added satosa config

internal-sto4-prod-satosa-1.rut.sunet.se/overlay/etc/hiera/data/local.yaml

@@ -0,0 +1,169 @@
+---
+satosa_config:
+   saml2_backend: "/etc/satosa/plugins/saml2_backend.yaml"
+   oidc_frontend: "/etc/satosa/plugins/oidc_frontend.yaml"
+   saml2_frontend: "/etc/satosa/plugins/saml2_frontend.yaml"
+   internal_attributes: "/etc/satosa/internal_attributes.yaml"
+   attribute_authorization: "/etc/satosa/plugins/attribute_authorization.yaml"
+   healthcheck: "/etc/satosa/plugins/healthcheck.yaml"
+
+satosa_json_config:
+  cdb: "/etc/satosa/cdb.json"
+
+attribute_authorization:
+   module: satosa.micro_services.attribute_authorization.AttributeAuthorization
+   plugin: AttributeAuthorization
+   name: AttributeAuthorization
+   config:
+      force_attributes_presence_on_allow: true
+      attribute_allow:
+         default:
+            rut:
+               subject-id:
+                  - "."
+            default:
+               edupersonscopedaffiliation:
+                  - "member@"
+               subject-id:
+                  - "."
+healthcheck:
+   module: swamid_plugins.healthcheck.HealthCheck
+   name: HealthCheck
+internal_attributes:
+   attributes:
+      name:
+        openid: [name]
+        saml: [displayName]
+      givenname:
+         saml: [givenName]
+         openid: [given_name]
+      surname:
+        saml: [sn]
+        openid: [family_name]
+      mail:
+        openid: [email]
+        saml: [mail]
+      subject-id:
+        openid: [sub]
+        saml: [subject-id, eduPersonPrincipalName]
+      edupersonscopedaffiliation:
+        saml: [eduPersonScopedAffiliation]
+        openid: [scoped-affiliation]
+satosa_proxy_conf:
+   BASE: https://idp-proxy-prod.rut.sunet.se
+   INTERNAL_ATTRIBUTES: "internal_attributes.yaml"
+   BACKEND_MODULES:
+      - "plugins/saml2_backend.yaml"
+   FRONTEND_MODULES:
+      - "plugins/oidc_frontend.yaml"
+      - "plugins/saml2_frontend.yaml"
+   MICRO_SERVICES:
+      - "plugins/attribute_authorization.yaml"
+      - "plugins/healthcheck.yaml"
+   LOGGING:
+     version: 1
+     formatters:
+        default:
+           format: "%(asctime)s [%(process)d] [%(levelname)s] %(message)s"
+     handlers:
+        console:
+           class: logging.StreamHandler
+           level: DEBUG
+           formatter: default
+           stream: ext://sys.stdout
+     loggers:
+        satosa:
+           level: DEBUG
+           handlers: [console]
+        saml2:
+           level: DEBUG
+           handlers: [console]
+        swamid_plugins:
+           level: DEBUG
+           handlers: [console]
+saml2_backend:
+  config:
+    sp_config:
+      organization: {display_name: RUT services (Prod), name: RUT services (Prod), url: 'https://rut.sunet.se'}
+      contact_person:
+        - {contact_type: technical, email_address: noc@sunet.se, given_name: Technical}
+        - {contact_type: support, email_address: noc@sunet.se, given_name: Support}
+      key_file: backend.key
+      cert_file: backend.crt
+      encryption_keypairs:
+        - { key_file: backend.key, cert_file: backend.crt }
+      allow_unknown_attributes: true
+      metadata:
+        mdq:
+         - url: https://mds.swamid.se
+           cert: "/etc/satosa/md-signer2.crt"
+      entityid: https://idp-proxy-prod.rut.sunet.se/sp
+      accepted_time_diff: 180
+      service:
+        sp:
+          name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
+          allow_unsolicited: true
+          endpoints:
+            assertion_consumer_service:
+              - [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+              - [<base_url>/<name>/acs/redirect, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+            discovery_response:
+              - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
+          want_response_signed: False
+          want_assertions_signed: False
+          want_assertions_or_response_signed: True
+      xmlsec_binary: /usr/bin/xmlsec1
+      # We can't find the unspecified map. Ivan recommended to remove this setting
+      # attribute_map_dir: attributemaps
+    disco_srv: https://service.seamlessaccess.org/ds/
+    attribute_profile: saml
+  module: satosa.backends.saml2.SAMLBackend
+  name: Saml2SP
+  plugin: BackendModulePlugin
+
+saml2_frontend:
+  module: satosa.frontends.saml2.SAMLFrontend
+  name: Saml2IDP
+  config:
+    #acr_mapping:
+    #  "": default-LoA
+    #  "https://accounts.google.com": LoA1
+
+    endpoints:
+      single_sign_on_service:
+        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post
+        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect
+
+    # If configured and not false or empty the common domain cookie _saml_idp will be set
+    # with or have appended the IdP used for authentication. The default is not to set the
+    # cookie. If the value is a dictionary with key 'domain' then the domain for the cookie
+    # will be set to the value for the 'domain' key. If no 'domain' is set then the domain
+    # from the BASE defined for the proxy will be used.
+    #common_domain_cookie:
+    #  domain: .example.com
+
+    entityid_endpoint: true
+    enable_metadata_reload: no
+
+    idp_config:
+      key_file: frontend.key
+      cert_file: frontend.crt
+      metadata:
+        local: [metadata/monitor.xml]
+
+      entityid: <base_url>/<name>/proxy.xml
+      accepted_time_diff: 60
+      service:
+        idp:
+          endpoints:
+            single_sign_on_service: []
+          name: Proxy IdP
+          name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
+          policy:
+            default:
+              attribute_restrictions: null
+              fail_on_missing_requested: false
+              lifetime: {minutes: 15}
+              name_form: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
+              encrypt_assertion: false
+              encrypted_advice_attributes: false