...
{ "oauth2.datastoreclass": "dk.itp.security.authentication.oauth.data.OAuthSQLStore", "proxy": { "enabled": false, "port": 8080 }, "tokens": [ { "name": "sample", "validaudiences": [], "include.in.jwks.metadata": true, "claims": [ "sub=userid", "groups=groups", "name=username" ], "issuer": "https://www.portalprotect.dk", "keyid": "k1", "algorithm": "RS256", "expiration.minutes": 10, "notbefore.minutes.in.past": 2, "openidconnect": true, "keystore": { "provider": "BC", "type": "PKCS12", "file": "${ceptor.home}/config/x509/nemid/kr.pfx", "password": "{encoded}96E1FAF9F9578720", "password.per.alias": [] }, "relax.key.checks": false, "expires.at.exact.time": false, "require.subject": true, "fieldmappers": [] }, { "name": "sample2", "description": "Example token that uses a secret key", "validaudiences": [], "include.in.jwks.metadata": false, "expiration.minutes": 30, "claims": [ "sub=userid", "groups=groups", "name=username" ], "openidconnect": true, "userid.attribute.name": "sub", "username.attribute.name": "name", "role.attribute.name": "groups", "role.pattern": "^admin*", "relax.key.checks": false, "expires.at.exact.time": false, "require.subject": true, "secretkey": "secret", "issuer": "https://ceptor.io/secret", "algorithm": "HS256" }, { "name": "google", "description": "Allows validation of tokens issued by Google", "issuer": "accounts.google.com", "validaudiences": ["371213948273-79eceu24cm64ft69pln0hk2lfapok1bq.apps.googleusercontent.com"], "include.in.jwks.metadata": false, "claims": [], "openidconnect": false, "relax.key.checks": false, "expires.at.exact.time": false, "require.subject": true, "signer.certificates.url": "https://www.googleapis.com/oauth2/v1/certs" }, { "name": "microsoft", "issuer": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0", "validaudiences": ["317190f9-efec-4307-beb9-7f8380a8ae16"], "include.in.jwks.metadata": false, "claims": [], "openidconnect": false, "relax.key.checks": false, "expires.at.exact.time": 
false, "require.subject": true, "signer.certificates.url": "https://login.microsoftonline.com/common/discovery/v2.0/keys", "signer.certificates.refresh.interval.minutes": 120, "userid.attribute.name": "preferred_username", "username.attribute.name": "name" } ], "oauth2.defaulttoken": "sample", "openid.scopes": [ { "name": "email", "description": "Email address in userinfo", "idtoken": ["email=email1"], "accesstoken": [], "userinfo": ["email=email1"] }, { "name": "profile", "description": "User name", "idtoken": ["name=username"], "accesstoken": ["name=username"], "userinfo": ["name=username"] } ], "openid.fields": [{ "name": "address", "description": "User address", "attributes": [ "street_address=address1", "locality=city", "region=state", "postal_code=postal", "country=country" ] }], "openid.identityproviders": [ { "name": "facebook", "description": "Authenticate using facebook", "clientid": "624082557774373", "secret": "{encoded}F89141217749F5FA6306CAF6F9656965F3A5A8E3069BE032136125F3A4B27183", "tokenurl": "https://graph.facebook.com/v2.9/oauth/access_token", "facebook": true, "linkedin": false, "fieldmappers": [] }, { "name": "google", "description": "Google as an identity provider", "clientid": "371213948273-79eceu24cm64ft69pln0hk2lfapok1bq.apps.googleusercontent.com", "secret": "{encoded}806F9FE0C7CBC28D5777D6DE91772DA4961482568956695A", "tokenurl": "https://accounts.google.com/o/oauth2/token", "facebook": false, "linkedin": false, "fieldmappers": [] }, { "name": "microsoft", "description": "Authenticate using microsoft as identity provider", "clientid": "317190f9-efec-4307-beb9-7f8380a8ae16", "secret": "{encoded}9EED6C32369008FE6F3DC027CC0C2195137300594A2620", "tokenurl": "https://login.microsoftonline.com/common/oauth2/v2.0/token", "facebook": false, "linkedin": false, "fieldmappers": [] } ], "oauth2.accesstoken.datastoreclass": "dk.itp.security.authentication.oauth.data.AccessTokenSQLStore", "oauth2.refreshtoken.datastoreclass": 
"dk.itp.security.authentication.oauth.data.RefreshTokenSQLStore", "oauth2.datastorename": "datastore-primary", "oauth2.clients": [{ "name": "Sample", "client_id": "https://www.example.com/", "description": "Example client", "client_secret": "secret", "accesstoken_type": "UUID", "allowed_uris": ["https://www.example.com/oauth2"], "allowed_logout_uris": [], "valid_grant_types": [ "authorization_code", "implicit", "hybrid", "refresh_token" ], "allowed_scopes": [ "openid", "profile", "offline_access" ], "refreshtoken_validity_seconds": 86400, "maximum_idtoken_expiration_minutes": 120 }], "saml.identityproviders": [ { "name": "azure", "description": "Azure Cloud Identity Provider", "display.name": "Ceptor Test", "identifier": "https://ceptor.io", "subject.as.userid": false, "userid.attribute.name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "username.attribute.name": "http://schemas.microsoft.com/identity/claims/displayname", "role.attribute.name": "role;http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "url": "https://login.microsoftonline.com/75700533-6f5e-4bd3-8730-8b46858f4e2c/wsfed", "known.ip.list": "https://login.microsoftonline.com/75700533-6f5e-4bd3-8730-8b46858f4e2c/wsfed", "metadata.url": "https://login.microsoftonline.com/75700533-6f5e-4bd3-8730-8b46858f4e2c/federationmetadata/2007-06/federationmetadata.xml", "metadata.update.interval.minutes": 120 }, { "name": "microsoft", "description": "Use Microsoft online as Identity Provider", "display.name": "Microsoft", "identifier": "317190f9-efec-4307-beb9-7f8380a8ae16", "subject.as.userid": true, "userid.attribute.name": "upn;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "username.attribute.name": "name;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "role.attribute.name": "role;http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "url": "https://login.microsoftonline.com/common/wsfed", "metadata.url": 
"https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml", "serviceprovider.metadata": "<?xml version=\"1.0\"?>\r\n<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\"\r\n\t\t\t\t\t xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"\r\n validUntil=\"%{validuntil}\"\r\n cacheDuration=\"PT1440M\"\r\n entityID=\"317190f9-efec-4307-beb9-7f8380a8ae16\">\r\n <md:SPSSODescriptor AuthnRequestsSigned=\"false\" WantAssertionsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\r\n <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"\r\n Location=\"https://my.server.name/logout\" />\r\n <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"\r\n Location=\"https://my.server.name/logout\" />\r\n <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent<\/md:NameIDFormat>\r\n <md:AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"\r\n Location=\"https://my.server.name/adfs\"\r\n index=\"1\" />\r\n\t\t<md:AttributeConsumingService index=\"0\" isDefault=\"true\">\r\n\t\t <md:ServiceName xml:lang=\"da\">SP<\/md:ServiceName>\r\n\t\t<\/md:AttributeConsumingService>\r\n <\/md:SPSSODescriptor>\r\n <md:Organization>\r\n <md:OrganizationName xml:lang=\"en-US\">My organisation<\/md:OrganizationName>\r\n <md:OrganizationDisplayName xml:lang=\"en-US\">My org<\/md:OrganizationDisplayName>\r\n <md:OrganizationURL xml:lang=\"en-US\">https://my.server.name<\/md:OrganizationURL>\r\n <\/md:Organization>\r\n <md:ContactPerson contactType=\"technical\">\r\n <md:GivenName>Techcontact<\/md:GivenName>\r\n <md:EmailAddress>tech@mail.dk<\/md:EmailAddress>\r\n <\/md:ContactPerson>\r\n <md:ContactPerson contactType=\"support\">\r\n <md:GivenName>Support<\/md:GivenName>\r\n <md:EmailAddress>support@mail.dk<\/md:EmailAddress>\r\n <\/md:ContactPerson>\r\n<\/md:EntityDescriptor>" } ], "saml.serviceproviders": [ { "name": 
"local", "description": "Local example service provider", "keystore": { "file": "${ceptor.home}/config/x509/issuer/certissuer.pfx", "password": "password", "password.per.alias": [] }, "display.name": "Local AssecoCeptor Test ADFS", "url": "https://adfs.itptest.dk/adfs/ls/", "issuer": "http://www.portalprotect.dk/adfs/services/trust", "identifiers": ["http://adfs.itptest.dk/adfs/services/trust"], "attributes": [ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=userid", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=username", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role=groups", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=email1" ], "identityprovider.metadata": "<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"%{validuntil}\" cacheDuration=\"PT1440M\" entityID=\"http://www.portalprotect.dk/adfs/services/trust\">\r\n <md:IDPSSODescriptor WantAuthnRequestsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\r\n <md:KeyDescriptor use=\"signing\">\r\n <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\r\n <ds:X509Data>\r\n <ds:X509Certificate>%{signcert}<\/ds:X509Certificate>\r\n <\/ds:X509Data>\r\n <\/ds:KeyInfo>\r\n <\/md:KeyDescriptor>\r\n <md:KeyDescriptor use=\"encryption\">\r\n <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\r\n <ds:X509Data>\r\n <ds:X509Certificate>%{encryptcert}<\/ds:X509Certificate>\r\n <\/ds:X509Data>\r\n <\/ds:KeyInfo>\r\n <\/md:KeyDescriptor>\r\n <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://login.my.server/logoff\"/>\r\n <md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://login.my.server\"/>\r\n <\/md:IDPSSODescriptor>\r\n <md:Organization>\r\n <md:OrganizationName xml:lang=\"en-US\">orgname<\/md:OrganizationName>\r\n <md:OrganizationDisplayName 
xml:lang=\"en-US\">orgdispname<\/md:OrganizationDisplayName>\r\n <md:OrganizationURL xml:lang=\"en-US\">http://my.org<\/md:OrganizationURL>\r\n <\/md:Organization>\r\n <md:ContactPerson contactType=\"technical\">\r\n <md:GivenName>techname<\/md:GivenName>\r\n <md:EmailAddress>tech@mail.dk<\/md:EmailAddress>\r\n <\/md:ContactPerson>\r\n <md:ContactPerson contactType=\"support\">\r\n <md:GivenName>support name<\/md:GivenName>\r\n <md:EmailAddress>support@mail.dk<\/md:EmailAddress>\r\n <\/md:ContactPerson>\r\n<\/md:EntityDescriptor>", "saml.response.script": "%{script:groovy}def log = org.slf4j.LoggerFactory.getLogger(\"samlscript\")\r\n\r\n// Parse the SAML Response\r\ndef samlResponse = new XmlParser().parseText( saml )\r\nlog.info(\"SAML Issuer: {}\", samlResponse.Issuer)\r\n\r\n// Find the AttributeStatement entry\r\ndef attrStatement = samlResponse.Assertion.AttributeStatement[0]\r\n\r\n// Add a new Attribute with a name and an AttributeValue\r\ndef attr = attrStatement.appendNode('Attribute',[Name: 'AdditionalInfo'])\r\nattr.appendNode('AttributeValue', [:], 'SomeValue')\r\n\r\ndef result = XmlUtil.serialize(samlResponse)\r\nlog.debug(\"SAML response modified to {}\", result)\r\n\r\nreturn result" }, { "name": "adfs", "description": "Microsoft ADFS as a Service Provider, using Ceptor as Identity Provider", "display.name": "AssecoCeptor Test ADFS2", "url": "https://adfs2.itptest.dk/adfs/ls/", "issuer": "https://www.pptest.dk:4443/adfs", "identifiers": [ "https://www.pptest.dk:4443/adfs", "http://adfs2.itptest.dk/adfs/services/trust" ], "attributes": [ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=userid", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=username", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role=groups", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=email1" ], "keystore": { "file": "${ceptor.home}/config/x509/issuer/certissuer.pfx", "password": "password", "password.per.alias": [] } } ] }
...