summaryrefslogtreecommitdiff
path: root/idp/templates/config
diff options
context:
space:
mode:
Diffstat (limited to 'idp/templates/config')
-rw-r--r--idp/templates/config/README.md5
-rw-r--r--idp/templates/config/attribute-filter.xml283
-rw-r--r--idp/templates/config/attribute-resolver.xml223
-rw-r--r--idp/templates/config/edupersontargetdid.xml.add16
-rw-r--r--idp/templates/config/logback.xml199
-rw-r--r--idp/templates/config/metadata-providers.xml57
6 files changed, 783 insertions, 0 deletions
diff --git a/idp/templates/config/README.md b/idp/templates/config/README.md
new file mode 100644
index 0000000..6002238
--- /dev/null
+++ b/idp/templates/config/README.md
@@ -0,0 +1,5 @@
+# IDP config templates
+
+This directory contains the files which are being replaced after running install.
+
+Dockerfile should install these after running install.
diff --git a/idp/templates/config/attribute-filter.xml b/idp/templates/config/attribute-filter.xml
new file mode 100644
index 0000000..3514282
--- /dev/null
+++ b/idp/templates/config/attribute-filter.xml
@@ -0,0 +1,283 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ This file is an EXAMPLE policy file. While the policy presented in this
+ example file is illustrative of some simple cases, it relies on the names of
+ non-existent example services and the example attributes demonstrated in the
+ default attribute-resolver.xml file.
+
+ Deployers should refer to the documentation for a complete list of components
+ and their options.
+-->
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
+ xmlns="urn:mace:shibboleth:2.0:afp"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+
+ <AttributeFilterPolicy id="releaseTransientIdToAnyone">
+ <PolicyRequirementRule xsi:type="ANY" />
+
+ <AttributeRule attributeID="transientId">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="persistentId">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
+
+ <!-- GEANT Data protection Code of Conduct -->
+ <AttributeFilterPolicy id="releaseToCoCo">
+ <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="cn">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="email">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="AND">
+ <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ <Rule xsi:type="OR">
+ <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+ <Rule xsi:type="Value" value="student" ignoreCase="true" />
+ <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+ <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+ <Rule xsi:type="Value" value="member" ignoreCase="true" />
+ <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+ <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+ <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+ </Rule>
+ </PermitValueRule>
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonAffiliation">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="schacHomeOrganization">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="schacHomeOrganizationType">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
+ <!-- REFEDS Research and Schoolarship -->
+ <AttributeFilterPolicy id="releaseToRandS">
+ <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://refeds.org/category/research-and-scholarship" />
+
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="givenName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="surname">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="email">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="OR">
+ <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+ <Rule xsi:type="Value" value="student" ignoreCase="true" />
+ <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+ <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+ <Rule xsi:type="Value" value="member" ignoreCase="true" />
+ <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+ <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+ <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+ </PermitValueRule>
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
+ <!-- entity-category-swamid-research-and-education -->
+ <AttributeFilterPolicy id="entity-category-research-and-education">
+ <PolicyRequirementRule xsi:type="AND">
+ <Rule xsi:type="OR">
+ <Rule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://www.swamid.se/category/eu-adequate-protection" />
+ <Rule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://www.swamid.se/category/nren-service" />
+ <Rule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://www.swamid.se/category/hei-service" />
+ </Rule>
+ <Rule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://www.swamid.se/category/research-and-education" />
+ </PolicyRequirementRule>
+
+ <AttributeRule attributeID="givenName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="surname">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonAssurance">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="email">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="OR">
+ <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+ <Rule xsi:type="Value" value="student" ignoreCase="true" />
+ <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+ <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+ <Rule xsi:type="Value" value="member" ignoreCase="true" />
+ <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+ <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+ <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+ </PermitValueRule>
+ </AttributeRule>
+ <AttributeRule attributeID="organizationName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="norEduOrgAcronym">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="countryName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="friendlyCountryName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="schacHomeOrganization">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
+ <!-- Release some attributes to an SP. -->
+ <!-- Note: requester seems to need the path /shibboleth to be included to match this! -->
+ <AttributeFilterPolicy id="sp.nordu.dev">
+ <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
+ <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="uid">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="mail">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="givenName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="surname">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="commonName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="employeeType">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="email">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonEntitlement">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="mailLocalAddress">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="OR">
+ <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+ <Rule xsi:type="Value" value="student" ignoreCase="true" />
+ <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+ <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+ <Rule xsi:type="Value" value="member" ignoreCase="true" />
+ <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+ <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+ <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+ </PermitValueRule>
+ </AttributeRule>
+ <AttributeRule attributeID="organizationName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
+ <!-- ukfederation + incommon -->
+ <AttributeFilterPolicy id="everyoneInSwamidFeed">
+ <PolicyRequirementRule xsi:type="InEntityGroup" groupID="http://mds.swamid.se/md/swamid-2.0.xml" />
+ <AttributeRule attributeID="givenName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="surname">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="commonName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="email">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonEntitlement">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonTargetedID">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="OR">
+ <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+ <Rule xsi:type="Value" value="student" ignoreCase="true" />
+ <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+ <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+ <Rule xsi:type="Value" value="member" ignoreCase="true" />
+ <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+ <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+ <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+ </PermitValueRule>
+ </AttributeRule>
+ <AttributeRule attributeID="organizationName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="norEduOrgAcronym">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="countryName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="friendlyCountryName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="schacHomeOrganization">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
+</AttributeFilterPolicyGroup>
diff --git a/idp/templates/config/attribute-resolver.xml b/idp/templates/config/attribute-resolver.xml
new file mode 100644
index 0000000..92fb1bb
--- /dev/null
+++ b/idp/templates/config/attribute-resolver.xml
@@ -0,0 +1,223 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ This file is an EXAMPLE configuration file. While the configuration
+ presented in this example file is semi-functional, it isn't very
+ interesting. It is here only as a starting point for your deployment
+ process.
+
+ Very few attribute definitions and data connectors are demonstrated,
+ and the data is derived statically from the logged-in username and a
+ static example connector.
+
+ Attribute-resolver-full.xml contains more examples of attributes,
+ encoders, and data connectors. Deployers should refer to the Shibboleth
+ documentation for a complete list of components and their options.
+
+ NOTE: This file is from the Nordunet template-config
+
+-->
+<AttributeResolver
+ xmlns="urn:mace:shibboleth:2.0:resolver"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
+
+
+ <!-- ========================================== -->
+ <!-- Attribute Definitions -->
+ <!-- ========================================== -->
+
+ <!--
+ The EPPN is the "standard" federated username in higher ed.
+ For guidelines on the implementation of this attribute, refer
+ to the Shibboleth and eduPerson documentation. Above all, do
+ not expose a value for this attribute without considering the
+ long term implications.
+ -->
+ <!--
+ The uid is the closest thing to a "standard" LDAP attribute
+ representing a local username, but you should generally *never*
+ expose uid to federated services, as it is rarely globally unique.
+ -->
+ <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
+ </AttributeDefinition>
+
+ <!--
+ In the rest of the world, the email address is the standard identifier,
+ despite the problems with that practice. Consider making the EPPN value
+ the same as your official email addresses whenever possible.
+ -->
+ <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="email" xsi:type="Simple" sourceAttributeID="mail">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct -->
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o">
+ <Dependency ref="staticAttributes" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" />
+ </AttributeDefinition>
+
+ <!-- Schema: inetOrgPerson attributes-->
+ <AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" />
+ </AttributeDefinition>
+
+ <!-- Schema: eduPerson attributes -->
+
+ <AttributeDefinition id="mappedEduPersonEntitlement" xsi:type="Mapped" sourceAttributeID="memberOf" dependencyOnly="true">
+ <Dependency ref="myLDAPGROUPS" />
+ <ValueMap>
+ <ReturnValue>urn:x-ldapgroup:ndn-sysadmin</ReturnValue>
+ <SourceValue>cn=ndn-sysadmin,ou=groups,dc=nordu,dc=net</SourceValue>
+ </ValueMap>
+ <ValueMap>
+ <ReturnValue>urn:x-ldapgroup:ndn-netadmin</ReturnValue>
+ <SourceValue>cn=ndn-netadmin,ou=groups,dc=nordu,dc=net</SourceValue>
+ </ValueMap>
+ <ValueMap>
+ <ReturnValue>urn:x-ldapgroup:ndn-secadmin</ReturnValue>
+ <SourceValue>cn=ndn-secadmin,ou=groups,dc=nordu,dc=net</SourceValue>
+ </ValueMap>
+ </AttributeDefinition>
+
+ <AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple" sourceAttributeID="staticeduPersonEntitlement">
+ <Dependency ref="mappedEduPersonEntitlement" />
+ <Dependency ref="staticAttributes" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid"><!-- In ndn it is uid+scope -->
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
+ <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="employeeType">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
+ <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
+ </AttributeDefinition>
+
+<!-- from swamid installer -->
+ <AttributeDefinition id="norEduOrgAcronym" xsi:type="Simple" sourceAttributeID="norEduOrgAcronym">
+ <Dependency ref="staticAttributes" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgAcronym" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.6" friendlyName="norEduOrgAcronym" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="schacHomeOrganization" xsi:type="Simple" sourceAttributeID="schacHomeOrganization">
+ <Dependency ref="staticAttributes" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+ </AttributeDefinition>
+
+ <AttributeDefinition id="schacHomeOrganizationType" xsi:type="Simple" sourceAttributeID="schacHomeOrganizationType">
+ <Dependency ref="staticAttributes" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+ </AttributeDefinition>
+
+ <!-- If we want to use google apps at some point we need: friendlyCountryName, countryName and principal -->
+
+
+
+ <!-- ========================================== -->
+ <!-- Data Connectors -->
+ <!-- ========================================== -->
+
+ <!--
+ Example LDAP Connector
+
+ The connectivity details can be specified in ldap.properties to
+ share them with your authentication settings if desired.
+ -->
+ <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+ ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+ baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
+ <FilterTemplate>
+ <![CDATA[
+ %{idp.attribute.resolver.LDAP.searchFilter}
+ ]]>
+ </FilterTemplate>
+ </DataConnector>
+ <DataConnector id="myLDAPGROUPS" xsi:type="LDAPDirectory"
+ ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+ baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
+ <FilterTemplate>
+ <![CDATA[
+ %{idp.attribute.resolver.LDAP.searchFilter}
+ ]]>
+ </FilterTemplate>
+ <ReturnAttributes>memberOf</ReturnAttributes>
+ </DataConnector>
+
+ <DataConnector id="staticAttributes" xsi:type="Static">
+ <Attribute id="o">
+ <Value>NORDUnet A/S</Value>
+ </Attribute>
+ <Attribute id="schacHomeOrganization">
+ <Value>nordu.net</Value>
+ </Attribute>
+ <Attribute id="schacHomeOrganizationType">
+ <Value>urn:schac:homeOrganizationType:int:NREN</Value>
+ </Attribute>
+ <Attribute id="norEduOrgAcronym">
+ <Value>NORDUNet</Value>
+ </Attribute>
+ <Attribute id="staticeduPersonEntitlement">
+ <Value>urn:mace:dir:entitlement:common-lib-terms</Value>
+ <Value>urn:mace:terena.org:tcs:escience-user</Value>
+ <Value>urn:mace:terena.org:tcs:personal-user</Value>
+ <Value>urn:mace:rediris.es:entitlement:wiki:tfemc2</Value>
+ <Value>urn:mace:swami.se:gmai:sunet-baas:admin</Value>
+ <Value>urn:mace:swami.se:gmai:sunet-iaas:admin</Value>
+ <Value>urn:mace:swami.se:gmai:sunet-iaas:user</Value>
+ </Attribute>
+ </DataConnector>
+
+ <!-- eduPersonTargetdID placeholder -->
+
+</AttributeResolver>
diff --git a/idp/templates/config/edupersontargetdid.xml.add b/idp/templates/config/edupersontargetdid.xml.add
new file mode 100644
index 0000000..8601da6
--- /dev/null
+++ b/idp/templates/config/edupersontargetdid.xml.add
@@ -0,0 +1,16 @@
+ <AttributeDefinition xsi:type="SAML2NameID" id="eduPersonTargetedID"
+ nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+ sourceAttributeID="computedId">
+ <Dependency ref="ComputedId" />
+ <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
+ <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
+ </AttributeDefinition>
+
+
+ <!-- The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.-->
+ <DataConnector id="ComputedId" xsi:type="ComputedId"
+ generatedAttributeID="computedId"
+ sourceAttributeID="%{idp.persistentId.sourceAttribute}"
+ salt="%{idp.persistentId.salt}">
+ <Dependency ref="myLDAP" />
+ </DataConnector>
diff --git a/idp/templates/config/logback.xml b/idp/templates/config/logback.xml
new file mode 100644
index 0000000..6afa4ef
--- /dev/null
+++ b/idp/templates/config/logback.xml
@@ -0,0 +1,199 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+
+ <!--
+ Variables for simplifying logging configuration.
+ http://logback.qos.ch/manual/configuration.html#variableSubstitution
+ -->
+
+ <variable name="idp.logfiles" value="${idp.home}/logs" />
+ <variable name="idp.loghistory" value="180" />
+
+ <!-- Much higher performance if you operate on DEBUG. -->
+ <!-- <variable name="idp.process.appender" value="ASYNC_PROCESS" /> -->
+
+ <!-- Logging level shortcuts. -->
+ <variable name="idp.loglevel.idp" value="INFO" />
+ <variable name="idp.loglevel.ldap" value="WARN" />
+ <variable name="idp.loglevel.messages" value="INFO" />
+ <variable name="idp.loglevel.encryption" value="INFO" />
+ <variable name="idp.loglevel.opensaml" value="INFO" />
+ <variable name="idp.loglevel.props" value="INFO" />
+
+ <!-- Don't turn these up unless you want a *lot* of noise. -->
+ <variable name="idp.loglevel.spring" value="ERROR" />
+ <variable name="idp.loglevel.container" value="ERROR" />
+ <variable name="idp.loglevel.xmlsec" value="INFO" />
+
+ <!--
+ If you want to use custom properties in this config file,
+ we load the main property file for you.
+ -->
+ <variable file="${idp.home}/conf/idp.properties" />
+
+ <!-- =========================================================== -->
+ <!-- ============== Logging Categories and Levels ============== -->
+ <!-- =========================================================== -->
+
+ <!-- Logs IdP, but not OpenSAML, messages -->
+ <logger name="net.shibboleth.idp" level="${idp.loglevel.idp:-INFO}"/>
+
+ <!-- Logs OpenSAML, but not IdP, messages -->
+ <logger name="org.opensaml.saml" level="${idp.loglevel.opensaml:-INFO}"/>
+
+ <!-- Logs LDAP related messages -->
+ <logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/>
+
+ <!-- Logs inbound and outbound protocols messages at DEBUG level -->
+ <logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages:-INFO}" />
+
+ <!-- Logs unencrypted SAML at DEBUG level -->
+ <logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption:-INFO}" />
+
+ <!-- Logs system properties during startup at DEBUG level -->
+ <logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props:-INFO}" />
+
+ <!-- Especially chatty. -->
+ <logger name="net.shibboleth.idp.saml.attribute.mapping" level="INFO" />
+ <logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec:-INFO}" />
+ <logger name="org.springframework" level="${idp.loglevel.spring:-ERROR}"/>
+ <logger name="org.apache.catalina" level="${idp.loglevel.container:-ERROR}"/>
+ <logger name="org.eclipse.jetty" level="${idp.loglevel.container:-ERROR}"/>
+
+
+ <!-- =========================================================== -->
+ <!-- ============== Low Level Details or Changes =============== -->
+ <!-- =========================================================== -->
+
+ <!-- Process log. -->
+ <appender name="IDP_PROCESS" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <File>${idp.logfiles}/idp-process.log</File>
+
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+ <maxHistory>${idp.loghistory:-180}</maxHistory>
+ </rollingPolicy>
+
+ <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+ <charset>UTF-8</charset>
+ <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
+ </encoder>
+
+ <!-- Ignore Velocity status page error. -->
+ <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
+ <evaluator>
+ <matcher>
+ <Name>VelocityStatusMatcher</Name>
+ <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
+ </matcher>
+ <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
+ </evaluator>
+ <OnMatch>DENY</OnMatch>
+ </filter>
+ </appender>
+
+ <appender name="ASYNC_PROCESS" class="ch.qos.logback.classic.AsyncAppender">
+ <appender-ref ref="IDP_PROCESS" />
+ <discardingThreshold>0</discardingThreshold>
+ </appender>
+
+ <appender name="IDP_WARN" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <!-- Suppress anything below WARN. -->
+ <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+ <level>WARN</level>
+ </filter>
+
+ <File>${idp.logfiles}/idp-warn.log</File>
+
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+ <maxHistory>${idp.loghistory:-180}</maxHistory>
+ </rollingPolicy>
+
+ <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+ <charset>UTF-8</charset>
+ <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
+ </encoder>
+
+ <!-- Ignore Velocity status page error. -->
+ <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
+ <evaluator>
+ <matcher>
+ <Name>VelocityStatusMatcher</Name>
+ <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
+ </matcher>
+ <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
+ </evaluator>
+ <OnMatch>DENY</OnMatch>
+ </filter>
+ </appender>
+
+ <!-- Audit log. -->
+ <appender name="IDP_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <File>${idp.logfiles}/idp-audit.log</File>
+
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+ <maxHistory>${idp.loghistory:-180}</maxHistory>
+ </rollingPolicy>
+
+ <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+ <charset>UTF-8</charset>
+ <Pattern>%msg%n</Pattern>
+ </encoder>
+ </appender>
+
+ <!-- Consent audit log. -->
+ <appender name="IDP_CONSENT_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <File>${idp.logfiles}/idp-consent-audit.log</File>
+
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+ <maxHistory>${idp.loghistory:-180}</maxHistory>
+ </rollingPolicy>
+
+ <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+ <charset>UTF-8</charset>
+ <Pattern>%msg%n</Pattern>
+ </encoder>
+ </appender>
+
+ <!-- F-TICKS syslog destination. -->
+ <appender name="IDP_AUDIT_FTICKS" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <File>${idp.home}/logs/idp-audit-fticks.log</File>
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${idp.home}/logs/idp-audit-fticks%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+ <maxHistory>180</maxHistory>
+ </rollingPolicy>
+ <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+ <charset>UTF-8</charset>
+ <Pattern>%msg%n</Pattern>
+ </encoder>
+ </appender>
+
+ <appender name="IDP_FTICKS" class="ch.qos.logback.classic.net.SyslogAppender">
+ <syslogHost>${idp.fticks.loghost:-localhost}</syslogHost>
+ <port>${idp.fticks.logport:-514}</port>
+ <facility>AUTH</facility>
+ <suffixPattern>[%thread] %logger %msg</suffixPattern>
+ </appender>
+
+ <logger name="Shibboleth-Audit" level="ALL">
+ <appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/>
+ </logger>
+
+ <logger name="Shibboleth-FTICKS" level="ALL" additivity="false">
+ <appender-ref ref="${idp.fticks.appender:-IDP_FTICKS}"/>
+ <appender-ref ref="IDP_AUDIT_FTICKS"/>
+ </logger>
+
+ <logger name="Shibboleth-Consent-Audit" level="ALL">
+ <appender-ref ref="${idp.consent.appender:-IDP_CONSENT_AUDIT}"/>
+ </logger>
+
+ <root level="${idp.loglevel.root:-INFO}">
+ <appender-ref ref="${idp.process.appender:-IDP_PROCESS}"/>
+ <appender-ref ref="${idp.warn.appender:-IDP_WARN}" />
+ </root>
+
+</configuration>
diff --git a/idp/templates/config/metadata-providers.xml b/idp/templates/config/metadata-providers.xml
new file mode 100644
index 0000000..d813c06
--- /dev/null
+++ b/idp/templates/config/metadata-providers.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file is an EXAMPLE metadata configuration file. -->
+<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
+ xmlns="urn:mace:shibboleth:2.0:metadata"
+ xmlns:resource="urn:mace:shibboleth:2.0:resource"
+ xmlns:security="urn:mace:shibboleth:2.0:security"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
+ urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
+ urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
+ urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
+
+ <!-- ========================================================================================== -->
+ <!-- Metadata Configuration -->
+ <!-- -->
+ <!-- Below you place the mechanisms which define how to load the metadata for SP(s) you will -->
+ <!-- provide service to. -->
+ <!-- -->
+ <!-- Two examples are provided. The Shibboleth Documentation at -->
+ <!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration -->
+ <!-- provides more details. -->
+ <!-- -->
+ <!-- NOTE. This file SHOULD NOT contain the metadata for this IdP. -->
+ <!-- ========================================================================================== -->
+
+ <!--
+ <MetadataProvider id="HTTPMetadata"
+ xsi:type="FileBackedHTTPMetadataProvider"
+ backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
+ metadataURL="http://WHATEVER">
+
+ <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
+ <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
+ <MetadataFilter xsi:type="EntityRoleWhiteList">
+ <RetainedRole>md:SPSSODescriptor</RetainedRole>
+ </MetadataFilter>
+ </MetadataProvider>
+ -->
+
+ <MetadataProvider id="SWAMID2"
+ xsi:type="FileBackedHTTPMetadataProvider"
+ metadataURL="https://mds.swamid.se/md/swamid-2.0.xml"
+ backingFile="%{idp.home}/metadata/swamid-2.0.xml">
+
+ <MetadataFilter xsi:type="SignatureValidation"
+ requireSignedRoot="true"
+ certificateFile="%{idp.home}/credentials/md-signer2.crt" />
+ <MetadataFilter xsi:type="EntityRoleWhiteList">
+ <RetainedRole>md:SPSSODescriptor</RetainedRole>
+ </MetadataFilter>
+ </MetadataProvider>
+
+
+ <!--<MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/sp-metadata.xml" /> -->
+
+</MetadataProvider>
generated by cgit v1.1 at 2025-07-31 04:38:32 +0000