remove stale shibboleth.JDBCStorageService so db can be read only

working static stored id and failover to computed
indentation
2022-08-05 15:06:37 +00:00 · 2022-08-05 14:52:07 +00:00 · 2022-08-05 14:32:50 +00:00 · 2022-08-05 14:32:19 +00:00 · 2022-08-05 14:00:14 +00:00
6 changed files with 67 additions and 140 deletions
--- a/conf/attribute-filter.xml
+++ b/conf/attribute-filter.xml
@ -20,85 +20,8 @@
        <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
        <AttributeRule attributeID="eduPersonTargetedID" permitAny="true" />
    </AttributeFilterPolicy>
    <!--
    Example rule relying on a locally applied tag in metadata to trigger attribute
    release of some specific attributes. Add additional attributes as desired.
    -->
 	<AttributeFilterPolicy id="Per-Attribute-singleValued">
 	    <PolicyRequirementRule xsi:type="ANY" />
 	    <AttributeRule attributeID="eduPersonPrincipalName">
 	        <PermitValueRule xsi:type="EntityAttributeExactMatch"
 	            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
 	            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
 	            attributeValue="eduPersonPrincipalName" />
 	    </AttributeRule>
 	    <AttributeRule attributeID="mail">
 	        <PermitValueRule xsi:type="EntityAttributeExactMatch"
 	            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
 	            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
 	            attributeValue="mail" />
 	    </AttributeRule>
 	</AttributeFilterPolicy>
    <!--
    Same as above but more efficient form for an attribute with multiple values.
    -->
    <AttributeFilterPolicy id="Per-Attribute-Affiliation">
        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            attributeValue="eduPersonScopedAffiliation" />
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
    </AttributeFilterPolicy>
    <!--
    Example rule for honoring Subject ID requirement tag in metadata.
    The example supplies pairwise-id if subject-id isn't explicitly required.
    -->
    <AttributeFilterPolicy id="subject-identifiers">
        <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="samlPairwiseID">
            <PermitValueRule xsi:type="OR">
                <Rule xsi:type="EntityAttributeExactMatch"
                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                    attributeValue="pairwise-id" />
                <Rule xsi:type="EntityAttributeExactMatch"
                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                    attributeValue="any" />
            </PermitValueRule>
        </AttributeRule>
        <AttributeRule attributeID="samlSubjectID">
            <PermitValueRule xsi:type="EntityAttributeExactMatch"
                attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
                attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                attributeValue="subject-id" />
        </AttributeRule>
    </AttributeFilterPolicy>
    <!-- Release an additional attribute to an SP. -->
    <AttributeFilterPolicy id="example1">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
        <AttributeRule attributeID="uid" permitAny="true" />
    </AttributeFilterPolicy>
    <!-- Release eduPersonScopedAffiliation to two specific SPs. -->
    <AttributeFilterPolicy id="example2">
        <PolicyRequirementRule xsi:type="OR">
            <Rule xsi:type="Requester" value="https://sp.example.org" />
            <Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
    </AttributeFilterPolicy>
 </AttributeFilterPolicyGroup>
--- a/conf/attribute-resolver.xml
+++ b/conf/attribute-resolver.xml
@ -61,6 +61,14 @@ list of possible components and their options.
        <InputDataConnector ref="staticAttributes" attributeNames="affiliation" />
    </AttributeDefinition>
    <AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID"
        nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
        <InputDataConnector ref="sqlite-db" attributeNames="persistentId"/>
        <AttributeEncoder xsi:type="SAML2XMLObject"
                name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
    </AttributeDefinition>
    <!-- ========================================== -->
    <!--      Data Connectors                       -->
@ -75,4 +83,21 @@ list of possible components and their options.
        </Attribute>
    </DataConnector>
    <DataConnector xsi:type="ComputedId" id="computedID"
 	    generatedAttributeID="persistentId"
 	    salt='04D00D29-5FFF-4732-8645-ED8B7678BE4E'>
        <InputAttributeDefinition ref="uid" />
    </DataConnector>
    <DataConnector id="sqlite-db" xsi:type="RelationalDatabase" noResultIsError="true">
 	    <FailoverDataConnector ref="computedID"/>
 	    <SimpleManagedConnection jdbcDriver="%{datasource.driverClass}" jdbcURL="%{datasource.jdbcUrl}" />
 	    <QueryTemplate>
 		    <![CDATA[
 			    SELECT persistentId FROM shibpid WHERE peerEntity='$resolutionContext.attributeRecipientID' AND principalName='$resolutionContext.principal';
 			    ]]>
 	    </QueryTemplate>
 	    <Column columnName="persistentId" attributeID="persistentId" />
    </DataConnector>
 </AttributeResolver>
--- a/conf/authn/authn.properties
+++ b/conf/authn/authn.properties
@ -2,7 +2,7 @@
 # specific methods.
 # Regular expression matching login flows to enable, e.g. IPAddress|Password
-#idp.authn.flows = Password
+idp.authn.flows = RemoteUser
 # Default settings for most authentication methods.
 #idp.authn.defaultLifetime = PT1H
--- a/conf/global.xml
+++ b/conf/global.xml
@ -48,5 +48,14 @@
        <entry key="foo" value="bar"/>
    </util:map>
    -->
-    
+
    <bean id="sqlite-dataconnector" class="org.apache.commons.dbcp2.BasicDataSource" destroy-method="close"
 	    p:driverClassName="%{datasource.driverClass}"
 	    p:url="%{datasource.jdbcUrl}"
 	    p:initialSize="5"
 	    p:maxTotal="50"
 	    p:maxIdle="5"
 	    p:maxWaitMillis="2000"
 	    />
 </beans>
--- a/conf/idp.properties
+++ b/conf/idp.properties
@ -242,3 +242,14 @@ idp.ui.fallbackLanguages=en,fr,de
 # Set false if you want SAML bindings "spelled out" in audit log
 idp.audit.shortenBindings=true
 idp.loglevel.idp=DEBUG
 idp.loglevel.messages=DEBUG
 idp.loglevel.encryption=DEBUG
 # database details
 datasource.driverClass = org.sqlite.JDBC
 datasource.jdbcUrl = jdbc:sqlite:/opt/idp-storedid/db/stored-id.db
 # datasource.user = <USER>
 # datasource.password = <PASS>
--- a/conf/metadata-providers.xml
+++ b/conf/metadata-providers.xml
@ -21,69 +21,28 @@
                        http://www.w3.org/2009/xmlenc11# http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/xenc-schema-11.xsd"
    sortKey="1">
-    <!--
+    <MetadataProvider id="shib-sp-test"
-    Below you place the mechanisms which define how to load the metadata for SP(s) you will
+            xsi:type="FilesystemMetadataProvider"
-    provide service to.
+            metadataFile="/opt/idp4/metadata/shib-sp-test.xml"
-    
+            />
    Some simple examples are provided. The documentation provides more details; in most cases,
    the modern replacement for these older plugins are the "DynamicHTTPMetadataProvider" and
    "LocalDynamic" variants, which provide dramatic memory savings and more reliable operation.
    NOTE: You do NOT need to load metadata for this IdP itself within this configuration.
    -->
    <!--
    Example HTTP metadata provider.  Use this if you want to download the metadata
    from a remote source.
-    You *MUST* provide the SignatureValidationFilter in order to function securely.
+    <MetadataProvider id="app1"
-    Get the public key certificate from the party publishing the metadata, and validate
+            xsi:type="FilesystemMetadataProvider"
-    it with them via some out of band mechanism (e.g., a fingerprint on a secure page).
+            metadataFile="/opt/idp4/metadata/app1.xml"
            />
-    The EntityRole filter saves memory by only loading metadata from SAML roles
+    <MetadataProvider id="spmetadata"
-    that the IdP needs to interoperate with.
+            xsi:type="FilesystemMetadataProvider"
-    -->
+            metadataFile="/opt/idp4/metadata/idp-cluster-sp.xml"
-    
+            />
    <!--
    <MetadataProvider id="HTTPMetadata"
                      xsi:type="FileBackedHTTPMetadataProvider"
                      backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
                      metadataURL="http://WHATEVER"
                      failFastInitialization="false">
        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
        <MetadataFilter xsi:type="EntityRole">
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
    </MetadataProvider>
    -->   
-    <!--
+    <MetadataProvider id="shib-sp.mafoo.org.uik"
-    Example file metadata provider.  Use this if you want to load metadata
+            xsi:type="FilesystemMetadataProvider"
-    from a local file. You use this if you have some local SPs which are not
+            metadataFile="/opt/idp4/metadata/shib-sp.mafoo.org.uk.xml"
-    "federated" but you wish to offer a service to.
+            />
    If you do not provide a SignatureValidation filter, then you have the
    responsibility to ensure that the contents on disk are trustworthy.
    -->
    <!--
    <MetadataProvider id="LocalMetadata"  xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
    -->
-
+    <MetadataProvider id="upstream-idp-metadata"
-    <!--
+            xsi:type="FilesystemMetadataProvider"
-    Example CAS metadata source for managing CAS services using SAML metadata.
+	    metadataFile="/opt/idp4/metadata/idp-cluster-sp-idp.xml"/>
    -->
    <!--
    <MetadataProvider id="CASMetadata"
                      xsi:type="FilesystemMetadataProvider"
                      metadataFile="PATH_TO_YOUR_METADATA"
                      indexesRef="shibboleth.CASMetadataIndices" />
    -->
 </MetadataProvider>
Author	SHA1	Message	Date
root	1c67d893ea	remove stale shibboleth.JDBCStorageService so db can be read only	2022-08-05 15:06:37 +00:00
root	adc02b1925	working static stored id and failover to computed	2022-08-05 14:52:07 +00:00
root	fdc4e0ec2f	indentation	2022-08-05 14:32:50 +00:00
root	16e9ff7096	storedid working	2022-08-05 14:32:19 +00:00
root	d8367d6a72	prepare	2022-08-05 14:00:14 +00:00