From 0c68862d6e6b0e24a956923f918e413254e8c846 Mon Sep 17 00:00:00 2001
From: Patrik Holmqvist
Date: Tue, 6 May 2025 14:43:37 +0200
Subject: [PATCH] Add satosa config and secrets
---
 .../overlay/etc/hiera/data/local.eyaml | 36 ++++
 .../overlay/etc/hiera/data/local.yaml | 169 ++++++++++++++++++
 2 files changed, 205 insertions(+)
 create mode 100644 netbird-test-satosa-1-sto1.sunet.se/overlay/etc/hiera/data/local.eyaml
 create mode 100644 netbird-test-satosa-1-sto1.sunet.se/overlay/etc/hiera/data/local.yaml
diff --git a/netbird-test-satosa-1-sto1.sunet.se/overlay/etc/hiera/data/local.eyaml b/netbird-test-satosa-1-sto1.sunet.se/overlay/etc/hiera/data/local.eyaml
new file mode 100644
index 0000000..898add0
--- /dev/null
+++ b/netbird-test-satosa-1-sto1.sunet.se/overlay/etc/hiera/data/local.eyaml
@@ -0,0 +1,36 @@
+---
+satosa_state_encryption_key: ENC[PKCS7,MIIDBwYJKoZIhvcNAQcDoIIC+DCCAvQCAQAxggKPMIICiwIBADBzMFsxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxLDAqBgNVBAMMI25ldGJpcmQtdGVzdC1zYXRvc2EtMS1zdG8xLnN1bmV0LnNlAhQx3yW1x7IQotol8YzjdOxf+7/GcjANBgkqhkiG9w0BAQEFAASCAgBfnxfa8FunipkHTiocb61byqAiLWBubxgakFz8Axiq3zNWIWqAhKRbHzH/Oe9kInAVy4sgbOsKP7DlcB5UQ9a6Rc0YAD0T+7nKKUNCZb+O0W+uaI9SKMFj5/m2AAziMn2XDz8N334s6gda3rit34UBhnM6mblwHXsSV6Oc2OZmU4sTk3NcXKYn4RnzA9SXTvV5TRNJkN287zxC+EvfUQgA0U9InNCfF5OxuSCilZF6FV/jbhWt9fEUroi2Tprq9tmwkDj2tL/JLKRkaSfhvLYlDPEEpzpnbhYRey0I1cSnkzlbad4g3RDa0WuIptzJtWXMwVDVVu/8K7pUEl7Gc/zY3t45PomSVurpzIsKx3S7SOwx7L7hrJQxvvPf9ux5secWov9x3cYYZ7tiToXhFHsPNojXtcxiMhWLBA2c+aQCCPzoL9cBmqQ3xZHh3K5lvjnCyPHMTnwiNCQ0ZqDwEXtI26U4jaLbmrb/PmZaarTubBsdrU9m66QwRQUPnH4phmzwHYv3mWsq2G//ViAah//L+aQGYMekgbz1J0fnxuLOiIV2kWtO2mU60aJ9nVo9D4AnFHpEOg/a9VsOiy8TH2FBc+GTZL0GSR3HAbvQNqTKqqQhSjprYIyrDR2pnwCOe5+9f3CTIwvRqEHwRwJ2NI2IPPmrXcLhNap7iCTKWzMnQTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCYXNiYmCytegCBG1Ly3zG7gDBZrs4ibUx6xh+2DLdlXFRC2RCifOBKsC6idOYosUlIQ0+/QyWphH4LcZxpd2Dw+fY=]
+satosa_user_id_hash_salt: 
ENC[PKCS7,MIIDBwYJKoZIhvcNAQcDoIIC+DCCAvQCAQAxggKPMIICiwIBADBzMFsxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxLDAqBgNVBAMMI25ldGJpcmQtdGVzdC1zYXRvc2EtMS1zdG8xLnN1bmV0LnNlAhQx3yW1x7IQotol8YzjdOxf+7/GcjANBgkqhkiG9w0BAQEFAASCAgCq3OLjYaDbLoujsteIn94iUy32gWt8lJh5oQKFtHJKEtLdhEHhsXiSGFYi2bfDXTWypgH8g/oQBnCGPY3lWHJxLzkyCoqfML2n1aDKLJEU/xAbdKd1PuW8cW9IwcfUhw6gHnqTXit1+4WxPfLU8yHPj7Ge530v8hLBuXJLXvOt10uJm8SCgA56D0kBclSeV6INnyRWHPf88gwzE+om4R4GDyABf/cMrc0ycXteBSjIK9vuor34Vov/NKxpLxXCZJc71qd32WZvvGyLx5nhXqN63lzWdi8afPl1hIjid3ljGcX//fzHvZ7R5PEK106RCaQx3OuhF64pb9kooWbepZVN0eMAYO4fCp9r/Sd6N6qGxfc8D2yxyz8QWN85nA72jZbnFh1/v1YvUO63UzyXgm1CBeAKUmqFbPJ75m1c7klqe8M8EXFsZqPfnNzDY90tcOUkB1aHL9EP0cmNPVwcgWSrDyW7j/EjwkIP0XaIsMYX+AR/L3Cmk5kaawbhg8fclpNggAnM03mm8DzKu2pDE1NokDkmyq0PFXA76NMYBDkGCcHCm9XsUO/kJPPLFWEycURuk4Uo52qCXAFKMsgD0ppQ+RoHNIORllNxUHXt1jq4k3HOxdSx+4itEY3RDYyjTfgdBtZ7JzO6mRuZ9BQQTfjAdfl/Mkr0JwDmlaA0htYvODBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAWb66crB85/mSJps9D7oxFgDCU3nAlbnlQg9NcuAzb/ORuzyGwL8gJf/WAy+2EtPkwbgvgYsKIbZK6hcvOOK5LBsA=]
+
+cdb:
+ netbird:
+ response_types:
+ - code
+ - id_token
+ client_id: ENC[PKCS7,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]
+ client_secret: ENC[PKCS7,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]
+ claims_supported:
+ - id_token
+ redirect_uris:
+ - 'https://netbird-test.sunet.se/auth'
+ allowed_scope_values:
+ - profile
+ - email
+
+oidc_frontend:
+ name: oidc-front
+ config:
+ db_uri: 
ENC[PKCS7,MIIDJwYJKoZIhvcNAQcDoIIDGDCCAxQCAQAxggKPMIICiwIBADBzMFsxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxLDAqBgNVBAMMI25ldGJpcmQtdGVzdC1zYXRvc2EtMS1zdG8xLnN1bmV0LnNlAhQx3yW1x7IQotol8YzjdOxf+7/GcjANBgkqhkiG9w0BAQEFAASCAgA3jBEDUIlLSy0Fy2f7g96brBVLS0vhqtwbbwiotdBOVBzbVMhBm/iejM1xvmYvF7oqKjMScVDcw2TnYfKoIsIBmk/2aJOBpS01OCmSKtrfyymugskBRI+Acn7hpKmBuT8n3bPP4G42ZndMbnYbPXGVt9DStzkG7tMtRZzKKI9vsJj3Fc5hoJN6uT+EejxZGQ70WojBd9IbKsxY4D8nbgVfuFjYy1ddJzX1EivZRKtZmi7j2rb2Q6tUoExZhc+We3i6mNg0xmI2myRRAnCXnC6vIQaSLvh0i4VTBxZRru6JnFbMT3ezTnhPYUnZdJNEaRuiWCo4WZI4klWG51OEBD7LyqnFJBqNk+bsGWHTI4LL3n17k9uvPyocP1OjyBOb5NCyC+ZchcOZxwltkxRzfjqoNyxJLxc6tNIWZue8KYfXGdVNSdbv87Bx1O5f3UpHcsjHoneawVwVK6k4aXQu0+TwfsIaTgEMz7qGci/z8z3ThW/SpgcKIv3lXwdLlmUiWaG29xiQnC6kjaupLw/1viZvzskllVE1ShW8qIfIK8oRZkNWBaQey45MYKUs0DWSxkyTtIGwxnmplga3nrEAUZF+72A98iRLkuHBCNBkTDNg6/UGMPXI85q37PsFtyTkAOrXcR266HP6uuBBQVFRnVjmvfHp61cbohzJ4hekeoPxijB8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBJg+fCqhgA+czBGMC/XzIDgFBEr4wlxoBHQr2R8vqqUazzrfge4IowSi14J7ZZwhVQDn8ZjxPysm9DxPDvBhCaaK/VEiusRJiYFqHOhiKVerdosVZ7OB/E7lkv5D9P7X6WwA==]
+ signing_key_path: frontend.key
+ client_db_path: cdb.json
+ backend_name: Saml2SP
+ provider:
+ client_registration_supported: Yes
+ response_types_supported: ["code", "id_token token"]
+ subject_types_supported: ["pairwise"]
+ scopes_supported: ["openid", "email"]
+ authorization_code_lifetime: 300
+ access_token_lifetime: 300
+ module: satosa.frontends.openid_connect.OpenIDConnectFrontend
+ plugin: FrontendModulePlugin
+
diff --git a/netbird-test-satosa-1-sto1.sunet.se/overlay/etc/hiera/data/local.yaml b/netbird-test-satosa-1-sto1.sunet.se/overlay/etc/hiera/data/local.yaml
new file mode 100644
index 0000000..32c2350
--- /dev/null
+++ b/netbird-test-satosa-1-sto1.sunet.se/overlay/etc/hiera/data/local.yaml
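Review bot: `client_registration_supported: Yes` under `provider` in the oidc_frontend config presumably turns on dynamic client registration, so parties other than the static `netbird` entry in `cdb` could register themselves against this frontend; if only the cdb.json clients are meant to be accepted, set `client_registration_supported: No` and confirm against the SATOSA frontend's handling of `client_db_path`. The `netbird` client lists `id_token` in its `response_types`, while `response_types_supported` advertises only `"code"` and `"id_token token"`, so one of the two lists looks inconsistent. Bare `Yes` is a YAML 1.1 boolean; `true`/`false` reads the same in every parser this file may pass through.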
@@ -0,0 +1,169 @@
+---
+satosa_config:
+ saml2_backend: "/etc/satosa/plugins/saml2_backend.yaml"
+ oidc_frontend: "/etc/satosa/plugins/oidc_frontend.yaml"
+ saml2_frontend: "/etc/satosa/plugins/saml2_frontend.yaml"
+ internal_attributes: "/etc/satosa/internal_attributes.yaml"
+ attribute_authorization: "/etc/satosa/plugins/attribute_authorization.yaml"
+ healthcheck: "/etc/satosa/plugins/healthcheck.yaml"
+
+satosa_json_config:
+ cdb: "/etc/satosa/cdb.json"
+
+attribute_authorization:
+ module: satosa.micro_services.attribute_authorization.AttributeAuthorization
+ plugin: AttributeAuthorization
+ name: AttributeAuthorization
+ config:
+ force_attributes_presence_on_allow: true
+ attribute_allow:
+ default:
+ platform:
+ subject-id:
+ - "."
+ default:
+ subject-id:
+ - "."
+healthcheck:
+ module: swamid_plugins.healthcheck.HealthCheck
+ name: HealthCheck
+internal_attributes:
+ attributes:
+ name:
+ openid: [name]
+ saml: [displayName]
+ givenname:
+ saml: [givenName]
+ openid: [given_name]
+ surname:
+ saml: [sn]
+ openid: [family_name]
+ displayname:
+ openid: [nickname]
+ mail:
+ openid: [email]
+ saml: [mail]
+ uid:
+ openid: [sub]
+ subject-id:
+ openid: [sub,username,preferred_username]
+ saml: [subject-id, eduPersonPrincipalName]
+satosa_proxy_conf:
+ BASE: https://idp-proxy-platform-test.sunet.se
+ INTERNAL_ATTRIBUTES: "internal_attributes.yaml"
+ BACKEND_MODULES:
+ - "plugins/saml2_backend.yaml"
+ FRONTEND_MODULES:
+ - "plugins/oidc_frontend.yaml"
+ - "plugins/saml2_frontend.yaml"
+ MICRO_SERVICES:
+ - "plugins/attribute_authorization.yaml"
+ - "plugins/healthcheck.yaml"
+ LOGGING:
+ version: 1
+ formatters:
+ default:
+ format: "%(asctime)s [%(process)d] [%(levelname)s] %(message)s"
+ handlers:
+ console:
+ class: logging.StreamHandler
+ level: DEBUG
+ formatter: default
+ stream: ext://sys.stdout
+ loggers:
+ satosa:
+ level: DEBUG
+ handlers: [console]
+ saml2:
+ level: DEBUG
+ handlers: [console]
+ swamid_plugins:
+ level: DEBUG
+ handlers: [console]
+saml2_backend:
+ config:
+ sp_config:
+ organization: {display_name: Platform services (test), name: Platform services (Test), url: 'https://sunet.se'}
+ contact_person:
+ - {contact_type: technical, email_address: noc@sunet.se, given_name: Technical}
+ - {contact_type: support, email_address: noc@sunet.se, given_name: Support}
+ key_file: backend.key
+ cert_file: backend.crt
+ encryption_keypairs:
+ - { key_file: backend.key, cert_file: backend.crt }
+ allow_unknown_attributes: true
+ metadata:
+ mdq:
+ - url: https://mds.swamid.se
+ cert: "/etc/satosa/md-signer2.crt"
+ entityid: https://idp-proxy-platform-test.sunet.se/sp
+ accepted_time_diff: 180
+ service:
+ sp:
+ name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
+ allow_unsolicited: true
+ endpoints:
+ assertion_consumer_service:
+ - [//acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+ - [//acs/redirect, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+ discovery_response:
+ - [//disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
+ want_response_signed: False
+ want_assertions_signed: False
+ want_assertions_or_response_signed: True
+ xmlsec_binary: /usr/bin/xmlsec1
+ # We can't find the unspecified map. Ivan recommended to remove this setting
+ # attribute_map_dir: attributemaps
+ disco_srv: https://service.seamlessaccess.org/ds/
+ attribute_profile: saml
+ module: satosa.backends.saml2.SAMLBackend
+ name: Saml2SP
+ plugin: BackendModulePlugin
+
+saml2_frontend:
+ module: satosa.frontends.saml2.SAMLFrontend
+ name: Saml2IDP
+ config:
+ #acr_mapping:
+ # "": default-LoA
+ # "https://accounts.google.com": LoA1
+
+ endpoints:
+ single_sign_on_service:
+ 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post
+ 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect
+
+ # If configured and not false or empty the common domain cookie _saml_idp will be set
+ # with or have appended the IdP used for authentication. 
The default is not to set the
+ # cookie. If the value is a dictionary with key 'domain' then the domain for the cookie
+ # will be set to the value for the 'domain' key. If no 'domain' is set then the domain
+ # from the BASE defined for the proxy will be used.
+ #common_domain_cookie:
+ # domain: .example.com
+
+ entityid_endpoint: true
+ enable_metadata_reload: no
+
+ idp_config:
+ key_file: frontend.key
+ cert_file: frontend.crt
+ metadata:
+ local: [metadata/monitor.xml, metadata/hittade.xml]
+
+ entityid: //proxy.xml
+ accepted_time_diff: 60
+ service:
+ idp:
+ endpoints:
+ single_sign_on_service: []
+ name: Proxy IdP
+ name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
+ policy:
+ default:
+ attribute_restrictions: null
+ fail_on_missing_requested: false
+ lifetime: {minutes: 15}
+ name_form: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
+ encrypt_assertion: false
+ encrypted_advice_attributes: false
+
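Review bot: The `LOGGING` block in `satosa_proxy_conf` puts the `satosa`, `saml2` and `swamid_plugins` loggers at `DEBUG` on a stdout handler, and at that level pysaml2 is likely to write assertion and token contents into the host's logs; for steady-state operation `level: INFO` on those three loggers is the safer setting, with DEBUG raised only while troubleshooting. In `saml2_backend`, `allow_unsolicited: true` accepts IdP-initiated responses that do not correspond to an outstanding request from this SP, so it should either be set to `false` or carry a comment such as `# allow_unsolicited is required for IdP-initiated SSO from <flow name>` naming the flow that needs it. `BASE: https://idp-proxy-platform-test.sunet.se` and the backend `entityid` use the platform-test hostname while the host directory and the registered redirect URI in local.eyaml are netbird-test; please confirm this is the intended public name for this instance rather than a carry-over from another proxy.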