# Config options of the dariahsp core library
# Commented properties reflect default values.
# This is a SAMPLE file: the salt, the user password hashes and the keystore
# passwords below are placeholders and must be replaced with deployment-specific
# values that are not committed to version control.
auth:
  # Base externally visible URL
  #baseUrl: http://localhost:8080
  # Default redirected URL post login
  #defaultLoginUrl: ${auth.baseUrl}
  # Default redirected URL post logout
  #defaultLogoutUrl: ${auth.baseUrl}
  # Salt for signing and encryption purposes.
  # Sample value only: generate a fresh random value per deployment and treat it as a secret.
  salt: Qmwp4CO7LDkOUDouAcCcUqd9ZGNbRG5Jyr5lpntOuB9
  # Hierarchy used in role-based authorization voting (highest role first)
  permissionHierarchy: ROLE_ADMINISTRATOR > ROLE_CONTRIBUTOR > ROLE_USER
  # Permission sets to code against and their mapping to 'external' roles
  permissionDefinitions:
    # Name of the permission set (internal role)
    - permissionSet: ROLE_ADMINISTRATOR
      # Numeric authorization level; enables security expressions such as "level >= 50"
      level: 100
      roleMappings: 
        # Role mapping to locally configured roles (the strings used in the local users' roles below)
        local: ["application_admin"]
        # Role mapping to SAML (typically memberOf) roles
        saml: ["application_admin"]       
    - permissionSet: ROLE_CONTRIBUTOR
      level: 50
      roleMappings:
        local: ["application_contributor"]
        saml: ["application_contributor"]
    - permissionSet: ROLE_USER
      level: 10
      roleMappings:
        local: ["application_user"]
        saml: ["application_user"]
  local:
    # Enable local authentication
    enabled: true
    # Name of the method
    #authorizerName: local
    # Sample accounts: every passhash below is the BCrypt hash of the password 1234.
    # They are for local testing only; replace them (or disable local auth) before deployment.
    users:
      # Username
      - username: 'admin'
        # BCrypt hashed password
        passhash: '$2y$10$nmTcpRxs.RFUstkJJms6U.AW61Jmr64s9VNQLuhpU8gYrgzCapwka'
        # Pseudo-external role, matched against roleMappings.local above
        roles: ["application_admin"]
      - username: 'contributor'
        passhash: '$2y$10$nmTcpRxs.RFUstkJJms6U.AW61Jmr64s9VNQLuhpU8gYrgzCapwka'
        roles: ["application_contributor"]
      - username: 'user'
        passhash: '$2y$10$nmTcpRxs.RFUstkJJms6U.AW61Jmr64s9VNQLuhpU8gYrgzCapwka'
        roles: ["application_user"]
  saml:
    # Enable SAML authentication
    enabled: false
    # Name of the method
    #authorizerName: saml
    # Java KeyStore configuration.
    # The keystore and key passwords are stored in clear text here: restrict read
    # access to this file or inject them from the environment / a secret store instead.
    keystore:
      path: /path/to/keystore.jks
      pass: keystore_password
      alias: keypair_alias
      aliaspass: private_key_password
    # IdP configuration
    metadata:
      # URL the IdP metadata is fetched from; keep it https so the metadata
      # cannot be tampered with in transit
      url: https://aaiproxy.de.dariah.eu/idp/
    # Hosted SP configuration
    sp:
      # Metadata in filesystem (if available, otherwise generated)
      #metadataResource: /data/_srv/dariahsp/sp_metadata.xml
      # Maximum authentication lifetime in seconds
      #maxAuthAge: 3600
      # NOTE(review): the other defaults reference ${auth.baseUrl}; confirm which placeholder form applies here
      #entityId: ${baseUrl}
      # Signature configuration
      #signMetadata: true
      #signingMethods: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
      #digestMethods: http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmlenc#sha512
      #authnRequestSigned: true
      #logoutRequestSigned: true
      # Keep at least one of wantsAssertionsSigned / wantsResponsesSigned enabled so the
      # IdP's signature is verified on incoming SAML messages
      #wantsAssertionsSigned: true
      #wantsResponsesSigned: false
      # SAML SP protocol configuration
      #supportedProtocols: urn:oasis:names:tc:SAML:2.0:protocol
      # Timeout for interaction with the configured IdP (milliseconds)
      # NOTE(review): key is spelled 'Timout'; confirm it matches the property name the library reads before uncommenting
      #httpClientTimoutMs: 2000
      # URL for redirection after RequiredAttributesException is raised
      attributesIncompleteRedirectUrl: https://auth.de.dariah.eu/cgi-bin/selfservice/ldapportal.pl
      # Attribute groups for attribute mapping and required attribute definition
      attributeGroups:
        # check: AND - all attributes in this group are required
        - check: AND
          attributes:
            - friendlyName: dariahTermsOfUse
              name: urn:oid:1.3.6.1.4.1.10126.1.52.4.15
              nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
              # A required value of the attribute can be defined
              #value: Terms_of_Use_germ_engl_v6.pdf
            - friendlyName: eduPersonPrincipalName
              # Maps this SAML attribute onto the ExtendedUserProfile property 'id'
              mappedAttribute: id
              name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
              nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
        # check: OPTIONAL - attributes that may be absent; typically used for mapping SAML
        # attributes to ExtendedUserProfile properties such as username and externalRoles below
        - check: OPTIONAL
          attributes:
            - friendlyName: mail
              name: urn:oid:0.9.2342.19200300.100.1.3
              nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
            - friendlyName: displayName
              mappedAttribute: username
              name: urn:oid:2.16.840.1.113730.3.1.241
              nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
            - friendlyName: isMemberOf
              mappedAttribute: externalRoles
              name: urn:oid:1.3.6.1.4.1.5923.1.5.1.1
              nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri