
Example federation configuration
{
  "oauth2.datastoreclass": "dk.itp.security.authentication.oauth.data.OAuthSQLStore",
  "proxy": {
    "enabled": false,
    "port": 8080
  },
  "tokens": [
    {
      "name": "sample",
      "validaudiences": [],
      "include.in.jwks.metadata": true,
      "claims": [
        "sub=userid",
        "groups=groups",
        "name=username"
      ],
      "issuer": "https://www.portalprotect.dk",
      "keyid": "k1",
      "algorithm": "RS256",
      "expiration.minutes": 10,
      "notbefore.minutes.in.past": 2,
      "openidconnect": true,
      "keystore": {
        "provider": "BC",
        "type": "PKCS12",
        "file": "${ceptor.home}/config/x509/nemid/kr.pfx",
        "password": "{encoded}96E1FAF9F9578720",
        "password.per.alias": []
      },
      "relax.key.checks": false,
      "expires.at.exact.time": false,
      "require.subject": true,
      "fieldmappers": []
    },
    {
      "name": "sample2",
      "description": "Example token that uses a secret key",
      "validaudiences": [],
      "include.in.jwks.metadata": false,
      "expiration.minutes": 30,
      "claims": [
        "sub=userid",
        "groups=groups",
        "name=username"
      ],
      "openidconnect": true,
      "userid.attribute.name": "sub",
      "username.attribute.name": "name",
      "role.attribute.name": "groups",
      "role.pattern": "^admin*",
      "relax.key.checks": false,
      "expires.at.exact.time": false,
      "require.subject": true,
      "secretkey": "secret",
      "issuer": "https://ceptor.io/secret",
      "algorithm": "HS256"
    },
    {
      "name": "google",
      "description": "Allows validation of tokens issued by Google",
      "issuer": "accounts.google.com",
      "validaudiences": ["371213948273-79eceu24cm64ft69pln0hk2lfapok1bq.apps.googleusercontent.com"],
      "include.in.jwks.metadata": false,
      "claims": [],
      "openidconnect": false,
      "relax.key.checks": false,
      "expires.at.exact.time": false,
      "require.subject": true,
      "signer.certificates.url": "https://www.googleapis.com/oauth2/v1/certs"
    },
    {
      "name": "microsoft",
      "issuer": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
      "validaudiences": ["317190f9-efec-4307-beb9-7f8380a8ae16"],
      "include.in.jwks.metadata": false,
      "claims": [],
      "openidconnect": false,
      "relax.key.checks": false,
      "expires.at.exact.time": false,
      "require.subject": true,
      "signer.certificates.url": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
      "signer.certificates.refresh.interval.minutes": 120,
      "userid.attribute.name": "preferred_username",
      "username.attribute.name": "name"
    }
  ],
  "oauth2.defaulttoken": "sample",
  "openid.scopes": [
    {
      "name": "email",
      "description": "Email address in userinfo",
      "idtoken": ["email=email1"],
      "accesstoken": [],
      "userinfo": ["email=email1"]
    },
    {
      "name": "profile",
      "description": "User name",
      "idtoken": ["name=username"],
      "accesstoken": ["name=username"],
      "userinfo": ["name=username"]
    }
  ],
  "openid.fields": [{
    "name": "address",
    "description": "User address",
    "attributes": [
      "street_address=address1",
      "locality=city",
      "region=state",
      "postal_code=postal",
      "country=country"
    ]
  }],
  "openid.identityproviders": [
    {
      "name": "facebook",
      "description": "Authenticate using Facebook",
      "clientid": "624082557774373",
      "secret": "{encoded}F89141217749F5FA6306CAF6F9656965F3A5A8E3069BE032136125F3A4B27183",
      "tokenurl": "https://graph.facebook.com/v2.9/oauth/access_token",
      "facebook": true,
      "linkedin": false,
      "fieldmappers": []
    },
    {
      "name": "google",
      "description": "Google as an identity provider",
      "clientid": "371213948273-79eceu24cm64ft69pln0hk2lfapok1bq.apps.googleusercontent.com",
      "secret": "{encoded}806F9FE0C7CBC28D5777D6DE91772DA4961482568956695A",
      "tokenurl": "https://accounts.google.com/o/oauth2/token",
      "facebook": false,
      "linkedin": false,
      "fieldmappers": []
    },
    {
      "name": "microsoft",
      "description": "Authenticate using Microsoft as identity provider",
      "clientid": "317190f9-efec-4307-beb9-7f8380a8ae16",
      "secret": "{encoded}9EED6C32369008FE6F3DC027CC0C2195137300594A2620",
      "tokenurl": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
      "facebook": false,
      "linkedin": false,
      "fieldmappers": []
    }
  ],
  "oauth2.accesstoken.datastoreclass": "dk.itp.security.authentication.oauth.data.AccessTokenSQLStore",
  "oauth2.refreshtoken.datastoreclass": "dk.itp.security.authentication.oauth.data.RefreshTokenSQLStore",
  "oauth2.datastorename": "datastore-primary",
  "oauth2.clients": [{
    "name": "Sample",
    "client_id": "https://www.example.com/",
    "description": "Example client",
    "client_secret": "secret",
    "accesstoken_type": "UUID",
    "allowed_uris": ["https://www.example.com/oauth2"],
    "allowed_logout_uris": [],
    "valid_grant_types": [
      "authorization_code",
      "implicit",
      "hybrid",
      "refresh_token"
    ],
    "allowed_scopes": [
      "openid",
      "profile",
      "offline_access"
    ],
    "refreshtoken_validity_seconds": 86400,
    "maximum_idtoken_expiration_minutes": 120
  }],
  "saml.identityproviders": [
    {
      "name": "azure",
      "description": "Azure Cloud Identity Provider",
      "display.name": "Ceptor Test",
      "identifier": "https://ceptor.io",
      "subject.as.userid": false,
      "userid.attribute.name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
      "username.attribute.name": "http://schemas.microsoft.com/identity/claims/displayname",
      "role.attribute.name": "role;http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
      "url": "https://login.microsoftonline.com/75700533-6f5e-4bd3-8730-8b46858f4e2c/wsfed",
      "known.ip.list": "https://login.microsoftonline.com/75700533-6f5e-4bd3-8730-8b46858f4e2c/wsfed",
      "metadata.url": "https://login.microsoftonline.com/75700533-6f5e-4bd3-8730-8b46858f4e2c/federationmetadata/2007-06/federationmetadata.xml",
      "metadata.update.interval.minutes": 120
    },
    {
      "name": "microsoft",
      "description": "Use Microsoft online as Identity Provider",
      "display.name": "Microsoft",
      "identifier": "317190f9-efec-4307-beb9-7f8380a8ae16",
      "subject.as.userid": true,
      "userid.attribute.name": "upn;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
      "username.attribute.name": "name;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
      "role.attribute.name": "role;http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
      "url": "https://login.microsoftonline.com/common/wsfed",
      "metadata.url": "https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml",
      "serviceprovider.metadata": "<?xml version=\"1.0\"?>\r\n<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\"\r\n\t\t\t\t\t xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"\r\n                     validUntil=\"%{validuntil}\"\r\n                     cacheDuration=\"PT1440M\"\r\n                     entityID=\"317190f9-efec-4307-beb9-7f8380a8ae16\">\r\n    <md:SPSSODescriptor AuthnRequestsSigned=\"false\" WantAssertionsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\r\n        <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"\r\n                                Location=\"https://my.server.name/logout\" />\r\n        <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"\r\n                                Location=\"https://my.server.name/logout\" />\r\n        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent<\/md:NameIDFormat>\r\n        <md:AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"\r\n                                     Location=\"https://my.server.name/adfs\"\r\n                                     index=\"1\" />\r\n\t\t<md:AttributeConsumingService index=\"0\" isDefault=\"true\">\r\n\t\t  <md:ServiceName xml:lang=\"da\">SP<\/md:ServiceName>\r\n\t\t<\/md:AttributeConsumingService>\r\n    <\/md:SPSSODescriptor>\r\n    <md:Organization>\r\n       <md:OrganizationName xml:lang=\"en-US\">My organisation<\/md:OrganizationName>\r\n       <md:OrganizationDisplayName xml:lang=\"en-US\">My org<\/md:OrganizationDisplayName>\r\n       <md:OrganizationURL xml:lang=\"en-US\">https://my.server.name<\/md:OrganizationURL>\r\n    <\/md:Organization>\r\n    <md:ContactPerson contactType=\"technical\">\r\n        <md:GivenName>Techcontact<\/md:GivenName>\r\n        <md:EmailAddress>tech@mail.dk<\/md:EmailAddress>\r\n    <\/md:ContactPerson>\r\n    <md:ContactPerson contactType=\"support\">\r\n      
  <md:GivenName>Support<\/md:GivenName>\r\n        <md:EmailAddress>support@mail.dk<\/md:EmailAddress>\r\n    <\/md:ContactPerson>\r\n<\/md:EntityDescriptor>"
    }
  ],
  "saml.serviceproviders": [
    {
      "name": "local",
      "description": "Local example service provider",
      "keystore": {
        "file": "${ceptor.home}/config/x509/issuer/certissuer.pfx",
        "password": "password",
        "password.per.alias": []
      },
      "display.name": "Local AssecoCeptor Test ADFS",
      "url": "https://adfs.itptest.dk/adfs/ls/",
      "issuer": "http://www.portalprotect.dk/adfs/services/trust",
      "identifiers": ["http://adfs.itptest.dk/adfs/services/trust"],
      "attributes": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=userid",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=username",
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role=groups",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=email1"
      ],
      "identityprovider.metadata": "<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"%{validuntil}\" cacheDuration=\"PT1440M\" entityID=\"http://www.portalprotect.dk/adfs/services/trust\">\r\n  <md:IDPSSODescriptor WantAuthnRequestsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\r\n    <md:KeyDescriptor use=\"signing\">\r\n      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\r\n        <ds:X509Data>\r\n          <ds:X509Certificate>%{signcert}<\/ds:X509Certificate>\r\n        <\/ds:X509Data>\r\n      <\/ds:KeyInfo>\r\n    <\/md:KeyDescriptor>\r\n    <md:KeyDescriptor use=\"encryption\">\r\n      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\r\n        <ds:X509Data>\r\n          <ds:X509Certificate>%{encryptcert}<\/ds:X509Certificate>\r\n        <\/ds:X509Data>\r\n      <\/ds:KeyInfo>\r\n    <\/md:KeyDescriptor>\r\n    <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://login.my.server/logoff\"/>\r\n    <md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://login.my.server\"/>\r\n  <\/md:IDPSSODescriptor>\r\n  <md:Organization>\r\n    <md:OrganizationName xml:lang=\"en-US\">orgname<\/md:OrganizationName>\r\n    <md:OrganizationDisplayName xml:lang=\"en-US\">orgdispname<\/md:OrganizationDisplayName>\r\n    <md:OrganizationURL xml:lang=\"en-US\">http://my.org<\/md:OrganizationURL>\r\n  <\/md:Organization>\r\n  <md:ContactPerson contactType=\"technical\">\r\n    <md:GivenName>techname<\/md:GivenName>\r\n    <md:EmailAddress>tech@mail.dk<\/md:EmailAddress>\r\n  <\/md:ContactPerson>\r\n  <md:ContactPerson contactType=\"support\">\r\n    <md:GivenName>support name<\/md:GivenName>\r\n    <md:EmailAddress>support@mail.dk<\/md:EmailAddress>\r\n  <\/md:ContactPerson>\r\n<\/md:EntityDescriptor>",
      "saml.response.script": "%{script:groovy}def log = org.slf4j.LoggerFactory.getLogger(\"samlscript\")\r\n\r\n// Parse the SAML Response\r\ndef samlResponse = new XmlParser().parseText( saml )\r\nlog.info(\"SAML Issuer: {}\", samlResponse.Issuer)\r\n\r\n// Find the AttributeStatement entry\r\ndef attrStatement = samlResponse.Assertion.AttributeStatement[0]\r\n\r\n// Add a new Attribute with a name and an AttributeValue\r\ndef attr = attrStatement.appendNode('Attribute',[Name: 'AdditionalInfo'])\r\nattr.appendNode('AttributeValue', [:], 'SomeValue')\r\n\r\ndef result = XmlUtil.serialize(samlResponse)\r\nlog.debug(\"SAML response modified to {}\", result)\r\n\r\nreturn result"
    },
    {
      "name": "adfs",
      "description": "Microsoft ADFS as a Service Provider, using Ceptor as Identity Provider",
      "display.name": "AssecoCeptor Test ADFS2",
      "url": "https://adfs2.itptest.dk/adfs/ls/",
      "issuer": "https://www.pptest.dk:4443/adfs",
      "identifiers": [
        "https://www.pptest.dk:4443/adfs",
        "http://adfs2.itptest.dk/adfs/services/trust"
      ],
      "attributes": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=userid",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=username",
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role=groups",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=email1"
      ],
      "keystore": {
        "file": "${ceptor.home}/config/x509/issuer/certissuer.pfx",
        "password": "password",
        "password.per.alias": []
      }
    }
  ]
}
