# SATOSA deployment: a SAML 2.0 IdP frontend proxied onto a Kanidm OIDC backend.
# Secrets never appear in this file: the env file comes from agenix
# (config.age.secrets) and SATOSA resolves the "ENV! ..." placeholder at runtime.
{ config, ... }:
let
  host = "saml-idp.dgnum.eu";

  # Frontend: SATOSA presents itself as a SAML 2.0 IdP to relying SPs.
  saml2Frontend = {
    module = "satosa.frontends.saml2.SAMLFrontend";
    name = "Saml2IDP";
    config = {
      # Paths are relative to the SATOSA base URL.
      endpoints.single_sign_on_service = {
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" = "sso/post";
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" = "sso/redirect";
      };
      entityid_endpoint = true;
      enable_metadata_reload = false;

      idp_config = {
        entityid = "https://${host}/Saml2IDP";
        # Signing material for the IdP; managed outside this module.
        key_file = "/var/lib/satosa/ssl/key.pem";
        cert_file = "/var/lib/satosa/ssl/cert.pem";
        # NOTE(review): no SP metadata is listed here — presumably supplied
        # elsewhere (e.g. by ./module.nix); confirm that SPs are actually trusted.
        metadata.local = [ ];
        # Clock skew tolerance in seconds when validating timestamps.
        accepted_time_diff = 60;

        organization = {
          name = "DGNum";
          display_name = "Délégation Générale Numérique";
          url = "https://dgnum.eu";
        };
        contact_person = [
          {
            contact_type = "technical";
            given_name = "Tom Hubrecht";
            email_address = "mailto:tom.hubrecht@dgnum.eu";
          }
        ];

        service.idp = {
          name = "DGNum proxy IdP";
          # Left empty on purpose; SATOSA fills it from `endpoints` above.
          endpoints.single_sign_on_service = [ ];
          ui_info.display_name = [
            {
              lang = "fr";
              text = "Service de connexion DGNum";
            }
          ];
          name_id_format = [
            "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
          ];
          # Assertion policy applied to every SP (no per-SP override here).
          policy.default = {
            # NOTE(review): null = no attribute filtering, and assertions are
            # sent unencrypted (signed only). Confirm this is intended for all SPs.
            attribute_restrictions = null;
            fail_on_missing_requested = false;
            lifetime.minutes = 15;
            name_form = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri";
            encrypt_assertion = false;
            encrypted_advice_attributes = false;
          };
        };
      };
    };
  };

  # Backend: users authenticate against Kanidm over OpenID Connect.
  #
  # Reference shape of an OpenIDConnectBackend entry (kept from the original
  # SATOSA example for the fields not used below):
  #
  #   module: satosa.backends.openid_connect.OpenIDConnectBackend
  #   name: openid_connect
  #   config:
  #     provider_metadata:
  #       issuer: https://op.example.com
  #     client:
  #       verify_ssl: yes
  #       auth_req_params:
  #         response_type: code
  #         scope: [openid, profile, email, address, phone]
  #       client_metadata:
  #         application_name: SATOSA
  #         application_type: web
  #         contacts: [ops@example.com]
  #         redirect_uris: [/]
  #         subject_type: public
  #     entity_info:
  #       contact_person:
  #         - contact_type: "technical"
  #           email_address: ["technical_test@example.com", "support_test@example.com"]
  #           given_name: "Test"
  #           sur_name: "OP"
  #         - contact_type: "support"
  #           email_address: ["support_test@example.com"]
  #           given_name: "Support_test"
  #       organization:
  #         display_name:
  #           - ["OP Identities", "en"]
  #         name:
  #           - ["En test-OP", "se"]
  #           - ["A test OP", "en"]
  #         url:
  #           - ["http://www.example.com", "en"]
  #           - ["http://www.example.se", "se"]
  #       ui_info:
  #         description:
  #           - ["This is a test OP", "en"]
  #         display_name:
  #           - ["OP - TEST", "en"]
  kanidmBackend = {
    module = "satosa.backends.openid_connect.OpenIDConnectBackend";
    name = "kanidm";
    config = {
      provider_metadata.issuer = "https://sso.dgnum.eu/oauth2/openid/satosa_dgn/";
      client = {
        # NOTE(review): `verify_ssl` is not set here, unlike the example above;
        # confirm the backend's default is the strict one.
        auth_req_params = {
          response_type = "code";
          scope = [
            "openid"
            "profile"
            "email"
          ];
        };
        client_metadata = {
          client_id = "satosa_dgn";
          # Resolved by SATOSA from the environment loaded via `envFile`.
          client_secret = "ENV! SATOSA_FRONTEND_KANIDM_CLIENT_SECRET";
          redirect_uris = [ "https://${host}/kanidm" ];
        };
      };
    };
  };
in
{
  imports = [ ./module.nix ];

  services.satosa = {
    enable = true;
    host = host;
    port = 8090;
    # Env file holding the client secret; provisioned by agenix.
    envFile = config.age.secrets."satosa-env_file".path;
    frontendModules.saml2IDP = saml2Frontend;
    backendModules.kanidm = kanidmBackend;
  };

  # TLS termination in front of SATOSA; plain HTTP is redirected.
  services.nginx.virtualHosts.${host} = {
    enableACME = true;
    forceSSL = true;
  };

  # Every secret named satosa-* is readable by the service user only.
  dgn-secrets.matches."^satosa-.*$".owner = "satosa";
}