source: TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/services/service.ini_tmpl @ 7817

Revision 7817, 29.0 KB checked in by pjkersha, 9 years ago (diff)

Incomplete - task 16: NDG Security 2.x.x - incl. updated Paster templates

  • major progress on independent OpenID Provider template. Requires some fixes to Yadis templates to complete.
1#
2# Title:        NERC DataGrid Security Paste INI file template for all services
3#
4# Description:  Paste configuration for combined SAML Attribute Authority and
5#               Authorisation Services, OpenID Relying Party and Provider
6#               services and SSL client authentication filters.  This is for
7#               test purposes only.  A production system might deploy these on
8#               different hosts or separate WSGI scripts.
9#
10#               The %(here)s variable will be replaced with the parent directory
11#               of this file
12#
13# Author:       P J Kershaw
14# Date:         01/07/09
15# Copyright:    (C) 2009 Science and Technology Facilities Council
16# license:      BSD - see LICENSE file in top-level directory
17# Contact:      Philip.Kershaw@stfc.ac.uk
18
19
# Settings global to all sections.
#
# configparser makes every [DEFAULT] key visible as a fallback in every other
# section of this file, so names here must not clash with option names that the
# individual filters read from their own sections.
#
# Two kinds of substitution appear below: %(name)s is configparser
# interpolation resolved each time the file is loaded (hence %% for a literal
# percent sign), and %%{name} is presumably a placeholder filled in when this
# template is rendered by paster - confirm against the template's variable list.
[DEFAULT]
portNum = %%{portNumber}
# hostname and scheme are not used by any %(...)s expression in this file;
# presumably read directly by application code from the section config - verify
hostname = localhost
scheme = https
baseURI = %%{baseURI}
# Relative path appended to baseURI to form OpenID identity URIs; reused by the
# OpenID Provider section's yadis/serveryadis paths and identityUriTemplate
openIDProviderIDBase = openid/

# The default OpenID set in the Relying Party form text field.  As shown it is
# set so that the special IDSelect mode can be used where the user enters only
# the portion of the URI identifying their Provider instead of their full
# OpenID URI
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s


# Beaker session is used across multiple sections so is set here to ensure
# consistency
beakerSessionKeyName = beaker.session.ndg.security.services

# Environ dict key name for Attribute Authority's SAML attribute query callback
attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface

# Similarly the environ key name for the Authorisation Service's SAML
# authorisation decision query callback
authzDecisionQueryInterfaceEnvironKeyName = ndg.security.server.wsgi.authz.service.authzDecisionQueryInterface

# This is set to a test SQLite database - alter as needed.  The same connection
# string is reused by the OpenID Provider and Attribute Authority sections below.
dbConnectionString = sqlite:///%(here)s/user.db

# Once the template has been rendered, the two secrets below sit in this file in
# clear text: keep the file readable only by the service account and rotate the
# values if the file is ever copied or committed elsewhere.
#
# AuthKit Cookie secret used to secure it.  This secret must be the same as the
# one used in the equivalent secured application(s) ini file(s) that use this
# ini file's OpenID Relying Party and SSL authentication service.  This is
# because the cookie is shared between the secured app(s) and this app so that
# a user's OpenID can be communicated between them.
authkitCookieSecret = %%{authkitCookieSecret}

# Secret for OpenID Provider cookie
beakerSessionCookieSecret = %%{beakerSessionCookieSecret}

# Paste's plain HTTP server.  scheme = https in [DEFAULT] and the proxy notes in
# the SSLClientAuthenticationFilter section imply that TLS is terminated in
# front of this process rather than by it.
[server:main]
use = egg:Paste#http
# 0.0.0.0 listens on every interface; narrow this to 127.0.0.1 when the service
# is only ever reached through a local reverse proxy.
host = 0.0.0.0
port = %(portNum)s

# Uncomment and replace OpenIDProviderApp with OpenIDProviderFilterApp in the
# pipeline below if the RelyingParty filter is removed.  The RelyingParty
# provides static content to both it and the Provider in this configuration.
# See the openid.relyingparty.signinInterface.staticContentRootDir setting in
# the OpenIDRelyingPartyFilter section
#[filter-app:OpenIDProviderFilterApp]
#use = egg:Paste#httpexceptions
#next = cascade
#
## Composite for OpenID Provider to enable settings for picking up static
## content.  Nb. the Paste Deploy section type is 'composite:'; the original
## template spelt it 'composit:', which Paste Deploy would not recognise.
#[composite:cascade]
#use = egg:Paste#cascade
#app1 = OpenIDProviderApp
#app2 = OpenIDProviderStaticContent
#catch = 404
#
#[app:OpenIDProviderStaticContent]
#use = egg:Paste#static
#document_root = %(here)s/openidprovider

# Ordering of filters and final app is critical: each filter wraps everything
# listed after it, so a request passes down the list in order and the last
# entry, OpenIDProviderApp, is the terminal application.  In particular the SSL
# client-certificate filters sit above the OpenID Relying Party so that a
# presented certificate is tried before OpenID sign-in is offered (see
# ssl.rePathMatchList below), and SessionMiddlewareFilter precedes every
# component that looks the Beaker session up in environ via beakerSessionKeyName.
[pipeline:main]
pipeline = AttributeAuthorityFilter
           AttributeAuthoritySamlSoapBindingFilter
           AuthorisationServiceFilter
           AuthorisationSamlSoapBindingFilter
           SessionMiddlewareFilter
           SSLClientAuthKitFilter
           SSLClientAuthenticationFilter
           SSLClientAuthnRedirectResponseFilter
           OpenIDRelyingPartyFilter
           OpenIDProviderApp

#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider, and by the OpenID Relying
# Party and SSL redirect filters, which all reference it through environ_key)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware
# Name of the session cookie
beaker.session.key = openid
# Cookie signing secret - defined once in [DEFAULT]
beaker.session.secret = %(beakerSessionCookieSecret)s

# Locations for the cache data and for saved sessions - adjust as needed
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
beaker.session.cookie_expires = True

# NOTE(review): no 'secure' or 'httponly' cookie flags are set here.  With
# scheme = https in [DEFAULT], adding beaker.session.secure = True (and
# beaker.session.httponly = True where the installed Beaker supports it) keeps
# the session cookie off plain-HTTP requests and out of reach of page scripts.
# Leave them unset only for local plain-HTTP testing.

# Key name for keying into environ dictionary
environ_key = %(beakerSessionKeyName)s

#______________________________________________________________________________
# Sets AuthKit cookie for SSL Client based authentication method
[filter:SSLClientAuthKitFilter]
paste.filter_app_factory = authkit.authenticate:middleware

# AuthKit Set-up
setup.method=cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app, and with the
# authkit.cookie.* settings in the OpenIDRelyingPartyFilter section below,
# which set the same cookie
cookie.name=ndg.security.auth

cookie.secret=%(authkitCookieSecret)s
cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place.
# With this off the signed cookie is not tied to the client's address, so its
# protection rests on the secret and on only ever carrying it over TLS.
cookie.includeip = False

#______________________________________________________________________________
# SSL Client Certificate based authentication is invoked if the client passed
# a certificate with request.  This bypasses OpenID based authentication
[filter:SSLClientAuthenticationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.ssl:AuthKitSSLAuthnMiddleware
prefix = ssl.

# Apply verification against a list of trusted CAs.  To skip this step, comment
# out or remove this item.  e.g. set CA verification in the Apache config file.
# Only skip it when the TLS terminator in front of this service is known to
# verify client certificates itself; otherwise a presented certificate would
# pass through here without a trust check (inferred from this comment - confirm
# in AuthKitSSLAuthnMiddleware).  The file name below is presumably an OpenSSL
# hash-style name for the trusted CA certificate.
ssl.caCertFilePathList = %(here)s/pki/ca/d573507a.0

# Apply whitelisting of client certificate DNs.  This should never be needed in
# this context.  The only reason to use it might be as a means to set a crude
# access control list of DNs
#ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=mytest /O=gabriel/OU=BADC/CN=test /O=NDG/OU=BADC/CN=test

# The 'HTTP_' prefix is set when passed through a proxy with Apache, for example
# if it's possible to run this ini file with paster and expose it through port
# 443 via ProxyPass and ProxyPassReverse Apache directives.  These environ keys
# then originate from request headers set by the proxy, so enable them only when
# this process is reachable solely through that proxy.
#ssl.sslKeyName = HTTP_HTTPS
#ssl.sslClientCertKeyName = HTTP_SSL_CLIENT_CERT

# Set the intercept URI.  Request URIs matching this pattern will be processed
# by this filter.  The pattern is set here to match the URI that would normally
# be processed by the OpenID Relying Party.  If this filter finds a client
# cert set from the SSL handshake it will apply authentication based on this, if
# not it will let the request pass by and on to the OpenID Relying Party.  The
# latter is then therefore the default and 'catch all' for authentication
# requests.
ssl.rePathMatchList = ^/verify.*

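#______________________________________________________________________________
# OpenID Relying Party.  This filter is set to run over SSL so that it can work
# together with the SSL Client Authentication filter above so that tandem
# authentication methods are supported.  It can be invoked from a HTTP app by
# the ndg.security.server.wsgi.authn.AuthenticationMiddleware which causes a
# redirect to this endpoint.
#
# Every option in this section uses 'key = value'.  The original template mixed
# ':' and '=' delimiters (and spaced/unspaced forms) for the Attribute Exchange
# entries; configparser treats both the same, but the mix made it hard to tell
# option names from the URIs they carry.
[filter:OpenIDRelyingPartyFilter]
paste.filter_app_factory =
        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

openid.relyingparty.baseURL = %(authkit.openid.baseurl)s

# Uncomment to restrict sign in to a whitelist of trusted OpenID Providers.
# While this is commented out, sign-in is accepted from whichever OpenID
# Provider the user names.
#openid.relyingparty.idpWhitelistConfigFilePath = %(here)s/openidrelyingparty/ssl-idp-validator.xml

openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.genshi.GenshiSigninTemplate

# Nb. in this configuration, this directory provides static content for both
# this filter and the OpenID Provider app downstream in the WSGI stack.
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/public

openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
openid.relyingparty.signinInterface.heading = OpenID Sign-in
#openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
#openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
#openid.relyingparty.signinInterface.leftLink = http://ndg.nerc.ac.uk/
#openid.relyingparty.signinInterface.leftImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif

# This setting will accept HTML mark-up (so it is presumably rendered
# unescaped): keep it to static text chosen by the deployer.
openid.relyingparty.signinInterface.footerText = This site is for test purposes only.   <a class="FooterLink" href="http://openid.net/what/" target="_blank"><small>What is OpenID?</small></a>
openid.relyingparty.signinInterface.rightLink = http://ceda.ac.uk/
openid.relyingparty.signinInterface.rightImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/CEDA_RightButton60.png
openid.relyingparty.signinInterface.rightAlt = Centre for Environmental Data Archival
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit Set-up
authkit.setup.method = openid, cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app (and with the
# SSLClientAuthKitFilter section above, which sets the same cookie)
authkit.cookie.name = ndg.security.auth

authkit.cookie.secret = %(authkitCookieSecret)s
authkit.cookie.signoutpath = /logout
#authkit.cookie.params.domain = .localhost

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
authkit.cookie.includeip = False

authkit.openid.path.signedin = /
authkit.openid.store.type = file
authkit.openid.store.config = %(here)s/openidrelyingparty/store
authkit.openid.session.key = authkit_openid
authkit.openid.session.secret = %%{openidRelyingPartyCookieSecret}

# Key name for dereferencing beaker.session object held in environ
authkit.openid.session.middleware = %(beakerSessionKeyName)s

authkit.openid.baseurl = %(baseURI)s

# Attribute Exchange - all are optional unless the relevant ax.required.<name>
# is set to True.  The alias defers to the parameter name given unless explicitly
# specified - see commented out entry for firstName below.  The number of
# attributes for each attribute name defaults to 1 unless otherwise set
#authkit.openid.ax.typeuri.firstName = http://openid.net/schema/namePerson/first
#authkit.openid.ax.alias.firstName = firstName
##authkit.openid.ax.count.firstName = 1
#authkit.openid.ax.required.firstName = True
#authkit.openid.ax.typeuri.lastName = http://openid.net/schema/namePerson/last
#authkit.openid.ax.alias.lastName = lastName
#authkit.openid.ax.required.lastName = True
#authkit.openid.ax.typeuri.emailAddress = http://openid.net/schema/contact/internet/email
#authkit.openid.ax.alias.emailAddress = emailAddress
#authkit.openid.ax.required.emailAddress = True

# ESG Gateway requested parameters
authkit.openid.ax.typeuri.uuid = http://openid.net/schema/person/guid
authkit.openid.ax.alias.uuid = uuid
authkit.openid.ax.typeuri.username = http://openid.net/schema/namePerson/friendly
authkit.openid.ax.alias.username = username
authkit.openid.ax.typeuri.firstname = http://openid.net/schema/namePerson/first
authkit.openid.ax.alias.firstname = firstname
authkit.openid.ax.required.firstname = True
authkit.openid.ax.typeuri.middlename = http://openid.net/schema/namePerson/middle
authkit.openid.ax.alias.middlename = middlename
authkit.openid.ax.typeuri.lastname = http://openid.net/schema/namePerson/last
authkit.openid.ax.required.lastname = True
authkit.openid.ax.alias.lastname = lastname
authkit.openid.ax.typeuri.email = http://openid.net/schema/contact/internet/email
authkit.openid.ax.required.email = True
authkit.openid.ax.alias.email = email
authkit.openid.ax.typeuri.gateway = http://www.earthsystemgrid.org/gateway
authkit.openid.ax.alias.gateway = gateway
authkit.openid.ax.typeuri.organization = http://openid.net/schema/company/name
authkit.openid.ax.alias.organization = organization
authkit.openid.ax.typeuri.city = http://openid.net/schema/contact/city/home
authkit.openid.ax.alias.city = city
authkit.openid.ax.typeuri.state = http://openid.net/schema/contact/state/home
authkit.openid.ax.alias.state = state
authkit.openid.ax.typeuri.country = http://openid.net/schema/contact/country/home
authkit.openid.ax.alias.country = country
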
#______________________________________________________________________________
# Redirect to original requested URI following SSL Client Authentication.  This
# filter must be placed AFTER the AuthKit cookie setting middleware.  In this
# case here it's configured in the OpenIDRelyingPartyMiddleware filter.  If the
# OpenID Relying Party filter is removed, a separate AuthKit middleware entry
# would need to be made so that this redirect filter can still function
[filter:SSLClientAuthnRedirectResponseFilter]
paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthKitRedirectResponseMiddleware
prefix = ssl.
# Environ key under which the Beaker session (see SessionMiddlewareFilter) is
# found; the original request URI to return to is presumably held there
ssl.sessionKey = %(beakerSessionKeyName)s

#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderApp]
paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory

# URI paths served by the Provider
openid.provider.path.openidserver=/OpenID/Provider/server
openid.provider.path.login=/OpenID/Provider/login
openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path may be set to a page with
# <link rel="openid.server" href="..."> and Yadis
# <meta http-equiv="x-xrds-location" content="..."> links if required but in
# this implementation it is set to return 404 not found - see
# ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
# class.  ${userIdentifier} is a placeholder for the Provider, not configparser
# interpolation.
openid.provider.path.id=/OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis=%(openIDProviderIDBase)s${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis=%(openIDProviderIDBase)s
openid.provider.path.allow=/OpenID/Provider/allow
openid.provider.path.decide=/OpenID/Provider/decide
openid.provider.path.mainpage=/OpenID/Provider/home

# Environ key for the Beaker session - see SessionMiddlewareFilter
openid.provider.session_middleware=%(beakerSessionKeyName)s
openid.provider.base_url=%(baseURI)s

# Enable login to construct an identity URI if IDSelect mode was chosen and
# no identity URI was passed from the Relying Party.  This value should
# match openid.provider.path.id and/or openid.provider.path.yadis - see above
identityUriTemplate=%(baseURI)s%(openIDProviderIDBase)s${userIdentifier}

# Tracing flag (presumably debug output) - keep False outside development
openid.provider.trace=False
openid.provider.consumer_store_dirpath=%(here)s/openidprovider

# A custom rendering class can be plugged in here.  A Genshi based renderer is
# currently set
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

# Template directory
openid.provider.rendering.templateRootDir = %(here)s/openidprovider/templates

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png
openid.provider.rendering.footerText = This site is for test purposes only.
openid.provider.rendering.rightLink = http://ceda.ac.uk/
openid.provider.rendering.rightImage = %(openid.provider.rendering.baseURL)s/layout/CEDA_RightButton60.png
openid.provider.rendering.rightAlt = Centre for Environmental Data Archival

# SQLAlchemy based authentication interface
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sqlalchemy_authn.SQLAlchemyAuthnInterface

# See the connection string setting set in the DEFAULT section
openid.provider.authN.connectionString=%(dbConnectionString)s

# NOTE(review): ${username} and ${password} are substituted into the query
# text below.  Unless SQLAlchemyAuthnInterface binds them as query parameters,
# a crafted login value can change the meaning of the statement - confirm how
# the substitution is done before pointing this at anything but the test
# database.
openid.provider.authN.logonSqlQuery=select count(*) from users where username = '${username}' and md5password = '${password}'
openid.provider.authN.username2UserIdentifierSqlQuery=select openid_identifier from users where username = '${username}'

# Set to true if the password in the database is MD5 encrypted.  MD5 here is an
# unsalted, fast digest, so stored passwords offer little protection if the
# database is exposed; prefer a salted password hash where the interface allows.
openid.provider.authN.isMD5EncodedPwd=True

# This is a simpler interface which takes its settings from INI parameters
# instead of a database
#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface

# This setting applies to the BasicAuthNInterface only
# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# one alias at a time may be registered with a given Attribute Authority.
# The commented examples below carry test credentials - drop them from any
# deployed copy of this file.
#openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs
#openid.provider.usercreds=pjk:test

# Attribute Exchange interface - extract attributes from a database based on the
# username of the client
openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.sqlalchemy_ax.SQLAlchemyAXInterface
openid.provider.axResponse.connectionString=%(dbConnectionString)s

# Ordering is important here: the query results and names fields should exactly
# map one to the other.  The same ${username} substitution caveat as for the
# logon query above applies.
openid.provider.axResponse.sqlQuery = select firstname, lastname, emailaddress from users where username = '${username}'
openid.provider.axResponse.attributeNames=http://openid.net/schema/namePerson/first
    http://openid.net/schema/namePerson/last
    http://openid.net/schema/contact/internet/email

# This is an alternative simple CSV file based AX interface class
#openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.csv.CSVFileAXInterface
#openid.provider.axResponse.csvFilePath=%(here)s/openidprovider/attributeexchange.csv

# This setting can be used to enable the confirmation form to be omitted for
# known Relying Parties (RP)s.  The confirmation form is part of the user
# interface which prompts the user to confirm they wish to return their
# credentials back to the given RP.  Listing an RP here skips that user
# decision, so each entry should be an exact HTTPS URI the deployer controls;
# the hosts below are placeholders for a test set-up.
openid.provider.trustedRelyingParties=https://localhost:7443, https://ndg.somewhere.ac.uk,
        https://badc.somewhere.ac.uk

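#______________________________________________________________________________
# Attribute Authority WSGI settings
#
# This filter publishes an Attribute Authority instance as a key in environ
# to enable the SAML query interface middleware to access and invoke it.
#
# Delimiters in this section are normalised to '=' (the original mixed ':' and
# '='; configparser treats both the same).
[filter:AttributeAuthorityFilter]
paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
prefix = attributeAuthority.

# Lifetime is measured in seconds for attribute assertions made (28800 = 8 hours)
attributeAuthority.assertionLifetime = 28800

# Key name for the SAML SOAP binding based query interface to reference this
# service's attribute query method
attributeAuthority.environKeyNameAttributeQueryInterface = %(attributeQueryInterfaceEnvironKeyName)s

# Attribute Interface - determines how a given attribute query interfaces with a
# backend database or other persistent store.  The one here is an SQLAlchemy
# based one.  The database connection string is the global setting - see the
# DEFAULT section.
attributeAuthority.attributeInterface.connectionString = %(dbConnectionString)s
attributeAuthority.attributeInterface.className = ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface

# This does a sanity check to ensure the subject of the query is known to this
# authority.
# NOTE(review): ${userId} here and in the queries below is the SAML subject
# NameID supplied by the requestor.  Unless SQLAlchemyAttributeInterface binds
# it as a query parameter, the value is spliced straight into the SQL text -
# confirm before exposing the service beyond the requestor DN whitelist below.
attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}'

# Map the given SAML attributes identifiers to the equivalent SQL query to
# retrieve them.  Any number can be set.  They should have the form,
#
# attributeAuthority.attributeInterface.samlAttribute2SqlQuery.<id>
#
# where <id> can be any unique string.  The userId string is the value passed
# from the client subject NameID field.  Each value is a pair of double-quoted
# strings - the SAML attribute name and its SQL query; the quotes are part of
# the raw value and are presumably split apart by the attribute interface.
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where openid = '${userId}'"

# Set the permissible requestor Distinguished Names as set in the SAML client
# query issuer field.  Comment out or remove if this is not required.  Nb. the
# issuer field is asserted by the client in the query itself, so filtering of
# clients can be more securely applied by whitelisting at the SSL level.
attributeAuthority.attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority,
                                                           /O=Site B/CN=Authorisation Service,
                                                           /CN=test/O=NDG/OU=BADC,
                                                           /O=NDG/OU=Security/CN=localhost

# Alternate custom AttributeInterface derived class to get user roles for given
# user ID
#attributeAuthority.attributeInterface.modFilePath = %(here)s/attributeauthority/sitea
#attributeAuthority.attributeInterface.modName = siteAUserRoles
#attributeAuthority.attributeInterface.className = TestUserRoles
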
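# SAML SOAP Binding to the Attribute Authority
#
# Delimiters in this section are normalised to '=' (the original mixed ':' and
# '='; configparser treats both the same).
[filter:AttributeAuthoritySamlSoapBindingFilter]
paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
prefix = saml.soapbinding.

# Callback to deserialise a string format query received from the client into
# the relevant ElementTree instance
saml.soapbinding.deserialise = ndg.saml.xml.etree:AttributeQueryElementTree.fromXML

# Corresponding callback to serialise an ElementTree instance response into a
# string ready for dispatch back to the client
#
# Specialisation to incorporate ESG Group/Role type.  The deserialise method
# doesn't need any specialised setting because no custom ESG types are required
# in order to invoke it
saml.soapbinding.serialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.toXML

# Equivalent serialise setting if no ESG customisation is required.  The
# original template listed this as a 'deserialise' entry pointing at a toXML
# callback, which did not match; cf. saml.serialise in the
# AuthorisationSamlSoapBindingFilter section.
#saml.soapbinding.serialise = ndg.saml.xml.etree:ResponseElementTree.toXML

# Path following the FQDN from which this service will be mounted
saml.soapbinding.mountPath = %%{attributeServiceMountPoint}

# The key name for the environ dict item holding the Attribute Authority's
# query callback method.  See the Attribute Authority filter.
saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s

# Clock skew for SAML Attribute Queries - allow clockSkew number of seconds
# tolerance for query issueInstant parameter. Set here to 3 minutes
saml.soapbinding.clockSkewTolerance = 180.0

# The issuer name for this Attribute Authority expressed as a X.509 subject
# name.  See ndg.saml.saml2.core or the SAML 2.0 spec for alternatives.
saml.soapbinding.issuerName = /O=Site A/CN=Attribute Authority
saml.soapbinding.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
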
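#______________________________________________________________________________
# SAML/SOAP query interface to the Authorisation Service
[filter:AuthorisationSamlSoapBindingFilter]
paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
prefix = saml.

# The URI path for this service
saml.mountPath = %%{authorisationServiceMountPoint}

# The key name in environ which the upstream authorisation service must assign
# to its authorisation query callback - see the AuthorisationServiceFilter
# settings below...
saml.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s

# ElementTree based XML parsing and serialisation used for SAML messages
saml.deserialise = ndg.saml.xml.etree:AuthzDecisionQueryElementTree.fromXML
saml.serialise = ndg.saml.xml.etree:ResponseElementTree.toXML

# Sets the identity of THIS authorisation service when filling in SAML responses.
# Both options are read under the 'saml.' prefix declared above (compare
# saml.soapbinding.issuerName / issuerFormat in the Attribute Authority binding
# section, which uses the same middleware).  The original template named the
# first one samlIssuerName, which the prefix would not match - confirm against
# SOAPQueryInterfaceMiddleware if the issuer still comes out unset.
saml.issuerName = %%{authorisationServiceIssuerName}
saml.issuerFormat = %%{authorisationServiceIssuerFormat}
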
#______________________________________________________________________________
# Authorisation Service WSGI settings
#
# This filter is a container for a binding to a SOAP/SAML based interface to the
# Authorisation Service.  It contains a XACML Context handler which manages
# requests from Policy Enforcement Points to the PDP and also enables the PDP
# to make attribute queries to Policy Information Point
[filter:AuthorisationServiceFilter]
paste.filter_app_factory = ndg.security.server.wsgi.authz.service:AuthorisationServiceMiddleware.filter_app_factory
prefix = authz.

# Expose this filter's authorisation decision query callback via this key name
# in environ
authz.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s

# Lifetime for authorisation assertions issued from this service (seconds;
# 86400 = 24 hours).
# NOTE(review): authz.ctx_handler.assertionLifetime below carries the same
# value - confirm which of the two the middleware reads and keep them in step.
authz.xacmlContext.assertionLifetime = 86400

#
# XACML Context handler manages PEP (Policy Enforcement Point) requests and the
# PDP's (Policy Decision Point's) interface to the PIP (Policy Information
# Point)

# XACML Policy file
authz.ctx_handler.policyFilePath = %(here)s/policy.xml

# Settings for SAML authorisation decision response to a Policy Enforcement Point
# making a decision query
authz.ctx_handler.issuerName = /O=Site A/CN=Authorisation Service
authz.ctx_handler.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
authz.ctx_handler.assertionLifetime = 86400

#
# Policy Information Point interface settings
#
# The Context handler is a client to the PIP, passing on attribute queries
# on behalf of the PDP onwards to the PIP

# The PIP can cache assertions retrieved from Attribute Authority calls to
# optimise performance.  Set this flag to True/False to enable/disable caching
# respectively.  If this setting is omitted it defaults to True
authz.ctx_handler.pip.cacheSessions = True

# Set the directory for cached information to be stored.  This option is
# ignored if 'cacheSessions' is set to False.  If this setting is omitted, then
# sessions will be cached in memory only.  If the service is stopped all cached
# information would be lost.  Cached assertions are user attribute data, so the
# directory should not be readable by other accounts on the host.
authz.ctx_handler.pip.sessionCacheDataDir = %(here)s/pip-session-cache

# Set timeout (seconds) for a cached session - following the timeout any existing
# session will be deleted.  This option is ignored if
# authz.ctx_handler.pip.cacheSessions = False or is omitted.  If this option is
# omitted, no timeout is set.  If none is set and
# authz.ctx_handler.pip.sessionCacheDataDir is set, sessions will be effectively
# cached permanently(!) only an assertion expiry could invalidate a given assertion
# previously cached.  Note that a cached assertion also delays the effect of an
# attribute being revoked at the Attribute Authority by up to this timeout.
authz.ctx_handler.pip.sessionCacheTimeout = 3600

# Allow for a clock skew of +/- 3 seconds when checking validity times of
# SAML assertions cached from attribute service queries
authz.ctx_handler.pip.sessionCacheAssertionClockSkewTol = 3.0

#
# Attribute ID -> Attribute Authority mapping file.  The PIP, on receipt of a
# query from the XACML context handler, checks the attribute(s) being queried
# for and looks up this mapping to determine which attribute authority to query
# to find out if the subject has the attribute in their entitlement
authz.ctx_handler.pip.mappingFilePath = %(here)s/pip-mapping.txt

# The attribute ID of the subject value to extract from the XACML request
# context and pass in the SAML attribute query
authz.ctx_handler.pip.subjectAttributeId = urn:esg:openid

# Issuer identity the PIP places in its SAML attribute queries - reuses the
# context handler's values set above
authz.ctx_handler.pip.attributeQuery.issuerName = %(authz.ctx_handler.issuerName)s
authz.ctx_handler.pip.attributeQuery.issuerFormat = %(authz.ctx_handler.issuerFormat)s

# Enable support for ESGF Group/Role Attribute Value in SAML Attribute queries
authz.ctx_handler.pip.attributeQuery.deserialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.fromXML

# These settings configure SSL mutual authentication for the query to the SAML
# Attribute Authority.  localhost.key is this service's client private key and
# must be readable only by the service account; sslCACertDir holds the CA
# certificates the Attribute Authority's server certificate is checked against.
authz.ctx_handler.pip.attributeQuery.sslCertFilePath = %(here)s/pki/localhost.crt
authz.ctx_handler.pip.attributeQuery.sslPriKeyFilePath = %(here)s/pki/localhost.key
authz.ctx_handler.pip.attributeQuery.sslCACertDir = %(here)s/pki/ca

#______________________________________________________________________________
# Logging configuration
#
# These sections are read by logging.config.fileConfig (presumably via paster
# serve), not by Paste Deploy: the %(...)s fields in the formatter are logging
# record attributes, which fileConfig fetches raw, and each handler's args tuple
# is evaluated as a Python expression, which is why sys and os are usable there.
[loggers]
keys = root, ndg

[handlers]
keys = console, logfile

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

# NOTE(review): the ndg namespace logs at DEBUG; fine for this test
# configuration, but raise to INFO in a deployment unless the extra detail
# (request and assertion contents may appear) is wanted in the console log.
[logger_ndg]
level = DEBUG
# No handler of its own - records propagate to the root console handler
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s.%(msecs)03d %(levelname)-7.7s [%(name)s:%(lineno)s] %(message)s
datefmt = %Y-%m-%d %H:%M:%S

# Declared but not attached to any logger above; add it to a logger's handlers
# list to enable it.  Args: path, mode, maxBytes (50000), backupCount (2) - a
# small rotation budget for a service logging at DEBUG.
[handler_logfile]
class = handlers.RotatingFileHandler
level=NOTSET
formatter=generic
args=(os.path.join('%(here)s', 'log', 'service.log'), 'a', 50000, 2)