ansible-role-sso/defaults/main.yml

137 lines
4.7 KiB
YAML

---
# cadoles-pod repository configuration
cadoles_pod_debian_repository_url: https://vulcain.cadoles.com
cadoles_pod_debian_repository: bullseye-dev
cadoles_pod_debian_repository_key_url: https://vulcain.cadoles.com/cadoles.gpg
# packages versions
haproxy_package_version: '*'
cadoles_pod_hydra_v1_package_version: '*'
cadoles_pod_hydra_dispatcher_v1_package_version: '*'
cadoles_pod_shibboleth_sp_v3_package_version: '*'
cadoles_pod_hydra_remote_user_v1_package_version: '*'
cadoles_pod_hydra_passwordless_v1_package_version: '*'
# Hydra database configuration
hydra_use_external_database: no
hydra_database_name: hydra
hydra_database_user: hydra
hydra_database_password: hydra
hydra_database_host: 10.0.2.2
hydra_database_port: 3306
# HAProxy configuration
haproxy_public_base_url: http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}
haproxy_hydra_base_path: /auth
haproxy_hydra_dispatcher_base_path: /auth/dispatcher
haproxy_hydra_passwordless_base_path: /auth/passwordless
haproxy_hydra_saml_base_path: /auth/saml
haproxy_oidc_test_base_path: /auth/oidc-test
haproxy_forwarded_proto: https
haproxy_forwarded_host: "%[req.hdr(Host)]"
haproxy_forwarded_port: "%[dst_port]"
# Hydra OIDC configuration
hydra_urls_self_issuer_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_base_path }}"
hydra_urls_consent: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/consent"
hydra_urls_login: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/login"
hydra_urls_logout: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/logout"
hydra_log_level: warn
hydra_log_leak_sensitive_values: no
# This value should not be changed after first deployment !
hydra_secrets_seed: "{{ inventory_hostname }}"
# Hydra clients
hydra_clients:
- client_id: default-client
client_name: Default client
# Hydra dispatcher configuration
hydra_dispatcher_cookie_path: "{{ haproxy_hydra_dispatcher_base_path }}"
hydra_dispatcher_debug: no
# Hydra Passwordless configuration
enable_hydra_passwordless: yes
hydra_passwordless_app_title: Adresse courriel
hydra_passwordless_app_description: Authentification via adresse courriel
hydra_passwordless_app_icon_url: https://upload.wikimedia.org/wikipedia/commons/4/48/You%27ve_got_mail.png
hydra_passwordless_smtp_host: smtp-server
hydra_passwordless_smtp_port: 25
hydra_passwordless_smtp_user: smtp-user
hydra_passwordless_smtp_password: smtp-password
hydra_passwordless_smtp_insecure_skip_verify: no
hydra_passwordless_smtp_use_start_tls: no
hydra_passwordless_sender_address: noreply@localhost
hydra_passwordless_sender_name: "[hydra-passwordless]"
hydra_passwordless_attributes_rewrite_rules:
email:
- consent.session.id_token.email
# Hydra SAML configuration
enable_hydra_saml: yes
hydra_saml_app_title: SAML
hydra_saml_app_description: Authentification via SAML
hydra_saml_app_icon_url:
hydra_saml_idp_entity_id: https://samltest.id/saml/idp
hydra_saml_idp_metadata_url: https://samltest.id/saml/idp
# Liste des URLs autorisées pour la redirection post-login/logout sur le service shibboleth-sp
hydra_saml_allowed_redirects: []
# Chemin associé au cookie du service hydra-remote-user
hydra_saml_cookie_path: "{{ haproxy_hydra_saml_base_path }}"
# Activer/désactiver le mode "debug" du service shibboleth-sp
hydra_saml_debug: no
# Niveau de verbosité du service shibboleth-sp
hydra_saml_sp_log_level: WARN
# Inclure les règles de cartographie des attributs SAML fournis par défaut par le projet hydra-shibboleth-sp-v3
hydra_saml_include_sp_default_attributes_mapping: "yes"
# Inclure les règles de filtrages des attributs SAML fournis par défaut par le projet hydra-shibboleth-sp-v3
hydra_saml_include_sp_default_attributes_policy: "yes"
# Règles de sélection et réécritures des attributs du jeton OIDC
# en provenance de la login-app sélectionnée
hydra_saml_attributes_rewrite_rules:
email:
- consent.session.id_token.email
# Entête HTTP utilisée pour identifier l'utilisateur connecté
hydra_saml_subject_header: subject-id
# Liste des entêtes HTTP utilisées et transformées en attributs
# pour le jeton OIDC
hydra_saml_headers_attributes_mapping:
- header: mail
attribute: email
required: true
saml_attributes:
- id: uid
name: urn:oid:0.9.2342.19200300.100.1.1
nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
- id: mail
name: urn:oid:0.9.2342.19200300.100.1.3
nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
saml_attribute_policies: []
# OIDC Test configuration
enable_oidc_test_app: yes
oidc_test_app_client_id: oidc-test
oidc_test_app_client_secret: '$oidc-test&123456$'
oidc_test_app_public_base_url: "{{ haproxy_public_base_url }}{{ haproxy_oidc_test_base_path }}"