diff --git a/.eclipse-pass.JHUAWSdemo_env b/.eclipse-pass.JHUAWSdemo_env index 8ffc715..b66748d 100644 --- a/.eclipse-pass.JHUAWSdemo_env +++ b/.eclipse-pass.JHUAWSdemo_env @@ -12,3 +12,10 @@ PASS_CORE_SP_ACS=https://demo.eclipse-pass.org/login/saml2/sso/pass IDP_HOST=https://demo.eclipse-pass.org:9080 SP_LOGIN=https://demo.eclipse-pass.org/login/saml2/sso/pass + +################################################### +# LDAP config ####################### +################################################### + +DS_DM_PASSWORD=password +DS_SUFFIX_NAME="dc=pass" \ No newline at end of file diff --git a/.eclipse-pass.local_env b/.eclipse-pass.local_env index d2b5c36..ec15324 100644 --- a/.eclipse-pass.local_env +++ b/.eclipse-pass.local_env @@ -65,31 +65,8 @@ IDP_HOST=http://localhost:9080 SP_LOGIN=http://localhost:8080/login/saml2/sso/pass ################################################### -# LDAP / Mail server config ####################### +# LDAP config ####################### ################################################### -MAIL_SMTP=11025 -MAIL_IMAPS=11993 -MAIL_MSP=11587 -OVERRIDE_HOSTNAME=mail.jhu.edu -ENABLE_SPAMASSASSIN=0 -ENABLE_CLAMAV=0 -ENABLE_FAIL2BAN=0 -ENABLE_POSTGREY=0 -SMTP_ONLY=0 -ONE_DIR=1 -DMS_DEBUG=0 -ENABLE_LDAP=1 -TLS_LEVEL=intermediate -LDAP_SERVER_HOST=ldap -LDAP_SEARCH_BASE=ou=People,dc=pass -LDAP_BIND_DN=cn=admin,dc=pass -LDAP_BIND_PW=password -LDAP_QUERY_FILTER_USER=(&(objectClass=posixAccount)(mail=%s)) -LDAP_QUERY_FILTER_GROUP=(&(objectClass=posixAccount)(mailGroupMember=%s)) -LDAP_QUERY_FILTER_ALIAS=(&(objectClass=posixAccount)(mailAlias=%s)) -LDAP_QUERY_FILTER_DOMAIN=(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s)) -ENABLE_SASLAUTHD=0 -POSTMASTER_ADDRESS=root -SSL_TYPE=manual -SSL_CERT_PATH=/tmp/docker-mailserver/cert.pem -SSL_KEY_PATH=/tmp/docker-mailserver/key.rsa + +DS_DM_PASSWORD=password +DS_SUFFIX_NAME="dc=pass" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4cfb311..6b5d684 100644 
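Review bot: `DS_DM_PASSWORD=password` commits the 389ds Directory Manager credential as a literal default, and this hunk adds it to the env file of the AWS demo environment as well as (next hunk) to `.eclipse-pass.local_env`; eclipse-pass.local.yml hands the same env_file to both the idp and ldap containers, so the value also lands in the IdP's environment. For the demo env at least, keep only a non-working placeholder in the committed file (e.g. `DS_DM_PASSWORD=CHANGEME_set_in_deployment`) and supply the real value from a file that is not committed, such as the `.env` the services already load. `DS_SUFFIX_NAME="dc=pass"` is the only quoted value in these files; whether env_file parsing strips the quotes depends on the Compose version, and the value is used verbatim in `--suffix="$$DS_SUFFIX_NAME"`, so `DS_SUFFIX_NAME=dc=pass` matches the rest of the file and avoids the ambiguity.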
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,7 +10,7 @@ on: required: true description: Next development version (e.g. 0.5.0-SNAPSHOT) runtests: - description: 'Run acceptance tests against release version before pushing images?' + description: 'Run acceptance tests against release version?' type: boolean jobs: @@ -42,18 +42,12 @@ jobs: with: version: $RELEASE - - name: Build new images - run: docker compose -f docker-compose.yml -f eclipse-pass.local.yml build idp ldap - - name: Acceptance tests if: ${{ inputs.runtests }} uses: ./.github/actions/acceptance-test with: pullimages: 'missing' - - name: Push release images - run: docker compose -f docker-compose.yml -f eclipse-pass.local.yml push idp ldap - - name: Bump image versions to next development version uses: ./.github/actions/update-pass-version with: @@ -65,7 +59,3 @@ jobs: - name: Push release tag to GitHub run: git push origin $RELEASE - - - name: Build and push next development image tags - run: docker compose -f docker-compose.yml -f eclipse-pass.local.yml build --push idp ldap - diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml deleted file mode 100644 index c33f830..0000000 --- a/.github/workflows/update-docker-images.yml +++ /dev/null 
@@ -1,36 +0,0 @@ - # Update Docker images in pass-docker that are build in this repository: - # * idp - # * ldap -name: update-docker-images - -on: - workflow_dispatch: - pull_request: - types: - - closed - -concurrency: - group: ci-${{ github.head_ref || github.ref }} - cancel-in-progress: true - -jobs: - update-images: - if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' - runs-on: ubuntu-latest - timeout-minutes: 10 - - steps: - - uses: actions/checkout@v3 - - - name: Login to GHCR - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build set of Docker images - run: docker compose -f docker-compose.yml -f eclipse-pass.local.yml build --no-cache idp ldap - - - name: Publish Docker images - run: docker compose -f docker-compose.yml -f eclipse-pass.local.yml push idp ldap diff --git a/README.md b/README.md index b0f24d3..3d02d98 100644 --- a/README.md +++ b/README.md @@ -52,10 +52,10 @@ docker compose -p pass-docker -f docker-compose.yml -f eclipse-pass.local.yml -f ## Services: -### [`idp`](https://github.com/eclipse-pass/pass-docker/idp) +### `idp` -Repository: https://github.com/eclipse-pass/pass-docker -Package: https://github.com/orgs/eclipse-pass/packages/container/package/idp +This service runs a Shibboleth Identity Provider using an image from [https://spaces.at.internet2.edu/display/ITAP/InCommon+Trusted+Access+Platform+Release]. +Configuration files in the image are overridden on startup by using files in `idp/`. Environment variables: * `IDP_HOST=http://localhost:9080` 
@@ -65,6 +65,15 @@ Separately there is a non-container environment variable `IDP_INTERNAL_PORT` whi The default is 8080. This can be used to make 9080 support https by setting it to 4443 in the docker compose environment. One way to do this is by adding `IDP_INTERNAL_PORT=4443` to the docker compose command. Note that `-e` should not be used because it is for container environment variables. +This service is intended for testing only. + +### `ldap` + +This service runs the 389 Directory Server which is a LDAP server. It is used by the IDP as a source of information on users. +The users in ` ldap/pass.ldif` are loaded on startup. + +This service is intended for testing only. + ### [`pass-core`](https://github.com/eclipse-pass/pass-core) Repository: https://github.com/eclipse-pass/pass-core 
@@ -124,39 +133,6 @@ Environment variables: A basic Docker image where we can run a `curl` command to bootstrap the environment with data from `demo_data.json` -### `idp`, `ldap` - -Other related images that work together with `pass-auth` to handle authentication. Based on services of the same name in the older `docker-compose` environment. - -Environment variables: - -* `MAIL_SMTP=11025` -* `MAIL_IMAPS=11993` -* `MAIL_MSP=11587` -* `OVERRIDE_HOSTNAME=mail.jhu.edu` -* `ENABLE_SPAMASSASSIN=0` -* `ENABLE_CLAMAV=0` -* `ENABLE_FAIL2BAN=0` -* `ENABLE_POSTGREY=0` -* `SMTP_ONLY=0` -* `ONE_DIR=1` -* `DMS_DEBUG=0` -* `ENABLE_LDAP=1` -* `TLS_LEVEL=intermediate` -* `LDAP_SERVER_HOST=ldap` -* `LDAP_SEARCH_BASE=ou=People,dc=pass` -* `LDAP_BIND_DN=cn=admin,dc=pass` -* `LDAP_BIND_PW=password` -* `LDAP_QUERY_FILTER_USER=(&(objectClass=posixAccount)(mail=%s))` -* `LDAP_QUERY_FILTER_GROUP=(&(objectClass=posixAccount)(mailGroupMember=%s))` -* `LDAP_QUERY_FILTER_ALIAS=(&(objectClass=posixAccount)(mailAlias=%s))` -* `LDAP_QUERY_FILTER_DOMAIN=(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))` -* `ENABLE_SASLAUTHD=0` -* `POSTMASTER_ADDRESS=root` -* `SSL_TYPE=manual` -* `SSL_CERT_PATH=/tmp/docker-mailserver/cert.pem` -* `SSL_KEY_PATH=/tmp/docker-mailserver/key.rsa` - ## Running Acceptance Tests Repository: https://github.com/eclipse-pass/pass-acceptance-testing diff --git a/eclipse-pass.local.yml b/eclipse-pass.local.yml index c688dc5..2e95e72 100644 --- a/eclipse-pass.local.yml +++ b/eclipse-pass.local.yml @@ -15,7 +15,8 @@ services: - .eclipse-pass.local_env healthcheck: test: 'curl -u "$$PASS_CORE_BACKEND_USER:$$PASS_CORE_BACKEND_PASSWORD" -f http://pass-core:8080/data/user || exit 1' - start_period: 30s + start_period: 60s + interval: 5s ports: - 8080:8080 extra_hosts: 
@@ -39,46 +40,59 @@ services: - ./postgres/demo/init_postgres.sh:/docker-entrypoint-initdb.d/init_postgres.sh idp: - build: - context: ./idp - args: - TENANT: jhu - image: "ghcr.io/eclipse-pass/idp:${PASS_VERSION}" + image: "tier/shib-idp:4.3.3_20240415" container_name: idp depends_on: - - ldap - environment: - - JETTY_MAX_HEAP=64m - - JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=password - - JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=password - ports: - - 9080:${IDP_INTERNAL_PORT-8080} + ldap: + condition: service_healthy env_file: - .env - .eclipse-pass.local_env + ports: + - 9080:${IDP_INTERNAL_PORT-8080} + command: + - /bin/bash + - -c + - | + cp /idp-config/config/tomcat/* /usr/local/tomcat/conf + cp /idp-config/credentials/tomcat/* /opt/certs + cp /idp-config/config/shib-idp/conf/* /opt/shibboleth-idp/conf + cp /idp-config/credentials/shib-idp/* /opt/shibboleth-idp/credentials + cp /idp-config/config/shib-idp/metadata/* /opt/shibboleth-idp/metadata + cp /idp-config/dummylogo.png /opt/shibboleth-idp/edit-webapp/images/placeholder-logo.png + + sed -i "s#IDP_HOST#$$IDP_HOST#g" /opt/shibboleth-idp/metadata/idp-metadata.xml + sed -i "s#IDP_HOST#$$IDP_HOST#g" /opt/shibboleth-idp/conf/idp.properties + sed -i "s#SP_LOGIN#$$SP_LOGIN#g" /opt/shibboleth-idp/metadata/sp-metadata.xml + + /usr/bin/startup.sh healthcheck: - test: 'curl -f http://idp:8080/idp/shibboleth || exit 1' - start_period: 10s + start_period: 60s + interval: 5s + volumes: + - ./idp:/idp-config networks: - back - secrets: - - source: idp_backchannel - - source: idp_browser - - source: idp_encryption - - source: idp_signing - - source: idp_sealer - - source: idp_cert ldap: - build: - context: ./ldap - args: - TENANT: jhu - image: "ghcr.io/eclipse-pass/demo-ldap:${PASS_VERSION}" + image: "389ds/dirsrv:3.1" container_name: ldap env_file: - .env - .eclipse-pass.local_env + # Start the container, wait for it to start, create the suffix, and then load users + command: + - /bin/bash + - -c + - | + set -m + 
/usr/lib/dirsrv/dscontainer -r & + while !(/usr/lib/dirsrv/dscontainer -H) >/dev/null 2>&1; do sleep 5; done; + dsconf -D "cn=Directory Manager" localhost backend create --suffix="$$DS_SUFFIX_NAME" --be-name="pass" + ldapadd -f /pass.ldif -H ldap://localhost:3389 -w "$$DS_DM_PASSWORD" -D "cn=Directory Manager" + fg + volumes: + - ./ldap/pass.ldif:/pass.ldif networks: - back @@ -110,21 +124,3 @@ services: - "./localstack/aws_bootstrap.sh:/etc/localstack/init/ready.d/init-aws.sh" networks: - back - -secrets: - idp_cert: - file: ./secrets/idp/idp-signing.crt - sp_key: - file: ./secrets/sp/sp-key.pem - sp_cert: - file: ./secrets/sp/sp-cert.pem - idp_backchannel: - file: ./secrets/idp/idp-backchannel.p12 - idp_browser: - file: ./secrets/idp/idp-browser.p12 - idp_encryption: - file: ./secrets/idp/idp-encryption.key - idp_signing: - file: ./secrets/idp/idp-signing.key - idp_sealer: - file: ./secrets/idp/sealer.jks \ No newline at end of file diff --git a/idp/Dockerfile b/idp/Dockerfile deleted file mode 100644 index cd614e1..0000000 --- a/idp/Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -FROM unicon/shibboleth-idp@sha256:397941df7098b44c939b6d7e0a94afde627a79c27863e0a99f4ae8d8ec069134 - -ARG TENANT -ARG IDP_ENV - -COPY common/shibboleth-idp/ /opt/shibboleth-idp/ -COPY common/shib-jetty-base/ /opt/shib-jetty-base/ - -COPY ${TENANT}/shibboleth-idp/ /opt/shibboleth-idp/ - -COPY styling/main.css /opt/shibboleth-idp/webapp/css/main.css -COPY styling/dummylogo.png /opt/shibboleth-idp/webapp/images/dummylogo.png -COPY styling/login.vm /opt/shibboleth-idp/views/login.vm -COPY styling/error.vm /opt/shibboleth-idp/views/error.vm - -# Update metadata for deploy target -COPY metadata/*.xml /opt/shibboleth-idp/metadata/ - -COPY entrypoint.sh . - -RUN chmod +x entrypoint.sh - -ENTRYPOINT ["./entrypoint.sh"] diff --git a/idp/common/shib-jetty-base/start.d/backchannel.ini b/idp/common/shib-jetty-base/start.d/backchannel.ini deleted file mode 100644 index 1a91571..0000000 
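Review bot: The idp service gates on `ldap` being `service_healthy`, but nothing in this hunk defines a healthcheck for ldap, and the image's own check (if that is what satisfies the condition) would pass as soon as dscontainer answers, before `dsconf ... backend create` and `ldapadd` have run, so the IdP can start against an empty directory. Declaring a healthcheck that succeeds only once the suffix is populated closes that gap, and `set -em` instead of `set -m` makes a failed backend create or ldapadd stop the container rather than letting `fg` keep an empty server running. Separately, both new `image:` references use mutable tags where the deleted idp/Dockerfile pinned its base by digest; pinning by digest would keep the test stack reproducible and the pulled images auditable.
```yaml
  ldap:
    image: "389ds/dirsrv:3.1"
    # … unchanged: container_name, env_file …
    command:
      - /bin/bash
      - -c
      - |
        set -em
        # … unchanged: start dscontainer, wait loop, backend create, ldapadd, fg …
    healthcheck:
      # Healthy only once the suffix entry exists, i.e. after ldapadd has loaded pass.ldif
      # (assumes pass.ldif creates the suffix root entry — confirm)
      test: 'ldapsearch -x -H ldap://localhost:3389 -b "$$DS_SUFFIX_NAME" -s base "(objectClass=*)" >/dev/null || exit 1'
      start_period: 60s
      interval: 5s
    # … unchanged: volumes, networks …
```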
--- a/idp/common/shib-jetty-base/start.d/backchannel.ini +++ /dev/null @@ -1,8 +0,0 @@ ---module=backchannel - -jetty.backchannel.port=8443 -jetty.backchannel.sslContext.keyStorePath=/run/secrets/idp_backchannel -jetty.backchannel.sslContext.keyStoreType=PKCS12 - -# specified by $IDP_HOME/ext-conf/idp-secrets.properties or the 'docker run' command line -# jetty.backchannel.sslContext.keyStorePassword=CHANGEME \ No newline at end of file diff --git a/idp/common/shib-jetty-base/start.d/ssl.ini b/idp/common/shib-jetty-base/start.d/ssl.ini deleted file mode 100644 index 0e2cc1a..0000000 --- a/idp/common/shib-jetty-base/start.d/ssl.ini +++ /dev/null @@ -1,7 +0,0 @@ ---module=ssl -jetty.ssl.port=4443 -jetty.sslContext.keyStorePath=/run/secrets/idp_browser -jetty.sslContext.keyStoreType=PKCS12 - -# specified by $IDP_HOME/ext-conf/idp-secrets.properties or the 'docker run' command line -# jetty.sslContext.keyStorePassword=$JETTY_BROWSER_SSL_KEYSTORE_PASSWORD \ No newline at end of file diff --git a/idp/common/shibboleth-idp/conf/attribute-filter.xml b/idp/common/shibboleth-idp/conf/attribute-filter.xml deleted file mode 100644 index c1d4793..0000000 --- a/idp/common/shibboleth-idp/conf/attribute-filter.xml +++ /dev/null @@ -1,67 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/idp/common/shibboleth-idp/conf/attribute-resolver.xml b/idp/common/shibboleth-idp/conf/attribute-resolver.xml deleted file mode 100644 index 112e6e6..0000000 --- a/idp/common/shibboleth-idp/conf/attribute-resolver.xml +++ /dev/null @@ -1,296 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file 
diff --git a/idp/common/shibboleth-idp/conf/cas-protocol.xml b/idp/common/shibboleth-idp/conf/cas-protocol.xml deleted file mode 100644 index 1169141..0000000 --- a/idp/common/shibboleth-idp/conf/cas-protocol.xml +++ /dev/null @@ -1,54 +0,0 @@ - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/idp/common/shibboleth-idp/conf/ldap.properties b/idp/common/shibboleth-idp/conf/ldap.properties deleted file mode 100644 index 3dc9cd5..0000000 --- a/idp/common/shibboleth-idp/conf/ldap.properties +++ /dev/null 
@@ -1,58 +0,0 @@
-# LDAP authentication configuration, see authn/ldap-authn-config.xml
-
-## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
-#idp.authn.LDAP.authenticator = anonSearchAuthenticator
-
-## Connection properties ##
-idp.authn.LDAP.ldapURL = ldap://ldap:389
-idp.authn.LDAP.useStartTLS = false
-idp.authn.LDAP.useSSL = false
-idp.authn.LDAP.connectTimeout = 60000
-
-## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
-#idp.authn.LDAP.sslConfig = certificateTrust
-## If using certificateTrust above, set to the trusted certificate's path
-idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
-## If using keyStoreTrust above, set to the truststore path
-idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
-
-## Return attributes during authentication
-## NOTE: this is not used during attribute resolution; configure that directly in the
-## attribute-resolver.xml configuration via a DataConnector's element
-idp.authn.LDAP.returnAttributes = cn,businessCategory,mail
-
-## DN resolution properties ##
-
-# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
-# for AD: CN=Users,DC=example,DC=org
-idp.authn.LDAP.baseDN = ou=people,dc=pass
-#idp.authn.LDAP.subtreeSearch = false
-idp.authn.LDAP.userFilter = (uid={user})
-# bind search configuration
-# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
-idp.authn.LDAP.bindDN = cn=admin,dc=pass
-idp.authn.LDAP.bindDNCredential = password
-
-# Format DN resolution, used by directAuthenticator, adAuthenticator
-# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
-idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=pass
-
-# LDAP attribute configuration, see attribute-resolver.xml
-idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
-idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN}
-idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN}
-idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential}
-idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
-idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates}
-idp.attribute.resolver.LDAP.searchFilter = (uid=$requestContext.principalName)
-
-# LDAP pool configuration, used for both authn and DN resolution
-#idp.pool.LDAP.minSize = 3
-#idp.pool.LDAP.maxSize = 10
-#idp.pool.LDAP.validateOnCheckout = false
-#idp.pool.LDAP.validatePeriodically = true
-#idp.pool.LDAP.validatePeriod = 300
-#idp.pool.LDAP.prunePeriod = 300
-#idp.pool.LDAP.idleTime = 600
-#idp.pool.LDAP.blockWaitTime = 3000
-#idp.pool.LDAP.failFastInitialize = false
diff --git a/idp/common/shibboleth-idp/conf/logback.xml b/idp/common/shibboleth-idp/conf/logback.xml
deleted file mode 100644
index 7440bf7..0000000
--- a/idp/common/shibboleth-idp/conf/logback.xml
+++ /dev/null
@@ -1,179 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - UTF-8 - %date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short} - - - - - - - VelocityStatusMatcher - ResourceManager : unable to find resource 'status.vm' in any resource loader. - - VelocityStatusMatcher.matches(formattedMessage) - - DENY - - - - - - 0 - - - - - - WARN - - - ${idp.logfiles}/idp-warn.log - - - ${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz - ${idp.loghistory:-180} - - - - UTF-8 - %date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short} - - - - - - - VelocityStatusMatcher - ResourceManager : unable to find resource 'status.vm' in any resource loader. - - VelocityStatusMatcher.matches(formattedMessage) - - DENY - - - - - - ${idp.logfiles}/idp-audit.log - - - ${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz - ${idp.loghistory:-180} - - - - UTF-8 - %msg%n - - - - - - ${idp.logfiles}/idp-consent-audit.log - - - ${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz - ${idp.loghistory:-180} - - - - UTF-8 - %msg%n - - - - - - ${idp.fticks.loghost:-localhost} - ${idp.fticks.logport:-514} - AUTH - [%thread] %logger %msg - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/idp/common/shibboleth-idp/conf/metadata-providers.xml b/idp/common/shibboleth-idp/conf/metadata-providers.xml deleted file mode 100644 index f790ba4..0000000 --- a/idp/common/shibboleth-idp/conf/metadata-providers.xml +++ /dev/null @@ -1,80 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/idp/common/shibboleth-idp/conf/relying-party.xml b/idp/common/shibboleth-idp/conf/relying-party.xml deleted file mode 100644 index 6a99926..0000000 --- a/idp/common/shibboleth-idp/conf/relying-party.xml +++ /dev/null @@ -1,79 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
diff --git a/idp/common/shibboleth-idp/credentials/idp-backchannel.crt b/idp/common/shibboleth-idp/credentials/idp-backchannel.crt deleted file mode 100644 index c1f8fab..0000000 --- a/idp/common/shibboleth-idp/credentials/idp-backchannel.crt +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy -MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH -YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M -SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2 -03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No -5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+ -XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud -DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac -ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98 -NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl -j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP -IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E -t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM= ------END CERTIFICATE----- diff --git a/idp/common/shibboleth-idp/credentials/idp-encryption.crt b/idp/common/shibboleth-idp/credentials/idp-encryption.crt deleted file mode 100644 index 15d764f..0000000 --- a/idp/common/shibboleth-idp/credentials/idp-encryption.crt +++ /dev/null 
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy -MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD -cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ -l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG -ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8 -9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX -VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud -DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni -QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN -jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r -xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8 -+PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H -p+tGUbGS2l873J5PrsbpeKEVR/IIoKo= ------END CERTIFICATE----- diff --git a/idp/common/shibboleth-idp/credentials/sealer.kver b/idp/common/shibboleth-idp/credentials/sealer.kver deleted file mode 100644 index d64b0e4..0000000 --- a/idp/common/shibboleth-idp/credentials/sealer.kver +++ /dev/null @@ -1,2 +0,0 @@ -#Fri Dec 11 02:20:32 UTC 2015 -CurrentVersion=1 diff --git a/idp/config/shib-idp/conf/attribute-filter.xml b/idp/config/shib-idp/conf/attribute-filter.xml new file mode 100644 index 0000000..5bd0506 --- /dev/null +++ b/idp/config/shib-idp/conf/attribute-filter.xml @@ -0,0 +1,200 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/idp/config/shib-idp/conf/attribute-resolver.xml b/idp/config/shib-idp/conf/attribute-resolver.xml new file mode 100644 index 0000000..4faf30b --- /dev/null +++ b/idp/config/shib-idp/conf/attribute-resolver.xml @@ -0,0 +1,279 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/idp/config/shib-idp/conf/idp.properties b/idp/config/shib-idp/conf/idp.properties new file mode 100644 index 0000000..a096d44 --- /dev/null +++ b/idp/config/shib-idp/conf/idp.properties 
@@ -0,0 +1,230 @@
+# Auto-load all files matching conf/**/*.properties
+# Disable if you want to manually maintain a list of sources.
+idp.searchForProperties=true
+
+# Load any "outside-tree" property sources from a comma-delimited list
+idp.additionalProperties=/credentials/secrets.properties
+
+# In most cases (and unless noted in the surrounding comments) the
+# commented settings in the distributed files document default behavior.
+# Uncomment them and change the value to change functionality.
+#
+# Uncommented properties are either required or ship non-defaulted.
+
+# Set the entityID of the IdP
+idp.entityID=IDP_HOST/idp/shibboleth
+
+# Set the file path which backs the IdP's own metadata publishing endpoint at /shibboleth.
+# Set to empty value to disable and return a 404.
+#idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml
+
+# Set the scope used in the attribute resolver for scoped attributes
+idp.scope=johnshopkins.edu
+
+# General cookie properties (maxAge only applies to persistent cookies)
+#idp.cookie.secure = true
+#idp.cookie.httpOnly = true
+#idp.cookie.domain =
+#idp.cookie.path =
+#idp.cookie.maxAge = 31536000
+# These control operation of the SameSite filter, which is off by default.
+#idp.cookie.sameSite = None
+#idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE
+
+# Enable cross-site request forgery mitigation for views.
+idp.csrf.enabled=true
+# Name of the HTTP parameter that stores the CSRF token.
+#idp.csrf.token.parameter = csrf_token
+
+# HSTS/CSP response headers
+#idp.hsts = max-age=0
+# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing
+#idp.frameoptions = DENY
+# Content-Security-Policy value, set to match X-Frame-Options default
+#idp.csp = frame-ancestors 'none';
+
+# Set the location of user-supplied web flow definitions
+#idp.webflows = %{idp.home}/flows
+
+# Set the location of Velocity view templates
+#idp.views = %{idp.home}/views
+
+# Settings for internal AES encryption key
+#idp.sealer.keyStrategy = shibboleth.DataSealerKeyStrategy
+#idp.sealer.storeType = JCEKS
+#idp.sealer.updateInterval = PT15M
+#idp.sealer.aliasBase = secret
+idp.sealer.storeResource=%{idp.home}/credentials/sealer.jks
+idp.sealer.versionResource=%{idp.home}/credentials/sealer.kver
+
+# Settings for public/private signing and encryption key(s)
+# During decryption key rollover, point the ".2" properties at a second
+# keypair, uncomment in credentials.xml, then publish it in your metadata.
+idp.signing.key=%{idp.home}/credentials/idp-signing.key
+idp.signing.cert=%{idp.home}/credentials/idp-signing.crt
+idp.encryption.key=%{idp.home}/credentials/idp-encryption.key
+idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
+#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
+#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
+
+# Sets the bean ID to use as a default security configuration set
+#idp.security.config = shibboleth.DefaultSecurityConfiguration
+
+# To downgrade to SHA-1, set to shibboleth.SigningConfiguration.SHA1
+#idp.signing.config = shibboleth.SigningConfiguration.SHA256
+
+# The new install default for encryption is now AES-GCM.
+idp.encryption.config=shibboleth.EncryptionConfiguration.GCM
+
+# Sets the default strategy for key agreement key wrap usage for credentials from metadata,
+# if not otherwise configured on the security configuration
+#idp.encryption.keyagreement.metadata.defaultUseKeyWrap = Default
+
+# Configures trust evaluation of keys used by services at runtime
+# Internal default is Chaining, overriden for new installs
+idp.trust.signatures=shibboleth.ExplicitKeySignatureTrustEngine
+# Other options:
+# shibboleth.ChainingSignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
+idp.trust.certificates=shibboleth.ExplicitKeyX509TrustEngine
+# Other options:
+# shibboleth.ChainingX509TrustEngine, shibboleth.PKIXX509TrustEngine
+
+# If true, encryption will happen whenever a key to use can be located, but
+# failure to encrypt won't result in request failure.
+#idp.encryption.optional = false
+
+# Configuration of client- and server-side storage plugins
+#idp.storage.cleanupInterval = PT10M
+idp.storage.htmlLocalStorage=true
+
+# Set to true to expose more detailed errors in responses to SPs
+#idp.errors.detailed = false
+# Set to false to skip signing of SAML response messages that signal errors
+#idp.errors.signed = true
+# Name of bean containing a list of Java exception classes to ignore
+#idp.errors.excludedExceptions = ExceptionClassListBean
+# Name of bean containing a property set mapping exception names to views
+#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
+# Set if a different default view name for events and exceptions is needed
+#idp.errors.defaultView = error
+
+# Set to false to disable the IdP session layer
+#idp.session.enabled = true
+
+# Set to "shibboleth.StorageService" for server-side storage of user sessions
+#idp.session.StorageService = shibboleth.ClientSessionStorageService
+
+# Size of session IDs
+#idp.session.idSize = 32
+# Bind sessions to IP addresses
+#idp.session.consistentAddress = true
+# Inactivity timeout
+#idp.session.timeout = PT60M
+# Extra time to store sessions for logout
+#idp.session.slop = PT0S
+# Tolerate storage-related errors
+#idp.session.maskStorageFailure = false
+# Track information about SPs logged into
+idp.session.trackSPSessions=true
+# Support lookup by SP for SAML logout
+idp.session.secondaryServiceIndex=true
+# Length of time to track SP sessions
+#idp.session.defaultSPlifetime = PT2H
+
+# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
+#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
+
+# Default consent auditing formats
+#idp.consent.terms-of-use.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA
+#idp.consent.attribute-release.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA
+
+# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
+# to key user consent storage records (and set the attribute name)
+#idp.consent.attribute-release.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
+#idp.consent.attribute-release.userStorageKeyAttribute = uid
+#idp.consent.terms-of-use.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
+#idp.consent.terms-of-use.userStorageKeyAttribute = uid
+
+# Suffix of message property used as value of consent storage records when idp.consent.compareValues is true.
+# Defaults to text displayed to the user.
+#idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text
+
+# Flags controlling how built-in attribute consent feature operates
+#idp.consent.allowDoNotRemember = true
+#idp.consent.allowGlobal = true
+#idp.consent.allowPerAttribute = false
+
+# Whether attribute values and terms of use text are compared
+#idp.consent.compareValues = false
+# Maximum number of consent records for space-limited storage (e.g. cookies)
+#idp.consent.maxStoredRecords = 10
+# Maximum number of consent records for larger/server-side storage (0 = no limit)
+#idp.consent.expandedMaxStoredRecords = 0
+
+# Time in milliseconds to expire consent storage records.
+# Leave commented out for the default of infinite
+#idp.consent.storageRecordLifetime =
+
+# Path to use with External interceptor flow
+#idp.intercept.External.externalPath = contextRelative:intercept.jsp
+
+# Policies to use with Impersonate interceptor flow
+#idp.impersonate.generalPolicy = GeneralImpersonationPolicy
+#idp.impersonate.specificPolicy = SpecificImpersonationPolicy
+
+# Picks outbound bindings more sensibly than based on metadata order
+idp.bindings.inMetadataOrder=false
+
+# Whether to lookup metadata, etc. for every SP involved in a logout
+# for use by user interface logic; adds overhead so off by default.
+#idp.logout.elaboration = false
+
+# Whether to require logout requests/responses be signed/authenticated.
+#idp.logout.authenticated = true
+
+# Bean to determine whether user should be allowed to cancel logout
+#idp.logout.promptUser=shibboleth.Conditions.FALSE
+
+# Message freshness and replay cache tuning
+#idp.policy.messageLifetime = PT3M
+#idp.policy.clockSkew = PT3M
+
+# Set to custom bean for alternate storage of replay cache
+#idp.replayCache.StorageService = shibboleth.StorageService
+#idp.replayCache.strict = true
+
+# Toggles whether to allow outbound messages via SAML artifact
+#idp.artifact.enabled = true
+# Suppresses typical signing/encryption when artifact binding used
+#idp.artifact.secureChannel = true
+# May differ to direct SAML 2 artifact lookups to specific server nodes
+#idp.artifact.endpointIndex = 2
+# Set to custom bean for alternate storage of artifact map state
+#idp.artifact.StorageService = shibboleth.StorageService
+
+# Comma-delimited languages to use if not match can be found with the
+# browser-supported languages, defaults to an empty list.
+idp.ui.fallbackLanguages=en,fr,de
+
+# Storage service used by CAS protocol for chained proxy-granting tickets
+# and when using server-managed "simple" TicketService.
+# Defaults to shibboleth.StorageService (in-memory)
+# MUST be server-side storage (e.g. in-memory, memcached, database)
+#idp.cas.StorageService=shibboleth.StorageService
+
+# CAS service registry implementation class
+#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry
+
+# If true, CAS services provisioned with SAML metadata are identified via entityID
+#idp.cas.relyingPartyIdFromMetadata=false
+
+# F-TICKS auditing - set a salt to include hashed username
+#idp.fticks.federation = MyFederation
+#idp.fticks.condition = MyFTICKSCondition
+#idp.fticks.algorithm = SHA-256
+#idp.fticks.salt = somethingsecret
+#idp.fticks.loghost = localhost
+#idp.fticks.logport = 514
+
+# Set false if you want SAML bindings "spelled out" in audit log
+idp.audit.shortenBindings=true
diff --git a/idp/config/shib-idp/conf/ldap.properties b/idp/config/shib-idp/conf/ldap.properties
new file mode 100644
index 0000000..b3d776a
--- /dev/null
+++ b/idp/config/shib-idp/conf/ldap.properties
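Review bot: `idp.entityID=IDP_HOST/idp/shibboleth` near the top of the new idp.properties reads like a broken value unless the reader knows it is a placeholder that the `sed` in the idp `command` of eclipse-pass.local.yml rewrites at container start; add `# IDP_HOST is a placeholder, replaced by sed in eclipse-pass.local.yml when the container starts` directly above it. A short header comment naming which of the uncommented settings are site-specific (the templated entityID and `idp.scope` at least) versus carried over from the Shibboleth distribution template would make future upgrades of this copy easier to diff. `idp.additionalProperties=/credentials/secrets.properties` points outside the tree that the compose command copies into the container, so it presumably relies on a file shipped in the tier/shib-idp image; a one-line comment saying so would stop someone from trying to add it under idp/.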
@@ -0,0 +1,67 @@
+# LDAP authentication configuration, see authn/ldap-authn-config.xml
+# Note, this doesn't apply to the use of JAAS
+
+## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
+idp.authn.LDAP.authenticator = bindSearchAuthenticator
+
+## Connection properties ##
+idp.authn.LDAP.ldapURL=ldap://ldap:3389
+idp.authn.LDAP.useStartTLS = false
+# Time in milliseconds that connects will block
+#idp.authn.LDAP.connectTimeout = PT3S
+# Time in milliseconds to wait for responses
+#idp.authn.LDAP.responseTimeout = PT3S
+# Connection strategy to use when multiple URLs are supplied, either ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM
+#idp.authn.LDAP.connectionStrategy = ACTIVE_PASSIVE
+
+## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
+#idp.authn.LDAP.sslConfig = certificateTrust
+## If using certificateTrust above, set to the trusted certificate's path
+idp.authn.LDAP.trustCertificates=%{idp.home}/credentials/ldap-server.crt
+## If using keyStoreTrust above, set to the truststore path
+idp.authn.LDAP.trustStore=%{idp.home}/credentials/ldap-server.truststore
+
+## Return attributes during authentication
+idp.authn.LDAP.returnAttributes=passwordExpirationTime,loginGraceRemaining
+
+## DN resolution properties ##
+
+# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
+# for AD: CN=Users,DC=example,DC=org
+idp.authn.LDAP.baseDN=ou=people,dc=pass
+#idp.authn.LDAP.subtreeSearch = false
+idp.authn.LDAP.userFilter=(uid={user})
+# bind search configuration
+# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
+idp.authn.LDAP.bindDN=cn=Directory Manager
+
+# Format DN resolution, used by directAuthenticator, adAuthenticator
+# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
+idp.authn.LDAP.dnFormat=uid=%s,ou=people,dc=pass
+
+# pool passivator, either none, bind or anonymousBind
+#idp.authn.LDAP.bindPoolPassivator = none
+
+# LDAP attribute configuration, see
attribute-resolver.xml
+# Note, this likely won't apply to the use of legacy V2 resolver configurations
+idp.attribute.resolver.LDAP.ldapURL=%{idp.authn.LDAP.ldapURL}
+idp.attribute.resolver.LDAP.connectTimeout=%{idp.authn.LDAP.connectTimeout:PT3S}
+idp.attribute.resolver.LDAP.responseTimeout=%{idp.authn.LDAP.responseTimeout:PT3S}
+idp.attribute.resolver.LDAP.connectionStrategy=%{idp.authn.LDAP.connectionStrategy:ACTIVE_PASSIVE}
+idp.attribute.resolver.LDAP.baseDN=%{idp.authn.LDAP.baseDN:undefined}
+idp.attribute.resolver.LDAP.bindDN=%{idp.authn.LDAP.bindDN:undefined}
+idp.attribute.resolver.LDAP.useStartTLS=%{idp.authn.LDAP.useStartTLS:true}
+idp.attribute.resolver.LDAP.trustCertificates=%{idp.authn.LDAP.trustCertificates:undefined}
+idp.attribute.resolver.LDAP.searchFilter=(uid=$resolutionContext.principal)
+
+# LDAP pool configuration, used for both authn and DN resolution
+#idp.pool.LDAP.minSize = 3
+#idp.pool.LDAP.maxSize = 10
+#idp.pool.LDAP.validateOnCheckout = false
+#idp.pool.LDAP.validatePeriodically = true
+#idp.pool.LDAP.validatePeriod = PT5M
+#idp.pool.LDAP.validateDN =
+#idp.pool.LDAP.validateFilter = (objectClass=*)
+#idp.pool.LDAP.prunePeriod = PT5M
+#idp.pool.LDAP.idleTime = PT10M
+#idp.pool.LDAP.blockWaitTime = PT3S
diff --git a/idp/config/shib-idp/conf/metadata-providers.xml b/idp/config/shib-idp/conf/metadata-providers.xml
new file mode 100644
index 0000000..e072b1b
--- /dev/null
+++ b/idp/config/shib-idp/conf/metadata-providers.xml
@@ -0,0 +1,89 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/idp/config/shib-idp/metadata/idp-metadata.xml b/idp/config/shib-idp/metadata/idp-metadata.xml
new file mode 100644
index 0000000..f3a3fb9
--- /dev/null
+++ b/idp/config/shib-idp/metadata/idp-metadata.xml
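Review bot: `idp.authn.LDAP.useStartTLS = false` on a plain `ldap://ldap:3389` URL sends every user's password and the bind credential across the compose network unencrypted, and with no TLS in play the `idp.authn.LDAP.trustCertificates` / `trustStore` entries that follow are inert while `sslConfig` stays commented out. The resolver block inherits this: `idp.attribute.resolver.LDAP.useStartTLS=%{idp.authn.LDAP.useStartTLS:true}` reads as if it defaults to true but resolves to false here because the authn property is defined. Separately, `idp.authn.LDAP.bindDN=cn=Directory Manager` performs search-and-bind as the directory superuser; a dedicated read-only search account limited to `ou=people,dc=pass` is the least-privilege choice and bounds what a leaked `bindDNCredential` can do. If plaintext LDAP is deliberate for the local demo, record it next to the URL, e.g. `# Demo only: LDAP traffic is unencrypted on the compose network; set useStartTLS=true and sslConfig=certificateTrust before any non-local deployment`.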
@@ -0,0 +1,36 @@ + + + + localhost + + + + + +MIIDBDCCAeygAwIBAgIJAM2cyyljMfMnMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV +BAMMCWxvY2FsaG9zdDAeFw0yNDA4MTYxNDQxMTFaFw0yOTA4MTUxNDQxMTFaMBQx +EjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAKzSK7b0SetfH6rVihh3TAbyO9v+60jx6GvvvKkG+70ieGvowTkSQsk849+U +f33B4HkGn9x91flVuBigYKekrq+X8DSA9WadlHu6TmBokUuJM5rq8P37ooEzL97K +m5EAj0P6TBT8SRnjHjY/QI2zN+L6YeNtCt8hha6R1NmvnqisbiNf+3pBKuHTYr0K +On9+3HOCzRuimEw1lz0HaljrYlpgF32ef49zpdKeKqZJY5Q3YM8PlM8j8lVexSG0 +K9qSPfSuBRh+iPlwMzFQ2f/WTASkNnZ0wfStkK3KFkepUJVd3GVSFsjKXjLrvnJR +TCgQC//D2NxrSH8d4F8flD6JCf8CAwEAAaNZMFcwNgYDVR0RBC8wLYIJbG9jYWxo +b3N0hiBodHRwczovL2xvY2FsaG9zdC9pZHAvc2hpYmJvbGV0aDAdBgNVHQ4EFgQU +DqI9gGGOjAR3uSjv2/D5VzTVgM0wDQYJKoZIhvcNAQELBQADggEBAC+yeh7eVz/I +MQGhhav2SsRuUgCqGYpD6hVQVRNWVIKYt8zz346G7E3aCKuy5f6r56qaake1woBd +VbJ67lUY7o0A2XZRwZ4ZTZ2L4NF0wfWkBh5F4bcjgHKYhkfICySH0Y4gG08AqV5b +M2Fg6zLijIpWD3kKZZmqN8Xjlp/ro+HEs0GAuWZTJjxImbjebNRQhqjJg5Mcrvd2 +2c0srJq+fi7KCoL9Rl6Nh0gfbc4ruPFhyIX83U8jjItOhq/U8vHB2bftmvfjUqfQ +QPi3hyCpaiSVrhQs+wo2CD8BVkmWjL7hBzRjR/iXb7SQFKlOqcLdLHrwZ6Bw8VxS +eQcNE/3wu8k= + + + + + + + + + + diff --git a/idp/metadata/sp-metadata.xml b/idp/config/shib-idp/metadata/sp-metadata.xml similarity index 100% rename from idp/metadata/sp-metadata.xml rename to idp/config/shib-idp/metadata/sp-metadata.xml diff --git a/idp/config/tomcat/server.xml b/idp/config/tomcat/server.xml new file mode 100644 index 0000000..851b7a2 --- /dev/null +++ b/idp/config/tomcat/server.xml @@ -0,0 +1,29 @@ + + + + + + + + + + + + + + + + + + + diff --git a/idp/credentials/shib-idp/idp-encryption.crt b/idp/credentials/shib-idp/idp-encryption.crt new file mode 100644 index 0000000..cec9707 --- /dev/null +++ b/idp/credentials/shib-idp/idp-encryption.crt 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBDCCAeygAwIBAgIJAOfPrheG4i/ZMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV +BAMMCWxvY2FsaG9zdDAeFw0yNDA4MTYxNDQxMTFaFw0yOTA4MTUxNDQxMTFaMBQx +EjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAOaqpxttTpUDO8iA1DeMfDVvfW6AnTChoRp8aLDDVBjo6Wt+XwqF3ogQ3Sma +p2tfcnl+6wx3Gyydv410pl5LLDAdjdPfNzmuhQ72gJQNW5/JNdM0BG0U1w1ltTPk +MKdbD62An1I3gROOtBWmy0MU7bq9nlBL3DciIxtKN3eZFHiRkI6bfoVtUz9yM8gN +Qe6u+6Za2ukTZcTRpjPfPmuTXqMSUg1ZGOVV0u1oh1mfleccRqZNpZeeaTmrB66y +2jZMbxNyUdkvLoLBOvldzSbLe/86ED9mhHuZEQ5Pc8eA9pMLgLP8t7l3TetqB7tx +9AHpDZXD7OOYGKxq+hWnayX5NpECAwEAAaNZMFcwNgYDVR0RBC8wLYIJbG9jYWxo +b3N0hiBodHRwczovL2xvY2FsaG9zdC9pZHAvc2hpYmJvbGV0aDAdBgNVHQ4EFgQU +mkG82kaf1DqyVnsESoba2WLis4swDQYJKoZIhvcNAQELBQADggEBAMOTbF1tmAyc +f2Cj62Tk3OunIwFyFZEoQpsQcH1bj0GwBxHVdnUdo7akKHSY3UA3BVF+BYmfbY7V +XCpU1ErXmtNZzxXtAh+qCHzvlzmgZ5JIWHIT65wK3W05ALzkU2ad9YDzUe0/5DnA +0y2I338leXcuVHVniL7LjUCHtTjWrNdTVGtFvKWVsuYuCWv4THdz7tWtSu/4JIP9 +GFevtrr0cdModasTxU053hsHjTIlO/lPtjqj7X4HKK4u1Fm9weu76FDYgjOmJfEU +PLSZfQQAGEcpuI7Zzf1oXM6rnJYck/d3F6Re0Ko0hkOkROO4iclR71K+1b45eSgS +lNz0/Y1gcUQ= +-----END CERTIFICATE----- diff --git a/idp/credentials/shib-idp/idp-encryption.key b/idp/credentials/shib-idp/idp-encryption.key new file mode 100644 index 0000000..b7660bb --- /dev/null +++ b/idp/credentials/shib-idp/idp-encryption.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDmqqcbbU6VAzvI +gNQ3jHw1b31ugJ0woaEafGiww1QY6Olrfl8Khd6IEN0pmqdrX3J5fusMdxssnb+N +dKZeSywwHY3T3zc5roUO9oCUDVufyTXTNARtFNcNZbUz5DCnWw+tgJ9SN4ETjrQV +pstDFO26vZ5QS9w3IiMbSjd3mRR4kZCOm36FbVM/cjPIDUHurvumWtrpE2XE0aYz +3z5rk16jElINWRjlVdLtaIdZn5XnHEamTaWXnmk5qweusto2TG8TclHZLy6CwTr5 +Xc0my3v/OhA/ZoR7mREOT3PHgPaTC4Cz/Le5d03rage7cfQB6Q2Vw+zjmBisavoV +p2sl+TaRAgMBAAECggEAXDxVAfSdfZyDZVOOiH/Wkw932p33PSEEaLDis/wHPsaz +v9YSbwTEzSfhJ+e9loPeJJMJrjxaU2bo18mTVRU+ICdRNS2GybvtXORY2drVjnlI +2qFsO6ofrC3FXXCbu+//vuM10gx7wrRHcnj1wmc2AHweOAF9l1ZBL4Jn150QwHzC +LrDyuDP3cvaSOuOgoeacLex0f/O336QKH+OZMBdjmMrIO44a2iPo3oQg5L5ikTt2 +31JE/QgZTz/8+XV1b0kA+P00MhtnRtL5Wm/FLJxUcd1hrQQY31wIX3QweUGTUoNu ++/kBxxZzrcbdvCFHNpn5HGCJWnqszTAQcvx1itBTOQKBgQD3v26lHrlrEIQdLvCJ +0BOvjfkSKqSnvx+Ne3QhNhUi5irk1F93qDzBmxyZ65XD9nRhXo+OJiBNV61TUw/z +gXbV2XsTQIzaHGsCIDVTiLoNlNjkt9A5gZqfoY1OwBJsQb44aTAh7n3yOksT/9rh +10x3wXbq7rvW6w+4zVzm9kRlvwKBgQDuWZFgHuBMsdnG8u1xb/zd5gIQ1VQTRUqH +z7W3ou/E1LJuUDixZM9rwaaRV03CPFMGDneJ4aCW27Tx1A+yZa8CapzLNuRQWm+e +fPgan1LGIxbBkubJ28KzMW/fdhx/JCmwoNeqU2v6LYzL9tZmAMowShiNU8D4UKzY +4hnc38yXrwKBgQC4dVyRLjYJhAuJmvhW84ikrgUjRILBrqh0c9V8IMNN76dCJulJ +swZBdBawd1pTxDzUfk5OHQ7x5vTS1EZNHDh5cmqTY/07K+t0cryhjGxSTl/Ksx0i +o9+XOPZ4CsPsvGo/n/nJWcOGRWa+5kF24xE5HN9IfiV3GB7ljmm8QOGeCwKBgGrd +rdiy/05jz4jsEpnx5CZ5oiN6AqBBSRFrh8Y2P9q4oufjAAhJctaVlOFFi4+zDGaC +xgYEK8R37cEfm4oZHUawFmzmx6dfZPxie7s0BCDiSqmv+9o1ti4x1D8U7eHzjN2s +wAWWMauSELbCjY5efEj6b9et3a94PIdhmMb3cPvxAoGAXu4vsuRAOAbVmz6bG8Fx +oMS2kGGsv485v+jymohNw70fZO+rX3MW0pazSMEXCe5LyJGadCva3CE2lRKbTiaV +GH4h/3U/kgMS58ZUzt2uTQJ0MrvCsSWMGauW24eyOajzZ+LiCpNURYh3yU0qccpW +K7X7oICIttFI3Ipj9wUMNOs= +-----END PRIVATE KEY----- diff --git a/idp/credentials/shib-idp/idp-signing.crt b/idp/credentials/shib-idp/idp-signing.crt new file mode 100644 index 0000000..27d0018 --- /dev/null +++ b/idp/credentials/shib-idp/idp-signing.crt 
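Review bot: This hunk commits the IdP's SAML encryption private key in clear text under idp/credentials/shib-idp, and idp-signing.key, sealer.jks, secrets.properties and tomcat/keystore.jks in the following hunks do the same. The deleted JHU idp.properties further down loaded these from `/run/secrets/idp_signing`, `/run/secrets/idp_cert` and `/run/secrets/idp_encryption`, so the change moves key material from a secrets mount into the repository, where anyone with read access can decrypt assertions encrypted to this key or sign assertions as this IdP for any deployment that reuses the files. If these are strictly demo credentials, mark them so they are never promoted — secrets.properties already says "This should only be used for testing"; a matching line such as `# Demo-only key pairs checked into git; regenerate per environment before any non-local deployment` in secrets.properties, or a README note, would make that explicit for the .key and .jks files that cannot carry comments. Regenerating the pair also means replacing the corresponding idp-encryption.crt / idp-signing.crt and the certificate embedded in idp-metadata.xml together.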
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBDCCAeygAwIBAgIJAM2cyyljMfMnMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV +BAMMCWxvY2FsaG9zdDAeFw0yNDA4MTYxNDQxMTFaFw0yOTA4MTUxNDQxMTFaMBQx +EjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAKzSK7b0SetfH6rVihh3TAbyO9v+60jx6GvvvKkG+70ieGvowTkSQsk849+U +f33B4HkGn9x91flVuBigYKekrq+X8DSA9WadlHu6TmBokUuJM5rq8P37ooEzL97K +m5EAj0P6TBT8SRnjHjY/QI2zN+L6YeNtCt8hha6R1NmvnqisbiNf+3pBKuHTYr0K +On9+3HOCzRuimEw1lz0HaljrYlpgF32ef49zpdKeKqZJY5Q3YM8PlM8j8lVexSG0 +K9qSPfSuBRh+iPlwMzFQ2f/WTASkNnZ0wfStkK3KFkepUJVd3GVSFsjKXjLrvnJR +TCgQC//D2NxrSH8d4F8flD6JCf8CAwEAAaNZMFcwNgYDVR0RBC8wLYIJbG9jYWxo +b3N0hiBodHRwczovL2xvY2FsaG9zdC9pZHAvc2hpYmJvbGV0aDAdBgNVHQ4EFgQU +DqI9gGGOjAR3uSjv2/D5VzTVgM0wDQYJKoZIhvcNAQELBQADggEBAC+yeh7eVz/I +MQGhhav2SsRuUgCqGYpD6hVQVRNWVIKYt8zz346G7E3aCKuy5f6r56qaake1woBd +VbJ67lUY7o0A2XZRwZ4ZTZ2L4NF0wfWkBh5F4bcjgHKYhkfICySH0Y4gG08AqV5b +M2Fg6zLijIpWD3kKZZmqN8Xjlp/ro+HEs0GAuWZTJjxImbjebNRQhqjJg5Mcrvd2 +2c0srJq+fi7KCoL9Rl6Nh0gfbc4ruPFhyIX83U8jjItOhq/U8vHB2bftmvfjUqfQ +QPi3hyCpaiSVrhQs+wo2CD8BVkmWjL7hBzRjR/iXb7SQFKlOqcLdLHrwZ6Bw8VxS +eQcNE/3wu8k= +-----END CERTIFICATE----- diff --git a/idp/credentials/shib-idp/idp-signing.key b/idp/credentials/shib-idp/idp-signing.key new file mode 100644 index 0000000..65d27f6 --- /dev/null +++ b/idp/credentials/shib-idp/idp-signing.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCs0iu29EnrXx+q +1YoYd0wG8jvb/utI8ehr77ypBvu9Inhr6ME5EkLJPOPflH99weB5Bp/cfdX5VbgY +oGCnpK6vl/A0gPVmnZR7uk5gaJFLiTOa6vD9+6KBMy/eypuRAI9D+kwU/EkZ4x42 +P0CNszfi+mHjbQrfIYWukdTZr56orG4jX/t6QSrh02K9Cjp/ftxzgs0bophMNZc9 +B2pY62JaYBd9nn+Pc6XSniqmSWOUN2DPD5TPI/JVXsUhtCvakj30rgUYfoj5cDMx +UNn/1kwEpDZ2dMH0rZCtyhZHqVCVXdxlUhbIyl4y675yUUwoEAv/w9jca0h/HeBf +H5Q+iQn/AgMBAAECggEAT5u88VkUl+zInJwjMeP6TJTXCB8kaQSuKNJVWJNT8Sro +x+R+5XhI9YQr//jaxaZCbd2kVCBPKbzXwdhWzcKpiU93IehpoqxiEqCerABfNals +8SbaflSk5dkbawhvotrcI9cvptcUIW2ipCB87wkobFEkOGwpfuFlQCYDI4enkVCi +2vKnwIc3EK+DVOLW9LvhtmO8ETvSxObU53PmD8aKNzIV+wmbgGzniue0DZPWByj7 +NtwyAjn2+oLUZAS2h8aPBT64J62pfmoDovxBFlF875BgYwVegJtz4A32XwC+PUPl +TGqzIabNhVjFMorPigpr86lOICvxR29U6vQyK+QsCQKBgQDVAibXccrw+hdqYJtQ +kFI/6lbahzKECbjzu9pxV2rqU6gBnsOxsPvQf6p1TiTaCBcdukuv5ZcCSyERT4ZY +6K7ZVfpM1P8MWiXWOukso6dkxMmBSQjWtfWQ4a1Aa0PLoXZkSQnXndlXrLRb7bPv +X2luoT0NFcIGvsePDPFKpZG4wwKBgQDPs5cxqKFxeZNIjVxi9GY2Mq5oOM4JWTDj +qUMKoT/v0v00JIvM/sxt3L1tx6vjc49E9N5pd3h0+bt117crH5GbJb0Cp4/+6CvG +kkIX9vQiqMPfKqRoW5fdX4DaMcehPd1j6J9j39GL7dAcpBM5WPZXyEtWMIYWOq4d +m6zbiTl2FQKBgBEH8wMW3hsWY/jlcIWohGsH2ZnvZWKZRGh4hKa7TpkdxzkZ8Jus +gvXQv1hRvzCPpQmDc7nEqaZNS3+O1DcXo6NM9I5gGWRrcMsIOsyO6TttYI8tv78r +HU9QPAICkZEef9DU5iyPOmmALYuMHe7tughWbAM30iOn7VzKtCA7zMLxAoGAAXLG +JiF/5rOrVEEwGLyNjekykCV9QlFt5tiCUCupr3lwLJHoq6hHMqjsZTyUNUTUBe4T +MvcTTvWC2iKD83gH4uYTeFZEyclCrOLONS6Sqz80BnVcqiGhYHjPBDZ+puAwkAbK +Pb8MzgX9goWeYLL/HMOXyuURukv0dN5mCS3eybUCgYAIaf3kl/tCq3uEjRZJ3rv3 +Hdm29vr70UiJlpdCzaXJ3+k6zIVILw4X2I9354dS9CG8KRTzkSElMuR8FLbt0+zo +05PrtQ54SPMNTUr60QIBKSIS53M89nqEGJYJYUN+v+Eq0PB4uzWtm1UHO0voNGLQ +FZo0Ud+RocVfj22ncP/WmQ== +-----END PRIVATE KEY----- diff --git a/idp/credentials/shib-idp/sealer.jks b/idp/credentials/shib-idp/sealer.jks new file mode 100644 index 0000000..2dad6a7 Binary files /dev/null and b/idp/credentials/shib-idp/sealer.jks differ 
diff --git a/idp/credentials/shib-idp/sealer.kver b/idp/credentials/shib-idp/sealer.kver
new file mode 100644
index 0000000..aa1fae9
--- /dev/null
+++ b/idp/credentials/shib-idp/sealer.kver
@@ -0,0 +1,2 @@
+#Wed Mar 24 15:54:24 UTC 2021
+CurrentVersion=1
diff --git a/idp/credentials/shib-idp/secrets.properties b/idp/credentials/shib-idp/secrets.properties
new file mode 100644
index 0000000..ef936ad
--- /dev/null
+++ b/idp/credentials/shib-idp/secrets.properties
@@ -0,0 +1,13 @@
+# This should only be used for testing
+
+# Access to internal AES encryption key
+idp.sealer.storePassword = 71a42bf8-81b2-47ff-aa22-5bdc163304f2
+idp.sealer.keyPassword = 71a42bf8-81b2-47ff-aa22-5bdc163304f2
+
+# Default access to LDAP authn and attribute stores.
+idp.authn.LDAP.bindDNCredential = password
+idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}
+
+# Salt used to generate persistent/pairwise IDs, must be kept secret
+#idp.persistentId.salt = changethistosomethingrandom
+
diff --git a/idp/credentials/tomcat/keystore.jks b/idp/credentials/tomcat/keystore.jks
new file mode 100644
index 0000000..adbf102
Binary files /dev/null and b/idp/credentials/tomcat/keystore.jks differ
diff --git a/idp/styling/dummylogo.png b/idp/dummylogo.png
similarity index 100%
rename from idp/styling/dummylogo.png
rename to idp/dummylogo.png
diff --git a/idp/entrypoint.sh b/idp/entrypoint.sh
deleted file mode 100755
index 22c5397..0000000
--- a/idp/entrypoint.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#! /bin/sh
-echo "IDP_HOST: $IDP_HOST"
-echo "SP_LOGIN: $SP_LOGIN"
-echo "Updating metadata files..."
-sed -i "s#https://pass.local#$IDP_HOST#g" /opt/shibboleth-idp/metadata/idp-metadata.xml
-sed -i "s#SP_LOGIN#$SP_LOGIN#g" /opt/shibboleth-idp/metadata/sp-metadata.xml
-sed -i "s#https://pass.local#$IDP_HOST#g" /opt/shibboleth-idp/conf/cas-protocol.xml
-sed -i "s#https://pass.local#$IDP_HOST#g" /opt/shibboleth-idp/conf/idp.properties
-
-echo "Starting Jetty"
-/usr/local/bin/run-jetty.sh
diff --git a/idp/jhu/shibboleth-idp/conf/idp.properties b/idp/jhu/shibboleth-idp/conf/idp.properties
deleted file mode 100644
index 403a2d4..0000000
--- a/idp/jhu/shibboleth-idp/conf/idp.properties
+++ /dev/null
@@ -1,210 +0,0 @@ -# -# Copyright 2019 Johns Hopkins University -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# Load any additional property resources from a comma-delimited list -idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties - -# Set the entityID of the IdP -idp.entityID= https://pass.local/idp/shibboleth - -# Set the scope used in the attribute resolver for scoped attributes -idp.scope= johnshopkins.edu - -# General cookie properties (maxAge only applies to persistent cookies) -#idp.cookie.secure = false -#idp.cookie.httpOnly = true -#idp.cookie.domain = -#idp.cookie.path = -#idp.cookie.maxAge = 31536000 - -# Set the location of user-supplied web flow definitions -#idp.webflows = %{idp.home}/flows - -# Set the location of Velocity view templates -#idp.views = %{idp.home}/views - -# Settings for internal AES encryption key -#idp.sealer.storeType = JCEKS -#idp.sealer.updateInterval = PT15M -#idp.sealer.aliasBase = secret -idp.sealer.storeResource= /run/secrets/idp_sealer -idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver -idp.sealer.storePassword= password -idp.sealer.keyPassword= password - -# Settings for public/private signing and encryption key(s) -# During decryption key rollover, point the ".2" properties at a second -# keypair, uncomment in credentials.xml, then publish it in your metadata. 
-idp.signing.key= /run/secrets/idp_signing -idp.signing.cert= /run/secrets/idp_cert -idp.encryption.key= /run/secrets/idp_encryption -idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt -#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key -#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt - -# Sets the bean ID to use as a default security configuration set -#idp.security.config = shibboleth.DefaultSecurityConfiguration - -# To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1 -#idp.signing.config = shibboleth.SigningConfiguration.SHA256 - -# Configures trust evaluation of keys used by services at runtime -# Defaults to supporting both explicit key and PKIX using SAML metadata. -#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine -# To pick only one set to one of: -# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine -#idp.trust.certificates = shibboleth.ChainingX509TrustEngine -# To pick only one set to one of: -# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine - -# If true, encryption will happen whenever a key to use can be located, but -# failure to encrypt won't result in request failure. 
-#idp.encryption.optional = false - -# Configuration of client- and server-side storage plugins -#idp.storage.cleanupInterval = PT10M -#idp.storage.htmlLocalStorage = false - -# Set to true to expose more detailed errors in responses to SPs -idp.errors.detailed = true -# Set to false to skip signing of SAML response messages that signal errors -#idp.errors.signed = true -# Name of bean containing a list of Java exception classes to ignore -#idp.errors.excludedExceptions = ExceptionClassListBean -# Name of bean containing a property set mapping exception names to views -#idp.errors.exceptionMappings = ExceptionToViewPropertyBean -# Set if a different default view name for events and exceptions is needed -#idp.errors.defaultView = error - -# Set to false to disable the IdP session layer -#idp.session.enabled = true - -# Set to "shibboleth.StorageService" for server-side storage of user sessions -#idp.session.StorageService = shibboleth.ClientSessionStorageService -idp.session.StorageService = shibboleth.StorageService - -# Size of session IDs -#idp.session.idSize = 32 -# Bind sessions to IP addresses -#idp.session.consistentAddress = true -# Inactivity timeout -#idp.session.timeout = PT60M -# Extra time to store sessions for logout -#idp.session.slop = PT0S -# Tolerate storage-related errors -#idp.session.maskStorageFailure = false -# Track information about SPs logged into -#idp.session.trackSPSessions = false -# Support lookup by SP for SAML logout -#idp.session.secondaryServiceIndex = false -# Length of time to track SP sessions -#idp.session.defaultSPlifetime = PT2H - -# Regular expression matching login flows to enable, e.g. IPAddress|Password -idp.authn.flows= Password - -# Regular expression of forced "initial" methods when no session exists, -# usually in conjunction with the idp.authn.resolveAttribute property below. 
-#idp.authn.flows.initial = Password - -# Set to an attribute ID to resolve prior to selecting authentication flows; -# its values are used to filter the flows to allow. -#idp.authn.resolveAttribute = eduPersonAssurance - -# Default lifetime and timeout of various authentication methods -#idp.authn.defaultLifetime = PT60M -#idp.authn.defaultTimeout = PT30M - -# Whether to prioritize "active" results when an SP requests more than -# one possible matching login method (V2 behavior was to favor them) -#idp.authn.favorSSO = true - -# Whether to fail requests when a user identity after authentication -# doesn't match the identity in a pre-existing session. -#idp.authn.identitySwitchIsError = false - -# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent -#idp.consent.StorageService = shibboleth.ClientPersistentStorageService - -# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute -# to key user consent storage records (and set the attribute name) -#idp.consent.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey -#idp.consent.userStorageKeyAttribute = uid - -# Flags controlling how built-in attribute consent feature operates -#idp.consent.allowDoNotRemember = true -#idp.consent.allowGlobal = true -#idp.consent.allowPerAttribute = false - -# Whether attribute values and terms of use text are compared -#idp.consent.compareValues = false -# Maximum number of consent records for space-limited storage (e.g. cookies) -#idp.consent.maxStoredRecords = 10 -# Maximum number of consent records for larger/server-side storage (0 = no limit) -#idp.consent.expandedMaxStoredRecords = 0 - -# Time in milliseconds to expire consent storage records. -#idp.consent.storageRecordLifetime = P1Y - -# Whether to lookup metadata, etc. for every SP involved in a logout -# for use by user interface logic; adds overhead so off by default. -#idp.logout.elaboration = false - -# Whether to require logout requests be signed/authenticated. 
-#idp.logout.authenticated = true - -# Message freshness and replay cache tuning -#idp.policy.messageLifetime = PT3M -#idp.policy.clockSkew = PT3M - -# Set to custom bean for alternate storage of replay cache -#idp.replayCache.StorageService = shibboleth.StorageService - -# Toggles whether to allow outbound messages via SAML artifact -#idp.artifact.enabled = true -# Suppresses typical signing/encryption when artifact binding used -#idp.artifact.secureChannel = true -# May differ to direct SAML 2 artifact lookups to specific server nodes -#idp.artifact.endpointIndex = 2 -# Set to custom bean for alternate storage of artifact map state -#idp.artifact.StorageService = shibboleth.StorageService - -# Name of access control policy for various admin flows -idp.status.accessPolicy= AccessByIPAddress -idp.resolvertest.accessPolicy= AccessByIPAddress -idp.reload.accessPolicy= AccessByIPAddress - -# Comma-delimited languages to use if not match can be found with the -# browser-supported languages, defaults to an empty list. -idp.ui.fallbackLanguages= en,fr,de - -# Storage service used by CAS protocol -# Defaults to shibboleth.StorageService (in-memory) -# MUST be server-side storage (e.g. in-memory, memcached, database) -# NOTE that idp.session.StorageService requires server-side storage -# when CAS protocol is enabled -idp.cas.StorageService=shibboleth.StorageService - -# CAS service registry implementation class -#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry - -# Profile flows in which the ProfileRequestContext should be exposed -# in servlet request under the key "opensamlProfileRequestContext" -#idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO - -# F-TICKS auditing - set salt to include hashed username -#idp.fticks.federation=MyFederation -#idp.fticks.algorithm=SHA-256 -#idp.fticks.salt=somethingsecret 
diff --git a/idp/metadata/idp-metadata.xml b/idp/metadata/idp-metadata.xml deleted file mode 100644 index 548b0a7..0000000 --- a/idp/metadata/idp-metadata.xml +++ /dev/null 
@@ -1,232 +0,0 @@ - - - - - - - - - - johnshopkins.edu - - - - - - - -MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy -MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH -YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M -SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2 -03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No -5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+ -XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud -DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac -ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98 -NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl -j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP -IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E -t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM= - - - - - - - - - -MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB -CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx -MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g -u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2 -Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ -Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+ -MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs -uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV -HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl -ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB -CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X 
-sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s -RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ -Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B -DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i -s00xrv14zLifcc8oj5DYzOhYRifRXgHX - - - - - - - - - -MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy -MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD -cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ -l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG -ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8 -9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX -VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud -DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni -QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN -jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r -xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8 -+PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H -p+tGUbGS2l873J5PrsbpeKEVR/IIoKo= - - - - - - - - - - - - urn:mace:shibboleth:1.0:nameIdentifier - urn:oasis:names:tc:SAML:2.0:nameid-format:transient - - - - - - - - - - - - - johnshopkins.edu - - - - - - -MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy -MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH -YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M -SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2 
-03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No -5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+ -XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud -DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac -ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98 -NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl -j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP -IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E -t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM= - - - - - - - - - -MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB -CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx -MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g -u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2 -Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ -Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+ -MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs -uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV -HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl -ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB -CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X -sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s -RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ -Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B -DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i -s00xrv14zLifcc8oj5DYzOhYRifRXgHX - - - - - - - - - -MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy 
-MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD -cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ -l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG -ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8 -9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX -VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud -DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk -hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL -BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni -QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN -jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r -xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8 -+PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H -p+tGUbGS2l873J5PrsbpeKEVR/IIoKo= - - - - - - - - - - - - - diff --git a/idp/styling/error.vm b/idp/styling/error.vm deleted file mode 100644 index 1b39f6c..0000000 --- a/idp/styling/error.vm +++ /dev/null 
@@ -1,75 +0,0 @@ -## -## Velocity Template for error end-state -## -## Velocity context will contain the following properties -## flowRequestContext - the Spring Web Flow RequestContext -## profileRequestContext - root of context tree -## encoder - HTMLEncoder class -## request - HttpServletRequest -## response - HttpServletResponse -## environment - Spring Environment object for property resolution -## custom - arbitrary object injected by deployer -## -#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service")) -#set ($defaultTitleSuffix = $springMacroRequestContext.getMessage("idp.title.suffix", "Error")) -## -#if ($flowRequestContext) - ## This handles flow events, the most common case. - #set ($eventId = $flowRequestContext.getCurrentEvent().getId()) - #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "error")) - #set ($titleSuffix = $springMacroRequestContext.getMessage("${eventKey}.title", "$defaultTitleSuffix")) - #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "$defaultTitleSuffix: $eventId")) - #if ($eventId == "AccessDenied" or $eventId == "ContextCheckDenied") - $response.setStatus(403) - #elseif ($eventId == "AttributeReleaseRejected" || $eventId == "TermsRejected") - $response.setStatus(200) - #elseif ($eventKey == "unexpected" || $eventKey == "runtime-error" || $eventKey == "error") - $response.setStatus(500) - #else - $response.setStatus(400) - #end -#elseif ($exception) - ## This handles exceptions that reach the Spring-MVC exception handler. - #set ($eventId = $exception.getClass().getSimpleName()) - #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "error")) - #set ($titleSuffix = $springMacroRequestContext.getMessage("${eventKey}.title", "$defaultTitleSuffix")) - #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "$defaultTitleSuffix: $eventId")) -#else - ## This is a catch-all that theoretically shouldn't happen? 
- #set ($titleSuffix = $defaultTitleSuffix) - #set ($message = $springMacroRequestContext.getMessage("idp.message", "An unidentified error occurred.")) -#end -## - - - - - - $title - $titleSuffix - - - - - - - - - - - \ No newline at end of file diff --git a/idp/styling/login.vm b/idp/styling/login.vm deleted file mode 100644 index 51d5a2a..0000000 --- a/idp/styling/login.vm +++ /dev/null 
@@ -1,130 +0,0 @@ -## -## Velocity Template for DisplayUsernamePasswordPage view-state -## -## Velocity context will contain the following properties -## flowExecutionUrl - the form action location -## flowRequestContext - the Spring Web Flow RequestContext -## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) -## profileRequestContext - root of context tree -## authenticationContext - context with authentication request information -## authenticationErrorContext - context with login error state -## authenticationWarningContext - context with login warning state -## ldapResponseContext - context with LDAP state (if using native LDAP) -## rpUIContext - the context with SP UI information from the metadata -## extendedAuthenticationFlows - collection of "extended" AuthenticationFlowDescriptor objects -## passwordPrincipals - contents of the shibboleth.authn.Password.PrincipalOverride bean -## encoder - HTMLEncoder class -## request - HttpServletRequest -## response - HttpServletResponse -## environment - Spring Environment object for property resolution -## custom - arbitrary object injected by deployer -## -#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext')) -#set ($username = $authenticationContext.getSubcontext('net.shibboleth.idp.authn.context.UsernamePasswordContext', true).getUsername()) -#set ($passwordEnabled = false) -#if (!$passwordPrincipals or $passwordPrincipals.isEmpty() or $authenticationContext.isAcceptable($passwordPrincipals)) - #set ($passwordEnabled = true) -#end -## - - - - - - #springMessageText("idp.title", "Web Login Service") - - - - - - - - - - - - \ No newline at end of file diff --git a/idp/styling/main.css b/idp/styling/main.css deleted file mode 100644 index ee988ac..0000000 --- a/idp/styling/main.css +++ /dev/null 
@@ -1,154 +0,0 @@
-@import url('https://fonts.googleapis.com/css2?family=Roboto:wght@300;400;500;700&display=swap');
-
-* {
- margin: 0;
- padding: 0;
-}
-header, footer, section, nav {
- display: block;
-}
-html, body {
- height: 100%;
-}
-body {
- font-family: 'Roboto', san serif !important;
- font-size: 12px;
- line-height: 1.5;
- color: white;
- background: #3D3935;
-}
-a:link,
-a:visited {
- text-decoration: none;
- color: #717171;
-}
-img {
- max-width: 100%;
- margin-bottom: 12px;
-}
-
-.login-container {
- background: #3D3935;
-}
-
-#brand-logo {
- max-width: 450px;
-}
-
-#brand-header-title {
- font-weight: 200;
-}
-
-header {
- padding: 20px 0;
-}
-
-.logo img {
- border: none;
-}
-@media only screen and (max-width: 650px) {
- .logo img {
- display: none;
- }
- .logo {
- background: url(../images/dummylogo-mobile.png) no-repeat top center;
- display: block;
- height: 115px;
- width: 100px;
- margin: 0 auto;
- }
-}
-
-.content {
- overflow: hidden;
-}
-
-.column {
- float: left;
-}
-.column.one {
- width: 50%;
- margin-right: 48px;
-}
-
-form {
- width: 100%;
- padding-bottom: 21px;
-}
-form label { /* labels are hidden */
- font-weight: bold;
-}
-form legend {
- font-size:1.2em;
- margin-bottom: 12px;
-}
-.form-element-wrapper {
- margin-bottom: 12px;
-}
-.form-element {
- width: 100%;
- padding: 13px 12px;
- border: none;
- font-size: 14px;
- border-radius: 4px;
- -webkit-border-radius: 4px;
- -moz-border-radius: 4px;
-}
-.form-field {
- color: #B7B7B7;
- border: 1px solid #B7B7B7;
- border-radius: 0px;
-}
-.form-field-focus,
-.form-field:focus,
-input[type="text"]:focus {
- color: #333333;
- border-color: #333;
-}
-.form-button {
- border-radius: 0px;
- background: #F88D2B;
- box-sizing: content-box;
- -moz-box-sizing: content-box;
- color: #ffffff;
- cursor: pointer;
-}
-.form-button:hover {
- background: #E37108;
-}
-.form-error {
- padding: 0;
- color: #B61601;
-}
-
-.list-help {
- margin-top: 40px; /* offset padding on first anchor */
- list-style: none;
-}
-.list-help-item a {
- display: block;
- padding: 6px 0;
-}
-.item-marker {
- color: #be0000;
-}
-
-footer {
- color: #ffffff;
- font-size: 11px;
- background: #717171;
-}
-.footer-text {
- margin-bottom: 12px;
-}
-.footer-links a:link,
-.footer-links a:visited {
- color: #ffffff;
- font-weight: bold;
-}
-.footer-links a:after {
- content: "\00a0\00a0\00a0|\00a0\00a0";
-}
-.footer-links a.last:after {
- content: "";
-}
\ No newline at end of file
diff --git a/ldap/Dockerfile b/ldap/Dockerfile
deleted file mode 100644
index e9a640c..0000000
--- a/ldap/Dockerfile
+++ /dev/null
@@ -1,37 +0,0 @@
-FROM centos@sha256:2671f7a3eea36ce43609e9fe7435ade83094291055f1c96d9d1d1d7c0b986a5d
-
-MAINTAINER John Gasper
-
-ARG TENANT
-
-# Hack to handle change in CentOS mirror
-RUN sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-* \
- && sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
-
-RUN yum install -y epel-release \
- && yum update -y \
- && yum install -y 389-ds-base 389-adminutil \
- && yum clean all
-
-COPY common/ds-setup.inf /ds-setup.inf
-COPY ${TENANT}/users.ldif /users.ldif
-COPY entrypoint.sh .
-
-# The 389-ds setup will fail because the hostname can't reliable be determined, so we'll bypass it and then install.
-RUN useradd ldapadmin \
- && rm -fr /var/lock /usr/lib/systemd/system \
- # The 389-ds setup will fail because the hostname can't reliable be determined, so we'll bypass it and then install. \
- && sed -i 's/checkHostname {/checkHostname {\nreturn();/g' /usr/lib64/dirsrv/perl/DSUtil.pm \
- # Not doing SELinux \
- && sed -i 's/updateSelinuxPolicy($inf);//g' /usr/lib64/dirsrv/perl/* \
- # Do not restart at the end \
- && sed -i '/if (@errs = startServer($inf))/,/}/d' /usr/lib64/dirsrv/perl/* \
- && setup-ds.pl --silent --file /ds-setup.inf \
- && /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir \
- && sleep 10 \
- && ldapadd -H ldap:/// -f /users.ldif -x -D "cn=Directory Manager" -w password \
- && chmod +x entrypoint.sh
-
-EXPOSE 389
-
-ENTRYPOINT ["./entrypoint.sh"]
diff --git a/ldap/common/ds-setup.inf b/ldap/common/ds-setup.inf
deleted file mode 100644
index 2c145cf..0000000
--- a/ldap/common/ds-setup.inf
+++ /dev/null
@@ -1,28 +0,0 @@
-[General]
-AdminDomain =pass
-ConfigDirectoryAdminID = admin
-ConfigDirectoryAdminPwd = admin
-ConfigDirectoryLdapURL = ldap://localhost:389/o=NetscapeRoot
-FullMachineName = localhost
-ServerRoot = /usr/lib64/dirsrv
-SuiteSpotGroup = nobody
-SuiteSpotUserID = nobody
-
-[admin]
-Port = 9830
-ServerAdminID = admin
-ServerAdminPwd = admin
-ServerIpAddress = 0.0.0.0
-SysUser = nobody
-
-[slapd]
-AddOrgEntries = Yes
-AddSampleEntries = No
-InstallLdifFile = suggest
-RootDN = cn=Directory Manager
-RootDNPwd = password
-ServerIdentifier = dir
-ServerPort = 389
-SlapdConfigForMC = yes
-Suffix = dc=pass
-UseExistingMC = No
diff --git a/ldap/entrypoint.sh b/ldap/entrypoint.sh
deleted file mode 100644
index 22cec11..0000000
--- a/ldap/entrypoint.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir && tail -F /var/log/dirsrv/slapd-dir/access
diff --git a/ldap/jhu/users.ldif b/ldap/pass.ldif
similarity index 98%
rename from ldap/jhu/users.ldif
rename to ldap/pass.ldif
index 7da54a7..76d6475 100644
--- a/ldap/jhu/users.ldif
+++ b/ldap/pass.ldif
@@ -1,9 +1,12 @@
-dn: cn=admin,dc=pass
-objectClass: simpleSecurityObject
-objectClass: organizationalRole
-cn: admin
-userPassword: password
-description: LDAP administrator
+dn: dc=pass
+dc: pass
+description: PASS
+objectClass: top
+objectClass: domain
+
+dn: ou=People,dc=pass
+objectClass: organizationalUnit
+ou: People
 
 dn: uid=staff1,ou=People,dc=pass
 uid: staff1
@@ -780,4 +783,4 @@ eduPersonUniqueId: FAKE0020
 employeeNumber: 99000020
 displayName: tsande16@example.com
 employeeType: STAFF
-homeDirectory: /home/tsande16
\ No newline at end of file
+homeDirectory: /home/tsande16
diff --git a/secrets/idp/idp-backchannel.p12 b/secrets/idp/idp-backchannel.p12
deleted file mode 100644
index 112540a..0000000
Binary files a/secrets/idp/idp-backchannel.p12 and /dev/null differ
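Review bot: The first hunk of ldap/pass.ldif removes the `cn=admin,dc=pass` entry together with its `userPassword` and adds no replacement bind identity, so any client that still binds as that DN will fail after this commit; if the intent is that only the directory manager account is used from now on, a leading `# ` comment in pass.ldif stating that would save the next reader a search. The new `dc=pass` and `ou=People,dc=pass` entries look like the suffix and container entries that the deleted ds-setup.inf (`AddOrgEntries = Yes`) used to create, which is worth saying in the same comment. Nothing in this diff shows what imports pass.ldif now that the Dockerfile's `ldapadd ... -f /users.ldif` step is gone, so a comment naming the importing container or script would help too. The entries that follow are fixtures (`FAKE0020`, `example.com`), which the header could also state so nobody treats the directory as real identity data. The second hunk only restores the missing trailing newline.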
diff --git a/secrets/idp/idp-browser.p12 b/secrets/idp/idp-browser.p12
deleted file mode 100644
index 032be0b..0000000
Binary files a/secrets/idp/idp-browser.p12 and /dev/null differ
diff --git a/secrets/idp/idp-encryption.key b/secrets/idp/idp-encryption.key
deleted file mode 100644
index 8bb5cc6..0000000
--- a/secrets/idp/idp-encryption.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAgV79KN35k/Ipbsi4yeJQQFQlvmUVchFz2ELkYu73w3DuGund
-ZMYiS7GitFvPFTcYxUEa/D4A5Fq9vL8KB9a4JOKS7LMyw+PAwcw/eNqXiZf0uhZ7
-CCY5mh3AYeKWzYVOMqMLut4ipL7ba3GQBG6RK6OmfAs4lhMfLMsKGmBEBonz5K/T
-kVegp97cavvYDAXjxuNRq7Wa1BiLvsa53S9EoYeD6tHqv/TALFZSCFxGvPVnx/Cd
-pBXEzn6FrSHO9G+0y2ULMeGJzXJ6xi0lBHLLRcjy1/l7b+UjWRfPTjiMV1TYzb4B
-OQ2yW/YTDOFABaiPtW6PUKrccE4Y3P7DryMczQIDAQABAoIBAF/IflMllcUtw/Nb
-9USzpIscQh2nJaugtE5nqER/fT1cfU273Mjh0T6NtFMorjec5WAWBe6/0VVAwb3f
-C4QmO4xDnFhXjLxwAaT6nfvSi+O5d93XCxxLgNZUNL3ET7a2feELyoF+OdQT4sy3
-9dLyMdVHgtnQTQMAAVLeuQoyP+s+Zax4Gca6ln8QxIIvDoD7NITnpl8887Hghhzl
-CvKtRiPRtoI2JTXWgWuLI6xXfVsDvFT+Up+ki9TMLWLACcmMU1d+lUBOKIqhhQHG
-+np9iKxVausJwYaLwwT3h8SItNon7ltbV6kcqyZxMAA+uN8CVgIb5UaUrlW7Nvze
-1iUNudkCgYEAxpnBg8YxdEHFSMTqjEOYapn18cs3n32EBPtvPaUcvw3mGC1+ZVx1
-9WqnVsgykBOWI0qSBVF7Kke8yOqgqWtYQUFqLiMgCC9e/QcXnrm/bzAmKDgLVcCR
-KzgqU2ECQDkNSS0qeODjLGX4SEabDbLhN59WykHKM0i/RcrbhuvT1BcCgYEApsMD
-TFQBaiaEmLVm252piZf8b5g3DrUHeqGktHkHXTW4Iyyn8zEknoiCosk/Tej73zga
-cTT3zQgEh63DMC9Ag8IbIJiDpYLMkt1QvZYtq95E/94GVEfRRok6/pyagGYB351R
-PXcykrDyy26FSofmtaXU37Wxaj3ow+WROaPgULsCgYEArFoFScG3a2gkuRlDX8TN
-wj2o5lTxCbWY2+YEzR+8icWbGQJqPbb3G6uaW8LTtpt44Vm2zWzAEZo+KLMOCNmC
-tub5Kd8Lzm6l5brA8dvLWcgUZTT2CU5b7YEJomB+3pNkh0vuHwczv3Ui+j5kE4hY
-0bezT0W3H7iTXhNFXprMs7MCgYEAlIZn75l6URLRUjluzPdVQoktei72CpFNgflp
-+ps45dmskRd61mzUkqY+w8G+MiPqANu1IVLtyZz0e+tVRxsuuKsvAg8UYVtn3P5k
-pRaWwtaKWeFjfbkhOVOMSa0tJmK0FHfHHZmGX4ReGrXq3YDBCNQUDtOCmn9dSuyy
-NcYxSXUCgYB+yo6dg8nyHDSqKDdrQQiAKv7jNsbecQ/rYrt8l0n9FBiwn5R7v6kp
-afsimCVou5i06L2Cr5Xs+XSf11KVkDh+qM70ZFubWEsHCDrS1KrxUzfFbrQczKof
-qX7ZsBuOT72RwVEa8fpT6IZ6IpOOEPmUid/f2VM2aAcXgaF//vMjxA==
------END RSA PRIVATE KEY-----
diff --git a/secrets/idp/idp-signing.crt b/secrets/idp/idp-signing.crt
deleted file mode 100644
index 6a032c1..0000000
--- a/secrets/idp/idp-signing.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB
-CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx
-MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g
-u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2
-Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ
-Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+
-MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs
-uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV
-HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl
-ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB
-CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X
-sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s
-RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ
-Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B
-DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i
-s00xrv14zLifcc8oj5DYzOhYRifRXgHX
------END CERTIFICATE-----
diff --git a/secrets/idp/idp-signing.key b/secrets/idp/idp-signing.key
deleted file mode 100644
index 011c27c..0000000
--- a/secrets/idp/idp-signing.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7gu6eo4dua
-eLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2Z6dzJsul
-JZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJCb/Q6dYz
-RWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+MNkv6aId
-cHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBsuYlY7lEr
-89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABAoIBAGpInLarQ0+X+ZXK
-+aoC+tNO9DUiHq/z2OD4ALGhXSTvr4mgBWNWTkc0F+qJD8MlM8zNkJxaoNGTyLjY
-Z95NQJPXAx2k15HwCENdulvV1oiX0dkTjgmscRmj6FwNAZ0EnWtien45mxZHxEyW
-FkbB9+OHc6JzNvzG9ps1Vk1FtFtO8w4exXuJVATJeArQmMvAUHMJYPb7Qs+/NX9R
-RlDvFfXDzQv5eAzudT1SyFSa5W+Bsw6BtEoeiqdp+xQh4yc733nwN7KG2Z/TpGse
-jVe6akbULuCXOe9uPa7kv8hnQEUH38QVlIw8pK1SsgNq7S0U44WU5uF8gbDBYle/
-OoPBvSECgYEAvCwVEa8ryLzee5FaX4PBxk10lEl/Yp9jC88wPUQ+ZpfniIIQIfwl
-csRE9D3/dJOVAxw/Ac32F72SLVDzLabAhlBRINYLB0ZkVuJi1CIoDHIf9nfh/pOx
-b96VMUe/mpAL4hZnZkmBKjesX5URPEKtBD0aSeCw9aFqhORjRrxCJg0CgYEAuNaD
-LOuTPKsC6nxRtiL9r0CA5gCCdpALxwJA7wHAeh03i5xmy61i4iOMaunxKZhG+nzz
-PhcI8Uhwwk+l3tbYAf1rrtmMKNcyjy+UqWXGt4ZkWFlIyIungyLiH9L32IMhXNF0
-fBgOZNtFTmQBU18a78uIir9xASUbtaakzOtJ2+cCgYAgfawVpZ11x8bSp0Jng6SN
-zQn4IMiyCrtbaqb1rTbpGAmOdIa8l4EP0/vkAGB/jIwKQXJPqXR4nO8EjBmxJD3R
-80RO2yaEVw80QVq3Lj6kB4ClWgXXo0DcBB7Wp4DZ+01R+HRaIQ8AbySATIjxUsH1
-HWfQoc9sWja+Q4Ew0YjKcQKBgGLoPsdBw8b6B5RsM9lPvgoSbScmbKl/CR5TwWVj
-vZhanAd0CLnCrSAvP4tSZf8JAio1xH+cGefrCJOhxTOKKYpfDklBFjQge2iNYHKJ
-CJ3aJ0XzePP/bwLIHtJCtOdBvA+L8VYaFVG418xLzT3MrYBVnFoKeTDQp5Q7eQJC
-gYJPAoGBAKHcuXWzvXoHKnOg8Ljg2xZ6/SfjwNDIIrpXVTAQifmK3q4+Ua2Q+Cjq
-97tPMxF2bVRcbnCSNKpTMOTrsWs8Z3GpMyCh6XgYMSlclXusDVUkRkPpWj8hVTR4
-opm/rxS83hCrTsIX3Il3T8Fpb97kdF+unCiWEaxrPEurjW8lB506
------END RSA PRIVATE KEY-----
diff --git a/secrets/idp/sealer.jks b/secrets/idp/sealer.jks
deleted file mode 100644
index 89957e0..0000000
Binary files a/secrets/idp/sealer.jks and /dev/null differ
diff --git a/secrets/sp/sp-cert.pem b/secrets/sp/sp-cert.pem
deleted file mode 100644
index 71bd521..0000000
--- a/secrets/sp/sp-cert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC6zCCAdOgAwIBAgIJAOy0nki3WAOVMA0GCSqGSIb3DQEBBQUAMBcxFTATBgNV
-BAMTDDc5OTQzZmVlNzg2NTAeFw0xNTEyMTEwMzAwNDJaFw0yNTEyMDgwMzAwNDJa
-MBcxFTATBgNVBAMTDDc5OTQzZmVlNzg2NTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBALPBzAz0DTn+j2YsQKfqWI+m08lP5UzwVsE9ZKzLqO3PRHZqiOBm
-EaFmRrYCZCAOcJ0TXcxPGtNSo8HC4uw5/Y5lJGuI3jN7X7KB1VUQDpUSwfgOqtro
-uDoVRKrsaYZTnlNV8KbZ0WQz5s4Uw6CxKRB9RZ5iQMP1fuxc8B6GSOb3x69MiY6c
-1jlgVAc6rV4zGfpafacxOLM8qcYhY8u3TiSd0H+oiGEqi1mFLK8yp6FKzX8OUkQf
-We49YHz6wBxFOe+/p+7ziym1rBs/lGfenEo8ziCIMmjnoo257fz00bcz9rFl1rTx
-KLFfgy72xTlG72l6u+pB9VqK3YNJS52Ns5UCAwEAAaM6MDgwFwYDVR0RBBAwDoIM
-Nzk5NDNmZWU3ODY1MB0GA1UdDgQWBBRiDMNPjiAMC50WWubI3PMjP45S/DANBgkq
-hkiG9w0BAQUFAAOCAQEAYZM/iWgC93vAq0d98egEzvESKodxHffkDOagd4Kxt/S0
-AAHsVQCmAK/9kmRhsWzR3f1KIw98q4EX7nH/K68BFrerUvaL5+fEGE9W6Ki6QdW8
-bM17GQkLyRDKZzGPm/hsaG1Oxru2kDf7qSvv59aRZlZ8skrDEnx8+dZ8JKC02ZDU
-ClC+xWl1UPfO2BL4tJei/siSymGpiRqznQ2JMoTFu5CUUpoxyCVz1bl9lCVceoJ9
-FaL38knS0p5DnXcm+I8wqNEVGLDPbDalBQryhJT9fIMm1/B85gB3AWAvcu9PPfHK
-lQQUhxyEXTBJx3luLlpIjoloFKIute9K7pE5qAENjg==
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/secrets/sp/sp-key.pem b/secrets/sp/sp-key.pem
deleted file mode 100644
index 8cd45e9..0000000
--- a/secrets/sp/sp-key.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzwcwM9A05/o9m
-LECn6liPptPJT+VM8FbBPWSsy6jtz0R2aojgZhGhZka2AmQgDnCdE13MTxrTUqPB
-wuLsOf2OZSRriN4ze1+ygdVVEA6VEsH4Dqra6Lg6FUSq7GmGU55TVfCm2dFkM+bO
-FMOgsSkQfUWeYkDD9X7sXPAehkjm98evTImOnNY5YFQHOq1eMxn6Wn2nMTizPKnG
-IWPLt04kndB/qIhhKotZhSyvMqehSs1/DlJEH1nuPWB8+sAcRTnvv6fu84sptawb
-P5Rn3pxKPM4giDJo56KNue389NG3M/axZda08SixX4Mu9sU5Ru9pervqQfVait2D
-SUudjbOVAgMBAAECggEBAK0pysTLsZYlmMSHar2XbjrsLecnVTA58ojy+HHRO2nj
-mgMs+7CYAvHlUcbyJLwQzQEz787qgWADowb8E5gXASBUZLJGxi738adHlVf9QN7w
-k/S/RG3fc+FYLa8uUTV6hfGnv00sVZ9etD/gFthM8c8VrqQ16EgdzWgq25G8MKx1
-dRHT7fRlehiwnuCvUc9dKEkeunaBfDp2QG+jI0aKrjeP+N/0zSyMDiySCr/yIwWn
-GmmYdDjNKXullZTDgRn25xfHsQJSVW+RbEFOwALt5+cqecN6NVI53u23XNov8liD
-YDkv8sGB1KlJYitGMTEuW21GwOgtjoUkBy83nmHoTAECgYEA5g6fQp3LCFN/c0W9
-Y68RwpQ1SHHCQXIJoajARzLzIqjou29Hgot/waYlFPbiqEI5pPy9cMBMu7LmVyEn
-evAPzVheeYrJGeJ1azhdIEQ0e+tLYAQKkVvTPjyfJmtz51g/tSnNzz4HEcOkW5K5
-jkt6UUel61d/JPGL9UbGEt3BtJUCgYEAyAcXn2TG1GOkriD2Q8PjN5tyhmEgJKI2
-LcHULclyJ+Gn2nNCg1EwAn7d/zptdwE+VoijW+VSbrRoZhsRUsh/doPZDtoaInFX
-fSsAY9LVeW7flavgliMz3I8zXcoIwOlTY8mZbrFv1jUX+GNRjmeIwpAqTuSOIS1w
-UG5P3yQlQwECgYBKHDvBwgM902gjQjwYeLVH8WaYx8zEOHBR24LVbNxWNgODHf3z
-V+z3/QXFEyNBANSBCcodIFWXwbHiL5QAToVIqUcF8GeIJyOcPrQBSPd/U/UcITEm
-UmZijjTWs5bK1+rt+WGLeXfdiSDRPxr3c+kbdfFFNxKGXCmyAfKc8UMNYQKBgGnG
-VleTkxD9IDh0dcWf8KeXLBijg7vbi4rm1KzhudwdGAYMrT+Dzz+ClyJAY2Jq5ewc
-lUYjHlQsUoisB50fKUgisMWJ0Agmp30pICupcfmlB9a97SV3uBUKJL+T9s0MlWxP
-TzOZ4OoFaYeP/bCwT0GTusu9UOt6e8oMi3AUTSABAoGAAKJh6VI/B4D6piPEKJmA
-dOvpDjQoqpKn3arWet6mcrP4ftcIpH/uj2Azp53cAtyszAHhluN7rbcBnXOLePQz
-AKAGupEsvFhlLUGoX1+lPfugzIukZKiMl8Koi/66Vf4Dfz4pWhc/oR2TOVZyzqhj
-HPxmTTEX5graPtXeDM3hz5A=
------END PRIVATE KEY-----