rut-test-ops/internal-sto4-test-satosa-1.rut.sunet.se/overlay/etc/hiera/data/local.yaml

---
satosa_config:
   saml2_backend: "/etc/satosa/plugins/saml2_backend.yaml"
   oidc_frontend: "/etc/satosa/plugins/oidc_frontend.yaml"
   saml2_frontend: "/etc/satosa/plugins/saml2_frontend.yaml"
   internal_attributes: "/etc/satosa/internal_attributes.yaml"
   attribute_authorization: "/etc/satosa/plugins/attribute_authorization.yaml"
   healthcheck: "/etc/satosa/plugins/healthcheck.yaml"

satosa_json_config:
  cdb: "/etc/satosa/cdb.json"

attribute_authorization:
   module: satosa.micro_services.attribute_authorization.AttributeAuthorization
   plugin: AttributeAuthorization
   name: AttributeAuthorization
   config:
      force_attributes_presence_on_allow: true
      attribute_allow:
         default:
            rut:
               subject-id:
                  - "."
            default:
               edupersonscopedaffiliation:
                  - "member@"
               subject-id:
                  - "."
healthcheck:
   module: swamid_plugins.healthcheck.HealthCheck
   name: HealthCheck
internal_attributes:
   attributes:
      name:
        openid: [name]
        saml: [displayName]
      givenname:
         saml: [givenName]
         openid: [given_name]
      surname:
        saml: [sn]
        openid: [family_name]
      mail:
        openid: [email]
        saml: [mail]
      subject-id:
        openid: [sub]
        saml: [subject-id, eduPersonPrincipalName]
      edupersonscopedaffiliation:
        saml: [eduPersonScopedAffiliation]
        openid: [scoped-affiliation]
satosa_proxy_conf:
   BASE: https://idp-proxy-test.rut.sunet.se
   INTERNAL_ATTRIBUTES: "internal_attributes.yaml"
   BACKEND_MODULES:
      - "plugins/saml2_backend.yaml"
   FRONTEND_MODULES:
      - "plugins/oidc_frontend.yaml"
      - "plugins/saml2_frontend.yaml"
   MICRO_SERVICES:
      - "plugins/attribute_authorization.yaml"
      - "plugins/healthcheck.yaml"
   LOGGING:
     version: 1
     formatters:
        default:
           format: "%(asctime)s [%(process)d] [%(levelname)s] %(message)s"
     handlers:
        console:
           class: logging.StreamHandler
           level: DEBUG
           formatter: default
           stream: ext://sys.stdout
     loggers:
        satosa:
           level: DEBUG
           handlers: [console]
        saml2:
           level: DEBUG
           handlers: [console]
        swamid_plugins:
           level: DEBUG
           handlers: [console]
saml2_backend:
  config:
    sp_config:
      organization: {display_name: RUT services (test), name: RUT services (Test), url: 'https://rut.sunet.se'}
      contact_person:
        - {contact_type: technical, email_address: noc@sunet.se, given_name: Technical}
        - {contact_type: support, email_address: noc@sunet.se, given_name: Support}
      key_file: backend.key
      cert_file: backend.crt
      encryption_keypairs:
        - { key_file: backend.key, cert_file: backend.crt }
      allow_unknown_attributes: true
      metadata:
        mdq:
         - url: https://mds.swamid.se
           cert: "/etc/satosa/md-signer2.crt"
      entityid: https://idp-proxy-test.rut.sunet.se/sp
      accepted_time_diff: 180
      service:
        sp:
          name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
          allow_unsolicited: true
          endpoints:
            assertion_consumer_service:
              - [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
              - [<base_url>/<name>/acs/redirect, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
            discovery_response:
              - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
          want_response_signed: False
          want_assertions_signed: False
          want_assertions_or_response_signed: True
      xmlsec_binary: /usr/bin/xmlsec1
      # We can't find the unspecified map. Ivan recommended to remove this setting
      # attribute_map_dir: attributemaps
    disco_srv: https://service.seamlessaccess.org/ds/
    attribute_profile: saml
  module: satosa.backends.saml2.SAMLBackend
  name: Saml2SP
  plugin: BackendModulePlugin

saml2_frontend:
  module: satosa.frontends.saml2.SAMLFrontend
  name: Saml2IDP
  config:
    #acr_mapping:
    #  "": default-LoA
    #  "https://accounts.google.com": LoA1

    endpoints:
      single_sign_on_service:
        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post
        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect

    # If configured and not false or empty the common domain cookie _saml_idp will be set
    # with or have appended the IdP used for authentication. The default is not to set the
    # cookie. If the value is a dictionary with key 'domain' then the domain for the cookie
    # will be set to the value for the 'domain' key. If no 'domain' is set then the domain
    # from the BASE defined for the proxy will be used.
    #common_domain_cookie:
    #  domain: .example.com

    entityid_endpoint: true
    enable_metadata_reload: no

    idp_config:
      key_file: frontend.key
      cert_file: frontend.crt
      metadata:
        local: [metadata/monitor.xml]

      entityid: <base_url>/<name>/proxy.xml
      accepted_time_diff: 60
      service:
        idp:
          endpoints:
            single_sign_on_service: []
          name: Proxy IdP
          name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
          policy:
            default:
              attribute_restrictions: null
              fail_on_missing_requested: false
              lifetime: {minutes: 15}
              name_form: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
              encrypt_assertion: false
              encrypted_advice_attributes: false
Start wiring up monitor and satosa. 2024-04-30 10:23:34 +00:00			`---`
			`satosa_config:`
			`saml2_backend: "/etc/satosa/plugins/saml2_backend.yaml"`
			`oidc_frontend: "/etc/satosa/plugins/oidc_frontend.yaml"`
			`saml2_frontend: "/etc/satosa/plugins/saml2_frontend.yaml"`
			`internal_attributes: "/etc/satosa/internal_attributes.yaml"`
			`attribute_authorization: "/etc/satosa/plugins/attribute_authorization.yaml"`
			`healthcheck: "/etc/satosa/plugins/healthcheck.yaml"`

			`satosa_json_config:`
			`cdb: "/etc/satosa/cdb.json"`

			`attribute_authorization:`
			`module: satosa.micro_services.attribute_authorization.AttributeAuthorization`
			`plugin: AttributeAuthorization`
			`name: AttributeAuthorization`
			`config:`
			`force_attributes_presence_on_allow: true`
			`attribute_allow:`
			`default:`
			`rut:`
			`subject-id:`
			`- "."`
			`default:`
			`edupersonscopedaffiliation:`
			`- "member@"`
			`subject-id:`
			`- "."`
			`healthcheck:`
			`module: swamid_plugins.healthcheck.HealthCheck`
			`name: HealthCheck`
			`internal_attributes:`
			`attributes:`
			`name:`
			`openid: [name]`
			`saml: [displayName]`
			`givenname:`
			`saml: [givenName]`
			`openid: [given_name]`
			`surname:`
			`saml: [sn]`
			`openid: [family_name]`
			`mail:`
			`openid: [email]`
			`saml: [mail]`
			`subject-id:`
			`openid: [sub]`
			`saml: [subject-id, eduPersonPrincipalName]`
			`edupersonscopedaffiliation:`
			`saml: [eduPersonScopedAffiliation]`
			`openid: [scoped-affiliation]`
			`satosa_proxy_conf:`
			`BASE: https://idp-proxy-test.rut.sunet.se`
			`INTERNAL_ATTRIBUTES: "internal_attributes.yaml"`
			`BACKEND_MODULES:`
			`- "plugins/saml2_backend.yaml"`
			`FRONTEND_MODULES:`
			`- "plugins/oidc_frontend.yaml"`
			`- "plugins/saml2_frontend.yaml"`
			`MICRO_SERVICES:`
			`- "plugins/attribute_authorization.yaml"`
			`- "plugins/healthcheck.yaml"`
			`LOGGING:`
			`version: 1`
			`formatters:`
			`default:`
			`format: "%(asctime)s [%(process)d] [%(levelname)s] %(message)s"`
			`handlers:`
			`console:`
			`class: logging.StreamHandler`
			`level: DEBUG`
			`formatter: default`
			`stream: ext://sys.stdout`
			`loggers:`
			`satosa:`
			`level: DEBUG`
			`handlers: [console]`
			`saml2:`
			`level: DEBUG`
			`handlers: [console]`
			`swamid_plugins:`
			`level: DEBUG`
			`handlers: [console]`
			`saml2_backend:`
			`config:`
			`sp_config:`
Correct name 2024-04-30 10:26:14 +00:00			`organization: {display_name: RUT services (test), name: RUT services (Test), url: 'https://rut.sunet.se'}`
Start wiring up monitor and satosa. 2024-04-30 10:23:34 +00:00			`contact_person:`
			`- {contact_type: technical, email_address: noc@sunet.se, given_name: Technical}`
			`- {contact_type: support, email_address: noc@sunet.se, given_name: Support}`
			`key_file: backend.key`
			`cert_file: backend.crt`
			`encryption_keypairs:`
			`- { key_file: backend.key, cert_file: backend.crt }`
			`allow_unknown_attributes: true`
			`metadata:`
			`mdq:`
			`- url: https://mds.swamid.se`
			`cert: "/etc/satosa/md-signer2.crt"`
			`entityid: https://idp-proxy-test.rut.sunet.se/sp`
			`accepted_time_diff: 180`
			`service:`
			`sp:`
			`name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:transient']`
			`allow_unsolicited: true`
			`endpoints:`
			`assertion_consumer_service:`
			`- [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']`
			`- [<base_url>/<name>/acs/redirect, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']`
			`discovery_response:`
			`- [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']`
			`want_response_signed: False`
			`want_assertions_signed: False`
			`want_assertions_or_response_signed: True`
			`xmlsec_binary: /usr/bin/xmlsec1`
			`# We can't find the unspecified map. Ivan recommended to remove this setting`
			`# attribute_map_dir: attributemaps`
			`disco_srv: https://service.seamlessaccess.org/ds/`
			`attribute_profile: saml`
			`module: satosa.backends.saml2.SAMLBackend`
			`name: Saml2SP`
			`plugin: BackendModulePlugin`

			`saml2_frontend:`
			`module: satosa.frontends.saml2.SAMLFrontend`
			`name: Saml2IDP`
			`config:`
			`#acr_mapping:`
			`# "": default-LoA`
			`# "https://accounts.google.com": LoA1`

			`endpoints:`
			`single_sign_on_service:`
			`'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post`
			`'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect`

			`# If configured and not false or empty the common domain cookie _saml_idp will be set`
			`# with or have appended the IdP used for authentication. The default is not to set the`
			`# cookie. If the value is a dictionary with key 'domain' then the domain for the cookie`
			`# will be set to the value for the 'domain' key. If no 'domain' is set then the domain`
			`# from the BASE defined for the proxy will be used.`
			`#common_domain_cookie:`
			`# domain: .example.com`

			`entityid_endpoint: true`
			`enable_metadata_reload: no`

			`idp_config:`
			`key_file: frontend.key`
			`cert_file: frontend.crt`
			`metadata:`
			`local: [metadata/monitor.xml]`

			`entityid: <base_url>/<name>/proxy.xml`
			`accepted_time_diff: 60`
			`service:`
			`idp:`
			`endpoints:`
			`single_sign_on_service: []`
			`name: Proxy IdP`
			`name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient']`
			`policy:`
			`default:`
			`attribute_restrictions: null`
			`fail_on_missing_requested: false`
			`lifetime: {minutes: 15}`
			`name_form: urn:oasis:names:tc:SAML:2.0:attrname-format:uri`
			`encrypt_assertion: false`
			`encrypted_advice_attributes: false`