displayName.en">Display name</prop>
<prop key="displayName.de">Anzeigename</prop>
<prop key="displayName.fr">Nom</prop>
<prop key="displayName.it">Nome</prop>
<prop key="displayName.ja">表示名</prop>
<prop key="description.en">The name that should appear in white-pages-like applications for this person.</prop>
<prop key="description.de">Anzeigename</prop>
<prop key="description.fr">Nom complet d'affichage</prop>
<prop key="description.it">Nome</prop>
<prop key="description.ja">アプリケーションでの表示に用いられる英字氏名</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">employeeNumber</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.16.840.1.113730.3.1.3</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:employeeNumber</prop>
<prop key="displayName.en">Employee number</prop>
<prop key="displayName.de">Mitarbeiternummer</prop>
<prop key="displayName.fr">Numéro d'employé</prop>
<prop key="displayName.it">Numero dell'utente</prop>
<prop key="displayName.ja">従業員番号</prop>
<prop key="description.en">Identifies an employee within an organization</prop>
<prop key="description.de">Identifiziert einen Mitarbeiter innerhalb der Organisation</prop>
<prop key="description.fr">Identifie un employé au sein de l'organisation</prop>
<prop key="description.it">Identifica l' utente presso l'organizzazione</prop>
<prop key="description.ja">所属機関における利用者の従業員番号</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">employeeType</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.16.840.1.113730.3.1.4</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:employeeType</prop>
<prop key="displayName.en">Employee type</prop>
<prop key="description.en">Employee type</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">givenName</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.5.4.42</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:givenName</prop>
<prop key="displayName.en">Given name</prop>
<prop key="displayName.de">Vorname</prop>
<prop key="displayName.fr">Prénom</prop>
<prop key="displayName.it">Nome</prop>
<prop key="displayName.ja"></prop>
<prop key="description.en">Given name of a person</prop>
<prop key="description.de">Vorname</prop>
<prop key="description.fr">Prénom de l'utilisateur</prop>
<prop key="description.it">Nome</prop>
<prop key="description.ja">氏名(名)の英語表記</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">homePhone</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:0.9.2342.19200300.100.1.20</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:homePhone</prop>
<prop key="displayName.en">Private phone number</prop>
<prop key="displayName.de">Telefon Privat</prop>
<prop key="displayName.fr">Teléphone personnel</prop>
<prop key="displayName.it">Numero di telefono privato</prop>
<prop key="displayName.ja">自宅電話番号</prop>
<prop key="description.en">Private phone number</prop>
<prop key="description.de">Private Telefonnummer</prop>
<prop key="description.fr">Numéro de téléphone de domicile de la personne</prop>
<prop key="description.it">Numero di telefono privato</prop>
<prop key="description.ja">自宅の電話番号</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">homePostalAddress</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:0.9.2342.19200300.100.1.39</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:homePostalAddress</prop>
<prop key="displayName.en">Home postal address</prop>
<prop key="displayName.de">Heimatadresse</prop>
<prop key="displayName.de-ch">Heimadresse</prop>
<prop key="displayName.fr">Adresse personnelle</prop>
<prop key="displayName.it">Indirizzo personale</prop>
<prop key="displayName.ja">自宅住所</prop>
<prop key="description.en">Home postal address: Home address of the user</prop>
<prop key="description.de">Heimatadresse</prop>
<prop key="description.de-ch">Heimadresse</prop>
<prop key="description.fr">Adresse postale de domicile de la personne</prop>
<prop key="description.it">Indirizzo personale: indirizzo dove abita l'utente</prop>
<prop key="description.ja">自宅の住所</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">initials</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.5.4.43</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:initials</prop>
<prop key="displayName.en">Initials</prop>
<prop key="displayName.de">Initialen</prop>
<prop key="displayName.fr">Initiales</prop>
<prop key="displayName.ja">イニシャル</prop>
<prop key="description.en">Initials</prop>
<prop key="description.de">Anfangsbuchstaben des Namens</prop>
<prop key="description.de-ch">Die Anfangsbuchstaben</prop>
<prop key="description.fr">L' initiales</prop>
<prop key="description.ja">イニシャル</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">l</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.5.4.7</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:l</prop>
<prop key="displayName.en">Locality name</prop>
<prop key="displayName.de">Ort</prop>
<prop key="displayName.fr">Locality name</prop>
<prop key="displayName.ja">場所(L)</prop>
<prop key="description.en">Locality name</prop>
<prop key="description.de">Ort</prop>
<prop key="description.fr">Nom de la localité où réside l'objet</prop>
<prop key="description.ja">場所の名前 日本の場合は市区町村名</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">mail</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:0.9.2342.19200300.100.1.3</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:mail</prop>
<prop key="displayName.en">E-mail</prop>
<prop key="displayName.de">E-Mail</prop>
<prop key="displayName.fr">Email</prop>
<prop key="displayName.it">E-mail</prop>
<prop key="displayName.ja">メールアドレス</prop>
<prop key="description.en">E-Mail: Preferred address for e-mail to be sent to this person</prop>
<prop key="description.de">E-Mail-Adresse</prop>
<prop key="description.de-ch">E-Mail Adresse</prop>
<prop key="description.fr">Adresse de courrier électronique</prop>
<prop key="description.it">E-Mail: l'indirizzo e-mail preferito dall'utente</prop>
<prop key="description.ja">メールアドレス</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">mobile</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:0.9.2342.19200300.100.1.41</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:mobile</prop>
<prop key="displayName.en">Mobile phone number</prop>
<prop key="displayName.de">Telefon Mobil</prop>
<prop key="displayName.fr">Numéro de mobile</prop>
<prop key="displayName.it">Numero di cellulare</prop>
<prop key="displayName.ja">携帯電話番号</prop>
<prop key="description.en">Mobile phone number</prop>
<prop key="description.de">Mobile Telefonnummer</prop>
<prop key="description.fr">Numéro de teléphone mobile</prop>
<prop key="description.it">Numero di cellulare</prop>
<prop key="description.ja">携帯電話の電話番号</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">o</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.5.4.10</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:o</prop>
<prop key="displayName.en">Organization name</prop>
<prop key="displayName.de">Organisationsname</prop>
<prop key="displayName.fr">Nom de l'organisation</prop>
<prop key="displayName.ja">所属機関名</prop>
<prop key="description.en">Organization name</prop>
<prop key="description.de">Name der Organisation</prop>
<prop key="description.fr">Nom de l'organisation</prop>
<prop key="description.ja">所属機関名称の英語表記</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">ou</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.5.4.11</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:ou</prop>
<prop key="displayName.en">Organizational unit</prop>
<prop key="displayName.de">Organisationseinheit</prop>
<prop key="displayName.fr">Unité organisationnelle</prop>
<prop key="displayName.ja">機関内所属名</prop>
<prop key="description.en">Organizational unit</prop>
<prop key="description.de">Name der Organisationseinheit</prop>
<prop key="description.fr">Nom de l'unité organisationnelle</prop>
<prop key="description.ja">機関内所属名称の英語表記</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">pager</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:0.9.2342.19200300.100.1.42</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:pager</prop>
<prop key="displayName.en">Pager number</prop>
<prop key="description.en">Pager number</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">postalAddress</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.5.4.16</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:postalAddress</prop>
<prop key="displayName.en">Business postal address</prop>
<prop key="displayName.de">Geschäftsadresse</prop>
<prop key="displayName.fr">Adresse professionnelle</prop>
<prop key="displayName.it">Indirizzo professionale</prop>
<prop key="displayName.ja">所属機関住所</prop>
<prop key="description.en">Business postal address: Campus or office address</prop>
<prop key="description.de">Geschäftliche Adresse</prop>
<prop key="description.de-ch">Adresse am Arbeitsplatz</prop>
<prop key="description.fr">Adresse de l'institut, de l'université</prop>
<prop key="description.it">Indirizzo professionale: indirizzo dell'istituto o dell'ufficio</prop>
<prop key="description.ja">所属機関の住所</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">postalCode</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.5.4.17</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:postalCode</prop>
<prop key="displayName.en">Postal code</prop>
<prop key="displayName.en-us">ZIP code</prop>
<prop key="displayName.de">Postleitzahl</prop>
<prop key="displayName.fr">Code postal</prop>
<prop key="displayName.ja">郵便番号</prop>
<prop key="description.en">Postal code</prop>
<prop key="description.en-us">ZIP code</prop>
<prop key="description.de">Postleitzahl</prop>
<prop key="description.fr">Code postal</prop>
<prop key="description.ja">郵便番号</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">postOfficeBox</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:mace:dir:attribute-def:postOfficeBox</prop>
<prop key="saml1.name">urn:oid:2.5.4.18</prop>
<prop key="displayName.en">Postal box</prop>
<prop key="displayName.de">Postfach</prop>
<prop key="displayName.fr">Boite postale</prop>
<prop key="displayName.fr-ch">Case postale</prop>
<prop key="displayName.ja">私書箱</prop>
<prop key="description.en">Postal box identifier</prop>
<prop key="description.de">Postfach</prop>
<prop key="description.fr">Boite postale</prop>
<prop key="description.fr-ch">Case postale</prop>
<prop key="description.ja">私書箱</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">preferredLanguage</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.16.840.1.113730.3.1.39</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:preferredLanguage</prop>
<prop key="displayName.en">Preferred Language</prop>
<prop key="displayName.de">Bevorzugte Sprache</prop>
<prop key="displayName.fr">Langue préférée</prop>
<prop key="displayName.it">Lingua preferita</prop>
<prop key="displayName.ja">希望言語</prop>
<prop key="description.en">Preferred language: Users preferred language (see RFC1766)</prop>
<prop key="description.de">Bevorzugte Sprache (siehe RFC1766)</prop>
<prop key="description.fr">Exemple: fr, de, it, en, ... (voir RFC1766)</prop>
<prop key="description.it">Lingua preferita: la lingua preferita dall'utente (cfr. RFC1766)</prop>
<prop key="description.ja">利用者が希望する言語(RFC1766 を参照)</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">sn</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.5.4.4</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:sn</prop>
<prop key="displayName.en">Surname</prop>
<prop key="displayName.de">Nachname</prop>
<prop key="displayName.fr">Nom de famille</prop>
<prop key="displayName.it">Cognome</prop>
<prop key="displayName.ja"></prop>
<prop key="description.en">Surname or family name</prop>
<prop key="description.de">Familienname</prop>
<prop key="description.fr">Nom de famille de l'utilisateur.</prop>
<prop key="description.it">Cognome dell'utilizzatore</prop>
<prop key="description.ja">氏名(姓)の英語表記</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">st</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.5.4.8</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:st</prop>
<prop key="displayName.en">State or province name</prop>
<prop key="displayName.ja">都道府県もしくは州や省(ST)</prop>
<prop key="description.en">State or province name</prop>
<prop key="description.ja">州名や省名 国によって異なり日本の場合は都道府県名</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">street</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.5.4.9</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:street</prop>
<prop key="displayName.en">Street</prop>
<prop key="displayName.de">Straße</prop>
<prop key="displayName.de-ch">Strasse</prop>
<prop key="displayName.fr">Rue</prop>
<prop key="displayName.ja">通り</prop>
<prop key="description.en">Street address</prop>
<prop key="description.de">Name der Straße</prop>
<prop key="description.de-ch">Strassenadresse</prop>
<prop key="description.fr">Nom de rue</prop>
<prop key="description.ja">通りおよび番地</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">telephoneNumber</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.5.4.20</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:telephoneNumber</prop>
<prop key="displayName.en">Business phone number</prop>
<prop key="displayName.de">Telefon Geschäft</prop>
<prop key="displayName.fr">Teléphone professionnel</prop>
<prop key="displayName.it">Numero di telefono dell'ufficio</prop>
<prop key="displayName.ja">所属機関内電話番号</prop>
<prop key="description.en">Business phone number: Office or campus phone number</prop>
<prop key="description.de">Telefonnummer am Arbeitsplatz</prop>
<prop key="description.fr">Teléphone de l'institut, de l'université</prop>
<prop key="description.it">Numero di telefono dell'ufficio</prop>
<prop key="description.ja">所属機関での利用者の電話番号</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">title</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:2.5.4.12</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:title</prop>
<prop key="displayName.en">Title</prop>
<prop key="displayName.de">Titel</prop>
<prop key="displayName.fr">Title</prop>
<prop key="displayName.ja">肩書き</prop>
<prop key="description.en">Title of a person</prop>
<prop key="description.de">Titel der Person</prop>
<prop key="description.fr">Titre de la personne</prop>
<prop key="description.ja">利用者の肩書き</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">uid</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:0.9.2342.19200300.100.1.1</prop>
<prop key="saml1.name">urn:mace:dir:attribute-def:uid</prop>
<prop key="displayName.en">User ID</prop>
<prop key="displayName.de">Benutzer-ID</prop>
<prop key="displayName.fr">ID utilisateur</prop>
<prop key="displayName.it">ID dell'utente</prop>
<prop key="displayName.ja">ユーザID</prop>
<prop key="description.en">A unique identifier for a person, mainly used for user identification within the user's home organization.</prop>
<prop key="description.de">Eine eindeutige Nummer für eine Person, welche hauptsächlich zur Identifikation innerhalb der Organisation benutzt wird.</prop>
<prop key="description.fr">Identifiant de connexion d'une personnes sur les systèmes informatiques.</prop>
<prop key="description.it">Identificativo unico della persona, usato per l'identificazione dell'utente all'interno della organizzazione di appartenenza.</prop>
<prop key="description.ja">所属機関内で一意の利用者識別子</prop>
</props>
</property>
</bean>
</list>
</constructor-arg>
</bean>
</beans>

73
conf/attributes/samlSubject.xml Normal file
View File

@@ -0,0 +1,73 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
Note that all built-in rules rely on URI-naming and thus include the implied settings:
<prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</prop>
-->
<!-- https://wiki.oasis-open.org/security/SAMLSubjectIDAttr -->
<bean parent="shibboleth.TranscodingRuleLoader">
<constructor-arg>
<list>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">samlSubjectID</prop>
<prop key="transcoder">SAML2ScopedStringTranscoder</prop>
<prop key="saml2.name">urn:oasis:names:tc:SAML:attribute:subject-id</prop>
<prop key="displayName.en">Unique ID</prop>
<prop key="displayName.de">Eindeutige ID</prop>
<prop key="displayName.fr">ID unique</prop>
<prop key="displayName.it">ID unico</prop>
<prop key="displayName.ja">サブジェクトID</prop>
<prop key="description.en">A unique identifier for a person, mainly for inter-institutional user identification.</prop>
<prop key="description.de">Eindeutige Benutzeridentifikation</prop>
<prop key="description.de-ch">Eindeutige Benützeridentifikation</prop>
<prop key="description.fr">Identifiant unique de l'utilisateur</prop>
<prop key="description.it">Un identificativo personale che identifica chiaramente l'utente in seno alla sua organizzazione</prop>
<prop key="description.ja">フェデレーション内で一意で永続的かつ難読化された利用者識別子(eduPersonUniqueIdの後継)</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">samlPairwiseID</prop>
<prop key="transcoder">SAML2ScopedStringTranscoder</prop>
<prop key="saml2.name">urn:oasis:names:tc:SAML:attribute:pairwise-id</prop>
<prop key="displayName.en">Pairwise ID</prop>
<prop key="displayName.de">Pairwise ID</prop>
<prop key="displayName.fr">Pairwise ID</prop>
<prop key="displayName.it">Pairwise ID</prop>
<prop key="displayName.ja">ペアワイズID</prop>
<prop key="description.en">Pairwise ID: A unique identifier for a person, different for each service provider.</prop>
<prop key="description.de">Pairwise ID: Eindeutige Benutzeridentifikation, unterschiedlich pro Service Provider.</prop>
<prop key="description.de-ch">Pairwise ID: Eindeutige Benützeridentifikation, unterschiedlich pro Service Provider.</prop>
<prop key="description.fr">Pairwise ID: Un identifiant unique de l'utilisateur, différent pour chaque fournisseur de service.</prop>
<prop key="description.it">Pairwise ID: identificativo unico della persona, differente per ogni fornitore di servizio.</prop>
<prop key="description.ja">フェデレーション内で一意かつSP毎に送出される値が異なる利用者識別子(eduPersonTargetedIDの後継)</prop>
</props>
</property>
</bean>
</list>
</constructor-arg>
</bean>
</beans>

237
conf/attributes/schac.xml Normal file
View File

@@ -0,0 +1,237 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
Note that all built-in rules rely on URI-naming and thus include the implied settings:
<prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</prop>
<prop key="saml1.namespace">urn:mace:shibboleth:1.0:attributeNamespace:uri</prop>
-->
<bean parent="shibboleth.TranscodingRuleLoader">
<constructor-arg>
<list>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">schacMotherTongue</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.1</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.1</prop>
<prop key="displayName.en">Mother Tongue</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">schacGender</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.2</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.2</prop>
<prop key="displayName.en">Gender</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">schacDateOfBirth</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.3</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.3</prop>
<prop key="displayName.en">Date or Birth</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">schacPlaceOfBirth</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.4</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.4</prop>
<prop key="displayName.en">Place of Birth</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">schacCountryOfCitizenship</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.5</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.5</prop>
<prop key="displayName.en">Country of Citizenship</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">schacHomeOrganization</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.9</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.9</prop>
<prop key="displayName.en">Home Organization</prop>
<prop key="displayName.fi">Kotiorganisaatio</prop>
<prop key="displayDescription.en">The domain name of the person's home organisation</prop>
<prop key="displayDescription.fi">Henkilön kotiorganisaation domain-nimi</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">schacHomeOrganizationType</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.10</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.10</prop>
<prop key="displayName.en">Home organization type</prop>
<prop key="displayName.fi">Kotiorganisaation tyyppi</prop>
<prop key="displayDescription.en">Home organisation type: university, polytechnic, etc</prop>
<prop key="displayDescription.fi">Kotiorganisaation tyyppi: yliopisto, ammattikorkeakoulu jne</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">schacCountryOfResidence</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.11</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.11</prop>
<prop key="displayName.en">Country of Reseidence</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">schacUserPresenceID</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.12</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.12</prop>
<prop key="displayName.en">User Presence ID</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">schacPersonalPosition</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.13</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.13</prop>
<prop key="displayName.en">Personal Position</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">schacPersonalUniqueCode</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.14</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.14</prop>
<prop key="displayName.en">Personal Unique Code</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">schacPersonalUniqueID</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.15</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.15</prop>
<prop key="displayName.en">Personal Unique ID</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">schacExpiryDate</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.17</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.17</prop>
<prop key="displayName.en">Expiry Date</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">schacUserPrivateAttribute</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.18</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.18</prop>
<prop key="displayName.en">User Private Attribute</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">schacUserStatus</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.19</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.19</prop>
<prop key="displayName.en">User Status</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">schacProjectMembership</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.20</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.20</prop>
<prop key="displayName.en">Project Membership</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">schacProjectSpecificRole</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.21</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.25178.1.2.21</prop>
<prop key="displayName.en">Project Specific Role</prop>
</props>
</property>
</bean>
</list>
</constructor-arg>
</bean>
</beans>

55
conf/audit.xml Normal file
View File

@@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
This bean defines a mapping between audit log categories and formatting strings.
-->
<util:map id="shibboleth.AuditFormattingMap">
<entry key="Shibboleth-Audit" value="%a|%ST|%T|%u|%SP|%i|%ac|%t|%attr|%n|%f|%SSO|%XX|%XA|%b|%bb|%e|%S|%SS|%s|%UA" />
</util:map>
<!-- Override the format of date/time fields in the log and/or convert to default time zone. -->
<!--
<bean id="shibboleth.AuditDateTimeFormat" class="java.lang.String" c:_0="yyyy-MM-dd'T'HH:mm:ss.SSSZZ" />
<util:constant id="shibboleth.AuditDefaultTimeZone" static-field="java.lang.Boolean.TRUE" />
-->
<!-- Allows auditing to be disabled selectively for particular profiles/flows. -->
<util:list id="shibboleth.AuditSuppressedProfiles">
<value>http://shibboleth.net/ns/profiles/status</value>
<value>http://shibboleth.net/ns/profiles/mdquery</value>
</util:list>
<!--
You can freely add/change this map to map constants or frequently appearing strings into
shorter values in the audit log.
-->
<util:map id="shibboleth.AuditFieldReplacementMap">
<entry key="urn:oasis:names:tc:SAML:1.0:am:password" value="password" />
<entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" value="password" />
<entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" value="password" />
<entry key="urn:mace:shibboleth:1.0:nameIdentifier" value="transient" />
<entry key="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" value="transient" />
<entry key="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" value="persistent" />
<entry key="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" value="emailAddress" />
<entry key="urn:oasis:names:tc:SAML:2.0:status:Success" value="Success" />
<entry key="urn:oasis:names:tc:SAML:2.0:status:Requester" value="Requester" />
<entry key="urn:oasis:names:tc:SAML:2.0:status:Responder" value="Responder" />
<entry key="http://www.w3.org/2009/xmlenc11#aes128-gcm" value="AES128-GCM" />
<entry key="http://www.w3.org/2009/xmlenc11#aes192-gcm" value="AES192-GCM" />
<entry key="http://www.w3.org/2009/xmlenc11#aes256-gcm" value="AES256-GCM" />
<entry key="http://www.w3.org/2001/04/xmlenc#aes128-cbc" value="AES128-CBC" />
<entry key="http://www.w3.org/2001/04/xmlenc#aes192-cbc" value="AES192-CBC" />
<entry key="http://www.w3.org/2001/04/xmlenc#aes256-cbc" value="AES256-CBC" />
</util:map>
</beans>

117
conf/authn/authn-comparison.xml Normal file
View File

@@ -0,0 +1,117 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
This is a map used to "weight" particular methods above others if the IdP has to randomly select one
to insert into a SAML authentication statement. The typical use shown below is to bias the IdP in favor
of expressing the SAML 2 PasswordProtectedTransport class over the more vanilla Password class on the
assumption that the IdP doesn't accept passwords via an insecure channel. This map never causes the IdP
to violate its matching rules if an RP requests a particular value; it only matters when nothing specific
is chosen. Anything not in the map has a weight of zero.
-->
<util:map id="shibboleth.AuthenticationPrincipalWeightMap">
<entry>
<key>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
</key>
<value>1</value>
</entry>
</util:map>
<!--
Uncomment and add entries to this map to support "inexact" SAML RequestedAuthnContext operators.
Please refer to the AuthenticationFlowSelection documentation topic for details and examples.
-->
<!--
<util:map id="shibboleth.AuthnComparisonRules">
</util:map>
-->
<!-- List of context classes or declarations to ignore if an SP requests them. -->
<util:list id="shibboleth.IgnoredContexts">
<value>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</value>
</util:list>
<!--
Mappings to transform custom Principals for proxied AuthnRequests.
Key is the input, value is a collection of possibly empty outputs.
Used by default to transform authentication type values from
SPs -> Proxied IdPs.
-->
<util:map id="shibboleth.PrincipalProxyRequestMappings">
<!--
<entry>
<key>
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:classRef="https://sp.example.org/context" />
</key>
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://proxy.example.org/context1" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://proxy.example.org/context2" />
</list>
</entry>
<entry>
<key>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://sp.example.org/context" />
</key>
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://proxy.example.org/context1" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://proxy.example.org/context2" />
</list>
</entry>
-->
</util:map>
<!--
Mappings to transform proxied Principals for inclusion in Subjects.
Key is the input, value is a collection of possibly empty outputs.
Used by default to transform values from Proxied IdP. ->
-->
<util:map id="shibboleth.PrincipalProxyResponseMappings">
<!--
<entry>
<key>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://proxy.example.org/context1" />
</key>
<list>
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:classRef="https://sp.example.org/context" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://sp.example.org/context" />
</list>
</entry>
<entry>
<key>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://proxy.example.org/context2" />
</key>
<list>
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:classRef="https://sp.example.org/context" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://sp.example.org/context" />
</list>
</entry>
-->
</util:map>
</beans>

22
conf/authn/authn-events-flow.xml Normal file
View File

@@ -0,0 +1,22 @@
<flow xmlns="http://www.springframework.org/schema/webflow"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
abstract="true">
<!-- ADVANCED USE ONLY -->
<!--
You can ignore this file unless you are creating your own custom login subflows that want to
report custom events in response to unusual error or warning conditions.
-->
<!-- Custom error events to reflect back from user-supplied login subflows. -->
<!-- <end-state id="MyCustomEvent" /> -->
<global-transitions>
<!-- <transition on="MyCustomEvent" to="MyCustomEvent" /> -->
<transition on="#{!'proceed'.equals(currentEvent.id)}" to="InvalidEvent" />
</global-transitions>
</flow>

218
conf/authn/authn.properties Normal file
View File

@@ -0,0 +1,218 @@
# Properties that control authentication generally and the behavior of
# specific methods.
# Regular expression matching login flows to enable, e.g. IPAddress|Password
#idp.authn.flows = Password
# Default settings for most authentication methods.
#idp.authn.defaultLifetime = PT1H
#idp.authn.defaultTimeout = PT30M
#idp.authn.proxyRestrictionsEnforced = true
# Whether to populate relying party user interface information for display
# during authentication, consent, terms-of-use.
#idp.authn.rpui = true
# Whether to prioritize "active" results when an SP requests more than
# one possible matching login method (V2 behavior was to favor them)
#idp.authn.favorSSO = false
# Whether to fail requests when a user identity after authentication
# doesn't match the identity in a pre-existing session.
#idp.authn.identitySwitchIsError = false
# If using IdP discovery feature, provides a discovery location to use.
#idp.authn.discoveryURL = https://ds.example.org/shibboleth-ds/index.html
# Properties below override specific method behavior, as an alternative
# to defining Spring beans in XML. Refer to the documentation for a complete
# list. Many of the properties below are mentioned only because they are
# atypical defaults assumed for a given method.
# Flow selection among multiple equivalent options can be managed with
# the order properties, lower will be tried first.
#### Password ####
#idp.authn.Password.order = 1000
#idp.authn.Password.passiveAuthenticationSupported = true
#idp.authn.Password.forcedAuthenticationSupported = true
# Override this and removeAfterValidation to require all validators to succeed
#idp.authn.Password.requireAll = false
# Override to keep the password around
#idp.authn.Password.removeAfterValidation = true
# Override to store password in Java Subject
#idp.authn.Password.retainAsPrivateCredential = false
# Simple username transforms before validation
#idp.authn.Password.trim = true
#idp.authn.Password.lowercase = false
#idp.authn.Password.uppercase = false
#idp.authn.Password.matchExpression =
# Override default form field names
#idp.authn.Password.usernameFieldName = j_username
#idp.authn.Password.passwordFieldName = j_password
#idp.authn.Password.ssoBypassFieldName = donotcache
# Unset if using customized Principals per validator
#idp.authn.Password.addDefaultPrincipals = true
# The Principal collection below is the typical default if not otherwise noted.
#idp.authn.Password.supportedPrincipals = \
# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
# saml1/urn:oasis:names:tc:SAML:1.0:am:password
# Validators are controlled in password-authn-config.xml
#### Password Backends ####
# See ldap.properties for LDAP authn properties
# Kerberos settings
#idp.authn.Krb5.refreshConfig = false
#idp.authn.Krb5.preserveTicket = false
# Set next two for KDC verification
#idp.authn.Krb5.servicePrincipal =
#idp.authn.Krb5.keytab =
# JAAS settings
#idp.authn.JAAS.loginConfigNames = ShibUserPassAuth
#idp.authn.JAAS.loginConfig = %{idp.home}/conf/authn/jaas.config
#### External ####
#idp.authn.External.order = 1000
#idp.authn.External.nonBrowserSupported = false
#idp.authn.External.matchExpression =
# Unset if you plan to return full Java Subject from external source
#idp.authn.External.addDefaultPrincipals = true
# Servlet context-relative path to wherever your implementation lives
idp.authn.External.externalAuthnPath = contextRelative:external.jsp
#### RemoteUser ####
#idp.authn.RemoteUser.order = 1000
#idp.authn.RemoteUser.nonBrowserSupported = false
#idp.authn.RemoteUser.matchExpression =
# Unset in most cases only if using the authnMethodHeader or
# subjectAttribute settings
#idp.authn.RemoteUser.addDefaultPrincipals = true
# Most other settings need to be supplied via web.xml to the servlet
#### RemoteUserInternal ####
#idp.authn.RemoteUserInternal.order = 1000
#idp.authn.RemoteUserInternal.nonBrowserSupported = true
# Unset in most cases only if using the authnMethodHeader feature
#idp.authn.RemoteUserInternal.addDefaultPrincipals = true
#idp.authn.RemoteUserInternal.checkRemoteUser = true
# Comma-delimited lists of attributes or headers to pull from
#idp.authn.RemoteUserInternal.checkAttributes =
#idp.authn.RemoteUserInternal.checkHeaders =
# Simple transforms to apply
#idp.authn.RemoteUserInternal.trim = true
#idp.authn.RemoteUserInternal.lowercase = false
#idp.authn.RemoteUserInternal.uppercase = false
#idp.authn.RemoteUserInternal.matchExpression =
#idp.authn.RemoteUserInternal.allowedUsernames =
#idp.authn.RemoteUserInternal.deniedUsernames =
#### SPNEGO ####
#idp.authn.SPNEGO.order = 1000
#idp.authn.SPNEGO.nonBrowserSupported = false
#idp.authn.SPNEGO.enforceRun = false
#idp.authn.SPNEGO.refreshKrbConfig = false
#idp.authn.SPNEGO.matchExpression =
idp.authn.SPNEGO.supportedPrincipals = \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, \
saml1/urn:ietf:rfc:1510
#### X509 ####
#idp.authn.X509.order = 1000
#idp.authn.X509.nonBrowserSupported = false
# Servlet context-relative path to wherever your implementation lives
#idp.authn.X509.externalAuthnPath = contextRelative:x509-prompt.jsp
idp.authn.X509.supportedPrincipals = \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
saml1/urn:ietf:rfc:2246
#### X509Internal ####
#idp.authn.X509Internal.order = 1000
#idp.authn.X509Internal.nonBrowserSupported = false
#idp.authn.X509Internal.saveCertificateToCredentialSet = true
idp.authn.X509Internal.supportedPrincipals = \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
saml1/urn:ietf:rfc:2246
#### IPAddress ####
#idp.authn.IPAddress.order = 1000
#idp.authn.IPAddress.passiveAuthenticationSupported = true
#idp.authn.IPAddress.lifetime = PT60S
#idp.authn.IPAddress.inactivityTimeout = PT60S
idp.authn.IPAddress.supportedPrincipals = \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol
#### Function ####
#idp.authn.Function.order = 1000
#idp.authn.Function.passiveAuthenticationSupported = true
# Unset if you plan to return full Java Subject from function
#idp.authn.Function.addDefaultPrincipals = true
#### Duo ####
#idp.authn.Duo.order = 1000
#idp.authn.Duo.nonBrowserSupported = false
#idp.authn.Duo.forcedAuthenticationSupported = true
# Unset if you have advanced Duo integrations with individualized Principals
#idp.authn.Duo.addDefaultPrincipals = true
# The list below should be changed to reflect whatever locally- or
# community-defined values are appropriate to represent Duo. It is
# strongly advised that the value not be specific to Duo or any
# particular technology to avoid lock-in.
idp.authn.Duo.supportedPrincipals = \
saml2/http://example.org/ac/classes/mfa, \
saml1/http://example.org/ac/classes/mfa
# Default Duo integration settings are defined separately
# in duo.properties due to the sensitivity of the secret key.
#### SAML ####
#idp.authn.SAML.order = 1000
#idp.authn.SAML.nonBrowserSupported = false
#idp.authn.SAML.passiveAuthenticationSupported = true
#idp.authn.SAML.forcedAuthenticationSupported = true
#idp.authn.SAML.proxyScopingEnforced = true
# Discovery options:
# Define shibboleth.authn.SAML.discoveryFunction bean
# Set proxyEntityID property
# Fall through to discovery via discoveryRequired property
#idp.authn.SAML.proxyEntityID = https://idp.example.org/idp/shibboleth
#idp.authn.SAML.discoveryRequired = true
# Generally left false with bidirectional mappings in
# conf/authn/authn-comparison.xml across the proxy boundary.
# Adjust as needed to reflect IdP's capabilities/support.
#idp.authn.SAML.addDefaultPrincipals = false
#idp.authn.SAML.supportedPrincipals = \
# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
# saml1/urn:oasis:names:tc:SAML:1.0:am:password
#### MFA ####
#idp.authn.MFA.order = 1000
#idp.authn.MFA.passiveAuthenticationSupported = true
#idp.authn.MFA.forcedAuthenticationSupported = true
#idp.authn.MFA.validateLoginTransitions = true
# The list below almost certainly requires changes, and should generally be the
# union of any of the separate factors you combine in your particular MFA flow
# rules. The example corresponds to the example in mfa-authn-config.xml that
# combines IPAddress with Password.
idp.authn.MFA.supportedPrincipals = \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
saml1/urn:oasis:names:tc:SAML:1.0:am:password
# Most actual setup via mfa-authn-config.xml

112
conf/authn/password-authn-config.xml Normal file
View File

@@ -0,0 +1,112 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
Ordered list of CredentialValidators to apply to a request.
The four supplied variants are shown below; the HTPasswd option
is an OOB default for demo account purposes, and you will
want to remove it after initial install and testing.
-->
<util:list id="shibboleth.authn.Password.Validators">
<ref bean="shibboleth.LDAPValidator" />
<!-- <ref bean="shibboleth.KerberosValidator" /> -->
<!-- <ref bean="shibboleth.JAASValidator" /> -->
<!-- <bean parent="shibboleth.HTPasswdValidator" p:resource="%{idp.home}/credentials/demo.htpasswd" /> -->
</util:list>
<!-- Apply any regular expression replacement pairs to username before validation. -->
<util:list id="shibboleth.authn.Password.Transforms">
<!--
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.org$" p:second="$1" />
-->
</util:list>
<!-- Uncomment to configure account lockout backed by in-memory storage. -->
<!--
<bean id="shibboleth.authn.Password.AccountLockoutManager"
parent="shibboleth.StorageBackedAccountLockoutManager"
p:maxAttempts="5"
p:counterInterval="PT5M"
p:lockoutDuration="PT5M"
p:extendLockoutDuration="false" />
-->
<!--
Define entries here to map error messages detected by validation actions and classify them as particular
kinds of errors for use in your templates and as events in flows.
Keys are events to signal, values are error codes.
-->
<util:map id="shibboleth.authn.Password.ClassifiedMessageMap">
<entry key="UnknownUsername">
<list>
<value>NoCredentials</value>
<value>UnknownUsername</value>
<value>CLIENT_NOT_FOUND</value>
<value>Client not found</value>
<value>Cannot get kdc for realm</value>
<value>Client not found in Kerberos database</value>
<value>DN_RESOLUTION_FAILURE</value>
<value>Cannot authenticate dn, invalid dn</value>
<value>Cannot authenticate dn, invalid credential</value>
<value>AcceptSecurityContext error, data 525</value>
</list>
</entry>
<entry key="InvalidPassword">
<list>
<value>InvalidCredentials</value>
<value>PREAUTH_FAILED</value>
<value>INVALID_CREDENTIALS</value>
<value>Checksum failed</value>
<value>Integrity check on decrypted field failed</value>
<value>Pre-authentication information was invalid</value>
<value>Key bytes cannot be null</value>
<value>AcceptSecurityContext error, data 52e</value>
</list>
</entry>
<entry key="AccountLocked">
<list>
<value>AccountLocked</value>
<value>Clients credentials have been revoked</value>
<value>AcceptSecurityContext error, data 775</value>
</list>
</entry>
<entry key="AccountDisabled">
<list>
<value>AcceptSecurityContext error, data 533</value>
</list>
</entry>
<entry key="ExpiredPassword">
<list>
<value>PASSWORD_EXPIRED</value>
<value>CLIENT KEY EXPIRED</value>
<value>AcceptSecurityContext error, data 532</value>
<value>AcceptSecurityContext error, data 773</value>
<value>AcceptSecurityContext error, data 701</value>
</list>
</entry>
<entry key="ExpiringPassword">
<list>
<value>ACCOUNT_WARNING</value>
</list>
</entry>
<entry key="RequestUnsupported">
<list>
<value>RequestUnsupported</value>
</list>
</entry>
</util:map>
</beans>

22
conf/c14n/subject-c14n-events-flow.xml Normal file
View File

@@ -0,0 +1,22 @@
<flow xmlns="http://www.springframework.org/schema/webflow"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
abstract="true">
<!-- ADVANCED USE ONLY -->
<!--
You can ignore this file unless you are creating your own custom c14n subflows that want to
report custom events in response to unusual error or warning conditions.
-->
<!-- Custom error events to reflect back from user-supplied c14n subflows. -->
<!-- <end-state id="MyCustomEvent" /> -->
<global-transitions>
<!-- <transition on="MyCustomEvent" to="MyCustomEvent" /> -->
<transition on="#{!'proceed'.equals(currentEvent.id)}" to="InvalidEvent" />
</global-transitions>
</flow>

40
conf/c14n/subject-c14n.properties Normal file
View File

@@ -0,0 +1,40 @@
# Properties that control the behavior of post-login subject c14n flows.
# A few more advanced settings require XML configuration, see flow-specific docs.
# Simple username -> principal name c14n
#idp.c14n.simple.lowercase = false
#idp.c14n.simple.uppercase = false
#idp.c14n.simple.trim = true
# Attribute resolution -> principal name c14n
#idp.c14n.attribute.lowercase = false
#idp.c14n.attribute.uppercase = false
#idp.c14n.attribute.trim = true
# Lists of attributes to resolve...
#idp.c14n.attribute.attributesToResolve =
# and then select a principal name from
#idp.c14n.attribute.attributeSourceIds =
# Allows direct use of attributes via SAML proxy authn, bypasses resolver
#idp.c14n.attribute.resolveFromSubject = false
#idp.c14n.attribute.resolutionCondition = shibboleth.Conditions.TRUE
# X.509 certificate -> principal name c14n
#idp.c14n.x500.lowercase = false
#idp.c14n.x500.uppercase = false
#idp.c14n.x500.trim = true
# Precedence is to check for a subjectAltName and then an OID RDN
# Comma-delimited list of subjectAltName type numbers
# (See https://tools.ietf.org/html/rfc5280#section-4.2.1.6)
#idp.c14n.x500.subjectAltNameTypes =
# Comma-delimited list of OIDS
#idp.c14n.x500.objectIDs =
# Proxied SAML NameID -> principal name c14n
#idp.c14n.saml.proxy.lowercase = false
#idp.c14n.saml.proxy.uppercase = false
# NameID consumption from SAML requests
#idp.c14n.saml.lowercase = false
#idp.c14n.saml.uppercase = false

151
conf/c14n/subject-c14n.xml Normal file
View File

@@ -0,0 +1,151 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- ========================= Java Subject -> Principal Mapping ========================= -->
<!--
These are lists of Subject Canonicalization flows that turn complex Subject data into a string-based
principal name that the rest of the IdP can operate on. They're used primarily after authentication
and also during less common operations like SAML attribute queries, to map the SAML Subject into a
principal name.
Flows are identified with an ID that corresponds to a Spring Web Flow subflow name.
Most of the simple settings that configure these flows are in subject-c14n.properties.
-->
<!--
====================================================================
Flows used after authentication to produce canonical principal name.
====================================================================
-->
<util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
<!--
This is an advanced post-login step that performs attribute resolution and then produces a username
from an attribute value. To enable universally, just uncomment, but if you want it to run under more
specific conditions, set an activationCondition property to a condition to apply.
-->
<!-- <bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" /> -->
<!--
This is an advanced option for use with SAML 2 proxy authentication to a second IdP that
derives the principal name semi-directly from the incoming NameID value. It is functionally
akin to the c14n/SAML2Transform flow for SAML Request scenarios, but separately defined so
a suitably restrictive format list and/or condition can be applied to it.
-->
<!-- <ref bean="c14n/SAML2ProxyTransform" /> -->
<!--
This is an alternative that handles Subjects containing an X500Principal object and
allows extraction from the DN.
-->
<ref bean="c14n/x500" />
<!--
This is the standard post-login step that returns a username derived from the login process. If you
have more complex needs such as mapping a certificate DN into a principal name, an alternative may
be required such as that above, but you can use this for simple transforms.
-->
<ref bean="c14n/simple" />
</util:list>
<!-- What SAML NameID formats do you want to support direct transformations for while proxying? -->
<util:list id="shibboleth.ProxyNameTransformFormats">
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</value>
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</value>
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</value>
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</value>
<value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</value>
</util:list>
<!--
Under what conditions should direct NameID mapping during proxying be allowed? By default, never.
Any condition can be used here; the example is suitable for enumerating a number of IdPs to allow.
-->
<bean id="shibboleth.ProxyNameTransformPredicate" parent="shibboleth.Conditions.ProxyAuthentication">
<constructor-arg name="collection">
<list>
<!-- <value>https://idp-proxy.example.org</value> -->
</list>
</constructor-arg>
</bean>
<!--
Regular expression transforms to apply to incoming proxied subject names. The default empty list just
echoes the name through unmodified.
-->
<util:list id="shibboleth.ProxyNameTransforms">
<!--
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.org$" p:second="$1" />
-->
</util:list>
<!--
=======================================================================
Flows used during SAML requests to reverse-map NameIdentifiers/NameIDs.
Below the list are some settings that might be useful to adjust.
=======================================================================
-->
<util:list id="shibboleth.SAMLSubjectCanonicalizationFlows">
<!-- The next four are for handling transient IDs (in-storage and stateless variants). -->
<ref bean="c14n/SAML2Transient" />
<ref bean="c14n/SAML2CryptoTransient" />
<ref bean="c14n/SAML1Transient" />
<ref bean="c14n/SAML1CryptoTransient" />
<!-- Handle a SAML 2 persistent ID, provided a stored strategy is in use. -->
<!-- <ref bean="c14n/SAML2Persistent" /> -->
<!--
Finally we have beans for decoding arbitrary SAML formats directly. By default, these are turned off,
having *no* circumstances for which they apply (see shibboleth.TransformNamePredicate below).
-->
<ref bean="c14n/SAML2Transform" />
<ref bean="c14n/SAML1Transform" />
</util:list>
<!-- What SAML NameID formats do you want to support direct transformations for? -->
<util:list id="shibboleth.NameTransformFormats">
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</value>
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</value>
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</value>
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</value>
<value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</value>
</util:list>
<!--
Under what conditions should direct NameID mapping be allowed? By default, never.
Any condition can be used here; the example is suitable for enumerating a number of SPs to allow.
-->
<bean id="shibboleth.NameTransformPredicate" parent="shibboleth.Conditions.RelyingPartyId">
<constructor-arg name="candidates">
<list>
<!-- <value>https://sp.example.org</value> -->
</list>
</constructor-arg>
</bean>
<!--
Regular expression transforms to apply to incoming subject names. The default empty list just
echoes the name through unmodified.
-->
<util:list id="shibboleth.NameTransforms">
<!--
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.org$" p:second="$1" />
-->
</util:list>
</beans>

68
conf/credentials.xml Normal file
View File

@@ -0,0 +1,68 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
NOTE: if you're using a legacy relying-party.xml file from a V2 configuration, this file is ignored.
This defines the signing and encryption key and certificate pairs referenced by your relying-party.xml
configuration. You don't normally need to touch this, unless you have advanced requirements such as
supporting multiple sets of keys for different relying parties, in which case you may want to define
all your credentials here for convenience.
-->
<!--
The list of ALL of your IdP's signing credentials. If you define additional signing credentials,
for example for specific relying parties or different key types, make sure to include them within this list.
-->
<util:list id="shibboleth.SigningCredentials">
<ref bean="shibboleth.DefaultSigningCredential" />
</util:list>
<!-- Your IdP's default signing key, set via property file. -->
<bean id="shibboleth.DefaultSigningCredential"
class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
p:privateKeyResource="%{idp.signing.key}"
p:certificateResource="%{idp.signing.cert}"
p:entityId-ref="entityID" />
<!-- Your IdP's default client TLS credential, by default the same as the default signing credential. -->
<alias alias="shibboleth.DefaultClientTLSCredential" name="shibboleth.DefaultSigningCredential" />
<!--
The list of ALL of your IdP's encryption credentials. By default this is just an alias
for 'shibboleth.DefaultEncryptionCredentials'. It could be re-defined as
a list with additional credentials if needed.
-->
<alias alias="shibboleth.EncryptionCredentials" name="shibboleth.DefaultEncryptionCredentials" />
<!-- Your IdP's default encryption (really decryption) keys, set via property file. -->
<util:list id="shibboleth.DefaultEncryptionCredentials">
<bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
p:privateKeyResource="%{idp.encryption.key}"
p:certificateResource="%{idp.encryption.cert}"
p:entityId-ref="entityID" />
<!--
For key rollover, uncomment and point to your original keypair, and use the one above
to point to your new keypair. Once metadata has propagated, comment this one out again.
-->
<!--
<bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
p:privateKeyResource="%{idp.encryption.key.2}"
p:certificateResource="%{idp.encryption.cert.2}"
p:entityId-ref="entityID" />
-->
</util:list>
</beans>

126
conf/errors.xml Normal file
View File

@@ -0,0 +1,126 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<bean id="shibboleth.DefaultErrorView" class="java.lang.String" c:_0="%{idp.errors.defaultView:error}" />
<!-- Map local events to alternate view templates. -->
<util:map id="shibboleth.EventViewMap">
<!-- <entry key="EventToChange" value="viewname" /> -->
</util:map>
<!--
Map of events to trap and handle with local views, without returning to SPs.
The map values are flags indicating whether to write an audit log record.
-->
<util:map id="shibboleth.LocalEventMap">
<entry key="ContextCheckDenied" value="true" />
<entry key="ImpersonationViolation" value="true" />
<entry key="AttributeReleaseRejected" value="true" />
<entry key="TermsRejected" value="true" />
<entry key="EndpointResolutionFailed" value="true" />
<entry key="RuntimeException" value="false" />
<entry key="InvalidEvent" value="false" />
<entry key="InvalidCSRFToken" value="false" />
<!--
<entry key="IdentitySwitch" value="false" />
<entry key="NoPotentialFlow" value="false" />
-->
</util:map>
<!-- Mappings of error events during requests to SAML status codes and SOAP fault codes. -->
<util:map id="shibboleth.SAML1StatusMappings">
<entry key="InvalidMessageVersion" value-ref="shibboleth.SAML1Status.VersionMismatch" />
<entry key="UnableToDecode" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="UnableToEncode" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="MessageReplay" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="MessageExpired" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="MessageAuthenticationError" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="RequestUnsupported" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="NoPassive" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="NoPotentialFlow" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="NoCredentials" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="InvalidCredentials" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="AccountError" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="IdentitySwitch" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="AuthenticationException" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="InvalidSubject" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="SubjectCanonicalizationError" value-ref="shibboleth.SAML1Status.Requester" />
</util:map>
<util:map id="shibboleth.SAML2StatusMappings">
<entry key="InvalidMessageVersion" value-ref="shibboleth.SAML2Status.VersionMismatch" />
<entry key="UnableToDecode" value-ref="shibboleth.SAML2Status.RequestUnsupported" />
<entry key="UnableToEncode" value-ref="shibboleth.SAML2Status.UnsupportedBinding" />
<entry key="AccessDenied" value-ref="shibboleth.SAML2Status.RequestDenied" />
<entry key="MessageReplay" value-ref="shibboleth.SAML2Status.RequestDenied" />
<entry key="MessageExpired" value-ref="shibboleth.SAML2Status.RequestDenied" />
<entry key="MessageAuthenticationError" value-ref="shibboleth.SAML2Status.RequestDenied" />
<entry key="RequestUnsupported" value-ref="shibboleth.SAML2Status.NoAuthnContext" />
<entry key="NoPassive" value-ref="shibboleth.SAML2Status.NoPassive" />
<entry key="NoPotentialFlow" value-ref="shibboleth.SAML2Status.AuthnFailed" />
<entry key="NoCredentials" value-ref="shibboleth.SAML2Status.AuthnFailed" />
<entry key="InvalidCredentials" value-ref="shibboleth.SAML2Status.AuthnFailed" />
<entry key="AccountError" value-ref="shibboleth.SAML2Status.AuthnFailed" />
<entry key="IdentitySwitch" value-ref="shibboleth.SAML2Status.AuthnFailed" />
<entry key="AuthenticationException" value-ref="shibboleth.SAML2Status.AuthnFailed" />
<entry key="InvalidSubject" value-ref="shibboleth.SAML2Status.UnknownPrincipal" />
<entry key="SubjectCanonicalizationError" value-ref="shibboleth.SAML2Status.UnknownPrincipal" />
<entry key="SessionNotFound" value-ref="shibboleth.SAML2Status.UnknownPrincipal" />
<entry key="InvalidNameIDPolicy" value-ref="shibboleth.SAML2Status.InvalidNameIDPolicy" />
<entry key="ProxyCountExceeded" value-ref="shibboleth.SAML2Status.ProxyCountExceeded" />
<entry key="ChannelBindingsError" value-ref="shibboleth.SAML2Status.ChannelBindingsError" />
</util:map>
<util:map id="shibboleth.SOAPFaultCodeMappings">
<entry key="InvalidMessageVersion" value-ref="shibboleth.SOAP.VersionMismatch" />
<entry key="UnableToDecode" value-ref="shibboleth.SOAP.Client" />
<entry key="MessageReplay" value-ref="shibboleth.SOAP.Client" />
<entry key="MessageExpired" value-ref="shibboleth.SOAP.Client" />
<entry key="MessageAuthenticationError" value-ref="shibboleth.SOAP.Client" />
<entry key="RequestUnsupported" value-ref="shibboleth.SOAP.Client" />
<entry key="NoPassive" value-ref="shibboleth.SOAP.Client" />
<entry key="NoPotentialFlow" value-ref="shibboleth.SOAP.Client" />
<entry key="NoCredentials" value-ref="shibboleth.SOAP.Client" />
<entry key="InvalidCredentials" value-ref="shibboleth.SOAP.Client" />
<entry key="AccountError" value-ref="shibboleth.SOAP.Client" />
<entry key="AuthenticationException" value-ref="shibboleth.SOAP.Client" />
<entry key="InvalidSubject" value-ref="shibboleth.SOAP.Client" />
<entry key="SubjectCanonicalizationError" value-ref="shibboleth.SOAP.Client" />
<entry key="InvalidNameIDPolicy" value-ref="shibboleth.SOAP.Client" />
<entry key="ChannelBindingsError" value-ref="shibboleth.SOAP.Client" />
</util:map>
</beans>

107
conf/examples/attribute-resolver-ldap.xml Normal file
View File

@@ -0,0 +1,107 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is an EXAMPLE configuration file containing some example attributes
based on some commonly used approaches when LDAP is the principal data source.
Not all attribute definitions or data connectors are demonstrated, but some
LDAP attributes common to Shibboleth deployments (and some not so common) are
included.
This example is in no way usable as a substitute for reading the documentation.
-->
<AttributeResolver
xmlns="urn:mace:shibboleth:2.0:resolver"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
<!-- ========================================== -->
<!-- Attribute Definitions -->
<!-- ========================================== -->
<!-- Simple attributes are exported directly from the LDAP connector. -->
<!-- eduPerson attributes requiring post-lookup manipulation -->
<!--
<AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName">
<InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName"/>
</AttributeDefinition>
<AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalNamePrior">
<InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalNamePrior"/>
</AttributeDefinition>
<AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}">
<InputDataConnector ref="myLDAP" attributeNames="eduPersonAffiliation"/>
</AttributeDefinition>
-->
<!-- Schema: SAML Subject ID Attributes -->
<!--
<AttributeDefinition xsi:type="Scoped" id="samlSubjectID" scope="%{idp.scope}">
<InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}"/>
</AttributeDefinition>
<AttributeDefinition xsi:type="Scoped" id="samlPairwiseID" scope="%{idp.scope}">
<InputDataConnector ref="computed" attributeNames="computedId"/>
</AttributeDefinition>
-->
<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->
<!-- Example LDAP Connector -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
principal="%{idp.attribute.resolver.LDAP.bindDN}"
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
connectionStrategy="%{idp.attribute.resolver.LDAP.connectionStrategy}"
noResultIsError="true"
multipleResultsIsError="true"
excludeResolutionPhases="c14n/attribute"
exportAttributes="mail displayName sn givenName departmentNumber employeeNumber eduPersonEntitlement eduPersonAssurance">
<FilterTemplate>
<![CDATA[
%{idp.attribute.resolver.LDAP.searchFilter}
]]>
</FilterTemplate>
<ConnectionPool
minPoolSize="%{idp.pool.LDAP.minSize:3}"
maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
validateDN="%{idp.pool.LDAP.validateDN:}"
validateOnCheckout="%{idp.pool.LDAP.validateOnCheckout:false}"
validateFilter="%{idp.pool.LDAP.validateFilter:(objectClass=*)}"
prunePeriod="%{idp.pool.LDAP.prunePeriod:PT5M}"
expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"/>
</DataConnector>
<!--
DataConnector for pairwise-id (example depends in part on saml-nameid.properties).
Note that this relies on BASE32 encoding in accordance with the attribute definition.
Older uses of this plugin for legacy eduPersonTargetedID/NameID values may require
different settings.
-->
<!--
<DataConnector id="computed" xsi:type="ComputedId"
excludeResolutionPhases="c14n/attribute"
generatedAttributeID="computedId"
salt="%{idp.persistentId.salt}"
algorithm="%{idp.persistentId.algorithm:SHA}"
encoding="BASE32">
<InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" />
</DataConnector>
-->
</AttributeResolver>

52
conf/global.xml Normal file
View File

@@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- Use this file to define any custom beans needed globally. -->
<!--
Algorithm include/exclude sets that override or merge with library defaults. Normally you can leave these
empty or commented and use the system defaults, but you can override those defaults using these beans.
Each <value> element is an algorithm URI; you can also use <util:constant> elements in place of literal values.
-->
<!--
<util:set id="shibboleth.IncludedSignatureAlgorithms">
</util:set>
<util:set id="shibboleth.ExcludedSignatureAlgorithms">
</util:set>
<util:set id="shibboleth.IncludedEncryptionAlgorithms">
</util:set>
<util:set id="shibboleth.ExcludedEncryptionAlgorithms">
</util:set>
-->
<!--
If you need to define and inject custom Java object(s) into the various views used throughout the
system (errors, login, logout, etc.), you can uncomment and define the bean below to be of any
type required. It will appear in the view scope as a variable named "custom".
The example below defines the bean as a map, which allows you to inject multiple objects under
named keys to expand the feature to support multiple injected objects.
-->
<!--
<util:map id="shibboleth.CustomViewContext">
<entry key="foo" value="bar"/>
</util:map>
-->
</beans>

244
conf/idp.properties Normal file
View File

@@ -0,0 +1,244 @@
# Auto-load all files matching conf/**/*.properties
# Disable if you want to manually maintain a list of sources.
idp.searchForProperties=true
# Load any "outside-tree" property sources from a comma-delimited list
idp.additionalProperties=/credentials/secrets.properties
# In most cases (and unless noted in the surrounding comments) the
# commented settings in the distributed files document default behavior.
# Uncomment them and change the value to change functionality.
#
# Uncommented properties are either required or ship non-defaulted.
# Set the entityID of the IdP
idp.entityID=https://idp-cluster.mafoo.org.uk/idp/storedid
# Set the file path which backs the IdP's own metadata publishing endpoint at /shibboleth.
# Set to empty value to disable and return a 404.
#idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml
# Set the scope used in the attribute resolver for scoped attributes
idp.scope=dev.mafoo.org.uk
# General cookie properties (maxAge only applies to persistent cookies)
#idp.cookie.secure = true
#idp.cookie.httpOnly = true
#idp.cookie.domain =
#idp.cookie.path =
#idp.cookie.maxAge = 31536000
# These control operation of the SameSite filter, which is off by default.
#idp.cookie.sameSite = None
#idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE
# Enable cross-site request forgery mitigation for views.
idp.csrf.enabled=true
# Name of the HTTP parameter that stores the CSRF token.
#idp.csrf.token.parameter = csrf_token
# HSTS/CSP response headers
#idp.hsts = max-age=0
# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing
#idp.frameoptions = DENY
# Content-Security-Policy value, set to match X-Frame-Options default
#idp.csp = frame-ancestors 'none';
# Set the location of user-supplied web flow definitions
#idp.webflows = %{idp.home}/flows
# Set the location of Velocity view templates
#idp.views = %{idp.home}/views
# Do we fail on velocity "syntax errors"
#idp.velocity.runtime.strictmode=false
# Settings for internal AES encryption key
#idp.sealer.keyStrategy = shibboleth.DataSealerKeyStrategy
#idp.sealer.storeType = JCEKS
#idp.sealer.updateInterval = PT15M
#idp.sealer.aliasBase = secret
idp.sealer.storeResource=%{idp.home}/credentials/sealer.jks
idp.sealer.versionResource=%{idp.home}/credentials/sealer.kver
# Settings for public/private signing and encryption key(s)
# During decryption key rollover, point the ".2" properties at a second
# keypair, uncomment in credentials.xml, then publish it in your metadata.
idp.signing.key=%{idp.home}/credentials/idp-signing.key
idp.signing.cert=%{idp.home}/credentials/idp-signing.crt
idp.encryption.key=%{idp.home}/credentials/idp-encryption.key
idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
# Sets the bean ID to use as a default security configuration set
#idp.security.config = shibboleth.DefaultSecurityConfiguration
# To downgrade to SHA-1, set to shibboleth.SigningConfiguration.SHA1
#idp.signing.config = shibboleth.SigningConfiguration.SHA256
# The new install default for encryption is now AES-GCM.
idp.encryption.config=shibboleth.EncryptionConfiguration.GCM
# Sets the default strategy for key agreement key wrap usage for credentials from metadata,
# if not otherwise configured on the security configuration
#idp.encryption.keyagreement.metadata.defaultUseKeyWrap = Default
# Configures trust evaluation of keys used by services at runtime
# Internal default is Chaining, overriden for new installs
idp.trust.signatures=shibboleth.ExplicitKeySignatureTrustEngine
# Other options:
# shibboleth.ChainingSignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
idp.trust.certificates=shibboleth.ExplicitKeyX509TrustEngine
# Other options:
# shibboleth.ChainingX509TrustEngine, shibboleth.PKIXX509TrustEngine
# If true, encryption will happen whenever a key to use can be located, but
# failure to encrypt won't result in request failure.
#idp.encryption.optional = false
# Configuration of client- and server-side storage plugins
#idp.storage.cleanupInterval = PT10M
idp.storage.htmlLocalStorage=true
#idp.storage.clientSessionStorageName = shib_idp_session_ss
#idp.storage.clientPersistentStorageName = shib_idp_persistent_ss
# Set to true to expose more detailed errors in responses to SPs
#idp.errors.detailed = false
# Set to false to skip signing of SAML response messages that signal errors
#idp.errors.signed = true
# Name of bean containing a list of Java exception classes to ignore
#idp.errors.excludedExceptions = ExceptionClassListBean
# Name of bean containing a property set mapping exception names to views
#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
# Set if a different default view name for events and exceptions is needed
#idp.errors.defaultView = error
# Set to false to disable the IdP session layer
#idp.session.enabled = true
# Set to "shibboleth.StorageService" for server-side storage of user sessions
#idp.session.StorageService = shibboleth.ClientSessionStorageService
# Name of cookie used for session
#idp.session.cookieName = shib_idp_session
# Size of session IDs
#idp.session.idSize = 32
# Bind sessions to IP addresses
#idp.session.consistentAddress = true
# Inactivity timeout
#idp.session.timeout = PT60M
# Extra time to store sessions for logout
#idp.session.slop = PT0S
# Tolerate storage-related errors
#idp.session.maskStorageFailure = false
# Track information about SPs logged into
idp.session.trackSPSessions=true
# Support lookup by SP for SAML logout
idp.session.secondaryServiceIndex=true
# Length of time to track SP sessions
#idp.session.defaultSPlifetime = PT2H
# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
# Default consent auditing formats
#idp.consent.terms-of-use.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA
#idp.consent.attribute-release.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA
# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
# to key user consent storage records (and set the attribute name)
#idp.consent.attribute-release.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
#idp.consent.attribute-release.userStorageKeyAttribute = uid
#idp.consent.terms-of-use.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
#idp.consent.terms-of-use.userStorageKeyAttribute = uid
# Suffix of message property used as value of consent storage records when idp.consent.compareValues is true.
# Defaults to text displayed to the user.
#idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text
# Flags controlling how built-in attribute consent feature operates
#idp.consent.allowDoNotRemember = true
#idp.consent.allowGlobal = true
#idp.consent.allowPerAttribute = false
# Whether attribute values and terms of use text are compared
#idp.consent.compareValues = false
# Maximum number of consent records for space-limited storage (e.g. cookies)
#idp.consent.maxStoredRecords = 10
# Maximum number of consent records for larger/server-side storage (0 = no limit)
#idp.consent.expandedMaxStoredRecords = 0
# Time in milliseconds to expire consent storage records.
# Leave commented out for the default of infinite
#idp.consent.storageRecordLifetime =
# Path to use with External interceptor flow
#idp.intercept.External.externalPath = contextRelative:intercept.jsp
# Policies to use with Impersonate interceptor flow
#idp.impersonate.generalPolicy = GeneralImpersonationPolicy
#idp.impersonate.specificPolicy = SpecificImpersonationPolicy
# Picks outbound bindings more sensibly than based on metadata order
idp.bindings.inMetadataOrder=false
# Whether to lookup metadata, etc. for every SP involved in a logout
# for use by user interface logic; adds overhead so off by default.
#idp.logout.elaboration = false
# Whether to require logout requests/responses be signed/authenticated.
#idp.logout.authenticated = true
# Whether to handle logout lacking response endpoonts as asynchronous.
#idp.logout.assumeAsync = false
# Whether to hide logout propagation status reporting.
#idp.logout.propagationHidden = false
# Bean to determine whether user should be allowed to cancel logout
#idp.logout.promptUser=shibboleth.Conditions.FALSE
# Message freshness and replay cache tuning
#idp.policy.messageLifetime = PT3M
#idp.policy.assertionLifetime = PT3M
#idp.policy.clockSkew = PT3M
# Set to custom bean for alternate storage of replay cache
#idp.replayCache.StorageService = shibboleth.StorageService
#idp.replayCache.strict = true
# Toggles whether to allow outbound messages via SAML artifact
#idp.artifact.enabled = true
# Suppresses typical signing/encryption when artifact binding used
#idp.artifact.secureChannel = true
# May differ to direct SAML 2 artifact lookups to specific server nodes
#idp.artifact.endpointIndex = 2
# Set to custom bean for alternate storage of artifact map state
#idp.artifact.StorageService = shibboleth.StorageService
# Comma-delimited languages to use if not match can be found with the
# browser-supported languages, defaults to an empty list.
idp.ui.fallbackLanguages=en,fr,de
# Storage service used by CAS protocol for chained proxy-granting tickets
# and when using server-managed "simple" TicketService.
# Defaults to shibboleth.StorageService (in-memory)
# MUST be server-side storage (e.g. in-memory, memcached, database)
#idp.cas.StorageService=shibboleth.StorageService
# CAS service registry implementation class
#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry
# If true, CAS services provisioned with SAML metadata are identified via entityID
#idp.cas.relyingPartyIdFromMetadata=false
# F-TICKS auditing - set a salt to include hashed username
#idp.fticks.federation = MyFederation
#idp.fticks.condition = MyFTICKSCondition
#idp.fticks.algorithm = SHA-256
#idp.fticks.salt = somethingsecret
#idp.fticks.loghost = localhost
#idp.fticks.logport = 514
# Set false if you want SAML bindings "spelled out" in audit log
idp.audit.shortenBindings=true

20
conf/intercept/intercept-events-flow.xml Normal file
View File

@@ -0,0 +1,20 @@
<flow xmlns="http://www.springframework.org/schema/webflow"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
abstract="true">
<!-- ADVANCED USE ONLY -->
<!--
You can ignore this file unless you are creating your own custom intercept subflows that want to
report custom events in response to unusual conditions.
-->
<!-- <end-state id="MyCustomEvent" /> -->
<global-transitions>
<!-- <transition on="MyCustomEvent" to="MyCustomEvent" /> -->
<transition on="#{!'proceed'.equals(currentEvent.id)}" to="InvalidEvent" />
</global-transitions>
</flow>

67
conf/ldap.properties Normal file
View File

@@ -0,0 +1,67 @@
# LDAP authentication (and possibly attribute resolver) configuration
# Note, this doesn't apply to the use of JAAS authentication via LDAP
## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
#idp.authn.LDAP.authenticator = anonSearchAuthenticator
## Connection properties ##
idp.authn.LDAP.ldapURL = ldap://localhost:10389
#idp.authn.LDAP.useStartTLS = true
# Time in milliseconds that connects will block
#idp.authn.LDAP.connectTimeout = PT3S
# Time in milliseconds to wait for responses
#idp.authn.LDAP.responseTimeout = PT3S
# Connection strategy to use when multiple URLs are supplied, either ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM
#idp.authn.LDAP.connectionStrategy = ACTIVE_PASSIVE
## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
#idp.authn.LDAP.sslConfig = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
## Return attributes during authentication
idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining
## DN resolution properties ##
# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
# for AD: CN=Users,DC=example,DC=org
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
#idp.authn.LDAP.subtreeSearch = false
idp.authn.LDAP.userFilter = (uid={user})
# bind search configuration
# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
idp.authn.LDAP.bindDN = uid=myservice,ou=system
# Format DN resolution, used by directAuthenticator, adAuthenticator
# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=org
# pool passivator, either none, bind or anonymousBind
#idp.authn.LDAP.bindPoolPassivator = none
# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver configurations
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout:PT3S}
idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout:PT3S}
idp.attribute.resolver.LDAP.connectionStrategy = %{idp.authn.LDAP.connectionStrategy:ACTIVE_PASSIVE}
idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined}
idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)
# LDAP pool configuration, used for both authn and DN resolution
#idp.pool.LDAP.minSize = 3
#idp.pool.LDAP.maxSize = 10
#idp.pool.LDAP.validateOnCheckout = false
#idp.pool.LDAP.validatePeriodically = true
#idp.pool.LDAP.validatePeriod = PT5M
#idp.pool.LDAP.validateDN =
#idp.pool.LDAP.validateFilter = (objectClass=*)
#idp.pool.LDAP.prunePeriod = PT5M
#idp.pool.LDAP.idleTime = PT10M
#idp.pool.LDAP.blockWaitTime = PT3S

192
conf/logback.xml Normal file
View File

@@ -0,0 +1,192 @@
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<!--
Variables for simplifying logging configuration.
http://logback.qos.ch/manual/configuration.html#variableSubstitution
-->
<!--
If you want to use custom properties in this config file,
we load the main property file for you.
-->
<variable file="${idp.home}/conf/idp.properties" />
<!-- Location and retention. -->
<variable name="idp.logfiles" value="${idp.logfiles:-${idp.home}/logs}" />
<variable name="idp.loghistory" value="${idp.loghistory:-180}" />
<!-- Much higher performance if you operate on DEBUG. -->
<!-- <variable name="idp.process.appender" value="ASYNC_PROCESS" /> -->
<!-- Logging level shortcuts. -->
<variable name="idp.loglevel.idp" value="${idp.loglevel.idp:-INFO}" />
<variable name="idp.loglevel.ldap" value="${idp.loglevel.ldap:-WARN}" />
<variable name="idp.loglevel.messages" value="${idp.loglevel.messages:-INFO}" />
<variable name="idp.loglevel.encryption" value="${idp.loglevel.encryption:-INFO}" />
<variable name="idp.loglevel.opensaml" value="${idp.loglevel.opensaml:-INFO}" />
<variable name="idp.loglevel.props" value="${idp.loglevel.props:-INFO}" />
<variable name="idp.loglevel.httpclient" value="${idp.loglevel.httpclient:-INFO}" />
<!-- Don't turn these up unless you want a *lot* of noise. -->
<variable name="idp.loglevel.spring" value="${idp.loglevel.spring:-ERROR}" />
<variable name="idp.loglevel.container" value="${idp.loglevel.container:-ERROR}" />
<variable name="idp.loglevel.xmlsec" value="${idp.loglevel.xmlsec:-INFO}" />
<!-- =========================================================== -->
<!-- ============== Logging Categories and Levels ============== -->
<!-- =========================================================== -->
<!-- Logs IdP, but not OpenSAML, messages -->
<logger name="net.shibboleth.idp" level="${idp.loglevel.idp}"/>
<!-- Logs OpenSAML, but not IdP, messages -->
<logger name="org.opensaml.saml" level="${idp.loglevel.opensaml}"/>
<!-- Logs LDAP related messages -->
<logger name="org.ldaptive" level="${idp.loglevel.ldap}"/>
<!-- Logs embedded HTTP client messages -->
<logger name="org.apache.http" level="${idp.loglevel.httpclient}"/>
<!-- Logs inbound and outbound protocols messages at DEBUG level -->
<logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages}" />
<!-- Logs unencrypted SAML at DEBUG level -->
<logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption}" />
<logger name="org.opensaml.saml.saml2.encryption.Decrypter" level="${idp.loglevel.encryption}" />
<!-- Logs system properties during startup at DEBUG level -->
<logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props}" />
<!-- Especially chatty. -->
<logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec}" />
<logger name="org.springframework" level="${idp.loglevel.spring}"/>
<logger name="org.apache.catalina" level="${idp.loglevel.container}"/>
<logger name="org.eclipse.jetty" level="${idp.loglevel.container}"/>
<!-- =========================================================== -->
<!-- ============== Low Level Details or Changes =============== -->
<!-- =========================================================== -->
<!-- Process log. -->
<appender name="IDP_PROCESS" class="ch.qos.logback.core.rolling.RollingFileAppender">
<File>${idp.logfiles}/idp-process.log</File>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
<maxHistory>${idp.loghistory}</maxHistory>
</rollingPolicy>
<encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
<charset>UTF-8</charset>
<Pattern>%date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
</encoder>
<!-- Ignore Velocity status page error. -->
<filter class="ch.qos.logback.core.filter.EvaluatorFilter">
<evaluator>
<matcher>
<Name>VelocityStatusMatcher</Name>
<regex>ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\.</regex>
</matcher>
<expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
</evaluator>
<OnMatch>DENY</OnMatch>
</filter>
</appender>
<appender name="ASYNC_PROCESS" class="ch.qos.logback.classic.AsyncAppender">
<appender-ref ref="IDP_PROCESS" />
<discardingThreshold>0</discardingThreshold>
</appender>
<appender name="IDP_WARN" class="ch.qos.logback.core.rolling.RollingFileAppender">
<!-- Suppress anything below WARN. -->
<filter class="ch.qos.logback.classic.filter.ThresholdFilter">
<level>WARN</level>
</filter>
<File>${idp.logfiles}/idp-warn.log</File>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
<maxHistory>${idp.loghistory}</maxHistory>
</rollingPolicy>
<encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
<charset>UTF-8</charset>
<Pattern>%date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{full}</Pattern>
</encoder>
<!-- Ignore Velocity status page error. -->
<filter class="ch.qos.logback.core.filter.EvaluatorFilter">
<evaluator>
<matcher>
<Name>VelocityStatusMatcher</Name>
<regex>ResourceManager\s*: unable to find resource 'status\.vm' in any resource loader\.</regex>
</matcher>
<expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
</evaluator>
<OnMatch>DENY</OnMatch>
</filter>
</appender>
<!-- Audit log. -->
<appender name="IDP_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
<File>${idp.logfiles}/idp-audit.log</File>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
<maxHistory>${idp.loghistory}</maxHistory>
</rollingPolicy>
<encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
<charset>UTF-8</charset>
<Pattern>%msg%n</Pattern>
</encoder>
</appender>
<!-- Consent audit log. -->
<appender name="IDP_CONSENT_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
<File>${idp.logfiles}/idp-consent-audit.log</File>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
<maxHistory>${idp.loghistory}</maxHistory>
</rollingPolicy>
<encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
<charset>UTF-8</charset>
<Pattern>%msg%n</Pattern>
</encoder>
</appender>
<!-- F-TICKS syslog destination. -->
<appender name="IDP_FTICKS" class="ch.qos.logback.classic.net.SyslogAppender">
<syslogHost>${idp.fticks.loghost:-localhost}</syslogHost>
<port>${idp.fticks.logport:-514}</port>
<facility>AUTH</facility>
<suffixPattern>[%thread] %logger %msg</suffixPattern>
</appender>
<logger name="Shibboleth-Audit" level="ALL">
<appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/>
</logger>
<logger name="Shibboleth-FTICKS" level="ALL" additivity="false">
<appender-ref ref="${idp.fticks.appender:-IDP_FTICKS}"/>
</logger>
<logger name="Shibboleth-Consent-Audit" level="ALL">
<appender-ref ref="${idp.consent.appender:-IDP_CONSENT_AUDIT}"/>
</logger>
<root level="${idp.loglevel.root:-INFO}">
<appender-ref ref="${idp.process.appender:-IDP_PROCESS}"/>
<appender-ref ref="${idp.warn.appender:-IDP_WARN}" />
</root>
</configuration>

89
conf/metadata-providers.xml Normal file
View File

@@ -0,0 +1,89 @@
<?xml version="1.0" encoding="UTF-8"?>
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
xmlns:security="urn:mace:shibboleth:2.0:security"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:ds11="http://www.w3.org/2009/xmldsig11#"
xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
xmlns:enc11="http://www.w3.org/2009/xmlenc11#"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
urn:oasis:names:tc:SAML:2.0:assertion http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd
urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd
urn:oasis:names:tc:SAML:metadata:algsupport http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-algsupport-v1.0.xsd
http://www.w3.org/2000/09/xmldsig# http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
http://www.w3.org/2009/xmldsig11# http://www.w3.org/TR/2013/REC-xmldsig-core1-20130411/xmldsig11-schema.xsd
http://www.w3.org/2001/04/xmlenc# http://www.w3.org/TR/xmlenc-core/xenc-schema.xsd
http://www.w3.org/2009/xmlenc11# http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/xenc-schema-11.xsd"
sortKey="1">
<!--
Below you place the mechanisms which define how to load the metadata for SP(s) you will
provide service to.
Some simple examples are provided. The documentation provides more details; in most cases,
the modern replacement for these older plugins are the "DynamicHTTPMetadataProvider" and
"LocalDynamic" variants, which provide dramatic memory savings and more reliable operation.
NOTE: You do NOT need to load metadata for this IdP itself within this configuration.
-->
<!--
Example HTTP metadata provider. Use this if you want to download the metadata
from a remote source.
You *MUST* provide the SignatureValidationFilter in order to function securely.
Get the public key certificate from the party publishing the metadata, and validate
it with them via some out of band mechanism (e.g., a fingerprint on a secure page).
The EntityRole filter saves memory by only loading metadata from SAML roles
that the IdP needs to interoperate with.
-->
<!--
<MetadataProvider id="HTTPMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
metadataURL="http://WHATEVER"
failFastInitialization="false">
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
<MetadataFilter xsi:type="EntityRole">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>
-->
<!--
Example file metadata provider. Use this if you want to load metadata
from a local file. You use this if you have some local SPs which are not
"federated" but you wish to offer a service to.
If you do not provide a SignatureValidation filter, then you have the
responsibility to ensure that the contents on disk are trustworthy.
-->
<!--
<MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
-->
<!--
Example CAS metadata source for managing CAS services using SAML metadata.
-->
<!--
<MetadataProvider id="CASMetadata"
xsi:type="FilesystemMetadataProvider"
metadataFile="PATH_TO_YOUR_METADATA"
indexesRef="shibboleth.CASMetadataIndices" />
-->
</MetadataProvider>

72
conf/relying-party.xml Normal file
View File

@@ -0,0 +1,72 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
Unverified RP configuration, defaults to no support for any profiles. Add <ref> elements to the list
to enable specific default profile settings (as below), or create new beans inline to override defaults.
"Unverified" typically means the IdP has no metadata, or equivalent way of assuring the identity and
legitimacy of a requesting system. To run an "open" IdP, you can enable profiles here.
-->
<bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
<property name="profileConfigurations">
<list>
<!-- <bean parent="SAML2.SSO" p:encryptAssertions="false" /> -->
</list>
</property>
</bean>
<!-- Default configuration, with default settings applied for all profiles. -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
<property name="profileConfigurations">
<list>
<!-- SAML 1.1 and SAML 2.0 AttributeQuery are disabled by default. -->
<!--
<bean parent="Shibboleth.SSO" />
<ref bean="SAML1.AttributeQuery" />
<ref bean="SAML1.ArtifactResolution" />
-->
<bean parent="SAML2.SSO" />
<ref bean="SAML2.ECP" />
<ref bean="SAML2.Logout" />
<!--
<ref bean="SAML2.AttributeQuery" />
-->
<ref bean="SAML2.ArtifactResolution" />
<ref bean="Liberty.SSOS" />
</list>
</property>
</bean>
<!-- Container for any overrides you want to add. -->
<util:list id="shibboleth.RelyingPartyOverrides">
<!--
Override example that identifies a single RP by name and configures it
for SAML 2 SSO without encryption. This is a common "vendor" scenario.
-->
<!--
<bean id="ExampleSP" parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org">
<property name="profileConfigurations">
<list>
<bean parent="SAML2.SSO" p:encryptAssertions="false" />
</list>
</property>
</bean>
-->
</util:list>
</beans>

31
conf/saml-nameid.properties Normal file
View File

@@ -0,0 +1,31 @@
# Properties involving SAML NameIdentifier/NameID generation/consumption
# For the most part these settings only deal with "transient" and "persistent"
# identifiers. See saml-nameid.xml and c14n/subject-c14n.xml for advanced
# settings
# Default NameID Formats to use when nothing else is called for.
# Don't change these just to change the Format used for a single SP!
#idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
#idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier
# Set to shibboleth.StoredTransientIdGenerator for server-side transient ID storage
#idp.transientId.generator = shibboleth.CryptoTransientIdGenerator
# Persistent IDs can be computed on the fly with a hash, or managed in a database
# For computed IDs, set a source attribute, and a secret salt in secrets.properties
#idp.persistentId.sourceAttribute = changethistosomethingreal
#idp.persistentId.useUnfilteredAttributes = true
#idp.persistentId.algorithm = SHA
# BASE64 will match V2 values, we recommend BASE32 encoding for new installs.
idp.persistentId.encoding = BASE32
# To use a database, use shibboleth.StoredPersistentIdGenerator
#idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
# For basic use, set this to a JDBC DataSource bean name:
#idp.persistentId.dataSource = PersistentIdDataSource
# Controls which JDBC error codes are treated as retryable
#idp.persistentId.retryableErrors = 23000,23505
# Set to an empty property to skip hash-based generation of first stored ID
#idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator

64
conf/saml-nameid.xml Normal file
View File

@@ -0,0 +1,64 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- ========================= SAML NameID Generation ========================= -->
<!--
These generator lists handle NameID/Nameidentifier generation going forward. By default,
transient IDs for both SAML versions are enabled. The commented examples are for persistent IDs
and generating more one-off formats based on resolved attributes. The suggested approach is to
control their use via release of the underlying source attribute in the filter policy rather
than here, but you can set a property on any generator called "activationCondition" to limit
use in the most generic way.
Most of the relevant configuration settings are controlled using properties; an exception is
the generation of arbitrary/custom formats based on attribute information, examples of which
are shown below.
-->
<!-- SAML 2 NameID Generation -->
<util:list id="shibboleth.SAML2NameIDGenerators">
<ref bean="shibboleth.SAML2TransientGenerator" />
<!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
<!--
<ref bean="shibboleth.SAML2PersistentGenerator" />
-->
<!--
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:omitQualifiers="true"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'mail'} }" />
-->
</util:list>
<!-- SAML 1 NameIdentifier Generation -->
<util:list id="shibboleth.SAML1NameIdentifierGenerators">
<ref bean="shibboleth.SAML1TransientGenerator" />
<!--
<bean parent="shibboleth.SAML1AttributeSourcedGenerator"
p:omitQualifiers="true"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'mail'} }" />
-->
</util:list>
</beans>

83
conf/services.properties Normal file
View File

@@ -0,0 +1,83 @@
# Configure the resources to load for various services,
# and the settings for failure handling and auto-reload.
# failFast=true prevents IdP startup if a configuration is bad
# checkInterval = PT0S means never reload (this is the default)
# Global default for fail-fast behavior of most subsystems
# with individual override possible below.
#idp.service.failFast = false
#idp.service.logging.resource = %{idp.home}/conf/logback.xml
#idp.service.logging.failFast = true
idp.service.logging.checkInterval = PT5M
#idp.service.relyingparty.resources = shibboleth.RelyingPartyResolverResources
#idp.service.relyingparty.failFast = false
idp.service.relyingparty.checkInterval = PT15M
# See MetadataDrivenConfiguration wiki topic for details
idp.service.relyingparty.ignoreUnmappedEntityAttributes=true
#idp.service.metadata.resources = shibboleth.MetadataResolverResources
#idp.service.metadata.failFast = false
#idp.service.metadata.checkInterval = PT0S
# Set to false if not using ByReference MetadataFilters for a small perf gain
#idp.service.metadata.enableByReferenceFilters = true
#idp.service.attribute.registry.resources = shibboleth.AttributeRegistryResources
#idp.service.attribute.registry.failFast = false
idp.service.attribute.registry.checkInterval = PT15M
# Default control of whether to encode XML attribute data with xsi:type
idp.service.attribute.registry.encodeType = false
#idp.service.attribute.resolver.resources = shibboleth.AttributeResolverResources
#idp.service.attribute.resolver.failFast = false
idp.service.attribute.resolver.checkInterval = PT15M
#idp.service.attribute.resolver.maskFailures = true
#idp.service.attribute.resolver.stripNulls = false
#idp.service.attribute.resolver.suppressDisplayInfo = true
#idp.service.attribute.filter.resources = shibboleth.AttributeFilterResources
# NOTE: Failing the filter fast leaves no filters enabled.
#idp.service.attribute.filter.failFast = false
idp.service.attribute.filter.checkInterval = PT15M
#idp.service.attribute.filter.maskFailures = true
#idp.service.nameidGeneration.resources = shibboleth.NameIdentifierGenerationResources
#idp.service.nameidGeneration.failFast = false
idp.service.nameidGeneration.checkInterval = PT15M
#idp.service.access.resources = shibboleth.AccessControlResources
#idp.service.access.failFast = true
idp.service.access.checkInterval = PT5M
#idp.service.cas.registry.resources = shibboleth.CASServiceRegistryResources
#idp.service.cas.registry.failFast = false
idp.service.cas.registry.checkInterval = PT15M
#idp.service.managedBean.resources = shibboleth.ManagedBeanResources
#idp.service.managedBean.failFast = false
idp.service.managedBean.checkInterval = PT15M
#idp.message.resources = shibboleth.MessageSourceResources
#idp.message.cacheSeconds = 300
# These settings impact the behavior of the internal HTTP Client used by default
# with some internal components, but notably *not* for metadata acquisition.
#idp.httpclient.useSecurityEnhancedTLSSocketFactory = false
#idp.httpclient.connectionDisregardTLSCertificate = false
#idp.httpclient.connectionRequestTimeout = PT1M
#idp.httpclient.connectionTimeout = PT1M
#idp.httpclient.socketTimeout = PT1M
#idp.httpclient.maxConnectionsTotal = 100
#idp.httpclient.maxConnectionsPerRoute = 100
# These are deprecated properties that configure the old caching HttpClient
# beans that are no longer supported. If you want to manually configure
# the caching clients, you should define the beans yourself and if desired
# rely on properties of your own devising.
#idp.httpclient.memorycaching.maxCacheEntries = 50
#idp.httpclient.memorycaching.maxCacheEntrySize = 1048576
#idp.httpclient.filecaching.maxCacheEntries = 100
#idp.httpclient.filecaching.maxCacheEntrySize = 10485760
idp.httpclient.filecaching.cacheDirectory = %{idp.home}/tmp/httpClientCache

58
conf/services.xml Normal file
View File

@@ -0,0 +1,58 @@
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- By default we look at resources whose names are derived from %{idp.home}. -->
<util:list id="shibboleth.RelyingPartyResolverResources">
<value>%{idp.home}/conf/relying-party.xml</value>
<value>%{idp.home}/conf/credentials.xml</value>
</util:list>
<util:list id="shibboleth.MetadataResolverResources">
<value>%{idp.home}/conf/metadata-providers.xml</value>
</util:list>
<util:list id ="shibboleth.AttributeResolverResources">
<value>%{idp.home}/conf/attribute-resolver.xml</value>
</util:list>
<!--
This is suitable for new installs but will usually produce duplicate Attribute
output if a legacy resolver file is used that contains AttributeEncoders.
-->
<util:list id ="shibboleth.AttributeRegistryResources">
<value>%{idp.home}/conf/attribute-registry.xml</value>
<value>%{idp.home}/conf/attributes/default-rules.xml</value>
<value>%{idp.home}/conf/attribute-resolver.xml</value>
</util:list>
<util:list id ="shibboleth.AttributeFilterResources">
<value>%{idp.home}/conf/attribute-filter.xml</value>
</util:list>
<util:list id ="shibboleth.NameIdentifierGenerationResources">
<value>%{idp.home}/conf/saml-nameid.xml</value>
</util:list>
<util:list id="shibboleth.AccessControlResources">
<value>%{idp.home}/conf/access-control.xml</value>
</util:list>
<!--
This collection of resources differs slightly in that it should not include the file extension.
Message sources are internationalized, and Spring will search for a compatible language extension
and fall back to one with only a .properties extension.
-->
<util:list id="shibboleth.MessageSourceResources">
<value>%{idp.home}/messages/messages</value>
</util:list>
</beans>

6
messages/messages.properties Normal file
View File

@@ -0,0 +1,6 @@
# You can define message properties here to override messages defined in
# the system-supplied message file or to add your own messages.
# You should alter these to point to different files of your own choosing.
#idp.css = /css/placeholder.css
#idp.logo = /images/placeholder-logo.png

251
metadata/idp-metadata.xml Normal file
View File

@@ -0,0 +1,251 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This is example metadata only. Do *NOT* supply it as is without review,
and do *NOT* provide it in real time to your partners.
This metadata is not dynamic - it will not change as your configuration changes. On Demand Metadata Generation available from the metadatagen plugin.
-->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr" validUntil="2022-08-05T13:32:20.637Z" entityID="https://idp-cluster.mafoo.org.uk/idp/storedid">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions>
<shibmd:Scope regexp="false">dev.mafoo.org.uk</shibmd:Scope>
<!--
Fill in the details for your IdP here
<mdui:UIInfo>
<mdui:DisplayName xml:lang="en">A Name for the IdP at idp-cluster.mafoo.org.uk</mdui:DisplayName>
<mdui:Description xml:lang="en">Enter a description of your IdP at idp-cluster.mafoo.org.uk</mdui:Description>
<mdui:Logo height="80" width="80">https://idp-cluster.mafoo.org.uk/Path/To/Logo.png</mdui:Logo>
</mdui:UIInfo>
-->
</Extensions>
<!-- First signing certificate is BackChannel, the Second is FrontChannel-->
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIETDCCArSgAwIBAgIVAKG5mmaoA2ZYQJULhNoiNa1ovyl+MA0GCSqGSIb3DQEB
CwUAMCMxITAfBgNVBAMMGGlkcC1jbHVzdGVyLm1hZm9vLm9yZy51azAeFw0yMjA4
MDUxMzMyMDJaFw00MjA4MDUxMzMyMDJaMCMxITAfBgNVBAMMGGlkcC1jbHVzdGVy
Lm1hZm9vLm9yZy51azCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALkS
pIebis25mpjh2bBDBLhTMdYEDl9qX2zEAeZ2XM9Pb7xMbeuLR6N9vtsjyMiWK+yb
cZdpXGG628uxCk3pviIpVD5k4qfBndOS1PgtH4qyOgcmHoZ7rc4QZY1vmBoj21Yn
CdSB4f69QnOuc+CZ5h54p8UZlmyPfuLG3Y2tHQZc7jePJLE6NtHfYcp6XQGDGeGx
ZUHt8F2R6wVwHSXNve3qjDzAG+Ny8tsYLuM2bHLq00Htpo+c4XHmZ8gMu+oayivc
SUCBgxnl0szdKYE5MrzfcEJVIP2SS3Zkgh5L4xcO4e5dlkyGnnhaRzv56cX2ZGSh
8TcnJT8aCh9ip1v/66btHHuRCPXr4dPWTKkXPbrVhbYTPt6xWi/BWPBodpjMygAr
Dyr4nAZU3X9DkDYUKBSUXbSXyMjC42KfwViBLlnXSBmmDQ64+zwusvs8TwKq8mbR
oinXr/37PHvBgCTT+nLV9YTJ8aG/pKVMOrTCYcb/d/hUbOsaxXjScDJrshK6fQID
AQABo3cwdTAdBgNVHQ4EFgQUNOw37BGQLIEy4V0I6OP10clXxCMwVAYDVR0RBE0w
S4IYaWRwLWNsdXN0ZXIubWFmb28ub3JnLnVrhi9odHRwczovL2lkcC1jbHVzdGVy
Lm1hZm9vLm9yZy51ay9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAYEA
EGvcsVd3TXDAb+ii80UNldCMM3VBU/erXXHYqASeEbhQK9/BeDpv0qIjHIcPdBjL
NR4KtSuCpNbZyKepu4VGtHozzWhY/FiL2SzOePNeTRqN2dKZOzafmQbIvkIzdtYW
gp7eJxUeNL5CaizNF0r4Ojj1KThccV8bwch2gahF9hvUox1jin4nHeHC6Avnn6MW
prW9SsPdOSFyx3xJ26AiicfNvMjfPwM1dakq+rJ/y1n+m/ec4D8DDNWy7420uF+e
cr43WQqC4B0NjxI/gSxq6VJexI30MSqWfOSumeLqFNaFvqh0E+xXbo4hsw6Zsd9x
Lpom30BOqVG5FE74FcmnJybsI7zvhDq1trU2lVYs0d+ypCyDpKBmbhNX/INWmiIX
MlUIyDVCYR3CsILS6HHU+qfVERz6Km1lA6HD+qo7irY1GFo8m19JpdtB/K7WdXnC
XSySYJU0ZDCIIaNjhtmh1oQeCmy+L9ATtW0r3Y6N0ZEm/wls5piTGYVKougweN95
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIESzCCArOgAwIBAgIUOSgsBql9Vez9kTLTLJy4S1e2dyYwDQYJKoZIhvcNAQEL
BQAwIzEhMB8GA1UEAwwYaWRwLWNsdXN0ZXIubWFmb28ub3JnLnVrMB4XDTIyMDgw
NTEzMzE1OFoXDTQyMDgwNTEzMzE1OFowIzEhMB8GA1UEAwwYaWRwLWNsdXN0ZXIu
bWFmb28ub3JnLnVrMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAhPzC
VZ8lRPrHxfhz1XmGbzgQngV/Ua+6QL6zqC7fFO0bMCFz79c/xgS3YSqEAQa9971u
rI+T7YXJ5D5wFtTHMEbtB7B9ZR/pkAvj/FIiaWsVfVjv/c0cWTKKKdLKqQ2sFWzx
hnhoaaoXJWguQdm1UQ7rd0JrRllmlKhlUeCB6ecSblAOxsvNeA5+yDXAfj+8j/wp
+VMCyA80QUo5HyyBfQXOrAQVWTWWFw2x5+sfDVvfxfOD88dvhQM5cN3+XxBsSysE
m3q4PmpbfZdXlXgGdIwyYk3EiB/Qen+iat4i3QwVAHRV1TY8FVehHLTVkN9v/PoB
5637rFEhSKcswpN1b6nuvUHNfJunu7KghVl6xRQsBg6z1/K6GBl5r7vzSvwzalTG
DqW/x9pkCfPhD7ZtvdNvplaAF1aG3CU8zsYA5w1uLvWuqGlsWFfm2aLSOIsNotW/
uvB1AO1Chc8vm5N+QKgoC2SQiqttgF04a1h5KGF7b/8rPX8RUkE0YJxeaD8NAgMB
AAGjdzB1MB0GA1UdDgQWBBTXom6CZDuB3vgQYqplZphLaD4OfjBUBgNVHREETTBL
ghhpZHAtY2x1c3Rlci5tYWZvby5vcmcudWuGL2h0dHBzOi8vaWRwLWNsdXN0ZXIu
bWFmb28ub3JnLnVrL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBgQAs
aJGGpMRYfTtCCsEvmAXhrSrrXZq2dHeETX6TgQh21cd810lEwewXtSIWbSqbzB5Y
RaQo9mV8TzVk0sa5yYXNz5cIAOxSfDZuN3zYL1T+Db5GIqrUtNbmU/TOabwS0YsW
LCxhblJV2XVeqqlMjMdq413EEyKeAvofnWCnROGimrR7DLdd4iI3EXC2N8zOfNj0
kA4hNKktsm/T7nBJMfrqlfLKxrgt+SqhYkJyzSTu5j8lb9tt1dvBvXKfuls9uoa/
nYBGSlPBEi8uyleSQcw/mR6lbvvW1AL6sAy7cDhTZh1jJFgHn39kZ9IIFOC1kbHt
rStp19ng60OL8xSS6Mnhzkf09zQdnzkI9ngLcYXqwwyMQCXRANJZ6twGbfwCzfgq
UqxR4Lg7sd4JXA8YAeNOgu3HwFw+RsBgEDoI16+1NrnliYQYD6Bvqx71z+CianNq
yAPojc2UQSeT7H9GFWbgNnQF6XsRW7xtNPnZmbZ9Og3Wok1nT38hEr+4UqtC8n8=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIESzCCArOgAwIBAgIUC9wy4S7aa3PVBUkskC6TbAMIE1IwDQYJKoZIhvcNAQEL
BQAwIzEhMB8GA1UEAwwYaWRwLWNsdXN0ZXIubWFmb28ub3JnLnVrMB4XDTIyMDgw
NTEzMzE1OVoXDTQyMDgwNTEzMzE1OVowIzEhMB8GA1UEAwwYaWRwLWNsdXN0ZXIu
bWFmb28ub3JnLnVrMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtiS6
AFIP3HB2orq7ywGx5flACG1SSLD5FmYtUXJRhSOexFYIqiPBUW9ZTRqWiKyHdHbP
AQwQHAczU8NAmA9c4tgoQfhmmpSHRl66U4pAq7c8cwr82ZIkAJUBUtwUfLW1l1rl
sNuGojwpE+d0R4kNnYfkSpt+QX+Sh5peGVuT3F267W1wE8eGTELvwemeHbpdtMDp
ExyrLjBfbndsk4GHlrnHs9yx912yte/dAHPnFOvz1JOXhA7CIfzak+Tbf3/3tAX+
gDZ7DY+r3VTYTVL32JDvAliYLVKt5CweP46Ad8HassrUhv3gTkIf72uoZt7F8XuI
H8YoQheYOG9vFZ89P1SVEwsGvCRJExaYOjv1FbAsWMG6xCSdoAfcrhvrLxtu4tkb
uPum8bmMked1actC7wo8R4o2CGmDJ2n5lUZNUgMRix4Tn92l5MYWyFbo4zPW8sfF
e3gSFzsLt1OhuJV1Hd6vl35izACaU0pr0GWSyVJpaebkPTWw19Hwpz9FYArBAgMB
AAGjdzB1MB0GA1UdDgQWBBR0GeOz/XAhDhLcYJyFEAWes+P6vDBUBgNVHREETTBL
ghhpZHAtY2x1c3Rlci5tYWZvby5vcmcudWuGL2h0dHBzOi8vaWRwLWNsdXN0ZXIu
bWFmb28ub3JnLnVrL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBgQAj
YoK2BNmXK3KOQwQPY6/3DqoFzEU9F4S8cdDjrbpjHA+UmsmA7PHQC+mE3PJoNY6A
LnRJ2RDpnAZLSK1K/enRJdGSyWaD+gshhAUBie6xrFamXe5IG9QiF6O7VKsu+kpM
Qtp6iLK/B+Jos8zq0NJrKpCtixepMG1IbAcMcVnqkteiT+a9fmyIMaHcTLY+aEvW
2bfgvszgJ4rcdY5xSDiVcPtcTGuoDsyQW686tImn0sqmOJLB8q+Fo2ULFxPVc8UE
HXngmqrZ5c9I5pa8TmL1VybSxSuQ2CUiTsgbpatiL6S8dK8ex3mUCpdMW5vKO0uQ
+8JiI8ur72059JpJzbTuKezT+8A124QiUOkfsJdwqHD3+APDVXiFGUGRPFHe4a/g
YQnrYa1KOgO83dl6K0GT1pA3+RnZZEBgq7lTYHpxcavTYRy6Dvj8Of8gu7EZo7fJ
+Ety/QGKzDDc+h5bLNo2PuDx2wXdbpPQxpYgWdVNgVOdW9vumrWhcxLtNfe9vyQ=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<!--<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp-cluster.mafoo.org.uk:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
--> <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp-cluster.mafoo.org.uk:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
<!--
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp-cluster.mafoo.org.uk:8443/idp/profile/SAML2/SOAP/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp-cluster.mafoo.org.uk/idp/profile/SAML2/POST-SimpleSign/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp-cluster.mafoo.org.uk/idp/profile/SAML2/Redirect/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp-cluster.mafoo.org.uk/idp/profile/SAML2/POST/SLO"/>
-->
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" req-attr:supportsRequestedAttributes="true" Location="https://idp-cluster.mafoo.org.uk/idp/profile/SAML2/POST-SimpleSign/SSO"/>
<!--<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp-cluster.mafoo.org.uk/idp/profile/Shibboleth/SSO"/>
--> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" req-attr:supportsRequestedAttributes="true" Location="https://idp-cluster.mafoo.org.uk/idp/profile/SAML2/Redirect/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" req-attr:supportsRequestedAttributes="true" Location="https://idp-cluster.mafoo.org.uk/idp/profile/SAML2/POST/SSO"/>
</IDPSSODescriptor>
<!-- <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
<Extensions>
<shibmd:Scope regexp="false">dev.mafoo.org.uk</shibmd:Scope>
</Extensions>
--> <!-- First signing certificate is BackChannel, the Second is FrontChannel--> <!--
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIETDCCArSgAwIBAgIVAKG5mmaoA2ZYQJULhNoiNa1ovyl+MA0GCSqGSIb3DQEB
CwUAMCMxITAfBgNVBAMMGGlkcC1jbHVzdGVyLm1hZm9vLm9yZy51azAeFw0yMjA4
MDUxMzMyMDJaFw00MjA4MDUxMzMyMDJaMCMxITAfBgNVBAMMGGlkcC1jbHVzdGVy
Lm1hZm9vLm9yZy51azCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALkS
pIebis25mpjh2bBDBLhTMdYEDl9qX2zEAeZ2XM9Pb7xMbeuLR6N9vtsjyMiWK+yb
cZdpXGG628uxCk3pviIpVD5k4qfBndOS1PgtH4qyOgcmHoZ7rc4QZY1vmBoj21Yn
CdSB4f69QnOuc+CZ5h54p8UZlmyPfuLG3Y2tHQZc7jePJLE6NtHfYcp6XQGDGeGx
ZUHt8F2R6wVwHSXNve3qjDzAG+Ny8tsYLuM2bHLq00Htpo+c4XHmZ8gMu+oayivc
SUCBgxnl0szdKYE5MrzfcEJVIP2SS3Zkgh5L4xcO4e5dlkyGnnhaRzv56cX2ZGSh
8TcnJT8aCh9ip1v/66btHHuRCPXr4dPWTKkXPbrVhbYTPt6xWi/BWPBodpjMygAr
Dyr4nAZU3X9DkDYUKBSUXbSXyMjC42KfwViBLlnXSBmmDQ64+zwusvs8TwKq8mbR
oinXr/37PHvBgCTT+nLV9YTJ8aG/pKVMOrTCYcb/d/hUbOsaxXjScDJrshK6fQID
AQABo3cwdTAdBgNVHQ4EFgQUNOw37BGQLIEy4V0I6OP10clXxCMwVAYDVR0RBE0w
S4IYaWRwLWNsdXN0ZXIubWFmb28ub3JnLnVrhi9odHRwczovL2lkcC1jbHVzdGVy
Lm1hZm9vLm9yZy51ay9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAYEA
EGvcsVd3TXDAb+ii80UNldCMM3VBU/erXXHYqASeEbhQK9/BeDpv0qIjHIcPdBjL
NR4KtSuCpNbZyKepu4VGtHozzWhY/FiL2SzOePNeTRqN2dKZOzafmQbIvkIzdtYW
gp7eJxUeNL5CaizNF0r4Ojj1KThccV8bwch2gahF9hvUox1jin4nHeHC6Avnn6MW
prW9SsPdOSFyx3xJ26AiicfNvMjfPwM1dakq+rJ/y1n+m/ec4D8DDNWy7420uF+e
cr43WQqC4B0NjxI/gSxq6VJexI30MSqWfOSumeLqFNaFvqh0E+xXbo4hsw6Zsd9x
Lpom30BOqVG5FE74FcmnJybsI7zvhDq1trU2lVYs0d+ypCyDpKBmbhNX/INWmiIX
MlUIyDVCYR3CsILS6HHU+qfVERz6Km1lA6HD+qo7irY1GFo8m19JpdtB/K7WdXnC
XSySYJU0ZDCIIaNjhtmh1oQeCmy+L9ATtW0r3Y6N0ZEm/wls5piTGYVKougweN95
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIESzCCArOgAwIBAgIUOSgsBql9Vez9kTLTLJy4S1e2dyYwDQYJKoZIhvcNAQEL
BQAwIzEhMB8GA1UEAwwYaWRwLWNsdXN0ZXIubWFmb28ub3JnLnVrMB4XDTIyMDgw
NTEzMzE1OFoXDTQyMDgwNTEzMzE1OFowIzEhMB8GA1UEAwwYaWRwLWNsdXN0ZXIu
bWFmb28ub3JnLnVrMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAhPzC
VZ8lRPrHxfhz1XmGbzgQngV/Ua+6QL6zqC7fFO0bMCFz79c/xgS3YSqEAQa9971u
rI+T7YXJ5D5wFtTHMEbtB7B9ZR/pkAvj/FIiaWsVfVjv/c0cWTKKKdLKqQ2sFWzx
hnhoaaoXJWguQdm1UQ7rd0JrRllmlKhlUeCB6ecSblAOxsvNeA5+yDXAfj+8j/wp
+VMCyA80QUo5HyyBfQXOrAQVWTWWFw2x5+sfDVvfxfOD88dvhQM5cN3+XxBsSysE
m3q4PmpbfZdXlXgGdIwyYk3EiB/Qen+iat4i3QwVAHRV1TY8FVehHLTVkN9v/PoB
5637rFEhSKcswpN1b6nuvUHNfJunu7KghVl6xRQsBg6z1/K6GBl5r7vzSvwzalTG
DqW/x9pkCfPhD7ZtvdNvplaAF1aG3CU8zsYA5w1uLvWuqGlsWFfm2aLSOIsNotW/
uvB1AO1Chc8vm5N+QKgoC2SQiqttgF04a1h5KGF7b/8rPX8RUkE0YJxeaD8NAgMB
AAGjdzB1MB0GA1UdDgQWBBTXom6CZDuB3vgQYqplZphLaD4OfjBUBgNVHREETTBL
ghhpZHAtY2x1c3Rlci5tYWZvby5vcmcudWuGL2h0dHBzOi8vaWRwLWNsdXN0ZXIu
bWFmb28ub3JnLnVrL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBgQAs
aJGGpMRYfTtCCsEvmAXhrSrrXZq2dHeETX6TgQh21cd810lEwewXtSIWbSqbzB5Y
RaQo9mV8TzVk0sa5yYXNz5cIAOxSfDZuN3zYL1T+Db5GIqrUtNbmU/TOabwS0YsW
LCxhblJV2XVeqqlMjMdq413EEyKeAvofnWCnROGimrR7DLdd4iI3EXC2N8zOfNj0
kA4hNKktsm/T7nBJMfrqlfLKxrgt+SqhYkJyzSTu5j8lb9tt1dvBvXKfuls9uoa/
nYBGSlPBEi8uyleSQcw/mR6lbvvW1AL6sAy7cDhTZh1jJFgHn39kZ9IIFOC1kbHt
rStp19ng60OL8xSS6Mnhzkf09zQdnzkI9ngLcYXqwwyMQCXRANJZ6twGbfwCzfgq
UqxR4Lg7sd4JXA8YAeNOgu3HwFw+RsBgEDoI16+1NrnliYQYD6Bvqx71z+CianNq
yAPojc2UQSeT7H9GFWbgNnQF6XsRW7xtNPnZmbZ9Og3Wok1nT38hEr+4UqtC8n8=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIESzCCArOgAwIBAgIUC9wy4S7aa3PVBUkskC6TbAMIE1IwDQYJKoZIhvcNAQEL
BQAwIzEhMB8GA1UEAwwYaWRwLWNsdXN0ZXIubWFmb28ub3JnLnVrMB4XDTIyMDgw
NTEzMzE1OVoXDTQyMDgwNTEzMzE1OVowIzEhMB8GA1UEAwwYaWRwLWNsdXN0ZXIu
bWFmb28ub3JnLnVrMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtiS6
AFIP3HB2orq7ywGx5flACG1SSLD5FmYtUXJRhSOexFYIqiPBUW9ZTRqWiKyHdHbP
AQwQHAczU8NAmA9c4tgoQfhmmpSHRl66U4pAq7c8cwr82ZIkAJUBUtwUfLW1l1rl
sNuGojwpE+d0R4kNnYfkSpt+QX+Sh5peGVuT3F267W1wE8eGTELvwemeHbpdtMDp
ExyrLjBfbndsk4GHlrnHs9yx912yte/dAHPnFOvz1JOXhA7CIfzak+Tbf3/3tAX+
gDZ7DY+r3VTYTVL32JDvAliYLVKt5CweP46Ad8HassrUhv3gTkIf72uoZt7F8XuI
H8YoQheYOG9vFZ89P1SVEwsGvCRJExaYOjv1FbAsWMG6xCSdoAfcrhvrLxtu4tkb
uPum8bmMked1actC7wo8R4o2CGmDJ2n5lUZNUgMRix4Tn92l5MYWyFbo4zPW8sfF
e3gSFzsLt1OhuJV1Hd6vl35izACaU0pr0GWSyVJpaebkPTWw19Hwpz9FYArBAgMB
AAGjdzB1MB0GA1UdDgQWBBR0GeOz/XAhDhLcYJyFEAWes+P6vDBUBgNVHREETTBL
ghhpZHAtY2x1c3Rlci5tYWZvby5vcmcudWuGL2h0dHBzOi8vaWRwLWNsdXN0ZXIu
bWFmb28ub3JnLnVrL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBgQAj
YoK2BNmXK3KOQwQPY6/3DqoFzEU9F4S8cdDjrbpjHA+UmsmA7PHQC+mE3PJoNY6A
LnRJ2RDpnAZLSK1K/enRJdGSyWaD+gshhAUBie6xrFamXe5IG9QiF6O7VKsu+kpM
Qtp6iLK/B+Jos8zq0NJrKpCtixepMG1IbAcMcVnqkteiT+a9fmyIMaHcTLY+aEvW
2bfgvszgJ4rcdY5xSDiVcPtcTGuoDsyQW686tImn0sqmOJLB8q+Fo2ULFxPVc8UE
HXngmqrZ5c9I5pa8TmL1VybSxSuQ2CUiTsgbpatiL6S8dK8ex3mUCpdMW5vKO0uQ
+8JiI8ur72059JpJzbTuKezT+8A124QiUOkfsJdwqHD3+APDVXiFGUGRPFHe4a/g
YQnrYa1KOgO83dl6K0GT1pA3+RnZZEBgq7lTYHpxcavTYRy6Dvj8Of8gu7EZo7fJ
+Ety/QGKzDDc+h5bLNo2PuDx2wXdbpPQxpYgWdVNgVOdW9vumrWhcxLtNfe9vyQ=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
--> <!--<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp-cluster.mafoo.org.uk:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>--> <!--
--> <!-- If you uncomment the above you should add urn:oasis:names:tc:SAML:2.0:protocol to the protocolSupportEnumeration above--> <!--
--> <!--<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp-cluster.mafoo.org.uk:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>--> <!--
</AttributeAuthorityDescriptor>-->
</EntityDescriptor>