-
Notifications
You must be signed in to change notification settings - Fork 36
/
remoteUserAuthenticator.properties
268 lines (247 loc) · 12.3 KB
/
remoteUserAuthenticator.properties
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
# Configuration file for Confluence HTTP Authenticator
# Whether or not to support local logins
# Acceptable values: true, false
local.login.supported=true
# Whether to create user accounts for new users
# Acceptable values: true, false
# Check and set adminUserId below, if set true.
create.users=true
# Whether existing accounts should have their name and email address updated upon login. This is strongly suggested if
# create.users is true.
# Acceptable values: true, false
update.info=true
# Whether new and existing accounts should have their last login date and previous login date updated in user properties
# upon login.
# Acceptable values: true, false
update.last.login.date=true
# Whether the configuration file should be automatically reloaded when it's changed.
reload.config=false
# When reloading the configuration file, how long to wait (in milliseconds) between checking the configuration file for
# changes.
reload.config.check.interval=5000
# The default group(s) to for newly created users, only used if create.users is true.
#
# Notes:
# * Group name list can be comma or semicolon delimited.
# * Currently groups must pre-exist.
default.roles=confluence-users
# Name of the admin user account with which to execute createUser transaction call. Should be at least a Confluence Administrator
# role as given at https://confluence.atlassian.com/doc/global-permissions-overview-138709.html
# required if users.create is true, since Confluence v8
adminUserId=
# HTTP header/attr. names where the user's full name, email address and username will come from. The full name and email
# address headers need not be populated (can be provided as empty values in the headers by Shibboleth for example if
# Shibboleth can provide no full name or email address for a user). If header.fullname is unspecified or the full name
# provided by the header value is empty or null then it will default to specifying the user id as the full name. If the
# header.email is unspecified or the value of the header is null the user's email address will be null.
#
# Although these two user fields may not seem so important at first, note that whenever a user modifies a wiki page,
# their full name is displayed as the person that last modified the page, and similarly their full name is noted next to
# any comment that they add to a page. Email address is important because when a user chooses to put a "watch" on a wiki
# page, they get emails when that page is changed.
#
# The headers matching the Shibboleth defaults would be:
# header.fullname=Shib-InetOrgPerson-displayName
# header.email=Shib-InetOrgPerson-mail
#
# Note: if the header value contains commas or semicolons, then it will choose the first value in the comma or
# semicolon-delimited list.
#
# Note: if fullname mapping is used (see below) then it will try using that first to get full name using this header.
#
# Each supports a strategy to get this value. All default to 0. Strategy codes mean the following:
# 0 - Try request.getAttribute then request.getHeader
# 1 - Use request.getAttribute
# 2 - Use request.getHeader
header.remote_user=REMOTE_USER
#header.remote_user.strategy=0
header.email=CONF_EMAIL
#header.email.strategy=0
header.fullname=CONF_FULLNAME
#header.fullname.strategy=0
# Whether or not to force the username we receive from Shibboleth to be all-lowercase. This was always true in
# versions <= 1.7.2 and still defaults to true
username.convertcase=true
# Regex search term to extract user_id from specific attribute. Default is "^CN=(.*)".
#
# This filter supports a strategy to get user id attribute value by default as first attribute or use custom one. Strategy codes mean the following:
# 0 - Get user id attribute value as first attribute from the header
# 1 - Use username.filter to get custom attribute
username.filter=CN=([A-Za-z0-9]*)
#username.filter.strategy=0
# Indication whether the group memberships of the user should be updated after creation. Acceptable values: true/false.
# If true, then group memberships will be added (default.roles, and dynamicroles.header depending on the mapping
# headers) whenever the user authenticates, and not just if the user is created by the authenticator.
update.roles=true
# Indication whether HTTP header values should be converted to UTF-8 to avoid an issue noted by Helsinki University:
# "where there is something not using utf-8 involved, 16-bit characters get bytes 83 c2 inserted between."
convert.to.utf8=false
# OPTIONAL
# This feature takes effect only when update.roles is true. List of dynamicroles headers, along side with the labels of
# their group-mapper. Each header can have a set of mapper labels to be activated. A header entry without appropriate
# assigned label will be ignored
#
# e.g. say we'd like to perform automatic group provisioning based on headers: "SHIB-EP-ENTITLEMENT", "affiliation", and
# our defined "fix-role-header" (note these have to match whatever defined in AAP), then we can define the following:
#
#dynamicroles.header.SHIB-EP-ENTITLEMENT = label1, label2, label4, label3
#dynamicroles.header.affiliation = label1, label5
# Whether the dynamicroles attempt to automatically create the role in confluence if such role does not exist.
dynamicroles.auto_create_role=false
# Instruct to convert all output groups into lowercase before creating them on confluence. This is necessary to overcome
# some versions of Confluence's limitation of disallowing group names in upper case. Defaults to true.
dynamicroles.output.tolowercase=true
# Define mapper label and its logic for dynamicroles. Each mapper has to define either
# "match" or "transform" property, otherwise it will not be included in the
# dynamicroles processing.
#
# Notes:
#
# * Colons need to be escaped by \
# * Attribute names are case-insensitive.
# * Value list can be comma or semicolon delimited.
#
# Description of each property:
#
# * match = java regex string to match against the ENTIRE input, you can use java
# regex groupings (http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html#cg)
# e.g. to explicitly match a fix string: match= Hello World
# to match with grouping: match = some\:urn\:(\\w+):(.*)
#
# * casesensitive = boolean, whether the match regex should care about case
# sensitivity matching, default to true
#
# * transform = a fix string replacement of the input (e.g. the group or groups).
# when not specified, it will simply take the input value.
# transform can be a list of groups separated by comma or semicolon e.g.
# transform= A, B, C which means if this mapper matches, the output
# would be group A, B, and C. You can also use $1..$N to represent
# a matched regex group (as done by "match" regex). $0 refers to
# the entire input string.
# e.g. spit out a fix output: transform = Hello There
# reuse some regex grouping: transform = confluence-$1, confluence-$2
# (suppose the input is "some:urn:users:administrators", then
# using the last example match regex we are converting
# this to "confluence-users" and "confluence-administrators"
#
# You can leave the .match property empty, which simply means the input is
# passed directly for .transform to process. Similarly, if you leave .transform
# undefined, then there won't be transformation performed on the input (e.g.
# you may want to allow those inputs matching your regex to be included in
# confluence and filter out those that don't match.
#
# examples:
#
# map "some:urn:group1:group2" to groups called "group1" and "group2"
#
#dynamicroles.mapper.label1.match=some\:urn\:(\\w+)\:(.*)
#dynamicroles.mapper.label1.transform=$1, $2
#
# map "StaFF" to "cs100"
#
#dynamicroles.mapper.map2.match = staff
#dynamicroles.mapper.map2.casesensitive = false
#dynamicroles.mapper.map2.transform = cs100
#
# OPTIONAL
# Normally, users added to a group based on Shibboleth attributes would stay in
# the group forever, even if they no longer have the attribute. The
# purge.roles feature allows to specify a list of groups which should be
# automatically purged of any users who no longer have the attributes to regain
# entry (comma or semicolon separated).
# When logging in, a user will be automatically removed from the group IFF the
# user would not be added to the group (either via dynamicroles.header or
# default.roles). This feature takes effect only when update.roles is true.
#
# Example:
# remove members from role starting with "alum", "alumni",
# or any other "alum*", as well as from cs101. (ignore case sensitivity).
#
#purge.roles = alum.* , cs101
# OPTIONAL
# Maximum roles to purge, since purging too many at once could delay login.
#purge.roles.limit = 5
# OPTIONAL
# Do mapping on values presented in REMOTE_USER to something understandable
# by confluence. Sometimes remote user is mapped to an attribute containing
# characters invalid in confluence, use this feature below to do transformation
# for it (assuming the original remote-user value hits your confluence without
# much of your control).
#
# This feature has similar syntax to dynamic roles.
#
# Please make sure that the resultant remote user is:
# - unique & single-value
# - accepted by confluence (fit into 128 chars length, no weird chars, etc)
#
# If a regex map doesn't match the input provided, then
# the mapping is not performed (e.g. the input is untouched; make sure
# you understand the mapping logic).
#
# Example: suppose the remote user has initial value
# "https://idp.edu/idp!https://sp.edu/shibboleth!1234-56789-#00%00-TTT"
# and we would like it to be transformed to
# "123456789A00c00@idp.edu"
# then we can define the following:
#
#remoteuser=remoteusermap
#remoteuser.replace=#,A,%,c,(-|TTT),,
#remoteuser.map.remoteusermap.match = ^(http|https)://(.*?)(:|/)?[^!]*?!([^!]*?)!(.*)
#remoteuser.map.remoteusermap.casesensitive = false
#remoteuser.map.remoteusermap.transform = $5@$2
#
# remoteusermap is the mapping label to be used, multiple labels
# can be used but only 1st result from the label is chosen as remote user)
#
# .replace is pair-wise regex & replacement strings to be applied to the FINAL
# remote-user once the mapping has been performed. null (as replacement string)
# can be represented by simply empty string (e.g. '-' and 'TTT' above are removed)
#
# OPTIONAL
# Do mapping on values presented in header defined as value of header.fullname. This is for those that don't have a
# "display name" type attribute that can be exposed to Confluence's Shibboleth SP, but must put a full name together
# from multiple values, etc.
#
# This feature has similar syntax to dynamic roles.
#
# If a regex map doesn't match the input provided, then
# the mapping is not performed, and it will use the first value of that header.
#
# Example 1: suppose the full name has the header value
# "Doe; John"
# and we would like it to be transformed to
# "John Doe"
# then we can define the following:
#
#fullname=fullnamemap
#fullname.map.fullnamemap.match = ^(.*);(.*)
#fullname.map.fullnamemap.casesensitive = false
#fullname.map.fullnamemap.transform = $2 $1
#
# Note: if the expression doesn't match, it will split the string by comma or semi-colon and get the first value, so
# the fullname would be:
# "Doe"
#
# Example 2: suppose the full name has the header value
# "Doe#,%John"
# and we would like it to be transformed to
# "John Doe"
# then we can define the following:
#
#fullname=fullnamemap
#fullname.replace=#,,%,,
#fullname.map.fullnamemap.match = ^(.*),(.*)
#fullname.map.fullnamemap.casesensitive = false
#fullname.map.fullnamemap.transform = $2 $1
#
# Note: if the expression doesn't match, it will split the string by comma or semi-colon and get the first value, so
# the fullname would be:
# "Doe#"
#
# fullnamemap is the mapping label to be used, multiple labels
# can be used but only 1st result from the label is chosen as remote user)
#
# .replace is pair-wise regex & replacement strings to be applied to the FINAL
# full name once the mapping has been performed. null (as replacement string)
# can be represented by simply empty string (e.g. '-' and 'TTT' above are removed)
#