# Configuration file for Confluence HTTP Authenticator # Whether or not to support local logins # Acceptable values: true, false local.login.supported=true # Whether to create user accounts for new users # Acceptable values: true, false # Check and set adminUserId below, if set true. create.users=true # Whether existing accounts should have their name and email address updated upon login. This is strongly suggested if # create.users is true. # Acceptable values: true, false update.info=true # Whether new and existing accounts should have their last login date and previous login date updated in user properties # upon login. # Acceptable values: true, false update.last.login.date=true # Whether the configuration file should be automatically reloaded when it's changed. reload.config=false # When reloading the configuration file, how long to wait (in milliseconds) between checking the configuration file for # changes. reload.config.check.interval=5000 # The default group(s) to for newly created users, only used if create.users is true. # # Notes: # * Group name list can be comma or semicolon delimited. # * Currently groups must pre-exist. default.roles=confluence-users # Name of the admin user account with which to execute createUser transaction call. Should be at least a Confluence Administrator # role as given at https://confluence.atlassian.com/doc/global-permissions-overview-138709.html # required if users.create is true, since Confluence v8 adminUserId= # HTTP header/attr. names where the user's full name, email address and username will come from. The full name and email # address headers need not be populated (can be provided as empty values in the headers by Shibboleth for example if # Shibboleth can provide no full name or email address for a user). If header.fullname is unspecified or the full name # provided by the header value is empty or null then it will default to specifying the user id as the full name. If the # header.email is unspecified or the value of the header is null the user's email address will be null. # # Although these two user fields may not seem so important at first, note that whenever a user modifies a wiki page, # their full name is displayed as the person that last modified the page, and similarly their full name is noted next to # any comment that they add to a page. Email address is important because when a user chooses to put a "watch" on a wiki # page, they get emails when that page is changed. # # The headers matching the Shibboleth defaults would be: # header.fullname=Shib-InetOrgPerson-displayName # header.email=Shib-InetOrgPerson-mail # # Note: if the header value contains commas or semicolons, then it will choose the first value in the comma or # semicolon-delimited list. # # Note: if fullname mapping is used (see below) then it will try using that first to get full name using this header. # # Each supports a strategy to get this value. All default to 0. Strategy codes mean the following: # 0 - Try request.getAttribute then request.getHeader # 1 - Use request.getAttribute # 2 - Use request.getHeader header.remote_user=REMOTE_USER #header.remote_user.strategy=0 header.email=CONF_EMAIL #header.email.strategy=0 header.fullname=CONF_FULLNAME #header.fullname.strategy=0 # Whether or not to force the username we receive from Shibboleth to be all-lowercase. This was always true in # versions <= 1.7.2 and still defaults to true username.convertcase=true # Regex search term to extract user_id from specific attribute. Default is "^CN=(.*)". # # This filter supports a strategy to get user id attribute value by default as first attribute or use custom one. Strategy codes mean the following: # 0 - Get user id attribute value as first attribute from the header # 1 - Use username.filter to get custom attribute username.filter=CN=([A-Za-z0-9]*) #username.filter.strategy=0 # Indication whether the group memberships of the user should be updated after creation. Acceptable values: true/false. # If true, then group memberships will be added (default.roles, and dynamicroles.header depending on the mapping # headers) whenever the user authenticates, and not just if the user is created by the authenticator. update.roles=true # Indication whether HTTP header values should be converted to UTF-8 to avoid an issue noted by Helsinki University: # "where there is something not using utf-8 involved, 16-bit characters get bytes 83 c2 inserted between." convert.to.utf8=false # OPTIONAL # This feature takes effect only when update.roles is true. List of dynamicroles headers, along side with the labels of # their group-mapper. Each header can have a set of mapper labels to be activated. A header entry without appropriate # assigned label will be ignored # # e.g. say we'd like to perform automatic group provisioning based on headers: "SHIB-EP-ENTITLEMENT", "affiliation", and # our defined "fix-role-header" (note these have to match whatever defined in AAP), then we can define the following: # #dynamicroles.header.SHIB-EP-ENTITLEMENT = label1, label2, label4, label3 #dynamicroles.header.affiliation = label1, label5 # Whether the dynamicroles attempt to automatically create the role in confluence if such role does not exist. dynamicroles.auto_create_role=false # Instruct to convert all output groups into lowercase before creating them on confluence. This is necessary to overcome # some versions of Confluence's limitation of disallowing group names in upper case. Defaults to true. dynamicroles.output.tolowercase=true # Define mapper label and its logic for dynamicroles. Each mapper has to define either # "match" or "transform" property, otherwise it will not be included in the # dynamicroles processing. # # Notes: # # * Colons need to be escaped by \ # * Attribute names are case-insensitive. # * Value list can be comma or semicolon delimited. # # Description of each property: # # * match = java regex string to match against the ENTIRE input, you can use java # regex groupings (http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html#cg) # e.g. to explicitly match a fix string: match= Hello World # to match with grouping: match = some\:urn\:(\\w+):(.*) # # * casesensitive = boolean, whether the match regex should care about case # sensitivity matching, default to true # # * transform = a fix string replacement of the input (e.g. the group or groups). # when not specified, it will simply take the input value. # transform can be a list of groups separated by comma or semicolon e.g. # transform= A, B, C which means if this mapper matches, the output # would be group A, B, and C. You can also use $1..$N to represent # a matched regex group (as done by "match" regex). $0 refers to # the entire input string. # e.g. spit out a fix output: transform = Hello There # reuse some regex grouping: transform = confluence-$1, confluence-$2 # (suppose the input is "some:urn:users:administrators", then # using the last example match regex we are converting # this to "confluence-users" and "confluence-administrators" # # You can leave the .match property empty, which simply means the input is # passed directly for .transform to process. Similarly, if you leave .transform # undefined, then there won't be transformation performed on the input (e.g. # you may want to allow those inputs matching your regex to be included in # confluence and filter out those that don't match. # # examples: # # map "some:urn:group1:group2" to groups called "group1" and "group2" # #dynamicroles.mapper.label1.match=some\:urn\:(\\w+)\:(.*) #dynamicroles.mapper.label1.transform=$1, $2 # # map "StaFF" to "cs100" # #dynamicroles.mapper.map2.match = staff #dynamicroles.mapper.map2.casesensitive = false #dynamicroles.mapper.map2.transform = cs100 # # OPTIONAL # Normally, users added to a group based on Shibboleth attributes would stay in # the group forever, even if they no longer have the attribute. The # purge.roles feature allows to specify a list of groups which should be # automatically purged of any users who no longer have the attributes to regain # entry (comma or semicolon separated). # When logging in, a user will be automatically removed from the group IFF the # user would not be added to the group (either via dynamicroles.header or # default.roles). This feature takes effect only when update.roles is true. # # Example: # remove members from role starting with "alum", "alumni", # or any other "alum*", as well as from cs101. (ignore case sensitivity). # #purge.roles = alum.* , cs101 # OPTIONAL # Maximum roles to purge, since purging too many at once could delay login. #purge.roles.limit = 5 # OPTIONAL # Do mapping on values presented in REMOTE_USER to something understandable # by confluence. Sometimes remote user is mapped to an attribute containing # characters invalid in confluence, use this feature below to do transformation # for it (assuming the original remote-user value hits your confluence without # much of your control). # # This feature has similar syntax to dynamic roles. # # Please make sure that the resultant remote user is: # - unique & single-value # - accepted by confluence (fit into 128 chars length, no weird chars, etc) # # If a regex map doesn't match the input provided, then # the mapping is not performed (e.g. the input is untouched; make sure # you understand the mapping logic). # # Example: suppose the remote user has initial value # "https://idp.edu/idp!https://sp.edu/shibboleth!1234-56789-#00%00-TTT" # and we would like it to be transformed to # "123456789A00c00@idp.edu" # then we can define the following: # #remoteuser=remoteusermap #remoteuser.replace=#,A,%,c,(-|TTT),, #remoteuser.map.remoteusermap.match = ^(http|https)://(.*?)(:|/)?[^!]*?!([^!]*?)!(.*) #remoteuser.map.remoteusermap.casesensitive = false #remoteuser.map.remoteusermap.transform = $5@$2 # # remoteusermap is the mapping label to be used, multiple labels # can be used but only 1st result from the label is chosen as remote user) # # .replace is pair-wise regex & replacement strings to be applied to the FINAL # remote-user once the mapping has been performed. null (as replacement string) # can be represented by simply empty string (e.g. '-' and 'TTT' above are removed) # # OPTIONAL # Do mapping on values presented in header defined as value of header.fullname. This is for those that don't have a # "display name" type attribute that can be exposed to Confluence's Shibboleth SP, but must put a full name together # from multiple values, etc. # # This feature has similar syntax to dynamic roles. # # If a regex map doesn't match the input provided, then # the mapping is not performed, and it will use the first value of that header. # # Example 1: suppose the full name has the header value # "Doe; John" # and we would like it to be transformed to # "John Doe" # then we can define the following: # #fullname=fullnamemap #fullname.map.fullnamemap.match = ^(.*);(.*) #fullname.map.fullnamemap.casesensitive = false #fullname.map.fullnamemap.transform = $2 $1 # # Note: if the expression doesn't match, it will split the string by comma or semi-colon and get the first value, so # the fullname would be: # "Doe" # # Example 2: suppose the full name has the header value # "Doe#,%John" # and we would like it to be transformed to # "John Doe" # then we can define the following: # #fullname=fullnamemap #fullname.replace=#,,%,, #fullname.map.fullnamemap.match = ^(.*),(.*) #fullname.map.fullnamemap.casesensitive = false #fullname.map.fullnamemap.transform = $2 $1 # # Note: if the expression doesn't match, it will split the string by comma or semi-colon and get the first value, so # the fullname would be: # "Doe#" # # fullnamemap is the mapping label to be used, multiple labels # can be used but only 1st result from the label is chosen as remote user) # # .replace is pair-wise regex & replacement strings to be applied to the FINAL # full name once the mapping has been performed. null (as replacement string) # can be represented by simply empty string (e.g. '-' and 'TTT' above are removed) #