update simplesaml

roles/demo-sp/tasks/main.yml

@@ -61,9 +61,14 @@
 
 - name: Install JumboJett OIDC PHP module
   community.general.composer:
-    command: require
-    arguments: jumbojett/openid-connect-php
+    command: "require"
+    arguments: "jumbojett/openid-connect-php"
     working_dir: "{{ demosp_dir}}"
+    no_scripts: true
+    no_plugins: true
+  environment:
+    # TODO: fix this; create a separate user that own the files and can run composer
+    COMPOSER_ALLOW_SUPERUSER: "1"
   notify: "restart php-fpm"
 
 - name: Install OIDC RP config

roles/demo-sp/templates/config.php.j2

@@ -22,7 +22,8 @@ $config = [
      | SECURITY CONFIGURATION OPTIONS |
      **********************************/
     'secretsalt' => '{{ simplesaml_salt.content }}',
-    'auth.adminpassword' => '{{ simplesaml_admin_passwd }}',
+    {# because OF COURSE php head to reinvent the wheel and only support their very limited password hash types -#}
+    'auth.adminpassword' => '{{ simplesaml_admin_passwd | string | ansible.builtin.password_hash(hashtype="bcrypt") | replace("$2b$", "$2y$") }}',
     'admin.protectmetadata' => false,
     'admin.checkforupdates' => true,
 
@@ -164,11 +165,6 @@ $config = [
      *************************************/
     'authproc.idp' => [
         30 => 'core:LanguageAdaptor',
-        45 => [
-            'class'         => 'core:StatisticsWithAttribute',
-            'attributename' => 'realm',
-            'type'          => 'saml20-idp-SSO',
-        ],
         50 => 'core:AttributeLimit',
         99 => 'core:LanguageAdaptor',
     ],

roles/demo-sp/templates/saml20-idp-remote.php.j2

@@ -7,7 +7,12 @@ $metadata['https://proxy.acc.sram.eduteams.org/proxy'] = array(
         'en' => 'SRAM acc',
         'nl' => 'SRAM acc',
     ],
-    'SingleSignOnService' => 'https://proxy.acc.sram.eduteams.org/saml2sp/sso/redirect',
+    'SingleSignOnService' => [
+        [
+            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+            'Location' => 'https://proxy.acc.sram.eduteams.org/saml2sp/sso/redirect',
+        ],
+    ],
     'certificate' => 'eduteams-acc.pem',
 
     'authproc' => [
@@ -21,7 +26,12 @@ $metadata['https://proxy.sram.surf.nl/proxy'] = array(
         'en' => 'SRAM prod',
         'nl' => 'SRAM prod',
     ],
-    'SingleSignOnService' => 'https://proxy.sram.surf.nl/saml2sp/sso/redirect',
+    'SingleSignOnService' => [
+        [
+            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+            'Location' => 'https://proxy.sram.surf.nl/saml2sp/sso/redirect',
+        ],
+    ],
     'certificate' => 'eduteams-prd.pem',
 
     'authproc' => [

roles/simplesamlphp/defaults/main.yml

@@ -14,4 +14,3 @@ simplesaml_group: "ssp-group"
 simplesaml_project_dir: "/opt/{{simplesaml_name}}"
 simplesaml_tmp_dir: "{{simplesaml_project_dir}}/tmp/"
 simplesaml_cert_dir: "{{simplesaml_project_dir}}/cert/"
-

roles/simplesamlphp/handlers/main.yml

@@ -2,7 +2,7 @@
 - name: "restart php-fpm"
   listen: "restart php-fpm"
   systemd:
-    name: "php7.4-fpm.service"
+    name: "php{{php_version}}-fpm.service"
     state: "restarted"
     daemon_reload: true
     enabled: true

roles/simplesamlphp/tasks/main.yml

@@ -15,6 +15,17 @@
       - "php-ldap"
     state: "present"
 
+- name: Find php version
+  command: >
+    php -r '$v=phpversion(); echo substr($v, 0, strrpos($v, "."));'
+  register: "php_output"
+  changed_when: false
+
+- set_fact:
+    php_version={{ php_output.stdout }}
+    simplesaml_project_dir={{simplesaml_project_dir}}
+    simplesaml_cert_dir={{simplesaml_cert_dir}}
+
 - name: Create simplesaml group
   group:
     name: "{{simplesaml_group}}"
@@ -92,7 +103,6 @@
     force: false
   notify: "restart php-fpm"
 
-
 - name: Read random salt
   slurp:
     src: "{{ simplesaml_project_dir }}/config/salt"
@@ -121,20 +131,9 @@
 - name: Install fpm pool config
   template:
     src: "fpm-pool.j2"
-    dest: "/etc/php/7.4/fpm/pool.d/{{simplesaml_name}}.conf"
+    dest: "/etc/php/{{ php_version }}/fpm/pool.d/{{simplesaml_name}}.conf"
   notify: "restart php-fpm"
 
-- name: Find php version
-  command: >
-    php -r '$v=phpversion(); echo substr($v, 0, strrpos($v, "."));'
-  register: "php_output"
-  changed_when: false
-
-- set_fact:
-    php_version={{ php_output.stdout }}
-    simplesaml_project_dir={{simplesaml_project_dir}}
-    simplesaml_cert_dir={{simplesaml_cert_dir}}
-
 - name: Set php session cookie httponly
   ansible.builtin.copy:
     content: |

roles/surfstar-idp/templates/config.php.j2

@@ -29,7 +29,7 @@ $config = [
      | SECURITY CONFIGURATION OPTIONS |
      **********************************/
     'secretsalt' => '{{ simplesaml_salt.content }}',
-    'auth.adminpassword' => '{{ surfstar_idp_admin_passwd }}',
+    'auth.adminpassword' => '{{ surfstar_idp_admin_passwd | string | ansible.builtin.password_hash(hashtype="bcrypt") | replace("$2b$", "$2y$") }}',
     'admin.protectmetadata' => false,
     'admin.checkforupdates' => true,
 
@@ -150,11 +150,6 @@ $config = [
      *************************************/
     'authproc.idp' => [
         30 => 'core:LanguageAdaptor',
-        45 => [
-            'class'         => 'core:StatisticsWithAttribute',
-            'attributename' => 'realm',
-            'type'          => 'saml20-idp-SSO',
-        ],
         50 => 'core:AttributeLimit',
         99 => 'core:LanguageAdaptor',
     ],

roles/test-idp/templates/config.php.j2

@@ -22,7 +22,7 @@ $config = [
      | SECURITY CONFIGURATION OPTIONS |
      **********************************/
     'secretsalt' => '{{ simplesaml_salt.content }}',
-    'auth.adminpassword' => '{{ simplesaml_admin_passwd }}',
+    'auth.adminpassword' => '{{ simplesaml_admin_passwd | string | ansible.builtin.password_hash(hashtype="bcrypt") | replace("$2b$", "$2y$") }}',
     'admin.protectmetadata' => false,
     'admin.checkforupdates' => true,