From 35751e3cf89abf69f11dff7f9a3396d8068becc8 Mon Sep 17 00:00:00 2001
From: Markus Krogh <markus@nordu.net>
Date: Fri, 29 Sep 2017 17:42:03 +0200
Subject: Use ENV for persistentiId, logging

---
 compose-prod.yml                               |  22 ++
 idp/Dockerfile                                 |   8 +-
 idp/shib-entrypoint.sh                         |  64 ++++-
 idp/template-config/attribute-filter.xml       | 384 ++++++++++++++++---------
 idp/template-config/attribute-resolver.xml     | 225 ++++++---------
 idp/template-config/edupersontargetdid.xml.add |  16 ++
 idp/template-config/logback.xml                | 199 +++++++++++++
 7 files changed, 651 insertions(+), 267 deletions(-)
 create mode 100644 compose-prod.yml
 create mode 100644 idp/template-config/edupersontargetdid.xml.add
 create mode 100644 idp/template-config/logback.xml

diff --git a/compose-prod.yml b/compose-prod.yml
new file mode 100644
index 0000000..b3094d2
--- /dev/null
+++ b/compose-prod.yml
@@ -0,0 +1,22 @@
+version: '3'
+services:
+  shibboleth-docker:
+    build: ./idp
+    environment:
+      - JAVA_OPTIONS=-Xmx1G
+      - IDP_HOSTNAME=idp.nordu.net
+      - IDP_SCOPE=nordu.net
+      - IDP_DEBUG=true
+    env_file: ./data/production/env
+    volumes:
+      - ./data/production/idp-data:/opt/data
+  nginx:
+    image: nginx
+    volumes:
+      - ./data/production/certs:/opt/certs
+      - ./data/production/nginx:/etc/nginx/conf.d
+    links:
+      - shibboleth-docker
+    ports:
+      - '80:80'
+      - '443:443'
diff --git a/idp/Dockerfile b/idp/Dockerfile
index 3dd2d6c..908233f 100644
--- a/idp/Dockerfile
+++ b/idp/Dockerfile
@@ -1,7 +1,7 @@
 FROM jetty:9-alpine
-EXPOSE 80 443
 MAINTAINER Jesper B. Rosenkilde <jbr@nordu.net>
 
+USER root
 ENV IDP_VERSION 3.3.0
 COPY install.properties /opt/
 COPY nordu-ldap.properties /opt/
@@ -10,7 +10,7 @@ COPY shibboleth-identity-provider-${IDP_VERSION}.tar.gz /opt/
 COPY template-config/ /opt/template-config
 COPY shibboleth.db.ddl /tmp/
 WORKDIR /opt
-RUN apk --no-cache add bash apache-ant sqlite curl && \
+RUN echo $(id) && apk --no-cache add bash apache-ant sqlite curl && \
     #curl -O https://shibboleth.net/downloads/identity-provider/${IDP_VERSION}/shibboleth-identity-provider-${IDP_VERSION}.tar.gz && \
     sha256sum -c shibboleth-identity-provider-$IDP_VERSION.tar.gz.sha256 && \
     tar xf shibboleth-identity-provider-$IDP_VERSION.tar.gz && \
@@ -28,5 +28,7 @@ RUN chown -R jetty:jetty /opt/shibboleth-idp
 
 COPY jetty_base $JETTY_BASE
 COPY shib-entrypoint.sh /shib-entrypoint.sh
-ENTRYPOINT /shib-entrypoint.sh
+USER jetty
+ENTRYPOINT ["/shib-entrypoint.sh"]
 WORKDIR $JETTY_BASE
+CMD ["java","-jar","/usr/local/jetty/start.jar"]
diff --git a/idp/shib-entrypoint.sh b/idp/shib-entrypoint.sh
index eec7dcd..7803c11 100755
--- a/idp/shib-entrypoint.sh
+++ b/idp/shib-entrypoint.sh
@@ -6,4 +6,66 @@ if [ -f /metadata/sp-metadata.xml ]; then
   sed -i -e '/sp.nordu.dev/ s/<!--//' -e '/sp.nordu.dev/ s/-->//' /opt/shibboleth-idp/conf/metadata-providers.xml
 fi
 
-/docker-entrypoint.sh "$@"
+IDP_PROPERTIES=${IDP_PROPERTIES:-/opt/shibboleth-idp/conf/idp.properties}
+if [ -n "$IDP_HOSTNAME" ]; then
+  sed -i -e "s/idp.nordu.dev/$IDP_HOSTNAME/" $IDP_PROPERTIES
+fi
+if [ -n "$IDP_SCOPE" ]; then
+  sed -i -e "/idp.scope=/ s/nordu.dev/$IDP_HOSTNAME/" $IDP_PROPERTIES
+fi
+
+# FTICKS
+if [ -n "$FTICKS_FEDERATION" ]; then
+  sed -i -e '/idp.fticks.federation=/ s/^#//' \
+         -e "/idp.fticks.federation=/ s/MyFederation/$FTICKS_FEDERATION/" \
+         -e '/idp.fticks.algorithm=/ s/^#//' $IDP_PROPERTIES
+  if [ -n "$FTICKS_SALT" ]; then
+    sed -i -e '/idp.fticks.salt=/ s/^#//' \
+           -e "/idp.fticks.salt=/ s/=.*/=$FTICKS_SALT/" $IDP_PROPERTIES
+  fi
+
+  if [ -n "$FTICKS_HOST" ]; then
+    sed -i -e '/idp.fticks.loghost=/ s/^#//' \
+           -e "/idp.fticks.loghost=/ s/=.*/=$FTICKS_HOST/" $IDP_PROPERTIES
+  fi
+  if [ -n "$FTICKS_PORT" ]; then
+    sed -i -e '/idp.fticks.logport=/ s/^#//' \
+           -e "/idp.fticks.logport=/ s/=.*/=$FTICKS_PORT/" $IDP_PROPERTIES
+  fi
+fi
+
+# PersistentID
+
+if [ -n "$IDP_PERSISTENTID_SALT" ]; then
+  if ! grep '<ref bean="shibboleth.SAML2PersistentGenerator"  />' /opt/shibboleth-idp/conf/saml-nameid.xml ; then
+    sed -i -e '/<util:list id="shibboleth.SAML2NameIDGenerators">/ a <ref bean="shibboleth.SAML2PersistentGenerator"  />' /opt/shibboleth-idp/conf/saml-nameid.xml
+  fi
+
+  source_attr=${IDP_PERSISTENTID_SOURCE:-uid}
+  sed -i -e '/idp.persistentId.sourceAttribute/ s/^#//' \
+         -e "/idp.persistentId.sourceAttribute/ s/changethistosomethingreal/$source_attr/" \
+         -e '/idp.persistentId.salt/ s/^#//' \
+         -e "/idp.persistentId.salt/ s/changethistosomethingrandom/$IDP_PERSISTENTID_SALT/"  /opt/shibboleth-idp/conf/saml-nameid.properties
+  # add xml conf to attribute-resolver
+  if ! grep "%{idp.persistentId.sourceAttribute}" /opt/shibboleth-idp/conf/attribute-resolver.xml ; then
+    sed -i '/<!-- eduPersonTargetdID placeholder -->/r /opt/template-config/edupersontargetdid.xml.add' /opt/shibboleth-idp/conf/attribute-resolver.xml
+  fi
+fi
+
+if [ -n "$IDP_DEBUG" ]; then
+  echo "idp.loglevel.messages=DEBUG" >> $IDP_PROPERTIES
+  echo "idp.loglevel.encryption=DEBUG" >> $IDP_PROPERTIES
+fi
+
+DATADIR=/opt/data
+# overwrite signing keys if present
+if [ -f ${DATADIR}/credentials/idp-signing.key -a -f ${DATADIR}/credentials/idp-signing.crt ]; then
+  cp ${DATADIR}/credentials/idp-signing.key /opt/shibboleth-idp/credentials/idp-signing.key
+  cp ${DATADIR}/credentials/idp-signing.crt /opt/shibboleth-idp/credentials/idp-signing.crt
+fi
+
+if [ $IDP_DEBUG ]; then
+  sed -i -e '/idp.loglevel.messages/ s/INFO/DEBUG/' -e '/idp.loglevel.encryption/ s/INFO/DEBUG/' /opt/shibboleth-idp/conf/logback.xml
+fi
+
+/docker-entrypoint.sh java -jar /usr/local/jetty/start.jar $JAVA_OPTIONS
diff --git a/idp/template-config/attribute-filter.xml b/idp/template-config/attribute-filter.xml
index eae2abe..3514282 100644
--- a/idp/template-config/attribute-filter.xml
+++ b/idp/template-config/attribute-filter.xml
@@ -9,9 +9,9 @@
     and their options.
 -->
 <AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
-        xmlns="urn:mace:shibboleth:2.0:afp"
-        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+  xmlns="urn:mace:shibboleth:2.0:afp"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
 
   <AttributeFilterPolicy id="releaseTransientIdToAnyone">
     <PolicyRequirementRule xsi:type="ANY" />
@@ -19,139 +19,265 @@
     <AttributeRule attributeID="transientId">
       <PermitValueRule xsi:type="ANY" />
     </AttributeRule>
+    <AttributeRule attributeID="persistentId">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
   </AttributeFilterPolicy>
 
 
-	<!-- GEANT Data protection Code of Conduct -->
-	<AttributeFilterPolicy id="releaseToCoCo">
-  	<PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
-    											 attributeName="http://macedir.org/entity-category"
-    											 attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
-  	<AttributeRule attributeID="displayName">
-  	  <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
-  	</AttributeRule>
-  	<AttributeRule attributeID="cn">
-  	  <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
-  	</AttributeRule>
-  	<AttributeRule attributeID="email">
-  	  <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
-  	</AttributeRule>
-  	<AttributeRule attributeID="eduPersonPrincipalName">
-  	  <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
-  	</AttributeRule>
-  	<AttributeRule attributeID="eduPersonScopedAffiliation">
-  	  <PermitValueRule xsi:type="AND">
-  	    <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
-  	    <Rule xsi:type="OR">
-  	      <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
-  	      <Rule xsi:type="Value" value="student" ignoreCase="true" />
-  	      <Rule xsi:type="Value" value="staff" ignoreCase="true" />
-  	      <Rule xsi:type="Value" value="alum" ignoreCase="true" />
-  	      <Rule xsi:type="Value" value="member" ignoreCase="true" />
-  	      <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
-  	      <Rule xsi:type="Value" value="employee" ignoreCase="true" />
-  	      <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
-  	    </Rule>
-  	  </PermitValueRule>
-  	</AttributeRule>
-  	<AttributeRule attributeID="eduPersonAffiliation">
-  	  <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
-  	</AttributeRule>
-  	<AttributeRule attributeID="schacHomeOrganization">
-  	  <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
-  	</AttributeRule>
-  	<AttributeRule attributeID="schacHomeOrganizationType">
-  	  <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
-  	</AttributeRule>
-	</AttributeFilterPolicy>
+  <!-- GEANT Data protection Code of Conduct -->
+  <AttributeFilterPolicy id="releaseToCoCo">
+    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+      attributeName="http://macedir.org/entity-category"
+      attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="cn">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="AND">
+        <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+        <Rule xsi:type="OR">
+          <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+          <Rule xsi:type="Value" value="student" ignoreCase="true" />
+          <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+          <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+          <Rule xsi:type="Value" value="member" ignoreCase="true" />
+          <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+          <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+          <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+        </Rule>
+      </PermitValueRule>
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonAffiliation">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="schacHomeOrganization">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="schacHomeOrganizationType">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+  </AttributeFilterPolicy>
 
-	<!-- REFEDS Research and Schoolarship -->
-	<AttributeFilterPolicy id="releaseToRandS">
-	  <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
-	    attributeName="http://macedir.org/entity-category"
-	    attributeValue="http://refeds.org/category/research-and-scholarship" />
-	
-	  <AttributeRule attributeID="displayName">
-	    <PermitValueRule xsi:type="ANY" />
-	  </AttributeRule>
-	  <AttributeRule attributeID="givenName">
-	    <PermitValueRule xsi:type="ANY" />
-	  </AttributeRule>
-	  <AttributeRule attributeID="surname">
-	    <PermitValueRule xsi:type="ANY" />
-	  </AttributeRule>
-	  <AttributeRule attributeID="email">
-	    <PermitValueRule xsi:type="ANY" />
-	  </AttributeRule>
-	  <AttributeRule attributeID="eduPersonPrincipalName">
-	    <PermitValueRule xsi:type="ANY" />
-	  </AttributeRule>
-	  <AttributeRule attributeID="eduPersonScopedAffiliation">
-	    <PermitValueRule xsi:type="OR">
-	      <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
-	      <Rule xsi:type="Value" value="student" ignoreCase="true" />
-	      <Rule xsi:type="Value" value="staff" ignoreCase="true" />
-	      <Rule xsi:type="Value" value="alum" ignoreCase="true" />
-	      <Rule xsi:type="Value" value="member" ignoreCase="true" />
-	      <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
-	      <Rule xsi:type="Value" value="employee" ignoreCase="true" />
-	      <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
-	    </PermitValueRule>
-	  </AttributeRule>
-	</AttributeFilterPolicy>
+  <!-- REFEDS Research and Schoolarship -->
+  <AttributeFilterPolicy id="releaseToRandS">
+    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+      attributeName="http://macedir.org/entity-category"
+      attributeValue="http://refeds.org/category/research-and-scholarship" />
+
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="givenName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="surname">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="OR">
+        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+        <Rule xsi:type="Value" value="student" ignoreCase="true" />
+        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+        <Rule xsi:type="Value" value="member" ignoreCase="true" />
+        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+      </PermitValueRule>
+    </AttributeRule>
+  </AttributeFilterPolicy>
+
+  <!-- entity-category-swamid-research-and-education -->
+  <AttributeFilterPolicy id="entity-category-research-and-education">
+    <PolicyRequirementRule xsi:type="AND">
+      <Rule xsi:type="OR">
+        <Rule xsi:type="EntityAttributeExactMatch"
+          attributeName="http://macedir.org/entity-category"
+          attributeValue="http://www.swamid.se/category/eu-adequate-protection" />
+        <Rule xsi:type="EntityAttributeExactMatch"
+          attributeName="http://macedir.org/entity-category"
+          attributeValue="http://www.swamid.se/category/nren-service" />
+        <Rule xsi:type="EntityAttributeExactMatch"
+          attributeName="http://macedir.org/entity-category"
+          attributeValue="http://www.swamid.se/category/hei-service" />
+      </Rule>
+      <Rule xsi:type="EntityAttributeExactMatch"
+        attributeName="http://macedir.org/entity-category"
+        attributeValue="http://www.swamid.se/category/research-and-education" />
+    </PolicyRequirementRule>
+
+    <AttributeRule attributeID="givenName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="surname">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonAssurance">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="OR">
+        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+        <Rule xsi:type="Value" value="student" ignoreCase="true" />
+        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+        <Rule xsi:type="Value" value="member" ignoreCase="true" />
+        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+      </PermitValueRule>
+    </AttributeRule>
+    <AttributeRule attributeID="organizationName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="norEduOrgAcronym">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="countryName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="friendlyCountryName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="schacHomeOrganization">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+  </AttributeFilterPolicy>
 
   <!-- Release some attributes to an SP. -->
   <!-- Note: requester seems to need the path /shibboleth to be included to match this! -->
   <AttributeFilterPolicy id="sp.nordu.dev">
-      <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
-      <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
-      <AttributeRule attributeID="eduPersonPrincipalName">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="uid">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="mail">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="givenName">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="surname">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="displayName">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="commonName">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="employeeType">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="email">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="eduPersonEntitlement">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="mailLocalAddress">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="eduPersonScopedAffiliation">
-          <PermitValueRule xsi:type="OR">
-              <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
-              <Rule xsi:type="Value" value="student" ignoreCase="true" />
-              <Rule xsi:type="Value" value="staff" ignoreCase="true" />
-              <Rule xsi:type="Value" value="alum" ignoreCase="true" />
-              <Rule xsi:type="Value" value="member" ignoreCase="true" />
-              <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
-              <Rule xsi:type="Value" value="employee" ignoreCase="true" />
-              <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
-          </PermitValueRule>
-      </AttributeRule>
-      <AttributeRule attributeID="organizationName">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
+    <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
+    <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="uid">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="mail">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="givenName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="surname">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="commonName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="employeeType">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonEntitlement">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="mailLocalAddress">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="OR">
+        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+        <Rule xsi:type="Value" value="student" ignoreCase="true" />
+        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+        <Rule xsi:type="Value" value="member" ignoreCase="true" />
+        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+      </PermitValueRule>
+    </AttributeRule>
+    <AttributeRule attributeID="organizationName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+  </AttributeFilterPolicy>
+
+  <!-- ukfederation + incommon -->
+  <AttributeFilterPolicy id="everyoneInSwamidFeed">
+    <PolicyRequirementRule xsi:type="InEntityGroup" groupID="http://mds.swamid.se/md/swamid-2.0.xml" />
+    <AttributeRule attributeID="givenName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="surname">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="commonName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonEntitlement">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonTargetedID">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="OR">
+        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+        <Rule xsi:type="Value" value="student" ignoreCase="true" />
+        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+        <Rule xsi:type="Value" value="member" ignoreCase="true" />
+        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+      </PermitValueRule>
+    </AttributeRule>
+    <AttributeRule attributeID="organizationName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="norEduOrgAcronym">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="countryName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="friendlyCountryName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="schacHomeOrganization">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
   </AttributeFilterPolicy>
+
 </AttributeFilterPolicyGroup>
diff --git a/idp/template-config/attribute-resolver.xml b/idp/template-config/attribute-resolver.xml
index 1020fc4..92fb1bb 100644
--- a/idp/template-config/attribute-resolver.xml
+++ b/idp/template-config/attribute-resolver.xml
@@ -17,38 +17,31 @@
 
 -->
 <AttributeResolver
-        xmlns="urn:mace:shibboleth:2.0:resolver"
-        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
+  xmlns="urn:mace:shibboleth:2.0:resolver"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
 
 
-    <!-- ========================================== -->
-    <!--      Attribute Definitions                 -->
-    <!-- ========================================== -->
+  <!-- ========================================== -->
+  <!--      Attribute Definitions                 -->
+  <!-- ========================================== -->
 
-    <!--
+  <!--
     The EPPN is the "standard" federated username in higher ed.
     For guidelines on the implementation of this attribute, refer
     to the Shibboleth and eduPerson documentation. Above all, do
     not expose a value for this attribute without considering the
     long term implications.
     -->
-    <!-- This version not used at NORDUnet, see below
-    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
-    </AttributeDefinition>
-    -->
     <!--
     The uid is the closest thing to a "standard" LDAP attribute
     representing a local username, but you should generally *never*
     expose uid to federated services, as it is rarely globally unique.
     -->
     <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
     </AttributeDefinition>
 
     <!--
@@ -57,52 +50,52 @@
     the same as your official email addresses whenever possible.
     -->
     <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
     </AttributeDefinition>
 
     <AttributeDefinition id="email" xsi:type="Simple" sourceAttributeID="mail">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
     </AttributeDefinition>
 
     <AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn">
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" encodeType="false" />
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" />
     </AttributeDefinition>
 
     <AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct -->
-        <Dependency ref="myLDAP" />
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" />
     </AttributeDefinition>
 
     <AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn">
       <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" />
     </AttributeDefinition>
 
     <AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o">
       <Dependency ref="staticAttributes" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" />
     </AttributeDefinition>
 
     <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName">
       <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" />
     </AttributeDefinition>
 
     <!-- Schema: inetOrgPerson attributes-->
     <AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType">
       <Dependency ref="myLDAP" />
-      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" />
-      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" />
     </AttributeDefinition>
 
     <!-- Schema: eduPerson attributes -->
@@ -129,101 +122,91 @@
       <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
       <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
     </AttributeDefinition>
-	  <!-- Idp-Installer: the source for this attribute is from the database StoredId and no longer the classic computedID  -->
-    <!--
-    <AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID"
-                                  nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="persistentId">
-        <Dependency ref="StoredId" />
-        <AttributeEncoder xsi:type="enc:SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
-        <AttributeEncoder xsi:type="enc:SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
-    </AttributeDefinition>
-    -->
-
 
-<AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation">
-    <Dependency ref="myLDAP" />
-    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" />
-    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
-</AttributeDefinition>
+    <AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" />
+    </AttributeDefinition>
 
-<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Simple" sourceAttributeID="uid"><!-- In ndn it is uid -->
-    <Dependency ref="myLDAP" />
-    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
-    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
-</AttributeDefinition>
+    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid"><!-- In ndn it is uid+scope -->
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
+      <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
+    </AttributeDefinition>
 
-<AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="nordu.net" sourceAttributeID="employeeType">
-    <Dependency ref="myLDAP" />
-    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
-    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
-</AttributeDefinition>
+    <AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="employeeType">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
+      <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
+    </AttributeDefinition>
 
-	<!-- from swamid installer -->
+<!-- from swamid installer -->
   <AttributeDefinition id="norEduOrgAcronym" xsi:type="Simple" sourceAttributeID="norEduOrgAcronym">
     <Dependency ref="staticAttributes" />
     <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgAcronym" />
     <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.6" friendlyName="norEduOrgAcronym" />
   </AttributeDefinition>
 
-	<AttributeDefinition id="schacHomeOrganization" xsi:type="Simple" sourceAttributeID="schacHomeOrganization">
-		<Dependency ref="staticAttributes" />
-		<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
-		<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
-	</AttributeDefinition>
+  <AttributeDefinition id="schacHomeOrganization" xsi:type="Simple" sourceAttributeID="schacHomeOrganization">
+    <Dependency ref="staticAttributes" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+  </AttributeDefinition>
 
-	<AttributeDefinition id="schacHomeOrganizationType" xsi:type="Simple" sourceAttributeID="schacHomeOrganizationType">
-		<Dependency ref="staticAttributes" />
-		<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
-		<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
-	</AttributeDefinition>
+  <AttributeDefinition id="schacHomeOrganizationType" xsi:type="Simple" sourceAttributeID="schacHomeOrganizationType">
+    <Dependency ref="staticAttributes" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+  </AttributeDefinition>
 
-	<!-- If we want to use google apps at some point we need: friendlyCountryName, countryName and principal -->
+  <!-- If we want to use google apps at some point we need: friendlyCountryName, countryName and principal -->
 
 
 
-    <!-- ========================================== -->
-    <!--      Data Connectors                       -->
-    <!-- ========================================== -->
+  <!-- ========================================== -->
+  <!--      Data Connectors                       -->
+  <!-- ========================================== -->
 
-    <!--
+  <!--
     Example LDAP Connector
 
     The connectivity details can be specified in ldap.properties to
     share them with your authentication settings if desired.
     -->
     <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
-        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
-        baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
-        <FilterTemplate>
-            <![CDATA[
-                %{idp.attribute.resolver.LDAP.searchFilter}
-            ]]>
-        </FilterTemplate>
+      ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+      baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
+      <FilterTemplate>
+        <![CDATA[
+        %{idp.attribute.resolver.LDAP.searchFilter}
+        ]]>
+      </FilterTemplate>
     </DataConnector>
     <DataConnector id="myLDAPGROUPS" xsi:type="LDAPDirectory"
-        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
-        baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
-        <FilterTemplate>
-            <![CDATA[
-                %{idp.attribute.resolver.LDAP.searchFilter}
-            ]]>
-        </FilterTemplate>
-        <ReturnAttributes>memberOf</ReturnAttributes>
+      ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+      baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
+      <FilterTemplate>
+        <![CDATA[
+        %{idp.attribute.resolver.LDAP.searchFilter}
+        ]]>
+      </FilterTemplate>
+      <ReturnAttributes>memberOf</ReturnAttributes>
     </DataConnector>
 
-  	<DataConnector id="staticAttributes" xsi:type="Static">
-			<Attribute id="o">
-				<Value>NORDUnet A/S</Value>
-			</Attribute>
-  	  <Attribute id="schacHomeOrganization">
-  	    <Value>nordu.net</Value>
-  	  </Attribute>
-  	  <Attribute id="schacHomeOrganizationType">
-  	    <Value>urn:schac:homeOrganizationType:int:NREN</Value>
-  	  </Attribute>
-			<Attribute id="norEduOrgAcronym">
-				<Value>NORDUNet</Value>
-			</Attribute>
+    <DataConnector id="staticAttributes" xsi:type="Static">
+      <Attribute id="o">
+        <Value>NORDUnet A/S</Value>
+      </Attribute>
+      <Attribute id="schacHomeOrganization">
+        <Value>nordu.net</Value>
+      </Attribute>
+      <Attribute id="schacHomeOrganizationType">
+        <Value>urn:schac:homeOrganizationType:int:NREN</Value>
+      </Attribute>
+      <Attribute id="norEduOrgAcronym">
+        <Value>NORDUNet</Value>
+      </Attribute>
       <Attribute id="staticeduPersonEntitlement">
         <Value>urn:mace:dir:entitlement:common-lib-terms</Value>
         <Value>urn:mace:terena.org:tcs:escience-user</Value>
@@ -233,34 +216,8 @@
         <Value>urn:mace:swami.se:gmai:sunet-iaas:admin</Value>
         <Value>urn:mace:swami.se:gmai:sunet-iaas:user</Value>
       </Attribute>
-  	</DataConnector>
-
-
-  <!-- Computed targeted ID connector -->
-<!--  The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.-->
-
-<!--  <DataConnector id="ComputedId" xsi:type="ComputedId"
-      generatedAttributeID="computedId"
-      sourceAttributeID="uid"
-      salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
-      <resolver:Dependency ref="myLDAP" />
-  </DataConnector>
-
-also in old format the next block
-<resolver:DataConnector id="StoredId"
-    xsi:type="StoredId"
-    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
-    generatedAttributeID="persistentId"
-    sourceAttributeID="uid"
-    salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
-    <resolver:Dependency ref="uid" />
-    <ApplicationManagedConnection
-        jdbcDriver="com.mysql.jdbc.Driver"
-        jdbcURL="jdbc:mysql://mysql:3306/shibboleth?autoReconnect=true&amp;useSSL=false"
-        jdbcUserName="idp"
-        jdbcPassword="shibboleth" />
-</resolver:DataConnector>
--->
+    </DataConnector>
 
+  <!-- eduPersonTargetdID placeholder -->
 
 </AttributeResolver>
diff --git a/idp/template-config/edupersontargetdid.xml.add b/idp/template-config/edupersontargetdid.xml.add
new file mode 100644
index 0000000..8601da6
--- /dev/null
+++ b/idp/template-config/edupersontargetdid.xml.add
@@ -0,0 +1,16 @@
+    <AttributeDefinition xsi:type="SAML2NameID" id="eduPersonTargetedID"
+                         nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+                         sourceAttributeID="computedId">
+        <Dependency ref="ComputedId" />
+        <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
+        <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
+    </AttributeDefinition>
+
+
+    <!--  The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.-->
+  <DataConnector id="ComputedId" xsi:type="ComputedId"
+      generatedAttributeID="computedId"
+      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
+      salt="%{idp.persistentId.salt}">
+      <Dependency ref="myLDAP" />
+  </DataConnector>
diff --git a/idp/template-config/logback.xml b/idp/template-config/logback.xml
new file mode 100644
index 0000000..6afa4ef
--- /dev/null
+++ b/idp/template-config/logback.xml
@@ -0,0 +1,199 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+
+    <!--
+    Variables for simplifying logging configuration.
+    http://logback.qos.ch/manual/configuration.html#variableSubstitution
+    -->
+    
+    <variable name="idp.logfiles" value="${idp.home}/logs" />
+    <variable name="idp.loghistory" value="180" />
+    
+    <!-- Much higher performance if you operate on DEBUG. -->
+    <!-- <variable name="idp.process.appender" value="ASYNC_PROCESS" /> -->
+    
+    <!-- Logging level shortcuts. -->
+    <variable name="idp.loglevel.idp" value="INFO" />
+    <variable name="idp.loglevel.ldap" value="WARN" />
+    <variable name="idp.loglevel.messages" value="INFO" />
+    <variable name="idp.loglevel.encryption" value="INFO" />
+    <variable name="idp.loglevel.opensaml" value="INFO" />
+    <variable name="idp.loglevel.props" value="INFO" />
+    
+    <!-- Don't turn these up unless you want a *lot* of noise. -->
+    <variable name="idp.loglevel.spring" value="ERROR" />
+    <variable name="idp.loglevel.container" value="ERROR" />
+    <variable name="idp.loglevel.xmlsec" value="INFO" />
+
+    <!--
+    If you want to use custom properties in this config file,
+    we load the main property file for you.
+    -->
+    <variable file="${idp.home}/conf/idp.properties" />
+    
+    <!-- =========================================================== -->
+    <!-- ============== Logging Categories and Levels ============== -->
+    <!-- =========================================================== -->
+
+    <!-- Logs IdP, but not OpenSAML, messages -->
+    <logger name="net.shibboleth.idp" level="${idp.loglevel.idp:-INFO}"/>
+
+    <!-- Logs OpenSAML, but not IdP, messages -->
+    <logger name="org.opensaml.saml" level="${idp.loglevel.opensaml:-INFO}"/>
+    
+    <!-- Logs LDAP related messages -->
+    <logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/>
+    
+    <!-- Logs inbound and outbound protocols messages at DEBUG level -->
+    <logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages:-INFO}" />
+
+    <!-- Logs unencrypted SAML at DEBUG level -->
+    <logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption:-INFO}" />
+
+    <!-- Logs system properties during startup at DEBUG level -->
+    <logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props:-INFO}" />
+
+    <!-- Especially chatty. -->
+    <logger name="net.shibboleth.idp.saml.attribute.mapping" level="INFO" />
+    <logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec:-INFO}" />
+    <logger name="org.springframework" level="${idp.loglevel.spring:-ERROR}"/>
+    <logger name="org.apache.catalina" level="${idp.loglevel.container:-ERROR}"/>
+    <logger name="org.eclipse.jetty" level="${idp.loglevel.container:-ERROR}"/>
+
+
+    <!-- =========================================================== -->
+    <!-- ============== Low Level Details or Changes =============== -->
+    <!-- =========================================================== -->
+    
+    <!-- Process log. -->
+    <appender name="IDP_PROCESS" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <File>${idp.logfiles}/idp-process.log</File>
+        
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <fileNamePattern>${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+            <maxHistory>${idp.loghistory:-180}</maxHistory>
+        </rollingPolicy>
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
+        </encoder>
+
+        <!-- Ignore Velocity status page error. -->
+        <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
+            <evaluator>
+                <matcher>
+                    <Name>VelocityStatusMatcher</Name>
+                    <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
+                </matcher>
+                <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
+            </evaluator>
+            <OnMatch>DENY</OnMatch>
+        </filter>
+    </appender>
+
+    <appender name="ASYNC_PROCESS" class="ch.qos.logback.classic.AsyncAppender">
+        <appender-ref ref="IDP_PROCESS" />
+        <discardingThreshold>0</discardingThreshold>
+    </appender>
+
+    <appender name="IDP_WARN" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <!-- Suppress anything below WARN. -->
+        <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+            <level>WARN</level>
+        </filter>
+        
+        <File>${idp.logfiles}/idp-warn.log</File>
+        
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <fileNamePattern>${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+            <maxHistory>${idp.loghistory:-180}</maxHistory>
+        </rollingPolicy>
+        
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
+        </encoder>
+        
+        <!-- Ignore Velocity status page error. -->
+        <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
+            <evaluator>
+                <matcher>
+                    <Name>VelocityStatusMatcher</Name>
+                    <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
+                </matcher>
+                <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
+            </evaluator>
+            <OnMatch>DENY</OnMatch>
+        </filter>
+    </appender>
+    
+    <!-- Audit log. -->
+    <appender name="IDP_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <File>${idp.logfiles}/idp-audit.log</File>
+
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <fileNamePattern>${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+            <maxHistory>${idp.loghistory:-180}</maxHistory>
+        </rollingPolicy>
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%msg%n</Pattern>
+        </encoder>
+    </appender>
+    
+    <!-- Consent audit log. -->
+    <appender name="IDP_CONSENT_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <File>${idp.logfiles}/idp-consent-audit.log</File>
+
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <fileNamePattern>${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+            <maxHistory>${idp.loghistory:-180}</maxHistory>
+        </rollingPolicy>
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%msg%n</Pattern>
+        </encoder>
+    </appender>
+
+    <!-- F-TICKS syslog destination. -->
+    <appender name="IDP_AUDIT_FTICKS" class="ch.qos.logback.core.rolling.RollingFileAppender">
+    <File>${idp.home}/logs/idp-audit-fticks.log</File>
+    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+        <fileNamePattern>${idp.home}/logs/idp-audit-fticks%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+        <maxHistory>180</maxHistory>
+    </rollingPolicy>
+    <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+        <charset>UTF-8</charset>
+        <Pattern>%msg%n</Pattern>
+    </encoder>
+    </appender>
+
+    <appender name="IDP_FTICKS" class="ch.qos.logback.classic.net.SyslogAppender">
+        <syslogHost>${idp.fticks.loghost:-localhost}</syslogHost>
+        <port>${idp.fticks.logport:-514}</port>
+        <facility>AUTH</facility>
+        <suffixPattern>[%thread] %logger %msg</suffixPattern>
+    </appender>
+
+    <logger name="Shibboleth-Audit" level="ALL">
+        <appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/>
+    </logger>
+
+    <logger name="Shibboleth-FTICKS" level="ALL" additivity="false">
+        <appender-ref ref="${idp.fticks.appender:-IDP_FTICKS}"/>
+        <appender-ref ref="IDP_AUDIT_FTICKS"/>
+    </logger>
+
+    <logger name="Shibboleth-Consent-Audit" level="ALL">
+        <appender-ref ref="${idp.consent.appender:-IDP_CONSENT_AUDIT}"/>
+    </logger>
+    
+    <root level="${idp.loglevel.root:-INFO}">
+        <appender-ref ref="${idp.process.appender:-IDP_PROCESS}"/>
+        <appender-ref ref="${idp.warn.appender:-IDP_WARN}" />
+    </root>
+
+</configuration>
-- 
cgit v1.1