Add example configuration files for shibboleth

Files used for the federation CAFe, used as a base for our shib integration guide.
eric-erki · Oct 3, 2014 · c16fb29 · c16fb29
1 parent 8beb5a8
commit c16fb29
Show file tree

Hide file tree

Showing 4 changed files with 309 additions and 0 deletions.
diff --git a/config/shibboleth/cafe/attribute-map.xml b/config/shibboleth/cafe/attribute-map.xml
@@ -0,0 +1,69 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
+    </Attribute>
+
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
+    </Attribute>
+
+    <!-- Schema: Core schema attributes-->
+    <!-- mail -->
+    <Attribute name="urn:mace:dir:attribute-def:mail"
+               id="Shib-inetOrgPerson-mail"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3"
+               id="Shib-inetOrgPerson-mail"/>
+
+    <!-- cn -->
+    <Attribute name="urn:mace:dir:attribute-def:cn"
+               id="Shib-inetOrgPerson-cn"/>
+    <Attribute name="urn:oid:2.5.4.3"
+               id="Shib-inetOrgPerson-cn"/>
+
+    <!-- sn -->
+    <Attribute name="urn:mace:dir:attribute-def:sn"
+               id="Shib-inetOrgPerson-sn"/>
+    <Attribute name="urn:oid:2.5.4.4"
+               id="Shib-inetOrgPerson-sn"/>
+
+    <!-- Schema: brEduPerson -->
+    <!-- brEduAffiliationType -->
+    <Attribute name="urn:mace:rnp.br:attribute-def:brEduAffiliationType"
+               id="Shib-brEduPerson-brEduAffiliationType"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.15996.100.1.1.2.1"
+               id="Shib-brEduPerson-brEduAffiliationType"/>
+
+    <!-- Atributos brPersonCPF e brPersonPassport não são habilitados na configuração default  -->
+    <!-- brPersonCPF -->
+    <!--
+    <Attribute name="urn:mace:rnp.br:attribute-def:brPersonCPF"
+               id="Shib-brPerson-brPersonCPF"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.15996.100.1.1.1.1"
+               id="Shib-brPerson-brPersonCPF"/>
+    -->
+
+    <!-- brPersonPassport -->
+    <!--
+    <Attribute name="urn:mace:rnp.br:attribute-def:brPersonPassport"
+               id="Shib-brPerson-brPersonPassport"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.15996.100.1.1.1.2"
+               id="Shib-brPerson-brPersonPassport"/>
+    -->
+
+    <!-- Schema: eduPerson attributes -->
+    <!-- eppn - eduPersonPrincipalName -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
+               id="Shib-eduPerson-eduPersonPrincipalName">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+               id="Shib-eduPerson-eduPersonPrincipalName">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation"
+               id="Shib-eduPerson-eduPersonAffiliation"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
+               id="Shib-eduPerson-eduPersonAffiliation"/>
+</Attributes>
diff --git a/config/shibboleth/cafe/attribute-policy.xml b/config/shibboleth/cafe/attribute-policy.xml
@@ -0,0 +1,63 @@
+<afp:AttributeFilterPolicyGroup
+    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
+    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
+    xmlns:afp="urn:mace:shibboleth:2.0:afp"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!-- Shared rule for affiliation values. -->
+    <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
+        <Rule xsi:type="AttributeValueString" value="faculty"/>
+        <Rule xsi:type="AttributeValueString" value="student"/>
+        <Rule xsi:type="AttributeValueString" value="staff"/>
+        <Rule xsi:type="AttributeValueString" value="alum"/>
+        <Rule xsi:type="AttributeValueString" value="member"/>
+        <Rule xsi:type="AttributeValueString" value="affiliate"/>
+        <Rule xsi:type="AttributeValueString" value="employee"/>
+        <Rule xsi:type="AttributeValueString" value="library-walk-in"/>
+    </afp:PermitValueRule>
+
+    <!--
+    Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
+    an AttributeRule for each attribute you want to check.
+    -->
+    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
+        <Rule xsi:type="NOT">
+            <Rule xsi:type="AttributeValueRegex" regex="@"/>
+        </Rule>
+        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"/>
+    </afp:PermitValueRule>
+
+    <afp:AttributeFilterPolicy>
+        <!-- This policy is in effect in all cases. -->
+        <afp:PolicyRequirementRule xsi:type="ANY"/>
+
+        <!-- Filter out undefined affiliations and ensure only one primary. -->
+        <afp:AttributeRule attributeID="affiliation">
+            <afp:PermitValueRule xsi:type="AND">
+                <RuleReference ref="eduPersonAffiliationValues"/>
+                <RuleReference ref="ScopingRules"/>
+            </afp:PermitValueRule>
+        </afp:AttributeRule>
+        <afp:AttributeRule attributeID="unscoped-affiliation">
+            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+        </afp:AttributeRule>
+        <afp:AttributeRule attributeID="primary-affiliation">
+            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+        </afp:AttributeRule>
+
+        <afp:AttributeRule attributeID="eppn">
+            <afp:PermitValueRuleReference ref="ScopingRules"/>
+        </afp:AttributeRule>
+
+        <afp:AttributeRule attributeID="targeted-id">
+            <afp:PermitValueRuleReference ref="ScopingRules"/>
+        </afp:AttributeRule>
+
+        <!-- Catch-all that passes everything else through unmolested. -->
+        <afp:AttributeRule attributeID="*">
+            <afp:PermitValueRule xsi:type="ANY"/>
+        </afp:AttributeRule>
+
+    </afp:AttributeFilterPolicy>
+
+</afp:AttributeFilterPolicyGroup>
diff --git a/config/shibboleth/cafe/metadata-sp.xml b/config/shibboleth/cafe/metadata-sp.xml
@@ -0,0 +1,36 @@
+<EntityDescriptor entityID="https://$DOMAIN/shibboleth-sp2">
+    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+      <Extensions>
+        <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
+          <mdui:DisplayName xml:lang="en">$SERVICE_NAME</mdui:DisplayName>
+          <mdui:Description xml:lang="en">$SERVICE_DESCRIPTION</mdui:Description>
+        </mdui:UIInfo>
+      </Extensions>
+      <KeyDescriptor>
+        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+          <ds:X509Data>
+            <ds:X509Certificate>
+$CERTIFICATE
+$CERTIFICATE
+$CERTIFICATE
+            </ds:X509Certificate>
+          </ds:X509Data>
+        </ds:KeyInfo>
+      </KeyDescriptor>
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://$DOMAIN/Shibboleth.sso/SAML2/POST" index="1"/>
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://$DOMAIN/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://$DOMAIN/Shibboleth.sso/SAML2/Artifact" index="3"/>
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://$DOMAIN/Shibboleth.sso/SAML2/ECP" index="4"/>
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://$DOMAIN/Shibboleth.sso/SAML/POST" index="5"/>
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://$DOMAIN/Shibboleth.sso/SAML/Artifact" index="6"/>
+    </SPSSODescriptor>
+    <Organization>
+      <OrganizationName xml:lang="en">$INSTITUTION</OrganizationName>
+      <OrganizationDisplayName xml:lang="en">$INSTITUTION</OrganizationDisplayName>
+      <OrganizationURL xml:lang="en">http://www.$DOMAIN_INSTITUTION/</OrganizationURL>
+    </Organization>
+   <ContactPerson contactType="technical">
+    <SurName>$ADMIN_NAME</SurName>
+    <EmailAddress>$ADMIN_EMAIL</EmailAddress>
+   </ContactPerson>
+</EntityDescriptor>
diff --git a/config/shibboleth/cafe/shibboleth2.xml b/config/shibboleth/cafe/shibboleth2.xml
@@ -0,0 +1,141 @@
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    logger="syslog.logger" clockSkew="180">
+
+    <OutOfProcess logger="shibd.logger">
+    </OutOfProcess>
+
+    <InProcess logger="native.logger">
+        <ISAPI normalizeRequest="true" safeHeaderNames="true">
+            <Site id="1" name="sp.example.org"/>
+        </ISAPI>
+    </InProcess>
+
+    <UnixListener address="shibd.sock"/>
+
+    <StorageService type="Memory" id="mem" cleanupInterval="900"/>
+    <SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
+    <ReplayCache StorageService="mem"/>
+    <ArtifactMap artifactTTL="180"/>
+
+
+    <RequestMapper type="Native">
+        <RequestMap applicationId="default">
+            <Host name="$DOMAIN">
+                <Path name="secure" authType="shibboleth" requireSession="true"/>
+            </Host>
+        </RequestMap>
+    </RequestMapper>
+
+    <ApplicationDefaults id="default" policyId="default"
+        entityID="https://$DOMAIN/shibboleth-sp2"
+        REMOTE_USER="eppn persistent-id targeted-id"
+        signing="false" encryption="false">
+
+        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
+            handlerURL="/Shibboleth.sso" handlerSSL="false"
+            exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
+            idpHistory="false" idpHistoryDays="7">
+
+
+            <SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie">
+                <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
+                <SessionInitiator type="Shib1" defaultACSIndex="5"/>
+                <SessionInitiator type="SAMLDS" URL="https://ds.chimarrao.cafe.rnp.br/WAYF"/>
+            </SessionInitiator>
+
+            <md:AssertionConsumerService Location="/SAML2/POST" index="1"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+            <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
+            <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+            <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
+            <md:AssertionConsumerService Location="/SAML/POST" index="5"
+                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
+            <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
+                Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
+
+            <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
+                <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
+                <LogoutInitiator type="Local"/>
+            </LogoutInitiator>
+
+            <md:SingleLogoutService Location="/SLO/SOAP"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+            <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
+            <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+            <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+
+            <md:ManageNameIDService Location="/NIM/SOAP"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+            <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
+            <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+            <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+
+            <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
+
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+        </Sessions>
+
+        <Errors supportContact="root@localhost"
+            logoLocation="/shibboleth-sp2/logo.jpg"
+            styleSheet="/shibboleth-sp2/main.css"/>
+
+
+        <MetadataProvider type="Chaining">
+            <MetadataProvider type="XML" uri="https://ds.chimarrao.cafe.rnp.br/metadata/chimarrao-metadata.xml"
+                 backingFilePath="/etc/shibboleth/chimarrao-metadata.xml" validate="true" reloadInterval="300">
+            </MetadataProvider>
+
+
+        </MetadataProvider>
+
+        <TrustEngine type="Chaining">
+            <TrustEngine type="ExplicitKey"/>
+            <TrustEngine type="PKIX"/>
+        </TrustEngine>
+
+        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
+
+        <AttributeResolver type="Query" subjectMatch="true"/>
+
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <CredentialResolver type="File" key="sp-key.pem"
+                            certificate="sp-cert.pem"
+                            keyName="$DOMAIN"/>
+
+
+
+    </ApplicationDefaults>
+
+    <SecurityPolicies>
+        <Policy id="default" validate="false">
+            <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
+            <PolicyRule type="Conditions">
+                <PolicyRule type="Audience"/>
+            </PolicyRule>
+            <PolicyRule type="ClientCertAuth" errorFatal="true"/>
+            <PolicyRule type="XMLSigning" errorFatal="true"/>
+            <PolicyRule type="SimpleSigning" errorFatal="true"/>
+        </Policy>
+    </SecurityPolicies>
+
+</SPConfig>