Merge pull request #535 from nextcloud/add/user_saml_shib-idp

standalone shibboleth image

user_saml-dirsrv/Dockerfile

@@ -0,0 +1,29 @@
+FROM quay.io/389ds/dirsrv:latest
+
+ENV DS_DM_PASSWORD admin
+ENV DS_SUFFIX_NAME dc=idptestbed
+
+ADD conf/* /var/opt/
+
+RUN rm -Rf /data/*
+RUN /usr/libexec/dirsrv/dscontainer -r & \
+    sleep 60; \
+    WAIT_TIME=60; \
+    while : ; do \
+    	if /usr/libexec/dirsrv/dscontainer -H; then \
+    		break; \
+    	fi; \
+    	sleep 5; \
+    	WAIT_TIME=$((WAIT_TIME + 5)); \
+    	if [ ${WAIT_TIME} -gt 180 ]; then \
+    		echo "dirsrv not ready – giving up checking after 3min"; \
+    		exit 3 ;\
+    	fi; \
+    done; \
+    dsconf localhost backend create --suffix dc=idptestbed --be-name ci_root; \
+    mv /var/opt/98nextcloud-schema.ldif /etc/dirsrv/slapd-localhost/schema/; \
+    dsconf localhost schema reload; \
+    dsconf localhost backend import "dc=idptestbed" /var/opt/entries.ldif; \
+    rm /var/opt/entries.ldif;
+
+EXPOSE 3389

user_saml-dirsrv/conf/98nextcloud-schema.ldif

@@ -0,0 +1,13 @@
+dn: cn=schema
+objectClass: top
+objectClass: ldapSubentry
+objectClass: subschema
+cn: schema
+aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
+modifiersName: cn=Directory Manager
+modifyTimestamp: 20230412120423Z
+objectClasses: ( 1.3.6.1.4.1.49213.1.2.1 NAME 'nextcloudUser' AUXILIARY MUST cn MAY (nextcloudEnabled $ nextcloudQuota ) X-ORIGIN 'user defined' )
+objectClasses: ( 1.3.6.1.4.1.49213.1.2.2 NAME 'nextcloudGroup' AUXILIARY MUST cn MAY nextcloudEnabled X-ORIGIN 'user defined' )
+attributeTypes: ( 1.3.6.1.4.1.49213.1.1.1 NAME 'nextcloudEnabled' DESC 'whether user or group should be available in Nextcloud' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
+attributeTypes: ( 1.3.6.1.4.1.49213.1.1.2 NAME 'nextcloudQuota' DESC 'defines how much disk space is available for the user (e.g. 2 GB)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
+nsSchemaCSN: 64369e47000000000000

user_saml_shibboleth/ldap/users.ldif → user_saml-dirsrv/conf/entries.ldif

@@ -1,44 +1,62 @@
+
+dn: dc=idptestbed
+objectClass: top
+objectClass: domain
+dc: idptestbed
+description: dc=idptestbed
+aci: (targetattr = *) (targetfilter = "(objectclass=*)") (version 3.0; acl "Any read"; allow (search, read, compare) (userdn = "ldap:///anyone" );)
+
 dn: cn=admin,dc=idptestbed
 objectClass: simpleSecurityObject
 objectClass: organizationalRole
 cn: admin
 userPassword: password
 description: LDAP administrator
 
+dn: ou=Groups,dc=idptestbed
+objectClass: top
+objectClass: organizationalunit
+ou: Groups
+
+dn: ou=People,dc=idptestbed
+objectClass: top
+objectClass: organizationalunit
+ou: People
+
 dn: uid=student1,ou=People,dc=idptestbed
 objectClass: organizationalPerson
 objectClass: person
 objectClass: top
 objectClass: inetOrgPerson
-objectClass: ownCloud
+objectClass: nextcloudUser
 givenName: Stud
 uid: student1
 sn: Ent
 cn: Stud Ent
 mail: [email protected]
 userPassword: password
-quota: 200 MB
+nextcloudQuota: 200 MB
 
 dn: uid=student2,ou=People,dc=idptestbed
 objectClass: organizationalPerson
 objectClass: person
 objectClass: top
 objectClass: inetOrgPerson
-objectClass: ownCloud
+objectClass: nextcloudUser
 givenName: Stud
 uid: student2
 sn: Ent2
 cn: Stud Ent2
 mail: [email protected]
 userPassword: password
-quota: 1 GB
+nextcloudQuota: 1 GB
 
 dn: uid=staff1,ou=People,dc=idptestbed
 objectClass: organizationalPerson
 objectClass: person
 objectClass: top
 objectClass: inetOrgPerson
-objectClass: ownCloud
+objectClass: nextcloudUser
 givenName: St
 uid: staff1
 sn: aff

user_saml_shibboleth-idp/Dockerfile

@@ -0,0 +1,8 @@
+FROM cscfi/shibboleth-idp:release-4.1.4
+
+ADD shibboleth-idp/ /opt/shibboleth-idp/
+ADD start.sh /usr/local/bin/
+
+RUN chmod a+x /usr/local/bin/start.sh
+
+CMD "start.sh"

user_saml_shibboleth-idp/shibboleth-idp/conf/attribute-filter.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    This file is an EXAMPLE policy file.  While the policy presented in this
+    example file is illustrative of some simple cases, it relies on the names of
+    non-existent example services and the example attributes demonstrated in the
+    default attribute-resolver.xml file.
+
+    Deployers should refer to the documentation for a complete list of components
+    and their options.
+-->
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
+        xmlns="urn:mace:shibboleth:2.0:afp"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+
+    <!-- Release some attributes to an SP. -->
+    <AttributeFilterPolicy id="example1">
+        <PolicyRequirementRule xsi:type="Requester" value="http://localhost:8080/index.php/apps/user_saml/saml/metadata" />
+
+        <AttributeRule attributeID="eduPersonPrincipalName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="uid">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="surname">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="givenName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="eduPersonPrincipalName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+</AttributeFilterPolicyGroup>

user_saml_shibboleth/shibboleth/conf/attribute-resolver.xml → user_saml_shibboleth-idp/shibboleth-idp/conf/attribute-resolver.xml

@@ -1,46 +1,36 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- 
+<!--
     This file is an EXAMPLE configuration file containing lots of commented
     example attributes, encoders, and a couple of example data connectors.
-    
+
     Not all attribute definitions or data connectors are demonstrated, but
     a variety of LDAP attributes, some common to Shibboleth deployments and
     many not, are included.
-    
+
     Deployers should refer to the Shibboleth 2 documentation for a complete
     list of components  and their options.
 -->
-<resolver:AttributeResolver
-        xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
-        xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
-        xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
-        xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
-        xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
-        xmlns:sec="urn:mace:shibboleth:2.0:security"
+<AttributeResolver
+        xmlns="urn:mace:shibboleth:2.0:resolver"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
-                            urn:mace:shibboleth:2.0:resolver:pc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
-                            urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
-                            urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
-                            urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
-                            urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
 
     <!-- ========================================== -->
     <!--      Attribute Definitions                 -->
     <!-- ========================================== -->
 
     <!-- Schema: Core schema attributes-->
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
-    </resolver:AttributeDefinition>
+    <AttributeDefinition xsi:type="Simple" id="uid">
+		<InputDataConnector ref="myLDAP" attributeNames="uid" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="mail">
+        <InputDataConnector ref="myLDAP" attributeNames="mail" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+    </AttributeDefinition>
 <!--
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="homePhone" sourceAttributeID="homePhone">
         <resolver:Dependency ref="myLDAP" />
@@ -66,11 +56,11 @@
         <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" />
     </resolver:AttributeDefinition>
 -->
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
-    </resolver:AttributeDefinition>
+    <AttributeDefinition xsi:type="Simple" id="surname">
+        <InputDataConnector ref="myLDAP" attributeNames="sn" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
+    </AttributeDefinition>
 <!--
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="locality" sourceAttributeID="l">
         <resolver:Dependency ref="myLDAP" />
@@ -132,17 +122,17 @@
         <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" />
     </resolver:AttributeDefinition>
 -->
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
-    </resolver:AttributeDefinition>
-
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="quota" sourceAttributeID="quota">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:quota" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:quota" friendlyName="quota" encodeType="false" />
-    </resolver:AttributeDefinition>
+    <AttributeDefinition xsi:type="Simple" id="givenName">
+        <InputDataConnector ref="myLDAP" attributeNames="givenName" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="quota">
+		<InputDataConnector ref="myLDAP" attributeNames="quota" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:quota" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:quota" friendlyName="quota" encodeType="false" />
+    </AttributeDefinition>
 <!--
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="initials" sourceAttributeID="initials">
         <resolver:Dependency ref="myLDAP" />
@@ -158,12 +148,12 @@
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" />
         <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" />
     </resolver:AttributeDefinition>
-    
+
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="displayName" sourceAttributeID="displayName">
         <resolver:Dependency ref="myLDAP" />
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
         <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
-    </resolver:AttributeDefinition> 
+    </resolver:AttributeDefinition>
 
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="employeeNumber" sourceAttributeID="employeeNumber">
         <resolver:Dependency ref="myLDAP" />
@@ -222,11 +212,11 @@
         <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" encodeType="false" />
     </resolver:AttributeDefinition>
 -->
-    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}" sourceAttributeID="eduPersonPrincipalName">
-        <resolver:Dependency ref="myLDAP" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
-    </resolver:AttributeDefinition>
+    <AttributeDefinition xsi:type="Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}">
+		<InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName" />
+        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+    </AttributeDefinition>
 <!--
     <resolver:AttributeDefinition xsi:type="ad:Prescoped" id="eduPersonPrincipalNamePrior" sourceAttributeID="eduPersonPrincipalNamePrior">
         <resolver:Dependency ref="myLDAP" />
@@ -239,7 +229,7 @@
         <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
         <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
     </resolver:AttributeDefinition>
-    
+
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAssurance" sourceAttributeID="eduPersonAssurance">
         <resolver:Dependency ref="myLDAP" />
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAssurance" encodeType="false" />
@@ -264,8 +254,8 @@
     <!--
     <resolver:DataConnector id="mySIS" xsi:type="dc:RelationalDatabase">
         <dc:ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
-                                         jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB" 
-                                         jdbcUserName="myid" 
+                                         jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB"
+                                         jdbcUserName="myid"
                                          jdbcPassword="mypassword" />
         <dc:QueryTemplate>
             <![CDATA[
@@ -278,22 +268,22 @@
     </resolver:DataConnector>
      -->
 
-    <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
+    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
         ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
-        baseDN="%{idp.attribute.resolver.LDAP.baseDN}" 
+        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
         principal="%{idp.attribute.resolver.LDAP.bindDN}"
         principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
         useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
-        <dc:FilterTemplate>
+        <FilterTemplate>
             <![CDATA[
                 %{idp.attribute.resolver.LDAP.searchFilter}
             ]]>
-        </dc:FilterTemplate>
+        </FilterTemplate>
         <!--
         <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
             <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
         </dc:StartTLSTrustCredential>
     -->
-    </resolver:DataConnector>
+    </DataConnector>
 
-</resolver:AttributeResolver>
+</AttributeResolver>

user_saml_shibboleth-idp/shibboleth-idp/conf/attributes/default-rules.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"
+
+	   default-init-method="initialize"
+	   default-destroy-method="destroy">
+
+	<!--
+	This file is empty since we stick with the Attribute encoders. Cf:
+	- https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631499/ReleaseNotes#Attribute-Related-Changes
+	-->
+
+</beans>

user_saml_shibboleth/shibboleth/conf/idp.properties → user_saml_shibboleth-idp/shibboleth-idp/conf/idp.properties

@@ -193,3 +193,9 @@ idp.ui.fallbackLanguages= en,fr,de
 #idp.fticks.salt=somethingsecret
 #idp.fticks.loghost=localhost
 #idp.fticks.logport=514
+
+idp.loglevel.idp = DEBUG
+idp.loglevel.messages = DEBUG
+idp.loglevel.opensaml = DEBUG
+idp.loglevel.encryption = DEBUG
+idp.loglevel.ldap = INFO

user_saml_shibboleth/shibboleth/conf/ldap.properties → user_saml_shibboleth-idp/shibboleth-idp/conf/ldap.properties

@@ -5,7 +5,8 @@
 #idp.authn.LDAP.authenticator                   = anonSearchAuthenticator
 
 ## Connection properties ##
-idp.authn.LDAP.ldapURL                          = ldap://localhost:389
+# the LDAP server is typically a service container, reachable via "directory"
+idp.authn.LDAP.ldapURL                          = ldap://directory:3389
 idp.authn.LDAP.useStartTLS                     = false
 idp.authn.LDAP.useSSL                          = false
 #idp.authn.LDAP.connectTimeout                  = 3000
@@ -56,4 +57,4 @@ idp.attribute.resolver.LDAP.searchFilter        = (uid=$requestContext.principal
 #idp.pool.LDAP.prunePeriod                      = 300
 #idp.pool.LDAP.idleTime                         = 600
 #idp.pool.LDAP.blockWaitTime                    = 3000
-#idp.pool.LDAP.failFastInitialize               = false
+#idp.pool.LDAP.failFastInitialize               = false