Eolisation d'un Fournisseur d'identité Shibboleth / Eole Shibboleth IDP integration

70_shibboleth_idp.xml 18KB

  1. <?xml version="1.0" encoding="utf-8"?>
  2. <creole>
  3. <files>
  4. <!-- System configuration -->
  <!-- NOTE(review): target path reads '/etc/environement'; the system file is /etc/environment.
       Looks like a typo — confirm which path the rest of the stack expects before changing it. -->
  5. <file filelist='idp' name='/etc/environement' source='env-idp-shibboleth.conf' mkdir='True' rm='True'/>
  <!-- rsyslog forwarding rule; filelist 'idplog' is gated on activer_log_distant in <constraints>, independently of activer_idp -->
  6. <file filelist='idplog' name='/etc/rsyslog.d/eole-traps/shib-idp.conf' source='idp-rsyslog-shibboleth.conf' mkdir='True' rm='True'/>
  7. <!-- Apache configuration -->
  8. <file filelist='idp' name='/etc/apache2/ports.conf' source='apache-ports.conf' mkdir='True' rm='True'/>
  9. <file filelist='idp' name='/etc/apache2/sites-available/default-ssl.conf' source='idp-default-ssl.conf' mkdir='True' rm='True'/>
  10. <file filelist='idp' name='/etc/apache2/sites-available/idp.conf' source='apache-idp.conf' mkdir='True' rm='True'/>
  <!-- No source= here (nor on the Tomcat/IdP files below): presumably the template named after the file's basename is used — confirm -->
  11. <file filelist='idp' name='/etc/apache2/mods-available/mpm_worker.conf' mkdir='True' rm='True'/>
  12. <file filelist='idp' name='/var/www/html/error/index.html' source='error.html' mkdir='True' rm='True'/>
  13. <!-- Tomcat configuration -->
  14. <file filelist='idp' name='/etc/default/tomcat8' source='tomcat8.default' mkdir='True' rm='True'/>
  <!-- Tomcat and IdP files are written owner tomcat8, mode 700: the 'adm' group named on them gets no access under that mode.
       Keep the tight mode — ldap.properties below presumably carries the ldapReaderPassword bind credential (confirm against the template). -->
  15. <file filelist='idp' name='/etc/tomcat8/catalina.properties' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  16. <file filelist='idp' name='/etc/tomcat8/server.xml' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  17. <file filelist='idp' name='/etc/tomcat8/context.xml' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  18. <file filelist='idp' name='/etc/tomcat8/Catalina/localhost/idp.xml' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  19. <!-- Shibboleth IDP configuration -->
  20. <file filelist='idp' name='/opt/shibboleth-idp/conf/metadata-providers.xml' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  21. <file filelist='idp' name='/opt/shibboleth-idp/conf/ldap.properties' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  22. <file filelist='idp' name='/opt/shibboleth-idp/conf/attribute-resolver-ldap.xml' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  23. <file filelist='idp' name='/opt/shibboleth-idp/conf/relying-party.xml' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  24. <file filelist='idp' name='/opt/shibboleth-idp/conf/services.xml' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  25. <file filelist='idp' name='/opt/shibboleth-idp/conf/attribute-filter.xml' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  26. <file filelist='idp' name='/opt/shibboleth-idp/conf/logback.xml' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  27. <file filelist='idp' name='/opt/shibboleth-idp/messages/authn-messages.properties' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  <!-- Velocity views (login/logout/error pages) rendered by the IdP -->
  28. <file filelist='idp' name='/opt/shibboleth-idp/system/views/logout/propagate.vm' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  29. <file filelist='idp' name='/opt/shibboleth-idp/views/login.vm' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  30. <file filelist='idp' name='/opt/shibboleth-idp/views/login-error.vm' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  31. <file filelist='idp' name='/opt/shibboleth-idp/views/error.vm' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  32. <file filelist='idp' name='/opt/shibboleth-idp/views/logout.vm' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  33. <file filelist='idp' name='/opt/shibboleth-idp/views/logout-propagate.vm' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  34. <file filelist='idp' name='/opt/shibboleth-idp/views/logout-complete.vm' owner='tomcat8' group='adm' mode='700' mkdir='True' rm='True'/>
  <!-- Services managed with the IdP; 'svIdp' is disabled when activer_idp = non (see <constraints>) -->
  35. <service servicelist="svIdp">apache2</service>
  36. <service servicelist="svIdp">tomcat8</service>
  <!-- The stock 000-default site is only kept when activer_idp = non ('svIdpDisab'), so it never shadows the idp vhost -->
  37. <service servicelist='svIdpDisab' method='apache'>000-default</service>
  38. <service servicelist='svIdp' method='apache'>default-ssl</service>
  39. <service servicelist='svIdp' method='apache'>idp</service>
  <!-- Firewall openings for the IdP front end; the 'saidp' list follows activer_idp -->
  40. <service_access service='apache2'>
  41. <port service_accesslist="saidp">80</port>
  42. <port service_accesslist="saidp">443</port>
  43. </service_access>
  44. </files>
  45. <variables>
  46. <family name='Services'>
  <!-- Master switch: 'non' disables the 'idp' filelist, the 'Identity provider' family, the svIdp services and the saidp ports (see <constraints>) -->
  47. <variable name='activer_idp' type='oui/non' description="Activer le service Shibboleth IDP">
  48. <value>oui</value>
  49. </variable>
  50. </family>
  51. <family name="Identity provider">
  <!-- Apache serves the IdP: the base nginx front end is forced off and hidden (value also pinned by a calc_val fill in <constraints>) -->
  52. <variable name='activer_nginx_web' redefine='True' hidden='True' remove_condition='True'>
  53. <value>non</value>
  54. </variable>
  <!-- When 'oui' the Apache templates presumably trust proxy-supplied headers (X-Forwarded-For is logged, see apachelogXForwaredFor);
       the address of the trusted proxy should be restricted in the template rather than accepted from any client — confirm. -->
  55. <variable name='idpBehindRevproxy' type='oui/non' description="L'IDP est derrière un reverse proxy ?">
  56. <value>non</value>
  57. </variable>
  <!-- Hidden: unpacked IdP distribution, pinned to 3.2.1 by the path — update together with the shipped archive -->
  58. <variable name='shibbolethIDPSrc' type='string' description='IDP Source location' mode='expert' hidden='True'>
  59. <value>/usr/src/shibboleth-identity-provider-3.2.1</value>
  60. </variable>
  61. <variable name='logDebug' type='oui/non' description='Activer les logs de debug'>
  62. <value>non</value>
  63. </variable>
  <!-- Apache <-> Tomcat AJP connector port -->
  64. <variable name='ajpPort' type='number' description='AJP Proxy port' mode='expert'>
  65. <value>8009</value>
  66. </variable>
  67. <variable name='javaHome' type='string' description='Java VM home directory' mode='expert'>
  68. <value>/usr/lib/jvm/java-8-openjdk-amd64/jre</value>
  69. </variable>
  <!-- JVM heap bounds in MB (initial / maximum) -->
  70. <variable name='javaHeapSize' type='number' description='Mémoire minimum pour le processus Java (Mo)' mode='expert'>
  71. <value>128</value>
  72. </variable>
  73. <variable name='javaHeapMaxSize' type='number' description='Mémoire maximum pour le processus Java (Mo)' mode='expert'>
  74. <value>2048</value>
  75. </variable>
  76. <variable name='speedUpTomcat' type='oui/non' description='Accèlérer le démarrage de Tomcat'>
  77. <value>oui</value>
  78. </variable>
  <!-- SAML identity of this IdP: public host name, entityID and attribute scope; samlScope defaults to nom_domaine_local (see <constraints>) -->
  79. <variable name='idpDomain' type='string' description="Nom de domaine d'accès à l'IDP" mandatory="True"/>
  80. <variable name='entityID' type='string' description="Entity ID SAML2" mandatory="True"/>
  81. <variable name='samlScope' type='string' description="Scope SAML2" mandatory="True"/>
  <!-- ISO 8601 durations (PT60M = 60 minutes) for the IdP session lifetime and inactivity timeout -->
  82. <variable name='idpAuthnDefaultLifetime' type='string' description="Durée de vie de la session IDP en minutes (PTXXM)" mode='expert'>
  83. <value>PT60M</value>
  84. </variable>
  85. <variable name='idpAuthnDefaultTimeout' type='string' description="Expiration de la session IDP en minutes (PTXXM)" mode='expert'>
  86. <value>PT60M</value>
  87. </variable>
  <!-- Links rendered in the login/logout views. Defaults point at mselocal.cadoles.com, presumably a demo instance — set per deployment. -->
  88. <variable name='idpUrlPasswordReset' type='string' description='URL de reset du mot de passe'>
  89. <value>https://mselocal.cadoles.com/envole/mdp/raz</value>
  90. </variable>
  91. <variable name='idpUrlMse' type='string' description='URL du MSE'>
  92. <value>https://mselocal.cadoles.com</value>
  93. </variable>
  94. <variable name='idpUrlEmailChange' type='string' description="URL de changement d'email">
  95. <value>https://mselocal.cadoles.com/envole/courriel/raz</value>
  96. </variable>
  97. <variable name='idpUrlEmailRecover' type='string' description="URL de récupération d'email">
  98. <value>https://mselocal.cadoles.com/envole/recuperation/email</value>
  99. </variable>
  100. <variable name='idpUrlInscription' type='string' description="URL d'inscription">
  101. <value>https://mselocal.cadoles.com/envole/enregistrement</value>
  102. </variable>
  103. <variable name='idpUrlFacebookCnousCrous' type='string' description='URL facebook'>
  104. <value>https://www.facebook.com/cnouscrous</value>
  105. </variable>
  106. <variable name='idpUrlTwitterCnousCrous' type='string' description='URL twitter'>
  107. <value>https://twitter.com/CNOUS_CROUS</value>
  108. </variable>
  <!-- Only plain-http default among the links -->
  109. <variable name='idpUrlEtudiant' type='string' description="URL de l'application Etudiant">
  110. <value>http://www.etudiant.gouv.fr/</value>
  111. </variable>
  112. <variable name='idpUrlDonnees' type='string' description="URL des données personnelles">
  113. <value>https://mselocal.cadoles.com/envole/page/?t=mentions_legales#InfosDonneesPersonnelles</value>
  114. </variable>
  115. <variable name='idpUrlAssistance' type='string' description="URL du formulaire d'assistance">
  116. <value>https://mselocal.cadoles.com/envole/message/new</value>
  117. </variable>
  118. <variable name='idpUrlFaq' type='string' description='URL de la FAQ'>
  119. <value>https://mselocal.cadoles.com/envole/page/faq</value>
  120. </variable>
  121. <variable name='idpUrlLogout' type='string' description='URL de logout'>
  122. <value>https://mselocal.cadoles.com/envole/saml/log-out</value>
  123. </variable>
  124. <variable name='idpUrlConnexion' type='string' description='URL de connexion'>
  125. <value>https://mselocal.cadoles.com/envole/saml/login</value>
  126. </variable>
  127. <variable name='idpUrlLiens' type='string' description='URL des liens utiles'>
  128. <value>https://mselocal.cadoles.com/envole/page/?t=liens_utiles</value>
  129. </variable>
  130. <variable name='idpUrlMentions' type='string' description='URL des mentions légales'>
  131. <value>https://mselocal.cadoles.com/envole/page/?t=mentions_legales</value>
  132. </variable>
  133. <variable name='idpUserprefsTitle' type='string' description='Balise title HTML par défaut'>
  134. <value>messervices.etudiant.gouv.fr</value>
  135. </variable>
  <!-- Service providers: one entry per SP entityID; the spMetadata* variables below are slaves of this master (see <constraints>) -->
  136. <variable name='serviceProvider' type='string' description='ID du fournisseur de service' multi='True'/>
  137. <!-- <variable name='spType' type='string' description='Type de fournisseur de service'/> -->
  <!-- 'oui' fetches the SP metadata from spMetadataURL; 'non' uses the local spMetadataFile -->
  138. <variable name='spMetadataDownload' type='oui/non' description='Télécharger les métadata du fournisseur'>
  139. <value>oui</value>
  140. </variable>
  <!-- Security: 'oui' turns off TLS certificate validation for the spMetadataURL download. The SP metadata is the trust
       anchor for that relying party, so an unverified fetch lets an on-path party substitute it — keep 'non' and fix the
       certificate chain instead. -->
  141. <variable name='spMetadataDisregardTLSCertificate' type='oui/non' description='Ignorer la vérification du certificat SSL'>
  142. <value>non</value>
  143. </variable>
  144. <variable name='spMetadataFile' type='string' description='Fichier de metadata du fournisseur'/>
  145. <variable name='spMetadataURL' type='string' description='URL de téléchargement du fichier de metadata du fournisseur'/>
  <!-- LDAP backend. ldapProto has no default and is restricted to ldaps/ldap by a valid_enum check in <constraints>. -->
  146. <variable name='ldapProto' type='string' description="Protocole"/>
  147. <variable name='ldapAddr' type='string' description="Adresse du serveur LDAP"/>
  148. <variable name='ldapPort' type='number' description="Port du serveur LDAP"/>
  149. <variable name='ldapBaseDN' type='string' description="DN de base de l'annuaire"/>
  <!-- {user} is the placeholder for the submitted login; the LDAP layer is expected to escape the substituted value — confirm in the ldap.properties template -->
  150. <variable name='ldapUserFilter' type='string' description="Filtre utilisateurs">
  151. <value>(mail={user})</value>
  152. </variable>
  153. <variable name='ldapReaderBindDN' type='string' description="DN de l'utilisateur lecteur de l'annuaire"/>
  <!-- Pool bounds are numeric but typed 'string' (ldapPort above is 'number'); consider type='number' for consistency -->
  154. <variable name='ldapPoolMinSize' type='string' description="Taille minimum du pool de connexions LDAP">
  155. <value>3</value>
  156. </variable>
  157. <variable name='ldapPoolMaxSize' type='string' description="Taille maximum du pool de connexions LDAP">
  158. <value>10</value>
  159. </variable>
  <!-- Default is a path, so the bind password is read from /root/.reader (presumably by the template at generation time — confirm).
       A literal password given here would end up in the generated ldap.properties (owner tomcat8, mode 700); prefer the file form. -->
  160. <variable name='ldapReaderPassword' type='string' description="Mot de passe ou fichier de mot de passe de l'utilisateur lecteur de l'annuaire">
  161. <value>/root/.reader</value>
  162. </variable>
  <!-- Gate for the 'Attributs de fédération' family below -->
  163. <variable name="defineLDAPAttr" type='oui/non' description="Definir des attributs de fédération" mode='expert'>
  164. <value>non</value>
  165. </variable>
  166. </family>
  <!-- Custom federation attributes; hidden unless defineLDAPAttr = oui. attrID is the master of a group, the other four are its slaves (see <constraints>). -->
  167. <family name="Attributs de fédération" mode='expert'>
  168. <variable name="attrID" type='string' description="Identifiant de l'attribut" multi='True'/>
  <!-- Restricted to '', 'Simple' or 'Prescoped' by a valid_enum check -->
  169. <variable name="attrType" type='string' description="Type de l'attribut"/>
  170. <variable name="attrSource" type='string' description="Source de l'attribut"/>
  171. <variable name="attrOID" type='string' description="OID de l'attribut"/>
  <!-- Boolean expressed as the string enum 'false'/'true' rather than oui/non — presumably written verbatim into the resolver XML; confirm -->
  172. <variable name="attrEncoding" type='string' description="Attribut encodé ?"/>
  173. </family>
  <!-- Apache mpm_worker and keep-alive tuning. Values are numeric but typed 'string' throughout this family (compare ajpPort, type='number'). -->
  174. <family name='IDP-Apache'>
  175. <variable name='idpApacheServerLimit' type='string' description='Limite supérieure de la définition du nombre de processus (ServerLimit)' >
  176. <value>16</value>
  177. </variable>
  178. <variable name='idpApacheStartServers' type='string' description='Nombre initial de process' >
  179. <value>2</value>
  180. </variable>
  181. <variable name='idpApacheMinSpareThreads' type='string' description='Nombre minimum de threads disponibles' >
  182. <value>25</value>
  183. </variable>
  184. <variable name='idpApacheMaxSpareThreads' type='string' description='Nombre maximum de threads disponibles' >
  185. <value>75</value>
  186. </variable>
  187. <variable name='idpApacheThreadLimit' type='string' description='Nombre maximum de threads par process' >
  188. <value>64</value>
  189. </variable>
  190. <variable name='idpApacheThreadsPerChild' type='string' description='Nombre de threads par process par défaut' >
  191. <value>25</value>
  192. </variable>
  193. <variable name='idpApacheMaxRequestWorkers' type='string' description='Nombre maximum de threads total' >
  194. <value>150</value>
  195. </variable>
  <!-- 0 = never recycle worker processes -->
  196. <variable name='idpApacheMaxConnectionsPerChild' type='string' description='Nombre maximum de requêtes par process' >
  197. <value>0</value>
  198. </variable>
  <!-- Request timeout in seconds -->
  199. <variable name='apacheTimeout' type='string' description='Durée de vie des requêtes traitées par Apache (Timeout en s)'>
  200. <value>300</value>
  201. </variable>
  202. <variable name='enableKeepAlive' type='oui/non' description='Activer le KeepAlive (maintenir les threads en vie)'>
  203. <value>non</value>
  204. </variable>
  205. <variable name='apacheMaxKeepAliveRequests' type='string' description='Nombre maximum de requêtes keep alive' >
  206. <value>100</value>
  207. </variable>
  208. <variable name='apacheKeepAliveTimeout' type='string' description='Durée de requête keep alive'>
  209. <value>15</value>
  210. </variable>
  <!-- Name and description spell the header 'X-Forwared-For' (sic); the real header is X-Forwarded-For. The variable name is
       an identifier referenced by the templates, so keep it. The header value is client-supplied unless set by a trusted
       proxy: fine for logging, not for access decisions. -->
  211. <variable name="apachelogXForwaredFor" type='oui/non' description="Ecrire la valeur de X-Forwared-For dans les logs ?">
  212. <value>oui</value>
  213. </variable>
  214. </family>
  <!-- Section headings inside the 'Identity provider' family; the name attribute is the variable the heading is placed before -->
  215. <separators>
  216. <separator name="serviceProvider">Fournisseurs de services</separator>
  217. <separator name="ldapProto">Serveur LDAP</separator>
  218. </separators>
  219. </variables>
  220. <constraints>
  <!-- activer_idp = non: hide the whole IdP stack (files, family, firewall ports, services) -->
  221. <condition name='disabled_if_in' source='activer_idp'>
  222. <param>non</param>
  223. <target type='filelist'>idp</target>
  224. <target type='family'>Identity provider</target>
  225. <target type='service_accesslist'>saidp</target>
  226. <target type='servicelist'>svIdp</target>
  227. </condition>
  <!-- activer_idp = oui: drop the stock 000-default Apache site -->
  228. <condition name='disabled_if_in' source='activer_idp'>
  229. <param>oui</param>
  230. <target type='servicelist'>svIdpDisab</target>
  231. </condition>
  <!-- Exactly one of spMetadataURL / spMetadataFile is shown, depending on spMetadataDownload -->
  232. <condition name='disabled_if_in' source='spMetadataDownload'>
  233. <param>non</param>
  234. <target type='variable'>spMetadataURL</target>
  235. </condition>
  236. <condition name='disabled_if_in' source='spMetadataDownload'>
  237. <param>oui</param>
  238. <target type='variable'>spMetadataFile</target>
  239. </condition>
  240. <condition name='disabled_if_in' source='defineLDAPAttr'>
  241. <param>non</param>
  242. <target type='family'>Attributs de fédération</target>
  243. </condition>
  <!-- activer_log_distant is not declared in this dictionary; presumably provided by the EOLE base dictionaries — confirm -->
  244. <condition name='disabled_if_in' source='activer_log_distant'>
  245. <param>non</param>
  246. <target type='filelist'>idplog</target>
  247. </condition>
  <!-- One metadata configuration per serviceProvider entry -->
  248. <group master='serviceProvider'>
  249. <!-- <slave>spType</slave> -->
  250. <slave>spMetadataDownload</slave>
  251. <slave>spMetadataDisregardTLSCertificate</slave>
  252. <slave>spMetadataFile</slave>
  253. <slave>spMetadataURL</slave>
  254. </group>
  <!-- One type/source/OID/encoding tuple per attrID entry -->
  255. <group master="attrID">
  256. <slave>attrType</slave>
  257. <slave>attrSource</slave>
  258. <slave>attrOID</slave>
  259. <slave>attrEncoding</slave>
  260. </group>
  <!-- Enum params are written as Python list literals; the empty string allows attrType to stay unset -->
  261. <check name="valid_enum" target="attrType">
  262. <param>['', 'Simple', 'Prescoped']</param>
  263. </check>
  264. <check name="valid_enum" target="attrEncoding">
  265. <param>['false', 'true']</param>
  266. </check>
  <!-- Security: 'ldap' binds in cleartext unless StartTLS is enabled in the template (no StartTLS variable is visible in this
       dictionary); the reader bind password and user lookups travel over this connection, so prefer 'ldaps'. -->
  267. <check name="valid_enum" target="ldapProto">
  268. <param>['ldaps', 'ldap']</param>
  269. </check>
  <!-- samlScope defaults to the local domain name (EOLE variable nom_domaine_local); still mandatory and overridable -->
  270. <fill name='calc_val' target='samlScope'>
  271. <param type='eole' name='valeur'>nom_domaine_local</param>
  272. </fill>
  <!-- Pin the hidden activer_nginx_web redefinition to 'non': Apache fronts the IdP -->
  273. <fill name='calc_val' target='activer_nginx_web'>
  274. <param>non</param>
  275. </fill>
  276. </constraints>
  277. <help>
  <!-- TODO(review): this help text describes an OpenNebula HTTP marketplace, not the Shibboleth IDP — presumably copied
       from another dictionary. It should match the variable's description "Activer le service Shibboleth IDP". -->
  278. <variable name='activer_idp'>Activer l'hébergement d'une place de marché HTTP pour OpenNebula</variable>
  279. </help>
  280. </creole>