From 89ea9572b52d69efeb45d3f7e2f51d5d80cf8ab3 Mon Sep 17 00:00:00 2001 From: Alex Piggott Date: Mon, 5 Feb 2018 17:30:29 -0500 Subject: [PATCH 1/2] Demonstrate configuration needed to use a custom JaaS login module --- idp/Dockerfile | 1 + .../conf/attribute-resolver.xml | 9 +- idp/shibboleth-idp/conf/authn/jaas.config | 3 + .../conf/authn/password-authn-config.xml | 104 ++++++++++++++++++ .../lib/authn-extensions-1.1-SNAPSHOT.jar | Bin 0 -> 4832 bytes 5 files changed, 115 insertions(+), 2 deletions(-) create mode 100644 idp/shibboleth-idp/conf/authn/jaas.config create mode 100644 idp/shibboleth-idp/conf/authn/password-authn-config.xml create mode 100644 idp/shibboleth-idp/lib/authn-extensions-1.1-SNAPSHOT.jar diff --git a/idp/Dockerfile b/idp/Dockerfile index 49d469a..62f589c 100644 --- a/idp/Dockerfile +++ b/idp/Dockerfile @@ -2,5 +2,6 @@ FROM unicon/shibboleth-idp:latest MAINTAINER Unicon, Inc. +ADD shibboleth-idp/lib/*.jar /opt/shibboleth-idp/webapp/WEB-INF/lib/ COPY shibboleth-idp/ /opt/shibboleth-idp/ COPY shib-jetty-base/ /opt/shib-jetty-base/ diff --git a/idp/shibboleth-idp/conf/attribute-resolver.xml b/idp/shibboleth-idp/conf/attribute-resolver.xml index 761cb8d..5f93d99 100644 --- a/idp/shibboleth-idp/conf/attribute-resolver.xml +++ b/idp/shibboleth-idp/conf/attribute-resolver.xml @@ -30,6 +30,11 @@ + + + + + - \ No newline at end of file + diff --git a/idp/shibboleth-idp/conf/authn/jaas.config b/idp/shibboleth-idp/conf/authn/jaas.config new file mode 100644 index 0000000..5b61cdc --- /dev/null +++ b/idp/shibboleth-idp/conf/authn/jaas.config @@ -0,0 +1,3 @@ +ShibUserPassAuth { + net.unicon.authn.jaas.NotAsSimpleLoginModule required; +}; diff --git a/idp/shibboleth-idp/conf/authn/password-authn-config.xml b/idp/shibboleth-idp/conf/authn/password-authn-config.xml new file mode 100644 index 0000000..54db33a --- /dev/null +++ b/idp/shibboleth-idp/conf/authn/password-authn-config.xml 
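Review bot: The new `ADD shibboleth-idp/lib/*.jar /opt/shibboleth-idp/webapp/WEB-INF/lib/` line should be `COPY`, as the file's other two steps already are; ADD's extra behaviours (remote URLs, archive auto-extraction) are not wanted for a local jar. The following `COPY shibboleth-idp/ /opt/shibboleth-idp/` also copies the same jar a second time, into /opt/shibboleth-idp/lib/, so the image carries two copies that can drift; excluding lib/ from that COPY or keeping a single destination avoids it. The jar itself (authn-extensions-1.1-SNAPSHOT.jar, added as a binary blob in this patch) is an unreviewable build artifact with no source reference or pinned checksum; a line such as `# authn-extensions jar: built from <source repo> at <commit>` in the Dockerfile or README would let the next person reproduce or audit it.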
@@ -0,0 +1,104 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + NoCredentials + CLIENT_NOT_FOUND + Client not found + DN_RESOLUTION_FAILURE + + + + + InvalidCredentials + PREAUTH_FAILED + INVALID_CREDENTIALS + + + + + Clients credentials have been revoked + + + + + PASSWORD_EXPIRED + + + + + ACCOUNT_WARNING + + + + + + + + 
diff --git a/idp/shibboleth-idp/lib/authn-extensions-1.1-SNAPSHOT.jar b/idp/shibboleth-idp/lib/authn-extensions-1.1-SNAPSHOT.jar new file mode 100644 index 0000000000000000000000000000000000000000..43983e8ec8a749774c4b592e257f7fec0491bfe9 GIT binary patch literal 4832 zcmbVQ2{@GN`<}*^o5m8Zu?1L5Lv=Wlh#NNwRN=QTAmT zkqBd7BC5!jMO_) z6{Retp{*vZ`z?(DaFLpZ7xApQK>Zm{{c`@8hE&$pP*XKP!H{b6$mS+3gcOX#ijab| zHn-*L!#fTRj9h|hw$?)tQYs8PhtmwBxFw(O$Cf5&9>i#RBtmjH+41@nX057OH$}4~ ztiW}CwZjAyU4QMG&D8fSLOT~XwJhUCWOB(Bs0A4 z?uabtloo?B$Ns>8c(jTceDeJa0}Zj&!AtDuhvm8& z7;jpM=ji#Ka7dSql?ghyNQ5olhm(swwIb;&c@;#OktRtL@#&KIs0^_%V{$W3>SHf4 zj=V90@Wb!5dm6w;DGJ;zq}rsSi8sZJg8`k3ZKGy+fh%!3)lagb>T^&@%@6b`&)#R+ zie-ic-z~aB&aC-TP$_1kBaUp-F&LRyKYw*)`lzsox}khczwARoo{GVq{HH}1S;AQR z2&S?E>SIcTiiGA*SyAyzk52dX*|;b=wVJNb(YZ|dhjB9+Trq8IwnLXp)K&prt^$TG za-N28H8(uO-d*AM8XI#-Dl<`tlpne>!AQ0aK}&w@eUdn5$Iea5>CwR1+WaQ(-jq@A zozTFBvkIf$F)~p+N_WRQnJaj*YmhLD8ADOO^J~BO00`>6(H}Wwm@} z#2nWaZ*hRu? z@1-yE=$wJk zrFEVPB;)Cb#S`VO?q{lR1|c<+Clt86JaM-KP`zY#y7QiE2P)n?i;YjIJ#SmuvtU&! 
zXQyAJm%;-P7Y(&Bd<^0@eA(`AkFwyj9~FP0^4XzL{uY_QpQjR#apbZ{{q$78UB$lf zxl)AFL2Vz;w;yYbty2O_1Pa1LZvj^hRyQ5%kU#uXQggx7N*fOSu{h4uY5_@rN z=PO8!8JvT0&g#kWSQN^IjVn5CN0<9UNf;2{&-?cD4o;@>u2Oj}XRz5v-WNH=V-ii3 zA~6pKOf|*S56>7m@O@t4zj(tB4$%{u1mBO~O4;9#bXH^OU1^ePs1MhOG4aj5u`b3| z$@hh`vQchUU@j#@w|FhT_iQE4FwGq8nX88E;-sde-H_D-Lb@|ga_#y#(Wa*bd!Gec zmDqx#DWe0z*|at%g^y@tDLR`5=ik+N?c=zg8Gj8L8gXj3NcEXWk?Myk;k238`56tB z6JmzeOnj|#?qAf=6w?6@v9yjtzl4_4c3Ya?;LFLiP-~fm6gc|0Sn;l^f7(qe=}U}p zOqOD2EjnZPq!75A=TczH*fW!Avaslaa5Q=m?)aIV?=Gnz;LHrkXTJ&9EMgxE)Gc3) zKHZ;IwVzmw?M$zH)3^j`5E#`|Z}fl%B=YYac^H&->&|8A214Y3sD7-~n~d?KiaYWe zRsfwllkUg(qSA6l`7?$5FxbGfJ?=?WLNhr0ymG7Auy4sgh*Flg*$K@~u4Q;hNFvGp z5Luu+WwHG3+_<{wXQn08KqJH?WzqX?o@;^s@N(|p$pTy6o!6 zQ}qcyzE~^Bbhho&LkG>54qCaeXz%tXH?^~n;*RIaw-T(PjvT@Gunftjo6bU$L{gpy zw+jekQ;$8)#Aw96u4vYiA>RZV_*)7`LWl^tr@HkYAjhseK2R))dHw=^jtTBxn*S;y zwbHK+y8x7(rEAZT<=f4Gjnor>0bLK!e68pR{YtZ?g`4V9nlwjg1Ofn6RE3fHqq_V_ zSWu=q9D1N6GP+zh#`N_i4%Ep5%Os0O@p|=pG4~B+`dsIpB8c^M<7yW@Brorsj6q5+l$!QA z%O4}e_o}hH{wuH-Lj#;Q2YcuxS3YGrvs2;o4X-w4R|Y%jOfXNcYHdUrMaEOObLSqT zC7ZgZ76SVe!S+705ht&PmLKmGi)fbK%b|O@^0r-r`DM`AkY-L1 zHkm2A*I6PV(pXKT31l2-cd?|vk1_w8ILZlxTUcYq<1)+b^l?2eo)55nRY3{12gwVm z5A}-)VG&^+GDo1(V4Pa~8dR(1a7p-A)`_upfr}sOz>&emDG43&WY{56?cT*5X>N7&C5;m>H9{{j6shm<|m!yb)saz+1GEOuU3)hfyI zw-=_q&hc~rfZTtfb8~fpVO^YWpv+x+1UY@$a%b1r_9MlSTo1BQ$oP&&(XX_daOMFey6^)K?9SQ_hlH_*kJ<>^5WU&^^m6>a~-oV{hJ7jpk)S zkIvJr7G8Uc4U7T82g|YhlWh#% zuh-|4%}Ex79qP0QKa#zVe$vY~zS%2sysK;|noM~qJw(IXU#Zlnedu;f?S(p^J<~O_ ziD}(6na4hkkgU=i)2G+g2qaOQ1k0CGylUikyXxn{;qn&N$DK0LD4okT4WdbuWkyBm zn^`N|Q25{-(vxHHzHg(=JQ5nzffN42yOs6`hupj_$t>ywL%r z5u_*-#?HWeifl6^(K?BJ%OSV!L9V?U6!(^}i&SWyIR6+ufG`lo8nL zw+JkCzu~A~rT@C`+%CDg*K;Q7o{MqbMXGRSWU|MSlldUzCZ|=B8oY9_ohS-pbjyZ&=pN*g%X> zn;VGl2KLXu4GX&&8$h-l{{U_sUw?*gSlVs4;_u+!4DJ@k?=9{YO99^fj~xGIc(+&c z_eIV&f7{OAO!4nA{-NaArvCNskPWHW3=m*_eVDq9zCY?M;nYxCh^k3+|3C;F;Za%7?50dR(xY_>y gCHZ9%8@+5FE4m0eYMBcFuu?z$GyuR9l@b8>KZMX}$N&HU literal 0 HcmV?d00001 
From b9f8e67882efa3f93688d8140745cd8a3daf149d Mon Sep 17 00:00:00 2001 From: Alex Piggott Date: Wed, 7 Feb 2018 15:54:52 -0500 Subject: [PATCH 2/2] Got ES/Kibana working vs the IDP testbed --- .../docker-compose.yaml | 45 ++++ elasticsearch-saml-testbed/elasticsearch.yml | 28 +++ elasticsearch-saml-testbed/idp-metadata.xml | 216 ++++++++++++++++++ elasticsearch-saml-testbed/kibana.yml | 17 ++ .../saml-elasticsearch-metadata.xml | 12 + idp/shibboleth-idp/conf/attribute-filter.xml | 1 + idp/shibboleth-idp/conf/idp.properties | 2 +- .../conf/metadata-providers.xml | 1 + .../metadata/saml-elasticsearch-metadata.xml | 12 + 9 files changed, 333 insertions(+), 1 deletion(-) create mode 100644 elasticsearch-saml-testbed/docker-compose.yaml create mode 100644 elasticsearch-saml-testbed/elasticsearch.yml create mode 100644 elasticsearch-saml-testbed/idp-metadata.xml create mode 100644 elasticsearch-saml-testbed/kibana.yml create mode 100644 elasticsearch-saml-testbed/saml-elasticsearch-metadata.xml create mode 100644 idp/shibboleth-idp/metadata/saml-elasticsearch-metadata.xml diff --git a/elasticsearch-saml-testbed/docker-compose.yaml b/elasticsearch-saml-testbed/docker-compose.yaml new file mode 100644 index 0000000..5bfc005 --- /dev/null +++ b/elasticsearch-saml-testbed/docker-compose.yaml 
@@ -0,0 +1,45 @@ +version: '2.2' +services: + elasticsearch: + image: docker.elastic.co/elasticsearch/elasticsearch-platinum:6.2.0 + container_name: elasticsearch + environment: + - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + - "ELASTIC_PASSWORD=password" + ulimits: + memlock: + soft: -1 + hard: -1 + volumes: + - esdata1:/usr/share/elasticsearch/data + - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml + - ./idp-metadata.xml:/usr/share/elasticsearch/config/idp-metadata.xml + ports: + - 9200:9200 + extra_hosts: + - "idptestbed:10.0.2.15" + networks: + - esnet + + kibana: + image: docker.elastic.co/kibana/kibana:6.2.0 + volumes: + - ./kibana.yml:/usr/share/kibana/config/kibana.yml + ports: + - 5601:5601 + networks: + - esnet + extra_hosts: + - "idptestbed:10.0.2.15" + depends_on: + - elasticsearch + +volumes: + esdata1: + driver: local + esdata2: + driver: local + +networks: + esnet: + driver: bridge diff --git a/elasticsearch-saml-testbed/elasticsearch.yml b/elasticsearch-saml-testbed/elasticsearch.yml new file mode 100644 index 0000000..85e252e --- /dev/null +++ b/elasticsearch-saml-testbed/elasticsearch.yml 
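Review bot: `ELASTIC_PASSWORD=password` sets the superuser password in a committed file, the same literal is repeated in kibana.yml, and port 9200 is published to the host. For a testbed this may be intentional, but compose variable substitution (`- "ELASTIC_PASSWORD=${ELASTIC_PASSWORD}"` with the value in an untracked .env file) keeps the secret out of the repository and gives one place to change it. The `esdata2` volume is declared but used by no service, so it can be dropped. The `extra_hosts` entry hard-codes `idptestbed:10.0.2.15`, presumably the VM address of the author's own setup; a comment saying so would save the next reader a wrong assumption.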
@@ -0,0 +1,28 @@ +cluster.name: "docker-cluster" +network.host: 0.0.0.0 + +# minimum_master_nodes need to be explicitly set when bound on a public IP +# set to 1 to allow single node clusters +# Details: https://github.com/elastic/elasticsearch/pull/17288 +#discovery.zen.minimum_master_nodes: 1 + +#use this to run in development mode instead of production mode, meaning we don't need ssl enabled +discovery.type: single-node +xpack.license.self_generated.type: trial + +xpack.security.authc.realms.native1: + type: native + order: 0 + +xpack.security.authc.realms.saml1: + type: saml + order: 2 + idp.metadata.path: "/usr/share/elasticsearch/config/idp-metadata.xml" + idp.entity_id: "https://idptestbed/idp/shibboleth" + sp.entity_id: "http://idptestbed:5601/" + sp.acs: "http://idptestbed:5601/api/security/v1/saml" + sp.logout: "http://idptestbed:5601/logout" + attributes.principal: "urn:oid:0.9.2342.19200300.100.1.1" +# attributes.groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1." + +xpack.security.authc.token.enabled: true diff --git a/elasticsearch-saml-testbed/idp-metadata.xml b/elasticsearch-saml-testbed/idp-metadata.xml new file mode 100644 index 0000000..0692d2a --- /dev/null +++ b/elasticsearch-saml-testbed/idp-metadata.xml 
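Review bot: The SAML realm's `sp.entity_id`, `sp.acs` and `sp.logout` are plain-http URLs, so the browser delivers the IdP's assertion to Kibana in cleartext; the comment above `discovery.type` says TLS-off is a deliberate development choice, but the realm block should say so too, e.g. `# dev only: SP endpoints are http; switch to https and enable xpack.security.http.ssl before exposing this`. The commented-out `attributes.groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1."` ends in a trailing dot, which looks like a truncated OID — worth completing or removing so it is not uncommented as-is. `xpack.security.authc.token.enabled: true` is needed for Kibana's SAML flow; if I recall correctly it is only honoured without TLS on the HTTP layer because of the trial license, which is one more reason to flag the TLS-off setting in a comment.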
@@ -0,0 +1,216 @@ + + + + + + + + example.org + + + + + + + +MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy +MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH +YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M +SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2 +03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No +5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+ +XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud +DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk +hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL +BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac +ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98 +NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl +j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP +IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E +t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM= + + + + + + + + + +MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB +CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx +MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g +u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2 +Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ +Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+ +MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs +uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV +HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl +ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB +CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X 
+sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s +RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ +Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B +DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i +s00xrv14zLifcc8oj5DYzOhYRifRXgHX + + + + + + + + + +MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy +MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD +cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ +l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG +ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8 +9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX +VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud +DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk +hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL +BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni +QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN +jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r +xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8 ++PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H +p+tGUbGS2l873J5PrsbpeKEVR/IIoKo= + + + + + + + + + + + + urn:mace:shibboleth:1.0:nameIdentifier + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + + + + + + + + + + + example.org + + + + + + +MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy +MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH +YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M +SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2 
+03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No +5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+ +XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud +DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk +hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL +BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac +ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98 +NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl +j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP +IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E +t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM= + + + + + + + + + +MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB +CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx +MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g +u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2 +Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ +Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+ +MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs +uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV +HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl +ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB +CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X +sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s +RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ +Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B +DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i +s00xrv14zLifcc8oj5DYzOhYRifRXgHX + + + + + + + + + +MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy 
+MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD +cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ +l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG +ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8 +9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX +VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud +DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk +hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL +BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni +QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN +jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r +xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8 ++PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H +p+tGUbGS2l873J5PrsbpeKEVR/IIoKo= + + + + + + + + + + + + + diff --git a/elasticsearch-saml-testbed/kibana.yml b/elasticsearch-saml-testbed/kibana.yml new file mode 100644 index 0000000..5e05bb8 --- /dev/null +++ b/elasticsearch-saml-testbed/kibana.yml @@ -0,0 +1,17 @@ +# Default Kibana configuration from kibana-docker. + +server.name: kibana +#server.host: "idptestbed" +server.host: "0.0.0.0" +elasticsearch.url: http://idptestbed:9200 +elasticsearch.username: elastic +elasticsearch.password: password +xpack.monitoring.ui.container.elasticsearch.enabled: true + +xpack.security.authProviders: [saml] +server.xsrf.whitelist: [/api/security/v1/saml] + +xpack.security.public: + protocol: http + hostname: idptestbed + port: 5601 diff --git a/elasticsearch-saml-testbed/saml-elasticsearch-metadata.xml b/elasticsearch-saml-testbed/saml-elasticsearch-metadata.xml new file mode 100644 index 0000000..35d72f3 --- /dev/null +++ b/elasticsearch-saml-testbed/saml-elasticsearch-metadata.xml 
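Review bot: kibana.yml connects Kibana to Elasticsearch as the `elastic` superuser (`elasticsearch.username: elastic` / `elasticsearch.password: password`); the built-in `kibana` user exists for exactly this connection and carries only the privileges Kibana needs, so `elasticsearch.username: kibana` with that user's password is the least-privilege choice. The password literal duplicates the one in docker-compose.yaml; the Kibana docker image reads `ELASTICSEARCH_USERNAME`/`ELASTICSEARCH_PASSWORD` environment variables, so both files could take the value from one place. `server.xsrf.whitelist: [/api/security/v1/saml]` deserves a comment explaining that it exists because the IdP's POST to the ACS carries no Kibana XSRF header and must stay limited to that one path, e.g. `# SAML ACS receives a cross-site POST from the IdP; do not widen this list`.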
@@ -0,0 +1,12 @@ + + + + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + docker-cluster + + + + + diff --git a/idp/shibboleth-idp/conf/attribute-filter.xml b/idp/shibboleth-idp/conf/attribute-filter.xml index b14d041..014e5c5 100644 --- a/idp/shibboleth-idp/conf/attribute-filter.xml +++ b/idp/shibboleth-idp/conf/attribute-filter.xml @@ -18,6 +18,7 @@ + diff --git a/idp/shibboleth-idp/conf/idp.properties b/idp/shibboleth-idp/conf/idp.properties index 0d6b5fa..1d7bfe2 100644 --- a/idp/shibboleth-idp/conf/idp.properties +++ b/idp/shibboleth-idp/conf/idp.properties @@ -56,7 +56,7 @@ idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt # If true, encryption will happen whenever a key to use can be located, but # failure to encrypt won't result in request failure. -#idp.encryption.optional = false +idp.encryption.optional = true # Configuration of client- and server-side storage plugins #idp.storage.cleanupInterval = PT10M diff --git a/idp/shibboleth-idp/conf/metadata-providers.xml b/idp/shibboleth-idp/conf/metadata-providers.xml index 3965da0..b550f4b 100644 --- a/idp/shibboleth-idp/conf/metadata-providers.xml +++ b/idp/shibboleth-idp/conf/metadata-providers.xml @@ -27,6 +27,7 @@ +
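Review bot: `idp.encryption.optional = true` is a global switch: for every relying party whose metadata has no usable encryption key the IdP now silently issues unencrypted assertions instead of failing the request. If the change exists only because the Elasticsearch SP metadata carries no encryption certificate (its markup is stripped here, so I cannot confirm), a per-relying-party override in relying-party.xml (a `RelyingPartyByName` entry for the Kibana entityID with `p:encryptionOptional="true"` on its SAML2.SSO profile bean) limits the relaxation to that one SP. Either way, a comment above the line naming which SP needs it, e.g. `# relaxed for the Kibana SAML SP, which presents no encryption key`, keeps the next reader from treating it as a safe default. The attribute-filter.xml and metadata-providers.xml hunks on this line are unreadable here (markup stripped), so I could not check what they release or load.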