Replace Vagrant with Docker for idp-fixture (#39948)

The change replaces the Vagrant box based fixture with a fixture
based on docker compose and 2 docker images, one for an openldap
server and one for a Shibboleth SAML Identity Provider.

The configuration of both OpenLDAP and Shibboleth is identical to
the previous one, in order to minimize the required changes in the
tests.
Ioannis Kakavas 2019-03-12 23:54:23 +02:00 committed by Ioannis Kakavas
parent b10dd3769c
commit b8733eab00
144 changed files with 5883 additions and 1083 deletions


@ -1,8 +1,5 @@
Project idpFixtureProject = xpackProject("test:idp-fixture")
evaluationDependsOn(idpFixtureProject.path)
apply plugin: 'elasticsearch.standalone-test'
apply plugin: 'elasticsearch.vagrantsupport'
apply plugin: 'elasticsearch.test.fixtures'
dependencies {
// "org.elasticsearch.plugin:x-pack-core:${version}" doesn't work with idea because the testArtifacts are also here
@ -11,21 +8,13 @@ dependencies {
testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
}
task openLdapFixture {
dependsOn "vagrantCheckVersion", "virtualboxCheckVersion", idpFixtureProject.up
}
testFixtures.useFixture ":x-pack:test:idp-fixture"
Project idpFixtureProject = xpackProject("test:idp-fixture")
String outputDir = "${project.buildDir}/generated-resources/${project.name}"
task copyIdpTrust(type: Copy) {
from idpFixtureProject.file('src/main/resources/certs/idptrust.jks');
from idpFixtureProject.file('src/main/resources/certs/ca.crt');
from idpFixtureProject.file('openldap/certs/ca.jks');
from idpFixtureProject.file('openldap/certs/ca_server.pem');
into outputDir
}
if (project.rootProject.vagrantSupported) {
project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpTrust)
unitTest.dependsOn openLdapFixture
unitTest.finalizedBy idpFixtureProject.halt
} else {
unitTest.enabled = false
testingConventions.enabled = false
}
project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpTrust)


@ -57,7 +57,7 @@ public class OpenLdapTests extends ESTestCase {
public static final String PASSWORD = "NickFuryHeartsES";
private static final String HAWKEYE_DN = "uid=hawkeye,ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com";
public static final String LDAPTRUST_PATH = "/idptrust.jks";
public static final String LDAPTRUST_PATH = "/ca.jks";
private static final SecureString PASSWORD_SECURE_STRING = new SecureString(PASSWORD.toCharArray());
public static final String REALM_NAME = "oldap-test";


@ -48,7 +48,7 @@ public class OpenLdapUserSearchSessionFactoryTests extends ESTestCase {
private Settings globalSettings;
private ThreadPool threadPool;
private static final String LDAPCACERT_PATH = "/ca.crt";
private static final String LDAPCACERT_PATH = "/ca_server.pem";
@Before
public void init() {


@ -181,6 +181,6 @@ public class SearchGroupsResolverTests extends GroupsResolverTestCase {
@Override
protected String trustPath() {
return "/idptrust.jks";
return "/ca.jks";
}
}


@ -1,9 +1,9 @@
Project idpFixtureProject = xpackProject("test:idp-fixture")
evaluationDependsOn(idpFixtureProject.path)
apply plugin: 'elasticsearch.vagrantsupport'
apply plugin: 'elasticsearch.standalone-rest-test'
apply plugin: 'elasticsearch.rest-test'
apply plugin: 'elasticsearch.test.fixtures'
dependencies {
// "org.elasticsearch.plugin:x-pack-core:${version}" doesn't work with idea because the testArtifacts are also here
@ -12,24 +12,16 @@ dependencies {
testCompile project(path: xpackModule('security'), configuration: 'testArtifacts')
testCompile 'com.google.jimfs:jimfs:1.1'
}
testFixtures.useFixture ":x-pack:test:idp-fixture"
task idpFixture {
dependsOn "vagrantCheckVersion", "virtualboxCheckVersion", idpFixtureProject.up
}
String outputDir = "${project.buildDir}/generated-resources/${project.name}"
task copyIdpCertificate(type: Copy) {
from idpFixtureProject.file('src/main/resources/certs/ca.crt');
from idpFixtureProject.file('idp/shibboleth-idp/credentials/idp-browser.pem');
into outputDir
}
if (project.rootProject.vagrantSupported) {
project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpCertificate)
integTestCluster.dependsOn idpFixture, copyIdpCertificate
integTest.finalizedBy idpFixtureProject.halt
} else {
integTest.enabled = false
testingConventions.enabled = false
}
project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpCertificate)
integTestCluster.dependsOn copyIdpCertificate
integTestCluster {
setting 'xpack.license.self_generated.type', 'trial'
@ -60,7 +52,7 @@ integTestCluster {
setting 'xpack.ml.enabled', 'false'
extraConfigFile 'idp-metadata.xml', idpFixtureProject.file("src/main/resources/provision/generated/idp-metadata.xml")
extraConfigFile 'idp-metadata.xml', idpFixtureProject.file("idp/shibboleth-idp/metadata/idp-metadata.xml")
setupCommand 'setupTestAdmin',
'bin/elasticsearch-users', 'useradd', "test_admin", '-p', 'x-pack-test-password', '-r', "superuser"


@ -367,7 +367,7 @@ public class SamlAuthenticationIT extends ESRestTestCase {
private URI submitLoginForm(CloseableHttpClient client, BasicHttpContext context, URI formUri) throws IOException {
final HttpPost form = new HttpPost(formUri);
List<NameValuePair> params = new ArrayList<>();
params.add(new BasicNameValuePair("j_username", "Thor"));
params.add(new BasicNameValuePair("j_username", "thor"));
params.add(new BasicNameValuePair("j_password", "NickFuryHeartsES"));
params.add(new BasicNameValuePair("_eventId_proceed", ""));
form.setEntity(new UrlEncodedFormEntity(params));
@ -376,7 +376,6 @@ public class SamlAuthenticationIT extends ESRestTestCase {
assertThat(response.getStatusLine().getStatusCode(), equalTo(302));
return response.getFirstHeader("Location").getValue();
});
assertThat(redirect, startsWith("/"));
String target = execute(client, new HttpGet(formUri.resolve(redirect)), context, response -> {
assertHttpOk(response.getStatusLine());
@ -620,7 +619,7 @@ public class SamlAuthenticationIT extends ESRestTestCase {
}
private SSLContext getClientSslContext() throws Exception {
final Path pem = getDataPath("/ca.crt");
final Path pem = getDataPath("/idp-browser.pem");
final Certificate[] certificates = CertParsingUtils.readCertificates(Collections.singletonList(pem));
final X509ExtendedTrustManager trustManager = CertParsingUtils.trustManager(certificates);
SSLContext context = SSLContext.getInstance("TLS");
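Review bot: In the hunk at line 376, the removed `assertThat(redirect, startsWith("/"));` was the only check that the post-login `Location` returned by the IdP stays on the IdP itself; with it gone, `formUri.resolve(redirect)` will silently follow an absolute redirect to any host, so a misbehaving fixture would be followed rather than caught. If the Docker-based IdP now answers with an absolute URL (which is presumably why the assertion went), replace it with a same-host check rather than dropping it: `final URI next = formUri.resolve(redirect);` then `assertThat(next.getHost(), equalTo(formUri.getHost()));` and pass `next` to the `HttpGet`. The enclosing method starts before this hunk and its body continues after it.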


@ -1,6 +1 @@
Provisions OpenLDAP + shibboleth IDP 3.3.1 .
Uses ansible on the guest.
Run: `vagrant up --provision`
Any issues: albert.zaharovits@elastic.co
Provisions OpenLDAP + shibboleth IDP 3.4.2 using docker compose


@ -1,24 +0,0 @@
Vagrant.configure("2") do |config|
config.vm.define "test.shibboleth.elastic.local" do |config|
config.vm.box = "elastic/ubuntu-16.04-x86_64"
end
config.vm.hostname = "localhost"
if Vagrant.has_plugin?("vagrant-cachier")
config.cache.scope = :box
end
config.vm.network "forwarded_port", guest: 389, host: 60389, protocol: "tcp"
config.vm.network "forwarded_port", guest: 636, host: 60636, protocol: "tcp"
config.vm.network "forwarded_port", guest: 8080, host: 60080, protocol: "tcp"
config.vm.network "forwarded_port", guest: 8443, host: 60443, protocol: "tcp"
config.vm.provision "ansible_local" do |ansible|
ansible.verbose = "v"
ansible.playbook = "src/main/resources/provision/playbook.yml"
ansible.install_mode = "pip"
end
end


@ -1,42 +1,4 @@
apply plugin: 'elasticsearch.build'
apply plugin: 'elasticsearch.test.fixtures'
Map<String, String> vagrantEnvVars = [
'VAGRANT_CWD' : "${project.projectDir.absolutePath}",
'VAGRANT_VAGRANTFILE' : 'Vagrantfile',
'VAGRANT_PROJECT_DIR' : "${project.projectDir.absolutePath}"
]
String box = "test.shibboleth.elastic.local"
task update(type: org.elasticsearch.gradle.vagrant.VagrantCommandTask) {
command 'box'
subcommand 'update'
boxName box
environmentVars vagrantEnvVars
}
task up(type: org.elasticsearch.gradle.vagrant.VagrantCommandTask) {
command 'up'
args '--provision', '--provider', 'virtualbox'
boxName box
environmentVars vagrantEnvVars
dependsOn update
}
task halt(type: org.elasticsearch.gradle.vagrant.VagrantCommandTask) {
command 'halt'
boxName box
environmentVars vagrantEnvVars
}
task destroy(type: org.elasticsearch.gradle.vagrant.VagrantCommandTask) {
command 'destroy'
args '-f'
boxName box
environmentVars vagrantEnvVars
dependsOn halt
}
thirdPartyAudit.enabled = false
unitTest.enabled = false
jarHell.enabled = false
unitTest.enabled = false


@ -0,0 +1,40 @@
version: '3.1'
services:
openldap:
command: --copy-service --loglevel debug
image: "osixia/openldap:1.2.3"
ports:
- "30389:389"
- "60636:636"
environment:
LDAP_ADMIN_PASSWORD: "NickFuryHeartsES"
LDAP_DOMAIN: "oldap.test.elasticsearch.com"
LDAP_BASE_DN: "DC=oldap,DC=test,DC=elasticsearch,DC=com"
LDAP_TLS: "true"
LDAP_TLS_CRT_FILENAME: "ldap_server.pem"
LDAP_TLS_CA_CRT_FILENAME: "ca_server.pem"
LDAP_TLS_KEY_FILENAME: "ldap_server.key"
LDAP_TLS_VERIFY_CLIENT: "never"
LDAP_TLS_CIPHER_SUITE: "NORMAL"
LDAP_LOG_LEVEL: 256
volumes:
- ./openldap/ldif/users.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/20-bootstrap-users.ldif
- ./openldap/ldif/config.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/10-bootstrap-config.ldif
- ./openldap/certs:/container/service/slapd/assets/certs
shibboleth-idp:
image: "unicon/shibboleth-idp:3.4.2"
depends_on:
- openldap
environment:
- JETTY_MAX_HEAP=64m
- JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=secret
- JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=secret
ports:
- "4443:4443"
links:
- openldap:openldap
volumes:
- ./idp/shibboleth-idp/conf:/opt/shibboleth-idp/conf
- ./idp/shibboleth-idp/credentials:/opt/shibboleth-idp/credentials
- ./idp/shib-jetty-base/start.d/ssl.ini:/opt/shib-jetty-base/start.d/ssl.ini
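Review bot: The `ports` entries `"30389:389"`, `"60636:636"` and `"4443:4443"` publish the fixture on every host interface, and the LDAP service carries a fixed admin password (`LDAP_ADMIN_PASSWORD`) and `LDAP_TLS_VERIFY_CLIENT: "never"`; on a shared CI or developer host that leaves a writable directory reachable from the network for the duration of the test run. Binding to loopback is enough for the tests, e.g. `- "127.0.0.1:30389:389"`, `- "127.0.0.1:60636:636"` and `- "127.0.0.1:4443:4443"`. The `links:` block under `shibboleth-idp` is redundant with `depends_on` on a compose v3 file, since services on the default network already resolve each other by service name. Note also that `depends_on` only orders container start; if the IdP's LDAP connection pool fails fast before slapd finishes bootstrapping the ldif files, the test fixture plugin's readiness wait (not visible here) is what covers that gap.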


@ -0,0 +1,4 @@
--module=ssl
jetty.ssl.port=4443
jetty.sslContext.keyStorePath=/opt/shibboleth-idp/credentials/idp-browser.p12
jetty.sslContext.keyStoreType=PKCS12
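Review bot: This file sets the keystore path and type but no `jetty.sslContext.keyStorePassword`, so the password for `idp-browser.p12` presumably arrives through `JETTY_BROWSER_SSL_KEYSTORE_PASSWORD` in the compose service environment; a one-line comment would save the next reader a search: `# keystore password is supplied via JETTY_BROWSER_SSL_KEYSTORE_PASSWORD in the compose file`. It is also worth stating here that the certificate in this PKCS12 must be the same one exported as `idp-browser.pem`, since that is the file the SAML integration test now trusts directly, so the two must be regenerated together.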


@ -0,0 +1,68 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
Map of access control policies used to limit access to administrative functions.
The purpose of the map is to label policies with a key/name so they can be reused.
-->
<!--
Use the "shibboleth.IPRangeAccessControl" parent bean for IP-based access control.
The ranges provided MUST be CIDR network expressions. To specify a single address,
add "/32" or "/128" for IPv4 or IPv6 respectively.
The additional examples below demonstrate how to control access by username
and by attribute(s), in the case of authenticated access to admin functions.
-->
<util:map id="shibboleth.AccessControlPolicies">
<entry key="AccessByIPAddress">
<bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
</entry>
<!--
<entry key="AccessByUser">
<bean parent="shibboleth.PredicateAccessControl">
<constructor-arg>
<bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
</constructor-arg>
</bean>
</entry>
-->
<!--
<entry key="AccessByAttribute">
<bean parent="shibboleth.PredicateAccessControl">
<constructor-arg>
<bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
<property name="attributeValueMap">
<map>
<entry key="eduPersonEntitlement">
<list>
<value>https://example.org/entitlement/idpadmin</value>
</list>
</entry>
</map>
</property>
</bean>
</constructor-arg>
</bean>
</entry>
-->
</util:map>
</beans>


@ -0,0 +1,74 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<util:list id="shibboleth.AvailableAdminFlows">
<!-- Status Page -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/status"
p:loggingId="%{idp.service.logging.status:Status}"
p:policyName="%{idp.status.accessPolicy:AccessByIPAddress}" />
<!-- Service Reload -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/reload-service-configuration"
p:loggingId="%{idp.service.logging.serviceReload:Reload}"
p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />
<!-- MetadataResolver Reload -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/reload-metadata"
p:loggingId="%{idp.service.logging.serviceReload:Reload}"
p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />
<!-- AttributeResolver Debugging -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/resolvertest"
p:loggingId="%{idp.service.logging.resolvertest:ResolverTest}"
p:policyName="%{idp.resolvertest.accessPolicy:AccessByIPAddress}" />
<!-- Metadata Query -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/mdquery"
p:loggingId="MetadataQuery"
p:policyName="AccessByIPAddress" />
<!-- REST AccountLockoutManager Access -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/lockout-manager"
p:loggingId="Lockout"
p:policyName="AccessByIPAddress" />
<!-- REST StorageService Access -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/storage"
p:loggingId="Storage"
p:policyName="AccessByIPAddress" />
<!-- REST Interface to Metrics -->
<bean parent="shibboleth.AdminFlow"
c:id="http://shibboleth.net/ns/profiles/metrics"
p:loggingId="Metrics"
p:policyNameLookupStrategy-ref="shibboleth.metrics.AccessPolicyStrategy" />
<!-- Attended Startup Unlock -->
<!--
<bean parent="shibboleth.OneTimeAdminFlow"
c:id="http://shibboleth.net/ns/profiles/unlock-keys"
p:loggingId="UnlockKeys"
p:authenticated="true"
p:policyName="AccessByAdminUser" />
-->
</util:list>
</beans>


@ -0,0 +1,129 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- Metrics enablement / activation. -->
<!--
Register one or more of the built-in system metric sets available.
-->
<bean parent="shibboleth.metrics.RegisterMetricSets">
<property name="arguments">
<list>
<ref bean="shibboleth.metrics.CoreGaugeSet" />
<ref bean="shibboleth.metrics.IdPGaugeSet" />
<ref bean="shibboleth.metrics.LoggingGaugeSet" />
<ref bean="shibboleth.metrics.AccessControlGaugeSet" />
<ref bean="shibboleth.metrics.MetadataGaugeSet" />
<ref bean="shibboleth.metrics.NameIdentifierGaugeSet" />
<ref bean="shibboleth.metrics.RelyingPartyGaugeSet" />
<ref bean="shibboleth.metrics.AttributeResolverGaugeSet" />
<ref bean="shibboleth.metrics.AttributeFilterGaugeSet" />
<!--
<bean class="com.codahale.metrics.jvm.CachedThreadStatesGaugeSet"
c:_0="1" c:_1="#{T(java.util.concurrent.TimeUnit).MINUTES}" />
<bean class="com.codahale.metrics.jvm.ClassLoadingGaugeSet" />
<bean class="com.codahale.metrics.jvm.GarbageCollectorMetricSet" />
<bean class="com.codahale.metrics.jvm.MemoryUsageGaugeSet" />
-->
</list>
</property>
</bean>
<!-- Metrics REST API Configuration -->
<!--
The global metric set is available by default at /idp/profile/admin/metrics
Any pathinfo after that is assumed to identify specific named metrics. You can
create mappings here between a logical "group" name and an implementation of the
com.codahale.metrics.MetricFilter interface to specify which metrics to include.
-->
<util:map id="shibboleth.metrics.MetricGroups">
<entry key="core" value-ref="shibboleth.metrics.CoreGaugeSet" />
<entry key="idp" value-ref="shibboleth.metrics.IdPGaugeSet" />
<entry key="logging" value-ref="shibboleth.metrics.LoggingGaugeSet" />
<entry key="access" value-ref="shibboleth.metrics.AccessControlGaugeSet" />
<entry key="metadata" value-ref="shibboleth.metrics.MetadataGaugeSet" />
<entry key="nameid" value-ref="shibboleth.metrics.NameIdentifierGaugeSet" />
<entry key="relyingparty" value-ref="shibboleth.metrics.RelyingPartyGaugeSet" />
<entry key="resolver" value-ref="shibboleth.metrics.AttributeResolverGaugeSet" />
<entry key="filter" value-ref="shibboleth.metrics.AttributeFilterGaugeSet" />
</util:map>
<!-- If you don't specify an alternate access policy, this named policy will be enforced. -->
<bean id="shibboleth.metrics.DefaultAccessPolicy" class="java.lang.String" c:_0="AccessByIPAddress" />
<!--
To override the default access policy, map a metric name or
mapped group above to an alternative policy name.
-->
<util:map id="shibboleth.metrics.AccessPolicyMap">
</util:map>
<!--
In addition to the "pull" REST API for accessing metrics, a "push" reporter is also
available to upload a JSON feed to a URL. The example shown relies on standard JVM
trust configuration for TLS server verification.
The "start" method triggers the timer thread; the example pushes every 30 minutes.
-->
<!--
<bean id="PushReporter" parent="shibboleth.metrics.HTTPReporter" c:name="MyCollector"
p:collectorURL="https://log.example.org/cgi-bin/collector.cgi" />
<bean class="org.springframework.beans.factory.config.MethodInvokingBean"
p:targetObject-ref="PushReporter"
p:targetMethod="start">
<property name="arguments">
<list>
<value>30</value>
<util:constant static-field="java.util.concurrent.TimeUnit.MINUTES" />
</list>
</property>
</bean>
-->
<!-- IdP Metrics Configuration -->
<!--
A bean named shibboleth.metrics.MetricStrategy of type Function<ProfileRequestContext,Boolean>
can be defined to add timers and counters to a large range of objects in the system. Each timer is
defined by a triple (timer name, start object, stop object). Counters are just object/counter pairs.
The most common example is to start a timer when a particular flow action bean starts and
stop it when the same or different action bean stops, to measure how long the execution takes.
If you want to leave a timer in place but disabled to prevent overhead, you can turn off a
logging category named "metrics.<timername>" in your logging configuration.
-->
<!--
<bean id="shibboleth.metrics.MetricStrategy" parent="shibboleth.ContextFunctions.Scripted"
factory-method="inlineScript">
<constructor-arg>
<value>
<![CDATA[
metricCtx = input.getSubcontext("org.opensaml.profile.context.MetricContext");
metricCtx.addTimer("idp.attribute.resolution",
"ResolveAttributes",
"FilterAttributes"
);
true; // Signals success.
]]>
</value>
</constructor-arg>
</bean>
-->
</beans>


@ -13,7 +13,6 @@
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
<!-- Release some attributes to an SP. -->
<AttributeFilterPolicy id="toAll">
<PolicyRequirementRule xsi:type="ANY" />


@ -0,0 +1,85 @@
<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver
xmlns="urn:mace:shibboleth:2.0:resolver"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
<!-- ========================================== -->
<!-- Attribute Definitions -->
<!-- ========================================== -->
<AttributeDefinition id="uid" xsi:type="Simple">
<InputDataConnector ref="myLDAP" attributeNames="uid" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition id="mail" xsi:type="Simple" >
<InputDataConnector ref="myLDAP" attributeNames="mail" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition id="cn" xsi:type="Simple">
<InputDataConnector ref="myLDAP" attributeNames="cn" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="displayName" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition id="groupMembership" xsi:type="Simple">
<InputDataConnector ref="SearchGroupLDAP" attributeNames="cn" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113719.1.1.4.1.25" friendlyName="groupMembership" encodeType="false" />
</AttributeDefinition>
<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
principal="%{idp.attribute.resolver.LDAP.bindDN}"
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
<FilterTemplate>
<![CDATA[
(uid=$resolutionContext.principal)
]]>
</FilterTemplate>
<ConnectionPool
minPoolSize="%{idp.pool.LDAP.minSize:3}"
maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
<ReturnAttributes>uid mail cn</ReturnAttributes>
</DataConnector>
<DataConnector id="SearchGroupLDAP" xsi:type="LDAPDirectory"
ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
principal="%{idp.attribute.resolver.LDAP.bindDN}"
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
maxResultSize="1000"
responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
<FilterTemplate>
<![CDATA[
(&(objectclass=posixGroup)(memberUid=$resolutionContext.principal))
]]>
</FilterTemplate>
<ConnectionPool
minPoolSize="%{idp.pool.LDAP.minSize:3}"
maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
<ReturnAttributes>cn</ReturnAttributes>
</DataConnector>
</AttributeResolver>


@ -0,0 +1,33 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
This bean defines a mapping between audit log categories and formatting strings. The default entry is
for compatibility with V2 audit logging.
-->
<util:map id="shibboleth.AuditFormattingMap">
<entry key="Shibboleth-Audit" value="%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|%X" />
</util:map>
<!-- Override the format of date/time fields in the log and/or convert to default time zone. -->
<!--
<bean id="shibboleth.AuditDateTimeFormat" class="java.lang.String" c:_0="YYYY-MM-dd'T'HH:mm:ss.SSSZZ" />
<util:constant id="shibboleth.AuditDefaultTimeZone" static-field="java.lang.Boolean.TRUE" />
-->
<!-- Allows auditing to be disabled selectively for particular profiles/flows. -->
<util:list id="shibboleth.AuditSuppressedProfiles">
<value>http://shibboleth.net/ns/profiles/status</value>
<value>http://shibboleth.net/ns/profiles/mdquery</value>
</util:list>
</beans>


@ -0,0 +1,77 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
These beans can be used in the AuthnComparisonRules map below instead of the defaults to
support more advanced matching rules. The top example shows how to configure a matching rule,
in this case a rule that the two listed classes are "better" than the password class.
To use these beans, configure the matchingRules map as desired, and then reference the bean id in the
desired value-ref slot in the AuthnComparisonRules map.
-->
<bean id="shibboleth.BetterClassRefMatchFactory" parent="shibboleth.InexactMatchFactory">
<!--
<property name="matchingRules">
<map>
<entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:Password">
<list>
<value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value>
<value>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</value>
</list>
</entry>
</map>
</property>
-->
</bean>
<bean id="shibboleth.MinimumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
<bean id="shibboleth.MaximumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
<!-- DeclRefs are rarely used in SAML, so you likely won't bother with these. -->
<bean id="shibboleth.BetterDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
<bean id="shibboleth.MinimumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
<bean id="shibboleth.MaximumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
<!-- Registry of matching rules. -->
<util:map id="shibboleth.AuthnComparisonRules">
<!-- Exact matching, should be left alone to avoid tricking the IdP into behaving incorrectly. -->
<entry key-ref="shibboleth.SAMLAuthnMethodExact" value-ref="shibboleth.ExactMatchFactory"/>
<entry key-ref="shibboleth.SAMLACClassRefExact" value-ref="shibboleth.ExactMatchFactory"/>
<entry key-ref="shibboleth.SAMLACDeclRefExact" value-ref="shibboleth.ExactMatchFactory"/>
<!-- Minimum matching, leave to allow degeneration into exact, or replace with custom rules. -->
<entry key-ref="shibboleth.SAMLACClassRefMinimum" value-ref="shibboleth.ExactMatchFactory"/>
<entry key-ref="shibboleth.SAMLACDeclRefMinimum" value-ref="shibboleth.ExactMatchFactory"/>
<!-- Maximum matching, leave to allow degeneration into exact, or replace with custom rules. -->
<entry key-ref="shibboleth.SAMLACClassRefMaximum" value-ref="shibboleth.ExactMatchFactory"/>
<entry key-ref="shibboleth.SAMLACDeclRefMaximum" value-ref="shibboleth.ExactMatchFactory"/>
<!-- Better matching, refers to empty ruleset that has to be populated to work. -->
<entry key-ref="shibboleth.SAMLACClassRefBetter" value-ref="shibboleth.BetterClassRefMatchFactory"/>
<entry key-ref="shibboleth.SAMLACDeclRefBetter" value-ref="shibboleth.BetterDeclRefMatchFactory"/>
</util:map>
<!-- List of context classes or declarations to ignore if an SP requests them. -->
<util:list id="shibboleth.IgnoredContexts">
<value>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</value>
</util:list>
</beans>


@ -0,0 +1,22 @@
<flow xmlns="http://www.springframework.org/schema/webflow"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
abstract="true">
<!-- ADVANCED USE ONLY -->
<!--
You can ignore this file unless you are creating your own custom login subflows that want to
report custom events in response to unusual error or warning conditions.
-->
<!-- Custom error events to reflect back from user-supplied login subflows. -->
<!-- <end-state id="MyCustomEvent" /> -->
<global-transitions>
<!-- <transition on="MyCustomEvent" to="MyCustomEvent" /> -->
<transition on="#{!'proceed'.equals(currentEvent.id)}" to="InvalidEvent" />
</global-transitions>
</flow>


@ -0,0 +1,29 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize" default-destroy-method="destroy">
<!--
By default, the Duo flow will use statically-defined integrations defined with the
duo.properties file. If you need more flexibility, you can define a function bean
called "shibboleth.authn.Duo.DuoIntegrationStrategy" to return an instance of
net.shibboleth.idp.authn.duo.DuoIntegration based on the state of the request.
A second bean, "shibboleth.authn.Duo.NonBrowser.DuoIntegrationStrategy", can be
supplied to use the AuthAPI for non-browser profiles.
The Duo flow is designed to operate in conjunction with some other login flow,
usually orchestrated by the MFA login flow. It obtains the username to send to
Duo based on the output of the other login flow or a previous session with the
user. You can override that approach using a function bean called
"shibboleth.authn.Duo.UsernameLookupStrategy" to supply the username from a
different source.
Various other beans are supported, per the documentation.
-->
</beans>


@ -0,0 +1,30 @@
## Duo integration settings
## Note: If upgrading from pre-3.3 IdP versions, you will need to manually add a pointer
## to this property file to idp.properties.
## The first set of properties support DuoWeb "iframe" integration.
idp.duo.apiHost = hostname
idp.duo.applicationKey = key
idp.duo.integrationKey = key
idp.duo.secretKey = key
## The second set are used for direct AuthAPI usage for ECP support.
## A seperate integration has to be created for this to work.
#idp.duo.nonbrowser.apiHost = %{idp.duo.apiHost}
#idp.duo.nonbrowser.applicationKey = key
#idp.duo.nonbrowser.integrationKey = key
#idp.duo.nonbrowser.secretKey = key
## Request header names for Duo non-browser credentials.
# idp.duo.nonbrowser.header.factor = X-Shibboleth-Duo-Factor
# idp.duo.nonbrowser.header.device = X-Shibboleth-Duo-Device
# idp.duo.nonbrowser.header.factor = X-Shibboleth-Duo-Passcode
## Enables auto selection of factor/device if not specified by client.
# idp.duo.nonbrowser.auto = true
## Enables transmission of client address to Duo during authentication.
# idp.duo.nonbrowser.clientAddressTrusted = true
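Review bot: The third commented header example repeats the `idp.duo.nonbrowser.header.factor` key with the `X-Shibboleth-Duo-Passcode` value, so uncommenting that block as written would overwrite the factor header name with the passcode header name and leave the passcode header unconfigured. The key is presumably meant to be `# idp.duo.nonbrowser.header.passcode = X-Shibboleth-Duo-Passcode`. The `apiHost`/`applicationKey`/`integrationKey`/`secretKey` lines hold the upstream placeholders rather than real credentials, which is appropriate for a fixture; the comment spelling `seperate` should read `separate`.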


@ -0,0 +1,70 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- Servlet context-relative path to wherever your implementation lives. -->
<bean id="shibboleth.authn.External.externalAuthnPath" class="java.lang.String"
c:_0="contextRelative:Authn/External" />
<!--
Default is to always use the path in the bean above. If you want to determine it
dynamically, define a bean called "shibboleth.authn.External.externalAuthnPathStrategy"
of type Function<ProfileRequestContext,String> that returns the path to use.
-->
<!--
Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
You would normally only unset this if you plan to return a fully decorated Java Subject from your
external authentication source.
-->
<util:constant id="shibboleth.authn.External.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />
<!--
<bean id="shibboleth.authn.External.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
c:_0="^(.+)@example\.edu]$" />
-->
<!--
Define entries here to map error messages returned by external modules and classify them as particular
kinds of errors for use in your templates and as events in flows.
Keys are events to signal, values are error codes.
The examples here just allow external signaling of the exact type of condition to record.
If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
-->
<util:map id="shibboleth.authn.External.ClassifiedMessageMap">
<entry key="UnknownUsername">
<list>
<value>UnknownUsername</value>
</list>
</entry>
<entry key="InvalidPassword">
<list>
<value>InvalidPassword</value>
</list>
</entry>
<entry key="ExpiredPassword">
<list>
<value>ExpiredPassword</value>
</list>
</entry>
<entry key="ExpiringPassword">
<list>
<value>ExpiringPassword</value>
</list>
</entry>
</util:map>
</beans>


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
You would normally only unset this if you plan to return a completely constructed Subject from
your authentication function.
-->
<util:constant id="shibboleth.authn.Function.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />
<!--
The entire flow depends on the execution of a function bean you supply. A pathological script example
is below. The function may return a String, Principal, Subject, or a null to signal failure.
-->
<bean id="shibboleth.authn.Function.ResultLookupStrategy"
parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
<constructor-arg>
<value>
<![CDATA[
null;
]]>
</value>
</constructor-arg>
</bean>
</beans>


@ -0,0 +1,158 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
This file provisions the IdP with information about the configured login mechanisms available for use.
The actual beans and subflows that make up those mechanisms are in their own files, but this pulls them
together with deployer-supplied metadata to describe them to the system.
You can turn on and off individual mechanisms by adding and remove them here. Nothing left out will
be used, regardless any other files loaded by the Spring container.
Flow defaults include: no support for IsPassive/ForceAuthn, support for non-browser clients enabled,
and default timeout and lifetime values set via properties. We also default to supporting the SAML 1/2
expressions for password-based authentication over a secure channel, so anything more exotic requires
customization, as the examples below for IP address and SPNEGO authentication illustrate.
-->
<util:list id="shibboleth.AvailableAuthenticationFlows">
<bean id="authn/IPAddress" parent="shibboleth.AuthenticationFlow"
p:passiveAuthenticationSupported="true"
p:lifetime="PT60S" p:inactivityTimeout="PT60S">
<property name="supportedPrincipals">
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
</list>
</property>
</bean>
<bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow"
p:nonBrowserSupported="false">
<property name="supportedPrincipals">
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:ietf:rfc:1510" />
</list>
</property>
</bean>
<bean id="authn/External" parent="shibboleth.AuthenticationFlow"
p:nonBrowserSupported="false" />
<bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow"
p:nonBrowserSupported="false" />
<bean id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow" />
<bean id="authn/Function" parent="shibboleth.AuthenticationFlow" />
<bean id="authn/X509" parent="shibboleth.AuthenticationFlow"
p:nonBrowserSupported="false">
<property name="supportedPrincipals">
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:ietf:rfc:2246" />
</list>
</property>
</bean>
<bean id="authn/X509Internal" parent="shibboleth.AuthenticationFlow">
<property name="supportedPrincipals">
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:ietf:rfc:2246" />
</list>
</property>
</bean>
<bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
p:passiveAuthenticationSupported="true"
p:forcedAuthenticationSupported="true" />
<bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
p:forcedAuthenticationSupported="true"
p:nonBrowserSupported="false">
<!--
The list below should be changed to reflect whatever locally- or
community-defined values are appropriate to represent MFA. It is
strongly advised that the value not be specific to Duo or any
particular technology.
-->
<property name="supportedPrincipals">
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="http://example.org/ac/classes/mfa" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="http://example.org/ac/classes/mfa" />
</list>
</property>
</bean>
<bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
p:passiveAuthenticationSupported="true"
p:forcedAuthenticationSupported="true">
<!--
The list below almost certainly requires changes, and should generally be the
union of any of the separate factors you combine in your particular MFA flow
rules. The example corresponds to the example in mfa-authn-config.xml that
combines IPAddress with Password.
-->
<property name="supportedPrincipals">
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
</list>
</property>
</bean>
</util:list>
<!--
This is a map used to "weight" particular methods above others if the IdP has to randomly select one
to insert into a SAML authentication statement. The typical use shown below is to bias the IdP in favor
of expressing the SAML 2 PasswordProtectedTransport class over the more vanilla Password class on the
assumption that the IdP doesn't accept passwords via an insecure channel. This map never causes the IdP
to violate its matching rules if an RP requests a particular value; it only matters when nothing specific
is chosen. Anything not in the map has a weight of zero.
-->
<util:map id="shibboleth.AuthenticationPrincipalWeightMap">
<entry>
<key>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
</key>
<value>1</value>
</entry>
</util:map>
</beans>
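Review bot: `shibboleth.AvailableAuthenticationFlows` registers eleven login flows (IPAddress, SPNEGO, External, RemoteUser, RemoteUserInternal, Function, X509, X509Internal, Password, Duo, MFA) although the fixture only wires up LDAP password validation, and the Duo flow is backed by placeholder keys in duo.properties. Whether these flows are actually offered presumably depends on the `idp.authn.flows` property in idp.properties, which is outside this hunk, so the effective set may already be restricted there. Trimming the list to the `authn/Password` bean, or placing a comment such as `<!-- Fixture: only authn/Password is exercised; the remaining flows are upstream defaults and are not configured -->` above the list, would make the intended authentication path of the test IdP explicit to the next maintainer.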


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- Apply any regular expression replacement pairs to address before validation. -->
<util:list id="shibboleth.authn.IPAddress.Transforms" />
<!--
Configure the address range(s) and principal name(s) for IP-based login here.
The ranges provided MUST be CIDR network expressions. To specify a single address,
add "/32" or "/128" for IPv4 or IPv6 respectively.
-->
<util:map id="shibboleth.authn.IPAddress.Mappings">
<!--
<entry key="jdoe">
<list>
<value>127.0.0.1/32</value>
<value>::1/128</value>
</list>
</entry>
-->
</util:map>
</beans>


@ -0,0 +1,27 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- Specify your JAAS config. -->
<bean id="JAASConfig" class="org.springframework.core.io.FileSystemResource" c:path="%{idp.home}/conf/authn/jaas.config" />
<util:property-path id="shibboleth.authn.JAAS.JAASConfigURI" path="JAASConfig.URI" />
<!-- Specify the application name(s) in the JAAS config. -->
<util:list id="shibboleth.authn.JAAS.LoginConfigNames">
<value>ShibUserPassAuth</value>
</util:list>
<alias name="ValidateUsernamePasswordAgainstJAAS" alias="ValidateUsernamePassword"/>
</beans>


@ -0,0 +1,11 @@
ShibUserPassAuth {
/*
com.sun.security.auth.module.Krb5LoginModule required;
*/
org.ldaptive.jaas.LdapLoginModule required
ldapUrl="ldap://localhost:10389"
baseDn="ou=people,dc=example,dc=org"
userFilter="uid={user}";
};
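Review bot: The `ldapUrl="ldap://localhost:10389"` on the LdapLoginModule line is a plaintext LDAP URL pointing at localhost, which from inside the IdP container would presumably not reach the openldap service of the compose setup, and would send bind credentials unprotected if it did. As far as this commit shows the file is inert: password-authn-config.xml imports only ldap-authn-config.xml and leaves the JAAS import commented out, so this module and jaas-authn-config.xml are dead configuration. If they are kept as upstream defaults, a header comment such as `/* Not used: password-authn-config.xml imports ldap-authn-config.xml; if enabled, point ldapUrl at the LDAP service over ldaps:// or StartTLS */` would stop a later reader from treating this as the fixture's live LDAP binding.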


@ -0,0 +1,31 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<util:constant id="shibboleth.authn.Krb5.RefreshConfig" static-field="java.lang.Boolean.FALSE" />
<util:constant id="shibboleth.authn.Krb5.PreserveTicket" static-field="java.lang.Boolean.FALSE" />
<!--
Uncomment these beans to perform KDC verification using a service principal and keytab.
The keytab bean must be an absolute file pathname and not a reference to a classpath resource,
so if idp.home is not a path, don't use it in the value.
-->
<!--
<bean id="shibboleth.authn.Krb5.ServicePrincipal" class="java.lang.String" c:_0="SERVICE/principal" />
<bean id="shibboleth.authn.Krb5.Keytab" class="java.lang.String" c:_0="%{idp.home}/credentials/keytab" />
-->
<alias name="ValidateUsernamePasswordAgainstKerberos" alias="ValidateUsernamePassword"/>
</beans>


@ -0,0 +1,135 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy"
default-lazy-init="true">
<alias name="%{idp.authn.LDAP.authenticator:anonSearchAuthenticator}" alias="shibboleth.authn.LDAP.authenticator" />
<bean id="shibboleth.authn.LDAP.returnAttributes" parent="shibboleth.CommaDelimStringArray">
<constructor-arg type="java.lang.String" value="%{idp.authn.LDAP.returnAttributes:1.1}" />
</bean>
<alias name="ValidateUsernamePasswordAgainstLDAP" alias="ValidateUsernamePassword" />
<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true" p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
p:useSSL="%{idp.authn.LDAP.useSSL:false}"
p:connectTimeoutDuration="%{idp.authn.LDAP.connectTimeout:PT3S}"
p:responseTimeoutDuration="%{idp.authn.LDAP.responseTimeout:PT3S}"
p:sslConfig-ref="sslConfig" />
<alias name="%{idp.authn.LDAP.sslConfig:certificateTrust}" alias="sslConfig" />
<bean id="jvmTrust" class="org.ldaptive.ssl.SslConfig" />
<bean id="certificateTrust" class="org.ldaptive.ssl.SslConfig">
<property name="credentialConfig">
<bean parent="shibboleth.X509ResourceCredentialConfig" p:trustCertificates="%{idp.authn.LDAP.trustCertificates:undefined}" />
</property>
</bean>
<bean id="keyStoreTrust" class="org.ldaptive.ssl.SslConfig">
<property name="credentialConfig">
<bean parent="shibboleth.KeystoreResourceCredentialConfig" p:truststore="%{idp.authn.LDAP.trustStore:undefined}" />
</property>
</bean>
<!-- Authentication handler -->
<bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler" p:connectionFactory-ref="bindPooledConnectionFactory" />
<bean id="bindPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" p:connectionPool-ref="bindConnectionPool" />
<bean id="bindConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
p:connectionFactory-ref="bindConnectionFactory" p:name="bind-pool" />
<bean id="bindConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindConnectionConfig" />
<bean id="bindConnectionConfig" parent="connectionConfig" />
<!-- Format DN resolution -->
<bean id="formatDnResolver" class="org.ldaptive.auth.FormatDnResolver" p:format="%{idp.authn.LDAP.dnFormat:undefined}" />
<!-- Pool Configuration -->
<bean id="connectionPool" class="org.ldaptive.pool.BlockingConnectionPool" abstract="true"
p:blockWaitTimeDuration="%{idp.pool.LDAP.blockWaitTime:PT3S}"
p:poolConfig-ref="poolConfig"
p:pruneStrategy-ref="pruneStrategy"
p:validator-ref="searchValidator"
p:failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
<bean id="poolConfig" class="org.ldaptive.pool.PoolConfig"
p:minPoolSize="%{idp.pool.LDAP.minSize:3}"
p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}"
p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
p:validatePeriodDuration="%{idp.pool.LDAP.validatePeriod:PT5M}" />
<bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
p:prunePeriodDuration="%{idp.pool.LDAP.prunePeriod:PT5M}"
p:idleTimeDuration="%{idp.pool.LDAP.idleTime:PT10M}" />
<bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
<!-- Anonymous Search Configuration -->
<bean name="anonSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
<constructor-arg index="0" ref="anonSearchDnResolver" />
<constructor-arg index="1" ref="authHandler" />
</bean>
<bean id="anonSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver"
p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
p:connectionFactory-ref="anonSearchPooledConnectionFactory" >
<constructor-arg index="0" ref="shibboleth.VelocityEngine" />
<constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
</bean>
<bean id="anonSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
p:connectionPool-ref="anonSearchConnectionPool" />
<bean id="anonSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
p:connectionFactory-ref="anonSearchConnectionFactory" p:name="search-pool" />
<bean id="anonSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="anonSearchConnectionConfig" />
<bean id="anonSearchConnectionConfig" parent="connectionConfig" />
<!-- Bind Search Configuration -->
<bean name="bindSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
<constructor-arg index="0" ref="bindSearchDnResolver" />
<constructor-arg index="1" ref="authHandler" />
</bean>
<bean id="bindSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver"
p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
p:connectionFactory-ref="bindSearchPooledConnectionFactory" >
<constructor-arg index="0" ref="shibboleth.VelocityEngine" />
<constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
</bean>
<bean id="bindSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
p:connectionPool-ref="bindSearchConnectionPool" />
<bean id="bindSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
p:connectionFactory-ref="bindSearchConnectionFactory" p:name="search-pool" />
<bean id="bindSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindSearchConnectionConfig" />
<bean id="bindSearchConnectionConfig" parent="connectionConfig" p:connectionInitializer-ref="bindConnectionInitializer" />
<bean id="bindConnectionInitializer" class="org.ldaptive.BindConnectionInitializer"
p:bindDn="#{'%{idp.authn.LDAP.bindDN:undefined}'.trim()}">
<property name="bindCredential">
<bean class="org.ldaptive.Credential">
<constructor-arg value="%{idp.authn.LDAP.bindDNCredential:undefined}" />
</bean>
</property>
</bean>
<!-- Direct Search Configuration -->
<bean name="directAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
<constructor-arg index="0" ref="formatDnResolver" />
<constructor-arg index="1" ref="authHandler" />
</bean>
<!-- Want to use ppolicy? Configure support by adding <bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler"
/> add p:authenticationResponseHandlers-ref="authenticationResponseHandler" to the authenticator <bean id="authenticationControl"
class="org.ldaptive.control.PasswordPolicyControl" /> add p:authenticationControls-ref="authenticationControl" to the authHandler -->
<!-- Active Directory Configuration -->
<bean id="adAuthenticator" class="org.ldaptive.auth.Authenticator" p:authenticationResponseHandlers-ref="authenticationResponseHandler"
p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
<constructor-arg index="0" ref="formatDnResolver" />
<constructor-arg index="1" ref="authHandler" />
</bean>
<bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" />
</beans>


@ -0,0 +1,101 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
This is a map of transition rules that guide the behavior of the MFA flow
and controls how factors are sequenced, skipped, etc. The key of each entry
is the name of the step/flow out of which control is passing. The starting
rule has an empty key.
Each entry is a bean inherited from "shibboleth.authn.MFA.Transition". Per
the Javadoc for net.shibboleth.idp.authn.MultiFactorAuthenticationTransition:
p:nextFlow (String)
- A flow to run if the previous step signaled a "proceed" event, for simple
transitions.
p:nextFlowStrategy (Function<ProfileRequestContext,String>)
- A function to run if the previous step signaled a "proceed" event, for dynamic
transitions. Returning null ends the MFA process.
p:nextFlowStrategyMap (Map<String,Object> where Object is String or Function<ProfileRequestContext,String>)
- Fully dynamic way of expressing control paths. Map is keyed by a previously
signaled event and the value is a flow to run or a function to
return the flow to run. Returning null ends the MFA process.
When no rule is provided, there's an implicit "null" that ends the MFA flow
with whatever event was last signaled. If the "proceed" event from a step is
the final event, then the MFA process attempts to complete itself successfully.
-->
<util:map id="shibboleth.authn.MFA.TransitionMap">
<!-- First rule runs the IPAddress login flow. -->
<entry key="">
<bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/IPAddress" />
</entry>
<!--
Second rule runs a function if IPAddress succeeds, to determine whether an additional
factor is required.
-->
<entry key="authn/IPAddress">
<bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
</entry>
<!-- An implicit final rule will return whatever the final flow returns. -->
</util:map>
<!-- Example script to see if second factor is required. -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
p:customObject-ref="shibboleth.AttributeResolverService">
<constructor-arg>
<value>
<![CDATA[
nextFlow = "authn/Password";
// Go straight to second factor if we have to, or set up for an attribute lookup first.
authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
if (mfaCtx.isAcceptable()) {
// Attribute check is required to decide if first factor alone is enough.
resCtx = input.getSubcontext(
"net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
resCtx.setAttributeRecipientID(rpCtx.getRelyingPartyId());
// Look up the username using a standard function.
usernameLookupStrategyClass
= Java.type("net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
usernameLookupStrategy = new usernameLookupStrategyClass();
resCtx.setPrincipal(usernameLookupStrategy.apply(input));
resCtx.getRequestedIdPAttributeNames().add("allowedLoginMethods");
resCtx.resolveAttributes(custom);
// Check for an attribute that authorizes use of first factor.
attribute = resCtx.getResolvedIdPAttributes().get("allowedLoginMethods");
valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
if (attribute != null && attribute.getValues().contains(new valueType("IPAddress"))) {
nextFlow = null;
}
input.removeSubcontext(resCtx); // cleanup
}
nextFlow; // pass control to second factor or end with the first
]]>
</value>
</constructor-arg>
</bean>
</beans>


@ -0,0 +1,121 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- Choose an import based on the back-end you want to use. -->
<!-- <import resource="jaas-authn-config.xml" /> -->
<!-- <import resource="krb5-authn-config.xml" /> -->
<import resource="ldap-authn-config.xml" />
<!-- Names of form fields to pull username and password from. -->
<bean id="shibboleth.authn.Password.UsernameFieldName" class="java.lang.String" c:_0="j_username" />
<bean id="shibboleth.authn.Password.PasswordFieldName" class="java.lang.String" c:_0="j_password" />
<bean id="shibboleth.authn.Password.SSOBypassFieldName" class="java.lang.String" c:_0="donotcache" />
<!-- Simple transforms to apply to username before validation. -->
<util:constant id="shibboleth.authn.Password.Lowercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.authn.Password.Uppercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.authn.Password.Trim" static-field="java.lang.Boolean.TRUE"/>
<!-- Set to TRUE if you want the password kept in the resulting Subject as a private credential. -->
<util:constant id="shibboleth.authn.Password.RetainAsPrivateCredential" static-field="java.lang.Boolean.FALSE"/>
<!-- Apply any regular expression replacement pairs to username before validation. -->
<util:list id="shibboleth.authn.Password.Transforms">
<!--
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
-->
</util:list>
<!-- Uncomment to configure account lockout backed by in-memory storage. -->
<!--
<bean id="shibboleth.authn.Password.AccountLockoutManager"
parent="shibboleth.StorageBackedAccountLockoutManager"
p:maxAttempts="5"
p:counterInterval="PT5M"
p:lockoutDuration="PT5M"
p:extendLockoutDuration="false" />
-->
<!--
Define entries here to map error messages detected by validation actions and classify them as particular
kinds of errors for use in your templates and as events in flows.
Keys are events to signal, values are error codes.
-->
<util:map id="shibboleth.authn.Password.ClassifiedMessageMap">
<entry key="UnknownUsername">
<list>
<value>NoCredentials</value>
<value>CLIENT_NOT_FOUND</value>
<value>Client not found</value>
<value>DN_RESOLUTION_FAILURE</value>
</list>
</entry>
<entry key="InvalidPassword">
<list>
<value>InvalidCredentials</value>
<value>PREAUTH_FAILED</value>
<value>INVALID_CREDENTIALS</value>
<value>Checksum failed</value>
</list>
</entry>
<entry key="AccountLocked">
<list>
<value>AccountLocked</value>
<value>Clients credentials have been revoked</value>
</list>
</entry>
<entry key="ExpiredPassword">
<list>
<value>PASSWORD_EXPIRED</value>
</list>
</entry>
<entry key="ExpiringPassword">
<list>
<value>ACCOUNT_WARNING</value>
</list>
</entry>
</util:map>
<!--
Configuration of "extended" login methods to offer in the password login form.
The String bean is a regular expression identifying the flows to offer. These flows
must also be enabled at the "top" level to be available for use.
The ExtendedFlowParameters bean can be used to transfer custom parameters from the
login form into the context tree for use later by other flows.
The last bean provides the set of custom Principals to use for results produced by the
Password flow itself. You would use this if you need the Password flow to run as a shell
to run the "extended" login methods, but want to limit its own results more narrowly.
-->
<!--
<bean id="shibboleth.authn.Password.ExtendedFlows" class="java.lang.String" c:_0="" />
<util:list id="shibboleth.authn.Password.ExtendedFlowParameters">
</util:list>
<util:list id="shibboleth.authn.Password.PrincipalOverride">
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
</util:list>
-->
</beans>


@ -0,0 +1,75 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- Servlet context-relative path to wherever your implementation lives. -->
<bean id="shibboleth.authn.RemoteUser.externalAuthnPath" class="java.lang.String"
c:_0="contextRelative:Authn/RemoteUser" />
<!--
Default is to always use the path in the bean above. If you want to determine it
dynamically, define a bean called "shibboleth.authn.RemoteUser.externalAuthnPathStrategy"
of type Function<ProfileRequestContext,String> that returns the path to use.
-->
<!--
Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
You would normally only unset this if you plan to use the authnMethodHeader servlet parameter to
supply authentication method string(s) from the external authentication system.
-->
<util:constant id="shibboleth.authn.RemoteUser.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />
<!--
<bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
c:_0="^(.+)@example\.edu]$" />
-->
<!--
Define entries here to map error messages returned by external modules and classify them as particular
kinds of errors for use in your templates and as events in flows.
Keys are events to signal, values are error codes.
The examples here just allow external signaling of an exact condition.
If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
-->
<util:map id="shibboleth.authn.RemoteUser.ClassifiedMessageMap">
<entry key="ReselectFlow">
<list>
<value>NoCredentials</value>
</list>
</entry>
<entry key="UnknownUsername">
<list>
<value>UnknownUsername</value>
</list>
</entry>
<entry key="InvalidPassword">
<list>
<value>InvalidPassword</value>
</list>
</entry>
<entry key="ExpiredPassword">
<list>
<value>ExpiredPassword</value>
</list>
</entry>
<entry key="ExpiringPassword">
<list>
<value>ExpiringPassword</value>
</list>
</entry>
</util:map>
</beans>
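Review bot: The commented matchExpression at L1470-L1471 carries a stray `]` — `^(.+)@example\.edu]$` only matches usernames that literally end in `edu]`, so whoever uncomments it to restrict accepted identities gets a pattern that rejects everything they meant to allow; it should read `c:_0="^(.+)@example\.edu$"`. This flow takes its principal from whatever the servlet behind `contextRelative:Authn/RemoteUser` (L1456-L1457) reports, so the match expression and the ClassifiedMessageMap are the only IdP-side filtering. Whether the RemoteUser flow is enabled for this fixture is decided in a properties file not visible here; a comment above L1456 such as `<!-- Fixture note: the identity returned by this path is trusted as-is; keep the flow disabled unless the container sets REMOTE_USER itself. -->` would make that intent explicit.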


@ -0,0 +1,63 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- Check getRemoteUser() for identity (the typical case). -->
<util:constant id="shibboleth.authn.RemoteUser.checkRemoteUser" static-field="java.lang.Boolean.TRUE"/>
<!-- Populate one or both of the lists below to define HTTP headers or Servlet Attributes to check. -->
<util:list id="shibboleth.authn.RemoteUser.checkHeaders">
<!--
<value>User-Identity</value>
-->
</util:list>
<util:list id="shibboleth.authn.RemoteUser.checkAttributes">
<!--
<value>User-Identity</value>
-->
</util:list>
<!-- Simple transforms to apply to username before validation. -->
<util:constant id="shibboleth.authn.RemoteUser.Lowercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.authn.RemoteUser.Uppercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.authn.RemoteUser.Trim" static-field="java.lang.Boolean.TRUE"/>
<!-- Apply any regular expression replacement pairs before validation. -->
<util:list id="shibboleth.authn.RemoteUser.Transforms">
<!--
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
-->
</util:list>
<!-- Uncomment/configure to install username whitelist, blacklist, and/or match expressions. -->
<util:list id="shibboleth.authn.RemoteUser.whitelistedUsernames">
<!--
<value>goodguy</value>
-->
</util:list>
<util:list id="shibboleth.authn.RemoteUser.blacklistedUsernames">
<!--
<value>badguy</value>
-->
</util:list>
<!--
<bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
c:_0="^(.+)@example\.edu]$" />
-->
</beans>
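Review bot: `checkHeaders` and `checkAttributes` (L1527-L1536) are left empty, which is what keeps a client-supplied `User-Identity` header from becoming an authenticated principal, and that consequence deserves a comment next to the list, e.g. `<!-- Any header named here is trusted verbatim: the fronting web server must strip it from inbound client requests before it is enabled. -->`. The commented matchExpression at L1559-L1560 also has the stray `]` in `^(.+)@example\.edu]$` that makes the example unusable as written; `^(.+)@example\.edu$` is what was meant.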


@ -0,0 +1,74 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- General Configuration -->
<!--
Enforce running SPNEGO for all users, independent of user's autologin state.
TRUE means that SPNEGO login is always tried (if available).
FALSE means that SPNEGO login is run only if the user has enabled autologin.
-->
<util:constant id="shibboleth.authn.SPNEGO.EnforceRun" static-field="java.lang.Boolean.FALSE" />
<!-- Kerberos Configuration-->
<!-- General Kerberos Settings -->
<util:constant id="shibboleth.authn.SPNEGO.Krb5.RefreshConfig" static-field="java.lang.Boolean.FALSE" />
<!-- Kerberos Service Principal(s) -->
<!--
For each service principal/realm, a "RealmSettings" bean must be created.
For each "RealmSettings" bean, the following settings are supported:
p:servicePrincipal: - kerberos service principal (required)
p:keytab: - path to the keytab file containing the kerberos service principal's credentials
(optional; either "p:keytab" or "p:password" is required)
p:password: - kerberos service principal's password
(optional; either "p:keytab" or "p:password" is required)
-->
<util:list id="shibboleth.authn.SPNEGO.Krb5.Realms">
<bean parent="shibboleth.KerberosRealmSettings"
p:servicePrincipal="HTTP/aai-logon.domain_a.com@DOMAIN_A.COM"
p:keytab="%{idp.home}/credentials/http_domainA.keytab" />
</util:list>
<!--
<bean id="shibboleth.authn.SPNEGO.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
c:_0="^(.+)@example\.edu]$" />
-->
<!--
Define entries here to map events or error messages returned by the SPNEGO module
and classify them as particular kinds of errors for use in your templates and as
events in flows.
Keys are events to signal, values are error codes.
-->
<util:map id="shibboleth.authn.SPNEGO.ClassifiedMessageMap">
<entry key="SPNEGONotAvailable">
<list>
<value>SPNEGONotAvailable</value>
</list>
</entry>
<entry key="NTLMUnsupported">
<list>
<value>NTLMUnsupported</value>
</list>
</entry>
</util:map>
</beans>
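Review bot: The realm bean at L1600-L1602 is live, not commented out, and points at the placeholder principal `HTTP/aai-logon.domain_a.com@DOMAIN_A.COM` with a keytab `%{idp.home}/credentials/http_domainA.keytab` that nothing in this hunk provides; if the SPNEGO flow were ever enabled in idp.properties (not visible here) the IdP would most likely fail to initialise on the missing keytab. Either wrap the bean in the same `<!-- -->` the surrounding examples use, or add `<!-- Placeholder only: SPNEGO is not enabled for this fixture and no keytab is shipped. -->` above L1599 so the next reader knows it is inert.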


@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- Servlet context-relative path to wherever your implementation lives. -->
<bean id="shibboleth.authn.X509.externalAuthnPath" class="java.lang.String"
c:_0="contextRelative:x509-prompt.jsp" />
<!--
Default is to always use the path in the bean above. If you want to determine it
dynamically, define a bean called "shibboleth.authn.X509.externalAuthnPathStrategy"
of type Function<ProfileRequestContext,String> that returns the path to use.
-->
<!--
Define entries here to map error messages returned by external modules and classify them as particular
kinds of errors for use in your templates and as events in flows.
Keys are events to signal, values are error codes.
The examples here just allow external signaling of an exact condition.
If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
-->
<util:map id="shibboleth.authn.X509.ClassifiedMessageMap">
<entry key="ReselectFlow">
<list>
<value>NoCredentials</value>
<value>InvalidCredentials</value>
</list>
</entry>
</util:map>
</beans>


@ -0,0 +1,21 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
You can define a TrustEngine to apply to any candidate certificates by defining a bean named
"shibboleth.authn.X509.TrustEngine". You could also define that in conf/global.xml if you need
to share one between the internal and external versions of this flow.
-->
</beans>


@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
A list of attributes to resolve for normalizing the subject. For example, you might
intend to lookup a uid in a directory based on what the user entered. You can make this
an empty list if you just want to resolve everything you normally would.
-->
<util:list id="shibboleth.c14n.attribute.AttributesToResolve">
<value>altuid</value>
</util:list>
<!--
A list of attributes to search for a value to produce as the normalized subject name.
This will normally be something you resolve above.
-->
<util:list id="shibboleth.c14n.attribute.AttributeSourceIds">
<value>altuid</value>
</util:list>
<!-- Simple transforms to apply to attribute value used for canonicalization result. -->
<util:constant id="shibboleth.c14n.attribute.Lowercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.c14n.attribute.Uppercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.c14n.attribute.Trim" static-field="java.lang.Boolean.TRUE"/>
<!-- Apply any regular expression replacement pairs. -->
<util:list id="shibboleth.c14n.attribute.Transforms">
<!--
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
-->
</util:list>
</beans>


@ -0,0 +1,27 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- Simple transforms to apply to username after authentication. -->
<util:constant id="shibboleth.c14n.simple.Lowercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.c14n.simple.Uppercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.c14n.simple.Trim" static-field="java.lang.Boolean.TRUE"/>
<!-- Apply any regular expression replacement pairs after authentication. -->
<util:list id="shibboleth.c14n.simple.Transforms">
<!--
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
-->
</util:list>
</beans>


@ -0,0 +1,22 @@
<flow xmlns="http://www.springframework.org/schema/webflow"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
abstract="true">
<!-- ADVANCED USE ONLY -->
<!--
You can ignore this file unless you are creating your own custom c14n subflows that want to
report custom events in response to unusual error or warning conditions.
-->
<!-- Custom error events to reflect back from user-supplied c14n subflows. -->
<!-- <end-state id="MyCustomEvent" /> -->
<global-transitions>
<!-- <transition on="MyCustomEvent" to="MyCustomEvent" /> -->
<transition on="#{!'proceed'.equals(currentEvent.id)}" to="InvalidEvent" />
</global-transitions>
</flow>


@ -0,0 +1,109 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- ========================= Java Subject -> Principal Mapping ========================= -->
<!--
These are lists of Subject Canonicalization flows that turn complex Subject data into a string-based
principal name that the rest of the IdP can operate on. They're used both after authentication and
during operations like SAML attribute queries, to map the SAML Subject into a principal name.
Flows are identified with an ID that corresponds to a Spring Web Flow subflow name.
-->
<!-- Flows used after authentication to produce canonical principal name. -->
<util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
<!--
This is an advanced post-login step that performs attribute resolution and then produces a username
from an attribute value. Most of this configuration is handled by attribute-sourced-c14n-config.xml.
To enable universally, just uncomment, but if you want it to run under more specific conditions,
set an activationCondition property to a condition function to use to control when it should run.
-->
<!-- <bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" /> -->
<!--
This is an alternative that handles Subjects containing an X500Principal object and
allows extraction from the DN.
-->
<ref bean="c14n/x500" />
<!--
This is the standard post-login step that returns a username derived from the login process. If you
have more complex needs such as mapping a certificate DN into a principal name, an alternative may
be required such as that above, but you can configure simple transforms in simple-subject-c14n-config.xml
-->
<ref bean="c14n/simple" />
</util:list>
<!--
Flows used during SAML requests to reverse-map NameIdentifiers/NameIDs. The actual beans defining these
flows are in a system file. Below the list are some settings that might be useful to adjust.
-->
<util:list id="shibboleth.SAMLSubjectCanonicalizationFlows">
<!--
This is installed to support the old mechanism of using PrincipalConnectors in the attribute resolver
to map SAML Subjects back into principals. If you don't use those (or this is a new install) you can
remove this.
-->
<ref bean="c14n/LegacyPrincipalConnector" />
<!-- The next four are for handling transient IDs (in-storage and stateless variants). -->
<ref bean="c14n/SAML2Transient" />
<ref bean="c14n/SAML2CryptoTransient" />
<ref bean="c14n/SAML1Transient" />
<ref bean="c14n/SAML1CryptoTransient" />
<!-- Handle a SAML 2 persistent ID, provided a stored strategy is in use. -->
<!-- <ref bean="c14n/SAML2Persistent" /> -->
<!--
Finally we have beans for decoding arbitrary SAML formats directly. By default, these are turned off,
having *no* circumstances for which they apply (see shibboleth.TransformNamePredicate below).
-->
<ref bean="c14n/SAML2Transform" />
<ref bean="c14n/SAML1Transform" />
</util:list>
<!-- What SAML NameID formats do you want to support direct transformations for? -->
<util:list id="shibboleth.NameTransformFormats">
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</value>
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</value>
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</value>
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</value>
<value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</value>
</util:list>
<!--
Under what conditions should direct NameID mapping be allowed? By default, never.
Any condition can be used here; the example is suitable for enumerating a number of SPs to allow.
-->
<bean id="shibboleth.NameTransformPredicate" parent="shibboleth.Conditions.RelyingPartyId">
<constructor-arg name="candidates">
<list>
<!-- <value>https://sp.example.org</value> -->
</list>
</constructor-arg>
</bean>
<!--
Regular expression transforms to apply to incoming subject names. The default empty list just
echoes the name through unmodified.
-->
<util:list id="shibboleth.NameTransforms">
<!--
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
-->
</util:list>
</beans>
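Review bot: The comment at L1841-L1842 refers to `shibboleth.TransformNamePredicate`, but the bean that actually gates direct NameID mapping is `shibboleth.NameTransformPredicate` (L1859), so a reader searching for the name in the comment finds nothing; change it to `(see shibboleth.NameTransformPredicate below)`. The empty `candidates` list at L1861-L1863 is what keeps `c14n/SAML2Transform` and `c14n/SAML1Transform` (L1844-L1845) inert, which is the safe default: an SP added there may present a NameID in any of the formats at L1849-L1853 and have it accepted as a principal name, so a comment stating that consequence next to the list would help whoever extends the fixture.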


@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- First priority is given to any subjectAltNames specified (emailAddress is 1) -->
<util:list id="shibboleth.c14n.x500.SubjectAltNameTypes">
<!-- <value>1</value> -->
</util:list>
<!-- Second priority is a list of Certificate Subject RDN OIDs to look for. -->
<util:list id="shibboleth.c14n.x500.ObjectIDs">
<value>2.5.4.3</value>
</util:list>
<!-- Simple transforms to apply to username after authentication. -->
<util:constant id="shibboleth.c14n.x500.Lowercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.c14n.x500.Uppercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.c14n.x500.Trim" static-field="java.lang.Boolean.TRUE"/>
<!-- Apply any regular expression replacement pairs after authentication. -->
<util:list id="shibboleth.c14n.x500.Transforms">
<!--
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
-->
</util:list>
</beans>


@ -0,0 +1,108 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
| The CAS service registry defines verified relying parties by endpoint URI.
| The default implementation treats the ID of each entry as a regular expression defining a logical group of
| services whose URIs match the expression.
|
| This bean is reloaded periodically according to %{idp.home}/conf/services.properties.
-->
<bean id="reloadableServiceRegistry"
class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}">
<property name="definitions">
<list>
<!--
<bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
c:regex="https://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
p:group="proxying-services"
p:authorizedToProxy="true"
p:singleLogoutParticipant="true" />
<bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
c:regex="http://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
p:group="non-proxying-services"
p:authorizedToProxy="false" /
-->
</list>
</property>
</bean>
<!--
| Uncomment this bean if you want to override the default list of CAS service registries.
| The default configuration tries to find the relying party in a SAML metadata source and falls back to
| reloadableServiceRegistry if a match is not found.
-->
<!--<util:list id="shibboleth.CASServiceRegistries">
<ref bean="shibboleth.CASMetadataServiceRegistry" />
<ref bean="shibboleth.CASServiceRegistry" />
</util:list>-->
<!--
| The default ticket service as of 3.3.0 serializes ticket data into the opaque section of the ticket ID
| for service tickets and proxy tickets. Proxy-granting tickets still require server-side storage, and
| a StorageService defined by the idp.cas.StorageService is used. Thus for deployers that do not require
| CAS proxy capabilities, no stateful storage mechanism is required; that means no memcached or database
| is required for HA deployments that want CAS (without proxy) support. A notable limitation of the new
| component is that the one-time use feature of service and proxy tickets is not available due to the lack
| of a ticket-tracking mechanism. Instead, tickets expire when their expiration period is exceeded.
| If this limitation is of concern, one may consider decreasing ticketValidityPeriod on the profile
| configuration from the default 15000ms.
-->
<alias name="encodingTicketService" alias="shibboleth.CASTicketService" />
<!--
| Uncomment the following element and comment out the above to enable the previous default ticket service
| that uses a StorageService for ticket persistence. Use this if the one-time use limitation of
| EncodingTicketService is problematic and can't be mitigated by decreasing ticketValidityPeriod.
-->
<!--<alias name="simpleTicketService" alias="shibboleth.CASTicketService" /> -->
<!--
| The predicate used to determine whether IdP session validation is performed during the process of granting
| a proxy ticket. When the predicate evaluates to true, an IdP session is resolved and validated prior to
| granting a proxy ticket. This feature prevents issuing proxy tickets when an IdP session is expired, but comes
| at the cost of requiring server-side storage of IdP session data. If this is configured to a predicate that
| evaluates to true under any condition, a server-side storage service must be enabled for IdP session
| storage. The most common non-default value is "alwaysTrue."
-->
<bean id="shibboleth.CASProxyValidateIdPSessionPredicate"
class="com.google.common.base.Predicates"
factory-method="alwaysFalse" />
<!--
| Uncomment the following bean if you want to ignore jsessionid artifacts in service URLs.
| Those sorts of URLs are commonly emitted by Java servlet-based web applications.
-->
<!--<bean id="shibboleth.CASServiceComparator"
class="net.shibboleth.idp.cas.service.impl.DefaultServiceComparator"
c:parameterNames="[a-z]+sessionid" />-->
<!--
| Define the list of static certificates that you trust to secure CAS proxy callback endpoints.
| Typically these are CA certificates and apply to _all_ CAS proxy callback endpoints.
| This facility complements the capability to supply relying-party-specific certificates in SAML metadata,
| which is the preferred mechanism to specify CAS proxy trust material. In the case of metadata, self-signed
| certificates are recommended.
-->
<util:list id="shibboleth.CASProxyTrustedCertificates" value-type="java.lang.String">
<!--<value>%{idp.home}/credentials/your_ca.pem</value>-->
</util:list>
<!-- ============== Advanced CAS Configuration ============== -->
<!-- Configure a third-party ticket service. -->
<!--
<bean id="shibboleth.CASTicketService"
class="org.example.idp.cas.CustomTicketService" />
-->
</beans>
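Review bot: The commented example at L1946 ends with `p:authorizedToProxy="false" /` — the closing `>` is missing, so the moment someone uncomments the block to register a CAS service the file stops parsing; it should be `p:authorizedToProxy="false" />`. Separately, `shibboleth.CASProxyValidateIdPSessionPredicate` is `alwaysFalse` (L1986-L1988), so proxy tickets would be issued without checking that the IdP session still exists; with the empty registry at L1935-L1949 nothing is `authorizedToProxy`, so it is moot for the fixture, but a one-line comment saying so would keep the setting from being copied into a real deployment unchanged.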


@ -0,0 +1,68 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
NOTE: if you're using a legacy relying-party.xml file from a V2 configuration, this file is ignored.
This defines the signing and encryption key and certificate pairs referenced by your relying-party.xml
configuration. You don't normally need to touch this, unless you have advanced requirements such as
supporting multiple sets of keys for different relying parties, in which case you may want to define
all your credentials here for convenience.
-->
<!--
The list of ALL of your IdP's signing credentials. If you define additional signing credentials,
for example for specific relying parties or different key types, make sure to include them within this list.
-->
<util:list id="shibboleth.SigningCredentials">
<ref bean="shibboleth.DefaultSigningCredential" />
</util:list>
<!-- Your IdP's default signing key, set via property file. -->
<bean id="shibboleth.DefaultSigningCredential"
class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
p:privateKeyResource="%{idp.signing.key}"
p:certificateResource="%{idp.signing.cert}"
p:entityId-ref="entityID" />
<!-- Your IdP's default client TLS credential, by default the same as the default signing credential. -->
<alias alias="shibboleth.DefaultClientTLSCredential" name="shibboleth.DefaultSigningCredential" />
<!--
The list of ALL of your IdP's encryption credentials. By default this is just an alias
for 'shibboleth.DefaultEncryptionCredentials'. It could be re-defined as
a list with additional credentials if needed.
-->
<alias alias="shibboleth.EncryptionCredentials" name="shibboleth.DefaultEncryptionCredentials" />
<!-- Your IdP's default encryption (really decryption) keys, set via property file. -->
<util:list id="shibboleth.DefaultEncryptionCredentials">
<bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
p:privateKeyResource="%{idp.encryption.key}"
p:certificateResource="%{idp.encryption.cert}"
p:entityId-ref="entityID" />
<!--
For key rollover, uncomment and point to your original keypair, and use the one above
to point to your new keypair. Once metadata has propagated, comment this one out again.
-->
<!--
<bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
p:privateKeyResource="%{idp.encryption.key.2}"
p:certificateResource="%{idp.encryption.cert.2}"
p:entityId-ref="entityID" />
-->
</util:list>
</beans>
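Review bot: Nothing here marks the signing and decryption material resolved from `%{idp.signing.key}` and `%{idp.encryption.key}` (L2046, L2060) as fixture-only; if those files are committed alongside this configuration, which this hunk does not show, they are effectively public, and a header comment such as `<!-- Test fixture: the keys referenced by idp.signing.* / idp.encryption.* are checked in and must never be reused outside the test environment. -->` keeps them from being copied into a real IdP. The alias at L2050 also makes the signing key the client-TLS credential, so the same caveat covers back-channel TLS.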


@ -0,0 +1,122 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<bean id="shibboleth.DefaultErrorView" class="java.lang.String" c:_0="%{idp.errors.defaultView:error}" />
<!-- Map local events to alternate view templates. -->
<util:map id="shibboleth.EventViewMap">
<!-- <entry key="EventToChange" value="viewname" /> -->
</util:map>
<!--
Map of events to trap and handle with local views, without returning to SPs.
The map values are flags indicating whether to write an audit log record.
-->
<util:map id="shibboleth.LocalEventMap">
<entry key="ContextCheckDenied" value="true" />
<entry key="ImpersonationViolation" value="true" />
<entry key="AttributeReleaseRejected" value="true" />
<entry key="TermsRejected" value="true" />
<entry key="RuntimeException" value="false" />
<entry key="InvalidEvent" value="false" />
<!--
<entry key="IdentitySwitch" value="false" />
<entry key="NoPotentialFlow" value="false" />
-->
</util:map>
<!-- Mappings of error events during requests to SAML status codes and SOAP fault codes. -->
<util:map id="shibboleth.SAML1StatusMappings">
<entry key="InvalidMessageVersion" value-ref="shibboleth.SAML1Status.VersionMismatch" />
<entry key="UnableToDecode" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="UnableToEncode" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="MessageReplay" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="MessageExpired" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="MessageAuthenticationError" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="RequestUnsupported" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="NoPassive" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="NoPotentialFlow" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="NoCredentials" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="InvalidCredentials" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="AccountError" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="IdentitySwitch" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="AuthenticationException" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="InvalidSubject" value-ref="shibboleth.SAML1Status.Requester" />
<entry key="SubjectCanonicalizationError" value-ref="shibboleth.SAML1Status.Requester" />
</util:map>
<util:map id="shibboleth.SAML2StatusMappings">
<entry key="InvalidMessageVersion" value-ref="shibboleth.SAML2Status.VersionMismatch" />
<entry key="UnableToDecode" value-ref="shibboleth.SAML2Status.RequestUnsupported" />
<entry key="UnableToEncode" value-ref="shibboleth.SAML2Status.UnsupportedBinding" />
<entry key="MessageReplay" value-ref="shibboleth.SAML2Status.RequestDenied" />
<entry key="MessageExpired" value-ref="shibboleth.SAML2Status.RequestDenied" />
<entry key="MessageAuthenticationError" value-ref="shibboleth.SAML2Status.RequestDenied" />
<entry key="RequestUnsupported" value-ref="shibboleth.SAML2Status.NoAuthnContext" />
<entry key="NoPassive" value-ref="shibboleth.SAML2Status.NoPassive" />
<entry key="NoPotentialFlow" value-ref="shibboleth.SAML2Status.AuthnFailed" />
<entry key="NoCredentials" value-ref="shibboleth.SAML2Status.AuthnFailed" />
<entry key="InvalidCredentials" value-ref="shibboleth.SAML2Status.AuthnFailed" />
<entry key="AccountError" value-ref="shibboleth.SAML2Status.AuthnFailed" />
<entry key="IdentitySwitch" value-ref="shibboleth.SAML2Status.AuthnFailed" />
<entry key="AuthenticationException" value-ref="shibboleth.SAML2Status.AuthnFailed" />
<entry key="InvalidSubject" value-ref="shibboleth.SAML2Status.UnknownPrincipal" />
<entry key="SubjectCanonicalizationError" value-ref="shibboleth.SAML2Status.UnknownPrincipal" />
<entry key="SessionNotFound" value-ref="shibboleth.SAML2Status.UnknownPrincipal" />
<entry key="InvalidNameIDPolicy" value-ref="shibboleth.SAML2Status.InvalidNameIDPolicy" />
<entry key="ChannelBindingsError" value-ref="shibboleth.SAML2Status.ChannelBindingsError" />
</util:map>
<util:map id="shibboleth.SOAPFaultCodeMappings">
<entry key="InvalidMessageVersion" value-ref="shibboleth.SOAP.VersionMismatch" />
<entry key="UnableToDecode" value-ref="shibboleth.SOAP.Client" />
<entry key="MessageReplay" value-ref="shibboleth.SOAP.Client" />
<entry key="MessageExpired" value-ref="shibboleth.SOAP.Client" />
<entry key="MessageAuthenticationError" value-ref="shibboleth.SOAP.Client" />
<entry key="RequestUnsupported" value-ref="shibboleth.SOAP.Client" />
<entry key="NoPassive" value-ref="shibboleth.SOAP.Client" />
<entry key="NoPotentialFlow" value-ref="shibboleth.SOAP.Client" />
<entry key="NoCredentials" value-ref="shibboleth.SOAP.Client" />
<entry key="InvalidCredentials" value-ref="shibboleth.SOAP.Client" />
<entry key="AccountError" value-ref="shibboleth.SOAP.Client" />
<entry key="AuthenticationException" value-ref="shibboleth.SOAP.Client" />
<entry key="InvalidSubject" value-ref="shibboleth.SOAP.Client" />
<entry key="SubjectCanonicalizationError" value-ref="shibboleth.SOAP.Client" />
<entry key="InvalidNameIDPolicy" value-ref="shibboleth.SOAP.Client" />
<entry key="ChannelBindingsError" value-ref="shibboleth.SOAP.Client" />
</util:map>
</beans>


@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- Use this file to define any custom beans needed globally. -->
<!--
Algorithm whitelists and blacklists that override or merge with library defaults. Normally you can leave
these empty or commented and use the system defaults, but you can override those defaults using these lists.
Each <value> element is an algorithm URI, or you can use <util:constant> elements in place of literal values.
-->
<!--
<util:list id="shibboleth.SignatureWhitelist">
</util:list>
<util:list id="shibboleth.SignatureBlacklist">
</util:list>
<util:list id="shibboleth.EncryptionWhitelist">
</util:list>
<util:list id="shibboleth.EncryptionBlacklist">
</util:list>
-->
<!--
If you need to define and inject custom Java object(s) into the various views used throughout the
system (errors, login, logout, etc.), you can uncomment and define the bean below to be of any
type required. It will appear in the view scope as a variable named "custom".
The example below defines the bean as a map, which allows you to inject multiple objects under
named keys to expand the feature to support multiple injected objects.
-->
<!--
<util:map id="shibboleth.CustomViewContext">
<entry key="foo" value="bar"/>
</util:map>
-->
</beans>


@ -0,0 +1,212 @@
# Load any additional property resources from a comma-delimited list
idp.additionalProperties=/conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties
# In most cases (and unless noted in the surrounding comments) the
# commented settings in the distributed files are the default
# behavior for V3.
#
# Uncomment them and change the value to change functionality.
# Set the entityID of the IdP
idp.entityID=https://test.shibboleth.elastic.local/
# Set the file path which backs the IdP's own metadata publishing endpoint at /shibboleth.
# Set to empty value to disable and return a 404.
#idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml
# Set the scope used in the attribute resolver for scoped attributes
idp.scope=test.elastic.co
# General cookie properties (maxAge only applies to persistent cookies)
# Note the default for idp.cookie.secure, you will usually want it set.
#idp.cookie.secure = false
#idp.cookie.httpOnly = true
#idp.cookie.domain =
#idp.cookie.path =
#idp.cookie.maxAge = 31536000
# HSTS/CSP response headers
#idp.hsts = max-age=0
# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing
#idp.frameoptions = DENY
# Content-Security-Policy value, set to match X-Frame-Options default
#idp.csp = frame-ancestors 'none';
# Set the location of user-supplied web flow definitions
#idp.webflows = %{idp.home}/flows
# Set the location of Velocity view templates
#idp.views = %{idp.home}/views
# Settings for internal AES encryption key
#idp.sealer.storeType = JCEKS
#idp.sealer.updateInterval = PT15M
#idp.sealer.aliasBase = secret
idp.sealer.storeResource=%{idp.home}/credentials/sealer.jks
idp.sealer.versionResource=%{idp.home}/credentials/sealer.kver
idp.sealer.storePassword=secret
idp.sealer.keyPassword=secret
# Settings for public/private signing and encryption key(s)
# During decryption key rollover, point the ".2" properties at a second
# keypair, uncomment in credentials.xml, then publish it in your metadata.
idp.signing.key=%{idp.home}/credentials/idp-signing.key
idp.signing.cert=%{idp.home}/credentials/idp-signing.crt
idp.encryption.key=%{idp.home}/credentials/idp-encryption.key
idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
# Sets the bean ID to use as a default security configuration set
#idp.security.config = shibboleth.DefaultSecurityConfiguration
# To downgrade to SHA-1, set to shibboleth.SigningConfiguration.SHA1
#idp.signing.config = shibboleth.SigningConfiguration.SHA256
# To upgrade to AES-GCM encryption, set to shibboleth.EncryptionConfiguration.GCM
# This is unlikely to work for all SPs, but this is a quick way to test them.
#idp.encryption.config = shibboleth.EncryptionConfiguration.CBC
# Configures trust evaluation of keys used by services at runtime
# Defaults to supporting both explicit key and PKIX using SAML metadata.
#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
# To pick only one set to one of:
# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
# To pick only one set to one of:
# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine
# If true, encryption will happen whenever a key to use can be located, but
# failure to encrypt won't result in request failure.
#idp.encryption.optional = false
# Configuration of client- and server-side storage plugins
#idp.storage.cleanupInterval = PT10M
#idp.storage.htmlLocalStorage = false
# Set to true to expose more detailed errors in responses to SPs
#idp.errors.detailed = false
# Set to false to skip signing of SAML response messages that signal errors
#idp.errors.signed = true
# Name of bean containing a list of Java exception classes to ignore
#idp.errors.excludedExceptions = ExceptionClassListBean
# Name of bean containing a property set mapping exception names to views
#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
# Set if a different default view name for events and exceptions is needed
#idp.errors.defaultView = error
# Set to false to disable the IdP session layer
#idp.session.enabled = true
# Set to "shibboleth.StorageService" for server-side storage of user sessions
#idp.session.StorageService = shibboleth.ClientSessionStorageService
# Size of session IDs
#idp.session.idSize = 32
# Bind sessions to IP addresses
#idp.session.consistentAddress = true
# Inactivity timeout
#idp.session.timeout = PT60M
# Extra time to store sessions for logout
#idp.session.slop = PT0S
# Tolerate storage-related errors
#idp.session.maskStorageFailure = false
# Track information about SPs logged into
#idp.session.trackSPSessions = false
# Support lookup by SP for SAML logout
#idp.session.secondaryServiceIndex = false
# Length of time to track SP sessions
#idp.session.defaultSPlifetime = PT2H
# Regular expression matching login flows to enable, e.g. IPAddress|Password
idp.authn.flows=Password
# Default lifetime and timeout of various authentication methods
#idp.authn.defaultLifetime = PT60M
#idp.authn.defaultTimeout = PT30M
# Whether to populate relying party user interface information for display
# during authentication, consent, terms-of-use.
#idp.authn.rpui = true
# Whether to prioritize "active" results when an SP requests more than
# one possible matching login method (V2 behavior was to favor them)
#idp.authn.favorSSO = false
# Whether to fail requests when a user identity after authentication
# doesn't match the identity in a pre-existing session.
#idp.authn.identitySwitchIsError = false
# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
# to key user consent storage records (and set the attribute name)
#idp.consent.attribute-release.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
#idp.consent.attribute-release.userStorageKeyAttribute = uid
#idp.consent.terms-of-use.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
#idp.consent.terms-of-use.userStorageKeyAttribute = uid
# Suffix of message property used as value of consent storage records when idp.consent.compareValues is true.
# Defaults to text displayed to the user.
#idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text
# Flags controlling how built-in attribute consent feature operates
#idp.consent.allowDoNotRemember = true
#idp.consent.allowGlobal = true
#idp.consent.allowPerAttribute = false
# Whether attribute values and terms of use text are compared
#idp.consent.compareValues = false
# Maximum number of consent records for space-limited storage (e.g. cookies)
#idp.consent.maxStoredRecords = 10
# Maximum number of consent records for larger/server-side storage (0 = no limit)
#idp.consent.expandedMaxStoredRecords = 0
# Time in milliseconds to expire consent storage records.
#idp.consent.storageRecordLifetime = P1Y
# Whether to lookup metadata, etc. for every SP involved in a logout
# for use by user interface logic; adds overhead so off by default.
#idp.logout.elaboration = false
# Whether to require logout requests/responses be signed/authenticated.
#idp.logout.authenticated = true
# Message freshness and replay cache tuning
#idp.policy.messageLifetime = PT3M
#idp.policy.clockSkew = PT3M
# Set to custom bean for alternate storage of replay cache
#idp.replayCache.StorageService = shibboleth.StorageService
#idp.replayCache.strict = true
# Toggles whether to allow outbound messages via SAML artifact
#idp.artifact.enabled = true
# Suppresses typical signing/encryption when artifact binding used
#idp.artifact.secureChannel = true
# May differ to direct SAML 2 artifact lookups to specific server nodes
#idp.artifact.endpointIndex = 2
# Set to custom bean for alternate storage of artifact map state
#idp.artifact.StorageService = shibboleth.StorageService
# Comma-delimited languages to use if not match can be found with the
# browser-supported languages, defaults to an empty list.
idp.ui.fallbackLanguages=en,fr,de
# Storage service used by CAS protocol
# Defaults to shibboleth.StorageService (in-memory)
# MUST be server-side storage (e.g. in-memory, memcached, database)
# NOTE that idp.session.StorageService requires server-side storage
# when CAS protocol is enabled
#idp.cas.StorageService=shibboleth.StorageService
# CAS service registry implementation class
#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry
# F-TICKS auditing - set a salt to include hashed username
#idp.fticks.federation=MyFederation
#idp.fticks.algorithm=SHA-256
#idp.fticks.salt=somethingsecret
#idp.fticks.loghost=localhost
#idp.fticks.logport=514
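Review bot: The sealer keystore and key passwords on the `idp.sealer.storePassword=secret` / `idp.sealer.keyPassword=secret` lines are committed in clear with nothing marking them as fixture values, while the rest of the file reads like a production template. A comment immediately above them such as `# Fixture-only credentials; do not reuse outside the idp-fixture docker image.` would stop them being mistaken for a sane default. Relatedly, `idp.cookie.secure` is left at its commented default of `false` although `idp.entityID` is an https URL; that is harmless for a test fixture, but a one-line note saying the fixture is reached without TLS (if that is the case) would make the choice explicit.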


@ -0,0 +1,121 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- Terms of Use configuration -->
<!--
Terms of use is driven by a lookup function returning a key into messages/consent-messages.properties
The default mapping returns the relying party / SP name as the key. The second example below
demonstrates use of a custom mapping table from the relying party name to the key to use.
-->
<alias alias="shibboleth.consent.terms-of-use.Key" name="shibboleth.RelyingPartyIdLookup.Simple" />
<!--
<bean id="shibboleth.consent.terms-of-use.Key"
class="com.google.common.base.Functions" factory-method="compose">
<constructor-arg name="g">
<bean class="com.google.common.base.Functions" factory-method="forMap" c:defaultValue="terms-of-use">
<constructor-arg name="map">
<map>
<entry key="https://sp.example.org/shibboleth" value="example-terms" />
</map>
</constructor-arg>
</bean>
</constructor-arg>
<constructor-arg name="f">
<ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
</constructor-arg>
</bean>
-->
<!-- Attribute Release configuration -->
<!--
Attribute release whitelist, blacklist, and match expressions to determine
whether consent should be obtained for an attribute based on the attribute ID.
-->
<util:list id="shibboleth.consent.attribute-release.WhitelistedAttributeIDs">
<!--
<value>mail</value>
-->
</util:list>
<util:list id="shibboleth.consent.attribute-release.BlacklistedAttributeIDs">
<value>transientId</value>
<value>persistentId</value>
<value>eduPersonTargetedID</value>
</util:list>
<!--
<bean id="shibboleth.consent.attribute-release.MatchExpression" class="java.util.regex.Pattern" factory-method="compile"
c:_0="^exampleAttribute.*$" />
-->
<!--
Customize the order in which attributes are displayed.
Attribute IDs not present in this list will be sorted according to their
natural order and displayed subsequent to any attribute IDs specified here.
-->
<!--
<util:list id="shibboleth.consent.attribute-release.AttributeDisplayOrder">
<value>mail</value>
</util:list>
-->
<!--
These beans define mappings between audit log categories and formatting strings.
-->
<!--
For terms-of-use acceptance, the default entry is :
'YYYYMMDDTHHMMSSZ|TermsAccepted|jdoe|example-tou-1|rHo...rrw=|true'
For terms-of-use refusal, the default entry is :
'YYYYMMDDTHHMMSSZ|TermsRejected|jdoe|example-tou-1|rHo...rrw=|false'
-->
<util:map id="shibboleth.consent.terms-of-use.AuditFormattingMap">
<entry key="Shibboleth-Consent-Audit" value="%T|%SP|%e|%u|%CCI|%CCV|%CCA" />
</util:map>
<!--
For attribute-release consent, the default entry is :
'YYYYMMDDTHHMMSSZ|https://sp.example.org|AttributeReleaseConsent|jdoe|email,eduPersonAffiliation|rHo...rrw=,rHo...rrw=|false,false'
-->
<util:map id="shibboleth.consent.attribute-release.AuditFormattingMap">
<entry key="Shibboleth-Consent-Audit" value="%T|%SP|%e|%u|%CCI|%CCV|%CCA" />
</util:map>
<!--
Specify custom symbolic replacements for attribute names to shrink the size of results saved to client-side storage
such as cookies.
-->
<bean id="shibboleth.consent.AttributeSymbolics" parent="shibboleth.consent.DefaultAttributeSymbolics" lazy-init="true">
<property name="sourceMap">
<map merge="true">
<!--
<entry key="myAttribute" value="900" />
-->
</map>
</property>
</bean>
<!--
Condition to evaluate to apply attribute-release consent to attribute queries.
-->
<bean id="shibboleth.consent.AttributeQuery.Condition" parent="shibboleth.Conditions.FALSE" />
</beans>


@ -0,0 +1,63 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
Condition to evaluate to interrupt SSO flows to check the state of the transaction before allowing.
Typically the flow itself will be activated based on configuration in relying-party.xml, and this controls
whether to proceed if the flow is activated. The most common use for this flow is to check the set of
resolved/filtered attributes and values to see if the user is authorized or provisioned into a service.
-->
<bean id="shibboleth.context-check.Condition" parent="shibboleth.Conditions.AND">
<constructor-arg>
<list>
<bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{{'https://sp.example.org'}}" />
<bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"
p:useUnfilteredAttributes="true">
<property name="attributeValueMap">
<map>
<entry key="eppn">
<list>
<value>*</value>
</list>
</entry>
</map>
</property>
</bean>
</list>
</constructor-arg>
</bean>
<!--
More general purpose approach using a Function that returns either "proceed" or a custom error Event.
This is a cleaner way of applying multiple conditions in different cases or triggering different events.
-->
<!--
<bean id="shibboleth.context-check.Function" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
p:customObject-ref="shibboleth.context-check.Condition">
<constructor-arg>
<value>
<![CDATA[
var event = "proceed";
if (!custom.apply(input)) {
event = "ContextCheckDenied";
}
event;
]]>
</value>
</constructor-arg>
</bean>
-->
</beans>


@ -0,0 +1,31 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
Condition to evaluate to determine if expiring password view should be displayed, false means to notify.
The example uses a built-in class to evaluate an attribute containing a date/time of password expiration.
The format pattern parses the value and the negative offset determines how soon to warn the user beforehand.
-->
<bean id="shibboleth.expiring-password.Condition" class="net.shibboleth.idp.profile.logic.DateAttributePredicate"
c:attribute="passwordExpiration" c:formatString="yyyyMMddHHmmss'T'"
p:resultIfMissing="true" p:offset="-P14D" />
<!-- Name of cookie to track when user was last notified. -->
<bean id="shibboleth.expiring-password.NotifyCookieName" class="java.lang.String" c:_0="shib_idp_exp_pwd" />
<!-- Interval (milliseconds) between notifications, default is 8 hours. -->
<bean id="shibboleth.expiring-password.NotifyInterval" class="java.lang.Long" c:_0="28800000" />
</beans>


@ -0,0 +1,25 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
Names of access control policies defined in access-control.xml to control impersonation.
The general policy runs first and determines whether to offer the impersonation option.
The specific policy runs second and determines whether to allow the requested impersonation.
-->
<bean id="shibboleth.impersonate.GeneralPolicy" class="java.lang.String" c:_0="GeneralImpersonationPolicy" />
<bean id="shibboleth.impersonate.SpecificPolicy" class="java.lang.String" c:_0="SpecificImpersonationPolicy" />
</beans>


@ -0,0 +1,20 @@
<flow xmlns="http://www.springframework.org/schema/webflow"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
abstract="true">
<!-- ADVANCED USE ONLY -->
<!--
You can ignore this file unless you are creating your own custom intercept subflows that want to
report custom events in response to unusual conditions.
-->
<!-- <end-state id="MyCustomEvent" /> -->
<global-transitions>
<!-- <transition on="MyCustomEvent" to="MyCustomEvent" /> -->
<transition on="#{!'proceed'.equals(currentEvent.id)}" to="InvalidEvent" />
</global-transitions>
</flow>


@ -0,0 +1,40 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!--
Intercept flows are used at various injection points to modify processing. This is the master list
of flows available that provide interesting features to deployers, but flows are actually enabled by
specifying them in various profile configuration beans via relying-party.xml
This list of flows is merged with a built-in set defined in a system configuration file, and may be
empty, but should not be removed. You must add your own custom flows to this list if you create any.
-->
<bean id="shibboleth.AvailableInterceptFlows" parent="shibboleth.DefaultInterceptFlows" lazy-init="true">
<property name="sourceList">
<list merge="true">
<bean id="intercept/context-check" parent="shibboleth.InterceptFlow" />
<bean id="intercept/expiring-password" parent="shibboleth.InterceptFlow" />
<bean id="intercept/terms-of-use" parent="shibboleth.consent.TermsOfUseFlow" />
<bean id="intercept/attribute-release" parent="shibboleth.consent.AttributeReleaseFlow" />
<bean id="intercept/impersonate" parent="shibboleth.InterceptFlow" />
</list>
</property>
</bean>
</beans>


@ -0,0 +1,24 @@
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://openldap:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates= %{idp.home}/credentials/ca_server.pem
idp.authn.LDAP.baseDN = ou=people,DC=oldap,DC=test,DC=elasticsearch,DC=com
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,DC=oldap,DC=test,DC=elasticsearch,DC=com
idp.authn.LDAP.bindDNCredential = NickFuryHeartsES
idp.authn.LDAP.dnFormat = uid=%s,ou=people,DC=oldap,DC=test,DC=elasticsearch,DC=com
idp.attribute.resolver.LDAP.ldapURL = ldap://openldap:389
idp.attribute.resolver.LDAP.useStartTLS = false
idp.attribute.resolver.LDAP.sslConfig = certificateTrust
idp.attribute.resolver.LDAP.trustCertificates= %{idp.home}/credentials/ca_server.pem
idp.attribute.resolver.LDAP.baseDN = ou=people,DC=oldap,DC=test,DC=elasticsearch,DC=com
idp.attribute.resolver.LDAP.subtreeSearch = true
idp.attribute.resolver.LDAP.userFilter = (uid={user})
idp.attribute.resolver.LDAP.bindDN = cn=admin,DC=oldap,DC=test,DC=elasticsearch,DC=com
idp.attribute.resolver.LDAP.bindDNCredential = NickFuryHeartsES
idp.attribute.resolver.LDAP.dnFormat = uid=%s,ou=people,DC=oldap,DC=test,DC=elasticsearch,DC=com
idp.attribute.resolver.LDAP.searchFilter = (uid={user})
idp.attribute.resolver.LDAP.connectTimeout = 5
idp.attribute.resolver.LDAP.responseTimeout = 5
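Review bot: `idp.authn.LDAP.useStartTLS = false` combined with the `ldap://openldap:389` URL means the IdP binds to openldap in cleartext, so the `sslConfig = certificateTrust` and `trustCertificates` entries on the two following lines are never exercised; the resolver block starting at `idp.attribute.resolver.LDAP.ldapURL` has the same shape. That is presumably deliberate on the compose network, but the file carries no comments at all, so a header like `# Test fixture only: plaintext LDAP on the compose network (no StartTLS); the sslConfig/trustCertificates entries are inert and the bind credential is a fixture value.` would keep it from being copied as a working TLS example. The bare `5` for `connectTimeout`/`responseTimeout` may be interpreted as milliseconds rather than seconds depending on the IdP version; confirm the intended unit, since a 5 ms timeout would make attribute resolution flaky. The bind DN is the directory admin (`cn=admin,...`); a read-only service account would be the least-privilege choice even in a fixture, if the tests do not depend on that DN.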


@ -0,0 +1,124 @@
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<!--
Variables for simplifying logging configuration.
http://logback.qos.ch/manual/configuration.html#variableSubstitution
-->
<!--
If you want to use custom properties in this config file,
we load the main property file for you.
-->
<variable file="${idp.home}/conf/idp.properties" />
<!-- Location and retention. -->
<variable name="idp.logfiles" value="${idp.logfiles:-${idp.home}/logs}" />
<variable name="idp.loghistory" value="${idp.loghistory:-180}" />
<!-- Much higher performance if you operate on DEBUG. -->
<!-- <variable name="idp.process.appender" value="ASYNC_PROCESS" /> -->
<!-- Logging level shortcuts. -->
<variable name="idp.loglevel.idp" value="${idp.loglevel.idp:-INFO}" />
<variable name="idp.loglevel.ldap" value="${idp.loglevel.ldap:-WARN}" />
<variable name="idp.loglevel.messages" value="${idp.loglevel.messages:-INFO}" />
<variable name="idp.loglevel.encryption" value="${idp.loglevel.encryption:-INFO}" />
<variable name="idp.loglevel.opensaml" value="${idp.loglevel.opensaml:-INFO}" />
<variable name="idp.loglevel.props" value="${idp.loglevel.props:-INFO}" />
<variable name="idp.loglevel.httpclient" value="${idp.loglevel.httpclient:-INFO}" />
<!-- Don't turn these up unless you want a *lot* of noise. -->
<variable name="idp.loglevel.spring" value="${idp.loglevel.spring:-ERROR}" />
<variable name="idp.loglevel.container" value="${idp.loglevel.container:-ERROR}" />
<variable name="idp.loglevel.xmlsec" value="${idp.loglevel.xmlsec:-INFO}" />
<!-- =========================================================== -->
<!-- ============== Logging Categories and Levels ============== -->
<!-- =========================================================== -->
<!-- Logs IdP, but not OpenSAML, messages -->
<logger name="net.shibboleth.idp" level="${idp.loglevel.idp}"/>
<!-- Logs OpenSAML, but not IdP, messages -->
<logger name="org.opensaml.saml" level="${idp.loglevel.opensaml}"/>
<!-- Logs LDAP related messages -->
<logger name="org.ldaptive" level="${idp.loglevel.ldap}"/>
<!-- Logs embedded HTTP client messages -->
<logger name="org.apache.http" level="${idp.loglevel.httpclient}"/>
<!-- Logs inbound and outbound protocols messages at DEBUG level -->
<logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages}" />
<!-- Logs unencrypted SAML at DEBUG level -->
<logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption}" />
<!-- Logs system properties during startup at DEBUG level -->
<logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props}" />
<!-- Especially chatty. -->
<logger name="net.shibboleth.idp.saml.attribute.mapping" level="INFO" />
<logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec}" />
<logger name="org.springframework" level="${idp.loglevel.spring}"/>
<logger name="org.apache.catalina" level="${idp.loglevel.container}"/>
<logger name="org.eclipse.jetty" level="${idp.loglevel.container}"/>
<!-- =========================================================== -->
<!-- ============== Low Level Details or Changes =============== -->
<!-- =========================================================== -->
<!-- Process log. -->
<appender name="IDP_PROCESS" class="ch.qos.logback.core.ConsoleAppender">
<encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
<charset>UTF-8</charset>
<Pattern>%date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
</encoder>
<!-- Ignore Velocity status page error. -->
<filter class="ch.qos.logback.core.filter.EvaluatorFilter">
<evaluator>
<matcher>
<Name>VelocityStatusMatcher</Name>
<regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
</matcher>
<expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
</evaluator>
<OnMatch>DENY</OnMatch>
</filter>
</appender>
<appender name="ASYNC_PROCESS" class="ch.qos.logback.classic.AsyncAppender">
<appender-ref ref="IDP_PROCESS" />
<discardingThreshold>0</discardingThreshold>
</appender>
<!-- F-TICKS syslog destination. -->
<appender name="IDP_FTICKS" class="ch.qos.logback.classic.net.SyslogAppender">
<syslogHost>${idp.fticks.loghost:-localhost}</syslogHost>
<port>${idp.fticks.logport:-514}</port>
<facility>AUTH</facility>
<suffixPattern>[%thread] %logger %msg</suffixPattern>
</appender>
<logger name="Shibboleth-Audit" level="ALL">
<appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/>
</logger>
<logger name="Shibboleth-FTICKS" level="ALL" additivity="false">
<appender-ref ref="${idp.fticks.appender:-IDP_FTICKS}"/>
</logger>
<logger name="Shibboleth-Consent-Audit" level="ALL">
<appender-ref ref="${idp.consent.appender:-IDP_CONSENT_AUDIT}"/>
</logger>
<root level="${idp.loglevel.root:-INFO}">
<appender-ref ref="${idp.process.appender:-IDP_PROCESS}"/>
<appender-ref ref="${idp.warn.appender:-IDP_WARN}" />
</root>
</configuration>
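Review bot: The `Shibboleth-Audit`, `Shibboleth-Consent-Audit` and root loggers reference appenders `IDP_AUDIT`, `IDP_CONSENT_AUDIT` and `IDP_WARN` that this file never declares (only `IDP_PROCESS`, `ASYNC_PROCESS` and `IDP_FTICKS` exist), so unless `idp.audit.appender`, `idp.consent.appender` and `idp.warn.appender` are overridden in idp.properties logback will report dangling appender references at startup, and the audit records reach the console only by additivity to root in the process-log pattern rather than through a dedicated audit appender. For a console-only fixture the clean fix is to point the three references at the existing appender, e.g. `<appender-ref ref="${idp.audit.appender:-IDP_PROCESS}"/>`, or declare a `ConsoleAppender` named `IDP_AUDIT` with the audit pattern. The `Shibboleth-FTICKS` logger has `additivity="false"` and its `SyslogAppender` targets `localhost:514` inside the container where nothing listens; that is harmless for UDP syslog but deserves `<!-- F-TICKS export is inert in the fixture: no syslog listener in the container -->` so the stock block is not mistaken for a working export.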


@ -0,0 +1,78 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- This file is an EXAMPLE metadata configuration file. -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
xmlns:resource="urn:mace:shibboleth:2.0:resource"
xmlns:security="urn:mace:shibboleth:2.0:security"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
<!-- ========================================================================================== -->
<!-- Metadata Configuration -->
<!-- -->
<!-- Below you place the mechanisms which define how to load the metadata for SP(s) you will -->
<!-- provide service to. -->
<!-- -->
<!-- Two examples are provided. The Shibboleth Documentation at -->
<!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration -->
<!-- provides more details. -->
<!-- -->
<!-- NOTE. This file SHOULD NOT contain the metadata for this IdP. -->
<!-- ========================================================================================== -->
<!--
Example HTTP metadata provider. Use this if you want to download the metadata
from a remote source.
You *MUST* provide the SignatureValidationFilter in order to function securely.
Get the public key certificate from the party publishing the metadata, and validate
it with them via some out of band mechanism (e.g., a fingerprint on a secure page).
The EntityRoleWhiteList saves memory by only loading metadata from SAML roles
that the IdP needs to interoperate with.
-->
<!--
<MetadataProvider id="HTTPMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
metadataURL="http://WHATEVER">
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
<MetadataFilter xsi:type="EntityRoleWhiteList">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>
-->
<!--
Example file metadata provider. Use this if you want to load metadata
from a local file. You might use this if you have some local SPs
which are not "federated" but you wish to offer a service to.
If you do not provide a SignatureValidation filter, then you have the
responsibility to ensure that the contents on disk are trustworthy.
-->
<!--
<MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
-->
<!--
Example CAS metadata source.
-->
<!--
<MetadataProvider id="CasMetadata"
xsi:type="FilesystemMetadataProvider"
metadataFile="PATH_TO_YOUR_METADATA"
indexesRef="shibboleth.CASMetadataIndices" />
-->
</MetadataProvider>
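Review bot: Every provider inside the `ChainingMetadataProvider` is commented out, so this IdP loads no SP metadata at all; that only works if the relying-party configuration added elsewhere in this commit deliberately serves unverified SPs, which is not visible in this file. Since the file is now fixture configuration rather than the stock sample, replace the "This file is an EXAMPLE" banner with a comment stating the intent, along the lines of `<!-- Fixture: no SP metadata is loaded on purpose; SP trust is handled by the relying-party configuration -->`, adjusted to whatever mechanism the tests actually rely on, so the empty chain is not treated as an omission later.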


@ -0,0 +1,37 @@
# Properties involving SAML NameIdentifier/NameID generation/consumption
# For the most part these settings only deal with "transient" and "persistent"
# identifiers. See saml-nameid.xml and c14n/subject-c14n.xml for advanced
# settings
# Comment out to disable legacy NameID generation via Attribute Resolver
#idp.nameid.saml2.legacyGenerator = shibboleth.LegacySAML2NameIDGenerator
#idp.nameid.saml1.legacyGenerator = shibboleth.LegacySAML1NameIdentifierGenerator
# Default NameID Formats to use when nothing else is called for.
# Don't change these just to change the Format used for a single SP!
#idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
#idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier
# Set to shibboleth.StoredTransientIdGenerator for server-side transient ID storage
#idp.transientId.generator = shibboleth.CryptoTransientIdGenerator
# Persistent IDs can be computed on the fly with a hash, or managed in a database
# For computed IDs, set a source attribute and a secret salt:
#idp.persistentId.sourceAttribute = changethistosomethingreal
#idp.persistentId.useUnfilteredAttributes = true
# Do *NOT* share the salt with other people, it's like divulging your private key.
#idp.persistentId.algorithm = SHA
#idp.persistentId.salt = changethistosomethingrandom
# BASE64 will match V2 values, we recommend BASE32 encoding for new installs.
idp.persistentId.encoding = BASE32
# To use a database, use shibboleth.StoredPersistentIdGenerator
#idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
# For basic use, set this to a JDBC DataSource bean name:
#idp.persistentId.dataSource = PersistentIdDataSource
# For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore
#idp.persistentId.store = MyPersistentIdStore
# Set to an empty property to skip hash-based generation of first stored ID
#idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator


@ -0,0 +1,64 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- ========================= SAML NameID Generation ========================= -->
<!--
These generator lists handle NameID/Nameidentifier generation going forward. By default,
transient IDs for both SAML versions are enabled. The commented examples are for persistent IDs
and generating more one-off formats based on resolved attributes. The suggested approach is to
control their use via release of the underlying source attribute in the filter policy rather
than here, but you can set a property on any generator called "activationCondition" to limit
use in the most generic way.
Most of the relevant configuration settings are controlled using properties; an exception is
the generation of arbitrary/custom formats based on attribute information, examples of which
are shown below.
-->
<!-- SAML 2 NameID Generation -->
<util:list id="shibboleth.SAML2NameIDGenerators">
<ref bean="shibboleth.SAML2TransientGenerator" />
<!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
<!--
<ref bean="shibboleth.SAML2PersistentGenerator" />
-->
<!--
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:omitQualifiers="true"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'mail'} }" />
-->
</util:list>
<!-- SAML 1 NameIdentifier Generation -->
<util:list id="shibboleth.SAML1NameIdentifierGenerators">
<ref bean="shibboleth.SAML1TransientGenerator" />
<!--
<bean parent="shibboleth.SAML1AttributeSourcedGenerator"
p:omitQualifiers="true"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'mail'} }" />
-->
</util:list>
</beans>


@ -0,0 +1,65 @@
# Configure the resources to load for various services,
# and the settings for failure handling and auto-reload.
# failFast=true prevents IdP startup if a configuration is bad
# checkInterval = PT0S means never reload (this is the default)
# Global default for fail-fast behavior of most subsystems
# with individual override possible below.
#idp.service.failFast = false
#idp.service.logging.resource = %{idp.home}/conf/logback.xml
#idp.service.logging.failFast = true
idp.service.logging.checkInterval = PT5M
# Set to shibboleth.LegacyRelyingPartyResolverResources with legacy V2 relying-party.xml
#idp.service.relyingparty.resources = shibboleth.RelyingPartyResolverResources
#idp.service.relyingparty.failFast = false
idp.service.relyingparty.checkInterval = PT15M
#idp.service.metadata.resources = shibboleth.MetadataResolverResources
#idp.service.metadata.failFast = false
#idp.service.metadata.checkInterval = PT0S
#idp.service.attribute.resolver.resources = shibboleth.AttributeResolverResources
#idp.service.attribute.resolver.failFast = false
idp.service.attribute.resolver.checkInterval = PT15M
#idp.service.attribute.resolver.maskFailures = true
#idp.service.attribute.resolver.stripNulls = false
#idp.service.attribute.filter.resources = shibboleth.AttributeFilterResources
# NOTE: Failing the filter fast leaves no filters enabled.
#idp.service.attribute.filter.failFast = false
idp.service.attribute.filter.checkInterval = PT15M
#idp.service.attribute.filter.maskFailures = true
#idp.service.nameidGeneration.resources = shibboleth.NameIdentifierGenerationResources
#idp.service.nameidGeneration.failFast = false
idp.service.nameidGeneration.checkInterval = PT15M
#idp.service.access.resources = shibboleth.AccessControlResources
#idp.service.access.failFast = true
idp.service.access.checkInterval = PT5M
#idp.service.cas.registry.resources = shibboleth.CASServiceRegistryResources
#idp.service.cas.registry.failFast = false
idp.service.cas.registry.checkInterval = PT15M
#idp.message.resources = shibboleth.MessageSourceResources
#idp.message.cacheSeconds = 300
# Parameters for pre-defined HttpClient instances which perform in-memory and filesystem caching.
# These are used with components such as remote configuration resources that are explicitly wired
# with these client instances, *not* by default with HTTP metadata resolvers.
#idp.httpclient.useSecurityEnhancedTLSSocketFactory = false
#idp.httpclient.connectionDisregardTLSCertificate = false
#idp.httpclient.connectionRequestTimeout = PT1M
#idp.httpclient.connectionTimeout = PT1M
#idp.httpclient.socketTimeout = PT1M
#idp.httpclient.maxConnectionsTotal = 100
#idp.httpclient.maxConnectionsPerRoute = 100
#idp.httpclient.memorycaching.maxCacheEntries = 50
#idp.httpclient.memorycaching.maxCacheEntrySize = 1048576
#idp.httpclient.filecaching.maxCacheEntries = 100
#idp.httpclient.filecaching.maxCacheEntrySize = 10485760
idp.httpclient.filecaching.cacheDirectory = %{idp.home}/tmp/httpClientCache


@ -0,0 +1,100 @@
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- Advanced configuration of services from HTTP.
To use an HTTP resource you first need to configure the Apache HttpClient which will be used
to communicate with the web server. Any HttpClient can be used, but two Factory Beans allow simple
configuration of in-memory or file-based caching clients.
Examples are:
A resource which will be supplied from an in-memory cache for as long as the file on the webserver does not change.
If the webserver becomes unavailable the resource will be unavailable.
<bean id="inMemoryResource" class="net.shibboleth.ext.spring.resource.HTTPResource"
c:client-ref="shibboleth.MemoryCachingHttpClient"
c:url="http://example.org/path/to/file.xml" />
Two resources which will be supplied from an on disk cache (suitable for multiple or large files) for as long
as the file on the webserver does not change. If the webserver becomes unavailable the last used contents
of the file will be returned (even if that was in a previous IdP lifetime).
<bean id="fileResource" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource"
c:client-ref="shibboleth.FileCachingHttpClient"
c:url="http://example.org/path/to/file.xml"
c:backingFile="/var/shibboleth/caches/resourcecache/file.xml"/>
<bean id="otherFileResource" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource"
c:client-ref="shibboleth.FileCachingHttpClient"
c:url="http://another.server.example.org/path/to/different/file.xml"
c:backingFile="/var/shibboleth/caches/resourcecache/differentFile.xml"/>
In all cases you should review the "idp.httpclient.*" properties defined in services.properties
-->
<!--
Otherwise by default we look at resources whose names are derived from %{idp.home}. Services not configured
using native Spring syntax also need to load the property-placeholder file in order to pull settings from
property sources.
-->
<!-- This set of resources supports a native Spring relying-party.xml file. -->
<util:list id="shibboleth.RelyingPartyResolverResources">
<value>%{idp.home}/conf/relying-party.xml</value>
<value>%{idp.home}/conf/credentials.xml</value>
<value>%{idp.home}/system/conf/relying-party-system.xml</value>
</util:list>
<!-- This set of resources supports a legacy 2.x relying-party.xml file. -->
<util:list id="shibboleth.LegacyRelyingPartyResolverResources">
<value>%{idp.home}/conf/relying-party.xml</value>
<value>%{idp.home}/system/conf/legacy-relying-party-defaults.xml</value>
</util:list>
<util:list id="shibboleth.MetadataResolverResources">
<value>%{idp.home}/conf/metadata-providers.xml</value>
<value>%{idp.home}/system/conf/metadata-providers-system.xml</value>
</util:list>
<util:list id ="shibboleth.AttributeResolverResources">
<value>%{idp.home}/conf/attribute-resolver.xml</value>
</util:list>
<util:list id ="shibboleth.AttributeFilterResources">
<value>%{idp.home}/conf/attribute-filter.xml</value>
</util:list>
<util:list id ="shibboleth.NameIdentifierGenerationResources">
<value>%{idp.home}/conf/saml-nameid.xml</value>
<value>%{idp.home}/system/conf/saml-nameid-system.xml</value>
</util:list>
<util:list id="shibboleth.AccessControlResources">
<value>%{idp.home}/conf/access-control.xml</value>
<value>%{idp.home}/system/conf/access-control-system.xml</value>
</util:list>
<util:list id="shibboleth.CASServiceRegistryResources">
<value>%{idp.home}/conf/cas-protocol.xml</value>
</util:list>
<!--
This collection of resources differs slightly in that it should not include the file extension.
Message sources are internationalized, and Spring will search for a compatible language extension
and fall back to one with only a .properties extension.
-->
<util:list id="shibboleth.MessageSourceResources">
<value>%{idp.home}/messages/messages</value>
<value>%{idp.home}/system/messages/messages</value>
</util:list>
</beans>


@ -0,0 +1,29 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- Flows that propagate logout to additional services using supported protocols. -->
<util:list id="shibboleth.LogoutPropagationFlows">
<ref bean="logoutprop/cas" />
<ref bean="logoutprop/saml2" />
</util:list>
<!--
List of client-side storage service plugins. If you use server-side storage and don't need these
services, you can remove or comment out the <ref> elements, but don't remove the list bean or
a default list will be substituted for backward compatibility.
-->
<util:list id="shibboleth.ClientStorageServices">
<ref bean="shibboleth.ClientSessionStorageService" />
<ref bean="shibboleth.ClientPersistentStorageService" />
</util:list>
</beans>


@ -0,0 +1,2 @@
openssl req -x509 -newkey rsa:4096 -nodes -keyout idp-browser.key -out idp-browser.pem -days 10000 -subj "/CN=localhost"
openssl pkcs12 -in idp-browser.pem -inkey idp-browser.key -export -out idp-browser.p12
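Review bot: The `openssl pkcs12 -export` command has no `-passout`, so the script blocks on an interactive password prompt and cannot be re-run unattended to regenerate the fixture; add `-passout pass:...` (or `-passout file:...`) with the value the container's keystore configuration expects. The `req -x509` command with only `/CN=localhost` produces a certificate with no subjectAltName and, by OpenSSL's default for `-x509`, a `CA:TRUE` basic constraint; the CN=localhost certificate committed further down, with a 10000-day validity starting 2019-03-08, appears to be this script's output and to carry that CA flag, so clients that ignore CN (Chrome 58+) will reject it and anything importing it as a trust anchor is trusting a key that can mint arbitrary certificates. With OpenSSL 1.1.1 or later add `-addext "subjectAltName=DNS:localhost,IP:127.0.0.1" -addext "basicConstraints=CA:FALSE"`; older releases need the same via a `-config`/`-extensions` file. Java's default hostname verifier still falls back to CN, which is presumably why the tests pass as written.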


@ -0,0 +1,24 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,26 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,54 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,448E229091A1814C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-----END RSA PRIVATE KEY-----


@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----
MIIFCTCCAvGgAwIBAgIUXgnF25GwdlFAe0byzIYbN3AT2WIwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE5MDMwODIxMTAzMFoXDTQ2MDcy
NDIxMTAzMFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEF
AAOCAg8AMIICCgKCAgEAth/Euk/QuccVqvRBivjqn6T/1KRRxnAeSVnbfaww1XS2
aIj7CjAmuOblA3MPZcnpO9l3xTwcLGCzoel/BopjF6rbQM92U/XcZO3i5p9SrXZ3
tLn0RWbv3+0yN3J8tbsBNsoIoOCdBurBmwRMCtQn+WaX04BIVDOeRRPGrtnQaKGk
vtKigxf5GOLsVlvmb4749MUdtR+PrmtNWpN47MLpMCLEWK0OS1CyAgUyu+ktJCMV
aBX29aHK3y7oIURgFrXtsMWavCtMhGHZYvuKOhfoBszWM6zEC73NyuKX8CewIoRO
HnV+r9SpHuTqVS0Pcrts8TtBcLWCbGUlHl2IYc36tiWw5H0/85im0h62o+b2OXoj
1PV2xSPBQf970YvjJhPu7OIxde3uIGcITWfcMTYINdpuguII0WJnVXbzNnluUoNg
c1QudVfFbNU0M9WexL7JRp3++IZKynuCzJ8g/LAUArt5OetYz8CsGkR9ijd4S42P
9t9DrMb71XWwV8aKxjTcfh2GEYbG/ZRZdZnXyuNrt04uoCrNp8q5yv+xtJeKG2So
PfgpzckpZhk9P4WqSz0JXLn1WweCjEOdJ31NVbGqWjQAPYmGNjb6k0Jf/wdopmtV
UehZUnUg1zeI39JSd189Z9NR/Up7yi/Mn/TVCC8TOouWs4QYcuWal/B1JF2PZlEC
AwEAAaNTMFEwHQYDVR0OBBYEFKSTsih4bvNakB2hY87W4PZj5fK2MB8GA1UdIwQY
MBaAFKSTsih4bvNakB2hY87W4PZj5fK2MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
hvcNAQELBQADggIBACfJSHzEx2fTGFrHDh5DCacixQmK5NDNh8kpQyuTLFyF2LZ+
+iYqEQjd8Mqd3i6NDzv199P9RrrpnKG+SfrIKRff98sHAssxwLXzHTZJePJMWauP
JfCX2wxojPHWa/3cXBcxPQa3T/HAvN4U9GMIziQllmr/7R8LBqtkWBwei7/3lQAH
RYStfdC1ROG4rbrLgVhEKf0SQ8cFcHkrxxTsomVI+8aS9cCLPdKo0N4jaV4hVocv
nD6QpDIFzqpLYYFTRSNK3niJ30pxHbwlzluj9oYQcdX9zS+CkiX6N+ELPcR7J3/h
0Pt7HkII5XU43yf3ApRVodIW2bdEL1i4ccH86gzvoijaJJdGazXXNjnCsL6zuJPT
tLfQEbMHPzGOUnkfVC6eO/4POqXva9cZd+bk+SpbDJCJowOHTpl7U3SEFgttiJXo
N4+BZhHVBhUxjLGXqiZmtaffXeXXuWzVbYj/ve3ymL++hCkh3niqajpdu2cKvRaN
VDNi5tO7nwruMaAmsUi6KJVui8tFB9CtDbK/UTeNfi2xUrFrPUJICyUW7wnb1ayL
w+FPAjV5+OBZ1HOsnP3ktC4e7WWfo/8pENMRPMr62oJS244Docdzg6HCdu2SBSK+
ulX+uylH2rmBDIQ6IAj8cSBYVKyQZFbUCERCoF1KxmChL+49h9cSB0SJTiFa
-----END CERTIFICATE-----


@ -0,0 +1,26 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,39 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,26 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,39 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,2 @@
#Fri Mar 08 13:19:00 UTC 2019
CurrentVersion=1


@ -0,0 +1,121 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This is example metadata only. Do *NOT* supply it as is without review,
and do *NOT* provide it in real time to your partners.
This metadata is not dynamic - it will not change as your configuration changes.
-->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr" entityID="https://test.shibboleth.elastic.local/">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions>
<shibmd:Scope regexp="false">test.elastic.co</shibmd:Scope>
</Extensions>
<!-- First signing certificate is BackChannel, the Second is FrontChannel -->
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" req-attr:supportsRequestedAttributes="true"
Location="https://localhost:4443/idp/profile/SAML2/Redirect/SSO"/>
</IDPSSODescriptor>
</EntityDescriptor>


@ -0,0 +1,96 @@
##
## Velocity Template for Attended Startup Unlock Utility
##
## Velocity context will contain the following properties:
## flowRequestContext - the Spring Web Flow RequestContext
## request - HttpServletRequest
## response - HttpServletResponse
## profileRequestContext
## environment - Spring Environment object for property resolution
## custom - arbitrary object injected by deployer
##
#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service"))
#set ($titleSuffix = $springMacroRequestContext.getMessage("idp.unlock-keys.title", "Attended Restart Key Unlock"))
#set ($eventId = $profileRequestContext.getSubcontext("org.opensaml.profile.context.EventContext").getEvent())
#set ($state = $flowRequestContext.getCurrentState().getId())
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<title>$title - $titleSuffix</title>
<link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
</head>
<body>
<div class="wrapper">
<div class="container">
<header>
<img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
<h3>$title - $titleSuffix</h3>
</header>
<div class="content">
#if ($state == "end")
<strong>#springMessageText("idp.unlock-keys.complete", "The system is unlocked and ready for use.")</strong>
<p><a href="$request.getContextPath()/profile/SAML2/Unsolicited/SSO?providerId=https://sp.example.org/shibboleth">Validation Link</a></p>
#else
#if ($eventId == "InvalidMessage")
<p class="form-element form-error">
#springMessageText("idp.unlock-keys.error", "Unlock failed; check log for specific message.")
</p>
<br/><br/>
#end
<form action="$flowExecutionUrl" method="post">
<!--
If you have multiple key strategies defined, you'll need multiple pairs of form fields for
the passwords, labeled in the order they're fed into the shibboleth.unlock-keys.KeyStrategies
bean. If you have none, remove the fields.
-->
<div class="form-element-wrapper">
<label for="password">#springMessageText("idp.unlock-keys.keystorePassword", "DataSealer Keystore Password")</label>
<input class="form-element form-field" id="password" name="keystorePassword" type="password">
</div>
<div class="form-element-wrapper">
<label for="password">#springMessageText("idp.unlock-keys.keyPassword", "DataSealer Key Password")</label>
<input class="form-element form-field" id="password" name="keyPassword" type="password">
</div>
<!--
If you have multiple private keys defined, you'll need a form field for each passwords, labeled in the order
they're fed into the shibboleth.unlock-keys.Credentials/PrivateKeys beans. If you have none, remove the fields.
-->
<div class="form-element-wrapper">
<label for="password">#springMessageText("idp.unlock-keys.privateKeyPassword", "Private Key Password")</label>
<input class="form-element form-field" id="password" name="privateKeyPassword" type="password">
</div>
<div class="form-element-wrapper">
<button class="form-element form-button" type="submit" name="_eventId_proceed"
>#springMessageText("idp.unlock-keys.unlock", "Unlock")</button>
</div>
<div class="form-element-wrapper">
<button class="form-element form-button" type="submit" name="_eventId_cancel"
>#springMessageText("idp.unlock-keys.cancel", "Cancel")</button>
</div>
</form>
#end
</div>
</div>
<footer>
<div class="container container-footer">
<p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
</div>
</footer>
</div>
</body>
</html>


@ -0,0 +1,53 @@
##
## Velocity template to read from local storage.
##
## Velocity context will contain the following properties
## flowExecutionUrl - the form action location
## flowRequestContext - the Spring Web Flow RequestContext
## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl)
## profileRequestContext - root of context tree
## loadContext - context with details about the storage keys to load
## encoder - HTMLEncoder class
## request - HttpServletRequest
## response - HttpServletResponse
## environment - Spring Environment object for property resolution
#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service"))
#set ($titleSuffix = $springMacroRequestContext.getMessage("idp.client-storage-read.suffix", "Loading Session Information"))
##
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<title>$title - $titleSuffix</title>
<link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
<script>
<!--
#include( "client-storage/local-storage-read.js" )
// -->
</script>
</head>
<body onload="doLoad()">
<div class="wrapper">
<div class="container">
<header>
<h3>$title - $titleSuffix</h3>
</header>
<div class="content">
$springMacroRequestContext.getMessage("idp.client-storage-read.text", "Loading login session information from the browser...")
</div>
<noscript>
<div class="content">
$springMacroRequestContext.getMessage("idp.client-storage.no-js", "Since your browser does not support JavaScript, you must press the Continue button once to proceed.")
</div>
</noscript>
#parse( "client-storage/read.vm" )
</div>
<footer>
<div class="container container-footer">
<p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
</div>
</footer>
</div>
</body>
</html>


@ -0,0 +1,53 @@
##
## Velocity template to write to local storage.
##
## Velocity context will contain the following properties
## flowExecutionUrl - the form action location
## flowRequestContext - the Spring Web Flow RequestContext
## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl)
## profileRequestContext - root of context tree
## saveContext - context with details about the storage data to save
## encoder - HTMLEncoder class
## request - HttpServletRequest
## response - HttpServletResponse
## environment - Spring Environment object for property resolution
#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service"))
#set ($titleSuffix = $springMacroRequestContext.getMessage("idp.client-storage-write.suffix", "Saving Session Information..."))
##
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<title>$title - $titleSuffix</title>
<link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
<script>
<!--
#include( "client-storage/local-storage-write.js" )
// -->
</script>
</head>
<body onload="doSave()">
<div class="wrapper">
<div class="container">
<header>
<h3>$title - $titleSuffix</h3>
</header>
<div class="content">
$springMacroRequestContext.getMessage("idp.client-storage-write.text", "Saving login session information to the browser...")
</div>
<noscript>
<div class="content">
$springMacroRequestContext.getMessage("idp.client-storage.no-js", "Since your browser does not support JavaScript, you must press the Continue button once to proceed.")
</div>
</noscript>
#parse( "client-storage/write.vm" )
</div>
<footer>
<div class="container container-footer">
<p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
</div>
</footer>
</div>
</body>
</html>


@ -0,0 +1,83 @@
##
## Velocity Template for Duo login view-state
##
## Velocity context will contain the following properties
## flowExecutionUrl - the form action location
## flowRequestContext - the Spring Web Flow RequestContext
## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl)
## profileRequestContext - root of context tree
## authenticationContext - context with authentication request information
## rpUIContext - the context with SP UI information from the metadata
## canonicalUsername - name of user passed to Duo
## duoHost - API hostname for Duo frame
## duoRequest - signed Duo request message
## duoScriptPath - path to Duo JavaScript source
## encoder - HTMLEncoder class
## request - HttpServletRequest
## response - HttpServletResponse
## environment - Spring Environment object for property resolution
## custom - arbitrary object injected by deployer
##
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>#springMessageText("idp.title", "Web Login Service")</title>
<link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
<style>
#duo_iframe {
width: 100%;
min-width: 304px;
max-width: 620px;
height: 330px;
}
</style>
</head>
<body>
<div class="wrapper">
<div class="container">
<header>
<img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
</header>
<div class="content">
<div class="column one">
<h3>#springMessageText("idp.login.duoRequired", "Authentication with Duo is required for the requested service.")</h3>
<noscript>#springMessageText("idp.login.duoNoScript", "The Duo service requires JavaScript.")</noscript>
<script src="$request.getContextPath()$duoScriptPath"></script>
<iframe id="duo_iframe"
data-host="$duoHost"
data-sig-request="$duoRequest"
data-post-action="$flowExecutionUrl"
frameborder="0"
>
</iframe>
<form id="duo_form" method="post">
<input type="hidden" name="_eventId" value="proceed" />
</form>
<h3 style="text-align: center">
<a href="$flowExecutionUrl&_eventId=cancel">#springMessageText("idp.login.duoCancel", "Cancel this Request")</a>
</h3>
</div>
<div class="column two">
<ul class="list list-help">
<li class="list-help-item"><a href="#springMessageText("idp.url.helpdesk", "#")"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.needHelp", "Need Help?")</a></li>
</ul>
</div>
</div>
</div>
<footer>
<div class="container container-footer">
<p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
</div>
</footer>
</div>
</body>
</html>


@ -0,0 +1,73 @@
##
## Velocity Template for error end-state
##
## Velocity context will contain the following properties
## flowRequestContext - the Spring Web Flow RequestContext
## profileRequestContext - root of context tree
## encoder - HTMLEncoder class
## request - HttpServletRequest
## response - HttpServletResponse
## environment - Spring Environment object for property resolution
## custom - arbitrary object injected by deployer
##
#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service"))
#set ($defaultTitleSuffix = $springMacroRequestContext.getMessage("idp.title.suffix", "Error"))
##
#if ($flowRequestContext)
## This handles flow events, the most common case.
#set ($eventId = $flowRequestContext.getCurrentEvent().getId())
#set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "error"))
#set ($titleSuffix = $springMacroRequestContext.getMessage("${eventKey}.title", "$defaultTitleSuffix"))
#set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "$defaultTitleSuffix: $eventId"))
#if ($eventId == "AccessDenied" or $eventId == "ContextCheckDenied")
$response.setStatus(403)
#elseif ($eventId == "AttributeReleaseRejected" || $eventId == "TermsRejected")
$response.setStatus(200)
#elseif ($eventKey == "unexpected" || $eventKey == "runtime-error" || $eventKey == "error")
$response.setStatus(500)
#else
$response.setStatus(400)
#end
#elseif ($exception)
## This handles exceptions that reach the Spring-MVC exception handler.
#set ($eventId = $exception.getClass().getSimpleName())
#set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "error"))
#set ($titleSuffix = $springMacroRequestContext.getMessage("${eventKey}.title", "$defaultTitleSuffix"))
#set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "$defaultTitleSuffix: $eventId"))
#else
## This is a catch-all that theoretically shouldn't happen?
#set ($titleSuffix = $defaultTitleSuffix)
#set ($message = $springMacroRequestContext.getMessage("idp.message", "An unidentified error occurred."))
#end
##
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<title>$title - $titleSuffix</title>
<link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
</head>
<body>
<div class="wrapper">
<div class="container">
<header>
<img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
<h3>$title - $titleSuffix</h3>
</header>
<div class="content">
#evaluate($message)
</div>
</div>
<footer>
<div class="container container-footer">
<p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
</div>
</footer>
</div>
</body>
</html>


@ -0,0 +1,159 @@
##
## Velocity Template for DisplayAttributeReleasePage view-state
##
## Velocity context will contain the following properties :
##
## attributeReleaseContext - context holding consentable attributes
## attributeReleaseFlowDescriptor - attribute consent flow descriptor
## attributeDisplayNameFunction - function to display attribute name
## attributeDisplayDescriptionFunction - function to display attribute description
## consentContext - context representing the state of a consent flow
## encoder - HTMLEncoder class
## flowExecutionKey - SWF execution key (this is built into the flowExecutionUrl)
## flowExecutionUrl - form action location
## flowRequestContext - Spring Web Flow RequestContext
## profileRequestContext - OpenSAML profile request context
## request - HttpServletRequest
## response - HttpServletResponse
## rpUIContext - context with SP UI information from the metadata
## environment - Spring Environment object for property resolution
#set ($serviceName = $rpUIContext.serviceName)
#set ($serviceDescription = $rpUIContext.serviceDescription)
#set ($informationURL = $rpUIContext.informationURL)
#set ($privacyStatementURL = $rpUIContext.privacyStatementURL)
#set ($rpOrganizationLogo = $rpUIContext.getLogo())
#set ($rpOrganizationName = $rpUIContext.organizationName)
#set ($replaceDollarWithNewline = true)
##
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/consent.css">
<title>#springMessageText("idp.attribute-release.title", "Information Release")</title>
</head>
<body>
<form action="$flowExecutionUrl" method="post" style="padding:10px" >
<div class="box">
<header>
<img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")" class="federation_logo">
#if ($rpOrganizationLogo)
<img src="$encoder.encodeForHTMLAttribute($rpOrganizationLogo)" alt="logo for $encoder.encodeForHTMLAttribute($serviceName)" class="organization_logo">
#end
</header>
#if ($serviceName)
<p style="margin-top: 70px;">
#springMessageText("idp.attribute-release.serviceNameLabel", "You are about to access the service:")<br>
<span class="service_name">$serviceName</span>
#if ($rpOrganizationName)
#springMessageText("idp.attribute-release.of", "of") <span class="organization_name">$encoder.encodeForHTML($rpOrganizationName)</span>
#end
</p>
#end
#if ($serviceDescription)
<p style="margin-top: 10px;">
#springMessageText("idp.attribute-release.serviceDescriptionLabel", "Description as provided by this service:")<br>
<span class="service_description">$encoder.encodeForHTML($serviceDescription)</span>
<br>
</p>
#end
#if ($informationURL)
<p style="margin-top: 10px;">
<a href="$informationURL">#springMessageText("idp.attribute-release.informationURLLabel", "Additional information about the service")</a>
</p>
#end
<div id="attributeRelease">
<table>
<thead>
<tr>
<th colspan="3">
#springMessageText("idp.attribute-release.attributesHeader", "Information to be Provided to Service")
</th>
</tr>
</thead>
<tbody>
#foreach ($attribute in $attributeReleaseContext.getConsentableAttributes().values())
<tr>
<td>$encoder.encodeForHTML($attributeDisplayNameFunction.apply($attribute))</td>
<td>
#foreach ($value in $attribute.values)
#if ($replaceDollarWithNewline)
#set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue()).replaceAll($encoder.encodeForHTML("$"),"<br>"))
#else
#set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue()))
#end
#if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled)
<label for="$attribute.id"><strong>$encodedValue</strong></label>
#else
<strong>$encodedValue</strong>
#end
<br>
#end
</td>
<td style="vertical-align: top">
#if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled)
#set ($inputType = "checkbox")
#else
#set ($inputType = "hidden")
#end
<input id="$attribute.id" type="$inputType" name="_shib_idp_consentIds" value="$encoder.encodeForHTML($attribute.id)" checked>
</td>
</tr>
#end
</tbody>
</table>
</div>
#if ($privacyStatementURL)
<p style="margin-top: 10px;">
<a href="$privacyStatementURL">#springMessageText("idp.attribute-release.privacyStatementURLLabel", "Data privacy information of the service")</a>
</p>
#end
<div style="float:left;">
<p>
#springMessageText("idp.attribute-release.confirmationQuestion", "The information above would be shared with the service if you proceed. Do you agree to release this information to the service every time you access it?")
</p>
#if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed)
<div id="generalConsentDiv" style="display: block; background-color: #F6F6F6;border: 1px gray solid; padding: 10px; width: 92%;">
#springMessageText("idp.attribute-release.consentMethod", "Select an information release consent duration:")
#end
#if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed)
<p>
<input id="_shib_idp_doNotRememberConsent" type="radio" name="_shib_idp_consentOptions" value="_shib_idp_doNotRememberConsent">
<label for="_shib_idp_doNotRememberConsent">#springMessageText("idp.attribute-release.doNotRememberConsent", "Ask me again at next login")</label>
<ul>
<li>#springMessageText("idp.attribute-release.doNotRememberConsentItem", "I agree to send my information this time.")</li>
</ul>
</p>
#end
#if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed)
<p>
<input id="_shib_idp_rememberConsent" type="radio" name="_shib_idp_consentOptions" value="_shib_idp_rememberConsent" checked>
<label for="_shib_idp_rememberConsent">#springMessageText("idp.attribute-release.rememberConsent", "Ask me again if information changes")</label>
<ul>
<li>#springMessageText("idp.attribute-release.rememberConsentItem", "I agree that the same information will be sent automatically to this service in the future.")</li>
</ul>
</p>
#end
#if ($attributeReleaseFlowDescriptor.globalConsentAllowed)
<p>
<input id="_shib_idp_globalConsent" type="radio" name="_shib_idp_consentOptions" value="_shib_idp_globalConsent">
<label for="_shib_idp_globalConsent">#springMessageText("idp.attribute-release.globalConsent", "Do not ask me again")</label>
<ul>
<li>#springMessageText("idp.attribute-release.globalConsentItem", "I agree that <strong>all</strong> of my information will be released to <strong>any</strong> service.")</li>
</ul>
</p>
#end
#if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed)
#springMessageText("idp.attribute-release.consentMethodRevoke", "This setting can be revoked at any time with the checkbox on the login page.")
</div>
#end
<p style="text-align: center;">
<input type="submit" name="_eventId_AttributeReleaseRejected" value="#springMessageText("idp.attribute-release.reject", "Reject")" style="margin-right: 30px;">
<input type="submit" name="_eventId_proceed" value="#springMessageText("idp.attribute-release.accept", "Accept")">
</p>
</div>
</div>
</form>
</body>
</html>
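Review bot: `$serviceName` is emitted raw in `<span class="service_name">$serviceName</span>` while the rest of this template encodes the same kind of value everywhere else (the organization logo `alt` text, `$rpOrganizationName`, `$serviceDescription`), and `$informationURL` and `$privacyStatementURL` are placed in `href` attributes without `$encoder.encodeForHTMLAttribute`. Per the header these values come from the relying party's metadata, which in this fixture is static, so the practical impact is consistency rather than a live defect, but the fix is a one-token change per site: `<span class="service_name">$encoder.encodeForHTML($serviceName)</span>` and `<a href="$encoder.encodeForHTMLAttribute($informationURL)">` (likewise for the privacy statement link). If this file is an unmodified upstream copy, the header should say so rather than the fixture patching it locally.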


@ -0,0 +1,54 @@
##
## Velocity Template for expiring password view
##
## Velocity context will contain the following properties
## flowExecutionUrl - the form action location
## flowRequestContext - the Spring Web Flow RequestContext
## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl)
## profileRequestContext - root of context tree
## authenticationContext - context with authentication request information
## authenticationErrorContext - context with login error state
## authenticationWarningContext - context with login warning state
## ldapResponseContext - context with LDAP state (if using native LDAP)
## encoder - HTMLEncoder class
## request - HttpServletRequest
## response - HttpServletResponse
## environment - Spring Environment object for property resolution
## custom - arbitrary object injected by deployer
##
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<title>#springMessageText("idp.title", "Web Login Service")</title>
<link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
<meta http-equiv="refresh" content="20;url=$flowExecutionUrl&_eventId_proceed=1">
</head>
<body>
<div class="wrapper">
<div class="container">
<header>
<img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
<h3>#springMessageText("idp.login.expiringSoon", "Your password will be expiring soon!")</h3>
</header>
<div class="content">
<p>#springMessageText("idp.login.changePassword", "To create a new password now, go to")
<strong><a href="#" target="_blank">#</a></strong>.</p>
<p>#springMessageText("idp.login.proceedBegin", "Your login will proceed in 20 seconds or you may click")
<strong><a href="$flowExecutionUrl&_eventId_proceed=1">#springMessageText("idp.login.proceedHere", "here")</a></strong>
#springMessageText("idp.login.proceedEnd", "to continue").</p>
</div>
</div>
<footer>
<div class="container container-footer">
<p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
</div>
</footer>
</div>
</body>
</html>


@ -0,0 +1,90 @@
##
## Velocity Template for expiring password view
##
## Velocity context will contain the following properties
## flowExecutionUrl - the form action location
## flowRequestContext - the Spring Web Flow RequestContext
## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl)
## profileRequestContext - root of context tree
## rpUIContext - the context with SP UI information from the metadata
## encoder - HTMLEncoder class
## request - HttpServletRequest
## response - HttpServletResponse
## environment - Spring Environment object for property resolution
## custom - arbitrary object injected by deployer
##
#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext'))
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<title>#springMessageText("idp.title", "Web Login Service")</title>
<link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
</head>
<body>
<div class="wrapper">
<div class="container">
<header>
<img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
<h3>#springMessageText("idp.impersonate.header", "Account Impersonation")</h3>
</header>
<div class="content">
<form action="$flowExecutionUrl" method="post">
#set ($serviceName = $rpUIContext.serviceName)
#if ($serviceName && !$rpContext.getRelyingPartyId().contains($serviceName))
<legend>
$encoder.encodeForHTML($serviceName)
</legend>
#end
<legend>
#springMessageText("idp.impersonate.text", "Enter an account name to impersonate to this service or continue normally.")
</legend>
<div class="form-element-wrapper">
<label for="impersonation">#springMessageText("idp.impersonate.login-as", "Login as")</label>
<input class="form-element form-field" id="impersonation" name="principal" type="text">
<!-- Defaults to input box above, example below populates a select list from an IdPAttribute. -->
<!--
#set ($attributeContext = $rpContext.getSubcontext('net.shibboleth.idp.attribute.context.AttributeContext'))
#set ($usernamesAttribute = $attributeContext.getUnfilteredIdPAttributes().get("impersonatableUsernames"))
<select class="form-element form-field" id="impersonation" name="principal">
#if ($usernamesAttribute)
#foreach ($username in $usernamesAttribute.getValues())
<option value="$encoder.encodeForHTML($username.getValue())">$encoder.encodeForHTML($username.getValue())</option>
#end
#end
</select>
-->
</div>
<div class="form-element-wrapper">
<button class="form-element form-button" type="submit" name="_eventId_impersonate"
>#springMessageText("idp.impersonate.impersonate", "Impersonate")</button>
</div>
<div class="form-element-wrapper">
<button class="form-element form-button" type="submit" name="_eventId_proceed"
>#springMessageText("idp.impersonate.continue", "Continue Normally")</button>
</div>
</form>
</div>
</div>
<footer>
<div class="container container-footer">
<p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
</div>
</footer>
</div>
</body>
</html>
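Review bot: The inactive `<select>` example in the impersonation form is wrapped in an HTML comment (`<!-- ... -->`), which hides it from the browser but not from Velocity: the `#set` directives inside it still execute, `$attributeContext.getUnfilteredIdPAttributes().get("impersonatableUsernames")` is still evaluated, and any values found are rendered into the page source inside the comment. The login view in this same commit uses a Velocity block comment (`#* ... *#`) for its inactive block, which is the form that actually suppresses evaluation. Replacing the `<!--` line that follows the "Defaults to input box above" comment with `#*` and the matching `-->` with `*#` keeps the example without running it. Whether this matters for the fixture depends on whether an attribute of that name is ever resolved, which is not visible here.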


@ -0,0 +1,67 @@
##
## Velocity Template for DisplayTermsOfUsePage view-state
##
## Velocity context will contain the following properties :
##
## encoder - HTMLEncoder class
## flowExecutionKey - SWF execution key (this is built into the flowExecutionUrl)
## flowExecutionUrl - form action location
## flowRequestContext - Spring Web Flow RequestContext
## request - HttpServletRequest
## response - HttpServletResponse
## rpUIContext - context with SP UI information from the metadata
## termsOfUseId - terms of use ID to lookup message strings
## environment - Spring Environment object for property resolution
#set ($serviceName = $rpUIContext.serviceName)
#set ($rpOrganizationLogo = $rpUIContext.getLogo())
##
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/consent.css">
<title>#springMessageText("${termsOfUseId}.title", "Terms of Use")</title>
</head>
<body>
<div class="box">
<header>
<img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")" class="federation_logo">
#if ($rpOrganizationLogo)
<img src="$encoder.encodeForHTMLAttribute($rpOrganizationLogo)" alt="$encoder.encodeForHTMLAttribute($serviceName)" class="organization_logo">
#end
</header>
#if ($rpOrganizationLogo)
<div style="float:left;">
<h1>#springMessageText("${termsOfUseId}.title", "Terms of Use")</h1>
</div>
#end
<div id="tou-content">
#springMessageText("${termsOfUseId}.text", "Terms of Use Text...")
</div>
<div id="tou-acceptance">
<div style="float:left;">
<form action="$flowExecutionUrl" method="post" >
<input type="submit" name="_eventId_TermsRejected" value="#springMessageText("idp.terms-of-use.reject", "Refuse")" style="margin-right: 30px;">
</form>
</div>
<div style="float:right;">
<form action="$flowExecutionUrl" method="post" >
<input id="accept" type="checkbox" name="_shib_idp_consentIds" value="$encoder.encodeForHTML($termsOfUseId)" required>
<label for="accept">#springMessageText("idp.terms-of-use.accept", "I accept the terms of use")</label>
#if ($requireCheckbox)
<p class="form-error">#springMessageText("idp.terms-of-use.required", "Please check this box if you want to proceed.")</p>
#end
<input type="submit" name="_eventId_proceed" value="#springMessageText("idp.terms-of-use.submit", "Submit")">
</form>
</div>
<div style="clear:both;"></div>
</div>
<footer>
<div class="container container-footer">
<p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
</div>
</footer>
</div>
</body>
</html>


@ -0,0 +1,24 @@
## Velocity Template for login error message production, included by login.vm
##
## authenticationErrorContext - context containing error data, if available
##
#if ($authenticationErrorContext && $authenticationErrorContext.getClassifiedErrors().size() > 0 && $authenticationErrorContext.getClassifiedErrors().iterator().next() != "ReselectFlow")
## This handles errors that are classified by the message maps in the authentication config.
#set ($eventId = $authenticationErrorContext.getClassifiedErrors().iterator().next())
#set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "login"))
#set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "Login Failure: $eventId"))
#elseif ($authenticationErrorContext && $authenticationErrorContext.getExceptions().size() > 0)
## This handles login exceptions that are left unclassified.
#set ($loginException = $authenticationErrorContext.getExceptions().get(0))
#if ($loginException.getMessage())
#set ($message = "Login Failure: $loginException.getMessage()")
#else
#set ($message = $loginException.toString())
#end
#end
#if ($message)
<section>
<p class="form-element form-error">$encoder.encodeForHTML($message)</p>
</section>
#end


@ -0,0 +1,144 @@
##
## Velocity Template for DisplayUsernamePasswordPage view-state
##
## Velocity context will contain the following properties
## flowExecutionUrl - the form action location
## flowRequestContext - the Spring Web Flow RequestContext
## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl)
## profileRequestContext - root of context tree
## authenticationContext - context with authentication request information
## authenticationErrorContext - context with login error state
## authenticationWarningContext - context with login warning state
## ldapResponseContext - context with LDAP state (if using native LDAP)
## rpUIContext - the context with SP UI information from the metadata
## extendedAuthenticationFlows - collection of "extended" AuthenticationFlowDescriptor objects
## passwordPrincipals - contents of the shibboleth.authn.Password.PrincipalOverride bean
## encoder - HTMLEncoder class
## request - HttpServletRequest
## response - HttpServletResponse
## environment - Spring Environment object for property resolution
## custom - arbitrary object injected by deployer
##
#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext'))
#set ($username = $authenticationContext.getSubcontext('net.shibboleth.idp.authn.context.UsernamePasswordContext', true).getUsername())
#set ($passwordEnabled = false)
#if (!$passwordPrincipals or $passwordPrincipals.isEmpty() or $authenticationContext.isAcceptable($passwordPrincipals))
#set ($passwordEnabled = true)
#end
##
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<title>#springMessageText("idp.title", "Web Login Service")</title>
<link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
</head>
<body>
<div class="wrapper">
<div class="container">
<header>
<img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
</header>
<div class="content">
<div class="column one">
#parse("login-error.vm")
<form action="$flowExecutionUrl" method="post">
#set ($serviceName = $rpUIContext.serviceName)
#if ($serviceName && !$rpContext.getRelyingPartyId().contains($serviceName))
<legend>
#springMessageText("idp.login.loginTo", "Login to") $encoder.encodeForHTML($serviceName)
</legend>
#end
#if ($passwordEnabled)
<div class="form-element-wrapper">
<label for="username">#springMessageText("idp.login.username", "Username")</label>
<input class="form-element form-field" id="username" name="j_username" type="text"
value="#if($username)$encoder.encodeForHTML($username)#end">
</div>
<div class="form-element-wrapper">
<label for="password">#springMessageText("idp.login.password", "Password")</label>
<input class="form-element form-field" id="password" name="j_password" type="password" value="">
</div>
## You may need to modify this to taste, such as changing the flow name its checking for to authn/MFA.
#if (!$authenticationContext.getActiveResults().containsKey('authn/Password'))
<div class="form-element-wrapper">
<input type="checkbox" name="donotcache" value="1" id="donotcache">
<label for="donotcache">#springMessageText("idp.login.donotcache", "Don't Remember Login")</label>
</div>
#end
#end
<div class="form-element-wrapper">
<input id="_shib_idp_revokeConsent" type="checkbox" name="_shib_idp_revokeConsent" value="true">
<label for="_shib_idp_revokeConsent">#springMessageText("idp.attribute-release.revoke", "Clear prior granting of permission for release of your information to this service.")</label>
</div>
#if ($passwordEnabled)
<div class="form-element-wrapper">
<button class="form-element form-button" type="submit" name="_eventId_proceed"
onClick="this.childNodes[0].nodeValue='#springMessageText("idp.login.pleasewait", "Logging in, please wait...")'"
>#springMessageText("idp.login.login", "Login")</button>
</div>
#end
#foreach ($extFlow in $extendedAuthenticationFlows)
#if ($authenticationContext.isAcceptable($extFlow) and $extFlow.apply(profileRequestContext))
<div class="form-element-wrapper">
<button class="form-element form-button" type="submit" name="_eventId_$extFlow.getId()">
#springMessageText("idp.login.$extFlow.getId().replace('authn/','')", $extFlow.getId().replace('authn/',''))
</button>
</div>
#end
#end
</form>
#*
//
// SP Description & Logo (optional)
// These idpui lines will display added information (if available
// in the metadata) about the Service Provider (SP) that requested
// authentication. These idpui lines are "active" in this example
// (not commented out) - this extra SP info will be displayed.
// Remove or comment out these lines to stop the display of the
// added SP information.
//
*#
#set ($logo = $rpUIContext.getLogo())
#if ($logo)
<img src= "$encoder.encodeForHTMLAttribute($logo)"
alt="$encoder.encodeForHTMLAttribute($serviceName)">
#end
#set ($desc = $rpUIContext.getServiceDescription())
#if ($desc)
$encoder.encodeForHTML($desc)
#end
</div>
<div class="column two">
<ul class="list list-help">
#if ($passwordEnabled)
<li class="list-help-item"><a href="#springMessageText("idp.url.password.reset", "#")"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li>
#end
<li class="list-help-item"><a href="#springMessageText("idp.url.helpdesk", "#")"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.needHelp", "Need Help?")</a></li>
</ul>
</div>
</div>
</div>
<footer>
<div class="container container-footer">
<p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
</div>
</footer>
</div>
</body>
</html>


@ -0,0 +1,59 @@
##
## Velocity Template for logout flow's concluding view-state (no propagation)
##
## Velocity context will contain the following properties
## flowExecutionUrl - the form action location
## flowRequestContext - the Spring Web Flow RequestContext
## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl)
## profileRequestContext - root of context tree
## logoutContext - context with SPSession details for logout operation
## multiRPContext - context with RelyingPartyContexts and possibly SP UI information from the metadata
## encoder - HTMLEncoder class
## request - HttpServletRequest
## response - HttpServletResponse
## environment - Spring Environment object for property resolution
## custom - arbitrary object injected by deployer
##
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<title>#springMessageText("idp.title", "Web Login Service")</title>
<link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
</head>
<body>
<div class="wrapper">
<div class="container">
<header>
<img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
</header>
<div class="content">
<div class="column one">
<p>#springMessageText("idp.logout.local", "You elected not to log out of all the applications accessed during your session.")</p>
</div>
<div class="column two">
<ul class="list list-help">
<li class="list-help-item"><a href="#springMessageText("idp.url.password.reset", "#")"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li>
<li class="list-help-item"><a href="#springMessageText("idp.url.helpdesk", "#")"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.needHelp", "Need Help?")</a></li>
</ul>
</div>
</div>
</div>
<!-- If SAML logout, complete the flow by adding a hidden iframe. -->
#if ( $profileRequestContext.getProfileId().contains("saml2/logout") )
<iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed"></iframe>
#end
<footer>
<div class="container container-footer">
<p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
</div>
</footer>
</div>
</body>
</html>


@ -0,0 +1,58 @@
##
## Velocity Template for logout flow's concluding view-state (with propagation)
##
## Velocity context will contain the following properties
## flowExecutionUrl - the form action location
## flowRequestContext - the Spring Web Flow RequestContext
## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl)
## profileRequestContext - root of context tree
## logoutContext - context with SPSession details for logout operation
## multiRPContext - context with RelyingPartyContexts and possibly SP UI information from the metadata
## htmlEncoder - HTMLEncoder class
## urlEncoder - urlEncoder class
## codecUtil - CodecUtil class
## request - HttpServletRequest
## response - HttpServletResponse
## environment - Spring Environment object for property resolution
## custom - arbitrary object injected by deployer
##
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<title>#springMessageText("idp.title", "Web Login Service")</title>
<link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
<link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/logout.css">
</head>
<body>
<div class="wrapper">
<div class="container">
<header>
<img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
</header>
<div class="content">
<div class="column one">
<p>#springMessageText("idp.logout.attempt", "Attempting to log out of the following services:")</p>
#parse("logout/propagate.vm")
</div>
<div class="column two">
<ul class="list list-help">
<li class="list-help-item"><a href="#springMessageText("idp.url.password.reset", "#")"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li>
<li class="list-help-item"><a href="#springMessageText("idp.url.helpdesk", "#")"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.needHelp", "Need Help?")</a></li>
</ul>
</div>
</div>
</div>
<footer>
<div class="container container-footer">
<p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
</div>
</footer>
</div>
</body>
</html>


@ -0,0 +1,107 @@
##
## Velocity Template for logout flow's starting view-state
##
## Velocity context will contain the following properties
## flowExecutionUrl - the form action location
## flowRequestContext - the Spring Web Flow RequestContext
## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl)
## profileRequestContext - root of context tree
## logoutContext - context with SPSession details for logout operation
## multiRPContext - context with RelyingPartyContexts and possibly SP UI information from the metadata
## encoder - HTMLEncoder class
## request - HttpServletRequest
## response - HttpServletResponse
## environment - Spring Environment object for property resolution
## custom - arbitrary object injected by deployer
##
#set ($rpContext = $profileRequestContext.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext"))
#if ($rpContext)
#set ($rpUIContext = $rpContext.getSubcontext("net.shibboleth.idp.ui.context.RelyingPartyUIContext"))
#end
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
#if ( $logoutContext and !$logoutContext.getSessionMap().isEmpty() )
<meta http-equiv="refresh" content="10;url=$flowExecutionUrl&_eventId=propagate">
#end
<title>#springMessageText("idp.title", "Web Login Service")</title>
<link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
</head>
<body>
<div class="wrapper">
<div class="container">
<header>
<img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
</header>
<div class="content">
<div class="column one">
<p>This page is displayed when a logout operation at the Identity Provider completes. This page is an example
and should be customized. It is not fully internationalized because the presentation will be a highly localized
decision, and we don't have a good suggestion for a default.</p>
<br>
#if ($rpContext)
<p>#springMessageText("idp.logout.sp-initiated", "You have been logged out of the following service:")</p>
<blockquote>
#if ($rpUIContext)
$encoder.encodeForHTML($rpUIContext.getServiceName())
#else
$encoder.encodeForHTML($rpContext.getRelyingPartyId())
#end
</blockquote>
<br>
#end
#if ( $logoutContext and !$logoutContext.getSessionMap().isEmpty() )
<p>#springMessageText("idp.logout.ask", "Would you like to attempt to log out of all services accessed during your session? Please select <strong>Yes</strong> or <strong>No</strong> to ensure the logout operation completes, or wait a few seconds for Yes.")</p>
<br>
<form id="propagate_form" method="POST" action="$flowExecutionUrl">
<button id="propagate_yes" type="submit" name="_eventId" value="propagate">Yes</button>
<button id="propagate_no" type="submit" name="_eventId" value="end">No</button>
</form>
<br>
<p>#springMessageText("idp.logout.contactServices", "If you proceed, the system will attempt to contact the following services:")</p>
<ol>
#foreach ($sp in $logoutContext.getSessionMap().keySet())
#set ($rpCtx = $multiRPContext.getRelyingPartyContextById($sp))
#if ($rpCtx)
#set ($rpUIContext = $rpCtx.getSubcontext("net.shibboleth.idp.ui.context.RelyingPartyUIContext"))
#end
#if ($rpUIContext and $rpUIContext.getServiceName())
<li>$encoder.encodeForHTML($rpUIContext.getServiceName())</li>
#else
<li>$encoder.encodeForHTML($sp)</li>
#end
#end
</ol>
#else
<p><strong>#springMessageText("idp.logout.complete", "The logout operation is complete, and no other services appear to have been accessed during this session.")</strong></p>
<!-- Complete the flow by adding a hidden iframe. -->
<iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed"></iframe>
#end
</div>
<div class="column two">
<ul class="list list-help">
<li class="list-help-item"><a href="#springMessageText("idp.url.password.reset", "#")"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li>
<li class="list-help-item"><a href="#springMessageText("idp.url.helpdesk", "#")"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.needHelp", "Need Help?")</a></li>
</ul>
</div>
</div>
</div>
<footer>
<div class="container container-footer">
<p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
</div>
</footer>
</div>
</body>
</html>


@ -0,0 +1,49 @@
##
## Velocity Template for SPNEGO unauthorized page
##
## This is not a Spring Webflow view, but a special view internal to the
## SPNEGO login flow, so it doesn't contain all of the usual SWF variables.
##
## Velocity context will contain the following properties
## encoder - HTMLEncoder class
## request - HttpServletRequest
## response - HttpServletResponse
## profileRequestContext - root of context tree
## errorUrl - URL to call to indicate error and return back to the login flow
##
#set ($eventKey = $springMacroRequestContext.getMessage("SPNEGOUnavailable", "spnego-unavailable"))
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<title>#springMessageText("idp.title", "Web Login Sevice") - #springMessageText("${eventKey}.title", "Error")</title>
<link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
</head>
<body onload="window.location = '$errorUrl'">
<div class="wrapper">
<div class="container">
<header>
<img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
<h3>#springMessageText("idp.title", "Web Login Sevice") - #springMessage("idp.title.suffix", "Error")</h3>
</header>
<div class="content">
#springMessageText("${eventKey}.message", "Your web browser doesn't support authentication with your desktop login credentials.")
<ul class="list list-help">
<li class="list-help-item">
<a href="$errorUrl"><span class="item-marker">&rsaquo;</span> #springMessageText("spnego-unavailable.return", "Cancel the attempt.")</a>
</li>
</ul>
</div>
</div>
<footer>
<div class="container container-footer">
<p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
</div>
</footer>
</div>
</body>
</html>


@ -0,0 +1,60 @@
##
## Velocity Template for user preferences view
##
## Velocity context will contain the following properties
## request - HttpServletRequest
## response - HttpServletResponse
## environment - Spring Environment object for property resolution
## custom - arbitrary object injected by deployer
##
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<title>#springMessageText("idp.userprefs.title", "Web Login Service") - #springMessageText("idp.userprefs.title.suffix", "Login Preferences")</title>
<link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
<script language="Javascript">
<!--
#parse( "user-prefs.js" )
// -->
</script>
</head>
<body onLoad="document.getElementById('content').style.display='block'; load('spnego')">
<div class="wrapper">
<div class="container">
<header>
<img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
<h3>#springMessageText("idp.title", "Web Login Service") - #springMessageText("idp.userprefs.title.suffix", "Login Preferences")</h3>
<p>
#springMessage("idp.userprefs.info")
</p>
</header>
<noscript>
<div id="content" class="content">
$springMacroRequestContext.getMessage("idp.userprefs.no-js", "This feature requires Javascript.")
</div>
</noscript>
<div id="content" class="content" style="display:none">
<div class="form-element-wrapper">
<h4>#springMessageText("idp.userprefs.options", "The following options are available:")</h4>
</div>
<div class="form-element-wrapper">
<input type="checkbox" id="spnego" name="_idp_spnego_autologin" value="1" onClick="check(this)">
#springMessageText("idp.userprefs.spnego", "Automatically try desktop login when available.")
</div>
</div>
</div>
<footer>
<div class="container container-footer">
<p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
</div>
</footer>
</div>
</body>
</html>


@ -0,0 +1,150 @@
.box {
width:600px;
margin-left: auto;
margin-right: auto;
margin-top: 50px;
background-color: white;
-webkit-box-shadow: 1px 1px 15px #999999;
-moz-box-shadow: 1px 1px 15px #999999;
box-shadow: 1px 1px 15px #999999;
-webkit-border-radius: 8px;
-moz-border-radius: 8px;
border-radius: 8px;
overflow: auto;
padding: 1.268em;
}
body {
font-family:Verdana, Geneva, sans-serif;
font-size: 12px;
}
h1 {
font-size: 13px;
padding-bottom: 12px;
}
a {
color: #00247D;
text-decoration: underline;
}
a:visited {
color: #00247D;
text-decoration: underline;
}
a:focus, a:hover, a:active {
color: #F39800;
text-decoration: underline;
}
#tou-content {
font-family:monospace;
width: 95%;
border: solid 1px #666;
margin: 4px;
padding: 10px;
overflow: hidden;
}
#tou-content li{
margin-bottom:10px;
}
#tou-acceptance {
width: 95%;
border: solid 1px #666;
background-color: #F0F0F0;
margin: 4px;
padding: 10px;
text-align: left;
overflow: hidden;
}
.service_name {
font-weight: bold;
}
.service_description {
font-style: italic;
}
.organization_name {
}
#attributeRelease-consent {
width: 95%;
border: solid 1px #666;
background-color: #F0F0F0;
margin: 4px;
overflow: hidden;
}
#attributeRelease {
width: 95%;
margin: 4px;
border: solid 1px black;
overflow: auto;
}
#attributeRelease table {
border-collapse: collapse;
border: none 0px white;
width: 100%;
}
#attributeRelease td {
padding: 3px 7px;
vertical-align: top;
}
#attributeRelease th {
text-align: left;
font-size: 18px;
padding: 5px 7px;
background-color:#00247D;
color: white;
}
#attributeRelease tr:nth-of-type(even) {
background-color: #E4E5E3;
}
.federation_logo
{
width: 50%;
float: left;
padding-top: 35px;
border: 0;
}
.organization_logo
{
width: 50%;
float: right;
border: 0;
}
.form-error {
padding: 0;
color: #B61601;
}
/* Device specific styles */
@media only screen and (max-device-width: 721px){
.box {
width: auto;
box-shadow: none;
border-radius: 0;
-webkit-box-shadow: none;
-webkit-border-radius: 0;
-moz-box-shadow: none;
-moz-border-radius: 0;
padding: 0;
margin-top:0;
}
#tou-content, #tou-acceptance{
/*width:87%;*/
width:auto;
}
}


@ -0,0 +1,12 @@
/* Success/Failure indicators for logout propagation. */
.success {
background: url(../images/success-32x32.png) no-repeat left center;
line-height: 36px;
padding-left: 36px;
}
.failure {
background: url(../images/failure-32x32.png) no-repeat left center;
line-height: 36px;
padding-left: 36px;
}


@ -0,0 +1,165 @@
* {
margin: 0;
padding: 0;
}
header, footer, section, nav {
display: block;
}
html, body {
height: 100%;
}
body {
font-family:Verdana, Geneva, sans-serif;
font-size: 12px;
line-height: 1.5;
color: #717171;
background: #717171;
}
a:link,
a:visited {
text-decoration: none;
color: #717171;
}
img {
max-width: 100%;
margin-bottom: 12px;
}
.wrapper {
background: #ffffff;
}
.container {
position: relative;
left: 34%;
width: 540px;
margin-left: -270px;
}
.container-footer {
padding-top: 12px;
}
@media only screen and (max-width: 1020px) {
.container {
left: 45%;
}
}
@media only screen and (max-width: 650px) {
.container {
position: static;
margin: 0 auto;
width: 280px;
}
}
header {
padding: 20px 0;
}
.logo img {
border: none;
}
@media only screen and (max-width: 650px) {
.logo img {
display: none;
}
.logo {
background: url(../images/dummylogo-mobile.png) no-repeat top center;
display: block;
height: 115px;
width: 100px;
margin: 0 auto;
}
}
.content {
padding-bottom: 80px;
overflow: hidden;
}
.column {
float: left;
}
.column.one {
width: 50%;
margin-right: 48px;
}
form {
width: 240px;
padding-bottom: 21px;
}
form label { /* labels are hidden */
font-weight: bold;
}
form legend {
font-size:1.2em;
margin-bottom: 12px;
}
.form-element-wrapper {
margin-bottom: 12px;
}
.form-element {
width: 100%;
padding: 13px 12px;
border: none;
font-size: 14px;
border-radius: 4px;
-webkit-border-radius: 4px;
-moz-border-radius: 4px;
}
.form-field {
color: #B7B7B7;
border: 1px solid #B7B7B7;
}
.form-field-focus,
.form-field:focus,
input[type="text"]:focus {
color: #333333;
border-color: #333;
}
.form-button {
background: #B61601;
box-sizing: content-box;
-moz-box-sizing: content-box;
color: #ffffff;
cursor: pointer;
}
.form-button:hover {
background: #FF6400;
}
.form-error {
padding: 0;
color: #B61601;
}
.list-help {
margin-top: 40px; /* offset padding on first anchor */
list-style: none;
}
.list-help-item a {
display: block;
padding: 6px 0;
}
.item-marker {
color: #be0000;
}
footer {
color: #ffffff;
font-size: 11px;
background: #717171;
}
.footer-text {
margin-bottom: 12px;
}
.footer-links a:link,
.footer-links a:visited {
color: #ffffff;
font-weight: bold;
}
.footer-links a:after {
content: "\00a0\00a0\00a0|\00a0\00a0";
}
.footer-links a.last:after {
content: "";
}






@ -0,0 +1,5 @@
certtool -p --outfile ca_server.key
certtool -s --load-privkey ca_server.key --template templates/ca_server.conf --outfile ca_server.pem
certtool -p --sec-param high --outfile ldap_server.key
certtool -c --load-privkey ldap_server.key --load-ca-certificate ca_server.pem --load-ca-privkey ca_server.key --template templates/ldap_server.conf --outfile ldap_server.pem
keytool -importcert -file ca_server.pem -alias idp-fixture-ca -keystore ca.jks -noprompt -storepass changeit
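Review bot: The script has no shebang and no `set -euo pipefail`, so a failed `certtool` step (for example a missing `templates/ca_server.conf`) is not fatal and the later lines silently sign with and import whatever `ca_server.pem` is already on disk; add `#!/usr/bin/env bash` and `set -euo pipefail` at the top. The CA key on the first line is generated with certtool's default security parameter while the LDAP leaf key uses `--sec-param high`, so the CA key should carry at least `--sec-param high` as well to avoid a signing key weaker than the key it certifies. A header comment such as `# Test-only CA and LDAP server key material for the idp-fixture; regenerate with this script, never trust outside the fixture.` would make the purpose of the committed key files and the fixed `changeit` store password explicit to the next maintainer.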

