Add missing shib config
This commit is contained in:
parent
3332545dc8
commit
f3b9059f4f
6 changed files with 135 additions and 5 deletions
|
@ -50,5 +50,5 @@ monitor-dev.cert.sunet.se:
|
||||||
domain: monitor-dev.cert.sunet.se
|
domain: monitor-dev.cert.sunet.se
|
||||||
thruk_admins:
|
thruk_admins:
|
||||||
- bjorklund@sunet.se
|
- bjorklund@sunet.se
|
||||||
default_host_group: sunet::nagios:nrpe
|
default_host_group: sunet::nagios::nrpe
|
||||||
nrpe_group: sunet::nagios::nrpe
|
nrpe_group: sunet::nagios::nrpe
|
||||||
|
|
|
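--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE/attribute-map.xml
@@ -0,0 +1,22 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+<!--
+SWAMID standard attribute-map.xml for SAML 2.0
+==============================================
+The mappings are agreed to within the Shibboleth community or directly LDAP attribute names.
+
+Version: 2017-01-04
+
+REMEMBER to notify SWAMID saml-admins list when updating this file!
+-->
+
+<!-- eduPerson attributes until version 201310 -->
+<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+</Attribute>
+<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+
+<!-- Attribute to extract SWAMID Assurance Profiles -->
+<Attribute name="urn:oasis:names:tc:SAML:attribute:assurance-certification" id="Assurance-Certification"/>
+
+</Attributes>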
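Review bot: The header comment still presents this file as the `SWAMID standard attribute-map.xml for SAML 2.0` with `Version: 2017-01-04` and `REMEMBER to notify SWAMID saml-admins list when updating this file!`, but the body is a three-attribute local subset (eppn, assurance, Assurance-Certification), so a maintainer will either go looking for the rest of the standard map or believe a SWAMID list has to be notified about a local edit. Replace that header with a comment stating that this is a trimmed local copy for the naemon monitor SP, listing the attributes it deliberately decodes and the upstream version it was derived from. It is also worth one line noting that the attribute-policy.xml added in this commit carries rules for affiliation, subject-id, pairwise-id, targeted-id, persistent-id and schacHomeOrganization, none of which are mapped here, so those rules are inert until this map grows.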
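--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE/attribute-policy.xml
@@ -0,0 +1,82 @@
+<afp:AttributeFilterPolicyGroup
+xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
+xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
+xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
+xmlns:afp="urn:mace:shibboleth:2.0:afp"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+<!-- Shared rule for affiliation values. -->
+<afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
+<Rule xsi:type="AttributeValueString" value="faculty"/>
+<Rule xsi:type="AttributeValueString" value="student"/>
+<Rule xsi:type="AttributeValueString" value="staff"/>
+<Rule xsi:type="AttributeValueString" value="alum"/>
+<Rule xsi:type="AttributeValueString" value="member"/>
+<Rule xsi:type="AttributeValueString" value="affiliate"/>
+<Rule xsi:type="AttributeValueString" value="employee"/>
+<Rule xsi:type="AttributeValueString" value="library-walk-in"/>
+</afp:PermitValueRule>
+
+<!--
+Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
+an AttributeRule for each attribute you want to check.
+-->
+<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
+<Rule xsi:type="NOT">
+<Rule xsi:type="AttributeValueRegex" regex="@"/>
+</Rule>
+<Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
+</afp:PermitValueRule>
+
+<afp:AttributeFilterPolicy>
+<!-- This policy is in effect in all cases. -->
+<afp:PolicyRequirementRule xsi:type="ANY"/>
+
+<!-- Filter out undefined affiliations and ensure only one primary. -->
+<afp:AttributeRule attributeID="affiliation">
+<afp:PermitValueRule xsi:type="AND">
+<RuleReference ref="eduPersonAffiliationValues"/>
+<RuleReference ref="ScopingRules"/>
+</afp:PermitValueRule>
+</afp:AttributeRule>
+<afp:AttributeRule attributeID="unscoped-affiliation">
+<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+</afp:AttributeRule>
+<afp:AttributeRule attributeID="primary-affiliation">
+<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+</afp:AttributeRule>
+
+<afp:AttributeRule attributeID="subject-id">
+<afp:PermitValueRuleReference ref="ScopingRules"/>
+</afp:AttributeRule>
+
+<afp:AttributeRule attributeID="pairwise-id">
+<afp:PermitValueRuleReference ref="ScopingRules"/>
+</afp:AttributeRule>
+
+<afp:AttributeRule attributeID="eppn">
+<!-- Disabled scope check since the proxy does it for us and the proxies metadata doesn't include scopes from our customers.
+<afp:PermitValueRuleReference ref="ScopingRules"/>
+-->
+</afp:AttributeRule>
+
+<afp:AttributeRule attributeID="targeted-id">
+<afp:PermitValueRuleReference ref="ScopingRules"/>
+</afp:AttributeRule>
+
+<!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->
+<afp:AttributeRule attributeID="persistent-id">
+<afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
+</afp:AttributeRule>
+
+<!-- Enforce that the values of schacHomeOrganization are a valid Scope. -->
+<afp:AttributeRule attributeID="schacHomeOrganization">
+<afp:PermitValueRule xsi:type="saml:AttributeValueMatchesShibMDScope" />
+</afp:AttributeRule>
+
+<!-- Catch-all that passes everything else through unmolested. -->
+<afp:AttributeRule attributeID="*" permitAny="true"/>
+
+</afp:AttributeFilterPolicy>
+
+</afp:AttributeFilterPolicyGroup>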
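Review bot: The `eppn` AttributeRule is left with its only PermitValueRuleReference commented out, so whether eppn is passed through untouched or stripped depends on how the SP treats an AttributeRule that has neither a value rule nor permitAny; since the comment says the intent is to skip the scope check, state that explicitly with `<afp:AttributeRule attributeID="eppn" permitAny="true"/>` and keep the explanatory comment next to it, matching the catch-all rule at the end of the file. With that scope check gone and `<afp:PolicyRequirementRule xsi:type="ANY"/>` applying to every issuer, the guarantee that an eppn's scope is genuine rests entirely on the proxy named in the comment; if that proxy is the only IdP this SP should accept, replace ANY with `<afp:PolicyRequirementRule xsi:type="AttributeIssuerString" value="PROXY-ENTITY-ID-PLACEHOLDER"/>` (the real entityID is not shown on this page) so that another entity in the loaded metadata cannot have its attributes released under this policy. Note also that the rules for affiliation, subject-id, pairwise-id, targeted-id, persistent-id and schacHomeOrganization only act on attribute IDs that attribute-map.xml decodes, and the map added in this commit decodes just eppn, assurance and Assurance-Certification.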
File diff suppressed because one or more lines are too long
|
@ -100,10 +100,22 @@ class soc::naemon_monitor (
|
||||||
# assume cert is in cosmos repo (overlay)
|
# assume cert is in cosmos repo (overlay)
|
||||||
}
|
}
|
||||||
if $custom_shib {
|
if $custom_shib {
|
||||||
file { '/opt/naemon_monitor/shibboleth2.xml':
|
file {
|
||||||
ensure => file,
|
'/opt/naemon_monitor/shibboleth2.xml':
|
||||||
content => template('soc/naemon_monitor/shibboleth2.xml.erb'),
|
ensure => file,
|
||||||
mode => '0444',
|
content => template('soc/naemon_monitor/shibboleth2.xml.erb'),
|
||||||
|
mode => '0444',
|
||||||
|
;
|
||||||
|
'/opt/naemon_monitor/attribute-map.xml':
|
||||||
|
ensure => file,
|
||||||
|
content => file('soc/naemon_monitor/attribute-map.xml'),
|
||||||
|
mode => '0444',
|
||||||
|
;
|
||||||
|
'/opt/naemon_monitor/attribute-policy.xml':
|
||||||
|
ensure => file,
|
||||||
|
content => file('soc/naemon_monitor/attribute-policy.xml'),
|
||||||
|
mode => '0444',
|
||||||
|
;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
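Review bot: None of the three file resources in the new multi-resource `file {` block has a notify or subscribe relationship, so an updated attribute-policy.xml or attribute-map.xml lands on the host but the running container keeps the version it started with; the compose template in this commit bind-mounts each as a single file, and Puppet normally replaces a managed file rather than rewriting it in place, so even a shibd that watches for changes would not see the new content until the container is recreated. Add `notify` pointing at whatever resource restarts the naemon_monitor compose service (not visible in this hunk) so a tightened policy actually takes effect. The enclosing `class soc::naemon_monitor (` and the `if $custom_shib {` block's surrounding context begin before this hunk.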
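--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -60,6 +60,8 @@ services:
 - '/opt/naemon_monitor/menu_local.conf:/etc/thruk/menu_local.conf'
 <%- if @custom_shib -%>
 - '/opt/naemon_monitor/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml:ro'
+- '/opt/naemon_monitor/attribute-map.xml:/etc/shibboleth/attribute-map.xml:ro'
+- '/opt/naemon_monitor/attribute-policy.xml:/etc/shibboleth/attribute-policy.xml:ro'
 <% end -%>
 <%- @thruk_extra_volumes.each do |extra_volume| -%>
 - "<%= extra_volume %>"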