package pl.edu.icm.unity.saml.idp;

import com.vaadin.server.Resource;
import eu.emi.security.authn.x509.X509CertChainValidator;
import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.unicore.samly2.trust.AcceptingSamlTrustChecker;
import eu.unicore.samly2.trust.EnumeratedTrustChecker;
import eu.unicore.samly2.trust.PKISamlTrustChecker;
import eu.unicore.samly2.trust.SamlTrustChecker;
import eu.unicore.samly2.trust.StrictSamlTrustChecker;
import eu.unicore.samly2.validators.ReplayAttackChecker;
import eu.unicore.util.configuration.ConfigurationException;
import eu.unicore.util.configuration.DocumentationReferenceMeta;
import eu.unicore.util.configuration.DocumentationReferencePrefix;
import eu.unicore.util.configuration.PropertyMD;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.MessageSource;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.engine.api.idp.CommonIdPProperties;
import pl.edu.icm.unity.engine.api.idp.PropertiesTranslationProfileLoader;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.InternalException;
import pl.edu.icm.unity.saml.SamlProperties;
import pl.edu.icm.unity.saml.validator.UnityAuthnRequestValidator;
import pl.edu.icm.unity.types.translation.TranslationProfile;
import pl.edu.icm.unity.webui.common.file.ImageAccessService;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.oasis.saml2.protocol.AuthnRequestType;

/* loaded from: input_file:pl/edu/icm/unity/saml/idp/SamlIdpProperties.class */
public class SamlIdpProperties extends SamlProperties {

    @DocumentationReferencePrefix
    public static final String P = "unity.saml.";
    public static final String AUTHENTICATION_TIMEOUT = "authenticationTimeout";
    public static final String SIGN_RESPONSE = "signResponses";
    public static final String SIGN_ASSERTION = "signAssertion";
    public static final String CREDENTIAL = "credential";
    public static final String TRUSTSTORE = "truststore";
    public static final String DEF_ATTR_ASSERTION_VALIDITY = "validityPeriod";
    public static final String SAML_REQUEST_VALIDITY = "requestValidityPeriod";
    public static final String ISSUER_URI = "issuerURI";
    public static final String RETURN_SINGLE_ASSERTION = "returnSingleAssertion";
    public static final String SP_ACCEPT_POLICY = "spAcceptPolicy";
    public static final String SPMETA_PREFIX = "acceptedSPMetadataSource.";
    public static final String ALLOWED_SP_PREFIX = "acceptedSP.";
    public static final String ALLOWED_SP_DN = "dn";
    public static final String ALLOWED_SP_ENTITY = "entity";
    public static final String ALLOWED_SP_RETURN_URL = "returnURL";
    public static final String ALLOWED_SP_RETURN_URLS = "returnURLs.";
    public static final String ALLOWED_SP_ENCRYPT = "encryptAssertion";
    public static final String ALLOWED_SP_NAME = "name";
    public static final String ALLOWED_SP_LOGO = "logoURI";
    public static final String ALLOWED_SP_CERTIFICATE = "certificate";
    public static final String ALLOWED_SP_CERTIFICATES = "certificates.";
    public static final String GROUP_PFX = "groupMapping.";
    public static final String GROUP_TARGET = "serviceProvider";
    public static final String GROUP = "mappingGroup";
    public static final String DEFAULT_GROUP = "defaultGroup";
    public static final String USER_EDIT_CONSENT = "userCanEditConsent";
    public static final String DEFAULT_TRANSLATION_PROFILE = "sys:saml";
    public static final int DEFAULT_SAML_REQUEST_VALIDITY = 600;
    public static final int DEFAULT_AUTHENTICATION_TIMEOUT = 600;
    public static final int DEFAULT_ATTR_ASSERTION_VALIDITY = 14400;
    private Properties sourceProperties;
    private boolean signRespNever;
    private boolean signRespAlways;
    private ReplayAttackChecker replayChecker;
    private SamlTrustChecker authnTrustChecker;
    private SamlTrustChecker soapTrustChecker;
    private SamlTrustChecker sloTrustChecker;
    private long requestValidity;
    private X509CertChainValidator trustedValidator;
    private GroupChooser groupChooser;
    private SamlAttributeMapper attributesMapper;
    private PKIManagement pkiManagement;
    private IdentityTypeMapper idTypeMapper;
    private Map<Integer, String> allowedRequestersByIndex;
    public static final String LOG_PFX = "unity.server.config";
    private static final Logger log = Log.getLogger(LOG_PFX, SamlIdpProperties.class);

    @DocumentationReferenceMeta
    public static final Map<String, PropertyMD> defaults = new HashMap();

    /* loaded from: input_file:pl/edu/icm/unity/saml/idp/SamlIdpProperties$AssertionSigningPolicy.class */
    public enum AssertionSigningPolicy {
        always,
        ifResponseUnsigned
    }

    /* loaded from: input_file:pl/edu/icm/unity/saml/idp/SamlIdpProperties$RequestAcceptancePolicy.class */
    public enum RequestAcceptancePolicy {
        all,
        validSigner,
        validRequester,
        strict
    }

    /* loaded from: input_file:pl/edu/icm/unity/saml/idp/SamlIdpProperties$ResponseSigningPolicy.class */
    public enum ResponseSigningPolicy {
        always,
        never,
        asRequest
    }

    public SamlIdpProperties(Properties properties, PKIManagement pKIManagement) throws ConfigurationException {
        super("unity.saml.", cleanupLegacyProperties(properties), defaults, log);
        this.sourceProperties = new Properties();
        this.sourceProperties.putAll(this.properties);
        this.pkiManagement = pKIManagement;
        checkIssuer();
        try {
            initPki();
            init();
        } catch (EngineException e) {
            throw new ConfigurationException("Can't init SAML PKI settings", e);
        }
    }

    private static Properties cleanupLegacyProperties(Properties properties) {
        if (properties.containsKey("unity.saml.groupSelection")) {
            properties.remove("unity.saml.groupSelection");
            log.warn("The legacy property 'unity.saml.groupSelection' was removed from endpoint's configuration. If needed use output translation profile to define group membership encoding attribute.");
        }
        if (properties.containsKey("unity.saml.groupAttribute")) {
            properties.remove("unity.saml.groupAttribute");
            log.warn("The legacy property 'unity.saml.groupAttribute' was removed from endpoint's configuration. If needed use output translation profile to define group membership encoding attribute.");
        }
        return properties;
    }

    private void init() {
        ResponseSigningPolicy responseSigningPolicy = (ResponseSigningPolicy) getEnumValue(SIGN_RESPONSE, ResponseSigningPolicy.class);
        this.signRespNever = false;
        this.signRespAlways = false;
        if (responseSigningPolicy == ResponseSigningPolicy.always) {
            this.signRespAlways = true;
        } else if (responseSigningPolicy == ResponseSigningPolicy.never) {
            this.signRespNever = true;
        }
        RequestAcceptancePolicy requestAcceptancePolicy = (RequestAcceptancePolicy) getEnumValue(SP_ACCEPT_POLICY, RequestAcceptancePolicy.class);
        if (requestAcceptancePolicy == RequestAcceptancePolicy.all) {
            this.authnTrustChecker = new AcceptingSamlTrustChecker();
            this.sloTrustChecker = new AcceptingSamlTrustChecker();
            log.info("All SPs will be authorized to submit authentication requests");
        } else if (requestAcceptancePolicy == RequestAcceptancePolicy.validSigner) {
            this.authnTrustChecker = new PKISamlTrustChecker(this.trustedValidator);
            this.sloTrustChecker = new PKISamlTrustChecker(this.trustedValidator);
            log.info("All SPs using a valid certificate will be authorized to submit authentication requests");
        } else if (requestAcceptancePolicy == RequestAcceptancePolicy.strict) {
            this.authnTrustChecker = createStrictTrustChecker();
            this.sloTrustChecker = this.authnTrustChecker;
        } else {
            EnumeratedTrustChecker enumeratedTrustChecker = new EnumeratedTrustChecker();
            this.authnTrustChecker = enumeratedTrustChecker;
            Iterator it = getStructuredListKeys(ALLOWED_SP_PREFIX).iterator();
            while (it.hasNext()) {
                initValidRequester(enumeratedTrustChecker, (String) it.next());
            }
            this.sloTrustChecker = createStrictTrustChecker();
        }
        for (String str : getStructuredListKeys(ALLOWED_SP_PREFIX)) {
            Set<String> allowedSpCerts = getAllowedSpCerts(str);
            if (getBooleanValue(str + ALLOWED_SP_ENCRYPT).booleanValue() && allowedSpCerts.isEmpty()) {
                throw new ConfigurationException("Invalid specification of allowed Service Provider " + str + " must have the certificate defined to be able to encrypt assertions.");
            }
        }
        if (this.trustedValidator != null) {
            this.soapTrustChecker = new PKISamlTrustChecker(this.trustedValidator, true);
        } else {
            this.soapTrustChecker = new AcceptingSamlTrustChecker();
        }
        this.replayChecker = new ReplayAttackChecker();
        this.requestValidity = getLongValue(SAML_REQUEST_VALIDITY).longValue() * 1000;
        this.groupChooser = new GroupChooser(this);
        this.idTypeMapper = new IdentityTypeMapper(this);
        this.attributesMapper = new DefaultSamlAttributesMapper();
    }

    private void initValidRequester(EnumeratedTrustChecker enumeratedTrustChecker, String str) {
        String value = getValue(str + ALLOWED_SP_RETURN_URL);
        if (value == null) {
            throw new ConfigurationException("Invalid specification of allowed Service Provider " + str + ", return address is not set.");
        }
        if (isSet(str + ALLOWED_SP_ENTITY) && isSet(str + ALLOWED_SP_DN)) {
            throw new ConfigurationException("The allowed SP entry " + str + " has both the DN and SAML entity id defined. Please use only one, which is actually used by the SP to identify itself.");
        }
        String value2 = getValue(str + ALLOWED_SP_ENTITY);
        if (value2 != null) {
            this.allowedRequestersByIndex = initAllowedRequesters(getListOfValues(str + ALLOWED_SP_RETURN_URLS));
            enumeratedTrustChecker.addTrustedIssuer(value2, value);
            Iterator<String> it = this.allowedRequestersByIndex.values().iterator();
            while (it.hasNext()) {
                enumeratedTrustChecker.addTrustedIssuer(value2, it.next());
            }
        } else {
            value2 = getValue(str + ALLOWED_SP_DN);
            if (value2 == null) {
                throw new ConfigurationException("Invalid specification of allowed Service Provider " + str + ", neither Entity ID nor DN is set.");
            }
            enumeratedTrustChecker.addTrustedDNIssuer(value2, value);
        }
        log.debug("SP authorized to submit authentication requests: " + value2);
    }

    static Map<Integer, String> initAllowedRequesters(List<String> list) {
        HashMap hashMap = new HashMap();
        Pattern compile = Pattern.compile("\\[([\\d]+)\\](.+)");
        for (String str : list) {
            Matcher matcher = compile.matcher(str);
            if (!matcher.matches()) {
                throw new ConfigurationException("SAML allowed endpoint '" + str + "' has incorrect syntax. Should be [N]URL");
            }
            hashMap.put(Integer.valueOf(Integer.parseInt(matcher.group(1))), matcher.group(2));
        }
        return hashMap;
    }

    private void initPki() throws EngineException {
        RequestAcceptancePolicy requestAcceptancePolicy = (RequestAcceptancePolicy) getEnumValue(SP_ACCEPT_POLICY, RequestAcceptancePolicy.class);
        if (requestAcceptancePolicy == RequestAcceptancePolicy.validSigner) {
            String value = getValue(TRUSTSTORE);
            if (value == null) {
                throw new ConfigurationException("The SAML truststore must be defined for the selected SP acceptance policy " + requestAcceptancePolicy);
            }
            if (!this.pkiManagement.getValidatorNames().contains(value)) {
                throw new ConfigurationException("The SAML truststore " + value + " is unknown");
            }
            this.trustedValidator = this.pkiManagement.getValidator(value);
        }
        String value2 = getValue(CREDENTIAL);
        if (!this.pkiManagement.getCredentialNames().contains(value2)) {
            throw new ConfigurationException("The SAML credential " + value2 + " is unknown");
        }
    }

    private StrictSamlTrustChecker createStrictTrustChecker() {
        StrictSamlTrustChecker strictSamlTrustChecker = new StrictSamlTrustChecker();
        for (String str : getStructuredListKeys(ALLOWED_SP_PREFIX)) {
            String str2 = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";
            String value = getValue(str + ALLOWED_SP_ENTITY);
            if (value == null) {
                value = getValue(str + ALLOWED_SP_DN);
                str2 = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";
            }
            if (value == null) {
                throw new ConfigurationException("Invalid specification of allowed Service Provider " + str + ", neither Entity ID nor DN is set.");
            }
            for (String str3 : getAllowedSpCerts(str)) {
                try {
                    strictSamlTrustChecker.addTrustedIssuer(value, str2, this.pkiManagement.getCertificate(str3).value.getPublicKey());
                } catch (EngineException e) {
                    throw new ConfigurationException("Can't set certificate of trusted issuer named " + str3, e);
                }
            }
            log.debug("SP authorized to submit authentication requests: " + value);
        }
        return strictSamlTrustChecker;
    }

    public List<PublicKey> getTrustedKeysForSamlEntity(String str) {
        Set<String> allowedSpCerts = getAllowedSpCerts(str);
        ArrayList arrayList = new ArrayList();
        for (String str2 : allowedSpCerts) {
            try {
                arrayList.add(this.pkiManagement.getCertificate(str2).value.getPublicKey());
            } catch (EngineException e) {
                throw new ConfigurationException("Can't set certificate of trusted issuer named " + str2, e);
            }
        }
        return arrayList;
    }

    private void checkIssuer() {
        try {
            new URI(getValue(ISSUER_URI));
        } catch (URISyntaxException e) {
            throw new ConfigurationException("SAML endpoint's issuer is not a valid URI: " + e.getMessage(), e);
        }
    }

    public long getRequestValidity() {
        return this.requestValidity;
    }

    public SamlTrustChecker getAuthnTrustChecker() {
        return this.authnTrustChecker;
    }

    public void configureKnownRequesters(UnityAuthnRequestValidator unityAuthnRequestValidator) {
        for (String str : getStructuredListKeys(ALLOWED_SP_PREFIX)) {
            String value = getValue(str + ALLOWED_SP_ENTITY);
            if (value != null && isSet(str + ALLOWED_SP_RETURN_URL)) {
                unityAuthnRequestValidator.addKnownRequester(value);
            }
        }
    }

    public String getReturnAddressForRequester(AuthnRequestType authnRequestType) {
        String assertionConsumerServiceURL = authnRequestType.getAssertionConsumerServiceURL();
        if (assertionConsumerServiceURL != null) {
            return assertionConsumerServiceURL;
        }
        String sPConfigKey = getSPConfigKey(authnRequestType.getIssuer());
        if (sPConfigKey == null) {
            return null;
        }
        Integer valueOf = authnRequestType.isSetAssertionConsumerServiceIndex() ? Integer.valueOf(authnRequestType.getAssertionConsumerServiceIndex()) : null;
        return valueOf != null ? this.allowedRequestersByIndex.get(valueOf) : getValue(sPConfigKey + ALLOWED_SP_RETURN_URL);
    }

    public String getDisplayedNameForRequester(NameIDType nameIDType) {
        String sPConfigKey = getSPConfigKey(nameIDType);
        if (sPConfigKey == null) {
            return null;
        }
        return getValue(sPConfigKey + "name");
    }

    public Resource getLogoForRequesterOrNull(NameIDType nameIDType, MessageSource messageSource, ImageAccessService imageAccessService) {
        String sPConfigKey = getSPConfigKey(nameIDType);
        if (sPConfigKey == null) {
            return null;
        }
        return (Resource) imageAccessService.getConfiguredImageResourceFromNullableUri(getLocalizedValue(sPConfigKey + "logoURI", messageSource.getLocale())).orElse(null);
    }

    public X509Certificate getEncryptionCertificateForRequester(NameIDType nameIDType) {
        X509Certificate x509Certificate = null;
        String sPConfigKey = getSPConfigKey(nameIDType);
        if (sPConfigKey == null || !getBooleanValue(sPConfigKey + ALLOWED_SP_ENCRYPT).booleanValue()) {
            return null;
        }
        Set<String> allowedSpCerts = getAllowedSpCerts(sPConfigKey);
        HashSet<X509Certificate> hashSet = new HashSet();
        for (String str : allowedSpCerts) {
            try {
                hashSet.add(this.pkiManagement.getCertificate(str).value);
            } catch (EngineException e) {
                throw new InternalException("Can't retrieve SAML encryption certificate " + str + " for requester with config key " + sPConfigKey, e);
            }
        }
        for (X509Certificate x509Certificate2 : hashSet) {
            if (x509Certificate == null) {
                x509Certificate = x509Certificate2;
            } else if (x509Certificate2.getNotAfter().compareTo(x509Certificate.getNotAfter()) > 0) {
                x509Certificate = x509Certificate2;
            }
        }
        return x509Certificate;
    }

    public Set<String> getAllowedSpCerts(String str) {
        return getCertificateNames(str, "certificate", "certificates.");
    }

    public String getSPConfigKey(NameIDType nameIDType) {
        Set<String> structuredListKeys = getStructuredListKeys(ALLOWED_SP_PREFIX);
        boolean z = nameIDType.getFormat() != null && nameIDType.getFormat().equals("urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName");
        for (String str : structuredListKeys) {
            if (z) {
                String value = getValue(str + ALLOWED_SP_DN);
                if (value != null && X500NameUtils.equal(value, nameIDType.getStringValue())) {
                    return str;
                }
            } else {
                String value2 = getValue(str + ALLOWED_SP_ENTITY);
                if (value2 != null && value2.equals(nameIDType.getStringValue())) {
                    return str;
                }
            }
        }
        return null;
    }

    public String getPrefixOfSP(String str) {
        for (String str2 : getStructuredListKeys(ALLOWED_SP_PREFIX)) {
            if (str.equals(getValue(str2 + ALLOWED_SP_ENTITY))) {
                return str2;
            }
        }
        return null;
    }

    public SamlTrustChecker getSoapTrustChecker() {
        return this.soapTrustChecker;
    }

    public SamlTrustChecker getSloTrustChecker() {
        return this.sloTrustChecker;
    }

    public X509Credential getSamlIssuerCredential() {
        try {
            return this.pkiManagement.getCredential(getValue(CREDENTIAL));
        } catch (EngineException e) {
            throw new InternalException("Can't retrieve SAML credential", e);
        }
    }

    public ReplayAttackChecker getReplayChecker() {
        return this.replayChecker;
    }

    public boolean isSignRespNever() {
        return this.signRespNever;
    }

    public boolean isSignRespAlways() {
        return this.signRespAlways;
    }

    @Override // pl.edu.icm.unity.saml.SamlProperties
    public Properties getProperties() {
        return this.properties;
    }

    public GroupChooser getGroupChooser() {
        return this.groupChooser;
    }

    public IdentityTypeMapper getIdTypeMapper() {
        return this.idTypeMapper;
    }

    public SamlAttributeMapper getAttributesMapper() {
        return this.attributesMapper;
    }

    @Override // pl.edu.icm.unity.saml.SamlProperties
    /* renamed from: clone, reason: merged with bridge method [inline-methods] */
    public SamlProperties mo5clone() {
        try {
            return new SamlIdpProperties(getProperties(), this.pkiManagement);
        } catch (Exception e) {
            throw new ConfigurationException("Can not clone saml properties", e);
        }
    }

    @Override // pl.edu.icm.unity.saml.SamlProperties
    public Properties getSourceProperties() {
        Properties properties = new Properties();
        properties.putAll(this.sourceProperties);
        return properties;
    }

    public TranslationProfile getOutputTranslationProfile() {
        return PropertiesTranslationProfileLoader.getTranslationProfile(this, "translationProfile", "embeddedTranslationProfile");
    }

    static {
        PropertyMD.DocumentationCategory documentationCategory = new PropertyMD.DocumentationCategory("Manual settings of allowed Sps", "03");
        PropertyMD.DocumentationCategory documentationCategory2 = new PropertyMD.DocumentationCategory("SAML subsystem settings", "5");
        defaults.put(GROUP_PFX, new PropertyMD().setStructuredList(false).setCategory(documentationCategory2).setDescription("Prefix used to mark requester to group mappings."));
        defaults.put(GROUP_TARGET, new PropertyMD().setStructuredListEntry(GROUP_PFX).setMandatory().setCategory(documentationCategory2).setDescription("Requester for which this entry applies."));
        defaults.put(GROUP, new PropertyMD().setStructuredListEntry(GROUP_PFX).setMandatory().setCategory(documentationCategory2).setDescription("Group for the requester."));
        defaults.put(DEFAULT_GROUP, new PropertyMD().setMandatory().setCategory(documentationCategory2).setDescription("Default group to be used for all requesers without an explicite mapping."));
        defaults.put(SamlProperties.IDENTITY_MAPPING_PFX, new PropertyMD().setStructuredList(false).setCategory(documentationCategory2).setDescription("Prefix used to store mappings of SAML identity types to Unity identity types. Those mappings can override and/or complement the default mapping."));
        defaults.put(SamlProperties.IDENTITY_LOCAL, new PropertyMD().setStructuredListEntry(SamlProperties.IDENTITY_MAPPING_PFX).setMandatory().setCategory(documentationCategory2).setDescription("Unity identity to which the SAML identity is mapped. If it is set to an empty value, then the mapping is disabled, what is useful for turning off the default mappings."));
        defaults.put(SamlProperties.IDENTITY_SAML, new PropertyMD().setStructuredListEntry(SamlProperties.IDENTITY_MAPPING_PFX).setMandatory().setCategory(documentationCategory2).setDescription("SAML identity to be mapped"));
        defaults.put(SAML_REQUEST_VALIDITY, new PropertyMD(String.valueOf(600)).setPositive().setCategory(documentationCategory2).setDescription("Defines maximum validity period (in seconds) of a SAML request. Requests older than this value are denied. It also controls the validity of an authentication assertion."));
        defaults.put(AUTHENTICATION_TIMEOUT, new PropertyMD(String.valueOf(600)).setPositive().setCategory(documentationCategory2).setDescription("Defines maximum time (in seconds) after which the authentication in progress is invalidated. This feature is used to clean up authentications started by users but not finished."));
        defaults.put(SIGN_RESPONSE, new PropertyMD(ResponseSigningPolicy.asRequest).setCategory(documentationCategory2).setDescription("Defines when SAML responses should be signed. Note that it is not related to signing SAML assertions which are included in response. 'asRequest' setting will result in signing only those responses for which the corresponding request was signed."));
        defaults.put(SIGN_ASSERTION, new PropertyMD(AssertionSigningPolicy.always).setCategory(documentationCategory2).setDescription("Defines when SAML assertions (contained in SAML response) should be signed: either always or if signing may be skipped if wrapping request will be anyway signed"));
        defaults.put(DEF_ATTR_ASSERTION_VALIDITY, new PropertyMD(String.valueOf(DEFAULT_ATTR_ASSERTION_VALIDITY)).setPositive().setCategory(documentationCategory2).setDescription("Controls the maximum validity period of an attribute assertion returned to client (in seconds). It is inserted whenever query is compliant with 'SAML V2.0 Deployment Profiles for X.509 Subjects', what usually is the case."));
        defaults.put(ISSUER_URI, new PropertyMD().setCategory(documentationCategory2).setMandatory().setDescription("This property controls the server's URI which is inserted into SAML responses (the Issuer field). It should be a unique URI which identifies the server. The best approach is to use the server's URL."));
        defaults.put(RETURN_SINGLE_ASSERTION, new PropertyMD("true").setCategory(documentationCategory2).setDescription("If true then a single SAML assertion is returned what provides a better interoperability with 3rd party solutions. If false then attributes are returned in a separate assertion, what is required by certain consumers as UNICORE."));
        defaults.put(SP_ACCEPT_POLICY, new PropertyMD(RequestAcceptancePolicy.validRequester).setCategory(documentationCategory2).setDescription("Controls which requests are authorized. +all+ accepts all, +validSigner+ accepts all requests which are signed with a trusted certificate, +validRequester+ accepts all requests (even unsigned) which are issued by a known entity with a fixed response address, finally +strict+ allows only requests signed by one of the enumerated issuers. Important: this setting fully works for web endpoints only, for SOAP endpoints only +validRequester+ and +all+ acceptance policies can be used. All other will be treated as +all+. This is because you can control the access with authentication and authorization of the client, additional SAML level configuraiton is not neccessary."));
        defaults.put(ALLOWED_SP_PREFIX, new PropertyMD().setStructuredList(false).setCategory(documentationCategory2).setDescription("List of entries defining allowed Service Providers (clients). Used only for +validRequester+ and +strict+ acceptance policies."));
        defaults.put(ALLOWED_SP_DN, new PropertyMD().setStructuredListEntry(ALLOWED_SP_PREFIX).setCanHaveSubkeys().setCategory(documentationCategory).setDescription("Rarely useful: for SPs which use DN SAML identifiers as UNICORE portal. Typically entity is used instead. Value must be the X.500 DN of the trusted SP."));
        defaults.put(ALLOWED_SP_ENTITY, new PropertyMD().setStructuredListEntry(ALLOWED_SP_PREFIX).setCategory(documentationCategory).setDescription("Entity ID (typically an URI) of a trusted SAML requester (SP)."));
        defaults.put(ALLOWED_SP_ENCRYPT, new PropertyMD("false").setStructuredListEntry(ALLOWED_SP_PREFIX).setCategory(documentationCategory).setDescription("Whether to encrypt assertions sent to this peer. Usually not needed as Unity uses TLS. If turned on, then certificate of the peer must be also set."));
        defaults.put(ALLOWED_SP_RETURN_URL, new PropertyMD().setStructuredListEntry(ALLOWED_SP_PREFIX).setCategory(documentationCategory).setDescription("Response consumer address of the SP. Mandatory when acceptance policy is +validRequester+, optional otherwise as SAML requesters may send this addresswith a request. In case when more then one response consumer address is allowed, then this one denotes the default."));
        defaults.put(ALLOWED_SP_RETURN_URLS, new PropertyMD().setList(false).setStructuredListEntry(ALLOWED_SP_PREFIX).setCategory(documentationCategory).setDescription("List of response consumer addresses of the SP. Used only when acceptance policy is +validRequester+. The format for each entry is +[N]URL+ where N is the index of the endpoint (as used in SAML metadata spec) and URL is the endpoints address. Note that it makes perfect sense to specify the default endpoint also in this list as this allows to assign it an index."));
        defaults.put(SamlProperties.SOAP_LOGOUT_URL, new PropertyMD().setStructuredListEntry(ALLOWED_SP_PREFIX).setCategory(documentationCategory).setDescription("SOAP Single Logout Endpoint of the SP."));
        defaults.put(SamlProperties.REDIRECT_LOGOUT_URL, new PropertyMD().setStructuredListEntry(ALLOWED_SP_PREFIX).setCategory(documentationCategory).setDescription("HTTP Redirect Single Logout Endpoint of the SP."));
        defaults.put(SamlProperties.POST_LOGOUT_URL, new PropertyMD().setStructuredListEntry(ALLOWED_SP_PREFIX).setCategory(documentationCategory).setDescription("HTTP POST Single Logout Endpoint of the SP."));
        defaults.put(SamlProperties.REDIRECT_LOGOUT_RET_URL, new PropertyMD().setStructuredListEntry(ALLOWED_SP_PREFIX).setCategory(documentationCategory).setDescription("HTTP Redirect Single Logout response endpoint of the SP. If undefined the base endpoint address is assumed."));
        defaults.put(SamlProperties.POST_LOGOUT_RET_URL, new PropertyMD().setStructuredListEntry(ALLOWED_SP_PREFIX).setCategory(documentationCategory).setDescription("HTTP POST Single Logout response endpoint of the SP. If undefined the base endpoint address is assumed."));
        defaults.put("name", new PropertyMD().setStructuredListEntry(ALLOWED_SP_PREFIX).setCategory(documentationCategory).setCanHaveSubkeys().setDescription("Displayed name of the Sp. If not defined then the name is created from the Sp address (what is rather not user friendly). The property can have subkeys being locale names; then the localized value is used if it is matching the selected locale of the UI."));
        defaults.put("logoURI", new PropertyMD().setStructuredListEntry(ALLOWED_SP_PREFIX).setCategory(documentationCategory).setCanHaveSubkeys().setDescription("Displayed logo of the SP. If not defined then only the name is used. The value can be a file:, http(s): or data: URI. The last option allows for embedding the logo in the configuration. The property can have subkeys being locale names; then the localized value is used if it is matching the selected locale of the UI."));
        defaults.put("certificate", new PropertyMD().setStructuredListEntry(ALLOWED_SP_PREFIX).setCategory(documentationCategory).setDescription("Certificate of the SP. Used only when acceptance policy is +strict+ and when assertion encryption is turned on for this SP. Alsoused for single logout, initiated by the peer."));
        defaults.put("certificates.", new PropertyMD().setStructuredListEntry(ALLOWED_SP_PREFIX).setCategory(documentationCategory).setList(false).setDescription("Using this property additional trusted certificates of an SP can be added (when SP uses more then one). See certificate for details. Those properties can be used together or alternatively."));
        defaults.put(TRUSTSTORE, new PropertyMD().setCategory(documentationCategory2).setDescription("Truststore name to setup SAML trust settings. The truststore is used to verify request signature issuer, if the Service Provider accept policy requires so."));
        defaults.put(CREDENTIAL, new PropertyMD().setMandatory().setCategory(documentationCategory2).setDescription("SAML IdP credential name, which is used to sign responses."));
        defaults.putAll(SamlProperties.getDefaults(SPMETA_PREFIX, "Under this prefix you can configure the remote trusted SAML Sps however not providing all their details but only their metadata."));
        defaults.putAll(CommonIdPProperties.getDefaultsWithCategory(documentationCategory2, "Name of an output translation profile which can be used to dynamically modify the data being returned on this endpoint.", "sys:saml"));
        defaults.put(USER_EDIT_CONSENT, new PropertyMD("true").setCategory(documentationCategory2).setDescription("Controls whether user is allowed to remove released attributes on the consent screen. Note that attributes marked as mandatory in output profile can not be removed regardless of this option."));
    }
}
