From 03bfb979ff21dd5bafd1367493f99c4a12d81da4 Mon Sep 17 00:00:00 2001
From: Robin Sonnabend <robin@fsmpi.rwth-aachen.de>
Date: Mon, 30 Apr 2018 15:30:06 +0200
Subject: [PATCH] Add shibboleth role

---
 shibboleth/defaults/main.yml         |  10 ++
 shibboleth/files/attribute-map.xml   | 175 ++++++++++++++++++++++++
 shibboleth/files/nginx-snippet.conf  |  24 ++++
 shibboleth/files/shibauthorizer.conf |   8 ++
 shibboleth/files/shibresponder.conf  |   8 ++
 shibboleth/handlers/main.yml         |  10 ++
 shibboleth/tasks/main.yml            |  98 ++++++++++++++
 shibboleth/templates/shibboleth2.xml | 193 +++++++++++++++++++++++++++
 8 files changed, 526 insertions(+)
 create mode 100644 shibboleth/defaults/main.yml
 create mode 100644 shibboleth/files/attribute-map.xml
 create mode 100644 shibboleth/files/nginx-snippet.conf
 create mode 100644 shibboleth/files/shibauthorizer.conf
 create mode 100644 shibboleth/files/shibresponder.conf
 create mode 100644 shibboleth/handlers/main.yml
 create mode 100644 shibboleth/tasks/main.yml
 create mode 100644 shibboleth/templates/shibboleth2.xml

diff --git a/shibboleth/defaults/main.yml b/shibboleth/defaults/main.yml
new file mode 100644
index 0000000..55385ba
--- /dev/null
+++ b/shibboleth/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+# file: webservices/shibboleth/defaults/main.yml
+
+shibboleth_hostname: "www.example.com"
+shibboleth_url: "/shib/login"
+shibboleth_entity_id: "https://www.example.com/shibboleth"
+shibboleth_home_url: "https://www.example.com/"
+shibboleth_support_contact: "admin@example.com"
+shibboleth_key: "/etc/ssl/private/private-example.pem"
+shibboleth_certificate: "/etc/ssl/private/cert-example.pem"
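Review bot: The header comment on line 2 gives the path as `webservices/shibboleth/defaults/main.yml`, but the diff header adds this file at `shibboleth/defaults/main.yml`, so the comment is stale; `# file: shibboleth/defaults/main.yml` matches what the patch creates. Separately, `shibboleth_key` and `shibboleth_certificate` default to paths under `/etc/ssl/private/`, and nothing in this patch creates those files or checks that the `_shibd` user the FastCGI programs run as can read the key, so a first deploy presumably needs them provisioned by another role. Worth stating in the file, e.g. `# key/certificate must exist on the host and be readable by shibd; not managed by this role`.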
diff --git a/shibboleth/files/attribute-map.xml b/shibboleth/files/attribute-map.xml
new file mode 100644
index 0000000..d80c6b3
--- /dev/null
+++ b/shibboleth/files/attribute-map.xml
@@ -0,0 +1,175 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
+    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
+    few exceptions for newer attributes where the name is the same for both versions. You will
+    usually want to uncomment or map the names for both SAML versions as a unit.
+    -->
+    
+    <!-- First some useful eduPerson attributes that many sites might use. -->
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+
+    <!-- A persistent id attribute that supports personalized anonymous access. -->
+    
+    <!-- First, the deprecated/incorrect version, decoded as a scoped string: -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+        <!-- <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> -->
+    </Attribute>
+    
+    <!-- Second, an alternate decoder that will decode the incorrect form into the newer form. -->
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+    -->
+    
+    <!-- Third, the new version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Fourth, the SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- https://doc.itc.rwth-aachen.de/display/SHI/RWTH+-+OID -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.1" id="ikz" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.4" id="rwthGender" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.5" id="rwthMatrikelnummer" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.39" id="rwthStudienfach" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.49" id="rwthDateOfBirth" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.50" id="rwthLocalityOfBirth" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.52" id="rwthCountry" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.64" id="rwthID" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.68" id="rwthPersonalNummer" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.89" id="rwthFachInfo2" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.94" id="rwthAssociate" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.96" id="rwthRufname" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.97" id="rwthSVAPersonStatus" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.113" id="rwthCampusAddress" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.114" id="rwthSystemIDs" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.100" id="rwthDienstEmail" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.99" id="rwthTelefonNummer" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.117" id="rwthStudienInfo" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.118" id="rwthEmploymentStart" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.119" id="rwthEmploymentEnd" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.120" id="rwthRetirementStart" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.121" id="rwthEntryDate" />
+    
+    <!-- Some more eduPerson attributes, uncomment these to use them... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+    
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+    
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+    -->
+
+    <!-- SCHAC attributes, uncomment to use... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization"/>
+    -->
+    
+    <!-- Examples of LDAP-based attributes, uncomment to use these... -->
+    <!--
+    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.12" id="title"/>
+    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+    <Attribute name="urn:oid:2.5.4.13" id="description"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.9" id="street"/>
+    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+    <Attribute name="urn:oid:2.5.4.8" id="st"/>
+    <Attribute name="urn:oid:2.5.4.7" id="l"/>
+    <Attribute name="urn:oid:2.5.4.10" id="o"/>
+    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
+    -->
+
+</Attributes>
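Review bot: The RWTH block at lines 107–129 maps a large set of personal attributes — matriculation number, date and place of birth, personnel number, gender, telephone, campus address — while the only consumer visible in this patch is `Rwthmatrikelnummer` in the nginx snippet. Because the snippet enables `shib_request_use_headers`, every id mapped here is emitted as a request header to the application once a session exists, so unused mappings widen what the backend (and anything that logs headers) sees; trimming the block to the attributes actually consumed keeps the SP to data minimisation. Note also that what arrives is still governed by `attribute-policy.xml` and the IdP's release policy, neither of which this patch touches, so a mapping alone does not guarantee a value. A one-line comment above the block, `<!-- map only what the application reads; every mapped id is exported to the backend as a header -->`, would make the intent explicit.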
diff --git a/shibboleth/files/nginx-snippet.conf b/shibboleth/files/nginx-snippet.conf
new file mode 100644
index 0000000..df30d14
--- /dev/null
+++ b/shibboleth/files/nginx-snippet.conf
@@ -0,0 +1,24 @@
+more_clear_input_headers Rwthmatrikelnummer Shib-Session-Index Shib-Session-Id Shib-Identity-Provider Shib-Handler Shib-Application-Id Affiliation Shib-Authentication-Instant Shib-Authncontext-Class Entitlement; # add other headers here against spoofing
+
+location  / {
+    shib_request /shibauthorizer;
+    shib_request_use_headers on;
+    shib_request_set $shib_matrikelnr $upstream_http_Rwthmatrikelnummer;
+    proxy_set_header Host $host;
+    proxy_pass http://unix:/run/nginx/wahlsystem; # change this
+}
+
+location = /shibauthorizer {
+    internal;
+    include fastcgi_params;
+    fastcgi_pass unix:/run/shibboleth/shibauthorizer.sock;
+}
+
+location /Shibboleth.sso {
+    include fastcgi_params;
+    fastcgi_pass unix:/run/shibboleth/shibresponder.sock;
+}
+
+location /shibboleth-sp {
+    alias /etc/shibboleth/;
+}
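Review bot: `location /shibboleth-sp { alias /etc/shibboleth/; }` publishes the whole SP configuration directory over HTTP: anything nginx can read there — `shibboleth2.xml`, `attribute-map.xml`, the cached `rwth.metadata.xml`, and on Debian also the package-generated SP key pair if file modes allow — becomes fetchable by any client, while the only thing the configuration references under that prefix is `main.css` for the error pages. Serve that single file, e.g. `location = /shibboleth-sp/main.css { alias /etc/shibboleth/main.css; }` (adjust if the stylesheet lives elsewhere), or point the alias at a directory that holds nothing but static assets. Second, `more_clear_input_headers` lists a hand-picked subset while `shib_request_use_headers on` makes the authorizer emit one header per mapped attribute (Eppn, Persistent-Id, Unscoped-Affiliation, Rwthid, …), so a client can still pre-seed any id that is mapped but not cleared; the safer pattern is to leave `shib_request_use_headers` off and forward only the variables the app needs with `proxy_set_header`, which the snippet already half-does with `$shib_matrikelnr` but never passes to the upstream.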
diff --git a/shibboleth/files/shibauthorizer.conf b/shibboleth/files/shibauthorizer.conf
new file mode 100644
index 0000000..e7eef3a
--- /dev/null
+++ b/shibboleth/files/shibauthorizer.conf
@@ -0,0 +1,8 @@
+[fcgi-program:shibauthorizer]
+command=/usr/lib/x86_64-linux-gnu/shibboleth/shibauthorizer
+socket=unix:///run/shibboleth/shibauthorizer.sock
+socket_owner=_shibd:nginx-proxy
+socket_mode=0660
+user=_shibd
+stdout_logfile=/var/log/shibboleth/shibauthorizer.log
+stderr_logfile=/var/log/shibboleth/shibauthorizer.error.log
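Review bot: `socket_owner=_shibd:nginx-proxy` assumes a group named `nginx-proxy` exists and that the nginx workers run in it; the patch creates neither, and supervisor will not start an `fcgi-program` whose socket owner it cannot resolve, while a worker in a different group (Debian's default is `www-data`) simply gets EACCES on the 0660 socket. Either make the group a role variable that the tasks create, or document the precondition at the top of the file, e.g. `; nginx must run with supplementary group nginx-proxy (see shibboleth role)`. The same applies to `shibresponder.conf`.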
diff --git a/shibboleth/files/shibresponder.conf b/shibboleth/files/shibresponder.conf
new file mode 100644
index 0000000..c35f1f1
--- /dev/null
+++ b/shibboleth/files/shibresponder.conf
@@ -0,0 +1,8 @@
+[fcgi-program:shibresponder]
+command=/usr/lib/x86_64-linux-gnu/shibboleth/shibresponder
+socket=unix:///run/shibboleth/shibresponder.sock
+socket_owner=_shibd:nginx-proxy
+socket_mode=0660
+user=_shibd
+stdout_logfile=/var/log/shibboleth/shibresponder.log
+stderr_logfile=/var/log/shibboleth/shibresponder.error.log
diff --git a/shibboleth/handlers/main.yml b/shibboleth/handlers/main.yml
new file mode 100644
index 0000000..edeb5b0
--- /dev/null
+++ b/shibboleth/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: update apt cache
+  apt: update_cache=yes
+
+- name: reload supervisor
+  systemd: name=supervisor state=reloaded
+
+- name: reload shibd
+  systemd: name=shibd state=reloaded
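Review bot: The handlers use the inline `key=value` module syntax while every task in `tasks/main.yml` in this same patch uses the YAML dictionary form; keeping one style across the role reads better and lints cleanly, e.g. `systemd:` / `name: shibd` / `state: reloaded`. Whether `state: reloaded` on shibd actually picks up a changed `shibboleth2.xml` depends on the unit providing an `ExecReload`; if it does not, the handler is a no-op and `restarted` is the safe choice — worth confirming on the target distribution and noting in a comment.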
diff --git a/shibboleth/tasks/main.yml b/shibboleth/tasks/main.yml
new file mode 100644
index 0000000..19bacac
--- /dev/null
+++ b/shibboleth/tasks/main.yml
@@ -0,0 +1,98 @@
+---
+# file: webservices/shibboleth/tasks/main.yml
+
+- name: activate the shibboleth apt repository
+  apt_repository:
+    repo: "deb [arch=amd64] https://repo.fsmpi.rwth-aachen.de/ {{ansible_distribution_release}} shibboleth"
+    state: present
+  notify:
+    - update apt cache
+  tags:
+    - packages
+    - repos
+    - shibboleth
+
+- meta: flush_handlers
+
+- name: install the required packages for shibboleth
+  apt: name="{{item}}" state=present
+  with_items:
+    - nginx-extras
+    - libnginx-mod-http-shibboleth
+    - libnginx-mod-http-headers-more-filter
+    - supervisor
+    - shibboleth-sp2-utils
+    - shibboleth-sp2-common
+  notify:
+    - reload shibd
+  tags:
+    - shibboleth
+    - supervisor
+    - packages
+
+- name: install our configuration
+  template:
+    src: shibboleth2.xml
+    dest: /etc/shibboleth/shibboleth2.xml
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - reload shibd
+  tags:
+    - shibboleth
+    - config
+
+- name: configure the known attributes
+  copy:
+    src: attribute-map.xml
+    dest: /etc/shibboleth/attribute-map.xml
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - reload shibd
+  tags:
+    - shibboleth
+    - config
+
+- name: configure the supervisor tasks for authorizer/responder
+  copy:
+    src: "{{item}}"
+    dest: /etc/supervisor/conf.d/
+    owner: root
+    group: root
+    mode: 0644
+  with_items:
+    - shibauthorizer.conf
+    - shibresponder.conf
+  notify:
+    - reload supervisor
+  tags:
+    - shibboleth
+    - supervisor
+    - config
+
+- name: put the nginx example snippet there
+  copy:
+    src: nginx-snippet.conf
+    dest: /etc/nginx/snippets/
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - shibboleth
+    - nginx
+    - config
+
+- name: ensure the services are running
+  systemd:
+    name: "{{item}}"
+    enabled: yes
+    state: started
+  with_items:
+    - supervisor
+    - shibd
+  tags:
+    - shibboleth
+    - services
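Review bot: The `apt_repository` task adds `https://repo.fsmpi.rwth-aachen.de/` but nothing in this patch installs or pins its signing key, so either the key is trusted by some other role or the following `apt` task fails on an unsigned repository; TLS to the mirror does not replace apt's signature check, which is what ties the installed `libnginx-mod-http-shibboleth` and `shibboleth-sp2-*` packages to their publisher. Add an `apt_key` task (or a `signed-by=` option on the `deb` line) with the repository's key fingerprint ahead of the repository task. Two further files the template depends on are also not deployed here — the metadata signing certificate `sso.rwth-aachen.de.pem` named in `shibboleth2.xml` and the SP key/certificate from the defaults — so if those come from elsewhere, a comment such as `# assumes repo signing key, sso.rwth-aachen.de.pem and the SP key pair are provisioned elsewhere` would document the coupling. Finally, `with_items` on the `apt` module installs one package per iteration; passing the list directly to `name:` is the idiomatic form and a single transaction.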
diff --git a/shibboleth/templates/shibboleth2.xml b/shibboleth/templates/shibboleth2.xml
new file mode 100644
index 0000000..c744358
--- /dev/null
+++ b/shibboleth/templates/shibboleth2.xml
@@ -0,0 +1,193 @@
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+
+
+   <OutOfProcess logger="shibd.logger">
+   </OutOfProcess>
+
+   <InProcess logger="native.logger">
+      <ISAPI normalizeRequest="true" safeHeaderNames="true">
+         <Site id="1" name="{{shibboleth_hostname}}"/>
+      </ISAPI>
+   </InProcess>
+  
+   <UnixListener address="shibd.sock"/>
+  
+   <RequestMapper type="Native">
+    <RequestMap applicationId="default" target="{{shibboleth_url}}">
+          <Host name="{{shibboleth_hostname}}">
+            <Path name="{{shibboleth_url}}" authType="shibboleth" requireSession="true" />
+          </Host>
+       </RequestMap>
+    </RequestMapper>
+  
+   <ApplicationDefaults entityID="{{shibboleth_entity_id}}"
+                        REMOTE_USER="eppn persistent-id targeted-id"
+                        homeURL="{{shibboleth_home_url}}"
+                        signing="false"
+                        encryption="false"
+                        id="default"
+                        policyId="default">
+  
+                          
+      <Sessions lifetime="28800"
+                timeout="3600"
+                checkAddress="false"
+                handlerURL="/Shibboleth.sso"
+                handlerSSL="true"
+                cookieProps="; path=/; secure; HttpOnly"
+                exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
+                exportACL="127.0.0.1"
+                idpHistory="false"
+                idpHistoryDays="7">
+  
+  
+         <SessionInitiator type="Chaining"
+                           Location="/Login"
+                           id="Intranet"
+                           relayState="cookie"
+                           entityID="https://login.rz.rwth-aachen.de/shibboleth"
+                           target="https://{{shibboleth_hostname}}/Shibboleth.sso/Session">
+        
+            <SessionInitiator type="SAML2"
+                              acsIndex="1"
+                              template="bindingTemplate.html"/>
+                             
+            <SessionInitiator type="Shib1"
+                              acsIndex="5"/>
+         </SessionInitiator>
+  
+         <md:AssertionConsumerService
+             Location="/SAML2/POST"
+             index="1"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+         <md:AssertionConsumerService
+             Location="/SAML2/POST-SimpleSign"
+             index="2"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
+         <md:AssertionConsumerService
+             Location="/SAML2/Artifact"
+             index="3"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+         <md:AssertionConsumerService
+             Location="/SAML2/ECP"
+             index="4"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
+         <md:AssertionConsumerService
+             Location="/SAML/POST"
+             index="5"
+             Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
+         <md:AssertionConsumerService
+             Location="/SAML/Artifact"
+             index="6"
+             Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
+  
+         <LogoutInitiator type="Chaining"
+                          Location="/Logout"
+                          relayState="cookie">
+            <LogoutInitiator type="SAML2"
+                             template="bindingTemplate.html"/>
+            <LogoutInitiator type="Local"/>
+         </LogoutInitiator>
+  
+         <md:SingleLogoutService
+             Location="/SLO/SOAP"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+         <md:SingleLogoutService
+             Location="/SLO/Redirect"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
+         <md:SingleLogoutService
+             Location="/SLO/POST"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+         <md:SingleLogoutService
+             Location="/SLO/Artifact"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+  
+         <md:ManageNameIDService
+             Location="/NIM/SOAP"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+         <md:ManageNameIDService
+             Location="/NIM/Redirect"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
+         <md:ManageNameIDService
+             Location="/NIM/POST"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+         <md:ManageNameIDService
+             Location="/NIM/Artifact"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+         <md:ArtifactResolutionService
+             Location="/Artifact/SOAP"
+             index="1"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+  
+         <Handler type="MetadataGenerator"
+                  Location="/Metadata"
+                  signing="false"/>
+  
+         <Handler type="Status"
+                  Location="/Status"
+                  acl="127.0.0.1 134.130.3.70"/>
+  
+         <Handler type="Session"
+                  Location="/Session"
+                  showAttributeValues="false"/>
+  
+         <Handler type="DiscoveryFeed"
+                  Location="/DiscoFeed"/>
+      </Sessions>
+
+  
+
+      <Errors supportContact="{{shibboleth_support_contact}}"
+              helpLocation="/about.html"
+              styleSheet="/shibboleth-sp/main.css"/>
+          
+      <MetadataProvider type="XML"
+                        uri="https://sso.rwth-aachen.de/metadata/rwth.metadata.xml"
+                        backingFilePath="rwth.metadata.xml"
+                        reloadInterval="7200">
+            <!-- <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> -->
+         <MetadataFilter type="Signature"
+                         certificate="sso.rwth-aachen.de.pem"/>
+      </MetadataProvider>
+
+      <TrustEngine type="Chaining">
+         <TrustEngine type="ExplicitKey"/>
+         <TrustEngine type="PKIX"/>
+      </TrustEngine>
+
+      <AttributeExtractor type="XML"
+                          reloadChanges="false"
+                          path="attribute-map.xml"/>
+          
+      <AttributeResolver type="Query"/>
+
+      <AttributeFilter type="XML"
+                       path="attribute-policy.xml"/>
+  
+      <CredentialResolver type="File"
+          key="{{shibboleth_key}}"
+          certificate="{{shibboleth_cert}}"/>
+  
+   </ApplicationDefaults>
+
+   <SecurityPolicyProvider type="XML"
+                           validate="true"
+                           path="security-policy.xml"/>
+  
+   <ProtocolProvider type="XML"
+                     validate="true"
+                     reloadChanges="false"
+                     path="protocols.xml"/>
+  
+</SPConfig>
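Review bot: `certificate="{{shibboleth_cert}}"` on the CredentialResolver refers to a variable the role never defines — `defaults/main.yml` declares `shibboleth_certificate` — so the template task fails on an undefined variable under Ansible's default settings, and if undefined variables are tolerated the SP is deployed with an empty certificate path; change it to `certificate="{{shibboleth_certificate}}"` (or rename the default). The `RequireValidUntil` metadata filter is commented out while the `Signature` filter is kept; without it a stale but validly signed metadata file is accepted indefinitely, so re-enabling it with the federation's maximum validity interval is the recommended pairing. `exportLocation`/`exportACL` enable the GetAssertion handler on loopback, which lets any local process pull full assertions for an active session — drop both attributes unless something on the host consumes them. The `<ISAPI>` element is dead configuration on an nginx host and can go.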
-- 
GitLab