# About # ===== # This file is the basis for your shibboleth config for # all entities, hosts, sites, and url paths you want to protect for your organization. # # All slh commands utilize this file to do its thing. # # To run slh commands you need to be in the directory above # shibboleths_lil_helper/config.rb, aka # # shibboleth_deployer/ # # shibboleths_lil_helper/ # # generated/ # config.rb # # Data Model # ========== # A strategy (you can think of this as a container to hold all config associated with an SP Entity ID) # has one entity # has a metadata url # has many hosts # a host has many sites # a site has many protected paths # a protected path can require auth, optionally use auth, or restrict to a # particular set of users # Usage # ===== # * fill in the REQUIRED items and change stuff that is in ALL CAPS # * follow the instructions at https://github.com/umn-asr/shibboleths_lil_helper # Slh.for_strategy :test_idp do # REQUIRED, https://yourorg.umn.edu/shibboleth/default set :sp_entity_id, 'YOUR_ENTITY_ID' # REQUIRED, https://idp-test.shib.umn.edu/metadata.xml set :idp_metadata_url, 'YOUR_IDP_METADATA_URL' # OPTIONAL set :error_support_contact, 'YOUR_ERROR_SUPPORT_EMAIL_ADDRESS' # REQUIRED # Can be either # for_apache_host # or # for_iis_host # SOMEHOSTNAME.COM does not matter externally and might have the same # name as a site underneath it. Most of the times the actual hostname of a # server is different than the sites that live on it # for_apache_host 'SOMEHOSTNAME.COM' do # OPTIONAL # uncomment if your shib stuff lives in a non-standard location # set :shib_prefix, '/swadm/etc/shibboleth' # # REQUIRED # replace with the site of your server for_site 'SOMESITENAME1.COM' do # REQUIRED if this site is underneath a "for_iis_host" block # uncomment if and fill-in if you are using IIS # set :site_id, "YOU_MUST_SET_THE_SITE_ID_HERE_IF_ON_IIS" # # REQUIRED # Each strategy must set this for exactly one site. # Its used as the authoritative source to from which all other # sites metadata's X509Certificate should match # the sp-key.pem and sp-cert.pem files from this host should be # copied to all other hosts underneath the strategy set :is_key_originator, true # REQUIRED for each path you want to protect (or "/" if the entire site) # You should have at least one of these for each site, but can have many # There are three "flavors" of protection # authentication_required: Web-server will force login for any path underneath it # i.e. # protect '/' do # set :flavor, :authentication_required # end # # authentication_optional: Makes it possible for # the app layer to redirect to Shibboleth.sso/Login # Use this when you want the app/site (rather than the web-server) # to be in control of authentication # i.e. # protect 'lazy_auth' do # set :flavor, :authentication_optional # end # # authentication_required_for_specific_users: Require auth and restrict to # a particular set of users (not-tested extensively) # i.e. # protect 'specific_users' do # set :flavor, :authentication_required_for_specific_users # set :specific_users, %w(SOMEUSER@SOME.DOMAIN.COM ANOTHERUSER@SOME.DOMAIN.COM) # end # protect '/' do set :flavor, :authentication_optional end # ... for each protected dir for this site ... end # ... for each site on this host ... end # ... for each host within this strategy (using this entity_id) end # ... for each strategy/aka entity_id ... # OPTIONAL # Uncomment these 3 lines if you want to create a new strategy that is identical # an existing one but integrates against a different IDP. The third param here # should be the URL where the IDP metadata lives (NOT THE IDP ENTITY ID). # # This creates a new strategy from an existing one who's only difference is the idp_metadata.xml # comes from THE_PRODUCTION_IDP_METADATA_URL rather than the one specified in the strategy you are cloning from (the first param) # Slh.clone_strategy_for_new_idp :test_idp, # The name of the strategy you are cloning from # :production_idp, # the name of the strategy you are cloning to # 'THE_PRODUCTION_IDP_METADATA_URL' # the url where the production idp metadata lives