From bd6b7893f1142ec727c5de4364ec0390bb49d66d Mon Sep 17 00:00:00 2001
From: Mikael Frykholm
Date: Tue, 30 Apr 2024 12:23:34 +0200
Subject: [PATCH] Start wiring up monitor and satosa.

---
 global/overlay/etc/puppet/cosmos-rules.yaml | 10 +-
 .../opt/naemon_monitor/attribute-policy.xml | 75 ++++++++
 .../opt/naemon_monitor/shibboleth2.xml | 63 +++++++
 .../overlay/etc/hiera/data/local.eyaml | 36 ++++
 .../overlay/etc/hiera/data/local.yaml | 169 ++++++++++++++++++
 5 files changed, 352 insertions(+), 1 deletion(-)
 create mode 100644 internal-sto4-test-monitor-1.rut.sunet.se/overlay/opt/naemon_monitor/attribute-policy.xml
 create mode 100644 internal-sto4-test-monitor-1.rut.sunet.se/overlay/opt/naemon_monitor/shibboleth2.xml
 create mode 100644 internal-sto4-test-satosa-1.rut.sunet.se/overlay/etc/hiera/data/local.eyaml
 create mode 100644 internal-sto4-test-satosa-1.rut.sunet.se/overlay/etc/hiera/data/local.yaml

diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index 072fa63..d4a62da 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -40,4 +40,12 @@
 thruk_users:
 - '*@sunet.se'
 nrpe_group: sunet::nagios::nrpe
-
+ thruk_extra_volumes:
+ - /opt/naemon_monitor/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml
+ - /opt/naemon_monitor/satosa.xml:/etc/shibboleth/satosa.xml
+ - /opt/naemon_monitor/attribute-policy.xml:/etc/shibboleth/attribute-policy.xml
+internal-sto3-test-satosa-1.platform.sunet.se:
+ sunet::dockerhost2:
+ sunet::satosa:
+ satosa_tag: 8.2.0
+ dehydrated_name: idp-proxy-test.rut.sunet.se
diff --git a/internal-sto4-test-monitor-1.rut.sunet.se/overlay/opt/naemon_monitor/attribute-policy.xml b/internal-sto4-test-monitor-1.rut.sunet.se/overlay/opt/naemon_monitor/attribute-policy.xml
new file mode 100644
index 0000000..9f319d2
--- /dev/null
+++ b/internal-sto4-test-monitor-1.rut.sunet.se/overlay/opt/naemon_monitor/attribute-policy.xml
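Review bot: The new rule key `internal-sto3-test-satosa-1.platform.sunet.se` does not match the hiera data this commit ships, which is placed under `internal-sto4-test-satosa-1.rut.sunet.se/overlay/etc/hiera/data/` (and whose eyaml blobs name that same sto4/rut host in the recipient certificate), so `sunet::satosa` would be applied to a host that never receives the local.yaml/local.eyaml it needs. The `thruk_extra_volumes` list also bind-mounts `/opt/naemon_monitor/satosa.xml` into the Shibboleth SP container, but only `shibboleth2.xml` and `attribute-policy.xml` are created here, so unless that metadata file is produced elsewhere the SP is pointed at a file that does not exist. Suggest `internal-sto4-test-satosa-1.rut.sunet.se:` for the rule key and either committing satosa.xml or dropping that mount until the proxy metadata is available.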
@@ -0,0 +1,75 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/internal-sto4-test-monitor-1.rut.sunet.se/overlay/opt/naemon_monitor/shibboleth2.xml b/internal-sto4-test-monitor-1.rut.sunet.se/overlay/opt/naemon_monitor/shibboleth2.xml new file mode 100644 index 0000000..9589435 --- /dev/null +++ b/internal-sto4-test-monitor-1.rut.sunet.se/overlay/opt/naemon_monitor/shibboleth2.xml @@ -0,0 +1,63 @@ + + + + + SAML2 Local + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/internal-sto4-test-satosa-1.rut.sunet.se/overlay/etc/hiera/data/local.eyaml b/internal-sto4-test-satosa-1.rut.sunet.se/overlay/etc/hiera/data/local.eyaml new file mode 100644 index 0000000..0535989 --- /dev/null +++ b/internal-sto4-test-satosa-1.rut.sunet.se/overlay/etc/hiera/data/local.eyaml 
@@ -0,0 +1,36 @@
+---
+satosa_state_encryption_key: ENC[PKCS7,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]
+satosa_user_id_hash_salt: ENC[PKCS7,MIIC/AYJKoZIhvcNAQcDoIIC7TCCAukCAQAxggKUMIICkAIBADB4MGAxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMTAvBgNVBAMMKGludGVybmFsLXN0bzQtdGVzdC1zYXRvc2EtMS5ydXQuc3VuZXQuc2UCFCQPzYT5P8dedNW1szZQvY2kGuFnMA0GCSqGSIb3DQEBAQUABIICAEf4wJee07QS5UjDHGQgFXNxOFPCdjYDTW/1P4WQhlA6Hdudp5+m5K+frx23Cap55ROAMiRyrlCTnp0P0hQ0QiCjGAUhVXEfxfH+fTogRtihZ704quF3yStHXR+eMSO2ofiyqs1pypzmd8r7E9CkQfvLFpErScXHiH2KjsWkEcMwP8aSAafaXyFXWmSolPg8Ivou1ROoObi6sffNhYHcmDU/BwCZsV4hG3PDT6zDNpGClSiD2MqR4QmVGBk5GhOT1ChjI5+YDIRH9Cdu61mnGU/zeoeFThRhOb7YNjgFKW5m27fCRuHGpuosK7SnP7ia0adGZ21gb/fzKd//VaEDt0eOvG6ZT2LyJUb1EwGhcUCw9OW6/VYRRPNXS6EKCJ8b2oHtIwdEe1hx8HyUOHo1zyh0u3DwpYM8cMIQQ/OI/Bc3o382qeWAlghZFtzrxxa4w05Xh69iAHzhcBsVtTLTUcFkI5Rom61MdMdMkBBE1f9cMpa78bR7XxlMt4uilYs0p5SY1b9X41fLdGG8pyfBcqQ184aRmjaK/2dby42sVp+WNTQKUVm2tnMEY9nW5O4kywwDrMuLmVakKYOhHASJxhluipmsWCLMsFpygEwPkvNaW83tcJKOlfPUVhoty9MHvYvOldhWWF4L1qqfNvQTWAUV2dKbNdH2AasLV7taYYUtMEwGCSqGSIb3DQEHATAdBglghkgBZQMEASoEEJbnUjGYzlNydv6DZhB8t7eAIFFQwZTk9JA0gkW48PLMfq/z8PegzUJGQ6O851kaSaEs]
+
+cdb:
+ platform:
+ response_types:
+ - code
+ - id_token
+ client_id: 
ENC[PKCS7,MIIC/AYJKoZIhvcNAQcDoIIC7TCCAukCAQAxggKUMIICkAIBADB4MGAxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMTAvBgNVBAMMKGludGVybmFsLXN0bzQtdGVzdC1zYXRvc2EtMS5ydXQuc3VuZXQuc2UCFCQPzYT5P8dedNW1szZQvY2kGuFnMA0GCSqGSIb3DQEBAQUABIICACWefjKuG37sSYt+z+KDHP0ZLHVe1Lc8EZWqHRsywdIbOduR2BOrB3kUHkNseNIwXLuVq/y3BQgS0wBeum4z1r7BthERZPxr764g51yxLnfugXerLlWq9YzNgTEwS3Vbr/q1TsxczMDuhPiWk+PwL0px3x+2zipB5DzzA5DiPhgkxxwc6kSpiB3eymYZtIlOmReSrfQAarM6j8mt3l52n4W+FsYAYHPtqaxPdAzlsr+hEOXCpNREAeA6wKItnWyXiDuFER2DcPYp/p2kaiXcU8CMujng6ljJJP0nuRlldX36YtW2DPWTLpVLboQ4d7UClr4wU5wPODLhmtD8At8kG4eyuyofmohBMjBLP9DNWf4ALussontEnRpqv+TvHsuEU92AnX2lTB4fkCKXo1aYsg73VuGETGp1sL0xtb1AAvAN4AGiEPwOMVXpEOjrKKA2/Pj0dz8bcO/meGRpFBDUCMuUJ+pgcYIDbPbrfCdVdSBI7AaWU9lq/3Za/z8Zrv8alJEW0s9j3y9bPzROIvvE8WbaKBInTzlD36Foj1QFJ2yInN82cSH4Q7LCVAkGiNkrTB3EKkdbyRb6vzYRneDx19DwdUIXx4gE1lQNEpO6W5cS7lElCU+AaAzmya1tV6p8e3L7mzVvaPJXIP8tNvAJLM3SGaMIudPFs8RMQ1G36UKqMEwGCSqGSIb3DQEHATAdBglghkgBZQMEASoEEGHXXgpAhcpuVrQJoxlYnamAIGlTfHwxx72/Qj2x2eyuIaD9KSVqXg1/iiHhmDFjZEQ6]
+ client_secret: ENC[PKCS7,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]
+ claims_supported:
+ - id_token
+ redirect_uris:
+ - 'https://rut.sunet.se/user/oauth2/platform/callback'
+ allowed_scope_values:
+ - profile
+ - email
+
+oidc_frontend:
+ name: oidc-front
+ config:
+ db_uri: ENC[PKCS7,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]
+ signing_key_path: frontend.key
+ client_db_path: cdb.json
+ backend_name: Saml2SP
+ provider:
+ client_registration_supported: Yes
+ response_types_supported: ["code", "id_token token"]
+ subject_types_supported: ["pairwise"]
+ scopes_supported: ["openid", "email"]
+ authorization_code_lifetime: 300
+ access_token_lifetime: 300
+ module: satosa.frontends.openid_connect.OpenIDConnectFrontend
+ plugin: FrontendModulePlugin
+ 
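Review bot: `client_registration_supported: Yes` under `oidc_frontend.config.provider` enables OIDC dynamic client registration even though the only relying party is registered statically in `cdb` with its secret and redirect URI; on an internet-facing proxy that is an unauthenticated endpoint nothing here needs, so set `client_registration_supported: No` unless something depends on it. `response_types_supported: ["code", "id_token token"]` also advertises the implicit flow (access token returned in the URL fragment) that the static client, registered for `code` and `id_token` only, never requests; trimming it to `["code", "id_token"]` keeps the provider aligned with the client it serves. Whether the pyop bundled in the 8.2.0 image actually exposes a registration endpoint on this flag should be confirmed, and `claims_supported: [id_token]` on the client entry reads like a copy of the response types rather than a claim list, so it is worth re-checking against the cdb schema.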
diff --git a/internal-sto4-test-satosa-1.rut.sunet.se/overlay/etc/hiera/data/local.yaml b/internal-sto4-test-satosa-1.rut.sunet.se/overlay/etc/hiera/data/local.yaml
new file mode 100644
index 0000000..d1bad26
--- /dev/null
+++ b/internal-sto4-test-satosa-1.rut.sunet.se/overlay/etc/hiera/data/local.yaml
@@ -0,0 +1,169 @@
+---
+satosa_config:
+ saml2_backend: "/etc/satosa/plugins/saml2_backend.yaml"
+ oidc_frontend: "/etc/satosa/plugins/oidc_frontend.yaml"
+ saml2_frontend: "/etc/satosa/plugins/saml2_frontend.yaml"
+ internal_attributes: "/etc/satosa/internal_attributes.yaml"
+ attribute_authorization: "/etc/satosa/plugins/attribute_authorization.yaml"
+ healthcheck: "/etc/satosa/plugins/healthcheck.yaml"
+
+satosa_json_config:
+ cdb: "/etc/satosa/cdb.json"
+
+attribute_authorization:
+ module: satosa.micro_services.attribute_authorization.AttributeAuthorization
+ plugin: AttributeAuthorization
+ name: AttributeAuthorization
+ config:
+ force_attributes_presence_on_allow: true
+ attribute_allow:
+ default:
+ rut:
+ subject-id:
+ - "."
+ default:
+ edupersonscopedaffiliation:
+ - "member@"
+ subject-id:
+ - "."
+healthcheck:
+ module: swamid_plugins.healthcheck.HealthCheck
+ name: HealthCheck
+internal_attributes:
+ attributes:
+ name:
+ openid: [name]
+ saml: [displayName]
+ givenname:
+ saml: [givenName]
+ openid: [given_name]
+ surname:
+ saml: [sn]
+ openid: [family_name]
+ mail:
+ openid: [email]
+ saml: [mail]
+ subject-id:
+ openid: [sub]
+ saml: [subject-id, eduPersonPrincipalName]
+ edupersonscopedaffiliation:
+ saml: [eduPersonScopedAffiliation]
+ openid: [scoped-affiliation]
+satosa_proxy_conf:
+ BASE: https://idp-proxy-test.rut.sunet.se
+ INTERNAL_ATTRIBUTES: "internal_attributes.yaml"
+ BACKEND_MODULES:
+ - "plugins/saml2_backend.yaml"
+ FRONTEND_MODULES:
+ - "plugins/oidc_frontend.yaml"
+ - "plugins/saml2_frontend.yaml"
+ MICRO_SERVICES:
+ - "plugins/attribute_authorization.yaml"
+ - "plugins/healthcheck.yaml"
+ LOGGING:
+ version: 1
+ formatters:
+ default:
+ format: "%(asctime)s [%(process)d] [%(levelname)s] %(message)s"
+ handlers:
+ console:
+ class: logging.StreamHandler
+ level: DEBUG
+ formatter: default
+ stream: ext://sys.stdout
+ loggers:
+ satosa:
+ level: DEBUG
+ handlers: [console]
+ saml2:
+ level: DEBUG
+ handlers: [console]
+ 
swamid_plugins:
+ level: DEBUG
+ handlers: [console]
+saml2_backend:
+ config:
+ sp_config:
+ organization: {display_name: Platform services (test), name: Platform services (Test), url: 'https://sunet.se'}
+ contact_person:
+ - {contact_type: technical, email_address: noc@sunet.se, given_name: Technical}
+ - {contact_type: support, email_address: noc@sunet.se, given_name: Support}
+ key_file: backend.key
+ cert_file: backend.crt
+ encryption_keypairs:
+ - { key_file: backend.key, cert_file: backend.crt }
+ allow_unknown_attributes: true
+ metadata:
+ mdq:
+ - url: https://mds.swamid.se
+ cert: "/etc/satosa/md-signer2.crt"
+ entityid: https://idp-proxy-test.rut.sunet.se/sp
+ accepted_time_diff: 180
+ service:
+ sp:
+ name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
+ allow_unsolicited: true
+ endpoints:
+ assertion_consumer_service:
+ - [//acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+ - [//acs/redirect, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+ discovery_response:
+ - [//disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
+ want_response_signed: False
+ want_assertions_signed: False
+ want_assertions_or_response_signed: True
+ xmlsec_binary: /usr/bin/xmlsec1
+ # We can't find the unspecified map. 
Ivan recommended to remove this setting
+ # attribute_map_dir: attributemaps
+ disco_srv: https://service.seamlessaccess.org/ds/
+ attribute_profile: saml
+ module: satosa.backends.saml2.SAMLBackend
+ name: Saml2SP
+ plugin: BackendModulePlugin
+
+saml2_frontend:
+ module: satosa.frontends.saml2.SAMLFrontend
+ name: Saml2IDP
+ config:
+ #acr_mapping:
+ # "": default-LoA
+ # "https://accounts.google.com": LoA1
+
+ endpoints:
+ single_sign_on_service:
+ 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post
+ 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect
+
+ # If configured and not false or empty the common domain cookie _saml_idp will be set
+ # with or have appended the IdP used for authentication. The default is not to set the
+ # cookie. If the value is a dictionary with key 'domain' then the domain for the cookie
+ # will be set to the value for the 'domain' key. If no 'domain' is set then the domain
+ # from the BASE defined for the proxy will be used.
+ #common_domain_cookie:
+ # domain: .example.com
+
+ entityid_endpoint: true
+ enable_metadata_reload: no
+
+ idp_config:
+ key_file: frontend.key
+ cert_file: frontend.crt
+ metadata:
+ local: [metadata/monitor.xml]
+
+ entityid: //proxy.xml
+ accepted_time_diff: 60
+ service:
+ idp:
+ endpoints:
+ single_sign_on_service: []
+ name: Proxy IdP
+ name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
+ policy:
+ default:
+ attribute_restrictions: null
+ fail_on_missing_requested: false
+ lifetime: {minutes: 15}
+ name_form: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
+ encrypt_assertion: false
+ encrypted_advice_attributes: false
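Review bot: `allow_unsolicited: true` in `saml2_backend.config.sp_config.service.sp` makes the proxy's SP accept SAML responses that are not bound to an AuthnRequest it issued, and with `want_response_signed: False` and `want_assertions_signed: False` the only integrity requirement left is `want_assertions_or_response_signed: True`; unless IdP-initiated login is genuinely needed for the monitor, set `allow_unsolicited: false` so every response must carry a matching InResponseTo. The `LOGGING` section runs the `satosa`, `saml2` and `swamid_plugins` loggers at `DEBUG` to stdout, and pysaml2's debug output typically includes decoded assertions and the released attributes, so container logs will accumulate personal data; `level: INFO` is the safer default even on a test host. The `attribute_allow` values `"."` and `"member@"` are treated as regular expressions by the micro-service, and `"."` admits any non-empty subject-id, but whether `"member@"` is anchored at the start or matched anywhere depends on how the plugin compiles it, so confirm it cannot also admit values such as `notamember@example.org` before this is promoted beyond test. The frontend's `metadata.local: [metadata/monitor.xml]` references a file that is not part of this commit, so the SAML frontend will presumably refuse the monitor's SP until it is provisioned.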