feat: initial commit
This commit is contained in:
commit
f93f90f594
47
defaults/main.yml
Normal file
47
defaults/main.yml
Normal file
@ -0,0 +1,47 @@
|
||||
---
|
||||
# cadoles-pod repository configuration
|
||||
cadoles_pod_debian_repository_url: https://vulcain.cadoles.com
|
||||
cadoles_pod_debian_repository: bullseye-dev
|
||||
cadoles_pod_debian_repository_key_url: https://vulcain.cadoles.com/cadoles.gpg
|
||||
|
||||
# Hydra database configuration
|
||||
hydra_database_name: hydra
|
||||
hydra_database_user: hydra
|
||||
hydra_database_password: hydra
|
||||
hydra_database_host: 10.0.2.2
|
||||
hydra_database_port: 3306
|
||||
|
||||
# Hydra OIDC configuration
|
||||
|
||||
public_scheme: http
|
||||
public_host: "{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
|
||||
|
||||
# Hydra Passwordless configuration
|
||||
|
||||
enable_hydra_passwordless: yes
|
||||
hydra_passwordless_app_title: Adresse courriel
|
||||
hydra_passwordless_app_description: Authentification via adresse courriel
|
||||
hydra_passwordless_app_icon_url: https://upload.wikimedia.org/wikipedia/commons/4/48/You%27ve_got_mail.png
|
||||
hydra_passwordless_smtp_host: smtp-server
|
||||
hydra_passwordless_smtp_port: 25
|
||||
hydra_passwordless_smtp_user: smtp-user
|
||||
hydra_passwordless_smtp_password: smtp-password
|
||||
hydra_passwordless_smtp_insecure_skip_verify: no
|
||||
hydra_passwordless_smtp_use_start_tls: no
|
||||
hydra_passwordless_sender_address: noreply@localhost
|
||||
hydra_passwordless_sender_name: "[hydra-passwordless]"
|
||||
|
||||
# Hydra SAML configuration
|
||||
|
||||
enable_hydra_saml: yes
|
||||
hydra_saml_app_title: SAML
|
||||
hydra_saml_app_description: Authentification via SAML
|
||||
hydra_saml_app_icon_url:
|
||||
hydra_saml_idp_entity_id: https://samltest.id/saml/idp
|
||||
hydra_saml_idp_metadata_url: https://samltest.id/saml/idp
|
||||
|
||||
# OIDC Test configuration
|
||||
|
||||
enable_oidc_test_app: yes
|
||||
oidc_test_app_client_id: oidc-test
|
||||
oidc_test_app_client_secret: '$oidc-test&123456$'
|
110
doc/overview.plantuml
Normal file
110
doc/overview.plantuml
Normal file
@ -0,0 +1,110 @@
|
||||
@startuml
|
||||
|
||||
!theme vibrant
|
||||
skinparam linetype ortho
|
||||
left to right direction
|
||||
|
||||
package "External Ports (0.0.0.0)" as ExternalPorts {
|
||||
interface "tcp/80 (HTTP)" as PortServerHTTP
|
||||
}
|
||||
|
||||
node "SSO Server" as SSOServer {
|
||||
package "Internal Ports (127.0.0.1)" as InternalPorts {
|
||||
interface "tcp/4444 (Hydra Public)" as PortHydraPublic
|
||||
interface "tcp/4445 (Hydra Admin)" as PortHydraAdmin
|
||||
interface "tcp/3000 (Hydra Dispatcher)" as PortHydraDispatcher
|
||||
interface "tcp/3001 (Hydra Passwordless)" as PortHydraPasswordless
|
||||
interface "tcp/3002 (Shibboleth SP)" as PortShibbolethSP
|
||||
interface "tcp/3003 (Hydra Remote User)" as PortHydraRemoteUser
|
||||
}
|
||||
|
||||
package "Containers" as Containers {
|
||||
[cadoles-pod-hydra-v1] as ContainerHydra
|
||||
[cadoles-pod-hydra-dispatcher-v1] as ContainerHydraDispatcher
|
||||
[cadoles-pod-hydra-passwordless-v1] as ContainerHydraPasswordless
|
||||
[cadoles-pod-hydra-remote-user-v1] as ContainerHydraRemoteUser
|
||||
[cadoles-pod-shibboleth-sp-v3] as ContainerShibbolethSP
|
||||
}
|
||||
|
||||
package "Files" as Filesystem {
|
||||
frame "/etc/haproxy/haproxy.cfg" as HAProxyConfFile
|
||||
frame "/etc/cadoles-pod-hydra-v1.conf" as HydraConfFile
|
||||
frame "/etc/cadoles-pod-hydra-dispatcher-v1.conf" as HydraDispatcherConfFile
|
||||
frame "/etc/hydra-dispatcher/conf.d/*.yml" as HydraDispatcherAppsConfFile
|
||||
frame "/etc/hydra/clients.d/*.json" as HydraClientConfFile
|
||||
frame "/etc/cadoles-pod-hydra-remote-user-v1.conf" as HydraRemoteUserConfFile
|
||||
frame "/etc/hydra-remote-user/conf.d/*.yml" as HydraRemoteUserMappingsConfFile
|
||||
frame "/etc/cadoles-pod-hydra-passwordless-v1.conf" as HydraPasswordlessConfFile
|
||||
frame "/etc/cadoles-pod-shibboleth-sp-v3.conf" as ShibbolethSPConfFile
|
||||
frame "/etc/shibboleth/credentials/*" as ShibbolethSPCredentialsFile
|
||||
}
|
||||
|
||||
package "Packages" as Packages {
|
||||
[cadoles-pod-hydra-v1] as PackageHydra
|
||||
[cadoles-pod-hydra-dispatcher-v1] as PackageHydraDispatcher
|
||||
[cadoles-pod-hydra-remote-user-v1] as PackageHydraRemoteUser
|
||||
[cadoles-pod-hydra-shibboleth-sp-v3] as PackageShibbolethSP
|
||||
[cadoles-pod-hydra-passwordless-v1] as PackageHydraPasswordless
|
||||
[haproxy] as PackageHAProxy
|
||||
}
|
||||
|
||||
package "Services" as Services {
|
||||
[cadoles-pod-hydra-v1] as ServiceHydra
|
||||
[cadoles-pod-hydra-dispatcher-v1] as ServiceHydraDispatcher
|
||||
[cadoles-pod-shibboleth-sp-v3] as ServiceShibbolethSP
|
||||
[cadoles-pod-hydra-remote-user-v1] as ServiceHydraRemoteUser
|
||||
[cadoles-pod-hydra-passwordless-v1] as ServiceHydraPasswordless
|
||||
[haproxy] as ServiceHAProxy
|
||||
}
|
||||
|
||||
PackageHAProxy ..up.> PortServerHTTP: binds
|
||||
|
||||
ServiceHAProxy ...> PortHydraPublic : exposes (/)
|
||||
ServiceHAProxy ...> PortHydraDispatcher : exposes (/auth/dispatcher)
|
||||
ServiceHAProxy ...> PortHydraPasswordless : exposes (/auth/passwordless)
|
||||
ServiceHAProxy ...> PortShibbolethSP : exposes (/auth/saml)
|
||||
|
||||
ContainerHydra ...> PortHydraPublic : binds
|
||||
ContainerHydra ...> PortHydraAdmin : binds
|
||||
ContainerHydraDispatcher ...> PortHydraDispatcher : binds
|
||||
ContainerShibbolethSP ...> PortShibbolethSP : binds
|
||||
ContainerHydraPasswordless ...> PortHydraPasswordless : binds
|
||||
ContainerHydraRemoteUser ...> PortHydraRemoteUser : binds
|
||||
ContainerShibbolethSP ..> PortHydraRemoteUser : proxies
|
||||
|
||||
ServiceHydra ...> ContainerHydra: manages
|
||||
ServiceHydraDispatcher ...> ContainerHydraDispatcher: manages
|
||||
ServiceShibbolethSP ...> ContainerShibbolethSP: manages
|
||||
ServiceHydraPasswordless ...> ContainerHydraPasswordless: manages
|
||||
ServiceHydraRemoteUser ...> ContainerHydraRemoteUser: manages
|
||||
|
||||
ContainerHydra ...> HydraConfFile : uses
|
||||
ContainerHydra ...> HydraClientConfFile : uses
|
||||
ContainerHydraDispatcher ...> HydraDispatcherConfFile : uses
|
||||
ContainerHydraDispatcher ...> HydraDispatcherAppsConfFile : uses
|
||||
ContainerHydraPasswordless ...> HydraPasswordlessConfFile : uses
|
||||
ContainerHydraRemoteUser ...> HydraRemoteUserConfFile : uses
|
||||
ContainerHydraRemoteUser ...> HydraRemoteUserMappingsConfFile : uses
|
||||
ContainerShibbolethSP ...> ShibbolethSPConfFile : uses
|
||||
ContainerShibbolethSP ...> ShibbolethSPCredentialsFile : creates
|
||||
|
||||
PackageHAProxy ...> HAProxyConfFile : deploys
|
||||
PackageHydra ...> HydraConfFile : deploys
|
||||
PackageHydraDispatcher ...> HydraDispatcherConfFile : deploys
|
||||
PackageHydraRemoteUser ...> HydraRemoteUserConfFile : deploys
|
||||
PackageShibbolethSP ...> ShibbolethSPConfFile : deploys
|
||||
|
||||
PackageHAProxy ...> ServiceHAProxy : deploys
|
||||
PackageHydra ...> ServiceHydra : deploys
|
||||
PackageHydraDispatcher ...> ServiceHydraDispatcher : deploys
|
||||
PackageHydraRemoteUser ...> ServiceHydraRemoteUser : deploys
|
||||
PackageHydraPasswordless ...> ServiceHydraPasswordless : deploys
|
||||
|
||||
PackageHydra ...> ContainerHydra : deploys
|
||||
PackageHydraDispatcher ...> ContainerHydraDispatcher : deploys
|
||||
PackageHydraRemoteUser ...> ContainerHydraRemoteUser : deploys
|
||||
PackageShibbolethSP ...> ContainerShibbolethSP : deploys
|
||||
PackageHydraPasswordless ...> ContainerHydraPasswordless : deploys
|
||||
}
|
||||
|
||||
@enduml
|
32
files/hydra-remote-user-v1-apache.conf
Normal file
32
files/hydra-remote-user-v1-apache.conf
Normal file
@ -0,0 +1,32 @@
|
||||
<VirtualHost *:80>
|
||||
DocumentRoot /var/www/public
|
||||
|
||||
SetEnv APP_DEBUG ${APP_DEBUG}
|
||||
SetEnv APP_ENV ${APP_ENV}
|
||||
SetEnv HYDRA_ADMIN_BASE_URL ${HYDRA_ADMIN_BASE_URL}
|
||||
SetEnv TRUSTED_PROXIES ${TRUSTED_PROXIES}
|
||||
SetEnv LOGOUT_REDIRECT_URL_PATTERN ${LOGOUT_REDIRECT_URL_PATTERN}
|
||||
|
||||
# Création d'un alias pour réécrire gérer le préfixe /auth/saml
|
||||
Alias "/auth/saml" "/var/www/public"
|
||||
|
||||
<Directory /var/www/public>
|
||||
AllowOverride None
|
||||
Order Allow,Deny
|
||||
Allow from All
|
||||
|
||||
<IfModule mod_rewrite.c>
|
||||
RewriteEngine On
|
||||
|
||||
# Remapping de l'ensemble des chemins en /auth/saml
|
||||
RewriteBase /auth/saml
|
||||
|
||||
RewriteCond %{REQUEST_FILENAME} !-f
|
||||
RewriteRule ^(.*)$ index.php [QSA,L]
|
||||
</IfModule>
|
||||
</Directory>
|
||||
|
||||
|
||||
CustomLog /dev/stdout combined
|
||||
ErrorLog /dev/stderr
|
||||
</VirtualHost>
|
257
files/shibboleth2.xml.gotmpl
Normal file
257
files/shibboleth2.xml.gotmpl
Normal file
@ -0,0 +1,257 @@
|
||||
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
|
||||
xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
|
||||
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
|
||||
clockSkew="180">
|
||||
|
||||
<!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
|
||||
<OutOfProcess
|
||||
logger="shibd.logger" tranLogFormat="[TRANSACTION] %u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a">
|
||||
<!-- <Extensions>
|
||||
<Library path="odbc-store.so" fatal="true"/>
|
||||
</Extensions> -->
|
||||
</OutOfProcess>
|
||||
|
||||
<!-- <InProcess logger="native.logger" checkSpoofing="false"/> -->
|
||||
|
||||
<!-- Only one listener can be defined, to connect in-process modules to shibd. -->
|
||||
<UnixListener address="shibd.sock"/>
|
||||
<!-- <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/> -->
|
||||
|
||||
<!-- This set of components stores sessions and other persistent data in daemon memory. -->
|
||||
<StorageService type="Memory" id="mem" cleanupInterval="900"/>
|
||||
<SessionCache type="StorageService" StorageService="mem" cacheAssertions="false"
|
||||
cacheAllowance="900" inprocTimeout="900" cleanupInterval="900"/>
|
||||
<ReplayCache StorageService="mem"/>
|
||||
<ArtifactMap artifactTTL="180"/>
|
||||
|
||||
<!-- This set of components stores sessions and other persistent data in an ODBC database. -->
|
||||
<!--
|
||||
<StorageService type="ODBC" id="db" cleanupInterval="900">
|
||||
<ConnectionString>
|
||||
DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
|
||||
</ConnectionString>
|
||||
</StorageService>
|
||||
<SessionCache type="StorageService" StorageService="db" cacheAssertions="false"
|
||||
cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
|
||||
<ReplayCache StorageService="db"/>
|
||||
<ArtifactMap StorageService="db" artifactTTL="180"/>
|
||||
-->
|
||||
|
||||
<!--
|
||||
The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
|
||||
Resource requests are mapped by the RequestMapper to an applicationId that
|
||||
points into to this section (or to the defaults here).
|
||||
-->
|
||||
<ApplicationDefaults entityID="{{ getenv "SP_ENTITY_ID" "http://sp-entity-id" }}"
|
||||
REMOTE_USER="{{ getenv "SP_REMOTE_USER" "eppn subject-id pairwise-id persistent-id" }}"
|
||||
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
|
||||
|
||||
<!--
|
||||
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
|
||||
Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
|
||||
and should be a relative path, with the SP computing the full value based on the virtual
|
||||
host. Using handlerSSL="true" will force the protocol to be https. You should also set
|
||||
cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to
|
||||
"false", this makes an assertion stolen in transit easier for attackers to misuse.
|
||||
-->
|
||||
<Sessions lifetime="28800" timeout="3600"
|
||||
handlerURL="{{ getenv "SP_HANDLER_BASE_PATH" "" }}/Shibboleth.sso" handlerSSL="false" cookieProps="http" relayState="ss:mem"
|
||||
redirectLimit="{{ getenv "SP_SESSIONS_REDIRECT_LIMIT" "host" }}"
|
||||
checkAddress="false"
|
||||
consistentAddress="false"
|
||||
exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
|
||||
idpHistory="false" idpHistoryDays="7">
|
||||
|
||||
<!--
|
||||
The "stripped down" files use the shorthand syntax for configuring handlers.
|
||||
This uses the old "every handler specified directly" syntax. You can supplement
|
||||
the new syntax following these examples but it is NOT advisable to use this
|
||||
approach wholesale.
|
||||
-->
|
||||
|
||||
<!--
|
||||
SessionInitiators handle session requests and relay them to a Discovery page,
|
||||
or to an IdP if possible. Automatic/active session rules will use the default
|
||||
or first element (or requireSessionWith can specify a specific id to use).
|
||||
-->
|
||||
|
||||
<!-- Default directs to a specific IdP. -->
|
||||
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
|
||||
entityID="{{ getenv "IDP_ENTITY_ID" "http://idp-entity-id" }}">
|
||||
|
||||
<SessionInitiator type="SAML2" template="bindingTemplate.html"/>
|
||||
<SessionInitiator type="Shib1"/>
|
||||
|
||||
<!--
|
||||
To allow for >1 IdP, remove entityID property from Chaining element and add
|
||||
*either* of the SAMLDS or WAYF handlers below:
|
||||
|
||||
<SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>
|
||||
<SessionInitiator type="WAYF" URL="https://wayf.example.org/WAYF"/>
|
||||
-->
|
||||
</SessionInitiator>
|
||||
|
||||
<!--
|
||||
md:AssertionConsumerService locations handle specific SSO protocol bindings,
|
||||
such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
|
||||
are used when sessions are initiated to determine how to tell the IdP where and
|
||||
how to return the response.
|
||||
-->
|
||||
<md:AssertionConsumerService Location="/SAML2/POST" index="1"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
|
||||
<md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
|
||||
<md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
|
||||
<md:AssertionConsumerService Location="/SAML2/ECP" index="4"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
|
||||
<md:AssertionConsumerService Location="/SAML/POST" index="5"
|
||||
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
|
||||
<md:AssertionConsumerService Location="/SAML/Artifact" index="6"
|
||||
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
|
||||
|
||||
<!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
|
||||
<LogoutInitiator type="Chaining" Location="/Logout">
|
||||
<LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
|
||||
<LogoutInitiator type="Local"/>
|
||||
</LogoutInitiator>
|
||||
|
||||
<!-- Administrative logout, separate from user-driven logout above. -->
|
||||
<LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
|
||||
|
||||
<!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
|
||||
<md:SingleLogoutService Location="/SLO/SOAP"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
|
||||
<md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
|
||||
<md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
|
||||
<md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
|
||||
|
||||
<!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
|
||||
<md:ManageNameIDService Location="/NIM/SOAP"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
|
||||
<md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
|
||||
<md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
|
||||
<md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
|
||||
|
||||
<!--
|
||||
md:ArtifactResolutionService locations resolve artifacts issued when using the
|
||||
SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
|
||||
-->
|
||||
<md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
|
||||
|
||||
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
|
||||
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
|
||||
|
||||
<!-- Status reporting service. -->
|
||||
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
|
||||
|
||||
<!-- Session diagnostic service. -->
|
||||
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
|
||||
|
||||
<!-- JSON feed of discovery information. -->
|
||||
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
|
||||
</Sessions>
|
||||
|
||||
<!--
|
||||
Allows overriding of error template information/filenames. You can
|
||||
also add your own attributes with values that can be plugged into the
|
||||
templates, e.g., helpLocation below.
|
||||
-->
|
||||
<Errors supportContact="{{ getenv "CONTACT_EMAIL" "admin@localhost" }}"
|
||||
helpLocation="/about.html"
|
||||
styleSheet="/shibboleth-sp/main.css"/>
|
||||
|
||||
<!--
|
||||
Uncomment and modify to tweak settings for specific IdPs or groups. Settings here
|
||||
generally match those allowed by the <ApplicationDefaults> element.
|
||||
-->
|
||||
<!--
|
||||
<RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>
|
||||
-->
|
||||
|
||||
<!-- Example of locally maintained metadata. -->
|
||||
<!--
|
||||
<MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
|
||||
-->
|
||||
|
||||
<!-- Example of remotely supplied batch of signed metadata. -->
|
||||
<!--
|
||||
<MetadataProvider type="XML" validate="true"
|
||||
url="http://federation.org/federation-metadata.xml"
|
||||
backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
|
||||
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
|
||||
<MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
|
||||
<DiscoveryFilter type="Exclude" matcher="EntityAttributes" trimTags="true"
|
||||
attributeName="http://macedir.org/entity-category"
|
||||
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
|
||||
attributeValue="http://refeds.org/category/hide-from-discovery" />
|
||||
</MetadataProvider>
|
||||
-->
|
||||
|
||||
<!-- Example of remotely supplied "on-demand" signed metadata. -->
|
||||
<!--
|
||||
<MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
|
||||
baseUrl="http://mdq.federation.org" ignoreTransport="true">
|
||||
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
|
||||
<MetadataFilter type="Signature" certificate="mdqsigner.pem" />
|
||||
</MetadataProvider>
|
||||
-->
|
||||
|
||||
<MetadataProvider type="Dynamic"
|
||||
verifyHost="false"
|
||||
ignoreTransport="true"
|
||||
uri="{{ getenv "IDP_METADATA_URL" "http://idp/idp/shibboleth" }}">
|
||||
</MetadataProvider>
|
||||
|
||||
<!-- TrustEngines run in order to evaluate peer keys and certificates. -->
|
||||
<TrustEngine type="ExplicitKey"/>
|
||||
<!-- <TrustEngine type="PKIX"/> -->
|
||||
|
||||
<!-- Map to extract attributes from SAML assertions. -->
|
||||
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
|
||||
|
||||
<!-- Extracts support information for IdP from its metadata. -->
|
||||
<AttributeExtractor type="Metadata" errorURL="errorURL" DisplayName="displayName"/>
|
||||
|
||||
<!-- Use a SAML query if no attributes are supplied during SSO. -->
|
||||
<AttributeResolver type="Query" subjectMatch="true"/>
|
||||
|
||||
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
|
||||
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
|
||||
|
||||
<!-- Simple file-based resolvers for separate signing/encryption keys. -->
|
||||
<CredentialResolver type="File" use="signing"
|
||||
key="/etc/shibboleth/credentials/sp-signing.key" certificate="/etc/shibboleth/credentials/sp-signing.crt"/>
|
||||
<CredentialResolver type="File" use="encryption"
|
||||
key="/etc/shibboleth/credentials/sp-encrypt.key" certificate="/etc/shibboleth/credentials/sp-encrypt.crt"/>
|
||||
|
||||
<!--
|
||||
The default settings can be overridden by creating ApplicationOverride elements.
|
||||
Resource requests are mapped by web server commands, or the RequestMapper, to an
|
||||
applicationId setting.
|
||||
|
||||
This "canonical" use case of overriding the SP's entityID alone is now obsolete;
|
||||
you can apply selfEntityID as a content setting based on host or path to control
|
||||
the SP's own identity.
|
||||
|
||||
Avoid overrides: ask on the list or refer to the wiki for examples of how to do
|
||||
whatever you want to do without them.
|
||||
-->
|
||||
<!--
|
||||
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
|
||||
-->
|
||||
</ApplicationDefaults>
|
||||
|
||||
<!-- Policies that determine how to process and authenticate runtime messages. -->
|
||||
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
|
||||
|
||||
<!-- Low-level configuration about protocols and bindings available for use. -->
|
||||
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
|
||||
</SPConfig>
|
35
handlers/main.yml
Normal file
35
handlers/main.yml
Normal file
@ -0,0 +1,35 @@
|
||||
---
|
||||
- name: Restart HAProxy
|
||||
service:
|
||||
name: haproxy
|
||||
state: restarted
|
||||
|
||||
- name: Restart cadoles-pod-hydra-v1
|
||||
service:
|
||||
name: cadoles-pod-hydra-v1
|
||||
state: restarted
|
||||
|
||||
- name: Restart cadoles-pod-hydra-dispatcher-v1
|
||||
service:
|
||||
name: cadoles-pod-hydra-dispatcher-v1
|
||||
state: restarted
|
||||
|
||||
- name: Restart cadoles-pod-hydra-passwordless-v1
|
||||
service:
|
||||
name: cadoles-pod-hydra-passwordless-v1
|
||||
state: restarted
|
||||
|
||||
- name: Restart cadoles-pod-hydra-remote-user-v1
|
||||
service:
|
||||
name: cadoles-pod-hydra-remote-user-v1
|
||||
state: restarted
|
||||
|
||||
- name: Restart cadoles-pod-shibboleth-sp-v3
|
||||
service:
|
||||
name: cadoles-pod-shibboleth-sp-v3
|
||||
state: restarted
|
||||
|
||||
- name: Restart MySQL
|
||||
service:
|
||||
name: mysql
|
||||
state: restarted
|
1
meta/main.yml
Normal file
1
meta/main.yml
Normal file
@ -0,0 +1 @@
|
||||
---
|
18
tasks/hydra-passwordless.yml
Normal file
18
tasks/hydra-passwordless.yml
Normal file
@ -0,0 +1,18 @@
|
||||
---
|
||||
|
||||
- name: Install cadoles-pod-hydra-passwordless-v1 package
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- cadoles-pod-hydra-passwordless-v1
|
||||
update_cache: yes
|
||||
state: latest
|
||||
|
||||
- name: Configure cadoles-pod-hydra-passwordless-v1
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
with_items:
|
||||
- src: cadoles-pod-hydra-passwordless-v1.conf.j2
|
||||
dest: /etc/cadoles-pod-hydra-passwordless-v1.conf
|
||||
notify:
|
||||
- Restart cadoles-pod-hydra-passwordless-v1
|
55
tasks/hydra-saml.yml
Normal file
55
tasks/hydra-saml.yml
Normal file
@ -0,0 +1,55 @@
|
||||
---
|
||||
|
||||
- name: Install cadoles-pod-hydra-remote-user-v1 package
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- cadoles-pod-shibboleth-sp-v3
|
||||
- cadoles-pod-hydra-remote-user-v1
|
||||
update_cache: yes
|
||||
state: latest
|
||||
|
||||
- name: Configure cadoles-pod-hydra-remote-user-v1
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
with_items:
|
||||
- src: cadoles-pod-hydra-remote-user-v1.conf.j2
|
||||
dest: /etc/cadoles-pod-hydra-remote-user-v1.conf
|
||||
- src: hydra-remote-user.yml.j2
|
||||
dest: /etc/hydra-remote-user/conf.d/remote-user.yml
|
||||
notify:
|
||||
- Restart cadoles-pod-hydra-remote-user-v1
|
||||
|
||||
- name: Configure cadoles-pod-hydra-remote-user-v1 (2)
|
||||
ansible.builtin.copy:
|
||||
src: hydra-remote-user-v1-apache.conf
|
||||
dest: /etc/hydra-remote-user/apache.conf
|
||||
notify:
|
||||
- Restart cadoles-pod-hydra-remote-user-v1
|
||||
|
||||
- name: Create cadoles-pod-shibboleth-sp-v3 expected directories
|
||||
file:
|
||||
name: "{{ item }}"
|
||||
state: directory
|
||||
with_items:
|
||||
- /etc/shibboleth
|
||||
- /etc/shibboleth/credentials
|
||||
|
||||
- name: Configure cadoles-pod-shibboleth-sp-v3
|
||||
ansible.builtin.template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
with_items:
|
||||
- src: cadoles-pod-shibboleth-sp-v3.conf.j2
|
||||
dest: /etc/cadoles-pod-shibboleth-sp-v3.conf
|
||||
- src: shibboleth-attribute-map.inc.xml.j2
|
||||
dest: /etc/shibboleth/attribute-map.inc.xml
|
||||
notify:
|
||||
- Restart cadoles-pod-shibboleth-sp-v3
|
||||
|
||||
- name: Configure cadoles-pod-shibboleth-sp-v3 (2)
|
||||
ansible.builtin.copy:
|
||||
src: shibboleth2.xml.gotmpl
|
||||
dest: /etc/shibboleth/shibboleth2.xml.gotmpl
|
||||
notify:
|
||||
- Restart cadoles-pod-shibboleth-sp-v3
|
98
tasks/main.yml
Normal file
98
tasks/main.yml
Normal file
@ -0,0 +1,98 @@
|
||||
---
|
||||
|
||||
- name: Add required utilities
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- gpg
|
||||
- wget
|
||||
- openssl
|
||||
update_cache: yes
|
||||
state: present
|
||||
|
||||
- name: Add LetsEncrypt missing intermediate certificates
|
||||
command: "bash -c 'wget -O- --no-check-certificate https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/common/add-letsencrypt-ca.sh | bash'"
|
||||
args:
|
||||
creates: /etc/ssl/certs/lets-encrypt-e1.pem.pem
|
||||
|
||||
- name: Add cadoles-pod debian repository key
|
||||
ansible.builtin.apt_key:
|
||||
url: "{{ cadoles_pod_debian_repository_key_url }}"
|
||||
state: present
|
||||
|
||||
- name: Configure cadoles-pod debian repository
|
||||
ansible.builtin.apt_repository:
|
||||
repo: "deb {{ cadoles_pod_debian_repository_url }} {{ cadoles_pod_debian_repository }} main"
|
||||
state: present
|
||||
|
||||
- name: Install core packages
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- haproxy
|
||||
- mariadb-server
|
||||
- python3-pip
|
||||
- cadoles-pod-hydra-v1
|
||||
- cadoles-pod-hydra-dispatcher-v1
|
||||
update_cache: yes
|
||||
state: latest
|
||||
|
||||
- name: Install PyMySQL python package
|
||||
ansible.builtin.pip:
|
||||
name: PyMySQL
|
||||
|
||||
- name: Create Hydra database
|
||||
community.mysql.mysql_db:
|
||||
name: "{{ hydra_database_name }}"
|
||||
login_unix_socket: /var/run/mysqld/mysqld.sock
|
||||
state: present
|
||||
|
||||
- name: Create Hydra database user
|
||||
community.mysql.mysql_user:
|
||||
name: "{{ hydra_database_user }}"
|
||||
password: "{{ hydra_database_password }}"
|
||||
login_unix_socket: /var/run/mysqld/mysqld.sock
|
||||
priv: '{{ hydra_database_name }}.*:ALL,GRANT'
|
||||
state: present
|
||||
|
||||
- name: Configure HAProxy
|
||||
template:
|
||||
src: haproxy.cfg.j2
|
||||
dest: /etc/haproxy/haproxy.cfg
|
||||
validate: "haproxy -c -f %s"
|
||||
notify:
|
||||
- Restart HAProxy
|
||||
|
||||
- name: Configure cadoles-pod-hydra-v1
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
with_items:
|
||||
- src: cadoles-pod-hydra-v1.conf.j2
|
||||
dest: /etc/cadoles-pod-hydra-v1.conf
|
||||
- src: oidc-test-client.json.j2
|
||||
dest: /etc/hydra/clients.d/oidc-test.json
|
||||
notify:
|
||||
- Restart cadoles-pod-hydra-v1
|
||||
|
||||
- name: Configure cadoles-pod-hydra-dispatcher-v1
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
with_items:
|
||||
- src: cadoles-pod-hydra-dispatcher-v1.conf.j2
|
||||
dest: /etc/cadoles-pod-hydra-dispatcher-v1.conf
|
||||
- src: hydra-dispatcher-apps.yml.j2
|
||||
dest: /etc/hydra-dispatcher/conf.d/apps.yml
|
||||
notify:
|
||||
- Restart cadoles-pod-hydra-dispatcher-v1
|
||||
|
||||
- name: Configure passwordless authentification if enabled
|
||||
ansible.builtin.include_tasks: hydra-passwordless.yml
|
||||
when: enable_hydra_passwordless
|
||||
|
||||
- name: Configure SAML authentification if enabled
|
||||
ansible.builtin.include_tasks: hydra-saml.yml
|
||||
when: enable_hydra_saml
|
||||
|
||||
- name: Sart OIDC Test app if enabled
|
||||
ansible.builtin.include_tasks: oidc-test.yml
|
||||
when: enable_oidc_test_app
|
17
tasks/oidc-test.yml
Normal file
17
tasks/oidc-test.yml
Normal file
@ -0,0 +1,17 @@
|
||||
---
|
||||
|
||||
- name: Start oidc-test app
|
||||
containers.podman.podman_container:
|
||||
name: oidc-test
|
||||
image: docker.io/bornholm/oidc-test:v0.0.0-2-gd0583cc
|
||||
state: started
|
||||
network: host
|
||||
recreate: yes
|
||||
env:
|
||||
OIDC_CLIENT_ID: "{{ oidc_test_app_client_id }}"
|
||||
OIDC_CLIENT_SECRET: "{{ oidc_test_app_client_secret }}"
|
||||
LOG_LEVEL: 0
|
||||
OIDC_ISSUER_URL: "http://{{ public_host }}/"
|
||||
OIDC_REDIRECT_URL: "http://{{ public_host }}:8080"
|
||||
OIDC_POST_LOGOUT_REDIRECT_URL: "http://{{ public_host }}:8080"
|
||||
HTTP_ADDRESS: 0.0.0.0:8080
|
16
templates/cadoles-pod-hydra-dispatcher-v1.conf.j2
Normal file
16
templates/cadoles-pod-hydra-dispatcher-v1.conf.j2
Normal file
@ -0,0 +1,16 @@
|
||||
PODMAN_ARGS="\
|
||||
--name 'cadoles-pod-hydra-dispatcher-v1' \
|
||||
--replace \
|
||||
--network=slirp4netns:allow_host_loopback=true \
|
||||
-p 127.0.0.1:3000:80 \
|
||||
-v /etc/hydra-dispatcher/conf.d:/var/www/config/hydra \
|
||||
-e APP_ENV=prod \
|
||||
-e APP_DEBUG=yes \
|
||||
-e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:4445 \
|
||||
-e HYDRA_BASE_URL=http://10.0.2.2:4444 \
|
||||
-e HYDRA_REWRITE_ISSUER=no \
|
||||
-e HYDRA_ORIGINAL_ISSUER={{ public_scheme }}://{{ public_host }} \
|
||||
-e HYDRA_NEW_ISSUER={{ public_scheme }}://{{ public_host }} \
|
||||
-e 'ASSETS_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/dispatcher' \
|
||||
-e 'COOKIE_PATH=/auth/dispatcher' \
|
||||
"
|
15
templates/cadoles-pod-hydra-passwordless-v1.conf.j2
Normal file
15
templates/cadoles-pod-hydra-passwordless-v1.conf.j2
Normal file
@ -0,0 +1,15 @@
|
||||
PODMAN_ARGS="\
|
||||
-p 127.0.0.1:3001:3000 \
|
||||
--network=slirp4netns:allow_host_loopback=true \
|
||||
--replace --name 'cadoles-pod-hydra-passwordless-v1' \
|
||||
-e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/passwordless \
|
||||
-e 'SMTP_HOST={{ hydra_passwordless_smtp_host }}' \
|
||||
-e 'SMTP_PORT={{ hydra_passwordless_smtp_port }}' \
|
||||
-e 'SMTP_USER={{ hydra_passwordless_smtp_user }}' \
|
||||
-e 'SMTP_PASSWORD={{ hydra_passwordless_smtp_password }}' \
|
||||
-e 'SMTP_INSECURE_SKIP_VERIFY={{ hydra_passwordless_smtp_insecure_skip_verify }}' \
|
||||
-e 'SMTP_SENDER_ADDRESS={{ hydra_passwordless_sender_address }}' \
|
||||
-e 'SMTP_USE_START_TLS={{ hydra_passwordless_smtp_use_start_tls }}' \
|
||||
-e 'SMTP_SENDER_NAME={{ hydra_passwordless_sender_name }}' \
|
||||
-e HYDRA_BASE_URL=http://10.0.2.2:3000 \
|
||||
"
|
14
templates/cadoles-pod-hydra-remote-user-v1.conf.j2
Normal file
14
templates/cadoles-pod-hydra-remote-user-v1.conf.j2
Normal file
@ -0,0 +1,14 @@
|
||||
PODMAN_ARGS="\
|
||||
-p 127.0.0.1:3003:80 \
|
||||
--network=slirp4netns:allow_host_loopback=true \
|
||||
--replace --name 'cadoles-pod-hydra-remote-user-v1' \
|
||||
-v /etc/hydra-remote-user/conf.d:/var/www/config/remote_user \
|
||||
-v /etc/hydra-remote-user/apache.conf:/etc/apache2/sites-available/000-default.conf \
|
||||
-e APP_ENV=prod \
|
||||
-e APP_DEBUG=no \
|
||||
-e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/saml \
|
||||
-e COOKIE_PATH=/auth/saml \
|
||||
-e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:3000 \
|
||||
-e 'TRUSTED_PROXIES=127.0.0.1,10.0.2.0/24' \
|
||||
-e LOGOUT_REDIRECT_URL_PATTERN={{ public_scheme }}://{{ public_host }}/auth/saml/Shibboleth.sso/Logout?return=%s \
|
||||
"
|
18
templates/cadoles-pod-hydra-v1.conf.j2
Normal file
18
templates/cadoles-pod-hydra-v1.conf.j2
Normal file
@ -0,0 +1,18 @@
|
||||
PODMAN_ARGS="\
|
||||
--name 'cadoles-pod-hydra-v1' \
|
||||
--replace \
|
||||
--network=slirp4netns:allow_host_loopback=true \
|
||||
-p 127.0.0.1:4444:4444 \
|
||||
-p 127.0.0.1:4445:4445 \
|
||||
--tmpfs /tmp \
|
||||
-e 'HYDRA_DSN=mysql://{{ hydra_database_user }}:{{ hydra_database_password }}@tcp({{ hydra_database_host }}:{{ hydra_database_port }})/{{ hydra_database_name }}?parseTime=true' \
|
||||
-e LOG_LEVEL=debug \
|
||||
-e LOG_LEAK_SENSITIVE_VALUES=true \
|
||||
-e HYDRA_URLS_SELF_ISSUER={{ public_scheme }}://{{ public_host }} \
|
||||
-e HYDRA_URLS_CONSENT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/consent \
|
||||
-e HYDRA_URLS_LOGIN={{ public_scheme }}://{{ public_host }}/auth/dispatcher/login \
|
||||
-e HYDRA_URLS_LOGOUT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/logout \
|
||||
-e HYDRA_ALLOW_INSECURE=yes \
|
||||
-e HYDRA_LEVEL=debug \
|
||||
-v /etc/hydra/clients.d:/etc/hydra/clients.d \
|
||||
"
|
13
templates/cadoles-pod-shibboleth-sp-v3.conf.j2
Normal file
13
templates/cadoles-pod-shibboleth-sp-v3.conf.j2
Normal file
@ -0,0 +1,13 @@
|
||||
PODMAN_ARGS="\
|
||||
-p 127.0.0.1:3002:80 \
|
||||
--network=slirp4netns:allow_host_loopback=true \
|
||||
--replace --name 'cadoles-pod-shibboleth-sp-v3' \
|
||||
-e 'SP_ENTITY_ID={{ public_scheme }}://{{ public_host }}/auth/saml' \
|
||||
-e 'IDP_ENTITY_ID={{ hydra_saml_idp_entity_id }}' \
|
||||
-e 'IDP_METADATA_URL={{ hydra_saml_idp_metadata_url }}' \
|
||||
-e 'APACHE_BACKEND_URL=http://10.0.2.2:3003' \
|
||||
-e 'SP_HANDLER_BASE_PATH=/auth/saml' \
|
||||
-v '/etc/shibboleth/attribute-map.inc.xml:/etc/shibboleth/attribute-map.inc.xml' \
|
||||
-v '/etc/shibboleth/shibboleth2.xml.gotmpl:/etc/shibboleth/shibboleth2.xml.gotmpl' \
|
||||
-v '/etc/shibboleth/credentials:/etc/shibboleth/credentials' \
|
||||
"
|
115
templates/haproxy.cfg.j2
Normal file
115
templates/haproxy.cfg.j2
Normal file
@ -0,0 +1,115 @@
|
||||
global
|
||||
log /dev/log local0
|
||||
log /dev/log local1 notice
|
||||
chroot /var/lib/haproxy
|
||||
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
|
||||
stats timeout 30s
|
||||
user haproxy
|
||||
group haproxy
|
||||
daemon
|
||||
|
||||
# Default SSL material locations
|
||||
ca-base /etc/ssl/certs
|
||||
crt-base /etc/ssl/private
|
||||
|
||||
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
|
||||
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||||
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
|
||||
|
||||
defaults
|
||||
log global
|
||||
mode http
|
||||
option httplog
|
||||
option dontlognull
|
||||
timeout connect 5000
|
||||
timeout client 50000
|
||||
timeout server 50000
|
||||
errorfile 400 /etc/haproxy/errors/400.http
|
||||
errorfile 403 /etc/haproxy/errors/403.http
|
||||
errorfile 408 /etc/haproxy/errors/408.http
|
||||
errorfile 500 /etc/haproxy/errors/500.http
|
||||
errorfile 502 /etc/haproxy/errors/502.http
|
||||
errorfile 503 /etc/haproxy/errors/503.http
|
||||
errorfile 504 /etc/haproxy/errors/504.http
|
||||
|
||||
frontend http-in
|
||||
bind 0.0.0.0:80
|
||||
mode http
|
||||
|
||||
maxconn 2000
|
||||
|
||||
acl login_dispatcher path_beg -i /auth/dispatcher
|
||||
{% if enable_hydra_passwordless %}
|
||||
acl login_passwordless path_beg -i /auth/passwordless
|
||||
{% endif %}
|
||||
{% if enable_hydra_saml %}
|
||||
acl login_saml path_beg -i /auth/saml
|
||||
{% endif %}
|
||||
|
||||
use_backend hydra_dispatcher if login_dispatcher
|
||||
{% if enable_hydra_passwordless %}
|
||||
use_backend hydra_passwordless if login_passwordless
|
||||
{% endif %}
|
||||
{% if enable_hydra_saml %}
|
||||
use_backend hydra_saml if login_saml
|
||||
{% endif %}
|
||||
use_backend hydra
|
||||
|
||||
# Backend Hydra
|
||||
backend hydra
|
||||
balance roundrobin
|
||||
|
||||
# Headers HTTP des requêtes
|
||||
option forwardfor
|
||||
http-request set-header X-Forwarded-Port %[dst_port]
|
||||
http-request add-header X-Forwarded-Proto http
|
||||
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
|
||||
|
||||
server hydra 127.0.0.1:4444 check
|
||||
|
||||
# Backend Hydra Dispatcher
|
||||
backend hydra_dispatcher
|
||||
balance roundrobin
|
||||
|
||||
# Headers HTTP des requêtes
|
||||
option forwardfor
|
||||
http-request set-header X-Forwarded-Port %[dst_port]
|
||||
http-request add-header X-Forwarded-Proto http
|
||||
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
|
||||
|
||||
# Suppression du préfixe /auth/dispatcher dans l'URL
|
||||
http-request set-path %[path,regsub(^/auth/dispatcher/,/)]
|
||||
|
||||
server hydra-login-dispatcher 127.0.0.1:3000 check
|
||||
|
||||
{% if enable_hydra_passwordless %}
|
||||
# Backend Hydra Passwordless
|
||||
backend hydra_passwordless
|
||||
balance roundrobin
|
||||
|
||||
# Headers HTTP des requêtes
|
||||
option forwardfor
|
||||
http-request set-header X-Forwarded-Port %[dst_port]
|
||||
http-request add-header X-Forwarded-Proto http
|
||||
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
|
||||
|
||||
# Suppression du préfixe /auth/passwordless dans l'URL
|
||||
http-request set-path %[path,regsub(^/auth/passwordless,)]
|
||||
|
||||
server hydra-login-passwordless 127.0.0.1:3001 check
|
||||
{%- endif %}
|
||||
|
||||
{% if enable_hydra_saml %}
|
||||
# Backend Hydra SAML
|
||||
backend hydra_saml
|
||||
balance roundrobin
|
||||
|
||||
# Headers HTTP des requêtes
|
||||
option forwardfor
|
||||
http-request set-header X-Forwarded-Port %[dst_port]
|
||||
http-request add-header X-Forwarded-Proto http
|
||||
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
|
||||
|
||||
server hydra-login-saml 127.0.0.1:3002 check
|
||||
{%- endif %}
|
26
templates/hydra-dispatcher-apps.yml.j2
Normal file
26
templates/hydra-dispatcher-apps.yml.j2
Normal file
@ -0,0 +1,26 @@
|
||||
hydra:
|
||||
apps:
|
||||
{% if enable_hydra_passwordless %}
|
||||
- id: passwordless
|
||||
title: "{{ hydra_passwordless_app_title }}"
|
||||
description: "{{ hydra_passwordless_app_description }}"
|
||||
login_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/login
|
||||
consent_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/consent
|
||||
logout_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/logout
|
||||
attributes_rewrite_rules:
|
||||
email:
|
||||
- consent.session.id_token.email
|
||||
icon_url: "{{ hydra_passwordless_app_icon_url }}"
|
||||
{% endif %}
|
||||
{% if enable_hydra_saml %}
|
||||
- id: saml
|
||||
title: "{{ hydra_saml_app_title }}"
|
||||
description: "{{ hydra_saml_app_description }}"
|
||||
login_url: {{ public_scheme }}://{{ public_host }}/auth/saml/login
|
||||
consent_url: {{ public_scheme }}://{{ public_host }}/auth/saml/consent
|
||||
logout_url: {{ public_scheme }}://{{ public_host }}/auth/saml/logout
|
||||
attributes_rewrite_rules:
|
||||
email:
|
||||
- consent.session.id_token.email
|
||||
icon_url: "{{ hydra_saml_app_icon_url }}"
|
||||
{% endif %}
|
6
templates/hydra-remote-user.yml.j2
Normal file
6
templates/hydra-remote-user.yml.j2
Normal file
@ -0,0 +1,6 @@
|
||||
remote_user:
|
||||
subject_header: subject-id
|
||||
headers_attributes_mapping:
|
||||
- header: mail
|
||||
attribute: email
|
||||
required: true
|
19
templates/oidc-test-client.json.j2
Normal file
19
templates/oidc-test-client.json.j2
Normal file
@ -0,0 +1,19 @@
|
||||
{
|
||||
"client_id": "{{ oidc_test_app_client_id }}",
|
||||
"client_name": "OIDC Test",
|
||||
"client_secret": "{{ oidc_test_app_client_secret }}",
|
||||
"grant_types": [
|
||||
"authorization_code",
|
||||
"refresh_token"
|
||||
],
|
||||
"jwks": {},
|
||||
"metadata": {},
|
||||
"post_logout_redirect_uris": ["{{ public_scheme }}://{{ public_host }}:8080"],
|
||||
"redirect_uris": ["{{ public_scheme }}://{{ public_host }}:8080/oauth2/callback"],
|
||||
"response_types": [
|
||||
"code"
|
||||
],
|
||||
"logo_uri": "https://www.cadoles.com/images/logo.svg",
|
||||
"scope": "openid profile email",
|
||||
"token_endpoint_auth_method": "client_secret_post"
|
||||
}
|
2
templates/shibboleth-attribute-map.inc.xml.j2
Normal file
2
templates/shibboleth-attribute-map.inc.xml.j2
Normal file
@ -0,0 +1,2 @@
|
||||
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" id="uid" />
|
||||
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" id="mail" />
|
Loading…
Reference in New Issue
Block a user