conf/remoteUserAuthenticator.properties

# Configuration file for Confluence HTTP Authenticator

# Whether or not to support local logins
# Acceptable values: true, false
local.login.supported=true

# Whether to create user accounts for new users
# Acceptable values: true, false
create.users=true

# Whether existing accounts should have their name and email address updated upon login. This is strongly suggested if
# create.users is true.
# Acceptable values: true, false
update.info=true

# Whether new and existing accounts should have their last login date and previous login date updated in user properties
# upon login.
# Acceptable values: true, false
update.last.login.date=true

# Whether the configuration file should be automatically reloaded when it's changed.
reload.config=false

# When reloading the configuration file, how long to wait (in milliseconds) between checking the configuration file for
# changes.
reload.config.check.interval=5000

# The default group(s) to for newly created users, only used if create.users is true.
#
# Notes:
# * Group name list can be comma or semicolon delimited.
# * Currently groups must pre-exist.
default.roles=confluence-users

# HTTP header/attr. names where the user's full name, email address and username will come from. The full name and email
# address headers need not be populated (can be provided as empty values in the headers by Shibboleth for example if
# Shibboleth can provide no full name or email address for a user). If header.fullname is unspecified or the full name
# provided by the header value is empty or null then it will default to specifying the user id as the full name. If the
# header.email is unspecified or the value of the header is null the user's email address will be null.
#
# Although these two user fields may not seem so important at first, note that whenever a user modifies a wiki page,
# their full name is displayed as the person that last modified the page, and similarly their full name is noted next to
# any comment that they add to a page. Email address is important because when a user chooses to put a "watch" on a wiki
# page, they get emails when that page is changed.
#
# The headers matching the Shibboleth defaults would be:
# header.fullname=Shib-InetOrgPerson-displayName
# header.email=Shib-InetOrgPerson-mail
#
# Note: if the header value contains commas or semicolons, then it will choose the first value in the comma or
# semicolon-delmited list.
#
# Note: if fullname mapping is used (see below) then it will try using that first to get full name using this header.
#
# Each supports a strategy to get this value. All default to 0. Strategy codes mean the following:
# 0 - Try request.getAttribute then request.getHeader
# 1 - Use request.getAttribute
# 2 - Use request.getHeader
header.remote_user=REMOTE_USER
#header.remote_user.strategy=0
header.email=CONF_EMAIL
#header.email.strategy=0
header.fullname=CONF_FULLNAME
#header.fullname.strategy=0

# Whether or not to force the username we receive from Shibboleth to be all-lowercase. This was always true in
# versions <= 1.7.2 and still defaults to true
username.convertcase=true

# Indication whether the group memberships of the user should be updated after creation. Acceptable values: true/false.
# If true, then group memberships will be added (default.roles, and header.dynamicroles depending on the mapping
# headers) whenever the user authenticates, and not just if the user is created by the authenticator.
update.roles=true

# Indication whether HTTP header values should be converted to UTF-8 to avoid an issue noted by Helsinki University:
# "where there is something not using utf-8 involved, 16-bit characters get bytes 83 c2 inserted between."
convert.to.utf8=false

# OPTIONAL
# This feature takes effect only when update.roles is true. List of dynamicroles headers, along side with the labels of
# their group-mapper. Each header can have a set of mapper labels to be activated. A header entry without appropriate
# assigned label will be ignored
#
# e.g. say we'd like to perform automatic group provisioning based on headers: "SHIB-EP-ENTITLEMENT", "affiliation", and
# our defined "fix-role-header" (note these have to match whatever defined in AAP), then we can define the following:
#
#dynamicroles.header.SHIB-EP-ENTITLEMENT = label1, label2, label4, label3
#dynamicroles.header.affiliation = label1, label5

# Whether the dynamicroles attempt to automatically create the role in confluence if such role does not exist.
dynamicroles.auto_create_role=false

# Instruct to convert all output groups into lowercase before creating them on confluence. This is necessary to overcome
# some versions of Confluence's limitation of disallowing group names in upper case. Defaults to true.
dynamicroles.output.tolowercase=true

# Define mapper label and its logic for dynamicroles. Each mapper has to define either
# "match" or "transform" property, otherwise it will not be included in the
# dynamicroles processing.
#
# Notes:
#
# * Colons need to be escaped by \
# * Attribute names are case-insensitive.
# * Value list can be comma or semicolon delimited.
#
# Description of each property:
#
# * match = java regex string to match against the ENTIRE input, you can use java
#           regex groupings (http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html#cg)
#           e.g. to explicitly match a fix string: match= Hello World
#                to match with grouping: match = some\:urn\:(\\w+):(.*)
#
# * casesensitive = boolean, whether the match regex should care about case
#                   sensitivity matching, default to true
#
# * transform = a fix string replacement of the input (e.g. the group or groups).
#               when not specified, it will simply take the input value.
#               transform can be a list of groups separated by comma or semicolon e.g.
#               transform= A, B, C which means if this mapper matches, the output
#               would be group A, B, and C. You can also use $1..$N to represent
#               a matched regex group (as done by "match" regex). $0 refers to
#               the entire input string.
#               e.g. spit out a fix output: transform = Hello There
#                    reuse some regex grouping: transform = confluence-$1, confluence-$2
#                    (suppose the input is "some:urn:users:administrators", then
#                     using the last example match regex we are converting
#                     this to "confluence-users" and "confluence-administrators"
#
# You can leave the .match property empty, which simply means the input is
# passed directly for .transform to process. Similarly, if you leave .transform
# undefined, then there won't be transformation performed on the input (e.g.
# you may want to allow those inputs matching your regex to be included in
# confluence and filter out those that don't match.
#
# examples:
#
# map "some:urn:group1:group2" to groups called "group1" and "group2"
#
#dynamicroles.mapper.label1.match=some\:urn\:(\\w+)\:(.*)
#dynamicroles.mapper.label1.transform=$1, $2
#
# map "StaFF" to "cs100"
#
#dynamicroles.mapper.map2.match = staff
#dynamicroles.mapper.map2.casesensitive = false
#dynamicroles.mapper.map2.transform = cs100
#

# OPTIONAL
# Normally, users added to a group based on Shibboleth attributes would stay in
# the group forever, even if they no longer have the attribute.  The
# purge.roles feature allows to specify a list of groups which should be
# automatically purged of any users who no longer have the attributes to regain
# entry (comma or semicolon separated).
# When logging in, a user will be automatically removed from the group IFF the
# user would not be added to the group (either via dynamicroles.header or
# default.roles).  This feature takes effect only when update.roles is true.
#
# Example:
# remove members from role starting with "alum", "alumni",
# or any other "alum*", as well as from cs101. (ignore case sensitivity).
#
#purge.roles = alum.* , cs101

# OPTIONAL
# Maximum roles to purge, since purging too many at once could delay login.
#purge.roles.limit = 5

# OPTIONAL
# Do mapping on values presented in REMOTE_USER to something understandable
# by confluence. Sometimes remote user is mapped to an attribute containing
# characters invalid in confluence, use this feature below to do transformation
# for it (assuming the original remote-user value hits your confluence without
# much of your control).
#
# This feature has similar syntax to dynamic roles.
#
# Please make sure that the resultant remote user is:
# - unique & single-value
# - accepted by confluence (fit into 128 chars length, no weird chars, etc)
#
# If a regex map doesn't match the input provided, then
# the mapping is not performed (e.g. the input is untouched; make sure
# you understand the mapping logic).
#
# Example: suppose the remote user has initial value
#   "https://idp.edu/idp!https://sp.edu/shibboleth!1234-56789-#00%00-TTT"
# and we would like it to be transformed to
#   "123456789A00c00@idp.edu"
# then we can define the following:
#
#remoteuser=remoteusermap
#remoteuser.replace=#,A,%,c,(-|TTT),,
#remoteuser.map.remoteusermap.match = ^(http|https)://(.*?)(:|/)?[^!]*?!([^!]*?)!(.*)
#remoteuser.map.remoteusermap.casesensitive = false
#remoteuser.map.remoteusermap.transform = $5@$2
#
# remoteusermap is the mapping label to be used, multiple labels
# can be used but only 1st result from the label is chosen as remote user)
#
# .replace is pair-wise regex & replacement strings to be applied to the FINAL
# remote-user once the mapping has been performed. null (as replacement string)
# can be represented by simply empty string (e.g. '-' and 'TTT' above are removed)
#

# OPTIONAL
# Do mapping on values presented in header defined as value of header.fullname. This is for those that don't have a
# "display name" type attribute that can be exposed to Confluence's Shibboleth SP, but must put a full name together
# from multiple values, etc.
#
# This feature has similar syntax to dynamic roles.
#
# If a regex map doesn't match the input provided, then
# the mapping is not performed, and it will use the first value of that header.
#
# Example 1: suppose the full name has the header value
#   "Doe; John"
# and we would like it to be transformed to
#   "John Doe"
# then we can define the following:
#
#fullname=fullnamemap
#fullname.map.fullnamemap.match = ^(.*);(.*)
#fullname.map.fullnamemap.casesensitive = false
#fullname.map.fullnamemap.transform = $2 $1
#
# Note: if the expression doesn't match, it will split the string by comma or semi-colon and get the first value, so
# the fullname would be:
#   "Doe"
#
# Example 2: suppose the full name has the header value
#   "Doe#,%John"
# and we would like it to be transformed to
#   "John Doe"
# then we can define the following:
#
#fullname=fullnamemap
#fullname.replace=#,,%,,
#fullname.map.fullnamemap.match = ^(.*),(.*)
#fullname.map.fullnamemap.casesensitive = false
#fullname.map.fullnamemap.transform = $2 $1
#
# Note: if the expression doesn't match, it will split the string by comma or semi-colon and get the first value, so
# the fullname would be:
#   "Doe#"
#
# fullnamemap is the mapping label to be used, multiple labels
# can be used but only 1st result from the label is chosen as remote user)
#
# .replace is pair-wise regex & replacement strings to be applied to the FINAL
# full name once the mapping has been performed. null (as replacement string)
# can be represented by simply empty string (e.g. '-' and 'TTT' above are removed)
#