...
Adjusting from where a configuration is loaded is done by changing the type of the <ConfigurationResource>. The following configuration snippet loads an IdP's attribute filter policy from the local filesystem and is what you would have from a basic installation.
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| title | Attribute Filter Engine Loading Policy from Local Filesystemxml |
|---|
|
<Service id="shibboleth.AttributeFilterEngine"
xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine">
<ConfigurationResource xsi:type="resource:FilesystemResource"
file="/opt/idp/shibboleth-idp-2.1.3/conf/attribute-filter.xml" />
</Service>
|
To fetch the attribute filter policy from an HTTP URL the configuration would become:
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| title | Attribute Filter Engine Loading Policy from HTTP URLxml |
|---|
|
<Service id="shibboleth.AttributeFilterEngine"
xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine">
<ConfigurationResource xsi:type="resource:HttpResource"
url="http://example.org/idpconf/attribute-filter.xml" />
</Service>
|
...
To load configuration files from a Subversion server use the SVN Resource configuration resource type. Here is an example:
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| title | Attribute Filter Engine Loading Policy from Subversionxml |
|---|
|
<Service id="shibboleth.AttributeFilterEngine"
xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine">
<ConfigurationResource xsi:type="resource:SVNResource"
repositoryURL="http://svn.example.org/idp/prod/conf"
workingCopyDirectory="/opt/shibboleth-idp/svnconf"
resourceFile="attribute-filter.xml"
revision="513" />
</Service>
|
...
To load configuration files from a Subversion server use the File-backed HTTP Resource configuration resource type. Here is an example:
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| title | Attribute Filter Engine Loading Policy from File-backed HTTPxml |
|---|
|
<Service id="shibboleth.AttributeFilterEngine"
xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine">
<ConfigurationResource xsi:type="resource:FileBackedHttpResource"
url="http://example.org/idpconf"
file="/opt/shibboleth-idp/httpconf" />
</Service>
|
...
This is remedied by using the property replacement filter within the <ConfigurationResource> that loads the file that contains the sensitive information. This allows such sensitive information to be pulled out in to a property file and merged in to the configuration resource before it is loaded by the IdP.
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| title | Example Attribute Resolver Configuration Loaded from SVN with Property Replacementxml |
|---|
|
<Service id="shibboleth.AttributeResolver"
xsi:type="attribute-resolver:ShibbolethAttributeResolver">
<ConfigurationResource xsi:type="resource:SVNResource"
repositoryURL="http://svn.example.org/idp/prod/conf"
workingCopyDirectory="/opt/shibboleth-idp/svnconf"
resourceFile="attribute-resolver.xml"
revision="513">
<ResourceFilter xsi:type="PropertyReplacement"
xmlns="urn:mace:shibboleth:2.0:resource"
propertyFile="/opt/idp/shibboleth-idp/conf/config.properties"/>
</ConfigurationResource>
</Service>
|
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| title | Attribute Resolver LDAP Data Connector with Properties for Sensitive Informationxml |
|---|
|
<resolver:DataConnector id="myLDAP"
xsi:type="LDAPDirectory"
xmlns="urn:mace:shibboleth:2.0:resolver:dc"
ldapURL="ldap://example.org"
baseDN="ou=people,dc=example,dc=org"
principal="${ldap.principal}"
principalCredential="${ldap.credential}" >
<FilterTemplate>(uid=$requestContext.principalName)</FilterTemplate>
</resolver:DataConnector>
|
...