source: TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini @ 7845

Revision 7845, 29.1 KB checked in by pjkersha, 9 years ago (diff)

Incomplete - task 16: NDG Security 2.x.x - incl. updated Paster templates

  • fixed yadis template syntax
  • updating securedapp template.
  • Property svn:keywords set to Id
#
# Description:  Paste configuration for combined SAML Attribute Authority and
#               Authorisation Services, OpenID Relying Party and Provider
#               services and SSL client authentication filters.  This is for
#               test purposes only.  A production system might deploy these on
#               different hosts or separate WSGI scripts.  Note that this test
#               fixture contains checked-in cookie secrets and commented-out
#               test credentials: do not copy it into a deployment unmodified.
#
#               The %(here)s variable will be replaced with the parent directory
#               of this file
#
# Author:       P J Kershaw
# Date:         01/07/09
# Copyright:    (C) 2009 Science and Technology Facilities Council
# license:      BSD - see LICENSE file in top-level directory
# Contact:      Philip.Kershaw@stfc.ac.uk
# Revision:     $Id$

# Settings global to all sections
[DEFAULT]
# Everything in [DEFAULT] is visible to every other section through %(name)s
# interpolation (Paste Deploy loads this file with a ConfigParser).
portNum = 7443
hostname = localhost
scheme = https
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid/

# The default OpenID set in the Relying Party form text field.  As shown it is
# set so that the special IDSelect mode can be used where the user enters only
# the portion of the URI identifying their Provider instead of their full
# OpenID URI
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
testConfigDir = %(here)s/../../config

# Beaker session is used across multiple sections so is set here to ensure
# consistency
beakerSessionKeyName = beaker.session.ndg.security.services

# Environ dict key name for Attribute Authority's SAML attribute query callback
attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface

# Similarly the environ key name for the Authorisation Service's SAML
# authorisation decision query callback
authzDecisionQueryInterfaceEnvironKeyName = ndg.security.server.wsgi.authz.service.authzDecisionQueryInterface

# This is set to a test SQLite database; alter as needed.  The same database
# backs the OpenID Provider's logins, its Attribute Exchange lookups and the
# Attribute Authority's SAML attribute queries (see those sections), so the
# users table in it is the single source of identity data for this stack.
dbConnectionString = sqlite:///%(testConfigDir)s/user.db

# AuthKit Cookie secret used to secure it.  This secret must be the same as the
# one used in the equivalent secured application(s) ini file(s) that use this
# ini file's OpenID Relying Party and SSL authentication service.  This is
# because the cookie is shared between the secured app(s) and this app so that
# a user's OpenID can be communicated between them.
#
# SECURITY: the value below is a test fixture secret checked into a public
# repository.  It is what protects the shared authentication cookie, so anyone
# who holds it can forge that cookie.  For any deployment beyond the local
# test harness generate a fresh random value, keep it out of version control,
# and apply the same replacement to every secured app ini that shares it.
authkitCookieSecret = 9wvZObs9anUEhSIAnJNoY2iJq59FfYZr

# Secret for OpenID Provider cookie (the Beaker session configured in the
# SessionMiddlewareFilter section).  Same handling as authkitCookieSecret:
# test value only, replace per deployment.
beakerSessionCookieSecret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU

[server:main]
# Paste's built-in HTTP server.  NOTE(review): no ssl_pem / ssl_context option
# is given, so on its own Paste#http serves plain HTTP on this port although
# baseURI (DEFAULT) advertises https and SSLClientAuthenticationFilter expects
# a client certificate from the TLS handshake.  TLS is presumably supplied by
# the test harness or by a fronting Apache proxy (see the proxy notes in the
# SSLClientAuthenticationFilter section); confirm before reusing this file.
use = egg:Paste#http
# 0.0.0.0 listens on every interface of the host.  Given the test secrets in
# DEFAULT, prefer 127.0.0.1 unless remote clients genuinely need to reach
# this test instance.
host = 0.0.0.0
port = %(portNum)s

# Uncomment and replace OpenIDProviderApp with OpenIDProviderFilterApp in the
# pipeline below if the RelyingParty filter is removed.  The RelyingParty
# provides static content to both it and the Provider in this configuration.
# See the openid.relyingparty.signinInterface.staticContentRootDir setting in
# the OpenIDRelyingPartyFilter section.
#[filter-app:OpenIDProviderFilterApp]
#use = egg:Paste#httpexceptions
#next = cascade
#
## Composite for OpenID Provider to enable settings for picking up static
## content
#[composit:cascade]
#use = egg:Paste#cascade
#app1 = OpenIDProviderApp
#app2 = OpenIDProviderStaticContent
#catch = 404
#
#[app:OpenIDProviderStaticContent]
#use = egg:Paste#static
#document_root = %(here)s/openidprovider

# Ordering of filters and final app is critical.  Paste wraps the entries
# outermost-first: a request passes through AttributeAuthorityFilter first and
# reaches OpenIDProviderApp only if no filter before it has answered (the two
# SAML SOAP binding filters answer their own mount paths,
# /AttributeAuthority and /AuthorisationService).  SessionMiddlewareFilter
# must precede every filter that reads the Beaker session from environ, and
# SSLClientAuthenticationFilter precedes OpenIDRelyingPartyFilter so that a
# presented client certificate is used in preference to OpenID on the
# intercepted path (see ssl.rePathMatchList in that filter's section).
[pipeline:main]
pipeline = AttributeAuthorityFilter
           AttributeAuthoritySamlSoapBindingFilter
           AuthorisationServiceFilter
           AuthorisationSamlSoapBindingFilter
           SessionMiddlewareFilter
           SSLClientAuthKitFilter
           SSLClientAuthenticationFilter
           SSLClientAuthnRedirectResponseFilter
           OpenIDRelyingPartyFilter
           OpenIDProviderApp

#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider).  The Relying Party's
# AuthKit OpenID support and the SSL redirect filter are pointed at this same
# session via %(beakerSessionKeyName)s, so it carries authentication state:
# keep its secret and its data_dir private to the service.
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware
beaker.session.key = openid
beaker.session.secret = %(beakerSessionCookieSecret)s

# Locations for the Beaker cache data and the session saves are set
# explicitly here (adjust as needed):
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
# True => Beaker issues a browser-session cookie with no fixed expiry; the
# server-side session files presumably persist in data_dir until cleaned up.
beaker.session.cookie_expires = True
# NOTE(review): the service is addressed over https (baseURI) but no Secure /
# HttpOnly cookie flags are configured here, so the session cookie may be sent
# over plain HTTP and is readable by page script.  Check the installed Beaker
# version supports beaker.session.secure / httponly and enable them for any
# non-test use.

# Key name for keying into environ dictionary
environ_key = %(beakerSessionKeyName)s

#______________________________________________________________________________
# Sets AuthKit cookie for SSL Client based authentication method.  This is the
# cookie middleware that the SSL client certificate filter below uses to record
# a signed-in identity; the cookie is shared with the secured app(s), see the
# authkitCookieSecret note in DEFAULT.
[filter:SSLClientAuthKitFilter]
paste.filter_app_factory = authkit.authenticate:middleware

# AuthKit Set-up
setup.method=cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app
cookie.name=ndg.security.auth

cookie.secret=%(authkitCookieSecret)s
cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place.
# Consequence: the cookie is not bound to the client address, so a captured
# cookie can be replayed from any host for as long as it remains valid.
# Accepted for the test set-up; revisit if the proxy problem is resolved.
cookie.includeip = False

#______________________________________________________________________________
# SSL Client Certificate based authentication is invoked if the client passed
# a certificate with request.  This bypasses OpenID based authentication
[filter:SSLClientAuthenticationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.ssl:AuthKitSSLAuthnMiddleware
prefix = ssl.

# Apply verification against a list of trusted CAs.  To skip this step, comment
# out or remove this item.  e.g. set CA verification in the Apache config file.
#
# SECURITY: because a presented certificate bypasses OpenID sign-in, the chain
# must be verified somewhere.  Only remove this list if the TLS terminator in
# front of the service (e.g. Apache) verifies the client certificate itself;
# otherwise, presumably, any certificate a client chooses to present would be
# accepted as an identity.
ssl.caCertFilePathList = %(testConfigDir)s/pki/ca/d573507a.0

# Apply whitelisting of client certificate DNs.  This should never be needed in
# this context.  The only reason to use it might be as a means to set a crude
# access control list of DNs
#ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=mytest /O=gabriel/OU=BADC/CN=test /O=NDG/OU=BADC/CN=test

# The 'HTTP_' prefix is set when passed through a proxy with Apache, for example
# if it's possible to run this ini file with paster and expose it through port
# 443 via ProxyPass and ProxyPassReverse Apache directives.
#
# SECURITY: HTTP_* environ keys are populated from request headers, so with
# these settings the filter trusts an SSL_CLIENT_CERT header.  Enable them only
# when the proxy always sets (and therefore overwrites) that header from its
# own handshake and this service's port is reachable solely via the proxy;
# otherwise a client could supply the header, and hence a certificate, itself.
#ssl.sslKeyName = HTTP_HTTPS
#ssl.sslClientCertKeyName = HTTP_SSL_CLIENT_CERT

# Set the intercept URI.  Request URIs matching this pattern will be processed
# by this filter.  The pattern is set here to match the URI that would normally
# be processed by the OpenID Relying Party.  If this filter finds a client
# cert set from the SSL handshake it will apply authentication based on this, if
# not it will let the request pass by and on to the OpenID Relying Party.  The
# latter is then therefore the default and 'catch all' for authentication
# requests.  The pattern is anchored at the start of the path only.
ssl.rePathMatchList = ^/verify.*

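#______________________________________________________________________________
# OpenID Relying Party.  This filter is set to run over SSL so that it can work
# together with the SSL Client Authentication filter above so that tandem
# authentication methods are supported.  It can be invoked from a HTTP app by
# the ndg.security.server.wsgi.authn.AuthenticationMiddleware which causes a
# redirect to this endpoint.
[filter:OpenIDRelyingPartyFilter]
paste.filter_app_factory = ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

openid.relyingparty.baseURL = %(authkit.openid.baseurl)s

# Uncomment to restrict sign in to a whitelist of trusted OpenID Providers.
#
# SECURITY: while this stays commented out the Relying Party will complete a
# sign-in against whichever OpenID Provider the user names, i.e. any OpenID on
# the internet can be asserted to the secured apps.  Acceptable for the test
# stack only; set the whitelist for anything else.
#openid.relyingparty.idpWhitelistConfigFilePath = %(here)s/openidrelyingparty/ssl-idp-validator.xml

openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.genshi.GenshiSigninTemplate

# Nb. in this configuration, this directory provides static content for both
# this filter and the OpenID Provider app downstream in the WSGI stack.
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/public

openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
openid.relyingparty.signinInterface.heading = OpenID Sign-in
#openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
#openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
#openid.relyingparty.signinInterface.leftLink = http://ndg.nerc.ac.uk/
#openid.relyingparty.signinInterface.leftImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif

# This setting will accept HTML mark-up, i.e. it is rendered into the sign-in
# page unescaped.  It is operator-controlled configuration; keep it that way
# and never derive it from request data.
openid.relyingparty.signinInterface.footerText = This site is for test purposes only.   <a class="FooterLink" href="http://openid.net/what/" target="_blank"><small>What is OpenID?</small></a>
openid.relyingparty.signinInterface.rightLink = http://ceda.ac.uk/
openid.relyingparty.signinInterface.rightImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/CEDA_RightButton60.png
openid.relyingparty.signinInterface.rightAlt = Centre for Environmental Data Archival
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit Set-up
authkit.setup.method = openid, cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app (see the authkitCookieSecret
# note in DEFAULT: test value, replace per deployment).
authkit.cookie.name = ndg.security.auth
authkit.cookie.secret = %(authkitCookieSecret)s
authkit.cookie.signoutpath = /logout
#authkit.cookie.params.domain = .localhost

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place.
# Consequence: a captured cookie can be replayed from any host while valid.
authkit.cookie.includeip = False

authkit.openid.path.signedin = /

# File store for the OpenID consumer's state (associations, nonces).  The
# directory must be writable by the service and should be readable by nothing
# else.
authkit.openid.store.type = file
authkit.openid.store.config = %(here)s/openidrelyingparty/store
authkit.openid.session.key = authkit_openid

# Previously the literal placeholder 'random string', which every reader of
# the repository knows.  AuthKit is pointed at the shared Beaker session
# (authkit.openid.session.middleware below), so use that session's secret from
# DEFAULT rather than a guessable constant.  Whether AuthKit still consults
# this value when the session middleware is supplied externally is not visible
# from this file; it must not be a placeholder in either case.
authkit.openid.session.secret = %(beakerSessionCookieSecret)s

# Key name for dereferencing beaker.session object held in environ
authkit.openid.session.middleware = %(beakerSessionKeyName)s

authkit.openid.baseurl = %(baseURI)s

# Attribute Exchange - all are optional unless the relevant ax.required.<name>
# is set to True.  The alias defaults to the parameter name given unless
# explicitly specified - see commented out entry for firstName below.  The
# number of attributes for each attribute name defaults to 1 unless otherwise
# set.  The values returned are asserted by the user's OpenID Provider: trust
# them only as far as that Provider is trusted (see the whitelist setting
# above).
#authkit.openid.ax.typeuri.firstName = http://openid.net/schema/namePerson/first
#authkit.openid.ax.alias.firstName = firstName
##authkit.openid.ax.count.firstName = 1
#authkit.openid.ax.required.firstName = True
#authkit.openid.ax.typeuri.lastName = http://openid.net/schema/namePerson/last
#authkit.openid.ax.alias.lastName = lastName
#authkit.openid.ax.required.lastName = True
#authkit.openid.ax.typeuri.emailAddress = http://openid.net/schema/contact/internet/email
#authkit.openid.ax.alias.emailAddress = emailAddress
#authkit.openid.ax.required.emailAddress = True

# ESG Gateway requested parameters.  These were a mix of ':' and '=' delimited
# lines; both are accepted by the ConfigParser but they are written uniformly
# with '=' here to match the rest of the file.
authkit.openid.ax.typeuri.uuid = http://openid.net/schema/person/guid
authkit.openid.ax.alias.uuid = uuid
authkit.openid.ax.typeuri.username = http://openid.net/schema/namePerson/friendly
authkit.openid.ax.alias.username = username
authkit.openid.ax.typeuri.firstname = http://openid.net/schema/namePerson/first
authkit.openid.ax.alias.firstname = firstname
authkit.openid.ax.required.firstname = True
authkit.openid.ax.typeuri.middlename = http://openid.net/schema/namePerson/middle
authkit.openid.ax.alias.middlename = middlename
authkit.openid.ax.typeuri.lastname = http://openid.net/schema/namePerson/last
authkit.openid.ax.alias.lastname = lastname
authkit.openid.ax.required.lastname = True
authkit.openid.ax.typeuri.email = http://openid.net/schema/contact/internet/email
authkit.openid.ax.alias.email = email
authkit.openid.ax.required.email = True
authkit.openid.ax.typeuri.gateway = http://www.earthsystemgrid.org/gateway
authkit.openid.ax.alias.gateway = gateway
authkit.openid.ax.typeuri.organization = http://openid.net/schema/company/name
authkit.openid.ax.alias.organization = organization
authkit.openid.ax.typeuri.city = http://openid.net/schema/contact/city/home
authkit.openid.ax.alias.city = city
authkit.openid.ax.typeuri.state = http://openid.net/schema/contact/state/home
authkit.openid.ax.alias.state = state
authkit.openid.ax.typeuri.country = http://openid.net/schema/contact/country/home
authkit.openid.ax.alias.country = country
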
#______________________________________________________________________________
# Redirect to original requested URI following SSL Client Authentication.  This
# filter must be placed AFTER the AuthKit cookie setting middleware.  In this
# case here it's configured in the OpenIDRelyingPartyMiddleware filter.  If the
# OpenID Relying Party filter is removed, a separate AuthKit middleware entry
# would need to be made so that this redirect filter can still function.
# Presumably the original URI is held in the Beaker session referenced by
# ssl.sessionKey rather than taken from a request parameter; if so this is not
# an open redirect by itself and whatever writes that session value is
# responsible for validating it - confirm in AuthKitRedirectResponseMiddleware.
[filter:SSLClientAuthnRedirectResponseFilter]
paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthKitRedirectResponseMiddleware
prefix = ssl.
ssl.sessionKey = %(beakerSessionKeyName)s

#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderApp]
paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory

openid.provider.path.openidserver=/OpenID/Provider/server
openid.provider.path.login=/OpenID/Provider/login
openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path may be set to a page carrying
# <link rel="openid.server" href="..."> and Yadis
# <meta http-equiv="x-xrds-location" content="..."> links if required, but in
# this implementation it is set to return 404 Not Found - see the
# ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
# class.  ${userIdentifier} is substituted by the Provider at request time.
openid.provider.path.id=/OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis=%(openIDProviderIDBase)s${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis=%(openIDProviderIDBase)s
openid.provider.path.allow=/OpenID/Provider/allow
openid.provider.path.decide=/OpenID/Provider/decide
openid.provider.path.mainpage=/OpenID/Provider/home

openid.provider.session_middleware=%(beakerSessionKeyName)s
openid.provider.base_url=%(baseURI)s

# Enable login to construct an identity URI if IDSelect mode was chosen and
# no identity URI was passed from the Relying Party.  This value should
# match openid.provider.path.id and/or openid.provider.path.yadis - see above
identityUriTemplate=%(baseURI)s%(openIDProviderIDBase)s${userIdentifier}

# Keep trace off outside debugging: protocol tracing can expose request detail.
openid.provider.trace=False
openid.provider.consumer_store_dirpath=%(here)s/openidprovider

# A custom rendering class can be plugged in here.  A Genshi based renderer is
# currently set
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

# Template directory
openid.provider.rendering.templateRootDir = %(here)s/openidprovider/templates

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png
openid.provider.rendering.footerText = This site is for test purposes only.
openid.provider.rendering.rightLink = http://ceda.ac.uk/
openid.provider.rendering.rightImage = %(openid.provider.rendering.baseURL)s/layout/CEDA_RightButton60.png
openid.provider.rendering.rightAlt = Centre for Environmental Data Archival

# SQLAlchemy based authentication interface
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sqlalchemy_authn.SQLAlchemyAuthnInterface

# See the connection string setting set in the DEFAULT section
openid.provider.authN.connectionString=%(dbConnectionString)s

# SECURITY: ${username} and ${password} are filled in by the authN interface
# from the submitted login form.  Whether SQLAlchemyAuthnInterface binds them
# as SQL parameters or performs plain string substitution into this template
# is not visible from this file; if it is the latter, a quote character in the
# username gives SQL injection.  Confirm before exposing the login form
# beyond the test harness.
openid.provider.authN.logonSqlQuery=select count(*) from users where username = '${username}' and md5password = '${password}'
openid.provider.authN.username2UserIdentifierSqlQuery=select openid_identifier from users where username = '${username}'

# Set to true if the password in the database is stored as an MD5 hash.
# SECURITY: unsalted MD5 is not an acceptable password store outside a test
# fixture - it is fast to brute-force and identical passwords hash
# identically.  Changing that is a property of the users table and the authN
# interface, not of this file.
openid.provider.authN.isMD5EncodedPwd=True

# This is a simpler interface which takes its settings from this INI file
# instead of a database
#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface

# This setting applies to the BasicAuthNInterface only
# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# one alias at a time may be registered with a given Attribute Authority.
# The commented entry below holds test credentials: do not carry it into a
# production copy of this file.
#openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs (test credentials, same caveat as above)
#openid.provider.usercreds=pjk:test

# Attribute Exchange interface - extract attributes from a database based on the
# username of the client
openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.sqlalchemy_ax.SQLAlchemyAXInterface
openid.provider.axResponse.connectionString=%(dbConnectionString)s

# Ordering is important here: the query results and names fields should exactly
# map one to the other.  The same parameter binding caveat as for
# logonSqlQuery applies to ${username}.
openid.provider.axResponse.sqlQuery = select firstname, lastname, emailaddress from users where username = '${username}'
openid.provider.axResponse.attributeNames=http://openid.net/schema/namePerson/first
    http://openid.net/schema/namePerson/last
    http://openid.net/schema/contact/internet/email

# This is an alternative simple CSV file based AX interface class
#openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.csv.CSVFileAXInterface
#openid.provider.axResponse.csvFilePath=%(here)s/openidprovider/attributeexchange.csv

# This setting can be used to enable the confirmation form to be omitted for
# known Relying Parties (RP)s.  The confirmation form is part of the user
# interface which prompts the user to confirm they wish to return their
# credentials back to the given RP.
#
# SECURITY: every entry here is a trust decision - a listed RP receives the
# user's identity and the AX attributes above (name, email address) without
# the user seeing a consent prompt.  How an entry is matched against the
# requesting RP is not visible from this file; keep the list to RPs you
# operate.
openid.provider.trustedRelyingParties=https://localhost:7443, https://ndg.somewhere.ac.uk,
        https://badc.somewhere.ac.uk

#______________________________________________________________________________
# Attribute Authority WSGI settings
#
# This filter publishes an Attribute Authority instance as a key in environ
# to enable the SAML query interface middleware to access and invoke it.
[filter:AttributeAuthorityFilter]
paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
prefix = attributeAuthority.

# Lifetime is measured in seconds for attribute assertions made (28800 = 8 h).
# Issued assertions stay valid for this long regardless of later changes in
# the database, so the value bounds revocation latency at relying services.
attributeAuthority.assertionLifetime: 28800 

# Key name for the SAML SOAP binding based query interface to reference this
# service's attribute query method
attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s

# Attribute Interface - determines how a given attribute query interfaces with a
# backend database or other persistent store.  The one here is an SQLAlchemy
# based one.  The database connection string is the global setting - see the
# DEFAULT section.
attributeAuthority.attributeInterface.className: ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface
attributeAuthority.attributeInterface.connectionString: %(dbConnectionString)s

# This does a sanity check to ensure the subject of the query is known to this
# authority.
attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}'

# Map the given SAML attributes identifiers to the equivalent SQL query to
# retrieve them.  Any number can be set.  They should have the form,
#
# attributeAuthority.attributeInterface.samlAttribute2SqlQuery.<id>
#
# where <id> can be any unique string.  The userId string is the value passed
# from the client subject NameID field.
#
# SECURITY: ${userId} therefore comes straight from the incoming SAML query,
# i.e. it is chosen by the requester.  These templates (and the one above) are
# only safe if SQLAlchemyAttributeInterface binds the value as a SQL parameter
# rather than substituting it into the string; that is not visible from this
# file.  Confirm it before exposing /AttributeAuthority to untrusted clients.
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where openid = '${userId}'"

# Set the permissible requestor Distinguished Names as set in the SAML client
# query issuer field.  Comment out or remove if this is not required.  Nb.
# filtering of clients can be more securely applied by whitelisting at the SSL
# level: the issuer field is part of the query and so is asserted by the
# requester, making this list an allow-list of names rather than
# authentication unless the TLS layer has verified a client certificate
# carrying the same DN.
attributeAuthority.attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority,
    /O=Site B/CN=Authorisation Service,
    /CN=test/O=NDG/OU=BADC,
    /O=NDG/OU=Security/CN=localhost

# Alternate custom AttributeInterface derived class to get user roles for given
# user ID
#attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
#attributeAuthority.attributeInterface.modName: siteAUserRoles
#attributeAuthority.attributeInterface.className: TestUserRoles

# SAML SOAP Binding to the Attribute Authority
[filter:AttributeAuthoritySamlSoapBindingFilter]
paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
prefix = saml.soapbinding.

# Callback to deserialise a string format query received from the client into
# to the relevant ElementTree instance
saml.soapbinding.deserialise = ndg.saml.xml.etree:AttributeQueryElementTree.fromXML

# Corresponding callback to serialise an ElementTree instance response into a
# string ready for dispatch back to the client
#
# Specialisation to incorporate ESG Group/Role type.  The deserialise method
# doesn't need any specialised setting because no custom ESG types are required
# in order to invoke it
saml.soapbinding.serialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.toXML

# Equivalent setting if no ESG customisation is required: the plain ndg.saml
# Response serialiser, as used by the Authorisation Service binding below.
# (An earlier version of this comment showed the deserialise key with a toXML
# method, which is not a valid pairing.)
#saml.soapbinding.serialise = ndg.saml.xml.etree:ResponseElementTree.toXML

# Path following the FQDN from which this service will be mounted
saml.soapbinding.mountPath = /AttributeAuthority

# The key name for the environ dict item holding the Attribute Authority's
# query callback method.  See the Attribute Authority filter.
saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s

# Clock skew for SAML Attribute Queries - allow clockSkew number of seconds
# tolerance for query issueInstant parameter. Set here to 3 minutes.  Widening
# it also widens the window within which a captured query is still accepted,
# so fix clock sync rather than raising this.
saml.soapbinding.clockSkewTolerance: 180.0

# The issuer name for this Attribute Authority expressed as a X.509 subject
# name.  See ndg.saml.saml2.core or the SAML 2.0 spec for alternatives.
saml.soapbinding.issuerName: /O=Site A/CN=Attribute Authority
saml.soapbinding.issuerFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

#______________________________________________________________________________
# SAML/SOAP query interface to the Authorisation Service.  Nb. unlike the
# Attribute Authority binding above, no clockSkewTolerance is set here, so
# whatever default SOAPQueryInterfaceMiddleware applies is in force.
[filter:AuthorisationSamlSoapBindingFilter]
paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
prefix = saml.

# The URI path for this service
saml.mountPath = /AuthorisationService

# The key name in environ which the upstream authorisation service must assign
# to its authorisation query callback - see the AuthorisationServiceFilter
# settings below...
saml.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s

# ElementTree based XML parsing and serialisation used for SAML messages
saml.deserialise = ndg.saml.xml.etree:AuthzDecisionQueryElementTree.fromXML
saml.serialise = ndg.saml.xml.etree:ResponseElementTree.toXML

# Sets the identity of THIS authorisation service when filling in SAML responses
saml.issuerName = /O=Site A/CN=Authorisation Service
saml.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

#______________________________________________________________________________
# Authorisation Service WSGI settings
#
# This filter is a container for a binding to a SOAP/SAML based interface to the
# Authorisation Service.  It contains a XACML Context handler which manages
# requests from Policy Enforcement Points to the PDP and also enables the PDP
# to make attribute queries to Policy Information Point
[filter:AuthorisationServiceFilter]
paste.filter_app_factory = ndg.security.server.wsgi.authz.service:AuthorisationServiceMiddleware.filter_app_factory
prefix = authz.

# Expose this filter's authorisation decision query callback via this key name
# in environ
authz.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s

# Lifetime for authorisation assertions issued from this service (seconds;
# 86400 = 24 h).  A PEP may honour a cached decision for this long, so this
# value bounds how quickly a policy change takes effect at enforcement points.
# NOTE(review): authz.ctx_handler.assertionLifetime below carries the same
# value; which of the two the middleware reads is not visible here, so keep
# them equal.
authz.xacmlContext.assertionLifetime = 86400

#
# XACML Context handler manages PEP (Policy Enforcement Point) requests and the
# PDP's (Policy Decision Point's) interface to the PIP (Policy Information
# Point)

# XACML Policy file.  This is the source of truth for every authorisation
# decision the service issues: protect it from modification.
authz.ctx_handler.policyFilePath = %(here)s/policy.xml

# Settings for SAML authorisation decision response to a Policy Enforcement Point
# making a decision query
authz.ctx_handler.issuerName = /O=Site A/CN=Authorisation Service
authz.ctx_handler.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
authz.ctx_handler.assertionLifetime = 86400

#
# Policy Information Point interface settings
#
# The Context handler is a client to the PIP, passing on attribute queries
# on behalf of the PDP onwards to the PIP

# The PIP can cache assertions retrieved from Attribute Authority calls to
# optimise performance.  Set this flag to True/False to enable/disable caching
# respectively.  If this setting is omitted it defaults to True
authz.ctx_handler.pip.cacheSessions = True

# Set the directory for cached information to be stored.  This option is
# ignored if 'cacheSessions' is set to False.  If this setting is omitted, then
# sessions will be cached in memory only.  If the service is stopped all cached
# information would be lost.
# SECURITY: the cached assertions carry the subject attributes returned by the
# Attribute Authority (e.g. the names and email address the AA above serves),
# so this directory holds personal data on disk - restrict its permissions to
# the service account.
authz.ctx_handler.pip.sessionCacheDataDir = %(here)s/pip-session-cache

# Set timeout (seconds) for a cached session - following the timeout any existing
# session will be deleted.  This option is ignored if
# authz.ctx_handler.pip.cacheSessions = False or is omitted.  If this option is
# omitted, no timeout is set.  If none is set and
# authz.ctx_handler.pip.sessionCacheDataDir is set, sessions are effectively
# cached permanently(!): only an assertion's own expiry could invalidate an
# assertion previously cached.  With the 3600 s here, an entitlement revoked at
# the Attribute Authority may therefore still be honoured for up to an hour.
authz.ctx_handler.pip.sessionCacheTimeout = 3600

# Allow for a clock skew of +/- 3 seconds when checking validity times of
# SAML assertions cached from attribute service queries
authz.ctx_handler.pip.sessionCacheAssertionClockSkewTol = 3.0

#
# Attribute ID -> Attribute Authority mapping file.  The PIP, on receipt of a
# query from the XACML context handler, checks the attribute(s) being queried
# for and looks up this mapping to determine which attribute authority to query
# to find out if the subject has the attribute in their entitlement
authz.ctx_handler.pip.mappingFilePath = %(here)s/pip-mapping.txt

# The attribute ID of the subject value to extract from the XACML request
# context and pass in the SAML attribute query
authz.ctx_handler.pip.subjectAttributeId = urn:esg:openid

# Issuer the PIP presents in its attribute queries.  This name, not the DN of
# the TLS client certificate below, is what the Attribute Authority's
# samlValidRequestorDNs list sees in the query's issuer field.
authz.ctx_handler.pip.attributeQuery.issuerName = %(authz.ctx_handler.issuerName)s
authz.ctx_handler.pip.attributeQuery.issuerFormat = %(authz.ctx_handler.issuerFormat)s

# Enable support for ESGF Group/Role Attribute Value in SAML Attribute queries
authz.ctx_handler.pip.attributeQuery.deserialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.fromXML

# These settings configure SSL mutual authentication for the query to the SAML
# Attribute Authority.  The private key file must be readable by the service
# account only; the CA directory determines which Attribute Authority server
# certificates are accepted.
authz.ctx_handler.pip.attributeQuery.sslCertFilePath = %(testConfigDir)s/pki/localhost.crt
authz.ctx_handler.pip.attributeQuery.sslPriKeyFilePath = %(testConfigDir)s/pki/localhost.key
authz.ctx_handler.pip.attributeQuery.sslCACertDir = %(testConfigDir)s/pki/ca

#______________________________________________________________________________
# Logging configuration (standard library logging.config.fileConfig layout)
[loggers]
keys = root, ndg

# NOTE(review): 'logfile' is declared here but no logger below attaches it
# (root uses console only, ndg has no handlers of its own), so service.log is
# never written.  Attach it with "handlers = console, logfile" on logger_root
# if a file log is wanted.
[handlers]
keys = console, logfile

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

# DEBUG for the whole ndg namespace; records propagate to the root console
# handler.  At this level the security middleware may well log request and
# session detail (not verified here) - use INFO or higher outside the test
# harness.
[logger_ndg]
level = DEBUG
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

# The %(...)s tokens here are logging format fields, not ConfigParser
# interpolation: fileConfig reads this section raw.
[formatter_generic]
format = %(asctime)s.%(msecs)03d %(levelname)-7.7s [%(name)s:%(lineno)s] %(message)s
datefmt = %Y-%m-%d %H:%M:%S

# Rotating file handler: 50000-byte files, 2 backups, under %(here)s/log.
# Currently unreferenced - see the note above [handlers].
[handler_logfile]
class = handlers.RotatingFileHandler
level=NOTSET
formatter=generic
args=(os.path.join('%(here)s', 'log', 'service.log'), 'a', 50000, 2)