infrastructure/machines/compute01/satosa/default.nix

{ config, ... }:

let host = "saml-idp.dgnum.eu";
in {

  imports = [ ./module.nix ];

  services.satosa = {
    enable = true;

    inherit host;
    port = 8090;

    envFile = config.age.secrets."satosa-env_file".path;

    frontendModules = {
      saml2IDP = {
        module = "satosa.frontends.saml2.SAMLFrontend";
        name = "Saml2IDP";
        config = {
          endpoints.single_sign_on_service = {
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" = "sso/post";
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" =
              "sso/redirect";
          };
          entityid_endpoint = true;
          enable_metadata_reload = false;
          idp_config = {
            organization = {
              display_name = "Délégation Générale Numérique";
              name = "DGNum";
              url = "https://dgnum.eu";
            };

            contact_person = [{
              contact_type = "technical";
              email_address = "mailto:tom.hubrecht@dgnum.eu";
              given_name = "Tom Hubrecht";
            }];

            key_file = "/var/lib/satosa/ssl/key.pem";
            cert_file = "/var/lib/satosa/ssl/cert.pem";

            metadata.local = [ ];

            entityid = "https://${host}/Saml2IDP";
            accepted_time_diff = 60;
            service = {
              idp = {
                endpoints.single_sign_on_service = [ ];
                name = "DGNum proxy IdP";
                ui_info = {
                  display_name = [{
                    lang = "fr";
                    text = "Service de connexion DGNum";
                  }];
                };
                name_id_format = [
                  "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                  "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                ];
                policy = {
                  default = {
                    attribute_restrictions = null;
                    fail_on_missing_requested = false;
                    lifetime = { minutes = 15; };
                    name_form =
                      "urn:oasis:names:tc:SAML:2.0:attrname-format:uri";
                    encrypt_assertion = false;
                    encrypted_advice_attributes = false;
                  };
                };
              };
            };
          };
        };
      };
    };

    backendModules = {
      # module: satosa.backends.openid_connect.OpenIDConnectBackend
      #    name: openid_connect
      #    config:
      #      provider_metadata:
      #        issuer: https://op.example.com
      #      client:
      #        verify_ssl: yes
      #        auth_req_params:
      #          response_type: code
      #          scope: [openid, profile, email, address, phone]
      #        client_metadata:
      #          application_name: SATOSA
      #          application_type: web
      #          contacts: [ops@example.com]
      #          redirect_uris: [<base_url>/<name>]
      #          subject_type: public
      #      entity_info:
      #        contact_person:
      #          - contact_type: "technical"
      #            email_address: ["technical_test@example.com", "support_test@example.com"]
      #            given_name: "Test"
      #            sur_name: "OP"
      #          - contact_type: "support"
      #            email_address: ["support_test@example.com"]
      #            given_name: "Support_test"
      #        organization:
      #          display_name:
      #          - ["OP Identities", "en"]
      #          name:
      #          - ["En test-OP", "se"]
      #          - ["A test OP", "en"]
      #          url:
      #          - ["http://www.example.com", "en"]
      #          - ["http://www.example.se", "se"]
      #        ui_info:
      #          description:
      #          - ["This is a test OP", "en"]
      #          display_name:
      #          - ["OP - TEST", "en"]
      kanidm = {
        module = "satosa.backends.openid_connect.OpenIDConnectBackend";
        name = "kanidm";
        config = {
          provider_metadata.issuer =
            "https://sso.dgnum.eu/oauth2/openid/satosa_dgn/";
          client = {
            auth_req_params = {
              response_type = "code";
              scope = [ "openid" "profile" "email" ];
            };
            client_metadata = {
              client_id = "satosa_dgn";
              client_secret = "ENV! SATOSA_FRONTEND_KANIDM_CLIENT_SECRET";
              redirect_uris = [ "https://${host}/kanidm" ];
            };
          };
        };
      };
    };
  };

  services.nginx.virtualHosts.${host} = {
    enableACME = true;
    forceSSL = true;
  };

  dgn-secrets.matches."^satosa-.*$" = { owner = "satosa"; };
}