--- # cadoles-pod repository configuration cadoles_pod_debian_repository_url: https://vulcain.cadoles.com cadoles_pod_debian_repository: bullseye-dev cadoles_pod_debian_repository_key_url: https://vulcain.cadoles.com/cadoles.gpg # packages versions haproxy_package_version: '*' cadoles_pod_hydra_v1_package_version: '*' cadoles_pod_hydra_dispatcher_v1_package_version: '*' cadoles_pod_shibboleth_sp_v3_package_version: '*' cadoles_pod_hydra_remote_user_v1_package_version: '*' cadoles_pod_hydra_passwordless_v1_package_version: '*' cadoles_pod_hydra_oidc_v1_package_version: '*' # Hydra database configuration hydra_use_external_database: no hydra_database_name: hydra hydra_database_user: hydra hydra_database_password: hydra hydra_database_host: 10.0.2.2 hydra_database_port: 3306 # HAProxy configuration haproxy_public_base_url: http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }} haproxy_hydra_base_path: /auth haproxy_hydra_dispatcher_base_path: /auth/dispatcher haproxy_hydra_passwordless_base_path: /auth/passwordless haproxy_hydra_saml_base_path: /auth/saml haproxy_hydra_oidc_base_path: /auth/oidc haproxy_oidc_test_base_path: /auth/test haproxy_forwarded_proto: https haproxy_forwarded_host: "%[req.hdr(Host)]" haproxy_forwarded_port: "%[dst_port]" # Hydra OIDC configuration hydra_urls_self_issuer_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_base_path }}" hydra_urls_consent: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/consent" hydra_urls_login: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/login" hydra_urls_logout: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/logout" hydra_log_level: warn hydra_log_leak_sensitive_values: no # This value should not be changed after first deployment ! hydra_secrets_seed: "{{ inventory_hostname }}" # Hydra clients hydra_clients: - client_id: default-client client_name: Default client # Hydra dispatcher configuration hydra_dispatcher_cookie_path: "{{ haproxy_hydra_dispatcher_base_path }}" hydra_dispatcher_debug: no hydra_dispatcher_admin_authorized_hosts: - '10.0.0.0/8' - '172.16.0.0/12' - '192.168.0.0/16' hydra_dispatcher_default_locale: fr hydra_dispatcher_available_locales: - fr - en # Hydra Passwordless configuration enable_hydra_passwordless: yes hydra_passwordless_app_title: Adresse courriel hydra_passwordless_app_description: Authentification via adresse courriel hydra_passwordless_app_icon_url: https://upload.wikimedia.org/wikipedia/commons/4/48/You%27ve_got_mail.png hydra_passwordless_smtp_host: smtp-server hydra_passwordless_smtp_port: 25 hydra_passwordless_smtp_user: smtp-user hydra_passwordless_smtp_password: smtp-password hydra_passwordless_smtp_insecure_skip_verify: no hydra_passwordless_smtp_use_start_tls: no hydra_passwordless_sender_address: noreply@localhost hydra_passwordless_sender_name: "[hydra-passwordless]" hydra_passwordless_attributes_rewrite_rules: email: - consent.session.id_token.email # Hydra SAML configuration enable_hydra_saml: yes hydra_saml_app_title: SAML hydra_saml_app_description: Authentification via SAML hydra_saml_app_icon_url: hydra_saml_idp_entity_id: https://samltest.id/saml/idp hydra_saml_idp_metadata_url: https://samltest.id/saml/idp # Liste des URLs autorisées pour la redirection post-login/logout sur le service shibboleth-sp hydra_saml_allowed_redirects: [] # Chemin associé au cookie du service hydra-remote-user hydra_saml_cookie_path: "{{ haproxy_hydra_saml_base_path }}" # Activer/désactiver le mode "debug" du service shibboleth-sp hydra_saml_debug: no # Niveau de verbosité du service shibboleth-sp hydra_saml_sp_log_level: WARN # Inclure les règles de cartographie des attributs SAML fournis par défaut par le projet hydra-shibboleth-sp-v3 hydra_saml_include_sp_default_attributes_mapping: "yes" # Inclure les règles de filtrages des attributs SAML fournis par défaut par le projet hydra-shibboleth-sp-v3 hydra_saml_include_sp_default_attributes_policy: "yes" # Règles de sélection et réécritures des attributs du jeton OIDC # en provenance de la login-app sélectionnée hydra_saml_attributes_rewrite_rules: email: - consent.session.id_token.email # Entête HTTP utilisée pour identifier l'utilisateur connecté hydra_saml_subject_header: subject-id # Liste des entêtes HTTP utilisées et transformées en attributs # pour le jeton OIDC hydra_saml_headers_attributes_mapping: - header: mail attribute: email required: true saml_attributes: - id: uid name: urn:oid:0.9.2342.19200300.100.1.1 nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri - id: mail name: urn:oid:0.9.2342.19200300.100.1.3 nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri saml_attribute_policies: [] # OIDC Test configuration enable_oidc_test_app: yes oidc_test_app_client_id: oidc-test oidc_test_app_client_secret: '$oidc-test&123456$' oidc_test_app_public_base_url: "{{ haproxy_public_base_url }}{{ haproxy_oidc_test_base_path }}" # Hydra OIDC configuration enable_hydra_oidc: no hydra_oidc_debug: no hydra_oidc_cookie_path: "{{ haproxy_hydra_oidc_base_path }}" hydra_oidc_app_title: OpenID Connect hydra_oidc_app_description: Authentification via OpenID Connect hydra_oidc_app_icon_url: https://openid.net/wordpress-content/uploads/2014/09/openid-r-logo-900x360.png hydra_oidc_authorize_endpoint: hydra_oidc_token_endpoint: hydra_oidc_userinfo_endpoint: hydra_oidc_logout_endpoint: hydra_oidc_post_logout_redirect_url: hydra_oidc_scope: openid email hydra_oidc_client_id: hydra_oidc_client_secret: hydra_oidc_attributes_rewrite_rules: email: - consent.session.id_token.email family_name: - consent.session.id_token.family_name given_name: - consent.session.id_token.given_name birthdate: - consent.session.id_token.birthdate gender: - consent.session.id_token.gender birthplace: - consent.session.id_token.birthplace birthcountry: - consent.session.id_token.birthcountry