#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
from idproxy.provider.idp.userinfo import DictionaryInformation
import server_conf
from dirg_util.dict import Sqllite3Dict, LDAPDict
from saml2.authn_context import authn_context_class_ref, UNSPECIFIED, PASSWORD
from saml2 import BINDING_HTTP_REDIRECT, BINDING_URI
from saml2 import BINDING_HTTP_ARTIFACT
from saml2 import BINDING_HTTP_POST
from saml2 import BINDING_SOAP
from saml2.saml import NAME_FORMAT_URI
from saml2.saml import NAMEID_FORMAT_TRANSIENT
from saml2.saml import NAMEID_FORMAT_PERSISTENT
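#Must point at the correct path to xmlsec1.
#The binary is handed to pysaml2 through CONFIG["xmlsec_binary"] below, so a wrong path here breaks every
#signed or verified XML exchange. Newer pysaml2 releases can locate the binary themselves; releases without
#get_xmlsec_binary fall back to a fixed path.
try:
    from saml2.sigver import get_xmlsec_binary
except ImportError:
    get_xmlsec_binary = None

if get_xmlsec_binary:
    # Only these two directories are searched; extend the list if xmlsec1 is installed elsewhere.
    xmlsec_path = get_xmlsec_binary(["/opt/local/bin", "/usr/local/bin"])
else:
    # Single assignment (the original repeated "xmlsec_path =" twice, which was redundant).
    xmlsec_path = '/usr/local/bin/xmlsec1'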
#Please do not change! Change in server_conf.py
#BASE is the issuer prefix that every endpoint URL and the entity id in CONFIG below are built from; it is
#read from server_conf so that it stays in sync with the rest of the proxy configuration.
BASE = server_conf.ISSUER
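#Must point to the complete path on disk to this file!
#Needed by the script create_metadata.sh and the IdP to find all configurations.
#No need to change this!
FULL_PATH = os.path.dirname(os.path.abspath(__file__))
#This is the directory for the IdP. It always ends with a slash so that file names can be appended directly.
WORKING_DIR = FULL_PATH + "/"
#The yubikey server to be used. This is the official server by yubico.
#NOTE(review): this is a plain http:// URL, so the verification exchange is not protected by TLS in transit.
#Whether the client checks the response signature instead is not visible in this file; confirm that, or use
#an https endpoint if the deployment supports it.
YUBIKEY_SERVER = "http://api2.yubico.com/wsapi/2.0/verify"
#Database for pyYubitool (https://github.com/HaToHo/pyYubitool).
#You must connect your yubikeys to a user in this database in order to make it work.
YUBIKEY_DB = WORKING_DIR + "yubikeyconf.db"
#Symetric key for the IdP server. Any phrase will work, but it must be 16 characters!
#The value below is the placeholder shipped with the repository: generate a random key for each deployment
#and keep the real value out of version control.
SYM_KEY = "098qwerty1123456"
if len(SYM_KEY) != 16:
    # Fail while the configuration is loaded instead of at the first use of the key.
    raise ValueError("SYM_KEY must be exactly 16 characters long, got %d" % len(SYM_KEY))
#URL to your CAS server if you wish to perform a CAS authentication.
CAS_SERVER = "https://my.cas.server.com"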
#Two shared server caches for the IdP. Each cache expects a dictionary, but you can use a database by
#implementing the dictionary interface; the commented-out lines show the sqlite variant.
#Note that a plain dict lives only inside this process: it is not shared between worker processes and is
#emptied on restart, which is fine for testing but usually not for a multi-process deployment.
CACHE_1, CACHE_2 = {}, {}
#The caches as sqlite databases.
#CACHE_1 = Sqllite3Dict(WORKING_DIR + "idp_cache1.sqlite3")
#CACHE_2 = Sqllite3Dict(WORKING_DIR + "idp_cache2.sqlite3")
#You do not need this map, but it shows an example how the user information can be collected.
#If you get different user identifications from an underlying service, like an IdP or CAS, than you have in your
#LDAP you can map the users between the services. The mapping dictionary must be a readonly dictionary, but can
#have any type of underlying implementation, like the Sqllite3Dict.
#Keys are identifiers as reported by the upstream service, values the matching local (LDAP) identifiers.
user_id_map_for_idp = dict(myserviceuser="myldapuser")
#Defines the settings for a LDAP dictionary contained in the project dirg_util.
#This is just an example for how you can connect LDAP as backend and nothing that is maintained in the IdProxy project.
ldap_settings = {
"ldapuri": "ldaps://myldap.url.com",
"base": "dc=org, dc=domain",
"filter_pattern": "(uid=%s)",
"user": "",
"passwd": "",
"attr": [
"eduPersonScopedAffiliation",
"eduPersonAffiliation",
"eduPersonPrincipalName",
"givenName",
"sn",
"mail",
"uid",
"o",
"c",
"labeledURI",
"ou",
"displayName",
"norEduPersonLIN"
],
"keymap": {
"mail": "email",
"labeledURI": "labeledURL",
},
"static_values": {
"eduPersonTargetedID": "one!for!all",
},
"exact_match": True,
"firstonly_len1": True,
"timeout": 15,
}
#LDAP readonly dictionary that can be used to collect information about a user.
#The LDAPDict backend is wrapped in DictionaryInformation together with the user id map; the second argument
#(an extra attribute dictionary, judging by how SIMPLE is built below) is not used for LDAP users.
_ldap_backend = LDAPDict(**ldap_settings)
LDAP = DictionaryInformation(_ldap_backend, None, user_id_map_for_idp)
#User database as a dictionary. You can of course use a database instead, but you must use the same interface
#as the dictionary below.
#Every value here is made-up example data. Note that both users carry the same eduPersonTargetedID ("qwerty");
#a service that keys on that attribute cannot distinguish them, so give each real user a unique value.
USERS_DICT = {
    "test2": dict(
        uid="test2",
        givenName="Test2",
        sn="Testsson",
        displayName="Test2 Testsson",
        initials="P",
        email="test2@example.com",
        eduPersonPrincipalName="test2@example.com",
        eduPersonScopedAffiliation="staff@example.com",
        eduPersonTargetedID="qwerty",
        schacHomeOrganization="example.com",
        o="Example Co.",
        ou="IT",
        c="SE",
        labeledURL="http://www.example.com/test2 My homepage",
        norEduPersonNIN="SE199012315555",
    ),
    "test1": dict(
        uid="test1",
        givenName="Test1",
        sn="Testsson",
        displayName="Test1 Testsson",
        initials="P",
        email="test1@example.com",
        eduPersonPrincipalName="test1@example.com",
        eduPersonScopedAffiliation="staff@example.com",
        eduPersonTargetedID="qwerty",
        schacHomeOrganization="example.com",
        o="Example Co.",
        ou="IT",
        c="SE",
        labeledURL="http://www.example.com/test My homepage",
        norEduPersonNIN="SE197001012222",
    ),
}
#Additional example attributes, keyed by user id like USERS_DICT; only test1 has extras here.
EXTRA_DICT = {
    "test1": dict(
        eduPersonEntitlement="urn:mace:swamid.se:foo:bar",
        schacGender="male",
        schacUserPresenceID="skype:test.test",
    ),
}
#In-memory user information backend built from the two dictionaries above: USERS_DICT holds the main record,
#EXTRA_DICT presumably supplies additional attributes (the same slot is None for the LDAP backend), and the
#same user id map as LDAP is applied.
SIMPLE = DictionaryInformation(USERS_DICT, EXTRA_DICT, user_id_map_for_idp)
#How the IdP server should authenticate the users.
#SAML => This will authenticate a user at another IdP. In other words, the proxy part.
#MULTIPLEAUTHN => Here you can specify multiple authentication methods. The user will have to authenticate with
# all the methods in the given order.
#Each entry maps a method name to its SAML authentication context class reference ("ACR"), a "WEIGHT"
#(presumably a relative strength or priority -- confirm against the IdP code), the base "URL" and the user
#information backend ("USER_INFO") used to fill the assertion; None presumably means no local backend.
#Only PASSWORD is enabled in this example; the other entries are kept as templates.
_password_method = {
    "ACR": authn_context_class_ref(PASSWORD),
    "WEIGHT": 1,
    "URL": BASE,
    "USER_INFO": SIMPLE,
}
AUTHORIZATION = {
    #"SAML": {"ACR": authn_context_class_ref(UNSPECIFIED), "WEIGHT": 3, "URL": BASE, "USER_INFO": None},
    #"CAS": {"ACR": authn_context_class_ref(UNSPECIFIED), "WEIGHT": 2, "URL": BASE, "USER_INFO": LDAP},
    #"YUBIKEY": {"ACR": authn_context_class_ref(UNSPECIFIED), "WEIGHT": 1, "URL": BASE, "USER_INFO": SIMPLE},
    "PASSWORD": _password_method,
    #"PASSWORD_YUBIKEY": {"ACR": authn_context_class_ref(UNSPECIFIED), "WEIGHT": 0, "URL": BASE, "USER_INFO": SIMPLE},
    #"MULTIPLEAUTHN": {
    #    "ACR": authn_context_class_ref(UNSPECIFIED),
    #    "WEIGHT": 4,
    #    "URL": BASE,
    #    "USER_INFO": None,
    #    "AUTHNLIST": [
    #        {"ACR": "PASSWORD_YUBIKEY"},
    #        {"ACR": "CAS"},
    #        {"ACR": "SAML"}
    #    ]
    #},
}
#COPYSPCERT: True if you want to copy the certificate from the calling SP and add it to the call to the
#underlying SAML IdP. The authn request cannot be signed if this value is true!!!!
#COPYSPKEY: True if you want to copy the encryption certificate from the calling SP and add it to the call to
#the underlying SAML IdP.
#Both are only useful if SAML authorization is activated, and both are off by default. Keep COPYSPCERT False
#whenever the upstream IdP requires signed authn requests.
COPYSPCERT = COPYSPKEY = False
#User/name passwords for password login in the application. It is possible to use a database if you keep the interface.
#These are throwaway example credentials stored in clear text. Replace them before deployment and keep the
#real credential store out of version control.
PASSWD = dict(test1="ytrewq", test2="qwerty")
#This is a pysaml2 configuration dictionary. Please read pysaml2 documentation.


def _idp_url(path):
    """Return the absolute URL of *path* (no leading slash) under this IdP's issuer BASE."""
    return "%s/%s" % (BASE, path)


#Endpoints of the IdP role, one entry per pysaml2 service name; each entry lists (URL, binding) pairs.
_IDP_ENDPOINTS = {
    "single_sign_on_service": [
        (_idp_url("sso/redirect"), BINDING_HTTP_REDIRECT),
        (_idp_url("sso/post"), BINDING_HTTP_POST),
        (_idp_url("sso/art"), BINDING_HTTP_ARTIFACT),
        (_idp_url("sso/ecp"), BINDING_SOAP),
    ],
    "single_logout_service": [
        (_idp_url("slo/soap"), BINDING_SOAP),
        (_idp_url("slo/post"), BINDING_HTTP_POST),
        (_idp_url("slo/redirect"), BINDING_HTTP_REDIRECT),
    ],
    "artifact_resolve_service": [
        (_idp_url("ars"), BINDING_SOAP),
    ],
    "assertion_id_request_service": [
        (_idp_url("airs"), BINDING_URI),
    ],
    "manage_name_id_service": [
        (_idp_url("mni/soap"), BINDING_SOAP),
        (_idp_url("mni/post"), BINDING_HTTP_POST),
        (_idp_url("mni/redirect"), BINDING_HTTP_REDIRECT),
        (_idp_url("mni/art"), BINDING_HTTP_ARTIFACT),
    ],
    "name_id_mapping_service": [
        (_idp_url("nim"), BINDING_SOAP),
    ],
}

CONFIG = {
    "entityid": _idp_url("idp.xml"),
    "description": "My Proxy IDP",
    #CERT_GENERATION
    "service": {
        # Attribute authority role.
        "aa": {
            "endpoints": {
                "attribute_service": [
                    (_idp_url("attr"), BINDING_SOAP),
                ],
            },
            "name_id_format": [NAMEID_FORMAT_TRANSIENT, NAMEID_FORMAT_PERSISTENT],
        },
        # Authentication query role.
        "aq": {
            "endpoints": {
                "authn_query_service": [
                    (_idp_url("aqs"), BINDING_SOAP),
                ],
            },
        },
        "idp": {
            "name": "My proxy IdP",
            # NOTE(review): with these two left commented out, responses are presumably neither signed nor
            # encrypted (check the pysaml2 defaults for this version); enable signing before relying on SPs
            # trusting what this IdP issues.
            #"sign_response": True,
            #"encrypt_assertion": True,
            "endpoints": _IDP_ENDPOINTS,
            "policy": {
                "default": {
                    # Assertion validity window.
                    "lifetime": {"minutes": 15},
                    "attribute_restrictions": None,  # means all I have
                    "name_form": NAME_FORMAT_URI,
                    "entity_categories": ["swamid", "edugain"],
                },
            },
            # Relative path: resolved against the process working directory, unlike key_file/cert_file below,
            # which are anchored at WORKING_DIR.
            "subject_data": "./idp.subject",
            "name_id_format": [NAMEID_FORMAT_TRANSIENT, NAMEID_FORMAT_PERSISTENT],
        },
    },
    # Debug output (together with loglevel "debug" below) may write request and assertion contents to the
    # log file; lower both in production.
    "debug": 1,
    #Here you should point out your private key for the certificate.
    #Restrict the key file's permissions to the IdP service account and keep it out of the repository.
    "key_file": WORKING_DIR + "idp_cert/localhost.key",
    #Here you should point out your certificate.
    "cert_file": WORKING_DIR + "idp_cert/localhost.crt",
    # "[..]" is a placeholder: point this at the metadata of the SP(s) this IdP should serve.
    "metadata": {"local": ["[..]/sp.xml"]},
    "organization": {
        "display_name": "Test organisation",
        "name": "Test organisation",
        "url": "http://www.test.test",
    },
    "contact_person": [
        {
            "contact_type": "technical",
            "given_name": "Test",
            "sur_name": "Testsson",
            "email_address": "test.testsson@test.test",
        },
        {
            "contact_type": "support",
            "given_name": "Support",
            "email_address": "support@test.test",
        },
    ],
    "xmlsec_binary": xmlsec_path,
    "logger": {
        # Relative file name, written in the process working directory.
        "rotating": {
            "filename": "idp.log",
            "maxBytes": 500000,
            "backupCount": 5,
        },
        "loglevel": "debug",
    },
}