From b446c181f747758a71c1cfc9a525b4d11842500d Mon Sep 17 00:00:00 2001
From: Henrik Lund Kramshoej <hlk@kramse.org>
Date: Mon, 17 Jul 2017 08:48:24 +0200
Subject: sync before more changes

---
 apache-sp/Dockerfile              |   1 +
 apache-sp/apache-conf/sp.conf     |   6 +-
 apache-sp/secure/index.shtml      |  16 ++---
 apache-sp/shibd/attribute-map.xml | 142 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 154 insertions(+), 11 deletions(-)
 create mode 100644 apache-sp/shibd/attribute-map.xml

(limited to 'apache-sp')

diff --git a/apache-sp/Dockerfile b/apache-sp/Dockerfile
index 34db59a..e433a5f 100644
--- a/apache-sp/Dockerfile
+++ b/apache-sp/Dockerfile
@@ -8,6 +8,7 @@ RUN a2enmod shib2 headers ssl include
 RUN rm -f /etc/apache2/sites-available/* /etc/apache2/sites-enabled/*
 ADD apache-conf/*.conf /etc/apache2/sites-available/
 ADD shibd/shibboleth2.xml /etc/shibboleth/
+ADD shibd/attribute-map.xml /etc/shibboleth/
 ADD secure /var/www/secure
 ADD entrypoint.sh /entrypoint.sh
 ADD nordunet.png /usr/share/shibboleth/nordunet.png
diff --git a/apache-sp/apache-conf/sp.conf b/apache-sp/apache-conf/sp.conf
index f4ba576..9a2d196 100644
--- a/apache-sp/apache-conf/sp.conf
+++ b/apache-sp/apache-conf/sp.conf
@@ -43,12 +43,12 @@ SSLHonorCipherOrder     on
            ShibRequireSession On
            require valid-user
            Options +Includes
-           Header set X_REMOTE_USER %{eppn}e
-           Header set EPPN %{eppn}e
+           Header set X_REMOTE_USER %{eduPersonPrincipalName}e
+           Header set EPPN %{eduPersonPrincipalName}e
+           Header set MAIL %{mail}e
            Header set GIVENNAME %{givenName}e
            Header set DISPLAYNAME %{displayName}e
            Header set SN %{sn}e
-           Header set MAIL %{mail}e
            Header set AFFILIATION %{affiliation}e
            Header set UNSCOPED_AFFILIATION %{unscoped_affiliation}e
            Header set UID %{uid}e
diff --git a/apache-sp/secure/index.shtml b/apache-sp/secure/index.shtml
index 77ef369..d800991 100644
--- a/apache-sp/secure/index.shtml
+++ b/apache-sp/secure/index.shtml
@@ -9,14 +9,14 @@
         <h1>Test</h1>
         <p><!--#echo var="DATE_LOCAL" --></p>
         <ul>
-          <li>UID: <!--#echo var="HTTP_UID" --></li>
-          <li>eduPersonPrincipalName: <!--#echo var="HTTP_EPPN" --></li>
-          <li>Display name: <!--#echo var="HTTP_DISPLAYNAME" --></li>
-          <li>Givenname: <!--#echo var="HTTP_GIVENNAME" --></li>
-          <li>Surname: <!--#echo var="HTTP_SN" --></li>
-          <li>Mail: <!--#echo var="HTTP_MAIL" --></li>
-          <li>Affiliation: <!--#echo var="HTTP_AFFILIATION" --></li>
-          <li>Unscoped affiliation: <!--#echo var="HTTP_UNSCOPED_AFFILIATION" --></li>
+          <li>CN: <!--#echo var="CN" --></li>
+          <li>eduPersonPrincipalName: <!--#echo var="EPPN" --></li>
+          <li>Display name: <!--#echo var="DISPLAYNAME" --></li>
+          <li>Givenname: <!--#echo var="GIVENNAME" --></li>
+          <li>Surname: <!--#echo var="SN" --></li>
+          <li>Mail: <!--#echo var="MAIL" --></li>
+          <li>Affiliation: <!--#echo var="AFFILIATION" --></li>
+          <li>Unscoped affiliation: <!--#echo var="UNSCOPED_AFFILIATION" --></li>
         </ul>
         <pre><!--#printenv --></pre>
       </div>
diff --git a/apache-sp/shibd/attribute-map.xml b/apache-sp/shibd/attribute-map.xml
new file mode 100644
index 0000000..9d48917
--- /dev/null
+++ b/apache-sp/shibd/attribute-map.xml
@@ -0,0 +1,142 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
+    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
+    few exceptions for newer attributes where the name is the same for both versions. You will
+    usually want to uncomment or map the names for both SAML versions as a unit.
+    -->
+
+    <!-- First some useful eduPerson attributes that many sites might use. -->
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+
+    <!-- A persistent id attribute that supports personalized anonymous access. -->
+
+    <!-- First, the deprecated/incorrect version, decoded as a scoped string: -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+        <!-- <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> -->
+    </Attribute>
+
+    <!-- Second, an alternate decoder that will decode the incorrect form into the newer form. -->
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+    -->
+
+    <!-- Third, the new version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Fourth, the SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Some more eduPerson attributes, uncomment these to use them... -->
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+    -->
+
+    <!-- Examples of LDAP-based attributes, uncomment to use these... -->
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
+
+    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.12" id="title"/>
+    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+    <Attribute name="urn:oid:2.5.4.13" id="description"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.9" id="street"/>
+    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+    <Attribute name="urn:oid:2.5.4.8" id="st"/>
+    <Attribute name="urn:oid:2.5.4.7" id="l"/>
+    <Attribute name="urn:oid:2.5.4.10" id="o"/>
+    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+
+</Attributes>
-- 
cgit v1.1