Commit 0f626737 authored by Scotty Logan's avatar Scotty Logan

initial checkin

<Attributes
xmlns="urn:mace:shibboleth:2.0:attribute-map"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!--
This is a stripped down attribute-map for Stanford Shibboleth SPs.
Extra attribute mappings can be added for additional attributes.
Some attributes have multiple mappings, because IdPs can release
well-known attributes using either the OID or name.
-->
<!--
eppn aka eduPersonPrincipalName
A username with a scope (domain); for Stanford people it is
SUNetID@stanford.edu
-->
<Attribute
name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
id="eppn">
<AttributeDecoder
xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
id="eppn">
<AttributeDecoder
xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<!--
affiliation aka eduPersonScopedAffiliation
Simplified affiliation values, with a scope.
For Stanford people, normal values are
faculty@stanford.edu
staff@stanford.edu
student@stanford.edu
-->
<Attribute
name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
id="affiliation">
<AttributeDecoder
xsi:type="ScopedAttributeDecoder"
caseSensitive="false"/>
</Attribute>
<Attribute
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
id="affiliation">
<AttributeDecoder
xsi:type="ScopedAttributeDecoder"
caseSensitive="false"/>
</Attribute>
<!--
unscoped-affiliation aka eduPersonAffiliation
Simplified affilation values, but without the scope
For Stanford people, normal values are
faculty
staff
student
-->
<Attribute
name="urn:mace:dir:attribute-def:eduPersonAffiliation"
id="unscoped-affiliation">
<AttributeDecoder
xsi:type="StringAttributeDecoder"
caseSensitive="false"/>
</Attribute>
<Attribute
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
id="unscoped-affiliation">
<AttributeDecoder
xsi:type="StringAttributeDecoder"
caseSensitive="false"/>
</Attribute>
<!--
entitlement aka eduPersonEntitlement
Arbitrary strings representing entitlements
For Stanford people these are normally workgroup memberships
organization:businessaffairs
deptfw-docs:itlab
-->
<Attribute
name="urn:mace:dir:attribute-def:eduPersonEntitlement"
id="entitlement"/>
<Attribute
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
id="entitlement"/>
<!--
uid (SUNetID)
Normally uid would be mapped to uid, which is then mapped to
REMOTE_USER by the ApplicationDefaults settings in shibboleth2.xml.
-->
<Attribute
name="urn:mace:dir:attribute-def:uid"
id="uid"/>
<Attribute
name="urn:oid:0.9.2342.19200300.100.1.1"
id="uid"/>
<!--
uid (SUNetID)
If you have an existing app that uses WEBAUTH_USER rather than
REMOTE_USER use this mapping instead to create a WEBAUTH_USER
environment variable. Ensure that the REMOTE_USER attribute on the
ApplicationDefaults element in shibboleth2.xml includes WEBAUTH_USER:
<ApplicationDefaults
...
REMOTE_USER="uid WEBAUTH_USER">
-->
<!--
<Attribute
name="urn:mace:dir:attribute-def:uid"
id="WEBAUTH_USER"/>
<Attribute
name="urn:oid:0.9.2342.19200300.100.1.1"
id="WEBAUTH_USER"/>
-->
<!-- other commonly used attributes -->
<!--
displayName - person's preferred formatting of their name
-->
<Attribute
name="urn:mace:dir:attribute-def:displayName"
id="displayName"/>
<Attribute
name="urn:oid:2.16.840.1.113730.3.1.241"
id="displayName"/>
<!--
mail - person's email address
NOTE: Stanford people can change their email address at any time,
so applications should not use the mail attribute as a persistent
identifier for users.
-->
<Attribute
name="urn:mace:dir:attribute-def:mail"
id="mail"/>
<Attribute
name="urn:oid:0.9.2342.19200300.100.1.3"
id="mail"/>
<!--
telephoneNumber - person's preferred phone number
-->
<Attribute
name="urn:mace:dir:attribute-def:telephoneNumber"
id="telephoneNumber"/>
<Attribute
name="urn:oid:2.5.4.20"
id="telephoneNumber"/>
<!--
suAffiliation - person's full "Stanford" affiliation(s)
This attribute may be multi-valued; for example:
stanford:staff
stanford:student:nonactive
-->
<Attribute
name="urn:mace:stanford.edu:directory:suPerson:suAffiliation"
id="suAffiliation"/>
</Attributes>
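Review bot: The ScopedAttributeDecoder on the eppn and affiliation mappings only splits a value into its local part and scope; it does not check that the scope is one the IdP is entitled to assert, and nothing in this map does. That check is done by the ScopeFilter rules in attribute-policy.xml, which the template points at but this module does not ship, so the SP is relying on whatever the package default contains. The header comment should say so, e.g. `Scope checking for eppn/affiliation is NOT done here; it relies on the ScopeFilter rules in attribute-policy.xml (package default), so keep those if that file is ever replaced.` Next to the uid mapping it is also worth stating that uid is unscoped and only meaningful relative to the IdP this SP is configured to trust (the module supports prod, dev and itlab IdPs); applications that need an identifier that survives a change of IdP should prefer eppn, which carries the scope.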
<Protocols xmlns="urn:mace:shibboleth:2.0:native:sp:protocols">
<!--
This is a stripped down protocol configuration for Stanford
Shibboleth SPs.
It only supports the SAML 2.0 HTTP-POST binding for authentication,
and it only supports local logout (federated single logout rarely
works, and when it does, it rarely works as expected).
-->
<!-- SAML 2.0 -->
<Protocol id="SAML2">
<Service id="SSO">
<Initiator id="SAML2" />
<Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" path="/SAML2/POST" />
</Service>
</Protocol>
<!-- Local Logout -->
<Protocol id="Local">
<Service id="Logout">
<Initiator id="Local" />
</Service>
</Protocol>
</Protocols>
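Review bot: The Local logout protocol ends only this SP's session; the IdP single sign-on session is untouched, so after "logging out" a user who leaves the browser open can be re-logged in to this SP, and to any other SP behind the same IdP, without a password prompt until the IdP session expires or the browser is closed. The comment at the top explains why federated SLO was dropped but should also state this consequence so application owners can warn users on shared machines, e.g. `Local logout clears only this SP's session; the IdP SSO session remains, so the next access re-authenticates silently. Tell users to close the browser or visit the IdP logout page.` That is a documentation change only; the protocol configuration itself is consistent with the stated intent.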
# configure a Simple Shibboleth SP
class shibboleth_sp (
$idp = 'idp',
$contact = undef,
){
case $idp {
'dev': {
$entity_id = 'https://idp.stanford.edu/'
$metadata_url = 'https://idp-dev.stanford.edu/metadata.xml'
}
'itlab': {
$entity_id = 'https://idp.itlab.stanford.edu/idp/shibboleth'
$metadata_url = 'https://idp.itlab.stanford.edu/idp/profile/Metadata/SAML'
}
default: {
$entity_id = 'https://idp.stanford.edu/'
$metadata_url = 'https://idp.stanford.edu/metadata.xml'
}
}
package { 'libapache2-mod-shib2':
ensure => 'latest',
require => Package['httpd'],
}
file { '/etc/shibboleth/shibboleth2.xml':
ensure => file,
owner => 0,
group => 0,
mode => '0644',
content => template('puppet://modules/shibboleth-sp/shibboleth2.xml.erb'),
require => Package['libapache2-mod-shib2'],
}
file { '/etc/shibboleth/protocols.xml':
ensure => file,
owner => 0,
group => 0,
mode => '0644',
source => 'puppet:///modules/shibboleth-sp/protocols.xml',
require => Package['libapache2-mod-shib2'],
}
file { '/etc/shibboleth/attribute-map.xml':
ensure => file,
owner => 0,
group => 0,
mode => '0644',
source => 'puppet:///modules/shibboleth-sp/attribute-map.xml',
require => Package['libapache2-mod-shib2'],
}
}
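Review bot: `content => template('puppet://modules/shibboleth-sp/shibboleth2.xml.erb')` will not resolve, because `template()` takes a `module/path` argument rather than a `puppet://` URL, so the catalog fails to compile; the module name is also inconsistent, since the class is `shibboleth_sp` and metadata.json names the module `suet-shibboleth_sp`, yet every `source`/`template` path says `shibboleth-sp`, which only works if the module directory happens to carry that name. The three config files are written with no `notify`, and nothing manages the `shibd` daemon that reads them (the template even sets `reloadChanges="false"`), so a change such as switching `$idp` lands on disk but never takes effect until someone restarts shibd by hand. The `'dev'` branch pairs `$entity_id = 'https://idp.stanford.edu/'` with the idp-dev metadata URL; unless the dev IdP really publishes the production entityID, the `<SSO entityID=...>` lookup will find no matching entity in the downloaded metadata, so this looks like a copy-paste slip worth confirming. `ensure => 'latest'` on the SP package also means any Puppet run may upgrade a security-critical component unattended; `installed` plus deliberate upgrades is the safer default.
```puppet
  file { '/etc/shibboleth/shibboleth2.xml':
    # … unchanged: ensure/owner/group/mode …
    content => template('shibboleth_sp/shibboleth2.xml.erb'),
    require => Package['libapache2-mod-shib2'],
    notify  => Service['shibd'],
  }
  # … same `notify => Service['shibd']` added to protocols.xml and attribute-map.xml …
  # shibd reads the files above and does not re-read them on its own
  # (reloadChanges="false"); restart it whenever they change.
  service { 'shibd':
    ensure  => running,
    enable  => true,
    require => Package['libapache2-mod-shib2'],
  }
```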
{
"name": "suet-shibboleth_sp",
"description": "Simple Stanford Shibboleth SP configuration",
"version": "1.0.0",
"author": "Stanford University Emerging Technologies",
"summary": "Configures Stanford Shibboleth SPs",
"license": "Apache 2.0",
"source": "https://code.stanford.edu/et/puppet-shibboleth-sp",
"project_page": "https://code.stanford.edu/et/puppet-shibboleth-sp",
"issues_url": "https://code.stanford.edu/et/puppet-shibboleth-sp/issues",
"operatingsystem_support": [
{
"operatingsystem": "Ubuntu",
"operatingsystemrelease": [
"14.04"
]
}
],
"dependencies": [
{
"name": "puppetlabs-concat",
"version_requirement": ">=2.1.0"
},
{
"name": "puppetlabs-apache",
"version_requirement": ">=1.8.0"
}
]
}
<SPConfig
xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<ApplicationDefaults
entityID="https://<%= @fqdn %>/"
REMOTE_USER="uid WEBAUTH_USER">
<Sessions
lifetime="28800"
timeout="3600"
relayState="ss:mem"
checkAddress="false"
handlerSSL="true"
cookieProps="; path=/; secure; HttpOnly">
<SSO entityID="<%= @entity_id %>">SAML2</SSO>
<Logout>Local</Logout>
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
</Sessions>
<Errors
supportContact="<%= @contact %>"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<MetadataProvider
type="XML"
uri="<%= @metadata_url %>"
backingFilePath="idp-metata.xml"
reloadInterval="7200" />
<AttributeExtractor
type="XML"
validate="true"
reloadChanges="false"
path="attribute-map.xml"/>
<AttributeFilter
type="XML"
validate="true"
path="attribute-policy.xml"/>
<CredentialResolver
type="File"
key="sp-key.pem"
certificate="sp-cert.pem"/>
</ApplicationDefaults>
<SecurityPolicyProvider
type="XML"
validate="true"
path="security-policy.xml"/>
<ProtocolProvider
type="XML"
validate="true"
reloadChanges="false"
path="protocols.xml"/>
</SPConfig>
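Review bot: The MetadataProvider fetches the IdP metadata from `<%= @metadata_url %>` with no `MetadataFilter`, so the only trust anchor for the IdP's signing key is the download itself: there is no signature check and no `RequireValidUntil`, and I would not assume this SP version validates the TLS server certificate on metadata fetches without checking its defaults or adding an explicit TransportOption. If the IdP publishes signed metadata, add `<MetadataFilter type="Signature" certificate="..."/>` inside the provider with the metadata signing certificate shipped by the module; otherwise record in a comment that trust rests on TLS to the metadata host. `backingFilePath="idp-metata.xml"` looks like a typo for `idp-metadata.xml`; harmless, but this is the file shibd falls back to when the fetch fails, so it should be recognizable. `supportContact="<%= @contact %>"` renders as an empty attribute when `$contact` is left at its `undef` default, so either guard it in the template or make the parameter required.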