Update prod shib config to use MDQ

CenterForOpenScience · Dec 26, 2024 · d06074d · d06074d
1 parent c729e3a
commit d06074d
Showing 1 changed file with 70 additions and 129 deletions.
diff --git a/etc/cas/config/shibboleth2-prod.xml b/etc/cas/config/shibboleth2-prod.xml
@@ -7,147 +7,70 @@
 
     <InProcess logger="native.logger" checkSpoofing="true"/>
 
-    <!--
-    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
-    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-    -->
-
-    <!--
-    To customize behavior for specific resources on Apache, and to link vhosts or
-    resources to ApplicationOverride settings below, use web server options/commands.
-    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
-
-    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
-    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
-    -->
-
     <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
     <ApplicationDefaults entityID="https://accounts.osf.io/shibboleth"
                          REMOTE_USER="institutionalidentity eppn oid" attributePrefix="AUTH-">
-
-        <!--
-        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
-        You MUST supply an effectively unique handlerURL value for each of your applications.
-        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
-        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
-        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
-        Note that while we default checkAddress to "false", this has a negative impact on the
-        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-        -->
+        <!-- Controls session lifetimes, address checks, cookie handling, and the protocol handlers. -->
         <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                   checkAddress="false" handlerSSL="false" cookieProps="http">
-
-            <!--
-            Configures SSO for a default IdP. To allow for >1 IdP, remove
-            entityID property and adjust discoveryURL to point to discovery service.
-            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
-            You can also override entityID on /Login query string, or in RequestMap/htaccess.
-            -->
-            <!-- <SSO entityID="https://idp.testshib.org/idp/shibboleth"
-                discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
-              SAML2 SAML1
-            </SSO> -->
-            <!-- <SSO entityID="https://idp.testshib.org/idp/shibboleth">SAML2 SAML1</SSO> -->
-            <!-- <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.incommonfederation.org/DS/WAYF">SAML2 SAML1</SSO> -->
+            <!-- Configures SSO for a default IdP. -->
             <SSO>SAML2 SAML1</SSO>
-
             <!-- SAML and local-only logout. -->
             <Logout>SAML2 Local</Logout>
-
             <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
-
             <!-- Status reporting service. -->
-            <!-- <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/> -->
             <Handler type="Status" Location="/Status"/>
-
             <!-- Session diagnostic service. -->
-            <!-- <Handler type="Session" Location="/Session" showAttributeValues="false"/> -->
             <Handler type="Session" Location="/Session" showAttributeValues="true"/>
-
             <!-- JSON feed of discovery information. -->
             <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
         </Sessions>
 
-        <!--
-        Allows overriding of error template information/filenames. You can
-        also add attributes with values that can be plugged into the templates.
-        -->
+        <!-- Allows overriding of error template information/filenames. -->
         <Errors supportContact="support@osf.io" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/>
-        <!-- <Errors supportContact="EMAIL" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/> -->
-
-        <!-- Example of remotely supplied batch of signed metadata. -->
-        <!--
-        <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
-              backingFilePath="federation-metadata.xml" reloadInterval="7200">
-            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
-            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
-        </MetadataProvider>
-        -->
 
-        <!-- Example of locally maintained metadata. -->
-        <!--
-        <MetadataProvider type="XML" file="partner-metadata.xml"/>
-        -->
+        <!-- Here goes the non-InCommon/eduGAIN IdPs. -->
+        <!-- This is above InCommon to take precedence for institutions that have Metadata in InCommon but prefer providing their own. -->
 
-        <!-- Albion Collge -->
-        <MetadataProvider type="XML" path="albion-idp-metadata.xml" />
-
-        <!-- Boys Town -->
+        <!-- Boys Town (BT) -->
         <MetadataProvider type="XML"
                           uri="https://login.microsoftonline.com/e2ab7419-36ab-4a95-a19f-ee90b6a9b8ac/federationmetadata/2007-06/federationmetadata.xml?appid=5da6af52-f405-43c2-9f33-10327a488ddc"
-                          backingFilePath="bt-idp-prod-metadata.xml"
+                          backingFilePath="bt-prod-idp-metadata.xml"
                           reloadInterval="180000" >
             <MetadataFilter type="Signature" certificate="bt-idp-prod.pem" />
         </MetadataProvider>
 
-        <!-- California Lutheran University (CALLUTHERAN) -->
+        <!-- Universiteit Gent (UGENT) -->
         <MetadataProvider type="XML"
-                          uri="https://login.callutheran.edu/sso/metadata.ashx"
-                          backingFilePath="callutheran-idp-metadata.xml"
+                          uri="https://identity.ugent.be/simplesaml/saml2/idp/metadata.php"
+                          backingFilePath="ugent-prod-idp-metadata.xml"
                           reloadInterval="180000" />
 
-        <!-- Institut Teknologi Bandung (ITB) -->
-        <MetadataProvider type="XML" uri="https://idp.itb.ac.id/idp/shibboleth"
-                          backingFilePath="itb-idp-metadata.xml" reloadInterval="180000" />
-
-        <!-- Universiteit Gent (UGENT) -->
-        <MetadataProvider type="XML" uri="https://identity.ugent.be/simplesaml/saml2/idp/metadata.php"
-                          backingFilePath="ugent-idp-metadata.xml" reloadInterval="180000" />
-
         <!-- East Carolina University (ECU) [Prod] -->
         <MetadataProvider type="XML"
                           uri="https://login.microsoftonline.com/17143cbb-385c-4c45-a36a-c65b72e3eae8/federationmetadata/2007-06/federationmetadata.xml?appid=307cd716-765f-4c4d-a8db-be6d3046fa10"
                           backingFilePath="ecu-prod-idp-metadata.xml"
-                          reloadInterval="86400">
+                          reloadInterval="180000">
             <MetadataFilter type="Signature" certificate="ecu-prod-idp-cert.cer" />
         </MetadataProvider>
 
-        <!-- Ferris State Univeristy (FERRIS) -->
-        <MetadataProvider type="XML" path="ferris-metadata.xml"/>
-
-        <!-- Illinois Institute of Technology (IIT) -->
-        <MetadataProvider type="XML" file="iit-metadata.xml"/>
-
         <!-- Macquarie University (MQ) -->
         <MetadataProvider type="XML"
                           uri="https://mq.okta.com/app/exk2dzwun7KebsDIV2p7/sso/saml/metadata"
-                          backingFilePath="mq-idp-metadata.xml"
-                          reloadInterval="180000"/>
-
-        <!-- Nesta -->
-        <MetadataProvider type="XML" path="nesta-jumpcloud.xml" />
+                          backingFilePath="mq-prod-idp-metadata.xml"
+                          reloadInterval="180000" />
 
         <!-- Oklahoma State University (OKSTATE) -->
         <MetadataProvider type="XML"
                           uri="https://stwcas.okstate.edu/cas/idp/metadata"
-                          backingFilePath="okstate-idp-metadata.xml"
+                          backingFilePath="okstate-prod-idp-metadata.xml"
                           reloadInterval="180000" />
 
         <!-- Open Universiteit (OUNL) -->
         <MetadataProvider type="XML"
                           uri="https://login.ou.nl/am/saml2/jsp/exportmetadata.jsp?entityid=https://login.ou.nl/am&amp;realm=/ou"
-                          backingFilePath="ounl-idp-metadata.xml"
+                          backingFilePath="ounl-prod-idp-metadata.xml"
                           reloadInterval="180000" />
 
         <!-- University of British Columbia (UBC) -->
@@ -156,44 +79,74 @@
                           backingFilePath="ubc-idp-metadata.xml"
                           reloadInterval="180000" />
 
-        <!-- University of Cape Town (UCT) -->
-        <MetadataProvider type="XML"
-                          uri="https://adfs.uct.ac.za/FederationMetadata/2007-06/FederationMetadata.xml"
-                          backingFilePath="uct-idp-metadata.xml"
-                          reloadInterval="180000" />
-
-        <!-- University of Kent (UNIVERSITYOFKENT) -->
-        <MetadataProvider type="XML"
-                          uri="https://sso.id.kent.ac.uk/idp/saml2/idp/metadata.php"
-                          backingFilePath="universityofkent-idp-metadata.xml"
-                          reloadInterval="180000" />
-
-        <!-- University of South Carolina Libraries (SC) -->
+        <!-- University of South Carolina (SC) -->
         <MetadataProvider type="XML"
                           uri="https://cas.auth.sc.edu/cas/idp/metadata"
                           backingFilePath="sc-idp-metadata.xml"
                           reloadInterval="180000" />
 
-        <!-- Univeristy of Southern California (USC) -->
-        <MetadataProvider type="XML" uri="https://shibboleth.usc.edu/USC-metadata.xml"
-                          backingFilePath="usc-idp-metadata.xml" reloadInterval="180000"/>
-
         <!-- Vrije Universiteit Amsterdam (VUA) [Prod] -->
         <MetadataProvider type="XML"
                           uri="https://stsfed.login.vu.nl/FederationMetadata/2007-06/FederationMetadata.xml"
                           backingFilePath="vua-prod-idp-metadata.xml"
                           reloadInterval="180000" />
 
-        <!-- University-provided metadata takes precedence over InCommon -->
-
-        <!-- InCommon -->
-        <MetadataProvider type="XML" uri="http://md.incommon.org/InCommon/InCommon-metadata.xml"
-                          backingFilePath="incommon-idp-metadata.xml" reloadInterval="86400">
-            <MetadataFilter type="Signature" certificate="incommon-idp-signature.pem"/>
+        <!-- Here is the end of non-InCommon/eduGAIN IdPs. Current total: 9 unique provider and 9 institutions. -->
+
+        <!-- Here goes all InCommon/eduGAIN IdPs, all of which are production IdP server using the MDQ service -->
+        <!-- This is a list of all servers using a Dynamic Metadata Provider configuration with MDQ -->
+        <!-- Arizona State University -->
+        <!-- Brown University -->
+        <!-- Carnegie Mellon University -->
+        <!-- Case Western Reserve University -->
+        <!-- Cornell University -->
+        <!-- Duke University -->
+        <!-- Erasmus University Rotterdam -->
+        <!-- Florida State University -->
+        <!-- National High Magnetic Field Laboratory (Shared SSO via Florida State University) -->
+        <!-- George Mason University -->
+        <!-- George Washington University -->
+        <!-- Georgia Institute of Technology -->
+        <!-- Harvard University -->
+        <!-- James Madison University -->
+        <!-- KU Leuven -->
+        <!-- Massachusetts Institute of Technology -->
+        <!-- New York University -->
+        <!-- Princeton University -->
+        <!-- Purdue University -->
+        <!-- Temple University -->
+        <!-- The University of Oklahoma -->
+        <!-- The University of Texas at Dallas -->
+        <!-- Tufts University -->
+        <!-- Universidade do Algarve -->
+        <!-- Universiteit Gent -->
+        <!-- University of Arizona -->
+        <!-- University of California, Berkeley -->
+        <!-- University of California, Los Angles -->
+        <!-- University of Chicago -->
+        <!-- University of Cincinnati -->
+        <!-- University of Colorado Boulder -->
+        <!-- University of Edinburgh -->
+        <!-- University of London -->
+        <!-- University of Manchester -->
+        <!-- University of Maryland -->
+        <!-- University of Maryland, Baltimore -->
+        <!-- University of North Carolina at Chapel Hill -->
+        <!-- University of Notre Dame -->
+        <!-- University of Rochester -->
+        <!-- University of Sussex -->
+        <!-- University of Virginia -->
+        <!-- Virginia Commonwealth University -->
+        <!-- Virginia Tech -->
+        <!-- Washington University in St. Louis -->
+        <!-- Yale Law School -->
+        <MetadataProvider type="Dynamic" ignoreTransport="true" maxCacheDuration="86400" minCacheDuration="60">
+            <Subst>https://mdq.incommon.org/entities/$entityID</Subst>
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>
+            <MetadataFilter type="Signature" certificate="inc-md-cert-mdq.pem"/>
         </MetadataProvider>
 
-        <!-- <MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml"
-                          backingFilePath="testshib-two-idp-metadata2.xml" reloadInterval="180000"/> -->
+        <!-- Here is the end of InCommon/eduGAIN IdPs. Current total: 1 dynamic provider for 45 institutions. -->
 
         <!-- Map to extract attributes from SAML assertions. -->
         <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
@@ -207,18 +160,6 @@
         <!-- Simple file-based resolver for using a single keypair. -->
         <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
 
-        <!--
-        The default settings can be overridden by creating ApplicationOverride elements (see
-        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
-        Resource requests are mapped by web server commands, or the RequestMapper, to an
-        applicationId setting.
-
-        Example of a second application (for a second vhost) that has a different entityID.
-        Resources on the vhost would map to an applicationId of "admin":
-        -->
-        <!--
-        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-        -->
     </ApplicationDefaults>
 
     <!-- Policies that determine how to process and authenticate runtime messages. -->