shibboleths_lil_helper 1.0.0
- data/Gemfile +16 -0
- data/Gemfile.lock +36 -0
- data/LICENSE.txt +20 -0
- data/README.markdown +199 -0
- data/Rakefile +54 -0
- data/TODOS.txt +15 -0
- data/VERSION +1 -0
- data/bin/slh +9 -0
- data/doc/debugging_shibboleth.markdown +8 -0
- data/doc/deprecated_code_that_could_be_useful.rb +32 -0
- data/doc/for_slh_developers.markdown +38 -0
- data/doc/nuances.markdown +13 -0
- data/doc/technical_question_and_answer.markdown +85 -0
- data/lib/shibboleths_lil_helper.rb +9 -0
- data/lib/slh.rb +17 -0
- data/lib/slh/class_methods.rb +83 -0
- data/lib/slh/cli.rb +140 -0
- data/lib/slh/cli/command_base.rb +32 -0
- data/lib/slh/cli/compare_metadata.rb +53 -0
- data/lib/slh/cli/copy_templates_to_override.rb +12 -0
- data/lib/slh/cli/describe_config.rb +75 -0
- data/lib/slh/cli/fetch_metadata.rb +27 -0
- data/lib/slh/cli/generate.rb +20 -0
- data/lib/slh/cli/generate_capistrano_deploy.rb +35 -0
- data/lib/slh/cli/generate_metadata.rb +53 -0
- data/lib/slh/cli/host_filterable_base.rb +16 -0
- data/lib/slh/cli/initialize.rb +30 -0
- data/lib/slh/cli/verify_metadata_encryption.rb +25 -0
- data/lib/slh/models/base.rb +23 -0
- data/lib/slh/models/host.rb +55 -0
- data/lib/slh/models/site.rb +139 -0
- data/lib/slh/models/site_path.rb +17 -0
- data/lib/slh/models/strategy.rb +131 -0
- data/lib/slh/models/version.rb +4 -0
- data/lib/slh/templates/_application_details.erb +33 -0
- data/lib/slh/templates/config.rb.erb +33 -0
- data/lib/slh/templates/deploy.rb.erb +42 -0
- data/lib/slh/templates/shib_apache.conf.erb +24 -0
- data/lib/slh/templates/shibboleth2.xml.erb +44 -0
- data/lib/slh/templates/sp_metadata_for_entity_id_to_give_to_idp.xml.erb +40 -0
- data/lib/slh/templates/sp_metadata_for_host_to_give_to_idp.xml.erb +33 -0
- data/shibboleths_lil_helper.gemspec +111 -0
- data/test/fixtures/dummy1.rb +15 -0
- data/test/fixtures/dummy1_output/attribute-map.xml +5 -0
- data/test/fixtures/dummy1_output/shib_for_vhost.conf +15 -0
- data/test/fixtures/dummy1_output/shibboleth2.xml +27 -0
- data/test/helper.rb +18 -0
- data/test/test_shibboleths_lil_helper.rb +105 -0
- metadata +211 -0
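--- a/data/lib/slh/models/site_path.rb
+++ b/data/lib/slh/models/site_path.rb
@@ -0,0 +1,17 @@
+class Slh::Models::SitePath < Slh::Models::Base
+attr_reader :name, :parent_site
+attr_accessor :flavor,
+:specific_users # for usage when the flavor is :authentication_required_for_specific_users
+def initialize(site_path,parent_site,&block)
+@parent_site = parent_site
+if site_path.match(/^\/.+/)
+raise "Invalid site path: #{site_path}, leading slashes are NOT allowed except when protecting an entire site"
+end
+@name = site_path
+@flavor = :authentication_required
+@specific_users = []
+if block_given?
+self.instance_eval(&block)
+end
+end
+end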
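Review bot: The guard in `initialize` anchors with `^`, which in Ruby matches at the start of any line, so `\A` is the whole-string anchor meant here: `if site_path.match(/\A\/.+/)`. The error raised is a bare RuntimeError while Strategy in the same gem defines `KeyOriginatorNotSpecified`; a named error class would let the CLI tell a configuration mistake from a bug. `flavor` accepts any value via `set` and the trailing comment on `:specific_users` is the only hint of the valid set, so a comment listing the three values used elsewhere on this page (`:authentication_required`, `:authentication_optional`, `:authentication_required_for_specific_users`) would help.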
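--- a/data/lib/slh/models/strategy.rb
+++ b/data/lib/slh/models/strategy.rb
@@ -0,0 +1,131 @@
+class Slh::Models::Strategy < Slh::Models::Base
+class KeyOriginatorNotSpecified < Exception; end
+
+##########################
+# CORE API METHODS BEGIN #
+##########################
+def for_apache_host(host_name,&block)
+@hosts << Slh::Models::Host.new(host_name, self, &block)
+end
+
+def for_iis_host(host_name, &block)
+t=Slh::Models::Host.new(host_name, self, &block)
+t.host_type = :iis
+@hosts << t
+end
+########################
+# CORE API METHODS END #
+########################
+
+attr_reader :name, :hosts
+attr_accessor :sp_entity_id, :idp_metadata_url, :error_support_contact
+VALID_CONFIG_FILES = %w(shibboleth2.xml idp_metadata.xml shib_apache.conf)
+def initialize(strategy_name, &block)
+@name = strategy_name
+@hosts = []
+if block_given?
+self.instance_eval(&block)
+end
+
+# The following are checks to ensure required "set" commands are done to set required values
+if self.sp_entity_id.nil?
+raise "All strategies must specify an entity ID"
+end
+if self.idp_metadata_url.nil?
+raise "All strategies must specify an IDP metadata URL"
+end
+if self.error_support_contact.nil?
+self.error_support_contact = "administrator"
+end
+end
+
+def idp_metadata
+if @idp_metadata.blank?
+url= URI.parse(self.idp_metadata_url)
+@http = Net::HTTP.new(url.host, url.port)
+@http.use_ssl = true
+@http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+@http.open_timeout = 60
+@http.read_timeout = 60
+@idp_metadata_url_response = @http.get(url.path)
+case @idp_metadata_url_response
+when Net::HTTPSuccess
+@idp_metadata = @idp_metadata_url_response.body
+else
+raise "Got a non-200 http status code from #{self.idp_metadata_url}"
+end
+end
+@idp_metadata
+end
+
+# Parse it from the idp_metadata
+def idp_entity_id
+if @idp_entity_id.blank?
+doc=Nokogiri::XML(self.idp_metadata)
+doc.remove_namespaces!
+element=doc.at('//EntityDescriptor')
+attr = element.attribute_nodes.detect {|pp| pp.name == 'entityID'}
+if attr.blank?
+raise "hopefully not a bug in the XML parsing logic...Could not extract entityID from idp_metadata: #{self.idp_metadata}"
+end
+@idp_entity_id = attr.to_s
+end
+@idp_entity_id
+end
+
+def config_dir
+File.join(Slh.config_dir,'generated',self.name.to_s)
+end
+
+
+def config_file_path(file_base_name,host,site=nil)
+if site.nil?
+File.join(host.config_dir,file_base_name)
+else
+File.join(site.config_dir,file_base_name)
+end
+end
+
+def generate_config_file_content(file_base_name,host,site=nil)
+# to be referenced in erb templates below
+@strategy = self
+@host = host
+@site = site
+case file_base_name
+when 'idp_metadata.xml'
+self.idp_metadata
+else
+ERB.new(self.config_template_content(file_base_name)).result(binding)
+end
+end
+
+def config_template_file_path(file_base_name)
+overridden = File.join(Slh.config_dir,'templates',"#{file_base_name}.erb")
+if File.exists?(overridden)
+template_file_path = overridden
+else
+template_file_path = File.join(File.dirname(__FILE__), '..', 'templates',"#{file_base_name}.erb")
+end
+
+if File.exists?(template_file_path)
+template_file_path
+else
+raise "#{template_file_path} does not exist"
+end
+end
+
+def config_template_content(file_base_name)
+File.read(self.config_template_file_path(file_base_name))
+end
+
+def key_originator_site
+self.hosts.each do |host|
+host.sites.each do |site|
+if site.is_key_originator
+return site
+end
+end
+end
+raise KeyOriginatorNotSpecified.new("You must specify set :is_key_originator, true, on at least one site in a strategy")
+end
+end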
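Review bot: `@http.verify_mode = OpenSSL::SSL::VERIFY_NONE` in `idp_metadata` turns off TLS certificate verification for the one document that tells the SP which IdP entityID and signing keys to trust, so anyone who can interpose on the fetch can hand the generator substitute metadata and every host built from this strategy will trust the wrong IdP. Remove the line or set `@http.verify_mode = OpenSSL::SSL::VERIFY_PEER` and let the fetch fail loudly when the chain does not validate; if a private CA is in play, point `ca_file` at it rather than disabling checks. In the same method `use_ssl = true` is set regardless of the URL scheme and `@http.get(url.path)` drops any query string, so `@http.get(url.request_uri)` is the safer call. `KeyOriginatorNotSpecified < Exception` should inherit from `StandardError` so a plain `rescue` in the CLI can catch it, and `File.exists?` is the deprecated spelling of `File.exist?`.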
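--- a/data/lib/slh/templates/_application_details.erb
+++ b/data/lib/slh/templates/_application_details.erb
@@ -0,0 +1,33 @@
+<Sessions lifetime="28800" timeout="3600" checkAddress="true" relayState="ss:mem" handlerSSL="false" idpHistory="false">
+<SSO entityID="<%= @strategy.idp_entity_id %>">
+SAML2 SAML1
+</SSO>
+<Logout>SAML2 Local</Logout>
+
+<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+<Handler type="Status" Location="/Status" />
+<Handler type="Session" Location="/Session" showAttributeValues="false"/>
+<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+</Sessions>
+<Errors supportContact="<%= @strategy.error_support_contact %>" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
+<MetadataProvider type="XML" file="<%= @host.prefixed_filepath_for("idp_metadata.xml") %>" />
+<AttributeExtractor type="XML" validate="true" path="<%= @host.prefixed_filepath_for("attribute-map.xml") %>"/>
+<AttributeResolver type="Query" subjectMatch="true"/>
+<AttributeFilter type="XML" validate="true" path="<%= @host.prefixed_filepath_for("attribute-policy.xml") %>"/>
+<CredentialResolver type="File">
+<Certificate>
+<Path><%= @host.prefixed_filepath_for("sp-cert.pem") %></Path>
+</Certificate>
+<Key>
+<Path><%= @host.prefixed_filepath_for("sp-key.pem") %></Path>
+<!--
+This key alias is used by Shibbleth's lil' Helper to
+determine whether or not a generated SP metadata is
+up-to-date. It is NOT used by anything Shibboleth.
+-->
+<Name><%= Slh::Models::Version::VERSION %></Name>
+</Key>
+</CredentialResolver>
+
+
+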
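Review bot: `handlerSSL="false"` on `<Sessions>` lets the handler endpoints (Login, the SAML2/POST consumer, Session) answer over plain HTTP, while the SP metadata templates on this page advertise only https locations built from `site.to_https_prefixed_name`; for an HTTPS-only SP, `handlerSSL="true"` together with `cookieProps="https"` keeps the handlers and the session cookie on TLS. The `Status` handler is emitted without an `acl`, whereas the stock shibboleth2.xml restricts it with `acl="127.0.0.1 ::1"` because it reveals configuration detail. `checkAddress="true"` can invalidate sessions for clients whose source address changes mid-session (mobile, NAT pools), so a one-line comment saying the choice is deliberate would help the operator who later has to debug it.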
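--- a/data/lib/slh/templates/config.rb.erb
+++ b/data/lib/slh/templates/config.rb.erb
@@ -0,0 +1,33 @@
+Slh.for_strategy :test_idp do
+set :sp_entity_id, 'YOUR_ENTITY_ID'
+set :idp_metadata_url, 'YOUR_IDP_METADATA_URL'
+set :error_support_contact, 'YOUR_ERROR_SUPPORT_EMAIL_ADDRESS'
+
+for_apache_host 'SOMEHOSTNAME.COM' do
+# UNCOMMENT THIS IF YOUR SHIB STUFF LIVES IN A NON-STANDARD LOCATION
+# set :shib_prefix, '/swadm/etc/shibboleth'
+for_site 'SOMESITENAME1.COM' do
+protect 'SOME_PATH_YOU_WANT_TO_REQUIRE_AUTH'
+end
+for_site 'SOMESITENAME2.COM' do
+protect 'SOME_PATH_YOU_WANT_OPTIONAL_AUTH' do
+set :flavor, :authentication_optional
+end
+end
+for_site 'SOMESITENAME3.COM' do
+protect 'SOME_PATH_YOU_WANT_TO_RESTRICTED_TO_PARTICULAR_USERS' do
+set :flavor, :authentication_required_for_specific_users
+set :specific_users, %w(SOMEUSER@SOME.DOMAIN.COM ANOTHERUSER@SOME.DOMAIN.COM)
+end
+end
+end
+for_iis_host 'SOMEIISHOSTNAME.COM' do
+for_site 'SOMEIISSITENAME1.COM' do
+set :site_id, "YOU_MUST_SET_THE_SITE_ID_HERE"
+protect 'SOME_PATH_YOU_WANT_TO_REQUIRE_AUTH'
+end
+end
+end
+Slh.clone_strategy_for_new_idp :test_idp,
+:production_idp,
+'THE_PRODUCTION_IDP_METADATA_URL'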
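Review bot: The `protect` placeholders do not show what shape of path the model accepts, and `SitePath#initialize` in this same gem raises on a leading slash, so a comment above the first `protect` such as `# paths are relative to the site root: protect 'secure', not '/secure'` would save the first generate run from failing. The IIS example's `set :site_id` placeholder could likewise state that the value is the IIS site identifier that shibboleth2.xml.erb writes into `<Site id="..." name="..."/>`, since that is where a wrong value shows up. The `Slh.clone_strategy_for_new_idp` call at the end is the only place a second IdP appears; a comment noting that the cloned strategy keeps the same `sp_entity_id` and hosts and differs only in the metadata URL, if that is indeed its contract, would make the example self-explanatory.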
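--- a/data/lib/slh/templates/deploy.rb.erb
+++ b/data/lib/slh/templates/deploy.rb.erb
@@ -0,0 +1,42 @@
+# About
+# =====
+# This file is an EXAMPLE you might find handy if you are using capistrano for deployment
+# Make sure to replace "TODO" with stuff that reflects your environment
+#
+set :application, "shibboleth_deployer"
+set :repository, "TODO: add your repo url here"
+
+# defaults
+set :use_sudo, false
+set :scm, :git
+# set :git_enable_submodules, 1
+
+# override this if you want your deployed files to be owned by a different group (or blank if not at all)
+set :deploy_group, "deploy"
+
+set :host, ENV['HOST']
+role :db, host, :primary => true
+role :web, host
+role :app, host
+
+
+set :deploy_to, "TODO: SPECIFY WHERE YOUR FILES ARE GOING"
+after 'deploy', 'deploy:restart_shibd'
+namespace :deploy do
+# Override defaults
+task :start do ; end
+task :stop do ; end
+task :restart do ; end
+task :finalize_update do ; end # does crap with stylesheets & javascripts dirs
+
+desc "Restarts shibd"
+task :restart_shibd, :roles => :web do
+sudo "/etc/init.d/shibd restart"
+sudo "/etc/init.d/httpd restart"
+end
+end
+
+after 'deploy:update_code' do
+# Add custom symlinks here
+end
+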
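Review bot: `set :host, ENV['HOST']` quietly evaluates to `nil` when the variable is unset, and the three `role` lines then register a nil server, which surfaces later as an obscure connection error; `set :host, ENV.fetch('HOST')` fails fast with a clear message. The `restart_shibd` task calls `sudo` for `/etc/init.d/shibd restart` and `/etc/init.d/httpd restart` even though `use_sudo` is false, so the deploy user needs a sudoers entry; a comment above the task stating that the entry should be limited to exactly those two commands documents the least-privilege expectation instead of inviting a blanket grant.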
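--- a/data/lib/slh/templates/shib_apache.conf.erb
+++ b/data/lib/slh/templates/shib_apache.conf.erb
@@ -0,0 +1,24 @@
+# Shibboleth Apache Global configuration
+UseCanonicalName On
+
+<% unless @host.shib_prefix.nil? %>
+ShibConfig <%= File.join(@host.shib_prefix, 'shibboleth2.xml') %>
+<% end %>
+
+LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_22.so
+
+<IfModule mod_alias.c>
+<Location /shibboleth-sp>
+Allow from all
+</Location>
+Alias /shibboleth-sp/main.css /usr/share/doc/shibboleth-2.4.3/main.css
+Alias /shibboleth-sp/logo.jpg /usr/share/doc/shibboleth-2.4.3/logo.jpg
+</IfModule>
+
+# Enable shibboleth for all vhosts, does NOT require auth anywhere
+# just makes it possible.
+# Specific auth requirements are make in the <RequestMap> in shibboleth2.xml
+<Location />
+AuthType shibboleth
+Require shibboleth
+</Location>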
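Review bot: The module and asset paths are hard-coded for one platform (`/usr/lib64/shibboleth/mod_shib_22.so`, `/usr/share/doc/shibboleth-2.4.3/...`) and `Allow from all` is Apache 2.2 syntax, so the template renders a working config only for the RHEL 5 RPM named in the shibboleth2.xml.erb header and breaks silently elsewhere. Exposing them as host settings alongside `shib_prefix`, or at minimum a leading comment stating the Apache and Shibboleth versions assumed, would make the constraint visible to operators. The closing comment also has a typo: `are make in` should read `are made in`.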
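--- a/data/lib/slh/templates/shibboleth2.xml.erb
+++ b/data/lib/slh/templates/shibboleth2.xml.erb
@@ -0,0 +1,44 @@
+<!--
+DO NOT MODIFY!
+Auto-generated on <%= Time.now.to_s %> by Shibboleth's Lil Helper:
+https://github.com/joegoggins/shibboleths_lil_helper
+Changes should not be made directly to this file. Instead, modify your slh config.rb file, re-generate, and re-deploy
+This template was originally created by taking the default /etc/shibboleth/shibboleth2.xml and modifying/templating it
+to accommodate multiple vhosts (for both IIS and Apache) for the shibboleth-2.4.3-2.1.el5 RPM on RHEL 5
+-->
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+clockSkew="180">
+<% if @host.host_type == :iis %>
+<InProcess logger="<%= @host.prefixed_filepath_for("native.logger") %>">
+<ISAPI normalizeRequest="true" safeHeaderNames="true">
+<% @host.sites.each do |site| %>
+<Site id="<%= site.site_id %>" name="<%= site.name %>"/>
+<% end %>
+</ISAPI>
+</InProcess>
+<% else %>
+<OutOfProcess logger="<%= @host.prefixed_filepath_for("shibd.logger") %>" />
+<InProcess logger="<%= @host.prefixed_filepath_for("native.logger") %>" />
+<% end %>
+<RequestMapper type="Native">
+<RequestMap>
+<% @host.sites.each do |site| %>
+<%= site.to_auth_request_map_directive %>
+<% end %>
+</RequestMap>
+</RequestMapper>
+<ApplicationDefaults entityID="<%= @strategy.sp_entity_id %>" REMOTE_USER="eppn mail">
+<%= @strategy.generate_config_file_content('_application_details', @host) %>
+<% @host.sites.each do |site| %>
+<ApplicationOverride id="<%= site.name %>" homeURL="<%= site.to_https_prefixed_name %>">
+<%= @strategy.generate_config_file_content('_application_details', @host) %>
+</ApplicationOverride>
+<% end %>
+</ApplicationDefaults>
+<SecurityPolicyProvider type="XML" validate="true" path="<%= @host.prefixed_filepath_for("security-policy.xml") %>"/>
+<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="<%= @host.prefixed_filepath_for("protocols.xml") %>"/>
+</SPConfig>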
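Review bot: Both `generate_config_file_content('_application_details', @host)` calls omit the `site` argument, so `@site` is nil inside the partial and every `<ApplicationOverride>` body is byte-identical to the `<ApplicationDefaults>` body above it (the partial on this page reads only `@strategy` and `@host`); passing the loop variable in the override, `generate_config_file_content('_application_details', @host, site)`, would let the partial vary per site, or the override bodies can be dropped if inheriting the defaults is the intent. ERB `<%= %>` performs no XML escaping, so a `sp_entity_id`, `site.name` or `error_support_contact` containing `&` or `"` yields malformed XML; either wrap attribute values in `CGI.escapeHTML` or add a comment stating these values are trusted operator input from config.rb. Note also that `generate_config_file_content` reassigns `@strategy`/`@host`/`@site` on the strategy object, so the nested calls overwrite those ivars while the outer render is still in progress; it appears harmless here because the same host is passed, but it deserves a comment.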
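--- a/data/lib/slh/templates/sp_metadata_for_entity_id_to_give_to_idp.xml.erb
+++ b/data/lib/slh/templates/sp_metadata_for_entity_id_to_give_to_idp.xml.erb
@@ -0,0 +1,40 @@
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="<%= Slh::Models::Version::VERSION %>" entityID="<%= @strategy.sp_entity_id %>">
+<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
+<md:Extensions>
+<% @matching_hosts.each do |host| %>
+<!-- BEGIN host <%= host.name %> -->
+<% host.sites.each do |site| %>
+<init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/Login"/>
+<% end %>
+<!-- END host <%= host.name %> -->
+<% end %>
+</md:Extensions>
+<md:KeyDescriptor>
+<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:KeyName>IGNORED</ds:KeyName>
+<ds:X509Data>
+<ds:X509SubjectName>IGNORED</ds:X509SubjectName>
+<ds:X509Certificate><%= @strategy.key_originator_site.x509_certificate_string %></ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</md:KeyDescriptor>
+<% @matching_hosts.each do |host| %>
+<!-- BEGIN host <%= host.name %> -->
+
+<% host.sites.each do |site| %>
+<!-- BEGIN site <%= site.name %> -->
+<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/Artifact/SOAP" index="0"/>
+<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML2/POST" index="0"/>
+<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML2/POST-SimpleSign" index="1"/>
+<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML2/Artifact" index="2"/>
+<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML2/ECP" index="3"/>
+<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML/POST" index="4"/>
+<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML/Artifact" index="5"/>
+<!-- END site <%= site.name %> -->
+<% end %>
+<!-- END host <%= host.name %> -->
+<% end %>
+</md:SPSSODescriptor>
+</md:EntityDescriptor>
+
+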
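Review bot: Every site emits `AssertionConsumerService` entries with `index="0"` through `index="5"` (and an `ArtifactResolutionService` with `index="0"`), so as soon as `@matching_hosts` yields more than one site the same index is repeated inside a single `SPSSODescriptor`; SAML metadata requires the index to be unique among indexed endpoints of the same type, and an IdP that honours an `AssertionConsumerServiceIndex` will resolve it to the first match rather than the requesting site. A counter declared before the host loop and incremented on each endpoint line (e.g. `<% acs_index = 0 %>` once, then `index="<%= acs_index += 1 %>"` on each `AssertionConsumerService`, with a separate counter for the artifact endpoints) fixes it; the same pattern and defect is in sp_metadata_for_host_to_give_to_idp.xml.erb, which loops over `@host.sites`. The `ID` attribute is `Slh::Models::Version::VERSION`, which appears to be the gem version string (`1.0.0` in the gemspec); an xs:ID must be an NCName and cannot begin with a digit, so schema-validating consumers will reject the document — a letter prefix such as `ID="slh-<%= Slh::Models::Version::VERSION %>"` avoids that, though dots in an NCName are fine.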
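--- a/data/lib/slh/templates/sp_metadata_for_host_to_give_to_idp.xml.erb
+++ b/data/lib/slh/templates/sp_metadata_for_host_to_give_to_idp.xml.erb
@@ -0,0 +1,33 @@
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="<%= Slh::Models::Version::VERSION %>" entityID="<%= @strategy.sp_entity_id %>">
+
+<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
+<md:Extensions>
+<% @host.sites.each do |site| %>
+<init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/Login"/>
+<% end %>
+</md:Extensions>
+<md:KeyDescriptor>
+<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:KeyName><%= @host.name %></ds:KeyName>
+<ds:X509Data>
+<ds:X509SubjectName>CN=<%= @host.name %></ds:X509SubjectName>
+<ds:X509Certificate><%= @first_site_for_host.x509_certificate_string %></ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</md:KeyDescriptor>
+
+<% @host.sites.each do |site| %>
+<!-- BEGIN <%= site.name %> -->
+<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/Artifact/SOAP" index="0"/>
+<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML2/POST" index="0"/>
+<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML2/POST-SimpleSign" index="1"/>
+<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML2/Artifact" index="2"/>
+<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML2/ECP" index="3"/>
+<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML/POST" index="4"/>
+<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML/Artifact" index="5"/>
+<!-- END <%= site.name %> -->
+<% end %>
+</md:SPSSODescriptor>
+</md:EntityDescriptor>
+
+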
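--- a/data/shibboleths_lil_helper.gemspec
+++ b/data/shibboleths_lil_helper.gemspec
@@ -0,0 +1,111 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+s.name = %q{shibboleths_lil_helper}
+s.version = "1.0.0"
+
+s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+s.authors = ["Joe Goggins"]
+s.date = %q{2011-11-01}
+s.default_executable = %q{slh}
+s.description = %q{See the summary text.}
+s.email = %q{goggins@umn.edu}
+s.executables = ["slh"]
+s.extra_rdoc_files = [
+"LICENSE.txt",
+"README.markdown"
+]
+s.files = [
+"Gemfile",
+"Gemfile.lock",
+"LICENSE.txt",
+"README.markdown",
+"Rakefile",
+"TODOS.txt",
+"VERSION",
+"bin/slh",
+"doc/debugging_shibboleth.markdown",
+"doc/deprecated_code_that_could_be_useful.rb",
+"doc/for_slh_developers.markdown",
+"doc/nuances.markdown",
+"doc/technical_question_and_answer.markdown",
+"lib/shibboleths_lil_helper.rb",
+"lib/slh.rb",
+"lib/slh/class_methods.rb",
+"lib/slh/cli.rb",
+"lib/slh/cli/command_base.rb",
+"lib/slh/cli/compare_metadata.rb",
+"lib/slh/cli/copy_templates_to_override.rb",
+"lib/slh/cli/describe_config.rb",
+"lib/slh/cli/fetch_metadata.rb",
+"lib/slh/cli/generate.rb",
+"lib/slh/cli/generate_capistrano_deploy.rb",
+"lib/slh/cli/generate_metadata.rb",
+"lib/slh/cli/host_filterable_base.rb",
+"lib/slh/cli/initialize.rb",
+"lib/slh/cli/verify_metadata_encryption.rb",
+"lib/slh/models/base.rb",
+"lib/slh/models/host.rb",
+"lib/slh/models/site.rb",
+"lib/slh/models/site_path.rb",
+"lib/slh/models/strategy.rb",
+"lib/slh/models/version.rb",
+"lib/slh/templates/_application_details.erb",
+"lib/slh/templates/config.rb.erb",
+"lib/slh/templates/deploy.rb.erb",
+"lib/slh/templates/shib_apache.conf.erb",
+"lib/slh/templates/shibboleth2.xml.erb",
+"lib/slh/templates/sp_metadata_for_entity_id_to_give_to_idp.xml.erb",
+"lib/slh/templates/sp_metadata_for_host_to_give_to_idp.xml.erb",
+"shibboleths_lil_helper.gemspec",
+"test/fixtures/dummy1.rb",
+"test/fixtures/dummy1_output/attribute-map.xml",
+"test/fixtures/dummy1_output/shib_for_vhost.conf",
+"test/fixtures/dummy1_output/shibboleth2.xml",
+"test/helper.rb",
+"test/test_shibboleths_lil_helper.rb"
+]
+s.homepage = %q{http://github.com/joegoggins/shibboleths_lil_helper}
+s.licenses = ["MIT"]
+s.require_paths = ["lib"]
+s.rubygems_version = %q{1.3.6}
+s.summary = %q{A ruby gem to streamline the setup, deployment, and ongoing management of Apache & IIS web-servers running the Shibboleth Native Service Provider implementations.}
+
+if s.respond_to? :specification_version then
+current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+s.specification_version = 3
+
+if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+s.add_runtime_dependency(%q<activesupport>, ["~> 3.0.9"])
+s.add_runtime_dependency(%q<nokogiri>, [">= 0"])
+s.add_runtime_dependency(%q<i18n>, [">= 0"])
+s.add_development_dependency(%q<shoulda>, [">= 0"])
+s.add_development_dependency(%q<bundler>, ["~> 1.0.0"])
+s.add_development_dependency(%q<jeweler>, ["~> 1.6.4"])
+s.add_development_dependency(%q<rcov>, [">= 0"])
+s.add_development_dependency(%q<ruby-debug>, [">= 0"])
+else
+s.add_dependency(%q<activesupport>, ["~> 3.0.9"])
+s.add_dependency(%q<nokogiri>, [">= 0"])
+s.add_dependency(%q<i18n>, [">= 0"])
+s.add_dependency(%q<shoulda>, [">= 0"])
+s.add_dependency(%q<bundler>, ["~> 1.0.0"])
+s.add_dependency(%q<jeweler>, ["~> 1.6.4"])
+s.add_dependency(%q<rcov>, [">= 0"])
+s.add_dependency(%q<ruby-debug>, [">= 0"])
+end
+else
+s.add_dependency(%q<activesupport>, ["~> 3.0.9"])
+s.add_dependency(%q<nokogiri>, [">= 0"])
+s.add_dependency(%q<i18n>, [">= 0"])
+s.add_dependency(%q<shoulda>, [">= 0"])
+s.add_dependency(%q<bundler>, ["~> 1.0.0"])
+s.add_dependency(%q<jeweler>, ["~> 1.6.4"])
+s.add_dependency(%q<rcov>, [">= 0"])
+s.add_dependency(%q<ruby-debug>, [">= 0"])
+end
+end
+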