mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-03-07 19:39:53 +00:00
b8733eab00
The change replaces the Vagrant box based fixture with a fixture based on docker compose and 2 docker images, one for an openldap server and one for a Shibboleth SAML Identity Provider. The configuration of both openldap and shibboleth is identical to the previous one, in order to minimize required changes in the tests
110 lines
5.4 KiB
XML
110 lines
5.4 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<beans xmlns="http://www.springframework.org/schema/beans"
|
|
xmlns:context="http://www.springframework.org/schema/context"
|
|
xmlns:util="http://www.springframework.org/schema/util"
|
|
xmlns:p="http://www.springframework.org/schema/p"
|
|
xmlns:c="http://www.springframework.org/schema/c"
|
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
|
|
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
|
|
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
|
|
|
|
default-init-method="initialize"
|
|
default-destroy-method="destroy">
|
|
|
|
<!-- ========================= Java Subject -> Principal Mapping ========================= -->
|
|
|
|
<!--
|
|
These are lists of Subject Canonicalization flows that turn complex Subject data into a string-based
|
|
principal name that the rest of the IdP can operate on. They're used both after authentication and
|
|
during operations like SAML attribute queries, to map the SAML Subject into a principal name.
|
|
Flows are identified with an ID that corresponds to a Spring Web Flow subflow name.
|
|
-->
|
|
|
|
<!-- Flows used after authentication to produce canonical principal name. -->
|
|
<util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
|
|
<!--
|
|
This is an advanced post-login step that performs attribute resolution and then produces a username
|
|
from an attribute value. Most of this configuration is handled by attribute-sourced-c14n-config.xml.
|
|
To enable universally, just uncomment, but if you want it to run under more specific conditions,
|
|
set an activationCondition property to a condition function to use to control when it should run.
|
|
-->
|
|
<!-- <bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" /> -->
|
|
|
|
<!--
|
|
This is an alternative that handles Subjects containing an X500Principal object and
|
|
allows extraction from the DN.
|
|
-->
|
|
<ref bean="c14n/x500" />
|
|
|
|
<!--
|
|
This is the standard post-login step that returns a username derived from the login process. If you
|
|
have more complex needs such as mapping a certificate DN into a principal name, an alternative may
|
|
be required such as that above, but you can configure simple transforms in simple-subject-c14n-config.xml
|
|
-->
|
|
<ref bean="c14n/simple" />
|
|
</util:list>
|
|
|
|
<!--
|
|
Flows used during SAML requests to reverse-map NameIdentifiers/NameIDs. The actual beans defining these
|
|
flows are in a system file. Below the list are some settings that might be useful to adjust.
|
|
-->
|
|
<util:list id="shibboleth.SAMLSubjectCanonicalizationFlows">
|
|
|
|
<!--
|
|
This is installed to support the old mechanism of using PrincipalConnectors in the attribute resolver
|
|
to map SAML Subjects back into principals. If you don't use those (or this is a new install) you can
|
|
remove this.
|
|
-->
|
|
<ref bean="c14n/LegacyPrincipalConnector" />
|
|
|
|
<!-- The next four are for handling transient IDs (in-storage and stateless variants). -->
|
|
<ref bean="c14n/SAML2Transient" />
|
|
<ref bean="c14n/SAML2CryptoTransient" />
|
|
<ref bean="c14n/SAML1Transient" />
|
|
<ref bean="c14n/SAML1CryptoTransient" />
|
|
|
|
<!-- Handle a SAML 2 persistent ID, provided a stored strategy is in use. -->
|
|
<!-- <ref bean="c14n/SAML2Persistent" /> -->
|
|
|
|
<!--
|
|
Finally we have beans for decoding arbitrary SAML formats directly. By default, these are turned off,
|
|
having *no* circumstances for which they apply (see shibboleth.TransformNamePredicate below).
|
|
-->
|
|
<ref bean="c14n/SAML2Transform" />
|
|
<ref bean="c14n/SAML1Transform" />
|
|
</util:list>
|
|
|
|
<!-- What SAML NameID formats do you want to support direct transformations for? -->
|
|
<util:list id="shibboleth.NameTransformFormats">
|
|
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</value>
|
|
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</value>
|
|
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</value>
|
|
<value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</value>
|
|
<value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</value>
|
|
</util:list>
|
|
|
|
<!--
|
|
Under what conditions should direct NameID mapping be allowed? By default, never.
|
|
Any condition can be used here; the example is suitable for enumerating a number of SPs to allow.
|
|
-->
|
|
<bean id="shibboleth.NameTransformPredicate" parent="shibboleth.Conditions.RelyingPartyId">
|
|
<constructor-arg name="candidates">
|
|
<list>
|
|
<!-- <value>https://sp.example.org</value> -->
|
|
</list>
|
|
</constructor-arg>
|
|
</bean>
|
|
|
|
<!--
|
|
Regular expression transforms to apply to incoming subject names. The default empty list just
|
|
echoes the name through unmodified.
|
|
-->
|
|
<util:list id="shibboleth.NameTransforms">
|
|
<!--
|
|
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
|
|
-->
|
|
</util:list>
|
|
|
|
</beans>
|