.ebextensions/05_shib_xml.config
files:
"/etc/shibboleth/shibboleth2.xml":
mode: "000755"
owner: root
group: root
content: |
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180">
<!--
READ ME!
This configuration file is based on Shibboleth SP v2.4.4. Stanford
runs both a production and development IdP (identity provider)
system, each with a pair of load balanced servers. This file is
pre-configured against the production IdP. If you ever want to
authenticate against dev instead, replace 'idp.stanford.edu' with
'idp-dev.stanford.edu' in the two locations below (SSO link and
metadata download).
More information:
* https://itservices.stanford.edu/service/shibboleth/sp
* http://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
-->
<!--
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-->
<!--
To customize behavior for specific resources on Apache, and to link vhosts or
resources to ApplicationOverride settings below, use web server options/commands.
See https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationElements for help.
For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
file, and the https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo topic.
-->
<RequestMapper type="XML">
<RequestMap>
<Host name="hydrox-dev.sul.stanford.edu"
authType="shibboleth"
requireSession="true"
redirectToSSL="443">
<Path name="/secure" />
</Host>
</RequestMap>
</RequestMapper>
<!--
The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
-->
<ApplicationDefaults entityID="https://hydrox-dev.sul.stanford.edu/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
in that case. Note that while we default checkAddress to "false", this has a negative
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
<!--
Configures SSO for a default IdP. To allow for >1 IdP, remove
entityID property and adjust discoveryURL to point to discovery service.
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
<SSO entityID="https://idp.stanford.edu/">SAML2 SAML1</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!--
Extension service that generates "approximate" metadata based on SP configuration.
-->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed" cacheToDisk="false"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="sul-webmaster@lists.stanford.edu" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
<!--
Example of remotely supplied batch of signed metadata.
-->
<!--
<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
backingFilePath="federation-metadata.xml" reloadInterval="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
</MetadataProvider>
-->
<!--
Automatically download and refresh the IDP's metadata.
-->
<MetadataProvider type="XML" uri="https://idp.stanford.edu/metadata.xml" backingFilePath="/etc/shibboleth/metadata/metadata.xml" reloadInterval="7200"></MetadataProvider>
<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" file="partner-metadata.xml"/>
-->
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
<!--
Use a SAML query if no attributes are supplied during SSO.
-->
<AttributeResolver type="Query" subjectMatch="true"/>
<!--
Default filtering policy for recognized attributes, lets other data pass.
-->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!--
Simple file-based resolver for using a single keypair.
-->
<CredentialResolver type="File" key="/etc/shibboleth/shibd.key" certificate="/etc/shibboleth/shibd.crt"/>
<!--
The default settings can be overridden by creating ApplicationOverride elements (see
the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic).
Resource requests are mapped by web server commands, or the RequestMapper, to an
applicationId setting.
Example of a second application (for a second vhost) that has a different entityID.
Resources on the vhost would map to an applicationId of "admin":
-->
<!--
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-->
</ApplicationDefaults>
<!--
Policies that determine how to process and authenticate runtime messages.
-->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!--
Low-level configuration about protocols and bindings available for use.
-->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
"/etc/shibboleth/attribute-map.xml":
mode: "000755"
owner: root
group: root
content: |
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!--
First some useful eduPerson attributes that many sites might use.
-->
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="eduPersonEntitlement"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="eduPersonEntitlement"/>
<!--
A persistent id attribute that supports personalized anonymous access.
-->
<!-- First, the deprecated version: -->
<!--
Using SAML2 so comment out SAML1 definition.
<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
-->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="targeted-id">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<!-- Second, the new version (note the OID-style name): -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
</Attribute>
<!-- Third, the SAML 2.0 NameID Format: -->
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
</Attribute>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
<Attribute name="urn:mace:dir:attribute-def:uid" id="uid-alt"/>
<Attribute name="urn:oid:2.5.4.3" id="cn"/>
<Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
<Attribute name="urn:oid:2.5.4.4" id="sn"/>
<Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
<Attribute name="urn:oid:2.5.4.42" id="givenName"/>
<Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
<Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
<Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
<Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
<Attribute name="urn:oid:2.5.4.12" id="title"/>
<Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
<Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
<Attribute name="urn:mace:dir:attribute-def:suDisplayNameLF" id="suDisplayNameLF"/>
<Attribute name="urn:mace:dir:attribute-def:postalAddress" id="postalAddress"/>
<Attribute name="urn:oid:2.5.4.16" id="postalAddress"/>
<Attribute name="urn:oid:2.5.4.11" id="ou"/>
<Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
<Attribute name="urn:mace:dir:attribute-def:suUnivID" id="suUnivID"/>
<Attribute name="urn:mace:dir:attribute-def:suPrimaryOrganizationID" id="suPrimaryOrganizationID" />
<Attribute name="urn:oid:1.3.6.1.4.1.299.11.1.1.1" id="suRegID" />
<Attribute name="suAffiliation" id="suAffiliation"/>
<Attribute name="urn:mace:dir:attribute-def:suPrimaryOrganizationName" id="suPrimaryOrganizationName"/>
<Attribute name="urn:oid:1.3.6.1.4.1.299.11.1.204" id="suPrimaryOrganizationName" />
<Attribute name="urn:mace:dir:attribute-def:suDisplayNameLF" id="suDisplayNameLF" />
<Attribute name="urn:mace:dir:attribute-def:suDisplayNameLast" id="suDisplayNameLast" />
<Attribute name="urn:oid:1.3.6.1.4.1.299.11.1.25" id="suDisplayNameLast" />
<Attribute name="urn:mace:dir:attribute-def:suDisplayNameFirst" id="suDisplayNameFirst"/>
<Attribute name="urn:oid:1.3.6.1.4.1.299.11.1.23" id="suDisplayNameFirst" />
<Attribute name="urn:mace:dir:attribute-def:o" id="o" />
<Attribute name="urn:oid:2.5.4.10" id="o" />
<Attribute name="urn:mace:dir:attribute-def:description" id="description" />
<Attribute name="urn:oid:2.5.4.13" id="description" />
</Attributes>