---
# Paths of the SATOSA plugin and attribute-map files rendered on the host.
# The stanzas later in this file (attribute_authorization, healthcheck,
# internal_attributes, saml2_backend, saml2_frontend) supply their content;
# oidc_frontend's content is not in this file — presumably defined elsewhere
# in the hiera hierarchy.
satosa_config:
  saml2_backend: '/etc/satosa/plugins/saml2_backend.yaml'
  oidc_frontend: '/etc/satosa/plugins/oidc_frontend.yaml'
  saml2_frontend: '/etc/satosa/plugins/saml2_frontend.yaml'
  internal_attributes: '/etc/satosa/internal_attributes.yaml'
  attribute_authorization: '/etc/satosa/plugins/attribute_authorization.yaml'
  healthcheck: '/etc/satosa/plugins/healthcheck.yaml'
# Files rendered as JSON rather than YAML. cdb.json is presumably the OIDC
# frontend's client database (client ids, redirect URIs, secrets) — its
# content is intentionally not in this hiera file; keep it that way so client
# secrets stay out of the overlay.
satosa_json_config:
  cdb: '/etc/satosa/cdb.json'
# Access-control micro-service: a login only proceeds when the listed
# attributes match the given regexes. The nesting below is read as
# target_provider -> requester -> attribute -> [regex] — TODO confirm against
# the SATOSA AttributeAuthorization documentation for the deployed version.
attribute_authorization:
  module: satosa.micro_services.attribute_authorization.AttributeAuthorization
  plugin: AttributeAuthorization
  name: AttributeAuthorization
  config:
    # With this on, an attribute named in attribute_allow that is absent from
    # the upstream response counts as a denial instead of being ignored.
    force_attributes_presence_on_allow: true
    attribute_allow:
      # Applies to every upstream IdP.
      default:
        # Requester "rut" only has to carry a non-empty subject-id.
        rut:
          subject-id:
            - '.'
        # Every other requester also needs a "member@" scoped affiliation.
        # NOTE(review): these are regexes; if SATOSA matches with search()
        # rather than fullmatch(), 'member@' accepts member@<any scope>, i.e.
        # a member from any IdP reachable via MDQ. Anchor the scope
        # (e.g. '^member@example\.se$') if access should be limited to
        # particular home organisations — confirm the intended policy.
        default:
          edupersonscopedaffiliation:
            - 'member@'
          subject-id:
            - '.'
# Health-check micro-service from the SWAMID plugin package. It has no config
# block, so it runs with the plugin's defaults — TODO confirm which path it
# answers on and that it does not expose anything beyond an up/down status.
healthcheck:
  module: swamid_plugins.healthcheck.HealthCheck
  name: HealthCheck
# Mapping between SATOSA's internal attribute names and the names used on the
# SAML side (backend and SAML frontend) and the OIDC side (OIDC frontend).
internal_attributes:
  attributes:
    name:
      saml: [displayName]
      openid: [name]
    givenname:
      saml: [givenName]
      openid: [given_name]
    surname:
      saml: [sn]
      openid: [family_name]
    mail:
      saml: [mail]
      openid: [email]
    # NOTE(review): two SAML sources feed the internal subject-id (and thus the
    # OIDC `sub`). If SATOSA takes the first attribute present in list order,
    # the identifier an RP sees depends on which one the upstream IdP happens
    # to release — confirm that is acceptable for identifier stability before
    # RPs key accounts on it.
    subject-id:
      saml: [subject-id, eduPersonPrincipalName]
      openid: [sub]
    edupersonscopedaffiliation:
      saml: [eduPersonScopedAffiliation]
      openid: [scoped-affiliation]
# Main proxy_conf.yaml for SATOSA. Plugin paths are relative to the config
# directory (presumably /etc/satosa, matching satosa_config above).
satosa_proxy_conf:
  # Public base URL; the <base_url> placeholders in the plugin files expand
  # to this — TODO confirm.
  BASE: https://idp-proxy-test.rut.sunet.se
  INTERNAL_ATTRIBUTES: 'internal_attributes.yaml'
  BACKEND_MODULES:
    - 'plugins/saml2_backend.yaml'
  FRONTEND_MODULES:
    - 'plugins/oidc_frontend.yaml'
    - 'plugins/saml2_frontend.yaml'
  MICRO_SERVICES:
    - 'plugins/attribute_authorization.yaml'
    - 'plugins/healthcheck.yaml'
  # Standard Python logging.config dictConfig.
  LOGGING:
    version: 1
    formatters:
      default:
        format: '%(asctime)s [%(process)d] [%(levelname)s] %(message)s'
    handlers:
      console:
        class: logging.StreamHandler
        level: DEBUG
        formatter: default
        stream: ext://sys.stdout
    # NOTE(review): DEBUG on the satosa and saml2 loggers is very verbose and
    # can include message contents, i.e. user attributes, in the log stream.
    # Acceptable on a test node; lower to INFO before copying this to
    # production and check what the stdout of this service is shipped to.
    loggers:
      satosa:
        level: DEBUG
        handlers:
          - console
      saml2:
        level: DEBUG
        handlers:
          - console
      swamid_plugins:
        level: DEBUG
        handlers:
          - console
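# SAML2 backend: the proxy acting as an SP towards the SWAMID federation.
saml2_backend:
  config:
    # Handed to pysaml2 as the SP configuration.
    sp_config:
      organization:
        display_name: Platform services (test)
        name: Platform services (Test)
        url: 'https://sunet.se'
      contact_person:
        - contact_type: technical
          email_address: noc@sunet.se
          given_name: Technical
        - contact_type: support
          email_address: noc@sunet.se
          given_name: Support
      # Relative paths, resolved against SATOSA's working directory — TODO
      # confirm the profile places them next to proxy_conf.yaml.
      key_file: backend.key
      cert_file: backend.crt
      # The signing keypair doubles as the decryption keypair. It works, but a
      # separate encryption key would let the two be rotated independently.
      encryption_keypairs:
        - key_file: backend.key
          cert_file: backend.crt
      # With attribute_map_dir disabled below, this keeps attributes the
      # bundled maps do not cover rather than dropping them — presumably why
      # it is set.
      allow_unknown_attributes: true
      metadata:
        # Per-entity lookup from the SWAMID MDQ. Every document is verified
        # against the pinned signer certificate, so that file is the trust
        # anchor deciding which IdPs this proxy will accept at all.
        mdq:
          - url: https://mds.swamid.se
            cert: '/etc/satosa/md-signer2.crt'
      entityid: https://idp-proxy-test.rut.sunet.se/sp
      # Clock skew (seconds) tolerated when checking assertion validity.
      accepted_time_diff: 180
      service:
        sp:
          name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
          # NOTE(review): true accepts IdP-initiated responses that carry no
          # InResponseTo, i.e. responses the proxy never requested. Unless
          # IdP-initiated login is a requirement here, set this to false so
          # every response has to match an outstanding AuthnRequest.
          allow_unsolicited: true
          endpoints:
            assertion_consumer_service:
              - [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
              # NOTE(review): the SAML Web SSO profile does not use
              # HTTP-Redirect for responses; this ACS is probably never
              # exercised — confirm before removing it.
              - [<base_url>/<name>/acs/redirect, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
            discovery_response:
              - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
          # Signature policy: neither the Response nor the Assertion is
          # individually required to be signed, but at least one of them
          # must be. Written as lower-case booleans (was False/True; same
          # values) so yamllint and 1.2 parsers agree.
          want_response_signed: false
          want_assertions_signed: false
          want_assertions_or_response_signed: true
      xmlsec_binary: /usr/bin/xmlsec1
      # We can't find the unspecified map. Ivan recommended to remove this setting
      # attribute_map_dir: attributemaps
    # Central discovery service the user is sent to for IdP selection. Any
    # IdP it returns that is resolvable via MDQ is accepted here, so
    # per-user access control rests on the attribute_authorization
    # micro-service, not on this backend.
    disco_srv: https://service.seamlessaccess.org/ds/
    attribute_profile: saml
  module: satosa.backends.saml2.SAMLBackend
  name: Saml2SP
  plugin: BackendModulePlugin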
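# SAML2 frontend: the proxy acting as an IdP towards its own SPs.
saml2_frontend:
  module: satosa.frontends.saml2.SAMLFrontend
  name: Saml2IDP
  config:
    #acr_mapping:
    #  "": default-LoA
    #  "https://accounts.google.com": LoA1
    endpoints:
      single_sign_on_service:
        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post
        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect
    # If configured and not false or empty the common domain cookie _saml_idp will be set
    # with or have appended the IdP used for authentication. The default is not to set the
    # cookie. If the value is a dictionary with key 'domain' then the domain for the cookie
    # will be set to the value for the 'domain' key. If no 'domain' is set then the domain
    # from the BASE defined for the proxy will be used.
    #common_domain_cookie:
    #  domain: .example.com
    # Serve the proxy's IdP metadata at its entityid URL.
    entityid_endpoint: true
    # Was `no`: a YAML 1.1 boolean that a 1.2 parser reads as the string
    # "no". Written as a real boolean so every loader agrees.
    enable_metadata_reload: false
    idp_config:
      key_file: frontend.key
      cert_file: frontend.crt
      # Only SPs present in this local metadata file can use the frontend;
      # presumably any other requester fails at metadata lookup. Today that
      # is a single monitoring SP.
      metadata:
        local: [metadata/monitor.xml]
      entityid: <base_url>/<name>/proxy.xml
      # Clock skew (seconds) tolerated on incoming AuthnRequests.
      accepted_time_diff: 60
      service:
        idp:
          endpoints:
            # Left empty on purpose; SATOSA derives the SSO endpoints from
            # config.endpoints above — TODO confirm.
            single_sign_on_service: []
          name: Proxy IdP
          name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
          policy:
            default:
              # NOTE(review): null means no attribute filtering at this layer,
              # so every internal attribute is released to every SP in the
              # local metadata. Tolerable while monitor.xml is the only SP;
              # add per-SP restrictions before onboarding more.
              attribute_restrictions: null
              fail_on_missing_requested: false
              # Assertion validity window.
              lifetime: {minutes: 15}
              name_form: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
              # Assertions are not encrypted, so their contents pass through
              # the user's browser in the clear (signing is governed
              # separately by pysaml2 defaults here). Fine for a test SP;
              # enable encryption if the released attributes become sensitive.
              encrypt_assertion: false
              encrypted_advice_attributes: false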