shibboleth/files/shibboleth2.xml - salt-formulas/shibboleth - Gitiles

 {%- from "shibboleth/map.jinja" import server with context %}
 <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
     xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     clockSkew="18000">

     <!--
     By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
     are used. See example-shibboleth2.xml for samples of explicitly configuring them.
     -->

     <!--
     To customize behavior for specific resources on Apache, and to link vhosts or
     resources to ApplicationOverride settings below, use web server options/commands.
     See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.

     For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
     file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
     -->
     {%- if server.outofprocess is defined %}
     <OutOfProcess>
     {%- if server.outofprocess.extensions is defined %}
       <Extensions>
     {%- if server.outofprocess.extensions.library is defined %}
        {%- for name, plugin in server.get('outofprocess', {}).get('extensions', {}).get('library', {}).iteritems() %}
         <Library path="{{ plugin.get('path', '') }}" fatal="{{ plugin.get('fatal', "true") }}"/>
        {%- endfor %}
     {%- endif %}
       </Extensions>
     {%- endif %}
     </OutOfProcess>
     {%- endif %}
     {%- if server.storageservice is defined %}
       {%- for id, attributes in server.get('storageservice').iteritems() %}
         {%- if attributes.type == "MEMCACHE" %}
      <StorageService type="MEMCACHE" id="{{ id }}" buildMap="{{ attributes.get('buildmap', "0") }}" sendTimeout="{{ attributes.get('sendtimeout', "999999") }}"
                 recvTimeout="{{ attributes.get('recvtimeout', "999999") }}" pollTimeout="{{ attributes.get('polltimeout', "1000") }}"
                 failLimit="{{ attributes.get('failtimeout', "5") }}"
                 prefix="{{ attributes.get('prefix', "SHIBD") }}" retryTimeout="{{ attributes.get('retrytimeout', "30") }}">
        <Hosts>
         {{ attributes.hosts }}
        </Hosts>
      </StorageService>
         {%- elif server.attributes.type == "Memory" %}
      <StorageService type="Memory" id="{{ id }}" cleanupInterval="{{ attributes.get('cleanupinterval', "900") }}"/>
         {%- endif %}
       {% endfor %}
     {%- endif %}
     {%- if server.sessioncache is defined %}
     <SessionCache type="{{ server.sessioncache.get('type', "StorageService") }}" cacheTimeout="{{ server.sessioncache.get('cachetimeout', "900") }}"
       StorageService="{{ server.sessioncache.get('storageservice', "mem") }}" {%- if server.sessioncache.storageservicelite is defined %}StorageServiceLite="{{ server.sessioncache.get('storageservicelite', "mem") }}"{%- endif %} />
     {%- endif %}
     {%- if server.replaycache is defined %}
     <ReplayCache StorageService="{{ server.replaycache.get('storageservice', "mem") }}"/>
     {%- endif %}
     {%- if server.artifactmap is defined %}
     <ArtifactMap StorageService="{{ server.artifactmap.get('storageservice', "mem") }}" artifactTTL="{{ server.artifactmap.get('artifactttl', "180") }}" />
     {%- endif %}
     <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
     {%- if server.app.entity_id is defined %}
     <ApplicationDefaults entityID="{{ server.app.entity_id }}" signing="{{ server.app.signing }}" encryption="{{ server.app.encryption }}">
     {%- else %}
     <ApplicationDefaults entityID="{{ server.keystone_protocol }}://{{ server.keystone_public_address }}:{{ server.keystone_port }}">
     {%- endif %}
         <!--
         Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
         You MUST supply an effectively unique handlerURL value for each of your applications.
         The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
         a relative value based on the virtual host. Using handlerSSL="true", the default, will force
         the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
         Note that while we default checkAddress to "false", this has a negative impact on the
         security of your site. Stealing sessions via cookie theft is much easier with this disabled.
         -->
         <Sessions lifetime="{{ server.get('sessions', {}).get('lifetime', 28800) }}" timeout="{{ server.get('sessions', {}).get('timeout', 3600) }}"
                   relayState="{{ server.get('sessions', {}).get('relaystate', "ss:mem") }}"
                   checkAddress="{{ server.get('sessions', {}).get('checkaddress', "false") }}" handlerSSL="{{ server.get('sessions', {}).get('handlerssl', "false") }}"
                   cookieProps="{{ server.get('sessions', {}).get('cookieprops', "http") }}">

             <!--
             Configures SSO for a default IdP. To allow for >1 IdP, remove
             entityID property and adjust discoveryURL to point to discovery service.
             (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
             You can also override entityID on /Login query string, or in RequestMap/htaccess.
             -->
             <SSO entityID="{{ server.idp_url }}" ECP="true">
               SAML2 SAML1
             </SSO>

             <!-- SAML and local-only logout. -->
             <Logout>SAML2 Local</Logout>

             <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

             <!-- Status reporting service. -->
             <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

             <!-- Session diagnostic service. -->
             <Handler type="Session" Location="/Session" showAttributeValues="true"/>

             <!-- JSON feed of discovery information. -->
             <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
         </Sessions>

         <!--
         Allows overriding of error template information/filenames. You can
         also add attributes with values that can be plugged into the templates.
         -->
         <Errors supportContact="root@localhost"
             helpLocation="/about.html"
             styleSheet="/shibboleth-sp/main.css"/>

         {%- if server.idp_metadata_file is defined %}
         <MetadataProvider type="XML" file="/etc/shibboleth/idp-metadata.xml"/>
         {% elif server.idp_metadata_url is defined %}
         <MetadataProvider type="XML" uri="{{ server.idp_metadata_url }}"
               backingFilePath="/var/cache/shibboleth/metadata.xml" reloadInterval="180000">
             {%- if server.idp_certificate is defined %}
             <MetadataFilter type="Signature" certificate="/etc/shibboleth/fedsigner.pem"/>
             {%- endif %}
             {%- if server.proxy is defined %}
             <TransportOption provider="CURL" option="10004">"{{ server.proxy }}"</TransportOption>
             {%- endif %}
         </MetadataProvider>
         {%- endif %}

         <!-- Example of locally maintained metadata. -->
         <!--
         <MetadataProvider type="XML" file="partner-metadata.xml"/>
         -->

         <!-- Map to extract attributes from SAML assertions. -->
         <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

         <!-- Use a SAML query if no attributes are supplied during SSO. -->
         <AttributeResolver type="Query" subjectMatch="true"/>

         {%- if server.attributeresolver is defined %}
         {%- if server.attributeresolver.transform is defined %}
         {%- for source, regex in server.get('attributeresolver', {}).get('transform', {}).iteritems() %}
          <AttributeResolver type="Transform" source="{{ source }}">
         {%- for match, attr in regex.iteritems() %}
         {%- if attr.destination_name is defined %}
              <Regex match="{{ attr.get('match', "") }}" dest="{{ attr.get('destination_name', "") }}">{{ attr.get('destination', "") }}</Regex>
                {% else %}
              <Regex match="{{ attr.get('match', "") }}" >{{ attr.get('destination', "") }}</Regex>
             {%- endif %}
           {%- endfor %}
           {%- endfor %}
         </AttributeResolver>
         {%- endif %}
         {%- endif %}

         <!-- Default filtering policy for recognized attributes, lets other data pass. -->
         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

         {%- if server.certificate is defined and server.key is defined %}
         <!-- Simple file-based resolver for using a single keypair. -->
         <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
         {%- endif %}

         <!--
         The default settings can be overridden by creating ApplicationOverride elements (see
         the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
         Resource requests are mapped by web server commands, or the RequestMapper, to an
         applicationId setting.

         Example of a second application (for a second vhost) that has a different entityID.
         Resources on the vhost would map to an applicationId of "admin":
         -->
         <!--
         <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
         -->
     </ApplicationDefaults>

     <!-- Policies that determine how to process and authenticate runtime messages. -->
     <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

     <!-- Low-level configuration about protocols and bindings available for use. -->
     <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

 </SPConfig>
	{%- from "shibboleth/map.jinja" import server with context %}
	<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
	xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
	xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
	clockSkew="18000">

	<!--
	By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
	are used. See example-shibboleth2.xml for samples of explicitly configuring them.
	-->

	<!--
	To customize behavior for specific resources on Apache, and to link vhosts or
	resources to ApplicationOverride settings below, use web server options/commands.
	See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.

	For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
	file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
	-->
	{%- if server.outofprocess is defined %}
	<OutOfProcess>
	{%- if server.outofprocess.extensions is defined %}
	<Extensions>
	{%- if server.outofprocess.extensions.library is defined %}
	{%- for name, plugin in server.get('outofprocess', {}).get('extensions', {}).get('library', {}).iteritems() %}
	<Library path="{{ plugin.get('path', '') }}" fatal="{{ plugin.get('fatal', "true") }}"/>
	{%- endfor %}
	{%- endif %}
	</Extensions>
	{%- endif %}
	</OutOfProcess>
	{%- endif %}
	{%- if server.storageservice is defined %}
	{%- for id, attributes in server.get('storageservice').iteritems() %}
	{%- if attributes.type == "MEMCACHE" %}
	<StorageService type="MEMCACHE" id="{{ id }}" buildMap="{{ attributes.get('buildmap', "0") }}" sendTimeout="{{ attributes.get('sendtimeout', "999999") }}"
	recvTimeout="{{ attributes.get('recvtimeout', "999999") }}" pollTimeout="{{ attributes.get('polltimeout', "1000") }}"
	failLimit="{{ attributes.get('failtimeout', "5") }}"
	prefix="{{ attributes.get('prefix', "SHIBD") }}" retryTimeout="{{ attributes.get('retrytimeout', "30") }}">
	<Hosts>
	{{ attributes.hosts }}
	</Hosts>
	</StorageService>
	{%- elif server.attributes.type == "Memory" %}
	<StorageService type="Memory" id="{{ id }}" cleanupInterval="{{ attributes.get('cleanupinterval', "900") }}"/>
	{%- endif %}
	{% endfor %}
	{%- endif %}
	{%- if server.sessioncache is defined %}
	<SessionCache type="{{ server.sessioncache.get('type', "StorageService") }}" cacheTimeout="{{ server.sessioncache.get('cachetimeout', "900") }}"
	StorageService="{{ server.sessioncache.get('storageservice', "mem") }}" {%- if server.sessioncache.storageservicelite is defined %}StorageServiceLite="{{ server.sessioncache.get('storageservicelite', "mem") }}"{%- endif %} />
	{%- endif %}
	{%- if server.replaycache is defined %}
	<ReplayCache StorageService="{{ server.replaycache.get('storageservice', "mem") }}"/>
	{%- endif %}
	{%- if server.artifactmap is defined %}
	<ArtifactMap StorageService="{{ server.artifactmap.get('storageservice', "mem") }}" artifactTTL="{{ server.artifactmap.get('artifactttl', "180") }}" />
	{%- endif %}
	<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
	{%- if server.app.entity_id is defined %}
	<ApplicationDefaults entityID="{{ server.app.entity_id }}" signing="{{ server.app.signing }}" encryption="{{ server.app.encryption }}">
	{%- else %}
	<ApplicationDefaults entityID="{{ server.keystone_protocol }}://{{ server.keystone_public_address }}:{{ server.keystone_port }}">
	{%- endif %}
	<!--
	Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
	You MUST supply an effectively unique handlerURL value for each of your applications.
	The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
	a relative value based on the virtual host. Using handlerSSL="true", the default, will force
	the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
	Note that while we default checkAddress to "false", this has a negative impact on the
	security of your site. Stealing sessions via cookie theft is much easier with this disabled.
	-->
	<Sessions lifetime="{{ server.get('sessions', {}).get('lifetime', 28800) }}" timeout="{{ server.get('sessions', {}).get('timeout', 3600) }}"
	relayState="{{ server.get('sessions', {}).get('relaystate', "ss:mem") }}"
	checkAddress="{{ server.get('sessions', {}).get('checkaddress', "false") }}" handlerSSL="{{ server.get('sessions', {}).get('handlerssl', "false") }}"
	cookieProps="{{ server.get('sessions', {}).get('cookieprops', "http") }}">

	<!--
	Configures SSO for a default IdP. To allow for >1 IdP, remove
	entityID property and adjust discoveryURL to point to discovery service.
	(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
	You can also override entityID on /Login query string, or in RequestMap/htaccess.
	-->
	<SSO entityID="{{ server.idp_url }}" ECP="true">
	SAML2 SAML1
	</SSO>

	<!-- SAML and local-only logout. -->
	<Logout>SAML2 Local</Logout>

	<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
	<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

	<!-- Status reporting service. -->
	<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

	<!-- Session diagnostic service. -->
	<Handler type="Session" Location="/Session" showAttributeValues="true"/>

	<!-- JSON feed of discovery information. -->
	<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
	</Sessions>

	<!--
	Allows overriding of error template information/filenames. You can
	also add attributes with values that can be plugged into the templates.
	-->
	<Errors supportContact="root@localhost"
	helpLocation="/about.html"
	styleSheet="/shibboleth-sp/main.css"/>

	{%- if server.idp_metadata_file is defined %}
	<MetadataProvider type="XML" file="/etc/shibboleth/idp-metadata.xml"/>
	{% elif server.idp_metadata_url is defined %}
	<MetadataProvider type="XML" uri="{{ server.idp_metadata_url }}"
	backingFilePath="/var/cache/shibboleth/metadata.xml" reloadInterval="180000">
	{%- if server.idp_certificate is defined %}
	<MetadataFilter type="Signature" certificate="/etc/shibboleth/fedsigner.pem"/>
	{%- endif %}
	{%- if server.proxy is defined %}
	<TransportOption provider="CURL" option="10004">"{{ server.proxy }}"</TransportOption>
	{%- endif %}
	</MetadataProvider>
	{%- endif %}

	<!-- Example of locally maintained metadata. -->
	<!--
	<MetadataProvider type="XML" file="partner-metadata.xml"/>
	-->

	<!-- Map to extract attributes from SAML assertions. -->
	<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

	<!-- Use a SAML query if no attributes are supplied during SSO. -->
	<AttributeResolver type="Query" subjectMatch="true"/>

	{%- if server.attributeresolver is defined %}
	{%- if server.attributeresolver.transform is defined %}
	{%- for source, regex in server.get('attributeresolver', {}).get('transform', {}).iteritems() %}
	<AttributeResolver type="Transform" source="{{ source }}">
	{%- for match, attr in regex.iteritems() %}
	{%- if attr.destination_name is defined %}
	<Regex match="{{ attr.get('match', "") }}" dest="{{ attr.get('destination_name', "") }}">{{ attr.get('destination', "") }}</Regex>
	{% else %}
	<Regex match="{{ attr.get('match', "") }}" >{{ attr.get('destination', "") }}</Regex>
	{%- endif %}
	{%- endfor %}
	{%- endfor %}
	</AttributeResolver>
	{%- endif %}
	{%- endif %}

	<!-- Default filtering policy for recognized attributes, lets other data pass. -->
	<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

	{%- if server.certificate is defined and server.key is defined %}
	<!-- Simple file-based resolver for using a single keypair. -->
	<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
	{%- endif %}

	<!--
	The default settings can be overridden by creating ApplicationOverride elements (see
	the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
	Resource requests are mapped by web server commands, or the RequestMapper, to an
	applicationId setting.

	Example of a second application (for a second vhost) that has a different entityID.
	Resources on the vhost would map to an applicationId of "admin":
	-->
	<!--
	<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
	-->
	</ApplicationDefaults>

	<!-- Policies that determine how to process and authenticate runtime messages. -->
	<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

	<!-- Low-level configuration about protocols and bindings available for use. -->
	<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

	</SPConfig>