=======================
salt-formula-shibboleth
=======================
4
5Shibboleth is among the world's most widely deployed federated identity solutions, connecting users to applications both within and between organizations.
6
7Sample pillars
8==============
9
10.. code-block:: yaml
11
shibboleth:
  server:
    enabled: true
    app:
      # SP entityID; in this sample it is built from a reclass parameter
      entity_id: http://${_param:proxy_vip_address_public}:5000
      # NOTE(review): the sample turns request signing and assertion encryption
      # off. Treat these as lab defaults and confirm what the rendered
      # Shibboleth2.xml does with each flag before relying on them.
      signing: false
      encryption: false
    idp_url: "https://saml.example.com/oam/fed"
    # Metadata is fetched from this URL unless idp_metadata_file is set, in
    # which case this parameter is ignored (see "Override IdP metadata from file")
    idp_metadata_url: "https://saml.example.com/oamfed/idp/metadata"
    # Attribute definitions; presumably the attributes the SP accepts from the
    # IdP, each with its SAML name, local id and name format -- verify against
    # the rendered attribute-map
    attributes:
      - name: test
        id: test
        name_format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
    # SP private key. The PEM below is a truncated sample; real key material
    # belongs in a protected pillar source, not in plain text under version
    # control.
    key: |
      -----BEGIN PRIVATE KEY-----
      MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDmM1NIxgQ3Y70Q
      GXoFQQnJ7nliaRtJR2xHAW47InyALQ+M3/VCtdFnNI0d2CHoytQ6mVg6BzOtdvT2
      ocEl0+LNkskSZsc6Nh59XooTQncL5PA7hXmo/nxCEgURH4oika5CC14K4hagwZca
      CQZvW1m9KwfVaNc0Va0KepH2lGI+VdxyZgRMifTMl9qDLYr++ftyFTNn5uit0Yh8
      9QFU4HLVvT0rHSQUTcFbvYE=
      -----END PRIVATE KEY-----
    # SP certificate that goes with the key above (truncated sample)
    certificate: |
      -----BEGIN CERTIFICATE-----
      MIIDDzCCAfegAwIBAgIJAOvxYAMLVkHZMA0GCSqGSIb3DQEBBQUAMCMxITAfBgNV
      BAMTGGN0bC0wMS5qcGUyLmppb2Nsb3VkLmNvbTAeFw0xNzAxMTIxMDIwMTRaFw0y
      k3u0PIEqysz9sOpmuSmlY4FKRobYQ3viviTIMTTuqjoCAFKIApI3tZWOqj+zShje
      Xr4ue39/lvQLj2jXV+Q2TOovQA==
      -----END CERTIFICATE-----
    # IdP certificate (truncated sample); presumably used to verify what the
    # IdP signs -- confirm against the rendered configuration
    idp_certificate: |
      -----BEGIN CERTIFICATE-----
      BAMTGGN0bC0wMS5qcGUyLmppb2Nsb3VkLmNvbTAeFw0xNzAxMTIxMDIwMTRaFw0y
      CcnueWJpG0lHbEcBbjsifIAtD4zf9UK10Wc0jR3YIejK1DqZWDoHM6129PZ8kx5k
      aN5DvAdir7oYCpHwD5/WvHahUgsrtcz9s+pzRfiStvICVwqCsGquThZHe8YAgGpZ
      04UU/56ncPbsHf5asS3DvfVGw==
      -----END CERTIFICATE-----
lmercl4f7f6fd2018-03-12 17:39:56 +010047
48
Shibboleth through HTTP proxy
=============================
Sometimes it is necessary to reach the IdP through an HTTP proxy. This is done by adding a TransportOption to the MetadataProvider in the Shibboleth2.xml configuration file.
52
53.. code-block:: yaml
54
shibboleth:
  server:
    enabled: true
    # HTTP proxy for shibd's outbound IdP/metadata requests; rendered as a
    # TransportOption on the MetadataProvider (see the section text).
    # Sample address only -- the proxy itself is reached over plain http.
    proxy: http://10.10.10.12:8888
59
60
Override IdP metadata from file
===============================
Sometimes the metadata is not publicly available from the IdP. In that case you can define the metadata in the pillar, and the idp_metadata_url parameter will be ignored.
64
65.. code-block:: yaml
66
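shibboleth:
  server:
    # Inline IdP metadata. When this key is set, idp_metadata_url is ignored
    # (see the section text). Replace the placeholders -- entityID="idp_url",
    # the X509Certificate contents and Location="https://IDP_URL/..." -- with
    # the real IdP values before use.
    # Fixed: the xsi namespace URI is http://www.w3.org/2001/XMLSchema-instance;
    # the sample previously declared it with https://, which XML treats as a
    # different (unknown) namespace because namespace names are compared
    # literally.
    # NOTE(review): both KeyDescriptor elements carry use="signing"; if the
    # second one is meant to be the IdP encryption key, its use attribute
    # should say so -- confirm with the IdP's published metadata.
    idp_metadata_file: |
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <EntityDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
          entityID="idp_url">
        <IDPSSODescriptor
            WantAuthnRequestsSigned="false"
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
          <KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:X509Data>
                <ds:X509Certificate>MIIEADi........==</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </KeyDescriptor>
          <KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:X509Data>
                <ds:X509Certificate>MIIEADi........==</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </KeyDescriptor>
          <!-- Supported Name Identifier Formats -->
          <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
          <!-- AuthenticationRequest Consumer endpoint -->
          <SingleSignOnService
              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
              Location="https://IDP_URL/SAMLLogin"
              />
        </IDPSSODescriptor>
      </EntityDescriptor>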
99
100
Shibboleth session control
==========================
Sometimes it is necessary to tune the session settings for the application. This is done by setting the session variables in the Shibboleth2.xml configuration file.
104
105.. code-block:: yaml
106
shibboleth:
  server:
    # Session settings rendered into Shibboleth2.xml (see the section text).
    # lifetime/timeout are unquoted integers while the remaining values are
    # quoted strings; the template presumably emits both as attribute text --
    # verify if the formula ever compares types.
    sessions:
      lifetime: 28800
      timeout: 3600
      relaystate: "ss:mem"
      # NOTE(review): "false" for checkaddress/handlerssl and "http" for
      # cookieprops are the permissive choices. For an SP that is served over
      # TLS, "true" / "https" is the safer setting -- confirm against your
      # deployment before copying this sample.
      checkaddress: "false"
      handlerssl: "false"
      cookieprops: "http"
116
117
Shibboleth attributeresolver/regex plugins support
==================================================
Sometimes it is necessary to add a new attribute by extracting information from other attributes. This is done by loading the plugin and adding an attributeresolver of type transform to the Shibboleth2.xml configuration file.
See more details here: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeResolver#NativeSPAttributeResolver-TransformAttributeResolver(Version2.5andAbove)
122
123.. code-block:: yaml
124
shibboleth:
  server:
    outofprocess:
      extensions:
        library:
          # Resolver plugin loaded into the shibd out-of-process component;
          # fatal: "true" presumably makes shibd refuse to start when the
          # library cannot be loaded -- confirm in the rendered config
          plugin1:
            path: plugins.so
            fatal: "true"
    attributeresolver:
      transform:
        # Source attribute the regexes below are applied to
        Email:
          # One transform rule per entry; the entry keys look like free-form
          # ids chosen by the author
          # NOTE(review): "@.*$" contains no capture group, so "$1" and "$2"
          # have nothing to refer to -- confirm the intended pattern (for
          # example, a group around the part of the address to keep)
          mantch1:
            match: "@.*$"
            destination_name: "User-identifier"
            destination: "$1"
          mantch2:
            match: "@.*$"
            destination: "$2"

Shibboleth shared session
=========================
Sometimes it is necessary to run shibd on every controller where keystone is running. To make sure sessions are accessible to and shared between all of them, you need to set up shared storage for sessions.
The example below shows how to set up shared storage using the memcached available on the controllers.
Please note that sessioncache requires memcached with bitmap set to true. Omitting the sessioncache element will result in the in-memory plugin identified as id="mem".
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPStorageService
149
150.. code-block:: yaml
151
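shibboleth:
  server:
    outofprocess:
      extensions:
        library:
          # memcached storage plugin for shibd; fatal: "true" presumably makes
          # shibd refuse to start when the library cannot be loaded
          plugin1:
            path: "memcache-store.so"
            fatal: "true"
    # Two memcached-backed storage services: "mc" (buildmap "0") and "mc-ctx"
    # (buildmap "1"); the session cache below uses "mc-ctx" for full sessions
    # and "mc" for the lite/replay data.
    # memcached has no authentication or transport encryption of its own, so
    # the hosts listed here should only be reachable from the controllers.
    storageservice:
      mc:
        type: MEMCACHE
        buildmap: "0"
        sendtimeout: "999999"  # optional
        recvtimeout: "999999"  # optional
        polltimeout: "1000"  # optional
        failtimeout: "5"  # optional
        retrytimeout: "30"  # optional
        prefix: "SHIBD"  # optional
        # Fixed: the closing double quote was missing in the original sample,
        # which leaves the scalar unterminated for a YAML parser
        hosts: "${_param:cluster_node01_address}:11211,${_param:cluster_node02_address}:11211,${_param:cluster_node03_address}:11211"
      mc-ctx:
        type: MEMCACHE
        buildmap: "1"
        sendtimeout: "999999"  # optional
        recvtimeout: "999999"  # optional
        polltimeout: "1000"  # optional
        failtimeout: "5"  # optional
        retrytimeout: "30"  # optional
        prefix: "SHIBD"  # optional
        # Fixed: closing double quote added (same defect as above)
        hosts: "${_param:cluster_node01_address}:11211,${_param:cluster_node02_address}:11211,${_param:cluster_node03_address}:11211"
    sessioncache:
      type: "StorageService"
      cachetimeout: "900"  # optional
      storageservice: "mc-ctx"
      storageservicelite: "mc"
    replaycache:
      storageservice: "mc"
    # NOTE(review): duplicate key -- most YAML loaders keep only the last
    # "replaycache" mapping and silently drop the one above. artifactTTL looks
    # like it belongs to a different element than the replay cache; confirm
    # which pillar key the formula expects for it and rename this entry
    # accordingly.
    replaycache:
      storageservice: "mc"
      artifactTTL: "180"  # optional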