diff --git a/inst/.gitignore b/inst/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..f5c6764910970e9b6ccf280d38f46f3beed42c4c
--- /dev/null
+++ b/inst/.gitignore
@@ -0,0 +1,4 @@
+
+apache_shib0
+apache_shib0.tar.gz
+
diff --git a/inst/apache_shib/apache_shib_init.sh b/inst/apache_shib/apache_shib_init.sh
new file mode 100755
index 0000000000000000000000000000000000000000..dbebe7ddb62f8dc7831ab337f5640972850dd90a
--- /dev/null
+++ b/inst/apache_shib/apache_shib_init.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+#!/bin/sh
+
+export LC_ALL="C"
+
+#apt-get -y install apache2
+#apt-get -y install libapache2-mod-shib2
+#apt-get -y install perl libcgi-pm-perl
+
+[ -z "$NOAPT" ] && apt-get -y install apache2 libapache2-mod-shib2 perl libcgi-pm-perl
+
+[ -z "$NOMOD" ] && a2enmod proxy
+[ -z "$NOMOD" ] && a2enmod proxy_http
+[ -z "$NOMOD" ] && a2enmod cgi
+
+#
+
+basedir="/srv/flowspy"
+basedir2="$basedir/inst/apache_shib"
+
+#cd /srv/flowspy/ || exit 3
+cd "$basedir" || exit 3
+
+#cp -uva shibboleth_inst/inst/etc/apache2/ shibboleth_inst/inst/etc/shibboleth/ /etc/
+
+echo 1>&2
+#cp -uva shibboleth_inst/inst/etc/apache2/ /etc/
+#cd ./shibboleth_inst/inst/etc/apache2/ && cp -uva --parents -t /etc/apache2/ .
+#cd "$basedir/shibboleth_inst/inst/etc/apache2/" && cp -uva --parents -t /etc/apache2/ $(cat "$basedir/shibboleth_inst/etc-apache-diff.list.filtered2")
+(cd "$basedir2/files.inst/etc/apache2/" && cp -fva --parents -t /etc/apache2/ $(cat "$basedir2/files.inst/etc-apache-diff.list.filtered2"))
+
+echo 1>&2
+#cp -uva shibboleth_inst/inst/etc/shibboleth/ /etc/
+(cd "$basedir2/files.inst/etc/shibboleth/" && cp -fva --parents -t /etc/shibboleth/ $(cat "$basedir2/files.inst/etc-shibboleth-diff.list.filtered2"))
+
+##
+
+echo 1>&2
+#cp shibboleth_inst/inst/srv/flowspy/flowspy/settings.py flowspy/settings.py
+cp -fv "$basedir2/files.inst/srv/flowspy/flowspy/settings.py" flowspy/settings.py
+
+echo 1>&2
+(cd /etc/shibboleth/ && ./keygen.sh)
+
+echo 1>&2
+# -subj "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/"
+(cd /etc/apache2/ && openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt)
+
+##
+
+echo 1>&2
+hostname test-fod.geant.net
+
+##
+
+/etc/init.d/shibd restart
+
+/etc/init.d/apache2 restart
+
+
+
+
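Review bot: The `openssl req ... -keyout mysitename.key` line writes the private key with the process umask, so under the usual 022 umask /etc/apache2/mysitename.key ends up world-readable, unlike the `touch` + `chmod 600` that the bundled keygen.sh does for sp-key.pem; run it as `(cd /etc/apache2/ && umask 077 && openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt)`. The script has no `set -e` and neither `(cd ... && cp -fva --parents ...)` copy step is checked, so a missing list file or a failed copy still falls through to `hostname test-fod.geant.net` and the shibd/apache2 restarts; at least append `|| exit 4` to each. The `$(cat ...)` expansions are deliberately unquoted so the list files word-split into operands, which also means any listed path containing whitespace or a glob character would be split or expanded. The second line `#!/bin/sh` is a stray shebang that should go, and with `-subj` left commented the certificate subject is whatever openssl's default is.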
diff --git a/inst/apache_shib/files.inst/etc-apache-diff.list.filtered2 b/inst/apache_shib/files.inst/etc-apache-diff.list.filtered2
new file mode 100644
index 0000000000000000000000000000000000000000..d51d9caa09ca6010c2f0e9c72cdee5b4e0e9cc25
--- /dev/null
+++ b/inst/apache_shib/files.inst/etc-apache-diff.list.filtered2
@@ -0,0 +1,5 @@
+cgi-bin-test/test.cgi
+sites-enabled/000-default.conf
+sites-enabled/100-default-https.conf
+apache2.conf
+sites-available/000-default.conf
diff --git a/inst/apache_shib/files.inst/etc-shibboleth-diff.list.filtered2 b/inst/apache_shib/files.inst/etc-shibboleth-diff.list.filtered2
new file mode 100644
index 0000000000000000000000000000000000000000..c3afb82f9d07c931335250b4b9785698eeef6520
--- /dev/null
+++ b/inst/apache_shib/files.inst/etc-shibboleth-diff.list.filtered2
@@ -0,0 +1,6 @@
+keygen.sh
+login-terena-org.xml
+metagen.sh
+attribute-map.xml
+attribute-policy.xml
+shibboleth2.xml
diff --git a/inst/apache_shib/files.inst/etc/apache2/apache2.conf b/inst/apache_shib/files.inst/etc/apache2/apache2.conf
new file mode 100644
index 0000000000000000000000000000000000000000..ba863da6a8e2f0f3a98e8938fdd056a7e0e2ced9
--- /dev/null
+++ b/inst/apache_shib/files.inst/etc/apache2/apache2.conf
@@ -0,0 +1,256 @@ +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See http://httpd.apache.org/docs/2.4/ for detailed information about +# the directives and /usr/share/doc/apache2/README.Debian about Debian specific +# hints. +# +# +# Summary of how the Apache 2 configuration works in Debian: +# The Apache 2 web server configuration in Debian is quite different to +# upstream's suggested way to configure the web server. This is because Debian's +# default Apache2 installation attempts to make adding and removing modules, +# virtual hosts, and extra configuration directives as flexible as possible, in +# order to make automating the changes and administering the server as easy as +# possible. + +# It is split into several files forming the configuration hierarchy outlined +# below, all located in the /etc/apache2/ directory: +# +# /etc/apache2/ +# |-- apache2.conf +# | `-- ports.conf +# |-- mods-enabled +# | |-- *.load +# | `-- *.conf +# |-- conf-enabled +# | `-- *.conf +# `-- sites-enabled +# `-- *.conf +# +# +# * apache2.conf is the main configuration file (this file). It puts the pieces +# together by including all remaining configuration files when starting up the +# web server. +# +# * ports.conf is always included from the main configuration file. It is +# supposed to determine listening ports for incoming connections which can be +# customized anytime. +# +# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ +# directories contain particular configuration snippets which manage modules, +# global configuration fragments, or virtual host configurations, +# respectively. +# +# They are activated by symlinking available configuration files from their +# respective *-available/ counterparts. These should be managed by using our +# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. 
See +# their respective man pages for detailed information. +# +# * The binary is called apache2. Due to the use of environment variables, in +# the default configuration, apache2 needs to be started/stopped with +# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not +# work with the default configuration. + + +# Global configuration +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the Mutex documentation (available +# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +#ServerRoot "/etc/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +#Mutex file:${APACHE_LOCK_DIR} default + +# +# The directory where shm and other runtime files will be stored. +# + +DefaultRuntimeDir ${APACHE_RUN_DIR} + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# This needs to be set in /etc/apache2/envvars +# +PidFile ${APACHE_PID_FILE} + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. 
+# +KeepAliveTimeout 5 + + +# These need to be set in /etc/apache2/envvars +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a <VirtualHost> +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a <VirtualHost> +# container, that host's errors will be logged there and not here. +# +ErrorLog ${APACHE_LOG_DIR}/error.log + +# +# LogLevel: Control the severity of messages logged to the error_log. +# Available values: trace8, ..., trace1, debug, info, notice, warn, +# error, crit, alert, emerg. +# It is also possible to configure the log level for particular modules, e.g. +# "LogLevel info ssl:warn" +# +LogLevel warn + +# Include module configuration: +IncludeOptional mods-enabled/*.load +IncludeOptional mods-enabled/*.conf + +# Include list of ports to listen on +Include ports.conf + + +# Sets the default security model of the Apache2 HTTPD server. It does +# not allow access to the root filesystem outside of /usr/share and /var/www. +# The former is used by web applications packaged in Debian, +# the latter may be used for local directories served by the web server. If +# your system is serving content from a sub-directory in /srv you must allow +# access here, or in any related virtual host. 
+<Directory /> + Options FollowSymLinks + AllowOverride None + Require all denied +</Directory> + +<Directory /usr/share> + AllowOverride None + Require all granted +</Directory> + +<Directory /var/www/> + Options Indexes FollowSymLinks + AllowOverride None + Require all granted +</Directory> + +#<Directory /srv/> +# Options Indexes FollowSymLinks +# AllowOverride None +# Require all granted +#</Directory> + + + + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# +<FilesMatch "^\.ht"> + Require all denied +</FilesMatch> + + +# +# The following directives define some format nicknames for use with +# a CustomLog directive. +# +# These deviate from the Common Log Format definitions in that they use %O +# (the actual bytes sent including headers) instead of %b (the size of the +# requested file), because the latter makes it impossible to detect partial +# requests. +# +# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. +# Use mod_remoteip instead. +# +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined +LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %O" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent + +# Include of directories ignores editors' and dpkg's backup files, +# see README.Debian for details. 
+
+# Include generic snippets of statements
+IncludeOptional conf-enabled/*.conf
+
+# Include the virtual host configurations:
+IncludeOptional sites-enabled/*.conf
+
+
+
+#<IfModule mod_alias.c>
+# <Location /shibboleth-sp>
+# #Satisfy Any
+# #Allow from all
+# AllowOverride None
+# Require all granted
+# </Location>
+# Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
+#</IfModule>
+#
+##
+## Configure the module for content.
+##
+## You MUST enable AuthType shibboleth for the module to process
+## any requests, and there MUST be a require command as well. To
+## enable Shibboleth but not specify any session/access requirements
+## use "require shibboleth".
+##
+#<Location /secure>
+# AuthType shibboleth
+# #ShibCompatWith24 On
+# ShibRequestSetting requireSession 1
+# require shib-session
+#</Location>
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/inst/apache_shib/files.inst/etc/apache2/cgi-bin-test/test.cgi b/inst/apache_shib/files.inst/etc/apache2/cgi-bin-test/test.cgi
new file mode 100755
index 0000000000000000000000000000000000000000..6df1c9a6c786c74ec4fbbc55d8be5e49ef5d11ad
--- /dev/null
+++ b/inst/apache_shib/files.inst/etc/apache2/cgi-bin-test/test.cgi
@@ -0,0 +1,9 @@
+#!/usr/bin/perl
+use CGI;
+print CGI->header;
+print "<pre>\n";
+for (sort keys %ENV) {
+ print "$_ = ", $ENV{$_}, "\n";
+}
+print "</pre>\n";
+exit 0;
diff --git a/inst/apache_shib/files.inst/etc/apache2/sites-available/000-default.conf b/inst/apache_shib/files.inst/etc/apache2/sites-available/000-default.conf
new file mode 100644
index 0000000000000000000000000000000000000000..3217980608914c9b040e483adec58992f2e8f79f
--- /dev/null
+++ b/inst/apache_shib/files.inst/etc/apache2/sites-available/000-default.conf
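Review bot: `print "$_ = ", $ENV{$_}, "\n";` in test.cgi writes every environment value into the HTML body unescaped, and under the https vhost in this commit that environment includes the IdP-asserted Shibboleth attributes and the client's own request headers (HTTP_USER_AGENT, HTTP_REFERER, ...), so any value containing `<` or `&` is rendered as markup inside the `<pre>`; use `print CGI::escapeHTML("$_ = $ENV{$_}"), "\n";`. More generally the script dumps the whole attribute set and server environment to any session holder, which is fine for a lab but not for a deployable file list, and etc-apache-diff.list.filtered2 in this commit installs it unconditionally. Consider keeping it out of the list, or documenting at the top of the file that it is a diagnostic to be removed after the SP is verified.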
@@ -0,0 +1,134 @@ +<VirtualHost *:80> + # The ServerName directive sets the request scheme, hostname and port that + # the server uses to identify itself. This is used when creating + # redirection URLs. In the context of virtual hosts, the ServerName + # specifies what hostname must appear in the request's Host: header to + # match this virtual host. For the default virtual host (this file) this + # value is not decisive as it is used as a last resort host regardless. + # However, you must set it for any further virtual host explicitly. + #ServerName www.example.com + + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + # For most configuration files from conf-available/, which are + # enabled or disabled at a global level, it is possible to + # include a line for only one particular virtual host. For example the + # following line enables the CGI configuration for this host only + # after it has been globally disabled with "a2disconf". + #Include conf-available/serve-cgi-bin.conf + + # ServerName test-fod-lab.geant.net + # APACHE_SHIB__SERVERNAME + ServerName test-fod.geant.net + + Alias /shibboleth-sp "usr/share/shibboleth" + +<IfModule mod_alias.c> + <Location /shibboleth-sp> + #Satisfy Any + #Allow from all + AllowOverride None + Require all granted + </Location> + Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css +</IfModule> + +# +# Configure the module for content. +# +# You MUST enable AuthType shibboleth for the module to process +# any requests, and there MUST be a require command as well. To +# enable Shibboleth but not specify any session/access requirements +# use "require shibboleth". 
+## +<Location /secure> + AuthType shibboleth + #ShibCompatWith24 On + ShibRequestSetting requireSession 1 + require shib-session +</Location> + + + + <Location "/Shibboleth.sso"> + #Order allow,deny + #Allow from all + AllowOverride None + Require all granted + + + SetHandler shib + </Location> + + <Location "/login"> + Require shib-session + + #Order allow,deny + #Allow from all + AllowOverride None + Require all granted + + AuthType shibboleth + ShibUseHeaders on + ShibRequestSetting requireSession 1 + #ShibCompatWith24 on + </Location> + + Alias /static "/srv/flowspy/static" + #<Location /srv/flowspy/static> + # AllowOverride None + # Require all granted + #</Location> + + <Location /static> + AllowOverride None + Require all granted + </Location> + + ## Proxy rules + ProxyRequests Off + + ProxyPass /static ! + <Location /static> + ProxyPassReverse ! + </Location> + ProxyPass /shibboleth ! + <Location /shibboleth> + ProxyPassReverse ! + </Location> + ProxyPass /Shibboleth.sso ! + <Location /Shibboleth.sso> + ProxyPassReverse ! + </Location> + ProxyPass "/" "http://localhost:8000/" retry=0 + <Location /> + ProxyPassReverse http://localhost:8000/ + </Location> + + +# ## Header rules +# ## as per http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header +# Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" +# RequestHeader set X-Forwarded-Proto 'https' +# RequestHeader set X_FORWARDED_PROTO 'https' +# Header always set X-Forw-Proto 'https' +# SetEnv HTTPS 1 +# SetEnv X_FORWARDED_PROTO 'https' + +# ## Custom fragment +# ProxyErrorOverride off +# ProxyTimeout 28800 + +</VirtualHost> + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/inst/apache_shib/files.inst/etc/apache2/sites-enabled/000-default.conf b/inst/apache_shib/files.inst/etc/apache2/sites-enabled/000-default.conf new file mode 120000 index 0000000000000000000000000000000000000000..3c4632b73882eaa0687732a62611fe5f759041c3 --- /dev/null 
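Review bot: `Alias /shibboleth-sp "usr/share/shibboleth"` is missing the leading slash, so it does not point at /usr/share/shibboleth the way the `Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css` line right below it does; the same line appears in 100-default-https.conf. `AllowOverride None` inside the `<Location>` blocks is documented by Apache as directory-context only, so expect `AllowOverride not allowed here` from `apache2ctl configtest`; drop those lines (the https vhost already has them commented out for /login). In `<Location "/login">` both `Require shib-session` and `Require all granted` are set, and since 2.4 treats sibling Require directives as RequireAny the second one makes the first moot, leaving `ShibRequestSetting requireSession 1` as the only thing enforcing a session. Finally this is the plain-HTTP :80 vhost and it terminates the Shibboleth login and proxies the application with no redirect to :443, so the application session cookie and the `ShibUseHeaders` headers travel in clear; replacing the proxy rules here with a redirect to the https vhost would be the usual fix.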
+++ b/inst/apache_shib/files.inst/etc/apache2/sites-enabled/000-default.conf
@@ -0,0 +1 @@
+../sites-available/000-default.conf
\ No newline at end of file
diff --git a/inst/apache_shib/files.inst/etc/apache2/sites-enabled/100-default-https.conf b/inst/apache_shib/files.inst/etc/apache2/sites-enabled/100-default-https.conf
new file mode 100644
index 0000000000000000000000000000000000000000..33c7a8a8670a7e989e85c41619065e731e66b918
--- /dev/null
+++ b/inst/apache_shib/files.inst/etc/apache2/sites-enabled/100-default-https.conf
@@ -0,0 +1,162 @@ +<VirtualHost *:443> + # The ServerName directive sets the request scheme, hostname and port that + # the server uses to identify itself. This is used when creating + # redirection URLs. In the context of virtual hosts, the ServerName + # specifies what hostname must appear in the request's Host: header to + # match this virtual host. For the default virtual host (this file) this + # value is not decisive as it is used as a last resort host regardless. + # However, you must set it for any further virtual host explicitly. + #ServerName www.example.com + + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + # For most configuration files from conf-available/, which are + # enabled or disabled at a global level, it is possible to + # include a line for only one particular virtual host. For example the + # following line enables the CGI configuration for this host only + # after it has been globally disabled with "a2disconf". + #Include conf-available/serve-cgi-bin.conf + + # ServerName test-fod-lab.geant.net + ServerName test-fod.geant.net + + Alias /cgi-bin-test /etc/apache2/cgi-bin-test + <Location /cgi-bin-test> + Require shib-session + AuthType shibboleth + ShibUseHeaders on + ShibRequestSetting requireSession 1 + #ShibCompatWith24 on + Options +ExecCGI + AddHandler cgi-script cgi pl + </Location> + + Alias /shibboleth-sp "usr/share/shibboleth" + +#<IfModule mod_alias.c> + <Location /shibboleth-sp> + #Satisfy Any + #Allow from all + AllowOverride None + Require all granted + </Location> + Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css +#</IfModule> + +# +# Configure the module for content. 
+# +# You MUST enable AuthType shibboleth for the module to process +# any requests, and there MUST be a require command as well. To +# enable Shibboleth but not specify any session/access requirements +# use "require shibboleth". +## +<Location /secure> + AuthType shibboleth + #ShibCompatWith24 On + ShibRequestSetting requireSession 1 + require shib-session +</Location> + + + + <Location "/Shibboleth.sso"> + #Order allow,deny + #Allow from all + AllowOverride None + Require all granted + + + SetHandler shib + </Location> + + <Location "/login"> + Require shib-session + + #Order allow,deny + #Allow from all + #AllowOverride None + #Require all granted + + AuthType shibboleth + ShibUseHeaders on + ShibRequestSetting requireSession 1 + #ShibCompatWith24 on + </Location> + + Alias /static "/srv/flowspy/static" + #<Location /srv/flowspy/static> + # AllowOverride None + # Require all granted + #</Location> + + <Location /static> + AllowOverride None + Require all granted + </Location> + + ## Proxy rules + ProxyRequests Off + + ProxyPass /static ! + <Location /static> + ProxyPassReverse ! + </Location> + ProxyPass /shibboleth ! + <Location /shibboleth> + ProxyPassReverse ! + </Location> + ProxyPass /Shibboleth.sso ! + <Location /Shibboleth.sso> + ProxyPassReverse ! + </Location> + ProxyPass /shibboleth-sp ! + <Location /shibboleth-sp> + ProxyPassReverse ! + </Location> + ProxyPass /cgi-bin-test ! + <Location /cgi-bin-test> + ProxyPassReverse ! 
+ </Location> + ProxyPass "/" "http://localhost:8000/" retry=0 + <Location /> + ProxyPassReverse http://localhost:8000/ + </Location> + + + +# ## Header rules +# ## as per http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header +# Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" +# RequestHeader set X-Forwarded-Proto 'https' +# RequestHeader set X_FORWARDED_PROTO 'https' +# Header always set X-Forw-Proto 'https' +# SetEnv HTTPS 1 +# SetEnv X_FORWARDED_PROTO 'https' + +# ## Custom fragment +# ProxyErrorOverride off +# ProxyTimeout 28800 + +#### + + SSLEngine on + SSLCertificateFile "/etc/apache2/mysitename.crt" + SSLCertificateKeyFile "/etc/apache2/mysitename.key" + + + + +</VirtualHost> + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/inst/apache_shib/files.inst/etc/shibboleth/attribute-map.xml b/inst/apache_shib/files.inst/etc/shibboleth/attribute-map.xml new file mode 100644 index 0000000000000000000000000000000000000000..9b574ea9d77af7f29f97a9747d5e140fa1f390f3 --- /dev/null +++ b/inst/apache_shib/files.inst/etc/shibboleth/attribute-map.xml 
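Review bot: `ShibUseHeaders on` in `<Location "/login">` and `<Location /cgi-bin-test>` exports attributes as request headers, and as far as the SP's spoof-checking documentation goes mod_shib only clears client-supplied copies of those header names on requests it actually processes, i.e. inside the shib-protected Locations; every other path goes through `ProxyPass "/" "http://localhost:8000/"` with the client's headers untouched, so the application on :8000 must not trust attribute headers on any path other than /login (confirm how it reads the identity, and consider `RequestHeader unset` for those names at vhost level as a belt-and-braces measure). `Options +ExecCGI` on `/cgi-bin-test` serves the environment-dump test.cgi from this commit to every session holder, so it should be excluded from the installed list on non-lab hosts. The `AllowOverride None` inside `<Location>` and the relative `Alias /shibboleth-sp "usr/share/shibboleth"` are the same defects as in 000-default.conf. The TLS side relies on the global mod_ssl defaults plus the self-signed mysitename.crt from the init script, and the `Header always set Strict-Transport-Security` line is still commented out; a short comment saying which of these are intentional for the lab host would help the next person deploying this.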
@@ -0,0 +1,146 @@ +<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + + + <!-- Core attributes --> + <Attribute name="TAL:federated_user_id" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" id="uniqueID"/> + + <Attribute name="urn:oid:2.5.4.10" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="organisation"/> + + <!-- A persistent id attribute that supports personalized anonymous access. --> + + <!-- First, the deprecated version, decoded as a scoped string: --> + <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id"> + <AttributeDecoder xsi:type="ScopedAttributeDecoder"/> + </Attribute> + + <!-- Third, the new version (note the OID-style name): --> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id"/> + + <!-- Surname --> + <Attribute name="urn:mace:dir:attribute-def:sn" id="surname"/> + <Attribute name="urn:oid:2.5.4.4" id="surname"/> + + <!-- Given name --> + <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/> + <Attribute name="urn:oid:2.5.4.42" id="givenName"/> + + <!-- E-mail address --> + <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/> + <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/> + + <Attribute name="urn:oid:2.16.756.1.2.5.1.1.5" id="homeOrganizationType"> + <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/> + </Attribute> + + <!-- Affiliation --> + <!-- to maintain backwards compatibility in SWITCHaai, the id is + "affiliation" instead of "unscoped-affiliation" + --> + <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="affiliation"/> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="affiliation"/> + + <!-- Other attributes --> + + <!-- User ID --> + <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/> + <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/> + + + <!-- Employee number --> + 
<Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/> + <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/> + + + <!-- Nick name --> + <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/> + + <!-- Preferred Language --> + <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/> + <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/> + + <!-- Home postal address --> + <Attribute name="urn:mace:dir:attribute-def:homePostalAddress" id="homePostalAddress"/> + <Attribute name="urn:oid:0.9.2342.19200300.100.1.39" id="homePostalAddress"/> + + <!-- Business postal address --> + <Attribute name="urn:mace:dir:attribute-def:postalAddress" id="postalAddress"/> + <Attribute name="urn:oid:2.5.4.16" id="postalAddress"/> + + <!-- Private phone number --> + <Attribute name="urn:mace:dir:attribute-def:homePhone" id="homePhone"/> + <Attribute name="urn:oid:0.9.2342.19200300.100.1.20" id="homePhone"/> + + <!-- Business phone number --> + <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/> + <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/> + + <!-- Mobile phone number --> + <Attribute name="urn:mace:dir:attribute-def:mobile" id="mobile"/> + <Attribute name="urn:oid:0.9.2342.19200300.100.1.41" id="mobile"/> + + <!-- Scoped Affiliation --> + <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="scoped-affiliation"> + <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/> + </Attribute> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="scoped-affiliation"> + <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/> + </Attribute> + + <!-- Organization path --> + <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" 
id="org-dn"/> + + <!-- Organizational unit path --> + <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/> + + <!-- Primary organizational unit --> + <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/> + + <!-- Entitlement + <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"--> + + + <!-- Other Standardized/International attributes --> + + <!-- Organizational unit --> + <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/> + <Attribute name="urn:oid:2.5.4.11" id="ou"/> + + <!-- Assurance level --> + <Attribute name="urn:mace:dir:attribute-def:eduPersonAssurance" id="assurance"/> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/> + + <!-- Member of --> + <Attribute name="urn:mace:dir:attribute-def:isMemberOf" id="isMemberOf"/> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf"/> + + <!-- Display Name --> + <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/> + <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="displayName"/> + + <!-- Common Name --> + <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/> + <Attribute name="urn:oid:2.5.4.3" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="cn"/> + + <!-- SCHAC Home Organisation --> + <Attribute name="urn:mace:terena.org:schac:homeOrganization" id="schacHomeOrganization"/> + <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization"/> + + <!-- SCHAC Home Organisation Type --> + <Attribute name="urn:mace:terena.org:schac:homeOrganizationType" id="schacHomeOrganizationType"/> + <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" 
id="schacHomeOrganizationType"/> + + <!-- Principal name --> + <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="principalName"> + <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/> + </Attribute> + <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="principalName"> + <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/> + </Attribute> + +</Attributes> diff --git a/inst/apache_shib/files.inst/etc/shibboleth/attribute-policy.xml b/inst/apache_shib/files.inst/etc/shibboleth/attribute-policy.xml new file mode 100644 index 0000000000000000000000000000000000000000..2d4264f3ed5b5cef8219cc421c1da53614e951f6 --- /dev/null +++ b/inst/apache_shib/files.inst/etc/shibboleth/attribute-policy.xml 
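Review bot: The ids this map assigns do not line up with the ids attribute-policy.xml (the next file in this commit) filters on: eduPersonPrincipalName is mapped here as `id="principalName"`, but the scope check in the policy is attached to `attributeID="eppn"`, so ePPN falls through to the catch-all `<afp:AttributeRule attributeID="*">` with `ANY` and an IdP can assert a principal name in any scope without `AttributeScopeMatchesShibMDScope` ever running. Likewise the policy applies `ScopingRules` to `affiliation`, which in this map is the unscoped eduPersonAffiliation (the comment says the id is kept for SWITCHaai compatibility), while the scoped variant is `scoped-affiliation` and gets only the catch-all; `unscoped-affiliation` and `primary-affiliation` in the policy match nothing here. Either rename the ids in this map to the stock ones the policy expects, or add `<afp:AttributeRule>` entries for `principalName` and `scoped-affiliation` that reference `ScopingRules`. `uniqueID` (TAL:federated_user_id), which looks like the value the application keys on, also has no rule beyond the catch-all, so whatever format it is expected to have is not enforced at the SP.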
@@ -0,0 +1,69 @@ +<afp:AttributeFilterPolicyGroup + xmlns="urn:mace:shibboleth:2.0:afp:mf:basic" + xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml" + xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" + xmlns:afp="urn:mace:shibboleth:2.0:afp" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + + <!-- Shared rule for affiliation values. --> + <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR"> + <Rule xsi:type="AttributeValueString" value="faculty"/> + <Rule xsi:type="AttributeValueString" value="student"/> + <Rule xsi:type="AttributeValueString" value="staff"/> + <Rule xsi:type="AttributeValueString" value="alum"/> + <Rule xsi:type="AttributeValueString" value="member"/> + <Rule xsi:type="AttributeValueString" value="affiliate"/> + <Rule xsi:type="AttributeValueString" value="employee"/> + <Rule xsi:type="AttributeValueString" value="library-walk-in"/> + </afp:PermitValueRule> + + <!-- + Shared rule for all "scoped" attributes, but you'll have to manually apply it inside + an AttributeRule for each attribute you want to check. + --> + <afp:PermitValueRule id="ScopingRules" xsi:type="AND"> + <Rule xsi:type="NOT"> + <Rule xsi:type="AttributeValueRegex" regex="@"/> + </Rule> + <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/> + </afp:PermitValueRule> + + <afp:AttributeFilterPolicy> + <!-- This policy is in effect in all cases. --> + <afp:PolicyRequirementRule xsi:type="ANY"/> + + <!-- Filter out undefined affiliations and ensure only one primary. 
--> + <afp:AttributeRule attributeID="affiliation"> + <afp:PermitValueRule xsi:type="AND"> + <RuleReference ref="eduPersonAffiliationValues"/> + <RuleReference ref="ScopingRules"/> + </afp:PermitValueRule> + </afp:AttributeRule> + <afp:AttributeRule attributeID="unscoped-affiliation"> + <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/> + </afp:AttributeRule> + <afp:AttributeRule attributeID="primary-affiliation"> + <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/> + </afp:AttributeRule> + + <afp:AttributeRule attributeID="eppn"> + <afp:PermitValueRuleReference ref="ScopingRules"/> + </afp:AttributeRule> + + <afp:AttributeRule attributeID="targeted-id"> + <afp:PermitValueRuleReference ref="ScopingRules"/> + </afp:AttributeRule> + + <!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. + <afp:AttributeRule attributeID="persistent-id"> + <afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/> + </afp:AttributeRule --> + + <!-- Catch-all that passes everything else through unmolested. --> + <afp:AttributeRule attributeID="*"> + <afp:PermitValueRule xsi:type="ANY"/> + </afp:AttributeRule> + + </afp:AttributeFilterPolicy> + +</afp:AttributeFilterPolicyGroup> diff --git a/inst/apache_shib/files.inst/etc/shibboleth/keygen.sh b/inst/apache_shib/files.inst/etc/shibboleth/keygen.sh new file mode 100755 index 0000000000000000000000000000000000000000..4ee69f68830728f9f39a20254f0b72150500274d --- /dev/null +++ b/inst/apache_shib/files.inst/etc/shibboleth/keygen.sh 
@@ -0,0 +1,85 @@
+#! /bin/sh
+
+while getopts h:u:g:o:e:y:bf c
+ do
+ case $c in
+ u) USER=$OPTARG;;
+ g) GROUP=$OPTARG;;
+ o) OUT=$OPTARG;;
+ b) BATCH=1;;
+ f) FORCE=1;;
+ h) FQDN=$OPTARG;;
+ e) ENTITYID=$OPTARG;;
+ y) YEARS=$OPTARG;;
+ \?) echo "keygen [-o output directory (default .)] [-u username to own keypair] [-g owning groupname] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert]"
+ exit 1;;
+ esac
+ done
+if [ -z "$OUT" ] ; then
+ OUT=.
+fi
+
+if [ -n "$FORCE" ] ; then
+ rm $OUT/sp-key.pem $OUT/sp-cert.pem
+fi
+
+if [ -s $OUT/sp-key.pem -o -s $OUT/sp-cert.pem ] ; then
+ if [ -z "$BATCH" ] ; then
+ echo The files $OUT/sp-key.pem and/or $OUT/sp-cert.pem already exist!
+ echo Use -f option to force recreation of keypair.
+ exit 2
+ fi
+ exit 0
+fi
+
+if [ -z "$FQDN" ] ; then
+ FQDN=`hostname`
+fi
+
+if [ -z "$YEARS" ] ; then
+ YEARS=10
+fi
+
+DAYS=`expr $YEARS \* 365`
+
+if [ -z "$ENTITYID" ] ; then
+ ALTNAME=DNS:$FQDN
+else
+ ALTNAME=DNS:$FQDN,URI:$ENTITYID
+fi
+
+SSLCNF=$OUT/sp-cert.cnf
+cat >$SSLCNF <<EOF
+# OpenSSL configuration file for creating sp-cert.pem
+[req]
+prompt=no
+default_bits=2048
+encrypt_key=no
+default_md=sha1
+distinguished_name=dn
+# PrintableStrings only
+string_mask=MASK:0002
+x509_extensions=ext
+[dn]
+CN=$FQDN
+[ext]
+subjectAltName=$ALTNAME
+subjectKeyIdentifier=hash
+EOF
+
+touch $OUT/sp-key.pem
+chmod 600 $OUT/sp-key.pem
+if [ -z "$BATCH" ] ; then
+ openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/sp-key.pem -out $OUT/sp-cert.pem
+else
+ openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/sp-key.pem -out $OUT/sp-cert.pem 2> /dev/null
+fi
+rm $SSLCNF
+
+if [ -s $OUT/sp-key.pem -a -n "$USER" ] ; then
+ chown $USER $OUT/sp-key.pem $OUT/sp-cert.pem
+fi
+
+if [ -s $OUT/sp-key.pem -a -n "$GROUP" ] ; then
+ chgrp $GROUP $OUT/sp-key.pem $OUT/sp-cert.pem
+fi
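Review bot: The OpenSSL config written at `cat >$SSLCNF <<EOF` pins `default_md=sha1`, so the SP's self-signed certificate is SHA-1 signed; `default_md=sha256` is what newer versions of this script ship and costs nothing here. `$OUT` is expanded unquoted in every `rm`, `touch`, `chmod`, `chown`, `chgrp` and `openssl` call, so an output directory containing spaces or glob characters breaks the script and, under `-f`, makes the `rm` act on unintended names; quoting `"$OUT/sp-key.pem"` and `"$OUT/sp-cert.pem"` throughout fixes it. The `[ … -o … ]` and `[ … -a … ]` tests are the deprecated ambiguous forms; `[ -s "$OUT/sp-key.pem" ] || [ -s "$OUT/sp-cert.pem" ]` says the same thing unambiguously. This looks like a copy of the keygen.sh installed by the Shibboleth SP package; if so, a header comment naming the upstream version it was taken from would help whoever has to reconcile it with the packaged one.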
diff --git a/inst/apache_shib/files.inst/etc/shibboleth/login-terena-org.xml b/inst/apache_shib/files.inst/etc/shibboleth/login-terena-org.xml
new file mode 100644
index 0000000000000000000000000000000000000000..a452bd6d200f72dea2d5a9e4d967d67a724896f6
--- /dev/null
+++ b/inst/apache_shib/files.inst/etc/shibboleth/login-terena-org.xml
@@ -0,0 +1,65 @@
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://login.terena.org/wayf/saml2/idp/metadata.php" ID="pfx97d1a047-79d7-86e6-2f1b-223fbe88e668">
+<ds:Signature>
+<ds:SignedInfo>
+<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+<ds:Reference URI="#pfx97d1a047-79d7-86e6-2f1b-223fbe88e668">
+<ds:Transforms>
+<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+</ds:Transforms>
+<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+<ds:DigestValue>kHAfWD6N1M47jzCBwrsJCkx85Rc=</ds:DigestValue>
+</ds:Reference>
+</ds:SignedInfo>
+<ds:SignatureValue>
+oUPgpYX2pSLWGZAdyyYhSRhYIs1VwILf1vm52W7vLY2/QFnD2uFFVv7ve229AmLNYW3jJkj8h9ZDQIlDS/Kw8LT7xifzXSAx9Nun2DvF7uTMIt1HwHL3WeepBuIbsVrQGBC88shNn/b2aW9sutvlm98R7oCpGoS9cczQnHhhun63sCEuMjT7HoL/ZGQjtwwTDnKnuID/PbJNbcN9wTL/dyCNwnCOMMel8Rv4Ybgs3DBnh3ZExEZlfoYk9EMBlPcy59IyZtiHIwdvzRNV2fpoupHzW33N7/vNMFw0DRKiEHTs9menj0uKCcnqGR9Bo/QHorhBI2WNxuGyVY92BJbEvg==
+</ds:SignatureValue>
+<ds:KeyInfo>
+<ds:X509Data>
+<ds:X509Certificate> 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
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</ds:Signature>
+<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+<md:KeyDescriptor use="signing">
+<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:X509Data>
+<ds:X509Certificate>
+MIIEkjCCA3qgAwIBAgIJAL90CxMEVb/kMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJOTDELMAkGA1UECBMCTkgxEjAQBgNVBAcTCUFtc3RlcmRhbTEPMA0GA1UEChMGVEVSRU5BMQwwCgYDVQQLEwNJVFMxHjAcBgNVBAMTFWh0dHBzOi8vdGVyZW5hLm9yZy9zcDEdMBsGCSqGSIb3DQEJARYOYWFpQHRlcmVuYS5vcmcwHhcNMTEwMTEyMTUyNjM4WhcNMjEwMTExMTUyNjM4WjCBjDELMAkGA1UEBhMCTkwxCzAJBgNVBAgTAk5IMRIwEAYDVQQHEwlBbXN0ZXJkYW0xDzANBgNVBAoTBlRFUkVOQTEMMAoGA1UECxMDSVRTMR4wHAYDVQQDExVodHRwczovL3RlcmVuYS5vcmcvc3AxHTAbBgkqhkiG9w0BCQEWDmFhaUB0ZXJlbmEub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwTxx8JBWSpBJiZgdvGOJDXLwaE29Opx1CBbIrYHm47Oy4btsf0BzCmfdSPDlydDm6//355hsQU8BgIh/waEwFZZCg/XyzrJEXCDTZBm1H210aT7FNp356azqKOO1bYWcku0xpFOWWf3jCIkjtOiTkbl12Tw7Y+zJRhV2+jleC5td3JxZ6k1qotgN+1cGwZ2Tv2HhSNeMC4QsGOyBqeP+7B1CLFqFZSiLWGVqcZi0fGkXf+SrTSEH/kLzdciEg2EePyQPcLCKNz9RiIhSmsLE/Rr1ksOvZGmyWFe7YsPyJOLsNyYcZTufDVwpl9fDuJdYy2GdMT1kSNNOpZXZ7QcgYwIDAQABo4H0MIHxMB0GA1UdDgQWBBQ6tVqjpKC8+30XF/qWlaZ3fUKTvDCBwQYDVR0jBIG5MIG2gBQ6tVqjpKC8+30XF/qWlaZ3fUKTvKGBkqSBjzCBjDELMAkGA1UEBhMCTkwxCzAJBgNVBAgTAk5IMRIwEAYDVQQHEwlBbXN0ZXJkYW0xDzANBgNVBAoTBlRFUkVOQTEMMAoGA1UECxMDSVRTMR4wHAYDVQQDExVodHRwczovL3RlcmVuYS5vcmcvc3AxHTAbBgkqhkiG9w0BCQEWDmFhaUB0ZXJlbmEub3JnggkAv3QLEwRVv+QwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAn+06i7zZE7MjuB68gCaNvnCkrgfumi4PWiP6kaE6+LU2MTbxdFyoSAoKh6Ft9TDi+8ANAsn5jRQ5xLUE4YoVbub/KufMwdlX0zO9i+Q//npDTFESnWsiMi7DHg/av1LtzrYYZvE2E1e5c/7wo/axx8Bk7qsE9YXFRs372vDkDwOGSkLbRtgwdCUX47CE/fXvccPDHH217XMed2cVOGFjQgidsFZlJbSfSvQjWYw5LIE0wo9RtsEu5I3WAIar8Wr6/nhVOgIBUStpcw94GwlPxLywfij5CJ9HT+sN2SOj4YmKPBtcwHI75uNZp7XRy85jRjrvhahg5baIQ0u3aL8aMA==
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</md:KeyDescriptor>
+<md:KeyDescriptor use="encryption">
+<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:X509Data>
+<ds:X509Certificate> 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
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</md:KeyDescriptor>
+<md:KeyDescriptor use="signing">
+<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:X509Data>
+<ds:X509Certificate> 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
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</md:KeyDescriptor>
+<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.terena.org/wayf/saml2/idp/SingleLogoutService.php"/>
+<md:NameIDFormat>
+urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+</md:NameIDFormat>
+<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.terena.org/wayf/saml2/idp/SSOService.php"/>
+</md:IDPSSODescriptor>
+<md:ContactPerson contactType="technical">
+<md:GivenName>TERENA</md:GivenName>
+<md:SurName>AAI team</md:SurName>
+<md:EmailAddress>aai@terena.org</md:EmailAddress>
+</md:ContactPerson>
+</md:EntityDescriptor>
diff --git a/inst/apache_shib/files.inst/etc/shibboleth/metagen.sh b/inst/apache_shib/files.inst/etc/shibboleth/metagen.sh
new file mode 100755
index 0000000000000000000000000000000000000000..d616b1f1590b2464d7faf7c614306aaf18be39a5
--- /dev/null
+++ b/inst/apache_shib/files.inst/etc/shibboleth/metagen.sh
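Review bot: This IdP metadata is committed as a static snapshot with no `validUntil` or `cacheDuration`, and the shibboleth2.xml in this commit loads it with `<MetadataProvider type="XML" file="login-terena-org.xml"/>` and no `Signature` filter, so the `<ds:Signature>` carried in this file is never verified and trust in the IdP's keys rests entirely on the file being intact in the repository. That is a workable pinning model, but nothing here records where the file was fetched from, when, or how to refresh it; a short README next to it or a comment in the install script should say so. The signature also uses rsa-sha1 with a sha1 digest, which is the publisher's choice rather than something this commit controls, and one more reason to verify the file out of band instead of relying on it. Decoding the embedded signing certificate suggests its validity ends in January 2021; a stale copy may not announce itself, so an explicit refresh step matters.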
@@ -0,0 +1,355 @@
+#!/usr/bin/env bash
+
+DECLS=1
+
+SAML1=0
+SAML2=0
+ARTIFACT=0
+DS=0
+LOGOUT=0
+NAMEIDMGMT=0
+
+SAML10PROT="urn:oasis:names:tc:SAML:1.0:protocol"
+SAML11PROT="urn:oasis:names:tc:SAML:1.1:protocol"
+SAML20PROT="urn:oasis:names:tc:SAML:2.0:protocol"
+
+SAML20SOAP="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+SAML20REDIRECT="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+SAML20POST="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+SAML20POSTSS="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
+SAML20ART="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+SAML20PAOS="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
+
+SAML1POST="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
+SAML1ART="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
+
+while getopts a:c:e:f:h:l:n:o:s:t:u:12ADLNO c
+ do
+ case $c in
+ c) CERTS[${#CERTS[*]}]=$OPTARG;;
+ e) ENTITYID=$OPTARG;;
+ f) FORMATS[${#FORMATS[*]}]=$OPTARG;;
+ h) HOSTS[${#HOSTS[*]}]=$OPTARG;;
+ l) HOSTLIST=$OPTARG;;
+ n) NAKEDHOSTS[${#NAKEDHOSTS[*]}]=$OPTARG;;
+ o) ORGNAME=$OPTARG;;
+ a) ADMIN[${#ADMIN[*]}]=$OPTARG;;
+ s) SUP[${#SUP[*]}]=$OPTARG;;
+ t) TECH[${#TECH[*]}]=$OPTARG;;
+ u) URL=$OPTARG;;
+ 1) SAML1=1;;
+ 2) SAML2=1;;
+ A) ARTIFACT=1;;
+ D) DS=1;;
+ L) LOGOUT=1;;
+ N) NAMEIDMGMT=1;;
+ O) DECLS=0;;
+ \?) echo metagen [-12ADLNO] -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-e entityID]
+ exit 1;;
+ esac
+ done
+
+if [ ${#HOSTS[*]} -eq 0 -a ${#NAKEDHOSTS[*]} -eq 0 ] ; then
+ echo metagen [-12ADLN] -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-e entityID]
+ exit 1
+fi
+
+if [ ${#CERTS[*]} -eq 0 ] ; then
+ CERTS[${#CERTS[*]}]=sp-cert.pem
+fi
+
+for c in ${CERTS[@]}
+do
+ if [ ! -s $c ] ; then
+ echo Certificate file $c does not exist!
+ exit 2
+ fi
+done
+
+if [ -z $ENTITYID ] ; then
+ if [ ${#HOSTS[*]} -eq 0 ] ; then
+ ENTITYID=https://${NAKEDHOSTS[0]}/shibboleth
+ else
+ ENTITYID=https://${HOSTS[0]}/shibboleth
+ fi
+fi
+
+if [ ! -z $HOSTLIST ] ; then
+ if [ -s $HOSTLIST ] ; then
+ while read h
+ do
+ HOSTS[${#HOSTS[@]}]=$h
+ done <$HOSTLIST
+ else
+ echo File with list of hostnames $l does not exist!
+ exit 2
+ fi
+fi
+
+# Establish protocols and bindings.
+
+if [ $SAML1 -eq 0 -a $SAML2 -eq 0 ] ; then
+ SAML1=1
+ SAML2=1
+fi
+
+if [ $LOGOUT -eq 1 -o $NAMEIDMGMT -eq 1 ] ; then
+ SAML2=1
+ SLO[${#SLO[*]}]=$SAML20SOAP
+ SLO[${#SLO[*]}]=$SAML20REDIRECT
+ SLO[${#SLO[*]}]=$SAML20POST
+ SLOLOC[${#SLOLOC[*]}]="SOAP"
+ SLOLOC[${#SLOLOC[*]}]="Redirect"
+ SLOLOC[${#SLOLOC[*]}]="POST"
+ if [ $ARTIFACT -eq 1 ] ; then
+ SLO[${#SLO[*]}]=$SAML20ART
+ SLOLOC[${#SLOLOC[*]}]="Artifact"
+ fi
+fi
+
+if [ $SAML1 -eq 1 -a $SAML2 -eq 1 ] ; then
+ PROTENUM="$SAML20PROT $SAML11PROT"
+elif [ $SAML1 -eq 1 ] ; then
+ PROTENUM="$SAML11PROT"
+else
+ PROTENUM="$SAML20PROT"
+fi
+
+if [ $SAML2 -eq 1 ] ; then
+ ACS[${#ACS[*]}]=$SAML20POST
+ ACSLOC[${#ACSLOC[*]}]="SAML2/POST"
+ ACS[${#ACS[*]}]=$SAML20POSTSS
+ ACSLOC[${#ACSLOC[*]}]="SAML2/POST-SimpleSign"
+ if [ $ARTIFACT -eq 1 ] ; then
+ ACS[${#ACS[*]}]=$SAML20ART
+ ACSLOC[${#ACSLOC[*]}]="SAML2/Artifact"
+ fi
+ ACS[${#ACS[*]}]=$SAML20PAOS
+ ACSLOC[${#ACSLOC[*]}]="SAML2/ECP"
+fi
+
+if [ $SAML1 -eq 1 ] ; then
+ ACS[${#ACS[*]}]=$SAML1POST
+ ACSLOC[${#ACSLOC[*]}]="SAML/POST"
+ if [ $ARTIFACT -eq 1 ] ; then
+ ACS[${#ACS[*]}]=$SAML1ART
+ ACSLOC[${#ACSLOC[*]}]="SAML/Artifact"
+ fi
+fi
+
+if [ $DECLS -eq 1 ] ; then
+ DECLS="xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" "
+ if [ $DS -eq 1 ] ; then
+ DECLS="${DECLS}xmlns:disco=\"urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol\" "
+ fi
+else
+ DECLS=""
+fi
+
+cat <<EOF
+<md:EntityDescriptor ${DECLS}entityID="${ENTITYID}">
+ <md:SPSSODescriptor protocolSupportEnumeration="${PROTENUM}">
+EOF
+
+# Discovery BEGIN
+if [ $DS -eq 1 ] ; then
+
+cat << EOF
+ <md:Extensions>
+EOF
+
+count=1
+for h in ${HOSTS[@]}
+do
+ cat << EOF
+ <disco:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://$h/Shibboleth.sso/DS" index="$count"/>
+EOF
+ let "count++"
+done
+
+for h in ${NAKEDHOSTS[@]}
+do
+ cat << EOF
+ <disco:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://$h/Shibboleth.sso/DS" index="$count"/>
+EOF
+ let "count++"
+done
+
+cat << EOF
+ </md:Extensions>
+EOF
+
+fi
+# Discovery END
+
+for c in ${CERTS[@]}
+do
+cat << EOF
+ <md:KeyDescriptor>
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>
+EOF
+grep -v ^- $c
+cat << EOF
+ </ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </md:KeyDescriptor>
+EOF
+done
+
+for f in ${FORMATS[@]}
+do
+cat << EOF
+ <md:NameIDFormat>$f</md:NameIDFormat>
+EOF
+done
+
+# Logout BEGIN
+if [ $LOGOUT -eq 1 ] ; then
+
+for h in ${HOSTS[@]}
+do
+ count=0
+ while [ $count -lt ${#SLO[*]} ]
+ do
+ cat <<EOF
+ <md:SingleLogoutService Binding="${SLO[$count]}" Location="https://$h/Shibboleth.sso/SLO/${SLOLOC[$count]}"/>
+EOF
+ let "count++"
+ done
+done
+
+for h in ${NAKEDHOSTS[@]}
+do
+ count=0
+ while [ $count -lt ${#SLO[*]} ]
+ do
+ cat <<EOF
+ <md:SingleLogoutService Binding="${SLO[$count]}" Location="http://$h/Shibboleth.sso/SLO/${SLOLOC[$count]}"/>
+EOF
+ let "count++"
+ done
+done
+
+fi
+# Logout END
+
+# NameID Mgmt BEGIN
+if [ $NAMEIDMGMT -eq 1 ] ; then
+
+for h in ${HOSTS[@]}
+do
+ count=0
+ while [ $count -lt ${#SLO[*]} ]
+ do
+ cat <<EOF
+ <md:ManageNameIDService Binding="${SLO[$count]}" Location="https://$h/Shibboleth.sso/NIM/${SLOLOC[$count]}"/>
+EOF
+ let "count++"
+ done
+done
+
+for h in ${NAKEDHOSTS[@]}
+do
+ count=0
+ while [ $count -lt ${#SLO[*]} ]
+ do
+ cat <<EOF
+ <md:ManageNameIDService Binding="${SLO[$count]}" Location="http://$h/Shibboleth.sso/NIM/${SLOLOC[$count]}"/>
+EOF
+ let "count++"
+ done
+done
+
+fi
+# NameID Mgmt END
+
+index=0
+for h in ${HOSTS[@]}
+do
+ count=0
+ while [ $count -lt ${#ACS[*]} ]
+ do
+ cat <<EOF
+ <md:AssertionConsumerService Binding="${ACS[$count]}" Location="https://$h/Shibboleth.sso/${ACSLOC[$count]}" index="$((index+1))"/>
+EOF
+ let "count++"
+ let "index++"
+ done
+done
+
+for h in ${NAKEDHOSTS[@]}
+do
+ count=0
+ while [ $count -lt ${#ACS[*]} ]
+ do
+ cat <<EOF
+ <md:AssertionConsumerService Binding="${ACS[$count]}" Location="http://$h/Shibboleth.sso/${ACSLOC[$count]}" index="$((index+1))"/>
+EOF
+ let "count++"
+ let "index++"
+ done
+done
+
+cat <<EOF
+ </md:SPSSODescriptor>
+EOF
+
+if [ -n "$ORGNAME" ] ; then
+ if [ -z "$URL" ] ; then
+ URL=$ENTITYID
+ fi
+ cat <<EOF
+ <md:Organization>
+ <md:OrganizationName xml:lang="en">$ORGNAME</md:OrganizationName>
+ <md:OrganizationDisplayName xml:lang="en">$ORGNAME</md:OrganizationDisplayName>
+ <md:OrganizationURL xml:lang="en">$URL</md:OrganizationURL>
+ </md:Organization>
+EOF
+fi
+
+count=${#ADMIN[*]}
+for (( i=0; i<count; i++ ))
+do
+ IFS="/"; declare -a c=(${ADMIN[$i]})
+ cat <<EOF
+ <md:ContactPerson contactType="administrative">
+ <md:GivenName>${c[0]}</md:GivenName>
+ <md:SurName>${c[1]}</md:SurName>
+ <md:EmailAddress>${c[2]}</md:EmailAddress>
+ </md:ContactPerson>
+EOF
+done
+
+count=${#SUP[*]}
+for (( i=0; i<count; i++ ))
+do
+ IFS="/"; declare -a c=(${SUP[$i]})
+ cat <<EOF
+ <md:ContactPerson contactType="support">
+ <md:GivenName>${c[0]}</md:GivenName>
+ <md:SurName>${c[1]}</md:SurName>
+ <md:EmailAddress>${c[2]}</md:EmailAddress>
+ </md:ContactPerson>
+EOF
+done
+
+count=${#TECH[*]}
+for (( i=0; i<count; i++ ))
+do
+ IFS="/"; declare -a c=(${TECH[$i]})
+ cat <<EOF
+ <md:ContactPerson contactType="technical">
+ <md:GivenName>${c[0]}</md:GivenName>
+ <md:SurName>${c[1]}</md:SurName>
+ <md:EmailAddress>${c[2]}</md:EmailAddress>
+ </md:ContactPerson>
+EOF
+done
+
+cat <<EOF
+</md:EntityDescriptor>
+
+EOF
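Review bot: The `-l` error path prints `$l`, a variable that is never assigned, so a missing host-list file is reported with an empty name; the line should be `echo File with list of hostnames $HOSTLIST does not exist!`. The loop that reads that file uses a bare `while read h`, which strips backslashes and surrounding whitespace; `while IFS= read -r h` keeps the hostnames as written. Array and scalar expansions are unquoted throughout (`${HOSTS[@]}`, `${CERTS[@]}`, `grep -v ^- $c`, `[ -z $HOSTLIST ]`), and `IFS="/"` is set in the three contact loops and never restored, which only works because nothing after them relies on default word splitting. The two usage strings also disagree (`[-12ADLNO]` in the getopts branch versus `[-12ADLN]` below it), and, like keygen.sh in this commit, the file looks like a copy of the script shipped with the Shibboleth SP package, so a header comment recording its origin would help the next maintainer.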
diff --git a/inst/apache_shib/files.inst/etc/shibboleth/shibboleth2.xml b/inst/apache_shib/files.inst/etc/shibboleth/shibboleth2.xml
new file mode 100644
index 0000000000000000000000000000000000000000..51778a16aae151d9318148732412d839828c3ac7
--- /dev/null
+++ b/inst/apache_shib/files.inst/etc/shibboleth/shibboleth2.xml
@@ -0,0 +1,128 @@
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+ xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ clockSkew="180">
+
+ <!--
+ By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+ are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+ -->
+
+ <!--
+ To customize behavior for specific resources on Apache, and to link vhosts or
+ resources to ApplicationOverride settings below, use web server options/commands.
+ See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
+
+ For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+ file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
+ -->
+
+ <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+ <ApplicationDefaults entityID="https://test-fod.geant.net/shibboleth"
+ homeURL="https://test-fod.geant.net/Shibboleth.sso/Session"
+ REMOTE_USER="uniqueID eppn persistent-id targeted-id"
+ metadataAttributePrefix="Meta-"
+ signing="back"
+ requireTransportAuth="false">
+
+ <!--
+ Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+ You MUST supply an effectively unique handlerURL value for each of your applications.
+ The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+ a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+ the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+ Note that while we default checkAddress to "false", this has a negative impact on the
+ security of your site. Stealing sessions via cookie theft is much easier with this disabled.
+ -->
+ <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+ checkAddress="false" handlerSSL="false" cookieProps="http">
+
+ <!--
+ Configures SSO for a default IdP. To allow for >1 IdP, remove
+ entityID property and adjust discoveryURL to point to discovery service.
+ (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+ You can also override entityID on /Login query string, or in RequestMap/htaccess.
+ -->
+ <SSO entityID="https://login.terena.org/wayf/saml2/idp/metadata.php"
+ discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
+ SAML2 SAML1
+ </SSO>
+
+ <!-- SAML and local-only logout. -->
+ <Logout>SAML2 Local</Logout>
+
+ <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+ <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+ <!-- Status reporting service. -->
+ <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+ <!-- Session diagnostic service. -->
+ <Handler type="Session" Location="/Session" showAttributeValues="true"/>
+
+ <!-- JSON feed of discovery information. -->
+ <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+ </Sessions>
+
+ <!--
+ Allows overriding of error template information/filenames. You can
+ also add attributes with values that can be plugged into the templates.
+ -->
+ <Errors supportContact="root@localhost"
+ helpLocation="/about.html"
+ styleSheet="/shibboleth-sp/main.css"/>
+
+ <!-- Example of remotely supplied batch of signed metadata. -->
+ <!--
+ <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
+ backingFilePath="federation-metadata.xml" reloadInterval="7200">
+ <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+ <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
+ <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
+ attributeName="http://macedir.org/entity-category"
+ attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+ attributeValue="http://refeds.org/category/hide-from-discovery" />
+ </MetadataProvider>
+ -->
+ <MetadataProvider type="XML" file="login-terena-org.xml"/>
+
+ <!-- Example of locally maintained metadata. -->
+ <!--
+ <MetadataProvider type="XML" file="partner-metadata.xml"/>
+ -->
+
+ <!-- Map to extract attributes from SAML assertions. -->
+ <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+ <!-- Use a SAML query if no attributes are supplied during SSO. -->
+ <AttributeResolver type="Query" subjectMatch="true"/>
+
+ <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+ <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+ <!-- Simple file-based resolver for using a single keypair. -->
+ <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+
+ <!--
+ The default settings can be overridden by creating ApplicationOverride elements (see
+ the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
+ Resource requests are mapped by web server commands, or the RequestMapper, to an
+ applicationId setting.
+
+ Example of a second application (for a second vhost) that has a different entityID.
+ Resources on the vhost would map to an applicationId of "admin":
+ -->
+ <!--
+ <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+ -->
+ </ApplicationDefaults>
+
+ <!-- Policies that determine how to process and authenticate runtime messages. -->
+ <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+ <!-- Low-level configuration about protocols and bindings available for use. -->
+ <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
diff --git a/inst/apache_shib/files.inst/srv/flowspy/flowspy/settings.py b/inst/apache_shib/files.inst/srv/flowspy/flowspy/settings.py
new file mode 100644
index 0000000000000000000000000000000000000000..813b7cc79782bba7c11e49f6ecee596a699ba40c
--- /dev/null
+++ b/inst/apache_shib/files.inst/srv/flowspy/flowspy/settings.py
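Review bot: `<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="false" cookieProps="http">` disables exactly what the comment above it warns about: the handlers accept plain HTTP and the session cookie is issued without the Secure flag, so a session for an `https://test-fod.geant.net` entityID can travel over cleartext. Unless this host is genuinely served over plain HTTP only, restore the defaults, `handlerSSL="true" cookieProps="https"`, and treat `checkAddress="false"` as a documented choice rather than a leftover. `discoveryURL="https://ds.example.org/DS/WAYF"` is the placeholder from the sample configuration (unused while `entityID` is set on `<SSO>`, but misleading), and `<Handler type="Session" Location="/Session" showAttributeValues="true"/>` exposes attribute values through /Shibboleth.sso/Session, which is a diagnostic setting rather than a production one. `supportContact="root@localhost"` in `<Errors>` is another sample value that will end up on user-facing error pages.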
@@ -0,0 +1,475 @@
+# -*- coding: utf-8 -*- vim:fileencoding=utf-8:
+# vim: tabstop=4:shiftwidth=4:softtabstop=4:expandtab
+# Django settings for flowspy project.
+# Copyright © 2011-2015 Greek Research and Technology Network (GRNET S.A.)
+# Copyright © 2011-2014 Leonidas Poulopoulos (@leopoul)
+# Copyright © 2014-2015 Stavros Kroustouris (@kroustou)
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# _uuid_generate_random was deprecated and removed in newer python
+import uuid
+uuid._uuid_generate_random = None
+try:
+ from uuid import _uuid_generate_random
+except ImportError:
+ _uuid_generate_random = None
+
+import os
+import djcelery
+djcelery.setup_loader()
+from celery.schedules import crontab
+
+DEBUG = True
+TEMPLATE_DEBUG = DEBUG
+
+ADMINS = (
+ ('AdminName', 'admin@example.com'),
+)
+MANAGERS = ADMINS
+here = lambda x: os.path.join(os.path.abspath(os.path.dirname(__file__)), x)
+BASE_DIR = os.path.dirname(os.path.dirname(__file__))
+
+# Hosts/domain names that are valid for this site; required if DEBUG is False
+ALLOWED_HOSTS = ['*']
+SITE_ID = 1
+
+# Place a sequence of random chars here
+SECRET_KEY = '@sa@5234#$%345345^@#$%*()123^@12!&!()$JMNDF#$@(@#8FRNJWX_'
+
+# Set up database
+
+DATABASES = {
+ 'default': {
+ 'ENGINE': 'django.db.backends.sqlite3', # Add 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
+ 'NAME': 'example-data',
+ 'USER': '',
+ 'PASSWORD': '',
+ 'HOST': '', # Set to empty string for localhost.
+ 'PORT': '', # Set to empty string for default.
+ }
+}
+
+# Local time zone for this installation. Choices can be found here:
+# http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
+# although not all choices may be available on all operating systems.
+# In a Windows environment this must be set to your system time zone.
+#TIME_ZONE = 'Europe/Athens'
+TIME_ZONE = 'UTC'
+
+# Language code for this installation. All choices can be found here:
+# http://www.i18nguy.com/unicode/language-identifiers.html
+LANGUAGE_CODE = 'en'
+
+# Language code for this installation. All choices can be found here:
+# http://www.i18nguy.com/unicode/language-identifiers.html
+_ = lambda s: s
+
+LANGUAGES = (
+ ('el', _('Greek')),
+ ('en', _('English')),
+)
+
+LOCALE_PATHS = (
+ os.path.join(os.path.dirname(os.path.dirname(os.path.abspath(__file__))), 'locale'),
+)
+
+# If you set this to False, Django will make some optimizations so as not
+# to load the internationalization machinery.
+USE_I18N = True
+
+# If you set this to False, Django will not format dates, numbers and
+# calendars according to the current locale.
+USE_L10N = True
+
+# If you set this to False, Django will not use timezone-aware datetimes.
+USE_TZ = True
+
+PROJECT_PATH = os.path.abspath(os.path.dirname(__file__))
+STATIC_ROOT = os.path.join(BASE_DIR)
+STATICFILES_DIRS = ( os.path.join(BASE_DIR, 'static'), )
+STATIC_URL = '/static/'
+STATICFILES_FINDERS = (
+ 'django.contrib.staticfiles.finders.FileSystemFinder',
+ 'django.contrib.staticfiles.finders.AppDirectoriesFinder',
+)
+
+# Templates
+TEMPLATE_DIRS = (
+ os.path.join(BASE_DIR, 'templates'),
+ os.path.join('/srv/venv/django/contrib/admin/templates/'),
+)
+
+TEMPLATE_LOADERS = (
+ 'django.template.loaders.filesystem.Loader',
+ 'django.template.loaders.app_directories.Loader',
+)
+
+TEMPLATE_CONTEXT_PROCESSORS = (
+ "django.contrib.auth.context_processors.auth",
+ "django.core.context_processors.debug",
+ "django.core.context_processors.i18n",
+ "django.core.context_processors.media",
+ "django.core.context_processors.static",
+ "django.contrib.messages.context_processors.messages",
+ "context.global_vars.settings_vars",
+)
+
+MIDDLEWARE_CLASSES = (
+ 'django.middleware.cache.UpdateCacheMiddleware',
+ 'django.middleware.common.CommonMiddleware',
+ 'django.contrib.sessions.middleware.SessionMiddleware',
+ 'django.middleware.locale.LocaleMiddleware',
+ 'django.middleware.csrf.CsrfViewMiddleware',
+ 'django.contrib.auth.middleware.AuthenticationMiddleware',
+ 'django.contrib.messages.middleware.MessageMiddleware',
+ 'django.middleware.cache.FetchFromCacheMiddleware',
+ 'django.contrib.flatpages.middleware.FlatpageFallbackMiddleware',
+)
+
+ROOT_URLCONF = 'flowspy.urls'
+WSGI_APPLICATION = 'flowspy.wsgi.application'
+
+AUTHENTICATION_BACKENDS = (
+ 'djangobackends.shibauthBackend.shibauthBackend',
+ 'django.contrib.auth.backends.ModelBackend',
+)
+
+INSTALLED_APPS = (
+ 'longerusername',
+ 'django.contrib.auth',
+ 'django.contrib.contenttypes',
+ 'django.contrib.sessions',
+ 'django.contrib.sites',
+ 'django.contrib.flatpages',
+ 'django.contrib.messages',
+ 'django.contrib.staticfiles',
+ 'flowspec',
+ 'poller',
+ 'south',
+ 'django.contrib.admin',
+ 'djcelery',
+ 'peers',
+ 'registration',
+ 'accounts',
+ 'tinymce',
+ 'widget_tweaks',
+ 'rest_framework',
+ 'rest_framework.authtoken',
+)
+
+#GRAPHS_API_URL = 'graphs'
+GRAPHS_API_URL = 'http://127.0.0.1:8080/api/routes/'
+
+# A sample logging configuration. The only tangible logging
+# performed by this configuration is to send an email to
+# the site admins on every HTTP 500 error when DEBUG=False.
+# See http://docs.djangoproject.com/en/dev/topics/logging for
+# more details on how to customize your logging configuration.
+LOGGING = {
+ 'version': 1,
+ 'disable_existing_loggers': False,
+ 'handlers': {
+ 'file': {
+ 'level': 'DEBUG',
+ 'class': 'logging.FileHandler',
+ 'filename': 'debug.log',
+ },
+ },
+ 'loggers': {
+ 'django': {
+ 'handlers': ['file'],
+ 'level': 'DEBUG',
+ 'propagate': True,
+ },
+ },
+}
+
+LOGIN_URL = '/welcome'
+
+# CACHES = {
+# 'default': {
+# 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
+# 'LOCATION': '127.0.0.1:11211',
+# }
+# }
+CACHES = {
+ 'default': {
+ 'BACKEND': 'django.core.cache.backends.dummy.DummyCache',
+ }
+}
+
+AUTH_PROFILE_MODULE = 'accounts.UserProfile'
+
+# Netconf Device credentials
+# The following variables should contain the address of the device with
+# flowspec, the username and password of the appliers account and the netconf
+# port.
+NETCONF_DEVICE = ""
+NETCONF_USER = ""
+NETCONF_PASS = ""
+NETCONF_PORT = 830
+
+# The filter applied in the device in order to find the flowspec routes
+ROUTES_FILTER = "<configuration><routing-options><flow/></routing-options></configuration>"
+ROUTE_FILTER = "<configuration><routing-options><flow><route><name>%s</name></route></flow></routing-options></configuration>"
+COMMIT_CONFIRMED_TIMEOUT = "120"
+
+# Change the following values only if you know what you are doing!!!
+# To integrate FoD with tables (Peer, Networks, Contacts)
+# from your CRM platform, set the following values to False and create the views that are
+# exact matches of the tables in peers/models.py
+PEER_MANAGED_TABLE = True
+PEER_RANGE_MANAGED_TABLE = True
+PEER_TECHC_MANAGED_TABLE = True
+
+# Actually apply the rules
+COMMIT = True
+
+# Flowspy configuration
+#EXPIRATION_DAYS_OFFSET = 7
+EXPIRATION_DAYS_OFFSET = 30
+
+USE_X_FORWARDED_HOST = True
+
+# Beanstalk configuration (as a broker for celery)
+BROKER_HOST = "localhost"
+BROKER_PORT = 11300
+POLLS_TUBE = 'polls'
+BROKER_URL = "beanstalk://localhost:11300//"
+BROKER_VHOST = "/"
+CELERY_CONCURRENCY = 1
+POLL_SESSION_UPDATE = 60.0
+
+CELERYBEAT_SCHEDULE = {
+ "every-day-sync": {
+ "task": "flowspec.tasks.check_sync",
+ "schedule": crontab(minute=01, hour=01),
+ "args": (),
+ },
+ "notify-expired": {
+ "task": "flowspec.tasks.notify_expired",
+ "schedule": crontab(minute=01, hour=02),
+ "args": (),
+ },
+ "snmp-stats-poll": {
+ "task": "flowspec.tasks.poll_snmp_statistics",
+ "schedule": crontab(minute="*/5"),
+ "args": (),
+ },
+}
+
+# List of modules to import when celery starts.
+CELERY_IMPORTS = ("flowspec.tasks", )
+
+# Notifications
+SERVER_EMAIL = "Example FoD Service <noreply@example.com>"
+EMAIL_SUBJECT_PREFIX = "[FoD] "
+EXPIRATION_NOTIFY_DAYS = 4
+# max number of days into the future that is allowed to pick in rule expiration datepicker
+MAX_RULE_EXPIRE_DAYS = 30
+PREFIX_LENGTH = 29
+POLL_SESSION_UPDATE = 60.0
+
+# Shibboleth
+#SHIB_AUTH_ENTITLEMENT = 'urn:mace:example.com:pki:user'
+SHIB_AUTH_ENTITLEMENT = ''
+SHIB_ADMIN_DOMAIN = 'example.com'
+SHIB_LOGOUT_URL = 'https://example.com/Shibboleth.sso/Logout'
+
+##############################################################################
+# Shibboleth attribute map
+
+# general info on these shibboleth attribute definitions:
+# *_DISPLAY_NAME and *_ADDINFO should give edugain-global names and definitions and so match definitions in /etc/shibboleth/attribute-map.xml
+# as values of the * variables (SHIB_ENTITLEMENT, SHIB_USERNAME, SHIB_MAIL, SHIB_FIRSTNAME, SHIB_LASTNAME) are in principle only host-config-local keys
+#
+# values of *_DISPLAY* are shown in edugain/login-related error messages for users;
+# instead, the values of * variables (e.g. SHIB_ENTITLEMENT, ...) are of no use for users and just confusing!
+#
+# specifically:
+# *_DISPLAY_NAME should be a single string fully identifying the required attribute in an human-readable fashion
+# *_DISPLAY_ADDINFO should be a string and should correspondingly contain descriptions for each array element of the value of the * variable
+
+# e.g. for SHIB_ENTITLEMENT = "HTTP_ENTITLEMENT" =>
+#
+# key in /etc/shibboleth/attribute-map.xml is "entitlement":
+# <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+# <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"-->
+
+#SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT'] # value in settings.py.dist
+SHIB_ENTITLEMENT = ['HTTP_ENTITLEMENT']
+SHIB_ENTITLEMENT_DISPLAY_NAME = "eduPersonEntitlement"
+SHIB_ENTITLEMENT_DISPLAY_ADDINFO = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7; the value of this attribute also has to include 'urn:mace:example.com:pki:user'"
+#SHIB_ENTITLEMENT_DISPLAY_ADDINFO = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
+
+# (";"-separated) part of value of attribute with key SHIB_ENTITLEMENT needed in order to be considered a valid user:
+# if SHIB_AUTH_ENTITLEMENT is empty no constraint on SHIB_ENTITLEMENT attribute value is enforced (can even be missing)
+#SHIB_AUTH_ENTITLEMENT = 'urn:mace:example.com:pki:user'
+SHIB_AUTH_ENTITLEMENT = '' # is also in settings_local.py so override it there
+
+#SHIB_USERNAME = ['HTTP_EPPN'] # in settings.py.dist # originally used for SHIB_USERNAME
+#SHIB_USERNAME_DISPLAY_NAME = "eduPersonPrincipalName"
+#SHIB_USERNAME_DISPLAY_ADDINFO = "urn:mace:dir:attribute-def:eduPersonPrincipalName or urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+#SHIB_USERNAME = ['HTTP_PERSISTENT_ID']
+SHIB_USERNAME = ['HTTP_PERSISTENT_ID', 'HTTP_PRINCIPALNAME']
+#SHIB_USERNAME = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']
+SHIB_USERNAME_DISPLAY_NAME = "PERSISTENT_ID"
+SHIB_USERNAME_DISPLAY_ADDINFO = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
+
+#SHIB_SLUGIFY_USERNAME = False # value in settings.py.dist
+SHIB_SLUGIFY_USERNAME = True
+
+SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']
+SHIB_MAIL_DISPLAY_NAME = "MAIL"
+SHIB_MAIL_DISPLAY_ADDINFO = "urn:mace:dir:attribute-def:mail or urn:oid:0.9.2342.19200300.100.1.3 or SHIB_INETORGPERSON_MAIL"
+
+# both optional:
+SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME'] # value in settings.py.dist
+#SHIB_FIRSTNAME = ['HTTP_GIVENNAME']
+SHIB_FIRSTNAME_DISPLAY_NAME = "GIVENNAME"
+SHIB_FIRSTNAME_DISPLAY_ADDINFO = "urn:mace:dir:attribute-def:givenName or urn:oid:2.5.4.42"
+
+SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME'] # value in settings.py.dist
+#SHIB_LASTNAME = ['HTTP_SURNAME']
+SHIB_LASTNAME_DISPLAY_NAME = "SURNAME"
+SHIB_LASTNAME_DISPLAY_ADDINFO = "urn:mace:dir:attribute-def:sn or urn:oid:2.5.4.4"
+
+##############################################################################
+
+# BCC mail addresses
+NOTIFY_ADMIN_MAILS = ["admin@example.com"]
+
+# Then actions in the ui (dropdown)
+UI_USER_THEN_ACTIONS = ['discard', 'rate-limit']
+UI_USER_PROTOCOLS = ['icmp', 'tcp', 'udp']
+ACCOUNT_ACTIVATION_DAYS = 7
+
+# Define subnets that should not have any rules applied whatsoever
+PROTECTED_SUBNETS = ['10.10.0.0/16']
+
+# Add two whois servers in order to be able to get all the subnets for an AS.
+PRIMARY_WHOIS = 'whois.example.com'
+ALTERNATE_WHOIS = 'whois.example.net'
+
+TINYMCE_JS_URL = STATIC_URL + 'js/tinymce/tiny_mce.js'
+
+TINYMCE_DEFAULT_CONFIG = {
+ 'extended_valid_elements': 'iframe[src|width|height|name|align]',
+ 'plugins': "table,spellchecker,paste,searchreplace",
+ 'theme': "advanced",
+}
+
+import _version
+SW_VERSION = _version.VERSION
+
+LOG_FILE_LOCATION = "/var/log/fod"
+
+
+BRANDING = {
+ 'name': 'Example',
+ 'url': 'https://example.com',
+ 'footer_iframe': 'https://example.com/iframe',
+ 'facebook': '//facebook.com/',
+ 'twitter': '//twitter.com/',
+ 'phone': '800-example-com',
+ 'email': 'helpdesk@example.com',
+ 'logo': 'fodlogo2.png',
+ 'favicon': 'favicon.ico',
+}
+
+
+# Django Rest Framework configuration.
+# You should leave this intact.
+REST_FRAMEWORK = {
+ 'DEFAULT_AUTHENTICATION_CLASSES': (
+ 'rest_framework.authentication.TokenAuthentication',
+ ),
+ 'DEFAULT_RENDERER_CLASSES': (
+ 'rest_framework.renderers.JSONRenderer',
+ ),
+ 'DEFAULT_PERMISSION_CLASSES': [
+ 'rest_framework.permissions.DjangoModelPermissions',
+ 'rest_framework.permissions.IsAuthenticated'
+ ]
+}
+
+# Limit of ports in 'ports' / 'SrcPorts' / 'DstPorts' of a rule:
+#PORTRANGE_LIMIT = 100
+PORTRANGE_LIMIT = 65535
+
+# Statistics polled via SNMP:
+# Default community string
+SNMP_COMMUNITY = "abcd"
+
+# list of IP addresses, each IP is a dict with "ip", "port" (optional, default
+# is 161), "community" (optional, default is SNMP_COMMUNITY) keys
+SNMP_IP = [
+ {"ip": "192.168.0.1", "port": 1000},
+ {"ip": "192.168.0.2", "port": 1001, "community": "abcdef"},
+ {"ip": "192.168.0.3", "port": 1002},
+ {"ip": "192.168.0.4", "port": 1002}
+]
+
+# or simpler way of IP list:
+# SNMP_IP = ["10.0.0.1", "10.0.0.2"]
+
+# OID of bytes counter (currently unused)
+SNMP_CNTBYTES = "1.3.6.1.4.1.2636.3.5.2.1.5"
+# OID of packet counter
+SNMP_CNTPACKETS = "1.3.6.1.4.1.2636.3.5.2.1.4"
+
+# get only statistics of specified tables
+SNMP_RULESFILTER = ["__flowspec_default_inet__", "__flowspec_IAS_inet__"]
+# load new data into cache if it is older that a specified number of seconds
+SNMP_POLL_INTERVAL = 8 #seconds
+# cache file for data
+SNMP_TEMP_FILE = "/tmp/snmp_temp_data"
+SNMP_POLL_LOCK = "/var/run/fod/snmppoll.lock"
+
+# Number of historical values to store for a route.
+# Polling interval must be set for "snmp-stats-poll" celery task in CELERYBEAT_SCHEDULE.
+# By default, it is 5 min interval, so SNMP_MAX_SAMPLECOUNT=12 means we have about
+# one hour history.
+SNMP_MAX_SAMPLECOUNT = 12 + +# Age of inactive routes that can be already removed (in seconds) +SNMP_REMOVE_RULES_AFTER = 3600 + +############################################################################## +############################################################################## + +# REST API config (v1.6 only) + +DISABLE_RULE_OVERLAP_CHECK = False + +ALLOW_DELETE_FULL_FOR_NONADMIN = False + +MAIL_NOTIFICATION_TO_ALL_MATCHING_PEERS = True + +# statistics calc + +STATISTICS_PER_MATCHACTION_ADD_FINAL_ZERO = False # not necessary if STATISTICS_PER_RULE==True +STATISTICS_PER_RULE = True + +STATISTICS_PER_RULE__ADD_INITIAL_ZERO = True + +# + +DISABLE_EMAIL_NOTIFICATION = True + +############################################################################## +############################################################################## +