diff options
Diffstat (limited to 'idp/templates')
| -rw-r--r-- | idp/templates/config/README.md | 5 | ||||
| -rw-r--r-- | idp/templates/config/attribute-filter.xml | 283 | ||||
| -rw-r--r-- | idp/templates/config/attribute-resolver.xml | 223 | ||||
| -rw-r--r-- | idp/templates/config/edupersontargetdid.xml.add | 16 | ||||
| -rw-r--r-- | idp/templates/config/logback.xml | 199 | ||||
| -rw-r--r-- | idp/templates/config/metadata-providers.xml | 57 | ||||
| -rw-r--r-- | idp/templates/edit-webapp/css/NORDUnet.css | 302 | ||||
| -rw-r--r-- | idp/templates/edit-webapp/images/nordunet.png | bin | 0 -> 20823 bytes | |||
| -rw-r--r-- | idp/templates/views/layout.vm | 32 | ||||
| -rw-r--r-- | idp/templates/views/login.vm | 116 |
10 files changed, 1233 insertions, 0 deletions
diff --git a/idp/templates/config/README.md b/idp/templates/config/README.md new file mode 100644 index 0000000..6002238 --- /dev/null +++ b/idp/templates/config/README.md @@ -0,0 +1,5 @@ +# IDP config templates + +This directory contains the files which are being replaced after running install. + +Dockerfile should install these after running install. diff --git a/idp/templates/config/attribute-filter.xml b/idp/templates/config/attribute-filter.xml new file mode 100644 index 0000000..3514282 --- /dev/null +++ b/idp/templates/config/attribute-filter.xml @@ -0,0 +1,283 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + This file is an EXAMPLE policy file. While the policy presented in this + example file is illustrative of some simple cases, it relies on the names of + non-existent example services and the example attributes demonstrated in the + default attribute-resolver.xml file. + + Deployers should refer to the documentation for a complete list of components + and their options. +--> +<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" + xmlns="urn:mace:shibboleth:2.0:afp" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd"> + + <AttributeFilterPolicy id="releaseTransientIdToAnyone"> + <PolicyRequirementRule xsi:type="ANY" /> + + <AttributeRule attributeID="transientId"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="persistentId"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + </AttributeFilterPolicy> + + + <!-- GEANT Data protection Code of Conduct --> + <AttributeFilterPolicy id="releaseToCoCo"> + <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" + attributeName="http://macedir.org/entity-category" + attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" /> + <AttributeRule attributeID="displayName"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="cn"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="email"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonPrincipalName"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonScopedAffiliation"> + <PermitValueRule xsi:type="AND"> + <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + <Rule xsi:type="OR"> + <Rule xsi:type="Value" value="faculty" ignoreCase="true" /> + <Rule xsi:type="Value" value="student" ignoreCase="true" /> + <Rule xsi:type="Value" value="staff" ignoreCase="true" /> + <Rule xsi:type="Value" value="alum" ignoreCase="true" /> + <Rule xsi:type="Value" value="member" ignoreCase="true" /> + <Rule xsi:type="Value" value="affiliate" ignoreCase="true" /> + <Rule xsi:type="Value" value="employee" ignoreCase="true" /> + <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" /> + </Rule> + </PermitValueRule> + </AttributeRule> + <AttributeRule attributeID="eduPersonAffiliation"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="schacHomeOrganization"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + <AttributeRule attributeID="schacHomeOrganizationType"> + <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> + </AttributeRule> + </AttributeFilterPolicy> + + <!-- REFEDS Research and Schoolarship --> + <AttributeFilterPolicy id="releaseToRandS"> + <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" + attributeName="http://macedir.org/entity-category" + attributeValue="http://refeds.org/category/research-and-scholarship" /> + + <AttributeRule attributeID="displayName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="givenName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="surname"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="email"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonPrincipalName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonScopedAffiliation"> + <PermitValueRule xsi:type="OR"> + <Rule xsi:type="Value" value="faculty" ignoreCase="true" /> + <Rule xsi:type="Value" value="student" ignoreCase="true" /> + <Rule xsi:type="Value" value="staff" ignoreCase="true" /> + <Rule xsi:type="Value" value="alum" ignoreCase="true" /> + <Rule xsi:type="Value" value="member" ignoreCase="true" /> + <Rule xsi:type="Value" value="affiliate" ignoreCase="true" /> + <Rule xsi:type="Value" value="employee" ignoreCase="true" /> + <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" /> + </PermitValueRule> + </AttributeRule> + </AttributeFilterPolicy> + + <!-- entity-category-swamid-research-and-education --> + <AttributeFilterPolicy id="entity-category-research-and-education"> + <PolicyRequirementRule xsi:type="AND"> + <Rule xsi:type="OR"> + <Rule xsi:type="EntityAttributeExactMatch" + attributeName="http://macedir.org/entity-category" + attributeValue="http://www.swamid.se/category/eu-adequate-protection" /> + <Rule xsi:type="EntityAttributeExactMatch" + attributeName="http://macedir.org/entity-category" + attributeValue="http://www.swamid.se/category/nren-service" /> + <Rule xsi:type="EntityAttributeExactMatch" + attributeName="http://macedir.org/entity-category" + attributeValue="http://www.swamid.se/category/hei-service" /> + </Rule> + <Rule xsi:type="EntityAttributeExactMatch" + attributeName="http://macedir.org/entity-category" + attributeValue="http://www.swamid.se/category/research-and-education" /> + </PolicyRequirementRule> + + <AttributeRule attributeID="givenName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="surname"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="displayName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonPrincipalName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonAssurance"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="email"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonScopedAffiliation"> + <PermitValueRule xsi:type="OR"> + <Rule xsi:type="Value" value="faculty" ignoreCase="true" /> + <Rule xsi:type="Value" value="student" ignoreCase="true" /> + <Rule xsi:type="Value" value="staff" ignoreCase="true" /> + <Rule xsi:type="Value" value="alum" ignoreCase="true" /> + <Rule xsi:type="Value" value="member" ignoreCase="true" /> + <Rule xsi:type="Value" value="affiliate" ignoreCase="true" /> + <Rule xsi:type="Value" value="employee" ignoreCase="true" /> + <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" /> + </PermitValueRule> + </AttributeRule> + <AttributeRule attributeID="organizationName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="norEduOrgAcronym"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="countryName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="friendlyCountryName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="schacHomeOrganization"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + </AttributeFilterPolicy> + + <!-- Release some attributes to an SP. --> + <!-- Note: requester seems to need the path /shibboleth to be included to match this! --> + <AttributeFilterPolicy id="sp.nordu.dev"> + <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" /> + <!-- <PolicyRequirementRule xsi:type="ANY" /> --> + <AttributeRule attributeID="eduPersonPrincipalName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="uid"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="mail"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="givenName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="surname"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="displayName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="commonName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="employeeType"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="email"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonEntitlement"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="mailLocalAddress"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonScopedAffiliation"> + <PermitValueRule xsi:type="OR"> + <Rule xsi:type="Value" value="faculty" ignoreCase="true" /> + <Rule xsi:type="Value" value="student" ignoreCase="true" /> + <Rule xsi:type="Value" value="staff" ignoreCase="true" /> + <Rule xsi:type="Value" value="alum" ignoreCase="true" /> + <Rule xsi:type="Value" value="member" ignoreCase="true" /> + <Rule xsi:type="Value" value="affiliate" ignoreCase="true" /> + <Rule xsi:type="Value" value="employee" ignoreCase="true" /> + <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" /> + </PermitValueRule> + </AttributeRule> + <AttributeRule attributeID="organizationName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + </AttributeFilterPolicy> + + <!-- ukfederation + incommon --> + <AttributeFilterPolicy id="everyoneInSwamidFeed"> + <PolicyRequirementRule xsi:type="InEntityGroup" groupID="http://mds.swamid.se/md/swamid-2.0.xml" /> + <AttributeRule attributeID="givenName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="surname"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="displayName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="commonName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonPrincipalName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="email"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonEntitlement"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonTargetedID"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonScopedAffiliation"> + <PermitValueRule xsi:type="OR"> + <Rule xsi:type="Value" value="faculty" ignoreCase="true" /> + <Rule xsi:type="Value" value="student" ignoreCase="true" /> + <Rule xsi:type="Value" value="staff" ignoreCase="true" /> + <Rule xsi:type="Value" value="alum" ignoreCase="true" /> + <Rule xsi:type="Value" value="member" ignoreCase="true" /> + <Rule xsi:type="Value" value="affiliate" ignoreCase="true" /> + <Rule xsi:type="Value" value="employee" ignoreCase="true" /> + <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" /> + </PermitValueRule> + </AttributeRule> + <AttributeRule attributeID="organizationName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="norEduOrgAcronym"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="countryName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="friendlyCountryName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="schacHomeOrganization"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + </AttributeFilterPolicy> + +</AttributeFilterPolicyGroup> diff --git a/idp/templates/config/attribute-resolver.xml b/idp/templates/config/attribute-resolver.xml new file mode 100644 index 0000000..92fb1bb --- /dev/null +++ b/idp/templates/config/attribute-resolver.xml @@ -0,0 +1,223 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + This file is an EXAMPLE configuration file. While the configuration + presented in this example file is semi-functional, it isn't very + interesting. It is here only as a starting point for your deployment + process. + + Very few attribute definitions and data connectors are demonstrated, + and the data is derived statically from the logged-in username and a + static example connector. + + Attribute-resolver-full.xml contains more examples of attributes, + encoders, and data connectors. Deployers should refer to the Shibboleth + documentation for a complete list of components and their options. + + NOTE: This file is from the Nordunet template-config + +--> +<AttributeResolver + xmlns="urn:mace:shibboleth:2.0:resolver" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd"> + + + <!-- ========================================== --> + <!-- Attribute Definitions --> + <!-- ========================================== --> + + <!-- + The EPPN is the "standard" federated username in higher ed. + For guidelines on the implementation of this attribute, refer + to the Shibboleth and eduPerson documentation. Above all, do + not expose a value for this attribute without considering the + long term implications. + --> + <!-- + The uid is the closest thing to a "standard" LDAP attribute + representing a local username, but you should generally *never* + expose uid to federated services, as it is rarely globally unique. + --> + <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" /> + </AttributeDefinition> + + <!-- + In the rest of the world, the email address is the standard identifier, + despite the problems with that practice. Consider making the EPPN value + the same as your official email addresses whenever possible. + --> + <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" /> + </AttributeDefinition> + + <AttributeDefinition id="email" xsi:type="Simple" sourceAttributeID="mail"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" /> + </AttributeDefinition> + + <AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" /> + </AttributeDefinition> + + <AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct --> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" /> + </AttributeDefinition> + + <AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" /> + </AttributeDefinition> + + <AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o"> + <Dependency ref="staticAttributes" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" /> + </AttributeDefinition> + + <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" /> + </AttributeDefinition> + + <!-- Schema: inetOrgPerson attributes--> + <AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" /> + </AttributeDefinition> + + <!-- Schema: eduPerson attributes --> + + <AttributeDefinition id="mappedEduPersonEntitlement" xsi:type="Mapped" sourceAttributeID="memberOf" dependencyOnly="true"> + <Dependency ref="myLDAPGROUPS" /> + <ValueMap> + <ReturnValue>urn:x-ldapgroup:ndn-sysadmin</ReturnValue> + <SourceValue>cn=ndn-sysadmin,ou=groups,dc=nordu,dc=net</SourceValue> + </ValueMap> + <ValueMap> + <ReturnValue>urn:x-ldapgroup:ndn-netadmin</ReturnValue> + <SourceValue>cn=ndn-netadmin,ou=groups,dc=nordu,dc=net</SourceValue> + </ValueMap> + <ValueMap> + <ReturnValue>urn:x-ldapgroup:ndn-secadmin</ReturnValue> + <SourceValue>cn=ndn-secadmin,ou=groups,dc=nordu,dc=net</SourceValue> + </ValueMap> + </AttributeDefinition> + + <AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple" sourceAttributeID="staticeduPersonEntitlement"> + <Dependency ref="mappedEduPersonEntitlement" /> + <Dependency ref="staticAttributes" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" /> + </AttributeDefinition> + + <AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" /> + </AttributeDefinition> + + <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid"><!-- In ndn it is uid+scope --> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" /> + <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" /> + </AttributeDefinition> + + <AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="employeeType"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" /> + <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" /> + </AttributeDefinition> + +<!-- from swamid installer --> + <AttributeDefinition id="norEduOrgAcronym" xsi:type="Simple" sourceAttributeID="norEduOrgAcronym"> + <Dependency ref="staticAttributes" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgAcronym" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.6" friendlyName="norEduOrgAcronym" /> + </AttributeDefinition> + + <AttributeDefinition id="schacHomeOrganization" xsi:type="Simple" sourceAttributeID="schacHomeOrganization"> + <Dependency ref="staticAttributes" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" /> + </AttributeDefinition> + + <AttributeDefinition id="schacHomeOrganizationType" xsi:type="Simple" sourceAttributeID="schacHomeOrganizationType"> + <Dependency ref="staticAttributes" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" /> + </AttributeDefinition> + + <!-- If we want to use google apps at some point we need: friendlyCountryName, countryName and principal --> + + + + <!-- ========================================== --> + <!-- Data Connectors --> + <!-- ========================================== --> + + <!-- + Example LDAP Connector + + The connectivity details can be specified in ldap.properties to + share them with your authentication settings if desired. + --> + <DataConnector id="myLDAP" xsi:type="LDAPDirectory" + ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" + baseDN="%{idp.attribute.resolver.LDAP.baseDN}"> + <FilterTemplate> + <![CDATA[ + %{idp.attribute.resolver.LDAP.searchFilter} + ]]> + </FilterTemplate> + </DataConnector> + <DataConnector id="myLDAPGROUPS" xsi:type="LDAPDirectory" + ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" + baseDN="%{idp.attribute.resolver.LDAP.baseDN}"> + <FilterTemplate> + <![CDATA[ + %{idp.attribute.resolver.LDAP.searchFilter} + ]]> + </FilterTemplate> + <ReturnAttributes>memberOf</ReturnAttributes> + </DataConnector> + + <DataConnector id="staticAttributes" xsi:type="Static"> + <Attribute id="o"> + <Value>NORDUnet A/S</Value> + </Attribute> + <Attribute id="schacHomeOrganization"> + <Value>nordu.net</Value> + </Attribute> + <Attribute id="schacHomeOrganizationType"> + <Value>urn:schac:homeOrganizationType:int:NREN</Value> + </Attribute> + <Attribute id="norEduOrgAcronym"> + <Value>NORDUNet</Value> + </Attribute> + <Attribute id="staticeduPersonEntitlement"> + <Value>urn:mace:dir:entitlement:common-lib-terms</Value> + <Value>urn:mace:terena.org:tcs:escience-user</Value> + <Value>urn:mace:terena.org:tcs:personal-user</Value> + <Value>urn:mace:rediris.es:entitlement:wiki:tfemc2</Value> + <Value>urn:mace:swami.se:gmai:sunet-baas:admin</Value> + <Value>urn:mace:swami.se:gmai:sunet-iaas:admin</Value> + <Value>urn:mace:swami.se:gmai:sunet-iaas:user</Value> + </Attribute> + </DataConnector> + + <!-- eduPersonTargetdID placeholder --> + +</AttributeResolver> diff --git a/idp/templates/config/edupersontargetdid.xml.add b/idp/templates/config/edupersontargetdid.xml.add new file mode 100644 index 0000000..8601da6 --- /dev/null +++ b/idp/templates/config/edupersontargetdid.xml.add @@ -0,0 +1,16 @@ + <AttributeDefinition xsi:type="SAML2NameID" id="eduPersonTargetedID" + nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" + sourceAttributeID="computedId"> + <Dependency ref="ComputedId" /> + <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" /> + <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" /> + </AttributeDefinition> + + + <!-- The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.--> + <DataConnector id="ComputedId" xsi:type="ComputedId" + generatedAttributeID="computedId" + sourceAttributeID="%{idp.persistentId.sourceAttribute}" + salt="%{idp.persistentId.salt}"> + <Dependency ref="myLDAP" /> + </DataConnector> diff --git a/idp/templates/config/logback.xml b/idp/templates/config/logback.xml new file mode 100644 index 0000000..6afa4ef --- /dev/null +++ b/idp/templates/config/logback.xml @@ -0,0 +1,199 @@ +<?xml version="1.0" encoding="UTF-8"?> +<configuration> + + <!-- + Variables for simplifying logging configuration. + http://logback.qos.ch/manual/configuration.html#variableSubstitution + --> + + <variable name="idp.logfiles" value="${idp.home}/logs" /> + <variable name="idp.loghistory" value="180" /> + + <!-- Much higher performance if you operate on DEBUG. --> + <!-- <variable name="idp.process.appender" value="ASYNC_PROCESS" /> --> + + <!-- Logging level shortcuts. --> + <variable name="idp.loglevel.idp" value="INFO" /> + <variable name="idp.loglevel.ldap" value="WARN" /> + <variable name="idp.loglevel.messages" value="INFO" /> + <variable name="idp.loglevel.encryption" value="INFO" /> + <variable name="idp.loglevel.opensaml" value="INFO" /> + <variable name="idp.loglevel.props" value="INFO" /> + + <!-- Don't turn these up unless you want a *lot* of noise. --> + <variable name="idp.loglevel.spring" value="ERROR" /> + <variable name="idp.loglevel.container" value="ERROR" /> + <variable name="idp.loglevel.xmlsec" value="INFO" /> + + <!-- + If you want to use custom properties in this config file, + we load the main property file for you. + --> + <variable file="${idp.home}/conf/idp.properties" /> + + <!-- =========================================================== --> + <!-- ============== Logging Categories and Levels ============== --> + <!-- =========================================================== --> + + <!-- Logs IdP, but not OpenSAML, messages --> + <logger name="net.shibboleth.idp" level="${idp.loglevel.idp:-INFO}"/> + + <!-- Logs OpenSAML, but not IdP, messages --> + <logger name="org.opensaml.saml" level="${idp.loglevel.opensaml:-INFO}"/> + + <!-- Logs LDAP related messages --> + <logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/> + + <!-- Logs inbound and outbound protocols messages at DEBUG level --> + <logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages:-INFO}" /> + + <!-- Logs unencrypted SAML at DEBUG level --> + <logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption:-INFO}" /> + + <!-- Logs system properties during startup at DEBUG level --> + <logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props:-INFO}" /> + + <!-- Especially chatty. --> + <logger name="net.shibboleth.idp.saml.attribute.mapping" level="INFO" /> + <logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec:-INFO}" /> + <logger name="org.springframework" level="${idp.loglevel.spring:-ERROR}"/> + <logger name="org.apache.catalina" level="${idp.loglevel.container:-ERROR}"/> + <logger name="org.eclipse.jetty" level="${idp.loglevel.container:-ERROR}"/> + + + <!-- =========================================================== --> + <!-- ============== Low Level Details or Changes =============== --> + <!-- =========================================================== --> + + <!-- Process log. --> + <appender name="IDP_PROCESS" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <File>${idp.logfiles}/idp-process.log</File> + + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz</fileNamePattern> + <maxHistory>${idp.loghistory:-180}</maxHistory> + </rollingPolicy> + + <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> + <charset>UTF-8</charset> + <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern> + </encoder> + + <!-- Ignore Velocity status page error. --> + <filter class="ch.qos.logback.core.filter.EvaluatorFilter"> + <evaluator> + <matcher> + <Name>VelocityStatusMatcher</Name> + <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex> + </matcher> + <expression>VelocityStatusMatcher.matches(formattedMessage)</expression> + </evaluator> + <OnMatch>DENY</OnMatch> + </filter> + </appender> + + <appender name="ASYNC_PROCESS" class="ch.qos.logback.classic.AsyncAppender"> + <appender-ref ref="IDP_PROCESS" /> + <discardingThreshold>0</discardingThreshold> + </appender> + + <appender name="IDP_WARN" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <!-- Suppress anything below WARN. --> + <filter class="ch.qos.logback.classic.filter.ThresholdFilter"> + <level>WARN</level> + </filter> + + <File>${idp.logfiles}/idp-warn.log</File> + + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz</fileNamePattern> + <maxHistory>${idp.loghistory:-180}</maxHistory> + </rollingPolicy> + + <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> + <charset>UTF-8</charset> + <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern> + </encoder> + + <!-- Ignore Velocity status page error. --> + <filter class="ch.qos.logback.core.filter.EvaluatorFilter"> + <evaluator> + <matcher> + <Name>VelocityStatusMatcher</Name> + <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex> + </matcher> + <expression>VelocityStatusMatcher.matches(formattedMessage)</expression> + </evaluator> + <OnMatch>DENY</OnMatch> + </filter> + </appender> + + <!-- Audit log. --> + <appender name="IDP_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <File>${idp.logfiles}/idp-audit.log</File> + + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern> + <maxHistory>${idp.loghistory:-180}</maxHistory> + </rollingPolicy> + + <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> + <charset>UTF-8</charset> + <Pattern>%msg%n</Pattern> + </encoder> + </appender> + + <!-- Consent audit log. --> + <appender name="IDP_CONSENT_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <File>${idp.logfiles}/idp-consent-audit.log</File> + + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern> + <maxHistory>${idp.loghistory:-180}</maxHistory> + </rollingPolicy> + + <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> + <charset>UTF-8</charset> + <Pattern>%msg%n</Pattern> + </encoder> + </appender> + + <!-- F-TICKS syslog destination. --> + <appender name="IDP_AUDIT_FTICKS" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <File>${idp.home}/logs/idp-audit-fticks.log</File> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${idp.home}/logs/idp-audit-fticks%d{yyyy-MM-dd}.log.gz</fileNamePattern> + <maxHistory>180</maxHistory> + </rollingPolicy> + <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> + <charset>UTF-8</charset> + <Pattern>%msg%n</Pattern> + </encoder> + </appender> + + <appender name="IDP_FTICKS" class="ch.qos.logback.classic.net.SyslogAppender"> + <syslogHost>${idp.fticks.loghost:-localhost}</syslogHost> + <port>${idp.fticks.logport:-514}</port> + <facility>AUTH</facility> + <suffixPattern>[%thread] %logger %msg</suffixPattern> + </appender> + + <logger name="Shibboleth-Audit" level="ALL"> + <appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/> + </logger> + + <logger name="Shibboleth-FTICKS" level="ALL" additivity="false"> + <appender-ref ref="${idp.fticks.appender:-IDP_FTICKS}"/> + <appender-ref ref="IDP_AUDIT_FTICKS"/> + </logger> + + <logger name="Shibboleth-Consent-Audit" level="ALL"> + <appender-ref ref="${idp.consent.appender:-IDP_CONSENT_AUDIT}"/> + </logger> + + <root level="${idp.loglevel.root:-INFO}"> + <appender-ref ref="${idp.process.appender:-IDP_PROCESS}"/> + <appender-ref ref="${idp.warn.appender:-IDP_WARN}" /> + </root> + +</configuration> diff --git a/idp/templates/config/metadata-providers.xml b/idp/templates/config/metadata-providers.xml new file mode 100644 index 0000000..d813c06 --- /dev/null +++ b/idp/templates/config/metadata-providers.xml @@ -0,0 +1,57 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- This file is an EXAMPLE metadata configuration file. --> +<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" + xmlns="urn:mace:shibboleth:2.0:metadata" + xmlns:resource="urn:mace:shibboleth:2.0:resource" + xmlns:security="urn:mace:shibboleth:2.0:security" + xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd + urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd + urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd + urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd"> + + <!-- ========================================================================================== --> + <!-- Metadata Configuration --> + <!-- --> + <!-- Below you place the mechanisms which define how to load the metadata for SP(s) you will --> + <!-- provide service to. --> + <!-- --> + <!-- Two examples are provided. The Shibboleth Documentation at --> + <!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration --> + <!-- provides more details. --> + <!-- --> + <!-- NOTE. This file SHOULD NOT contain the metadata for this IdP. --> + <!-- ========================================================================================== --> + + <!-- + <MetadataProvider id="HTTPMetadata" + xsi:type="FileBackedHTTPMetadataProvider" + backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml" + metadataURL="http://WHATEVER"> + + <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" /> + <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/> + <MetadataFilter xsi:type="EntityRoleWhiteList"> + <RetainedRole>md:SPSSODescriptor</RetainedRole> + </MetadataFilter> + </MetadataProvider> + --> + + <MetadataProvider id="SWAMID2" + xsi:type="FileBackedHTTPMetadataProvider" + metadataURL="https://mds.swamid.se/md/swamid-2.0.xml" + backingFile="%{idp.home}/metadata/swamid-2.0.xml"> + + <MetadataFilter xsi:type="SignatureValidation" + requireSignedRoot="true" + certificateFile="%{idp.home}/credentials/md-signer2.crt" /> + <MetadataFilter xsi:type="EntityRoleWhiteList"> + <RetainedRole>md:SPSSODescriptor</RetainedRole> + </MetadataFilter> + </MetadataProvider> + + + <!--<MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/sp-metadata.xml" /> --> + +</MetadataProvider> diff --git a/idp/templates/edit-webapp/css/NORDUnet.css b/idp/templates/edit-webapp/css/NORDUnet.css new file mode 100644 index 0000000..f7c3ef2 --- /dev/null +++ b/idp/templates/edit-webapp/css/NORDUnet.css @@ -0,0 +1,302 @@ +#wrapper { + width: 100%; + font-family: Arial, Helvetica, sans-serif; + font-size: 12px; + color: #000; + // background: #fff url('images/pipes_back.jpg') repeat-y top left; +} + +#top { + display: block; + width: 100%; + background: #00B2E4 url('images/top_back.gif') repeat-x bottom left; + overflow: hidden; + +} +#top_table { + margin:0; + padding:0; + margin-top: 33px; + width: 900px; + border-collapse: collapse; + margin-bottom: -1px; + + +} + +#top_table td { + vertical-align:bottom; +} + +#top_table td img { + margin-bottom: 20px; + display: block; + padding-right:10px; + +} + +#main_nav { + margin:0; + padding:0; + list-style:none; + color: #fff; + height: 40px; + display: block; + +} + +#main_nav li { + display: block; + float: left; + background: url('images/main_nav_left.gif') no-repeat bottom left; + padding: 0 0 0 11px; + +} +#main_nav li#selectedPage { + background: url('images/main_nav_left_selected.gif') no-repeat bottom left; +} +#main_nav li a { + display: block; + float: left; + padding: 0 11px 0 0; + height: 40px; + color: #fff; + text-decoration: none; + outline: 0; + background: url('images/main_nav_back.gif') no-repeat bottom right; +} + +#main_nav li#selectedPage a { + background: url('images/main_nav_back_selected.jpg') no-repeat bottom right; + color: #000; + +} +#main_nav li a span { + vertical-align: middle; + display: block; + padding-top: 10px; + +} + +#left { + clear: both; + background: #fff url('images/left_back.gif') repeat-y top left; + width: 200px; + float: left; +} + +#search_form { + padding-left: 8px; + width: 200px; + margin: 10px 0 20px 0; +} + +#search_form .input_image { + + vertical-align: middle; +} + +#nav { + + width: 200px; + font-size: 12px; + clear: both; +} + +#nav #intro { + width: 179px; + background: #fff url('images/intro_top.jpg') no-repeat top left; + padding: 15px 10px 1px 10px; +} + +#nav #intro_footer { + width: 199px; + height:27px; + background: #fff url('images/intro_bottom.jpg') no-repeat top left; +} + + +#nav ul.site_tree, +#nav ul.site_tree ul, +#nav ul.site_tree li { + margin: 0; + padding: 0; + list-style: none; + +} +#nav ul.site_tree { + background: transparent url(images/subnavback.gif) no-repeat bottom left; + padding-bottom:2px; +} + +#nav ul.site_tree a { + color: #4F4E4E; + text-decoration: none; + display: block; +} + +#nav ul.site_tree a:hover { + text-decoration: none; +} + +#nav ul.site_tree strong.level1 { + color: #000; + display: block; + background-color: #59BAE7; +} + +#nav ul.site_tree li.level2 { + background: transparent url(images/subnavback.gif) no-repeat top left; +} + + +#nav ul.site_tree a.level1, +#nav ul.site_tree strong.level1 { + padding:5px 0 5px 10px; + +} + +#nav ul.site_tree li.level2 { + display:block; + padding: 5px 0 2px 15px; +} + +#nav ul.site_tree a.level2 { + +} + +#nav #nav_pic { + display: block; + margin: 0; + padding: 0; +} + + +h1 { + font-size: 20px; + color: #004788; +} + +h2 { + font-size: 18px; + color: #004788; +} + +h3 { + font-size: 16px; + color: #004788; +} + +h4 { + font-size: 14px; + color: #004788; +} + +h5 { + font-size: 12px; + color: #004788; +} + +p { + font-size: 12px; + color: #004788; + +} + +ul { + font-size: 12px; + color: #004788; + +} + +#content { + margin-left: 200px; + padding: 20px; + width: auto; + line-height: 1.5em; +} + +#content table { + border-collapse: collapse; +} + +#content th { + background-color: #f0f0f0; + padding: 5px; + color: #036; +} + +#content td { + vertical-align: middle; + padding: 5px; +} + +*html #content table { width:99%; } + +#footer { + clear: both; + width: 100%; + height: 35px; + background-color: #D8D8D8; + border-top: 1px solid #989898; + border-bottom: 1px solid #989898; +} + +#footer p { + vertical-align: middle; + margin: 12px 10px 10px 200px; + font-size: 10px; + color: #848484; +} + +#footer img { + float: left; + margin: 0px 0px 0px 2px; +} + +hr { + border: 0; + color: #696969; + background-color:#696969; + height: 1px; +} + + +#intro img{ + padding-top: 5px; + border: none; +} + +/* Open trouble tickets */ +#opentickets { + margin-left: 200px; + padding: 0 20px 20px 20px; + width: auto; +} + +.blue { +background:#004788 none repeat scroll 0 0; +} + +.text { + font-size: 12px; + color: #004788; +} + +.group_heading { +color:#004788; +font-size:12px; +font-weight:bolder; +} + +.list_info { +background-color:#D9EFFA; +color:#004788; +padding:0.6em; +} + +.whitebold { +color:#FFFFFF; +font-size:12px; +font-weight:bold; +} diff --git a/idp/templates/edit-webapp/images/nordunet.png b/idp/templates/edit-webapp/images/nordunet.png Binary files differnew file mode 100644 index 0000000..9948f66 --- /dev/null +++ b/idp/templates/edit-webapp/images/nordunet.png diff --git a/idp/templates/views/layout.vm b/idp/templates/views/layout.vm new file mode 100644 index 0000000..7dca3b5 --- /dev/null +++ b/idp/templates/views/layout.vm @@ -0,0 +1,32 @@ +#macro(layout) +<!DOCTYPE html> +<html> + <head> + <meta charset="utf-8"> + <meta name="viewport" content="width=device-width,initial-scale=1.0"> + <title>$title - $titleSuffix</title> + <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css"> + </head> + + <body> + <div class="wrapper"> + <div class="container"> + <header> + <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")"> + #if ($titleSuffix) + <h3>#springMessageText("idp.title", "Web Login Service") - $titleSuffix</h3> + #end + </header> + <div class="content"> + $!bodyContent + </div> + </div> + <footer> + <div class="contatiner container-footer"> + <p class="footer-text">#springMessageText("idp.footer", "Your footer here.")</p> + </div> + </footer> + </div> + </body> +</html> +#end diff --git a/idp/templates/views/login.vm b/idp/templates/views/login.vm new file mode 100644 index 0000000..b4f02d0 --- /dev/null +++ b/idp/templates/views/login.vm @@ -0,0 +1,116 @@ +## +## Velocity Template for DisplayUsernamePasswordPage view-state +## +## Velocity context will contain the following properties +## flowExecutionUrl - the form action location +## flowRequestContext - the Spring Web Flow RequestContext +## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) +## profileRequestContext - root of context tree +## authenticationContext - context with authentication request information +## authenticationErrorContext - context with login error state +## authenticationWarningContext - context with login warning state +## ldapResponseContext - context with LDAP state (if using native LDAP) +## rpUIContext - the context with SP UI information from the metadata +## extendedAuthenticationFlows - collection of "extended" AuthenticationFlowDescriptor objects +## passwordPrincipals - contents of the shibboleth.authn.Password.PrincipalOverride bean +## encoder - HTMLEncoder class +## request - HttpServletRequest +## response - HttpServletResponse +## environment - Spring Environment object for property resolution +## custom - arbitrary object injected by deployer +## +#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext')) +#set ($username = $authenticationContext.getSubcontext('net.shibboleth.idp.authn.context.UsernamePasswordContext', true).getUsername()) +#set ($passwordEnabled = false) +#if (!$passwordPrincipals or $passwordPrincipals.isEmpty() or $authenticationContext.isAcceptable($passwordPrincipals)) + #set ($passwordEnabled = true) +#end +## +#parse("layout.vm") + +#@layout() + <div class="column one"> + #parse("login-error.vm") + + <form action="$flowExecutionUrl" method="post"> + + #set ($serviceName = $rpUIContext.serviceName) + #if ($serviceName && !$rpContext.getRelyingPartyId().contains($serviceName)) + <legend> + #springMessageText("idp.login.loginTo", "Login to") $encoder.encodeForHTML($serviceName) + </legend> + #end + + #if ($passwordEnabled) + <div class="form-element-wrapper"> + <label for="username">#springMessageText("idp.login.username", "Username")</label> + <input class="form-element form-field" id="username" name="j_username" type="text" + value="#if($username)$encoder.encodeForHTML($username)#end"> + </div> + + <div class="form-element-wrapper"> + <label for="password">#springMessageText("idp.login.password", "Password")</label> + <input class="form-element form-field" id="password" name="j_password" type="password" value=""> + </div> + + <div class="form-element-wrapper"> + <input type="checkbox" name="donotcache" value="1" id="donotcache"> + <label for="donotcache">#springMessageText("idp.login.donotcache", "Don't Remember Login")</label> + </div> + #end + + <div class="form-element-wrapper"> + <input id="_shib_idp_revokeConsent" type="checkbox" name="_shib_idp_revokeConsent" value="true"> + <label for="_shib_idp_revokeConsent">#springMessageText("idp.attribute-release.revoke", "Clear prior granting of permission for release of your information to this service.")</label> + </div> + + #if ($passwordEnabled) + <div class="form-element-wrapper"> + <button class="form-element form-button" type="submit" name="_eventId_proceed" + onClick="this.childNodes[0].nodeValue='#springMessageText("idp.login.pleasewait", "Logging in, please wait...")'" + >#springMessageText("idp.login.login", "Login")</button> + </div> + #end + + #foreach ($extFlow in $extendedAuthenticationFlows) + #if ($authenticationContext.isAcceptable($extFlow) and $extFlow.apply(profileRequestContext)) + <div class="form-element-wrapper"> + <button class="form-element form-button" type="submit" name="_eventId_$extFlow.getId()"> + #springMessageText("idp.login.$extFlow.getId().replace('authn/','')", $extFlow.getId().replace('authn/','')) + </button> + </div> + #end + #end + </form> + + #* + // + // SP Description & Logo (optional) + // These idpui lines will display added information (if available + // in the metadata) about the Service Provider (SP) that requested + // authentication. These idpui lines are "active" in this example + // (not commented out) - this extra SP info will be displayed. + // Remove or comment out these lines to stop the display of the + // added SP information. + // + *# + #set ($logo = $rpUIContext.getLogo()) + #if ($logo) + <img src= "$encoder.encodeForHTMLAttribute($logo)" + alt="$encoder.encodeForHTMLAttribute($serviceName)"> + #end + #set ($desc = $rpUIContext.getServiceDescription()) + #if ($desc) + $encoder.encodeForHTML($desc) + #end + + </div> + <div class="column two"> + <ul class="list list-help"> + #if ($passwordEnabled) + <li class="list-help-item"><a href="#springMessageText("idp.url.password.reset", "#")"><span class="item-marker">›</span> #springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li> + #end + <li class="list-help-item"><a href="#springMessageText("idp.url.helpdesk", "#")"><span class="item-marker">›</span> #springMessageText("idp.login.needHelp", "Need Help?")</a></li> + </ul> + </div> +#end |
