rename folders

762e143b · Lubomir Dolezal · 3f73c735 · 3f73c735 · 3f73c735 · 762e143b
Commit 762e143b authored 4 years ago by Lubomir Dolezal
--- a/auth/Dockerfile
+++ b/auth/Dockerfile
-FROM unicon/shibboleth-sp:3.0.4
-
-COPY shibboleth-conf /etc/shibboleth/
-COPY index.html /var/www/html/
-COPY etc-httpd/ /etc/httpd/
--- a/auth/shibboleth-conf/shibboleth2.xml
+++ b/auth/shibboleth-conf/shibboleth2.xml
-<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
-xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
-clockSkew="180">
-<OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />
-<ApplicationDefaults entityID="https://samplesp3.eo.esa.int/shibboleth"
-REMOTE_USER="eppn subject-id pairwise-id persistent-id"
-cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSL
-v2:!SSLv3:!TLSv1:!TLSv1.1">
-<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
-checkAddress="false" handlerSSL="true" cookieProps="https">
-<SSO entityID="https://eo-sso-idp.eo.esa.int:443/shibboleth"
-discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
-SAML2
-</SSO>
-<Logout>SAML2 Local</Logout>
-<LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
-<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
-<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 192.168.24.1/24"/>
-<Handler type="Session" Location="/Session" showAttributeValues="false"/>
-<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
-</Sessions>
-<Errors supportContact="root@samplesp3.eo.esa.int"
-helpLocation="/about.html"
-styleSheet="/shibboleth-sp/main.css"/>
-<MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
-<AttributeExtractor type="XML" validate="true" reloadChanges="false"
-path="attribute-map.xml"/>
-<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
-<CredentialResolver type="File" use="signing"
-key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
-<CredentialResolver type="File" use="encryption"
-key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
-</ApplicationDefaults>
-<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
-<ProtocolProvider type="XML" validate="true" reloadChanges="false"
-path="protocols.xml"/>
-</SPConfig>
\ No newline at end of file
--- a/shibauth/Dockerfile
+++ b/shibauth/Dockerfile
+#------------------------------------------------------------------------------
+#
+# Project: prism view server
+# Authors: Stephan Meissl <stephan.meissl@eox.at>
+#
+#------------------------------------------------------------------------------
+# Copyright (C) 2020 EOX IT Services GmbH <https://eox.at>
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies of this Software or works derived from this Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+#-----------------------------------------------------------------------------
+
+FROM unicon/shibboleth-sp:3.0.4
+
+MAINTAINER EOX
+LABEL name="prism view server cache" \
+      vendor="EOX IT Services GmbH <https://eox.at>" \
+      license="MIT Copyright (C) 2019 EOX IT Services GmbH <https://eox.at>" \
+      type="prism view server shibauth" \
+      version="0.0.1"
+
+COPY shibboleth-conf /etc/shibboleth/
+COPY index.html /var/www/html/
+COPY conf.d /etc/httpd/etc-httpd/
--- a/auth/etc-httpd/conf.d/sp.conf
+++ b/auth/etc-httpd/conf.d/sp.conf
@@ -5,6 +5,10 @@ ServerName idptestbed
    UseCanonicalName On

    DocumentRoot "/var/www/html"
+    <Location /Shibboleth.sso>
+      Satisfy Any
+      Allow from all
+    </Location>

    <Location />
        AuthType shibboleth

--- a/auth/index.html
+++ b/auth/index.html
--- a/auth/shibboleth-conf/attribute-map.xml
+++ b/auth/shibboleth-conf/attribute-map.xml
--- a/auth/shibboleth-conf/idp-metadata.xml
+++ b/auth/shibboleth-conf/idp-metadata.xml
--- a/shibauth/shibboleth-conf/shibboleth2.xml
+++ b/shibauth/shibboleth-conf/shibboleth2.xml
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+
+    <!--
+    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+    -->
+
+    <!--
+    To customize behavior for specific resources on Apache, and to link vhosts or
+    resources to ApplicationOverride settings below, use web server options/commands.
+    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
+    
+    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
+    -->
+
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+    <ApplicationDefaults entityID="https://sp.idptestbed/shibboleth"
+                         REMOTE_USER="eppn uid persistent-id targeted-id">
+
+        <!--
+        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+        You MUST supply an effectively unique handlerURL value for each of your applications.
+        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+        Note that while we default checkAddress to "false", this has a negative impact on the
+        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
+        -->
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+
+            <!--
+            Configures SSO for a default IdP. To allow for >1 IdP, remove
+            entityID property and adjust discoveryURL to point to discovery service.
+            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+            You can also override entityID on /Login query string, or in RequestMap/htaccess.
+            -->
+            <SSO entityID="https://idptestbed/idp/shibboleth">
+              SAML2 SAML1
+            </SSO>
+
+            <!-- SAML and local-only logout. -->
+            <Logout>SAML2 Local</Logout>
+            
+            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <!-- Status reporting service. -->
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+            <!-- Session diagnostic service. -->
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+            <!-- JSON feed of discovery information. -->
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+
+        <!--
+        Allows overriding of error template information/filenames. You can
+        also add attributes with values that can be plugged into the templates.
+        -->
+        <Errors supportContact="admin@idptestbed"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+        
+        <!-- Example of remotely supplied batch of signed metadata. -->
+        <!--
+        <MetadataProvider type="XML" validate="true"
+	      url="http://federation.org/federation-metadata.xml"
+              backingFilePath="federation-metadata.xml" reloadInterval="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
+            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
+              attributeName="http://macedir.org/entity-category"
+              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+              attributeValue="http://refeds.org/category/hide-from-discovery" />
+        </MetadataProvider>
+        -->
+
+        <!-- Example of locally maintained metadata. -->
+        <!--
+        <MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
+        -->
+        
+        <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>
+
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        
+        <!-- Use a SAML query if no attributes are supplied during SSO. -->
+        <AttributeResolver type="Query" subjectMatch="true"/>
+
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <!-- Simple file-based resolver for using a single keypair. -->
+        <CredentialResolver type="File" key="sp-signing-key-test.pem" certificate="sp-encrypt-cert-test.pem"/>
+
+        <!--
+        The default settings can be overridden by creating ApplicationOverride elements (see
+        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
+        Resource requests are mapped by web server commands, or the RequestMapper, to an
+        applicationId setting.
+        
+        Example of a second application (for a second vhost) that has a different entityID.
+        Resources on the vhost would map to an applicationId of "admin":
+        -->
+        <!--
+        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+        -->
+    </ApplicationDefaults>
+    
+    <!-- Policies that determine how to process and authenticate runtime messages. -->
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <!-- Low-level configuration about protocols and bindings available for use. -->
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
\ No newline at end of file
--- a/auth/shibboleth-conf/shibd.logger
+++ b/auth/shibboleth-conf/shibd.logger