# GridShib SAML Tools: TeraGrid Science Gateway config properties

#####################################################################
#
# Gateway Community Credential
#
# The GridShib SAML Tools require an issuing credential used
# to sign the proxy certificate containing the SAML token.
# The SAML Tools ship with a default credential for testing,
# but a gateway should override this default and configure
# its community credential below.
#
# Both the certLocation and keyLocation properties are
# required. The two config properties are specified as
# system-independent file locations (i.e., file: URIs).
#
#####################################################################

# the location of the community credential:
#certLocation=file:///etc/grid-security/communitycert.pem
#keyLocation=file:///etc/grid-security/communitykey.pem

#####################################################################
#
# Identity Provider entityID
#
# The Identity Provider (IdP) entityID is the unique identifier
# for the IdP (which is what a gateway becomes when it uses the
# SAML Tools to issue SAML tokens). In the SAML world, an
# entityID is usually a URI. It is strongly recommended that
# an entityID be a URL. It need not be a resolvable URL, but
# it should be chosen in such a way that it could easily become
# resolvable in the future.
#
# For gateways, the IdP.entityID property is required. Replace
# "example.org" below with the DNS domain of your gateway. For
# example:
#
# IdP.entityID=https://gridshib.gisolve.org/idp
#
# Choose your entityID with care, since it is later changed only
# with great pain.
#
#####################################################################

# IdP.entityID=https://saml.teragrid.org/gateway/gisolve
# IdP.entityID=https://www.phylo.org/portal2
IdP.entityID=https://${gridshib.entity.id}

#####################################################################
#
# SAML NameIdentifier
#
# The NameID.Format property gives the value of the Format
# XML attribute on the <NameIdentifier> element in the
# SAML token. The NameID.Format.template property determines
# the syntax of the value of the <NameIdentifier> element
# itself. The %PRINCIPAL% placeholder is replaced by the
# software with the username passed to the application on the
# command line or via the API.
#
# For gateways, the NameID.Format and NameID.Format.template
# properties are required. Replace "example.org" below with
# the DNS domain of your gateway. For example:
#
# NameID.Format.template=%PRINCIPAL%@gisolve.org
#
# The resulting <NameIdentifier> element conforms to the
# MACE-Dir Attribute Profile for SAML 1.x:
#
# http://middleware.internet2.edu/dir/docs/draft-internet2-mace-dir-saml-attributes-latest.pdf
#
# Note: The NameID.NameQualifier property discussed in the User
# Guide MUST be omitted (as it is below).
#
#####################################################################

NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
# NameID.Format.template=%PRINCIPAL%@www.phylo.org
NameID.Format.template=%PRINCIPAL%@${gridshib.domain}

#####################################################################
#
# SAML Attributes
#
# A single attribute is defined by three config properties:
#
# Attribute.label.Namespace=format
# Attribute.label.Name=name
# Attribute.label.Value=value
#
# where name and value are the Name and Value of the attribute
# to be asserted. The label is an arbitrary string that
# distinguishes a triple (Namespace, Name, Value). Any number
# of such triples are possible, each with its own unique label.
#
# Only static attributes may be configured in this config file,
# that is, attributes that are independent of the end user.
# A gateway is required to provide one such attribute, a
# membership attribute, as described below.
#
# The Namespace property of the membership attribute is a
# fixed URI that indicates that the attribute name is itself a
# URI. We omit the Namespace property below.
#
# The Name property conforms to both the MACE-Dir LDAP
# representation of group memberships and the Attribute
# Profile for SAML 1.x cited above:
#
# http://middleware.internet2.edu/dir/docs/internet2-mace-dir-ldap-group-membership-200507.html
# http://middleware.internet2.edu/dir/docs/draft-internet2-mace-dir-saml-attributes-latest.pdf
#
# The Value property of the membership attribute is a URI
# patterned after the well-known file URI. Again, replace
# "example.org" below with the DNS domain of your gateway
# and "example" with the name of your virtual organization.
# For example:
#
# Attribute.isMemberOf.Value=group://gisolve.org/gisolve
#
# The above attribute value tells the RP that the end user is
# a member of the virtual organization (VO) whose name is
# "gisolve". The string "gisolve.org" is called a scope.
#
#####################################################################

# FriendlyName="isMemberOf"
Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
# Attribute.isMemberOf.Value=group://www.phylo.org/portal2
Attribute.isMemberOf.Value=group://${gridshib.entity.id}

#####################################################################
#
# dateTime pattern
#
# The dateTime.pattern property determines the syntax of the
# --authnInstant command-line option.
#
# This config property is optional. If omitted, the pattern
# defaults to "yyyy-MM-dd'T'HH:mm:ssZ" (as shown below).
#
# For details regarding pattern syntax, please refer to the
# following javadoc:
#
# http://java.sun.com/j2se/1.4.2/docs/api/java/text/SimpleDateFormat.html
#
#####################################################################

#dateTime.pattern=yyyy-MM-dd'T'HH\:mm\:ssZ
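The following Python script is an added example, not part of the GridShib SAML Tools or of this config file. It reads a gateway properties file of the shape above and checks the requirements the comments state: certLocation and keyLocation set together (and a warning when the default testing credential would be used), IdP.entityID present and URL-shaped, NameID.Format and NameID.Format.template present with the %PRINCIPAL% placeholder, NameID.NameQualifier omitted, at least one complete Attribute.label triple, and an isMemberOf value of the form group://scope/vo. It then renders the <NameIdentifier> value and splits the membership value into scope and VO. The sample config is constructed from the page's own example values and assumes the build-time ${...} placeholders have already been substituted; the rejection of principals containing '@' is an added check, not something the SAML Tools document.

```python
"""Parse and sanity-check a GridShib SAML Tools gateway properties file."""
import re
from urllib.parse import urlparse

# Constructed sample using the page's example values; the ${...}
# placeholders are assumed to have been filled in before this file is read.
SAMPLE_CONFIG = r"""
# Gateway Community Credential (both properties required together)
certLocation=file:///etc/grid-security/communitycert.pem
keyLocation=file:///etc/grid-security/communitykey.pem

IdP.entityID=https://gridshib.gisolve.org/idp

NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
NameID.Format.template=%PRINCIPAL%@gisolve.org

Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
Attribute.isMemberOf.Value=group://gisolve.org/gisolve

# colons inside a Java properties value must be backslash-escaped
dateTime.pattern=yyyy-MM-dd'T'HH\:mm\:ssZ
"""

_SEP = re.compile(r"(?<!\\)[=:]")          # first unescaped '=' or ':'
_ESC = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
_REQUIRED = ("IdP.entityID", "NameID.Format", "NameID.Format.template")
_ATTR = re.compile(r"^Attribute\.([^.]+)\.(Namespace|Name|Value)$")
_GROUP = re.compile(r"^group://([^/]+)/([^/]+)$")


def _unescape(value):
    r"""Undo Java properties backslash escapes (\: \= \# \\ \t ...)."""
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), value)


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value.

    Line continuations (trailing backslash) are not handled; the gateway
    config above does not use them.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _SEP.search(line)
        key, value = (line, "") if m is None else (line[:m.start()], line[m.end():])
        props[key.strip()] = _unescape(value.strip())
    return props


def validate_gateway_config(props):
    """Return a list of problems; an empty list means the config is usable."""
    problems = []
    has_cert, has_key = "certLocation" in props, "keyLocation" in props
    if has_cert != has_key:
        problems.append("certLocation and keyLocation must be set together")
    elif not has_cert:
        problems.append("no community credential: the default testing "
                        "credential would sign production tokens")
    for key in _REQUIRED:
        if not props.get(key):
            problems.append(f"{key} is required for a gateway")
    entity = props.get("IdP.entityID", "")
    parsed = urlparse(entity)
    if entity and not (parsed.scheme and parsed.netloc):
        problems.append("IdP.entityID should be a URL (it need not resolve)")
    template = props.get("NameID.Format.template", "")
    if template and "%PRINCIPAL%" not in template:
        problems.append("NameID.Format.template lacks the %PRINCIPAL% placeholder")
    if "NameID.NameQualifier" in props:
        problems.append("NameID.NameQualifier must be omitted for gateways")
    for key, value in props.items():
        if "example.org" in value:
            problems.append(f"{key} still carries the example.org placeholder")
    labels = {}
    for key in props:
        m = _ATTR.match(key)
        if m:
            labels.setdefault(m.group(1), set()).add(m.group(2))
    if not any({"Name", "Value"} <= parts for parts in labels.values()):
        problems.append("at least one Attribute.<label>.Name/Value pair is required")
    if "isMemberOf" in labels and not _GROUP.match(props.get("Attribute.isMemberOf.Value", "")):
        problems.append("Attribute.isMemberOf.Value must look like group://scope/vo")
    return problems


def name_identifier(props, principal):
    """Render the <NameIdentifier> value by filling in %PRINCIPAL%.

    Added check (not from the SAML Tools): a principal containing '@' would
    make the scope part of the scoped identifier ambiguous, so reject it.
    """
    if not principal or "@" in principal:
        raise ValueError(f"unsafe principal: {principal!r}")
    return props["NameID.Format.template"].replace("%PRINCIPAL%", principal)


def membership(props):
    """Split the membership value group://scope/vo into (scope, vo)."""
    m = _GROUP.match(props.get("Attribute.isMemberOf.Value", ""))
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_CONFIG)
    print("problems:", validate_gateway_config(cfg) or "none")
    print("NameIdentifier:", name_identifier(cfg, "alice"))
    print("membership (scope, vo):", membership(cfg))
    print("dateTime.pattern:", cfg["dateTime.pattern"])
```

Run it against a real gateway config by passing the file's contents to parse_properties; a non-empty list from validate_gateway_config is the list of things to fix before the gateway starts issuing tokens.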