source: TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/securedapp/application.ini_tmpl @ 7681

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/securedapp/application.ini_tmpl@7681
Revision 7681, 23.4 KB checked in by pjkersha, 10 years ago (diff)

Incomplete - task 16: NDG Security 2.0.1 - incl. updated Paster templates

  • Fix mutable keyword defaults
  • Property svn:keywords set to Id
#
# NERC DataGrid Security
#
# Paste configuration for combined SAML Attribute Authority and Authorisation
# Services, OpenID Relying Party and Provider services and SSL client
# authentication filters.  This is for test purposes only.  A production system
# might deploy these on different hosts or separate WSGI scripts.
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Author: P J Kershaw
# date: 01/07/09
# Copyright: (C) 2009 Science and Technology Facilities Council
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id$

[DEFAULT]
# Values in this section are fall-backs visible to every section below and are
# referenced there via %(name)s interpolation.
#
# NOTE(review): two kinds of ${...} token appear in this file.  ${authkitCookieSecret}
# and ${beakerSessionSecret} look like Paster template variables filled in when
# the template is instantiated (this file is an .ini_tmpl); ${username},
# ${password}, ${userId} and ${userIdentifier} further down look like run-time
# substitutions made by the ndg code.  Confirm which layer resolves each before
# editing them.
portNum = 7443
hostname = localhost
scheme = https
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
testConfigDir = %(here)s/../../config
beakerSessionKeyName = beaker.session.ndg.security.services
# Secret used to sign the AuthKit authentication cookie.  It is shared by the
# cookie.secret / authkit.cookie.secret settings of the two AuthKit filters
# below; keep the generated value out of version control and distinct from the
# Beaker session secret.
cookieSecret = ${authkitCookieSecret}

# Global Attribute Authority Settings
attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface

# ... and Authorisation Service
authzDecisionQueryInterfaceEnvironKeyName = ndg.security.server.wsgi.authz.service.authzDecisionQueryInterface

# SQLAlchemy connection string shared by the OpenID Provider authN / Attribute
# Exchange interfaces and the Attribute Authority (see their sections below).
# A test SQLite file; the user table is the credential and attribute store.
dbConnectionString = sqlite:///%(testConfigDir)s/user.db

[server:main]
use = egg:Paste#http
# 0.0.0.0 listens on every network interface.  This matches the test-only
# purpose stated in the file header; bind to a specific address for anything
# beyond local testing.
host = 0.0.0.0
# NOTE(review): scheme = https in [DEFAULT] but this is the plain Paste#http
# server with no TLS setting shown here, so presumably TLS is terminated by a
# front-end proxy (see the HTTP_ prefix notes in SSLClientAuthenticationFilter)
# - confirm.
port = %(portNum)s

# Uncomment and replace OpenIDProviderApp with OpenIDProviderFilterApp in the
# pipeline below if the RelyingParty filter is removed.  The RelyingParty
# provides static content to both it and the Provider in this configuration.
# See the staticContentDir setting in the OpenIDRelyingPartyFilter section
#[filter-app:OpenIDProviderFilterApp]
#use = egg:Paste#httpexceptions
#next = cascade
#
## Composite for OpenID Provider to enable settings for picking up static
## content
#[composit:cascade]
#use = egg:Paste#cascade
#app1 = OpenIDProviderStaticContent
#catch = 404
#
#[app:OpenIDProviderStaticContent]
#use = egg:Paste#static
#document_root = %(here)s/openidprovider

# Ordering of filters and app is critical
[pipeline:main]
# Requests pass through the filters top-down and reach OpenIDProviderApp last.
# Every name must match a [filter:...] / [app:...] section below - including
# the misspelt SSLCientAuthnRedirectResponseFilter, whose section header uses
# the same spelling.  Do not put comment lines inside this multi-line value.
pipeline = AttributeAuthorityFilter
           AttributeAuthoritySamlSoapBindingFilter
           AuthorisationServiceFilter
           AuthorisationSamlSoapBindingFilter
                   SessionMiddlewareFilter
                   SSLClientAuthKitFilter
                   SSLClientAuthenticationFilter
                   SSLCientAuthnRedirectResponseFilter
                   OpenIDRelyingPartyFilter
                   OpenIDProviderApp

#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware
# Name of the session cookie
beaker.session.key = openid
# Paster template variable - the value signs the session cookie and must be
# kept secret
beaker.session.secret = ${beakerSessionSecret}

# If you'd like to fine-tune the individual locations of the cache data dirs
# for the Cache data, or the Session saves, un-comment the desired settings
# here:
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
# In Beaker, True makes the cookie expire when the browser closes rather than
# after a fixed interval - confirm against the Beaker version in use.
# NOTE(review): the services run over https (scheme in [DEFAULT]); consider
# also setting beaker.session.secure = True so the cookie is only sent over
# TLS.
beaker.session.cookie_expires = True

#beaker.session.cookie_domain = .localhost

# Key name for keying into environ dictionary
environ_key = %(beakerSessionKeyName)s

[filter:SSLClientAuthKitFilter]
paste.filter_app_factory = authkit.authenticate:middleware

# AuthKit Set-up
setup.method=cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app.  In this file they are the
# same values as authkit.cookie.name / authkit.cookie.secret in
# [filter:OpenIDRelyingPartyFilter], so a cookie set by one filter is accepted
# by the other.
cookie.name=ndg.security.auth

cookie.secret=%(cookieSecret)s
cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place.
# With this off, the cookie is not bound to the client address, so its
# security rests entirely on the secret and on transport protection.
cookie.includeip = False

#cookie.params.domain = .localhost

# SSL Client Certificate based authentication is invoked if the client passed
# a certificate with request.  This bypasses OpenID based authn.
[filter:SSLClientAuthenticationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.ssl:AuthKitSSLAuthnMiddleware
prefix = ssl.

# Apply verification against a list of trusted CAs.  To skip this step, comment
# out or remove this item.  e.g. set CA verification in the Apache config file.
# NOTE(review): if this is removed, this filter trusts whatever certificate the
# front end forwarded, so only do so when the proxy itself verifies the client
# chain.
ssl.caCertFilePathList = %(testConfigDir)s/ca/d573507a.0
# Optional allow-list of client certificate subject DNs.  Commented out here,
# so presumably any certificate chaining to a trusted CA is accepted - verify
# in AuthKitSSLAuthnMiddleware.
#ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=mytest /O=gabriel/OU=BADC/CN=test /O=NDG/OU=BADC/CN=test

# 'HTTP_' prefix is set when passed through an Apache proxy
#ssl.sslKeyName = HTTP_HTTPS
#ssl.sslClientCertKeyName = HTTP_SSL_CLIENT_CERT

# Set the URI pattern match here to interrupt a redirect to the OpenID Relying
# Party from the service running over HTTP and see if a client certificate has
# been set.  Paths not matching this pattern are presumably left to the OpenID
# flow - confirm.
ssl.rePathMatchList = ^/verify.*

[filter:OpenIDRelyingPartyFilter]
# The value continues on the indented line below
paste.filter_app_factory =
        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

# Forward reference to authkit.openid.baseurl later in this section;
# interpolation resolves it regardless of order
openid.relyingparty.baseURL = %(authkit.openid.baseurl)s

# Uncomment to restrict sign in to a whitelist of trusted OpenID Providers.
# While this stays commented out, sign-in is not restricted to listed
# providers.
#openid.relyingparty.idpWhitelistConfigFilePath = %(here)s/openidrelyingparty/ssl-idp-validator.xml

openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.genshi.GenshiSigninTemplate

# Nb. in this configuration, this directory provides static content for both
# this filter and the OpenID Provider app downstream in the WSGI stack.
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/public

openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
openid.relyingparty.signinInterface.heading = OpenID Sign-in
#openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
#openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
#openid.relyingparty.signinInterface.leftLink = http://ndg.nerc.ac.uk/
#openid.relyingparty.signinInterface.leftImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif

# This setting will accept HTML mark-up, i.e. it is rendered into the sign-in
# page unescaped - keep the value under operator control only
openid.relyingparty.signinInterface.footerText = This site is for test purposes only.   <a class="FooterLink" href="http://openid.net/what/" target="_blank"><small>What is OpenID?</small></a>
openid.relyingparty.signinInterface.rightLink = http://ceda.ac.uk/
openid.relyingparty.signinInterface.rightImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/CEDA_RightButton60.png
openid.relyingparty.signinInterface.rightAlt = Centre for Environmental Data Archival
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit Set-up
authkit.setup.method=openid, cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app - here they match
# cookie.name / cookie.secret in [filter:SSLClientAuthKitFilter]
authkit.cookie.name=ndg.security.auth

authkit.cookie.secret=%(cookieSecret)s
authkit.cookie.signoutpath = /logout
#authkit.cookie.params.domain = .localhost

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
authkit.cookie.includeip = False

authkit.openid.path.signedin=/
# On-disk store under the directory below - presumably the OpenID
# association / nonce store; confirm against AuthKit's openid docs
authkit.openid.store.type=file
authkit.openid.store.config=%(here)s/openidrelyingparty/store
authkit.openid.session.key = authkit_openid
# NOTE(review): this is a literal placeholder, unlike the other secrets in this
# file which come from template variables or %(cookieSecret)s.  Replace it with
# a generated value (e.g. a further Paster template variable) before any
# non-test use.
authkit.openid.session.secret = random string

# Key name for dereferencing beaker.session object held in environ
authkit.openid.session.middleware = %(beakerSessionKeyName)s

authkit.openid.baseurl = %(baseURI)s

# Template for signin
#authkit.openid.template.obj =

# Handler for parsing OpenID and creating a session from it
#authkit.openid.urltouser =

# Attribute Exchange - all are optional unless the relevant ax.required.<name>
# is set to True.  The alias defers to the parameter name given unless explicitly
# specified - see commented out entry for firstName below.  The number of
# attributes for each attribute name defaults to 1 unless otherwise set
#authkit.openid.ax.typeuri.firstName=http://openid.net/schema/namePerson/first
#authkit.openid.ax.alias.firstName=firstName
##authkit.openid.ax.count.firstName=1
#authkit.openid.ax.required.firstName=True
#authkit.openid.ax.typeuri.lastName=http://openid.net/schema/namePerson/last
#authkit.openid.ax.alias.lastName=lastName
#authkit.openid.ax.required.lastName=True
#authkit.openid.ax.typeuri.emailAddress=http://openid.net/schema/contact/internet/email
#authkit.openid.ax.alias.emailAddress=emailAddress
#authkit.openid.ax.required.emailAddress=True

# ESG Gateway requested parameters
# Nb. the typeuri / required entries below use ':' as the key/value delimiter
# while the rest of the file uses '='.  ConfigParser accepts both, but keep to
# one style if this block is edited.
authkit.openid.ax.typeuri.uuid:http://openid.net/schema/person/guid
authkit.openid.ax.alias.uuid=uuid
authkit.openid.ax.typeuri.username:http://openid.net/schema/namePerson/friendly
authkit.openid.ax.alias.username=username
authkit.openid.ax.typeuri.firstname:http://openid.net/schema/namePerson/first
authkit.openid.ax.alias.firstname=firstname
authkit.openid.ax.required.firstname:True
authkit.openid.ax.typeuri.middlename:http://openid.net/schema/namePerson/middle
authkit.openid.ax.alias.middlename=middlename
authkit.openid.ax.typeuri.lastname:http://openid.net/schema/namePerson/last
authkit.openid.ax.required.lastname:True
authkit.openid.ax.alias.lastname=lastname
authkit.openid.ax.typeuri.email:http://openid.net/schema/contact/internet/email
authkit.openid.ax.required.email:True
authkit.openid.ax.alias.email=email
authkit.openid.ax.typeuri.gateway:http://www.earthsystemgrid.org/gateway
authkit.openid.ax.alias.gateway=gateway
authkit.openid.ax.typeuri.organization:http://openid.net/schema/company/name
authkit.openid.ax.alias.organization=organization
authkit.openid.ax.typeuri.city:http://openid.net/schema/contact/city/home
authkit.openid.ax.alias.city=city
authkit.openid.ax.typeuri.state:http://openid.net/schema/contact/state/home
authkit.openid.ax.alias.state=state
authkit.openid.ax.typeuri.country:http://openid.net/schema/contact/country/home
authkit.openid.ax.alias.country=country

# Nb. the section name is misspelt ('Cient') but matches the entry in
# [pipeline:main]; renaming one requires renaming the other.
[filter:SSLCientAuthnRedirectResponseFilter]
# Redirect to original requested URI following SSL Client Authentication.  This
# filter must be placed AFTER the AuthKit cookie setting middleware.  In this
# case it's configured in the OpenIDRelyingPartyMiddleware filter.  If the
# OpenID Relying Party filter is removed, a separate AuthKit middleware entry
# would need to be made so that this redirect filter can still function
paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthKitRedirectResponseMiddleware
prefix = ssl.
# Beaker session environ key (same as the SessionMiddlewareFilter environ_key)
ssl.sessionKey = %(beakerSessionKeyName)s

#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderApp]
paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory

openid.provider.path.openidserver=/OpenID/Provider/server
openid.provider.path.login=/OpenID/Provider/login
openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path may be set to a page
# with <link rel="openid.server" href="..."> and Yadis
# <meta http-equiv="x-xrds-location" content="..."> links if required but in
# this implementation it is set to return 404 not found - see
# ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
# class
# ${userIdentifier} is presumably expanded per user at run time by the provider
# code, not by the Paster template - confirm.
openid.provider.path.id=/OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis=%(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis=%(openIDProviderIDBase)s
openid.provider.path.allow=/OpenID/Provider/allow
openid.provider.path.decide=/OpenID/Provider/decide
openid.provider.path.mainpage=/OpenID/Provider/home

openid.provider.session_middleware=%(beakerSessionKeyName)s
openid.provider.base_url=%(baseURI)s

# Enable login to construct an identity URI if IDSelect mode was chosen and
# no identity URI was passed from the Relying Party.  This value should
# match openid.provider.path.id and/or openid.provider.path.yadis - see above
identityUriTemplate=%(baseURI)s%(openIDProviderIDBase)s/${userIdentifier}

# Leave trace off outside debugging; presumably enables verbose logging of
# OpenID protocol messages - confirm
openid.provider.trace=False
openid.provider.consumer_store_dirpath=%(here)s/openidprovider
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

# Templates
openid.provider.rendering.templateRootDir = %(here)s/openidprovider/templates

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
#openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
#openid.provider.rendering.leftAlt = Natural Environment Research Council
#openid.provider.rendering.leftLink = http://ndg.nerc.ac.uk/
#openid.provider.rendering.leftImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png
openid.provider.rendering.footerText = This site is for test purposes only.
openid.provider.rendering.rightLink = http://ceda.ac.uk/
openid.provider.rendering.rightImage = %(openid.provider.rendering.baseURL)s/layout/CEDA_RightButton60.png
openid.provider.rendering.rightAlt = Centre for Environmental Data Archival

# Basic Authentication interface to demonstrate capabilities
#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface
# Active authN interface: looks users up in the SQL database from [DEFAULT]
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sqlalchemy_authn.SQLAlchemyAuthnInterface
openid.provider.authN.connectionString=%(dbConnectionString)s
# NOTE(review): ${username} and ${password} are substituted into this SQL text
# by the authN interface.  Confirm that the substitution is parameterised or
# escaped; if the user-supplied values are spliced in verbatim, a crafted
# login can alter the query.
# NOTE(review): the md5password column and isMD5EncodedPwd below suggest an
# unsalted MD5 digest, which is not a suitable password hash for anything
# beyond this test set-up - confirm the stored format.
openid.provider.authN.logonSqlQuery=select count(*) from users where username = '${username}' and md5password = '${password}'
openid.provider.authN.username2UserIdentifierSqlQuery=select openid_identifier from users where username = '${username}'
openid.provider.authN.isMD5EncodedPwd=True

# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# one alias at a time may be registered with a given Attribute Authority
# NOTE(review): plain-text test credentials.  Presumably only read by the
# BasicAuthNInterface commented out above; remove for any non-test deployment.
openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs
#openid.provider.usercreds=pjk:test

# Attribute Exchange interface
#openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.csv.CSVFileAXInterface
#openid.provider.axResponse.csvFilePath=%(here)s/openidprovider/attributeexchange.csv
openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.sqlalchemy_ax.SQLAlchemyAXInterface
openid.provider.axResponse.connectionString=%(dbConnectionString)s
# Same ${username} substitution caveat as for the authN queries above
openid.provider.axResponse.sqlQuery = select firstname, lastname, emailaddress from users where username = '${username}'
# One attribute type URI per column returned by sqlQuery, in the same order
# (value continues on the indented lines)
openid.provider.axResponse.attributeNames=http://openid.net/schema/namePerson/first
    http://openid.net/schema/namePerson/last
    http://openid.net/schema/contact/internet/email
   
# Comma-separated list of Relying Party base URIs (continues on the indented
# line).  Presumably RPs outside this list are not trusted automatically -
# confirm against OpenIDProviderMiddleware.
openid.provider.trustedRelyingParties=https://localhost:7443, https://ndg.somewhere.ac.uk,
        https://badc.somewhere.ac.uk

#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter publishes an Attribute Authority instance as a key in environ
# to enable other middleware to access it
paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
prefix = attributeAuthority.

# Lifetime is measured in seconds (28800 = 8 hours).  Attribute assertions
# issued here stay valid for this long, so keep it as short as the consumers
# allow.
attributeAuthority.assertionLifetime: 28800

# Settings for custom AttributeInterface derived class to get user roles for given
# user ID
#attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
#attributeAuthority.attributeInterface.modName: siteAUserRoles
#attributeAuthority.attributeInterface.className: TestUserRoles

# Key name for the SAML SOAP binding based interface to reference this
# service's attribute query method
attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s

# SQLAlchemy Attribute Interface
attributeAuthority.attributeInterface.connectionString: %(dbConnectionString)s
attributeAuthority.attributeInterface.className: ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface
# NOTE(review): ${userId} is substituted into these SQL strings by the
# attribute interface.  The value comes from the SAML query subject; confirm
# the substitution is parameterised or escaped before it reaches the database.
attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}'
# Each entry pairs a SAML attribute name with the SQL that fetches it.  The
# suffix after samlAttribute2SqlQuery. is only a unique label (1, lastName,
# emailAddress, 4 are all used below).
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where openid = '${userId}'"
# Comma-separated allow-list of requestor DNs (continues on the indented
# lines).  Presumably attribute queries from issuers not listed here are
# refused - confirm; in this file the Authorisation Service's own issuerName
# is included.
attributeAuthority.attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority,
                                                           /O=Site B/CN=Authorisation Service,
                                                           /CN=test/O=NDG/OU=BADC,
                                                           /O=NDG/OU=Security/CN=localhost

# SAML SOAP Binding to the Attribute Authority
[filter:AttributeAuthoritySamlSoapBindingFilter]
paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
prefix = saml.soapbinding.

# Parses incoming SAML AttributeQuery messages
saml.soapbinding.deserialise = ndg.saml.xml.etree:AttributeQueryElementTree.fromXML

# Specialisation to incorporate ESG Group/Role type
saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML

# URI path this binding is mounted on
saml.soapbinding.mountPath = /AttributeAuthority
# Must match the key the AttributeAuthorityFilter publishes in environ
saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s

# Clock skew for SAML Attribute Queries - allow clockSkew number of seconds
# tolerance for query issueInstant parameter. Set here to 3 minutes.  Widening
# this extends the window in which an old query is still accepted.
saml.soapbinding.clockSkewTolerance: 180.0

# Issuer identity written into SAML responses from this service.  Clients that
# match the issuer against a certificate DN will need this to agree with the
# certificate presented - confirm.
saml.soapbinding.issuerName: /O=Site A/CN=Attribute Authority
saml.soapbinding.issuerFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

#______________________________________________________________________________
# SAML/SOAP query interface to the Authorisation Service
[filter:AuthorisationSamlSoapBindingFilter]
paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
# Nb. shorter prefix than the Attribute Authority binding above
# (saml.soapbinding.); each filter section is independent so the two do not
# clash
prefix = saml.

# The URI path for this service
saml.mountPath = /AuthorisationService

# The key name in environ which the upstream authorisation service must assign
# to its authorisation query callback - see the AuthorisationServiceFilter
# settings below...
saml.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s

# ElementTree based XML parsing and serialisation used for SAML messages
saml.deserialise = ndg.saml.xml.etree:AuthzDecisionQueryElementTree.fromXML
saml.serialise = ndg.saml.xml.etree:ResponseElementTree.toXML

# Sets the identity of THIS authorisation service when filling in SAML responses
# (same DN as authz.ctx_handler.issuerName in the AuthorisationServiceFilter)
saml.issuerName = /O=Site A/CN=Authorisation Service
saml.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

#______________________________________________________________________________
# Authorisation Service WSGI settings
[filter:AuthorisationServiceFilter]
# This filter is a container for a binding to a SOAP/SAML based interface to the
# Authorisation Service.  It contains a XACML Context handler which manages
# requests from Policy Enforcement Points to the PDP and also enables the PDP
# to make attribute queries to Policy Information Point
paste.filter_app_factory = ndg.security.server.wsgi.authz.service:AuthorisationServiceMiddleware.filter_app_factory
prefix = authz.

# Expose this filter's authorisation decision query callback via this key name
# in environ
authz.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s

# Lifetime for authorisation assertions issued from this service (seconds;
# 86400 = 24 hours).  NOTE(review): authz.ctx_handler.assertionLifetime below
# carries the same value; which one the code reads is not visible here, so keep
# them in step.
authz.xacmlContext.assertionLifetime = 86400

#
# XACML Context handler manages PEP (Policy Enforcement Point) requests and the
# PDP's (Policy Decision Point's) interface to the PIP (Policy Information
# Point)

# XACML Policy file - the access-control rules the PDP evaluates
authz.ctx_handler.policyFilePath = %(here)s/policy.xml

# Settings for SAML authorisation decision response to a Policy Enforcement Point
# making a decision query
authz.ctx_handler.issuerName = /O=Site A/CN=Authorisation Service
authz.ctx_handler.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
authz.ctx_handler.assertionLifetime = 86400

#
# Policy Information Point interface settings
#
# The Context handler is a client to the PIP, passing on attribute queries
# on behalf of the PDP onwards to the PIP

# The PIP can cache assertions retrieved from Attribute Authority calls to
# optimise performance.  Set this flag to True/False to enable/disable caching
# respectively.  If this setting is omitted it defaults to True
authz.ctx_handler.pip.cacheSessions = True

# Set the directory for cached information to be stored.  This option is
# ignored if 'cacheSessions' is set to False.  If this setting is omitted, then
# sessions will be cached in memory only.  If the service is stopped all cached
# information would be lost.
# The cached assertions hold user attribute data, so restrict this directory
# to the service user.
authz.ctx_handler.pip.sessionCacheDataDir = %(here)s/pip-session-cache

#
# Attribute ID -> Attribute Authority mapping file.  The PIP, on receipt of a
# query from the XACML context handler, checks the attribute(s) being queried
# for and looks up this mapping to determine which attribute authority to query
# to find out if the subject has the attribute in their entitlement
authz.ctx_handler.pip.mappingFilePath = %(here)s/pip-mapping.txt

# The attribute ID of the subject value to extract from the XACML request
# context and pass in the SAML attribute query
authz.ctx_handler.pip.subjectAttributeId = urn:esg:openid

# The context handler's issuer identity, reused for the PIP's attribute queries.
# Nb. this DN also appears in the Attribute Authority's samlValidRequestorDNs
# list above.
authz.ctx_handler.pip.attributeQuery.issuerName = %(authz.ctx_handler.issuerName)s
authz.ctx_handler.pip.attributeQuery.issuerFormat = %(authz.ctx_handler.issuerFormat)s

# These settings configure SSL mutual authentication for the query to the SAML
# Attribute Authority: the certificate/key this service presents and,
# presumably, the CA directory used to verify the Attribute Authority's server
# certificate - confirm.  The private key file should be readable only by the
# service user.
authz.ctx_handler.pip.attributeQuery.sslCertFilePath = %(testConfigDir)s/pki/localhost.crt
authz.ctx_handler.pip.attributeQuery.sslPriKeyFilePath = %(testConfigDir)s/pki/localhost.key
authz.ctx_handler.pip.attributeQuery.sslCACertDir = %(testConfigDir)s/ca

# Logging configuration (Python logging.config.fileConfig format)
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[logger_ndg]
# DEBUG for the security packages: check that debug output does not include
# tokens, cookies or credentials before enabling this outside testing
level = DEBUG
# No handler of its own - records propagate to the root console handler, which
# avoids duplicate output
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
# fileConfig evaluates this as a Python expression, so this file must only be
# writable by trusted users
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
# fileConfig reads the format string raw, so %(asctime)s etc. are logging
# placeholders, not ConfigParser interpolation
format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s:%(lineno)s] %(message)s
datefmt = %Y-%m-%d %H:%M:%S
