1 | # |
---|
2 | # Title: NERC DataGrid Security Paste INI file template for all services |
---|
3 | # |
---|
4 | # Description: Paste configuration for combined SAML Attribute Authority and |
---|
5 | # Authorisation Services, OpenID Relying Party and Provider |
---|
6 | # services and SSL client authentication filters. This is for |
---|
7 | # test purposes only. A production system might deploy these on |
---|
8 | # different hosts or separate WSGI scripts. |
---|
9 | # |
---|
10 | # The %(here)s variable will be replaced with the parent directory |
---|
11 | # of this file |
---|
12 | # |
---|
13 | # Author: P J Kershaw |
---|
14 | # Date: 01/07/09 |
---|
15 | # Copyright: (C) 2009 Science and Technology Facilities Council |
---|
16 | # license: BSD - see LICENSE file in top-level directory |
---|
17 | # Contact: Philip.Kershaw@stfc.ac.uk |
---|
18 | # Revision: $Id$ |
---|
19 | |
---|
20 | # Settings global to all sections |
---|
21 | [DEFAULT] |
---|
22 | portNum = 7443 |
---|
23 | hostname = localhost |
---|
24 | scheme = https |
---|
25 | baseURI = %(scheme)s://%(hostname)s:%(portNum)s/ |
---|
26 | openIDProviderIDBase = openid/ |
---|
27 | |
---|
28 | # The default OpenID set in the Relying Party form text field. As shown it is |
---|
29 | # set so that the special IDSelect mode can be used where the user enters only |
---|
30 | # the portion of the URI identifying their Provider instead of their full |
---|
31 | # OpenID URI |
---|
32 | openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s |
---|
33 | testConfigDir = %(here)s/../../config |
---|
34 | |
---|
35 | # Beaker session is used across multiple sections so is set here to ensure |
---|
36 | # consistency |
---|
37 | beakerSessionKeyName = beaker.session.ndg.security.services |
---|
38 | |
---|
39 | # Environ dict key name for Attribute Authority's SAML attribute query callback |
---|
40 | attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface |
---|
41 | |
---|
42 | # Similarly the environ key name for the Authorisation Service's SAML |
---|
43 | # authorisation decision query callback |
---|
44 | authzDecisionQueryInterfaceEnvironKeyName = ndg.security.server.wsgi.authz.service.authzDecisionQueryInterface |
---|
45 | |
---|
46 | # This is set to a test SQLite database alter as needed |
---|
47 | dbConnectionString = sqlite:///%(testConfigDir)s/user.db |
---|
48 | |
---|
49 | # AuthKit Cookie secret used to secure it. This secret must be the same as the |
---|
50 | # one used in the equivalent secured application(s) ini file(s) that use this |
---|
51 | # ini file's OpenID Relying Party and SSL authentication service. This is |
---|
52 | # because the cookie is shared between the secured app(s) and this app so that |
---|
53 | # a user's OpenID can be communicated between them. |
---|
54 | authkitCookieSecret = 9wvZObs9anUEhSIAnJNoY2iJq59FfYZr |
---|
55 | |
---|
56 | # Secret for OpenID Provider cookie |
---|
57 | beakerSessionCookieSecret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU |
---|
58 | |
---|
59 | |
---|
60 | [server:main] |
---|
61 | use = egg:Paste#http |
---|
62 | host = 0.0.0.0 |
---|
63 | port = %(portNum)s |
---|
64 | |
---|
65 | # Uncomment and replace OpenIDProviderApp with OpenIDProviderFilterApp in the |
---|
66 | # pipeline below if the RelyingParty filter is removed. The RelyingParty |
---|
67 | # provides static content to both it and the Provider in this configuration. |
---|
68 | # See the staticContentDir setting in the OpenIDRelyingPartyFilter section |
---|
69 | #[filter-app:OpenIDProviderFilterApp] |
---|
70 | #use = egg:Paste#httpexceptions |
---|
71 | #next = cascade |
---|
72 | # |
---|
73 | ## Composite for OpenID Provider to enable settings for picking up static |
---|
74 | ## content |
---|
75 | #[composit:cascade] |
---|
76 | #use = egg:Paste#cascade |
---|
77 | #app1 = OpenIDProviderApp |
---|
78 | #app2 = OpenIDProviderStaticContent |
---|
79 | #catch = 404 |
---|
80 | # |
---|
81 | #[app:OpenIDProviderStaticContent] |
---|
82 | #use = egg:Paste#static |
---|
83 | #document_root = %(here)s/openidprovider |
---|
84 | |
---|
85 | # Ordering of filters and final app is critical |
---|
86 | [pipeline:main] |
---|
87 | pipeline = AttributeAuthorityFilter |
---|
88 | AttributeAuthoritySamlSoapBindingFilter |
---|
89 | AuthorisationServiceFilter |
---|
90 | AuthorisationSamlSoapBindingFilter |
---|
91 | SessionMiddlewareFilter |
---|
92 | SSLClientAuthKitFilter |
---|
93 | SSLClientAuthenticationFilter |
---|
94 | SSLClientAuthnRedirectResponseFilter |
---|
95 | OpenIDRelyingPartyFilter |
---|
96 | OpenIDProviderApp |
---|
97 | |
---|
98 | #______________________________________________________________________________ |
---|
99 | # Beaker Session Middleware (used by OpenID Provider) |
---|
100 | [filter:SessionMiddlewareFilter] |
---|
101 | paste.filter_app_factory=beaker.middleware:SessionMiddleware |
---|
102 | beaker.session.key = openid |
---|
103 | beaker.session.secret = %(beakerSessionCookieSecret)s |
---|
104 | |
---|
105 | # If you'd like to fine-tune the individual locations of the cache data dirs |
---|
106 | # for the Cache data, or the Session saves, un-comment the desired settings |
---|
107 | # here: |
---|
108 | beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache |
---|
109 | beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions |
---|
110 | beaker.session.cookie_expires = True |
---|
111 | |
---|
112 | # Key name for keying into environ dictionary |
---|
113 | environ_key = %(beakerSessionKeyName)s |
---|
114 | |
---|
115 | #______________________________________________________________________________ |
---|
116 | # Sets AuthKit cookie for SSL Client based authentication method |
---|
117 | [filter:SSLClientAuthKitFilter] |
---|
118 | paste.filter_app_factory = authkit.authenticate:middleware |
---|
119 | |
---|
120 | # AuthKit Set-up |
---|
121 | setup.method=cookie |
---|
122 | |
---|
123 | # This cookie name and secret MUST agree with the name used by the |
---|
124 | # Authentication Filter used to secure a given app |
---|
125 | cookie.name=ndg.security.auth |
---|
126 | |
---|
127 | cookie.secret=%(authkitCookieSecret)s |
---|
128 | cookie.signoutpath = /logout |
---|
129 | |
---|
130 | # Disable inclusion of client IP address from cookie signature due to |
---|
131 | # suspected problem with AuthKit setting it when a HTTP Proxy is in place |
---|
132 | cookie.includeip = False |
---|
133 | |
---|
134 | #______________________________________________________________________________ |
---|
135 | # SSL Client Certificate based authentication is invoked if the client passed |
---|
136 | # a certificate with request. This bypasses OpenID based authentication |
---|
137 | [filter:SSLClientAuthenticationFilter] |
---|
138 | paste.filter_app_factory = ndg.security.server.wsgi.ssl:AuthKitSSLAuthnMiddleware |
---|
139 | prefix = ssl. |
---|
140 | |
---|
141 | # Apply verification against a list of trusted CAs. To skip this step, comment |
---|
142 | # out or remove this item. e.g. set CA verification in the Apache config file. |
---|
143 | ssl.caCertFilePathList = %(testConfigDir)s/pki/ca/d573507a.0 |
---|
144 | |
---|
145 | # Apply whitelisting of client certificate DNs. This should never be needed in |
---|
146 | # this context. The only reason to use it might be as a means to set a crude |
---|
147 | # access control list of DNs |
---|
148 | #ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=mytest /O=gabriel/OU=BADC/CN=test /O=NDG/OU=BADC/CN=test |
---|
149 | |
---|
150 | # The 'HTTP_' prefix is set when passed through a proxy with Apache, for example |
---|
151 | # if it's possible to run this ini file with paster and expose it through port |
---|
152 | # 443 via ProxyPass and ProxyPassReverse Apache directives. |
---|
153 | #ssl.sslKeyName = HTTP_HTTPS |
---|
154 | #ssl.sslClientCertKeyName = HTTP_SSL_CLIENT_CERT |
---|
155 | |
---|
156 | # Set the intercept URI. Request URIs matching this pattern will be processed |
---|
157 | # by this filter. The pattern is set here to match the URI that would normally |
---|
158 | # be processed by the OpenID Relying Party. If this filter finds a client |
---|
159 | # cert set from the SSL handshake it will apply authentication based on this, if |
---|
160 | # not it will let the request pass by and on to the OpenID Relying Party. The |
---|
161 | # latter is then therefore the default and 'catch all' for authentication |
---|
162 | # requests. |
---|
163 | ssl.rePathMatchList = ^/verify.* |
---|
164 | |
---|
165 | #______________________________________________________________________________ |
---|
166 | # OpenID Relying Party. This filter is set to run over SSL so that it can work |
---|
167 | # together with the SSL Client Authentication filter above so that tandem |
---|
168 | # authentication methods are supported. It can be invoked from a HTTP app by |
---|
169 | # the ndg.security.server.wsgi.authn.AuthenticationMiddleware which causes a |
---|
170 | # redirect to this endpoint. |
---|
171 | [filter:OpenIDRelyingPartyFilter] |
---|
172 | paste.filter_app_factory = |
---|
173 | ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory |
---|
174 | |
---|
175 | openid.relyingparty.baseURL = %(authkit.openid.baseurl)s |
---|
176 | |
---|
177 | # Uncomment to restrict sign in to a whitelist of trusted OpenID Providers. |
---|
178 | #openid.relyingparty.idpWhitelistConfigFilePath = %(here)s/openidrelyingparty/ssl-idp-validator.xml |
---|
179 | |
---|
180 | openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.genshi.GenshiSigninTemplate |
---|
181 | |
---|
182 | # Nb. in this configuration, this directory is provider static content for both |
---|
183 | # this filter and the OpenID Provider app downstream in the WSGI stack. |
---|
184 | openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/public |
---|
185 | |
---|
186 | openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s |
---|
187 | openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s |
---|
188 | openid.relyingparty.signinInterface.heading = OpenID Sign-in |
---|
189 | #openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif |
---|
190 | #openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council |
---|
191 | #openid.relyingparty.signinInterface.leftLink = http://ndg.nerc.ac.uk/ |
---|
192 | #openid.relyingparty.signinInterface.leftImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif |
---|
193 | |
---|
194 | # This setting will accept HTML mark-up |
---|
195 | openid.relyingparty.signinInterface.footerText = This site is for test purposes only. <a class="FooterLink" href="http://openid.net/what/" target="_blank"><small>What is OpenID?</small></a> |
---|
196 | openid.relyingparty.signinInterface.rightLink = http://ceda.ac.uk/ |
---|
197 | openid.relyingparty.signinInterface.rightImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/CEDA_RightButton60.png |
---|
198 | openid.relyingparty.signinInterface.rightAlt = Centre for Environmental Data Archival |
---|
199 | openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png |
---|
200 | |
---|
201 | cache_dir = %(here)s/data |
---|
202 | |
---|
203 | # AuthKit Set-up |
---|
204 | authkit.setup.method=openid, cookie |
---|
205 | |
---|
206 | # This cookie name and secret MUST agree with the name used by the |
---|
207 | # Authentication Filter used to secure a given app |
---|
208 | authkit.cookie.name=ndg.security.auth |
---|
209 | |
---|
210 | authkit.cookie.secret=%(authkitCookieSecret)s |
---|
211 | authkit.cookie.signoutpath = /logout |
---|
212 | #authkit.cookie.params.domain = .localhost |
---|
213 | |
---|
214 | # Disable inclusion of client IP address from cookie signature due to |
---|
215 | # suspected problem with AuthKit setting it when a HTTP Proxy is in place |
---|
216 | authkit.cookie.includeip = False |
---|
217 | |
---|
218 | authkit.openid.path.signedin=/ |
---|
219 | authkit.openid.store.type=file |
---|
220 | authkit.openid.store.config=%(here)s/openidrelyingparty/store |
---|
221 | authkit.openid.session.key = authkit_openid |
---|
222 | authkit.openid.session.secret = random string |
---|
223 | |
---|
224 | # Key name for dereferencing beaker.session object held in environ |
---|
225 | authkit.openid.session.middleware = %(beakerSessionKeyName)s |
---|
226 | |
---|
227 | authkit.openid.baseurl = %(baseURI)s |
---|
228 | |
---|
229 | # Attribute Exchange - all are optional unless the relevant ax.required.<name> |
---|
230 | # is set to True. The alias defers to the parameter name given unless explicity |
---|
231 | # specified - see commented out entry for firstName below. The number of |
---|
232 | # attributes for each attribute name defaults to 1 unless otherwise set |
---|
233 | #authkit.openid.ax.typeuri.firstName=http://openid.net/schema/namePerson/first |
---|
234 | #authkit.openid.ax.alias.firstName=firstName |
---|
235 | ##authkit.openid.ax.count.firstName=1 |
---|
236 | #authkit.openid.ax.required.firstName=True |
---|
237 | #authkit.openid.ax.typeuri.lastName=http://openid.net/schema/namePerson/last |
---|
238 | #authkit.openid.ax.alias.lastName=lastName |
---|
239 | #authkit.openid.ax.required.lastName=True |
---|
240 | #authkit.openid.ax.typeuri.emailAddress=http://openid.net/schema/contact/internet/email |
---|
241 | #authkit.openid.ax.alias.emailAddress=emailAddress |
---|
242 | #authkit.openid.ax.required.emailAddress=True |
---|
243 | |
---|
244 | # ESG Gateway requested parameters |
---|
245 | authkit.openid.ax.typeuri.uuid:http://openid.net/schema/person/guid |
---|
246 | authkit.openid.ax.alias.uuid=uuid |
---|
247 | authkit.openid.ax.typeuri.username:http://openid.net/schema/namePerson/friendly |
---|
248 | authkit.openid.ax.alias.username=username |
---|
249 | authkit.openid.ax.typeuri.firstname:http://openid.net/schema/namePerson/first |
---|
250 | authkit.openid.ax.alias.firstname=firstname |
---|
251 | authkit.openid.ax.required.firstname:True |
---|
252 | authkit.openid.ax.typeuri.middlename:http://openid.net/schema/namePerson/middle |
---|
253 | authkit.openid.ax.alias.middlename=middlename |
---|
254 | authkit.openid.ax.typeuri.lastname:http://openid.net/schema/namePerson/last |
---|
255 | authkit.openid.ax.required.lastname:True |
---|
256 | authkit.openid.ax.alias.lastname=lastname |
---|
257 | authkit.openid.ax.typeuri.email:http://openid.net/schema/contact/internet/email |
---|
258 | authkit.openid.ax.required.email:True |
---|
259 | authkit.openid.ax.alias.email=email |
---|
260 | authkit.openid.ax.typeuri.gateway:http://www.earthsystemgrid.org/gateway |
---|
261 | authkit.openid.ax.alias.gateway=gateway |
---|
262 | authkit.openid.ax.typeuri.organization:http://openid.net/schema/company/name |
---|
263 | authkit.openid.ax.alias.organization=organization |
---|
264 | authkit.openid.ax.typeuri.city:http://openid.net/schema/contact/city/home |
---|
265 | authkit.openid.ax.alias.city=city |
---|
266 | authkit.openid.ax.typeuri.state:http://openid.net/schema/contact/state/home |
---|
267 | authkit.openid.ax.alias.state=state |
---|
268 | authkit.openid.ax.typeuri.country:http://openid.net/schema/contact/country/home |
---|
269 | authkit.openid.ax.alias.country=country |
---|
270 | |
---|
271 | #______________________________________________________________________________ |
---|
272 | # Redirect to original requested URI following SSL Client Authentication. This |
---|
273 | # filter must be placed AFTER the AuthKit cookie setting middleware. In this |
---|
274 | # case here it's configured in the OpenIDRelyingPartyMiddleware filter. If the |
---|
275 | # OpenID Relying Party filter is removed, a separate AuthKit middleware entry |
---|
276 | # would need to be made so that this redirect filter can still function |
---|
277 | [filter:SSLClientAuthnRedirectResponseFilter] |
---|
278 | paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthKitRedirectResponseMiddleware |
---|
279 | prefix = ssl. |
---|
280 | ssl.sessionKey = %(beakerSessionKeyName)s |
---|
281 | |
---|
282 | #______________________________________________________________________________ |
---|
283 | # OpenID Provider WSGI Settings |
---|
284 | [app:OpenIDProviderApp] |
---|
285 | paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory |
---|
286 | |
---|
287 | openid.provider.path.openidserver=/OpenID/Provider/server |
---|
288 | openid.provider.path.login=/OpenID/Provider/login |
---|
289 | openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit |
---|
290 | |
---|
291 | # Yadis based discovery only - the 'id' path is configured may be set to page |
---|
292 | # with <link rel="openid.server" href="..."> and Yadis |
---|
293 | # <meta http-equiv="x-xrds-location" content="..."> links if required but in |
---|
294 | # this implementation it set to return 404 not found - see |
---|
295 | # ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering |
---|
296 | # class |
---|
297 | openid.provider.path.id=/OpenID/Provider/id/${userIdentifier} |
---|
298 | openid.provider.path.yadis=%(openIDProviderIDBase)s${userIdentifier} |
---|
299 | |
---|
300 | # Yadis based discovery for idselect mode - this is where the user has entered |
---|
301 | # a URI at the Relying Party which identifies their Provider only and not their |
---|
302 | # full ID URI. e.g. https://badc.nerc.ac.uk instead of |
---|
303 | # https://badc.nerc.ac.uk/John |
---|
304 | openid.provider.path.serveryadis=%(openIDProviderIDBase)s |
---|
305 | openid.provider.path.allow=/OpenID/Provider/allow |
---|
306 | openid.provider.path.decide=/OpenID/Provider/decide |
---|
307 | openid.provider.path.mainpage=/OpenID/Provider/home |
---|
308 | |
---|
309 | openid.provider.session_middleware=%(beakerSessionKeyName)s |
---|
310 | openid.provider.base_url=%(baseURI)s |
---|
311 | |
---|
312 | # Enable login to construct an identity URI if IDSelect mode was chosen and |
---|
313 | # no identity URI was passed from the Relying Party. This value should |
---|
314 | # match openid.provider.path.id and/or openid.provider.path.yadis - see above |
---|
315 | identityUriTemplate=%(baseURI)s%(openIDProviderIDBase)s${userIdentifier} |
---|
316 | |
---|
317 | openid.provider.trace=False |
---|
318 | openid.provider.consumer_store_dirpath=%(here)s/openidprovider |
---|
319 | |
---|
320 | # A custom rendering class can be plugged in here. A Genshi based renderer is |
---|
321 | # currently set |
---|
322 | openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering |
---|
323 | #openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface |
---|
324 | |
---|
325 | # Template directory |
---|
326 | openid.provider.rendering.templateRootDir = %(here)s/openidprovider/templates |
---|
327 | |
---|
328 | # Layout |
---|
329 | openid.provider.rendering.baseURL = %(openid.provider.base_url)s |
---|
330 | openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png |
---|
331 | openid.provider.rendering.footerText = This site is for test purposes only. |
---|
332 | openid.provider.rendering.rightLink = http://ceda.ac.uk/ |
---|
333 | openid.provider.rendering.rightImage = %(openid.provider.rendering.baseURL)s/layout/CEDA_RightButton60.png |
---|
334 | openid.provider.rendering.rightAlt = Centre for Environmental Data Archival |
---|
335 | |
---|
336 | # SQLAlchemy based authentication interface |
---|
337 | openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sqlalchemy_authn.SQLAlchemyAuthnInterface |
---|
338 | |
---|
339 | # See the connection string setting set in the DEFAULT section |
---|
340 | openid.provider.authN.connectionString=%(dbConnectionString)s |
---|
341 | openid.provider.authN.logonSqlQuery=select count(*) from users where username = '${username}' and md5password = '${password}' |
---|
342 | openid.provider.authN.username2UserIdentifierSqlQuery=select openid_identifier from users where username = '${username}' |
---|
343 | |
---|
344 | # Set to true if the password in the database is MD5 encrypted. |
---|
345 | openid.provider.authN.isMD5EncodedPwd=True |
---|
346 | |
---|
347 | # This is a more interface which makes settings via this INI parameters instead |
---|
348 | # of a database |
---|
349 | #openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface |
---|
350 | |
---|
351 | # This setting applies to the BasicAuthNInterface only |
---|
352 | # user login details format is: |
---|
353 | # <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc |
---|
354 | # Each user entry is delimited by a space. username, password and OpenID name |
---|
355 | # list are delimited by a colon. The list of OpenID names are delimited by |
---|
356 | # commas. The OpenID name represents the unique part of the OpenID URL for the |
---|
357 | # individual user. Each username may have more than one OpenID alias but only |
---|
358 | # alias at a time may be registered with a given Attribute Authority |
---|
359 | #openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other |
---|
360 | |
---|
361 | # Basic authentication for testing/admin - comma delimited list of |
---|
362 | # <username>:<password> pairs |
---|
363 | #openid.provider.usercreds=pjk:test |
---|
364 | |
---|
365 | # Attribute Exchange interface - extract attributes from a database based on the |
---|
366 | # username of the client |
---|
367 | openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.sqlalchemy_ax.SQLAlchemyAXInterface |
---|
368 | openid.provider.axResponse.connectionString=%(dbConnectionString)s |
---|
369 | |
---|
370 | # Ordering is important here: the query results and names fields should exactly |
---|
371 | # map one to the other |
---|
372 | openid.provider.axResponse.sqlQuery = select firstname, lastname, emailaddress from users where username = '${username}' |
---|
373 | openid.provider.axResponse.attributeNames=http://openid.net/schema/namePerson/first |
---|
374 | http://openid.net/schema/namePerson/last |
---|
375 | http://openid.net/schema/contact/internet/email |
---|
376 | |
---|
377 | # This is an alternative simple CSV file based AX interface class |
---|
378 | #openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.csv.CSVFileAXInterface |
---|
379 | #openid.provider.axResponse.csvFilePath=%(here)s/openidprovider/attributeexchange.csv |
---|
380 | |
---|
381 | # This setting can be used to enable the confirmation form to be omitted for |
---|
382 | # known Relying Parties (RP)s. The confirmation form is part of the user |
---|
383 | # interface which prompts the user to confirm they wish to return their |
---|
384 | # credentials back to the given RP. |
---|
385 | openid.provider.trustedRelyingParties=https://localhost:7443, https://ndg.somewhere.ac.uk, |
---|
386 | https://badc.somewhere.ac.uk |
---|
387 | |
---|
388 | #______________________________________________________________________________ |
---|
389 | # Attribute Authority WSGI settings |
---|
390 | # |
---|
391 | # This filter publishes an Attribute Authority instance as a key in environ |
---|
392 | # to enable the SAML query interface middleware to access and invoke it. |
---|
393 | [filter:AttributeAuthorityFilter] |
---|
394 | paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory |
---|
395 | prefix = attributeAuthority. |
---|
396 | |
---|
397 | # Lifetime is measured in seconds for attribute assertions made |
---|
398 | attributeAuthority.assertionLifetime: 28800 |
---|
399 | |
---|
400 | # Key name for the SAML SOAP binding based query interface to reference this |
---|
401 | # service's attribute query method |
---|
402 | attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s |
---|
403 | |
---|
404 | # Attribute Interface - determines how a given attribute query interfaces with a |
---|
405 | # backend database or other persistent store. The one here is an SQLAlchemy |
---|
406 | # based one. The database connection string is the global setting - see the |
---|
407 | # DEFAULT section. |
---|
408 | attributeAuthority.attributeInterface.className: ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface |
---|
409 | attributeAuthority.attributeInterface.connectionString: %(dbConnectionString)s |
---|
410 | |
---|
411 | # This does a sanity check to ensure the subject of the query is known to this |
---|
412 | # authority. |
---|
413 | attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}' |
---|
414 | |
---|
415 | # Map the given SAML attributes identifiers to the equivalent SQL query to |
---|
416 | # retrieve them. Any number can be set. They should have the form, |
---|
417 | # |
---|
418 | # attributeAuthority.attributeInterface.samlAttribute2SqlQuery.<id> |
---|
419 | # |
---|
420 | # where <id> can be any unique string. The userId string is the value passed |
---|
421 | # from the client subject NameID field |
---|
422 | attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'" |
---|
423 | attributeAuthority.attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where openid = '${userId}'" |
---|
424 | attributeAuthority.attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where openid = '${userId}'" |
---|
425 | attributeAuthority.attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where openid = '${userId}'" |
---|
426 | |
---|
427 | # Set the permissable requestor Distinguished Names as set in the SAML client |
---|
428 | # query issuer field. Comment out or remove if this is not required. Nb. |
---|
429 | # filtering of clients can be more securely applied by whitelisting at the SSL |
---|
430 | # level. |
---|
431 | attributeAuthority.attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority, |
---|
432 | /O=Site B/CN=Authorisation Service, |
---|
433 | /CN=test/O=NDG/OU=BADC, |
---|
434 | /O=NDG/OU=Security/CN=localhost |
---|
435 | |
---|
436 | # Alternate custom AttributeInterface derived class to get user roles for given |
---|
437 | # user ID |
---|
438 | #attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea |
---|
439 | #attributeAuthority.attributeInterface.modName: siteAUserRoles |
---|
440 | #attributeAuthority.attributeInterface.className: TestUserRoles |
---|
441 | |
---|
442 | # SAML SOAP Binding to the Attribute Authority |
---|
443 | [filter:AttributeAuthoritySamlSoapBindingFilter] |
---|
444 | paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory |
---|
445 | prefix = saml.soapbinding. |
---|
446 | |
---|
447 | # Callback to deserialise a string format query received from the client into |
---|
448 | # to the relevant ElementTree instance |
---|
449 | saml.soapbinding.deserialise = ndg.saml.xml.etree:AttributeQueryElementTree.fromXML |
---|
450 | |
---|
451 | # Corresponding callback to serialise an ElementTree instance response into a |
---|
452 | # string ready for dispatch back to the client |
---|
453 | # |
---|
454 | # Specialisation to incorporate ESG Group/Role type. The deserialise method |
---|
455 | # doesn't need any specialised setting because no custom ESG types are required |
---|
456 | # in order to invoke it |
---|
457 | saml.soapbinding.serialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.toXML |
---|
458 | |
---|
459 | # Equivalent setting if no ESG customisation is required. |
---|
460 | #saml.soapbinding.deserialise = ndg.saml.xml.etree:AttributeQueryElementTree.toXML |
---|
461 | |
---|
462 | # Path following the FQDN from which this service will be mounted |
---|
463 | saml.soapbinding.mountPath = /AttributeAuthority |
---|
464 | |
---|
465 | # The key name for the environ dict item holding the Attribute Authority's |
---|
466 | # query callback method. See the Attribute Authority filter. |
---|
467 | saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s |
---|
468 | |
---|
469 | # Clock skew for SAML Attribute Queries - allow clockSkew number of seconds |
---|
470 | # tolerance for query issueInstant parameter. Set here to 3 minutes |
---|
471 | saml.soapbinding.clockSkewTolerance: 180.0 |
---|
472 | |
---|
473 | # The issuer name for this Attribute Authority expressed as a X.509 subject |
---|
474 | # name. See ndg.saml.saml2.core or the SAML 2.0 spec for alternatives. |
---|
475 | saml.soapbinding.issuerName: /O=Site A/CN=Attribute Authority |
---|
476 | saml.soapbinding.issuerFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName |
---|
477 | |
---|
478 | #______________________________________________________________________________ |
---|
479 | # SAML/SOAP query interface to the Authorisation Service |
---|
480 | [filter:AuthorisationSamlSoapBindingFilter] |
---|
481 | paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory |
---|
482 | prefix = saml. |
---|
483 | |
---|
484 | # The URI path for this service |
---|
485 | saml.mountPath = /AuthorisationService |
---|
486 | |
---|
487 | # The key name in environ which the upstream authorisation service must assign |
---|
488 | # to its authorisation query callback - see the AuthorisationServiceFilter |
---|
489 | # settings below... |
---|
490 | saml.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s |
---|
491 | |
---|
492 | # ElementTree based XML parsing and serialisation used for SAML messages |
---|
493 | saml.deserialise = ndg.saml.xml.etree:AuthzDecisionQueryElementTree.fromXML |
---|
494 | saml.serialise = ndg.saml.xml.etree:ResponseElementTree.toXML |
---|
495 | |
---|
496 | # Sets the identity of THIS authorisation service when filling in SAML responses |
---|
497 | saml.issuerName = /O=Site A/CN=Authorisation Service |
---|
498 | saml.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName |
---|
499 | |
---|
500 | #______________________________________________________________________________ |
---|
501 | # Authorisation Service WSGI settings |
---|
502 | # |
---|
503 | # This filter is a container for a binding to a SOAP/SAML based interface to the |
---|
504 | # Authorisation Service. It contains a XACML Context handler which manages |
---|
505 | # requests from Policy Enforcement Points to the PDP and also enables the PDP |
---|
506 | # to make attribute queries to Policy Information Point |
---|
507 | [filter:AuthorisationServiceFilter] |
---|
508 | paste.filter_app_factory = ndg.security.server.wsgi.authz.service:AuthorisationServiceMiddleware.filter_app_factory |
---|
509 | prefix = authz. |
---|
510 | |
---|
511 | # Expose this filter's authorisation decision query callback via this key name |
---|
512 | # in environ |
---|
513 | authz.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s |
---|
514 | |
---|
515 | # Lifetime for authorisation assertions issued from this service |
---|
516 | authz.xacmlContext.assertionLifetime = 86400 |
---|
517 | |
---|
518 | # |
---|
519 | # XACML Context handler manages PEP (Policy Information Point) requests and the |
---|
520 | # PDP's (Policy Decision Point's) interface to the PIP (Policy Information |
---|
521 | # Point) |
---|
522 | |
---|
523 | # XACML Policy file |
---|
524 | authz.ctx_handler.policyFilePath = %(here)s/policy.xml |
---|
525 | |
---|
526 | # Settings for SAML authorisation decision response to a Policy Enforcement Point |
---|
527 | # making a decision query |
---|
528 | authz.ctx_handler.issuerName = /O=Site A/CN=Authorisation Service |
---|
529 | authz.ctx_handler.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName |
---|
530 | authz.ctx_handler.assertionLifetime = 86400 |
---|
531 | |
---|
532 | # |
---|
533 | # Policy Information Point interface settings |
---|
534 | # |
---|
535 | # The Context handler is a client to the PIP, passing on attribute queries |
---|
536 | # on behalf of the PDP onwards to the PIP |
---|
537 | |
---|
538 | # The PIP can cache assertions retrieved from Attribute Authority calls to |
---|
539 | # optimise performance. Set this flag to True/False to enable/disable caching |
---|
540 | # respectively. If this setting is omitted it defaults to True |
---|
541 | authz.ctx_handler.pip.cacheSessions = True |
---|
542 | |
---|
543 | # Set the directory for cached information to be stored. This options is |
---|
544 | # ignored if 'cacheSessions' is set to False. If this setting is omitted, then |
---|
545 | # sessions will be cached in memory only. If the service is stopped all cached |
---|
546 | # information would be lost |
---|
547 | authz.ctx_handler.pip.sessionCacheDataDir = %(here)s/pip-session-cache |
---|
548 | |
---|
549 | # Set timeout (seconds) for a cached session - following the timeout any existing |
---|
550 | # session will be deleted. This option is ignored if |
---|
551 | # authz.ctx_handler.pip.cacheSessions = False or is omitted. If this option is |
---|
552 | # omitted, no timeout is set. If none is set and |
---|
553 | # authz.ctx_handler.pip.sessionCacheDataDir is set, sessions will be effectively |
---|
554 | # cached permanently(!) only an assertion expiry could invalidate a given assertion |
---|
555 | # previously cached. |
---|
556 | authz.ctx_handler.pip.sessionCacheTimeout = 3600 |
---|
557 | |
---|
558 | # Allow for a clock skew of +/- 3 seconds when checking validity times of |
---|
559 | # SAML assertions cached from attribute service queries |
---|
560 | authz.ctx_handler.pip.sessionCacheAssertionClockSkewTol = 3.0 |
---|
561 | |
---|
562 | # |
---|
563 | # Attribute ID -> Attribute Authority mapping file. The PIP, on receipt of a |
---|
564 | # query from the XACML context handler, checks the attribute(s) being queried |
---|
565 | # for and looks up this mapping to determine which attribute authority to query |
---|
566 | # to find out if the subject has the attribute in their entitlement |
---|
567 | authz.ctx_handler.pip.mappingFilePath = %(here)s/pip-mapping.txt |
---|
568 | |
---|
569 | # The attribute ID of the subject value to extract from the XACML request |
---|
570 | # context and pass in the SAML attribute query |
---|
571 | authz.ctx_handler.pip.subjectAttributeId = urn:esg:openid |
---|
572 | |
---|
573 | # The context handler |
---|
574 | authz.ctx_handler.pip.attributeQuery.issuerName = %(authz.ctx_handler.issuerName)s |
---|
575 | authz.ctx_handler.pip.attributeQuery.issuerFormat = %(authz.ctx_handler.issuerFormat)s |
---|
576 | |
---|
577 | # Enable support for ESGF Group/Role Attribute Value in SAML Attribute queries |
---|
578 | authz.ctx_handler.pip.attributeQuery.deserialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.fromXML |
---|
579 | |
---|
580 | # These settings configure SSL mutual authentication for the query to the SAML Attribute Authority |
---|
581 | authz.ctx_handler.pip.attributeQuery.sslCertFilePath = %(testConfigDir)s/pki/localhost.crt |
---|
582 | authz.ctx_handler.pip.attributeQuery.sslPriKeyFilePath = %(testConfigDir)s/pki/localhost.key |
---|
583 | authz.ctx_handler.pip.attributeQuery.sslCACertDir = %(testConfigDir)s/pki/ca |
---|
584 | |
---|
585 | #______________________________________________________________________________ |
---|
586 | # Logging configuration |
---|
587 | [loggers] |
---|
588 | keys = root, ndg |
---|
589 | |
---|
590 | [handlers] |
---|
591 | keys = console, logfile |
---|
592 | |
---|
593 | [formatters] |
---|
594 | keys = generic |
---|
595 | |
---|
596 | [logger_root] |
---|
597 | level = INFO |
---|
598 | handlers = console |
---|
599 | |
---|
600 | [logger_ndg] |
---|
601 | level = DEBUG |
---|
602 | handlers = |
---|
603 | qualname = ndg |
---|
604 | |
---|
605 | [handler_console] |
---|
606 | class = StreamHandler |
---|
607 | args = (sys.stderr,) |
---|
608 | level = NOTSET |
---|
609 | formatter = generic |
---|
610 | |
---|
611 | [formatter_generic] |
---|
612 | format = %(asctime)s.%(msecs)03d %(levelname)-7.7s [%(name)s:%(lineno)s] %(message)s |
---|
613 | datefmt = %Y-%m-%d %H:%M:%S |
---|
614 | |
---|
615 | [handler_logfile] |
---|
616 | class = handlers.RotatingFileHandler |
---|
617 | level=NOTSET |
---|
618 | formatter=generic |
---|
619 | args=(os.path.join('%(here)s', 'log', 'service.log'), 'a', 50000, 2) |
---|