Merge pull request #297 from ausaccessfed/develop

Merge develop to master to prepare for 1.5.0+idp-3.4.6 release

assets/idp.example.edu.dist/idp/conf/authn/general-authn.xml

@@ -52,7 +52,20 @@
         </bean>
 
         <bean id="authn/External" parent="shibboleth.AuthenticationFlow"
-            p:nonBrowserSupported="false" />
+            {% if enable_shibcas == "true" %}
+             p:passiveAuthenticationSupported="true"
+             p:forcedAuthenticationSupported="true"
+            {% endif %}
+            p:nonBrowserSupported="false">
+            {% if enable_shibcas == "true" %}
+            <property name="supportedPrincipals">
+                <list>
+                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
+                </list>
+            </property>
+            {% endif %}
+        </bean>
 
         <bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow"
             p:nonBrowserSupported="false" />

assets/idp.example.edu.dist/idp/conf/idp.properties

@@ -120,20 +120,31 @@ idp.encryption.cert = %{idp.home}/credentials/idp-encryption.crt
 
 # Regular expression matching login flows to enable, e.g. IPAddress|Password
 # Enable ShibCas if you want to off-load authentication to your CAS IdP.
-idp.authn.flows= Password
-#idp.authn.flows= Shibcas
-
-# CAS Client properties (usage loosely matches that of the Java CAS Client)
-## CAS Server Properties
-# shibcas.casServerUrlPrefix = https://cassserver.example.edu/cas
-# shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login
-
-## Shibboleth Server Properties
-# shibcas.serverName = https://shibserver.example.edu
-
-# By default you always get the AuthenticatedNameTranslator, add additional code to cover your custom needs.
-# Takes a comma separated list of fully qualified class names
-# shibcas.casToShibTranslators = com.your.institution.MyCustomNamedTranslatorClass
+{% if enable_shibcas == "false" %}
+    idp.authn.flows= Password
+{% else %}
+    idp.authn.flows= External
+
+    # CAS Client properties (usage loosely matches that of the Java CAS Client)
+    ## CAS Server Properties
+    # shibcas.casServerUrlPrefix = https://cassserver.example.edu/cas
+    # shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login
+
+    ## Shibboleth Server Properties
+    # shibcas.serverName = https://shibserver.example.edu
+
+    # By default you always get the AuthenticatedNameTranslator, add additional code to cover your custom needs.
+    # Takes a comma separated list of fully qualified class names
+    # shibcas.casToShibTranslators = com.your.institution.MyCustomNamedTranslatorClass
+    # shibcas.parameterBuilders = com.your.institution.MyParameterBuilderClass
+
+    # Specify CAS validator to use - either 'cas10', 'cas20' or 'cas30' (default)
+    # shibcas.ticketValidatorName = cas30
+
+    # Specify if the Relying Party/Service Provider entityId should be appended as a separate entityId query string parameter
+    # or embedded in the "service" querystring parameter - `append` (default) or `embed`
+    # shibcas.entityIdLocation = append
+{% endif %}
 
 # Default lifetime and timeout of various authentication methods
 #idp.authn.defaultLifetime = PT60M

assets/idp.example.edu.dist/idp/conf/metadata-providers.xml

@@ -107,7 +107,7 @@
       <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D" />
 
       <MetadataFilter xsi:type="SignatureValidation"
-        certificateFile="/opt/shibboleth/shibboleth-idp/current/credentials/federation-metadata-cert.pem"
+        certificateFile="{{ shib_idp.home }}/credentials/federation-metadata-cert.pem"
         requireSignedRoot="true">
       </MetadataFilter>
 

bootstrap.sh

@@ -132,6 +132,11 @@ ENABLE_BACKCHANNEL=false
 #
 ENABLE_EDUGAIN=false
 
+# Enable your IdP to off load authentications to your CAS IdP. Note: Additioanl
+# configuration will be required on compelation of the Bootstrap process.
+#
+ENABLE_SHIBCAS=false
+
 #
 # ------------------------ END BOOTRAP CONFIGURATION ---------------------------
 
@@ -157,7 +162,7 @@ FR_PROD_REG=https://manager.aaf.edu.au/federationregistry/registration/idp
 function ensure_mandatory_variables_set {
   for var in HOST_NAME ENVIRONMENT ORGANISATION_NAME ORGANISATION_BASE_DOMAIN \
     HOME_ORG_TYPE SOURCE_ATTRIBUTE_ID INSTALL_BASE YUM_UPDATE FIREWALL \
-    ENABLE_BACKCHANNEL ENABLE_EDUGAIN; do
+    ENABLE_BACKCHANNEL ENABLE_EDUGAIN ENABLE_SHIBCAS; do
     if [ ! -n "${!var:-}" ]; then
       echo "Variable '$var' is not set! Set this in `basename $0`"
       exit 1
@@ -198,6 +203,12 @@ function ensure_mandatory_variables_set {
      echo "Variable ENABLE_EDUGAIN must be either true or false"
      exit 1
   fi
+
+  if [ $ENABLE_SHIBCAS != "true" ] && [ $ENABLE_SHIBCAS != "false" ]
+  then
+     echo "Variable ENABLE_SHIBCAS must be either true or false"
+     exit 1
+  fi
 }
 
 function ensure_install_base_exists {
@@ -213,7 +224,7 @@ function install_yum_dependencies {
   then
     yum -y update
   else
-    count_updates=`yum check-update --quiet | grep '^[a-Z0-9]' | wc -l`
+    count_updates=`yum check-update --quiet | grep '^[[:alnum:]]' | wc -l`
 
     echo "WARNING: Automatic server software updates performed by this"
     echo "         installer have been disabled!"
@@ -326,6 +337,8 @@ function set_ansible_host_vars {
     $ANSIBLE_HOST_VARS
   replace_property 'enable_edugain:' "\"$ENABLE_EDUGAIN\"" \
     $ANSIBLE_HOST_VARS
+  replace_property 'enable_shibcas:' "\"$ENABLE_SHIBCAS\"" \
+    $ANSIBLE_HOST_VARS
 }
 
 function set_ansible_cfg_log_path {

host_vars/idp.example.edu.dist.production

@@ -50,3 +50,6 @@ edugain_metadata_url: "https://md.aaf.edu.au/aaf-edugain-metadata.xml"
 
 # Enable eduGAIN
 enable_edugain: "false"
+
+# Enable shibcas
+enable_shibcas: "false"

host_vars/idp.example.edu.dist.test

@@ -49,3 +49,6 @@ edugain_metadata_url: "https://md.test.aaf.edu.au/aaf-edugain-test-metadata.xml"
 
 # Enable eduGAIN
 enable_edugain: "false"
+
+# Enable shibcas
+enable_shibcas: "false"

site.yml

@@ -60,12 +60,12 @@
         sha256sum: ae4185b2f0bb1af00abc6a4502fbfbdc6a90aec65c7bcee08e37a1bc20de5ac1 
       cas_client_core:
         baseurl: "{{ aaf_binaries.baseurl }}/jars/cas_extensions"
-        version: 3.4.1
-        sha256sum: 840a860da8e1cd65bb2b66c38222518e87158edfe8c3dc5a94f6e1183511c445
+        version: 3.6.0
+        sha256sum: 21c46f083530a494fb3f94c91d1c817851608409717382c9e3673c44acada522
       shib_cas_authenticator:
         baseurl: "{{ aaf_binaries.baseurl }}/jars/cas_extensions"
-        version: 3.2.3
-        sha256sum: a21766ff6010f15177760d2cfc4409c81e068447ce1f62281586e5daf07c23a0
+        version: 3.3.0
+        sha256sum: 435aebc3e301341e31c22e73ee5dee42c36bb1ea88483b5db182b13170a79ff2
     urls:
       jetty:
         url: "{{ download.jetty.baseurl }}/jetty-distribution-{{ download.jetty.version }}.tar.gz"

tasks/idp.yml

@@ -719,7 +719,7 @@
     mode: 0640
 
 - name: 'Set authn/general-authn.xml'
-  copy:
+  template:
     src: 'assets/{{inventory_hostname}}/idp/conf/authn/general-authn.xml'
     dest: '{{ shib_idp.home }}/conf/authn/general-authn.xml'
     owner: root

update.yml

@@ -209,3 +209,12 @@
         line: "\n# Enable eduGAIN\nenable_edugain: \"false\""
         insertafter: EOF
       when: enable_edugain is not defined
+
+    - name: 'Add enable_shibcas to host_vars if it does not exist'
+      lineinfile:
+        path: '{{ installer.repository }}/host_vars/{{inventory_hostname}}'
+        line: "\n# Enable shibCAS\nenable_shibcas: \"false\""
+        insertafter: EOF
+      when: enable_shibcas is not defined
+
+