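<config>

    <service name="default" alias="server-config"/>

    <!-- ############################################################################## -->

    <!--
        OA4MP delegation-server configuration (Ansible/Jinja2 template). Values in
        double braces are supplied by the playbook/inventory at render time.

        NOTE(review): the rendered file embeds the database and keystore passwords and
        names the private JWK signing key, so it must be installed readable only by the
        service account (e.g. mode 0600). Verify this in the task that writes it.
    -->
    <service name="server-config" address="https://{{ inventory_hostname }}/{{ oa4mp_server }}" debug="true">

        <!-- Regular logs: rotated, logFileCount files of logSize each -->
        <logging logFileName="{{ oa4mp_server_log_dir }}/{{ oa4mp_server }}.log"
                 logName="oauth2"
                 logSize="10000000"
                 logFileCount="10"
                 debug="true"
        />

        <!--
            Trace logs, written next to the regular log.
            NOTE(review): debug is enabled on the service and on both loggers. Debug and
            trace output can include per-request attribute values; confirm this verbosity
            is intended for this deployment and that the log directory is not readable by
            other users on the host.
        -->
        <traceLogging logFileName="{{ oa4mp_server_log_dir }}/trace.log"
                      logName="trace"
                      logSize="10000000"
                      logFileCount="3"
                      debug="true"
        />

        <!--
            JSON Web Key used for signing. defaultKeyID names the key id to sign with;
            the file at <path> holds the private key, which presumably signs every token
            this server issues. Protect the file like any other signing key and plan its
            rotation (a new key id plus a new file).
        -->
        <JSONWebKey defaultKeyID="{{ oa4mp_server_jwk_key_id }}">
            <path>{{ oa4mp_server_jwk_file }}</path>
        </JSONWebKey>

        <!--
            Claim mappings: for each OIDC scope, the claims released and the attribute
            name each claim is read from. Scopes are presumably granted per client, so
            the identifier attributes under org.cilogon.userinfo (eppn, eptid, epuid)
            should only reach clients approved for that scope. TODO confirm against the
            client-approval policy.
        -->
        <scopes handler="org.delegserver.oauth2.DSDynamicScopeHandler">
            <scope name="edu.uiuc.ncsa.myproxy.getcert">
                <claim name="cert_subject_dn">X509_CERT_SUBJECT</claim>
            </scope>
            <scope name="email">
                <claim name="email">mail</claim>
            </scope>
            <scope name="openid">
                <!--
                    The 'sub' claim is always sent and it defaults to whatever the
                    authorizationServlet returns as a username
                -->
                <!-- <claim name="sub">REMOTE_USER</claim> -->
            </scope>
            <scope name="profile">
                <claim name="given_name">givenName</claim>
                <claim name="family_name">sn</claim>
            </scope>
            <scope name="org.cilogon.userinfo">
                <claim name="idp">Shib-Authenticating-Authority</claim>
                <claim name="idp_display_name">o</claim>
                <claim name="eduPersonTargetedID">eptid</claim>
                <claim name="eduPersonPrincipalName">eppn</claim>
                <claim name="eduPersonUniqueId">epuid</claim>
                <claim name="eduPersonScopedAffiliation">affiliation</claim>
                <claim name="name">displayName</claim>
            </scope>
        </scopes>

        <!--
            DN generator: builds the subject DN exposed as X509_CERT_SUBJECT for the
            certificate that is issued. Each child lists candidate source attributes;
            from the layout these look like an ordered fallback list (first present
            value wins). TODO confirm against the dnGenerator implementation.

            baseDN="DC=Example,DC=NL" appears to be a placeholder; the commented-out
            line above it shows the rcauth.eu form. Replace it before a real deployment.
        -->
        <!-- <dnGenerator attributeName="X509_CERT_SUBJECT" type="rfc2253" baseDN="DC=rcauth-clients,DC=rcauth,DC=eu"> -->
        <dnGenerator attributeName="X509_CERT_SUBJECT" type="rfc2253" baseDN="DC=Example,DC=NL">
            <cnName>
                <source>displayName</source>
                <source>givenName+sn</source>
                <source>cn</source>
            </cnName>
            <cnUniqueId>
                <source>epuid</source>
                <source>eppn</source>
                <source>eptid</source>
            </cnUniqueId>
            <organisation>
                <source>schacHomeOrganization</source>
                <!-- "url" refers to the URLDomainNameFilter registered in attributeFilters below -->
                <source filter="url">o</source>
            </organisation>
            <extensions>
                <!--
                    NOTE(review): this places the user's mail address into the issued
                    certificate (presumably as an extension such as subjectAltName), i.e.
                    PII that every relying party sees. Confirm this is required.
                -->
                <source name="email">mail</source>
            </extensions>
        </dnGenerator>

        <!--
            Named attribute filters referenced by filter="..." on a <source>. Only "url"
            is used above; shout/leetify/missepll look like demo/test transforms.
            Confirm they are wanted in a production template, otherwise drop them.
        -->
        <attributeFilters>
            <filter name="url">org.delegserver.oauth2.shib.filters.URLDomainNameFilter</filter>
            <filter name="shout">org.delegserver.oauth2.shib.filters.ShoutFilter</filter>
            <filter name="leetify">org.delegserver.oauth2.shib.filters.LeetifyFilter</filter>
            <filter name="missepll">org.delegserver.oauth2.shib.filters.MissepllFilter</filter>
        </attributeFilters>


        {% if oa4mp_server_db_conf == "fileStore" %}

        <!--
            File-backed store: transactions, client registrations, client approvals and
            trace records live under the storage directory. That directory should be
            accessible to the service account only; the transaction store presumably
            holds live authorization state.
        -->
        <{{ oa4mp_server_db_conf }} path="{{ oa4mp_server_storage_dir }}">
            <transactions/>
            <clients/>
            <clientApprovals/>
            <traceRecords/>
        </{{ oa4mp_server_db_conf }}>

        {% else %}

        <!--
            RDBMS-backed store; the element name is taken from oa4mp_server_db_conf.
            Credentials are passed through Jinja2's escape filter: Ansible renders
            templates with autoescape off, so a user name or password containing
            " & < would otherwise break the attribute or inject markup into the
            rendered XML. escape emits entity references (&amp; &lt; &gt; &#34; &#39;)
            which the XML parser decodes back to the original value; values without
            those characters render exactly as before.
        -->
        <{{ oa4mp_server_db_conf }} username="{{ oa4mp_server_db_user | escape }}"
                                     password="{{ oa4mp_server_db_pw | escape }}"
                                     database="{{ oa4mp_server_db }}"
                                     schema="{{ oa4mp_server_db }}" >
            <transactions/>
            <clients/>
            <clientApprovals/>
            <traceRecords/>
        </{{ oa4mp_server_db_conf }}>

        {% endif %}

        <!--
            MyProxy CA back end. The PKCS#12 keystore presumably holds the client
            credential this server presents to the CA; its password is escaped for the
            same reason as the database password (see the RDBMS branch above).
        -->
        <myproxy host="{{ myproxy_ca_host }}" port="{{ myproxy_ca_port }}">
            <keystore path="{{ oa4mp_server_keystore }}"
                      type="pkcs12"
                      password="{{ oa4mp_server_keystore_pw | escape }}"
                      factory="SunX509" />
        </myproxy>

        <!--
            Authentication: the authenticated user name is read from the HTTP request
            header named by oa4mp_remote_user (useHeader), and requireHeader presumably
            rejects requests that lack it. This trusts the header completely, so the
            fronting Shibboleth SP / httpd must be the only component able to set it
            and must strip any client-supplied copy; otherwise any caller can choose
            its own identity. Verify the httpd/SP configuration that sets this header.
        -->
        <authorizationServlet useHeader="true" requireHeader="true" headerFieldName="{{ oa4mp_remote_user }}" />

    </service>

</config>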