source: TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini @ 7517

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg-security/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini@7517
Revision 7517, 23.4 KB checked in by pjkersha, 10 years ago (diff)

2.0.0 release for NDG Security

  • Fixed bug with incorrect SAML X.509 Subject Name urn in test ini files.
  • All unit tests and integration tests pass
  • Property svn:keywords set to Id
#
# NERC DataGrid Security
#
# Paste configuration for combined SAML Attribute Authority and Authorisation
# Services, OpenID Relying Party and Provider services and SSL client
# authentication filters.  This is for test purposes only.  A production system
# might deploy these on different hosts or separate WSGI scripts.
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Author: P J Kershaw
# date: 01/07/09
# Copyright: (C) 2009 Science and Technology Facilities Council
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id$

[DEFAULT]
# configparser treats [DEFAULT] specially: every key here is a fallback for all
# sections below and is available to %(name)s interpolation throughout the
# file.  %(here)s is supplied by the loader (see header).
portNum = 7443
hostname = localhost
scheme = https
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
testConfigDir = %(here)s/../../config
beakerSessionKeyName = beaker.session.ndg.security.services

# Global Attribute Authority Settings
attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface

# ... and Authorisation Service
authzDecisionQueryInterfaceEnvironKeyName = ndg.security.server.wsgi.authz.service.authzDecisionQueryInterface

# SQLite test database used by the OpenID Provider authN and AX interfaces and
# by the Attribute Authority below (see their connectionString settings)
dbConnectionString = sqlite:///%(testConfigDir)s/user.db

[server:main]
use = egg:Paste#http
# NOTE(review): Paste#http serves plain HTTP, yet scheme = https in [DEFAULT]
# and the SSL client authentication filter below reads the HTTP_HTTPS and
# HTTP_SSL_CLIENT_CERT environ keys, i.e. it expects TLS to be terminated by a
# proxy in front of this port - confirm.  0.0.0.0 listens on every interface;
# if this port is reachable without going through that proxy, those header
# values become client-controlled, so bind to 127.0.0.1 or firewall the port
# in anything beyond a local test.
host = 0.0.0.0
port = %(portNum)s

# Uncomment and replace OpenIDProviderApp with OpenIDProviderFilterApp in the
# pipeline below if the RelyingParty filter is removed.  The RelyingParty
# provides static content to both it and the Provider in this configuration.
# See the staticContentDir setting in the OpenIDRelyingPartyFilter section
#[filter-app:OpenIDProviderFilterApp]
#use = egg:Paste#httpexceptions
#next = cascade
#
## Composite for OpenID Provider to enable settings for picking up static
## content
#[composit:cascade]
#use = egg:Paste#cascade
#app1 = OpenIDProviderStaticContent
#catch = 404
#
#[app:OpenIDProviderStaticContent]
#use = egg:Paste#static
#document_root = %(here)s/openidprovider

# Ordering of filters and app is critical: the first filter listed is the
# outermost, so a request passes through the entries top to bottom before it
# reaches OpenIDProviderApp.  Each name must match a section name below exactly
# (including the 'SSLCient' spelling of two of the filter sections).
[pipeline:main]
pipeline = AttributeAuthorityFilter
           AttributeAuthoritySamlSoapBindingFilter
           AuthorisationServiceFilter
           AuthorisationSamlSoapBindingFilter
                   SessionMiddlewareFilter
                   SSLCientAuthKitFilter
                   SSLClientAuthenticationFilter
                   SSLCientAuthnRedirectResponseFilter
                   OpenIDRelyingPartyFilter
                   OpenIDProviderApp

#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware
beaker.session.key = openid
# NOTE(review): a fixed session secret committed to version control is only
# acceptable for this test set-up; the secret protects the session cookie, so a
# real deployment must use its own value and keep it out of the repository.
beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU

# If you'd like to fine-tune the individual locations of the cache data dirs
# for the Cache data, or the Session saves, un-comment the desired settings
# here:
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
beaker.session.cookie_expires = True

#beaker.session.cookie_domain = .localhost

# Key name for keying into environ dictionary
environ_key = %(beakerSessionKeyName)s

[filter:SSLCientAuthKitFilter]
paste.filter_app_factory = authkit.authenticate:middleware

# AuthKit Set-up
setup.method=cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app
cookie.name=ndg.security.auth

# Same value as authkit.cookie.secret in the OpenIDRelyingPartyFilter section,
# as required above.  NOTE(review): test value committed to version control -
# replace for any non-test deployment and keep the two settings in step.
cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
# (trade-off: a captured cookie is then not bound to the client address)
cookie.includeip = False

#cookie.params.domain = .localhost

# SSL Client Certificate based authentication is invoked if the client passed
# a certificate with the request.  This bypasses OpenID based authn.
[filter:SSLClientAuthenticationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.ssl:AuthKitSSLAuthnMiddleware
prefix = ssl.

# Apply verification against a list of trusted CAs.  To skip this step, comment
# out or remove this item.  e.g. set CA verification in the Apache config file.
ssl.caCertFilePathList = %(testConfigDir)s/ca/d573507a.0
# Optional allow-list of client certificate DNs; with it commented out any
# certificate chaining to the CA above is accepted.
#ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=mytest /O=gabriel/OU=BADC/CN=test /O=NDG/OU=BADC/CN=test

# 'HTTP_' prefix is set when passed through a proxy
# NOTE(review): HTTP_-prefixed environ keys are populated from request headers,
# so this filter trusts the proxy to set them.  The proxy must strip any
# client-supplied copies of these headers and the application port must only
# be reachable via the proxy - see [server:main].
ssl.sslKeyName = HTTP_HTTPS
ssl.sslClientCertKeyName = HTTP_SSL_CLIENT_CERT

# Set the URI pattern match here to interrupt a redirect to the OpenID Relying
# Party from the service running over HTTP and see if a client certificate has
# been set
ssl.rePathMatchList = ^/verify.*

[filter:OpenIDRelyingPartyFilter]
paste.filter_app_factory = 
        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

openid.relyingparty.baseURL = %(authkit.openid.baseurl)s

# Uncomment to restrict sign in to a whitelist of trusted OpenID Providers.
# NOTE(review): while this is commented out, sign-in is accepted from any
# OpenID Provider that discovery resolves; enable the whitelist for anything
# beyond local testing.
#openid.relyingparty.idpWhitelistConfigFilePath = %(here)s/openidrelyingparty/ssl-idp-validator.xml

openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.genshi.GenshiSigninTemplate

# Nb. in this configuration, this directory provides static content for both
# this filter and the OpenID Provider app downstream in the WSGI stack.
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/public

openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
openid.relyingparty.signinInterface.heading = OpenID Sign-in
#openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
#openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
#openid.relyingparty.signinInterface.leftLink = http://ndg.nerc.ac.uk/
#openid.relyingparty.signinInterface.leftImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif

# This setting will accept HTML mark-up (it is presumably rendered unescaped,
# so it must only ever come from this operator-controlled file)
openid.relyingparty.signinInterface.footerText = This site is for test purposes only.   <a class="FooterLink" href="http://openid.net/what/" target="_blank"><small>What is OpenID?</small></a>
openid.relyingparty.signinInterface.rightLink = http://ceda.ac.uk/
openid.relyingparty.signinInterface.rightImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/CEDA_RightButton60.png
openid.relyingparty.signinInterface.rightAlt = Centre for Environmental Data Archival
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit Set-up
authkit.setup.method=openid, cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app
authkit.cookie.name=ndg.security.auth

# Same value as cookie.secret in the SSLCientAuthKitFilter section.
# NOTE(review): test value committed to version control - replace for any
# non-test deployment.
authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
authkit.cookie.signoutpath = /logout
#authkit.cookie.params.domain = .localhost

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
authkit.cookie.includeip = False

authkit.openid.path.signedin=/
authkit.openid.store.type=file
authkit.openid.store.config=%(here)s/openidrelyingparty/store
authkit.openid.session.key = authkit_openid
# NOTE(review): the literal text "random string" is a placeholder, not a
# random value; it is used as-is as the session secret, so it must be replaced
# with a generated secret outside of this test set-up.
authkit.openid.session.secret = random string

# Key name for dereferencing beaker.session object held in environ
authkit.openid.session.middleware = %(beakerSessionKeyName)s

authkit.openid.baseurl = %(baseURI)s

# Template for signin
#authkit.openid.template.obj =

# Handler for parsing OpenID and creating a session from it
#authkit.openid.urltouser =

# Attribute Exchange - all are optional unless the relevant ax.required.<name>
# is set to True.  The alias defers to the parameter name given unless explicitly
# specified - see commented out entry for firstName below.  The number of
# attributes for each attribute name defaults to 1 unless otherwise set
#authkit.openid.ax.typeuri.firstName=http://openid.net/schema/namePerson/first
#authkit.openid.ax.alias.firstName=firstName
##authkit.openid.ax.count.firstName=1
#authkit.openid.ax.required.firstName=True
#authkit.openid.ax.typeuri.lastName=http://openid.net/schema/namePerson/last
#authkit.openid.ax.alias.lastName=lastName
#authkit.openid.ax.required.lastName=True
#authkit.openid.ax.typeuri.emailAddress=http://openid.net/schema/contact/internet/email
#authkit.openid.ax.alias.emailAddress=emailAddress
#authkit.openid.ax.required.emailAddress=True

# ESG Gateway requested parameters
# Nb. the typeuri and required lines below use ':' as the key/value delimiter
# while the alias lines use '='.  configparser accepts either and ends the key
# at the first delimiter on the line, so the ':' inside the URL values is part
# of the value in both forms; mixing the two is a style inconsistency only.
authkit.openid.ax.typeuri.uuid:http://openid.net/schema/person/guid
authkit.openid.ax.alias.uuid=uuid
authkit.openid.ax.typeuri.username:http://openid.net/schema/namePerson/friendly
authkit.openid.ax.alias.username=username
authkit.openid.ax.typeuri.firstname:http://openid.net/schema/namePerson/first
authkit.openid.ax.alias.firstname=firstname
authkit.openid.ax.required.firstname:True
authkit.openid.ax.typeuri.middlename:http://openid.net/schema/namePerson/middle
authkit.openid.ax.alias.middlename=middlename
authkit.openid.ax.typeuri.lastname:http://openid.net/schema/namePerson/last
authkit.openid.ax.required.lastname:True
authkit.openid.ax.alias.lastname=lastname
authkit.openid.ax.typeuri.email:http://openid.net/schema/contact/internet/email
authkit.openid.ax.required.email:True
authkit.openid.ax.alias.email=email
authkit.openid.ax.typeuri.gateway:http://www.earthsystemgrid.org/gateway
authkit.openid.ax.alias.gateway=gateway
authkit.openid.ax.typeuri.organization:http://openid.net/schema/company/name
authkit.openid.ax.alias.organization=organization
authkit.openid.ax.typeuri.city:http://openid.net/schema/contact/city/home
authkit.openid.ax.alias.city=city
authkit.openid.ax.typeuri.state:http://openid.net/schema/contact/state/home
authkit.openid.ax.alias.state=state
authkit.openid.ax.typeuri.country:http://openid.net/schema/contact/country/home
authkit.openid.ax.alias.country=country

[filter:SSLCientAuthnRedirectResponseFilter]
# Redirect to original requested URI following SSL Client Authentication.  This
# filter must be placed AFTER the AuthKit cookie setting middleware.  In this
# case it's configured in the OpenIDRelyingPartyMiddleware filter.  If the
# OpenID Relying Party filter is removed, a separate AuthKit middleware entry
# would need to be made so that this redirect filter can still function.
# (The 'SSLCient' spelling is the name referenced from [pipeline:main].)
paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthKitRedirectResponseMiddleware
prefix = ssl.
ssl.sessionKey = %(beakerSessionKeyName)s

#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderApp]
paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory

openid.provider.path.openidserver=/OpenID/Provider/server
openid.provider.path.login=/OpenID/Provider/login
openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path may be set to a page with
# <link rel="openid.server" href="..."> and Yadis
# <meta http-equiv="x-xrds-location" content="..."> links if required, but in
# this implementation it is set to return 404 not found - see
# ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
# class.  ${userIdentifier} is a template placeholder filled by the provider,
# not configparser %(...)s interpolation.
openid.provider.path.id=/OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis=%(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis=%(openIDProviderIDBase)s
openid.provider.path.allow=/OpenID/Provider/allow
openid.provider.path.decide=/OpenID/Provider/decide
openid.provider.path.mainpage=/OpenID/Provider/home

openid.provider.session_middleware=%(beakerSessionKeyName)s
openid.provider.base_url=%(baseURI)s

# Enable login to construct an identity URI if IDSelect mode was chosen and
# no identity URI was passed from the Relying Party.  This value should
# match openid.provider.path.id and/or openid.provider.path.yadis - see above
identityUriTemplate=%(baseURI)s%(openIDProviderIDBase)s/${userIdentifier}

openid.provider.trace=False
openid.provider.consumer_store_dirpath=%(here)s/openidprovider
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

# Templates
openid.provider.rendering.templateRootDir = %(here)s/openidprovider/templates

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
#openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
#openid.provider.rendering.leftAlt = Natural Environment Research Council
#openid.provider.rendering.leftLink = http://ndg.nerc.ac.uk/
#openid.provider.rendering.leftImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png
openid.provider.rendering.footerText = This site is for test purposes only.
openid.provider.rendering.rightLink = http://ceda.ac.uk/
openid.provider.rendering.rightImage = %(openid.provider.rendering.baseURL)s/layout/CEDA_RightButton60.png
openid.provider.rendering.rightAlt = Centre for Environmental Data Archival

# Basic Authentication interface to demonstrate capabilities
#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sqlalchemy_authn.SQLAlchemyAuthnInterface
openid.provider.authN.connectionString=%(dbConnectionString)s
# NOTE(review): ${username} and ${password} come from the login form.  Whether
# SQLAlchemyAuthnInterface binds them as SQL parameters or substitutes them
# textually into these templates is not visible here; if textual, a quote in
# either value breaks the query and is an injection risk - confirm in the
# interface class before reusing these templates.
openid.provider.authN.logonSqlQuery=select count(*) from users where username = '${username}' and md5password = '${password}'
openid.provider.authN.username2UserIdentifierSqlQuery=select openid_identifier from users where username = '${username}'
# Passwords are compared against an md5password column; unsalted MD5 is not an
# acceptable password store outside this test database.
openid.provider.authN.isMD5EncodedPwd=True

# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# one alias at a time may be registered with a given Attribute Authority
# NOTE(review): plaintext test credentials committed to version control -
# test-only; do not reuse these accounts or passwords elsewhere.
openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs
#openid.provider.usercreds=pjk:test

# Attribute Exchange interface
#openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.csv.CSVFileAXInterface
#openid.provider.axResponse.csvFilePath=%(here)s/openidprovider/attributeexchange.csv
openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.sqlalchemy_ax.SQLAlchemyAXInterface
openid.provider.axResponse.connectionString=%(dbConnectionString)s
# Same ${username} substitution caveat as for logonSqlQuery above.
openid.provider.axResponse.sqlQuery = select firstname, lastname, emailaddress from users where username = '${username}'
# One type URI per line, in the same order as the columns selected above
openid.provider.axResponse.attributeNames=http://openid.net/schema/namePerson/first
    http://openid.net/schema/namePerson/last
    http://openid.net/schema/contact/internet/email
   
# Relying Parties the provider will release attributes to without further
# prompting (presumably - confirm against OpenIDProviderMiddleware)
openid.provider.trustedRelyingParties=https://localhost:7443, https://ndg.somewhere.ac.uk,
        https://badc.somewhere.ac.uk

#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter publishes an Attribute Authority instance as a key in environ
# to enable other middleware to access it
paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
prefix = attributeAuthority.

# Lifetime is measured in seconds (28800 = 8 hours)
attributeAuthority.assertionLifetime: 28800 

# Settings for custom AttributeInterface derived class to get user roles for given
# user ID
#attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
#attributeAuthority.attributeInterface.modName: siteAUserRoles
#attributeAuthority.attributeInterface.className: TestUserRoles

# Key name for the SAML SOAP binding based interface to reference this
# service's attribute query method
attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s

# SQLAlchemy Attribute Interface
attributeAuthority.attributeInterface.connectionString: %(dbConnectionString)s
attributeAuthority.attributeInterface.className: ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface
# NOTE(review): ${userId} is the subject taken from the incoming SAML attribute
# query.  Whether SQLAlchemyAttributeInterface binds it as a SQL parameter or
# substitutes it textually is not visible here; if textual, a quote in the
# subject breaks the query and is an injection risk - confirm in the class.
# Each samlAttribute2SqlQuery.<label> value pairs a SAML attribute name with the
# query producing its values; the label appears to be an arbitrary unique
# suffix (numeric and named suffixes are mixed below - pick one style).
attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}'
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where openid = '${userId}'"
# Requestor DNs allowed to query this Attribute Authority (going by the
# issuerName settings in the binding filters below, this is matched against the
# SAML issuer name).  NOTE(review): the /CN=test/O=NDG/OU=BADC entry lists its
# RDNs in a different order from the test DN used elsewhere in this file
# (/O=NDG/OU=BADC/CN=test); confirm the comparison is order-insensitive,
# otherwise that entry never matches.
attributeAuthority.attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority,
                                                           /O=Site B/CN=Authorisation Service,
                                                           /CN=test/O=NDG/OU=BADC,
                                                           /O=NDG/OU=Security/CN=localhost

# SAML SOAP Binding to the Attribute Authority
[filter:AttributeAuthoritySamlSoapBindingFilter]
paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
prefix = saml.soapbinding.

saml.soapbinding.deserialise = ndg.saml.xml.etree:AttributeQueryElementTree.fromXML

# Specialisation to incorporate ESG Group/Role type
saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML

saml.soapbinding.mountPath = /AttributeAuthority
saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s

# Clock skew for SAML Attribute Queries - allow clockSkew number of seconds
# tolerance for query issueInstant parameter. Set here to 3 minutes.  Keep this
# small: it bounds how long a captured query stays acceptable.
saml.soapbinding.clockSkewTolerance: 180.0

# Identity this service puts in the Issuer of its SAML responses; the value
# matches the first entry of samlValidRequestorDNs in the Attribute Authority
# section (same X.509 subject name format)
saml.soapbinding.issuerName: /O=Site A/CN=Attribute Authority
saml.soapbinding.issuerFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName 

#______________________________________________________________________________
# SAML/SOAP query interface to the Authorisation Service
[filter:AuthorisationSamlSoapBindingFilter]
paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
prefix = saml.

# The URI path for this service
saml.mountPath = /AuthorisationService

# The key name in environ which the upstream authorisation service must assign
# to its authorisation query callback - see the AuthorisationServiceFilter
# settings below...
saml.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s

# ElementTree based XML parsing and serialisation used for SAML messages
saml.deserialise = ndg.saml.xml.etree:AuthzDecisionQueryElementTree.fromXML
saml.serialise = ndg.saml.xml.etree:ResponseElementTree.toXML

# Sets the identity of THIS authorisation service when filling in SAML responses
# Nb. no clockSkewTolerance is set for this binding, unlike the Attribute
# Authority binding above; the default then applies - confirm it is what is
# intended.
saml.issuerName = /O=Site A/CN=Authorisation Service
saml.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

#______________________________________________________________________________
# Authorisation Service WSGI settings
[filter:AuthorisationServiceFilter]
# This filter is a container for a binding to a SOAP/SAML based interface to the
# Authorisation Service.  It contains a XACML Context handler which manages
# requests from Policy Enforcement Points to the PDP and also enables the PDP
# to make attribute queries to Policy Information Point
paste.filter_app_factory = ndg.security.server.wsgi.authz.service:AuthorisationServiceMiddleware.filter_app_factory
prefix = authz.

# Expose this filter's authorisation decision query callback via this key name
# in environ
authz.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s

# Lifetime for authorisation assertions issued from this service (seconds;
# 86400 = 24 hours).  Nb. authz.ctx_handler.assertionLifetime below carries the
# same value; which of the two the middleware reads is not visible here - keep
# them in step.
authz.xacmlContext.assertionLifetime = 86400

#
# XACML Context handler manages PEP (Policy Enforcement Point) requests and the
# PDP's (Policy Decision Point's) interface to the PIP (Policy Information
# Point)

# XACML Policy file
authz.ctx_handler.policyFilePath = %(here)s/policy.xml

# Settings for SAML authorisation decision response to a Policy Enforcement Point
# making a decision query
authz.ctx_handler.issuerName = /O=Site A/CN=Authorisation Service
authz.ctx_handler.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
authz.ctx_handler.assertionLifetime = 86400

#
# Policy Information Point interface settings
#
# The Context handler is a client to the PIP, passing on attribute queries
# on behalf of the PDP onwards to the PIP

# The PIP can cache assertions retrieved from Attribute Authority calls to
# optimise performance.  Set this flag to True/False to enable/disable caching
# respectively.  If this setting is omitted it defaults to True
# NOTE(review): a cached attribute assertion is reused for later decisions, so
# the effective cache lifetime should not exceed the assertion's own validity -
# confirm the PIP honours that.
authz.ctx_handler.pip.cacheSessions = True

# Set the directory for cached information to be stored.  This option is
# ignored if 'cacheSessions' is set to False.  If this setting is omitted, then
# sessions will be cached in memory only.  If the service is stopped all cached
# information would be lost.  The directory holds other users' attribute
# assertions on disk, so restrict its permissions to the service account.
authz.ctx_handler.pip.sessionCacheDataDir = %(here)s/pip-session-cache

#
# Attribute ID -> Attribute Authority mapping file.  The PIP, on receipt of a
# query from the XACML context handler, checks the attribute(s) being queried
# for and looks up this mapping to determine which attribute authority to query
# to find out if the subject has the attribute in their entitlement
authz.ctx_handler.pip.mappingFilePath = %(here)s/pip-mapping.txt

# The attribute ID of the subject value to extract from the XACML request
# context and pass in the SAML attribute query
authz.ctx_handler.pip.subjectAttributeId = urn:esg:openid

# Issuer identity the PIP puts in its outgoing attribute queries; it must be
# listed in samlValidRequestorDNs of the Attribute Authority it queries (it is
# the first entry in the Attribute Authority section of this file)
authz.ctx_handler.pip.attributeQuery.issuerName = %(authz.ctx_handler.issuerName)s
authz.ctx_handler.pip.attributeQuery.issuerFormat = %(authz.ctx_handler.issuerFormat)s

# These settings configure SSL mutual authentication for the query to the SAML Attribute Authority
# (test key pair from the test config directory; the private key file must not
# be world-readable)
authz.ctx_handler.pip.attributeQuery.sslCertFilePath = %(testConfigDir)s/pki/localhost.crt
authz.ctx_handler.pip.attributeQuery.sslPriKeyFilePath = %(testConfigDir)s/pki/localhost.key
authz.ctx_handler.pip.attributeQuery.sslCACertDir = %(testConfigDir)s/ca

# Logging configuration (standard library logging.config.fileConfig layout)
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

# NOTE(review): DEBUG output from the ndg security stack goes to stderr via the
# root handler; at this level authentication and assertion details may be
# written to the log, so raise the level outside of test runs.
[logger_ndg]
level = DEBUG
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
# args is evaluated by fileConfig as a Python expression
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
# The %(name)s style placeholders here are logging format fields; fileConfig
# reads this file with interpolation disabled for this section, as the test
# runs show - do not %%-escape them.
format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s:%(lineno)s] %(message)s
datefmt = %Y-%m-%d %H:%M:%S
