Shibboleth 3.3.1 Configuration
<?xml version="1.0" encoding="UTF-8"?> | |
<!-- | |
This file is an EXAMPLE policy file. While the policy presented in this | |
example file is illustrative of some simple cases, it relies on the names of | |
non-existent example services and the example attributes demonstrated in the | |
default attribute-resolver.xml file. | |
Deployers should refer to the documentation for a complete list of components | |
and their options. | |
--> | |
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" | |
xmlns="urn:mace:shibboleth:2.0:afp" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd"> | |
<!-- Release some attributes to an SP. --> | |
<!-- | |
Release policy for the AppDynamics controller SP. The Requester rule is | |
matched against the requesting SP's entityID, so the value below has to | |
equal the entityID declared in that SP's metadata | |
(http://192.168.33.1:8090/controller on this page). | |
Only givenName, uid and mail are released. Every other attribute defined in | |
attribute-resolver.xml (homePhone, homePostalAddress, mobile, pager, the | |
postal address fields, ...) is resolved but withheld from this SP, which is | |
the intended least-privilege outcome; extend this list deliberately, one | |
attribute at a time, rather than switching to a broader rule. | |
Note that the SP metadata on this page declares plain-http endpoints and no | |
encryption key, so the released values reach the SP unencrypted unless that | |
metadata is corrected. | |
--> | |
<AttributeFilterPolicy id="releaseToAppD"> | |
<PolicyRequirementRule xsi:type="Requester" value="http://192.168.33.1:8090/controller" /> | |
<AttributeRule attributeID="givenName"> | |
<PermitValueRule xsi:type="ANY" /> | |
</AttributeRule> | |
<AttributeRule attributeID="uid"> | |
<PermitValueRule xsi:type="ANY" /> | |
</AttributeRule> | |
<AttributeRule attributeID="mail"> | |
<PermitValueRule xsi:type="ANY" /> | |
</AttributeRule> | |
</AttributeFilterPolicy> | |
<!-- Release eduPersonAffiliation to two specific SPs. --> | |
<!-- | |
<AttributeFilterPolicy id="example2"> | |
<PolicyRequirementRule xsi:type="OR"> | |
<Rule xsi:type="Requester" value="https://sp.example.org" /> | |
<Rule xsi:type="Requester" value="https://another.example.org/shibboleth" /> | |
</PolicyRequirementRule> | |
<AttributeRule attributeID="eduPersonScopedAffiliation"> | |
<PermitValueRule xsi:type="ANY" /> | |
</AttributeRule> | |
</AttributeFilterPolicy> | |
--> | |
</AttributeFilterPolicyGroup> |
<?xml version="1.0" encoding="UTF-8"?> | |
<!-- | |
This file is an EXAMPLE configuration file containing lots of commented | |
example attributes, encoders, and a couple of example data connectors. | |
Not all attribute definitions or data connectors are demonstrated, but | |
a variety of LDAP attributes, some common to Shibboleth deployments and | |
many not, are included. | |
Deployers should refer to the Identity Provider 3 documentation | |
https://wiki.shibboleth.net/confluence/display/IDP30/AttributeResolverConfiguration | |
for a complete list of components and their options. | |
--> | |
<AttributeResolver | |
xmlns="urn:mace:shibboleth:2.0:resolver" | |
xmlns:sec="urn:mace:shibboleth:2.0:security" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd | |
urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd"> | |
<!-- ========================================== --> | |
<!-- Attribute Definitions --> | |
<!-- ========================================== --> | |
<!-- Schema: Core schema attributes--> | |
<AttributeDefinition xsi:type="Simple" id="uid" sourceAttributeID="uid"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="mail" sourceAttributeID="mail"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="homePhone" sourceAttributeID="homePhone"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePhone" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="homePostalAddress" sourceAttributeID="homePostalAddress"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePostalAddress" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.39" friendlyName="homePostalAddress" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="mobileNumber" sourceAttributeID="mobile"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="pagerNumber" sourceAttributeID="pager"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:pager" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="surname" sourceAttributeID="sn"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="locality" sourceAttributeID="l"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="stateProvince" sourceAttributeID="st"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:st" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.8" friendlyName="st" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="street" sourceAttributeID="street"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:street" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.9" friendlyName="street" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="organizationName" sourceAttributeID="o"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="organizationalUnit" sourceAttributeID="ou"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:ou" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.11" friendlyName="ou" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="title" sourceAttributeID="title"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="postalAddress" sourceAttributeID="postalAddress"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalAddress" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.16" friendlyName="postalAddress" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="postalCode" sourceAttributeID="postalCode"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalCode" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.17" friendlyName="postalCode" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="postOfficeBox" sourceAttributeID="postOfficeBox"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postOfficeBox" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.18" friendlyName="postOfficeBox" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="telephoneNumber" sourceAttributeID="telephoneNumber"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="givenName" sourceAttributeID="givenName"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="initials" sourceAttributeID="initials"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:initials" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" encodeType="false" /> | |
</AttributeDefinition> | |
<!-- Schema: inetOrgPerson attributes--> | |
<!-- | |
<AttributeDefinition xsi:type="Simple" id="departmentNumber" sourceAttributeID="departmentNumber"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="displayName" sourceAttributeID="displayName"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="employeeNumber" sourceAttributeID="employeeNumber"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeNumber" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="employeeType" sourceAttributeID="employeeType"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="jpegPhoto" sourceAttributeID="jpegPhoto"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:jpegPhoto" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.60" friendlyName="jpegPhoto" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="preferredLanguage" sourceAttributeID="preferredLanguage"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" encodeType="false" /> | |
</AttributeDefinition> | |
--> | |
<!-- Schema: eduPerson attributes --> | |
<!-- | |
<AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation" sourceAttributeID="eduPersonAffiliation"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="eduPersonEntitlement" sourceAttributeID="eduPersonEntitlement"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="eduPersonNickname" sourceAttributeID="eduPersonNickname"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonNickname" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" friendlyName="eduPersonNickname" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="eduPersonPrimaryAffiliation" sourceAttributeID="eduPersonPrimaryAffiliation"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Scoped" id="eduPersonUniqueId" scope="%{idp.scope}" sourceAttributeID="localUniqueId"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName" sourceAttributeID="eduPersonPrincipalName"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalNamePrior" sourceAttributeID="eduPersonPrincipalNamePrior"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" friendlyName="eduPersonPrincipalNamePrior" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}" sourceAttributeID="eduPersonAffiliation"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" /> | |
</AttributeDefinition> | |
<AttributeDefinition xsi:type="Simple" id="eduPersonAssurance" sourceAttributeID="eduPersonAssurance"> | |
<Dependency ref="myLDAP" /> | |
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAssurance" encodeType="false" /> | |
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance" encodeType="false" /> | |
</AttributeDefinition> | |
--> | |
<!-- ========================================== --> | |
<!-- Data Connectors --> | |
<!-- ========================================== --> | |
<!-- Example Static Connector --> | |
<!-- | |
<DataConnector id="staticAttributes" xsi:type="Static"> | |
<Attribute id="eduPersonAffiliation"> | |
<Value>member</Value> | |
</Attribute> | |
</DataConnector> | |
--> | |
<!-- Example Relational Database Connector --> | |
<!-- | |
<DataConnector id="mySIS" xsi:type="RelationalDatabase"> | |
<ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver" | |
jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB" | |
jdbcUserName="myid" | |
jdbcPassword="mypassword" /> | |
<QueryTemplate> | |
<![CDATA[ | |
SELECT * FROM student WHERE gzbtpid = '$resolutionContext.principal' | |
]]> | |
</QueryTemplate> | |
<Column columnName="gzbtpid" attributeID="uid" /> | |
<Column columnName="fqlft" attributeID="gpa" /> | |
</DataConnector> | |
--> | |
<!-- Example LDAP Connector --> | |
<!-- | |
NOTE(review): principalCredential below is a literal string, unlike the | |
other connection settings, which are property placeholders. ldap.properties | |
on this page defines idp.attribute.resolver.LDAP.bindDNCredential (derived | |
from idp.authn.LDAP.bindDNCredential), so the intended form is | |
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}". | |
Whatever value is substituted here is the bind password of the resolver's | |
LDAP account: fix the property lookup rather than inlining the password, | |
keep this file out of version control and shared snippets once it holds a | |
real secret, and restrict its file permissions to the IdP's service account. | |
No useStartTLS attribute is set on this connector even though | |
idp.attribute.resolver.LDAP.useStartTLS is defined (defaulting to true) in | |
ldap.properties, and the StartTLSTrustCredential block below is commented | |
out. Presumably the connector then binds without StartTLS to the ldap:// | |
URL, sending the bind credential in the clear; confirm against the IdP | |
3.3.1 LDAPDirectory connector defaults before relying on it. | |
--> | |
<DataConnector id="myLDAP" xsi:type="LDAPDirectory" | |
ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" | |
baseDN="%{idp.attribute.resolver.LDAP.baseDN}" | |
principal="%{idp.attribute.resolver.LDAP.bindDN}" | |
principalCredential="LDAP password in plain text - because reading the password from the property file failed" | |
connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}" | |
responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"> | |
<FilterTemplate> | |
<![CDATA[ | |
%{idp.attribute.resolver.LDAP.searchFilter} | |
]]> | |
</FilterTemplate> | |
<!-- The template above expands, via ldap.properties, to | |
(uid=$resolutionContext.principal). The authenticated principal is | |
interpolated into an LDAP search filter here, so confirm that this IdP | |
version escapes filter metacharacters in that value (TODO confirm); | |
otherwise constrain accepted usernames at authentication time. --> | |
<!-- <StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked"> | |
<sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate> | |
</StartTLSTrustCredential> --> | |
</DataConnector> | |
</AttributeResolver> |
<?xml version="1.0"?> | |
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" | |
validUntil="2018-05-15T20:32:30Z" | |
cacheDuration="PT1440M" | |
entityID="http://192.168.33.1:8090/controller"> | |
<!-- | |
SP metadata for the AppDynamics controller as consumed by the IdP. Points a | |
reviewer should weigh before trusting it: | |
1. The entityID and both endpoints are plain http://, so the SAML Response | |
(HTTP-POST binding) carrying uid, mail and givenName is delivered by the | |
browser to the SP over cleartext. | |
2. AuthnRequestsSigned="false" and WantAssertionsSigned="false": the SP | |
neither signs its requests nor asks for signed assertions, so message | |
integrity rests on whatever signing the IdP applies by default. | |
3. There is no md:KeyDescriptor with use="encryption". Combined with | |
idp.encryption.optional = true in idp.properties on this page, the IdP | |
issues the assertion unencrypted instead of failing the request. | |
4. validUntil is 2018-05-15T20:32:30Z; a metadata provider that enforces | |
validUntil will reject this file after that date, so it needs refreshing | |
from the SP rather than hand-editing. | |
--> | |
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> | |
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" | |
Location="http://192.168.33.1:8090/controller/saml-auth?accountName=customer1" /> | |
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat> | |
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> | |
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat> | |
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> | |
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" | |
Location="http://192.168.33.1:8090/controller/saml-auth?accountName=customer1" | |
index="1" /> | |
</md:SPSSODescriptor> | |
<md:ContactPerson contactType="technical"> | |
<md:GivenName>AppDynamics Support</md:GivenName> | |
<md:EmailAddress>support@appdynamics.com</md:EmailAddress> | |
</md:ContactPerson> | |
</md:EntityDescriptor> |
# Load any additional property resources from a comma-delimited list | |
idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties | |
# Set the entityID of the IdP | |
idp.entityID= https://idp.localhost.com/idp/shibboleth | |
# Set the scope used in the attribute resolver for scoped attributes | |
idp.scope= localhost.com | |
# General cookie properties (maxAge only applies to persistent cookies) | |
# NOTE(review): idp.cookie.secure is left commented out (the commented | |
# value shows false) although idp.entityID above is https. Set | |
# idp.cookie.secure = true so the session and consent cookies are never | |
# sent over plain http; leave httpOnly at its default of true. | |
#idp.cookie.secure = false | |
#idp.cookie.httpOnly = true | |
#idp.cookie.domain = | |
#idp.cookie.path = | |
#idp.cookie.maxAge = 31536000 | |
# Set the location of user-supplied web flow definitions | |
#idp.webflows = %{idp.home}/flows | |
# Set the location of Velocity view templates | |
#idp.views = %{idp.home}/views | |
# Settings for internal AES encryption key | |
#idp.sealer.storeType = JCEKS | |
#idp.sealer.updateInterval = PT15M | |
#idp.sealer.aliasBase = secret | |
# NOTE(review): the sealer key protects the client-side session and consent | |
# storage (the commented defaults for idp.session.StorageService and | |
# idp.consent.StorageService further down are the client-side services), so | |
# anyone holding the keystore can read and forge those cookies. Both | |
# passwords below are the literal "appdynamics", the same value used for the | |
# LDAP bind credential in ldap.properties. Use a distinct, generated password | |
# for the keystore, keep this file out of version control and shared | |
# snippets, and restrict it to the IdP's service account. | |
idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks | |
idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver | |
idp.sealer.storePassword= appdynamics | |
idp.sealer.keyPassword= appdynamics | |
# Settings for public/private signing and encryption key(s) | |
# During decryption key rollover, point the ".2" properties at a second | |
# keypair, uncomment in credentials.xml, then publish it in your metadata. | |
idp.signing.key= %{idp.home}/credentials/idp-signing.key | |
idp.signing.cert= %{idp.home}/credentials/idp-signing.crt | |
idp.encryption.key= %{idp.home}/credentials/idp-encryption.key | |
idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt | |
#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key | |
#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt | |
# Sets the bean ID to use as a default security configuration set | |
#idp.security.config = shibboleth.DefaultSecurityConfiguration | |
# To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1 | |
#idp.signing.config = shibboleth.SigningConfiguration.SHA256 | |
# Configures trust evaluation of keys used by services at runtime | |
# Defaults to supporting both explicit key and PKIX using SAML metadata. | |
#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine | |
# To pick only one set to one of: | |
# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine | |
#idp.trust.certificates = shibboleth.ChainingX509TrustEngine | |
# To pick only one set to one of: | |
# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine | |
# If true, encryption will happen whenever a key to use can be located, but | |
# failure to encrypt won't result in request failure. | |
# NOTE(review): the SP metadata on this page carries no encryption | |
# KeyDescriptor, so with this flag true the assertion to that SP goes out | |
# unencrypted. Set it to false if an unencryptable assertion should be | |
# treated as an error instead of silently downgraded. | |
idp.encryption.optional = true | |
# Configuration of client- and server-side storage plugins | |
#idp.storage.cleanupInterval = PT10M | |
#idp.storage.htmlLocalStorage = false | |
# Set to true to expose more detailed errors in responses to SPs | |
#idp.errors.detailed = false | |
# Set to false to skip signing of SAML response messages that signal errors | |
#idp.errors.signed = true | |
# Name of bean containing a list of Java exception classes to ignore | |
#idp.errors.excludedExceptions = ExceptionClassListBean | |
# Name of bean containing a property set mapping exception names to views | |
#idp.errors.exceptionMappings = ExceptionToViewPropertyBean | |
# Set if a different default view name for events and exceptions is needed | |
#idp.errors.defaultView = error | |
# Set to false to disable the IdP session layer | |
#idp.session.enabled = true | |
# Set to "shibboleth.StorageService" for server-side storage of user sessions | |
#idp.session.StorageService = shibboleth.ClientSessionStorageService | |
# Size of session IDs | |
#idp.session.idSize = 32 | |
# Bind sessions to IP addresses | |
#idp.session.consistentAddress = true | |
# Inactivity timeout | |
#idp.session.timeout = PT60M | |
# Extra time to store sessions for logout | |
#idp.session.slop = PT0S | |
# Tolerate storage-related errors | |
#idp.session.maskStorageFailure = false | |
# Track information about SPs logged into | |
#idp.session.trackSPSessions = false | |
# Support lookup by SP for SAML logout | |
#idp.session.secondaryServiceIndex = false | |
# Length of time to track SP sessions | |
#idp.session.defaultSPlifetime = PT2H | |
# Regular expression matching login flows to enable, e.g. IPAddress|Password | |
idp.authn.flows= Password | |
# Regular expression of forced "initial" methods when no session exists, | |
# usually in conjunction with the idp.authn.resolveAttribute property below. | |
#idp.authn.flows.initial = Password | |
# Set to an attribute ID to resolve prior to selecting authentication flows; | |
# its values are used to filter the flows to allow. | |
#idp.authn.resolveAttribute = eduPersonAssurance | |
# Default lifetime and timeout of various authentication methods | |
#idp.authn.defaultLifetime = PT60M | |
#idp.authn.defaultTimeout = PT30M | |
# Whether to populate relying party user interface information for display | |
# during authentication, consent, terms-of-use. | |
#idp.authn.rpui = true | |
# Whether to prioritize "active" results when an SP requests more than | |
# one possible matching login method (V2 behavior was to favor them) | |
#idp.authn.favorSSO = false | |
# Whether to fail requests when a user identity after authentication | |
# doesn't match the identity in a pre-existing session. | |
#idp.authn.identitySwitchIsError = false | |
# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent | |
#idp.consent.StorageService = shibboleth.ClientPersistentStorageService | |
# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute | |
# to key user consent storage records (and set the attribute name) | |
#idp.consent.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey | |
#idp.consent.userStorageKeyAttribute = uid | |
# Flags controlling how built-in attribute consent feature operates | |
#idp.consent.allowDoNotRemember = true | |
#idp.consent.allowGlobal = true | |
#idp.consent.allowPerAttribute = false | |
# Whether attribute values and terms of use text are compared | |
#idp.consent.compareValues = false | |
# Maximum number of consent records for space-limited storage (e.g. cookies) | |
#idp.consent.maxStoredRecords = 10 | |
# Maximum number of consent records for larger/server-side storage (0 = no limit) | |
#idp.consent.expandedMaxStoredRecords = 0 | |
# Time in milliseconds to expire consent storage records. | |
#idp.consent.storageRecordLifetime = P1Y | |
# Whether to lookup metadata, etc. for every SP involved in a logout | |
# for use by user interface logic; adds overhead so off by default. | |
#idp.logout.elaboration = false | |
# Whether to require logout requests/responses be signed/authenticated. | |
#idp.logout.authenticated = true | |
# Message freshness and replay cache tuning | |
#idp.policy.messageLifetime = PT3M | |
#idp.policy.clockSkew = PT3M | |
# Set to custom bean for alternate storage of replay cache | |
#idp.replayCache.StorageService = shibboleth.StorageService | |
# Toggles whether to allow outbound messages via SAML artifact | |
#idp.artifact.enabled = true | |
# Suppresses typical signing/encryption when artifact binding used | |
#idp.artifact.secureChannel = true | |
# May differ to direct SAML 2 artifact lookups to specific server nodes | |
#idp.artifact.endpointIndex = 2 | |
# Set to custom bean for alternate storage of artifact map state | |
#idp.artifact.StorageService = shibboleth.StorageService | |
# Comma-delimited languages to use if no match can be found with the | |
# browser-supported languages, defaults to an empty list. | |
idp.ui.fallbackLanguages= en,fr,de | |
# Storage service used by CAS protocol | |
# Defaults to shibboleth.StorageService (in-memory) | |
# MUST be server-side storage (e.g. in-memory, memcached, database) | |
# NOTE that idp.session.StorageService requires server-side storage | |
# when CAS protocol is enabled | |
#idp.cas.StorageService=shibboleth.StorageService | |
# CAS service registry implementation class | |
#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry | |
# Profile flows in which the ProfileRequestContext should be exposed | |
# in servlet request under the key "opensamlProfileRequestContext" | |
#idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO | |
# F-TICKS auditing - set a salt to include hashed username | |
#idp.fticks.federation=MyFederation | |
#idp.fticks.algorithm=SHA-256 | |
#idp.fticks.salt=somethingsecret | |
#idp.fticks.loghost=localhost | |
#idp.fticks.logport=514 |
<!-- | |
Tomcat context descriptor for the IdP WAR. privileged="true" lets the | |
webapp use container-provided servlets; antiResourceLocking="false" and | |
unpackWAR="false" keep Tomcat from copying or expanding the WAR, and | |
swallowOutput="true" routes System.out/System.err into the context logger. | |
The privileged flag presumably follows the Shibboleth Tomcat guidance for | |
this release; confirm it is required for 3.3.1 before keeping it, since it | |
widens what the webapp may load from the container. | |
--> | |
<Context docBase="/opt/shibboleth-idp/war/idp.war" | |
privileged="true" | |
antiResourceLocking="false" | |
unpackWAR="false" | |
swallowOutput="true" /> |
# LDAP authentication configuration, see authn/ldap-authn-config.xml | |
# Note, this doesn't apply to the use of JAAS | |
## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator | |
#idp.authn.LDAP.authenticator = anonSearchAuthenticator | |
## Connection properties ## | |
idp.authn.LDAP.ldapURL = ldap://192.168.33.16:389 | |
#idp.authn.LDAP.useStartTLS = true | |
#idp.authn.LDAP.useSSL = false | |
# Time in milliseconds that connects will block | |
#idp.authn.LDAP.connectTimeout = PT3S | |
# Time in milliseconds to wait for responses | |
#idp.authn.LDAP.responseTimeout = PT3S | |
## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust | |
#idp.authn.LDAP.sslConfig = certificateTrust | |
## If using certificateTrust above, set to the trusted certificate's path | |
#idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt | |
## If using keyStoreTrust above, set to the truststore path | |
#idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore | |
## Return attributes during authentication | |
idp.authn.LDAP.returnAttributes = cn,givenName | |
## DN resolution properties ## | |
# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator | |
# for AD: CN=Users,DC=example,DC=org | |
idp.authn.LDAP.baseDN = ou=uk,dc=appd,dc=com | |
#idp.authn.LDAP.subtreeSearch = false | |
idp.authn.LDAP.userFilter = (uid={user}) | |
# bind search configuration (bindDNCredential below is stored in clear text; keep this file readable only by the IdP service account) | |
# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com | |
idp.authn.LDAP.bindDN = cn=admin,dc=appd,dc=com | |
idp.authn.LDAP.bindDNCredential = appdynamics | |
# Format DN resolution, used by directAuthenticator, adAuthenticator | |
# for AD use idp.authn.LDAP.dnFormat=%s@domain.com | |
idp.authn.LDAP.dnFormat = uid=%s,ou=uk,dc=appd,dc=com | |
# LDAP attribute configuration, see attribute-resolver.xml | |
# Note, this likely won't apply to the use of legacy V2 resolver configurations | |
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL} | |
idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout:PT3S} | |
idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout:PT3S} | |
idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined} | |
idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN:undefined} | |
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined} | |
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true} | |
idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined} | |
idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal) | |
# LDAP pool configuration, used for both authn and DN resolution | |
#idp.pool.LDAP.minSize = 3 | |
#idp.pool.LDAP.maxSize = 10 | |
#idp.pool.LDAP.validateOnCheckout = false | |
#idp.pool.LDAP.validatePeriodically = true | |
#idp.pool.LDAP.validatePeriod = PT5M | |
#idp.pool.LDAP.prunePeriod = PT5M | |
#idp.pool.LDAP.idleTime = PT10M | |
#idp.pool.LDAP.blockWaitTime = PT3S | |
#idp.pool.LDAP.failFastInitialize = false |
<?xml version="1.0" encoding="UTF-8"?> | |
<configuration> | |
<!-- | |
Variables for simplifying logging configuration. | |
http://logback.qos.ch/manual/configuration.html#variableSubstitution | |
--> | |
<variable name="idp.logfiles" value="${idp.home}/logs" /> | |
<variable name="idp.loghistory" value="180" /> | |
<!-- Much higher performance if you operate on DEBUG. --> | |
<!-- <variable name="idp.process.appender" value="ASYNC_PROCESS" /> --> | |
<!-- Logging level shortcuts. NOTE: idp and ldap are set to TRACE below, which is very verbose and can write request and directory details into idp-process.log; lower them to INFO outside of troubleshooting. --> | |
<variable name="idp.loglevel.idp" value="TRACE" /> | |
<variable name="idp.loglevel.ldap" value="TRACE" /> | |
<variable name="idp.loglevel.messages" value="INFO" /> | |
<variable name="idp.loglevel.encryption" value="INFO" /> | |
<variable name="idp.loglevel.opensaml" value="INFO" /> | |
<variable name="idp.loglevel.props" value="INFO" /> | |
<!-- Don't turn these up unless you want a *lot* of noise. --> | |
<variable name="idp.loglevel.spring" value="ERROR" /> | |
<variable name="idp.loglevel.container" value="ERROR" /> | |
<variable name="idp.loglevel.xmlsec" value="INFO" /> | |
<!-- | |
If you want to use custom properties in this config file, | |
we load the main property file for you. | |
--> | |
<variable file="${idp.home}/conf/idp.properties" /> | |
<!-- =========================================================== --> | |
<!-- ============== Logging Categories and Levels ============== --> | |
<!-- =========================================================== --> | |
<!-- Logs IdP, but not OpenSAML, messages --> | |
<logger name="net.shibboleth.idp" level="${idp.loglevel.idp:-TRACE}"/> | |
<!-- Logs OpenSAML, but not IdP, messages --> | |
<logger name="org.opensaml.saml" level="${idp.loglevel.opensaml:-INFO}"/> | |
<!-- Logs LDAP related messages --> | |
<logger name="org.ldaptive" level="${idp.loglevel.ldap:-TRACE}"/> | |
<!-- Logs inbound and outbound protocols messages at DEBUG level --> | |
<logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages:-INFO}" /> | |
<!-- Logs unencrypted SAML at DEBUG level --> | |
<logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption:-INFO}" /> | |
<!-- Logs system properties during startup at DEBUG level --> | |
<logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props:-INFO}" /> | |
<!-- Especially chatty. --> | |
<logger name="net.shibboleth.idp.saml.attribute.mapping" level="INFO" /> | |
<logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec:-INFO}" /> | |
<logger name="org.springframework" level="${idp.loglevel.spring:-ERROR}"/> | |
<logger name="org.apache.catalina" level="${idp.loglevel.container:-ERROR}"/> | |
<logger name="org.eclipse.jetty" level="${idp.loglevel.container:-ERROR}"/> | |
<!-- =========================================================== --> | |
<!-- ============== Low Level Details or Changes =============== --> | |
<!-- =========================================================== --> | |
<!-- Process log. --> | |
<appender name="IDP_PROCESS" class="ch.qos.logback.core.rolling.RollingFileAppender"> | |
<File>${idp.logfiles}/idp-process.log</File> | |
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> | |
<fileNamePattern>${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz</fileNamePattern> | |
<maxHistory>${idp.loghistory:-180}</maxHistory> | |
</rollingPolicy> | |
<encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> | |
<charset>UTF-8</charset> | |
<Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern> | |
</encoder> | |
<!-- Ignore Velocity status page error. --> | |
<filter class="ch.qos.logback.core.filter.EvaluatorFilter"> | |
<evaluator> | |
<matcher> | |
<Name>VelocityStatusMatcher</Name> | |
<regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex> | |
</matcher> | |
<expression>VelocityStatusMatcher.matches(formattedMessage)</expression> | |
</evaluator> | |
<OnMatch>DENY</OnMatch> | |
</filter> | |
</appender> | |
<appender name="ASYNC_PROCESS" class="ch.qos.logback.classic.AsyncAppender"> | |
<appender-ref ref="IDP_PROCESS" /> | |
<discardingThreshold>0</discardingThreshold> | |
</appender> | |
<appender name="IDP_WARN" class="ch.qos.logback.core.rolling.RollingFileAppender"> | |
<!-- Suppress anything below WARN. --> | |
<filter class="ch.qos.logback.classic.filter.ThresholdFilter"> | |
<level>WARN</level> | |
</filter> | |
<File>${idp.logfiles}/idp-warn.log</File> | |
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> | |
<fileNamePattern>${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz</fileNamePattern> | |
<maxHistory>${idp.loghistory:-180}</maxHistory> | |
</rollingPolicy> | |
<encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> | |
<charset>UTF-8</charset> | |
<Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern> | |
</encoder> | |
<!-- Ignore Velocity status page error. --> | |
<filter class="ch.qos.logback.core.filter.EvaluatorFilter"> | |
<evaluator> | |
<matcher> | |
<Name>VelocityStatusMatcher</Name> | |
<regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex> | |
</matcher> | |
<expression>VelocityStatusMatcher.matches(formattedMessage)</expression> | |
</evaluator> | |
<OnMatch>DENY</OnMatch> | |
</filter> | |
</appender> | |
<!-- Audit log. --> | |
<appender name="IDP_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender"> | |
<File>${idp.logfiles}/idp-audit.log</File> | |
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> | |
<fileNamePattern>${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern> | |
<maxHistory>${idp.loghistory:-180}</maxHistory> | |
</rollingPolicy> | |
<encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> | |
<charset>UTF-8</charset> | |
<Pattern>%msg%n</Pattern> | |
</encoder> | |
</appender> | |
<!-- Consent audit log. --> | |
<appender name="IDP_CONSENT_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender"> | |
<File>${idp.logfiles}/idp-consent-audit.log</File> | |
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> | |
<fileNamePattern>${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern> | |
<maxHistory>${idp.loghistory:-180}</maxHistory> | |
</rollingPolicy> | |
<encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> | |
<charset>UTF-8</charset> | |
<Pattern>%msg%n</Pattern> | |
</encoder> | |
</appender> | |
<!-- F-TICKS syslog destination. --> | |
<appender name="IDP_FTICKS" class="ch.qos.logback.classic.net.SyslogAppender"> | |
<syslogHost>${idp.fticks.loghost:-localhost}</syslogHost> | |
<port>${idp.fticks.logport:-514}</port> | |
<facility>AUTH</facility> | |
<suffixPattern>[%thread] %logger %msg</suffixPattern> | |
</appender> | |
<logger name="Shibboleth-Audit" level="ALL"> | |
<appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/> | |
</logger> | |
<logger name="Shibboleth-FTICKS" level="ALL" additivity="false"> | |
<appender-ref ref="${idp.fticks.appender:-IDP_FTICKS}"/> | |
</logger> | |
<logger name="Shibboleth-Consent-Audit" level="ALL"> | |
<appender-ref ref="${idp.consent.appender:-IDP_CONSENT_AUDIT}"/> | |
</logger> | |
<root level="${idp.loglevel.root:-INFO}"> | |
<appender-ref ref="${idp.process.appender:-IDP_PROCESS}"/> | |
<appender-ref ref="${idp.warn.appender:-IDP_WARN}" /> | |
</root> | |
</configuration> |
<?xml version="1.0" encoding="UTF-8"?> | |
<!-- This file is an EXAMPLE metadata configuration file. --> | |
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" | |
xmlns="urn:mace:shibboleth:2.0:metadata" | |
xmlns:resource="urn:mace:shibboleth:2.0:resource" | |
xmlns:security="urn:mace:shibboleth:2.0:security" | |
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd | |
urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd | |
urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd | |
urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd"> | |
<!-- ========================================================================================== --> | |
<!-- Metadata Configuration --> | |
<!-- --> | |
<!-- Below you place the mechanisms which define how to load the metadata for SP(s) you will --> | |
<!-- provide service to. --> | |
<!-- --> | |
<!-- Two examples are provided. The Shibboleth Documentation at --> | |
<!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration --> | |
<!-- provides more details. --> | |
<!-- --> | |
<!-- NOTE. This file SHOULD NOT contain the metadata for this IdP. --> | |
<!-- ========================================================================================== --> | |
<!-- | |
Example HTTP metadata provider. Use this if you want to download the metadata | |
from a remote source. | |
You *MUST* provide the SignatureValidationFilter in order to function securely. | |
Get the public key certificate from the party publishing the metadata, and validate | |
it with them via some out of band mechanism (e.g., a fingerprint on a secure page). | |
The EntityRoleWhiteList saves memory by only loading metadata from SAML roles | |
that the IdP needs to interoperate with. | |
--> | |
<!-- | |
<MetadataProvider id="HTTPMetadata" | |
xsi:type="FileBackedHTTPMetadataProvider" | |
backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml" | |
metadataURL="http://WHATEVER"> | |
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" /> | |
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/> | |
<MetadataFilter xsi:type="EntityRoleWhiteList"> | |
<RetainedRole>md:SPSSODescriptor</RetainedRole> | |
</MetadataFilter> | |
</MetadataProvider> | |
--> | |
<!-- | |
Example file metadata provider. Use this if you want to load metadata | |
from a local file. You might use this if you have some local SPs | |
which are not "federated" but you wish to offer a service to. | |
If you do not provide a SignatureValidation filter, then you have the | |
responsibility to ensure that the contents on disk are trustworthy; this applies | |
to the LocalMetadata provider below, which loads controller.xml with no filters. | |
--> | |
<MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/controller.xml"/> | |
</MetadataProvider> |
<?xml version="1.0" encoding="UTF-8"?> | |
<!-- | |
Licensed to the Apache Software Foundation (ASF) under one or more | |
contributor license agreements. See the NOTICE file distributed with | |
this work for additional information regarding copyright ownership. | |
The ASF licenses this file to You under the Apache License, Version 2.0 | |
(the "License"); you may not use this file except in compliance with | |
the License. You may obtain a copy of the License at | |
http://www.apache.org/licenses/LICENSE-2.0 | |
Unless required by applicable law or agreed to in writing, software | |
distributed under the License is distributed on an "AS IS" BASIS, | |
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
See the License for the specific language governing permissions and | |
limitations under the License. | |
--> | |
<!-- Note: A "Server" is not itself a "Container", so you may not | |
define subcomponents such as "Valves" at this level. | |
Documentation at /docs/config/server.html | |
--> | |
<Server port="8005" shutdown="SHUTDOWN"> | |
<Listener className="org.apache.catalina.startup.VersionLoggerListener" /> | |
<!-- Security listener. Documentation at /docs/config/listeners.html | |
<Listener className="org.apache.catalina.security.SecurityListener" /> | |
--> | |
<!--APR library loader. Documentation at /docs/apr.html --> | |
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> | |
<!-- Prevent memory leaks due to use of particular java/javax APIs--> | |
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /> | |
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> | |
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" /> | |
<!-- Global JNDI resources | |
Documentation at /docs/jndi-resources-howto.html | |
--> | |
<GlobalNamingResources> | |
<!-- Editable user database that can also be used by | |
UserDatabaseRealm to authenticate users | |
--> | |
<Resource name="UserDatabase" auth="Container" | |
type="org.apache.catalina.UserDatabase" | |
description="User database that can be updated and saved" | |
factory="org.apache.catalina.users.MemoryUserDatabaseFactory" | |
pathname="conf/tomcat-users.xml" /> | |
</GlobalNamingResources> | |
<!-- A "Service" is a collection of one or more "Connectors" that share | |
a single "Container" Note: A "Service" is not itself a "Container", | |
so you may not define subcomponents such as "Valves" at this level. | |
Documentation at /docs/config/service.html | |
--> | |
<Service name="Catalina"> | |
<!--The connectors can use a shared executor, you can define one or more named thread pools--> | |
<!-- | |
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-" | |
maxThreads="150" minSpareThreads="4"/> | |
--> | |
<!-- A "Connector" represents an endpoint by which requests are received | |
and responses are returned. Documentation at : | |
Java HTTP Connector: /docs/config/http.html | |
Java AJP Connector: /docs/config/ajp.html | |
APR (HTTP/AJP) Connector: /docs/apr.html | |
Define a non-SSL/TLS HTTP/1.1 Connector on port 8080 | |
--> | |
<!-- | |
<Connector port="8080" protocol="HTTP/1.1" | |
connectionTimeout="20000" | |
redirectPort="8443" /> | |
--> | |
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443. The keystore password is written in clear text in keystorePass below, so this file must be readable only by the Tomcat user; sslProtocol="TLS" by itself does not restrict which TLS versions are offered (that is what sslEnabledProtocols is for). --> | |
<Connector | |
protocol="org.apache.coyote.http11.Http11NioProtocol" | |
port="8443" maxThreads="200" | |
scheme="https" secure="true" SSLEnabled="true" | |
keystoreFile="/opt/shibboleth-idp/credentials/idp-backchannel.p12" keystorePass="appdynamics" | |
clientAuth="false" sslProtocol="TLS" | |
/> | |
<!-- A "Connector" using the shared thread pool--> | |
<!-- | |
<Connector executor="tomcatThreadPool" | |
port="8080" protocol="HTTP/1.1" | |
connectionTimeout="20000" | |
redirectPort="8443" /> | |
--> | |
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 | |
This connector uses the NIO implementation. The default | |
SSLImplementation will depend on the presence of the APR/native | |
library and the useOpenSSL attribute of the | |
AprLifecycleListener. | |
Either JSSE or OpenSSL style configuration may be used regardless of | |
the SSLImplementation selected. JSSE style configuration is used below. | |
--> | |
<!-- | |
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" | |
maxThreads="150" SSLEnabled="true"> | |
<SSLHostConfig> | |
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks" | |
type="RSA" /> | |
</SSLHostConfig> | |
</Connector> | |
--> | |
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2 | |
This connector uses the APR/native implementation which always uses | |
OpenSSL for TLS. | |
Either JSSE or OpenSSL style configuration may be used. OpenSSL style | |
configuration is used below. | |
--> | |
<!-- | |
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" | |
maxThreads="150" SSLEnabled="true" > | |
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> | |
<SSLHostConfig> | |
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem" | |
certificateFile="conf/localhost-rsa-cert.pem" | |
certificateChainFile="conf/localhost-rsa-chain.pem" | |
type="RSA" /> | |
</SSLHostConfig> | |
</Connector> | |
--> | |
<!-- Define an AJP 1.3 Connector on port 8009. Only needed when a front-end proxy speaks AJP; otherwise remove it, or at least bind it to a loopback address with address="127.0.0.1" so it is not reachable from the network. --> | |
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> | |
<!-- An Engine represents the entry point (within Catalina) that processes | |
every request. The Engine implementation for Tomcat stand alone | |
analyzes the HTTP headers included with the request, and passes them | |
on to the appropriate Host (virtual host). | |
Documentation at /docs/config/engine.html --> | |
<!-- You should set jvmRoute to support load-balancing via AJP ie : | |
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> | |
--> | |
<Engine name="Catalina" defaultHost="localhost"> | |
<!--For clustering, please take a look at documentation at: | |
/docs/cluster-howto.html (simple how to) | |
/docs/config/cluster.html (reference documentation) --> | |
<!-- | |
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> | |
--> | |
<!-- Use the LockOutRealm to prevent attempts to guess user passwords | |
via a brute-force attack --> | |
<Realm className="org.apache.catalina.realm.LockOutRealm"> | |
<!-- This Realm uses the UserDatabase configured in the global JNDI | |
resources under the key "UserDatabase". Any edits | |
that are performed against this UserDatabase are immediately | |
available for use by the Realm. --> | |
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" | |
resourceName="UserDatabase"/> | |
</Realm> | |
<Host name="localhost" appBase="webapps" | |
unpackWARs="true" autoDeploy="true"> | |
<!-- SingleSignOn valve, share authentication between web applications | |
Documentation at: /docs/config/valve.html --> | |
<!-- | |
<Valve className="org.apache.catalina.authenticator.SingleSignOn" /> | |
--> | |
<!-- Access log processes all example. | |
Documentation at: /docs/config/valve.html | |
Note: The pattern used is equivalent to using pattern="common" --> | |
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" | |
prefix="localhost_access_log" suffix=".txt" | |
pattern="%h %l %u %t "%r" %s %b" /> | |
</Host> | |
</Engine> | |
</Service> | |
</Server> |
<beans xmlns="http://www.springframework.org/schema/beans" | |
xmlns:context="http://www.springframework.org/schema/context" | |
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" | |
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd | |
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd | |
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"> | |
<!-- Advanced configuration of services from SVN. | |
To use an SVN resource you need to construct it and then inject it into | |
The appropriate bean. To use property replacement you will need a separate | |
resource pointing to the replacement phrase. | |
For example: | |
<bean id="AuthnMgr" class="org.tmatesoft.svn.core.auth.BasicAuthenticationManager"> | |
<constructor-arg> | |
<null /> | |
</constructor-arg> | |
</bean> | |
<bean id="ClientMgr" factory-method="newInstance" | |
class="org.tmatesoft.svn.core.wc.SVNClientManager" | |
p:authenticationManager-ref="AuthnMgr" /> | |
<bean id="TheSVNURL" factory-method="create" | |
class="org.tmatesoft.svn.core.SVNURL"> | |
<constructor-arg value="https" /> | |
<constructor-arg> | |
<null /> | |
</constructor-arg> | |
<constructor-arg value="svn.shibboleth.net" /> | |
<constructor-arg value="-1" /> | |
<constructor-arg | |
value="/utilities/spring-extensions/trunk/src/test/resources/data/" /> | |
<constructor-arg value="false" /> | |
</bean> | |
<bean id="TheSVNResource" class="net.shibboleth.ext.spring.resource.SVNResource"> | |
<constructor-arg ref="ClientMgr" /> | |
<constructor-arg ref="TheSVNURL" /> | |
<constructor-arg value="D:/testdir/dir" /> | |
<constructor-arg value="-1" /> | |
<constructor-arg value="TestResource.txt" /> | |
</bean> | |
<util:list id="shibboleth.AttributeResolverResources"> | |
<ref bean="TheSVNResource"/> | |
<value>path_to_properties_specifyingBean_file</value> | |
</util:list> | |
see also https://wiki.shibboleth.net/confluence/display/IDP30/SVNResource | |
http://svnkit.com/javadoc/org/tmatesoft/svn/core/auth/BasicAuthenticationManager.html#constructor_detail | |
http://svnkit.com/javadoc/org/tmatesoft/svn/core/SVNURL.html | |
--> | |
<!-- Advanced configuration of services from HTTP. | |
To use an HTTP resource you first need to configure the Apache HttpClient which will be used | |
to communicate with the web server. Any HttpClient can be used, but two Factory Beans allow simple | |
configuration of in-memory or file-based caching clients. | |
Examples are: | |
A resource which will be supplied from an in-memory cache for as long as the file on the webserver does not change. | |
If the webserver becomes unavailable the resource will be unavailable. | |
<bean id="inMemoryResource" class="net.shibboleth.ext.spring.resource.HTTPResource" | |
c:client-ref="shibboleth.MemoryCachingHttpClient" | |
c:url="http://example.org/path/to/file.xml" /> | |
Two resources which will be supplied from an on disk cache (suitable for multiple or large files) for as long | |
as the file on the webserver does not change. If the webserver becomes unavailable the last used contents | |
of the file will be returned (even if that was in a previous IdP lifetime). | |
<bean id="fileResource" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource" | |
c:client-ref="shibboleth.FileCachingHttpClient" | |
c:url="http://example.org/path/to/file.xml" | |
c:backingFile="/var/shibboleth/caches/resourcecache/file.xml"/> | |
<bean id="otherFileResource" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource" | |
c:client-ref="shibboleth.FileCachingHttpClient" | |
c:url="http://another.server.example.org/path/to/different/file.xml" | |
c:backingFile="/var/shibboleth/caches/resourcecache/differentFile.xml"/> | |
In all cases you should review the "idp.httpclient.*" properties defined in services.properties | |
--> | |
<!-- | |
Otherwise by default we look at resources whose names are derived from %{idp.home}. Services not configured | |
using native Spring syntax also need to load the property-placeholder file in order to pull settings from | |
property sources. | |
--> | |
<!-- This set of resources supports a native Spring relying-party.xml file. --> | |
<util:list id="shibboleth.RelyingPartyResolverResources"> | |
<value>%{idp.home}/conf/relying-party.xml</value> | |
<value>%{idp.home}/conf/credentials.xml</value> | |
<value>%{idp.home}/system/conf/relying-party-system.xml</value> | |
</util:list> | |
<!-- This set of resources supports a legacy 2.x relying-party.xml file. --> | |
<util:list id="shibboleth.LegacyRelyingPartyResolverResources"> | |
<value>%{idp.home}/conf/relying-party.xml</value> | |
<value>%{idp.home}/system/conf/legacy-relying-party-defaults.xml</value> | |
</util:list> | |
<util:list id="shibboleth.MetadataResolverResources"> | |
<value>%{idp.home}/conf/metadata-providers.xml</value> | |
<value>%{idp.home}/system/conf/metadata-providers-system.xml</value> | |
</util:list> | |
<util:list id ="shibboleth.AttributeResolverResources"> | |
<value>%{idp.home}/conf/attribute-resolver-full.xml</value> | |
</util:list> | |
<util:list id ="shibboleth.AttributeFilterResources"> | |
<value>%{idp.home}/conf/attribute-filter.xml</value> | |
</util:list> | |
<util:list id ="shibboleth.NameIdentifierGenerationResources"> | |
<value>%{idp.home}/conf/saml-nameid.xml</value> | |
<value>%{idp.home}/system/conf/saml-nameid-system.xml</value> | |
</util:list> | |
<util:list id="shibboleth.AccessControlResources"> | |
<value>%{idp.home}/conf/access-control.xml</value> | |
<value>%{idp.home}/system/conf/access-control-system.xml</value> | |
</util:list> | |
<util:list id="shibboleth.CASServiceRegistryResources"> | |
<value>%{idp.home}/conf/cas-protocol.xml</value> | |
</util:list> | |
<!-- | |
This collection of resources differs slightly in that it should not include the file extension. | |
Message sources are internationalized, and Spring will search for a compatible language extension | |
and fall back to one with only a .properties extension. | |
--> | |
<util:list id="shibboleth.MessageSourceResources"> | |
<value>%{idp.home}/messages/messages</value> | |
<value>%{idp.home}/system/messages/messages</value> | |
</util:list> | |
</beans> |
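#! /bin/sh
# ==================================================================
# Multi-instance Apache Tomcat installation with a focus
# on best-practices as defined by Apache, SpringSource, and MuleSoft
# and enterprise use with large-scale deployments.
# Based On:
# http://www.springsource.com/files/uploads/tomcat/tomcatx-performance-tuning.pdf
# http://www.springsource.com/files/u1/PerformanceTuningApacheTomcat-Part2.pdf
# http://www.springsource.com/files/uploads/tomcat/tomcatx-large-scale-deployments.pdf
#
# This looks like a Tomcat setenv.sh fragment that catalina.sh sources
# (it only appends to CATALINA_OPTS and reads CATALINA_BASE) -- confirm.
# Because it is sourced, it must stay POSIX sh and must never exit.
# ==================================================================

#appDynamics
#export CATALINA_OPTS="$CATALINA_OPTS -javaagent:/Users/israel.ogbole/appDynamics/appagent/tomcat7app/javaagent.jar"
#apr
#export CATALINA_OPTS="$CATALINA_OPTS -Djava.library.path=/usr/local/opt/tomcat-native/lib"
#export CATALINA_OPTS="$CATALINA_OPTS -Didp.home=/Users/israel.ogbole/projects/shibboleth-idp"

# discourage address map swapping by setting Xms and Xmx to the same value
# http://confluence.atlassian.com/display/DOC/Garbage+Collector+Performance+Issues
# NOTE: the two values below differ (256m vs 1g), so the heap can still be
# resized at runtime; set both to the same value if that is the intent.
export CATALINA_OPTS="$CATALINA_OPTS -Xms256m"
export CATALINA_OPTS="$CATALINA_OPTS -Xmx1g"

# Increase maximum perm size for web base applications to 4x the default amount
# http://wiki.apache.org/tomcat/FAQ/Memory
# NOTE: Java 8 and later have no permanent generation and ignore this flag
# (the JVM prints a warning at startup); it only has an effect on Java 7.
export CATALINA_OPTS="$CATALINA_OPTS -XX:MaxPermSize=256m"

# Reset the default stack size for threads to a lower value (by 1/10th original)
# By default this can be anywhere between 512k -> 1024k depending on x32 or x64
# bit Java version.
# http://www.springsource.com/files/uploads/tomcat/tomcatx-large-scale-deployments.pdf
# http://www.oracle.com/technetwork/java/hotspotfaq-138619.html
export CATALINA_OPTS="$CATALINA_OPTS -Xss300k"

# Oracle Java as default, uses the serial garbage collector on the
# Full Tenured heap. The Young space is collected in parallel, but the
# Tenured is not. This means that at a time of load if a full collection
# event occurs, since the event is a 'stop-the-world' serial event then
# all application threads other than the garbage collector thread are
# taken off the CPU. This can have severe consequences if requests continue
# to accrue during these 'outage' periods. (specifically webservices, webapps)
# [Also enables adaptive sizing automatically]
export CATALINA_OPTS="$CATALINA_OPTS -XX:+UseParallelGC"

# This is interpreted as a hint to the garbage collector that pause times
# of <nnn> milliseconds or less are desired. The garbage collector will
# adjust the Java heap size and other garbage collection related parameters
# in an attempt to keep garbage collection pauses shorter than <nnn> milliseconds.
# http://java.sun.com/docs/hotspot/gc5.0/ergo5.html
export CATALINA_OPTS="$CATALINA_OPTS -XX:MaxGCPauseMillis=1500"

# A hint to the virtual machine that it's desirable that not more than:
# 1 / (1 + GCTimeRatio) of the application execution time be spent in
# the garbage collector.
# http://themindstorms.wordpress.com/2009/01/21/advanced-jvm-tuning-for-low-pause/
export CATALINA_OPTS="$CATALINA_OPTS -XX:GCTimeRatio=9"

# The hotspot server JVM has specific code-path optimizations
# which yield an approximate 10% gain over the client version.
# (64-bit JVMs already select the server VM, so this is a no-op there.)
export CATALINA_OPTS="$CATALINA_OPTS -server"

# Disable remote (distributed) garbage collection by Java clients
# and remove ability for applications to call explicit GC collection
export CATALINA_OPTS="$CATALINA_OPTS -XX:+DisableExplicitGC"

# Check for application specific parameters at startup.
# The file is sourced, so whatever it contains runs with the privileges of
# the account starting Tomcat; it must not be writable by other users.
if [ -r "$CATALINA_BASE/bin/appenv.sh" ]; then
  . "$CATALINA_BASE/bin/appenv.sh"
fi

#######################################
# Print one space-separated option string, one option per line.
# Arguments: $1 - label to print, $2 - option string (e.g. "$CATALINA_OPTS")
# Outputs:   "Using <label>:" followed by ">>  <option>" lines on stdout
# Everything printed here ends up in the startup output (e.g. catalina.out),
# so do not pass secrets as -D values through these variables.
#######################################
setenv_print_opts() {
  echo "Using $1:"
  # Word-splitting on the unquoted variable is intentional: the options are
  # space-separated. The subshell lets us turn off pathname expansion so an
  # option containing '*' or '?' is printed verbatim, without changing the
  # sourcing shell's settings.
  (
    set -f
    # shellcheck disable=SC2086
    for arg in $2; do
      printf '>>  %s\n' "$arg"
    done
  )
}

setenv_print_opts CATALINA_OPTS "$CATALINA_OPTS"
echo ""
setenv_print_opts JAVA_OPTS "$JAVA_OPTS"
# Do not leave the helper behind in the shell that sourced this file.
unset -f setenv_print_opts
echo "_______________________________________________"
echo ""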