New parameters support
- add support of tranLogFormat attribute
- add possibility to configure OpenSAML.MessageDecoder
- make native_format param optional for attributes
Change-Id: Iba59e45cf35fb07e1edf07c3462ee182001ed4ae
Related-Bug: PROD-24385
diff --git a/README.rst b/README.rst
index 5fe15d6..dd7befd 100644
--- a/README.rst
+++ b/README.rst
@@ -14,14 +14,16 @@
enabled: true
app:
entity_id: http://${_param:proxy_vip_address_public}:5000
- signing: false
- encryption: false
+ signing: "false"
+ encryption: "false"
idp_url: "https://saml.example.com/oam/fed"
idp_metadata_url: "https://saml.example.com/oamfed/idp/metadata"
attributes:
- name: test
id: test
name_format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
+ - name: test1
+ id: test1
key: |
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDmM1NIxgQ3Y70Q
@@ -58,6 +60,20 @@
proxy: http://10.10.10.12:8888
+Shibboleth with Transaction logging
+==============
+
+.. code-block:: yaml
+
+ shibboleth:
+ server:
+ enabled: true
+ logging:
+ message_decoder: DEBUG
+ outofprocess:
+ tran_log_format: "%u|%a|%s|%SP|%IDP|%t|%b|%ac|%attr|%E|%e|%S|%SS|%SM|%URI|%URL|%UA|%app|%p|%n|%D|%d|%I|%II"
+
+
Override IdP metadata from file
==============
Sometimes the metadata is not publicly aviailable from IPD. You can define the metadata in pillar. In this case the idp_metadata_url parameter will be ignored.
diff --git a/shibboleth/files/attribute-map.xml b/shibboleth/files/attribute-map.xml
index ade6943..4daf654 100644
--- a/shibboleth/files/attribute-map.xml
+++ b/shibboleth/files/attribute-map.xml
@@ -144,7 +144,7 @@
{%- if server.attributes is defined %}
{%- for attribute in server.attributes %}
- <Attribute name="{{ attribute.name }}" nameFormat="{{ attribute.name_format }}" id="{{ attribute.id }}"/>
+ <Attribute name="{{ attribute.name }}" {% if attribute.name_format is defined %}nameFormat="{{ attribute.name_format }}"{% endif %} id="{{ attribute.id }}"/>
{%- if not loop.last %}
{%- endif %}
{%- endfor %}
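Review bot: Making `nameFormat` optional on the new `<Attribute>` line leaves undocumented what the SP does when a pillar attribute omits `name_format`; as far as I recall the Shibboleth SP then matches the attribute regardless of declared format (treating it as the "unspecified" format), but that should be confirmed against the SP attribute-map documentation before operators rely on it. A Jinja comment above the loop would capture it, e.g. `{#- name_format is optional; when omitted the SP applies its default nameFormat matching — see attribute-map docs #}`. A cosmetic side effect of the inline `{% if %}` is a double space before `id=` when the format is absent, which the XML parser tolerates.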
diff --git a/shibboleth/files/shibboleth2.xml b/shibboleth/files/shibboleth2.xml
index 574ca92..4036623 100644
--- a/shibboleth/files/shibboleth2.xml
+++ b/shibboleth/files/shibboleth2.xml
@@ -20,7 +20,7 @@
file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
-->
{%- if server.outofprocess is defined %}
- <OutOfProcess>
+ <OutOfProcess {% if server.outofprocess.tranlogformat is defined %}tranLogFormat="{{ server.outofprocess.tranlogformat }}"{% endif %}>
{%- if server.outofprocess.extensions is defined %}
<Extensions>
{%- if server.outofprocess.extensions.library is defined %}
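Review bot: The new `<OutOfProcess>` line reads `server.outofprocess.tranlogformat`, while the README example (line 43 of this diff) and the test pillar (line 192) both set `tran_log_format`, so the documented key is silently ignored and `tranLogFormat` is never rendered; the test pillar therefore does not exercise the attribute at all. One spelling has to win — the snake_case form matches the rest of the pillar schema (`idp_metadata_url`, `name_format`), so I would change the template to `<OutOfProcess {% if server.outofprocess.tran_log_format is defined %}tranLogFormat="{{ server.outofprocess.tran_log_format }}"{% endif %}>`. Note also that the value is interpolated into an XML attribute unescaped, so a format string containing `"` or `&` would break the file; the rest of this template follows the same pattern, so that is pre-existing rather than new. The enclosing `{%- if server.outofprocess is defined %}` block continues past the hunk.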
diff --git a/shibboleth/files/shibd.logger b/shibboleth/files/shibd.logger
new file mode 100644
index 0000000..7782abe
--- /dev/null
+++ b/shibboleth/files/shibd.logger
@@ -0,0 +1,73 @@
+{%- from "shibboleth/map.jinja" import server with context %}
+# set overall behavior
+log4j.rootCategory=INFO, shibd_log, warn_log
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+{% if server.get('logging', {}).message_decoder is defined %}
+log4j.category.OpenSAML.MessageDecoder={{ server.logging.message_decoder }}
+{%- endif %}
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+#log4j.category.XMLTooling.SOAPClient=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# logs XML being signed or verified if set to DEBUG
+log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
+log4j.additivity.XMLTooling.Signature.Debugger=false
+
+# the tran log blocks the "default" appender(s) at runtime
+# Level should be left at INFO for this category
+log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
+log4j.additivity.Shibboleth-TRANSACTION=false
+# uncomment to suppress particular event types
+#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN
+#log4j.category.Shibboleth-TRANSACTION.Login=WARN
+#log4j.category.Shibboleth-TRANSACTION.Logout=WARN
+
+# define the appenders
+
+log4j.appender.shibd_log=org.apache.log4j.RollingFileAppender
+log4j.appender.shibd_log.fileName=/var/log/shibboleth/shibd.log
+log4j.appender.shibd_log.maxFileSize=1000000
+log4j.appender.shibd_log.maxBackupIndex=10
+log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.shibd_log.layout.ConversionPattern={{ '%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n' }}
+
+log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
+log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log
+log4j.appender.warn_log.maxFileSize=1000000
+log4j.appender.warn_log.maxBackupIndex=10
+log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.warn_log.layout.ConversionPattern={{ '%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n' }}
+log4j.appender.warn_log.threshold=WARN
+
+log4j.appender.tran_log=org.apache.log4j.RollingFileAppender
+log4j.appender.tran_log.fileName=/var/log/shibboleth/transaction.log
+log4j.appender.tran_log.maxFileSize=1000000
+log4j.appender.tran_log.maxBackupIndex=20
+log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.tran_log.layout.ConversionPattern={{ '%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n' }}
+
+log4j.appender.sig_log=org.apache.log4j.FileAppender
+log4j.appender.sig_log.fileName=/var/log/shibboleth/signature.log
+log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.sig_log.layout.ConversionPattern=%m
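Review bot: The `message_decoder` value interpolated at the `OpenSAML.MessageDecoder` line is written into the log4j config without any validation or explanation, and per the template's own comment two lines above it, raising this category to DEBUG traces full SAML messages into shibd.log; since the README example sets `DEBUG`, operators copying it may leave verbose message tracing enabled in production. I would add a template comment above the block, e.g. `# message_decoder: log level for OpenSAML.MessageDecoder; DEBUG writes decoded SAML messages (assertions and attributes) to shibd.log, so enable only while troubleshooting`. Separately, `{% if server.get('logging', {}).message_decoder is defined %}` does not strip whitespace while the matching `{%- endif %}` does, which leaves a stray blank line in the rendered file; `{%- if` would match the file's other tags.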
diff --git a/shibboleth/server.sls b/shibboleth/server.sls
index 87ad1bc..60e314c 100644
--- a/shibboleth/server.sls
+++ b/shibboleth/server.sls
@@ -15,6 +15,16 @@
- service: apache_service
- service: shibboleth_service
+/etc/shibboleth/shibd.logger:
+ file.managed:
+ - source: salt://shibboleth/files/shibd.logger
+ - template: jinja
+ - require:
+ - pkg: apache_packages
+ - watch_in:
+ - service: apache_service
+ - service: shibboleth_service
+
{%- if server.idp_metadata_file is defined %}
/etc/shibboleth/idp-metadata.xml:
file.managed:
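Review bot: The new `/etc/shibboleth/shibd.logger` state is unconditional, so every deployment of this formula now replaces the package-shipped shibd.logger with the template's hard-coded appender paths and rotation settings, even when `server.logging` is not set in pillar — presumably an unintended change for existing users. If that is intended, a one-line comment saying so would help; otherwise wrapping the state in `{%- if server.logging is defined %}` … `{%- endif %}`, as the `idp_metadata_file` state below does, keeps the distribution defaults for everyone else. The state also sets no explicit `user`/`group`/`mode`; the Salt defaults are likely fine for a logger config, but matching whatever the sibling states in this file use would be consistent (they start outside the hunk, so I cannot check).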
diff --git a/tests/pillar/shibboleth.sls b/tests/pillar/shibboleth.sls
index 72b0f2e..2d18185 100644
--- a/tests/pillar/shibboleth.sls
+++ b/tests/pillar/shibboleth.sls
@@ -11,6 +11,10 @@
- name: test
id: test
name_format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
+ - name: test1
+ id: test1
+ logging:
+ message_decoder: DEBUG
idp_metadata_file: |
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
@@ -26,6 +30,7 @@
handlerssl: "false"
cookieprops: "http"
outofprocess:
+ tran_log_format: "%u|%a|%s|%SP|%IDP|%t|%b|%ac|%attr|%E|%e|%S|%SS|%SM|%URI|%URL|%UA|%app|%p|%n|%D|%d|%I|%II"
extensions:
library:
plugin1:
@@ -59,7 +64,8 @@
storageservicelite: "mc"
replaycache:
storageservice: "mc"
- replaycache:
+ artifactTTL: "180" #optional
+ artifactmap:
storageservice: "mc"
artifactTTL: "180" #optional
attributeresolver: