Improve example configs

git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@2262 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

diff --git a/resources/conf/attribute-filter.xml b/resources/conf/attribute-filter.xml
index cc0a372..950d900 100644 (file)
--- a/resources/conf/attribute-filter.xml
+++ b/resources/conf/attribute-filter.xml
@@ -6,15 +6,61 @@
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
                                                 urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd ">
-                                                
-    <AttributeFilterPolicy id="Anyone">
+
+    <!-- 
+          Releases to anyone:
+            * any value of uid
+            * only the member value of affiliation
+    -->
+    <AttributeFilterPolicy id="ReleaseToAnyone">
         <PolicyRequirementRule xsi:type="basic:ANY" />
         
         <AttributeRule attributeID="uid">
             <PermitValueRule xsi:type="basic:ANY" />
         </AttributeRule>
         
-        <AttributeRule attributeID="cn">
+        <AttributeRule attributeID="affiliation">
+            <PermitValueRule value="member"
+                             xsi:type="basic:AttributeValueString"/>
+        </AttributeRule>
+        
+    </AttributeFilterPolicy>
+    
+    <!-- 
+          Releases to only SP 1:
+            * any value of uid
+            * scoped primary affiliation if the scope is the IdP 1 and the value is staff, faculty, or student
+            * any value of affiliation
+            * any value of full name
+    -->
+    <AttributeFilterPolicy id="ReleaseToSP1">
+        <PolicyRequirementRule value="urn:example.org:myFederation:sp1" 
+                               xsi:type="basic:AttributeRequesterString" />
+        
+        <AttributeRule attributeID="uid">
+            <PermitValueRule xsi:type="basic:ANY" />
+        </AttributeRule>
+        
+        <AttributeRule attributeID="scopedPrimaryAffiliation">
+            <PermitValueRule xsi:type="basic:AND">
+                <basic:Rule value="urn:example.org:myFederation:idp1" 
+                            xsi:type="AttributeScopeString" />
+                <basic:Rule xsi:type="basic:OR">
+                    <basic:Rule value="staff"
+                                xsi:type="AttributeValueString" />
+                    <basic:Rule value="faculty"
+                                xsi:type="AttributeValueString" />
+                    <basic:Rule value="student"
+                                xsi:type="AttributeValueString" />
+                </basic:Rule>
+            </PermitValueRule>
+        </AttributeRule>
+        
+        <AttributeRule attributeID="affiliation">
+            <PermitValueRule xsi:type="basic:ANY" />
+        </AttributeRule>
+        
+        <AttributeRule attributeID="fullName">
             <PermitValueRule xsi:type="basic:ANY" />
         </AttributeRule>
         

diff --git a/resources/conf/attribute-resolver.xml b/resources/conf/attribute-resolver.xml
index 5e84696..a76e468 100644 (file)
--- a/resources/conf/attribute-resolver.xml
+++ b/resources/conf/attribute-resolver.xml
@@ -12,32 +12,117 @@
                                        urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
                                        urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
                                        urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd">
-                                       
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid">
-        <resolver:DataConnectorDependency ref="static" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" />
+
+    <!-- ========================================== -->
+    <!--      Attribute Definitions                 -->
+    <!-- ========================================== -->
+    
+    <!-- Example attribute defintions -->
+    <!--
+    <resolver:AttributeDefinition id="uid" xsi:type="ad:Simple">
+        <resolver:DataConnectorDependency ref="myLDAP" />
     </resolver:AttributeDefinition>
+    -->
     
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="cn">
-        <resolver:DataConnectorDependency ref="static" />
+    <!--
+    <resolver:AttributeDefinition id="scopedPrimaryAffiliation" xsi:type="ad:Scoped">
+        <resolver:DataConnectorDependency ref="staticAttributes" sourceAttributeID="staticEPPA" />
+        <resolver:DataConnectorDependency ref="myLDAP" sourceAttribute="eduPersonPrimaryAffiliation" />
+        
+        <resolver:AttributeEncoder xsi:type="SAML1ScopedString"
+                                   name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"/>
+        
+        <resolver:AttributeEncoder xsi:type="SAML2ScopedString"
+                                   name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"/>
+                                   
+        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" />
+        
+        </resolver:AttributeEncoder>
     </resolver:AttributeDefinition>
+    -->
     
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="email">
-        <resolver:DataConnectorDependency ref="static" />
+    <!--
+    <resolver:AttributeDefinition id="affiliation" xsi:type="ad:Simple">
+        <resolver:DataConnectorDependency ref="myLDAP" sourceAttribute="eduPersonAffiliation" />
+        
+        <resolver:AttributeEncoder xsi:type="SAML1String"
+                                   name="urn:mace:dir:attribute-def:eduPersondAffiliation"/>
+        
+        <resolver:AttributeEncoder xsi:type="SAML2String"
+                                   name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
+                                   friendlyName="eduPersonAffiliation"/>
     </resolver:AttributeDefinition>
-                                       
-    <resolver:DataConnector xsi:type="dc:Static" id="static">
-        <dc:Attribute id="uid">
-            <dc:Value>testUser</dc:Value>
-        </dc:Attribute>
-        <dc:Attribute id="cn">
-            <dc:Value>Test User</dc:Value>
+    -->
+    
+    <!--
+    <resolver:AttributeDefinition id="fullName" xsi:type="Script">
+        <resolver:DataConnectorDependency ref="myLDAP" sourceAttribute="eduPersonAffiliation" />
+        
+        <Script>
+            <![CDATA[
+                importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
+                fullname = new BasicAttribute("fullname");
+                fullname.getValues().add(givenName.getValues().first() + " " + sn.getValues().first());
+            ]]>
+        </Script>
+    </resolver:AttributeDefinition>
+    -->
+    
+    
+    <!-- ========================================== -->
+    <!--      Data Connectors                       -->
+    <!-- ========================================== -->
+    
+    <!-- Example Static Connector -->
+    <!--
+    <resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
+        <dc:Attribute id="staticEPPA">
+            <dc:Value>member</dc:Value>
         </dc:Attribute>
-        <dc:Attribute id="email">
-            <dc:Value>t.user@example.org</dc:Value>
+        <dc:Attribute id="staticEPE">
+            <dc:Value>urn:example.org:entitlement:entitlement1</dc:Value>
+            <dc:Value>urn:mace:dir:entitlement:common-lib-terms</dc:Value>
         </dc:Attribute>
     </resolver:DataConnector>
+    -->
+    
+    <!-- Example Relational Database Connector -->
+    <!--
+    <resolver:DataConnector id="mySIS" xsi:type="dc:RelationalDatabase">
+        <dc:ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
+                                         jdbcUrl="jdbc:oracle:thin:@db.example.org:1521:SomeDB"
+                                         jdbcUserName="myid"
+                                         jdbcPassword="mypassword" />
+        <dc:QueryTemplate>
+            <![CDATA[
+                 SELECT * FROM student WHERE gzbtpid = ${principal}
+             ]]>
+        </dc:QueryTemplate>
+    
+        <dc:Column columnName="gzbtpid" attributeID="uid"/>
+        <dc:Column columnName="fqlft" attributeID="gpa" type="Float"/>
+    </resolver:DataConnector>
+    -->
+    
+    <!-- Example LDAP Connector -->
+    <!--
+    <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+                            ldapUrl="ldap://ldap.example.org"
+                            baseDN="ou=people,dc=example,dc=org"
+                            principal="uid=myservice,ou=system"
+                            principalCredential="myServicePassword">
+        <dc:FilterTemplate>
+            <![CDATA[
+                (uid=${principal})
+            ]]>
+        </dc:FilterTemplate>
+    
+    </resolver:DataConnector>
+    -->
     
+    <!-- ========================================== -->
+    <!--      Principal Connectors                  -->
+    <!-- ========================================== -->
     <resolver:PrincipalConnector xsi:type="pc:Direct" 
                                  id="directPC"
                                  nameIDFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />

diff --git a/resources/conf/handler.xml b/resources/conf/handler.xml
index df80af9..985d41d 100644 (file)
--- a/resources/conf/handler.xml
+++ b/resources/conf/handler.xml
@@ -14,7 +14,7 @@
     </ProfileHandler>
     
     <ProfileHandler xsi:type="SAML1AttributeQuery">
-        <RequestPath>/saml1/SSO</RequestPath>
+        <RequestPath>/saml1/SOAP/SSO</RequestPath>
     </ProfileHandler>
     
     <ProfileHandler xsi:type="SAML2SSO">
@@ -26,7 +26,6 @@
     </ProfileHandler>
     
     <AuthenticationHandler xsi:type="RemoteUser">
-        <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
         <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
     </AuthenticationHandler>