feat: generalize variables usage
This commit is contained in:
parent
20f5ef8faa
commit
4152fa2e3d
|
@ -4,6 +4,14 @@ cadoles_pod_debian_repository_url: https://vulcain.cadoles.com
|
|||
cadoles_pod_debian_repository: bullseye-dev
|
||||
cadoles_pod_debian_repository_key_url: https://vulcain.cadoles.com/cadoles.gpg
|
||||
|
||||
# packages versions
|
||||
haproxy_package_version: '*'
|
||||
cadoles_pod_hydra_v1_package_version: '*'
|
||||
cadoles_pod_hydra_dispatcher_v1_package_version: '*'
|
||||
cadoles_pod_shibboleth_sp_v3_package_version: '*'
|
||||
cadoles_pod_hydra_remote_user_v1_package_version: '*'
|
||||
cadoles_pod_hydra_passwordless_v1_package_version: '*'
|
||||
|
||||
# Hydra database configuration
|
||||
hydra_use_external_database: no
|
||||
hydra_database_name: hydra
|
||||
|
@ -12,17 +20,35 @@ hydra_database_password: hydra
|
|||
hydra_database_host: 10.0.2.2
|
||||
hydra_database_port: 3306
|
||||
|
||||
# HAProxy configuration
|
||||
|
||||
haproxy_public_base_url: http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}
|
||||
haproxy_hydra_dispatcher_base_path: /auth/dispatcher
|
||||
haproxy_hydra_passwordless_base_path: /auth/passwordless
|
||||
haproxy_hydra_saml_base_path: /auth/saml
|
||||
|
||||
haproxy_forwarded_proto: https
|
||||
haproxy_forwarded_host: "%[req.hdr(Host)]"
|
||||
haproxy_forwarded_port: "%[dst_port]"
|
||||
|
||||
# Hydra OIDC configuration
|
||||
|
||||
public_scheme: http
|
||||
public_host: "{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
|
||||
hydra_urls_self_issuer_url: "{{ haproxy_public_base_url }}"
|
||||
hydra_urls_consent: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/consent"
|
||||
hydra_urls_login: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/login"
|
||||
hydra_urls_logout: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/logout"
|
||||
|
||||
hydra_log_level: warn
|
||||
hydra_log_leak_sensitive_values: no
|
||||
|
||||
# This value should not be changed after first deployment !
|
||||
hydra_secrets_seed: "{{ inventory_hostname }}"
|
||||
|
||||
# Hydra clients
|
||||
|
||||
hydra_clients:
|
||||
- client_id: default-client
|
||||
client_name: Default client
|
||||
redirect_uris: ["{{ public_scheme }}://{{ public_host }}"]
|
||||
|
||||
# Hydra Passwordless configuration
|
||||
|
||||
|
@ -51,5 +77,6 @@ hydra_saml_idp_metadata_url: https://samltest.id/saml/idp
|
|||
# OIDC Test configuration
|
||||
|
||||
enable_oidc_test_app: yes
|
||||
oidc_test_app_public_base_url: http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}:8080
|
||||
oidc_test_app_client_id: oidc-test
|
||||
oidc_test_app_client_secret: '$oidc-test&123456$'
|
|
@ -1,257 +0,0 @@
|
|||
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
|
||||
xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
|
||||
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
|
||||
clockSkew="180">
|
||||
|
||||
<!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
|
||||
<OutOfProcess
|
||||
logger="shibd.logger" tranLogFormat="[TRANSACTION] %u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a">
|
||||
<!-- <Extensions>
|
||||
<Library path="odbc-store.so" fatal="true"/>
|
||||
</Extensions> -->
|
||||
</OutOfProcess>
|
||||
|
||||
<!-- <InProcess logger="native.logger" checkSpoofing="false"/> -->
|
||||
|
||||
<!-- Only one listener can be defined, to connect in-process modules to shibd. -->
|
||||
<UnixListener address="shibd.sock"/>
|
||||
<!-- <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/> -->
|
||||
|
||||
<!-- This set of components stores sessions and other persistent data in daemon memory. -->
|
||||
<StorageService type="Memory" id="mem" cleanupInterval="900"/>
|
||||
<SessionCache type="StorageService" StorageService="mem" cacheAssertions="false"
|
||||
cacheAllowance="900" inprocTimeout="900" cleanupInterval="900"/>
|
||||
<ReplayCache StorageService="mem"/>
|
||||
<ArtifactMap artifactTTL="180"/>
|
||||
|
||||
<!-- This set of components stores sessions and other persistent data in an ODBC database. -->
|
||||
<!--
|
||||
<StorageService type="ODBC" id="db" cleanupInterval="900">
|
||||
<ConnectionString>
|
||||
DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
|
||||
</ConnectionString>
|
||||
</StorageService>
|
||||
<SessionCache type="StorageService" StorageService="db" cacheAssertions="false"
|
||||
cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
|
||||
<ReplayCache StorageService="db"/>
|
||||
<ArtifactMap StorageService="db" artifactTTL="180"/>
|
||||
-->
|
||||
|
||||
<!--
|
||||
The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
|
||||
Resource requests are mapped by the RequestMapper to an applicationId that
|
||||
points into to this section (or to the defaults here).
|
||||
-->
|
||||
<ApplicationDefaults entityID="{{ getenv "SP_ENTITY_ID" "http://sp-entity-id" }}"
|
||||
REMOTE_USER="{{ getenv "SP_REMOTE_USER" "eppn subject-id pairwise-id persistent-id" }}"
|
||||
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
|
||||
|
||||
<!--
|
||||
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
|
||||
Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
|
||||
and should be a relative path, with the SP computing the full value based on the virtual
|
||||
host. Using handlerSSL="true" will force the protocol to be https. You should also set
|
||||
cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to
|
||||
"false", this makes an assertion stolen in transit easier for attackers to misuse.
|
||||
-->
|
||||
<Sessions lifetime="28800" timeout="3600"
|
||||
handlerURL="{{ getenv "SP_HANDLER_BASE_PATH" "" }}/Shibboleth.sso" handlerSSL="false" cookieProps="http" relayState="ss:mem"
|
||||
redirectLimit="{{ getenv "SP_SESSIONS_REDIRECT_LIMIT" "host" }}"
|
||||
checkAddress="false"
|
||||
consistentAddress="false"
|
||||
exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
|
||||
idpHistory="false" idpHistoryDays="7">
|
||||
|
||||
<!--
|
||||
The "stripped down" files use the shorthand syntax for configuring handlers.
|
||||
This uses the old "every handler specified directly" syntax. You can supplement
|
||||
the new syntax following these examples but it is NOT advisable to use this
|
||||
approach wholesale.
|
||||
-->
|
||||
|
||||
<!--
|
||||
SessionInitiators handle session requests and relay them to a Discovery page,
|
||||
or to an IdP if possible. Automatic/active session rules will use the default
|
||||
or first element (or requireSessionWith can specify a specific id to use).
|
||||
-->
|
||||
|
||||
<!-- Default directs to a specific IdP. -->
|
||||
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
|
||||
entityID="{{ getenv "IDP_ENTITY_ID" "http://idp-entity-id" }}">
|
||||
|
||||
<SessionInitiator type="SAML2" template="bindingTemplate.html"/>
|
||||
<SessionInitiator type="Shib1"/>
|
||||
|
||||
<!--
|
||||
To allow for >1 IdP, remove entityID property from Chaining element and add
|
||||
*either* of the SAMLDS or WAYF handlers below:
|
||||
|
||||
<SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>
|
||||
<SessionInitiator type="WAYF" URL="https://wayf.example.org/WAYF"/>
|
||||
-->
|
||||
</SessionInitiator>
|
||||
|
||||
<!--
|
||||
md:AssertionConsumerService locations handle specific SSO protocol bindings,
|
||||
such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
|
||||
are used when sessions are initiated to determine how to tell the IdP where and
|
||||
how to return the response.
|
||||
-->
|
||||
<md:AssertionConsumerService Location="/SAML2/POST" index="1"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
|
||||
<md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
|
||||
<md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
|
||||
<md:AssertionConsumerService Location="/SAML2/ECP" index="4"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
|
||||
<md:AssertionConsumerService Location="/SAML/POST" index="5"
|
||||
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
|
||||
<md:AssertionConsumerService Location="/SAML/Artifact" index="6"
|
||||
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
|
||||
|
||||
<!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
|
||||
<LogoutInitiator type="Chaining" Location="/Logout">
|
||||
<LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
|
||||
<LogoutInitiator type="Local"/>
|
||||
</LogoutInitiator>
|
||||
|
||||
<!-- Administrative logout, separate from user-driven logout above. -->
|
||||
<LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
|
||||
|
||||
<!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
|
||||
<md:SingleLogoutService Location="/SLO/SOAP"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
|
||||
<md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
|
||||
<md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
|
||||
<md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
|
||||
|
||||
<!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
|
||||
<md:ManageNameIDService Location="/NIM/SOAP"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
|
||||
<md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
|
||||
<md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
|
||||
<md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
|
||||
|
||||
<!--
|
||||
md:ArtifactResolutionService locations resolve artifacts issued when using the
|
||||
SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
|
||||
-->
|
||||
<md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
|
||||
|
||||
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
|
||||
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
|
||||
|
||||
<!-- Status reporting service. -->
|
||||
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
|
||||
|
||||
<!-- Session diagnostic service. -->
|
||||
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
|
||||
|
||||
<!-- JSON feed of discovery information. -->
|
||||
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
|
||||
</Sessions>
|
||||
|
||||
<!--
|
||||
Allows overriding of error template information/filenames. You can
|
||||
also add your own attributes with values that can be plugged into the
|
||||
templates, e.g., helpLocation below.
|
||||
-->
|
||||
<Errors supportContact="{{ getenv "CONTACT_EMAIL" "admin@localhost" }}"
|
||||
helpLocation="/about.html"
|
||||
styleSheet="/shibboleth-sp/main.css"/>
|
||||
|
||||
<!--
|
||||
Uncomment and modify to tweak settings for specific IdPs or groups. Settings here
|
||||
generally match those allowed by the <ApplicationDefaults> element.
|
||||
-->
|
||||
<!--
|
||||
<RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>
|
||||
-->
|
||||
|
||||
<!-- Example of locally maintained metadata. -->
|
||||
<!--
|
||||
<MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
|
||||
-->
|
||||
|
||||
<!-- Example of remotely supplied batch of signed metadata. -->
|
||||
<!--
|
||||
<MetadataProvider type="XML" validate="true"
|
||||
url="http://federation.org/federation-metadata.xml"
|
||||
backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
|
||||
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
|
||||
<MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
|
||||
<DiscoveryFilter type="Exclude" matcher="EntityAttributes" trimTags="true"
|
||||
attributeName="http://macedir.org/entity-category"
|
||||
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
|
||||
attributeValue="http://refeds.org/category/hide-from-discovery" />
|
||||
</MetadataProvider>
|
||||
-->
|
||||
|
||||
<!-- Example of remotely supplied "on-demand" signed metadata. -->
|
||||
<!--
|
||||
<MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
|
||||
baseUrl="http://mdq.federation.org" ignoreTransport="true">
|
||||
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
|
||||
<MetadataFilter type="Signature" certificate="mdqsigner.pem" />
|
||||
</MetadataProvider>
|
||||
-->
|
||||
|
||||
<MetadataProvider type="Dynamic"
|
||||
verifyHost="false"
|
||||
ignoreTransport="true"
|
||||
uri="{{ getenv "IDP_METADATA_URL" "http://idp/idp/shibboleth" }}">
|
||||
</MetadataProvider>
|
||||
|
||||
<!-- TrustEngines run in order to evaluate peer keys and certificates. -->
|
||||
<TrustEngine type="ExplicitKey"/>
|
||||
<!-- <TrustEngine type="PKIX"/> -->
|
||||
|
||||
<!-- Map to extract attributes from SAML assertions. -->
|
||||
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
|
||||
|
||||
<!-- Extracts support information for IdP from its metadata. -->
|
||||
<AttributeExtractor type="Metadata" errorURL="errorURL" DisplayName="displayName"/>
|
||||
|
||||
<!-- Use a SAML query if no attributes are supplied during SSO. -->
|
||||
<AttributeResolver type="Query" subjectMatch="true"/>
|
||||
|
||||
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
|
||||
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
|
||||
|
||||
<!-- Simple file-based resolvers for separate signing/encryption keys. -->
|
||||
<CredentialResolver type="File" use="signing"
|
||||
key="/etc/shibboleth/credentials/sp-signing.key" certificate="/etc/shibboleth/credentials/sp-signing.crt"/>
|
||||
<CredentialResolver type="File" use="encryption"
|
||||
key="/etc/shibboleth/credentials/sp-encrypt.key" certificate="/etc/shibboleth/credentials/sp-encrypt.crt"/>
|
||||
|
||||
<!--
|
||||
The default settings can be overridden by creating ApplicationOverride elements.
|
||||
Resource requests are mapped by web server commands, or the RequestMapper, to an
|
||||
applicationId setting.
|
||||
|
||||
This "canonical" use case of overriding the SP's entityID alone is now obsolete;
|
||||
you can apply selfEntityID as a content setting based on host or path to control
|
||||
the SP's own identity.
|
||||
|
||||
Avoid overrides: ask on the list or refer to the wiki for examples of how to do
|
||||
whatever you want to do without them.
|
||||
-->
|
||||
<!--
|
||||
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
|
||||
-->
|
||||
</ApplicationDefaults>
|
||||
|
||||
<!-- Policies that determine how to process and authenticate runtime messages. -->
|
||||
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
|
||||
|
||||
<!-- Low-level configuration about protocols and bindings available for use. -->
|
||||
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
|
||||
</SPConfig>
|
|
@ -3,9 +3,9 @@
|
|||
- name: Install cadoles-pod-hydra-passwordless-v1 package
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- cadoles-pod-hydra-passwordless-v1
|
||||
- "cadoles-pod-hydra-passwordless-v1={{ cadoles_pod_hydra_passwordless_v1_package_version }}"
|
||||
update_cache: yes
|
||||
state: latest
|
||||
state: present
|
||||
become: true
|
||||
|
||||
- name: Configure cadoles-pod-hydra-passwordless-v1
|
||||
|
|
|
@ -3,10 +3,10 @@
|
|||
- name: Install cadoles-pod-hydra-remote-user-v1 package
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- cadoles-pod-shibboleth-sp-v3
|
||||
- cadoles-pod-hydra-remote-user-v1
|
||||
- "cadoles-pod-shibboleth-sp-v3={{ cadoles_pod_shibboleth_sp_v3_package_version }}"
|
||||
- "cadoles-pod-hydra-remote-user-v1={{ cadoles_pod_hydra_remote_user_v1_package_version }}"
|
||||
update_cache: yes
|
||||
state: latest
|
||||
state: present
|
||||
become: true
|
||||
|
||||
- name: Configure cadoles-pod-hydra-remote-user-v1
|
||||
|
@ -50,12 +50,4 @@
|
|||
dest: /etc/shibboleth/attribute-map.inc.xml
|
||||
notify:
|
||||
- Restart cadoles-pod-shibboleth-sp-v3
|
||||
become: true
|
||||
|
||||
- name: Configure cadoles-pod-shibboleth-sp-v3 (2)
|
||||
ansible.builtin.copy:
|
||||
src: shibboleth2.xml.gotmpl
|
||||
dest: /etc/shibboleth/shibboleth2.xml.gotmpl
|
||||
notify:
|
||||
- Restart cadoles-pod-shibboleth-sp-v3
|
||||
become: true
|
|
@ -31,11 +31,11 @@
|
|||
- name: Install core packages
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- haproxy
|
||||
- cadoles-pod-hydra-v1
|
||||
- cadoles-pod-hydra-dispatcher-v1
|
||||
- haproxy={{ haproxy_package_version }}
|
||||
- cadoles-pod-hydra-v1={{ cadoles_pod_hydra_v1_package_version }}
|
||||
- cadoles-pod-hydra-dispatcher-v1={{ cadoles_pod_hydra_dispatcher_v1_package_version }}
|
||||
update_cache: yes
|
||||
state: latest
|
||||
state: present
|
||||
become: true
|
||||
|
||||
- name: Configure Hydra local database
|
||||
|
|
|
@ -8,8 +8,8 @@
|
|||
- client_id: "{{ oidc_test_app_client_id }}"
|
||||
client_secret: "{{ oidc_test_app_client_secret }}"
|
||||
client_name: "OIDC Test"
|
||||
redirect_uris: ["{{ public_scheme }}://{{ public_host }}:8080/oauth2/callback"]
|
||||
post_logout_redirect_uris: ["{{ public_scheme }}://{{ public_host }}:8080"]
|
||||
redirect_uris: ["{{ oidc_test_app_public_base_url }}/oauth2/callback"]
|
||||
post_logout_redirect_uris: ["{{ oidc_test_app_public_base_url }}"]
|
||||
logo_uri: https://www.cadoles.com/images/logo.svg
|
||||
|
||||
notify:
|
||||
|
@ -19,7 +19,7 @@
|
|||
- name: Start oidc-test app
|
||||
containers.podman.podman_container:
|
||||
name: oidc-test
|
||||
image: docker.io/bornholm/oidc-test:v0.0.0-2-gd0583cc
|
||||
image: docker.io/bornholm/oidc-test:v0.0.0-3-g5beae19
|
||||
state: started
|
||||
network: host
|
||||
recreate: yes
|
||||
|
@ -27,8 +27,9 @@
|
|||
OIDC_CLIENT_ID: "{{ oidc_test_app_client_id }}"
|
||||
OIDC_CLIENT_SECRET: "{{ oidc_test_app_client_secret }}"
|
||||
LOG_LEVEL: 0
|
||||
OIDC_ISSUER_URL: "http://{{ public_host }}/"
|
||||
OIDC_REDIRECT_URL: "http://{{ public_host }}:8080"
|
||||
OIDC_POST_LOGOUT_REDIRECT_URL: "http://{{ public_host }}:8080"
|
||||
OIDC_ISSUER_URL: "{{ hydra_urls_self_issuer_url }}/"
|
||||
OIDC_INSECURE_SKIP_VERIFY: true
|
||||
OIDC_REDIRECT_URL: "{{ oidc_test_app_public_base_url }}"
|
||||
OIDC_POST_LOGOUT_REDIRECT_URL: "{{ oidc_test_app_public_base_url }}"
|
||||
HTTP_ADDRESS: 0.0.0.0:8080
|
||||
become: true
|
|
@ -9,8 +9,8 @@ PODMAN_ARGS="\
|
|||
-e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:4445 \
|
||||
-e HYDRA_BASE_URL=http://10.0.2.2:4444 \
|
||||
-e HYDRA_REWRITE_ISSUER=no \
|
||||
-e HYDRA_ORIGINAL_ISSUER={{ public_scheme }}://{{ public_host }} \
|
||||
-e HYDRA_NEW_ISSUER={{ public_scheme }}://{{ public_host }} \
|
||||
-e 'ASSETS_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/dispatcher' \
|
||||
-e 'COOKIE_PATH=/auth/dispatcher' \
|
||||
-e 'HYDRA_ORIGINAL_ISSUER={{ haproxy_public_base_url }}' \
|
||||
-e 'HYDRA_NEW_ISSUER={{ haproxy_public_base_url }}' \
|
||||
-e 'ASSETS_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}' \
|
||||
-e 'COOKIE_PATH={{ haproxy_hydra_dispatcher_base_path }}' \
|
||||
"
|
|
@ -2,7 +2,7 @@ PODMAN_ARGS="\
|
|||
-p 127.0.0.1:3001:3000 \
|
||||
--network=slirp4netns:allow_host_loopback=true \
|
||||
--replace --name 'cadoles-pod-hydra-passwordless-v1' \
|
||||
-e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/passwordless \
|
||||
-e HTTP_BASE_URL={{ haproxy_public_base_url }}/auth/passwordless \
|
||||
-e 'SMTP_HOST={{ hydra_passwordless_smtp_host }}' \
|
||||
-e 'SMTP_PORT={{ hydra_passwordless_smtp_port }}' \
|
||||
-e 'SMTP_USER={{ hydra_passwordless_smtp_user }}' \
|
||||
|
|
|
@ -6,9 +6,9 @@ PODMAN_ARGS="\
|
|||
-v /etc/hydra-remote-user/apache.conf:/etc/apache2/sites-available/000-default.conf \
|
||||
-e APP_ENV=prod \
|
||||
-e APP_DEBUG=no \
|
||||
-e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/saml \
|
||||
-e COOKIE_PATH=/auth/saml \
|
||||
-e 'HTTP_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \
|
||||
-e COOKIE_PATH={{ haproxy_hydra_saml_base_path }} \
|
||||
-e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:3000 \
|
||||
-e 'TRUSTED_PROXIES=127.0.0.1,10.0.2.0/24' \
|
||||
-e LOGOUT_REDIRECT_URL_PATTERN={{ public_scheme }}://{{ public_host }}/auth/saml/Shibboleth.sso/Logout?return=%s \
|
||||
-e 'LOGOUT_REDIRECT_URL_PATTERN={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/Shibboleth.sso/Logout?return=%s' \
|
||||
"
|
|
@ -6,13 +6,15 @@ PODMAN_ARGS="\
|
|||
-p 127.0.0.1:4445:4445 \
|
||||
--tmpfs /tmp \
|
||||
-e 'HYDRA_DSN=mysql://{{ hydra_database_user }}:{{ hydra_database_password }}@tcp({{ hydra_database_host }}:{{ hydra_database_port }})/{{ hydra_database_name }}?parseTime=true' \
|
||||
-e LOG_LEVEL=debug \
|
||||
-e LOG_LEAK_SENSITIVE_VALUES=true \
|
||||
-e HYDRA_URLS_SELF_ISSUER={{ public_scheme }}://{{ public_host }} \
|
||||
-e HYDRA_URLS_CONSENT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/consent \
|
||||
-e HYDRA_URLS_LOGIN={{ public_scheme }}://{{ public_host }}/auth/dispatcher/login \
|
||||
-e HYDRA_URLS_LOGOUT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/logout \
|
||||
-e HYDRA_ALLOW_INSECURE=yes \
|
||||
-e HYDRA_LEVEL=debug \
|
||||
-e 'LOG_LEVEL={{ hydra_log_level }}' \
|
||||
-e 'LOG_LEAK_SENSITIVE_VALUES={{ hydra_log_leak_sensitive_values }}' \
|
||||
-e 'HYDRA_URLS_SELF_ISSUER={{ hydra_urls_self_issuer_url }}' \
|
||||
-e 'HYDRA_URLS_CONSENT={{ hydra_urls_consent }}' \
|
||||
-e 'HYDRA_URLS_LOGIN={{ hydra_urls_login }}' \
|
||||
-e 'HYDRA_URLS_LOGOUT={{ hydra_urls_logout }}' \
|
||||
-e 'HYDRA_ALLOW_INSECURE=yes' \
|
||||
-e 'HYDRA_LEVEL={{ hydra_log_level }}' \
|
||||
-e 'HYDRA_SECRETS_SYSTEM={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
|
||||
-e 'HYDRA_OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
|
||||
-v /etc/hydra/clients.d:/etc/hydra/clients.d \
|
||||
"
|
|
@ -2,11 +2,12 @@ PODMAN_ARGS="\
|
|||
-p 127.0.0.1:3002:80 \
|
||||
--network=slirp4netns:allow_host_loopback=true \
|
||||
--replace --name 'cadoles-pod-shibboleth-sp-v3' \
|
||||
-e 'SP_ENTITY_ID={{ public_scheme }}://{{ public_host }}/auth/saml' \
|
||||
-e 'SP_ENTITY_ID={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \
|
||||
-e 'IDP_ENTITY_ID={{ hydra_saml_idp_entity_id }}' \
|
||||
-e 'IDP_METADATA_URL={{ hydra_saml_idp_metadata_url }}' \
|
||||
-e 'APACHE_BACKEND_URL=http://10.0.2.2:3003' \
|
||||
-e 'SP_HANDLER_BASE_PATH=/auth/saml' \
|
||||
-e 'APACHE_FORCE_HTTPS={{ "true" if haproxy_public_base_url.startswith('https') else "false" }}' \
|
||||
-e 'SP_HANDLER_BASE_PATH={{ haproxy_hydra_saml_base_path }}' \
|
||||
-v '/etc/shibboleth/attribute-map.inc.xml:/etc/shibboleth/attribute-map.inc.xml' \
|
||||
-v '/etc/shibboleth/shibboleth2.xml.gotmpl:/etc/shibboleth/shibboleth2.xml.gotmpl' \
|
||||
-v '/etc/shibboleth/credentials:/etc/shibboleth/credentials' \
|
||||
|
|
|
@ -37,66 +37,49 @@ frontend http-in
|
|||
bind 0.0.0.0:80
|
||||
mode http
|
||||
|
||||
maxconn 2000
|
||||
maxconn 2000
|
||||
|
||||
acl login_dispatcher path_beg -i /auth/dispatcher
|
||||
{% if enable_hydra_passwordless %}
|
||||
acl login_passwordless path_beg -i /auth/passwordless
|
||||
{% endif %}
|
||||
{% if enable_hydra_saml %}
|
||||
acl login_saml path_beg -i /auth/saml
|
||||
{% endif %}
|
||||
acl login_dispatcher path_beg -i {{ haproxy_hydra_dispatcher_base_path }}
|
||||
{% if enable_hydra_passwordless %}
|
||||
acl login_passwordless path_beg -i {{ haproxy_hydra_passwordless_base_path }}
|
||||
{% endif %}
|
||||
{% if enable_hydra_saml %}
|
||||
acl login_saml path_beg -i {{ haproxy_hydra_saml_base_path }}
|
||||
{% endif %}
|
||||
|
||||
use_backend hydra_dispatcher if login_dispatcher
|
||||
{% if enable_hydra_passwordless %}
|
||||
{% if enable_hydra_passwordless %}
|
||||
use_backend hydra_passwordless if login_passwordless
|
||||
{% endif %}
|
||||
{% if enable_hydra_saml %}
|
||||
{% endif %}
|
||||
{% if enable_hydra_saml %}
|
||||
use_backend hydra_saml if login_saml
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
use_backend hydra
|
||||
|
||||
option forwardfor
|
||||
|
||||
http-request set-header X-Forwarded-Proto {{ haproxy_forwarded_proto }}
|
||||
http-request set-header X-Forwarded-Host {{ haproxy_forwarded_host }}
|
||||
http-request set-header X-Forwarded-Port {{ haproxy_forwarded_port }}
|
||||
|
||||
# Backend Hydra
|
||||
backend hydra
|
||||
balance roundrobin
|
||||
|
||||
# Headers HTTP des requêtes
|
||||
option forwardfor
|
||||
http-request set-header X-Forwarded-Port %[dst_port]
|
||||
http-request add-header X-Forwarded-Proto http
|
||||
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
|
||||
|
||||
server hydra 127.0.0.1:4444 check
|
||||
|
||||
# Backend Hydra Dispatcher
|
||||
backend hydra_dispatcher
|
||||
balance roundrobin
|
||||
|
||||
# Headers HTTP des requêtes
|
||||
option forwardfor
|
||||
http-request set-header X-Forwarded-Port %[dst_port]
|
||||
http-request add-header X-Forwarded-Proto http
|
||||
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
|
||||
|
||||
# Suppression du préfixe /auth/dispatcher dans l'URL
|
||||
http-request set-path %[path,regsub(^/auth/dispatcher/,/)]
|
||||
|
||||
http-request set-path %[path,regsub(^{{ haproxy_hydra_dispatcher_base_path }}/,/)]
|
||||
server hydra-login-dispatcher 127.0.0.1:3000 check
|
||||
|
||||
{% if enable_hydra_passwordless %}
|
||||
# Backend Hydra Passwordless
|
||||
backend hydra_passwordless
|
||||
balance roundrobin
|
||||
|
||||
# Headers HTTP des requêtes
|
||||
option forwardfor
|
||||
http-request set-header X-Forwarded-Port %[dst_port]
|
||||
http-request add-header X-Forwarded-Proto http
|
||||
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
|
||||
|
||||
# Suppression du préfixe /auth/passwordless dans l'URL
|
||||
http-request set-path %[path,regsub(^/auth/passwordless,)]
|
||||
|
||||
http-request set-path %[path,regsub(^{{ haproxy_hydra_passwordless_base_path }},)]
|
||||
server hydra-login-passwordless 127.0.0.1:3001 check
|
||||
{%- endif %}
|
||||
|
||||
|
@ -104,12 +87,5 @@ backend hydra_passwordless
|
|||
# Backend Hydra SAML
|
||||
backend hydra_saml
|
||||
balance roundrobin
|
||||
|
||||
# Headers HTTP des requêtes
|
||||
option forwardfor
|
||||
http-request set-header X-Forwarded-Port %[dst_port]
|
||||
http-request add-header X-Forwarded-Proto http
|
||||
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
|
||||
|
||||
server hydra-login-saml 127.0.0.1:3002 check
|
||||
{%- endif %}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
"client_id": {{ item.client_id | to_json }},
|
||||
"client_name": {{ item.client_name | default(item.client_id) | to_json }},
|
||||
"client_secret": {{ item.client_secret | default(lookup('ansible.builtin.password', '/dev/null chars=ascii_lowercase,digits length=32')) | to_json }},
|
||||
"client_secret": {{ item.client_secret | default(lookup('ansible.builtin.password', '/dev/null chars=ascii_lowercase,digits length=32 seed=inventory_hostname')) | to_json }},
|
||||
"grant_types": {{ item.grant_types | default(["authorization_code","refresh_token"]) | to_json }},
|
||||
"jwks": {},
|
||||
"metadata": {},
|
||||
|
|
|
@ -4,9 +4,9 @@ hydra:
|
|||
- id: passwordless
|
||||
title: "{{ hydra_passwordless_app_title }}"
|
||||
description: "{{ hydra_passwordless_app_description }}"
|
||||
login_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/login
|
||||
consent_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/consent
|
||||
logout_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/logout
|
||||
login_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/login
|
||||
consent_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/consent
|
||||
logout_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/logout
|
||||
attributes_rewrite_rules:
|
||||
email:
|
||||
- consent.session.id_token.email
|
||||
|
@ -16,9 +16,9 @@ hydra:
|
|||
- id: saml
|
||||
title: "{{ hydra_saml_app_title }}"
|
||||
description: "{{ hydra_saml_app_description }}"
|
||||
login_url: {{ public_scheme }}://{{ public_host }}/auth/saml/login
|
||||
consent_url: {{ public_scheme }}://{{ public_host }}/auth/saml/consent
|
||||
logout_url: {{ public_scheme }}://{{ public_host }}/auth/saml/logout
|
||||
login_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/login
|
||||
consent_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/consent
|
||||
logout_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/logout
|
||||
attributes_rewrite_rules:
|
||||
email:
|
||||
- consent.session.id_token.email
|
||||
|
|
Loading…
Reference in New Issue