Added a lot of SSO stuff and base for SSO proxy.

global/overlay/etc/puppet/cosmos-rules.yaml

@@ -6,11 +6,18 @@
     ssh_allow_from_anywhere: false
 
 '^internal-sto1-dev-vulndash-1.cert.sunet.se$':
-  soc::sso:
+#  soc::sso:
-    hostname: 'vd-dev.cert.sunet.se'
+#    hostname: 'vd-dev.cert.sunet.se'
-    email: 'cert@cert.sunet.se'
+#    email: 'cert@cert.sunet.se'
-    service_endpoint: 'http://nginx:80'
+#    service_endpoint: 'http://nginx:80'
-    x_remote_user: true
+#    x_remote_user: true
-    groups:
+#    groups:
-      - 'sunet-cert'
+#      - 'sunet-cert'
-    certbot: false
+#    certbot: false
+
+test-sso-proxy1.cert.sunet.se:
+  sunet::starship:
+  sunet::dockerhost2:
+  sunet::satosa:
+    satosa_tag: 8.4.0
+#    dehydrated_name: 'test-sso-proxy1.cert.sunet.se'

global/overlay/etc/puppet/modules/soc/files/sso/frontend.xml

@@ -0,0 +1 @@
+

global/overlay/etc/puppet/modules/soc/manifests/sso.pp

@@ -1,4 +1,3 @@
-## Copy from CNAAS, modifications for Sunet CERT
 #
 # General SSO documentation: https://wiki.sunet.se/x/sZGLBg
 #
@@ -22,7 +21,7 @@
 #   cases where the service we reverse proxy for can't create new accounts automatically.
 #   We use this only for Graylog at the time of writing.
 #
-# @param swamid_testing Set this to true if your SP is registered in swamid-testing.
+/ @param swamid_testing Set this to true if your SP is registered in swamid-testing.
 #
 # @param front_clients
 #   Hiera field, defined at common.yaml, with the the frontend IP prefixes that require access
@@ -38,8 +37,11 @@ class soc::sso(
   $swamid_testing = false,
   $single_user = false,
   $front_clients = '',
+  $satosa = true,
+  $satosa_certbot = true,
   $translog = 'INFO',
-  $certbot = true,
+  $proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp',
+  $norpan = false,
 ) {
 
   file { '/opt/sso':
@@ -98,15 +100,46 @@ class soc::sso(
     ensure  => file,
     content => file('soc/sso/md-signer2.crt'),
   }
+  if $satosa {
+    if $norpan {
+        file { '/opt/sso/shibboleth/frontend.xml':
+          ensure  => file,
+          content => file('soc/sso/frontend_norpan.xml'),
+        }
+    } else {
+        file { '/opt/sso/shibboleth/frontend.xml':
+          ensure  => file,
+          content => file('soc/sso/frontend.xml'),
+        }
+    }
+
+    file { '/opt/sso/shibboleth/attribute-policy.xml':
+      ensure  => file,
+      content => file('soc/sso/attribute-policy.xml'),
+    }
+
+    if lookup('sso_sp_key', undef, undef, undef) != undef {
       sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem':
         hiera_key => 'sso_sp_key'
       }
+    } else {
+      sunet::snippets::keygen {'shib_cert':
+        key_file  => '/opt/sso/shibboleth/sp-key.pem',
+        cert_file => '/opt/sso/shibboleth/sp-cert.pem'
+      }
+    }
+
+  } else {
+    sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem':
+      hiera_key => 'sso_sp_key'
+    }
+  }
 
   #
   # Certbot
   #
 
-  if $certbot {
+  if $satosa_certbot {
     package { ['certbot', 'python3-requests']:
       ensure => 'latest',
     }

global/overlay/etc/puppet/modules/soc/templates/sso/apache-site.conf.erb

@@ -34,7 +34,7 @@
         <%- if @x_remote_user -%>
         RequestHeader set X-Remote-User %{REMOTE_USER}s
         <%- elsif @single_user -%>
-        RequestHeader set X-Remote-User soc-user
+        RequestHeader set X-Remote-User cnaas-user
         <%- else -%>
         ShibUseHeaders On
         <%- end -%>

global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb

@@ -15,7 +15,12 @@ services:
       - ./shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml
       - ./shibboleth/shibd.logger:/etc/shibboleth/shibd.logger
       - ./shibboleth/attribute-map.xml:/etc/shibboleth/attribute-map.xml
+<% if @satosa -%>
+      - ./shibboleth/frontend.xml:/etc/shibboleth/frontend.xml
+      - ./shibboleth/attribute-policy.xml:/etc/shibboleth/attribute-policy.xml
+<% else -%>
       - ./shibboleth/md-signer2.crt:/etc/shibboleth/md-signer2.crt
+<% end -%>
       - ./shibboleth/sp-cert.pem:/etc/shibboleth/sp-cert.pem
       - ./shibboleth/sp-key.pem:/etc/shibboleth/sp-key.pem
 networks:

global/overlay/etc/puppet/modules/soc/templates/sso/shibboleth2.xml.erb

@@ -40,6 +40,12 @@
             <!-- SAML and local-only logout. -->
 
             <Logout>SAML2 Local</Logout>
+<% if @satosa -%>
+            <SessionInitiator type="Chaining" Location="/satosa" id="satosa"
+                    entityID="<%= @proxy %>">
+                <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
+            </SessionInitiator>
+<% else -%>
             <SessionInitiator type="Chaining" Location="/DS/Login" id="swamid-ds-default" relayState="cookie">
                 <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
                 <SessionInitiator type="Shib1" defaultACSIndex="5"/>
@@ -49,6 +55,7 @@
                 <SessionInitiator type="SAMLDS" URL="https://service.seamlessaccess.org/ds"/>
                 <%- end -%>
             </SessionInitiator>
+<% end -%>
 
             <!--
             md:AssertionConsumerService locations handle specific SSO protocol bindings,