shibboleths_lil_helper 1.0.8 → 1.0.9

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2011 University of Minnesota
+Copyright (c) 2012 Regents of University of Minnesota
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.markdown

@@ -2,45 +2,30 @@ About
 =====
 Shibboleth's Lil Helper (slh) is a tool that automates the generation of Apache/IIS Shibboleth Native Service Provider configuration & metadata files.  It provides several benefits over manually configuring each NativeSp instance/server by:
 
-* __Providing a consistent configuration approach__ applied uniformly across all servers in your organization.
+* __Providing a consistent configuration approach__ applied uniformly across all servers in your organization via one easy-to-read config file describing shib config across X web servers (IIS and Apache), Y sites, and Z directory paths.
 
-* __Providing conceptually simple linear process__ that distills the main steps associated with Shibboleth integration.
-
-* __Verifying metadata consistency__ across sites & hosts associated with particular Shibboletht SP entity_id.
+* __Providing conceptually simple linear process__ that distills the main steps associated with Shibboleth integration.  
+  1. initialize a config.rb file
+  2. edit slh config.rb file
+  3. generate shib2.xml (and deploy to web server hosts)
+  4. verify sp metadata correctness
+  5. generate metadata
+  6. send metadata to idp
+  7. verify all is well
 
 * __Dividing high level auth specs from actual NativeSp configuration__
   * Programmers can focus on high level goals like "protect files underneath the '/secure' directory on 'somewebsite.com'" rather than grappeling with the bewildering complexity of the NativeSp's interrelated XML files, the Shibboleth protocal, SAML, etc.
 
-Staying up-to-date
-------------------
-__This code is under active development__.
-
-* Create a Github issue to report problems you might be having with the
-  tool.
-* See CHANGLOG.markdown for the changes associated with each gem release
-* See TODOS.markdown for changes that we're thinking about
-  incorporating.  Send me (Joe) a message on Github (joegoggins) or email
-  if you have other things you are thinking of.
-* Use `gem update shibboleths_lil_helper` to get the most current version.
-
-Why another tool?
------------------
-We needed something that could help manage shibboleth SP
-configuration consistently with minimal manual work for:
-
-* Many web servers
-  * each running iis6, iis7, or Apache 2.2
-  * each hosting many vhosts (aka sites)
-  * each running PHP, Rails 2 + 3, classic ASP, or .NET
-  * each running the Apache/IIS Native Service Provider
 
 Assumptions
 -----------
-* __shibboleth-2.4.3 is installed on your target hosts__.  Versions greater than this should
-  work too, but have not been tested.
-* Each host integrates with a single Identity Provider, not multiple.
+* __shibboleth-2.4.3 is installed on your target hosts__.
+  Versions greater than this should work too, but have not been tested.
+* Each web server host integrates with a single Identity Provider, not multiple.
+* All sites on a particular web server host use the same Service
+  Provider Entity ID.
 * (for Apache) The Shibboleth apache module is loaded globally for all
-  vHosts.  (This doesn't mean that it requires auth globally--just available).
+  vHosts.  (This doesn't mean that it requires auth globally--just available, see lib/slh/templates/shib_apache.conf.erb for what this looks like).
 
 Installation
 ------------
@@ -53,19 +38,21 @@ Installation
   * Then type `slh` -- this provides more detailed/actionable
     documentation
 
-* Via Git: (requires bundler gem)
+* Via Git: (for developers/contributors)
   * this is how developers/contributors should install the tool
-  * `git clone ...git://thisrepo... slh`
+  * `git clone ...git://thisrepo_or_a_fork... slh`
   * `cd slh`
   * `bundle install`
   * then add a symlink to bin/slh (something like below)
-    * `ln -s bin/slh ~/slh`
-  * make sure the slh binary is the right one (not a gem one)
-    * `which slh`
+    * `ln -s bin/slh ~/slh_local`
+  * run commands on your test config.rb with `slh_local generate` or
+    `slh_local generate_metadata`, etc
 
 * Install notes:
   * Tool requires nokogiri gem which in-turn requires libxml2, you may
     run into difficulties there: See http://nokogiri.org/tutorials/installing_nokogiri.html if you have problems.
+  * Doesn't work w JRuby, probably all versions, 1.6.7 confirmed to not
+    work.
 
 Before using this tool
 ----------------------
@@ -100,68 +87,90 @@ requirement, slh will help you with this later too)
     A simple convention is to have a dev entity for "development" or "staging" apps and one for production stuff.
     You might consider https://YOUR_ORG.umn.edu/shibboleth/dev_default or https://YOUR_ORG.umn.edu/shibboleth/prod_default
 
-
-Concept
--------
+Usage
+-----
 
 All configuration and authentication specs for all Shibboleth SP instances are specified in a single ruby parseable `shibboleths_lil_helper/config.rb` file.  From these specs, slh is capable of generating all of the required XML files you will need to integrate with a Shibboleth Identify Provider (Idp).  The following breaks down the essential steps.
 
-
-### Initialization
-It all starts with
+### 1. __Initialize a config.rb file__
 
     mkdir shibboleth_deployer
     cd shibboleth_deployer
     slh initialize
 
-This creates a config file with example code you'll need to change to work.
+  This creates a config file with example code you'll need to change to work.
 
-### SP configuration
-Edit `shibboleths_lil_helper/config.rb` to reflect your setup:
+### 2. edit `shibboleths_lil_helper/config.rb`
+The generated config.rb contains instructions and examples of valid
+configuration options to set your:
+  * sp_entity_id
+  * idp_metadata_url : the URL (NOT the idp entity ID) for you IDP's metadata
+  * strategies, hosts, sites, and paths to protect
 
-  * entity id
-  * idp metadata url
-  * hosts, sites, and paths to protect for each for each site
-
-From here you type:
+### 3. Generate shibboleth2.xml and deploy to web server hosts
+In the directory one up from "shibboleths_lil_helper" (in this case shibboleth_deployer), type
 
     slh generate
 
-This creates:
+This creates files for each web server host:
 
   * shibboleth2.xml
-  * idp_metadata.xml
+  * idp_metadata.xml (this is simply a copy of the IDP metadata at :idp_metadata_url
   * shib_apache.conf (if using apache)
 
-for each host for each entity_id.  shibboleth2.xml contains RequestMap, AssertionConsumer server "endpoints" and other goo needed to integrate with an Shib IDP.
+shibboleth2.xml contains a <RequestMap> and other goo needed to integrate with an Shib IDP to reflect the sites and paths your want protected.
+
+You must deploy these files to each host and restart the shib
+daeman/service and apache/IIS.
+
+You must also arbitrarily __pick one particular site__ in each strategy to `set :is_key_originator,true` for, if you see this more in a strategy, it will NOT WORK.  (also, don't set it to false, just remove the line in all but one site)
+
+`set :is_key_originator, true` tells slh that this site has the authoriative X509Certificate (in the SP metadata) that all other sites should match against (used in the verify_metadata command).
+
+It implies that each host in your strategy has the same sp-key.pem and sp-cert.pem files as the host where the "is_key_originator" site lives.  
+
+It also implies that, when you setup a new web server host: copy the sp-key and sp-cert files from this "is_key_originator" host to the new host.
 
-Go deploy these config files to you hosts. (the tool provides more details)
+### 4. Verify SP metadata correctness
+Once you've deployed you shibboleth2.xml, idp_metadata.xml, shib_apache,
+and sp-key, and sp-cert to all hosts, you can
 
-### Metadata verification
-Verify your metadata data across all hosts:
+Verify your metadata data across all hosts with:
 
     slh verify_metadata
 
-Which will tell some of the things that are probably incorrect with
-  your setup and how to fix it. (like copying the sp-key.pem and sp-cert.pem keys associated with the `:is_key_originator` site to all of the other hosts)
+This command will provide useful output and instructions to get your SP
+metadat setup correctly.
 
-### Metadata generation
-Once verify_metadata is showing all green:
+This command and generate_metadata rely on URLs like `somesite.com/Shibboleth.sso/Metadata`
+
+being publically available.  If this command is erroring out, its likely
+due to the fact that one or more sites does not expose this URL (and
+likely requires a change to shibboleth2.xml, i.e. tweak config.rb, `slh generate`, and redeploy to server).
+
+
+### 5. Generate SP metadata
+If verify_metadata is not showing any errors, you can proceed to
 
     slh generate_metadata
 
-which generates a metadata file for each strategy/entity id you have
-that you can give you your IDP.
+which generates an SP metadata file for each SP entity id in in a file
+like:
+
+    shibboleths_lil_helper/generated/<STRATEGY_NAME>/<STRATEGY_NAME>_sp_metadata_for_idp.xml
 
-Once the IDP has added your metadata, then each site should be able to
-respond to 
+__This SP Metadata file MUST BE INSTALLED on the IDP to proceed!!!__
+Typically this is done by emailing the file to your identity management
+team
 
-    Shibboleth.sso/Login
+### 6. Send SP metadata to IDP folks
+Send the <STRATEGY_NAME>_sp_metadata_for_idp.xml to your IDP folks.
 
-and be happily prompted for login.
+### 7. Verify all is well
+Hit somesite.com/Shibboleth.sso/Login and be happily prompted for login.
 
 
-Deployment automation
+Deployment automation (on Unix/Apache)
 ---------------------
 Once you have the basic stuff working, you may want to automate
 deployment:
@@ -177,6 +186,8 @@ target hosts run SSH (aka default not-IIS setup)
 
 deployment automation example
 -----------------------------
+__Only works on Unix/Apache__
+
 We have a private repo called shibboleth\_deployer that includes the shibboleths\_lil\_helper generated config files and uses Capistrano to push these files out target servers and restarts shibd and httpd.  It's usage looks like:
 
     cap deploy HOST=asr-web-dev4.oit.umn.edu
@@ -204,36 +215,26 @@ from the /etc/httpd/conf.d dir
 
     ln -s /etc/shibboleth_deployer/current/shibboleths_lil_helper/generated/apache_shib_test_server/asr-web-dev4.oit.umn.edu/shib_apache.conf shib_apache.conf
 
-How to Help
------------
-* Let us know the issues you are having with the tool via Github Issues.
-
-* Improve the documentation!  The whole purpose of this tool is to
-  provide a straight-forward path to setting up a Shibboleth SP.
+Staying up-to-date
+------------------
+__This code is under active development__.
 
-How to contribute
-----------------------
-* Fork, implement, issue a pull request for small changes.
+* Use `gem update shibboleths_lil_helper` to get the most current version.
+* See CHANGLOG.markdown for the changes associated with each gem
+  release.
 
-* Email us for big ideas or API changes--we'd like to keep this tool
-  stable and want to collaborate to identify the right way of
-accommodating new features while maintaining backward compatibility.
+How to help/contribute
+-----------
+* To suggest enhancements or changes let us know via Github Issues (preferred) or email.
 
-Contributors
-------------
-* Joe Goggins, Academic Support Resources, goggins@umn.edu
-* Chris Dinger, Academic Support Resources, ding0057@umn.edu
+* To share your experience, tricks, nuances, gotchas, and perspectives, please see and add to the [Github Wiki](https://github.com/umn-asr/shibboleths_lil_helper/wiki).
 
-Acknowledgements
-----------------
-Thanks to these folks for providing feedback and willingness to pilot
-the tool.
+* To add features or fix stuff yourself: fork, implement, issue a pull request.
 
-* David Peterson, Office of Institutional Research
-* Debbie Gillespie, Computer Science and Engineering
-* Eva Young, Office of Institional Compliance
-* Josh Buysse, CLA Office of Information Technology
-* Aaron Zirbes, Environmental Health Sciences
-* Rex Wheeler, University of Minnesota Extension
+* To show your support financially you can [donate a couple bucks to this project here](http://pledgie.com/campaigns/17458).
 
-Copyright (c) Regents of the University of Minnesota
+Author
+------
+* Joe Goggins, Academic Support Resources, goggins@umn.edu
+     
+Copyright (c) 2012 Regents of the University of Minnesota

data/TODOS.txt

@@ -4,6 +4,12 @@ TODOS
   will be expected to snag the X509Data and put it into the config somehow.
 
 DONE
+* Make note that JRuby does not work w SLH.
+* Tweak shib_apache.conf template
+    Include ref to https://spaces.internet2.edu/display/SHIB2/NativeSPApacheConfig in shib_apache.conf 
+  Include 
+    ShibConfig /swadm/etc/shibboleth/shibboleth2.xml
+  "Specific requirements are make" to "are made"
 * Move the set :site_id to the correct area in the config.rb.erb
 * Added note in readme: Broke because of libxml2 lacking http://nokogiri.org/tutorials/installing_nokogiri.html
 * after slh generate, tell the user exactly where they should put the files.

data/VERSION

@@ -1 +1 @@
-1.0.8
+1.0.9

data/lib/slh/cli.rb

@@ -20,7 +20,7 @@ module Slh
 
   This is Shibboleth's Lil Helper.
                                             He'll help you create consistent
-               ___,@                        config XML for your Shibboleth-Native 
+               ___,@                        config XML for your Shibboleth-Native
                /  <                         Service-Provider servers (Apache or IIS)
           ,_  /    \  _,                    without pulling your hair out in frustration.
       ?    \`/______\`/
@@ -81,10 +81,10 @@ OPTIONAL COMMANDS
     Summarizes the configuration described in shibboleths_lil_helper/config.rb
 
 OTHER DOCUMENTATION SOURCES (not just this tool)
-  https://wiki.shibboleth.net/
-    The official Shibboleth Wiki
-  (within this project--the doc folder)
-    There are lots of short little developer oriented tips we used while creating this tool.
+  * The official page of this tool: https://github.com/umn-asr/shibboleths_lil_helper/
+  * The official Shibboleth Wiki: https://wiki.shibboleth.net/
+  * Doc within this project--(the doc folder)
+    There are some short little developer oriented tips that could be useful
 
       EOS
     end

data/lib/slh/cli/generate.rb

@@ -28,6 +28,6 @@ class Slh::Cli::Generate < Slh::Cli::HostFilterableBase
       Slh::Cli.instance.output "  This makes the X509Certificate stuff in all metadata for all sites associated with an entity_id match"
     end
 
-    Slh::Cli.instance.output "You MUST deploy these files your web servers and restart httpd and shibd for subsequent commands to work", :highlight => true
+    Slh::Cli.instance.output "You MUST deploy these files your web servers and restart httpd/IIS and shibd/Shibboleth Service for subsequent commands to work", :highlight => true
   end
 end

data/lib/slh/cli/generate_metadata.rb

@@ -1,27 +1,4 @@
 class Slh::Cli::GenerateMetadata < Slh::Cli::HostFilterableBase
-
-  # def perform_action
-  #   Slh.strategies.each do |strategy|
-  #     strategy.hosts.each do |host|
-  #       next if @options[:filter].kind_of?(String) && !host.name.match(@options[:filter])
-  #       host_dir = strategy.config_dir_for_host(host)
-  #       file_path = 'sp_metadata_for_host_to_give_to_idp.xml'
-  #       @strategy = strategy
-  #       @host = host
-  #       # Global config shared across vhosts like the X509Certificate
-  #       # uses the first site arbirarily
-  #       @first_site_for_host = @host.sites.first
-  #       Slh::Cli.instance.output "Generating metadata for #{host.name}"
-  #       the_written_file = "sp_metadata_for_#{host.name.gsub(/[^a-zA-Z0-9\-_\.]/,'_')}.xml"
-  #       the_written_path = File.join(host_dir, the_written_file)
-  #       File.open(the_written_path,'w') do |f|
-  #         f.write(ERB.new(strategy.config_template_content(file_path)).result(binding))
-  #         Slh::Cli.instance.output "Wrote file to #{the_written_path}"
-  #       end
-  #     end
-  #   end
-  # end
-
   def perform_action
     template_rel_file_path ='sp_metadata_for_entity_id_to_give_to_idp.xml'
     Slh.strategies.each do |strategy|

data/lib/slh/models/site.rb

@@ -67,8 +67,9 @@ class Slh::Models::Site < Slh::Models::Base
     "#{self.to_https_prefixed_name}/Shibboleth.sso/Metadata"
   end
 
-  # Gets interpolated into the sp_metadata_for_host_to_give_to_idp.xml
-  # file
+  # Gets interpolated into the
+  #   sp_metadata_for_entity_id_to_give_to_idp.xml.erb # file
+  #
   def x509_certificate_string
     t=self.metadata_nokogiri.clone
     t.remove_namespaces!

data/lib/slh/templates/config.rb.erb

@@ -1,30 +1,23 @@
-# ABOUT
+# About
 # =====
 # This file is the basis for your shibboleth config for
 # all entities, hosts, sites, and url paths you want to protect for your organization.
 # 
 # All slh commands utilize this file to do its thing.
 #
-# To get started:
-#   * fill in the REQUIRED items
-#   * run slh generate
-#   * deploy the files our to your server to the appropriate place
-#   * fight with your server to get somesite.com/Shibboleth.sso/Metadata spitting out XML
-#     for each host
+# To run slh commands you need to be in the directory above
+# shibboleths_lil_helper/config.rb, aka
 #
-# Then:
-#   * run slh verify_metadata
-#   * copy sp-key, sp-cert, etc
-#   * re-run command until you aren't seeing any errors
-# Then:
-#   * run slh generate_metadata
-#   * give the metadata to your IDP folks
+#   shibboleth_deployer/
+#     <YOU NEED TO BE IN THIS DIRECTORY>
+#     shibboleths_lil_helper/
+#       <NOT THIS ONE>
+#       generated/
+#       config.rb
 #
-# Verify:
-#   * Goto somesite.com/Shibboleth.sso/Login
-#   * You should be prompted to login
-#
-# A strategy
+# Data Model
+# ==========
+# A strategy (you can think of this as a container to hold all config associated with an SP Entity ID)
 #   has one entity
 #   has a metadata url
 #   has many hosts
@@ -32,68 +25,88 @@
 #         a site has many protected paths
 #           a protected path can require auth, optionally use auth, or restrict to a 
 #           particular set of users
+# Usage
+# =====
+# * fill in the REQUIRED items and change stuff that is in ALL CAPS
+# * follow the instructions at https://github.com/umn-asr/shibboleths_lil_helper
 #
 Slh.for_strategy :test_idp do
-  set :sp_entity_id, 'YOUR_ENTITY_ID'                     # REQUIRED, https://yourorg.umn.edu/shibboleth/default
-
-  set :idp_metadata_url, 'YOUR_IDP_METADATA_URL'          # REQUIRED, https://idp-test.shib.umn.edu/metadata.xml
-  set :error_support_contact, 'YOUR_ERROR_SUPPORT_EMAIL_ADDRESS' # OPTIONAL
+  # REQUIRED, https://yourorg.umn.edu/shibboleth/default
+  set :sp_entity_id, 'YOUR_ENTITY_ID'
+  # REQUIRED, https://idp-test.shib.umn.edu/metadata.xml
+  set :idp_metadata_url, 'YOUR_IDP_METADATA_URL'
+  # OPTIONAL
+  set :error_support_contact, 'YOUR_ERROR_SUPPORT_EMAIL_ADDRESS'
 
+  # REQUIRED
   # Can be either
-  # for_apache_host
-  #   or
-  # for_iis_host
-  for_apache_host 'SOMEHOSTNAME.COM' do                          # REQUIRED
+  #   for_apache_host
+  #     or
+  #   for_iis_host
+  # SOMEHOSTNAME.COM does not matter externally and might have the same
+  # name as a site underneath it.  Most of the times the actual hostname of a
+  # server is different than the sites that live on it
+  #
+  for_apache_host 'SOMEHOSTNAME.COM' do
+    # OPTIONAL
     # uncomment if your shib stuff lives in a non-standard location
-    # set :shib_prefix, '/swadm/etc/shibboleth'                  # OPTIONAL
-
+    # set :shib_prefix, '/swadm/etc/shibboleth'
     #
-    # replace with the host name of your server
-    for_site 'SOMESITENAME1.COM' do                              # REQUIRED
-
+    # REQUIRED
+    # replace with the site of your server
+    for_site 'SOMESITENAME1.COM' do
+      # REQUIRED if this site is underneath a "for_iis_host" block
       # uncomment if and fill-in if you are using IIS
-      # set :site_id, "YOU_MUST_SET_THE_SITE_ID_HERE"              # REQUIRED if for_iis_host
-      #
+      # set :site_id, "YOU_MUST_SET_THE_SITE_ID_HERE_IF_ON_IIS" 
       #
-      # Each strategy must set this for exactly one site
-      # its used as the authoritative source to from which all other
+      # REQUIRED
+      # Each strategy must set this for exactly one site.
+      # Its used as the authoritative source to from which all other
       # sites metadata's X509Certificate should match
       # the sp-key.pem and sp-cert.pem files from this host should be
       # copied to all other hosts underneath the strategy
-      set :is_key_originator, true                               # REQUIRED, see instructions
-      protect '/' do                                             # REQUIRED
-        # delete this line if you want to require auth for the whole site 
-        set :flavor, :authentication_optional                    # OPTIONAL
-        # There are three "flavors":
-        #   authentication_required: defaults to this if unspecified
-        #     i.e. (no do-end block required)
-        #       protect 'secure'
-        #
-        #   authentication_optional: Makes it possible for
-        #     the app layer to redirect to Shibboleth.sso/Login
-        #     i.e. 
-        #       protect 'lazy_auth' do
-        #         set :flavor, :authentication_optional
-        #       end 
-        #   authentication_required_for_specific_users: Require auth and restrict to
-        #     a particular set of users (not-tested extensively)
-        #     i.e. 
-        #       protect 'specific_users' do
-        #         set :flavor, :authentication_required_for_specific_users
-        #         set :specific_users, %w(SOMEUSER@SOME.DOMAIN.COM ANOTHERUSER@SOME.DOMAIN.COM)
-        #       end 
-      end
-      # ... for each protected dir for this site ...
-    end
-    # ... for each site on this host ...
-  end
-  # ... for each host within this strategy (using this entity_id)
-end
-# ... for each strategy/aka entity_id ...
-#
-# Uncomment this line if you want to create a new strategy that is identical
-# an existing one but points at a different IDP entity URL
+      set :is_key_originator, true
+
+      # REQUIRED for each path you want to protect (or "/" if the entire site)
+      # You should have at least one of these for each site, but can have many
+      # There are three "flavors" of protection
+      #   authentication_required: Web-server will force login for any path underneath it
+      #     i.e. 
+      #       protect '/' do
+      #         set :flavor, :authentication_required
+      #       end
+      #
+      #   authentication_optional: Makes it possible for
+      #     the app layer to redirect to Shibboleth.sso/Login
+      #     Use this when you want the app/site (rather than the web-server)
+      #     to be in control of authentication
+      #     i.e.
+      #       protect 'lazy_auth' do
+      #         set :flavor, :authentication_optional
+      #       end
+      #
+      #   authentication_required_for_specific_users: Require auth and restrict to
+      #     a particular set of users (not-tested extensively)
+      #     i.e. 
+      #       protect 'specific_users' do
+      #         set :flavor, :authentication_required_for_specific_users
+      #         set :specific_users, %w(SOMEUSER@SOME.DOMAIN.COM ANOTHERUSER@SOME.DOMAIN.COM)
+      #       end
+      #
+      protect '/' do
+        set :flavor, :authentication_optional
+      end # ... for each protected dir for this site ...
+    end # ... for each site on this host ...
+  end # ... for each host within this strategy (using this entity_id)
+end # ... for each strategy/aka entity_id ...
+
+# OPTIONAL
+# Uncomment these 3 lines if you want to create a new strategy that is identical
+# an existing one but integrates against a different IDP.  The third param here
+# should be the URL where the IDP metadata lives (NOT THE IDP ENTITY ID).
 #
-# Slh.clone_strategy_for_new_idp :test_idp,                            # OPTIONAL
-#                                :production_idp,
-#                                'THE_PRODUCTION_IDP_METADATA_URL'
+# This creates a new strategy from an existing one who's only difference is the idp_metadata.xml
+# comes from THE_PRODUCTION_IDP_METADATA_URL rather than the one specified in the strategy you are cloning from (the first param)
+# Slh.clone_strategy_for_new_idp :test_idp,  # The name of the strategy you are cloning from
+#                                :production_idp, # the name of the strategy you are cloning to
+#                                'THE_PRODUCTION_IDP_METADATA_URL'  # the url where the production idp metadata lives

data/lib/slh/templates/shib_apache.conf.erb

@@ -1,7 +1,18 @@
-# Shibboleth Apache Global configuration
+##########################################
+# Shibboleth Apache Global configuration #
+##########################################
+# * See https://spaces.internet2.edu/display/SHIB2/NativeSPApacheConfig
+#   For details on the switches that can be flipped in the mod_shib module
+#
+
+
+# This is required to be on for Native SP.
 UseCanonicalName On
 
-<% unless @host.shib_prefix.nil? %>
+<% if @host.shib_prefix.nil? %>
+# Note: Intentionally not specifying ShibConfig '/some/crazy/path', assumed to be default
+<% else %>
+# Specifying a non-standard config file location
 ShibConfig <%= File.join(@host.shib_prefix, 'shibboleth2.xml') %>
 <% end %>
   
@@ -17,7 +28,8 @@ LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_22.so
 
 # Enable shibboleth for all vhosts, does NOT require auth anywhere
 # just makes it possible.
-# Specific auth requirements are make in the <RequestMap> in shibboleth2.xml
+# Specific auth requirements are made in the <RequestMap> in shibboleth2.xml
+# rather than in apache conf files
 <Location />
   AuthType shibboleth
   Require shibboleth

data/shibboleths_lil_helper.gemspec

@@ -4,15 +4,14 @@
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
-  s.name = %q{shibboleths_lil_helper}
-  s.version = "1.0.8"
+  s.name = "shibboleths_lil_helper"
+  s.version = "1.0.9"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Joe Goggins"]
-  s.date = %q{2011-12-29}
-  s.default_executable = %q{slh}
-  s.description = %q{See the summary text.}
-  s.email = %q{goggins@umn.edu}
+  s.date = "2012-05-24"
+  s.description = "See the summary text."
+  s.email = "goggins@umn.edu"
   s.executables = ["slh"]
   s.extra_rdoc_files = [
     "LICENSE.txt",
@@ -60,7 +59,6 @@ Gem::Specification.new do |s|
     "lib/slh/templates/shib_apache.conf.erb",
     "lib/slh/templates/shibboleth2.xml.erb",
     "lib/slh/templates/sp_metadata_for_entity_id_to_give_to_idp.xml.erb",
-    "lib/slh/templates/sp_metadata_for_host_to_give_to_idp.xml.erb",
     "shibboleths_lil_helper.gemspec",
     "test/fixtures/dummy1.rb",
     "test/fixtures/dummy1_output/attribute-map.xml",
@@ -69,17 +67,16 @@ Gem::Specification.new do |s|
     "test/helper.rb",
     "test/test_shibboleths_lil_helper.rb"
   ]
-  s.homepage = %q{http://github.com/umn-asr/shibboleths_lil_helper}
+  s.homepage = "http://github.com/umn-asr/shibboleths_lil_helper"
   s.licenses = ["MIT"]
   s.require_paths = ["lib"]
-  s.rubygems_version = %q{1.3.6}
-  s.summary = %q{A ruby gem to streamline the setup, deployment, and ongoing management of Apache & IIS web-servers running the Shibboleth Native Service Provider implementations.}
+  s.rubygems_version = "1.8.10"
+  s.summary = "A ruby gem to streamline the setup, deployment, and ongoing management of Apache & IIS web-servers running the Shibboleth Native Service Provider implementations."
 
   if s.respond_to? :specification_version then
-    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
     s.specification_version = 3
 
-    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
       s.add_runtime_dependency(%q<activesupport>, [">= 3.0.9"])
       s.add_runtime_dependency(%q<nokogiri>, [">= 0"])
       s.add_runtime_dependency(%q<i18n>, [">= 0"])

metadata

@@ -1,12 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: shibboleths_lil_helper
 version: !ruby/object:Gem::Version 
-  prerelease: false
+  hash: 5
+  prerelease: 
   segments: 
   - 1
   - 0
-  - 8
-  version: 1.0.8
+  - 9
+  version: 1.0.9
 platform: ruby
 authors: 
 - Joe Goggins
@@ -14,111 +15,126 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-12-29 00:00:00 -06:00
-default_executable: slh
+date: 2012-05-24 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
-  version_requirements: &id001 !ruby/object:Gem::Requirement 
+  type: :runtime
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 21
         segments: 
         - 3
         - 0
         - 9
         version: 3.0.9
-  requirement: *id001
-  prerelease: false
+  version_requirements: *id001
   name: activesupport
-  type: :runtime
 - !ruby/object:Gem::Dependency 
-  version_requirements: &id002 !ruby/object:Gem::Requirement 
+  type: :runtime
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 3
         segments: 
         - 0
         version: "0"
-  requirement: *id002
-  prerelease: false
+  version_requirements: *id002
   name: nokogiri
-  type: :runtime
 - !ruby/object:Gem::Dependency 
-  version_requirements: &id003 !ruby/object:Gem::Requirement 
+  type: :runtime
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 3
         segments: 
         - 0
         version: "0"
-  requirement: *id003
-  prerelease: false
+  version_requirements: *id003
   name: i18n
-  type: :runtime
 - !ruby/object:Gem::Dependency 
-  version_requirements: &id004 !ruby/object:Gem::Requirement 
+  type: :development
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 3
         segments: 
         - 0
         version: "0"
-  requirement: *id004
-  prerelease: false
+  version_requirements: *id004
   name: shoulda
-  type: :development
 - !ruby/object:Gem::Dependency 
-  version_requirements: &id005 !ruby/object:Gem::Requirement 
+  type: :development
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 23
         segments: 
         - 1
         - 0
         - 0
         version: 1.0.0
-  requirement: *id005
-  prerelease: false
+  version_requirements: *id005
   name: bundler
-  type: :development
 - !ruby/object:Gem::Dependency 
-  version_requirements: &id006 !ruby/object:Gem::Requirement 
+  type: :development
+  prerelease: false
+  requirement: &id006 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 7
         segments: 
         - 1
         - 6
         - 4
         version: 1.6.4
-  requirement: *id006
-  prerelease: false
+  version_requirements: *id006
   name: jeweler
-  type: :development
 - !ruby/object:Gem::Dependency 
-  version_requirements: &id007 !ruby/object:Gem::Requirement 
+  type: :development
+  prerelease: false
+  requirement: &id007 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 3
         segments: 
         - 0
         version: "0"
-  requirement: *id007
-  prerelease: false
+  version_requirements: *id007
   name: rcov
-  type: :development
 - !ruby/object:Gem::Dependency 
-  version_requirements: &id008 !ruby/object:Gem::Requirement 
+  type: :development
+  prerelease: false
+  requirement: &id008 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 3
         segments: 
         - 0
         version: "0"
-  requirement: *id008
-  prerelease: false
+  version_requirements: *id008
   name: ruby-debug
-  type: :development
 description: See the summary text.
 email: goggins@umn.edu
 executables: 
@@ -170,7 +186,6 @@ files:
 - lib/slh/templates/shib_apache.conf.erb
 - lib/slh/templates/shibboleth2.xml.erb
 - lib/slh/templates/sp_metadata_for_entity_id_to_give_to_idp.xml.erb
-- lib/slh/templates/sp_metadata_for_host_to_give_to_idp.xml.erb
 - shibboleths_lil_helper.gemspec
 - test/fixtures/dummy1.rb
 - test/fixtures/dummy1_output/attribute-map.xml
@@ -178,7 +193,6 @@ files:
 - test/fixtures/dummy1_output/shibboleth2.xml
 - test/helper.rb
 - test/test_shibboleths_lil_helper.rb
-has_rdoc: true
 homepage: http://github.com/umn-asr/shibboleths_lil_helper
 licenses: 
 - MIT
@@ -188,23 +202,27 @@ rdoc_options: []
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
       segments: 
       - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
       segments: 
       - 0
       version: "0"
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.3.6
+rubygems_version: 1.8.10
 signing_key: 
 specification_version: 3
 summary: A ruby gem to streamline the setup, deployment, and ongoing management of Apache & IIS web-servers running the Shibboleth Native Service Provider implementations.

data/lib/slh/templates/sp_metadata_for_host_to_give_to_idp.xml.erb

@@ -1,33 +0,0 @@
-<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="<%= Slh::Models::Version::VERSION %>" entityID="<%= @strategy.sp_entity_id %>">
-
-  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
-    <md:Extensions>
-      <% @host.sites.each do |site| %>
-        <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/Login"/>
-      <% end %>
-    </md:Extensions>
-    <md:KeyDescriptor>
-      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-        <ds:KeyName><%= @host.name %></ds:KeyName>
-        <ds:X509Data>
-          <ds:X509SubjectName>CN=<%= @host.name %></ds:X509SubjectName>
-          <ds:X509Certificate><%= @first_site_for_host.x509_certificate_string %></ds:X509Certificate>
-        </ds:X509Data>
-      </ds:KeyInfo>
-    </md:KeyDescriptor>
-
-    <% @host.sites.each do |site| %>
-      <!-- BEGIN <%= site.name %> -->
-      <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/Artifact/SOAP" index="0"/>
-      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML2/POST" index="0"/>
-      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML2/POST-SimpleSign" index="1"/>
-      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML2/Artifact" index="2"/>
-      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML2/ECP" index="3"/>
-      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML/POST" index="4"/>
-      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML/Artifact" index="5"/>
-      <!-- END <%= site.name %> -->
-    <% end %>
-  </md:SPSSODescriptor>
-</md:EntityDescriptor>
-
-