

No commits in common. "1c67d893ea6f1f09ed38b0da0474760137d6bbc5" and "7ac8850d2fa39dc75cb55926cd2d27ce29941262" have entirely different histories.

6 changed files with 140 additions and 67 deletions


@ -20,8 +20,85 @@
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
<AttributeRule attributeID="eduPersonTargetedID" permitAny="true" />
</AttributeFilterPolicy>
<!--
Example rule relying on a locally applied tag in metadata to trigger attribute
release of some specific attributes. Add additional attributes as desired.
-->
<AttributeFilterPolicy id="Per-Attribute-singleValued">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="eduPersonPrincipalName" />
</AttributeRule>
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="mail" />
</AttributeRule>
</AttributeFilterPolicy>
<!--
Same as above but more efficient form for an attribute with multiple values.
-->
<AttributeFilterPolicy id="Per-Attribute-Affiliation">
<PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="eduPersonScopedAffiliation" />
<AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
</AttributeFilterPolicy>
<!--
Example rule for honoring Subject ID requirement tag in metadata.
The example supplies pairwise-id if subject-id isn't explicitly required.
-->
<AttributeFilterPolicy id="subject-identifiers">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="samlPairwiseID">
<PermitValueRule xsi:type="OR">
<Rule xsi:type="EntityAttributeExactMatch"
attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="pairwise-id" />
<Rule xsi:type="EntityAttributeExactMatch"
attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="any" />
</PermitValueRule>
</AttributeRule>
<AttributeRule attributeID="samlSubjectID">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="subject-id" />
</AttributeRule>
</AttributeFilterPolicy>
<!-- Release an additional attribute to an SP. -->
<AttributeFilterPolicy id="example1">
<PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
<AttributeRule attributeID="uid" permitAny="true" />
</AttributeFilterPolicy>
<!-- Release eduPersonScopedAffiliation to two specific SPs. -->
<AttributeFilterPolicy id="example2">
<PolicyRequirementRule xsi:type="OR">
<Rule xsi:type="Requester" value="https://sp.example.org" />
<Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
</PolicyRequirementRule>
<AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
</AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
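Review bot: The example1 and example2 policies at L71–L82 are live, uncommented rules keyed to the placeholder requester IDs `https://sp.example.org` and `https://another.example.org/shibboleth`; they release nothing until an SP with exactly that entityID is loaded, but in a deployed configuration they should either be commented out like the stock examples or carry the real entityIDs of the SPs whose metadata this change loads (shib-sp-test, shib-sp.mafoo.org.uk, upstream-idp-metadata). Separately, the rule at L14 releases eduPersonTargetedID with `permitAny="true"` under a policy whose `PolicyRequirementRule xsi:type="ANY"` (L12) opens before this hunk, i.e. to every requester with loaded metadata; the attribute-resolver hunks in this same change appear to drop the eduPersonTargetedID definition and its persistentId connectors (inferred from their 14→6 and 21→4 line counts), in which case this rule is dead and should be removed, or the definition restored, rather than left as a silent no-op.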


@ -61,14 +61,6 @@ list of possible components and their options.
<InputDataConnector ref="staticAttributes" attributeNames="affiliation" />
</AttributeDefinition>
<AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID"
nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
<InputDataConnector ref="sqlite-db" attributeNames="persistentId"/>
<AttributeEncoder xsi:type="SAML2XMLObject"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
</AttributeDefinition>
<!-- ========================================== -->
<!-- Data Connectors -->
@ -83,21 +75,4 @@ list of possible components and their options.
</Attribute>
</DataConnector>
<DataConnector xsi:type="ComputedId" id="computedID"
generatedAttributeID="persistentId"
salt='04D00D29-5FFF-4732-8645-ED8B7678BE4E'>
<InputAttributeDefinition ref="uid" />
</DataConnector>
<DataConnector id="sqlite-db" xsi:type="RelationalDatabase" noResultIsError="true">
<FailoverDataConnector ref="computedID"/>
<SimpleManagedConnection jdbcDriver="%{datasource.driverClass}" jdbcURL="%{datasource.jdbcUrl}" />
<QueryTemplate>
<![CDATA[
SELECT persistentId FROM shibpid WHERE peerEntity='$resolutionContext.attributeRecipientID' AND principalName='$resolutionContext.principal';
]]>
</QueryTemplate>
<Column columnName="persistentId" attributeID="persistentId" />
</DataConnector>
</AttributeResolver>
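Review bot: If, as the hunk counts (14→6 and 21→4) suggest, the eduPersonTargetedID definition at L90–L95 and the computedID / sqlite-db connectors at L101–L115 are the removed side, the IdP loses its only visible source of `persistentId`, so any SP that previously received eduPersonTargetedID will see the identifier disappear or change for every user; that is a user-visible break, not a cleanup, and should be called out in the change description together with what replaces it. The `salt` value in the ComputedId connector at L103 was committed to the repository, so it has to be treated as exposed either way; if stable computed IDs are ever needed again they can only be regenerated with that exact salt, which then needs to live outside the repo (e.g. a `%{...}` property reference as already used for `datasource.driverClass`). Both hunks cut through the enclosing `<AttributeResolver>`, whose opening element is outside this view.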


@ -2,7 +2,7 @@
# specific methods.
# Regular expression matching login flows to enable, e.g. IPAddress|Password
idp.authn.flows = RemoteUser
#idp.authn.flows = Password
# Default settings for most authentication methods.
#idp.authn.defaultLifetime = PT1H
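Review bot: L123 and L124 are the same property, `idp.authn.flows`, printed once active with `RemoteUser` and once commented with `Password`, and the rendering does not show which side is new. If the new side activates `RemoteUser`, the IdP stops verifying credentials itself and trusts the principal name handed to it by the servlet container or front-end web server, so the protected path that sets REMOTE_USER must itself be locked down and this should be stated in the change description; if instead the active line is the one being commented out, the stock default flow set applies and the commented `Password` line becomes misleading and should go. Either way only one line for this property should remain, e.g. `idp.authn.flows = RemoteUser` with a one-line comment naming the front-end component that performs authentication.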


@ -48,14 +48,5 @@
<entry key="foo" value="bar"/>
</util:map>
-->
<bean id="sqlite-dataconnector" class="org.apache.commons.dbcp2.BasicDataSource" destroy-method="close"
p:driverClassName="%{datasource.driverClass}"
p:url="%{datasource.jdbcUrl}"
p:initialSize="5"
p:maxTotal="50"
p:maxIdle="5"
p:maxWaitMillis="2000"
/>
</beans>


@ -242,14 +242,3 @@ idp.ui.fallbackLanguages=en,fr,de
# Set false if you want SAML bindings "spelled out" in audit log
idp.audit.shortenBindings=true
idp.loglevel.idp=DEBUG
idp.loglevel.messages=DEBUG
idp.loglevel.encryption=DEBUG
# database details
datasource.driverClass = org.sqlite.JDBC
datasource.jdbcUrl = jdbc:sqlite:/opt/idp-storedid/db/stored-id.db
# datasource.user = <USER>
# datasource.password = <PASS>


@ -21,28 +21,69 @@
http://www.w3.org/2009/xmlenc11# http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/xenc-schema-11.xsd"
sortKey="1">
<MetadataProvider id="shib-sp-test"
xsi:type="FilesystemMetadataProvider"
metadataFile="/opt/idp4/metadata/shib-sp-test.xml"
/>
<!--
Below you place the mechanisms which define how to load the metadata for SP(s) you will
provide service to.
Some simple examples are provided. The documentation provides more details; in most cases,
the modern replacement for these older plugins are the "DynamicHTTPMetadataProvider" and
"LocalDynamic" variants, which provide dramatic memory savings and more reliable operation.
NOTE: You do NOT need to load metadata for this IdP itself within this configuration.
-->
<!--
Example HTTP metadata provider. Use this if you want to download the metadata
from a remote source.
<MetadataProvider id="app1"
xsi:type="FilesystemMetadataProvider"
metadataFile="/opt/idp4/metadata/app1.xml"
/>
You *MUST* provide the SignatureValidationFilter in order to function securely.
Get the public key certificate from the party publishing the metadata, and validate
it with them via some out of band mechanism (e.g., a fingerprint on a secure page).
<MetadataProvider id="spmetadata"
xsi:type="FilesystemMetadataProvider"
metadataFile="/opt/idp4/metadata/idp-cluster-sp.xml"
/>
The EntityRole filter saves memory by only loading metadata from SAML roles
that the IdP needs to interoperate with.
-->
<!--
<MetadataProvider id="HTTPMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
metadataURL="http://WHATEVER"
failFastInitialization="false">
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
<MetadataFilter xsi:type="EntityRole">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>
-->
<MetadataProvider id="shib-sp.mafoo.org.uik"
xsi:type="FilesystemMetadataProvider"
metadataFile="/opt/idp4/metadata/shib-sp.mafoo.org.uk.xml"
/>
<!--
Example file metadata provider. Use this if you want to load metadata
from a local file. You use this if you have some local SPs which are not
"federated" but you wish to offer a service to.
If you do not provide a SignatureValidation filter, then you have the
responsibility to ensure that the contents on disk are trustworthy.
-->
<!--
<MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
-->
<MetadataProvider id="upstream-idp-metadata"
xsi:type="FilesystemMetadataProvider"
metadataFile="/opt/idp4/metadata/idp-cluster-sp-idp.xml"/>
<!--
Example CAS metadata source for managing CAS services using SAML metadata.
-->
<!--
<MetadataProvider id="CASMetadata"
xsi:type="FilesystemMetadataProvider"
metadataFile="PATH_TO_YOUR_METADATA"
indexesRef="shibboleth.CASMetadataIndices" />
-->
</MetadataProvider>
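Review bot: The providers app1 (L178–L181) and spmetadata (L185–L188) sit inside the comment that opens at L175 and closes at L191, interleaved with the stock explanatory prose about HTTP providers and signature validation, so neither is loaded; if they are meant to be disabled, give each its own comment block so the intent is visible, and if not, the comment must be closed before L178. The id at L205, `shib-sp.mafoo.org.uik`, does not match the file name `shib-sp.mafoo.org.uk.xml` at L207 and looks like a typo; `<MetadataProvider id="shib-sp.mafoo.org.uk"` keeps the two aligned and avoids a confusing name in logs and any later reference. None of the three active FilesystemMetadataProvider entries (shib-sp-test, shib-sp.mafoo.org.uik, upstream-idp-metadata) carries a `MetadataFilter`, so, exactly as the retained comment at L213–L214 says, the trustworthiness of the files under /opt/idp4/metadata/ rests entirely on who can write to that directory; a short comment on each provider naming where the file comes from and how it is refreshed would document that decision. The enclosing chaining `<MetadataProvider sortKey="1">` opens before this hunk.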