CSCfi · apurvann · Feb 7, 2019
diff --git a/openshift_playbooks/files/attribute-map.xml b/openshift_playbooks/files/attribute-map.xml
@@ -0,0 +1,254 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!-- First some useful eduPerson attributes that many sites might use. -->
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="SHIB_eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="SHIB_eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+
+    <Attribute name="scopedEPPN" id="SHIB_scoped_eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="SHIB_affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="SHIB_affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="SHIB_unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="SHIB_unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="SHIB_entitlement"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="SHIB_entitlement"/>
+
+    <!-- A persistent id attribute that supports personalized anonymous access. -->
+
+    <!-- First, the deprecated version: -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="SHIB_targeted-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+
+    <!-- Second, the new version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
+    </Attribute>
+
+    <!-- Third, the SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
+    </Attribute>
+
+    <!-- Some more eduPerson attributes, uncomment these to use them... -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="SHIB_primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="SHIB_nickname"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="SHIB_primary-orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="SHIB_orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="SHIB_org-dn"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="SHIB_primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="SHIB_nickname"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="SHIB_primary-orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="SHIB_orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="SHIB_org-dn"/>
+
+    <!--Examples of LDAP-based attributes, uncomment to use these... -->
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="SHIB_cn"/>
+    <Attribute name="urn:oid:2.5.4.3" id="SHIB_cn"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:description" id="SHIB_description"/>
+    <Attribute name="urn:oid:2.5.4.13" id="SHIB_description"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="SHIB_displayName"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="SHIB_displayName"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="SHIB_employeeNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="SHIB_employeeNumber"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="SHIB_facsimileTelephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.23" id="SHIB_facsimileTelephoneNumber"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="SHIB_givenName"/>
+    <Attribute name="urn:oid:2.5.4.42" id="SHIB_givenName"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:homePhone" id="SHIB_homePhone"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.20" id="SHIB_homePhone"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:homePostalAddress" id="SHIB_homePostalAddress"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.39" id="SHIB_homePostalAddress"/>
+
+		<Attribute name="urn:mace:dir:attribute-def:jpegPhoto" id="SHIB_jpegPhoto"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.60" id="SHIB_jpegPhoto"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:l" id="SHIB_l"/>
+    <Attribute name="urn:oid:2.5.4.7" id="SHIB_l"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:labeledURI" id="SHIB_labeledURI"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.250.1.57" id="SHIB_labeledURI"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="SHIB_mail"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="SHIB_mail"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:mobile" id="SHIB_mobile"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.41" id="SHIB_mobile"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:o" id="SHIB_o"/>
+    <Attribute name="urn:oid:2.5.4.10" id="SHIB_o"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="SHIB_ou"/>
+    <Attribute name="urn:oid:2.5.4.11" id="SHIB_ou"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:postalAddress" id="SHIB_postalAddress"/>
+    <Attribute name="urn:oid:2.5.4.16" id="SHIB_postalAddress"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="SHIB_postalCode"/>
+    <Attribute name="urn:oid:2.5.4.17" id="SHIB_postalCode"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="SHIB_preferredLanguage"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="SHIB_preferredLanguage"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="SHIB_seeAlso"/>
+    <Attribute name="urn:oid:2.5.4.34" id="SHIB_seeAlso"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="SHIB_sn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="SHIB_sn"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:street" id="SHIB_street"/>
+    <Attribute name="urn:oid:2.5.4.9" id="SHIB_street"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="SHIB_telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.20" id="SHIB_telephoneNumber"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:title" id="SHIB_title"/>
+    <Attribute name="urn:oid:2.5.4.12" id="SHIB_title"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:uid" id="SHIB_uid"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="SHIB_uid"/>
+
+
+    <!-- Non funetEduPerson attributes -->
+    <Attribute name="urn:mace:dir:attribute-def:initials" id="SHIB_initials"/>
+    <Attribute name="urn:oid:2.5.4.43" id="SHIB_initials"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="SHIB_carLicense"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="SHIB_carLicense"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="SHIB_departmentNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="SHIB_departmentNumber"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="SHIB_employeeType"/>
+    <Attribute name="urn:oid:1.2.840.113556.1.2.613" id="SHIB_employeeType"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:manager" id="SHIB_manager"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="SHIB_manager"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:street" id="SHIB_street"/>
+    <Attribute name="urn:oid:2.5.4.9" id="SHIB_street"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="SHIB_postOfficeBox"/>
+    <Attribute name="urn:oid:2.5.4.18" id="SHIB_postOfficeBox"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="SHIB_businessCategory"/>
+    <Attribute name="urn:oid:2.5.4.15" id="SHIB_businessCategory"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="SHIB_physicalDeliveryOfficeName"/>
+    <Attribute name="urn:oid:2.5.4.19" id="SHIB_physicalDeliveryOfficeName"/>
+
+
+    <!-- Schac attributes  -->
+    <Attribute name="urn:mace:terena.org:schac:attribute-def:schacMotherTongue" id="SHIB_schacMotherTongue"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.1" id="SHIB_schacMotherTongue"/>
+
+    <Attribute name="urn:mace:terena.org:schac:attribute-def:schacGender" id="SHIB_schacGender"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.2" id="SHIB_schacGender"/>
+
+    <Attribute name="urn:mace:terena.org:schac:attribute-def:schacDateOfBirth" id="SHIB_schacDateOfBirth"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.3" id="SHIB_schacDateOfBirth"/>
+
+    <Attribute name="urn:mace:terena.org:schac:attribute-def:schacPlaceOfBirth" id="SHIB_schacPlaceOfBirth"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.4" id="SHIB_schacPlaceOfBirth"/>
+
+    <Attribute name="urn:mace:terena.org:schac:attribute-def:schacCountryOfCitizenship" id="SHIB_schacCountryOfCitizenship"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.5" id="SHIB_schacCountryOfCitizenship"/>
+
+    <Attribute name="urn:mace:terena.org:schac:attribute-def:schacHomeOrganization" id="SHIB_schacHomeOrganization"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="SHIB_schacHomeOrganization"/>
+
+    <Attribute name="urn:mace:terena.org:schac:attribute-def:schacHomeOrganizationType" id="SHIB_schacHomeOrganizationType"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" id="SHIB_schacHomeOrganizationType"/>
+
+    <Attribute name="urn:mace:terena.org:schac:attribute-def:schacCountryOfResidence" id="SHIB_schacCountryOfResidence"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.11" id="SHIB_schacCountryOfResidence"/>
+
+    <Attribute name="urn:mace:terena.org:schac:attribute-def:schacUserPresenceID" id="SHIB_schacUserPresenceID"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.12" id="SHIB_schacUserPresenceID"/>
+
+    <Attribute name="urn:mace:terena.org:schac:attribute-def:schacPersonalUniqueCode" id="SHIB_schacPersonalUniqueCode"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" id="SHIB_schacPersonalUniqueCode"/>
+
+    <Attribute name="urn:mace:terena.org:schac:attribute-def:schacPersonalUniqueID" id="SHIB_schacPersonalUniqueID"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.15" id="SHIB_schacPersonalUniqueID"/>
+
+    <Attribute name="urn:mace:terena.org:schac:attribute-def:schacUserStatus" id="SHIB_schacUserStatus"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.19" id="SHIB_schacUserStatus"/>
+
+
+		<!-- FunetEduPerson attributes -->
+		<Attribute name="urn:mace:funet.fi:attribute-def:funetEduPersonTargetDegree" id="SHIB_funetEduPersonTargetDegree"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.16161.1.1.11" id="SHIB_funetEduPersonTargetDegree"/>
+
+    <Attribute name="urn:mace:funet.fi:attribute-def:funetEduPersonProgram" id="SHIB_funetEduPersonProgram"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.16161.1.1.12" id="SHIB_funetEduPersonProgram"/>
+
+    <Attribute name="urn:mace:funet.fi:attribute-def:funetEduPersonSpecialisation" id="SHIB_funetEduPersonSpecialisation"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.16161.1.1.13" id="SHIB_funetEduPersonSpecialisation"/>
+
+    <Attribute name="urn:mace:funet.fi:attribute-def:funetEduPersonStudyStart" id="SHIB_funetEduPersonStudyStart"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.16161.1.1.14" id="SHIB_funetEduPersonStudyStart"/>
+
+    <Attribute name="urn:mace:funet.fi:attribute-def:funetEduPersonPrimaryStudyStart" id="SHIB_funetEduPersonPrimaryStudyStart"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.16161.1.1.15" id="SHIB_funetEduPersonPrimaryStudyStart"/>
+
+    <Attribute name="urn:mace:funet.fi:attribute-def:funetEduPersonStudyToEnd" id="SHIB_funetEduPersonStudyToEnd"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.16161.1.1.16" id="SHIB_funetEduPersonStudyToEnd"/>
+
+    <Attribute name="urn:mace:funet.fi:attribute-def:funetEduPersonPrimaryStudyToEnd" id="SHIB_funetEduPersonPrimaryStudyToEnd"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.16161.1.1.17" id="SHIB_funetEduPersonPrimaryStudyToEnd"/>
+
+    <Attribute name="urn:mace:funet.fi:attribute-def:funetEduPersonCreditUnits" id="SHIB_funetEduPersonCreditUnits"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.16161.1.1.18" id="SHIB_funetEduPersonCreditUnits"/>
+
+    <Attribute name="urn:mace:funet.fi:attribute-def:funetEduPersonECTS" id="SHIB_funetEduPersonECTS"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.16161.1.1.19" id="SHIB_funetEduPersonECTS"/>
+
+    <Attribute name="urn:mace:funet.fi:attribute-def:funetEduPersonStudentCategory" id="SHIB_funetEduPersonStudentCategory"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.16161.1.1.20" id="SHIB_funetEduPersonStudentCategory"/>
+
+    <Attribute name="urn:mace:funet.fi:attribute-def:funetEduPersonStudentStatus" id="SHIB_funetEduPersonStudentStatus"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.16161.1.1.21" id="SHIB_funetEduPersonStudentStatus"/>
+
+    <Attribute name="urn:mace:funet.fi:attribute-def:funetEduPersonStudentUnion" id="SHIB_funetEduPersonStudentUnion"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.16161.1.1.22" id="SHIB_funetEduPersonStudentUnion"/>
+
+    <Attribute name="urn:mace:funet.fi:attribute-def:funetEduPersonHomeCity" id="SHIB_funetEduPersonHomeCity"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.16161.1.1.23" id="SHIB_funetEduPersonHomeCity"/>
+
+    <Attribute name="urn:mace:funet.fi:attribute-def:funetEduPersonEPPNTimeStamp" id="SHIB_funetEduPersonEPPNTimeStamp"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.16161.1.1.24" id="SHIB_funetEduPersonEPPNTimeStamp"/>
+
+    <!-- Haka logout -->
+		<Attribute name="urn:mace:funet.fi:haka:logout-url" id="SHIB_logouturl"/>
+		<Attribute name="urn:oid:1.3.6.1.4.1.16161.3.1" id="SHIB_logouturl"/>
+</Attributes>
diff --git a/openshift_playbooks/files/shibd.logger b/openshift_playbooks/files/shibd.logger
@@ -0,0 +1,69 @@
+# set overall behavior
+log4j.rootCategory=DEBUG, shibd_log, warn_log
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+#log4j.category.XMLTooling.SOAPClient=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# logs XML being signed or verified if set to DEBUG
+log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
+log4j.additivity.XMLTooling.Signature.Debugger=false
+
+# the tran log blocks the "default" appender(s) at runtime
+# Level should be left at INFO for this category
+log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
+log4j.additivity.Shibboleth-TRANSACTION=false
+# uncomment to suppress particular event types
+#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN
+#log4j.category.Shibboleth-TRANSACTION.Login=WARN
+#log4j.category.Shibboleth-TRANSACTION.Logout=WARN
+
+# define the appenders
+
+log4j.appender.shibd_log=org.apache.log4j.RollingFileAppender
+log4j.appender.shibd_log.fileName=/var/log/shibboleth/shibd.log
+log4j.appender.shibd_log.maxFileSize=1000000
+log4j.appender.shibd_log.maxBackupIndex=10
+log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.shibd_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
+log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log
+log4j.appender.warn_log.maxFileSize=1000000
+log4j.appender.warn_log.maxBackupIndex=10
+log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+log4j.appender.warn_log.threshold=WARN
+
+log4j.appender.tran_log=org.apache.log4j.RollingFileAppender
+log4j.appender.tran_log.fileName=/var/log/shibboleth/transaction.log
+log4j.appender.tran_log.maxFileSize=1000000
+log4j.appender.tran_log.maxBackupIndex=20
+log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.tran_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.sig_log=org.apache.log4j.FileAppender
+log4j.appender.sig_log.fileName=/var/log/shibboleth/signature.log
+log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.sig_log.layout.ConversionPattern=%m