From 7b34c7b5adc816a761e07284a865b9725f80a387 Mon Sep 17 00:00:00 2001
From: arbulu89
Date: Tue, 24 Sep 2024 14:43:28 +0200
Subject: [PATCH] Add SAML integration installation fields
---
README.md | 21 +++++++++++++++++++++
roles/app/defaults/main.yml | 22 ++++++++++++++++++++++
roles/app/tasks/docker.yml | 25 +++++++++++++++++++++++++
roles/app/templates/trento-web.j2 | 25 +++++++++++++++++++++++++
4 files changed, 93 insertions(+)
diff --git a/README.md b/README.md
index 814c4a3..748f4b2 100644
--- a/README.md
+++ b/README.md
@@ -259,6 +259,27 @@ These variables are the defaults of our roles, if you want to override the prope
 | oauth2_token_url | OAUTH2 token url, required when enable_oauth2 is true | |
 | oauth2_user_url | OAUTH2 user information url, required when enable_oauth2 is true | |
 | oauth2_scopes | OAUTH2 scopes, required when enable_oauth2 is true | "profile email" |
+| enable_saml | Enable SAML integration, this disables the username/password authentication method (self exclusive SSO type) | false |
+| saml_idp_id | SAML IDP id, required when enable_saml is true | |
+| saml_idp_nameid_format | SAML IDP name id format, used to interpret the attribute name. Whole urn string must be used | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
+| saml_sp_dir | SAML SP directory, where SP specific required files (such as certificates and metadata file) are placed | /etc/trento/trento-web/saml |
+| saml_sp_id | SAML SP id, required when enable_saml is true | |
+| saml_sp_entity_id | SAML SP entity id | |
+| saml_sp_contact_name | SAML SP contact name | "Trento SP Admin" |
+| saml_sp_contact_email | SAML SP contact email | "admin@trento.suse.com" |
+| saml_sp_org_name | SAML SP organization name | "Trento SP" |
+| saml_sp_org_displayname | SAML SP organization display name | "SAML SP build with Trento" |
+| saml_sp_org_url | SAML SP organization url | https://www.trento-project.io/ |
+| saml_username_attr_name | SAML user profile "username" attribute field name. This attribute must exist in the IDP user | username |
+| saml_email_attr_name | SAML user profile "email" attribute field name. This attribute must exist in the IDP user | email |
+| saml_firstname_attr_name | SAML user profile "first name" attribute field name. This attribute must exist in the IDP user | firstName |
+| saml_lastname_attr_name | SAML user profile "last name" attribute field name. This attribute must exist in the IDP user | lastName |
+| saml_metadata_url | URL to retrieve the SAML metadata xml file. 
One of `saml_metadata_url` or `saml_metadata_content` is required | |
+| saml_metadata_content | One line string containing the SAML metadata xml file content (`saml_metadata_url` has precedence over this) | |
+| saml_sign_requests | Sign SAML requests in the SP side | true |
+| saml_sign_metadata | Sign SAML metadata documents in the SP side | true |
+| saml_signed_assertion | Require to receive SAML assertion signed from the IDP. Set to false if the IDP doesn't sign the assertion | true |
+| saml_signed_envelopes | Require to receive SAML envelopes signed from the IDP. Set to false if the IDP doesn't sign the envelopes | true |
 | install_nginx | Install nginx | true |
 | nginx_ssl_cert_as_base64 | Nginx SSL certificate provided as base64 string | false |
 | nginx_ssl_key_as_base64 | Nginx SSL key provided as base64 string | false |
diff --git a/roles/app/defaults/main.yml b/roles/app/defaults/main.yml
index 0229949..b5c7f59 100644
--- a/roles/app/defaults/main.yml
+++ b/roles/app/defaults/main.yml
@@ -35,3 +35,25 @@ oauth2_authorize_url: ""
 oauth2_token_url: ""
 oauth2_user_url: ""
 oauth2_scopes: "profile email"
+enable_saml: "false"
+saml_idp_id: ""
+saml_idp_nameid_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+saml_sp_dir: "/etc/trento/trento-web/saml"
+saml_sp_id: ""
+saml_sp_entity_id: ""
+saml_sp_contact_name: "Trento SP Admin"
+saml_sp_contact_email: "admin@trento.suse.com"
+saml_sp_org_name: "Trento SP"
+saml_sp_org_displayname: "SAML SP build with Trento"
+saml_sp_org_url: "https://www.trento-project.io/"
+saml_username_attr_name: "username"
+saml_email_attr_name: "email"
+saml_firstname_attr_name: "firstName"
+saml_lastname_attr_name: "lastName"
+saml_metadata_url: ""
+saml_metadata_content: ""
+saml_sign_requests: "true"
+saml_sign_metadata: "true"
+saml_signed_assertion: "true"
+saml_signed_envelopes: "true"
+
diff --git a/roles/app/tasks/docker.yml b/roles/app/tasks/docker.yml
index 003424f..fd33218 100644
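Review bot: The two IdP-signature knobs `saml_signed_assertion` and `saml_signed_envelopes` are the only settings that make the SP verify what the IdP sends back, yet the defaults carry no warning and the README rows in this same commit tell operators to set each to false when the IdP does not sign; nothing stops both being disabled at once. Add a comment above them in `defaults/main.yml` such as `# Do not disable both: with neither the assertion nor the response envelope required to be signed, the SP has no cryptographic check on the IdP response.` Similarly, `saml_metadata_url` should note that the fetched metadata carries the IdP signing certificate, so it must be an https URL (or the content pinned through `saml_metadata_content`) to rule out substitution over plain HTTP. The trailing empty `+` line at the end of the hunk is whitespace noise.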
--- a/roles/app/tasks/docker.yml
+++ b/roles/app/tasks/docker.yml
@@ -114,3 +114,28 @@
 OAUTH2_TOKEN_URL: "{{ oauth2_token_url }}"
 OAUTH2_USER_URL: "{{ oauth2_user_url }}"
 OAUTH2_SCOPES: "{{ oauth2_scopes }}"
+ ENABLE_SAML: "{{ enable_saml }}"
+ SAML_IDP_ID: "{{ saml_idp_id }}"
+ SAML_IDP_NAMEID_FORMAT: "{{ saml_idp_nameid_format }}"
+ SAML_SP_DIR: "{{ saml_sp_dir }}"
+ SAML_SP_ID: "{{ saml_sp_id }}"
+ SAML_SP_ENTITY_ID: "{{ saml_sp_entity_id }}"
+ SAML_SP_CONTACT_NAME: "{{ saml_sp_contact_name }}"
+ SAML_SP_CONTACT_EMAIL: "{{ saml_sp_contact_email }}"
+ SAML_SP_ORG_NAME: "{{ saml_sp_org_name }}"
+ SAML_SP_ORG_DISPLAYNAME: "{{ saml_sp_org_displayname }}"
+ SAML_SP_ORG_URL: "{{ saml_sp_org_url }}"
+ SAML_USERNAME_ATTR_NAME: "{{ saml_username_attr_name }}"
+ SAML_EMAIL_ATTR_NAME: "{{ saml_email_attr_name }}"
+ SAML_FIRSTNAME_ATTR_NAME: "{{ saml_firstname_attr_name }}"
+ SAML_LASTNAME_ATTR_NAME: "{{ saml_lastname_attr_name }}"
+ {% if saml_metadata_url %}
+ SAML_METADATA_URL: "{{ saml_metadata_url }}"
+ {% endif %}
+ {% if saml_metadata_content %}
+ SAML_METADATA_CONTENT: "{{ saml_metadata_content }}"
+ {% endif %}
+ SAML_SIGN_REQUESTS: "{{ saml_sign_requests }}"
+ SAML_SIGN_METADATA: "{{ saml_sign_metadata }}"
+ SAML_SIGNED_ASSERTION: "{{ saml_signed_assertion }}"
+ SAML_SIGNED_ENVELOPES: "{{ saml_signed_envelopes }}"
diff --git a/roles/app/templates/trento-web.j2 b/roles/app/templates/trento-web.j2
index 14d2c61..bd290b9 100644
--- a/roles/app/templates/trento-web.j2
+++ b/roles/app/templates/trento-web.j2
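Review bot: The `{% if saml_metadata_url %}` / `{% endif %}` lines added inside the `env:` mapping are Jinja statement blocks in an Ansible task file, and task files are loaded by the YAML parser before any templating happens; a value beginning with `{%` is not valid YAML in that position, so this will most likely fail to load rather than act as a conditional (the `{% ... %}` form is only meaningful in templates such as the `.j2` file changed in this same commit). Express the optionality with a filter instead, e.g. `SAML_METADATA_URL: "{{ saml_metadata_url | default(omit, true) }}"` and `SAML_METADATA_CONTENT: "{{ saml_metadata_content | default(omit, true) }}"`, so an empty variable drops the key; if `omit` is not honoured inside a nested `env` dict on the Ansible version the role targets, build the two keys with `combine` instead. Neither path checks that at least one metadata source is set when `enable_saml` is true, which the README rows in this commit document as required; a preceding `assert` task would fail the play early instead of starting the SP without IdP metadata. The task that owns this `env:` block starts outside the hunk.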
@@ -30,3 +30,28 @@ OAUTH2_AUTHORIZE_URL={{ oauth2_authorize_url }}
 OAUTH2_TOKEN_URL={{ oauth2_token_url }}
 OAUTH2_USER_URL={{ oauth2_user_url }}
 OAUTH2_SCOPES={{ oauth2_scopes }}
+ENABLE_SAML: "{{ enable_saml }}"
+SAML_IDP_ID: "{{ saml_idp_id }}"
+SAML_IDP_NAMEID_FORMAT: "{{ saml_idp_nameid_format }}"
+SAML_SP_DIR: "{{ saml_sp_dir }}"
+SAML_SP_ID: "{{ saml_sp_id }}"
+SAML_SP_ENTITY_ID: "{{ saml_sp_entity_id }}"
+SAML_SP_CONTACT_NAME: "{{ saml_sp_contact_name }}"
+SAML_SP_CONTACT_EMAIL: "{{ saml_sp_contact_email }}"
+SAML_SP_ORG_NAME: "{{ saml_sp_org_name }}"
+SAML_SP_ORG_DISPLAYNAME: "{{ saml_sp_org_displayname }}"
+SAML_SP_ORG_URL: "{{ saml_sp_org_url }}"
+SAML_USERNAME_ATTR_NAME: "{{ saml_username_attr_name }}"
+SAML_EMAIL_ATTR_NAME: "{{ saml_email_attr_name }}"
+SAML_FIRSTNAME_ATTR_NAME: "{{ saml_firstname_attr_name }}"
+SAML_LASTNAME_ATTR_NAME: "{{ saml_lastname_attr_name }}"
+{% if saml_metadata_url %}
+SAML_METADATA_URL: "{{ saml_metadata_url }}"
+{% endif %}
+{% if saml_metadata_content %}
+SAML_METADATA_CONTENT: "{{ saml_metadata_content }}"
+{% endif %}
+SAML_SIGN_REQUESTS: "{{ saml_sign_requests }}"
+SAML_SIGN_METADATA: "{{ saml_sign_metadata }}"
+SAML_SIGNED_ASSERTION: "{{ saml_signed_assertion }}"
+SAML_SIGNED_ENVELOPES: "{{ saml_signed_envelopes }}"
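Review bot: Every line added to `trento-web.j2` uses YAML mapping syntax (`ENABLE_SAML: "{{ enable_saml }}"`), while the three context lines show the file is a `KEY=value` environment file (`OAUTH2_SCOPES={{ oauth2_scopes }}`); the new entries will therefore not be read as variables by whatever consumes this file as an env file, and `ENABLE_SAML`, `SAML_SIGNED_ASSERTION`, `SAML_SIGNED_ENVELOPES` and the rest would silently fall back to the application's built-in defaults instead of the operator's settings, which for the signature-requirement flags is a security-relevant misconfiguration. Rewrite the block in the surrounding form, dropping the colon and the quotes, e.g. `ENABLE_SAML={{ enable_saml }}` and `SAML_SIGNED_ASSERTION={{ saml_signed_assertion }}`. Whether the env-file reader tolerates the double quotes and `<`/`>` of a one-line metadata XML in an unquoted `SAML_METADATA_CONTENT` value is not visible here; confirm against the consumer.
```jinja
ENABLE_SAML={{ enable_saml }}
SAML_IDP_ID={{ saml_idp_id }}
SAML_IDP_NAMEID_FORMAT={{ saml_idp_nameid_format }}
SAML_SP_DIR={{ saml_sp_dir }}
SAML_SP_ID={{ saml_sp_id }}
SAML_SP_ENTITY_ID={{ saml_sp_entity_id }}
SAML_SP_CONTACT_NAME={{ saml_sp_contact_name }}
SAML_SP_CONTACT_EMAIL={{ saml_sp_contact_email }}
SAML_SP_ORG_NAME={{ saml_sp_org_name }}
SAML_SP_ORG_DISPLAYNAME={{ saml_sp_org_displayname }}
SAML_SP_ORG_URL={{ saml_sp_org_url }}
SAML_USERNAME_ATTR_NAME={{ saml_username_attr_name }}
SAML_EMAIL_ATTR_NAME={{ saml_email_attr_name }}
SAML_FIRSTNAME_ATTR_NAME={{ saml_firstname_attr_name }}
SAML_LASTNAME_ATTR_NAME={{ saml_lastname_attr_name }}
{% if saml_metadata_url %}
SAML_METADATA_URL={{ saml_metadata_url }}
{% endif %}
{% if saml_metadata_content %}
SAML_METADATA_CONTENT={{ saml_metadata_content }}
{% endif %}
SAML_SIGN_REQUESTS={{ saml_sign_requests }}
SAML_SIGN_METADATA={{ saml_sign_metadata }}
SAML_SIGNED_ASSERTION={{ saml_signed_assertion }}
SAML_SIGNED_ENVELOPES={{ saml_signed_envelopes }}
```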