
Revert "Test 3.3.3"

This reverts commit 35be99a990.
fix-logs
Teddy Cornaut 11 months ago
parent
commit
82c7276f66
100 changed files with 1381 additions and 287 deletions
  1. 0
    0
      src/.gitkeep
  2. 0
    0
      src/shibboleth-identity-provider-3.2.1/LICENSE.txt
  3. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/aacli.bat
  4. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/aacli.sh
  5. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/ant-jetty.xml
  6. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/ant.bat
  7. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/ant.sh
  8. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/build.bat
  9. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/build.sh
  10. 1
    1
      src/shibboleth-identity-provider-3.2.1/bin/build.xml
  11. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/install.bat
  12. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/install.sh
  13. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/keygen.bat
  14. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/keygen.sh
  15. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/lib/ant-1.9.4.jar
  16. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/lib/ant-launcher-1.9.4.jar
  17. BIN
      src/shibboleth-identity-provider-3.2.1/bin/lib/bcpkix-jdk15on-1.53.jar
  18. BIN
      src/shibboleth-identity-provider-3.2.1/bin/lib/idp-installer-3.2.1.jar
  19. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/lib/jcommander-1.48.jar
  20. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/reload-metadata.bat
  21. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/reload-metadata.sh
  22. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/reload-service.bat
  23. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/reload-service.sh
  24. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/runclass.bat
  25. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/runclass.sh
  26. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/seckeygen.bat
  27. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/seckeygen.sh
  28. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/status.bat
  29. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/status.sh
  30. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/version.bat
  31. 0
    0
      src/shibboleth-identity-provider-3.2.1/bin/version.sh
  32. 32
    0
      src/shibboleth-identity-provider-3.2.1/conf/access-control.xml
  33. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/attribute-filter.xml
  34. 295
    0
      src/shibboleth-identity-provider-3.2.1/conf/attribute-resolver-full.xml
  35. 97
    0
      src/shibboleth-identity-provider-3.2.1/conf/attribute-resolver-ldap.xml
  36. 95
    0
      src/shibboleth-identity-provider-3.2.1/conf/attribute-resolver.xml
  37. 103
    0
      src/shibboleth-identity-provider-3.2.1/conf/audit.xml
  38. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/authn/authn-comparison.xml
  39. 1
    4
      src/shibboleth-identity-provider-3.2.1/conf/authn/authn-events-flow.xml
  40. 2
    10
      src/shibboleth-identity-provider-3.2.1/conf/authn/external-authn-config.xml
  41. 0
    42
      src/shibboleth-identity-provider-3.2.1/conf/authn/general-authn.xml
  42. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/authn/ipaddress-authn-config.xml
  43. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/authn/jaas-authn-config.xml
  44. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/authn/jaas.config
  45. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/authn/krb5-authn-config.xml
  46. 11
    16
      src/shibboleth-identity-provider-3.2.1/conf/authn/ldap-authn-config.xml
  47. 1
    13
      src/shibboleth-identity-provider-3.2.1/conf/authn/password-authn-config.xml
  48. 3
    11
      src/shibboleth-identity-provider-3.2.1/conf/authn/remoteuser-authn-config.xml
  49. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/authn/remoteuser-internal-authn-config.xml
  50. 0
    5
      src/shibboleth-identity-provider-3.2.1/conf/authn/spnego-authn-config.xml
  51. 2
    5
      src/shibboleth-identity-provider-3.2.1/conf/authn/x509-authn-config.xml
  52. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/authn/x509-internal-authn-config.xml
  53. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/c14n/attribute-sourced-subject-c14n-config.xml
  54. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/c14n/simple-subject-c14n-config.xml
  55. 0
    4
      src/shibboleth-identity-provider-3.2.1/conf/c14n/subject-c14n-events-flow.xml
  56. 1
    1
      src/shibboleth-identity-provider-3.2.1/conf/c14n/subject-c14n.xml
  57. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/c14n/x500-subject-c14n-config.xml
  58. 53
    0
      src/shibboleth-identity-provider-3.2.1/conf/cas-protocol.xml
  59. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/credentials.xml
  60. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/errors.xml
  61. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/global.xml
  62. 10
    12
      src/shibboleth-identity-provider-3.2.1/conf/idp.properties
  63. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/intercept/consent-intercept-config.xml
  64. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/intercept/context-check-intercept-config.xml
  65. 1
    4
      src/shibboleth-identity-provider-3.2.1/conf/intercept/intercept-events-flow.xml
  66. 0
    2
      src/shibboleth-identity-provider-3.2.1/conf/intercept/profile-intercept.xml
  67. 10
    10
      src/shibboleth-identity-provider-3.2.1/conf/ldap.properties
  68. 4
    24
      src/shibboleth-identity-provider-3.2.1/conf/logback.xml
  69. 12
    7
      src/shibboleth-identity-provider-3.2.1/conf/metadata-providers.xml
  70. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/mvc-beans.xml
  71. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/relying-party.xml
  72. 0
    2
      src/shibboleth-identity-provider-3.2.1/conf/saml-nameid.properties
  73. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/saml-nameid.xml
  74. 1
    5
      src/shibboleth-identity-provider-3.2.1/conf/services.properties
  75. 4
    3
      src/shibboleth-identity-provider-3.2.1/conf/services.xml
  76. 0
    0
      src/shibboleth-identity-provider-3.2.1/conf/session-manager.xml
  77. 32
    0
      src/shibboleth-identity-provider-3.2.1/dist/conf/access-control.xml.dist
  78. 0
    0
      src/shibboleth-identity-provider-3.2.1/dist/conf/attribute-filter.xml.dist
  79. 295
    0
      src/shibboleth-identity-provider-3.2.1/dist/conf/attribute-resolver-full.xml.dist
  80. 97
    0
      src/shibboleth-identity-provider-3.2.1/dist/conf/attribute-resolver-ldap.xml.dist
  81. 95
    0
      src/shibboleth-identity-provider-3.2.1/dist/conf/attribute-resolver.xml.dist
  82. 103
    0
      src/shibboleth-identity-provider-3.2.1/dist/conf/audit.xml.dist
  83. 0
    0
      src/shibboleth-identity-provider-3.2.1/dist/conf/authn/authn-comparison.xml.dist
  84. 1
    4
      src/shibboleth-identity-provider-3.2.1/dist/conf/authn/authn-events-flow.xml.dist
  85. 2
    10
      src/shibboleth-identity-provider-3.2.1/dist/conf/authn/external-authn-config.xml.dist
  86. 0
    42
      src/shibboleth-identity-provider-3.2.1/dist/conf/authn/general-authn.xml.dist
  87. 0
    0
      src/shibboleth-identity-provider-3.2.1/dist/conf/authn/ipaddress-authn-config.xml.dist
  88. 0
    0
      src/shibboleth-identity-provider-3.2.1/dist/conf/authn/jaas-authn-config.xml.dist
  89. 0
    0
      src/shibboleth-identity-provider-3.2.1/dist/conf/authn/jaas.config.dist
  90. 0
    0
      src/shibboleth-identity-provider-3.2.1/dist/conf/authn/krb5-authn-config.xml.dist
  91. 11
    16
      src/shibboleth-identity-provider-3.2.1/dist/conf/authn/ldap-authn-config.xml.dist
  92. 1
    13
      src/shibboleth-identity-provider-3.2.1/dist/conf/authn/password-authn-config.xml.dist
  93. 3
    11
      src/shibboleth-identity-provider-3.2.1/dist/conf/authn/remoteuser-authn-config.xml.dist
  94. 0
    0
      src/shibboleth-identity-provider-3.2.1/dist/conf/authn/remoteuser-internal-authn-config.xml.dist
  95. 0
    5
      src/shibboleth-identity-provider-3.2.1/dist/conf/authn/spnego-authn-config.xml.dist
  96. 2
    5
      src/shibboleth-identity-provider-3.2.1/dist/conf/authn/x509-authn-config.xml.dist
  97. 0
    0
      src/shibboleth-identity-provider-3.2.1/dist/conf/authn/x509-internal-authn-config.xml.dist
  98. 0
    0
      src/shibboleth-identity-provider-3.2.1/dist/conf/c14n/attribute-sourced-subject-c14n-config.xml.dist
  99. 0
    0
      src/shibboleth-identity-provider-3.2.1/dist/conf/c14n/simple-subject-c14n-config.xml.dist
  100. 0
    0
      src/shibboleth-identity-provider-3.2.1/dist/conf/c14n/subject-c14n-events-flow.xml.dist

+ 0
- 0
src/.gitkeep View File


src/shibboleth-identity-provider-3.3.3/LICENSE.txt → src/shibboleth-identity-provider-3.2.1/LICENSE.txt View File


src/shibboleth-identity-provider-3.3.3/bin/aacli.bat → src/shibboleth-identity-provider-3.2.1/bin/aacli.bat View File


src/shibboleth-identity-provider-3.3.3/bin/aacli.sh → src/shibboleth-identity-provider-3.2.1/bin/aacli.sh View File


src/shibboleth-identity-provider-3.3.3/bin/ant-jetty.xml → src/shibboleth-identity-provider-3.2.1/bin/ant-jetty.xml View File


src/shibboleth-identity-provider-3.3.3/bin/ant.bat → src/shibboleth-identity-provider-3.2.1/bin/ant.bat View File


src/shibboleth-identity-provider-3.3.3/bin/ant.sh → src/shibboleth-identity-provider-3.2.1/bin/ant.sh View File


src/shibboleth-identity-provider-3.3.3/bin/build.bat → src/shibboleth-identity-provider-3.2.1/bin/build.bat View File


src/shibboleth-identity-provider-3.3.3/bin/build.sh → src/shibboleth-identity-provider-3.2.1/bin/build.sh View File


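--- a/src/shibboleth-identity-provider-3.3.3/bin/build.xml
+++ b/src/shibboleth-identity-provider-3.2.1/bin/build.xml
@@ -116,7 +116,7 @@
     <target name="getsource" unless="idp.src.dir">
         <TGT>getsource</TGT>
         <fail if="idp.noprompt">Input needed, silence demanded</fail>
-        <input message="Source (Distribution) Directory (press &lt;enter&gt; to accept default):" addproperty="idp.src.dir" defaultvalue="${basedir}" />
+        <input message="Source (Distribution) Directory:" addproperty="idp.src.dir" defaultvalue="${basedir}" />
     </target>
 
     <target name="gettarget" depends="target-properties, setmerge, setservicemerge, target-src-default, target-nosrc-default, prompttarget, settarget, setfilemode" />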

src/shibboleth-identity-provider-3.3.3/bin/install.bat → src/shibboleth-identity-provider-3.2.1/bin/install.bat View File


src/shibboleth-identity-provider-3.3.3/bin/install.sh → src/shibboleth-identity-provider-3.2.1/bin/install.sh View File


src/shibboleth-identity-provider-3.3.3/bin/keygen.bat → src/shibboleth-identity-provider-3.2.1/bin/keygen.bat View File


src/shibboleth-identity-provider-3.3.3/bin/keygen.sh → src/shibboleth-identity-provider-3.2.1/bin/keygen.sh View File


src/shibboleth-identity-provider-3.3.3/bin/lib/ant-1.9.4.jar → src/shibboleth-identity-provider-3.2.1/bin/lib/ant-1.9.4.jar View File


src/shibboleth-identity-provider-3.3.3/bin/lib/ant-launcher-1.9.4.jar → src/shibboleth-identity-provider-3.2.1/bin/lib/ant-launcher-1.9.4.jar View File


BIN
src/shibboleth-identity-provider-3.3.3/bin/lib/bcpkix-jdk15on-1.54.jar → src/shibboleth-identity-provider-3.2.1/bin/lib/bcpkix-jdk15on-1.53.jar View File


BIN
src/shibboleth-identity-provider-3.2.1/bin/lib/idp-installer-3.2.1.jar View File


src/shibboleth-identity-provider-3.3.3/webapp/WEB-INF/lib/jcommander-1.48.jar → src/shibboleth-identity-provider-3.2.1/bin/lib/jcommander-1.48.jar View File


src/shibboleth-identity-provider-3.3.3/bin/reload-metadata.bat → src/shibboleth-identity-provider-3.2.1/bin/reload-metadata.bat View File


src/shibboleth-identity-provider-3.3.3/bin/reload-metadata.sh → src/shibboleth-identity-provider-3.2.1/bin/reload-metadata.sh View File


src/shibboleth-identity-provider-3.3.3/bin/reload-service.bat → src/shibboleth-identity-provider-3.2.1/bin/reload-service.bat View File


src/shibboleth-identity-provider-3.3.3/bin/reload-service.sh → src/shibboleth-identity-provider-3.2.1/bin/reload-service.sh View File


src/shibboleth-identity-provider-3.3.3/bin/runclass.bat → src/shibboleth-identity-provider-3.2.1/bin/runclass.bat View File


src/shibboleth-identity-provider-3.3.3/bin/runclass.sh → src/shibboleth-identity-provider-3.2.1/bin/runclass.sh View File


src/shibboleth-identity-provider-3.3.3/bin/seckeygen.bat → src/shibboleth-identity-provider-3.2.1/bin/seckeygen.bat View File


src/shibboleth-identity-provider-3.3.3/bin/seckeygen.sh → src/shibboleth-identity-provider-3.2.1/bin/seckeygen.sh View File


src/shibboleth-identity-provider-3.3.3/bin/status.bat → src/shibboleth-identity-provider-3.2.1/bin/status.bat View File


src/shibboleth-identity-provider-3.3.3/bin/status.sh → src/shibboleth-identity-provider-3.2.1/bin/status.sh View File


src/shibboleth-identity-provider-3.3.3/bin/version.bat → src/shibboleth-identity-provider-3.2.1/bin/version.bat View File


src/shibboleth-identity-provider-3.3.3/bin/version.sh → src/shibboleth-identity-provider-3.2.1/bin/version.sh View File


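--- /dev/null
+++ b/src/shibboleth-identity-provider-3.2.1/conf/access-control.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!-- Map of access control policies used to limit access to administrative functions. -->
+
+    <!--
+    The only built-in implementation of the AccessControl interface is IP-based, as below.
+    The ranges provided MUST be CIDR network expressions. To specify a single address,
+    add "/32" or "/128" for IPv4 or IPv6 respectively.
+    -->
+
+    <util:map id="shibboleth.AccessControlPolicies">
+    
+        <entry key="AccessByIPAddress">
+            <bean parent="shibboleth.IPRangeAccessControl"
+                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
+        </entry>
+    
+    </util:map>
+
+</beans>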
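Review bot: The restored `AccessByIPAddress` policy allows only loopback (`127.0.0.1/32`, `::1/128`), which is the right default for the administrative functions this map guards, but the file's comment says nothing about which address the check actually sees. If the IdP is fronted by a reverse proxy or AJP connector on the same host and the servlet container is not configured to honour the forwarded client address, every proxied request arrives from loopback and satisfies this policy, so the allow-list silently stops restricting anything; in the opposite deployment (proxy on another host) it locks all administrators out. A one-line comment next to the entry would spare a deployer that surprise: `<!-- Ranges are matched against the address the container reports; behind a same-host proxy that address is loopback unless forwarded-address handling is enabled. -->`. Separately, lines 11, 24 and 29 of the new file are whitespace-only and could be trimmed.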

src/shibboleth-identity-provider-3.3.3/conf/attribute-filter.xml → src/shibboleth-identity-provider-3.2.1/conf/attribute-filter.xml View File


+ 295
- 0
src/shibboleth-identity-provider-3.2.1/conf/attribute-resolver-full.xml View File

@@ -0,0 +1,295 @@
1
+<?xml version="1.0" encoding="UTF-8"?>
2
+<!-- 
3
+    This file is an EXAMPLE configuration file containing lots of commented
4
+    example attributes, encoders, and a couple of example data connectors.
5
+    
6
+    Not all attribute definitions or data connectors are demonstrated, but
7
+    a variety of LDAP attributes, some common to Shibboleth deployments and
8
+    many not, are included.
9
+    
10
+    Deployers should refer to the Shibboleth 2 documentation for a complete
11
+    list of components  and their options.
12
+-->
13
+<resolver:AttributeResolver
14
+        xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
15
+        xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
16
+        xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
17
+        xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
18
+        xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
19
+        xmlns:sec="urn:mace:shibboleth:2.0:security"
20
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
21
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
22
+                            urn:mace:shibboleth:2.0:resolver:pc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
23
+                            urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
24
+                            urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
25
+                            urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
26
+                            urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">
27
+
28
+    <!-- ========================================== -->
29
+    <!--      Attribute Definitions                 -->
30
+    <!-- ========================================== -->
31
+
32
+    <!-- Schema: Core schema attributes-->
33
+    <!--
34
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
35
+        <resolver:Dependency ref="myLDAP" />
36
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
37
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
38
+    </resolver:AttributeDefinition>
39
+
40
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail">
41
+        <resolver:Dependency ref="myLDAP" />
42
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
43
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
44
+    </resolver:AttributeDefinition>
45
+
46
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="homePhone" sourceAttributeID="homePhone">
47
+        <resolver:Dependency ref="myLDAP" />
48
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:homePhone" encodeType="false" />
49
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" encodeType="false" />
50
+    </resolver:AttributeDefinition>
51
+
52
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="homePostalAddress" sourceAttributeID="homePostalAddress">
53
+        <resolver:Dependency ref="myLDAP" />
54
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:homePostalAddress" encodeType="false" />
55
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.39" friendlyName="homePostalAddress" encodeType="false" />
56
+    </resolver:AttributeDefinition>
57
+
58
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="mobileNumber" sourceAttributeID="mobile">
59
+        <resolver:Dependency ref="myLDAP" />
60
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" />
61
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" />
62
+    </resolver:AttributeDefinition>
63
+
64
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="pagerNumber" sourceAttributeID="pager">
65
+        <resolver:Dependency ref="myLDAP" />
66
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:pager" encodeType="false" />
67
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" />
68
+    </resolver:AttributeDefinition>
69
+
70
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
71
+        <resolver:Dependency ref="myLDAP" />
72
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
73
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
74
+    </resolver:AttributeDefinition>
75
+
76
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="locality" sourceAttributeID="l">
77
+        <resolver:Dependency ref="myLDAP" />
78
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" />
79
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" encodeType="false" />
80
+    </resolver:AttributeDefinition>
81
+
82
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="stateProvince" sourceAttributeID="st">
83
+        <resolver:Dependency ref="myLDAP" />
84
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:st" encodeType="false" />
85
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.8" friendlyName="st" encodeType="false" />
86
+    </resolver:AttributeDefinition>
87
+
88
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="street" sourceAttributeID="street">
89
+        <resolver:Dependency ref="myLDAP" />
90
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:street" encodeType="false" />
91
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.9" friendlyName="street" encodeType="false" />
92
+    </resolver:AttributeDefinition>
93
+
94
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="organizationName" sourceAttributeID="o">
95
+        <resolver:Dependency ref="myLDAP" />
96
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" />
97
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
98
+    </resolver:AttributeDefinition>
99
+
100
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="organizationalUnit" sourceAttributeID="ou">
101
+        <resolver:Dependency ref="myLDAP" />
102
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:ou" encodeType="false" />
103
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.11" friendlyName="ou" encodeType="false" />
104
+    </resolver:AttributeDefinition>
105
+
106
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="title" sourceAttributeID="title">
107
+        <resolver:Dependency ref="myLDAP" />
108
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" />
109
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" />
110
+    </resolver:AttributeDefinition>
111
+
112
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="postalAddress" sourceAttributeID="postalAddress">
113
+        <resolver:Dependency ref="myLDAP" />
114
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:postalAddress" encodeType="false" />
115
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.16" friendlyName="postalAddress" encodeType="false" />
116
+    </resolver:AttributeDefinition>
117
+
118
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="postalCode" sourceAttributeID="postalCode">
119
+        <resolver:Dependency ref="myLDAP" />
120
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:postalCode" encodeType="false" />
121
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.17" friendlyName="postalCode" encodeType="false" />
122
+    </resolver:AttributeDefinition>
123
+
124
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="postOfficeBox" sourceAttributeID="postOfficeBox">
125
+        <resolver:Dependency ref="myLDAP" />
126
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:postOfficeBox" encodeType="false" />
127
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.18" friendlyName="postOfficeBox" encodeType="false" />
128
+    </resolver:AttributeDefinition>
129
+
130
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="telephoneNumber" sourceAttributeID="telephoneNumber">
131
+        <resolver:Dependency ref="myLDAP" />
132
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" />
133
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" />
134
+    </resolver:AttributeDefinition>
135
+
136
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
137
+        <resolver:Dependency ref="myLDAP" />
138
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
139
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
140
+    </resolver:AttributeDefinition>
141
+
142
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="initials" sourceAttributeID="initials">
143
+        <resolver:Dependency ref="myLDAP" />
144
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:initials" encodeType="false" />
145
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" encodeType="false" />
146
+    </resolver:AttributeDefinition>
147
+     -->
148
+
149
+    <!-- Schema: inetOrgPerson attributes-->
150
+    <!--
151
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="departmentNumber" sourceAttributeID="departmentNumber">
152
+        <resolver:Dependency ref="myLDAP" />
153
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" />
154
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" />
155
+    </resolver:AttributeDefinition>
156
+    
157
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="displayName" sourceAttributeID="displayName">
158
+        <resolver:Dependency ref="myLDAP" />
159
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
160
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
161
+    </resolver:AttributeDefinition> 
162
+
163
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="employeeNumber" sourceAttributeID="employeeNumber">
164
+        <resolver:Dependency ref="myLDAP" />
165
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:employeeNumber" encodeType="false" />
166
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" encodeType="false" />
167
+    </resolver:AttributeDefinition>
168
+
169
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="employeeType" sourceAttributeID="employeeType">
170
+        <resolver:Dependency ref="myLDAP" />
171
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" />
172
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" />
173
+    </resolver:AttributeDefinition>
174
+
175
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="jpegPhoto" sourceAttributeID="jpegPhoto">
176
+        <resolver:Dependency ref="myLDAP" />
177
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:jpegPhoto" encodeType="false" />
178
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.60" friendlyName="jpegPhoto" encodeType="false" />
179
+    </resolver:AttributeDefinition>
180
+
181
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="preferredLanguage" sourceAttributeID="preferredLanguage">
182
+        <resolver:Dependency ref="myLDAP" />
183
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" encodeType="false" />
184
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" encodeType="false" />
185
+    </resolver:AttributeDefinition>
186
+    -->
187
+
188
+    <!-- Schema: eduPerson attributes -->
189
+    <!--
190
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAffiliation" sourceAttributeID="eduPersonAffiliation">
191
+        <resolver:Dependency ref="myLDAP" />
192
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
193
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" />
194
+    </resolver:AttributeDefinition>
195
+
196
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonEntitlement" sourceAttributeID="eduPersonEntitlement">
197
+        <resolver:Dependency ref="myLDAP" />
198
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" />
199
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false" />
200
+    </resolver:AttributeDefinition>
201
+
202
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonNickname" sourceAttributeID="eduPersonNickname">
203
+        <resolver:Dependency ref="myLDAP" />
204
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonNickname" encodeType="false" />
205
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" friendlyName="eduPersonNickname" encodeType="false" />
206
+    </resolver:AttributeDefinition>
207
+
208
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonPrimaryAffiliation" sourceAttributeID="eduPersonPrimaryAffiliation">
209
+        <resolver:Dependency ref="myLDAP" />
210
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" />
211
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
212
+    </resolver:AttributeDefinition>
213
+
214
+    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonUniqueId" scope="%{idp.scope}" sourceAttributeID="localUniqueId">
215
+        <resolver:Dependency ref="myLDAP" />
216
+        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" encodeType="false" />
217
+        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" encodeType="false" />
218
+    </resolver:AttributeDefinition>
219
+
220
+    <resolver:AttributeDefinition xsi:type="ad:Prescoped" id="eduPersonPrincipalName" sourceAttributeID="eduPersonPrincipalName">
221
+        <resolver:Dependency ref="myLDAP" />
222
+        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
223
+        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
224
+    </resolver:AttributeDefinition>
225
+
226
+    <resolver:AttributeDefinition xsi:type="ad:Prescoped" id="eduPersonPrincipalNamePrior" sourceAttributeID="eduPersonPrincipalNamePrior">
227
+        <resolver:Dependency ref="myLDAP" />
228
+        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" encodeType="false" />
229
+        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" friendlyName="eduPersonPrincipalNamePrior" encodeType="false" />
230
+    </resolver:AttributeDefinition>
231
+
232
+    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}" sourceAttributeID="eduPersonAffiliation">
233
+        <resolver:Dependency ref="myLDAP" />
234
+        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
235
+        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
236
+    </resolver:AttributeDefinition>
237
+    
238
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAssurance" sourceAttributeID="eduPersonAssurance">
239
+        <resolver:Dependency ref="myLDAP" />
240
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAssurance" encodeType="false" />
241
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance" encodeType="false" />
242
+    </resolver:AttributeDefinition>
243
+    -->
244
+
245
+    <!-- ========================================== -->
246
+    <!--      Data Connectors                       -->
247
+    <!-- ========================================== -->
248
+
249
+    <!-- Example Static Connector -->
250
+    <!--
251
+    <resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
252
+        <dc:Attribute id="eduPersonAffiliation">
253
+            <dc:Value>member</dc:Value>
254
+        </dc:Attribute>
255
+    </resolver:DataConnector>
256
+    -->
257
+
258
+    <!-- Example Relational Database Connector -->
259
+    <!--
260
+    <resolver:DataConnector id="mySIS" xsi:type="dc:RelationalDatabase">
261
+        <dc:ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
262
+                                         jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB" 
263
+                                         jdbcUserName="myid" 
264
+                                         jdbcPassword="mypassword" />
265
+        <dc:QueryTemplate>
266
+            <![CDATA[
267
+                SELECT * FROM student WHERE gzbtpid = '$resolutionContext.principal'
268
+            ]]>
269
+        </dc:QueryTemplate>
270
+
271
+        <dc:Column columnName="gzbtpid" attributeID="uid" />
272
+        <dc:Column columnName="fqlft" attributeID="gpa" />
273
+    </resolver:DataConnector>
274
+     -->
275
+
276
+    <!-- Example LDAP Connector -->
277
+    <!--
278
+    <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
279
+        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
280
+        baseDN="%{idp.attribute.resolver.LDAP.baseDN}" 
281
+        principal="%{idp.attribute.resolver.LDAP.bindDN}"
282
+        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
283
+        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
284
+        <dc:FilterTemplate>
285
+            <![CDATA[
286
+                %{idp.attribute.resolver.LDAP.searchFilter}
287
+            ]]>
288
+        </dc:FilterTemplate>
289
+        <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
290
+            <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
291
+        </dc:StartTLSTrustCredential>
292
+    </resolver:DataConnector>
293
+    -->
294
+
295
+</resolver:AttributeResolver>

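--- a/src/shibboleth-identity-provider-3.2.1/conf/attribute-resolver-ldap.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/attribute-resolver-ldap.xml
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+    This file is an EXAMPLE configuration file. While the configuration
+    presented in this example file is semi-functional, it isn't very
+    interesting. It is here only as a starting point for your deployment
+    process.
+    
+    Very few attribute definitions and data connectors are demonstrated,
+    and use of LDAP is assumed, with the LDAP configuration primarily
+    supplied from the ldap.properties file.
+
+    Attribute-resolver-full.xml contains more examples of attributes,
+    encoders, and data connectors. Deployers should refer to the Shibboleth
+    documentation for a complete list of components and their options.
+-->
+<resolver:AttributeResolver
+        xmlns:resolver="urn:mace:shibboleth:2.0:resolver" 
+        xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
+        xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" 
+        xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
+        xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder" 
+        xmlns:sec="urn:mace:shibboleth:2.0:security"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
+                            urn:mace:shibboleth:2.0:resolver:pc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
+                            urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
+                            urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
+                            urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
+                            urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">
+
+    <!-- ========================================== -->
+    <!--      Attribute Definitions                 -->
+    <!-- ========================================== -->
+
+    <!--
+    The EPPN is the "standard" federated username in higher ed.
+    For guidelines on the implementation of this attribute, refer
+    to the Shibboleth and eduPerson documentation. Above all, do
+    not expose a value for this attribute without considering the
+    long term implications. 
+    -->
+    <resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Prescoped" sourceAttributeID="eduPersonPrincipalName">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <!--
+    The uid is the closest thing to a "standard" LDAP attribute
+    representing a local username, but you should generally *never*
+    expose uid to federated services, as it is rarely globally unique.
+    -->
+    <resolver:AttributeDefinition id="uid" xsi:type="ad:Simple" sourceAttributeID="uid">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <!--
+    In the rest of the world, the email address is the standard identifier,
+    despite the problems with that practice. Consider making the EPPN value
+    the same as your official email addresses whenever possible.
+    -->
+    <resolver:AttributeDefinition id="mail" xsi:type="ad:Simple" sourceAttributeID="mail">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+    </resolver:AttributeDefinition>
+        
+    <!-- ========================================== -->
+    <!--      Data Connectors                       -->
+    <!-- ========================================== -->
+    
+    <!--
+    Example LDAP Connector
+    
+    The connectivity details can be specified in ldap.properties to
+    share them with your authentication settings if desired.
+    -->
+    <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
+        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+        baseDN="%{idp.attribute.resolver.LDAP.baseDN}" 
+        principal="%{idp.attribute.resolver.LDAP.bindDN}"
+        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
+        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
+        <dc:FilterTemplate>
+            <![CDATA[
+                %{idp.attribute.resolver.LDAP.searchFilter}
+            ]]>
+        </dc:FilterTemplate>
+        <dc:ReturnAttributes>%{idp.attribute.resolver.LDAP.returnAttributes}</dc:ReturnAttributes>
+        <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
+            <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
+        </dc:StartTLSTrustCredential>
+    </resolver:DataConnector>
+
+</resolver:AttributeResolver>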

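--- a/src/shibboleth-identity-provider-3.2.1/conf/attribute-resolver.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/attribute-resolver.xml
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+    This file is an EXAMPLE configuration file. While the configuration
+    presented in this example file is semi-functional, it isn't very
+    interesting. It is here only as a starting point for your deployment
+    process.
+    
+    Very few attribute definitions and data connectors are demonstrated,
+    and the data is derived statically from the logged-in username and a
+    static example connector.
+
+    Attribute-resolver-full.xml contains more examples of attributes,
+    encoders, and data connectors. Deployers should refer to the Shibboleth
+    documentation for a complete list of components and their options.
+-->
+<resolver:AttributeResolver
+        xmlns:resolver="urn:mace:shibboleth:2.0:resolver" 
+        xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
+        xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" 
+        xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
+        xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder" 
+        xmlns:sec="urn:mace:shibboleth:2.0:security"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
+                            urn:mace:shibboleth:2.0:resolver:pc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
+                            urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
+                            urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
+                            urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
+                            urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">
+
+    <!-- ========================================== -->
+    <!--      Attribute Definitions                 -->
+    <!-- ========================================== -->
+
+    <!--
+    The EPPN is the "standard" federated username in higher ed.
+    For guidelines on the implementation of this attribute, refer
+    to the Shibboleth and eduPerson documentation. Above all, do
+    not expose a value for this attribute without considering the
+    long term implications. 
+    -->
+    <resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
+        <resolver:Dependency ref="uid" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <!--
+    The uid is the closest thing to a "standard" LDAP attribute
+    representing a local username, but you should generally *never*
+    expose uid to federated services, as it is rarely globally unique.
+    -->
+    <resolver:AttributeDefinition id="uid" xsi:type="ad:PrincipalName">
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <!--
+    In the rest of the world, the email address is the standard identifier,
+    despite the problems with that practice. Consider making the EPPN
+    value the same as your official email addresses whenever possible.
+    -->
+    <resolver:AttributeDefinition id="mail" xsi:type="ad:Template">
+        <resolver:Dependency ref="uid" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+        <ad:Template>
+          <![CDATA[
+               ${uid}@example.org
+          ]]>
+        </ad:Template>
+        <ad:SourceAttribute>uid</ad:SourceAttribute>
+    </resolver:AttributeDefinition>
+
+    <!--
+    This is an example of an attribute sourced from a data connector.
+    -->
+    <resolver:AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="affiliation">
+        <resolver:Dependency ref="staticAttributes" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+
+    <!-- ========================================== -->
+    <!--      Data Connectors                       -->
+    <!-- ========================================== -->
+
+    <resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
+        <dc:Attribute id="affiliation">
+            <dc:Value>member</dc:Value>
+        </dc:Attribute>
+    </resolver:DataConnector>
+
+</resolver:AttributeResolver>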

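--- a/src/shibboleth-identity-provider-3.2.1/conf/audit.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/audit.xml
@@ -0,0 +1,103 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+    default-init-method="initialize"
+    default-destroy-method="destroy">
+
+    <!--
+    This bean defines a mapping between audit log categories and formatting strings. The default entry is
+    for compatibility with V2 audit logging.
+    -->
+    <util:map id="shibboleth.AuditFormattingMap">
+        <entry key="Shibboleth-Audit" value="%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|" />
+    </util:map>
+
+    <!-- Allows auditing to be disabled selectively for particular profiles/flows. -->
+    <util:list id="shibboleth.AuditSuppressedProfiles">
+        <value>http://shibboleth.net/ns/profiles/status</value>
+    </util:list>
+
+    <!--
+    The beans below need to be defined, even if left empty. They can be ignored in most cases.
+    
+    If you write your own function to extract a new piece of data for auditing, you can install it into one or more
+    of the maps below to add it to the auditing framework, keyed by an audit field label to be used in formatting.
+    -->
+
+    <bean id="shibboleth.PostDecodeAuditExtractors" parent="shibboleth.DefaultPostDecodeAuditExtractors" lazy-init="true">
+        <property name="sourceMap">
+            <map merge="true">
+            </map>
+        </property>
+    </bean>
+
+    <bean id="shibboleth.PostLookupAuditExtractors" parent="shibboleth.DefaultPostLookupAuditExtractors" lazy-init="true">
+        <property name="sourceMap">
+            <map merge="true">
+            </map>
+        </property>
+    </bean>
+
+    <bean id="shibboleth.PostAssertionAuditExtractors" parent="shibboleth.DefaultPostAssertionAuditExtractors" lazy-init="true">
+        <property name="sourceMap">
+            <map merge="true">
+            </map>
+        </property>
+    </bean>
+
+    <bean id="shibboleth.PostResponseAuditExtractors" parent="shibboleth.DefaultPostResponseAuditExtractors" lazy-init="true">
+        <property name="sourceMap">
+            <map merge="true">
+            </map>
+        </property>
+    </bean>
+
+    <bean id="shibboleth.LogoutRequestAuditExtractors" parent="shibboleth.DefaultLogoutRequestAuditExtractors" lazy-init="true">
+        <property name="sourceMap">
+            <map merge="true">
+            </map>
+        </property>
+    </bean>
+    
+    <bean id="shibboleth.LogoutAuditExtractors" parent="shibboleth.DefaultLogoutAuditExtractors" lazy-init="true">
+        <property name="sourceMap">
+            <map merge="true">
+            </map>
+        </property>
+    </bean>
+
+    <bean id="shibboleth.ErrorViewAuditExtractors" parent="shibboleth.DefaultErrorViewAuditExtractors" lazy-init="true">
+        <property name="sourceMap">
+            <map merge="true">
+            </map>
+        </property>
+    </bean>
+
+    <bean id="shibboleth.CASLoginAuditExtractors" parent="shibboleth.DefaultCASLoginAuditExtractors" lazy-init="true">
+        <property name="sourceMap">
+            <map merge="true">
+            </map>
+        </property>
+    </bean>
+
+    <bean id="shibboleth.CASValidationAuditExtractors" parent="shibboleth.DefaultCASValidationAuditExtractors" lazy-init="true">
+        <property name="sourceMap">
+            <map merge="true">
+            </map>
+        </property>
+    </bean>
+
+    <bean id="shibboleth.CASProxyAuditExtractors" parent="shibboleth.DefaultCASProxyAuditExtractors" lazy-init="true">
+        <property name="sourceMap">
+            <map merge="true">
+            </map>
+        </property>
+    </bean>
+    
+</beans>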

src/shibboleth-identity-provider-3.3.3/conf/authn/authn-comparison.xml → src/shibboleth-identity-provider-3.2.1/conf/authn/authn-comparison.xml View File


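--- a/src/shibboleth-identity-provider-3.3.3/conf/authn/authn-events-flow.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/authn/authn-events-flow.xml
@@ -13,9 +13,6 @@
     <!-- Custom error events to reflect back from user-supplied login subflows. -->
     <!--
     <end-state id="MyCustomEvent" />
-
-    <global-transitions>
-        <transition on="MyCustomEvent" to="MyCustomEvent" />
-    </global-transitions>
     -->
+
 </flow>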

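--- a/src/shibboleth-identity-provider-3.3.3/conf/authn/external-authn-config.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/authn/external-authn-config.xml
@@ -16,11 +16,8 @@
     <bean id="shibboleth.authn.External.externalAuthnPath" class="java.lang.String"
         c:_0="contextRelative:Authn/External" />
 
-    <!--
-    Default is to always use the path in the bean above. If you want to determine it
-    dynamically, define a bean called "shibboleth.authn.External.externalAuthnPathStrategy"
-    of type Function<ProfileRequestContext,String> that returns the path to use.
-    -->
+    <!-- Populate RP UI info from metadata? -->
+    <util:constant id="shibboleth.authn.External.populateUIInfo" static-field="java.lang.Boolean.FALSE" />
 
     <!--
     Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
@@ -30,11 +27,6 @@
     <util:constant id="shibboleth.authn.External.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />
 
     <!--
-    <bean id="shibboleth.authn.External.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
-        c:_0="^(.+)@example\.edu]$" />
-    -->
-
-    <!--
     Define entries here to map error messages returned by external modules and classify them as particular
     kinds of errors for use in your templates and as events in flows.
 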

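--- a/src/shibboleth-identity-provider-3.3.3/conf/authn/general-authn.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/authn/general-authn.xml
@@ -90,48 +90,6 @@
                 p:passiveAuthenticationSupported="true"
                 p:forcedAuthenticationSupported="true" />
 
-        <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
-                p:forcedAuthenticationSupported="true"
-                p:nonBrowserSupported="false">
-            <!--
-            The list below should be changed to reflect whatever locally- or
-            community-defined values are appropriate to represent MFA. It is
-            strongly advised that the value not be specific to Duo or any
-            particular technology.
-            -->
-            <property name="supportedPrincipals">
-                <list>
-                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
-                        c:classRef="http://example.org/ac/classes/mfa" />
-                    <bean parent="shibboleth.SAML1AuthenticationMethod"
-                        c:method="http://example.org/ac/classes/mfa" />
-                </list>
-            </property>
-        </bean>
-
-        <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
-                p:passiveAuthenticationSupported="true"
-                p:forcedAuthenticationSupported="true">
-            <!--
-            The list below almost certainly requires changes, and should generally be the
-            union of any of the separate factors you combine in your particular MFA flow
-            rules. The example corresponds to the example in mfa-authn-config.xml that
-            combines IPAddress with Password.
-            -->
-            <property name="supportedPrincipals">
-                <list>
-                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
-                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
-                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
-                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
-                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
-                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
-                    <bean parent="shibboleth.SAML1AuthenticationMethod"
-                        c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
-                </list>
-            </property>
-        </bean>
-
     </util:list>
 
     <!--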
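Review bot: Dropping the `authn/Duo` and `authn/MFA` descriptors from the flow list means any `idp.authn.flows` value in idp.properties that still names `Duo` or `MFA` no longer refers to a declared flow, and the IdP will refuse to use it. idp.properties is outside this view, so confirm the property was reverted in the same commit, and that any relying party that asked for the mfa authentication-context class is expected to fall back to Password. The enclosing util:list starts before the hunk.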

src/shibboleth-identity-provider-3.3.3/conf/authn/ipaddress-authn-config.xml → src/shibboleth-identity-provider-3.2.1/conf/authn/ipaddress-authn-config.xml View File


src/shibboleth-identity-provider-3.3.3/conf/authn/jaas-authn-config.xml → src/shibboleth-identity-provider-3.2.1/conf/authn/jaas-authn-config.xml View File


src/shibboleth-identity-provider-3.3.3/conf/authn/jaas.config → src/shibboleth-identity-provider-3.2.1/conf/authn/jaas.config View File


src/shibboleth-identity-provider-3.3.3/conf/authn/krb5-authn-config.xml → src/shibboleth-identity-provider-3.2.1/conf/authn/krb5-authn-config.xml View File


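--- a/src/shibboleth-identity-provider-3.3.3/conf/authn/ldap-authn-config.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/authn/ldap-authn-config.xml
@@ -21,8 +21,7 @@
     <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true" p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
         p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
         p:useSSL="%{idp.authn.LDAP.useSSL:false}"
-        p:connectTimeoutDuration="%{idp.authn.LDAP.connectTimeout:PT3S}"
-        p:responseTimeoutDuration="%{idp.authn.LDAP.responseTimeout:PT3S}"
+        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
         p:sslConfig-ref="sslConfig" />
 
     <alias name="%{idp.authn.LDAP.sslConfig:certificateTrust}" alias="sslConfig" />
@@ -52,7 +51,7 @@
 
     <!-- Pool Configuration -->
     <bean id="connectionPool" class="org.ldaptive.pool.BlockingConnectionPool" abstract="true"
-        p:blockWaitTimeDuration="%{idp.pool.LDAP.blockWaitTime:PT3S}"
+        p:blockWaitTime="%{idp.pool.LDAP.blockWaitTime:3000}"
         p:poolConfig-ref="poolConfig"
         p:pruneStrategy-ref="pruneStrategy"
         p:validator-ref="searchValidator"
@@ -62,10 +61,10 @@
         p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
         p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}"
         p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
-        p:validatePeriodDuration="%{idp.pool.LDAP.validatePeriod:PT5M}" />
+        p:validatePeriod="%{idp.pool.LDAP.validatePeriod:300}" />
     <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
-        p:prunePeriodDuration="%{idp.pool.LDAP.prunePeriod:PT5M}"
-        p:idleTimeDuration="%{idp.pool.LDAP.idleTime:PT10M}" />
+        p:prunePeriod="%{idp.pool.LDAP.prunePeriod:300}"
+        p:idleTime="%{idp.pool.LDAP.idleTime:600}" />
     <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
 
     <!-- Anonymous Search Configuration -->
@@ -73,13 +72,11 @@
         <constructor-arg index="0" ref="anonSearchDnResolver" />
         <constructor-arg index="1" ref="authHandler" />
     </bean>
-    <bean id="anonSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver"
+    <bean id="anonSearchDnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
         p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
         p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
-        p:connectionFactory-ref="anonSearchPooledConnectionFactory" >
-        <constructor-arg index="0" ref="shibboleth.VelocityEngine" />
-        <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
-    </bean>
+        p:userFilter="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}"
+        p:connectionFactory-ref="anonSearchPooledConnectionFactory" />
     <bean id="anonSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
         p:connectionPool-ref="anonSearchConnectionPool" />
     <bean id="anonSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
@@ -92,13 +89,11 @@
         <constructor-arg index="0" ref="bindSearchDnResolver" />
         <constructor-arg index="1" ref="authHandler" />
     </bean>
-    <bean id="bindSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver"
+    <bean id="bindSearchDnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
         p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
         p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
-        p:connectionFactory-ref="bindSearchPooledConnectionFactory" >
-        <constructor-arg index="0" ref="shibboleth.VelocityEngine" />
-        <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
-    </bean>
+        p:userFilter="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}"
+        p:connectionFactory-ref="bindSearchPooledConnectionFactory" />
     <bean id="bindSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
         p:connectionPool-ref="bindSearchConnectionPool" />
     <bean id="bindSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"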
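Review bot: The new connectionConfig bean in the first hunk keeps only `p:connectTimeout` and drops the response timeout altogether, so a directory that accepts the TCP connection but never answers a bind or search is no longer bounded by this bean and can hold login threads open. If the ldaptive build shipped with 3.2.1 exposes a millisecond response-timeout property on org.ldaptive.ConnectionConfig, restore it next to the connect timeout, e.g. `p:responseTimeout="%{idp.authn.LDAP.responseTimeout:3000}"`; otherwise a comment stating that no response timeout is applied would stop the next reader assuming one exists. The fourth and fifth hunks also switch the DN resolvers from the Velocity-template class to `org.ldaptive.auth.PooledSearchDnResolver` with a plain `p:userFilter`, so an `idp.authn.LDAP.userFilter` value in ldap.properties written for the template resolver must be converted back to the placeholder form that class expects; ldap.properties is outside this view, so confirm it was reverted too. The bean definitions around each hunk continue outside it.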

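--- a/src/shibboleth-identity-provider-3.3.3/conf/authn/password-authn-config.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/authn/password-authn-config.xml
@@ -31,22 +31,12 @@
     <!-- Set to TRUE if you want the password kept in the resulting Subject as a private credential. -->
     <util:constant id="shibboleth.authn.Password.RetainAsPrivateCredential" static-field="java.lang.Boolean.FALSE"/>
 
-    <!-- Apply any regular expression replacement pairs to username before validation. -->
+    <!-- Apply any regular expression replacement pairs before validation. -->
     <util:list id="shibboleth.authn.Password.Transforms">
         <!--
         <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
         -->
     </util:list>
-    
-    <!-- Uncomment to configure account lockout backed by in-memory storage. -->
-    <!--
-    <bean id="shibboleth.authn.Password.AccountLockoutManager"
-        parent="shibboleth.StorageBackedAccountLockoutManager"
-        p:maxAttempts="5"
-        p:counterInterval="PT5M"
-        p:lockoutDuration="PT5M"
-        p:extendLockoutDuration="false" />
-    -->
 
     <!--
     Define entries here to map error messages detected by validation actions and classify them as particular
@@ -68,12 +58,10 @@
                 <value>InvalidCredentials</value>
                 <value>PREAUTH_FAILED</value>
                 <value>INVALID_CREDENTIALS</value>
-                <value>Checksum failed</value>
             </list>
         </entry>
         <entry key="AccountLocked">
             <list>
-                <value>AccountLocked</value>
                 <value>Clients credentials have been revoked</value>
             </list>
         </entry>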
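Review bot: With the commented `AccountLockoutManager` example and the `AccountLocked` classifier value both gone, the Password flow on the new side carries no lockout or throttling setting at all, and nothing in the file says where password-guessing is now limited. The remaining `AccountLocked` entry maps only `Clients credentials have been revoked`, so a directory-side lockout that reports a different message will not be classified as AccountLocked (what the directory actually returns cannot be seen from the hunk). A one-line comment above the `shibboleth.authn.Password.Transforms` list would make the trade-off explicit: `<!-- No lockout is configured in this version; limits on password guessing must come from the directory, and its lockout message should be mapped under AccountLocked below. -->`.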

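--- a/src/shibboleth-identity-provider-3.3.3/conf/authn/remoteuser-authn-config.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/authn/remoteuser-authn-config.xml
@@ -15,12 +15,9 @@
     <!-- Servlet context-relative path to wherever your implementation lives. -->
     <bean id="shibboleth.authn.RemoteUser.externalAuthnPath" class="java.lang.String"
         c:_0="contextRelative:Authn/RemoteUser" />
-    
-    <!--
-    Default is to always use the path in the bean above. If you want to determine it
-    dynamically, define a bean called "shibboleth.authn.RemoteUser.externalAuthnPathStrategy"
-    of type Function<ProfileRequestContext,String> that returns the path to use.
-    -->
+
+    <!-- Populate RP UI info from metadata? -->
+    <util:constant id="shibboleth.authn.RemoteUser.populateUIInfo" static-field="java.lang.Boolean.FALSE" />
 
     <!--
     Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
@@ -30,11 +27,6 @@
     <util:constant id="shibboleth.authn.RemoteUser.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />
 
     <!--
-    <bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
-        c:_0="^(.+)@example\.edu]$" />
-    -->
-
-    <!--
     Define entries here to map error messages returned by external modules and classify them as particular
     kinds of errors for use in your templates and as events in flows.
 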

src/shibboleth-identity-provider-3.3.3/conf/authn/remoteuser-internal-authn-config.xml → src/shibboleth-identity-provider-3.2.1/conf/authn/remoteuser-internal-authn-config.xml View File


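--- a/src/shibboleth-identity-provider-3.3.3/conf/authn/spnego-authn-config.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/authn/spnego-authn-config.xml
@@ -47,11 +47,6 @@
     </util:list>
 
     <!--
-    <bean id="shibboleth.authn.SPNEGO.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
-        c:_0="^(.+)@example\.edu]$" />
-    -->
-
-    <!--
     Define entries here to map events or error messages returned by the SPNEGO module
     and classify them as particular kinds of errors for use in your templates and as
     events in flows.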

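--- a/src/shibboleth-identity-provider-3.3.3/conf/authn/x509-authn-config.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/authn/x509-authn-config.xml
@@ -16,11 +16,8 @@
     <bean id="shibboleth.authn.X509.externalAuthnPath" class="java.lang.String"
         c:_0="contextRelative:x509-prompt.jsp" />
 
-    <!--
-    Default is to always use the path in the bean above. If you want to determine it
-    dynamically, define a bean called "shibboleth.authn.X509.externalAuthnPathStrategy"
-    of type Function<ProfileRequestContext,String> that returns the path to use.
-    -->
+    <!-- Populate RP UI info from metadata? -->
+    <util:constant id="shibboleth.authn.X509.populateUIInfo" static-field="java.lang.Boolean.TRUE" />
 
     <!--
     Define entries here to map error messages returned by external modules and classify them as particular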

src/shibboleth-identity-provider-3.3.3/conf/authn/x509-internal-authn-config.xml → src/shibboleth-identity-provider-3.2.1/conf/authn/x509-internal-authn-config.xml View File


src/shibboleth-identity-provider-3.3.3/conf/c14n/attribute-sourced-subject-c14n-config.xml → src/shibboleth-identity-provider-3.2.1/conf/c14n/attribute-sourced-subject-c14n-config.xml View File


src/shibboleth-identity-provider-3.3.3/conf/c14n/simple-subject-c14n-config.xml → src/shibboleth-identity-provider-3.2.1/conf/c14n/simple-subject-c14n-config.xml View File


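--- a/src/shibboleth-identity-provider-3.3.3/conf/c14n/subject-c14n-events-flow.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/c14n/subject-c14n-events-flow.xml
@@ -13,10 +13,6 @@
     <!-- Custom error events to reflect back from user-supplied c14n subflows. -->
     <!--
     <end-state id="MyCustomEvent" />
-
-    <global-transitions>
-        <transition on="MyCustomEvent" to="MyCustomEvent" />
-    </global-transitions>
     -->
 
 </flow>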

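--- a/src/shibboleth-identity-provider-3.3.3/conf/c14n/subject-c14n.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/c14n/subject-c14n.xml
@@ -89,7 +89,7 @@
     Any condition can be used here; the example is suitable for enumerating a number of SPs to allow.
     -->
     <bean id="shibboleth.NameTransformPredicate" parent="shibboleth.Conditions.RelyingPartyId">
-        <constructor-arg name="candidates">
+        <constructor-arg>
             <list>
                 <!-- <value>https://sp.example.org</value> -->
             </list>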

src/shibboleth-identity-provider-3.3.3/conf/c14n/x500-subject-c14n-config.xml → src/shibboleth-identity-provider-3.2.1/conf/c14n/x500-subject-c14n-config.xml View File


+ 53
- 0
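--- /dev/null
+++ b/src/shibboleth-identity-provider-3.2.1/conf/cas-protocol.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+       | The CAS service registry defines verified relying parties by endpoint URI.
+       | The default implementation treats the ID of each entry as a regular expression defining a logical group of
+       | services whose URIs match the expression.
+       |
+       | This bean is reloaded periodically according to %{idp.home}/conf/services.properties.
+       -->
+    <bean id="reloadableServiceRegistry"
+          class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}">
+        <property name="definitions">
+            <list>
+                <!--
+                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
+                      c:regex="https://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
+                      p:group="proxying-services"
+                      p:authorizedToProxy="true"
+                      p:singleLogoutParticipant="true" />
+                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
+                      c:regex="http://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
+                      p:group="non-proxying-services"
+                      p:authorizedToProxy="false" /
+                -->
+            </list>
+        </property>
+    </bean>
+
+    <!--
+       | Advanced CAS configuration.
+       |
+       | Override default CAS components by creating aliases to custom components where the alias
+       | is the same as the default component bean ID.
+       -->
+    <!--
+    <bean id="cas.CustomTicketService"
+          class="org.example.idp.cas.CustomTicketService" />
+    <alias name="cas.CustomTicketService" alias="cas.TicketService" />
+
+    <bean id="cas.CustomProxyAuthenticator"
+          class="org.example.idp.cas.CustomProxyAuthenticator" />
+    <alias name="cas.CustomProxyAuthenticator" alias="cas.ProxyAuthenticator" />
+    -->
+</beans>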
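Review bot: The commented-out example on line 32 of the new file, `p:authorizedToProxy="false" /`, is missing the closing `>`; the enclosing comment hides it from the parser, but anyone who uncomments the block as a starting point gets a malformed bean and a failed context load. Fix it inside the comment: `p:authorizedToProxy="false" />`. Because the `ServiceDefinition` regexes are the whole trust decision for which CAS relying parties the IdP will serve, the example would also benefit from a comment stating that the second pattern deliberately admits plain `http://` service URLs and should be dropped by deployments that only serve HTTPS services.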

src/shibboleth-identity-provider-3.3.3/conf/credentials.xml → src/shibboleth-identity-provider-3.2.1/conf/credentials.xml View File


src/shibboleth-identity-provider-3.3.3/conf/errors.xml → src/shibboleth-identity-provider-3.2.1/conf/errors.xml View File


src/shibboleth-identity-provider-3.3.3/conf/global.xml → src/shibboleth-identity-provider-3.2.1/conf/global.xml View File


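--- a/src/shibboleth-identity-provider-3.3.3/conf/idp.properties
+++ b/src/shibboleth-identity-provider-3.2.1/conf/idp.properties
@@ -1,5 +1,5 @@
 # Load any additional property resources from a comma-delimited list
-idp.additionalProperties = /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties
+idp.additionalProperties = /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties
 
 # Set the entityID of the IdP
 idp.entityID = https://idp.example.org
@@ -8,7 +8,6 @@ idp.entityID = https://idp.example.org
 idp.scope = example.org
 
 # General cookie properties (maxAge only applies to persistent cookies)
-# Note the default for idp.cookie.secure, you will usually want it set.
 #idp.cookie.secure = false
 #idp.cookie.httpOnly = true
 #idp.cookie.domain =
@@ -112,13 +111,9 @@ idp.authn.flows = Password
 #idp.authn.defaultLifetime = PT60M
 #idp.authn.defaultTimeout = PT30M
 
-# Whether to populate relying party user interface information for display
-# during authentication, consent, terms-of-use.
-#idp.authn.rpui = true
-
 # Whether to prioritize "active" results when an SP requests more than
 # one possible matching login method (V2 behavior was to favor them)
-#idp.authn.favorSSO = false
+#idp.authn.favorSSO = true
 
 # Whether to fail requests when a user identity after authentication
 # doesn't match the identity in a pre-existing session.
@@ -151,7 +146,7 @@ idp.authn.flows = Password
 # for use by user interface logic; adds overhead so off by default.
 #idp.logout.elaboration = false
 
-# Whether to require logout requests/responses be signed/authenticated.
+# Whether to require logout requests be signed/authenticated.
 #idp.logout.authenticated = true
 
 # Message freshness and replay cache tuning
@@ -170,6 +165,11 @@ idp.authn.flows = Password
 # Set to custom bean for alternate storage of artifact map state
 #idp.artifact.StorageService = shibboleth.StorageService
 
+# Name of access control policy for various admin flows
+idp.status.accessPolicy = AccessByIPAddress
+idp.resolvertest.accessPolicy = AccessByIPAddress
+idp.reload.accessPolicy = AccessByIPAddress
+
 # Comma-delimited languages to use if not match can be found with the
 # browser-supported languages, defaults to an empty list.
 idp.ui.fallbackLanguages=en,fr,de
@@ -188,9 +188,7 @@ idp.ui.fallbackLanguages=en,fr,de
 # in servlet request under the key "opensamlProfileRequestContext"
 #idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO
 
-# F-TICKS auditing - set a salt to include hashed username
+# F-TICKS auditing - set salt to include hashed username
 #idp.fticks.federation=MyFederation
 #idp.fticks.algorithm=SHA-256
-#idp.fticks.salt=somethingsecret
-#idp.fticks.loghost=localhost
-#idp.fticks.logport=514
+#idp.fticks.salt=somethingsecret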
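Review bot: The reminder above `#idp.cookie.secure = false` is dropped while the commented default itself stays false, so nothing on the new side tells a deployer that the IdP session cookie is sent over plain HTTP unless this property is set; it is the only line in the file that speaks to cookie transport security, so keep a hint such as `# idp.cookie.secure defaults to false; set it to true on any HTTPS deployment.` The three `idp.*.accessPolicy = AccessByIPAddress` lines are uncommented and therefore active, which ties the status, resolvertest and reload flows to the policy map in access-control.xml; a short comment pointing to that file would make the dependency visible. `#idp.authn.favorSSO` flips from false to true, but as a commented line it only documents the default, so it is worth confirming that true really is the default of the version being restored.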

src/shibboleth-identity-provider-3.3.3/conf/intercept/consent-intercept-config.xml → src/shibboleth-identity-provider-3.2.1/conf/intercept/consent-intercept-config.xml View File


src/shibboleth-identity-provider-3.3.3/conf/intercept/context-check-intercept-config.xml → src/shibboleth-identity-provider-3.2.1/conf/intercept/context-check-intercept-config.xml View File


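--- a/src/shibboleth-identity-provider-3.3.3/conf/intercept/intercept-events-flow.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/intercept/intercept-events-flow.xml
@@ -10,12 +10,9 @@
     report custom events in response to unusual conditions.
     -->
 
+    <!-- Custom error events to reflect back from user-supplied intercept subflows. -->
     <!--
     <end-state id="MyCustomEvent" />
-
-    <global-transitions>
-        <transition on="MyCustomEvent" to="MyCustomEvent" />
-    </global-transitions>
     -->
 
 </flow>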

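--- a/src/shibboleth-identity-provider-3.3.3/conf/intercept/profile-intercept.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/intercept/profile-intercept.xml
@@ -25,8 +25,6 @@
         <property name="sourceList">
             <list merge="true">
                 <bean id="intercept/context-check" parent="shibboleth.InterceptFlow" />
-                
-                <bean id="intercept/expiring-password" parent="shibboleth.InterceptFlow" />
         
                 <bean id="intercept/terms-of-use" parent="shibboleth.consent.TermsOfUseFlow" />
         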

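--- a/src/shibboleth-identity-provider-3.3.3/conf/ldap.properties
+++ b/src/shibboleth-identity-provider-3.2.1/conf/ldap.properties
@@ -8,10 +8,7 @@
 idp.authn.LDAP.ldapURL                          = ldap://localhost:10389
 #idp.authn.LDAP.useStartTLS                     = true
 #idp.authn.LDAP.useSSL                          = false
-# Time in milliseconds that connects will block
-#idp.authn.LDAP.connectTimeout                  = PT3S
-# Time in milliseconds to wait for responses
-#idp.authn.LDAP.responseTimeout                 = PT3S
+#idp.authn.LDAP.connectTimeout                  = 3000
 
 ## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
 #idp.authn.LDAP.sslConfig                       = certificateTrust
@@ -21,6 +18,7 @@ idp.authn.LDAP.trustCertificates                = %{idp.home}/credentials/ldap-s
 idp.authn.LDAP.trustStore                       = %{idp.home}/credentials/ldap-server.truststore
 
 ## Return attributes during authentication
+## NOTE: there is a separate property used for attribute resolution
 idp.authn.LDAP.returnAttributes                 = passwordExpirationTime,loginGraceRemaining
 
 ## DN resolution properties ##
@@ -42,22 +40,24 @@ idp.authn.LDAP.dnFormat                         = uid=%s,ou=people,dc=example,dc
 # LDAP attribute configuration, see attribute-resolver.xml
 # Note, this likely won't apply to the use of legacy V2 resolver configurations
 idp.attribute.resolver.LDAP.ldapURL             = %{idp.authn.LDAP.ldapURL}
-idp.attribute.resolver.LDAP.connectTimeout      = %{idp.authn.LDAP.connectTimeout:PT3S}
-idp.attribute.resolver.LDAP.responseTimeout     = %{idp.authn.LDAP.responseTimeout:PT3S}
 idp.attribute.resolver.LDAP.baseDN              = %{idp.authn.LDAP.baseDN:undefined}
 idp.attribute.resolver.LDAP.bindDN              = %{idp.authn.LDAP.bindDN:undefined}
 idp.attribute.resolver.LDAP.bindDNCredential    = %{idp.authn.LDAP.bindDNCredential:undefined}
 idp.attribute.resolver.LDAP.useStartTLS         = %{idp.authn.LDAP.useStartTLS:true}
 idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates:undefined}
 idp.attribute.resolver.LDAP.searchFilter        = (uid=$resolutionContext.principal)
+idp.attribute.resolver.LDAP.returnAttributes    = cn,homephone,mail
 
 # LDAP pool configuration, used for both authn and DN resolution
 #idp.pool.LDAP.minSize                          = 3
 #idp.pool.LDAP.maxSize                          = 10
 #idp.pool.LDAP.validateOnCheckout               = false
 #idp.pool.LDAP.validatePeriodically             = true
-#idp.pool.LDAP.validatePeriod                   = PT5M
-#idp.pool.LDAP.prunePeriod                      = PT5M
-#idp.pool.LDAP.idleTime                         = PT10M
-#idp.pool.LDAP.blockWaitTime                    = PT3S
+#idp.pool.LDAP.validatePeriod                   = 300
+#idp.pool.LDAP.prunePeriod                      = 300
+#idp.pool.LDAP.idleTime                         = 600
+#idp.pool.LDAP.blockWaitTime                    = 3000
 #idp.pool.LDAP.failFastInitialize               = false
+
+idp.authn.defaultLifetime = %%idpAuthnDefaultLifetime
+idp.authn.defaultTimeout = %%idpAuthnDefaultTimeout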
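Review bot: The two lines appended at the end of the file, `idp.authn.defaultLifetime = %%idpAuthnDefaultLifetime` and `idp.authn.defaultTimeout = %%idpAuthnDefaultTimeout`, use `%%…` tokens that look like a deployment-time template substitution rather than values the IdP can parse; they are active (not commented), they sit in ldap.properties although idp.properties in this same commit documents the same keys as commented defaults (`#idp.authn.defaultLifetime = PT60M`), and if the substitution step ever does not run the IdP reads the literal token where a duration is expected. Either move them next to those lines in idp.properties or add a comment above them: `# Filled in at deploy time; must resolve to ISO-8601 durations such as PT60M / PT30M.` Separately, `idp.authn.LDAP.responseTimeout` is removed while only `connectTimeout = 3000` is kept, so the new side says nothing about how long an authentication bind may wait for a reply; if the restored version has no such property that is acceptable, but a comment should say so rather than leave the gap implicit.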

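--- a/src/shibboleth-identity-provider-3.3.3/conf/logback.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/logback.xml
@@ -24,6 +24,10 @@
     <variable name="idp.loglevel.spring" value="ERROR" />
     <variable name="idp.loglevel.container" value="ERROR" />
     <variable name="idp.loglevel.xmlsec" value="INFO" />
+    
+    <!-- Syslog address for F-TICKS (see FTICKSLoggingConfiguration). -->
+    <variable name="idp.fticks.loghost" value="localhost" />
+    <variable name="idp.fticks.logport" value="514" />
 
     <!--
     If you want to use custom properties in this config file,
@@ -78,18 +82,6 @@
             <charset>UTF-8</charset>
             <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
         </encoder>
-
-        <!-- Ignore Velocity status page error. -->
-        <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
-            <evaluator>
-                <matcher>
-                    <Name>VelocityStatusMatcher</Name>
-                    <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
-                </matcher>
-                <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
-            </evaluator>
-            <OnMatch>DENY</OnMatch>
-        </filter>
     </appender>
 
     <appender name="ASYNC_PROCESS" class="ch.qos.logback.classic.AsyncAppender">
@@ -114,18 +106,6 @@
             <charset>UTF-8</charset>
             <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
         </encoder>
-        
-        <!-- Ignore Velocity status page error. -->
-        <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
-            <evaluator>
-                <matcher>
-                    <Name>VelocityStatusMatcher</Name>
-                    <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
-                </matcher>
-                <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
-            </evaluator>
-            <OnMatch>DENY</OnMatch>
-        </filter>
     </appender>
     
     <!-- Audit log. -->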

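--- a/src/shibboleth-identity-provider-3.3.3/conf/metadata-providers.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/metadata-providers.xml
@@ -14,14 +14,15 @@
     <!-- ========================================================================================== -->
     <!--                             Metadata Configuration                                         -->
     <!--                                                                                            -->
-    <!--  Below you place the mechanisms which define how to load the metadata for SP(s) you will   -->
-    <!--  provide service to.                                                                       -->
+    <!--  Below you place the mechanisms which define how to load the metadata for the SP you will  -->
+    <!--  provide a service to.                                                                     -->
     <!--                                                                                            -->
     <!--  Two examples are provided.  The Shibboleth Documentation at                               -->
     <!--  https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration                -->
     <!--  provides more details.                                                                    --> 
     <!--                                                                                            -->
     <!--  NOTE.  This file SHOULD NOT contain the metadata for this IdP.                            -->
+    <!--                                                                                            -->
     <!-- ========================================================================================== -->
 
     <!--
@@ -29,8 +30,8 @@
     from a remote source.
 
     You *MUST* provide the SignatureValidationFilter in order to function securely.
-    Get the public key certificate from the party publishing the metadata, and validate
-    it with them via some out of band mechanism (e.g., a fingerprint on a secure page).
+    Get the public key from the party publishing the metadata, and validate it
+    with them via some out of band mechanism.
 
     The EntityRoleWhiteList saves memory by only loading metadata from SAML roles
     that the IdP needs to interoperate with. 
@@ -42,7 +43,11 @@
                       backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
                       metadataURL="http://WHATEVER"> 
         
-        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
+        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
+            <PublicKey>
+                MIIBI.....
+            </PublicKey>
+        </MetadataFilter>
         <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
         <MetadataFilter xsi:type="EntityRoleWhiteList">
             <RetainedRole>md:SPSSODescriptor</RetainedRole>
@@ -55,8 +60,8 @@
     from a local file.  You might use this if you have some local SPs
     which are not "federated" but you wish to offer a service to.
     
-    If you do not provide a SignatureValidation filter, then you have the
-    responsibility to ensure that the contents on disk are trustworthy.
+    If you do not provide a SignatureValidation filter, then you have the responsibility to
+    ensure that the contents are trustworthy.
     -->
     
     <!--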
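Review bot: The `<PublicKey>MIIBI.....</PublicKey>` placeholder inside the SignatureValidation filter is a truncated value, and the reworded comment above it no longer gives the concrete hint the old text carried for verifying that key out of band (a fingerprint published on a secure page); together with `metadataURL="http://WHATEVER"` this leaves the example weaker as a starting point for a safe configuration. A comment next to the element would close the gap: `<!-- Replace with the publisher's complete Base64 public key, verified out of band (e.g. against a fingerprint they publish over TLS). -->`. Whether this provider block is itself inside a comment cannot be seen from the hunk, so the impact is limited to deployers who copy it.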

src/shibboleth-identity-provider-3.3.3/conf/mvc-beans.xml → src/shibboleth-identity-provider-3.2.1/conf/mvc-beans.xml View File


src/shibboleth-identity-provider-3.3.3/conf/relying-party.xml → src/shibboleth-identity-provider-3.2.1/conf/relying-party.xml View File


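--- a/src/shibboleth-identity-provider-3.3.3/conf/saml-nameid.properties
+++ b/src/shibboleth-identity-provider-3.2.1/conf/saml-nameid.properties
@@ -24,8 +24,6 @@
 # Do *NOT* share the salt with other people, it's like divulging your private key.
 #idp.persistentId.algorithm = SHA
 #idp.persistentId.salt = changethistosomethingrandom
-# BASE64 will match V2 values, we recommend BASE32 encoding for new installs.
-idp.persistentId.encoding = BASE32
 
 # To use a database, use shibboleth.StoredPersistentIdGenerator
 #idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator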

src/shibboleth-identity-provider-3.3.3/conf/saml-nameid.xml → src/shibboleth-identity-provider-3.2.1/conf/saml-nameid.xml View File


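--- a/src/shibboleth-identity-provider-3.3.3/conf/services.properties
+++ b/src/shibboleth-identity-provider-3.2.1/conf/services.properties
@@ -53,11 +53,7 @@ idp.service.cas.registry.checkInterval = PT15M
 #idp.httpclient.useTrustEngineTLSSocketFactory = false
 #idp.httpclient.useSecurityEnhancedTLSSocketFactory = false
 #idp.httpclient.connectionDisregardTLSCertificate = false
-#idp.httpclient.connectionRequestTimeout = 60000
-#idp.httpclient.connectionTimeout = 60000
-#idp.httpclient.socketTimeout = 60000
-#idp.httpclient.maxConnectionsTotal = 100
-#idp.httpclient.maxConnectionsPerRoute = 100
+#idp.httpclient.connectionTimeout = -1
 #idp.httpclient.memorycaching.maxCacheEntries = 50
 #idp.httpclient.memorycaching.maxCacheEntrySize = 1048576
 #idp.httpclient.filecaching.maxCacheEntries = 100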
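Review bot: `#idp.httpclient.connectionTimeout = -1` replaces five bounded documented defaults (request, connect and socket timeouts of 60000 ms plus the two pool caps of 100) with a single value of -1, which by HttpClient convention means no timeout. As a commented line it changes nothing at runtime, but the file now documents an unbounded default and says nothing about socketTimeout or connection limits, so a deployer reading it gets no hint that a stalled remote metadata source can hold a connection and a reload thread indefinitely. A comment would make the consequence explicit: `# -1 = no timeout; set a bounded value in milliseconds so a stalled remote metadata source cannot block reloads.`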

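--- a/src/shibboleth-identity-provider-3.3.3/conf/services.xml
+++ b/src/shibboleth-identity-provider-3.2.1/conf/services.xml
@@ -134,11 +134,12 @@
     <!--
     This collection of resources differs slightly in that it should not include the file extension.
     Message sources are internationalized, and Spring will search for a compatible language extension
-    and fall back to one with only a .properties extension.
+    and fall back to one with a .properties extension.
     -->
     <util:list id="shibboleth.MessageSourceResources">
-        <value>%{idp.home}/messages/messages</value>
-        <value>%{idp.home}/system/messages/messages</value>
+        <value>%{idp.home}/messages/authn-messages</value>
+        <value>%{idp.home}/messages/consent-messages</value>
+        <value>%{idp.home}/messages/error-messages</value>
     </util:list>
     
 </beans>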

src/shibboleth-identity-provider-3.3.3/conf/session-manager.xml → src/shibboleth-identity-provider-3.2.1/conf/session-manager.xml View File


+ 32
- 0
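--- /dev/null
+++ b/src/shibboleth-identity-provider-3.2.1/dist/conf/access-control.xml.dist
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!-- Map of access control policies used to limit access to administrative functions. -->
+
+    <!--
+    The only built-in implementation of the AccessControl interface is IP-based, as below.
+    The ranges provided MUST be CIDR network expressions. To specify a single address,
+    add "/32" or "/128" for IPv4 or IPv6 respectively.
+    -->
+
+    <util:map id="shibboleth.AccessControlPolicies">
+    
+        <entry key="AccessByIPAddress">
+            <bean parent="shibboleth.IPRangeAccessControl"
+                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
+        </entry>
+    
+    </util:map>
+
+</beans>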
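Review bot: The `AccessByIPAddress` policy admits only `127.0.0.1/32` and `::1/128`, and idp.properties in this same commit binds the status, resolvertest and reload flows to it, which is only as strong as the client address the servlet container reports. When a reverse proxy or load balancer on the same host forwards to the IdP, every request arrives from loopback and those admin endpoints become reachable by any client unless the proxy blocks the paths itself or the container is configured to honour the forwarded client address; this is deployment-specific, so it is a caveat for the file rather than a defect in it. Propose adding to the comment block that begins `The only built-in implementation of the AccessControl interface is IP-based`: `Behind a reverse proxy the IdP sees the proxy's address, not the client's; restrict the admin paths at the proxy or make the container use the forwarded client address before relying on this policy.`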

src/shibboleth-identity-provider-3.3.3/dist/conf/attribute-filter.xml.dist → src/shibboleth-identity-provider-3.2.1/dist/conf/attribute-filter.xml.dist View File


+ 295
- 0
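--- a/src/shibboleth-identity-provider-3.2.1/dist/conf/attribute-resolver-full.xml.dist
+++ b/src/shibboleth-identity-provider-3.2.1/dist/conf/attribute-resolver-full.xml.dist
@@ -0,0 +1,295 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+    This file is an EXAMPLE configuration file containing lots of commented
+    example attributes, encoders, and a couple of example data connectors.
+    
+    Not all attribute definitions or data connectors are demonstrated, but
+    a variety of LDAP attributes, some common to Shibboleth deployments and
+    many not, are included.
+    
+    Deployers should refer to the Shibboleth 2 documentation for a complete
+    list of components  and their options.
+-->
+<resolver:AttributeResolver
+        xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
+        xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
+        xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
+        xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
+        xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
+        xmlns:sec="urn:mace:shibboleth:2.0:security"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
+                            urn:mace:shibboleth:2.0:resolver:pc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
+                            urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
+                            urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
+                            urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
+                            urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">
+
+    <!-- ========================================== -->
+    <!--      Attribute Definitions                 -->
+    <!-- ========================================== -->
+
+    <!-- Schema: Core schema attributes-->
+    <!--
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="homePhone" sourceAttributeID="homePhone">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:homePhone" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="homePostalAddress" sourceAttributeID="homePostalAddress">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:homePostalAddress" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.39" friendlyName="homePostalAddress" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="mobileNumber" sourceAttributeID="mobile">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="pagerNumber" sourceAttributeID="pager">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:pager" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="locality" sourceAttributeID="l">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="stateProvince" sourceAttributeID="st">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:st" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.8" friendlyName="st" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="street" sourceAttributeID="street">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:street" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.9" friendlyName="street" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="organizationName" sourceAttributeID="o">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="organizationalUnit" sourceAttributeID="ou">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:ou" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.11" friendlyName="ou" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="title" sourceAttributeID="title">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="postalAddress" sourceAttributeID="postalAddress">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:postalAddress" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.16" friendlyName="postalAddress" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="postalCode" sourceAttributeID="postalCode">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:postalCode" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.17" friendlyName="postalCode" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="postOfficeBox" sourceAttributeID="postOfficeBox">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:postOfficeBox" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.18" friendlyName="postOfficeBox" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="telephoneNumber" sourceAttributeID="telephoneNumber">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="initials" sourceAttributeID="initials">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:initials" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" encodeType="false" />
+    </resolver:AttributeDefinition>
+     -->
+
+    <!-- Schema: inetOrgPerson attributes-->
+    <!--
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="departmentNumber" sourceAttributeID="departmentNumber">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" />
+    </resolver:AttributeDefinition>
+    
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="displayName" sourceAttributeID="displayName">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
+    </resolver:AttributeDefinition> 
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="employeeNumber" sourceAttributeID="employeeNumber">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:employeeNumber" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="employeeType" sourceAttributeID="employeeType">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="jpegPhoto" sourceAttributeID="jpegPhoto">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:jpegPhoto" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.60" friendlyName="jpegPhoto" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="preferredLanguage" sourceAttributeID="preferredLanguage">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" encodeType="false" />
+    </resolver:AttributeDefinition>
+    -->
+
+    <!-- Schema: eduPerson attributes -->
+    <!--
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAffiliation" sourceAttributeID="eduPersonAffiliation">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonEntitlement" sourceAttributeID="eduPersonEntitlement">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonNickname" sourceAttributeID="eduPersonNickname">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonNickname" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" friendlyName="eduPersonNickname" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonPrimaryAffiliation" sourceAttributeID="eduPersonPrimaryAffiliation">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonUniqueId" scope="%{idp.scope}" sourceAttributeID="localUniqueId">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Prescoped" id="eduPersonPrincipalName" sourceAttributeID="eduPersonPrincipalName">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Prescoped" id="eduPersonPrincipalNamePrior" sourceAttributeID="eduPersonPrincipalNamePrior">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" friendlyName="eduPersonPrincipalNamePrior" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}" sourceAttributeID="eduPersonAffiliation">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
+    </resolver:AttributeDefinition>
+    
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAssurance" sourceAttributeID="eduPersonAssurance">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAssurance" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance" encodeType="false" />
+    </resolver:AttributeDefinition>
+    -->
+
+    <!-- ========================================== -->
+    <!--      Data Connectors                       -->
+    <!-- ========================================== -->
+
+    <!-- Example Static Connector -->
+    <!--
+    <resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
+        <dc:Attribute id="eduPersonAffiliation">
+            <dc:Value>member</dc:Value>
+        </dc:Attribute>
+    </resolver:DataConnector>
+    -->
+
+    <!-- Example Relational Database Connector -->
+    <!--
+    <resolver:DataConnector id="mySIS" xsi:type="dc:RelationalDatabase">
+        <dc:ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
+                                         jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB" 
+                                         jdbcUserName="myid" 
+                                         jdbcPassword="mypassword" />
+        <dc:QueryTemplate>
+            <![CDATA[
+                SELECT * FROM student WHERE gzbtpid = '$resolutionContext.principal'
+            ]]>
+        </dc:QueryTemplate>
+
+        <dc:Column columnName="gzbtpid" attributeID="uid" />
+        <dc:Column columnName="fqlft" attributeID="gpa" />
+    </resolver:DataConnector>
+     -->
+
+    <!-- Example LDAP Connector -->
+    <!--
+    <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
+        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+        baseDN="%{idp.attribute.resolver.LDAP.baseDN}" 
+        principal="%{idp.attribute.resolver.LDAP.bindDN}"
+        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
+        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
+        <dc:FilterTemplate>
+            <![CDATA[
+                %{idp.attribute.resolver.LDAP.searchFilter}
+            ]]>
+        </dc:FilterTemplate>
+        <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
+            <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
+        </dc:StartTLSTrustCredential>
+    </resolver:DataConnector>
+    -->
+
+</resolver:AttributeResolver>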

+ 97
- 0
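--- a/src/shibboleth-identity-provider-3.2.1/dist/conf/attribute-resolver-ldap.xml.dist
+++ b/src/shibboleth-identity-provider-3.2.1/dist/conf/attribute-resolver-ldap.xml.dist
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+    This file is an EXAMPLE configuration file. While the configuration
+    presented in this example file is semi-functional, it isn't very
+    interesting. It is here only as a starting point for your deployment
+    process.
+    
+    Very few attribute definitions and data connectors are demonstrated,
+    and use of LDAP is assumed, with the LDAP configuration primarily
+    supplied from the ldap.properties file.
+
+    Attribute-resolver-full.xml contains more examples of attributes,
+    encoders, and data connectors. Deployers should refer to the Shibboleth
+    documentation for a complete list of components and their options.
+-->
+<resolver:AttributeResolver
+        xmlns:resolver="urn:mace:shibboleth:2.0:resolver" 
+        xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
+        xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" 
+        xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
+        xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder" 
+        xmlns:sec="urn:mace:shibboleth:2.0:security"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
+                            urn:mace:shibboleth:2.0:resolver:pc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
+                            urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
+                            urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
+                            urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
+                            urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">
+
+    <!-- ========================================== -->
+    <!--      Attribute Definitions                 -->
+    <!-- ========================================== -->
+
+    <!--
+    The EPPN is the "standard" federated username in higher ed.
+    For guidelines on the implementation of this attribute, refer
+    to the Shibboleth and eduPerson documentation. Above all, do
+    not expose a value for this attribute without considering the
+    long term implications. 
+    -->
+    <resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Prescoped" sourceAttributeID="eduPersonPrincipalName">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <!--
+    The uid is the closest thing to a "standard" LDAP attribute
+    representing a local username, but you should generally *never*
+    expose uid to federated services, as it is rarely globally unique.
+    -->
+    <resolver:AttributeDefinition id="uid" xsi:type="ad:Simple" sourceAttributeID="uid">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <!--
+    In the rest of the world, the email address is the standard identifier,
+    despite the problems with that practice. Consider making the EPPN value
+    the same as your official email addresses whenever possible.
+    -->
+    <resolver:AttributeDefinition id="mail" xsi:type="ad:Simple" sourceAttributeID="mail">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+    </resolver:AttributeDefinition>
+        
+    <!-- ========================================== -->
+    <!--      Data Connectors                       -->
+    <!-- ========================================== -->
+    
+    <!--
+    Example LDAP Connector
+    
+    The connectivity details can be specified in ldap.properties to
+    share them with your authentication settings if desired.
+    -->
+    <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
+        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+        baseDN="%{idp.attribute.resolver.LDAP.baseDN}" 
+        principal="%{idp.attribute.resolver.LDAP.bindDN}"
+        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
+        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
+        <dc:FilterTemplate>
+            <![CDATA[
+                %{idp.attribute.resolver.LDAP.searchFilter}
+            ]]>
+        </dc:FilterTemplate>
+        <dc:ReturnAttributes>%{idp.attribute.resolver.LDAP.returnAttributes}</dc:ReturnAttributes>
+        <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
+            <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
+        </dc:StartTLSTrustCredential>
+    </resolver:DataConnector>
+
+</resolver:AttributeResolver>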

+ 95
- 0
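--- a/src/shibboleth-identity-provider-3.2.1/dist/conf/attribute-resolver.xml.dist
+++ b/src/shibboleth-identity-provider-3.2.1/dist/conf/attribute-resolver.xml.dist
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+    This file is an EXAMPLE configuration file. While the configuration
+    presented in this example file is semi-functional, it isn't very
+    interesting. It is here only as a starting point for your deployment
+    process.
+    
+    Very few attribute definitions and data connectors are demonstrated,
+    and the data is derived statically from the logged-in username and a
+    static example connector.
+
+    Attribute-resolver-full.xml contains more examples of attributes,
+    encoders, and data connectors. Deployers should refer to the Shibboleth
+    documentation for a complete list of components and their options.
+-->
+<resolver:AttributeResolver
+        xmlns:resolver="urn:mace:shibboleth:2.0:resolver" 
+        xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
+        xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" 
+        xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
+        xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder" 
+        xmlns:sec="urn:mace:shibboleth:2.0:security"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
+                            urn:mace:shibboleth:2.0:resolver:pc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
+                            urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
+                            urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
+                            urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
+                            urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">
+
+    <!-- ========================================== -->
+    <!--      Attribute Definitions                 -->
+    <!-- ========================================== -->
+
+    <!--
+    The EPPN is the "standard" federated username in higher ed.
+    For guidelines on the implementation of this attribute, refer
+    to the Shibboleth and eduPerson documentation. Above all, do
+    not expose a value for this attribute without considering the
+    long term implications. 
+    -->
+    <resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
+        <resolver:Dependency ref="uid" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <!--
+    The uid is the closest thing to a "standard" LDAP attribute
+    representing a local username, but you should generally *never*
+    expose uid to federated services, as it is rarely globally unique.
+    -->
+    <resolver:AttributeDefinition id="uid" xsi:type="ad:PrincipalName">
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+    <!--
+    In the rest of the world, the email address is the standard identifier,
+    despite the problems with that practice. Consider making the EPPN
+    value the same as your official email addresses whenever possible.
+    -->
+    <resolver:AttributeDefinition id="mail" xsi:type="ad:Template">
+        <resolver:Dependency ref="uid" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+        <ad:Template>
+          <![CDATA[
+               ${uid}@example.org
+          ]]>
+        </ad:Template>
+        <ad:SourceAttribute>uid</ad:SourceAttribute>
+    </resolver:AttributeDefinition>
+
+    <!--
+    This is an example of an attribute sourced from a data connector.
+    -->
+    <resolver:AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="affiliation">
+        <resolver:Dependency ref="staticAttributes" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
+    </resolver:AttributeDefinition>
+
+
+    <!-- ========================================== -->
+    <!--      Data Connectors                       -->
+    <!-- ========================================== -->
+
+    <resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
+        <dc:Attribute id="affiliation">
+            <dc:Value>member</dc:Value>
+        </dc:Attribute>
+    </resolver:DataConnector>
+
+</resolver:AttributeResolver>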

+ 103
- 0
src/shibboleth-identity-provider-3.2.1/dist/conf/audit.xml.dist

@@ -0,0 +1,103 @@
1
+<?xml version="1.0" encoding="UTF-8"?>
2
+<beans xmlns="http://www.springframework.org/schema/beans"
3
+    xmlns:context="http://www.springframework.org/schema/context"
4
+    xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
5
+    xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
6
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
7
+                        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
8
+                        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
9
+
10
+    default-init-method="initialize"
11
+    default-destroy-method="destroy">
12
+
13
+    <!--
14
+    This bean defines a mapping between audit log categories and formatting strings. The default entry is
15
+    for compatibility with V2 audit logging.
16
+    -->
17
+    <util:map id="shibboleth.AuditFormattingMap">
18
+        <entry key="Shibboleth-Audit" value="%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|" />
19
+    </util:map>
20
+
21
+    <!-- Allows auditing to be disabled selectively for particular profiles/flows. -->
22
+    <util:list id="shibboleth.AuditSuppressedProfiles">
23
+        <value>http://shibboleth.net/ns/profiles/status</value>
24
+    </util:list>
25
+
26
+    <!--
27
+    The beans below need to be defined, even if left empty. They can be ignored in most cases.
28
+    
29
+    If you write your own function to extract a new piece of data for auditing, you can install it into one or more
30
+    of the maps below to add it to the auditing framework, keyed by an audit field label to be used in formatting.
31
+    -->
32
+
33
+    <bean id="shibboleth.PostDecodeAuditExtractors" parent="shibboleth.DefaultPostDecodeAuditExtractors" lazy-init="true">
34
+        <property name="sourceMap">
35
+            <map merge="true">
36
+            </map>
37
+        </property>
38
+    </bean>
39
+
40
+    <bean id="shibboleth.PostLookupAuditExtractors" parent="shibboleth.DefaultPostLookupAuditExtractors" lazy-init="true">
41
+        <property name="sourceMap">
42
+            <map merge="true">
43
+            </map>
44
+        </property>
45
+    </bean>
46
+
47
+    <bean id="shibboleth.PostAssertionAuditExtractors" parent="shibboleth.DefaultPostAssertionAuditExtractors" lazy-init="true">
48
+        <property name="sourceMap">
49
+            <map merge="true">
50
+            </map>
51
+        </property>
52
+    </bean>
53
+
54
+    <bean id="shibboleth.PostResponseAuditExtractors" parent="shibboleth.DefaultPostResponseAuditExtractors" lazy-init="true">
55
+        <property name="sourceMap">
56
+            <map merge="true">
57
+            </map>
58
+        </property>
59
+    </bean>
60
+
61
+    <bean id="shibboleth.LogoutRequestAuditExtractors" parent="shibboleth.DefaultLogoutRequestAuditExtractors" lazy-init="true">
62
+        <property name="sourceMap">
63
+            <map merge="true">
64
+            </map>
65
+        </property>
66
+    </bean>
67
+    
68
+    <bean id="shibboleth.LogoutAuditExtractors" parent="shibboleth.DefaultLogoutAuditExtractors" lazy-init="true">
69
+        <property name="sourceMap">
70
+            <map merge="true">
71
+            </map>
72
+        </property>
73
+    </bean>
74
+
75
+    <bean id="shibboleth.ErrorViewAuditExtractors" parent="shibboleth.DefaultErrorViewAuditExtractors" lazy-init="true">
76
+        <property name="sourceMap">
77
+            <map merge="true">
78
+            </map>
79
+        </property>
80
+    </bean>
81
+
82
+    <bean id="shibboleth.CASLoginAuditExtractors" parent="shibboleth.DefaultCASLoginAuditExtractors" lazy-init="true">
83
+        <property name="sourceMap">
84
+            <map merge="true">
85
+            </map>
86
+        </property>
87
+    </bean>
88
+
89
+    <bean id="shibboleth.CASValidationAuditExtractors" parent="shibboleth.DefaultCASValidationAuditExtractors" lazy-init="true">
90
+        <property name="sourceMap">
91
+            <map merge="true">
92
+            </map>
93
+        </property>
94
+    </bean>
95
+
96
+    <bean id="shibboleth.CASProxyAuditExtractors" parent="shibboleth.DefaultCASProxyAuditExtractors" lazy-init="true">
97
+        <property name="sourceMap">
98
+            <map merge="true">
99
+            </map>
100
+        </property>
101
+    </bean>
102
+    
103
+</beans>

src/shibboleth-identity-provider-3.3.3/dist/conf/authn/authn-comparison.xml.dist → src/shibboleth-identity-provider-3.2.1/dist/conf/authn/authn-comparison.xml.dist View File


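--- a/src/shibboleth-identity-provider-3.3.3/dist/conf/authn/authn-events-flow.xml.dist
+++ b/src/shibboleth-identity-provider-3.2.1/dist/conf/authn/authn-events-flow.xml.dist
@@ -13,9 +13,6 @@
     <!-- Custom error events to reflect back from user-supplied login subflows. -->
     <!--
     <end-state id="MyCustomEvent" />
-
-    <global-transitions>
-        <transition on="MyCustomEvent" to="MyCustomEvent" />
-    </global-transitions>
     -->
+
 </flow>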

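--- a/src/shibboleth-identity-provider-3.3.3/dist/conf/authn/external-authn-config.xml.dist
+++ b/src/shibboleth-identity-provider-3.2.1/dist/conf/authn/external-authn-config.xml.dist
@@ -16,11 +16,8 @@
     <bean id="shibboleth.authn.External.externalAuthnPath" class="java.lang.String"
         c:_0="contextRelative:Authn/External" />
 
-    <!--
-    Default is to always use the path in the bean above. If you want to determine it
-    dynamically, define a bean called "shibboleth.authn.External.externalAuthnPathStrategy"
-    of type Function<ProfileRequestContext,String> that returns the path to use.
-    -->
+    <!-- Populate RP UI info from metadata? -->
+    <util:constant id="shibboleth.authn.External.populateUIInfo" static-field="java.lang.Boolean.FALSE" />
 
     <!--
     Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
@@ -30,11 +27,6 @@
     <util:constant id="shibboleth.authn.External.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />
 
     <!--
-    <bean id="shibboleth.authn.External.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
-        c:_0="^(.+)@example\.edu]$" />
-    -->
-
-    <!--
     Define entries here to map error messages returned by external modules and classify them as particular
     kinds of errors for use in your templates and as events in flows.
 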

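--- a/src/shibboleth-identity-provider-3.3.3/dist/conf/authn/general-authn.xml.dist
+++ b/src/shibboleth-identity-provider-3.2.1/dist/conf/authn/general-authn.xml.dist
@@ -90,48 +90,6 @@
                 p:passiveAuthenticationSupported="true"
                 p:forcedAuthenticationSupported="true" />
 
-        <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
-                p:forcedAuthenticationSupported="true"
-                p:nonBrowserSupported="false">
-            <!--
-            The list below should be changed to reflect whatever locally- or
-            community-defined values are appropriate to represent MFA. It is
-            strongly advised that the value not be specific to Duo or any
-            particular technology.
-            -->
-            <property name="supportedPrincipals">
-                <list>
-                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
-                        c:classRef="http://example.org/ac/classes/mfa" />
-                    <bean parent="shibboleth.SAML1AuthenticationMethod"
-                        c:method="http://example.org/ac/classes/mfa" />
-                </list>
-            </property>
-        </bean>
-
-        <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
-                p:passiveAuthenticationSupported="true"
-                p:forcedAuthenticationSupported="true">
-            <!--
-            The list below almost certainly requires changes, and should generally be the
-            union of any of the separate factors you combine in your particular MFA flow
-            rules. The example corresponds to the example in mfa-authn-config.xml that
-            combines IPAddress with Password.
-            -->
-            <property name="supportedPrincipals">
-                <list>
-                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
-                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
-                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
-                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
-                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
-                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
-                    <bean parent="shibboleth.SAML1AuthenticationMethod"
-                        c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
-                </list>
-            </property>
-        </bean>
-
     </util:list>
 
     <!--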

src/shibboleth-identity-provider-3.3.3/dist/conf/authn/ipaddress-authn-config.xml.dist → src/shibboleth-identity-provider-3.2.1/dist/conf/authn/ipaddress-authn-config.xml.dist View File


src/shibboleth-identity-provider-3.3.3/dist/conf/authn/jaas-authn-config.xml.dist → src/shibboleth-identity-provider-3.2.1/dist/conf/authn/jaas-authn-config.xml.dist View File


src/shibboleth-identity-provider-3.3.3/dist/conf/authn/jaas.config.dist → src/shibboleth-identity-provider-3.2.1/dist/conf/authn/jaas.config.dist View File


src/shibboleth-identity-provider-3.3.3/dist/conf/authn/krb5-authn-config.xml.dist → src/shibboleth-identity-provider-3.2.1/dist/conf/authn/krb5-authn-config.xml.dist View File


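--- a/src/shibboleth-identity-provider-3.3.3/dist/conf/authn/ldap-authn-config.xml.dist
+++ b/src/shibboleth-identity-provider-3.2.1/dist/conf/authn/ldap-authn-config.xml.dist
@@ -21,8 +21,7 @@
     <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true" p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
         p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
         p:useSSL="%{idp.authn.LDAP.useSSL:false}"
-        p:connectTimeoutDuration="%{idp.authn.LDAP.connectTimeout:PT3S}"
-        p:responseTimeoutDuration="%{idp.authn.LDAP.responseTimeout:PT3S}"
+        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
         p:sslConfig-ref="sslConfig" />
 
     <alias name="%{idp.authn.LDAP.sslConfig:certificateTrust}" alias="sslConfig" />
@@ -52,7 +51,7 @@
 
     <!-- Pool Configuration -->
     <bean id="connectionPool" class="org.ldaptive.pool.BlockingConnectionPool" abstract="true"
-        p:blockWaitTimeDuration="%{idp.pool.LDAP.blockWaitTime:PT3S}"
+        p:blockWaitTime="%{idp.pool.LDAP.blockWaitTime:3000}"
         p:poolConfig-ref="poolConfig"
         p:pruneStrategy-ref="pruneStrategy"
         p:validator-ref="searchValidator"
@@ -62,10 +61,10 @@
         p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
         p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}"
         p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
-        p:validatePeriodDuration="%{idp.pool.LDAP.validatePeriod:PT5M}" />
+        p:validatePeriod="%{idp.pool.LDAP.validatePeriod:300}" />
     <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
-        p:prunePeriodDuration="%{idp.pool.LDAP.prunePeriod:PT5M}"
-        p:idleTimeDuration="%{idp.pool.LDAP.idleTime:PT10M}" />
+        p:prunePeriod="%{idp.pool.LDAP.prunePeriod:300}"
+        p:idleTime="%{idp.pool.LDAP.idleTime:600}" />
     <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
 
     <!-- Anonymous Search Configuration -->
@@ -73,13 +72,11 @@
         <constructor-arg index="0" ref="anonSearchDnResolver" />
         <constructor-arg index="1" ref="authHandler" />
     </bean>
-    <bean id="anonSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver"
+    <bean id="anonSearchDnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
         p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
         p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
-        p:connectionFactory-ref="anonSearchPooledConnectionFactory" >
-        <constructor-arg index="0" ref="shibboleth.VelocityEngine" />
-        <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
-    </bean>
+        p:userFilter="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}"
+        p:connectionFactory-ref="anonSearchPooledConnectionFactory" />
     <bean id="anonSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
         p:connectionPool-ref="anonSearchConnectionPool" />
     <bean id="anonSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
@@ -92,13 +89,11 @@
         <constructor-arg index="0" ref="bindSearchDnResolver" />
         <constructor-arg index="1" ref="authHandler" />
     </bean>
-    <bean id="bindSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver"
+    <bean id="bindSearchDnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
         p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
         p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
-        p:connectionFactory-ref="bindSearchPooledConnectionFactory" >
-        <constructor-arg index="0" ref="shibboleth.VelocityEngine" />
-        <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
-    </bean>
+        p:userFilter="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}"
+        p:connectionFactory-ref="bindSearchPooledConnectionFactory" />
     <bean id="bindSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
         p:connectionPool-ref="bindSearchConnectionPool" />
     <bean id="bindSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"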
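Review bot: The new `connectionConfig` bean keeps only `p:connectTimeout` and drops the response timeout altogether (the removed `p:responseTimeoutDuration` has no `p:responseTimeout` counterpart), so once a connection is up, a stalled LDAP server can hold authentication threads for as long as the socket stays open; if the ldaptive bundled with 3.2.1 exposes it, add `p:responseTimeout="%{idp.authn.LDAP.responseTimeout:3000}"` next to `connectTimeout`. The same hunks also change the expected format of `idp.authn.LDAP.connectTimeout`, `idp.pool.LDAP.blockWaitTime`, `validatePeriod`, `prunePeriod` and `idleTime` from ISO-8601 durations (`PT3S`, `PT5M`) to bare numbers (`3000`, `300`, `600`), and the defaults appear to mix units (milliseconds for the timeouts, seconds for the pool periods); a properties file that still carries `PT…` values will not bind, and the properties files are not in this diff, so that needs checking. Likewise `idp.authn.LDAP.userFilter` is now handed straight to `org.ldaptive.auth.PooledSearchDnResolver.userFilter`, whereas the removed resolver took a `shibboleth.VelocityEngine` and so presumably used a different placeholder syntax; confirm the configured filter matches what the ldaptive resolver expects, since a mismatch here changes how the principal name is substituted into the LDAP search. A short comment on each timeout line stating its unit would prevent the next person from guessing, e.g. `<!-- milliseconds -->` on `connectTimeout` and `<!-- seconds -->` on the pool periods, once the units are confirmed.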

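--- a/src/shibboleth-identity-provider-3.3.3/dist/conf/authn/password-authn-config.xml.dist
+++ b/src/shibboleth-identity-provider-3.2.1/dist/conf/authn/password-authn-config.xml.dist
@@ -31,22 +31,12 @@
     <!-- Set to TRUE if you want the password kept in the resulting Subject as a private credential. -->
     <util:constant id="shibboleth.authn.Password.RetainAsPrivateCredential" static-field="java.lang.Boolean.FALSE"/>
 
-    <!-- Apply any regular expression replacement pairs to username before validation. -->
+    <!-- Apply any regular expression replacement pairs before validation. -->
     <util:list id="shibboleth.authn.Password.Transforms">
         <!--
         <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
         -->
     </util:list>
-    
-    <!-- Uncomment to configure account lockout backed by in-memory storage. -->
-    <!--
-    <bean id="shibboleth.authn.Password.AccountLockoutManager"
-        parent="shibboleth.StorageBackedAccountLockoutManager"
-        p:maxAttempts="5"
-        p:counterInterval="PT5M"
-        p:lockoutDuration="PT5M"
-        p:extendLockoutDuration="false" />
-    -->
 
     <!--
     Define entries here to map error messages detected by validation actions and classify them as particular
@@ -68,12 +58,10 @@
                 <value>InvalidCredentials</value>
                 <value>PREAUTH_FAILED</value>
                 <value>INVALID_CREDENTIALS</value>
-                <value>Checksum failed</value>
             </list>
         </entry>
         <entry key="AccountLocked">
             <list>
-                <value>AccountLocked</value>
                 <value>Clients credentials have been revoked</value>
             </list>
         </entry>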
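Review bot: On the new side the `InvalidPassword` classifier no longer matches `Checksum failed` and `AccountLocked` matches only `Clients credentials have been revoked`, so a Kerberos pre-authentication checksum failure would presumably fall through to whatever generic failure event the flow uses rather than being reported as a bad password; worth confirming against the validators this 3.2.1 tree actually runs, since the error-to-event mapping is what drives the user-facing message and any alerting keyed on it. The new side also leaves this file with no lockout or throttling hook of any kind, so brute-force protection for the password flow has to come from the directory's own policy or from a fronting layer, and nothing in the file says which; suggest stating that next to the `shibboleth.authn.Password.Transforms` list, e.g. `<!-- No account-lockout manager is configured in this version; repeated-failure throttling relies on the LDAP server's lockout policy. -->`, adjusted to where that control actually lives in this deployment.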

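--- a/src/shibboleth-identity-provider-3.3.3/dist/conf/authn/remoteuser-authn-config.xml.dist
+++ b/src/shibboleth-identity-provider-3.2.1/dist/conf/authn/remoteuser-authn-config.xml.dist
@@ -15,12 +15,9 @@
     <!-- Servlet context-relative path to wherever your implementation lives. -->
     <bean id="shibboleth.authn.RemoteUser.externalAuthnPath" class="java.lang.String"
         c:_0="contextRelative:Authn/RemoteUser" />
-    
-    <!--
-    Default is to always use the path in the bean above. If you want to determine it
-    dynamically, define a bean called "shibboleth.authn.RemoteUser.externalAuthnPathStrategy"
-    of type Function<ProfileRequestContext,String> that returns the path to use.
-    -->
+
+    <!-- Populate RP UI info from metadata? -->
+    <util:constant id="shibboleth.authn.RemoteUser.populateUIInfo" static-field="java.lang.Boolean.FALSE" />
 
     <!--
     Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
@@ -30,11 +27,6 @@
     <util:constant id="shibboleth.authn.RemoteUser.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />
 
     <!--
-    <bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
-        c:_0="^(.+)@example\.edu]$" />
-    -->
-
-    <!--
     Define entries here to map error messages returned by external modules and classify them as particular
     kinds of errors for use in your templates and as events in flows.
 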

src/shibboleth-identity-provider-3.3.3/dist/conf/authn/remoteuser-internal-authn-config.xml.dist → src/shibboleth-identity-provider-3.2.1/dist/conf/authn/remoteuser-internal-authn-config.xml.dist View File


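--- a/src/shibboleth-identity-provider-3.3.3/dist/conf/authn/spnego-authn-config.xml.dist
+++ b/src/shibboleth-identity-provider-3.2.1/dist/conf/authn/spnego-authn-config.xml.dist
@@ -47,11 +47,6 @@
     </util:list>
 
     <!--
-    <bean id="shibboleth.authn.SPNEGO.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
-        c:_0="^(.+)@example\.edu]$" />
-    -->
-
-    <!--
     Define entries here to map events or error messages returned by the SPNEGO module
     and classify them as particular kinds of errors for use in your templates and as
     events in flows.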

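--- a/src/shibboleth-identity-provider-3.3.3/dist/conf/authn/x509-authn-config.xml.dist
+++ b/src/shibboleth-identity-provider-3.2.1/dist/conf/authn/x509-authn-config.xml.dist
@@ -16,11 +16,8 @@
     <bean id="shibboleth.authn.X509.externalAuthnPath" class="java.lang.String"
         c:_0="contextRelative:x509-prompt.jsp" />
 
-    <!--
-    Default is to always use the path in the bean above. If you want to determine it
-    dynamically, define a bean called "shibboleth.authn.X509.externalAuthnPathStrategy"
-    of type Function<ProfileRequestContext,String> that returns the path to use.
-    -->
+    <!-- Populate RP UI info from metadata? -->
+    <util:constant id="shibboleth.authn.X509.populateUIInfo" static-field="java.lang.Boolean.TRUE" />
 
     <!--
     Define entries here to map error messages returned by external modules and classify them as particular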
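Review bot: `shibboleth.authn.X509.populateUIInfo` is the only one of the three external-flow constants in this commit set to `TRUE` (External and RemoteUser both get `FALSE`), and this flow's external path is `x509-prompt.jsp`, a page the IdP renders itself; the comment `Populate RP UI info from metadata?` says what the switch does but not why this flow differs. The values it populates come, per that comment, from relying-party metadata, i.e. from outside the IdP, so whether the JSP HTML-escapes them before rendering cannot be judged from this diff and should be checked. Suggest replacing the question-style comment with one that records the reasoning, e.g. `<!-- TRUE because x509-prompt.jsp is an IdP-rendered page that shows the RP's name/logo from metadata; the JSP must escape these values. -->`, adjusted to what x509-prompt.jsp actually does.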

src/shibboleth-identity-provider-3.3.3/dist/conf/authn/x509-internal-authn-config.xml.dist → src/shibboleth-identity-provider-3.2.1/dist/conf/authn/x509-internal-authn-config.xml.dist View File


src/shibboleth-identity-provider-3.3.3/dist/conf/c14n/attribute-sourced-subject-c14n-config.xml.dist → src/shibboleth-identity-provider-3.2.1/dist/conf/c14n/attribute-sourced-subject-c14n-config.xml.dist View File


src/shibboleth-identity-provider-3.3.3/dist/conf/c14n/simple-subject-c14n-config.xml.dist → src/shibboleth-identity-provider-3.2.1/dist/conf/c14n/simple-subject-c14n-config.xml.dist View File


src/shibboleth-identity-provider-3.3.3/dist/conf/c14n/subject-c14n-events-flow.xml.dist → src/shibboleth-identity-provider-3.2.1/dist/conf/c14n/subject-c14n-events-flow.xml.dist View File


