[main] ############################ BOOTSTRAP CONFIGURATION ########################### # # MANDATORY SECTION - YOU MUST REVIEW AND SET EACH VALUE # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Specify the entity ID (technical name) of the IdP. This value is optional and # can be left unset. If usent, the entity ID will be created based on the HOST_NAME # value below. #ENTITY_ID=https://idp.example.edu/idp/shibboleth # Specify the externally facing address for this IdP. Typically you would have # a DNS entry for this. Do *NOT* use 'localhost' or any other local address. #HOST_NAME=idp.example.edu # The federation environment # Allowable values: {test, production} (case-sensitive) #ENVIRONMENT=test # Your organisation's name #ORGANISATION_NAME="The University of Example" # The base domain for your organisation #ORGANISATION_BASE_DOMAIN=example.edu # Your schacHomeOrganizationType. # See http://www.terena.org/activities/tf-emc2/schacreleases.html # Relevant values are: # urn:mace:terena.org:schac:homeOrganizationType:au:university # urn:mace:terena.org:schac:homeOrganizationType:au:research-institution # urn:mace:terena.org:schac:homeOrganizationType:au:other #HOME_ORG_TYPE=urn:mace:terena.org:schac:homeOrganizationType:au:university # The attribute used for AuEduPersonSharedToken, eduPersonTargetedId and # the persistent Name ID value generation. # # IMPORTANT: The generation of AuEduPersonSharedToken and EduPersonTargetedId # require the value from the specified source attribute. If the value changes, # it will change the AuEduPersonSharedToken and EduPersonTargetedId. This will # cause the user to lose access in the federation. It is *critical* that you # specify an attribute that will never change. # # Generally use uid for most LDAP servers and sAMAccountName for MS Active # Directory. In some situations the directory will use cn (commonName) to hold # the user's unique login name. # # The attribute choose MUST provide a unique single value for ALL users. If # this is not the case no value will be provided for the auEduPersonSharedToken. # #SOURCE_ATTRIBUTE_ID=uid # The attribute used to generate the subject ID and pairwise ID attributes. # These are new attributes values that will eventually replace eduPersonTargetedID # and may replace auEduPersonSharedToken. # # These attributes will be created on the fly and based on the persistent attribute # that MUST have the following properties: # * Persistent - NEVER changes once assigned to a user # * Non-reassignable - Is NEVER reassigned to another user # * Opaque - Does NOT allow the relying party to positively identify the subject # # If your Identity system does not currently have such an attribute provided for # each user you MUST leave the following value blank. # # WARNING: Once you have assigned a value, you can NOT change it. If it does change # all of your users' identities will change! # #PERSISTENT_ATTRIBUTE_ID= # Perform a system update as part of the bootstrap and every time you run # the update-idp script to ensure all of your operating system software is # patched and up to date. Setting this value to "true" is recommended. # Valid values are either "true" or "false". #OS_UPDATE=true [logging] # # These settings allow the IdP to send anonomitized FTicks logs to the AAF central # log server. These logs will be used to generate federation utilization reports. # Please contact support@aaf.edu.au to obtain the key_id and secret_key values for # the values below. You can complete this configuration later by adding the value # to your host_vars/[server_domain] file and running the deploy script. # #FTICKS_KEY_ID= # #FTICKS_SECRET_KEY= [ldap] # OPTIONAL SECTION # ~~~~~~~~~~~~~~~~ # LDAP address Shibboleth IdP will connect to #LDAP_URL=ldap://ldap.example.edu:389 # Point from where LDAP will search for users #LDAP_BASE_DN="ou=Users,dc=example,dc=edu" # The administrator's bind dn #LDAP_BIND_DN="cn=Manager,dc=example,dc=edu" # The adminstrator's password # Note: If any of the following special characters appear in your # password you must add an escape "\" before each one. # The special characters are # - $ (Dollars), # - " (Double quote), # - / (Forward Slash) # Back Slash MUST never be used! # The password: 'ReQ$-"/xxp4' would be entered as 'ReQ\$-\"\/xxp4' # #LDAP_BIND_DN_PASSWORD="p@ssw0rd" # Specify the attribute for user queries # # Generally use uid for most LDAP servers and sAMAccountName for MS Active # Directory. In some situations the directory will use cn (commonName) to hold # the user's unique login name. # #LDAP_USER_FILTER_ATTRIBUTE="uid" [policy] # # REFEDS and other policy related settings # # This IdP conforms to the REFEDS Baseline Expectations v1 for Identity Providers # Ref: https://refeds.org/baseline-expectations # REFEDS_BASELINE_IDP_V1="false" # This IdP conforms to the REFEDS Assurance Frame V2. # To conform to this framework, the IdP must also conform to the REFEDS Baseline # Expectations v1 (see above). # Ref: https://refeds.org/assurance # REFEDS_ASSURANCE_V2="false" # REFEDS RAF Identifier Unquie REFEDS_RAF_UNIQUE="false" # REFEDS RAF Uniqueness of eduPersonPrincipalName. "no-reassign" or "reassign-1y" REFEDS_RAF_EPPN_UNIQUE="no-reassign" # REFEDS RAF Freshness. "1d" or "1m" REFEDS_RAF_EPA="1d" # This IdP conforms to the REFEDS Research and Scholarship (R&S) v1.3 # Ref: http://refeds.org/category/research-and-scholarship # REFEDS_R_AND_S_V1_3="false" # This IdP conforms to the REFEDS Anonymous Access v.2 # Ref: https://refeds.org/category/anonymous # REFEDS_ANONYMOUS_V2="false" # This IdP conforms to the REFEDS Pseudonymous Access v.2 # Ref: https://refeds.org/category/pseudonymous # REFEDS_PSEUDONYMOUS_V2="false" # This IdP conforms to the REFEDS Personalized Access v.2 # Ref: https://refeds.org/category/personalized # REFEDS_PERSONALIZED_V2="false" # This IdP conforms to the REFEDS Code of Conduct v.2 # Ref: https://refeds.org/category/code-of-conduct/v2 # REFEDS_CODE_OF_CONDUCT_V2="false" [advanced] # ADVANCED SECTION # ~~~~~~~~~~~~~~~~ # The base path for Shibboleth and the IdP Installer configuration. # Changing the base path MUST only occur here, do not attempt to change # the base after the initial install. INSTALL_BASE=/opt # Select the local Firewall that will be running on your server. The default # is firewalld which is the default for CentOS and RHEL 7. Some organisations # have selected to maintain iptables. You can also select to not have the # installer maintain your local firewall but this is definitly NOT recommended. # Relevant values are: # firewalld (default) # Adds ports 433 (https) and 8443 (IdP backchannel) ports to the # firewalld config. All other configuration remains unchanged. # iptables # Adds ports 22 (ssh), 443 (https) and 8443 (IdP backchannel) ports # to the iptables config. Other firewall settings may be overwritten! # none # You are responsible for the maintance of the servers firewall. No # changes to the local firewall are made in this mode. # FIREWALL=firewalld # # The Shibboleth IdP can provide a back channel for Service Providers to # communicate directly with the Identity Provider. This has been used for # attribute release, transmission of messages via SAML Artifact and more recently # for backchannel SLO. The AAF have idenified that none of the use cases for # the backchannel are relevant to operation within the AAF, and therefore # recommend it no longer be enabled by default. If it is required, for example # for a standalone Attribute Authority service, then setting the following to true # will enable configuration for the backchannel. # ENABLE_BACKCHANNEL=false # # Enable your IdP to participate in eduGAIN (https://aaf.edu.au/edugain/). Your # orgainisation must be enabled at the federation before being enabled to use # eduGAIN services. Setting the following values to true will only technically # enable your IdP. You MUST complete the steps described AAF eduGAIN web site in # addition to making the technical changes. # ENABLE_EDUGAIN=false # # If your IdP is behind a load balancer that is SSL Offloading, set the following # value to true. The will enable the IdP to recieve requests on port 80 from the # load balancer. Note: The IdP MUST be within your DMZ or similarly protected area # that will not allow general access to port 80 on the IdP. IDP_BEHIND_PROXY=false # # The following option allows you to downgrade encryption from GCM to CBC for all # services. Some older services will fail as they are unable to process newer # encryption. The recommended approach is to leave the default set at GMC, and # carve out exceptions for each SP that doesn't support GCM. Use the he Algorithm # Metadata Filter (https://wiki.shibboleth.net/confluence/display/IDP4/AlgorithmFilter) # to achieve this. # # Changing the global setting to CBC is is NOT recommended for production deployments! # Please see: https://wiki.shibboleth.net/confluence/display/IDP4/GCMEncryption for # more details. DEFAULT_ENCRYPTION=GCM # # Web Proxy setting. Only required if your IdP sits behind a web proxy that is uses # to retrieve files from the Internet. Files such as federation metadata. #WEB_PROXYHOST=proxy.example.edu.au #WEB_PROXYPORT=80