grahamb/DefaultSecurityPolicy.xml Secret

## DefaultSecurityPolicy.xml
<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="00000000-0000-0000-0000-000000000120" version="1" >
    <name>Default Security Policy</name>
    <metadata>
        <requestTimestamp>2024-01-03T11:43:44.368-08:00</requestTimestamp>
        <createTimestamp>2024-01-03T11:43:44.384-08:00</createTimestamp>
        <createChannel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#init</createChannel>
    </metadata>
    <operationExecution>
        <recordType>simple</recordType>
        <timestamp>2024-01-03T11:43:44.412-08:00</timestamp>
        <operation>
            <objectDelta>
                <t:changeType>add</t:changeType>
                <t:objectType>c:SecurityPolicyType</t:objectType>
            </objectDelta>
            <executionResult>
                <operation>com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeDelta</operation>
                <status>success</status>
                <importance>normal</importance>
                <token>1000000000000000016</token>
            </executionResult>
            <objectName>Default Security Policy</objectName>
        </operation>
        <status>success</status>
        <channel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#init</channel>
    </operationExecution>
    <iteration>0</iteration>
    <iterationToken/>
    <authentication>
        <modules>
            <loginForm>
                <identifier>loginForm</identifier>
            </loginForm>
            <httpBasic>
                <identifier>httpBasic</identifier>
            </httpBasic>
            <saml2>
                <identifier>saml2</identifier>
                <description>SFU Shibboleth SSO</description>
                <serviceProvider>
                    <entityId>midpoint_test_sp</entityId>
                    <signRequests>true</signRequests>
                    <keys>
                        <activeKeyStoreKey>
                            <keyStorePath>/opt/midpoint/midpoint_home/saml2/saml2-keys.jks</keyStorePath>
                            <keyStorePassword>
                                <t:clearValue>$(saml2KeystorePassword)</t:clearValue>
                            </keyStorePassword>
                            <keyAlias>midpoint-test-sp-signing</keyAlias>
                            <keyPassword>
                                <t:clearValue>$(saml2signingKeyPassword)</t:clearValue>
                            </keyPassword>
                        </activeKeyStoreKey>
                    </keys>
                    <identityProvider>
                        <entityId>https://idp-stage.its.sfu.ca/idp/shibboleth</entityId>
                        <metadata>
                            <pathToFile>/opt/midpoint/midpoint_home/saml2/idp-stage.xml</pathToFile>
                        </metadata>
                         <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
                        <linkText>SFU CAS</linkText>
                        <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
                    </identityProvider>
                </serviceProvider>
            </saml2>
        </modules>

        <sequence>
            <identifier>admin-gui-saml2</identifier>
            <displayName>SAML2 GUI authentication sequence</displayName>
            <channel>
                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
                <default>true</default>
                <urlSuffix>gui-saml2</urlSuffix>
            </channel>
            <module>
                <identifier>saml2</identifier>
                <order>30</order>
                <necessity>sufficient</necessity>
            </module>
        </sequence>

        <sequence>
            <identifier>admin-gui-emergency</identifier>
            <displayName>Emergency GUI authentication sequence using internal accounts</displayName>
            <channel>
                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
                <urlSuffix>emergency</urlSuffix>
                <default>false</default>
            </channel>
            <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType" />
            <module>
                <identifier>loginForm</identifier>
                <order>30</order>
                <necessity>sufficient</necessity>
            </module>
        </sequence>

        <sequence>
            <identifier>admin-gui-default</identifier>
            <displayName>Default gui sequence</displayName>
            <channel>
                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
                <default>false</default>
                <urlSuffix>gui-default</urlSuffix>
            </channel>
            <module>
                <identifier>loginForm</identifier>
                <order>1</order>
                <necessity>sufficient</necessity>
            </module>
        </sequence>

        <sequence>
            <identifier>rest-default</identifier>
            <channel>
                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
                <default>true</default>
                <urlSuffix>rest-default</urlSuffix>
            </channel>
            <module>
                <identifier>httpBasic</identifier>
                <order>1</order>
                <necessity>sufficient</necessity>
            </module>
        </sequence>

        <sequence>
            <identifier>actuator-default</identifier>
            <channel>
                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId>
                <default>true</default>
                <urlSuffix>actuator-default</urlSuffix>
            </channel>
            <module>
                <identifier>httpBasic</identifier>
                <order>1</order>
                <necessity>sufficient</necessity>
            </module>
        </sequence>

        <ignoredLocalPath>/actuator/health</ignoredLocalPath>
    </authentication>
    <credentials>
        <password>
            <minOccurs>0</minOccurs>
            <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
            <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
            <lockoutDuration>PT15M</lockoutDuration>
            <valuePolicyRef oid="00000000-0000-0000-0000-000000000003" relation="org:default" type="c:ValuePolicyType"/>
        </password>
    </credentials>
</securityPolicy>
	<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="00000000-0000-0000-0000-000000000120" version="1" >
	<name>Default Security Policy</name>
	<metadata>
	<requestTimestamp>2024-01-03T11:43:44.368-08:00</requestTimestamp>
	<createTimestamp>2024-01-03T11:43:44.384-08:00</createTimestamp>
	<createChannel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#init</createChannel>
	</metadata>
	<operationExecution>
	<recordType>simple</recordType>
	<timestamp>2024-01-03T11:43:44.412-08:00</timestamp>
	<operation>
	<objectDelta>
	<t:changeType>add</t:changeType>
	<t:objectType>c:SecurityPolicyType</t:objectType>
	</objectDelta>
	<executionResult>
	<operation>com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeDelta</operation>
	<status>success</status>
	<importance>normal</importance>
	<token>1000000000000000016</token>
	</executionResult>
	<objectName>Default Security Policy</objectName>
	</operation>
	<status>success</status>
	<channel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#init</channel>
	</operationExecution>
	<iteration>0</iteration>
	<iterationToken/>
	<authentication>
	<modules>
	<loginForm>
	<identifier>loginForm</identifier>
	</loginForm>
	<httpBasic>
	<identifier>httpBasic</identifier>
	</httpBasic>
	<saml2>
	<identifier>saml2</identifier>
	<description>SFU Shibboleth SSO</description>
	<serviceProvider>
	<entityId>midpoint_test_sp</entityId>
	<signRequests>true</signRequests>
	<keys>
	<activeKeyStoreKey>
	<keyStorePath>/opt/midpoint/midpoint_home/saml2/saml2-keys.jks</keyStorePath>
	<keyStorePassword>
	<t:clearValue>$(saml2KeystorePassword)</t:clearValue>
	</keyStorePassword>
	<keyAlias>midpoint-test-sp-signing</keyAlias>
	<keyPassword>
	<t:clearValue>$(saml2signingKeyPassword)</t:clearValue>
	</keyPassword>
	</activeKeyStoreKey>
	</keys>
	<identityProvider>
	<entityId>https://idp-stage.its.sfu.ca/idp/shibboleth</entityId>
	<metadata>
	<pathToFile>/opt/midpoint/midpoint_home/saml2/idp-stage.xml</pathToFile>
	</metadata>
	<authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
	<linkText>SFU CAS</linkText>
	<nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
	</identityProvider>
	</serviceProvider>
	</saml2>
	</modules>

	<sequence>
	<identifier>admin-gui-saml2</identifier>
	<displayName>SAML2 GUI authentication sequence</displayName>
	<channel>
	<channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
	<default>true</default>
	<urlSuffix>gui-saml2</urlSuffix>
	</channel>
	<module>
	<identifier>saml2</identifier>
	<order>30</order>
	<necessity>sufficient</necessity>
	</module>
	</sequence>

	<sequence>
	<identifier>admin-gui-emergency</identifier>
	<displayName>Emergency GUI authentication sequence using internal accounts</displayName>
	<channel>
	<channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
	<urlSuffix>emergency</urlSuffix>
	<default>false</default>
	</channel>
	<requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType" />
	<module>
	<identifier>loginForm</identifier>
	<order>30</order>
	<necessity>sufficient</necessity>
	</module>
	</sequence>

	<sequence>
	<identifier>admin-gui-default</identifier>
	<displayName>Default gui sequence</displayName>
	<channel>
	<channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
	<default>false</default>
	<urlSuffix>gui-default</urlSuffix>
	</channel>
	<module>
	<identifier>loginForm</identifier>
	<order>1</order>
	<necessity>sufficient</necessity>
	</module>
	</sequence>

	<sequence>
	<identifier>rest-default</identifier>
	<channel>
	<channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
	<default>true</default>
	<urlSuffix>rest-default</urlSuffix>
	</channel>
	<module>
	<identifier>httpBasic</identifier>
	<order>1</order>
	<necessity>sufficient</necessity>
	</module>
	</sequence>

	<sequence>
	<identifier>actuator-default</identifier>
	<channel>
	<channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId>
	<default>true</default>
	<urlSuffix>actuator-default</urlSuffix>
	</channel>
	<module>
	<identifier>httpBasic</identifier>
	<order>1</order>
	<necessity>sufficient</necessity>
	</module>
	</sequence>

	<ignoredLocalPath>/actuator/health</ignoredLocalPath>
	</authentication>
	<credentials>
	<password>
	<minOccurs>0</minOccurs>
	<lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
	<lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
	<lockoutDuration>PT15M</lockoutDuration>
	<valuePolicyRef oid="00000000-0000-0000-0000-000000000003" relation="org:default" type="c:ValuePolicyType"/>
	</password>
	</credentials>
	</securityPolicy>