Code refactoring
* Add possibility to set keystone protocol (http/https)
* Some improvements in code
diff --git a/README.rst b/README.rst
index cd06133..c079e06 100644
--- a/README.rst
+++ b/README.rst
@@ -1,2 +1,45 @@
+=======================
salt-formula-shibboleth
-======================
+=======================
+
+Shibboleth is among the world's most widely deployed federated identity solutions, connecting users to applications both within and between organizations.
+
+Sample pillars
+==============
+
+.. code-block:: yaml
+
+ shibboleth:
+ server:
+ enabled: true
+ keystone_protocol: http
+ keystone_public_address: ${_param:proxy_vip_address_public}
+ keystone_port: 5000
+ idp_url: "https://saml.example.com/oam/fed"
+ idp_metadata_url: "https://saml.example.com/oamfed/idp/metadata"
+ attributes:
+ - name: test
+ id: test
+ name_format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
+ key: |
+ -----BEGIN PRIVATE KEY-----
+ MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDmM1NIxgQ3Y70Q
+ GXoFQQnJ7nliaRtJR2xHAW47InyALQ+M3/VCtdFnNI0d2CHoytQ6mVg6BzOtdvT2
+ ocEl0+LNkskSZsc6Nh59XooTQncL5PA7hXmo/nxCEgURH4oika5CC14K4hagwZca
+ CQZvW1m9KwfVaNc0Va0KepH2lGI+VdxyZgRMifTMl9qDLYr++ftyFTNn5uit0Yh8
+ 9QFU4HLVvT0rHSQUTcFbvYE=
+ -----END PRIVATE KEY-----
+ certificate: |
+ -----BEGIN CERTIFICATE-----
+ MIIDDzCCAfegAwIBAgIJAOvxYAMLVkHZMA0GCSqGSIb3DQEBBQUAMCMxITAfBgNV
+ BAMTGGN0bC0wMS5qcGUyLmppb2Nsb3VkLmNvbTAeFw0xNzAxMTIxMDIwMTRaFw0y
+ k3u0PIEqysz9sOpmuSmlY4FKRobYQ3viviTIMTTuqjoCAFKIApI3tZWOqj+zShje
+ Xr4ue39/lvQLj2jXV+Q2TOovQA==
+ -----END CERTIFICATE-----
+ idp_certificate: |
+ -----BEGIN CERTIFICATE-----
+ BAMTGGN0bC0wMS5qcGUyLmppb2Nsb3VkLmNvbTAeFw0xNzAxMTIxMDIwMTRaFw0y
+ CcnueWJpG0lHbEcBbjsifIAtD4zf9UK10Wc0jR3YIejK1DqZWDoHM6129PZ8kx5k
+ aN5DvAdir7oYCpHwD5/WvHahUgsrtcz9s+pzRfiStvICVwqCsGquThZHe8YAgGpZ
+ 04UU/56ncPbsHf5asS3DvfVGw==
+ -----END CERTIFICATE-----
diff --git a/metadata/service/server/cluster.yml b/metadata/service/server/cluster.yml
index b6de4a7..24cbef0 100644
--- a/metadata/service/server/cluster.yml
+++ b/metadata/service/server/cluster.yml
@@ -6,6 +6,8 @@
shibboleth:
server:
enabled: true
- public_address: ${_param:proxy_vip_address_public}
- idp_entity_id_url: "https://saml.example.com/oam/fed"
+ keystone_protocol: http
+ keystone_public_address: ${_param:proxy_vip_address_public}
+ keystone_port: 5000
+ idp_url: "https://saml.example.com/oam/fed"
idp_metadata_url: "https://saml.example.com/oamfed/idp/metadata"
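Review bot: The new default `keystone_protocol: http` changes the SP entityID that this metadata produces from the previously hard-coded `https://{{ server.public_address }}:5000` to `http://…:5000`, so any deployment taking the metadata default presents a different entityID to the IdP and advertises its Keystone endpoint over plaintext. Since the IdP matches entityID byte-for-byte, an existing federation registered against the https form stops matching until the IdP side is updated. Setting `keystone_protocol: https` here keeps the prior behaviour and makes http an explicit opt-in; the same `http` default is repeated in metadata/service/server/single.yml and tests/pillar/shibboleth.sls.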
diff --git a/metadata/service/server/single.yml b/metadata/service/server/single.yml
index 1068c1d..24cbef0 100644
--- a/metadata/service/server/single.yml
+++ b/metadata/service/server/single.yml
@@ -6,5 +6,8 @@
shibboleth:
server:
enabled: true
- idp_entity_id_url: "https://saml.example.com/oam/fed"
+ keystone_protocol: http
+ keystone_public_address: ${_param:proxy_vip_address_public}
+ keystone_port: 5000
+ idp_url: "https://saml.example.com/oam/fed"
idp_metadata_url: "https://saml.example.com/oamfed/idp/metadata"
diff --git a/shibboleth/files/shibboleth2.xml b/shibboleth/files/shibboleth2.xml
index d143186..d530ad1 100644
--- a/shibboleth/files/shibboleth2.xml
+++ b/shibboleth/files/shibboleth2.xml
@@ -21,7 +21,7 @@
-->
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
- <ApplicationDefaults entityID="https://{{ server.public_address }}:5000">
+ <ApplicationDefaults entityID="{{ server.keystone_protocol }}://{{ server.keystone_public_address }}:{{ server.keystone_port }}">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
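Review bot: The entityID now interpolates `server.keystone_protocol` verbatim, and nothing in the template constrains it to `http`/`https`, so a typo or an empty pillar value renders an entityID such as `htp://host:5000` or `://host:5000` that the IdP will reject only at federation time rather than at highstate. A render-time guard placed above the ApplicationDefaults element, `{%- if server.keystone_protocol not in ['http', 'https'] %}{{ raise('shibboleth:server:keystone_protocol must be http or https') }}{%- endif %}`, surfaces the mistake where it is made. Whether the formula's map.jinja already supplies a default for `keystone_protocol` and `keystone_port` is not visible in this diff; if it does not, a missing key fails or renders empty depending on the Salt release.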
@@ -41,7 +41,7 @@
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
- <SSO entityID="{{ server.idp_entity_id_url }}" ECP="true">
+ <SSO entityID="{{ server.idp_url }}" ECP="true">
SAML2 SAML1
</SSO>
@@ -71,9 +71,9 @@
<MetadataProvider type="XML" uri="{{ server.idp_metadata_url }}"
backingFilePath="/etc/shibboleth/metadata.xml" reloadInterval="180000">
- {%- if server.idp_certificate is defined %}
- <MetadataFilter type="Signature" certificate="/etc/shibboleth/fedsigner.pem"/>
- {%- endif %}
+ {%- if server.idp_certificate is defined %}
+ <MetadataFilter type="Signature" certificate="/etc/shibboleth/fedsigner.pem"/>
+ {%- endif %}
</MetadataProvider>
<!-- Example of locally maintained metadata. -->
@@ -90,7 +90,7 @@
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
- {%- if server.sp_key_cert is defined %}
+ {%- if server.certificate is defined and server.key is defined %}
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
{%- endif %}
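Review bot: With the condition changed to `server.certificate is defined and server.key is defined`, a pillar that sets only one of the two (for example a rotated certificate whose key was not updated) silently drops the CredentialResolver, and the SP starts without its keypair instead of failing the render. An `{%- elif server.certificate is defined or server.key is defined %}` branch that calls `{{ raise('shibboleth:server: certificate and key must be set together') }}` would make the half-configured case visible; the same condition is duplicated in shibboleth/server.sls at the sp-key.pem/sp-cert.pem states and would need the same treatment. A one-line comment above the `{%- if` stating that both keys are required together would help whoever reads the rendered config next.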
diff --git a/shibboleth/server.sls b/shibboleth/server.sls
index 6da6460..4b345e4 100644
--- a/shibboleth/server.sls
+++ b/shibboleth/server.sls
@@ -18,7 +18,7 @@
{%- if server.idp_certificate is defined %}
/etc/shibboleth/fedsigner.pem:
file.managed:
- - contents_pillar: shibboleth:server:idp_certificate
+ - contents: {{ server.idp_certificate | yaml_encode }}
- require:
- pkg: apache_packages
- watch_in:
@@ -26,10 +26,10 @@
- service: shibboleth_service
{%- endif %}
-{%- if server.sp_key_cert is defined %}
+{%- if server.certificate is defined and server.key is defined %}
/etc/shibboleth/sp-key.pem:
file.managed:
- - contents_pillar: shibboleth:server:sp_key_cert:key
+ - contents: {{ server.key | yaml_encode }}
- mode: 600
- require:
- pkg: apache_packages
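Review bot: Switching `/etc/shibboleth/sp-key.pem` from `contents_pillar` to `contents: {{ server.key | yaml_encode }}` embeds the private key in the rendered state data, so it now appears in `state.show_sls` output and in any debug-level render logging, which `contents_pillar` avoided by resolving the value inside the state module. Independently of that, this state has no `show_changes: False`, so a key rotation prints the old and new private key in the unified diff returned by the highstate; adding `- show_changes: False` under `file.managed:` for sp-key.pem is a one-line fix. The sp-key.pem state continues past the end of this hunk, and the fedsigner.pem and sp-cert.pem states carry public certificates only, so the same setting is not needed there.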
@@ -39,7 +39,7 @@
/etc/shibboleth/sp-cert.pem:
file.managed:
- - contents_pillar: shibboleth:server:sp_key_cert:cert
+ - contents: {{ server.certificate | yaml_encode }}
- require:
- pkg: apache_packages
- watch_in:
diff --git a/tests/pillar/shibboleth.sls b/tests/pillar/shibboleth.sls
index be0df94..ac37774 100644
--- a/tests/pillar/shibboleth.sls
+++ b/tests/pillar/shibboleth.sls
@@ -1,7 +1,10 @@
shibboleth:
server:
enabled: true
- idp_entity_id_url: "https://saml.example.com/oam/fed"
+ keystone_protocol: http
+ keystone_public_address: ${_param:proxy_vip_address_public}
+ keystone_port: 5000
+ idp_url: "https://saml.example.com/oam/fed"
idp_metadata_url: "https://saml.example.com/oamfed/idp/metadata"
attributes:
- name: test
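Review bot: `keystone_public_address: ${_param:proxy_vip_address_public}` copies a reclass-style interpolation into a plain Salt test pillar, where (unless the test harness runs reclass, which this diff does not show) it is passed through unresolved and the rendered entityID becomes the literal string `http://${_param:proxy_vip_address_public}:5000`. The test pillar should carry a concrete value such as `keystone_public_address: sp.example.com` (constructed example) so the rendered shibboleth2.xml is what a real minion would produce. The same interpolation in metadata/service/server/cluster.yml and single.yml is fine, since those are reclass inputs.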