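# Config options of the dariahsp core library
# Commented properties reflect default values
#
# This is a SAMPLE configuration: every secret it contains (salt, key store
# passwords, user password hashes) is publicly visible and must be replaced
# with a deployment-specific value before the file is used.
auth:
  # Base externally visible URL
  #baseUrl: http://localhost:8080
  # Default redirected URL post login
  #defaultLoginUrl: ${auth.baseUrl}
  # Default redirected URL post logout
  #defaultLogoutUrl: ${auth.baseUrl}
  # Salt for signing and encryption purposes.
  # Sample value only: generate a fresh random salt per deployment. Every
  # deployment that keeps this value shares the same signing/encryption material.
  salt: 'Qmwp4CO7LDkOUDouAcCcUqd9ZGNbRG5Jyr5lpntOuB9'
  # Hierarchy used in role-based authorization voting
  permissionHierarchy: ROLE_ADMINISTRATOR > ROLE_CONTRIBUTOR > ROLE_USER
  # Permission sets to code against and mapping to 'external' roles
  permissionDefinitions:
    # Name of the permission set (internal role)
    - permissionSet: ROLE_ADMINISTRATOR
      # Numerical authorization level allowing security expressions as level gte 50
      level: 100
      roleMappings:
        # Role mapping to locally configured roles
        local: ["application_admin"]
        # Role mapping to SAML (typically memberOf) roles
        saml: ["application_admin"]
    - permissionSet: ROLE_CONTRIBUTOR
      level: 50
      roleMappings:
        local: ["application_contributor"]
        saml: ["application_contributor"]
    - permissionSet: ROLE_USER
      level: 10
      roleMappings:
        local: ["application_user"]
        saml: ["application_user"]
  local:
    # The client with the lowest number here is used when selecting a default authenticator
    order: 0
    # Enable local authentication
    enabled: true
    # Name of the method
    #authorizerName: local
    # Sample accounts: same password for each user: 1234.
    # The password is public and the same hash is reused for every account;
    # remove these accounts or replace the hashes before deployment.
    users:
      # Username
      - username: 'admin'
        # BCrypt hashed password
        passhash: '$2y$10$nmTcpRxs.RFUstkJJms6U.AW61Jmr64s9VNQLuhpU8gYrgzCapwka'
        # Pseudo-external role
        roles: ["application_admin"]
      - username: 'contributor'
        passhash: '$2y$10$nmTcpRxs.RFUstkJJms6U.AW61Jmr64s9VNQLuhpU8gYrgzCapwka'
        roles: ["application_contributor"]
      - username: 'user'
        passhash: '$2y$10$nmTcpRxs.RFUstkJJms6U.AW61Jmr64s9VNQLuhpU8gYrgzCapwka'
        roles: ["application_user"]
  saml:
    # Selection order of this authenticator (see local.order)
    order: 1
    # Enable SAML authentication
    enabled: false
    # Name of the method
    #authorizerName: saml
    # Java KeyStore configuration.
    # Placeholder credentials: supply the real values from a secret store or
    # environment-specific configuration rather than a file committed to VCS.
    keystore:
      path: /path/to/keystore.jks
      pass: 'keystore_password'
      alias: keypair_alias
      aliaspass: 'private_key_password'
    # IdP configuration
    metadata:
      # URL of IdP metadata
      url: https://aaiproxy.de.dariah.eu/idp/
    # Hosted SP configuration
    sp:
      # Metadata in filesystem (if available, otherwise generated)
      #metadataResource: /data/_srv/dariahsp/sp_metadata.xml
      # Maximum authentication lifetime in seconds
      #maxAuthAge: 3600
      # NOTE(review): the other defaults in this file reference ${auth.baseUrl};
      # confirm which placeholder the library resolves for the entity ID.
      #entityId: ${baseUrl}
      # Signature configuration
      #signMetadata: true
      #signingMethods: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
      #digestMethods: "http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmlenc#sha512"
      #authnRequestSigned: true
      #logoutRequestSigned: true
      #wantsAssertionsSigned: true
      # Presumably only the assertion signature is verified by default; enable
      # this if the IdP also signs the enclosing response — confirm with the library docs.
      #wantsResponsesSigned: false
      # SAML SP protocol configuration
      #supportedProtocols: urn:oasis:names:tc:SAML:2.0:protocol
      # Timeout for interaction with configured IdP
      #httpClientTimoutMs: 2000
      # URL for redirection after RequiredAttributesException is raised
      attributesIncompleteRedirectUrl: https://auth.de.dariah.eu/cgi-bin/selfservice/ldapportal.pl
      # Attribute groups for attribute mapping and required attribute definition
      attributeGroups:
        # All attributes are required
        - check: AND
          attributes:
            - friendlyName: dariahTermsOfUse
              name: urn:oid:1.3.6.1.4.1.10126.1.52.4.15
              nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
              # A required value of the attribute can be defined
              #value: Terms_of_Use_germ_engl_v6.pdf
            - friendlyName: eduPersonPrincipalName
              mappedAttribute: id
              name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
              nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
        # Optional attributes are typically used for mapping SAML attributes to
        # ExtendedUserProfile properties like username, externalRoles below
        - check: OPTIONAL
          attributes:
            - friendlyName: mail
              name: urn:oid:0.9.2342.19200300.100.1.3
              nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
            - friendlyName: displayName
              mappedAttribute: username
              name: urn:oid:2.16.840.1.113730.3.1.241
              nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
            - friendlyName: isMemberOf
              mappedAttribute: externalRoles
              name: urn:oid:1.3.6.1.4.1.5923.1.5.1.1
              nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri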