From e82e0bf744ca1d3936e0dbd4c6c3e0c03da5d45f Mon Sep 17 00:00:00 2001
From: Rasmus Thorslund
Date: Thu, 16 Jan 2025 09:35:13 +0100
Subject: [PATCH] added satosa config
---
.../overlay/etc/hiera/data/local.yaml | 169 ++++++++++++++++++
1 file changed, 169 insertions(+)
create mode 100644 internal-sto4-prod-satosa-1.rut.sunet.se/overlay/etc/hiera/data/local.yaml
diff --git a/internal-sto4-prod-satosa-1.rut.sunet.se/overlay/etc/hiera/data/local.yaml b/internal-sto4-prod-satosa-1.rut.sunet.se/overlay/etc/hiera/data/local.yaml
new file mode 100644
index 0000000..adda09f
--- /dev/null
+++ b/internal-sto4-prod-satosa-1.rut.sunet.se/overlay/etc/hiera/data/local.yaml
@@ -0,0 +1,169 @@
+---
+satosa_config:
+ saml2_backend: "/etc/satosa/plugins/saml2_backend.yaml"
+ oidc_frontend: "/etc/satosa/plugins/oidc_frontend.yaml"
+ saml2_frontend: "/etc/satosa/plugins/saml2_frontend.yaml"
+ internal_attributes: "/etc/satosa/internal_attributes.yaml"
+ attribute_authorization: "/etc/satosa/plugins/attribute_authorization.yaml"
+ healthcheck: "/etc/satosa/plugins/healthcheck.yaml"
+
+satosa_json_config:
+ cdb: "/etc/satosa/cdb.json"
+
+attribute_authorization:
+ module: satosa.micro_services.attribute_authorization.AttributeAuthorization
+ plugin: AttributeAuthorization
+ name: AttributeAuthorization
+ config:
+ force_attributes_presence_on_allow: true
+ attribute_allow:
+ default:
+ rut:
+ subject-id:
+ - "."
+ default:
+ edupersonscopedaffiliation:
+ - "member@"
+ subject-id:
+ - "."
+healthcheck:
+ module: swamid_plugins.healthcheck.HealthCheck
+ name: HealthCheck
+internal_attributes:
+ attributes:
+ name:
+ openid: [name]
+ saml: [displayName]
+ givenname:
+ saml: [givenName]
+ openid: [given_name]
+ surname:
+ saml: [sn]
+ openid: [family_name]
+ mail:
+ openid: [email]
+ saml: [mail]
+ subject-id:
+ openid: [sub]
+ saml: [subject-id, eduPersonPrincipalName]
+ edupersonscopedaffiliation:
+ saml: [eduPersonScopedAffiliation]
+ openid: [scoped-affiliation]
+satosa_proxy_conf:
+ BASE: https://idp-proxy-prod.rut.sunet.se
+ INTERNAL_ATTRIBUTES: "internal_attributes.yaml"
+ BACKEND_MODULES:
+ - "plugins/saml2_backend.yaml"
+ FRONTEND_MODULES:
+ - "plugins/oidc_frontend.yaml"
+ - "plugins/saml2_frontend.yaml"
+ MICRO_SERVICES:
+ - "plugins/attribute_authorization.yaml"
+ - "plugins/healthcheck.yaml"
+ LOGGING:
+ version: 1
+ formatters:
+ default:
+ format: "%(asctime)s [%(process)d] [%(levelname)s] %(message)s"
+ handlers:
+ console:
+ class: logging.StreamHandler
+ level: DEBUG
+ formatter: default
+ stream: ext://sys.stdout
+ loggers:
+ satosa:
+ level: DEBUG
+ handlers: [console]
+ saml2:
+ level: DEBUG
+ handlers: [console]
+ swamid_plugins:
+ level: DEBUG
+ handlers: [console]
+saml2_backend:
+ config:
+ sp_config:
+ organization: {display_name: RUT services (Prod), name: RUT services (Prod), url: 'https://rut.sunet.se'}
+ contact_person:
+ - {contact_type: technical, email_address: noc@sunet.se, given_name: Technical}
+ - {contact_type: support, email_address: noc@sunet.se, given_name: Support}
+ key_file: backend.key
+ cert_file: backend.crt
+ encryption_keypairs:
+ - { key_file: backend.key, cert_file: backend.crt }
+ allow_unknown_attributes: true
+ metadata:
+ mdq:
+ - url: https://mds.swamid.se
+ cert: "/etc/satosa/md-signer2.crt"
+ entityid: https://idp-proxy-prod.rut.sunet.se/sp
+ accepted_time_diff: 180
+ service:
+ sp:
+ name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
+ allow_unsolicited: true
+ endpoints:
+ assertion_consumer_service:
+ - [//acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+ - [//acs/redirect, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+ discovery_response:
+ - [//disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
+ want_response_signed: False
+ want_assertions_signed: False
+ want_assertions_or_response_signed: True
+ xmlsec_binary: /usr/bin/xmlsec1
+ # We can't find the unspecified map. Ivan recommended to remove this setting
+ # attribute_map_dir: attributemaps
+ disco_srv: https://service.seamlessaccess.org/ds/
+ attribute_profile: saml
+ module: satosa.backends.saml2.SAMLBackend
+ name: Saml2SP
+ plugin: BackendModulePlugin
+
+saml2_frontend:
+ module: satosa.frontends.saml2.SAMLFrontend
+ name: Saml2IDP
+ config:
+ #acr_mapping:
+ # "": default-LoA
+ # "https://accounts.google.com": LoA1
+
+ endpoints:
+ single_sign_on_service:
+ 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post
+ 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect
+
+ # If configured and not false or empty the common domain cookie _saml_idp will be set
+ # with or have appended the IdP used for authentication. The default is not to set the
+ # cookie. If the value is a dictionary with key 'domain' then the domain for the cookie
+ # will be set to the value for the 'domain' key. If no 'domain' is set then the domain
+ # from the BASE defined for the proxy will be used.
+ #common_domain_cookie:
+ # domain: .example.com
+
+ entityid_endpoint: true
+ enable_metadata_reload: no
+
+ idp_config:
+ key_file: frontend.key
+ cert_file: frontend.crt
+ metadata:
+ local: [metadata/monitor.xml]
+
+ entityid: //proxy.xml
+ accepted_time_diff: 60
+ service:
+ idp:
+ endpoints:
+ single_sign_on_service: []
+ name: Proxy IdP
+ name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
+ policy:
+ default:
+ attribute_restrictions: null
+ fail_on_missing_requested: false
+ lifetime: {minutes: 15}
+ name_form: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
+ encrypt_assertion: false
+ encrypted_advice_attributes: false
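Review bot: The `console` handler and all three loggers under `LOGGING` (`satosa`, `saml2`, `swamid_plugins`) are pinned to `DEBUG` in a file whose path names a production host; pysaml2's debug output typically includes the SAML XML it parses, so released user attributes would land in stdout and whatever collects it. Unless the verbosity is deliberate for the rollout, change the four `level: DEBUG` entries to `level: INFO`, or leave a comment saying when it will be lowered. Separately, `allow_unsolicited: true` in the backend `sp_config` makes the proxy accept SAML responses it never issued a request for, dropping the InResponseTo check that ties a response to a login this proxy started; if IdP-initiated login is not required it should be `allow_unsolicited: false`, and if it is, a one-line comment naming the IdPs that need it would justify the setting. With `want_response_signed: False` and `want_assertions_signed: False` an assertion may arrive unsigned as long as the outer response carries a signature; `want_assertions_signed: True` is the stronger requirement unless a federation IdP is known to sign only the response.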