commit f93f90f594b0c32db4de5086dbe8609a7e74283f
Author: William Petit
Date: Tue Jul 19 14:26:08 2022 +0200

feat: initial commit

diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..7ffcd1a
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,47 @@
+---
+# cadoles-pod repository configuration
+cadoles_pod_debian_repository_url: https://vulcain.cadoles.com
+cadoles_pod_debian_repository: bullseye-dev
+cadoles_pod_debian_repository_key_url: https://vulcain.cadoles.com/cadoles.gpg
+
+# Hydra database configuration
+hydra_database_name: hydra
+hydra_database_user: hydra
+hydra_database_password: hydra
+hydra_database_host: 10.0.2.2
+hydra_database_port: 3306
+
+# Hydra OIDC configuration
+
+public_scheme: http
+public_host: "{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
+
+# Hydra Passwordless configuration
+
+enable_hydra_passwordless: yes
+hydra_passwordless_app_title: Adresse courriel
+hydra_passwordless_app_description: Authentification via adresse courriel
+hydra_passwordless_app_icon_url: https://upload.wikimedia.org/wikipedia/commons/4/48/You%27ve_got_mail.png
+hydra_passwordless_smtp_host: smtp-server
+hydra_passwordless_smtp_port: 25
+hydra_passwordless_smtp_user: smtp-user
+hydra_passwordless_smtp_password: smtp-password
+hydra_passwordless_smtp_insecure_skip_verify: no
+hydra_passwordless_smtp_use_start_tls: no
+hydra_passwordless_sender_address: noreply@localhost
+hydra_passwordless_sender_name: "[hydra-passwordless]"
+
+# Hydra SAML configuration
+
+enable_hydra_saml: yes
+hydra_saml_app_title: SAML
+hydra_saml_app_description: Authentification via SAML
+hydra_saml_app_icon_url:
+hydra_saml_idp_entity_id: https://samltest.id/saml/idp
+hydra_saml_idp_metadata_url: https://samltest.id/saml/idp
+
+# OIDC Test configuration
+
+enable_oidc_test_app: yes
+oidc_test_app_client_id: oidc-test
+oidc_test_app_client_secret: '$oidc-test&123456$'
\ No newline at end of file
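Review bot: The role ships working credentials as defaults — `hydra_database_password: hydra`, `hydra_passwordless_smtp_password: smtp-password` and `oidc_test_app_client_secret: '$oidc-test&123456$'` — so a play that does not override them deploys a Hydra instance whose database password and OIDC client secret are public in this repository. Role defaults are the lowest-precedence variables and are easy to forget; leaving the three keys out of defaults/main.yml and guarding them in tasks/main.yml with `ansible.builtin.assert` (`that: hydra_database_password is defined`, one line per secret) makes a missing override fail the run instead of silently using the published value. `enable_oidc_test_app: yes` also means the test client is created by default; `no` is the safer default for a test-only component. The `public_scheme: http` default is consistent with the rest of the role but deserves a comment such as `# set to https when TLS is terminated in front of HAProxy`.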
diff --git a/doc/overview.plantuml b/doc/overview.plantuml new file mode 100644 index 0000000..8cccc15 --- /dev/null +++ b/doc/overview.plantuml 
@@ -0,0 +1,110 @@ +@startuml + +!theme vibrant +skinparam linetype ortho +left to right direction + +package "External Ports (0.0.0.0)" as ExternalPorts { + interface "tcp/80 (HTTP)" as PortServerHTTP +} + +node "SSO Server" as SSOServer { + package "Internal Ports (127.0.0.1)" as InternalPorts { + interface "tcp/4444 (Hydra Public)" as PortHydraPublic + interface "tcp/4445 (Hydra Admin)" as PortHydraAdmin + interface "tcp/3000 (Hydra Dispatcher)" as PortHydraDispatcher + interface "tcp/3001 (Hydra Passwordless)" as PortHydraPasswordless + interface "tcp/3002 (Shibboleth SP)" as PortShibbolethSP + interface "tcp/3003 (Hydra Remote User)" as PortHydraRemoteUser + } + + package "Containers" as Containers { + [cadoles-pod-hydra-v1] as ContainerHydra + [cadoles-pod-hydra-dispatcher-v1] as ContainerHydraDispatcher + [cadoles-pod-hydra-passwordless-v1] as ContainerHydraPasswordless + [cadoles-pod-hydra-remote-user-v1] as ContainerHydraRemoteUser + [cadoles-pod-shibboleth-sp-v3] as ContainerShibbolethSP + } + + package "Files" as Filesystem { + frame "/etc/haproxy/haproxy.cfg" as HAProxyConfFile + frame "/etc/cadoles-pod-hydra-v1.conf" as HydraConfFile + frame "/etc/cadoles-pod-hydra-dispatcher-v1.conf" as HydraDispatcherConfFile + frame "/etc/hydra-dispatcher/conf.d/*.yml" as HydraDispatcherAppsConfFile + frame "/etc/hydra/clients.d/*.json" as HydraClientConfFile + frame "/etc/cadoles-pod-hydra-remote-user-v1.conf" as HydraRemoteUserConfFile + frame "/etc/hydra-remote-user/conf.d/*.yml" as HydraRemoteUserMappingsConfFile + frame "/etc/cadoles-pod-hydra-passwordless-v1.conf" as HydraPasswordlessConfFile + frame "/etc/cadoles-pod-shibboleth-sp-v3.conf" as ShibbolethSPConfFile + frame "/etc/shibboleth/credentials/*" as ShibbolethSPCredentialsFile + } + + package "Packages" as Packages { + [cadoles-pod-hydra-v1] as PackageHydra + [cadoles-pod-hydra-dispatcher-v1] as PackageHydraDispatcher + [cadoles-pod-hydra-remote-user-v1] as PackageHydraRemoteUser + 
[cadoles-pod-hydra-shibboleth-sp-v3] as PackageShibbolethSP + [cadoles-pod-hydra-passwordless-v1] as PackageHydraPasswordless + [haproxy] as PackageHAProxy + } + + package "Services" as Services { + [cadoles-pod-hydra-v1] as ServiceHydra + [cadoles-pod-hydra-dispatcher-v1] as ServiceHydraDispatcher + [cadoles-pod-shibboleth-sp-v3] as ServiceShibbolethSP + [cadoles-pod-hydra-remote-user-v1] as ServiceHydraRemoteUser + [cadoles-pod-hydra-passwordless-v1] as ServiceHydraPasswordless + [haproxy] as ServiceHAProxy + } + + PackageHAProxy ..up.> PortServerHTTP: binds + + ServiceHAProxy ...> PortHydraPublic : exposes (/) + ServiceHAProxy ...> PortHydraDispatcher : exposes (/auth/dispatcher) + ServiceHAProxy ...> PortHydraPasswordless : exposes (/auth/passwordless) + ServiceHAProxy ...> PortShibbolethSP : exposes (/auth/saml) + + ContainerHydra ...> PortHydraPublic : binds + ContainerHydra ...> PortHydraAdmin : binds + ContainerHydraDispatcher ...> PortHydraDispatcher : binds + ContainerShibbolethSP ...> PortShibbolethSP : binds + ContainerHydraPasswordless ...> PortHydraPasswordless : binds + ContainerHydraRemoteUser ...> PortHydraRemoteUser : binds + ContainerShibbolethSP ..> PortHydraRemoteUser : proxies + + ServiceHydra ...> ContainerHydra: manages + ServiceHydraDispatcher ...> ContainerHydraDispatcher: manages + ServiceShibbolethSP ...> ContainerShibbolethSP: manages + ServiceHydraPasswordless ...> ContainerHydraPasswordless: manages + ServiceHydraRemoteUser ...> ContainerHydraRemoteUser: manages + + ContainerHydra ...> HydraConfFile : uses + ContainerHydra ...> HydraClientConfFile : uses + ContainerHydraDispatcher ...> HydraDispatcherConfFile : uses + ContainerHydraDispatcher ...> HydraDispatcherAppsConfFile : uses + ContainerHydraPasswordless ...> HydraPasswordlessConfFile : uses + ContainerHydraRemoteUser ...> HydraRemoteUserConfFile : uses + ContainerHydraRemoteUser ...> HydraRemoteUserMappingsConfFile : uses + ContainerShibbolethSP ...> ShibbolethSPConfFile : uses 
+ ContainerShibbolethSP ...> ShibbolethSPCredentialsFile : creates + + PackageHAProxy ...> HAProxyConfFile : deploys + PackageHydra ...> HydraConfFile : deploys + PackageHydraDispatcher ...> HydraDispatcherConfFile : deploys + PackageHydraRemoteUser ...> HydraRemoteUserConfFile : deploys + PackageShibbolethSP ...> ShibbolethSPConfFile : deploys + + PackageHAProxy ...> ServiceHAProxy : deploys + PackageHydra ...> ServiceHydra : deploys + PackageHydraDispatcher ...> ServiceHydraDispatcher : deploys + PackageHydraRemoteUser ...> ServiceHydraRemoteUser : deploys + PackageHydraPasswordless ...> ServiceHydraPasswordless : deploys + + PackageHydra ...> ContainerHydra : deploys + PackageHydraDispatcher ...> ContainerHydraDispatcher : deploys + PackageHydraRemoteUser ...> ContainerHydraRemoteUser : deploys + PackageShibbolethSP ...> ContainerShibbolethSP : deploys + PackageHydraPasswordless ...> ContainerHydraPasswordless : deploys +} + +@enduml \ No newline at end of file diff --git a/files/hydra-remote-user-v1-apache.conf b/files/hydra-remote-user-v1-apache.conf new file mode 100644 index 0000000..c01f568 --- /dev/null +++ b/files/hydra-remote-user-v1-apache.conf @@ -0,0 +1,32 @@ + + DocumentRoot /var/www/public + + SetEnv APP_DEBUG ${APP_DEBUG} + SetEnv APP_ENV ${APP_ENV} + SetEnv HYDRA_ADMIN_BASE_URL ${HYDRA_ADMIN_BASE_URL} + SetEnv TRUSTED_PROXIES ${TRUSTED_PROXIES} + SetEnv LOGOUT_REDIRECT_URL_PATTERN ${LOGOUT_REDIRECT_URL_PATTERN} + + # Création d'un alias pour réécrire gérer le préfixe /auth/saml + Alias "/auth/saml" "/var/www/public" + + + AllowOverride None + Order Allow,Deny + Allow from All + + + RewriteEngine On + + # Remapping de l'ensemble des chemins en /auth/saml + RewriteBase /auth/saml + + RewriteCond %{REQUEST_FILENAME} !-f + RewriteRule ^(.*)$ index.php [QSA,L] + + + + + CustomLog /dev/stdout combined + ErrorLog /dev/stderr + \ No newline at end of file 
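Review bot: The access control under `Alias "/auth/saml" "/var/www/public"` uses the Apache 2.2 directives `Order Allow,Deny` / `Allow from All`, which on Apache 2.4 only work when mod_access_compat is loaded and are otherwise a startup error; the 2.4 form is a single `Require all granted`. The `VirtualHost` and `Directory` opening and closing tags are not visible on this page, presumably stripped as markup, so which container the block sits in cannot be confirmed from here. A comment on the `SetEnv TRUSTED_PROXIES ${TRUSTED_PROXIES}` line noting that the value must stay aligned with the HAProxy and slirp4netns source addresses would help the next maintainer, since it presumably decides which `X-Forwarded-*` headers the application believes.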
diff --git a/files/shibboleth2.xml.gotmpl b/files/shibboleth2.xml.gotmpl new file mode 100644 index 0000000..175948e --- /dev/null +++ b/files/shibboleth2.xml.gotmpl @@ -0,0 +1,257 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..25fc327 --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,35 @@ +--- +- name: Restart HAProxy + service: + name: haproxy + state: restarted + +- name: Restart cadoles-pod-hydra-v1 + service: + name: cadoles-pod-hydra-v1 + state: restarted + +- name: Restart cadoles-pod-hydra-dispatcher-v1 + service: + name: cadoles-pod-hydra-dispatcher-v1 + state: restarted + +- name: Restart cadoles-pod-hydra-passwordless-v1 + service: + name: cadoles-pod-hydra-passwordless-v1 + state: restarted + +- name: Restart cadoles-pod-hydra-remote-user-v1 + service: + name: cadoles-pod-hydra-remote-user-v1 + state: restarted + +- name: Restart cadoles-pod-shibboleth-sp-v3 + service: + name: cadoles-pod-shibboleth-sp-v3 + state: restarted + +- name: Restart MySQL + service: + name: mysql + state: restarted \ No newline at end of file diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/meta/main.yml @@ -0,0 +1 @@ +--- diff --git a/tasks/hydra-passwordless.yml b/tasks/hydra-passwordless.yml new file mode 100644 index 0000000..0ef4108 --- /dev/null +++ b/tasks/hydra-passwordless.yml 
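Review bot: The `Restart MySQL` handler in handlers/main.yml is never notified by any task in this commit, so it is dead configuration; either drop it or add a comment stating which future task is expected to trigger it. The handlers use the short `service:` module name while the tasks mix `ansible.builtin.apt` with short names such as `template` and `file`; picking the FQCN form everywhere (`ansible.builtin.service`) keeps the role consistent and avoids collection-resolution surprises.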
@@ -0,0 +1,18 @@ +--- + +- name: Install cadoles-pod-hydra-passwordless-v1 package + ansible.builtin.apt: + name: + - cadoles-pod-hydra-passwordless-v1 + update_cache: yes + state: latest + +- name: Configure cadoles-pod-hydra-passwordless-v1 + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - src: cadoles-pod-hydra-passwordless-v1.conf.j2 + dest: /etc/cadoles-pod-hydra-passwordless-v1.conf + notify: + - Restart cadoles-pod-hydra-passwordless-v1 \ No newline at end of file diff --git a/tasks/hydra-saml.yml b/tasks/hydra-saml.yml new file mode 100644 index 0000000..009f1d8 --- /dev/null +++ b/tasks/hydra-saml.yml 
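Review bot: The `Configure cadoles-pod-hydra-passwordless-v1` template task writes `/etc/cadoles-pod-hydra-passwordless-v1.conf`, which per templates/cadoles-pod-hydra-passwordless-v1.conf.j2 carries the SMTP password, without `owner`/`group`/`mode`, so the file is created with the default umask-derived permissions, normally world-readable. Add `owner: root`, `group: root` and `mode: "0600"` to the `template` task; tasks/main.yml has the same gap for `/etc/cadoles-pod-hydra-v1.conf`, whose `HYDRA_DSN` embeds the database password. `state: latest` on the apt task also upgrades the package on every run, which is unusual for a configuration role; `state: present` is the idempotent choice unless a forced upgrade is intended.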
@@ -0,0 +1,55 @@ +--- + +- name: Install cadoles-pod-hydra-remote-user-v1 package + ansible.builtin.apt: + name: + - cadoles-pod-shibboleth-sp-v3 + - cadoles-pod-hydra-remote-user-v1 + update_cache: yes + state: latest + +- name: Configure cadoles-pod-hydra-remote-user-v1 + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - src: cadoles-pod-hydra-remote-user-v1.conf.j2 + dest: /etc/cadoles-pod-hydra-remote-user-v1.conf + - src: hydra-remote-user.yml.j2 + dest: /etc/hydra-remote-user/conf.d/remote-user.yml + notify: + - Restart cadoles-pod-hydra-remote-user-v1 + +- name: Configure cadoles-pod-hydra-remote-user-v1 (2) + ansible.builtin.copy: + src: hydra-remote-user-v1-apache.conf + dest: /etc/hydra-remote-user/apache.conf + notify: + - Restart cadoles-pod-hydra-remote-user-v1 + +- name: Create cadoles-pod-shibboleth-sp-v3 expected directories + file: + name: "{{ item }}" + state: directory + with_items: + - /etc/shibboleth + - /etc/shibboleth/credentials + +- name: Configure cadoles-pod-shibboleth-sp-v3 + ansible.builtin.template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - src: cadoles-pod-shibboleth-sp-v3.conf.j2 + dest: /etc/cadoles-pod-shibboleth-sp-v3.conf + - src: shibboleth-attribute-map.inc.xml.j2 + dest: /etc/shibboleth/attribute-map.inc.xml + notify: + - Restart cadoles-pod-shibboleth-sp-v3 + +- name: Configure cadoles-pod-shibboleth-sp-v3 (2) + ansible.builtin.copy: + src: shibboleth2.xml.gotmpl + dest: /etc/shibboleth/shibboleth2.xml.gotmpl + notify: + - Restart cadoles-pod-shibboleth-sp-v3 \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..65b3cb7 --- /dev/null +++ b/tasks/main.yml 
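Review bot: The `Create cadoles-pod-shibboleth-sp-v3 expected directories` task creates `/etc/shibboleth/credentials` with the default mode; doc/overview.plantuml shows the SP container creating its credential files there, which presumably includes the SP's private key, so the directory should be created with `mode: "0700"` and an explicit `owner` (whichever uid the container runs as — not visible here). The first task is named `Install cadoles-pod-hydra-remote-user-v1 package` but installs both `cadoles-pod-shibboleth-sp-v3` and `cadoles-pod-hydra-remote-user-v1`; a name such as `Install SAML authentication packages` would match what it does. The two tasks named `Configure … (2)` deploy files with `copy` while their siblings use `template`; a comment stating why these files are copied verbatim (the `.gotmpl` is presumably rendered inside the container) would stop a future reader from converting them.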
@@ -0,0 +1,98 @@ +--- + +- name: Add required utilities + ansible.builtin.apt: + name: + - gpg + - wget + - openssl + update_cache: yes + state: present + +- name: Add LetsEncrypt missing intermediate certificates + command: "bash -c 'wget -O- --no-check-certificate https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/common/add-letsencrypt-ca.sh | bash'" + args: + creates: /etc/ssl/certs/lets-encrypt-e1.pem.pem + +- name: Add cadoles-pod debian repository key + ansible.builtin.apt_key: + url: "{{ cadoles_pod_debian_repository_key_url }}" + state: present + +- name: Configure cadoles-pod debian repository + ansible.builtin.apt_repository: + repo: "deb {{ cadoles_pod_debian_repository_url }} {{ cadoles_pod_debian_repository }} main" + state: present + +- name: Install core packages + ansible.builtin.apt: + name: + - haproxy + - mariadb-server + - python3-pip + - cadoles-pod-hydra-v1 + - cadoles-pod-hydra-dispatcher-v1 + update_cache: yes + state: latest + +- name: Install PyMySQL python package + ansible.builtin.pip: + name: PyMySQL + +- name: Create Hydra database + community.mysql.mysql_db: + name: "{{ hydra_database_name }}" + login_unix_socket: /var/run/mysqld/mysqld.sock + state: present + +- name: Create Hydra database user + community.mysql.mysql_user: + name: "{{ hydra_database_user }}" + password: "{{ hydra_database_password }}" + login_unix_socket: /var/run/mysqld/mysqld.sock + priv: '{{ hydra_database_name }}.*:ALL,GRANT' + state: present + +- name: Configure HAProxy + template: + src: haproxy.cfg.j2 + dest: /etc/haproxy/haproxy.cfg + validate: "haproxy -c -f %s" + notify: + - Restart HAProxy + +- name: Configure cadoles-pod-hydra-v1 + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - src: cadoles-pod-hydra-v1.conf.j2 + dest: /etc/cadoles-pod-hydra-v1.conf + - src: oidc-test-client.json.j2 + dest: /etc/hydra/clients.d/oidc-test.json + notify: + - Restart cadoles-pod-hydra-v1 + +- name: Configure 
cadoles-pod-hydra-dispatcher-v1 + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - src: cadoles-pod-hydra-dispatcher-v1.conf.j2 + dest: /etc/cadoles-pod-hydra-dispatcher-v1.conf + - src: hydra-dispatcher-apps.yml.j2 + dest: /etc/hydra-dispatcher/conf.d/apps.yml + notify: + - Restart cadoles-pod-hydra-dispatcher-v1 + +- name: Configure passwordless authentification if enabled + ansible.builtin.include_tasks: hydra-passwordless.yml + when: enable_hydra_passwordless + +- name: Configure SAML authentification if enabled + ansible.builtin.include_tasks: hydra-saml.yml + when: enable_hydra_saml + +- name: Sart OIDC Test app if enabled + ansible.builtin.include_tasks: oidc-test.yml + when: enable_oidc_test_app diff --git a/tasks/oidc-test.yml b/tasks/oidc-test.yml new file mode 100644 index 0000000..5b8be05 --- /dev/null +++ b/tasks/oidc-test.yml @@ -0,0 +1,17 @@ +--- + +- name: Start oidc-test app + containers.podman.podman_container: + name: oidc-test + image: docker.io/bornholm/oidc-test:v0.0.0-2-gd0583cc + state: started + network: host + recreate: yes + env: + OIDC_CLIENT_ID: "{{ oidc_test_app_client_id }}" + OIDC_CLIENT_SECRET: "{{ oidc_test_app_client_secret }}" + LOG_LEVEL: 0 + OIDC_ISSUER_URL: "http://{{ public_host }}/" + OIDC_REDIRECT_URL: "http://{{ public_host }}:8080" + OIDC_POST_LOGOUT_REDIRECT_URL: "http://{{ public_host }}:8080" + HTTP_ADDRESS: 0.0.0.0:8080 \ No newline at end of file diff --git a/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2 b/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2 new file mode 100644 index 0000000..d4e5f5b --- /dev/null +++ b/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2 
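Review bot: The `Add LetsEncrypt missing intermediate certificates` task runs `wget -O- --no-check-certificate https://forge.cadoles.com/... | bash` as root, which fetches a script without validating the server certificate and executes it unseen; anyone able to interpose on that connection gets root on every host the role touches, and the step is not reproducible because the script content is fetched at run time. Vendor the script into files/ and run it with `ansible.builtin.script`, or at least download it with `ansible.builtin.get_url` using `checksum:` and no certificate-validation bypass; the missing-intermediate problem it works around can also be solved by shipping the certificate files with `copy`. The `creates: /etc/ssl/certs/lets-encrypt-e1.pem.pem` guard has a doubled extension — if the script writes `lets-encrypt-e1.pem`, the guard never matches and the download re-runs on every play; this cannot be confirmed without the script. Separately, the MySQL grant `'{{ hydra_database_name }}.*:ALL,GRANT'` gives the application user GRANT OPTION, which Hydra's migrations do not need; `ALL` alone is sufficient. `Sart OIDC Test app if enabled` is a typo for `Start`.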
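Review bot: In `Start oidc-test app` the `OIDC_ISSUER_URL`, `OIDC_REDIRECT_URL` and `OIDC_POST_LOGOUT_REDIRECT_URL` values hard-code `http://`, while templates/oidc-test-client.json.j2 registers the same client with `{{ public_scheme }}://…`; with `public_scheme: https` the issuer and redirect URIs no longer match and the test login fails. Use `"{{ public_scheme }}://{{ public_host }}/"` and `"{{ public_scheme }}://{{ public_host }}:8080"` here as well. The container runs with `network: host` and `HTTP_ADDRESS: 0.0.0.0:8080`, so a test application holding the client secret from defaults/main.yml listens on every interface of the host; since it is a test-only component, a default of `enable_oidc_test_app: no` keeps it off hosts where it is not wanted.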
@@ -0,0 +1,16 @@ +PODMAN_ARGS="\ + --name 'cadoles-pod-hydra-dispatcher-v1' \ + --replace \ + --network=slirp4netns:allow_host_loopback=true \ + -p 127.0.0.1:3000:80 \ + -v /etc/hydra-dispatcher/conf.d:/var/www/config/hydra \ + -e APP_ENV=prod \ + -e APP_DEBUG=yes \ + -e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:4445 \ + -e HYDRA_BASE_URL=http://10.0.2.2:4444 \ + -e HYDRA_REWRITE_ISSUER=no \ + -e HYDRA_ORIGINAL_ISSUER={{ public_scheme }}://{{ public_host }} \ + -e HYDRA_NEW_ISSUER={{ public_scheme }}://{{ public_host }} \ + -e 'ASSETS_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/dispatcher' \ + -e 'COOKIE_PATH=/auth/dispatcher' \ +" \ No newline at end of file diff --git a/templates/cadoles-pod-hydra-passwordless-v1.conf.j2 b/templates/cadoles-pod-hydra-passwordless-v1.conf.j2 new file mode 100644 index 0000000..9e64ef5 --- /dev/null +++ b/templates/cadoles-pod-hydra-passwordless-v1.conf.j2 @@ -0,0 +1,15 @@ +PODMAN_ARGS="\ + -p 127.0.0.1:3001:3000 \ + --network=slirp4netns:allow_host_loopback=true \ + --replace --name 'cadoles-pod-hydra-passwordless-v1' \ + -e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/passwordless \ + -e 'SMTP_HOST={{ hydra_passwordless_smtp_host }}' \ + -e 'SMTP_PORT={{ hydra_passwordless_smtp_port }}' \ + -e 'SMTP_USER={{ hydra_passwordless_smtp_user }}' \ + -e 'SMTP_PASSWORD={{ hydra_passwordless_smtp_password }}' \ + -e 'SMTP_INSECURE_SKIP_VERIFY={{ hydra_passwordless_smtp_insecure_skip_verify }}' \ + -e 'SMTP_SENDER_ADDRESS={{ hydra_passwordless_sender_address }}' \ + -e 'SMTP_USE_START_TLS={{ hydra_passwordless_smtp_use_start_tls }}' \ + -e 'SMTP_SENDER_NAME={{ hydra_passwordless_sender_name }}' \ + -e HYDRA_BASE_URL=http://10.0.2.2:3000 \ +" \ No newline at end of file diff --git a/templates/cadoles-pod-hydra-remote-user-v1.conf.j2 b/templates/cadoles-pod-hydra-remote-user-v1.conf.j2 new file mode 100644 index 0000000..c2946a1 --- /dev/null +++ b/templates/cadoles-pod-hydra-remote-user-v1.conf.j2 
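Review bot: `-e APP_DEBUG=yes` is set next to `-e APP_ENV=prod` in the dispatcher's PODMAN_ARGS, while templates/cadoles-pod-hydra-remote-user-v1.conf.j2 uses `APP_DEBUG=no` for the same kind of application; debug mode in a production profile typically enables verbose error pages that expose configuration and request data to whoever triggers an error. Set `-e APP_DEBUG=no \` here, or drive both files from one role variable so they stay consistent. The file also has no comment explaining the `10.0.2.2` addresses; one line such as `# 10.0.2.2 is the host loopback as seen from slirp4netns (allow_host_loopback=true)` would help, since the same literal appears in five templates and in defaults/main.yml.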
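Review bot: The SMTP password is passed as `-e 'SMTP_PASSWORD={{ hydra_passwordless_smtp_password }}'` inside PODMAN_ARGS, so it ends up on the podman command line, readable by any local user from the process list for as long as that process lives and present in any environment dump the service writes to its logs; templates/cadoles-pod-hydra-v1.conf.j2 has the same exposure with the database password inside `HYDRA_DSN`. Writing the secrets to a root-only env file and passing `--env-file /etc/cadoles-pod-hydra-passwordless-v1.env` (a constructed path) keeps them off the command line. The single-quoted form also breaks if the password itself contains a single quote; rendering the value through Ansible's `quote` filter instead of wrapping it by hand handles that case.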
@@ -0,0 +1,14 @@ +PODMAN_ARGS="\ + -p 127.0.0.1:3003:80 \ + --network=slirp4netns:allow_host_loopback=true \ + --replace --name 'cadoles-pod-hydra-remote-user-v1' \ + -v /etc/hydra-remote-user/conf.d:/var/www/config/remote_user \ + -v /etc/hydra-remote-user/apache.conf:/etc/apache2/sites-available/000-default.conf \ + -e APP_ENV=prod \ + -e APP_DEBUG=no \ + -e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/saml \ + -e COOKIE_PATH=/auth/saml \ + -e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:3000 \ + -e 'TRUSTED_PROXIES=127.0.0.1,10.0.2.0/24' \ + -e LOGOUT_REDIRECT_URL_PATTERN={{ public_scheme }}://{{ public_host }}/auth/saml/Shibboleth.sso/Logout?return=%s \ +" \ No newline at end of file diff --git a/templates/cadoles-pod-hydra-v1.conf.j2 b/templates/cadoles-pod-hydra-v1.conf.j2 new file mode 100644 index 0000000..79bdfc7 --- /dev/null +++ b/templates/cadoles-pod-hydra-v1.conf.j2 @@ -0,0 +1,18 @@ +PODMAN_ARGS="\ + --name 'cadoles-pod-hydra-v1' \ + --replace \ + --network=slirp4netns:allow_host_loopback=true \ + -p 127.0.0.1:4444:4444 \ + -p 127.0.0.1:4445:4445 \ + --tmpfs /tmp \ + -e 'HYDRA_DSN=mysql://{{ hydra_database_user }}:{{ hydra_database_password }}@tcp({{ hydra_database_host }}:{{ hydra_database_port }})/{{ hydra_database_name }}?parseTime=true' \ + -e LOG_LEVEL=debug \ + -e LOG_LEAK_SENSITIVE_VALUES=true \ + -e HYDRA_URLS_SELF_ISSUER={{ public_scheme }}://{{ public_host }} \ + -e HYDRA_URLS_CONSENT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/consent \ + -e HYDRA_URLS_LOGIN={{ public_scheme }}://{{ public_host }}/auth/dispatcher/login \ + -e HYDRA_URLS_LOGOUT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/logout \ + -e HYDRA_ALLOW_INSECURE=yes \ + -e HYDRA_LEVEL=debug \ + -v /etc/hydra/clients.d:/etc/hydra/clients.d \ +" \ No newline at end of file diff --git a/templates/cadoles-pod-shibboleth-sp-v3.conf.j2 b/templates/cadoles-pod-shibboleth-sp-v3.conf.j2 new file mode 100644 index 0000000..b5dc81c --- /dev/null 
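Review bot: The remote-user service publishes `127.0.0.1:3003` and, per templates/hydra-remote-user.yml.j2, identifies the user from the `subject-id` and `mail` request headers, which are presumably meant to be set only by the Shibboleth SP in front of it; any process on the host that can reach the loopback port can present those headers itself, so the SAML step is only as strong as access to 127.0.0.1:3003. `TRUSTED_PROXIES=127.0.0.1,10.0.2.0/24` does not change that, since it presumably governs `X-Forwarded-*` handling rather than who may assert the user. A shared secret header checked by the application, or a dedicated podman network shared only by the SP and this container instead of `slirp4netns` with host loopback, would close the gap; which of these the image supports is not visible here. A comment on the `-v …apache.conf:…000-default.conf` line stating that it replaces the image's default vhost would also help.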
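Review bot: `-e LOG_LEAK_SENSITIVE_VALUES=true` together with `-e LOG_LEVEL=debug` and `-e HYDRA_LEVEL=debug` turns on Hydra's logging of sensitive values such as cookies and URL parameters, and this template is the only production configuration the role has; the container's logs then become a second copy of the credentials Hydra handles. Set `-e LOG_LEAK_SENSITIVE_VALUES=false \` and `-e LOG_LEVEL=info \` here, or expose them as role variables that default to the safe values. `-e HYDRA_ALLOW_INSECURE=yes` is needed only while `public_scheme` is `http`; tying it to that variable, e.g. `-e HYDRA_ALLOW_INSECURE={{ 'yes' if public_scheme == 'http' else 'no' }} \`, stops it from staying on once TLS is added. `HYDRA_LEVEL` appears in no other template and may be a leftover — worth confirming against the image's documented variables.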
+++ b/templates/cadoles-pod-shibboleth-sp-v3.conf.j2 @@ -0,0 +1,13 @@ +PODMAN_ARGS="\ + -p 127.0.0.1:3002:80 \ + --network=slirp4netns:allow_host_loopback=true \ + --replace --name 'cadoles-pod-shibboleth-sp-v3' \ + -e 'SP_ENTITY_ID={{ public_scheme }}://{{ public_host }}/auth/saml' \ + -e 'IDP_ENTITY_ID={{ hydra_saml_idp_entity_id }}' \ + -e 'IDP_METADATA_URL={{ hydra_saml_idp_metadata_url }}' \ + -e 'APACHE_BACKEND_URL=http://10.0.2.2:3003' \ + -e 'SP_HANDLER_BASE_PATH=/auth/saml' \ + -v '/etc/shibboleth/attribute-map.inc.xml:/etc/shibboleth/attribute-map.inc.xml' \ + -v '/etc/shibboleth/shibboleth2.xml.gotmpl:/etc/shibboleth/shibboleth2.xml.gotmpl' \ + -v '/etc/shibboleth/credentials:/etc/shibboleth/credentials' \ +" \ No newline at end of file diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2 new file mode 100644 index 0000000..079b38e --- /dev/null +++ b/templates/haproxy.cfg.j2 
@@ -0,0 +1,115 @@ +global + log /dev/log local0 + log /dev/log local1 notice + chroot /var/lib/haproxy + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners + stats timeout 30s + user haproxy + group haproxy + daemon + + # Default SSL material locations + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + + # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate + ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 + ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets + +defaults + log global + mode http + option httplog + option dontlognull + timeout connect 5000 + timeout client 50000 + timeout server 50000 + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http + +frontend http-in + bind 0.0.0.0:80 + mode http + + maxconn 2000 + + acl login_dispatcher path_beg -i /auth/dispatcher + {% if enable_hydra_passwordless %} + acl login_passwordless path_beg -i /auth/passwordless + {% endif %} + {% if enable_hydra_saml %} + acl login_saml path_beg -i /auth/saml + {% endif %} + + use_backend hydra_dispatcher if login_dispatcher + {% if enable_hydra_passwordless %} + use_backend hydra_passwordless if login_passwordless + {% endif %} + {% if enable_hydra_saml %} + use_backend hydra_saml if login_saml + {% endif %} + use_backend hydra + +# Backend Hydra +backend hydra + balance roundrobin + + # Headers HTTP des requêtes + option forwardfor + 
http-request set-header X-Forwarded-Port %[dst_port] + http-request add-header X-Forwarded-Proto http + http-request set-header X-Forwarded-Host %[req.hdr(Host)] + + server hydra 127.0.0.1:4444 check + +# Backend Hydra Dispatcher +backend hydra_dispatcher + balance roundrobin + + # Headers HTTP des requêtes + option forwardfor + http-request set-header X-Forwarded-Port %[dst_port] + http-request add-header X-Forwarded-Proto http + http-request set-header X-Forwarded-Host %[req.hdr(Host)] + + # Suppression du préfixe /auth/dispatcher dans l'URL + http-request set-path %[path,regsub(^/auth/dispatcher/,/)] + + server hydra-login-dispatcher 127.0.0.1:3000 check + +{% if enable_hydra_passwordless %} +# Backend Hydra Passwordless +backend hydra_passwordless + balance roundrobin + + # Headers HTTP des requêtes + option forwardfor + http-request set-header X-Forwarded-Port %[dst_port] + http-request add-header X-Forwarded-Proto http + http-request set-header X-Forwarded-Host %[req.hdr(Host)] + + # Suppression du préfixe /auth/passwordless dans l'URL + http-request set-path %[path,regsub(^/auth/passwordless,)] + + server hydra-login-passwordless 127.0.0.1:3001 check +{%- endif %} + +{% if enable_hydra_saml %} +# Backend Hydra SAML +backend hydra_saml + balance roundrobin + + # Headers HTTP des requêtes + option forwardfor + http-request set-header X-Forwarded-Port %[dst_port] + http-request add-header X-Forwarded-Proto http + http-request set-header X-Forwarded-Host %[req.hdr(Host)] + + server hydra-login-saml 127.0.0.1:3002 check +{%- endif %} diff --git a/templates/hydra-dispatcher-apps.yml.j2 b/templates/hydra-dispatcher-apps.yml.j2 new file mode 100644 index 0000000..81bfad1 --- /dev/null +++ b/templates/hydra-dispatcher-apps.yml.j2 
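Review bot: Each backend sets `http-request add-header X-Forwarded-Proto http`: the value is hard-coded although the role has `public_scheme`, so a deployment behind a TLS terminator keeps telling the backends they were reached over http and the issuer and redirect URLs they build stay `http://`; and `add-header` appends rather than replaces, so a client-supplied `X-Forwarded-Proto` reaches the backend alongside HAProxy's value. Use `http-request set-header X-Forwarded-Proto {{ public_scheme }}` in all four backends, which both parameterizes the scheme and discards whatever the client sent. `option forwardfor` likewise appends to an existing `X-Forwarded-For`; a `http-request del-header X-Forwarded-For` before it is the usual treatment unless a trusted upstream proxy is expected to supply it, in which case a comment should say so.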
@@ -0,0 +1,26 @@ +hydra: + apps: +{% if enable_hydra_passwordless %} + - id: passwordless + title: "{{ hydra_passwordless_app_title }}" + description: "{{ hydra_passwordless_app_description }}" + login_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/login + consent_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/consent + logout_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/logout + attributes_rewrite_rules: + email: + - consent.session.id_token.email + icon_url: "{{ hydra_passwordless_app_icon_url }}" +{% endif %} +{% if enable_hydra_saml %} + - id: saml + title: "{{ hydra_saml_app_title }}" + description: "{{ hydra_saml_app_description }}" + login_url: {{ public_scheme }}://{{ public_host }}/auth/saml/login + consent_url: {{ public_scheme }}://{{ public_host }}/auth/saml/consent + logout_url: {{ public_scheme }}://{{ public_host }}/auth/saml/logout + attributes_rewrite_rules: + email: + - consent.session.id_token.email + icon_url: "{{ hydra_saml_app_icon_url }}" +{% endif %} \ No newline at end of file diff --git a/templates/hydra-remote-user.yml.j2 b/templates/hydra-remote-user.yml.j2 new file mode 100644 index 0000000..6d320c5 --- /dev/null +++ b/templates/hydra-remote-user.yml.j2 @@ -0,0 +1,6 @@ +remote_user: + subject_header: subject-id + headers_attributes_mapping: + - header: mail + attribute: email + required: true \ No newline at end of file diff --git a/templates/oidc-test-client.json.j2 b/templates/oidc-test-client.json.j2 new file mode 100644 index 0000000..22aaa61 --- /dev/null +++ b/templates/oidc-test-client.json.j2 
@@ -0,0 +1,19 @@ +{ + "client_id": "{{ oidc_test_app_client_id }}", + "client_name": "OIDC Test", + "client_secret": "{{ oidc_test_app_client_secret }}", + "grant_types": [ + "authorization_code", + "refresh_token" + ], + "jwks": {}, + "metadata": {}, + "post_logout_redirect_uris": ["{{ public_scheme }}://{{ public_host }}:8080"], + "redirect_uris": ["{{ public_scheme }}://{{ public_host }}:8080/oauth2/callback"], + "response_types": [ + "code" + ], + "logo_uri": "https://www.cadoles.com/images/logo.svg", + "scope": "openid profile email", + "token_endpoint_auth_method": "client_secret_post" +} \ No newline at end of file diff --git a/templates/shibboleth-attribute-map.inc.xml.j2 b/templates/shibboleth-attribute-map.inc.xml.j2 new file mode 100644 index 0000000..261c341 --- /dev/null +++ b/templates/shibboleth-attribute-map.inc.xml.j2 @@ -0,0 +1,2 @@ + + \ No newline at end of file
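Review bot: The values in `"client_id": "{{ oidc_test_app_client_id }}"` and `"client_secret": "{{ oidc_test_app_client_secret }}"` are interpolated into JSON string literals without escaping, so a secret containing `"` or `\` produces an invalid clients.d file and the client import fails (or loads a truncated secret, depending on the parser). Render them with the `to_json` filter and drop the surrounding quotes: `"client_secret": {{ oidc_test_app_client_secret | to_json }},`; the same applies to the `{{ public_scheme }}://{{ public_host }}` URIs if `public_host` is ever overridden with a value containing such characters, though the default is an IP address. `"token_endpoint_auth_method": "client_secret_post"` sends the secret in the request body; `client_secret_basic` is the more common default, so a comment stating why post was chosen (if the test app requires it) would help.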