{ config, ... }:

# SATOSA proxy: publishes a SAML 2.0 IdP (saml2IDP frontend) on `host` and
# authenticates users through the Kanidm OpenID Connect provider (kanidm backend).
let
  host = "saml-idp.dgnum.eu";
  baseUrl = "https://${host}";

  # SAML 2.0 URN namespace and the identifiers built from it below.
  saml2 = "urn:oasis:names:tc:SAML:2.0";
  bindings = {
    post = "${saml2}:bindings:HTTP-POST";
    redirect = "${saml2}:bindings:HTTP-Redirect";
  };
  nameIdFormats = [
    "${saml2}:nameid-format:persistent"
    "${saml2}:nameid-format:transient"
  ];
  attrNameFormat = "${saml2}:attrname-format:uri";

  # IdP signing key pair lives on persistent disk, outside the world-readable Nix store.
  sslDir = "/var/lib/satosa/ssl";
in
{
  imports = [ ./module.nix ];

  services.satosa = {
    enable = true;
    inherit host;
    port = 8090;

    # Runtime secrets come from an agenix-managed environment file, so no secret
    # value is written into this expression (and therefore into the store).
    envFile = config.age.secrets."satosa-env_file".path;

    frontendModules.saml2IDP = {
      module = "satosa.frontends.saml2.SAMLFrontend";
      name = "Saml2IDP";
      config = {
        endpoints.single_sign_on_service = {
          ${bindings.post} = "sso/post";
          ${bindings.redirect} = "sso/redirect";
        };
        entityid_endpoint = true;
        # presumably SP metadata is read once at start-up; restart after editing metadata.local — verify
        enable_metadata_reload = false;

        idp_config = {
          entityid = "${baseUrl}/Saml2IDP";
          # Tolerated clock skew, in seconds, when validating SAML timestamps.
          accepted_time_diff = 60;

          key_file = "${sslDir}/key.pem";
          cert_file = "${sslDir}/cert.pem";

          # NOTE(review): no service-provider metadata is listed yet; an SP has to
          # be added here before this IdP will answer it.
          metadata.local = [ ];

          organization = {
            name = "DGNum";
            display_name = "Délégation Générale Numérique";
            url = "https://dgnum.eu";
          };
          contact_person = [
            {
              contact_type = "technical";
              given_name = "Tom Hubrecht";
              email_address = "mailto:tom.hubrecht@dgnum.eu";
            }
          ];

          service.idp = {
            name = "DGNum proxy IdP";
            endpoints.single_sign_on_service = [ ];
            ui_info.display_name = [
              { lang = "fr"; text = "Service de connexion DGNum"; }
            ];
            name_id_format = nameIdFormats;

            # Attribute-release policy applied to every SP that has no policy of its own.
            policy.default = {
              # NOTE(review): null means no attribute filter — everything the backend
              # returns is released to every SP; tighten per SP once metadata.local is populated.
              attribute_restrictions = null;
              fail_on_missing_requested = false;
              # Validity window of issued assertions.
              lifetime.minutes = 15;
              name_form = attrNameFormat;
              # Assertions are not encrypted at the SAML layer; confidentiality
              # relies on TLS (forceSSL on the nginx vhost below).
              encrypt_assertion = false;
              encrypted_advice_attributes = false;
            };
          };
        };
      };
    };

    backendModules = {
      # Reference for the OpenIDConnectBackend options (example values, not active configuration):
      # module: satosa.backends.openid_connect.OpenIDConnectBackend
      # name: openid_connect
      # config:
      # provider_metadata:
      # issuer: https://op.example.com
      # client:
      # verify_ssl: yes
      # auth_req_params:
      # response_type: code
      # scope: [openid, profile, email, address, phone]
      # client_metadata:
      # application_name: SATOSA
      # application_type: web
      # contacts: [ops@example.com]
      # redirect_uris: [<base_url>/<name>]
      # subject_type: public
      # entity_info:
      # contact_person:
      # - contact_type: "technical"
      # email_address: ["technical_test@example.com", "support_test@example.com"]
      # given_name: "Test"
      # sur_name: "OP"
      # - contact_type: "support"
      # email_address: ["support_test@example.com"]
      # given_name: "Support_test"
      # organization:
      # display_name:
      # - ["OP Identities", "en"]
      # name:
      # - ["En test-OP", "se"]
      # - ["A test OP", "en"]
      # url:
      # - ["http://www.example.com", "en"]
      # - ["http://www.example.se", "se"]
      # ui_info:
      # description:
      # - ["This is a test OP", "en"]
      # display_name:
      # - ["OP - TEST", "en"]

      kanidm = {
        module = "satosa.backends.openid_connect.OpenIDConnectBackend";
        name = "kanidm";
        config = {
          provider_metadata.issuer = "https://sso.dgnum.eu/oauth2/openid/satosa_dgn/";
          client = {
            # Authorization-code flow with the standard identity scopes.
            auth_req_params = {
              response_type = "code";
              scope = [ "openid" "profile" "email" ];
            };
            client_metadata = {
              client_id = "satosa_dgn";
              # Never inline the literal secret here; presumably module.nix resolves
              # this "ENV! ..." marker from envFile at runtime — verify.
              client_secret = "ENV! SATOSA_FRONTEND_KANIDM_CLIENT_SECRET";
              # Must match exactly what is registered on the Kanidm side.
              redirect_uris = [ "${baseUrl}/kanidm" ];
            };
          };
        };
      };
    };
  };

  # Public HTTPS endpoint; plain HTTP is redirected so SAML responses and
  # OIDC authorization codes only ever travel over TLS.
  services.nginx.virtualHosts.${host} = {
    enableACME = true;
    forceSSL = true;
  };

  # All agenix secrets named satosa-* (including the env file above) are owned
  # by the satosa user so the service can read them.
  age-secrets.matches."^satosa-.*$" = { owner = "satosa"; };
}