Skip to content

Instantly share code, notes, and snippets.

@iogbole

iogbole/attribute-filter.xml

Last active May 26, 2017 08:32
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save iogbole/944996b728af4464c21ecdb7625351a1 to your computer and use it in GitHub Desktop.
Save iogbole/944996b728af4464c21ecdb7625351a1 to your computer and use it in GitHub Desktop.
Download ZIP
Shibboleth 3.3.1 Configuration
Raw
attribute-filter.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is an EXAMPLE policy file. While the policy presented in this
example file is illustrative of some simple cases, it relies on the names of
non-existent example services and the example attributes demonstrated in the
default attribute-resolver.xml file.
Deployers should refer to the documentation for a complete list of components
and their options.
-->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
xmlns="urn:mace:shibboleth:2.0:afp"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
<!-- Release some attributes to an SP. -->
<AttributeFilterPolicy id="releaseToAppD">
<PolicyRequirementRule xsi:type="Requester" value="http://192.168.33.1:8090/controller" />
<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="uid">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>
<!-- Release eduPersonAffiliation to two specific SPs. -->
<!--
<AttributeFilterPolicy id="example2">
<PolicyRequirementRule xsi:type="OR">
<Rule xsi:type="Requester" value="https://sp.example.org" />
<Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
</PolicyRequirementRule>
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>
-->
</AttributeFilterPolicyGroup>
Raw
attribute-resolver-full.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is an EXAMPLE configuration file containing lots of commented
example attributes, encoders, and a couple of example data connectors.
Not all attribute definitions or data connectors are demonstrated, but
a variety of LDAP attributes, some common to Shibboleth deployments and
many not, are included.
Deployers should refer to the Identity Provider 3 documentation
https://wiki.shibboleth.net/confluence/display/IDP30/AttributeResolverConfiguration
for a complete list of components and their options.
-->
<AttributeResolver
xmlns="urn:mace:shibboleth:2.0:resolver"
xmlns:sec="urn:mace:shibboleth:2.0:security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">
<!-- ========================================== -->
<!-- Attribute Definitions -->
<!-- ========================================== -->
<!-- Schema: Core schema attributes-->
<AttributeDefinition xsi:type="Simple" id="uid" sourceAttributeID="uid">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="mail" sourceAttributeID="mail">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="homePhone" sourceAttributeID="homePhone">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePhone" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="homePostalAddress" sourceAttributeID="homePostalAddress">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePostalAddress" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.39" friendlyName="homePostalAddress" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="mobileNumber" sourceAttributeID="mobile">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="pagerNumber" sourceAttributeID="pager">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:pager" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="surname" sourceAttributeID="sn">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="locality" sourceAttributeID="l">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="stateProvince" sourceAttributeID="st">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:st" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.8" friendlyName="st" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="street" sourceAttributeID="street">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:street" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.9" friendlyName="street" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="organizationName" sourceAttributeID="o">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="organizationalUnit" sourceAttributeID="ou">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:ou" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.11" friendlyName="ou" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="title" sourceAttributeID="title">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="postalAddress" sourceAttributeID="postalAddress">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalAddress" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.16" friendlyName="postalAddress" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="postalCode" sourceAttributeID="postalCode">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalCode" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.17" friendlyName="postalCode" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="postOfficeBox" sourceAttributeID="postOfficeBox">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postOfficeBox" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.18" friendlyName="postOfficeBox" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="telephoneNumber" sourceAttributeID="telephoneNumber">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="givenName" sourceAttributeID="givenName">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="initials" sourceAttributeID="initials">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:initials" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" encodeType="false" />
</AttributeDefinition>
<!-- Schema: inetOrgPerson attributes-->
<!--
<AttributeDefinition xsi:type="Simple" id="departmentNumber" sourceAttributeID="departmentNumber">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="displayName" sourceAttributeID="displayName">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="employeeNumber" sourceAttributeID="employeeNumber">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeNumber" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="employeeType" sourceAttributeID="employeeType">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="jpegPhoto" sourceAttributeID="jpegPhoto">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:jpegPhoto" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.60" friendlyName="jpegPhoto" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="preferredLanguage" sourceAttributeID="preferredLanguage">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" encodeType="false" />
</AttributeDefinition>
-->
<!-- Schema: eduPerson attributes -->
<!--
<AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation" sourceAttributeID="eduPersonAffiliation">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="eduPersonEntitlement" sourceAttributeID="eduPersonEntitlement">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="eduPersonNickname" sourceAttributeID="eduPersonNickname">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonNickname" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" friendlyName="eduPersonNickname" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="eduPersonPrimaryAffiliation" sourceAttributeID="eduPersonPrimaryAffiliation">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Scoped" id="eduPersonUniqueId" scope="%{idp.scope}" sourceAttributeID="localUniqueId">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" encodeType="false" />
<AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName" sourceAttributeID="eduPersonPrincipalName">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
<AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalNamePrior" sourceAttributeID="eduPersonPrincipalNamePrior">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" encodeType="false" />
<AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" friendlyName="eduPersonPrincipalNamePrior" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}" sourceAttributeID="eduPersonAffiliation">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
<AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="eduPersonAssurance" sourceAttributeID="eduPersonAssurance">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAssurance" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance" encodeType="false" />
</AttributeDefinition>
-->
<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->
<!-- Example Static Connector -->
<!--
<DataConnector id="staticAttributes" xsi:type="Static">
<Attribute id="eduPersonAffiliation">
<Value>member</Value>
</Attribute>
</DataConnector>
-->
<!-- Example Relational Database Connector -->
<!--
<DataConnector id="mySIS" xsi:type="RelationalDatabase">
<ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB"
jdbcUserName="myid"
jdbcPassword="mypassword" />
<QueryTemplate>
<![CDATA[
SELECT * FROM student WHERE gzbtpid = '$resolutionContext.principal'
]]>
</QueryTemplate>
<Column columnName="gzbtpid" attributeID="uid" />
<Column columnName="fqlft" attributeID="gpa" />
</DataConnector>
-->
<!-- Example LDAP Connector -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
principal="%{idp.attribute.resolver.LDAP.bindDN}"
principalCredential="LDAP password in plain text - because reading the password from the property file failed"
connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
<FilterTemplate>
<![CDATA[
%{idp.attribute.resolver.LDAP.searchFilter}
]]>
</FilterTemplate>
<!-- <StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
<sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
</StartTLSTrustCredential> -->
</DataConnector>
</AttributeResolver>
Raw
controller.xml
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
validUntil="2018-05-15T20:32:30Z"
cacheDuration="PT1440M"
entityID="http://192.168.33.1:8090/controller">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="http://192.168.33.1:8090/controller/saml-auth?accountName=customer1" />
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://192.168.33.1:8090/controller/saml-auth?accountName=customer1"
index="1" />
</md:SPSSODescriptor>
<md:ContactPerson contactType="technical">
<md:GivenName>AppDynamics Support</md:GivenName>
<md:EmailAddress>support@appdynamics.com</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
Raw
idp.properties
# Load any additional property resources from a comma-delimited list
idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties
# Set the entityID of the IdP
idp.entityID= https://idp.localhost.com/idp/shibboleth
# Set the scope used in the attribute resolver for scoped attributes
idp.scope= localhost.com
# General cookie properties (maxAge only applies to persistent cookies)
#idp.cookie.secure = false
#idp.cookie.httpOnly = true
#idp.cookie.domain =
#idp.cookie.path =
#idp.cookie.maxAge = 31536000
# Set the location of user-supplied web flow definitions
#idp.webflows = %{idp.home}/flows
# Set the location of Velocity view templates
#idp.views = %{idp.home}/views
# Settings for internal AES encryption key
#idp.sealer.storeType = JCEKS
#idp.sealer.updateInterval = PT15M
#idp.sealer.aliasBase = secret
idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
idp.sealer.storePassword= appdynamics
idp.sealer.keyPassword= appdynamics
# Settings for public/private signing and encryption key(s)
# During decryption key rollover, point the ".2" properties at a second
# keypair, uncomment in credentials.xml, then publish it in your metadata.
idp.signing.key= %{idp.home}/credentials/idp-signing.key
idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
idp.encryption.key= %{idp.home}/credentials/idp-encryption.key
idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
# Sets the bean ID to use as a default security configuration set
#idp.security.config = shibboleth.DefaultSecurityConfiguration
# To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1
#idp.signing.config = shibboleth.SigningConfiguration.SHA256
# Configures trust evaluation of keys used by services at runtime
# Defaults to supporting both explicit key and PKIX using SAML metadata.
#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
# To pick only one set to one of:
# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
# To pick only one set to one of:
# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine
# If true, encryption will happen whenever a key to use can be located, but
# failure to encrypt won't result in request failure.
idp.encryption.optional = true
# Configuration of client- and server-side storage plugins
#idp.storage.cleanupInterval = PT10M
#idp.storage.htmlLocalStorage = false
# Set to true to expose more detailed errors in responses to SPs
#idp.errors.detailed = false
# Set to false to skip signing of SAML response messages that signal errors
#idp.errors.signed = true
# Name of bean containing a list of Java exception classes to ignore
#idp.errors.excludedExceptions = ExceptionClassListBean
# Name of bean containing a property set mapping exception names to views
#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
# Set if a different default view name for events and exceptions is needed
#idp.errors.defaultView = error
# Set to false to disable the IdP session layer
#idp.session.enabled = true
# Set to "shibboleth.StorageService" for server-side storage of user sessions
#idp.session.StorageService = shibboleth.ClientSessionStorageService
# Size of session IDs
#idp.session.idSize = 32
# Bind sessions to IP addresses
#idp.session.consistentAddress = true
# Inactivity timeout
#idp.session.timeout = PT60M
# Extra time to store sessions for logout
#idp.session.slop = PT0S
# Tolerate storage-related errors
#idp.session.maskStorageFailure = false
# Track information about SPs logged into
#idp.session.trackSPSessions = false
# Support lookup by SP for SAML logout
#idp.session.secondaryServiceIndex = false
# Length of time to track SP sessions
#idp.session.defaultSPlifetime = PT2H
# Regular expression matching login flows to enable, e.g. IPAddress|Password
idp.authn.flows= Password
# Regular expression of forced "initial" methods when no session exists,
# usually in conjunction with the idp.authn.resolveAttribute property below.
#idp.authn.flows.initial = Password
# Set to an attribute ID to resolve prior to selecting authentication flows;
# its values are used to filter the flows to allow.
#idp.authn.resolveAttribute = eduPersonAssurance
# Default lifetime and timeout of various authentication methods
#idp.authn.defaultLifetime = PT60M
#idp.authn.defaultTimeout = PT30M
# Whether to populate relying party user interface information for display
# during authentication, consent, terms-of-use.
#idp.authn.rpui = true
# Whether to prioritize "active" results when an SP requests more than
# one possible matching login method (V2 behavior was to favor them)
#idp.authn.favorSSO = false
# Whether to fail requests when a user identity after authentication
# doesn't match the identity in a pre-existing session.
#idp.authn.identitySwitchIsError = false
# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
# to key user consent storage records (and set the attribute name)
#idp.consent.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
#idp.consent.userStorageKeyAttribute = uid
# Flags controlling how built-in attribute consent feature operates
#idp.consent.allowDoNotRemember = true
#idp.consent.allowGlobal = true
#idp.consent.allowPerAttribute = false
# Whether attribute values and terms of use text are compared
#idp.consent.compareValues = false
# Maximum number of consent records for space-limited storage (e.g. cookies)
#idp.consent.maxStoredRecords = 10
# Maximum number of consent records for larger/server-side storage (0 = no limit)
#idp.consent.expandedMaxStoredRecords = 0
# Time in milliseconds to expire consent storage records.
#idp.consent.storageRecordLifetime = P1Y
# Whether to lookup metadata, etc. for every SP involved in a logout
# for use by user interface logic; adds overhead so off by default.
#idp.logout.elaboration = false
# Whether to require logout requests/responses be signed/authenticated.
#idp.logout.authenticated = true
# Message freshness and replay cache tuning
#idp.policy.messageLifetime = PT3M
#idp.policy.clockSkew = PT3M
# Set to custom bean for alternate storage of replay cache
#idp.replayCache.StorageService = shibboleth.StorageService
# Toggles whether to allow outbound messages via SAML artifact
#idp.artifact.enabled = true
# Suppresses typical signing/encryption when artifact binding used
#idp.artifact.secureChannel = true
# May differ to direct SAML 2 artifact lookups to specific server nodes
#idp.artifact.endpointIndex = 2
# Set to custom bean for alternate storage of artifact map state
#idp.artifact.StorageService = shibboleth.StorageService
# Comma-delimited languages to use if not match can be found with the
# browser-supported languages, defaults to an empty list.
idp.ui.fallbackLanguages= en,fr,de
# Storage service used by CAS protocol
# Defaults to shibboleth.StorageService (in-memory)
# MUST be server-side storage (e.g. in-memory, memcached, database)
# NOTE that idp.session.StorageService requires server-side storage
# when CAS protocol is enabled
#idp.cas.StorageService=shibboleth.StorageService
# CAS service registry implementation class
#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry
# Profile flows in which the ProfileRequestContext should be exposed
# in servlet request under the key "opensamlProfileRequestContext"
#idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO
# F-TICKS auditing - set a salt to include hashed username
#idp.fticks.federation=MyFederation
#idp.fticks.algorithm=SHA-256
#idp.fticks.salt=somethingsecret
#idp.fticks.loghost=localhost
#idp.fticks.logport=514
Raw
idp.xml
<Context docBase="/opt/shibboleth-idp/war/idp.war"
privileged="true"
antiResourceLocking="false"
unpackWAR="false"
swallowOutput="true" />
Raw
ldap.properties
# LDAP authentication configuration, see authn/ldap-authn-config.xml
# Note, this doesn't apply to the use of JAAS
## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
#idp.authn.LDAP.authenticator = anonSearchAuthenticator
## Connection properties ##
idp.authn.LDAP.ldapURL = ldap://192.168.33.16:389
#idp.authn.LDAP.useStartTLS = true
#idp.authn.LDAP.useSSL = false
# Time in milliseconds that connects will block
#idp.authn.LDAP.connectTimeout = PT3S
# Time in milliseconds to wait for responses
#idp.authn.LDAP.responseTimeout = PT3S
## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
#idp.authn.LDAP.sslConfig = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
#idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
#idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
## Return attributes during authentication
idp.authn.LDAP.returnAttributes = cn,givenName
## DN resolution properties ##
# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
# for AD: CN=Users,DC=example,DC=org
idp.authn.LDAP.baseDN = ou=uk,dc=appd,dc=com
#idp.authn.LDAP.subtreeSearch = false
idp.authn.LDAP.userFilter = (uid={user})
# bind search configuration
# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
idp.authn.LDAP.bindDN = cn=admin,dc=appd,dc=com
idp.authn.LDAP.bindDNCredential = appdynamics
# Format DN resolution, used by directAuthenticator, adAuthenticator
# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
idp.authn.LDAP.dnFormat = uid=%s,ou=uk,dc=appd,dc=com
# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver configurations
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout:PT3S}
idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout:PT3S}
idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined}
idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)
# LDAP pool configuration, used for both authn and DN resolution
#idp.pool.LDAP.minSize = 3
#idp.pool.LDAP.maxSize = 10
#idp.pool.LDAP.validateOnCheckout = false
#idp.pool.LDAP.validatePeriodically = true
#idp.pool.LDAP.validatePeriod = PT5M
#idp.pool.LDAP.prunePeriod = PT5M
#idp.pool.LDAP.idleTime = PT10M
#idp.pool.LDAP.blockWaitTime = PT3S
#idp.pool.LDAP.failFastInitialize = false
Raw
logback.xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<!--
Variables for simplifying logging configuration.
http://logback.qos.ch/manual/configuration.html#variableSubstitution
-->
<variable name="idp.logfiles" value="${idp.home}/logs" />
<variable name="idp.loghistory" value="180" />
<!-- Much higher performance if you operate on DEBUG. -->
<!-- <variable name="idp.process.appender" value="ASYNC_PROCESS" /> -->
<!-- Logging level shortcuts. -->
<variable name="idp.loglevel.idp" value="TRACE" />
<variable name="idp.loglevel.ldap" value="TRACE" />
<variable name="idp.loglevel.messages" value="INFO" />
<variable name="idp.loglevel.encryption" value="INFO" />
<variable name="idp.loglevel.opensaml" value="INFO" />
<variable name="idp.loglevel.props" value="INFO" />
<!-- Don't turn these up unless you want a *lot* of noise. -->
<variable name="idp.loglevel.spring" value="ERROR" />
<variable name="idp.loglevel.container" value="ERROR" />
<variable name="idp.loglevel.xmlsec" value="INFO" />
<!--
If you want to use custom properties in this config file,
we load the main property file for you.
-->
<variable file="${idp.home}/conf/idp.properties" />
<!-- =========================================================== -->
<!-- ============== Logging Categories and Levels ============== -->
<!-- =========================================================== -->
<!-- Logs IdP, but not OpenSAML, messages -->
<logger name="net.shibboleth.idp" level="${idp.loglevel.idp:-TRACE}"/>
<!-- Logs OpenSAML, but not IdP, messages -->
<logger name="org.opensaml.saml" level="${idp.loglevel.opensaml:-INFO}"/>
<!-- Logs LDAP related messages -->
<logger name="org.ldaptive" level="${idp.loglevel.ldap:-TRACE}"/>
<!-- Logs inbound and outbound protocols messages at DEBUG level -->
<logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages:-INFO}" />
<!-- Logs unencrypted SAML at DEBUG level -->
<logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption:-INFO}" />
<!-- Logs system properties during startup at DEBUG level -->
<logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props:-INFO}" />
<!-- Especially chatty. -->
<logger name="net.shibboleth.idp.saml.attribute.mapping" level="INFO" />
<logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec:-INFO}" />
<logger name="org.springframework" level="${idp.loglevel.spring:-ERROR}"/>
<logger name="org.apache.catalina" level="${idp.loglevel.container:-ERROR}"/>
<logger name="org.eclipse.jetty" level="${idp.loglevel.container:-ERROR}"/>
<!-- =========================================================== -->
<!-- ============== Low Level Details or Changes =============== -->
<!-- =========================================================== -->
<!-- Process log. -->
<appender name="IDP_PROCESS" class="ch.qos.logback.core.rolling.RollingFileAppender">
<File>${idp.logfiles}/idp-process.log</File>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
<maxHistory>${idp.loghistory:-180}</maxHistory>
</rollingPolicy>
<encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
<charset>UTF-8</charset>
<Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
</encoder>
<!-- Ignore Velocity status page error. -->
<filter class="ch.qos.logback.core.filter.EvaluatorFilter">
<evaluator>
<matcher>
<Name>VelocityStatusMatcher</Name>
<regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
</matcher>
<expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
</evaluator>
<OnMatch>DENY</OnMatch>
</filter>
</appender>
<appender name="ASYNC_PROCESS" class="ch.qos.logback.classic.AsyncAppender">
<appender-ref ref="IDP_PROCESS" />
<discardingThreshold>0</discardingThreshold>
</appender>
<appender name="IDP_WARN" class="ch.qos.logback.core.rolling.RollingFileAppender">
<!-- Suppress anything below WARN. -->
<filter class="ch.qos.logback.classic.filter.ThresholdFilter">
<level>WARN</level>
</filter>
<File>${idp.logfiles}/idp-warn.log</File>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
<maxHistory>${idp.loghistory:-180}</maxHistory>
</rollingPolicy>
<encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
<charset>UTF-8</charset>
<Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
</encoder>
<!-- Ignore Velocity status page error. -->
<filter class="ch.qos.logback.core.filter.EvaluatorFilter">
<evaluator>
<matcher>
<Name>VelocityStatusMatcher</Name>
<regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
</matcher>
<expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
</evaluator>
<OnMatch>DENY</OnMatch>
</filter>
</appender>
<!-- Audit log. -->
<appender name="IDP_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
<File>${idp.logfiles}/idp-audit.log</File>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
<maxHistory>${idp.loghistory:-180}</maxHistory>
</rollingPolicy>
<encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
<charset>UTF-8</charset>
<Pattern>%msg%n</Pattern>
</encoder>
</appender>
<!-- Consent audit log. -->
<appender name="IDP_CONSENT_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
<File>${idp.logfiles}/idp-consent-audit.log</File>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
<maxHistory>${idp.loghistory:-180}</maxHistory>
</rollingPolicy>
<encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
<charset>UTF-8</charset>
<Pattern>%msg%n</Pattern>
</encoder>
</appender>
<!-- F-TICKS syslog destination. -->
<appender name="IDP_FTICKS" class="ch.qos.logback.classic.net.SyslogAppender">
<syslogHost>${idp.fticks.loghost:-localhost}</syslogHost>
<port>${idp.fticks.logport:-514}</port>
<facility>AUTH</facility>
<suffixPattern>[%thread] %logger %msg</suffixPattern>
</appender>
<logger name="Shibboleth-Audit" level="ALL">
<appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/>
</logger>
<logger name="Shibboleth-FTICKS" level="ALL" additivity="false">
<appender-ref ref="${idp.fticks.appender:-IDP_FTICKS}"/>
</logger>
<logger name="Shibboleth-Consent-Audit" level="ALL">
<appender-ref ref="${idp.consent.appender:-IDP_CONSENT_AUDIT}"/>
</logger>
<root level="${idp.loglevel.root:-INFO}">
<appender-ref ref="${idp.process.appender:-IDP_PROCESS}"/>
<appender-ref ref="${idp.warn.appender:-IDP_WARN}" />
</root>
</configuration>
Raw
metadata-provider.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- This file is an EXAMPLE metadata configuration file. -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
xmlns:resource="urn:mace:shibboleth:2.0:resource"
xmlns:security="urn:mace:shibboleth:2.0:security"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
<!-- ========================================================================================== -->
<!-- Metadata Configuration -->
<!-- -->
<!-- Below you place the mechanisms which define how to load the metadata for SP(s) you will -->
<!-- provide service to. -->
<!-- -->
<!-- Two examples are provided. The Shibboleth Documentation at -->
<!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration -->
<!-- provides more details. -->
<!-- -->
<!-- NOTE. This file SHOULD NOT contain the metadata for this IdP. -->
<!-- ========================================================================================== -->
<!--
Example HTTP metadata provider. Use this if you want to download the metadata
from a remote source.
You *MUST* provide the SignatureValidationFilter in order to function securely.
Get the public key certificate from the party publishing the metadata, and validate
it with them via some out of band mechanism (e.g., a fingerprint on a secure page).
The EntityRoleWhiteList saves memory by only loading metadata from SAML roles
that the IdP needs to interoperate with.
-->
<!--
<MetadataProvider id="HTTPMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
metadataURL="http://WHATEVER">
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
<MetadataFilter xsi:type="EntityRoleWhiteList">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>
-->
<!--
Example file metadata provider. Use this if you want to load metadata
from a local file. You might use this if you have some local SPs
which are not "federated" but you wish to offer a service to.
If you do not provide a SignatureValidation filter, then you have the
responsibility to ensure that the contents on disk are trustworthy.
-->
<MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/controller.xml"/>
</MetadataProvider>
Raw
server.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-->
<!--
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/opt/shibboleth-idp/credentials/idp-backchannel.p12" keystorePass="appdynamics"
clientAuth="false" sslProtocol="TLS"
/>
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation. The default
SSLImplementation will depend on the presence of the APR/native
library and the useOpenSSL attribute of the
AprLifecycleListener.
Either JSSE or OpenSSL style configuration may be used regardless of
the SSLImplementation selected. JSSE style configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
This connector uses the APR/native implementation which always uses
OpenSSL for TLS.
Either JSSE or OpenSSL style configuration may be used. OpenSSL style
configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
certificateChainFile="conf/localhost-rsa-chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
</Engine>
</Service>
</Server>
Raw
services.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
<!-- Advanced configuration of services from SVN.
To use an SVN resource you need to construct it and then inject it into
The appropriate bean. To use property replacement you will need a separate
resource pointing to the replacement phrase.
For example:
<bean id="AuthnMgr" class="org.tmatesoft.svn.core.auth.BasicAuthenticationManager">
<constructor-arg>
<null />
</constructor-arg>
</bean>
<bean id="ClientMgr" factory-method="newInstance"
class="org.tmatesoft.svn.core.wc.SVNClientManager"
p:authenticationManager-ref="AuthnMgr" />
<bean id="TheSVNURL" factory-method="create"
class="org.tmatesoft.svn.core.SVNURL">
<constructor-arg value="https" />
<constructor-arg>
<null />
</constructor-arg>
<constructor-arg value="svn.shibboleth.net" />
<constructor-arg value="-1" />
<constructor-arg
value="/utilities/spring-extensions/trunk/src/test/resources/data/" />
<constructor-arg value="false" />
</bean>
<bean id="TheSVNResource" class="net.shibboleth.ext.spring.resource.SVNResource">
<constructor-arg ref="ClientMgr" />
<constructor-arg ref="TheSVNURL" />
<constructor-arg value="D:/testdir/dir" />
<constructor-arg value="-1" />
<constructor-arg value="TestResource.txt" />
</bean>
<util:list id="shibboleth.AttributeResolverResources">
<ref bean="TheSVNResource"/>
<value>path_to_properties_specifyingBean_file</value>
</util:list>
see also https://wiki.shibboleth.net/confluence/display/IDP30/SVNResource
http://svnkit.com/javadoc/org/tmatesoft/svn/core/auth/BasicAuthenticationManager.html#constructor_detail
http://svnkit.com/javadoc/org/tmatesoft/svn/core/SVNURL.html
-->
<!-- Advanced configuration of services from HTTP.
To use an HTTP resource you first need to configure the Apache HttpClient which will be used
to communicate with the web server. Any HttpClient can be used, but two Factory Beans allow simple
configuration of in-memory or file-based caching clients.
Examples are:
A resource which will be supplied from an in-memory cache for as long as the file on the webserver does not change.
If the webserver becomes unavailable the resource will be unavailable.
<bean id="inMemoryResource" class="net.shibboleth.ext.spring.resource.HTTPResource"
c:client-ref="shibboleth.MemoryCachingHttpClient"
c:url="http://example.org/path/to/file.xml" />
Two resources which will be supplied from an on disk cache (suitable for multiple or large files) for as long
as the file on the webserver does not change. If the webserver becomes unavailable the last used contents
of the file will be returned (even if that was in a previous IdP lifetime).
<bean id="fileResource" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource"
c:client-ref="shibboleth.FileCachingHttpClient"
c:url="http://example.org/path/to/file.xml"
c:backingFile="/var/shibboleth/caches/resourcecache/file.xml"/>
<bean id="otherFileResource" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource"
c:client-ref="shibboleth.FileCachingHttpClient"
c:url="http://another.server.example.org/path/to/different/file.xml"
c:backingFile="/var/shibboleth/caches/resourcecache/differentFile.xml"/>
In all cases you should review the "idp.httpclient.*" properties defined in services.properties
-->
<!--
Otherwise by default we look at resources whose names are derived from %{idp.home}. Services not configured
using native Spring syntax also need to load the property-placeholder file in order to pull settings from
property sources.
-->
<!-- This set of resources supports a native Spring relying-party.xml file. -->
<util:list id="shibboleth.RelyingPartyResolverResources">
<value>%{idp.home}/conf/relying-party.xml</value>
<value>%{idp.home}/conf/credentials.xml</value>
<value>%{idp.home}/system/conf/relying-party-system.xml</value>
</util:list>
<!-- This set of resources supports a legacy 2.x relying-party.xml file. -->
<util:list id="shibboleth.LegacyRelyingPartyResolverResources">
<value>%{idp.home}/conf/relying-party.xml</value>
<value>%{idp.home}/system/conf/legacy-relying-party-defaults.xml</value>
</util:list>
<util:list id="shibboleth.MetadataResolverResources">
<value>%{idp.home}/conf/metadata-providers.xml</value>
<value>%{idp.home}/system/conf/metadata-providers-system.xml</value>
</util:list>
<util:list id ="shibboleth.AttributeResolverResources">
<value>%{idp.home}/conf/attribute-resolver-full.xml</value>
</util:list>
<util:list id ="shibboleth.AttributeFilterResources">
<value>%{idp.home}/conf/attribute-filter.xml</value>
</util:list>
<util:list id ="shibboleth.NameIdentifierGenerationResources">
<value>%{idp.home}/conf/saml-nameid.xml</value>
<value>%{idp.home}/system/conf/saml-nameid-system.xml</value>
</util:list>
<util:list id="shibboleth.AccessControlResources">
<value>%{idp.home}/conf/access-control.xml</value>
<value>%{idp.home}/system/conf/access-control-system.xml</value>
</util:list>
<util:list id="shibboleth.CASServiceRegistryResources">
<value>%{idp.home}/conf/cas-protocol.xml</value>
</util:list>
<!--
This collection of resources differs slightly in that it should not include the file extension.
Message sources are internationalized, and Spring will search for a compatible language extension
and fall back to one with only a .properties extension.
-->
<util:list id="shibboleth.MessageSourceResources">
<value>%{idp.home}/messages/messages</value>
<value>%{idp.home}/system/messages/messages</value>
</util:list>
</beans>
Raw
setenv.sh
#! /bin/sh
# ==================================================================
# Multi-instance Apache Tomcat installation with a focus
# on best-practices as defined by Apache, SpringSource, and MuleSoft
# and enterprise use with large-scale deployments.
# Based On:
# http://www.springsource.com/files/uploads/tomcat/tomcatx-performance-tuning.pdf
# http://www.springsource.com/files/u1/PerformanceTuningApacheTomcat-Part2.pdf
# http://www.springsource.com/files/uploads/tomcat/tomcatx-large-scale-deployments.pdf
# ==================================================================
#appDynamics
#export CATALINA_OPTS="$CATALINA_OPTS -javaagent:/Users/israel.ogbole/appDynamics/appagent/tomcat7app/javaagent.jar"
#apr
#export CATALINA_OPTS="$CATALINA_OPTS -Djava.library.path=/usr/local/opt/tomcat-native/lib"
#export CATALINA_OPTS="$CATALINA_OPTS -Didp.home=/Users/israel.ogbole/projects/shibboleth-idp"
# discourage address map swapping by setting Xms and Xmx to the same value
# http://confluence.atlassian.com/display/DOC/Garbage+Collector+Performance+Issues
export CATALINA_OPTS="$CATALINA_OPTS -Xms256m"
export CATALINA_OPTS="$CATALINA_OPTS -Xmx1g"
# Increase maximum perm size for web base applications to 4x the default amount
# http://wiki.apache.org/tomcat/FAQ/Memoryhttp://wiki.apache.org/tomcat/FAQ/Memory
export CATALINA_OPTS="$CATALINA_OPTS -XX:MaxPermSize=256m"
# Reset the default stack size for threads to a lower value (by 1/10th original)
# By default this can be anywhere between 512k -> 1024k depending on x32 or x64
# bit Java version.
# http://www.springsource.com/files/uploads/tomcat/tomcatx-large-scale-deployments.pdf
# http://www.oracle.com/technetwork/java/hotspotfaq-138619.html
export CATALINA_OPTS="$CATALINA_OPTS -Xss300k"
# Oracle Java as default, uses the serial garbage collector on the
# Full Tenured heap. The Young space is collected in parallel, but the
# Tenured is not. This means that at a time of load if a full collection
# event occurs, since the event is a 'stop-the-world' serial event then
# all application threads other than the garbage collector thread are
# taken off the CPU. This can have severe consequences if requests continue
# to accrue during these 'outage' periods. (specifically webservices, webapps)
# [Also enables adaptive sizing automatically]
export CATALINA_OPTS="$CATALINA_OPTS -XX:+UseParallelGC"
# This is interpreted as a hint to the garbage collector that pause times
# of <nnn> milliseconds or less are desired. The garbage collector will
# adjust the Java heap size and other garbage collection related parameters
# in an attempt to keep garbage collection pauses shorter than <nnn> milliseconds.
# http://java.sun.com/docs/hotspot/gc5.0/ergo5.html
export CATALINA_OPTS="$CATALINA_OPTS -XX:MaxGCPauseMillis=1500"
# A hint to the virtual machine that it.s desirable that not more than:
# 1 / (1 + GCTimeRation) of the application execution time be spent in
# the garbage collector.
# http://themindstorms.wordpress.com/2009/01/21/advanced-jvm-tuning-for-low-pause/
export CATALINA_OPTS="$CATALINA_OPTS -XX:GCTimeRatio=9"
# The hotspot server JVM has specific code-path optimizations
# which yield an approximate 10% gain over the client version.
export CATALINA_OPTS="$CATALINA_OPTS -server"
# Disable remote (distributed) garbage collection by Java clients
# and remove ability for applications to call explicit GC collection
export CATALINA_OPTS="$CATALINA_OPTS -XX:+DisableExplicitGC"
# Check for application specific parameters at startup
if [ -r "$CATALINA_BASE/bin/appenv.sh" ]; then
. "$CATALINA_BASE/bin/appenv.sh"
fi
echo "Using CATALINA_OPTS:"
for arg in $CATALINA_OPTS
do
echo ">> " $arg
done
echo ""
echo "Using JAVA_OPTS:"
for arg in $JAVA_OPTS
do
echo ">> " $arg
done
echo "_______________________________________________"
echo ""
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment