-
Notifications
You must be signed in to change notification settings - Fork 25
/
spidsaml2_backend.yaml
154 lines (131 loc) · 5.97 KB
/
spidsaml2_backend.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
module: backends.spidsaml2.SpidSAMLBackend
name: spidSaml2
config:
# idp_blacklist_file: /path/to/blacklist.json
# error templates
static_storage_url: !ENV SATOSA_BASE_STATIC
error_template: "spid_login_error.html"
template_folder: "templates" # project root
# make metadata downloadable from entityid url
entityid_endpoint: true
spid_allowed_acrs:
- https://www.spid.gov.it/SpidL1
- https://www.spid.gov.it/SpidL2
- https://www.spid.gov.it/SpidL3
spid_acr_comparison: "minimum"
acr_mapping:
"": 'https://www.spid.gov.it/SpidL2'
# specify AuthnContext per IdP
# "https://identity.sieltecloud.it": 'https://www.spid.gov.it/SpidL1'
# "https://idp.namirialtsp.com/idp": 'https://www.spid.gov.it/SpidL1'
# "https://identity.infocert.it": 'https://www.spid.gov.it/SpidL1'
sp_config:
key_file: !ENV SATOSA_PRIVATE_KEY
cert_file: !ENV SATOSA_PUBLIC_KEY
encryption_keypairs:
- {'key_file': !ENV SATOSA_PRIVATE_KEY, 'cert_file': !ENV SATOSA_PUBLIC_KEY}
attribute_map_dir: 'attributes-map'
organization:
display_name:
- [ !ENV SATOSA_ORGANIZATION_DISPLAY_NAME_EN, 'en']
- [ !ENV SATOSA_ORGANIZATION_DISPLAY_NAME_IT, 'it']
name:
- [ !ENV SATOSA_ORGANIZATION_NAME_EN, 'en']
- [ !ENV SATOSA_ORGANIZATION_NAME_IT, 'it']
url:
- [ !ENV SATOSA_ORGANIZATION_URL_EN, 'en']
- [ !ENV SATOSA_ORGANIZATION_URL_IT, 'it']
contact_person:
- contact_type: 'other'
given_name: !ENV SATOSA_CONTACT_PERSON_GIVEN_NAME
email_address: !ENV SATOSA_CONTACT_PERSON_EMAIL_ADDRESS
telephone_number: !ENV SATOSA_CONTACT_PERSON_TELEPHONE_NUMBER
FiscalCode: !ENV SATOSA_CONTACT_PERSON_FISCALCODE
Public: ''
# - {'contact_type': 'other', 'telephone_number': '+3984756344785', 'email_address': 'info@example.org', 'VATNumber': 'IT12345678901', 'FiscalCode': 'XYasdasdadasdGGJ000W', 'Private': '' }
# - {'contact_type': 'billing', 'telephone_number': '+3984756344785', 'email_address': 'info@example.org', 'company': 'example s.p.a.', 'CodiceFiscale': 'NGLMRA80A01D086T', 'IdCodice': '983745349857', 'IdPaese': 'IT', 'Denominazione': 'Destinatario Fatturazione', 'Indirizzo': 'via tante cose', 'NumeroCivico': '12', 'CAP': '87100', 'Comune': 'Cosenza', 'Provincia': 'CS', 'Nazione': 'IT' }
metadata:
local: [./metadata/idp/]
# using pyFF or other MDX server
# mdq:
# cert: mdq.pem
ficep_enable: True
ficep_entity_id: https://sp-proxy.eid.gov.it/spproxy/idpit
ficep_default_acs_index: 99
entityid: '<base_url>/<name>/metadata'
accepted_time_diff: 10
service:
sp:
ui_info:
display_name:
- lang: en
text: !ENV SATOSA_UI_DISPLAY_NAME_EN
- lang: it
text: !ENV SATOSA_UI_DISPLAY_NAME_IT
description:
- lang: en
text: !ENV SATOSA_UI_DESCRIPTION_EN
- lang: it
text: !ENV SATOSA_UI_DESCRIPTION_IT
information_url:
- lang: en
text: !ENV SATOSA_UI_INFORMATION_URL_EN
- lang: it
text: !ENV SATOSA_UI_INFORMATION_URL_IT
privacy_statement_url:
- lang: en
text: !ENV SATOSA_UI_PRIVACY_URL_EN
- lang: it
text: !ENV SATOSA_UI_PRIVACY_URL_IT
keywords:
- lang: it
text: ["SPID Authentication Proxy", "SPID Service Provider IT"]
- lang: en
text: ["SPID Authentication Proxy", "SPID Service Provider EN"]
logo:
text: !ENV SATOSA_UI_LOGO_URL
width: !ENV SATOSA_UI_LOGO_WIDTH
height: !ENV SATOSA_UI_LOGO_HEIGHT
# sign dig and enc
authn_requests_signed: true
want_response_signed: true
want_assertions_signed: true
signing_algorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
digest_algorithm: "http://www.w3.org/2001/04/xmlenc#sha256"
# security
only_use_keys_in_metadata: true
# it depends by acr level, see spidsaml2.authn_request
# force_authn: false
name_id_format_allow_create: false
name_id_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
requested_attribute_name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic'
allow_unknown_attributes: true
# in production different workers do not share the same storage!
allow_unsolicited: true
# this instantiate the attribute_consuming_service
required_attributes: ['spidCode', 'name', 'familyName', 'fiscalNumber', 'email']
requested_attributes: !ENV SATOSA_REQUESTED_ATTRIBUTES
#optional_attributes: ['gender',
# 'companyName',
# 'registeredOffice',
# 'ivaCode',
# 'idCard',
# 'digitalAddress',
# 'placeOfBirth',
# 'countyOfBirth',
# 'dateOfBirth',
# 'address',
# 'mobilePhone',
# 'expirationDate']
endpoints:
assertion_consumer_service:
- [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
- [<base_url>/<name>/acs/99/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
- [<base_url>/<name>/acs/100/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
single_logout_service:
- [<base_url>/<name>/ls/post/, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
discovery_response:
- [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
# disco_srv must be defined if there is more than one IdP in the metadata specified above
# disco_srv: change with $SATOSA_DISCO_SRV
disco_srv: !ENV SATOSA_DISCO_SRV