# Destination paths for the generated SATOSA configuration fragments.
# Each key here matches a top-level section of this file — presumably the
# consuming role/template renders that section to the path given; confirm
# against whatever consumes this vars file.
satosa_config:
  saml2_backend: '/etc/satosa/plugins/saml2_backend.yaml'
  saml2_frontend: '/etc/satosa/plugins/saml2_frontend.yaml'
  internal_attributes: '/etc/satosa/internal_attributes.yaml'
  attribute_filter: '/etc/satosa/plugins/attribute_filter.yaml'
  oidc_frontend: '/etc/satosa/plugins/oidc_frontend.yaml'
# Internal attribute names (lowercase keys) and, per profile (saml / openid),
# the external attribute names they are mapped from and to.
internal_attributes:
  attributes:
    edupersonprincipalname:
      saml:
        - eduPersonPrincipalName
        # NOTE(review): subject-id and eduPersonPrincipalName are distinct
        # identifiers with different guarantees (subject-id is never reassigned,
        # ePPN may be).  Folding both into one internal attribute hides which
        # one the IdP actually released — confirm this is intended.
        - subject-id
      openid:
        - edupersonprincipalname
    mail:
      saml:
        - email
        - emailAddress
        - mail
      openid:
        - email
    name:
      saml:
        - cn
      openid:
        - name
    displayname:
      saml:
        - displayName
      openid:
        - nickname
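# Micro-service that drops attribute values which do not pass a filter.
attribute_filter:
  module: satosa.micro_services.attribute_modifications.FilterAttributeValues
  name: AttributeFilter
  config:
    attribute_filters:
      # Both `default` levels make the filter apply regardless of which
      # target IdP answered and which requester asked.
      default:
        default:
          # NOTE(review): internal_attributes names this attribute
          # `edupersonprincipalname` (all lowercase).  Micro-services operate
          # on internal attribute names; if that lookup is case-sensitive this
          # key never matches and the scope check below is silently skipped.
          # Confirm the spelling against the SATOSA version in use.
          eduPersonPrincipalName:
            # enforce correct scope: keep only values whose scope part matches
            # a shibmd:Scope advertised in the asserting IdP's metadata.
            # The original left this key without a value (YAML null); `true`
            # is the documented way to enable the check and avoids a null
            # being read as "off" by a truthiness test.
            shibmdscope_match_scope: true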
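# Main proxy configuration.  The relative paths below are presumably resolved
# against the SATOSA config directory (/etc/satosa, per satosa_config above).
# Indentation made uniform (the LOGGING subtree used a different step).
satosa_proxy_conf:
  BASE: https://test-sso-proxy1.cert.sunet.se
  INTERNAL_ATTRIBUTES: "internal_attributes.yaml"
  MICRO_SERVICES:
    - "plugins/attribute_filter.yaml"
  BACKEND_MODULES:
    - "plugins/saml2_backend.yaml"
  FRONTEND_MODULES:
    - "plugins/saml2_frontend.yaml"
    - "plugins/oidc_frontend.yaml"
  # Python logging.config.dictConfig schema (version 1)
  LOGGING:
    version: 1
    formatters:
      default:
        format: "%(asctime)s [%(process)d] [%(levelname)s] %(message)s"
    handlers:
      console:
        class: logging.StreamHandler
        level: DEBUG
        formatter: default
        stream: ext://sys.stdout
    loggers:
      # NOTE(review): DEBUG on the satosa and saml2 loggers is very verbose and
      # may write assertion and attribute contents (personal data) to stdout.
      # Consider INFO outside of active troubleshooting.
      satosa:
        level: DEBUG
        handlers: [console]
      saml2:
        level: DEBUG
        handlers: [console]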
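# SAML2 backend: the proxy's SP side, federating through the SWAMID MDQ.
# Booleans are written lowercase (same values as the original True/False).
saml2_backend:
  module: satosa.backends.saml2.SAMLBackend
  name: Saml2SP
  plugin: BackendModulePlugin
  config:
    # pysaml2 SP configuration
    sp_config:
      # signing keypair; the same pair is reused for assertion decryption below
      key_file: backend.key
      cert_file: backend.crt
      # clock skew (seconds) tolerated when validating assertion time windows
      accepted_time_diff: 180
      encryption_keypairs:
        - { key_file: backend.key, cert_file: backend.crt }
      # presumably: attributes missing from attribute_map_dir are kept, not rejected
      allow_unknown_attributes: true
      metadata:
        # IdP metadata fetched per entity from the MDQ service; responses are
        # verified against the signer certificate given in `cert`
        mdq:
          - url: https://mds.swamid.se/
            cert: md-signer2.crt
      entityid: https://test-sso-proxy1.cert.sunet.se/sp
      service:
        sp:
          name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
          # NOTE(review): accepts IdP-initiated responses that match no
          # outstanding AuthnRequest.  Only needed for IdP-initiated login;
          # otherwise `false` keeps the request/response binding tight.
          allow_unsolicited: true
          endpoints:
            assertion_consumer_service:
              - [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
              - [<base_url>/<name>/acs/redirect, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
            discovery_response:
              - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
          # Signature policy: neither the Response nor the Assertion is
          # individually required to be signed, but at least one of them must be.
          want_response_signed: false
          want_assertions_signed: false
          want_assertions_or_response_signed: true
      xmlsec_binary: /usr/bin/xmlsec1
      attribute_map_dir: attributemaps
    # discovery service users are sent to for IdP selection
    disco_srv: https://service.seamlessaccess.org/ds
    attribute_profile: saml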
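# SAML2 frontend: the proxy's IdP side, serving the locally registered SP.
saml2_frontend:
  module: satosa.frontends.saml2.SAMLFrontend
  plugin: FrontendModulePlugin
  name: Saml2IDP
  config:
    # serve this IdP's metadata at its entityid URL
    entityid_endpoint: true
    # pysaml2 IdP configuration
    idp_config:
      key_file: frontend.key
      cert_file: frontend.crt
      # clock skew (seconds) tolerated on incoming requests
      accepted_time_diff: 180
      metadata:
        # SP metadata is pinned from a local file rather than fetched
        local:
          - metadata/vul-dashboard-test.xml
      entityid: https://test-sso-proxy1.cert.sunet.se/idp
      service:
        idp:
          # left empty here; presumably populated by SATOSA from `endpoints` below
          endpoints:
            single_sign_on_service: []
          name: SUNET CERT Staff Login
          name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
          policy:
            default:
              # NOTE(review): null means no per-SP attribute restriction —
              # every attribute that survives the attribute filter is released
              # to the SP.  Restrict here if the SP needs only a subset.
              attribute_restrictions: null
              fail_on_missing_requested: false
              # assertion validity window
              lifetime: {minutes: 15}
              name_form: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
          # AuthnRequests are accepted unsigned; the SP is trusted via its
          # pinned metadata above
          want_authn_requests_signed: false
          entity_categories: ['refeds']
      xmlsec_binary: /usr/bin/xmlsec1
    # SSO endpoint paths keyed by binding (block style instead of the original
    # two-line flow mapping; same keys and values)
    endpoints:
      single_sign_on_service:
        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post
        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect
    attribute_profile: saml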
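# OpenID Connect frontend (OP) in front of the SAML backend.
# Indentation normalised to two spaces (the provider subtree used four).
oidc_frontend:
  module: satosa.frontends.openid_connect.OpenIDConnectFrontend
  plugin: FrontendModulePlugin
  name: oidc-front
  config:
    # NOTE(review): for the stateless store the user:password part of this URI
    # is presumably the material the encryption key is derived from, which
    # makes the value a secret.  Committing it to version control exposes every
    # session/token it protects; inject it from a secret store or a templated
    # variable, and rotate it if it has already been committed.  Kept as-is.
    db_uri: stateless://user:dkjrwtfsosagh.beygfdsbh8udbo@localhost?alg=aes256
    # key used to sign ID tokens (the same file the SAML frontend signs with)
    signing_key_path: frontend.key
    # static client registrations; dynamic registration is disabled below
    client_db_path: cdb.json
    backend_name: Saml2SP
    provider:
      client_registration_supported: false
      # NOTE(review): `id_token token` delivers tokens in the URL fragment
      # (implicit-style flow).  If no registered client needs it, offering
      # `code` alone is the more conservative choice.
      response_types_supported:
        - code
        - id_token token
      subject_types_supported:
        - pairwise
      scopes_supported:
        - openid
        - email
      # lifetimes (seconds)
      authorization_code_lifetime: 600
      access_token_lifetime: 3600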