plugins/frontends/saml2_frontend.yaml

1. module: satosa.frontends.saml2.SAMLFrontend
2. name: Saml2IDP
3. config:
4.  #acr_mapping:
5.   #  "": default-LoA
6.   #  "https://accounts.google.com": LoA1
7.  
8.   endpoints:
9.     single_sign_on_service:
10.       'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post
11.       'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect
12.  
13.   # If configured and not false or empty the common domain cookie _saml_idp will be set
14.   # with or have appended the IdP used for authentication. The default is not to set the
15.   # cookie. If the value is a dictionary with key 'domain' then the domain for the cookie
16.   # will be set to the value for the 'domain' key. If no 'domain' is set then the domain
17.   # from the BASE defined for the proxy will be used.
18.   #common_domain_cookie:
19.   #  domain: .example.com
20.  
21.   entityid_endpoint: true
22.   enable_metadata_reload: no
23.  
24.   idp_config:
25.     organization: {display_name: My Company, name: My Company, url: 'https://example.com'}
26.     contact_person:
27.     - {contact_type: technical, email_address: 'mailto:[email protected]', given_name: Technical}
28.     - {contact_type: support, email_address: 'mailto:[email protected]', given_name: Support}
29.     key_file: /home/satosa/satosa/satosa_config/plugins/frontends/frontend.key
30.     cert_file: /home/satosa/satosa/satosa_config/plugins/frontends/frontend.crt
31.     encryption_keypairs:
32.     - {'key_file': /home/satosa/satosa/satosa_config/plugins/frontends/frontend.key, 'cert_file': /home/satosa/satosa/satosa_config/plugins/frontends/frontend.crt}
33.     metadata:
34.       remote:
35.         - url: "https://gitlab.example.com/users/auth/saml/metadata"
36.           cert: null
37.     attribute_map_dir: /home/satosa/satosa/satosa_config/attribute-maps
38.  
39.     entityid: https://auth.example.com/saml/proxy.xml
40.     accepted_time_diff: 60
41.     service:
42.       idp:
43.         endpoints:
44.           single_sign_on_service: []
45.         name: IdP Proxy for GitLab
46.         ui_info:
47.           display_name:
48.             - lang: en
49.               text: "IdP Proxy for Gitlab"
50.           description:
51.             - lang: en
52.               text: "IdP Proxy for GitLab"
53.           information_url:
54.             - lang: en
55.               text: "https://example.com"
56.           logo:
57.             text: "http://idp.logo.url/"
58.             width: "100"
59.             height: "100"
60.         name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
61.  
62.         signing_algorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
63.         digest_algorithm: "http://www.w3.org/2001/04/xmlenc#sha256"
64.  
65.         policy:
66.           default:
67.             attribute_restrictions: null
68.             fail_on_missing_requested: false
69.             lifetime: {minutes: 15}
70.             name_form: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
71.             encrypt_assertion: false
72.             encrypted_advice_attributes: false
73.             sign_response: True
74.             sign_assertion: True