diff --git a/README.md b/README.md
index 814c4a3..748f4b2 100644
--- a/README.md
+++ b/README.md
@@ -259,6 +259,27 @@ These variables are the defaults of our roles, if you want to override the prope
 | oauth2_token_url | OAUTH2 token url, required when enable_oauth2 is true | |
 | oauth2_user_url | OAUTH2 user information url, required when enable_oauth2 is true | |
 | oauth2_scopes | OAUTH2 scopes, required when enable_oauth2 is true | "profile email" |
+| enable_saml | Enable SAML integration, this disables the username/password authentication method (self exclusive SSO type) | false |
+| saml_idp_id | SAML IDP id, required when enable_saml is true | |
+| saml_idp_nameid_format | SAML IDP name id format, used to interpret the attribute name. Whole urn string must be used | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
+| saml_sp_dir | SAML SP directory, where SP specific required files (such as certificates and metadata file) are placed | /etc/trento/trento-web/saml |
+| saml_sp_id | SAML SP id, required when enable_saml is true | |
+| saml_sp_entity_id | SAML SP entity id | |
+| saml_sp_contact_name | SAML SP contact name | "Trento SP Admin" |
+| saml_sp_contact_email | SAML SP contact email | "admin@trento.suse.com" |
+| saml_sp_org_name | SAML SP organization name | "Trento SP" |
+| saml_sp_org_displayname | SAML SP organization display name | "SAML SP build with Trento" |
+| saml_sp_org_url | SAML SP organization url | https://www.trento-project.io/ |
+| saml_username_attr_name | SAML user profile "username" attribute field name. This attribute must exist in the IDP user | username |
+| saml_email_attr_name | SAML user profile "email" attribute field name. This attribute must exist in the IDP user | email |
+| saml_firstname_attr_name | SAML user profile "first name" attribute field name. This attribute must exist in the IDP user | firstName |
+| saml_lastname_attr_name | SAML user profile "last name" attribute field name. This attribute must exist in the IDP user | lastName |
+| saml_metadata_url | URL to retrieve the SAML metadata xml file. One of `saml_metadata_url` or `saml_metadata_content` is required | |
+| saml_metadata_content | One line string containing the SAML metadata xml file content (`saml_metadata_url` has precedence over this) | |
+| saml_sign_requests | Sign SAML requests in the SP side | true |
+| saml_sign_metadata | Sign SAML metadata documents in the SP side | true |
+| saml_signed_assertion | Require to receive SAML assertion signed from the IDP. Set to false if the IDP doesn't sign the assertion | true |
+| saml_signed_envelopes | Require to receive SAML envelopes signed from the IDP. Set to false if the IDP doesn't sign the envelopes | true |
 | install_nginx | Install nginx | true |
 | nginx_ssl_cert_as_base64 | Nginx SSL certificate provided as base64 string | false |
 | nginx_ssl_key_as_base64 | Nginx SSL key provided as base64 string | false |
diff --git a/roles/app/defaults/main.yml b/roles/app/defaults/main.yml
index 0229949..fc7fa06 100644
--- a/roles/app/defaults/main.yml
+++ b/roles/app/defaults/main.yml
@@ -35,3 +35,24 @@ oauth2_authorize_url: ""
 oauth2_token_url: ""
 oauth2_user_url: ""
 oauth2_scopes: "profile email"
+enable_saml: "false"
+saml_idp_id: ""
+saml_idp_nameid_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+saml_sp_dir: "/etc/trento/trento-web/saml"
+saml_sp_id: ""
+saml_sp_entity_id: ""
+saml_sp_contact_name: "Trento SP Admin"
+saml_sp_contact_email: "admin@trento.suse.com"
+saml_sp_org_name: "Trento SP"
+saml_sp_org_displayname: "SAML SP build with Trento"
+saml_sp_org_url: "https://www.trento-project.io/"
+saml_username_attr_name: "username"
+saml_email_attr_name: "email"
+saml_firstname_attr_name: "firstName"
+saml_lastname_attr_name: "lastName"
+saml_metadata_url: ""
+saml_metadata_content: ""
+saml_sign_requests: "true"
+saml_sign_metadata: "true"
+saml_signed_assertion: "true"
+saml_signed_envelopes: "true"
diff --git a/roles/app/tasks/docker.yml b/roles/app/tasks/docker.yml
index 003424f..548952d 100644
--- a/roles/app/tasks/docker.yml
+++ b/roles/app/tasks/docker.yml
@@ -114,3 +114,24 @@
 OAUTH2_TOKEN_URL: "{{ oauth2_token_url }}"
 OAUTH2_USER_URL: "{{ oauth2_user_url }}"
 OAUTH2_SCOPES: "{{ oauth2_scopes }}"
+ ENABLE_SAML: "{{ enable_saml }}"
+ SAML_IDP_ID: "{{ saml_idp_id }}"
+ SAML_IDP_NAMEID_FORMAT: "{{ saml_idp_nameid_format }}"
+ SAML_SP_DIR: "{{ saml_sp_dir }}"
+ SAML_SP_ID: "{{ saml_sp_id }}"
+ SAML_SP_ENTITY_ID: "{{ saml_sp_entity_id }}"
+ SAML_SP_CONTACT_NAME: "{{ saml_sp_contact_name }}"
+ SAML_SP_CONTACT_EMAIL: "{{ saml_sp_contact_email }}"
+ SAML_SP_ORG_NAME: "{{ saml_sp_org_name }}"
+ SAML_SP_ORG_DISPLAYNAME: "{{ saml_sp_org_displayname }}"
+ SAML_SP_ORG_URL: "{{ saml_sp_org_url }}"
+ SAML_USERNAME_ATTR_NAME: "{{ saml_username_attr_name }}"
+ SAML_EMAIL_ATTR_NAME: "{{ saml_email_attr_name }}"
+ SAML_FIRSTNAME_ATTR_NAME: "{{ saml_firstname_attr_name }}"
+ SAML_LASTNAME_ATTR_NAME: "{{ saml_lastname_attr_name }}"
+ SAML_METADATA_URL: "{{ saml_metadata_url }}"
+ SAML_METADATA_CONTENT: "{{ saml_metadata_content }}"
+ SAML_SIGN_REQUESTS: "{{ saml_sign_requests }}"
+ SAML_SIGN_METADATA: "{{ saml_sign_metadata }}"
+ SAML_SIGNED_ASSERTION: "{{ saml_signed_assertion }}"
+ SAML_SIGNED_ENVELOPES: "{{ saml_signed_envelopes }}"
diff --git a/roles/app/templates/trento-web.j2 b/roles/app/templates/trento-web.j2
index 14d2c61..cba3e55 100644
--- a/roles/app/templates/trento-web.j2
+++ b/roles/app/templates/trento-web.j2
@@ -30,3 +30,24 @@ OAUTH2_AUTHORIZE_URL={{ oauth2_authorize_url }}
 OAUTH2_TOKEN_URL={{ oauth2_token_url }}
 OAUTH2_USER_URL={{ oauth2_user_url }}
 OAUTH2_SCOPES={{ oauth2_scopes }}
+ENABLE_SAML: "{{ enable_saml }}"
+SAML_IDP_ID: "{{ saml_idp_id }}"
+SAML_IDP_NAMEID_FORMAT: "{{ saml_idp_nameid_format }}"
+SAML_SP_DIR: "{{ saml_sp_dir }}"
+SAML_SP_ID: "{{ saml_sp_id }}"
+SAML_SP_ENTITY_ID: "{{ saml_sp_entity_id }}"
+SAML_SP_CONTACT_NAME: "{{ saml_sp_contact_name }}"
+SAML_SP_CONTACT_EMAIL: "{{ saml_sp_contact_email }}"
+SAML_SP_ORG_NAME: "{{ saml_sp_org_name }}"
+SAML_SP_ORG_DISPLAYNAME: "{{ saml_sp_org_displayname }}"
+SAML_SP_ORG_URL: "{{ saml_sp_org_url }}"
+SAML_USERNAME_ATTR_NAME: "{{ saml_username_attr_name }}"
+SAML_EMAIL_ATTR_NAME: "{{ saml_email_attr_name }}"
+SAML_FIRSTNAME_ATTR_NAME: "{{ saml_firstname_attr_name }}"
+SAML_LASTNAME_ATTR_NAME: "{{ saml_lastname_attr_name }}"
+SAML_METADATA_URL: "{{ saml_metadata_url }}"
+SAML_METADATA_CONTENT: "{{ saml_metadata_content }}"
+SAML_SIGN_REQUESTS: "{{ saml_sign_requests }}"
+SAML_SIGN_METADATA: "{{ saml_sign_metadata }}"
+SAML_SIGNED_ASSERTION: "{{ saml_signed_assertion }}"
+SAML_SIGNED_ENVELOPES: "{{ saml_signed_envelopes }}"
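Review bot: The five boolean-like defaults added here (`enable_saml`, `saml_sign_requests`, `saml_sign_metadata`, `saml_signed_assertion`, `saml_signed_envelopes`) are quoted strings while the README table documents them as `false`/`true`; a user who overrides one with a real YAML boolean will get `True`/`False` rendered by Jinja into the environment, which presumably is not what the application parses, so the convention deserves a comment such as `# Boolean-like values are strings on purpose: they are rendered verbatim into the env file, keep them lowercase "true"/"false"`. Separately, `saml_signed_assertion` and `saml_signed_envelopes` are, per their README descriptions, what makes the SP require a signature from the IDP at all, so a comment above them along the lines of `# Keep at least one of these "true"; with both "false" nothing verifies that the IDP response was not altered in transit` would stop the "set to false if the IDP doesn't sign" advice from being read as a harmless convenience. The empty `saml_metadata_url` default could likewise carry `# Use an https:// URL: the metadata carries the IDP signing certificate that all later verification trusts`.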
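Review bot: `SAML_SP_DIR: "{{ saml_sp_dir }}"` hands the container a path (`/etc/trento/trento-web/saml` by default) but nothing in this hunk mounts that host directory into the container, so unless the task's volumes list outside the hunk already bind-mounts it, the SP certificate, key and metadata file the README says live there will not exist at runtime. Since that directory is where the SP signing key material is placed, the mount should be read-only and the key file restricted to the service user inside the container; the task's volume definition and the start of its `environment:` mapping are outside this hunk, so this is inferred rather than verified.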
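Review bot: The 21 added lines use YAML mapping syntax (`ENABLE_SAML: "{{ enable_saml }}"`) in a file whose existing entries are `KEY=value` env-file lines (`OAUTH2_SCOPES={{ oauth2_scopes }}` directly above), so depending on how the env file is loaded the SAML settings will either break the whole file or be silently ignored, and `ENABLE_SAML`, `SAML_SIGNED_ASSERTION` and `SAML_SIGNED_ENVELOPES` would never reach the application. The lines should follow the file's own format, as below; whether the surrounding quotes would become part of the value, and whether `SAML_METADATA_CONTENT` (one-line XML with embedded double quotes) needs escaping for this loader, should be checked against the loader rather than assumed.
```jinja
{# … unchanged: OAUTH2_* entries … #}
ENABLE_SAML={{ enable_saml }}
SAML_IDP_ID={{ saml_idp_id }}
SAML_IDP_NAMEID_FORMAT={{ saml_idp_nameid_format }}
SAML_SP_DIR={{ saml_sp_dir }}
SAML_SP_ID={{ saml_sp_id }}
SAML_SP_ENTITY_ID={{ saml_sp_entity_id }}
SAML_SP_CONTACT_NAME={{ saml_sp_contact_name }}
SAML_SP_CONTACT_EMAIL={{ saml_sp_contact_email }}
SAML_SP_ORG_NAME={{ saml_sp_org_name }}
SAML_SP_ORG_DISPLAYNAME={{ saml_sp_org_displayname }}
SAML_SP_ORG_URL={{ saml_sp_org_url }}
SAML_USERNAME_ATTR_NAME={{ saml_username_attr_name }}
SAML_EMAIL_ATTR_NAME={{ saml_email_attr_name }}
SAML_FIRSTNAME_ATTR_NAME={{ saml_firstname_attr_name }}
SAML_LASTNAME_ATTR_NAME={{ saml_lastname_attr_name }}
SAML_METADATA_URL={{ saml_metadata_url }}
SAML_METADATA_CONTENT={{ saml_metadata_content }}
SAML_SIGN_REQUESTS={{ saml_sign_requests }}
SAML_SIGN_METADATA={{ saml_sign_metadata }}
SAML_SIGNED_ASSERTION={{ saml_signed_assertion }}
SAML_SIGNED_ENVELOPES={{ saml_signed_envelopes }}
```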