--- satosa_config: saml2_backend: "/etc/satosa/plugins/saml2_backend.yaml" oidc_frontend: "/etc/satosa/plugins/oidc_frontend.yaml" saml2_frontend: "/etc/satosa/plugins/saml2_frontend.yaml" internal_attributes: "/etc/satosa/internal_attributes.yaml" attribute_authorization: "/etc/satosa/plugins/attribute_authorization.yaml" healthcheck: "/etc/satosa/plugins/healthcheck.yaml" satosa_json_config: cdb: "/etc/satosa/cdb.json" attribute_authorization: module: satosa.micro_services.attribute_authorization.AttributeAuthorization plugin: AttributeAuthorization name: AttributeAuthorization config: force_attributes_presence_on_allow: true attribute_allow: default: rut: subject-id: - "." default: edupersonscopedaffiliation: - "member@" subject-id: - "." healthcheck: module: swamid_plugins.healthcheck.HealthCheck name: HealthCheck internal_attributes: attributes: name: openid: [name] saml: [displayName] givenname: saml: [givenName] openid: [given_name] surname: saml: [sn] openid: [family_name] mail: openid: [email] saml: [mail] subject-id: openid: [sub] saml: [subject-id, eduPersonPrincipalName] edupersonscopedaffiliation: saml: [eduPersonScopedAffiliation] openid: [scoped-affiliation] satosa_proxy_conf: BASE: https://idp-proxy-test.rut.sunet.se INTERNAL_ATTRIBUTES: "internal_attributes.yaml" BACKEND_MODULES: - "plugins/saml2_backend.yaml" FRONTEND_MODULES: - "plugins/oidc_frontend.yaml" - "plugins/saml2_frontend.yaml" MICRO_SERVICES: - "plugins/attribute_authorization.yaml" - "plugins/healthcheck.yaml" LOGGING: version: 1 formatters: default: format: "%(asctime)s [%(process)d] [%(levelname)s] %(message)s" handlers: console: class: logging.StreamHandler level: DEBUG formatter: default stream: ext://sys.stdout loggers: satosa: level: DEBUG handlers: [console] saml2: level: DEBUG handlers: [console] swamid_plugins: level: DEBUG handlers: [console] saml2_backend: config: sp_config: organization: {display_name: Platform services (test), name: Platform services (Test), url: 'https://sunet.se'} contact_person: - {contact_type: technical, email_address: noc@sunet.se, given_name: Technical} - {contact_type: support, email_address: noc@sunet.se, given_name: Support} key_file: backend.key cert_file: backend.crt encryption_keypairs: - { key_file: backend.key, cert_file: backend.crt } allow_unknown_attributes: true metadata: mdq: - url: https://mds.swamid.se cert: "/etc/satosa/md-signer2.crt" entityid: https://idp-proxy-test.rut.sunet.se/sp accepted_time_diff: 180 service: sp: name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:transient'] allow_unsolicited: true endpoints: assertion_consumer_service: - [//acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'] - [//acs/redirect, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'] discovery_response: - [//disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol'] want_response_signed: False want_assertions_signed: False want_assertions_or_response_signed: True xmlsec_binary: /usr/bin/xmlsec1 # We can't find the unspecified map. Ivan recommended to remove this setting # attribute_map_dir: attributemaps disco_srv: https://service.seamlessaccess.org/ds/ attribute_profile: saml module: satosa.backends.saml2.SAMLBackend name: Saml2SP plugin: BackendModulePlugin saml2_frontend: module: satosa.frontends.saml2.SAMLFrontend name: Saml2IDP config: #acr_mapping: # "": default-LoA # "https://accounts.google.com": LoA1 endpoints: single_sign_on_service: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect # If configured and not false or empty the common domain cookie _saml_idp will be set # with or have appended the IdP used for authentication. The default is not to set the # cookie. If the value is a dictionary with key 'domain' then the domain for the cookie # will be set to the value for the 'domain' key. If no 'domain' is set then the domain # from the BASE defined for the proxy will be used. #common_domain_cookie: # domain: .example.com entityid_endpoint: true enable_metadata_reload: no idp_config: key_file: frontend.key cert_file: frontend.crt metadata: local: [metadata/monitor.xml] entityid: //proxy.xml accepted_time_diff: 60 service: idp: endpoints: single_sign_on_service: [] name: Proxy IdP name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'] policy: default: attribute_restrictions: null fail_on_missing_requested: false lifetime: {minutes: 15} name_form: urn:oasis:names:tc:SAML:2.0:attrname-format:uri encrypt_assertion: false encrypted_advice_attributes: false