summaryrefslogtreecommitdiff
path: root/template-config
diff options
context:
space:
mode:
Diffstat (limited to 'template-config')
-rw-r--r--template-config/README.md5
-rw-r--r--template-config/attribute-filter.xml122
-rw-r--r--template-config/attribute-resolver.xml373
-rw-r--r--template-config/metadata-providers.xml64
-rw-r--r--template-config/relying-party.xml78
5 files changed, 0 insertions, 642 deletions
diff --git a/template-config/README.md b/template-config/README.md
deleted file mode 100644
index 6002238..0000000
--- a/template-config/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# IDP config templates
-
-This directory contains the files which are being replaced after running install.
-
-Dockerfile should install these after running install.
diff --git a/template-config/attribute-filter.xml b/template-config/attribute-filter.xml
deleted file mode 100644
index f2aa5f7..0000000
--- a/template-config/attribute-filter.xml
+++ /dev/null
@@ -1,122 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- This file is an EXAMPLE policy file. While the policy presented in this
- example file is illustrative of some simple cases, it relies on the names of
- non-existent example services and the example attributes demonstrated in the
- default attribute-resolver.xml file.
-
- Deployers should refer to the documentation for a complete list of components
- and their options.
--->
-<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
- xmlns="urn:mace:shibboleth:2.0:afp"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
-
- <!-- Release some attributes to an SP. -->
- <!-- Note: requester seems to need the path /shibboleth to be included to match this! -->
- <AttributeFilterPolicy id="sp.nordu.dev">
- <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
- <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
- <AttributeRule attributeID="eduPersonPrincipalName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="uid">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="mail">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="givenName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="surname">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="displayName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="commonName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="employeeType">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="email">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="eduPersonEntitlement">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="mailLocalAddress">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
-
- </AttributeFilterPolicy>
-
- <!-- Release the transient ID to anyone -->
-<!-- <AttributeFilterPolicy id="releaseTransientAndPermanentIdToAnyone">
- <PolicyRequirementRule xsi:type="ANY" />
- <AttributeRule attributeID="transientId">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="persistentId">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="eduPersonTargetedID">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- </AttributeFilterPolicy>
--->
- <!-- recommended initial attribute filter policy for swamid.se + same rule for edugain, incommon, uk and kalmar2 -->
-<!-- <AttributeFilterPolicy id="releaseStandardAttributesToFederations">
- <PolicyRequirementRule xsi:type="OR">
- <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="urn:mace:incommon" />
- <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://ukfederation.org.uk" />
- <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://md.swamid.se/md/swamid-1.0.xml" />
- <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://mds.swamid.se/md/swamid-2.0.xml" />
- <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="kalmarcentral2" />
- <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="edugain" />
- </PolicyRequirementRule>
- <AttributeRule attributeID="givenName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="surname">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="displayName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="commonName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="eduPersonPrincipalName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="email">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="eduPersonEntitlement">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="mailLocalAddress">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="eduPersonScopedAffiliation">
- <PermitValueRule xsi:type="OR">
- <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
- <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
- <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
- <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" />
- <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
- <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" />
- <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
- <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" />
- </PermitValueRule>
- </AttributeRule>
- <AttributeRule attributeID="organizationName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- </AttributeFilterPolicy>-->
-
-</AttributeFilterPolicyGroup>
diff --git a/template-config/attribute-resolver.xml b/template-config/attribute-resolver.xml
deleted file mode 100644
index 9d7b8de..0000000
--- a/template-config/attribute-resolver.xml
+++ /dev/null
@@ -1,373 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- This file is an EXAMPLE configuration file. While the configuration
- presented in this example file is semi-functional, it isn't very
- interesting. It is here only as a starting point for your deployment
- process.
-
- Very few attribute definitions and data connectors are demonstrated,
- and the data is derived statically from the logged-in username and a
- static example connector.
-
- Attribute-resolver-full.xml contains more examples of attributes,
- encoders, and data connectors. Deployers should refer to the Shibboleth
- documentation for a complete list of components and their options.
-
- NOTE: This file is from the Nordunet template-config
-
--->
-<AttributeResolver
- xmlns="urn:mace:shibboleth:2.0:resolver"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
-
-
- <!-- ========================================== -->
- <!-- Attribute Definitions -->
- <!-- ========================================== -->
-
- <!--
- The EPPN is the "standard" federated username in higher ed.
- For guidelines on the implementation of this attribute, refer
- to the Shibboleth and eduPerson documentation. Above all, do
- not expose a value for this attribute without considering the
- long term implications.
- -->
- <!-- This version not used at NORDUnet, see below
- <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
- </AttributeDefinition>
- -->
- <!--
- The uid is the closest thing to a "standard" LDAP attribute
- representing a local username, but you should generally *never*
- expose uid to federated services, as it is rarely globally unique.
- -->
- <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
- </AttributeDefinition>
-
- <!--
- In the rest of the world, the email address is the standard identifier,
- despite the problems with that practice. Consider making the EPPN value
- the same as your official email addresses whenever possible.
- -->
- <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="mailLocalAddress" xsi:type="Simple" sourceAttributeID="mailLocalAddress">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mailLocalAddress" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.13" friendlyName="mailLocalAddress" encodeType="false" />
- </AttributeDefinition>
-
-<!-- old format from IDPv2 - still works? -->
- <AttributeDefinition id="homePhone" xsi:type="Simple" sourceAttributeID="homePhone">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePhone" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="homePostalAddress" xsi:type="Simple" sourceAttributeID="homePostalAddress">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePostalAddress" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.39" friendlyName="homePostalAddress" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="mobileNumber" xsi:type="Simple" sourceAttributeID="mobile">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="pagerNumber" xsi:type="Simple" sourceAttributeID="pager">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:pager" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct -->
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
- </AttributeDefinition>
-
-
- <AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="locality" xsi:type="Simple" sourceAttributeID="l">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="stateProvince" xsi:type="Simple" sourceAttributeID="st">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:st" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.8" friendlyName="st" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="street" xsi:type="Simple" sourceAttributeID="street">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:street" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.9" friendlyName="street" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="organizationalUnit" xsi:type="Simple" sourceAttributeID="ou">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:ou" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.11" friendlyName="ou" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="title" xsi:type="Simple" sourceAttributeID="title">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="postalAddress" xsi:type="Simple" sourceAttributeID="postalAddress">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalAddress" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.16" friendlyName="postalAddress" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="postalCode" xsi:type="Simple" sourceAttributeID="postalCode">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalCode" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.17" friendlyName="postalCode" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="postOfficeBox" xsi:type="Simple" sourceAttributeID="postOfficeBox">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postOfficeBox" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.18" friendlyName="postOfficeBox" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="telephoneNumber" xsi:type="Simple" sourceAttributeID="telephoneNumber">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="initials" xsi:type="Simple" sourceAttributeID="initials">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:initials" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" encodeType="false" />
- </AttributeDefinition>
-
-
- <!-- Schema: inetOrgPerson attributes-->
- <AttributeDefinition id="departmentNumber" xsi:type="Simple" sourceAttributeID="departmentNumber">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="employeeNumber" xsi:type="Simple" sourceAttributeID="employeeNumber">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeNumber" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="jpegPhoto" xsi:type="Simple" sourceAttributeID="jpegPhoto">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:jpegPhoto" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.60" friendlyName="jpegPhoto" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="preferredLanguage" xsi:type="Simple" sourceAttributeID="preferredLanguage">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" encodeType="false" />
- </AttributeDefinition>
-
- <!-- Schema: eduPerson attributes -->
- <AttributeDefinition id="eduPersonAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonAffiliation">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition id="memberOf" xsi:type="Simple" sourceAttributeID="memberOf">
- <Dependency ref="myLDAPGROUPS" />
- </AttributeDefinition>
-
-<!-- placeholder for scripted scriptEduPersonEntitlement -->
-
-<AttributeDefinition id="eduPersonNickname" xsi:type="Simple" sourceAttributeID="eduPersonNickname">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonNickname" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" friendlyName="eduPersonNickname" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonOrgDN" xsi:type="Simple" sourceAttributeID="eduPersonOrgDN">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonOrgDN" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" friendlyName="eduPersonOrgDN" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonOrgUnitDN" xsi:type="Simple" sourceAttributeID="eduPersonOrgUnitDN">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" friendlyName="eduPersonOrgUnitDN" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonPrimaryOrgUnitDN" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryOrgUnitDN">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" friendlyName="eduPersonPrimaryOrgUnitDN" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Simple" sourceAttributeID="uid">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
-</AttributeDefinition>
-
-<AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="nordu.net" sourceAttributeID="employeeType">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
-</AttributeDefinition>
-
-<!-- placeholder for eduPersonTargetedID and persistentId and transientId -->
-
-
- <!-- ========================================== -->
- <!-- Data Connectors -->
- <!-- ========================================== -->
-
- <!--
- Example LDAP Connector
-
- The connectivity details can be specified in ldap.properties to
- share them with your authentication settings if desired.
- -->
- <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
- ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
- baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
- <FilterTemplate>
- <![CDATA[
- %{idp.attribute.resolver.LDAP.searchFilter}
- ]]>
- </FilterTemplate>
- <!-- Do we even need a connection pool? Got this:
- WARN [org.ldaptive.pool.BlockingConnectionPool:882] - org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@6ec7349e failed validation
-
- <ConnectionPool
- minPoolSize="%{idp.pool.LDAP.minSize:3}"
- maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
- blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
- validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
- validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
- expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
- failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />-->
-
-
- </DataConnector>
-<!-- <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
- ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
- baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
- principal="%{idp.attribute.resolver.LDAP.bindDN}"
- principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
- useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
- connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
- trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
- responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
- <FilterTemplate>
- <![CDATA[
- %{idp.attribute.resolver.LDAP.searchFilter}
- ]]>
- </FilterTemplate>
- <ConnectionPool
- minPoolSize="%{idp.pool.LDAP.minSize:3}"
- maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
- blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
- validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
- validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
- expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
- failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
- </DataConnector>
- -->
-
- <DataConnector id="myLDAPGROUPS" xsi:type="LDAPDirectory"
- ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
- baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
- <FilterTemplate>
- <![CDATA[
- %{idp.attribute.resolver.LDAP.searchFilter}
- ]]>
- </FilterTemplate>
- <ReturnAttributes>memberOf</ReturnAttributes>
- </DataConnector>
-
-
- <!-- Computed targeted ID connector -->
-<!-- The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.-->
-
-<!-- <DataConnector id="ComputedId" xsi:type="ComputedId"
- generatedAttributeID="computedId"
- sourceAttributeID="uid"
- salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
- <resolver:Dependency ref="myLDAP" />
- </DataConnector>
-
-also in old format the next block
-<resolver:DataConnector id="StoredId"
- xsi:type="StoredId"
- xmlns="urn:mace:shibboleth:2.0:resolver:dc"
- generatedAttributeID="persistentId"
- sourceAttributeID="uid"
- salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
- <resolver:Dependency ref="uid" />
- <ApplicationManagedConnection
- jdbcDriver="com.mysql.jdbc.Driver"
- jdbcURL="jdbc:mysql://mysql:3306/shibboleth?autoReconnect=true&amp;useSSL=false"
- jdbcUserName="idp"
- jdbcPassword="shibboleth" />
-</resolver:DataConnector>
--->
-
-
-</AttributeResolver>
diff --git a/template-config/metadata-providers.xml b/template-config/metadata-providers.xml
deleted file mode 100644
index 71b5967..0000000
--- a/template-config/metadata-providers.xml
+++ /dev/null
@@ -1,64 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- This file is an EXAMPLE metadata configuration file. -->
-<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
- xmlns="urn:mace:shibboleth:2.0:metadata"
- xmlns:resource="urn:mace:shibboleth:2.0:resource"
- xmlns:security="urn:mace:shibboleth:2.0:security"
- xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
- urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
- urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
- urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
-
- <!-- ========================================================================================== -->
- <!-- Metadata Configuration -->
- <!-- -->
- <!-- Below you place the mechanisms which define how to load the metadata for SP(s) you will -->
- <!-- provide service to. -->
- <!-- -->
- <!-- Two examples are provided. The Shibboleth Documentation at -->
- <!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration -->
- <!-- provides more details. -->
- <!-- -->
- <!-- NOTE. This file SHOULD NOT contain the metadata for this IdP. -->
- <!-- ========================================================================================== -->
-
- <!--
- Example HTTP metadata provider. Use this if you want to download the metadata
- from a remote source.
-
- You *MUST* provide the SignatureValidationFilter in order to function securely.
- Get the public key certificate from the party publishing the metadata, and validate
- it with them via some out of band mechanism (e.g., a fingerprint on a secure page).
-
- The EntityRoleWhiteList saves memory by only loading metadata from SAML roles
- that the IdP needs to interoperate with.
- -->
-
- <!--
- <MetadataProvider id="HTTPMetadata"
- xsi:type="FileBackedHTTPMetadataProvider"
- backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
- metadataURL="http://WHATEVER">
-
- <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
- <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
- <MetadataFilter xsi:type="EntityRoleWhiteList">
- <RetainedRole>md:SPSSODescriptor</RetainedRole>
- </MetadataFilter>
- </MetadataProvider>
- -->
-
- <!--
- Example file metadata provider. Use this if you want to load metadata
- from a local file. You might use this if you have some local SPs
- which are not "federated" but you wish to offer a service to.
-
- If you do not provide a SignatureValidation filter, then you have the
- responsibility to ensure that the contents on disk are trustworthy.
- -->
-
- <MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/apache-sp/sp-metadata.xml"/>
-
-</MetadataProvider>
diff --git a/template-config/relying-party.xml b/template-config/relying-party.xml
deleted file mode 100644
index 327c8e2..0000000
--- a/template-config/relying-party.xml
+++ /dev/null
@@ -1,78 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- Unverified RP configuration, defaults to no support for any profiles. Add <ref> elements to the list
- to enable specific default profile settings (as below), or create new beans inline to override defaults.
-
- "Unverified" typically means the IdP has no metadata, or equivalent way of assuring the identity and
- legitimacy of a requesting system. To run an "open" IdP, you can enable profiles here.
- -->
- <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
- <property name="profileConfigurations">
- <list>
- <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
- <ref bean="SAML1.AttributeQuery" />
- <ref bean="SAML1.ArtifactResolution" />
- <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
- <ref bean="SAML2.ECP" />
- <ref bean="SAML2.Logout" />
- <ref bean="SAML2.AttributeQuery" />
- <ref bean="SAML2.ArtifactResolution" />
- <ref bean="Liberty.SSOS" />
- </list>
- </property>
- </bean>
-
- <!--
- Default configuration, with default settings applied for all profiles, and enables
- the attribute-release consent flow.
- -->
- <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
- <property name="profileConfigurations">
- <list>
- <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
- <ref bean="SAML1.AttributeQuery" />
- <ref bean="SAML1.ArtifactResolution" />
- <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
- <ref bean="SAML2.ECP" />
- <ref bean="SAML2.Logout" />
- <ref bean="SAML2.AttributeQuery" />
- <ref bean="SAML2.ArtifactResolution" />
- <ref bean="Liberty.SSOS" />
- </list>
- </property>
- </bean>
-
- <!-- Container for any overrides you want to add. -->
-
- <util:list id="shibboleth.RelyingPartyOverrides">
-
- <!--
- Override example that identifies a single RP by name and configures it
- for SAML 2 SSO without encryption. This is a common "vendor" scenario.
- -->
- <!--
- <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org">
- <property name="profileConfigurations">
- <list>
- <bean parent="SAML2.SSO" p:encryptAssertions="false" />
- </list>
- </property>
- </bean>
- -->
-
- </util:list>
-
-</beans>
generated by cgit v1.1 at 2025-07-18 16:26:35 +0000