authorMarkus Krogh <markus@nordu.net>2017-09-29 17:42:03 +0200
committerMarkus Krogh <markus@nordu.net>2017-09-29 17:42:03 +0200
commit35751e3cf89abf69f11dff7f9a3396d8068becc8 (patch)
tree9f20b007e8e787ea1a5345c2b7200018a2727a59
parentaf0294d5f773bc071128b1ec1712c62f587c7b0a (diff)
Use ENV for persistentiId, logging
-rw-r--r--compose-prod.yml22
-rw-r--r--idp/Dockerfile8
-rwxr-xr-xidp/shib-entrypoint.sh64
-rw-r--r--idp/template-config/attribute-filter.xml384
-rw-r--r--idp/template-config/attribute-resolver.xml225
-rw-r--r--idp/template-config/edupersontargetdid.xml.add16
-rw-r--r--idp/template-config/logback.xml199
7 files changed, 651 insertions, 267 deletions
diff --git a/compose-prod.yml b/compose-prod.yml
new file mode 100644
index 0000000..b3094d2
--- /dev/null
+++ b/compose-prod.yml
@@ -0,0 +1,22 @@
+version: '3'
+services:
+ shibboleth-docker:
+ build: ./idp
+ environment:
+ - JAVA_OPTIONS=-Xmx1G
+ - IDP_HOSTNAME=idp.nordu.net
+ - IDP_SCOPE=nordu.net
+ - IDP_DEBUG=true
+ env_file: ./data/production/env
+ volumes:
+ - ./data/production/idp-data:/opt/data
+ nginx:
+ image: nginx
+ volumes:
+ - ./data/production/certs:/opt/certs
+ - ./data/production/nginx:/etc/nginx/conf.d
+ links:
+ - shibboleth-docker
+ ports:
+ - '80:80'
+ - '443:443'
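Review bot: `IDP_DEBUG=true` in a file named compose-prod.yml is a production default that the entrypoint in this same commit turns into `idp.loglevel.messages=DEBUG` and `idp.loglevel.encryption=DEBUG`; going by those property names, production logs would then carry full protocol messages and encryption/decryption detail. Drop the line from the production compose file, or move it into `./data/production/env` so debug logging is an explicit opt-in rather than the shipped default. `image: nginx` is also untagged, so each pull may resolve to a different release of the TLS front end; pin a specific tag so the proxy is reproducible.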
diff --git a/idp/Dockerfile b/idp/Dockerfile
index 3dd2d6c..908233f 100644
--- a/idp/Dockerfile
+++ b/idp/Dockerfile
@@ -1,7 +1,7 @@
FROM jetty:9-alpine
-EXPOSE 80 443
MAINTAINER Jesper B. Rosenkilde <jbr@nordu.net>
+USER root
ENV IDP_VERSION 3.3.0
COPY install.properties /opt/
COPY nordu-ldap.properties /opt/
@@ -10,7 +10,7 @@ COPY shibboleth-identity-provider-${IDP_VERSION}.tar.gz /opt/
COPY template-config/ /opt/template-config
COPY shibboleth.db.ddl /tmp/
WORKDIR /opt
-RUN apk --no-cache add bash apache-ant sqlite curl && \
+RUN echo $(id) && apk --no-cache add bash apache-ant sqlite curl && \
#curl -O https://shibboleth.net/downloads/identity-provider/${IDP_VERSION}/shibboleth-identity-provider-${IDP_VERSION}.tar.gz && \
sha256sum -c shibboleth-identity-provider-$IDP_VERSION.tar.gz.sha256 && \
tar xf shibboleth-identity-provider-$IDP_VERSION.tar.gz && \
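Review bot: `echo $(id) &&` on the RUN line reads as a debugging leftover from the `USER root` change; it only prints the build user to every build log and should go, leaving `RUN apk --no-cache add bash apache-ant sqlite curl && \`. The apk packages stay unpinned, so the layer is not reproducible across rebuilds (hadolint DL3018). The RUN chain continues past the end of this hunk.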
@@ -28,5 +28,7 @@ RUN chown -R jetty:jetty /opt/shibboleth-idp
COPY jetty_base $JETTY_BASE
COPY shib-entrypoint.sh /shib-entrypoint.sh
-ENTRYPOINT /shib-entrypoint.sh
+USER jetty
+ENTRYPOINT ["/shib-entrypoint.sh"]
WORKDIR $JETTY_BASE
+CMD ["java","-jar","/usr/local/jetty/start.jar"]
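Review bot: The new `CMD ["java","-jar","/usr/local/jetty/start.jar"]` is never consulted: shib-entrypoint.sh in this same commit ends with `/docker-entrypoint.sh java -jar /usr/local/jetty/start.jar $JAVA_OPTIONS` and no longer forwards `"$@"`, so `docker run <image> <args>` silently ignores the arguments. Either have the script end with `exec /docker-entrypoint.sh "$@"` or drop the CMD so the image's contract is not misleading. Moving to `USER jetty` before ENTRYPOINT is the right direction; the first hunk also removed `EXPOSE 80 443`, presumably because the nginx service now owns those ports, which is worth a comment since a non-root jetty could not bind them anyway.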
diff --git a/idp/shib-entrypoint.sh b/idp/shib-entrypoint.sh
index eec7dcd..7803c11 100755
--- a/idp/shib-entrypoint.sh
+++ b/idp/shib-entrypoint.sh
@@ -6,4 +6,66 @@ if [ -f /metadata/sp-metadata.xml ]; then
sed -i -e '/sp.nordu.dev/ s/<!--//' -e '/sp.nordu.dev/ s/-->//' /opt/shibboleth-idp/conf/metadata-providers.xml
fi
-/docker-entrypoint.sh "$@"
+IDP_PROPERTIES=${IDP_PROPERTIES:-/opt/shibboleth-idp/conf/idp.properties}
+if [ -n "$IDP_HOSTNAME" ]; then
+ sed -i -e "s/idp.nordu.dev/$IDP_HOSTNAME/" $IDP_PROPERTIES
+fi
+if [ -n "$IDP_SCOPE" ]; then
+ sed -i -e "/idp.scope=/ s/nordu.dev/$IDP_HOSTNAME/" $IDP_PROPERTIES
+fi
+
+# FTICKS
+if [ -n "$FTICKS_FEDERATION" ]; then
+ sed -i -e '/idp.fticks.federation=/ s/^#//' \
+ -e "/idp.fticks.federation=/ s/MyFederation/$FTICKS_FEDERATION/" \
+ -e '/idp.fticks.algorithm=/ s/^#//' $IDP_PROPERTIES
+ if [ -n "$FTICKS_SALT" ]; then
+ sed -i -e '/idp.fticks.salt=/ s/^#//' \
+ -e "/idp.fticks.salt=/ s/=.*/=$FTICKS_SALT/" $IDP_PROPERTIES
+ fi
+
+ if [ -n "$FTICKS_HOST" ]; then
+ sed -i -e '/idp.fticks.loghost=/ s/^#//' \
+ -e "/idp.fticks.loghost=/ s/=.*/=$FTICKS_HOST/" $IDP_PROPERTIES
+ fi
+ if [ -n "$FTICKS_PORT" ]; then
+ sed -i -e '/idp.fticks.logport=/ s/^#//' \
+ -e "/idp.fticks.logport=/ s/=.*/=$FTICKS_PORT/" $IDP_PROPERTIES
+ fi
+fi
+
+# PersistentID
+
+if [ -n "$IDP_PERSISTENTID_SALT" ]; then
+ if ! grep '<ref bean="shibboleth.SAML2PersistentGenerator" />' /opt/shibboleth-idp/conf/saml-nameid.xml ; then
+ sed -i -e '/<util:list id="shibboleth.SAML2NameIDGenerators">/ a <ref bean="shibboleth.SAML2PersistentGenerator" />' /opt/shibboleth-idp/conf/saml-nameid.xml
+ fi
+
+ source_attr=${IDP_PERSISTENTID_SOURCE:-uid}
+ sed -i -e '/idp.persistentId.sourceAttribute/ s/^#//' \
+ -e "/idp.persistentId.sourceAttribute/ s/changethistosomethingreal/$source_attr/" \
+ -e '/idp.persistentId.salt/ s/^#//' \
+ -e "/idp.persistentId.salt/ s/changethistosomethingrandom/$IDP_PERSISTENTID_SALT/" /opt/shibboleth-idp/conf/saml-nameid.properties
+ # add xml conf to attribute-resolver
+ if ! grep "%{idp.persistentId.sourceAttribute}" /opt/shibboleth-idp/conf/attribute-resolver.xml ; then
+ sed -i '/<!-- eduPersonTargetdID placeholder -->/r /opt/template-config/edupersontargetdid.xml.add' /opt/shibboleth-idp/conf/attribute-resolver.xml
+ fi
+fi
+
+if [ -n "$IDP_DEBUG" ]; then
+ echo "idp.loglevel.messages=DEBUG" >> $IDP_PROPERTIES
+ echo "idp.loglevel.encryption=DEBUG" >> $IDP_PROPERTIES
+fi
+
+DATADIR=/opt/data
+# overwrite signing keys if present
+if [ -f ${DATADIR}/credentials/idp-signing.key -a -f ${DATADIR}/credentials/idp-signing.crt ]; then
+ cp ${DATADIR}/credentials/idp-signing.key /opt/shibboleth-idp/credentials/idp-signing.key
+ cp ${DATADIR}/credentials/idp-signing.crt /opt/shibboleth-idp/credentials/idp-signing.crt
+fi
+
+if [ $IDP_DEBUG ]; then
+ sed -i -e '/idp.loglevel.messages/ s/INFO/DEBUG/' -e '/idp.loglevel.encryption/ s/INFO/DEBUG/' /opt/shibboleth-idp/conf/logback.xml
+fi
+
+/docker-entrypoint.sh java -jar /usr/local/jetty/start.jar $JAVA_OPTIONS
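Review bot: The IDP_SCOPE branch substitutes the wrong variable: `sed -i -e "/idp.scope=/ s/nordu.dev/$IDP_HOSTNAME/" $IDP_PROPERTIES` writes the hostname into idp.scope (with the compose values the scope becomes idp.nordu.net instead of nordu.net); it should read `sed -i -e "/idp.scope=/ s/nordu.dev/$IDP_SCOPE/" "$IDP_PROPERTIES"`. The same raw interpolation is used for `$FTICKS_SALT` and `$IDP_PERSISTENTID_SALT`: a salt containing `/`, `&` or `\` (common in base64 output) either aborts the sed expression or is rewritten to something other than the operator's value, so the persistent-ID salt can silently differ from what was configured; escape those characters before the substitution or write the property without sed. The final line drops `"$@"`, so the CMD added to the Dockerfile in this commit is never honoured, and `exec /docker-entrypoint.sh "$@"` would also stop this wrapper lingering as the JVM's parent if the jetty entrypoint execs java itself. IDP_DEBUG is handled twice (the appends to idp.properties and the later logback sed), and the second test `[ $IDP_DEBUG ]` is unquoted.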
diff --git a/idp/template-config/attribute-filter.xml b/idp/template-config/attribute-filter.xml
index eae2abe..3514282 100644
--- a/idp/template-config/attribute-filter.xml
+++ b/idp/template-config/attribute-filter.xml
@@ -9,9 +9,9 @@
and their options.
-->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
- xmlns="urn:mace:shibboleth:2.0:afp"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+ xmlns="urn:mace:shibboleth:2.0:afp"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
<AttributeFilterPolicy id="releaseTransientIdToAnyone">
<PolicyRequirementRule xsi:type="ANY" />
@@ -19,139 +19,265 @@
<AttributeRule attributeID="transientId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
+ <AttributeRule attributeID="persistentId">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
</AttributeFilterPolicy>
- <!-- GEANT Data protection Code of Conduct -->
- <AttributeFilterPolicy id="releaseToCoCo">
- <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
- attributeName="http://macedir.org/entity-category"
- attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
- <AttributeRule attributeID="displayName">
- <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
- </AttributeRule>
- <AttributeRule attributeID="cn">
- <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
- </AttributeRule>
- <AttributeRule attributeID="email">
- <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
- </AttributeRule>
- <AttributeRule attributeID="eduPersonPrincipalName">
- <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
- </AttributeRule>
- <AttributeRule attributeID="eduPersonScopedAffiliation">
- <PermitValueRule xsi:type="AND">
- <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
- <Rule xsi:type="OR">
- <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
- <Rule xsi:type="Value" value="student" ignoreCase="true" />
- <Rule xsi:type="Value" value="staff" ignoreCase="true" />
- <Rule xsi:type="Value" value="alum" ignoreCase="true" />
- <Rule xsi:type="Value" value="member" ignoreCase="true" />
- <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
- <Rule xsi:type="Value" value="employee" ignoreCase="true" />
- <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
- </Rule>
- </PermitValueRule>
- </AttributeRule>
- <AttributeRule attributeID="eduPersonAffiliation">
- <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
- </AttributeRule>
- <AttributeRule attributeID="schacHomeOrganization">
- <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
- </AttributeRule>
- <AttributeRule attributeID="schacHomeOrganizationType">
- <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
- </AttributeRule>
- </AttributeFilterPolicy>
+ <!-- GEANT Data protection Code of Conduct -->
+ <AttributeFilterPolicy id="releaseToCoCo">
+ <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="cn">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="email">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="AND">
+ <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ <Rule xsi:type="OR">
+ <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+ <Rule xsi:type="Value" value="student" ignoreCase="true" />
+ <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+ <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+ <Rule xsi:type="Value" value="member" ignoreCase="true" />
+ <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+ <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+ <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+ </Rule>
+ </PermitValueRule>
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonAffiliation">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="schacHomeOrganization">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="schacHomeOrganizationType">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
- <!-- REFEDS Research and Schoolarship -->
- <AttributeFilterPolicy id="releaseToRandS">
- <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
- attributeName="http://macedir.org/entity-category"
- attributeValue="http://refeds.org/category/research-and-scholarship" />
-
- <AttributeRule attributeID="displayName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="givenName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="surname">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="email">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="eduPersonPrincipalName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="eduPersonScopedAffiliation">
- <PermitValueRule xsi:type="OR">
- <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
- <Rule xsi:type="Value" value="student" ignoreCase="true" />
- <Rule xsi:type="Value" value="staff" ignoreCase="true" />
- <Rule xsi:type="Value" value="alum" ignoreCase="true" />
- <Rule xsi:type="Value" value="member" ignoreCase="true" />
- <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
- <Rule xsi:type="Value" value="employee" ignoreCase="true" />
- <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
- </PermitValueRule>
- </AttributeRule>
- </AttributeFilterPolicy>
+ <!-- REFEDS Research and Schoolarship -->
+ <AttributeFilterPolicy id="releaseToRandS">
+ <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://refeds.org/category/research-and-scholarship" />
+
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="givenName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="surname">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="email">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="OR">
+ <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+ <Rule xsi:type="Value" value="student" ignoreCase="true" />
+ <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+ <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+ <Rule xsi:type="Value" value="member" ignoreCase="true" />
+ <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+ <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+ <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+ </PermitValueRule>
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
+ <!-- entity-category-swamid-research-and-education -->
+ <AttributeFilterPolicy id="entity-category-research-and-education">
+ <PolicyRequirementRule xsi:type="AND">
+ <Rule xsi:type="OR">
+ <Rule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://www.swamid.se/category/eu-adequate-protection" />
+ <Rule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://www.swamid.se/category/nren-service" />
+ <Rule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://www.swamid.se/category/hei-service" />
+ </Rule>
+ <Rule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://www.swamid.se/category/research-and-education" />
+ </PolicyRequirementRule>
+
+ <AttributeRule attributeID="givenName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="surname">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonAssurance">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="email">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="OR">
+ <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+ <Rule xsi:type="Value" value="student" ignoreCase="true" />
+ <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+ <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+ <Rule xsi:type="Value" value="member" ignoreCase="true" />
+ <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+ <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+ <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+ </PermitValueRule>
+ </AttributeRule>
+ <AttributeRule attributeID="organizationName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="norEduOrgAcronym">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="countryName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="friendlyCountryName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="schacHomeOrganization">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
<!-- Release some attributes to an SP. -->
<!-- Note: requester seems to need the path /shibboleth to be included to match this! -->
<AttributeFilterPolicy id="sp.nordu.dev">
- <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
- <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
- <AttributeRule attributeID="eduPersonPrincipalName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="uid">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="mail">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="givenName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="surname">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="displayName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="commonName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="employeeType">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="email">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="eduPersonEntitlement">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="mailLocalAddress">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="eduPersonScopedAffiliation">
- <PermitValueRule xsi:type="OR">
- <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
- <Rule xsi:type="Value" value="student" ignoreCase="true" />
- <Rule xsi:type="Value" value="staff" ignoreCase="true" />
- <Rule xsi:type="Value" value="alum" ignoreCase="true" />
- <Rule xsi:type="Value" value="member" ignoreCase="true" />
- <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
- <Rule xsi:type="Value" value="employee" ignoreCase="true" />
- <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
- </PermitValueRule>
- </AttributeRule>
- <AttributeRule attributeID="organizationName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
+ <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
+ <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="uid">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="mail">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="givenName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="surname">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="commonName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="employeeType">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="email">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonEntitlement">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="mailLocalAddress">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="OR">
+ <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+ <Rule xsi:type="Value" value="student" ignoreCase="true" />
+ <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+ <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+ <Rule xsi:type="Value" value="member" ignoreCase="true" />
+ <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+ <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+ <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+ </PermitValueRule>
+ </AttributeRule>
+ <AttributeRule attributeID="organizationName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
+ <!-- ukfederation + incommon -->
+ <AttributeFilterPolicy id="everyoneInSwamidFeed">
+ <PolicyRequirementRule xsi:type="InEntityGroup" groupID="http://mds.swamid.se/md/swamid-2.0.xml" />
+ <AttributeRule attributeID="givenName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="surname">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="commonName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="email">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonEntitlement">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonTargetedID">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="OR">
+ <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+ <Rule xsi:type="Value" value="student" ignoreCase="true" />
+ <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+ <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+ <Rule xsi:type="Value" value="member" ignoreCase="true" />
+ <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+ <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+ <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+ </PermitValueRule>
+ </AttributeRule>
+ <AttributeRule attributeID="organizationName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="norEduOrgAcronym">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="countryName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="friendlyCountryName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="schacHomeOrganization">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
</AttributeFilterPolicy>
+
</AttributeFilterPolicyGroup>
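Review bot: The new `everyoneInSwamidFeed` policy releases givenName, surname, email, eduPersonPrincipalName, eduPersonTargetedID and more to every entity in `http://mds.swamid.se/md/swamid-2.0.xml`, each with `PermitValueRule xsi:type="ANY"`, yet its comment says `<!-- ukfederation + incommon -->`; either the comment or the groupID is wrong, and a feed-wide release of identifying attributes is a far broader disclosure than the policies above it, which gate on CoCo, R&S or SWAMID entity categories. Confirm this is the intended data-protection stance and make the comment name the actual feed, e.g. `<!-- all entities in the SWAMID 2.0 metadata feed -->`. `releaseTransientIdToAnyone` now also permits `persistentId` to any requester, which matches the new persistent-ID generator but deserves a note in its comment since persistent identifiers are stable per SP and thus re-identifying across sessions.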
diff --git a/idp/template-config/attribute-resolver.xml b/idp/template-config/attribute-resolver.xml
index 1020fc4..92fb1bb 100644
--- a/idp/template-config/attribute-resolver.xml
+++ b/idp/template-config/attribute-resolver.xml
@@ -17,38 +17,31 @@
-->
<AttributeResolver
- xmlns="urn:mace:shibboleth:2.0:resolver"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
+ xmlns="urn:mace:shibboleth:2.0:resolver"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
- <!-- ========================================== -->
- <!-- Attribute Definitions -->
- <!-- ========================================== -->
+ <!-- ========================================== -->
+ <!-- Attribute Definitions -->
+ <!-- ========================================== -->
- <!--
+ <!--
The EPPN is the "standard" federated username in higher ed.
For guidelines on the implementation of this attribute, refer
to the Shibboleth and eduPerson documentation. Above all, do
not expose a value for this attribute without considering the
long term implications.
-->
- <!-- This version not used at NORDUnet, see below
- <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
- </AttributeDefinition>
- -->
<!--
The uid is the closest thing to a "standard" LDAP attribute
representing a local username, but you should generally *never*
expose uid to federated services, as it is rarely globally unique.
-->
<AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
</AttributeDefinition>
<!--
@@ -57,52 +50,52 @@
the same as your official email addresses whenever possible.
-->
<AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
</AttributeDefinition>
<AttributeDefinition id="email" xsi:type="Simple" sourceAttributeID="mail">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
</AttributeDefinition>
<AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" encodeType="false" />
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" />
</AttributeDefinition>
<AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct -->
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" />
</AttributeDefinition>
<AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn">
<Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" />
</AttributeDefinition>
<AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o">
<Dependency ref="staticAttributes" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" />
</AttributeDefinition>
<AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName">
<Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" />
</AttributeDefinition>
<!-- Schema: inetOrgPerson attributes-->
<AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType">
<Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" />
</AttributeDefinition>
<!-- Schema: eduPerson attributes -->
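Review bot: Beyond re-indentation, every encoder in this hunk and the previous one (file lines 17-38) loses `encodeType="false"`, e.g. `<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" />`, which affects how AttributeValue elements are typed in emitted assertions, yet the commit message mentions only persistentId and logging. If the drop is intentional it should be called out in the message or split into its own commit; if not, the whitespace churn is hiding a behavioural change that relying parties may notice. The previous hunk also silently removes the commented-out Scoped eduPersonPrincipalName example.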
@@ -129,101 +122,91 @@
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
</AttributeDefinition>
- <!-- Idp-Installer: the source for this attribute is from the database StoredId and no longer the classic computedID -->
- <!--
- <AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID"
- nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="persistentId">
- <Dependency ref="StoredId" />
- <AttributeEncoder xsi:type="enc:SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
- <AttributeEncoder xsi:type="enc:SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
- </AttributeDefinition>
- -->
-
-<AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
-</AttributeDefinition>
+ <AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" />
+ </AttributeDefinition>
-<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Simple" sourceAttributeID="uid"><!-- In ndn it is uid -->
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
-</AttributeDefinition>
+ <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid"><!-- In ndn it is uid+scope -->
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
+ <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
+ </AttributeDefinition>
-<AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="nordu.net" sourceAttributeID="employeeType">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
-</AttributeDefinition>
+ <AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="employeeType">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
+ <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
+ </AttributeDefinition>
- <!-- from swamid installer -->
+<!-- from swamid installer -->
<AttributeDefinition id="norEduOrgAcronym" xsi:type="Simple" sourceAttributeID="norEduOrgAcronym">
<Dependency ref="staticAttributes" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgAcronym" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.6" friendlyName="norEduOrgAcronym" />
</AttributeDefinition>
- <AttributeDefinition id="schacHomeOrganization" xsi:type="Simple" sourceAttributeID="schacHomeOrganization">
- <Dependency ref="staticAttributes" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
- </AttributeDefinition>
+ <AttributeDefinition id="schacHomeOrganization" xsi:type="Simple" sourceAttributeID="schacHomeOrganization">
+ <Dependency ref="staticAttributes" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+ </AttributeDefinition>
- <AttributeDefinition id="schacHomeOrganizationType" xsi:type="Simple" sourceAttributeID="schacHomeOrganizationType">
- <Dependency ref="staticAttributes" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
- </AttributeDefinition>
+ <AttributeDefinition id="schacHomeOrganizationType" xsi:type="Simple" sourceAttributeID="schacHomeOrganizationType">
+ <Dependency ref="staticAttributes" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+ </AttributeDefinition>
- <!-- If we want to use google apps at some point we need: friendlyCountryName, countryName and principal -->
+ <!-- If we want to use google apps at some point we need: friendlyCountryName, countryName and principal -->
- <!-- ========================================== -->
- <!-- Data Connectors -->
- <!-- ========================================== -->
+ <!-- ========================================== -->
+ <!-- Data Connectors -->
+ <!-- ========================================== -->
- <!--
+ <!--
Example LDAP Connector
The connectivity details can be specified in ldap.properties to
share them with your authentication settings if desired.
-->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
- ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
- baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
- <FilterTemplate>
- <![CDATA[
- %{idp.attribute.resolver.LDAP.searchFilter}
- ]]>
- </FilterTemplate>
+ ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+ baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
+ <FilterTemplate>
+ <![CDATA[
+ %{idp.attribute.resolver.LDAP.searchFilter}
+ ]]>
+ </FilterTemplate>
</DataConnector>
<DataConnector id="myLDAPGROUPS" xsi:type="LDAPDirectory"
- ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
- baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
- <FilterTemplate>
- <![CDATA[
- %{idp.attribute.resolver.LDAP.searchFilter}
- ]]>
- </FilterTemplate>
- <ReturnAttributes>memberOf</ReturnAttributes>
+ ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+ baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
+ <FilterTemplate>
+ <![CDATA[
+ %{idp.attribute.resolver.LDAP.searchFilter}
+ ]]>
+ </FilterTemplate>
+ <ReturnAttributes>memberOf</ReturnAttributes>
</DataConnector>
- <DataConnector id="staticAttributes" xsi:type="Static">
- <Attribute id="o">
- <Value>NORDUnet A/S</Value>
- </Attribute>
- <Attribute id="schacHomeOrganization">
- <Value>nordu.net</Value>
- </Attribute>
- <Attribute id="schacHomeOrganizationType">
- <Value>urn:schac:homeOrganizationType:int:NREN</Value>
- </Attribute>
- <Attribute id="norEduOrgAcronym">
- <Value>NORDUNet</Value>
- </Attribute>
+ <DataConnector id="staticAttributes" xsi:type="Static">
+ <Attribute id="o">
+ <Value>NORDUnet A/S</Value>
+ </Attribute>
+ <Attribute id="schacHomeOrganization">
+ <Value>nordu.net</Value>
+ </Attribute>
+ <Attribute id="schacHomeOrganizationType">
+ <Value>urn:schac:homeOrganizationType:int:NREN</Value>
+ </Attribute>
+ <Attribute id="norEduOrgAcronym">
+ <Value>NORDUNet</Value>
+ </Attribute>
<Attribute id="staticeduPersonEntitlement">
<Value>urn:mace:dir:entitlement:common-lib-terms</Value>
<Value>urn:mace:terena.org:tcs:escience-user</Value>
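Review bot: The schacHomeOrganizationType definition in this hunk encodes under the schacHomeOrganization identifiers (`urn:mace:dir:attribute-def:schacHomeOrganization` and `urn:oid:1.3.6.1.4.1.25178.1.2.9`), byte-identical to the encoders of the schacHomeOrganization definition directly above it, so the static value `urn:schac:homeOrganizationType:int:NREN` is released as a second value of schacHomeOrganization instead of as its own attribute, and SPs that expect a single domain there will reject or misread it. The encoders should carry the type attribute's own identifiers, following the file's naming convention: `<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganizationType" />` and `<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.10" friendlyName="schacHomeOrganizationType" />` (confirm the OID against the SCHAC schema before shipping). Separately, eduPersonScopedAffiliation is scoped straight from the raw LDAP `employeeType` value; unless the directory constrains that attribute to the eduPersonAffiliation vocabulary (member, staff, employee, …), a Mapped definition or a value filter is needed so that arbitrary directory strings do not become scoped affiliations, which federations consume as authorization input.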
@@ -233,34 +216,8 @@
<Value>urn:mace:swami.se:gmai:sunet-iaas:admin</Value>
<Value>urn:mace:swami.se:gmai:sunet-iaas:user</Value>
</Attribute>
- </DataConnector>
-
-
- <!-- Computed targeted ID connector -->
-<!-- The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.-->
-
-<!-- <DataConnector id="ComputedId" xsi:type="ComputedId"
- generatedAttributeID="computedId"
- sourceAttributeID="uid"
- salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
- <resolver:Dependency ref="myLDAP" />
- </DataConnector>
-
-also in old format the next block
-<resolver:DataConnector id="StoredId"
- xsi:type="StoredId"
- xmlns="urn:mace:shibboleth:2.0:resolver:dc"
- generatedAttributeID="persistentId"
- sourceAttributeID="uid"
- salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
- <resolver:Dependency ref="uid" />
- <ApplicationManagedConnection
- jdbcDriver="com.mysql.jdbc.Driver"
- jdbcURL="jdbc:mysql://mysql:3306/shibboleth?autoReconnect=true&amp;useSSL=false"
- jdbcUserName="idp"
- jdbcPassword="shibboleth" />
-</resolver:DataConnector>
--->
+ </DataConnector>
+ <!-- eduPersonTargetdID placeholder -->
</AttributeResolver>
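Review bot: The added `<!-- eduPersonTargetdID placeholder -->` line looks like a splice marker rather than a comment: the new file `edupersontargetdid.xml.add` carries the same "targetd" misspelling, which suggests the entrypoint replaces this exact text at start-up (the script is not in this chunk, so this is inferred). If so, the misspelling is load-bearing, and a later tidy-up of either side leaves the IdP with no eduPersonTargetedID definition, which only surfaces as a missing attribute at SPs. Add a preceding line that says so, e.g. `<!-- The next line is replaced verbatim by edupersontargetdid.xml.add at container start; do not edit its text. -->`, and have the entrypoint fail loudly when the marker is not found rather than start without the connector.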
diff --git a/idp/template-config/edupersontargetdid.xml.add b/idp/template-config/edupersontargetdid.xml.add
new file mode 100644
index 0000000..8601da6
--- /dev/null
+++ b/idp/template-config/edupersontargetdid.xml.add
@@ -0,0 +1,16 @@
+ <AttributeDefinition xsi:type="SAML2NameID" id="eduPersonTargetedID"
+ nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+ sourceAttributeID="computedId">
+ <Dependency ref="ComputedId" />
+ <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
+ <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
+ </AttributeDefinition>
+
+
+ <!-- The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.-->
+ <DataConnector id="ComputedId" xsi:type="ComputedId"
+ generatedAttributeID="computedId"
+ sourceAttributeID="%{idp.persistentId.sourceAttribute}"
+ salt="%{idp.persistentId.salt}">
+ <Dependency ref="myLDAP" />
+ </DataConnector>
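Review bot: The `salt="%{idp.persistentId.salt}"` on the ComputedId connector is the only secret preventing eduPersonTargetedID values from being recomputed from a uid and an SP entityID, and the literal salt that this commit removes from the resolver is still in git history, so if the env file carries the same string the move to a property does not reduce exposure. Either rotate it — which changes every user's targeted ID at every SP and has to be coordinated, since ComputedId is stateless and cannot map old values to new — or record the decision to keep it; in both cases the value is readable by anyone who can inspect the container's environment. The connector also hashes whatever `idp.persistentId.sourceAttribute` names, so that attribute must be unique and never reassigned, or a recycled uid yields the previous person's targeted ID at every SP. A comment on the connector stating both requirements, e.g. `<!-- salt: long random value, never committed; rotating it changes every eduPersonTargetedID. sourceAttribute must be unique and never reassigned. -->`, would help the next operator.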
diff --git a/idp/template-config/logback.xml b/idp/template-config/logback.xml
new file mode 100644
index 0000000..6afa4ef
--- /dev/null
+++ b/idp/template-config/logback.xml
@@ -0,0 +1,199 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+
+ <!--
+ Variables for simplifying logging configuration.
+ http://logback.qos.ch/manual/configuration.html#variableSubstitution
+ -->
+
+ <variable name="idp.logfiles" value="${idp.home}/logs" />
+ <variable name="idp.loghistory" value="180" />
+
+ <!-- Much higher performance if you operate on DEBUG. -->
+ <!-- <variable name="idp.process.appender" value="ASYNC_PROCESS" /> -->
+
+ <!-- Logging level shortcuts. -->
+ <variable name="idp.loglevel.idp" value="INFO" />
+ <variable name="idp.loglevel.ldap" value="WARN" />
+ <variable name="idp.loglevel.messages" value="INFO" />
+ <variable name="idp.loglevel.encryption" value="INFO" />
+ <variable name="idp.loglevel.opensaml" value="INFO" />
+ <variable name="idp.loglevel.props" value="INFO" />
+
+ <!-- Don't turn these up unless you want a *lot* of noise. -->
+ <variable name="idp.loglevel.spring" value="ERROR" />
+ <variable name="idp.loglevel.container" value="ERROR" />
+ <variable name="idp.loglevel.xmlsec" value="INFO" />
+
+ <!--
+ If you want to use custom properties in this config file,
+ we load the main property file for you.
+ -->
+ <variable file="${idp.home}/conf/idp.properties" />
+
+ <!-- =========================================================== -->
+ <!-- ============== Logging Categories and Levels ============== -->
+ <!-- =========================================================== -->
+
+ <!-- Logs IdP, but not OpenSAML, messages -->
+ <logger name="net.shibboleth.idp" level="${idp.loglevel.idp:-INFO}"/>
+
+ <!-- Logs OpenSAML, but not IdP, messages -->
+ <logger name="org.opensaml.saml" level="${idp.loglevel.opensaml:-INFO}"/>
+
+ <!-- Logs LDAP related messages -->
+ <logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/>
+
+ <!-- Logs inbound and outbound protocols messages at DEBUG level -->
+ <logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages:-INFO}" />
+
+ <!-- Logs unencrypted SAML at DEBUG level -->
+ <logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption:-INFO}" />
+
+ <!-- Logs system properties during startup at DEBUG level -->
+ <logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props:-INFO}" />
+
+ <!-- Especially chatty. -->
+ <logger name="net.shibboleth.idp.saml.attribute.mapping" level="INFO" />
+ <logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec:-INFO}" />
+ <logger name="org.springframework" level="${idp.loglevel.spring:-ERROR}"/>
+ <logger name="org.apache.catalina" level="${idp.loglevel.container:-ERROR}"/>
+ <logger name="org.eclipse.jetty" level="${idp.loglevel.container:-ERROR}"/>
+
+
+ <!-- =========================================================== -->
+ <!-- ============== Low Level Details or Changes =============== -->
+ <!-- =========================================================== -->
+
+ <!-- Process log. -->
+ <appender name="IDP_PROCESS" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <File>${idp.logfiles}/idp-process.log</File>
+
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+ <maxHistory>${idp.loghistory:-180}</maxHistory>
+ </rollingPolicy>
+
+ <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+ <charset>UTF-8</charset>
+ <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
+ </encoder>
+
+ <!-- Ignore Velocity status page error. -->
+ <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
+ <evaluator>
+ <matcher>
+ <Name>VelocityStatusMatcher</Name>
+ <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
+ </matcher>
+ <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
+ </evaluator>
+ <OnMatch>DENY</OnMatch>
+ </filter>
+ </appender>
+
+ <appender name="ASYNC_PROCESS" class="ch.qos.logback.classic.AsyncAppender">
+ <appender-ref ref="IDP_PROCESS" />
+ <discardingThreshold>0</discardingThreshold>
+ </appender>
+
+ <appender name="IDP_WARN" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <!-- Suppress anything below WARN. -->
+ <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+ <level>WARN</level>
+ </filter>
+
+ <File>${idp.logfiles}/idp-warn.log</File>
+
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+ <maxHistory>${idp.loghistory:-180}</maxHistory>
+ </rollingPolicy>
+
+ <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+ <charset>UTF-8</charset>
+ <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
+ </encoder>
+
+ <!-- Ignore Velocity status page error. -->
+ <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
+ <evaluator>
+ <matcher>
+ <Name>VelocityStatusMatcher</Name>
+ <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
+ </matcher>
+ <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
+ </evaluator>
+ <OnMatch>DENY</OnMatch>
+ </filter>
+ </appender>
+
+ <!-- Audit log. -->
+ <appender name="IDP_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <File>${idp.logfiles}/idp-audit.log</File>
+
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+ <maxHistory>${idp.loghistory:-180}</maxHistory>
+ </rollingPolicy>
+
+ <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+ <charset>UTF-8</charset>
+ <Pattern>%msg%n</Pattern>
+ </encoder>
+ </appender>
+
+ <!-- Consent audit log. -->
+ <appender name="IDP_CONSENT_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <File>${idp.logfiles}/idp-consent-audit.log</File>
+
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+ <maxHistory>${idp.loghistory:-180}</maxHistory>
+ </rollingPolicy>
+
+ <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+ <charset>UTF-8</charset>
+ <Pattern>%msg%n</Pattern>
+ </encoder>
+ </appender>
+
+ <!-- F-TICKS syslog destination. -->
+ <appender name="IDP_AUDIT_FTICKS" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <File>${idp.home}/logs/idp-audit-fticks.log</File>
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${idp.home}/logs/idp-audit-fticks%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+ <maxHistory>180</maxHistory>
+ </rollingPolicy>
+ <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+ <charset>UTF-8</charset>
+ <Pattern>%msg%n</Pattern>
+ </encoder>
+ </appender>
+
+ <appender name="IDP_FTICKS" class="ch.qos.logback.classic.net.SyslogAppender">
+ <syslogHost>${idp.fticks.loghost:-localhost}</syslogHost>
+ <port>${idp.fticks.logport:-514}</port>
+ <facility>AUTH</facility>
+ <suffixPattern>[%thread] %logger %msg</suffixPattern>
+ </appender>
+
+ <logger name="Shibboleth-Audit" level="ALL">
+ <appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/>
+ </logger>
+
+ <logger name="Shibboleth-FTICKS" level="ALL" additivity="false">
+ <appender-ref ref="${idp.fticks.appender:-IDP_FTICKS}"/>
+ <appender-ref ref="IDP_AUDIT_FTICKS"/>
+ </logger>
+
+ <logger name="Shibboleth-Consent-Audit" level="ALL">
+ <appender-ref ref="${idp.consent.appender:-IDP_CONSENT_AUDIT}"/>
+ </logger>
+
+ <root level="${idp.loglevel.root:-INFO}">
+ <appender-ref ref="${idp.process.appender:-IDP_PROCESS}"/>
+ <appender-ref ref="${idp.warn.appender:-IDP_WARN}" />
+ </root>
+
+</configuration>
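Review bot: The `IDP_FTICKS` syslog appender defaults to `localhost:514`, and logback's SyslogAppender speaks UDP only, so in this container — which installs no syslog daemon — every F-TICKS record is sent to a closed port and silently discarded unless `idp.fticks.loghost` is set in the `idp.properties` this file loads; the file copy in `IDP_AUDIT_FTICKS` is the only thing that survives. UDP syslog is also cleartext and unauthenticated, so when a collector is configured it should sit on a trusted network path (F-TICKS records carry a hashed principal plus the SP/IdP pair for every login). If no collector exists yet, make the file appender the default and drop the second `appender-ref` so lines are not doubled once one is configured: `<appender-ref ref="${idp.fticks.appender:-IDP_AUDIT_FTICKS}"/>`. Minor: the fticks rollover pattern lacks the `-` before `%d` that every other appender uses, producing names like `idp-audit-fticks2017-09-29.log.gz`.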