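# Authentication configuration for the "schereg" service provider: a small set
# of local accounts plus SAML login through the DFN-AAI federation.
auth:
  # Local (non-federated) accounts. Hashes are in bcrypt '$2a$10$' format.
  # NOTE(review): this file carries credential material — keep it out of
  # version control and restrict read access on the host.
  local:
    users:
      - username: 'admin'
        passhash: '$2a$10$nbXRnAx5wKurTrbaUkT/MOLXKAJgpT8R71/jujzPwgXXrG.OqlBKW'
        roles: ["ROLE_ADMINISTRATOR"]
      - username: 'tgradl'
        passhash: '$2a$10$EeajSQQUepa7H7.g4xQCaeO.hjUwh0yzYCMrfOkWCZGe1IiWaexa6'
        roles: ["ROLE_CONTRIBUTOR"]
  saml:
    # Java keystore holding the SP key pair referenced by signingKey,
    # encryptionKey and tlsKey below.
    keystore:
      path: /data/_srv/schereg/key/dfa-de-dariah-eu.jks
      # Uncomment if keystore is protected by password
      #pass: 'somepass'
      alias: dfa.de.dariah.eu
      # NOTE(review): an empty value presumably means the key entry is not
      # password-protected — confirm against the consumer; prefer a non-empty
      # password supplied from outside this file.
      aliaspass: ''
    # Federation metadata. The active URL is the DFN-AAI *test* federation;
    # the commented one is the "basic" federation. Switch this together with
    # discovery.url below when changing deployment stage.
    metadata:
      url: https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-test-metadata.xml
      #url: https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-basic-metadata.xml
    # Service-provider (SP) settings.
    sp:
      local: true
      alias: schereg
      baseUrl: https://schereg.de.dariah.eu/schereg
      entityId: https://schereg.de.dariah.eu
      #externalMetadata : /home/tobias/Downloads/spring_saml_metadata.xml
      #securityProfile: metaiop
      #sslSecurityProfile: pkix
      #requireArtifactResolveSigned: false
      #requireLogoutRequestSigned: false
      #requireLogoutResponseSigned: false
      # NOTE(review): false presumably accepts unsigned attribute-query
      # responses — confirm against the consumer and prefer true where the
      # queried IdP supports signing.
      requireAttributeQuerySigned: false
      # NOTE(review): -1 presumably disables the authentication-age check
      # (no upper bound on how old an IdP session may be) — confirm.
      maxAuthAge: -1  # in seconds
      signMetadata: true
      #signingAlgorithm : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
      # IdP discovery (WAYF). The active URL is the DFN-AAI test WAYF; the
      # commented one is the DARIAH CDS. Keep in step with metadata.url.
      discovery:
        enabled: true
        url: https://wayf.aai.dfn.de/DFN-AAI-Test/wayf
        #url: https://auth.dariah.eu/CDS/WAYF
        return: https://schereg.de.dariah.eu/schereg/saml/login/alias/schereg?disco:true
      ecpEnabled: true
      #allowedNameIds: EMAIL, TRANSIENT, PERSISTENT, UNSPECIFIED, X509_SUBJECT
      # YAML parses this as ONE comma-separated string, not a list; quoted to
      # make that explicit. The consumer presumably splits it — verify.
      allowedNameIds: 'EMAIL, PERSISTENT, X509_SUBJECT'
      # Keystore aliases used for each purpose (all the same entry here).
      signingKey: dfa.de.dariah.eu
      encryptionKey: dfa.de.dariah.eu
      tlsKey: dfa.de.dariah.eu
      # SAML attribute query issued after authentication.
      attributeQuery:
        enabled: true
        # IdPs listed here are presumably not queried; with
        # assumeAttributesComplete the assertion attributes are taken as-is.
        # NOTE(review): confirm this is intended for the production IdP entry.
        excludedEndpoints:
          urls:
            - 'https://ldap-dariah-clone.esc.rzg.mpg.de/idp/shibboleth'
            - 'https://idp.de.dariah.eu/idp/shibboleth'
          assumeAttributesComplete: true
        # Active value is the clone host; the commented one is the primary
        # DARIAH IdP — check this matches the deployment stage.
        queryIdp: https://ldap-dariah-clone.esc.rzg.mpg.de/idp/shibboleth
        #queryIdp: https://idp.de.dariah.eu/idp/shibboleth
        queryByNameID: false
        # Attribute whose value identifies the subject in the query
        # (eduPersonPrincipalName).
        queryAttribute:
          friendlyName: eduPersonPrincipalName
          name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
          nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
      # Attribute requirements, evaluated per stage. Each attributeGroup
      # carries a check combinator (AND / OR / OPTIONAL) over its attributes;
      # exact semantics come from the consumer.
      requiredAttributes:
        # A mail address must be present.
        - stage: ATTRIBUTES
          required: true
          attributeGroup:
            - check: AND
              attributes:
                - friendlyName: mail
                  name: urn:oid:0.9.2342.19200300.100.1.3
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
        # Acceptance of one of the listed terms-of-use documents is required.
        - stage: ATTRIBUTES
          required: true
          attributeGroup:
            - check: OR
              attributes:
                - friendlyName: dariahTermsOfUse
                  name: urn:oid:1.3.6.1.4.1.10126.1.52.4.15
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                  value: Terms_of_Use_v5.pdf
                # NOTE(review): 'foobar-...' looks like a placeholder — confirm
                # it is the real agreement document name before relying on it.
                - friendlyName: dariahTermsOfUse
                  name: urn:oid:1.3.6.1.4.1.10126.1.52.4.15
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                  value: foobar-service-agreement_version1.pdf
        # Optional attributes collected at authentication time.
        - stage: AUTHENTICATION
          required: false
          attributeGroup:
            - check: OPTIONAL
              attributes:
                - friendlyName: eduPersonPrincipalName
                  name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                - friendlyName: mail
                  name: urn:oid:0.9.2342.19200300.100.1.3
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                - friendlyName: eduPersonEntitlement
                  name: urn:oid:1.3.6.1.4.1.5923.1.1.1.7
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                - friendlyName: eduPersonScopedAffiliation
                  name: urn:oid:1.3.6.1.4.1.5923.1.1.1.9
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                - friendlyName: displayName
                  name: urn:oid:2.16.840.1.113730.3.1.241
                  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri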