forked from DSpace/DSpace
-
Notifications
You must be signed in to change notification settings - Fork 0
/
saml-relying-party.cfg
77 lines (68 loc) · 5.27 KB
/
saml-relying-party.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
#---------------------------------------------------------------#
#----------------SAML RELYING PARTY CONFIGURATIONS--------------#
#---------------------------------------------------------------#
# Configuration of SAML relying parties. #
#---------------------------------------------------------------#
# This is mostly modeled on Spring Boot SAML configuration:
# https://github.com/spring-projects/spring-boot/blob/2.7.x/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyProperties.java
#
# Multiple relying parties may be configured. For each relying party, select a unique ID, and add
# configuration properties starting with "saml-relying-party.{id}." The examples below use the
# relying party ID "auth0".
#
# Configuring a relying party exposes three API endpoints under /server/saml2:
#
# 👉 /server/saml2/service-provider-metadata/{id}
# Produces metadata about the relying party. This URL can be provided to the administrator of the
# IdP to simplify setup.
# 👉 /server/saml2/authenticate/{id}
# Initiates a login with the IdP.
# 👉 /server/saml2/assertion-consumer/{id}
# Receives the identity assertion from the IdP after a user has successfully authenticated with
# the IdP.
# The URI where metadata for the asserting party (IdP) can be retrieved. Ideally, this is the only
# asserting party configuration that is needed, because all of the other asserting party
# configuration properties will be set automatically from the metadata.
# saml-relying-party.auth0.asserting-party.metadata-uri = https://dev-vynkcnqhac3c0s10.us.auth0.com/samlp/metadata/Vn8jWX0iFHtepmXi7rjZa9h5M1kqXNWY
# The following asserting-party configuration properties can be set to override what is retrieved
# from the metadata URI. It is sometimes necessary to set one or more of these, if the metadata
# provided by the IdP is incomplete or incorrect.
#
# At a minimum, entity-id, single-sign-on.url, and single-sign-on.binding must be set for the
# asserting party, either using the properties below, or by setting a metadata-uri that points to
# metadata containing those settings.
#
# If a verification certificate is configured, the certificate-location should contain the URL of
# an X509 certificate. This can be a file, http(s), or classpath URL.
#
# Note that single logout information can be configured for the asserting party, but SAML single
# logout is not currently supported by DSpace.
# saml-relying-party.auth0.asserting-party.entity-id = urn:dev-vynkcnqhac3c0s10.us.auth0.com
# saml-relying-party.auth0.asserting-party.single-sign-on.url = https://dev-vynkcnqhac3c0s10.us.auth0.com/samlp/Vn8jWX0iFHtepmXi7rjZa9h5M1kqXNWY
# saml-relying-party.auth0.asserting-party.single-sign-on.binding = POST
# saml-relying-party.auth0.asserting-party.single-sign-on.sign-request = false
# saml-relying-party.auth0.asserting-party.single-logout.url = https://dev-vynkcnqhac3c0s10.us.auth0.com/samlp/Vn8jWX0iFHtepmXi7rjZa9h5M1kqXNWY/logout
# saml-relying-party.auth0.asserting-party.single-logout.binding = POST
# saml-relying-party.auth0.asserting-party.single-logout.response-url =
# saml-relying-party.auth0.asserting-party.verification.credentials.0.certificate-location = file:///opt/dspace/cert/auth0-ap-certificate.crt
# The following configuration properties can be set to sign and/or encrypt/decrypt communications
# from the relying party to the IdP. Provide private key and certificate pairs, specifying a URL
# for each. These can be file, http(s), or classpath URLs. Each private key should be a PEM file
# containing a PKCS8-encoded private key. Each certificate should be X509 formatted. Signing and
# decryption certificates are automatically published in the relying party metadata, so that the
# IdP can use them to verify the signatures and decrypt the contents of requests from the relying
# party. Signing and decryption credentials are typically the same, but can be different.
# saml-relying-party.auth0.signing.credentials.0.private-key-location = file:///opt/dspace/secrets/rp-private.key
# saml-relying-party.auth0.signing.credentials.0.certificate-location = file:///opt/dspace/cert/rp-certificate.crt
# saml-relying-party.auth0.decryption.credentials.0.private-key-location = file:///opt/dspace/secrets/rp-private.key
# saml-relying-party.auth0.decryption.credentials.0.certificate-location = file:///opt/dspace/cert/rp-certificate.crt
# Mapping of SAML assertion attributes to request attributes. The left side is the name of an
# attribute in the assertion received from the IdP. The right side is the name of the request
# attribute to map the SAML attribute to, before forwarding the request to the authentication
# endpoint. A mapping to org.dspace.saml.EMAIL must be supplied in order for the authentication
# endpoint to associate a SAML user to a DSpace user. Mappings for org.dspace.saml.GIVEN_NAME
# and org.dspace.saml.SURNAME are required for new users to be registered automatically.
# saml-relying-party.auth0.attributes = \
# http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress => org.dspace.saml.EMAIL, \
# http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname => org.dspace.saml.GIVEN_NAME, \
# http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname => org.dspace.saml.SURNAME