From f3b9059f4f08f038b940149f8b85c186a7229868 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Johan=20Bj=C3=B6rklund?= <bjorklund@sunet.se>
Date: Thu, 28 Nov 2024 13:58:23 +0100
Subject: [PATCH] Add missing shib config

---
 global/overlay/etc/puppet/cosmos-rules.yaml   |  2 +-
 .../files/naemon_monitor/attribute-map.xml    | 22 +++++
 .../files/naemon_monitor/attribute-policy.xml | 82 +++++++++++++++++++
 .../soc/files/naemon_monitor/frontend.xml     | 12 +++
 .../modules/soc/manifests/naemon_monitor.pp   | 20 ++++-
 .../naemon_monitor/docker-compose.yml.erb     |  2 +
 6 files changed, 135 insertions(+), 5 deletions(-)
 create mode 100644 global/overlay/etc/puppet/modules/soc/files/naemon_monitor/attribute-map.xml
 create mode 100644 global/overlay/etc/puppet/modules/soc/files/naemon_monitor/attribute-policy.xml
 create mode 100644 global/overlay/etc/puppet/modules/soc/files/naemon_monitor/frontend.xml

diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index 5493325..eeb867e 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -50,5 +50,5 @@ monitor-dev.cert.sunet.se:
     domain: monitor-dev.cert.sunet.se
     thruk_admins:
       - bjorklund@sunet.se
-    default_host_group: sunet::nagios:nrpe
+    default_host_group: sunet::nagios::nrpe
     nrpe_group: sunet::nagios::nrpe
diff --git a/global/overlay/etc/puppet/modules/soc/files/naemon_monitor/attribute-map.xml b/global/overlay/etc/puppet/modules/soc/files/naemon_monitor/attribute-map.xml
new file mode 100644
index 0000000..6555029
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/files/naemon_monitor/attribute-map.xml
@@ -0,0 +1,22 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+    SWAMID standard attribute-map.xml for SAML 2.0
+    ==============================================
+    The mappings are agreed to within the Shibboleth community or directly LDAP attribute names.
+
+    Version: 2017-01-04
+
+    REMEMBER to notify SWAMID saml-admins list when updating this file!
+    -->
+
+    <!-- eduPerson attributes until version 201310 -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+
+    <!-- Attribute to extract SWAMID Assurance Profiles -->
+    <Attribute name="urn:oasis:names:tc:SAML:attribute:assurance-certification" id="Assurance-Certification"/>
+
+</Attributes>
diff --git a/global/overlay/etc/puppet/modules/soc/files/naemon_monitor/attribute-policy.xml b/global/overlay/etc/puppet/modules/soc/files/naemon_monitor/attribute-policy.xml
new file mode 100644
index 0000000..00b1455
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/files/naemon_monitor/attribute-policy.xml
@@ -0,0 +1,82 @@
+<afp:AttributeFilterPolicyGroup
+    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
+    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
+    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
+    xmlns:afp="urn:mace:shibboleth:2.0:afp"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!-- Shared rule for affiliation values. -->
+    <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
+        <Rule xsi:type="AttributeValueString" value="faculty"/>
+        <Rule xsi:type="AttributeValueString" value="student"/>
+        <Rule xsi:type="AttributeValueString" value="staff"/>
+        <Rule xsi:type="AttributeValueString" value="alum"/>
+        <Rule xsi:type="AttributeValueString" value="member"/>
+        <Rule xsi:type="AttributeValueString" value="affiliate"/>
+        <Rule xsi:type="AttributeValueString" value="employee"/>
+        <Rule xsi:type="AttributeValueString" value="library-walk-in"/>
+    </afp:PermitValueRule>
+    
+    <!--
+    Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
+    an AttributeRule for each attribute you want to check.
+    -->
+    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
+        <Rule xsi:type="NOT">
+            <Rule xsi:type="AttributeValueRegex" regex="@"/>
+        </Rule>
+        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
+    </afp:PermitValueRule>
+
+    <afp:AttributeFilterPolicy>
+        <!-- This policy is in effect in all cases. -->
+        <afp:PolicyRequirementRule xsi:type="ANY"/>
+
+        <!-- Filter out undefined affiliations and ensure only one primary. -->
+        <afp:AttributeRule attributeID="affiliation">
+            <afp:PermitValueRule xsi:type="AND">
+                <RuleReference ref="eduPersonAffiliationValues"/>
+                <RuleReference ref="ScopingRules"/>
+            </afp:PermitValueRule>
+        </afp:AttributeRule>
+        <afp:AttributeRule attributeID="unscoped-affiliation">
+            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+        </afp:AttributeRule>
+        <afp:AttributeRule attributeID="primary-affiliation">
+            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+        </afp:AttributeRule>
+
+        <afp:AttributeRule attributeID="subject-id">
+            <afp:PermitValueRuleReference ref="ScopingRules"/>
+        </afp:AttributeRule>
+
+        <afp:AttributeRule attributeID="pairwise-id">
+            <afp:PermitValueRuleReference ref="ScopingRules"/>
+        </afp:AttributeRule>
+        
+        <afp:AttributeRule attributeID="eppn">
+	<!-- Disabled scope check since the proxy does it for us and the proxies metadata doesn't include scopes from our customers.
+            <afp:PermitValueRuleReference ref="ScopingRules"/>
+	-->
+        </afp:AttributeRule>
+
+        <afp:AttributeRule attributeID="targeted-id">
+            <afp:PermitValueRuleReference ref="ScopingRules"/>
+        </afp:AttributeRule>
+
+        <!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->
+        <afp:AttributeRule attributeID="persistent-id">
+            <afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
+        </afp:AttributeRule>
+        
+        <!-- Enforce that the values of schacHomeOrganization are a valid Scope. -->
+        <afp:AttributeRule attributeID="schacHomeOrganization">
+            <afp:PermitValueRule xsi:type="saml:AttributeValueMatchesShibMDScope" />
+        </afp:AttributeRule>
+
+        <!-- Catch-all that passes everything else through unmolested. -->
+        <afp:AttributeRule attributeID="*" permitAny="true"/>
+        
+    </afp:AttributeFilterPolicy>
+
+</afp:AttributeFilterPolicyGroup>
diff --git a/global/overlay/etc/puppet/modules/soc/files/naemon_monitor/frontend.xml b/global/overlay/etc/puppet/modules/soc/files/naemon_monitor/frontend.xml
new file mode 100644
index 0000000..7c26f81
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/files/naemon_monitor/frontend.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ns1="http://www.w3.org/2000/09/xmldsig#" xmlns:ns2="urn:oasis:names:tc:SAML:metadata:algsupport" entityID="https://test-sso-proxy.cert.sunet.se/idp" ID="id-fQprzzBaKC28YHbhN"><ns1:Signature Id="Signature1"><ns1:SignedInfo><ns1:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ns1:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ns1:Reference URI="#id-fQprzzBaKC28YHbhN"><ns1:Transforms><ns1:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ns1:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ns1:Transforms><ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ns1:DigestValue>ZqwJCbHnSlUSiKB2w0hoaUuhBQc=</ns1:DigestValue></ns1:Reference></ns1:SignedInfo><ns1:SignatureValue>bi9wDKY5SbE47zpXcshvQoVF20mWeBqqftEfiLpDGar0GtEzgAdZ3k1CbIbu5rHH
+8UgIg0o1c1ZbB4oi815Ioj+YU1/MyVAXl97AV0cPCtVYEnd/nUZ5LIArIn9KcKh0
+zg1pijMYP1VFL09WPuGSIYhG4fc+jMgzCqtE9t/brtPwWMOKfUeB3ZIqSlxsaVGF
+2n8pskrI021l7r0kCqyxxF8wIo75Hy8+21UgUuIZ+R3Fsu05FYiVDt5gHpqMmDP2
+vSDHcNuQ9pbx5bqGmOWG92XBy63O1pngiPsHiqXlVKurP1vzhqRlxH2HO24FXbAM
+IWQQ3zI2UnyFLKarwkGIgy5W5qq5/TZTDl7g/sew8vCXvyN86JTaIK+51+v93nKq
+0hv6wCg0ggybq6NDtakO0QNQcR8B7sPt4AN+UxYgqNAvueEQC78YuqLLjBLKdDQR
+Af2UXmTDaMbUz//9X8raLZX9phNOKPe7hxR+LyFuPF4cAfYV0HFYKCv9tPDeoiiN
+LnEKE8UNotWUuF3Bc9go2NfVgWTmKlEKdOLOjaCdJ/INTDAdom8eJzJqXkIRrXRt
+xovVz2kAdY+nLcS38Bj/Goq4M9lBk4IkbmvawHi8V8IKkpbT7zMLsNa3nmUNjuOG
+Hz7G3pWwglxekj6e/EQ7nEk2bo7QPP9hLXtX16iNx3M=</ns1:SignatureValue><ns1:KeyInfo><ns1:X509Data><ns1:X509Certificate>MIIFFTCCAv2gAwIBAgIUaPhsQpj7XhL4ydnikGQEzVI5x8YwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPc2F0b3NhX21ldGFkYXRhMB4XDTI0MTAzMDEyMTMyMVoXDTM0MTAyODEyMTMyMVowGjEYMBYGA1UEAwwPc2F0b3NhX21ldGFkYXRhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyhEgpwXLwiQErxg6qbsAVfyR+f6akvl56tmuIkn+vequDOMmKSeJ8bXTa43aYkixIZoL3BZakZQB9uUqx0pLTfPSS24alR5jZnEXem5c8/NBIUXyX+o0IKo2WrOcHk4p/O1owyYmqNfvu7PUu0hO65of42zrW97RYNoI01PQ8FBO/pzgkbv/9rOBKk78z1lW+k4FQej73GA+XmMFzwYiQRfWMmTqZuIv7oi52lgtcc1UIAoKZSKECGBCthpfixXZQV/O7NIUeNi76domGkjvg9smkDFCzsvgHoAu1HKsQV2IcvGf9pspqspRmckEqL+OomIXQhpZzxMqYSdAv1IKbPBWZf/vTzfGPMx+BUpGBJbf00lODn8uHenJp3V3ZOn9ze78DgbRqWCdix5+8jWkZHi4j+nJwGXubB0cNFgCqNFrVt6JejSZjg/4fKySPjZzNeA80gD77cav+YMq9lmw4n3YqjExweXuWFvuqc741zrl9GJw3IuU+IHkjwCo8Ls3mdmJD1u55Z+wbSxYMl80szlqj68qeG/jTy60Z/II91zeE6OcbgNh9MVo14A9wuI5rOtJN6mDZ53ZI/nWCkusok7t0PUhXV0zs4hj483vCTywR2HAU8LSVp+HMwsTeRC1ckRif9Nt7gmVCHcYDYOdJvcSbo92Z7hpIEDSHbLxQO0CAwEAAaNTMFEwHQYDVR0OBBYEFClsBiNqmeM3ZdYSFV/LHcAhy8LrMB8GA1UdIwQYMBaAFClsBiNqmeM3ZdYSFV/LHcAhy8LrMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAJMsrgCjszKIJKgWvS0fmjvB721GSr19BRHgSD4Y1RqbRPxvSX5M/aIBhOJBih8B0O5+0vF66I2HxK7EASxmLxzQccRQ+xZyim8dWeeMzxIPal9Oi67zta4WroEdAQFL8nDbdJwA6C1eMHSg2IALN7/yIxxiQdNuepyT/9xZOt/so5AeowR6Ru3RZijhdvjhr5+EKHUJNwUewoR9iUC7XAYXWaQzeVqRXg6XtPBMVUIiVEVjPmudYNfj35/RnZy6GYrZijetUbqNy1fONkmCbxiYeLbr2TAApD8u3bJoYZAzKJGtG4LzKB+cX8UqIa3DN7sbRzmWm1z0MQ0BQHLhJGxjM2Jv3/0mxFB4Z/zZ+TilhrP2NyPcwYoI3ovl98oASJjTD7AQ+iEZ/0iMvK+HDLVuHq8kbOgvxjjg60S+SYM1t/Ul5bbAMaxABCmRoA+S6JLR2lGpHSA38ZzajdvnLeKLMTpZbEsy+/oaVR4DQcmUjKLAsj7VpIq4xjfz2RXIlh+9HNg18Lg+F+tnduf2KtUDUkY8woFb7+4NNQhGkUoAlAMTYQrTQkYI7T3fTccpo7FY078SGFx78t7uVmF6NXyrj22yi37pzIwP9C3iH08Un2iBXNNMjAOWIbbZ8Y1P3ImmkIhQWZQa0I2vOq//oKEstvgDIFWKq6XgeMM+EBKB</ns1:X509Certificate></ns1:X509Data></ns1:KeyInfo></ns1:Signature><ns0:Extensions><ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/><ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/><ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/><ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/><ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/><ns2:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/><ns2:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/><ns2:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/><ns2:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/><ns2:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/><ns2:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/><ns2:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/><ns2:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/><ns2:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/><ns2:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ns2:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/><ns2:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ns2:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/><ns2:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/></ns0:Extensions><ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false"><ns0:KeyDescriptor use="signing"><ns1:KeyInfo><ns1:X509Data><ns1:X509Certificate>MIIFFTCCAv2gAwIBAgIUA8ivWRCE3JnzQOsKWqbEuZmoytIwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPc2F0b3NhX2Zyb250ZW5kMB4XDTI0MTAzMDEyMTMyMFoXDTM0MTAyODEyMTMyMFowGjEYMBYGA1UEAwwPc2F0b3NhX2Zyb250ZW5kMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApuI3TLwWOnEReXU8Q3FZS7r6aRQoqdmf9nhjEWkrgvg6/leGh15APr2YIT+jPkhLaGT1wbzyONPvxAZDDPFWl4IvDFQfI0C3zdVZqlm/wpCauRzmwNtaKRgT92egqcJo0TIg8FvLZOHkW2fEWbNhRp5fMgnwEp41SeQQ5LK9VkSaU7DUtbk2CFC0SNjZ+nHjofIShJcGkF7l0rCojbhrUuVJ6dTjLr6GAjSQjOxuanzX0x4cFvJUzUkjaQNGNCCoTP/X3Jy6+bvePI3icJMHo6aaJw5l27VoBKkH7Wget9YB9RlDDpXiReQqWSjTFqHei+FFzlR4PNIzZMmyQ2cgU/h7IYEt3C3/Vtvwz002gSrXmNJFhqxXYx7dIOtGcEOYPaGbM929JZ0m2ORPcHDuT25mP71FxaYvsEVUoTalazmiov+1ykmDTYRj2puBnacr/CaJ0u/S6P7fZvgjDkyWEFUsupaPJZC+tso9e5rsQzIGrcU0gU0rcq1cWtIJcutcXHws2PU46iDrLCsuhYEjdTYr2VrKIykDlAIyciiu4qW3yVyS4CX+fGgkUHU8QprKO3IQ576UaMEC/nYGHV+SqzXB0vSf6EjGvB1piht0BY6BOvUEBMn1MM1bIei/spIDxxYE8WY0Cc/GoqD7lz7M6l/1LpQetOFR94j+cn24A/UCAwEAAaNTMFEwHQYDVR0OBBYEFNc38V1SAlnSemXRMulraf+Af1h0MB8GA1UdIwQYMBaAFNc38V1SAlnSemXRMulraf+Af1h0MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBADoDfxStqezcslsGgLdPfKEnCROdpOZi8OXcgW37lDRczsbjq1dZdTUorF/dku9UHa4Y8Qf4d4zz0qDeSz9JiItPZ4wps77o79zFA9wgn+uDXROoi+BhlC2NnJER4T0CnQHR3b+7z/mxlCyyh9bzrTYqwY4sq2r3nUcZSudTZnXd/vKTcfgBSziggmF6K/YbfsLyUc/opyH60KFxbPBoQvgPrQADtrgvB54zBS79VpytQ89KW7XkNr/hUndt0Jf8fEk/ShgZe5xtxa8Hemf9cophS9wnvBDtRD8e8v0/i9QKluCmaJjcQATeAUjAtORBb5pwkzVfwAk90hz88BQ10ThO/OrjPe6cilLzkBSV2m/9Ve+IDI8axhKtSKqoGJyuIkMmlQc7Kf6IuFKP59rH6l2EcR3oXGOmffz+u4JYSxuvqYsbIQM2DvYw5qbOAYL6jz6hCp99F/mKeYupXbexXJjncXPBAB/KOXzE2acGMBjAm7KB62a2RGYWaclsctuEXzZD/q+K42Y81vXa3ysCmRaSR3KaU04YSn/e8/U6ZBwqmzm2rqmvw3uO4EYEOAyefHMKO51dhdtW4nzAnPjFojZS6aNnBlZR38X1YQMfWW/CSinrurrUvIoEAvpF0C7OiJFAuQoc4SND2ZJ83uEW3AfMN6GXz4OWdxtk6+2TMBzA</ns1:X509Certificate></ns1:X509Data></ns1:KeyInfo></ns0:KeyDescriptor><ns0:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</ns0:NameIDFormat><ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test-sso-proxy1.cert.sunet.se/Saml2SP/sso/post"/><ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test-sso-proxy1.cert.sunet.se/Saml2SP/sso/redirect"/></ns0:IDPSSODescriptor></ns0:EntityDescriptor>
diff --git a/global/overlay/etc/puppet/modules/soc/manifests/naemon_monitor.pp b/global/overlay/etc/puppet/modules/soc/manifests/naemon_monitor.pp
index 1e9a2d6..76417b3 100644
--- a/global/overlay/etc/puppet/modules/soc/manifests/naemon_monitor.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/naemon_monitor.pp
@@ -100,10 +100,22 @@ class soc::naemon_monitor (
     # assume cert is in cosmos repo (overlay)
   }
   if $custom_shib {
-    file { '/opt/naemon_monitor/shibboleth2.xml':
-      ensure  => file,
-      content => template('soc/naemon_monitor/shibboleth2.xml.erb'),
-      mode    => '0444',
+    file {
+      '/opt/naemon_monitor/shibboleth2.xml':
+        ensure  => file,
+        content => template('soc/naemon_monitor/shibboleth2.xml.erb'),
+        mode    => '0444',
+        ;
+      '/opt/naemon_monitor/attribute-map.xml':
+        ensure  => file,
+        content => file('soc/naemon_monitor/attribute-map.xml'),
+        mode    => '0444',
+        ;
+      '/opt/naemon_monitor/attribute-policy.xml':
+        ensure  => file,
+        content => file('soc/naemon_monitor/attribute-policy.xml'),
+        mode    => '0444',
+        ;
     }
   }
 
diff --git a/global/overlay/etc/puppet/modules/soc/templates/naemon_monitor/docker-compose.yml.erb b/global/overlay/etc/puppet/modules/soc/templates/naemon_monitor/docker-compose.yml.erb
index cf33c6c..3013a2f 100644
--- a/global/overlay/etc/puppet/modules/soc/templates/naemon_monitor/docker-compose.yml.erb
+++ b/global/overlay/etc/puppet/modules/soc/templates/naemon_monitor/docker-compose.yml.erb
@@ -60,6 +60,8 @@ services:
       - '/opt/naemon_monitor/menu_local.conf:/etc/thruk/menu_local.conf'
 <%- if @custom_shib -%>
       - '/opt/naemon_monitor/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml:ro'
+      - '/opt/naemon_monitor/attribute-map.xml:/etc/shibboleth/attribute-map.xml:ro'
+      - '/opt/naemon_monitor/attribute-policy.xml:/etc/shibboleth/attribute-policy.xml:ro'
 <% end -%>
 <%- @thruk_extra_volumes.each do |extra_volume| -%>
       - "<%= extra_volume %>"