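---
# dariahsp authentication settings for the "schereg" service provider:
# a local user list plus a SAML SP that joins a DFN-AAI federation.
auth:
  # Local (non-federated) accounts. These bcrypt hashes are committed to VCS,
  # so anyone with read access to the repository can attempt offline cracking,
  # and the 'admin' account carries ROLE_ADMINISTRATOR. Prefer injecting the
  # hashes from a secret store or the environment, and rotate both passwords
  # if this file has ever been pushed to a shared or public remote.
  local:
    users:
      - username: 'admin'
        passhash: '$2a$10$nbXRnAx5wKurTrbaUkT/MOLXKAJgpT8R71/jujzPwgXXrG.OqlBKW'
        roles: ["ROLE_ADMINISTRATOR"]
      - username: 'tgradl'
        passhash: '$2a$10$EeajSQQUepa7H7.g4xQCaeO.hjUwh0yzYCMrfOkWCZGe1IiWaexa6'
        roles: ["ROLE_CONTRIBUTOR"]
  saml:
    keystore:
      path: /data/_srv/schereg/key/dfa-de-dariah-eu.jks
      # Uncomment if keystore is protected by password
      #pass: 'somepass'
      alias: dfa.de.dariah.eu
      # Empty key password: the SP's private key (used below for signing,
      # encryption and TLS) is then protected only by the file permissions on
      # the .jks above. Keep the keystore readable by the service account only
      # and never commit it.
      aliaspass: ''
    metadata:
      # NOTE(review): this is the DFN-AAI *test* federation feed — every IdP
      # in it is trusted to assert identities to this SP. Switch to the basic
      # (production) feed before serving real users, and confirm that the
      # fetched metadata is signature-checked against the federation
      # certificate; an HTTPS URL alone does not establish that.
      url: https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-test-metadata.xml
      #url: https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-basic-metadata.xml
    sp:
      local: true
      alias: schereg
      baseUrl: https://schereg.de.dariah.eu/schereg
      entityId: https://schereg.de.dariah.eu
      #externalMetadata : /home/tobias/Downloads/spring_saml_metadata.xml
      #securityProfile: metaiop
      #sslSecurityProfile: pkix
      #requireArtifactResolveSigned: false
      #requireLogoutRequestSigned: false
      #requireLogoutResponseSigned: false
      # Attribute-query responses are accepted unsigned. The attributeQuery
      # below is used to *complete* the attribute set an IdP delivered, so an
      # unsigned answer rests entirely on the TLS connection to queryIdp
      # (tlsKey / sslSecurityProfile). Set this to true if the queried IdP
      # signs its responses.
      requireAttributeQuerySigned: false
      # -1 presumably disables the limit on how old the IdP's authentication
      # may be, i.e. no forced re-authentication — confirm against the
      # dariahsp defaults. For an SP that grants ROLE_ADMINISTRATOR a finite
      # value is the safer choice.
      maxAuthAge: -1  # in seconds
      signMetadata: true
      # Uncomment unless the library default is already rsa-sha256; SHA-1
      # signatures should not be used in new deployments.
      #signingAlgorithm : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
      discovery:
        enabled: true
        # Test-federation WAYF; the DARIAH CDS for production is kept below.
        url: https://wayf.aai.dfn.de/DFN-AAI-Test/wayf
        #url: https://auth.dariah.eu/CDS/WAYF
        # NOTE(review): "?disco:true" looks like a typo for "?disco=true",
        # the query-parameter form used for Spring SAML discovery return
        # URLs — verify against the dariahsp entry point before changing.
        return: https://schereg.de.dariah.eu/schereg/saml/login/alias/schereg?disco:true
      # ECP lets non-browser clients authenticate via SOAP/PAOS; keep it only
      # if such clients exist for this SP.
      ecpEnabled: true
      # TRANSIENT and UNSPECIFIED NameIDs are not stable identifiers. They are
      # tolerable here only because identity is resolved through
      # eduPersonPrincipalName (queryByNameID: false) — do not key accounts or
      # authorization on the NameID while they are allowed. The narrower list
      # is kept below.
      allowedNameIds: EMAIL, TRANSIENT, PERSISTENT, UNSPECIFIED, X509_SUBJECT
      #allowedNameIds: EMAIL, PERSISTENT, X509_SUBJECT
      # All three roles use the single keystore alias above.
      signingKey: dfa.de.dariah.eu
      encryptionKey: dfa.de.dariah.eu
      tlsKey: dfa.de.dariah.eu
      attributeQuery:
        enabled: true
        # IdPs listed here are never queried; with assumeAttributesComplete
        # their assertion is taken as the full attribute set, so the
        # requiredAttributes checks below see only what they send.
        excludedEndpoints:
          urls:
            - "https://ldap-dariah-clone.esc.rzg.mpg.de/idp/shibboleth"
            - "https://idp.de.dariah.eu/idp/shibboleth"
          assumeAttributesComplete: true
        # NOTE(review): missing attributes are looked up at a *clone* IdP
        # (ldap-dariah-clone...). Its answers decide who passes the checks
        # below, so it must be trusted and operated like the production IdP.
        queryIdp: https://ldap-dariah-clone.esc.rzg.mpg.de/idp/shibboleth
        #queryIdp: https://idp.de.dariah.eu/idp/shibboleth
        queryByNameID: false
        queryAttribute:
          friendlyName: eduPersonPrincipalName
          name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
          nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
        # For now without parameters bc DARIAH Self Service is broken
        incompleteAttributesRedirect: "https://dariah.daasi.de/Shibboleth.sso/Login?target=/cgi-bin/selfservice/ldapportal.pl"
        # The templated variants below embed {returnUrl}. Before re-enabling
        # one, make sure that value cannot be influenced by the request (or is
        # restricted to this SP's baseUrl); otherwise the self-service login
        # becomes an open redirect.
        #incompleteAttributesRedirect: "https://dariah.daasi.de/Shibboleth.sso/Login?target=/cgi-bin/selfservice/ldapportal.pl%3Fmode%3Dauthenticate%3Bshibboleth%3D1%3Bnextpage%3Dregistration%3Breturnurl%3D{returnUrl}&entityID={entityId}"
        #incompleteAttributesRedirect: "https://auth.dariah.eu/Shibboleth.sso/Login?target=/cgi-bin/selfservice/ldapportal.pl%3Fmode%3Dauthenticate%3Bshibboleth%3D1%3Bnextpage%3Dregistration%3Breturnurl%3D{returnUrl}&entityID={entityId}"
      # Attribute checks, grouped by stage. A 'required: true' group is
      # presumably enforced (login fails when it is not satisfied) while
      # 'required: false' / OPTIONAL groups only collect values — confirm
      # against the dariahsp implementation.
      requiredAttributes:
        # A mail address must be present.
        - stage: ATTRIBUTES
          required: true
          attributeGroup:
            - check: AND
              attributes:
                - friendlyName: mail
                  name: urn:oid:0.9.2342.19200300.100.1.3
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
        # Terms-of-use acceptance: any one of the listed values satisfies it.
        - stage: ATTRIBUTES
          required: true
          attributeGroup:
            - check: OR
              attributes:
                - friendlyName: dariahTermsOfUse
                  name: urn:oid:1.3.6.1.4.1.10126.1.52.4.15
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                  value: Terms_of_Use_v5.pdf
                # NOTE(review): "foobar-..." looks like a development
                # placeholder. While it is listed, an IdP asserting this value
                # satisfies the terms-of-use check; remove the entry unless
                # such a service agreement really exists.
                - friendlyName: dariahTermsOfUse
                  name: urn:oid:1.3.6.1.4.1.10126.1.52.4.15
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                  value: foobar-service-agreement_version1.pdf
        # The principal identifier is mandatory for authentication.
        - stage: AUTHENTICATION
          required: true
          attributeGroup:
            - check: AND
              attributes:
                - friendlyName: eduPersonPrincipalName
                  name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
        # Optional profile data.
        - stage: AUTHENTICATION
          required: false
          attributeGroup:
            - check: OPTIONAL
              attributes:
                - friendlyName: mail
                  name: urn:oid:0.9.2342.19200300.100.1.3
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                - friendlyName: displayName
                  name: urn:oid:2.16.840.1.113730.3.1.241
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri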