Property name alignment, added template properties

mzielony-i · mzielony-i · commit adc67d9abffe · 2025-02-26T15:49:03.000-03:00
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/identicum/alpine-jdk17-maven:latest as builder
+FROM ghcr.io/identicum/alpine-jdk17-maven:latest AS builder
 WORKDIR /app
 COPY . .
 RUN mvn install -DskipTests
@@ -10,7 +10,7 @@ COPY --from=builder /app/target/saml-demoapp-java.war /tmp/
 
 ENV ONELOGIN_SAML2_DEBUG=true
 ENV ONELOGIN_SAML2_STRICT=true
-ENV IDP_ENTITY_DESCRIPTOR=""
+ENV ONELOGIN_SAML2_IDP_ENTITYID = ""
 ENV ONELOGIN_SAML2_SP_ENTITYID=""
 ENV ONELOGIN_SAML2_SP_ASSERTION_CONSUMER_SERVICE_URL=""
 ENV ONELOGIN_SAML2_SP_SINGLE_LOGOUT_SERVICE_URL=""
diff --git a/compose.yaml b/compose.yaml
@@ -23,7 +23,7 @@ services:
             - ONELOGIN_SAML2_SP_ENTITYID=http://demoapp1:8081/
             - ONELOGIN_SAML2_SP_ASSERTION_CONSUMER_SERVICE_URL=http://demoapp1:8081/acs.jsp
             - ONELOGIN_SAML2_SP_SINGLE_LOGOUT_SERVICE_URL=http://demoapp1:8081/sls.jsp
-            - IDP_ENTITY_DESCRIPTOR=http://idp:8080/realms/demorealm/protocol/saml/descriptor
+            - ONELOGIN_SAML2_IDP_ENTITYID=http://idp:8080/realms/demorealm/protocol/saml/descriptor
         depends_on:
             idp:
                 condition: service_healthy
diff --git a/src/main/resources/onelogin.saml.template b/src/main/resources/onelogin.saml.template
@@ -5,7 +5,39 @@ onelogin.saml2.debug =
 onelogin.saml2.strict =
 
 # IDP metadata URI (e.g. http://idp:8080/auth/realms/demorealm/protocol/saml/descriptor)
-idp.entity.descriptor = 
+onelogin.saml2.idp.entityid =
+
+# SSO endpoint info of the IdP. (Authentication Request protocol)
+# URL Target of the IdP where the SP will send the Authentication Request Message
+onelogin.saml2.idp.single_sign_on_service.url =
+
+# SAML protocol binding to be used to deliver the <AuthnRequest> message to the IdP.  SAMLToolkit supports for this endpoint the HTTP-Redirect binding only
+onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
+
+# SLO endpoint info of the IdP.
+# URL Location of the IdP where the SP will send the SLO Request
+onelogin.saml2.idp.single_logout_service.url =
+
+# Optional SLO Response endpoint info of the IdP.
+# URL Location of the IdP where the SP will send the SLO Response. If left blank, same URL as onelogin.saml2.idp.single_logout_service.url will be used.
+# Some IdPs use a separate URL for sending a logout request and response, use this property to set the separate response url
+onelogin.saml2.idp.single_logout_service.response.url =
+
+# SAML protocol binding to be used when returning the <Response> message.  SAMLToolkit supports for this endpoint the HTTP-Redirect binding only
+onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
+
+# Public x509 certificate of the IdP
+onelogin.saml2.idp.x509cert =
+
+# Instead of use the whole x509cert you can use a fingerprint
+# (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
+# or add for example the -sha256 , -sha384 or -sha512 parameter)
+#
+# If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
+# let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512
+# 'sha1' is the default value.
+# onelogin.saml2.idp.certfingerprint =
+# onelogin.saml2.idp.certfingerprint_algorithm = sha256
 
 # SP
 # When configuring the SP in your IDP, the URL for the SP metadata is http://app_hostname/metadata.jsp
@@ -16,10 +48,104 @@ onelogin.saml2.sp.entityid =
 # URL Location where the <Response> from the IdP will be returned (e.g.: http://demoapp1:8081/acs.jsp)
 onelogin.saml2.sp.assertion_consumer_service.url = 
 
+# SAML protocol binding to be used when returning the <Response> message.  SAMLToolkit supports for this endpoint the HTTP-POST binding only
+onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
+
 # URL for LogoutResponse
 onelogin.saml2.sp.single_logout_service.url = 
 
+# SAML protocol binding to be used when returning the <LogoutResponse> or sending the <LogoutRequest> message.  SAMLToolkit supports for this endpoint the HTTP-Redirect binding only
+onelogin.saml2.sp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
+
 # NameID format, e.g.:
 # urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
 # urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress
-onelogin.saml2.sp.nameidformat = 
+onelogin.saml2.sp.nameidformat =
+
+# Indicates that the nameID of the <samlp:logoutRequest> sent by this SP will be encrypted.
+onelogin.saml2.security.nameid_encrypted = false
+
+# Usually x509cert and privateKey of the SP are provided by files placed at the certs folder. But we can also provide them with the following parameters
+onelogin.saml2.sp.x509cert =
+
+# Requires Format PKCS#8   BEGIN PRIVATE KEY
+# If you have     PKCS#1   BEGIN RSA PRIVATE KEY  convert it by   openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem
+onelogin.saml2.sp.privatekey =
+
+
+# Security settings
+#
+
+# Indicates whether the <samlp:AuthnRequest> messages sent by this SP
+# will be signed.              [The Metadata of the SP will offer this info]
+onelogin.saml2.security.authnrequest_signed = false
+
+# Indicates whether the <samlp:logoutRequest> messages sent by this SP
+# will be signed.
+onelogin.saml2.security.logoutrequest_signed = false
+
+# Indicates whether the <samlp:logoutResponse> messages sent by this SP
+# will be signed.
+onelogin.saml2.security.logoutresponse_signed = false
+
+# Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
+# <samlp:LogoutResponse> elements received by this SP to be signed.
+onelogin.saml2.security.want_messages_signed = false
+
+# Indicates a requirement for the <saml:Assertion> elements received by this SP to be signed.
+onelogin.saml2.security.want_assertions_signed = false
+
+# Indicates a requirement for the Metadata of this SP to be signed.
+# Right now supported null (in order to not sign) or true (sign using SP private key)
+onelogin.saml2.security.sign_metadata =
+
+# Indicates a requirement for the Assertions received by this SP to be encrypted
+onelogin.saml2.security.want_assertions_encrypted = false
+
+# Indicates a requirement for the NameID received by this SP to be encrypted
+onelogin.saml2.security.want_nameid_encrypted = false
+
+# Authentication context.
+# Set Empty and no AuthContext will be sent in the AuthNRequest
+# You can set multiple values (comma separated them)
+onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+
+# Allows the authn comparison parameter to be set, defaults to 'exact'
+onelogin.saml2.security.onelogin.saml2.security.requested_authncontextcomparison = exact
+
+# Allows duplicated names in the attribute statement
+onelogin.saml2.security.allow_duplicated_attribute_name = false
+
+# Indicates if the SP will validate all received xmls.
+# (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
+onelogin.saml2.security.want_xml_validation = true
+
+# Algorithm that the toolkit will use on signing process. Options:
+#  'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
+#  'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
+#  'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
+#  'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
+#  'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
+onelogin.saml2.security.signature_algorithm = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+
+# Algorithm that the toolkit will use on digest process. Options:
+#  'http://www.w3.org/2000/09/xmldsig#sha1'
+#  'http://www.w3.org/2001/04/xmlenc#sha256'
+#  'http://www.w3.org/2001/04/xmldsig-more#sha384'
+#  'http://www.w3.org/2001/04/xmlenc#sha512'
+onelogin.saml2.security.digest_algorithm = http://www.w3.org/2001/04/xmlenc#sha256
+
+# Reject Signatures with deprecated algorithms (sha1)
+onelogin.saml2.security.reject_deprecated_alg = true
+
+# Organization
+onelogin.saml2.organization.name = Identicum
+onelogin.saml2.organization.displayname = Identicum SA
+onelogin.saml2.organization.url = https://identicum.com
+onelogin.saml2.organization.lang =
+
+# Contacts
+onelogin.saml2.contacts.technical.given_name = Technical Guy
+onelogin.saml2.contacts.technical.email_address = technical@example.com
+onelogin.saml2.contacts.support.given_name = Support Guy
+onelogin.saml2.contacts.support.email_address = support@@example.com
diff --git a/src/main/webapp/samlsettings.jsp b/src/main/webapp/samlsettings.jsp
@@ -36,10 +36,10 @@ public Properties getSamlSettings() throws Exception {
         }
     });
 
-    String idpEntityDescriptor = properties.getProperty("idp.entity.descriptor");
+    String idpEntityDescriptor = properties.getProperty("onelogin.saml2.idp.entityid");
     if(StringUtils.isNotBlank(idpEntityDescriptor)){
         List<String> idpProperties = Arrays.asList("onelogin.saml2.idp.entityid", "onelogin.saml2.idp.x509cert", "onelogin.saml2.idp.single_sign_on_service.url", "onelogin.saml2.idp.single_logout_service.url");
-        URL url = new URL(properties.getProperty("idp.entity.descriptor"));
+        URL url = new URL(properties.getProperty("onelogin.saml2.idp.entityid"));
 
         Map<String, Object> idpMetadata = IdPMetadataParser.parseRemoteXML(url);
         idpMetadata = idpMetadata
