170 lines
5.7 KiB
YAML
170 lines
5.7 KiB
YAML
|
---
|
||
|
satosa_config:
|
||
|
saml2_backend: "/etc/satosa/plugins/saml2_backend.yaml"
|
||
|
oidc_frontend: "/etc/satosa/plugins/oidc_frontend.yaml"
|
||
|
saml2_frontend: "/etc/satosa/plugins/saml2_frontend.yaml"
|
||
|
internal_attributes: "/etc/satosa/internal_attributes.yaml"
|
||
|
attribute_authorization: "/etc/satosa/plugins/attribute_authorization.yaml"
|
||
|
healthcheck: "/etc/satosa/plugins/healthcheck.yaml"
|
||
|
|
||
|
satosa_json_config:
|
||
|
cdb: "/etc/satosa/cdb.json"
|
||
|
|
||
|
attribute_authorization:
|
||
|
module: satosa.micro_services.attribute_authorization.AttributeAuthorization
|
||
|
plugin: AttributeAuthorization
|
||
|
name: AttributeAuthorization
|
||
|
config:
|
||
|
force_attributes_presence_on_allow: true
|
||
|
attribute_allow:
|
||
|
default:
|
||
|
rut:
|
||
|
subject-id:
|
||
|
- "."
|
||
|
default:
|
||
|
edupersonscopedaffiliation:
|
||
|
- "member@"
|
||
|
subject-id:
|
||
|
- "."
|
||
|
healthcheck:
|
||
|
module: swamid_plugins.healthcheck.HealthCheck
|
||
|
name: HealthCheck
|
||
|
internal_attributes:
|
||
|
attributes:
|
||
|
name:
|
||
|
openid: [name]
|
||
|
saml: [displayName]
|
||
|
givenname:
|
||
|
saml: [givenName]
|
||
|
openid: [given_name]
|
||
|
surname:
|
||
|
saml: [sn]
|
||
|
openid: [family_name]
|
||
|
mail:
|
||
|
openid: [email]
|
||
|
saml: [mail]
|
||
|
subject-id:
|
||
|
openid: [sub]
|
||
|
saml: [subject-id, eduPersonPrincipalName]
|
||
|
edupersonscopedaffiliation:
|
||
|
saml: [eduPersonScopedAffiliation]
|
||
|
openid: [scoped-affiliation]
|
||
|
satosa_proxy_conf:
|
||
|
BASE: https://idp-proxy-test.rut.sunet.se
|
||
|
INTERNAL_ATTRIBUTES: "internal_attributes.yaml"
|
||
|
BACKEND_MODULES:
|
||
|
- "plugins/saml2_backend.yaml"
|
||
|
FRONTEND_MODULES:
|
||
|
- "plugins/oidc_frontend.yaml"
|
||
|
- "plugins/saml2_frontend.yaml"
|
||
|
MICRO_SERVICES:
|
||
|
- "plugins/attribute_authorization.yaml"
|
||
|
- "plugins/healthcheck.yaml"
|
||
|
LOGGING:
|
||
|
version: 1
|
||
|
formatters:
|
||
|
default:
|
||
|
format: "%(asctime)s [%(process)d] [%(levelname)s] %(message)s"
|
||
|
handlers:
|
||
|
console:
|
||
|
class: logging.StreamHandler
|
||
|
level: DEBUG
|
||
|
formatter: default
|
||
|
stream: ext://sys.stdout
|
||
|
loggers:
|
||
|
satosa:
|
||
|
level: DEBUG
|
||
|
handlers: [console]
|
||
|
saml2:
|
||
|
level: DEBUG
|
||
|
handlers: [console]
|
||
|
swamid_plugins:
|
||
|
level: DEBUG
|
||
|
handlers: [console]
|
||
|
saml2_backend:
|
||
|
config:
|
||
|
sp_config:
|
||
|
organization: {display_name: Platform services (test), name: Platform services (Test), url: 'https://sunet.se'}
|
||
|
contact_person:
|
||
|
- {contact_type: technical, email_address: noc@sunet.se, given_name: Technical}
|
||
|
- {contact_type: support, email_address: noc@sunet.se, given_name: Support}
|
||
|
key_file: backend.key
|
||
|
cert_file: backend.crt
|
||
|
encryption_keypairs:
|
||
|
- { key_file: backend.key, cert_file: backend.crt }
|
||
|
allow_unknown_attributes: true
|
||
|
metadata:
|
||
|
mdq:
|
||
|
- url: https://mds.swamid.se
|
||
|
cert: "/etc/satosa/md-signer2.crt"
|
||
|
entityid: https://idp-proxy-test.rut.sunet.se/sp
|
||
|
accepted_time_diff: 180
|
||
|
service:
|
||
|
sp:
|
||
|
name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
|
||
|
allow_unsolicited: true
|
||
|
endpoints:
|
||
|
assertion_consumer_service:
|
||
|
- [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
|
||
|
- [<base_url>/<name>/acs/redirect, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
|
||
|
discovery_response:
|
||
|
- [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
|
||
|
want_response_signed: False
|
||
|
want_assertions_signed: False
|
||
|
want_assertions_or_response_signed: True
|
||
|
xmlsec_binary: /usr/bin/xmlsec1
|
||
|
# We can't find the unspecified map. Ivan recommended to remove this setting
|
||
|
# attribute_map_dir: attributemaps
|
||
|
disco_srv: https://service.seamlessaccess.org/ds/
|
||
|
attribute_profile: saml
|
||
|
module: satosa.backends.saml2.SAMLBackend
|
||
|
name: Saml2SP
|
||
|
plugin: BackendModulePlugin
|
||
|
|
||
|
saml2_frontend:
|
||
|
module: satosa.frontends.saml2.SAMLFrontend
|
||
|
name: Saml2IDP
|
||
|
config:
|
||
|
#acr_mapping:
|
||
|
# "": default-LoA
|
||
|
# "https://accounts.google.com": LoA1
|
||
|
|
||
|
endpoints:
|
||
|
single_sign_on_service:
|
||
|
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post
|
||
|
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect
|
||
|
|
||
|
# If configured and not false or empty the common domain cookie _saml_idp will be set
|
||
|
# with or have appended the IdP used for authentication. The default is not to set the
|
||
|
# cookie. If the value is a dictionary with key 'domain' then the domain for the cookie
|
||
|
# will be set to the value for the 'domain' key. If no 'domain' is set then the domain
|
||
|
# from the BASE defined for the proxy will be used.
|
||
|
#common_domain_cookie:
|
||
|
# domain: .example.com
|
||
|
|
||
|
entityid_endpoint: true
|
||
|
enable_metadata_reload: no
|
||
|
|
||
|
idp_config:
|
||
|
key_file: frontend.key
|
||
|
cert_file: frontend.crt
|
||
|
metadata:
|
||
|
local: [metadata/monitor.xml]
|
||
|
|
||
|
entityid: <base_url>/<name>/proxy.xml
|
||
|
accepted_time_diff: 60
|
||
|
service:
|
||
|
idp:
|
||
|
endpoints:
|
||
|
single_sign_on_service: []
|
||
|
name: Proxy IdP
|
||
|
name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
|
||
|
policy:
|
||
|
default:
|
||
|
attribute_restrictions: null
|
||
|
fail_on_missing_requested: false
|
||
|
lifetime: {minutes: 15}
|
||
|
name_form: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
|
||
|
encrypt_assertion: false
|
||
|
encrypted_advice_attributes: false
|