Add satosa config and secrets

2025-05-06 14:43:37 +02:00 · 2025-05-06 14:43:37 +02:00 · 0c68862d6e
commit 0c68862d6e
parent b4ef704512
2 changed files with 205 additions and 0 deletions
--- a/netbird-test-satosa-1-sto1.sunet.se/overlay/etc/hiera/data/local.eyaml
+++ b/netbird-test-satosa-1-sto1.sunet.se/overlay/etc/hiera/data/local.eyaml
@ -0,0 +1,36 @@
+---
+satosa_state_encryption_key: ENC[PKCS7,MIIDBwYJKoZIhvcNAQcDoIIC+DCCAvQCAQAxggKPMIICiwIBADBzMFsxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxLDAqBgNVBAMMI25ldGJpcmQtdGVzdC1zYXRvc2EtMS1zdG8xLnN1bmV0LnNlAhQx3yW1x7IQotol8YzjdOxf+7/GcjANBgkqhkiG9w0BAQEFAASCAgBfnxfa8FunipkHTiocb61byqAiLWBubxgakFz8Axiq3zNWIWqAhKRbHzH/Oe9kInAVy4sgbOsKP7DlcB5UQ9a6Rc0YAD0T+7nKKUNCZb+O0W+uaI9SKMFj5/m2AAziMn2XDz8N334s6gda3rit34UBhnM6mblwHXsSV6Oc2OZmU4sTk3NcXKYn4RnzA9SXTvV5TRNJkN287zxC+EvfUQgA0U9InNCfF5OxuSCilZF6FV/jbhWt9fEUroi2Tprq9tmwkDj2tL/JLKRkaSfhvLYlDPEEpzpnbhYRey0I1cSnkzlbad4g3RDa0WuIptzJtWXMwVDVVu/8K7pUEl7Gc/zY3t45PomSVurpzIsKx3S7SOwx7L7hrJQxvvPf9ux5secWov9x3cYYZ7tiToXhFHsPNojXtcxiMhWLBA2c+aQCCPzoL9cBmqQ3xZHh3K5lvjnCyPHMTnwiNCQ0ZqDwEXtI26U4jaLbmrb/PmZaarTubBsdrU9m66QwRQUPnH4phmzwHYv3mWsq2G//ViAah//L+aQGYMekgbz1J0fnxuLOiIV2kWtO2mU60aJ9nVo9D4AnFHpEOg/a9VsOiy8TH2FBc+GTZL0GSR3HAbvQNqTKqqQhSjprYIyrDR2pnwCOe5+9f3CTIwvRqEHwRwJ2NI2IPPmrXcLhNap7iCTKWzMnQTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCYXNiYmCytegCBG1Ly3zG7gDBZrs4ibUx6xh+2DLdlXFRC2RCifOBKsC6idOYosUlIQ0+/QyWphH4LcZxpd2Dw+fY=]
+satosa_user_id_hash_salt: ENC[PKCS7,MIIDBwYJKoZIhvcNAQcDoIIC+DCCAvQCAQAxggKPMIICiwIBADBzMFsxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxLDAqBgNVBAMMI25ldGJpcmQtdGVzdC1zYXRvc2EtMS1zdG8xLnN1bmV0LnNlAhQx3yW1x7IQotol8YzjdOxf+7/GcjANBgkqhkiG9w0BAQEFAASCAgCq3OLjYaDbLoujsteIn94iUy32gWt8lJh5oQKFtHJKEtLdhEHhsXiSGFYi2bfDXTWypgH8g/oQBnCGPY3lWHJxLzkyCoqfML2n1aDKLJEU/xAbdKd1PuW8cW9IwcfUhw6gHnqTXit1+4WxPfLU8yHPj7Ge530v8hLBuXJLXvOt10uJm8SCgA56D0kBclSeV6INnyRWHPf88gwzE+om4R4GDyABf/cMrc0ycXteBSjIK9vuor34Vov/NKxpLxXCZJc71qd32WZvvGyLx5nhXqN63lzWdi8afPl1hIjid3ljGcX//fzHvZ7R5PEK106RCaQx3OuhF64pb9kooWbepZVN0eMAYO4fCp9r/Sd6N6qGxfc8D2yxyz8QWN85nA72jZbnFh1/v1YvUO63UzyXgm1CBeAKUmqFbPJ75m1c7klqe8M8EXFsZqPfnNzDY90tcOUkB1aHL9EP0cmNPVwcgWSrDyW7j/EjwkIP0XaIsMYX+AR/L3Cmk5kaawbhg8fclpNggAnM03mm8DzKu2pDE1NokDkmyq0PFXA76NMYBDkGCcHCm9XsUO/kJPPLFWEycURuk4Uo52qCXAFKMsgD0ppQ+RoHNIORllNxUHXt1jq4k3HOxdSx+4itEY3RDYyjTfgdBtZ7JzO6mRuZ9BQQTfjAdfl/Mkr0JwDmlaA0htYvODBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAWb66crB85/mSJps9D7oxFgDCU3nAlbnlQg9NcuAzb/ORuzyGwL8gJf/WAy+2EtPkwbgvgYsKIbZK6hcvOOK5LBsA=]
+
+cdb:
+  netbird:
+    response_types:
+      - code
+      - id_token
+    client_id: ENC[PKCS7,MIIC9wYJKoZIhvcNAQcDoIIC6DCCAuQCAQAxggKPMIICiwIBADBzMFsxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxLDAqBgNVBAMMI25ldGJpcmQtdGVzdC1zYXRvc2EtMS1zdG8xLnN1bmV0LnNlAhQx3yW1x7IQotol8YzjdOxf+7/GcjANBgkqhkiG9w0BAQEFAASCAgBgYV7O5CHjx8oQadfLW58vTpxzY/z25BamUqfA/mnV8QoAVt/2h66AlZH81naEOB2dJa1vTO3GJMD+x0nawEf4jV14JJuCB1JX1UMLgHrcFq6deMK0rzBv4UPWGMlGU53gbG9RRSVaQXZA0+QuUvCh6bee7t8wMswBJnpUpv/MK3AvP5HGXMzKqAkyjUQ48I9H784CtKHZH26YeijnKlEAxXC8NeUTUKCJvUkdbp9uPfb45jjtuMexq+BfeZ5wg7jJbZTxztZ1H5NhfRsX/iLUwsBKl/+ECSEfOL3W1RSvWz6eih2hFQrH2UOq7ScPAEIPAmTLSrxYb6gJYnrwBxpxiutYgnLRIxzhjzy9+5tY/rlzKSOAGzObiLTjcgJOGYHb97F8SCc48qx5dlbtmQ+4cyXC4jwxnPnVmi3Snff5GMiHuB3ishb3820+W6w6I3mcvOHSAcTYbp/4ge23+Of0s00+rKlYk1+wmpUoprdprG/jCopQ0q2m8c7rSff8lvYhtnpiu52aMvVFPJjSEg/UibaUbFlA1jYzDyHdZyo+AY7hBylVbiqDxsUVZ46gLEV3IJ5mTqmXCrej0cR6Q/tLx+xG0rbayIsvcyr0suKINc+hquA05Ntjr/G+Hwuo8XN3cJnDuB5Ac/XjrC+8ZrYU7yZbmVtCsqtDjC3Tx28wBjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBrbcJ5oBwXmswRf3SbA4cEgCCJkwgwHFwkP4fdxS5G4A7rVr5A7TdHPicgcwBJKj6hfg==]
+    client_secret: ENC[PKCS7,MIIDBwYJKoZIhvcNAQcDoIIC+DCCAvQCAQAxggKPMIICiwIBADBzMFsxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxLDAqBgNVBAMMI25ldGJpcmQtdGVzdC1zYXRvc2EtMS1zdG8xLnN1bmV0LnNlAhQx3yW1x7IQotol8YzjdOxf+7/GcjANBgkqhkiG9w0BAQEFAASCAgBmIo/a19vOF9STcjNVe+U/eSEWkBk6JF+AXM+w+FukGLGddteQsj8Z958/KgP2DiA4R8mga+nW01VY6Q1T9KWg16m1FusahLf9UB0muOvwpIT0vDQv0i42ieujAWhuCQ7ShInwnDCuvTqnr1NCPaOoH7TH8uj0+WQj5wzqi7KYYlyJ+oBa5T0t+sTFAf+deZfCCNjqEoJYvSoB7WM5YEQi/AV8MwzCirGoxFt6S6yGSIQ2PI9oHB8gtrbXeR8Wk4rWUOVRe4aiRlSs3kQmL+St3hx3uOxgezu/wc2DzUYKmmV7RWt5wBKNgmSSUp1gTlvXfRrt06R8MsTTL/L0WtOiSGbbYqLRYniunbOByiHwvtMp4HcQHDHqolKjXMYQQFpgB995/zSDNB9H4mcAzJI9BLTLflX6topPwa/2v/+OfZ0OpNcGyrj6bhNOV93ukWbAPP1qpCf3zbtDZh5Sz2NCLKVIFNbajizag6IMtXPN/95xoELmGzPDW3CraB/fCGufujelkshq2xgOZTry/cqqt/Dth24WcKDrB6Lpej8GYu4D/9pWmONIXYVZYO2MecLEJdi3eDkBU++Rl69pJQULWRLCwMxXr4nv2cRFwWGVQgQMSFgq2QWS6a/on2lX1fLObdjOef2iojMa/LAvqFVQ85BEkN0v9c7Ip77je44z6zBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAqR4dhldL7OBvZsBcFmwQ+gDD6FyFt5m206gGvwhdWUGXajBxk6DJXsv0NUyq7xxKn5mWZIsjrNWpf3nzd38155pQ=]
+    claims_supported:
+      - id_token
+    redirect_uris:
+      - 'https://netbird-test.sunet.se/auth'
+    allowed_scope_values:
+      - profile
+      - email
+            
+oidc_frontend:
+  name: oidc-front
+  config:
+     db_uri: ENC[PKCS7,MIIDJwYJKoZIhvcNAQcDoIIDGDCCAxQCAQAxggKPMIICiwIBADBzMFsxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxLDAqBgNVBAMMI25ldGJpcmQtdGVzdC1zYXRvc2EtMS1zdG8xLnN1bmV0LnNlAhQx3yW1x7IQotol8YzjdOxf+7/GcjANBgkqhkiG9w0BAQEFAASCAgA3jBEDUIlLSy0Fy2f7g96brBVLS0vhqtwbbwiotdBOVBzbVMhBm/iejM1xvmYvF7oqKjMScVDcw2TnYfKoIsIBmk/2aJOBpS01OCmSKtrfyymugskBRI+Acn7hpKmBuT8n3bPP4G42ZndMbnYbPXGVt9DStzkG7tMtRZzKKI9vsJj3Fc5hoJN6uT+EejxZGQ70WojBd9IbKsxY4D8nbgVfuFjYy1ddJzX1EivZRKtZmi7j2rb2Q6tUoExZhc+We3i6mNg0xmI2myRRAnCXnC6vIQaSLvh0i4VTBxZRru6JnFbMT3ezTnhPYUnZdJNEaRuiWCo4WZI4klWG51OEBD7LyqnFJBqNk+bsGWHTI4LL3n17k9uvPyocP1OjyBOb5NCyC+ZchcOZxwltkxRzfjqoNyxJLxc6tNIWZue8KYfXGdVNSdbv87Bx1O5f3UpHcsjHoneawVwVK6k4aXQu0+TwfsIaTgEMz7qGci/z8z3ThW/SpgcKIv3lXwdLlmUiWaG29xiQnC6kjaupLw/1viZvzskllVE1ShW8qIfIK8oRZkNWBaQey45MYKUs0DWSxkyTtIGwxnmplga3nrEAUZF+72A98iRLkuHBCNBkTDNg6/UGMPXI85q37PsFtyTkAOrXcR266HP6uuBBQVFRnVjmvfHp61cbohzJ4hekeoPxijB8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBJg+fCqhgA+czBGMC/XzIDgFBEr4wlxoBHQr2R8vqqUazzrfge4IowSi14J7ZZwhVQDn8ZjxPysm9DxPDvBhCaaK/VEiusRJiYFqHOhiKVerdosVZ7OB/E7lkv5D9P7X6WwA==]
+     signing_key_path: frontend.key
+     client_db_path: cdb.json
+     backend_name: Saml2SP
+     provider:
+       client_registration_supported: Yes
+       response_types_supported: ["code", "id_token token"]
+       subject_types_supported: ["pairwise"]
+       scopes_supported: ["openid", "email"]
+       authorization_code_lifetime: 300
+       access_token_lifetime: 300
+  module: satosa.frontends.openid_connect.OpenIDConnectFrontend
+  plugin: FrontendModulePlugin
+
--- a/netbird-test-satosa-1-sto1.sunet.se/overlay/etc/hiera/data/local.yaml
+++ b/netbird-test-satosa-1-sto1.sunet.se/overlay/etc/hiera/data/local.yaml
@ -0,0 +1,169 @@
+---
+satosa_config:
+   saml2_backend: "/etc/satosa/plugins/saml2_backend.yaml"
+   oidc_frontend: "/etc/satosa/plugins/oidc_frontend.yaml"
+   saml2_frontend: "/etc/satosa/plugins/saml2_frontend.yaml"
+   internal_attributes: "/etc/satosa/internal_attributes.yaml"
+   attribute_authorization: "/etc/satosa/plugins/attribute_authorization.yaml"
+   healthcheck: "/etc/satosa/plugins/healthcheck.yaml"
+
+satosa_json_config:
+  cdb: "/etc/satosa/cdb.json"
+
+attribute_authorization:
+   module: satosa.micro_services.attribute_authorization.AttributeAuthorization
+   plugin: AttributeAuthorization
+   name: AttributeAuthorization
+   config:
+      force_attributes_presence_on_allow: true
+      attribute_allow:
+         default:
+            platform:
+               subject-id:
+                  - "."
+            default:
+               subject-id:
+                  - "."
+healthcheck:
+   module: swamid_plugins.healthcheck.HealthCheck
+   name: HealthCheck
+internal_attributes:
+   attributes:
+      name:
+        openid: [name]
+        saml: [displayName]
+      givenname:
+         saml: [givenName]
+         openid: [given_name]
+      surname:
+        saml: [sn]
+        openid: [family_name]
+      displayname:
+        openid: [nickname]
+      mail:
+        openid: [email]
+        saml: [mail]
+      uid:
+        openid: [sub]
+      subject-id:
+        openid: [sub,username,preferred_username]
+        saml: [subject-id, eduPersonPrincipalName]
+satosa_proxy_conf:
+   BASE: https://idp-proxy-platform-test.sunet.se
+   INTERNAL_ATTRIBUTES: "internal_attributes.yaml"
+   BACKEND_MODULES:
+      - "plugins/saml2_backend.yaml"
+   FRONTEND_MODULES:
+      - "plugins/oidc_frontend.yaml"
+      - "plugins/saml2_frontend.yaml"
+   MICRO_SERVICES:
+      - "plugins/attribute_authorization.yaml"
+      - "plugins/healthcheck.yaml"
+   LOGGING:
+     version: 1
+     formatters:
+        default:
+           format: "%(asctime)s [%(process)d] [%(levelname)s] %(message)s"
+     handlers:
+        console:
+           class: logging.StreamHandler
+           level: DEBUG
+           formatter: default
+           stream: ext://sys.stdout
+     loggers:
+        satosa:
+           level: DEBUG
+           handlers: [console]
+        saml2:
+           level: DEBUG
+           handlers: [console]
+        swamid_plugins:
+           level: DEBUG
+           handlers: [console]
+saml2_backend:
+  config:
+    sp_config:
+      organization: {display_name: Platform services (test), name: Platform services (Test), url: 'https://sunet.se'}
+      contact_person:
+        - {contact_type: technical, email_address: noc@sunet.se, given_name: Technical}
+        - {contact_type: support, email_address: noc@sunet.se, given_name: Support}
+      key_file: backend.key
+      cert_file: backend.crt
+      encryption_keypairs:
+        - { key_file: backend.key, cert_file: backend.crt }
+      allow_unknown_attributes: true
+      metadata:
+        mdq:
+         - url: https://mds.swamid.se
+           cert: "/etc/satosa/md-signer2.crt"
+      entityid: https://idp-proxy-platform-test.sunet.se/sp
+      accepted_time_diff: 180
+      service:
+        sp:
+          name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
+          allow_unsolicited: true
+          endpoints:
+            assertion_consumer_service:
+              - [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+              - [<base_url>/<name>/acs/redirect, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+            discovery_response:
+              - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
+          want_response_signed: False
+          want_assertions_signed: False
+          want_assertions_or_response_signed: True
+      xmlsec_binary: /usr/bin/xmlsec1
+      # We can't find the unspecified map. Ivan recommended to remove this setting
+      # attribute_map_dir: attributemaps
+    disco_srv: https://service.seamlessaccess.org/ds/
+    attribute_profile: saml
+  module: satosa.backends.saml2.SAMLBackend
+  name: Saml2SP
+  plugin: BackendModulePlugin
+
+saml2_frontend:
+  module: satosa.frontends.saml2.SAMLFrontend
+  name: Saml2IDP
+  config:
+    #acr_mapping:
+    #  "": default-LoA
+    #  "https://accounts.google.com": LoA1
+
+    endpoints:
+      single_sign_on_service:
+        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post
+        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect
+
+    # If configured and not false or empty the common domain cookie _saml_idp will be set
+    # with or have appended the IdP used for authentication. The default is not to set the
+    # cookie. If the value is a dictionary with key 'domain' then the domain for the cookie
+    # will be set to the value for the 'domain' key. If no 'domain' is set then the domain
+    # from the BASE defined for the proxy will be used.
+    #common_domain_cookie:
+    #  domain: .example.com
+
+    entityid_endpoint: true
+    enable_metadata_reload: no
+
+    idp_config:
+      key_file: frontend.key
+      cert_file: frontend.crt
+      metadata:
+        local: [metadata/monitor.xml, metadata/hittade.xml]
+
+      entityid: <base_url>/<name>/proxy.xml
+      accepted_time_diff: 60
+      service:
+        idp:
+          endpoints:
+            single_sign_on_service: []
+          name: Proxy IdP
+          name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
+          policy:
+            default:
+              attribute_restrictions: null
+              fail_on_missing_requested: false
+              lifetime: {minutes: 15}
+              name_form: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
+              encrypt_assertion: false
+              encrypted_advice_attributes: false
+