import os
from dirg_util.dict import Sqllite3Dict
from saml2 import BINDING_HTTP_REDIRECT
from saml2 import BINDING_HTTP_POST
from saml2.extension.idpdisc import BINDING_DISCO
from saml2.saml import NAME_FORMAT_URI
from saml2.entity_category.edugain import COC
from saml2.entity_category.swamid import RESEARCH_AND_EDUCATION
from saml2.entity_category.swamid import HEI
from saml2.entity_category.swamid import SFS_1993_1153
from saml2.entity_category.swamid import NREN
from saml2.entity_category.swamid import EU
# Locate the xmlsec1 binary that pysaml2 uses for XML signing and verification.
# Deployment-wide values (host, port, scheme, base URL) are taken from
# server_conf.py; this example only derives SP settings from them.
import server_conf
try:
    from saml2.sigver import get_xmlsec_binary
except ImportError:
    # Helper unavailable in this pysaml2 build: fall back to a fixed path.
    get_xmlsec_binary = None
# Search the common install prefixes when the helper exists; otherwise assume
# /usr/local/bin. The fallback path is not checked for existence here, so a
# wrong path only shows up the first time the SP signs or verifies XML.
xmlsec_path = (get_xmlsec_binary(["/opt/local/bin", "/usr/local/bin"])
               if get_xmlsec_binary else '/usr/local/bin/xmlsec1')
# SAML discovery service URL; None means no discovery service is used.
DISCOSRV = None
# SAML WAYF ("where are you from") URL; None means no WAYF is used.
WAYF = None
# These come from server_conf.py -- change them there, not in this file.
PORT = server_conf.PORT
HTTPS = server_conf.HTTPS
HOST = server_conf.HOST
BASEURL = server_conf.BASEURL
# Full URL of this SP; every endpoint below is built relative to it.
ISSUER = "{0}:{1}".format(BASEURL, PORT)
BASE = ISSUER
# Path segments under BASE.
# Discovery endpoint.
DISCOENDPOINT = "disco"
# Base path of the SP on the server.
SPVERIFYBASE = "spverify"
# Base path for verifying the response from an IdP.
SPVERIFYBASEIDP = "idpspverify"
# Paths the IdP redirects / posts back to after an authn request from the SP.
# Keep them at the top level (no subfolders) or the cookies stop working.
ASCREDIRECT = 'acsredirect'
ASCPOST = 'acspost'
# Regular expressions that recognise an IdP POST, resp. redirect, to the SP.
ASCVERIFYPOSTLIST = ["%s/(.*)$" % ASCPOST, "%s$" % ASCPOST]
ASCVERIFYREDIRECTLIST = ["%s/(.*)$" % ASCREDIRECT, "%s$" % ASCREDIRECT]
# Absolute directory of this file. create_metadata.sh and the SP locate the
# other configuration files through it, so there is no need to change it.
FULL_PATH = os.path.dirname(os.path.abspath(__file__))
# Working directory of the SP (FULL_PATH with a trailing slash).
WORKING_DIR = "%s/" % FULL_PATH
# Server-side cache shared with the IdP. Anything implementing the dict
# interface works; the commented line shows a sqlite-backed alternative.
CACHE = {}
#CACHE = Sqllite3Dict(WORKING_DIR + "sp_cache1.sqlite3")
# Copy the complete assertion through unchanged. Needed only when the
# assertion is encrypted for the destination SP; the normal value is False.
COPY_ASSERTION = False
# Minutes an SP certificate is kept in the cache.
CERT_TIMEOUT = 15
# Anonymize the assertion from the IdP. Ignored when COPY_ASSERTION is True.
ANONYMIZE = False
# Secret salt used by the anonymize service. The value below is a public
# placeholder shipped with this example file: every deployment must replace it
# with its own random value, and the copy of this file that holds the real
# salt should be kept out of version control.
ANONYMIZE_SALT = "ddlfjdslk32432FDGFGFDSG5436453rgDRGFDGDFSGQREGAFDG#dgasdgflsdkj45r#"
# Maps OpenID Connect claim names to the SAML2 attribute that carries the same
# information. The proxy returns the same mapping for OAuth2. An empty value
# means no SAML attribute is given for that claim; the commented claims have
# no mapping at all.
OPENID2SAMLMAP = dict(
    sub="uid",
    name="displayName",
    given_name="givenname",
    family_name="sn",
    middle_name="",
    nickname="eduPersonNickname",
    preferred_username="uid",
    profile="member",
    picture="jpegPhoto",
    website="labeledURI",
    email="email",
    # email_verified: missing
    gender="",
    birthdate="norEduPersonNIN",
    # zoneinfo: timezone
    locale="c",
    phone_number="telephoneNumber",
    # phone_number_verified
    address="registeredAddress",
    updated_at="",  # when the information was updated
)
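# Traditional pysaml2 SP configuration; see the pysaml2 documentation for the
# meaning of every key.
CONFIG = {
    # Entity ID of this SP.
    "entityid": "%s/sp.xml" % BASE,
    "description": "IdProxy SP",
    "entity_category": [COC, RESEARCH_AND_EDUCATION, HEI, SFS_1993_1153, NREN, EU],
    #CERT_GENERATION
    #"validate_certificate": True,
    "service": {
        "sp": {
            "name": "Test proxy SP",
            # The signing requirements below are left disabled in this example,
            # so the SP relies on pysaml2's own defaults for whether requests
            # are signed and whether unsigned assertions/responses are
            # accepted. NOTE(review): confirm those defaults for the pysaml2
            # version in use, and enable the three settings for a production SP.
            #"authn_requests_signed": "true",
            #"want_assertions_signed": "true",
            #"want_response_signed": "true",
            # Attributes the SP asks the IdP for. This is an "sp"-level key in
            # pysaml2; it was previously nested under "endpoints", where the
            # library does not look for it.
            "required_attributes": ["uid"],
            "endpoints": {
                # One assertion consumer service per binding the IdP may use.
                "assertion_consumer_service": [
                    ("%s/%s" % (BASE, ASCREDIRECT), BINDING_HTTP_REDIRECT),
                    ("%s/%s" % (BASE, ASCPOST), BINDING_HTTP_POST),
                ],
                "discovery_response": [
                    ("%s/%s" % (BASE, DISCOENDPOINT), BINDING_DISCO),
                ],
            },
        },
    },
    # Example key pair shipped with the repository; a deployment must replace
    # both files with its own.
    "key_file": "%ssp_cert/localhost.key" % WORKING_DIR,
    "cert_file": "%ssp_cert/localhost.crt" % WORKING_DIR,
    "xmlsec_binary": xmlsec_path,
    # Placeholder: point this at the metadata file of the IdP actually used.
    "metadata": {"local": ["[..]/idp.xml"]},
    "name_form": NAME_FORMAT_URI,
}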
# Attributes that are passed on, together with the values accepted for each.
# Only values listed here are returned; None returns every value unchanged.
ATTRIBUTE_WHITELIST = None
# All valid attributes and the valid values for each of them
# (presumably a mapping from attribute name to accepted values -- confirm
# against the SP code that reads it). None means no restriction.
VALID_ATTRIBUTE_RESPONSE = None