Imported all shibboleth stuff from openstack-test05

This commit is contained in:
Egon Rijpkema 2018-08-10 16:15:48 +02:00
parent c6c947ce3c
commit 167d755724
12 changed files with 691 additions and 9 deletions

8
keystone/.gitignore vendored
View File

@ -1,8 +0,0 @@
# ---> Vim
[._]*.s[a-w][a-z]
[._]s[a-w][a-z]
*.un~
Session.vim
.netrwhist
*~

View File

@ -13,16 +13,36 @@ RUN set -x \
&& apt-get -y update \ && apt-get -y update \
&& apt-get -y install \ && apt-get -y install \
&& apt-get -y install keystone python-openstackclient \ && apt-get -y install keystone python-openstackclient \
&& apt-get -y install libapache2-mod-shib2 \
&& apt-get -y clean && apt-get -y clean
# set admin token TODO: make this a secret # set admin token TODO: make this a secret
# in volume of met env # in volume of met env
COPY keystone.conf /etc/keystone/keystone.conf COPY keystone.conf /etc/keystone/keystone.conf
COPY apache-keystone.conf /etc/apache2/sites-available/keystone.conf
COPY shibboleth2.xml /etc/shibboleth/shibboleth2.xml
COPY attribute-map.xml /etc/shibboleth/attribute-map.xml
COPY attribute-policy.xml /etc/shibboleth/attribute-policy.xml
COPY sso_callback_template.html /etc/keystone/sso_callback_template.html
RUN mkdir /var/run/shibboleth
COPY run.sh /etc/run.sh
RUN mkdir /etc/keystone/fernet-keys RUN mkdir /etc/keystone/fernet-keys
RUN chown keystone: /etc/keystone/fernet-keys RUN chown keystone: /etc/keystone/fernet-keys
RUN a2enmod shib2
COPY bootstrap.sh /etc/bootstrap.sh COPY bootstrap.sh /etc/bootstrap.sh
CMD apachectl -DFOREGROUND # Testing only!!!
RUN mkdir -p /var/www/html/secure
RUN apt-get -y install php libapache2-mod-php
COPY test.php /var/www/html/secure/test.php
CMD /etc/run.sh

View File

@ -0,0 +1,126 @@
LoadModule ssl_module modules/mod_ssl.so
Listen 5000
Listen 35357
<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
</Location>
Alias "/secure" "/var/www/html/secure"
<VirtualHost *:5000>
ServerName https://merlin.hpc.rug.nl:5000
SSLEngine on
SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
UseCanonicalName On
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LimitRequestBody 114688
# Added for federation.
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
<Location /Shibboleth.sso>
SetHandler shib
</Location>
<Location /v3/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/auth>
ShibRequestSetting requireSession 1
AuthType shibboleth
ShibExportAssertion Off
Require valid-user
<IfVersion < 2.4>
ShibRequireSession On
ShibRequireAll On
</IfVersion>
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
AuthType shibboleth
Require valid-user
ShibRequestSetting requireSession 1
ShibRequireSession On
ShibExportAssertion Off
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/websso/">
AuthType shibboleth
Require valid-user
</Location>
</VirtualHost>
<VirtualHost *:35357>
ServerName https://merlin.hpc.rug.nl:35357
SSLEngine on
SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
UseCanonicalName On
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LimitRequestBody 114688
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
Alias /identity_admin /usr/bin/keystone-wsgi-admin
<Location /identity_admin>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>

View File

@ -0,0 +1,30 @@
<?xml version="1.0"?>
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
</Attribute>
<Attribute name="eduPersonPrincipalName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="eppn"/>
<!-- Added for nikhef -->
<Attribute name="openstackGroupEntitlements" id="openstackGroupEntitlements" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-user"/>
<Attribute name="urn:oid:2.5.4.4" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-surName"/>
<Attribute name="urn:oid:2.5.4.42" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-givenName"/>
<Attribute name="urn:oid:2.5.4.3" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-commonName"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-displayName"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-email"/>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-HomeOrg"/>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-HomeOrgType"/>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-PersonalUnqiueCode"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-Affiliation"/>
<Attribute name="urn:oid:1.3.6.1.4.1.1466.115.121.1.15" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-ScopedAffiliation"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-Entitlement"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-eduPersonPN"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-memberOf"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-uid"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.39" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-language"/>
</Attributes>

View File

@ -0,0 +1,71 @@
<afp:AttributeFilterPolicyGroup
xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
xmlns:afp="urn:mace:shibboleth:2.0:afp"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- Shared rule for affiliation values. -->
<afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
<Rule xsi:type="AttributeValueString" value="faculty"/>
<Rule xsi:type="AttributeValueString" value="student"/>
<Rule xsi:type="AttributeValueString" value="staff"/>
<Rule xsi:type="AttributeValueString" value="alum"/>
<Rule xsi:type="AttributeValueString" value="member"/>
<Rule xsi:type="AttributeValueString" value="affiliate"/>
<Rule xsi:type="AttributeValueString" value="employee"/>
<Rule xsi:type="AttributeValueString" value="library-walk-in"/>
</afp:PermitValueRule>
<!--
Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
an AttributeRule for each attribute you want to check.
-->
<afp:PermitValueRule id="ScopingRules" xsi:type="basic:ANY"/>
<!-- # Hacked for Nikhef federation
<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
<Rule xsi:type="NOT">
<Rule xsi:type="AttributeValueRegex" regex="@"/>
</Rule>
<Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
</afp:PermitValueRule>
-->
<afp:AttributeFilterPolicy>
<!-- This policy is in effect in all cases. -->
<afp:PolicyRequirementRule xsi:type="ANY"/>
<!-- Filter out undefined affiliations and ensure only one primary. -->
<afp:AttributeRule attributeID="affiliation">
<afp:PermitValueRule xsi:type="AND">
<RuleReference ref="eduPersonAffiliationValues"/>
<RuleReference ref="ScopingRules"/>
</afp:PermitValueRule>
</afp:AttributeRule>
<afp:AttributeRule attributeID="unscoped-affiliation">
<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="primary-affiliation">
<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="eppn">
<afp:PermitValueRuleReference ref="ScopingRules"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="targeted-id">
<afp:PermitValueRuleReference ref="ScopingRules"/>
</afp:AttributeRule>
<!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->
<afp:AttributeRule attributeID="persistent-id">
<afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
</afp:AttributeRule>
<!-- Catch-all that passes everything else through unmolested. -->
<afp:AttributeRule attributeID="*">
<afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>

View File

@ -1,6 +1,7 @@
[DEFAULT] [DEFAULT]
verbose = true verbose = true
log_file = /var/log/keystone/keystone.log
[database] [database]
connection = mysql+pymysql://keystone:keystone@mariadb/keystone connection = mysql+pymysql://keystone:keystone@mariadb/keystone
@ -8,5 +9,15 @@ connection = mysql+pymysql://keystone:keystone@mariadb/keystone
[token] [token]
provider = fernet provider = fernet
[auth]
methods = password,token,mapped,openid,saml2
[federation]
trusted_dashboard = http://merlin.hpc.rug.nl/horizon/auth/websso/
sso_calback_template = /etc/keystone/sso_calback_template.html
[mapped]
remote_id_attribute = Shib-Identity-Provider
[identity] [identity]
default_domain_id = default default_domain_id = default

252
keystone/routers.py Normal file
View File

@ -0,0 +1,252 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import functools
from keystone.common import json_home
from keystone.common import wsgi
from keystone.federation import controllers
build_resource_relation = functools.partial(
json_home.build_v3_extension_resource_relation,
extension_name='OS-FEDERATION', extension_version='1.0')
build_parameter_relation = functools.partial(
json_home.build_v3_extension_parameter_relation,
extension_name='OS-FEDERATION', extension_version='1.0')
IDP_ID_PARAMETER_RELATION = build_parameter_relation(parameter_name='idp_id')
PROTOCOL_ID_PARAMETER_RELATION = build_parameter_relation(
parameter_name='protocol_id')
SP_ID_PARAMETER_RELATION = build_parameter_relation(parameter_name='sp_id')
class Routers(wsgi.RoutersBase):
"""API Endpoints for the Federation extension.
The API looks like::
PUT /OS-FEDERATION/identity_providers/{idp_id}
GET /OS-FEDERATION/identity_providers
GET /OS-FEDERATION/identity_providers/{idp_id}
DELETE /OS-FEDERATION/identity_providers/{idp_id}
PATCH /OS-FEDERATION/identity_providers/{idp_id}
PUT /OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}
GET /OS-FEDERATION/identity_providers/
{idp_id}/protocols
GET /OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}
PATCH /OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}
DELETE /OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}
PUT /OS-FEDERATION/mappings
GET /OS-FEDERATION/mappings
PATCH /OS-FEDERATION/mappings/{mapping_id}
GET /OS-FEDERATION/mappings/{mapping_id}
DELETE /OS-FEDERATION/mappings/{mapping_id}
GET /OS-FEDERATION/projects
GET /OS-FEDERATION/domains
PUT /OS-FEDERATION/service_providers/{sp_id}
GET /OS-FEDERATION/service_providers
GET /OS-FEDERATION/service_providers/{sp_id}
DELETE /OS-FEDERATION/service_providers/{sp_id}
PATCH /OS-FEDERATION/service_providers/{sp_id}
GET /OS-FEDERATION/identity_providers/{idp_id}/
protocols/{protocol_id}/auth
POST /OS-FEDERATION/identity_providers/{idp_id}/
protocols/{protocol_id}/auth
GET /auth/OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}/websso
?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}/websso
?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/saml2
POST /auth/OS-FEDERATION/saml2/ecp
GET /OS-FEDERATION/saml2/metadata
GET /auth/OS-FEDERATION/websso/{protocol_id}
?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/websso/{protocol_id}
?origin=https%3A//horizon.example.com
"""
def _construct_url(self, suffix):
return "/OS-FEDERATION/%s" % suffix
def append_v3_routers(self, mapper, routers):
auth_controller = controllers.Auth()
idp_controller = controllers.IdentityProvider()
protocol_controller = controllers.FederationProtocol()
mapping_controller = controllers.MappingController()
project_controller = controllers.ProjectAssignmentV3()
domain_controller = controllers.DomainV3()
saml_metadata_controller = controllers.SAMLMetadataV3()
sp_controller = controllers.ServiceProvider()
# Identity Provider CRUD operations
self._add_resource(
mapper, idp_controller,
path=self._construct_url('identity_providers/{idp_id}'),
get_action='get_identity_provider',
put_action='create_identity_provider',
patch_action='update_identity_provider',
delete_action='delete_identity_provider',
rel=build_resource_relation(resource_name='identity_provider'),
path_vars={
'idp_id': IDP_ID_PARAMETER_RELATION,
})
self._add_resource(
mapper, idp_controller,
path=self._construct_url('identity_providers'),
get_action='list_identity_providers',
rel=build_resource_relation(resource_name='identity_providers'))
# Protocol CRUD operations
self._add_resource(
mapper, protocol_controller,
path=self._construct_url('identity_providers/{idp_id}/protocols/'
'{protocol_id}'),
get_action='get_protocol',
put_action='create_protocol',
patch_action='update_protocol',
delete_action='delete_protocol',
rel=build_resource_relation(
resource_name='identity_provider_protocol'),
path_vars={
'idp_id': IDP_ID_PARAMETER_RELATION,
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
})
self._add_resource(
mapper, protocol_controller,
path=self._construct_url('identity_providers/{idp_id}/protocols'),
get_action='list_protocols',
rel=build_resource_relation(
resource_name='identity_provider_protocols'),
path_vars={
'idp_id': IDP_ID_PARAMETER_RELATION,
})
# Mapping CRUD operations
self._add_resource(
mapper, mapping_controller,
path=self._construct_url('mappings/{mapping_id}'),
get_action='get_mapping',
put_action='create_mapping',
patch_action='update_mapping',
delete_action='delete_mapping',
rel=build_resource_relation(resource_name='mapping'),
path_vars={
'mapping_id': build_parameter_relation(
parameter_name='mapping_id'),
})
self._add_resource(
mapper, mapping_controller,
path=self._construct_url('mappings'),
get_action='list_mappings',
rel=build_resource_relation(resource_name='mappings'))
# Service Providers CRUD operations
self._add_resource(
mapper, sp_controller,
path=self._construct_url('service_providers/{sp_id}'),
get_action='get_service_provider',
put_action='create_service_provider',
patch_action='update_service_provider',
delete_action='delete_service_provider',
rel=build_resource_relation(resource_name='service_provider'),
path_vars={
'sp_id': SP_ID_PARAMETER_RELATION,
})
self._add_resource(
mapper, sp_controller,
path=self._construct_url('service_providers'),
get_action='list_service_providers',
rel=build_resource_relation(resource_name='service_providers'))
self._add_resource(
mapper, domain_controller,
path=self._construct_url('domains'),
new_path='/auth/domains',
get_action='list_domains_for_user',
rel=build_resource_relation(resource_name='domains'))
self._add_resource(
mapper, project_controller,
path=self._construct_url('projects'),
new_path='/auth/projects',
get_action='list_projects_for_user',
rel=build_resource_relation(resource_name='projects'))
# Auth operations
self._add_resource(
mapper, auth_controller,
path=self._construct_url('identity_providers/{idp_id}/'
'protocols/{protocol_id}/auth'),
get_post_action='federated_authentication',
rel=build_resource_relation(
resource_name='identity_provider_protocol_auth'),
path_vars={
'idp_id': IDP_ID_PARAMETER_RELATION,
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
})
self._add_resource(
mapper, auth_controller,
path='/auth' + self._construct_url('saml2'),
post_action='create_saml_assertion',
rel=build_resource_relation(resource_name='saml2'))
self._add_resource(
mapper, auth_controller,
path='/auth' + self._construct_url('saml2/ecp'),
post_action='create_ecp_assertion',
rel=build_resource_relation(resource_name='ecp'))
self._add_resource(
mapper, auth_controller,
path='/auth' + self._construct_url('websso/{protocol_id}'),
get_post_action='federated_sso_auth',
rel=build_resource_relation(resource_name='websso'),
path_vars={
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
})
self._add_resource(
mapper, auth_controller,
path='/auth' + self._construct_url(
'identity_providers/{idp_id}/protocols/{protocol_id}/websso'),
get_post_action='federated_idp_specific_sso_auth',
rel=build_resource_relation(resource_name='identity_providers'),
path_vars={
'idp_id': IDP_ID_PARAMETER_RELATION,
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
})
# Keystone-Identity-Provider metadata endpoint
self._add_resource(
mapper, saml_metadata_controller,
path=self._construct_url('saml2/metadata'),
get_action='get_metadata',
rel=build_resource_relation(resource_name='metadata'))

20
keystone/rules.json Normal file
View File

@ -0,0 +1,20 @@
[
{
"local": [
{
"group_ids": "{1}",
"user": {
"name": "{0}"
}
}
],
"remote": [
{
"type": "REMOTE_USER"
},
{
"type": "openstackGroupEntitlements"
}
]
}
]

20
keystone/run.sh Executable file
View File

@ -0,0 +1,20 @@
#!/bin/bash
# start nova compute service
chown keystone: /etc/keystone/fernet-keys
chmod 700 /etc/keystone/fernet-keys
# Start apache
a2enmod ssl
apachectl -DFOREGROUND &
chown _shibd: /etc/shibboleth/sp*.pem
shibd -f -F &
# If any process fails, kill the rest.
# This insures the container stops and systemd will restart it.
wait -n
pkill -P $$

114
keystone/shibboleth2.xml Normal file
View File

@ -0,0 +1,114 @@
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<!--
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-->
<!--
To customize behavior for specific resources on Apache, and to link vhosts or
resources to ApplicationOverride settings below, use web server options/commands.
See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
-->
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="https://merlin.hpc.rug.nl"
REMOTE_USER="eppn persistent-id targeted-id">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
Note that while we default checkAddress to "false", this has a negative impact on the
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" cookieProps="https">
<!--
Configures SSO for a default IdP. To allow for >1 IdP, remove
entityID property and adjust discoveryURL to point to discovery service.
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
<SSO entityID="https://osfedpx.nikhef.nl/simplesaml/saml2/idp/metadata.php">
SAML2
</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="root@localhost"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Example of remotely supplied batch of signed metadata. -->
<MetadataProvider type="XML" uri="https://osfedpx.nikhef.nl/simplesaml/saml2/idp/metadata.php"
backingFilePath="federation-metadata.xml" reloadInterval="7200">
</MetadataProvider>
<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" file="partner-metadata.xml"/>
-->
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
<!--
The default settings can be overridden by creating ApplicationOverride elements (see
the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
Resource requests are mapped by web server commands, or the RequestMapper, to an
applicationId setting.
Example of a second application (for a second vhost) that has a different entityID.
Resources on the vhost would map to an applicationId of "admin":
-->
<!--
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-->
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

View File

@ -0,0 +1,22 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Keystone WebSSO redirect</title>
</head>
<body>
<form id="sso" name="sso" action="$host" method="post">
Please wait...
<br/>
<input type="hidden" name="token" id="token" value="$token"/>
<noscript>
<input type="submit" name="submit_no_javascript" id="submit_no_javascript"
value="If your JavaScript is disabled, please click to continue"/>
</noscript>
</form>
<script type="text/javascript">
window.onload = function() {
document.forms['sso'].submit();
}
</script>
</body>
</html>

4
keystone/test.php Normal file
View File

@ -0,0 +1,4 @@
<html>
<head><title>Shibboleth test</title></head>
<body><pre><?php print_r($_SERVER); ?></pre></body>
</html>