Merge pull request #30 from ausaccessfed/develop

Develop

VERSION

@@ -1,3 +1,3 @@
-AAF_IdP_Installer_version= 1.0.0
-Shibboleth_IdP_version=    4.1.0
-Jetty_version=             9.4.38.v20210224
+AAF_IdP_Installer_version= 1.1.0
+Shibboleth_IdP_version=    4.1.2
+Jetty_version=             9.4.43.v20210629

assets/idp.example.edu.dist/idp/branding/messages/messages.properties

@@ -1,5 +1,5 @@
 # You can define message properties here to override messages defined in
-# system/messages/ or to add your own messages.
+# the system-supplied message file or to add your own messages.
 
 idp.title = {{ organisation_name }} Login Service
 idp.logo = /images/logo.png

assets/idp.example.edu.dist/idp/branding/views/error.vm

@@ -34,10 +34,12 @@
     #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "error"))
     #set ($titleSuffix = $springMacroRequestContext.getMessage("${eventKey}.title", "$defaultTitleSuffix"))
     #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "$defaultTitleSuffix: $eventId"))
+    $response.setStatus(500)
 #else
 	## This is a catch-all that theoretically shouldn't happen?
     #set ($titleSuffix = $defaultTitleSuffix)
     #set ($message = $springMacroRequestContext.getMessage("idp.message", "An unidentified error occurred."))
+    $response.setStatus(500)
 #end
 ##
 <!DOCTYPE html>
@@ -70,4 +72,4 @@
 
     </div>
     </body>
-</html>
+</html>

assets/idp.example.edu.dist/idp/branding/views/logout.vm

@@ -25,13 +25,11 @@
     <head>
         <meta charset="utf-8">
         <meta name="viewport" content="width=device-width,initial-scale=1.0">
-        #*
         #if ($promptForSP)
             <meta http-equiv="refresh" content="10;url=$flowExecutionUrl&_eventId=propagate">
         #elseif ($promptForIdP)
             <meta http-equiv="refresh" content="10;url=$flowExecutionUrl&_eventId=local">
         #end
-        *#
         <title>#springMessageText("idp.title", "Web Login Service")</title>
         <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
     </head>
@@ -130,4 +128,4 @@
     </div>
 
   </body>
-</html>
+</html>

assets/idp.example.edu.dist/idp/conf/admin/admin.properties

@@ -0,0 +1,55 @@
+# Configure properties controlling administrative features
+
+#idp.status.logging = Status
+#idp.status.accessPolicy = AccessByIPAddress
+#idp.status.authenticated = false
+#idp.status.nonBrowserSupported = false
+#idp.status.resolveAttributes = false
+
+#idp.reload.logging = Reload
+#idp.reload.accessPolicy = AccessByIPAddress
+#idp.reload.authenticated = false
+#idp.reload.nonBrowserSupported = false
+#idp.reload.resolveAttributes = false
+
+#idp.resolvertest.logging = ResolverTest
+#idp.resolvertest.accessPolicy = AccessByIPAddress
+#idp.resolvertest.authenticated = false
+#idp.resolvertest.nonBrowserSupported = false
+#idp.resolvertest.resolveAttributes = false
+
+#idp.mdquery.logging = MetadataQuery
+#idp.mdquery.accessPolicy = AccessByIPAddress
+#idp.mdquery.authenticated = false
+#idp.mdquery.nonBrowserSupported = false
+#idp.mdquery.resolveAttributes = false
+
+#idp.metrics.logging = Metrics
+#idp.metrics.authenticated = false
+#idp.metrics.nonBrowserSupported = false
+#idp.metrics.resolveAttributes = false
+# See admin/metrics.xml for other configuration
+
+#idp.hello.logging = Hello
+#idp.hello.accessPolicy = AccessByAdminUser
+#idp.hello.authenticated = true
+#idp.hello.nonBrowserSupported = false
+#idp.hello.resolveAttributes = true
+
+#idp.lockout.logging = Lockout
+#idp.lockout.accessPolicy = AccessDenied
+#idp.lockout.authenticated = false
+#idp.lockout.nonBrowserSupported = false
+#idp.lockout.resolveAttributes = false
+
+#idp.storage.logging = Storage
+#idp.storage.accessPolicy = AccessDenied
+#idp.storage.authenticated = false
+#idp.storage.nonBrowserSupported = false
+#idp.storage.resolveAttributes = false
+
+#idp.unlock-keys.logging = UnlockKeys
+#idp.unlock-keys.accessPolicy = AccessDenied
+#idp.unlock-keys.authenticated = true
+#idp.unlock-keys.nonBrowserSupported = false
+#idp.unlock-keys.resolveAttributes = false

assets/idp.example.edu.dist/idp/conf/admin/metrics.xml

@@ -73,7 +73,7 @@
         <value>idp.entityID</value>
     </util:set>
     -->
-
+    
     <!-- If you don't specify an alternate access policy, this named policy will be enforced. -->
     <bean id="shibboleth.metrics.DefaultAccessPolicy" class="java.lang.String" c:_0="AccessByIPAddress" />
 

assets/idp.example.edu.dist/idp/conf/global.xml

@@ -15,9 +15,9 @@
     <!-- Use this file to define any custom beans needed globally. -->
 
     <!--
-    Algorithm whitelists and blacklists that override or merge with library defaults. Normally you can leave
-    these empty or commented and use the system defaults, but you can override those defaults using these lists.
-    Each <value> element is an algorithm URI, or you can use <util:constant> elements in place of literal values.
+    Algorithm include/exclude sets that override or merge with library defaults. Normally you can leave these
+    empty or commented and use the system defaults, but you can override those defaults using these beans.
+    Each <value> element is an algorithm URI; you can also use <util:constant> elements in place of literal values.
     -->
 
     <!--

assets/idp.example.edu.dist/idp/conf/idp.properties

@@ -1,9 +1,9 @@
 # Auto-load all files matching conf/**/*.properties
 # Disable if you want to manually maintain a list of sources.
-idp.searchForProperties=true
+idp.searchForProperties = true
 
 # Load any "outside-tree" property sources from a comma-delimited list
-idp.additionalProperties=/credentials/secrets.properties
+idp.additionalProperties = /credentials/secrets.properties
 
 # In most cases (and unless noted in the surrounding comments) the
 # commented settings in the distributed files document default behavior.
@@ -12,15 +12,15 @@ idp.additionalProperties=/credentials/secrets.properties
 # Uncommented properties are either required or ship non-defaulted.
 
 # Set the entityID of the IdP
-idp.entityID={{ idp_entity_id }}
+idp.entityID = {{ idp_entity_id }}
 
 # Set the file path which backs the IdP's own metadata publishing endpoint at /shibboleth.
 # Set to empty value to disable and return a 404.
 #idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml
 idp.entityID.metadataFile=
 
-# Set the scope used in the attribute resolver for scoped attributes
-idp.scope={{ idp_attribute_scope }}
+# Set the scope used in the attribute resolver for scoped attributes 
+idp.scope = {{ idp_attribute_scope }}
 
 # General cookie properties (maxAge only applies to persistent cookies)
 #idp.cookie.secure = true
@@ -32,8 +32,8 @@ idp.scope={{ idp_attribute_scope }}
 #idp.cookie.sameSite = None
 #idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE
 
-# Enable cross-site request forgery mitigation for views.
-idp.csrf.enabled=true
+# Enable cross-site request forgery mitigation for views. 
+idp.csrf.enabled = true
 # Name of the HTTP parameter that stores the CSRF token.
 #idp.csrf.token.parameter = csrf_token
 
@@ -55,16 +55,16 @@ idp.csrf.enabled=true
 #idp.sealer.storeType = JCEKS
 #idp.sealer.updateInterval = PT15M
 #idp.sealer.aliasBase = secret
-idp.sealer.storeResource=%{idp.home}/credentials/sealer.jks
-idp.sealer.versionResource=%{idp.home}/credentials/sealer.kver
+idp.sealer.storeResource = %{idp.home}/credentials/sealer.jks
+idp.sealer.versionResource = %{idp.home}/credentials/sealer.kver
 
 # Settings for public/private signing and encryption key(s)
 # During decryption key rollover, point the ".2" properties at a second
 # keypair, uncomment in credentials.xml, then publish it in your metadata.
-idp.signing.key=%{idp.home}/credentials/idp-signing.key
-idp.signing.cert=%{idp.home}/credentials/idp-signing.crt
-idp.encryption.key=%{idp.home}/credentials/idp-encryption.key
-idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
+idp.signing.key = %{idp.home}/credentials/idp-signing.key
+idp.signing.cert = %{idp.home}/credentials/idp-signing.crt
+idp.encryption.key = %{idp.home}/credentials/idp-encryption.key
+idp.encryption.cert = %{idp.home}/credentials/idp-encryption.crt
 #idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
 #idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
 
@@ -75,15 +75,19 @@ idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
 #idp.signing.config = shibboleth.SigningConfiguration.SHA256
 
 # The new install default for encryption is now AES-GCM.
-#idp.encryption.config=shibboleth.EncryptionConfiguration.GCM
-idp.encryption.config=shibboleth.EncryptionConfiguration.CBC
+#idp.encryption.config = shibboleth.EncryptionConfiguration.GCM
+idp.encryption.config = shibboleth.EncryptionConfiguration.{{ default_encryption }}
+
+# Sets the default strategy for key agreement key wrap usage for credentials from metadata,
+# if not otherwise configured on the security configuration
+#idp.encryption.keyagreement.metadata.defaultUseKeyWrap = Default
 
 # Configures trust evaluation of keys used by services at runtime
 # Internal default is Chaining, overriden for new installs
-idp.trust.signatures=shibboleth.ExplicitKeySignatureTrustEngine
+idp.trust.signatures = shibboleth.ExplicitKeySignatureTrustEngine
 # Other options:
 #   shibboleth.ChainingSignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
-idp.trust.certificates=shibboleth.ExplicitKeyX509TrustEngine
+idp.trust.certificates = shibboleth.ExplicitKeyX509TrustEngine
 # Other options:
 #   shibboleth.ChainingX509TrustEngine, shibboleth.PKIXX509TrustEngine
 
@@ -93,7 +97,7 @@ idp.trust.certificates=shibboleth.ExplicitKeyX509TrustEngine
 
 # Configuration of client- and server-side storage plugins
 #idp.storage.cleanupInterval = PT10M
-idp.storage.htmlLocalStorage=true
+idp.storage.htmlLocalStorage = true
 
 # Set to true to expose more detailed errors in responses to SPs
 #idp.errors.detailed = false
@@ -124,9 +128,9 @@ idp.session.StorageService = shibboleth.StorageService
 # Tolerate storage-related errors
 #idp.session.maskStorageFailure = false
 # Track information about SPs logged into
-idp.session.trackSPSessions=true
+idp.session.trackSPSessions = true
 # Support lookup by SP for SAML logout
-idp.session.secondaryServiceIndex=true
+idp.session.secondaryServiceIndex = true
 # Length of time to track SP sessions
 #idp.session.defaultSPlifetime = PT2H
 
@@ -149,7 +153,7 @@ idp.consent.StorageService = shibboleth.JPAStorageService
 # Defaults to text displayed to the user.
 #idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text
 
-# Flags controlling how built-in attribute consent feature operates
+# Flags controlling how built-in attribute consent feature operates 
 #idp.consent.allowDoNotRemember = true
 #idp.consent.allowGlobal = true
 #idp.consent.allowPerAttribute = false
@@ -174,7 +178,7 @@ idp.consent.compareValues = true
 #idp.impersonate.specificPolicy = SpecificImpersonationPolicy
 
 # Picks outbound bindings more sensibly than based on metadata order
-idp.bindings.inMetadataOrder=false
+idp.bindings.inMetadataOrder = false
 
 # Whether to lookup metadata, etc. for every SP involved in a logout
 # for use by user interface logic; adds overhead so off by default.
@@ -228,4 +232,4 @@ idp.ui.fallbackLanguages=en,fr,de
 #idp.fticks.logport = 514
 
 # Set false if you want SAML bindings "spelled out" in audit log
-idp.audit.shortenBindings=true
+idp.audit.shortenBindings = true

assets/idp.example.edu.dist/idp/conf/services.properties

@@ -15,7 +15,7 @@ idp.service.logging.checkInterval = PT5M
 #idp.service.relyingparty.resources = shibboleth.RelyingPartyResolverResources
 #idp.service.relyingparty.failFast = false
 idp.service.relyingparty.checkInterval = PT15M
-# Set true to limit metadata-driven settings lookup to decoded EntityAttributes
+# See MetadataDrivenConfiguration wiki topic for details
 idp.service.relyingparty.ignoreUnmappedEntityAttributes=true
 
 #idp.service.metadata.resources = shibboleth.MetadataResolverResources

assets/idp.example.edu.dist/idp/conf/services.xml

@@ -11,7 +11,6 @@
 
     <!-- By default we look at resources whose names are derived from %{idp.home}. -->
 
-    <!-- This set of resources supports a native Spring relying-party.xml file. -->
     <util:list id="shibboleth.RelyingPartyResolverResources">
         <value>%{idp.home}/conf/relying-party.xml</value>
         <value>%{idp.home}/conf/credentials.xml</value>

bootstrap-v4.ini

@@ -154,3 +154,27 @@ ENABLE_BACKCHANNEL=false
 # addition to making the technical changes.
 #
 ENABLE_EDUGAIN=false
+
+#
+
+# If your IdP is behind a load balancer that is SSL Offloading, set the following
+# value to true. The will enable the IdP to recieve requests on port 80 from the
+# load balancer. Note: The IdP MUST be within your DMZ or similarly protected area
+# that will not allow general access to port 80 on the IdP.
+
+IDP_BEHIND_PROXY=false
+
+#
+
+# The following option allows you to downgrade encryption from GCM to CBC for all
+# services. Some older services will fail as they are unable to process newer 
+# encryption. The recommended approach is to leave the default seti at GMC, and 
+# carve out exceptions for each SP that doesn't support GCM. Use the he Algorithm 
+# Metadata Filter (https://wiki.shibboleth.net/confluence/display/IDP4/AlgorithmFilter)
+# to achieve this. 
+#
+# Changing the global setting to CBC is is NOT recommended for production deployments! 
+# Please see: https://wiki.shibboleth.net/confluence/display/IDP4/GCMEncryption for
+# more details.
+
+DEFAULT_ENCRYPTION=GCM