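---
# SATOSA SAML2 frontend plugin: the proxy presents itself as a SAML IdP to the SPs
# listed in the metadata store below. Indentation in this file is significant.
module: satosa.frontends.saml2.SAMLFrontend
# This allows external discovery services to present the mirrored providers transparently, as separate entities in its UI
# module: satosa.frontends.saml2.SAMLMirrorFrontend
name: Saml2IDP
config:
  # make metadata downloadable from entityid url
  entityid_endpoint: true
  # pysaml2 IdP configuration (everything under idp_config is consumed by pysaml2).
  idp_config:
    organization:
      display_name: 'Saml2 Authentication Proxy'
      name: 'proxy.auth'
      url: 'https://spid.proxy.example.org'
    contact_person:
      - contact_type: technical
        email_address: "mailto:supporto.tecnico@example.org"
        given_name: Technical
      - contact_type: support
        email_address: "mailto:richieste.ict@example.org"
        given_name: Support
    attribute_map_dir: 'attributes-map'
    # Signing key pair for responses/assertions and metadata. The private key is a
    # deployment-local file and must not be committed alongside this config.
    key_file: ./pki/privkey.pem
    cert_file: ./pki/cert.pem
    # Key pairs published for encryption and used to decrypt inbound encrypted
    # elements; this example reuses the signing pair.
    encryption_keypairs:
      - key_file: ./pki/privkey.pem
        cert_file: ./pki/cert.pem
    metadata:
      # SP metadata loaded from disk; this store defines which SPs the IdP answers.
      local: [./metadata/sp/]
      # using pyFF or other MDX server
      # mdq:
      #   - url: "http://mdq.auth.unical.it/static/sha1"
      #     cert: mdq.pem
    # <base_url> and <name> are substituted by SATOSA at start-up.
    entityid: '<base_url>/<name>/metadata'
    # Allowed clock skew, in seconds, when validating time conditions on inbound messages.
    accepted_time_diff: 300
    service:
      idp:
        endpoints:
          # Intentionally empty here: the frontend derives the pysaml2 endpoints from
          # the plugin-level `endpoints` block further down.
          single_sign_on_service: []
        name: Authentication Proxy
        ui_info:
          display_name:
            - lang: en
              text: "Authentication Proxy"
          description:
            - lang: en
              text: "Authentication Proxy"
          # information_url:
          #   - lang: en
          #     text: "http://sp.information.url/"
          privacy_statement_url:
            - lang: en
              text: "https://www.example.org/privacy/"
          keywords:
            - lang: it
              text: ["Authentication Proxy", "IdP IT"]
            - lang: en
              text: ["Authentication Proxy", "IdP EN"]
          logo:
            text: "https://www.spid.gov.it/assets/img/spid-ico-circle-bb.svg"
            width: "100"
            height: "100"
        name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
        # want_authn_requests_signed: true
        # NOTE(review): with want_authn_requests_signed unset and the check below
        # disabled, AuthnRequests are accepted without any signature verification.
        # Enable want_authn_requests_signed to require signed requests from the SPs
        # in the metadata store.
        want_authn_requests_only_with_valid_cert: false
        signing_algorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        digest_algorithm: "http://www.w3.org/2001/04/xmlenc#sha256"
        # Per-SP policy; `default` applies to every SP without a more specific entry.
        policy:
          default:
            attribute_restrictions: null
            fail_on_missing_requested: false
            # Assertion validity window.
            lifetime: {minutes: 15}
            name_form: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
            sign_response: true
            sign_assertion: true
            # Assertions travel in clear inside the signed response; confidentiality
            # then rests on TLS at the SP endpoint only.
            encrypt_assertion: false
            encrypted_advice_attributes: false

  # Per-SP attribute release filter. Plugin-level option (sibling of idp_config),
  # keyed by IdP entity id (or "default") and then by SP entity id (or "").
  # custom_attribute_release:
  #   "default":
  #     "":
  #       exclude: ["givenName"]
  #   idp-entity-id1:
  #     sp-entity-id1:
  #       exclude: ["givenName"]

  # acr_mapping:
  #   "": default-LoA
  #   "https://accounts.google.com": LoA1

  # SATOSA endpoint paths, relative to <base_url>/<name>.
  endpoints:
    # to be implemented
    # single_logout_service:
    #   'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': 'slo/post'
    single_sign_on_service:
      'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': 'sso/post'
      'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': 'sso/redirect'

  # If configured and not false or empty the common domain cookie _saml_idp will be set
  # with or have appended the IdP used for authentication. The default is not to set the
  # cookie. If the value is a dictionary with key 'domain' then the domain for the cookie
  # will be set to the value for the 'domain' key. If no 'domain' is set then the domain
  # from the BASE defined for the proxy will be used.
  # common_domain_cookie:
  #   domain: .example.com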