net-ops/zoomproxy-sto1-prod-1.sunet.se/overlay/etc/hiera/data/local.yaml


2025-01-30 14:40:00 +01:00
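---
# Where each plugin document in this file is written on the host.
# Every key here is expected to match a top-level key further down
# (presumably consumed by the satosa puppet class — confirm there).
satosa_config:
  saml2_backend: "/etc/satosa/plugins/saml2_backend.yaml"
  saml2_frontend: "/etc/satosa/plugins/saml2_frontend.yaml"
  generated_attributes: "/etc/satosa/plugins/generated_attributes.yaml"
  internal_attributes: "/etc/satosa/internal_attributes.yaml"
  attribute_authorization: "/etc/satosa/plugins/attribute_authorization.yaml"
  attribute_filter: "/etc/satosa/plugins/attribute_filter.yaml"
  healthcheck: "/etc/satosa/plugins/healthcheck.yaml"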
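# Micro-service: derive schacHomeOrganization from the scope part of
# eduPersonPrincipalName. default/default = any requester, any issuer.
generated_attributes:
  module: satosa.micro_services.attribute_generation.AddSyntheticAttributes
  plugin: AddSyntheticAttributes
  name: AddSyntheticAttributes
  config:
    synthetic_attributes:
      default:
        default:
          # Template is evaluated by SATOSA, not by hiera — keep it quoted so
          # the leading "{{" is never read as a YAML flow mapping.
          schachomeorganization: "{{edupersonprincipalname.scope}}"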
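# Micro-service: only users with a member or employee affiliation scoped to
# sunet.se are allowed through (default/default = any requester, any issuer).
attribute_authorization:
  module: satosa.micro_services.attribute_authorization.AttributeAuthorization
  plugin: AttributeAuthorization
  name: AttributeAuthorization
  config:
    # With this set, a user whose edupersonscopedaffiliation is absent is
    # denied rather than passed through (per the SATOSA option semantics —
    # confirm against the installed version).
    force_attributes_presence_on_allow: true
    attribute_allow:
      default:
        default:
          edupersonscopedaffiliation:
            # NOTE(review): the "." is unescaped and matches any character.
            # A stricter form is '^(member|employee)@sunet\.se$' — single
            # quotes, because "\." is not a valid escape in double-quoted YAML.
            - "^(member|employee)@sunet.se$"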
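# Micro-service: keep only affiliation values starting with member@, employee@
# or student@. Runs after attribute_authorization (see MICRO_SERVICES order),
# which has already required at least one sunet.se member/employee value.
# NOTE(review): this regex is not anchored to a scope, so matching values
# from other scopes asserted by the IdP are passed through — confirm intended.
attribute_filter:
  module: satosa.micro_services.attribute_modifications.FilterAttributeValues
  name: AttributeFilter
  config:
    attribute_filters:
      default:
        default:
          edupersonscopedaffiliation: "^(member|employee|student)@"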
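# SATOSA internal attribute names (lowercase) mapped to the external names per
# attribute profile. Only attributes listed here are carried between backend
# and frontend; profiles without an adfs entry are saml-only.
internal_attributes:
  attributes:
    displayname:
      saml: [displayName]
      adfs: [displayName]
    commonname:
      saml: [cn]
      # Maps to displayName on the adfs side, not cn — presumably deliberate;
      # confirm if an adfs backend is ever configured on this host.
      adfs: [displayName]
    givenname:
      saml: [givenName]
      adfs: [givenName]
    surname:
      saml: [sn]
      adfs: [sn]
    mail:
      saml: [mail]
      adfs: [mail]
    edupersonprincipalname:
      saml: [eduPersonPrincipalName]
      adfs: [eduPersonPrincipalName]
    edupersonscopedaffiliation:
      saml: [eduPersonScopedAffiliation]
      adfs: [eduPersonScopedAffiliation]
    # National identity number — personal data; see the LOGGING note in
    # satosa_proxy_conf about DEBUG-level logging.
    noredupersonnin:
      saml: [norEduPersonNIN]
      adfs: [norEduPersonNIN]
    edupersonentitlement:
      saml: [eduPersonEntitlement]
      adfs: [eduPersonEntitlement]
    schachomeorganization:
      saml: [schacHomeOrganization]
    schachomeorganizationtype:
      saml: [schacHomeOrganizationType]
    organizationname:
      saml: [ou]
    noreduorgacronym:
      saml: [norEduOrgAcronym]
    countryname:
      saml: [c]
    friendlycountryname:
      saml: [co]
    edupersontargetedid:
      saml: [eduPersonTargetedID]
  # Internal attribute used as the user identifier by SATOSA.
  user_id_to_attr: edupersontargetedid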
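# Micro-service from the SWAMID plugin package; exposes a health endpoint
# (behaviour defined by the swamid_plugins module, not by this file).
healthcheck:
  module: swamid_plugins.healthcheck.HealthCheck
  name: HealthCheck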
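# Main SATOSA proxy configuration. Plugin paths are relative to the SATOSA
# working directory (cf. the absolute targets in satosa_config).
# NOTE(review): no STATE_ENCRYPTION_KEY or cookie settings appear here —
# presumably merged in from a separate (secret) hiera source; confirm.
satosa_proxy_conf:
  BASE: https://zoom-saas-idp-proxy.sunet.se
  INTERNAL_ATTRIBUTES: "internal_attributes.yaml"
  BACKEND_MODULES:
    - "plugins/saml2_backend.yaml"
  FRONTEND_MODULES:
    - "plugins/saml2_frontend.yaml"
  # Order matters: authorization runs before the value filter.
  MICRO_SERVICES:
    - "plugins/generated_attributes.yaml"
    - "plugins/attribute_authorization.yaml"
    - "plugins/attribute_filter.yaml"
    - "plugins/healthcheck.yaml"
  # Python logging dictConfig.
  # NOTE(review): both the satosa and saml2 loggers are at DEBUG on stdout;
  # at that level attribute values (this proxy carries norEduPersonNIN) may
  # be written to the logs — confirm log handling/retention, or lower to
  # INFO for production.
  LOGGING:
    version: 1
    formatters:
      default:
        format: "%(asctime)s [%(process)d] [%(levelname)s] %(message)s"
    handlers:
      console:
        class: logging.StreamHandler
        level: DEBUG
        formatter: default
        stream: ext://sys.stdout
    loggers:
      satosa:
        level: DEBUG
        handlers: [console]
      saml2:
        level: DEBUG
        handlers: [console]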
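# SAML2 backend: this proxy acts as an SP towards SWAMID IdPs (metadata via
# MDQ). The pysaml2 SP configuration lives under config.sp_config.
saml2_backend:
  config:
    sp_config:
      organization:
        display_name: SUNET Zoom
        name: SUNET Zoom
        url: 'https://sunet.se'
      contact_person:
        - contact_type: technical
          email_address: noc@sunet.se
          given_name: Technical
        - contact_type: support
          email_address: noc@sunet.se
          given_name: Support
      # Signing keypair; the same pair is also used for decryption below.
      key_file: backend.key
      cert_file: backend.crt
      encryption_keypairs:
        - key_file: backend.key
          cert_file: backend.crt
      # Attributes not present in attribute_map_dir are kept, not dropped.
      allow_unknown_attributes: true
      metadata:
        mdq:
          - url: https://mds.swamid.se
            # Signing certificate the fetched MDQ metadata is verified against.
            cert: "/etc/satosa/md-signer2.crt"
      entityid: https://zoom-saas-idp-proxy.sunet.se/sp
      service:
        sp:
          name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
          # Accepts IdP-initiated responses that answer no outstanding
          # AuthnRequest from this SP — confirm this is required for the
          # Zoom flow; otherwise false is the tighter setting.
          allow_unsolicited: true
          endpoints:
            # <base_url> and <name> are substituted by SATOSA.
            assertion_consumer_service:
              - [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
              # NOTE(review): HTTP-Redirect is not a binding used for SAML
              # Responses; this entry is only advertised in metadata and is
              # likely unused — consider dropping it.
              - [<base_url>/<name>/acs/redirect, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
            discovery_response:
              - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
          # Neither the Response nor the Assertion alone is required to be
          # signed, but at least one of them must be.
          want_response_signed: false
          want_assertions_signed: false
          want_assertions_or_response_signed: true
      xmlsec_binary: /usr/bin/xmlsec1
      attribute_map_dir: attributemaps
    # SATOSA-level backend settings (siblings of sp_config).
    disco_srv: https://service.seamlessaccess.org/ds
    attribute_profile: saml
  module: satosa.backends.saml2.SAMLBackend
  name: Saml2SP
  plugin: BackendModulePlugin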
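# SAML2 frontend: this proxy acts as an IdP towards Zoom. Only the SP(s) in
# the local metadata file are served; the pysaml2 IdP configuration lives
# under config.idp_config.
saml2_frontend:
  config:
    # Attributes never released to any SP (default/default = any SP, any IdP).
    custom_attribute_release:
      default:
        default:
          exclude: ["eduPersonTargetedID", "eduPersonAffiliation"]
    idp_config:
      organization:
        display_name: SWAMID
        name: SWAMID
        url: 'https://sunet.se'
      contact_person:
        - contact_type: technical
          email_address: noc@sunet.se
          given_name: Technical
        - contact_type: support
          email_address: noc@sunet.se
          given_name: Support
      key_file: frontend.key
      cert_file: frontend.crt
      metadata:
        local: [metadata/zoom.xml]
      entityid: https://zoom-saas-idp-proxy.sunet.se/idp
      # Clock-skew tolerance in seconds when validating timestamps.
      accepted_time_diff: 300
      service:
        idp:
          endpoints:
            # Left empty here; the SSO bindings are given in `endpoints`
            # below and filled in by SATOSA (confirm).
            single_sign_on_service: []
          name: SWAMID
          name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
          policy:
            default:
              # No pysaml2-level attribute restriction; release is governed by
              # custom_attribute_release above and the micro-services.
              attribute_restrictions: null
              fail_on_missing_requested: false
              # Assertion validity.
              lifetime: {minutes: 15}
              name_form: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
          # AuthnRequests from the SP need not be signed; the SP is still
          # only accepted if present in the local metadata.
          want_authn_requests_signed: false
      xmlsec_binary: /usr/bin/xmlsec1
    # SATOSA-level frontend settings (siblings of idp_config).
    endpoints:
      single_sign_on_service:
        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post
        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect
    attribute_profile: saml
  module: satosa.frontends.saml2.SAMLFrontend
  plugin: FrontendModulePlugin
  name: Saml2IDP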