First stab at SimpleSAMLPHP
Main issue is how to customise the virtual host configuration of the Mediawiki container to pass /simplesamlphp/ through to the right directory (or reverse proxy to the `simplesamlphp` container)
This commit is contained in:
parent
3cc586873a
commit
36feb5062d
28
compose.yml
28
compose.yml
|
@ -34,6 +34,7 @@ services:
|
|||
volumes:
|
||||
- 'mediawiki_images:/var/www/html/images'
|
||||
- 'parsoid:/usr/lib/parsoid'
|
||||
- 'simplesaml:/var/www/html/simplesamlphp'
|
||||
configs:
|
||||
- source: LocalSettings_conf
|
||||
target: /var/www/html/LocalSettings.php
|
||||
|
@ -60,11 +61,38 @@ services:
|
|||
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
entrypoint: /docker-entrypoint2.sh
|
||||
simplesamlphp:
|
||||
image: venatorfox/simplesamlphp:latest
|
||||
environment:
|
||||
- CONFIG_BASEURLPATH=${DOMAIN}/simplesamlphp
|
||||
- CONFIG_AUTHADMINPASSWORD={SSHA256}MjJSiMlkQLa+fqI+CmQ1x1oUJ7OGucYpznKxBBHpgfC+Oh+7B9vgGw==
|
||||
- CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy
|
||||
- CONFIG_TECHNICALCONTACT_NAME=Adam W Zheng
|
||||
- CONFIG_TECHNICALCONTACT_EMAIL=helo@autonomic.zone
|
||||
- CONFIG_SHOWERRORS=true
|
||||
- CONFIG_ERRORREPORTING=true
|
||||
- CONFIG_ADMINPROTECTINDEXPAGE=true
|
||||
- CONFIG_LOGGINGLEVEL=INFO
|
||||
- CONFIG_ENABLESAML20IDP=true
|
||||
#- CONFIG_STORETYPE=memcache
|
||||
#- CONFIG_MEMCACHESTOREPREFIX=simplesamlphp
|
||||
#- CONFIG_MEMCACHESTORESERVERS= 'memcache_store.servers' => [\n [\n ['hostname' => 'some-memcacheda01'],\n ['hostname' => 'some-memcacheda02'],\n ],\n [\n ['hostname' => 'some-memcachedb01'],\n ['hostname' => 'some-memcachedb02'],\n ],
|
||||
- OPENLDAP_TLS_REQCERT=allow
|
||||
- MTA_NULLCLIENT=false
|
||||
- POSTFIX_MYHOSTNAME=${DOMAIN}
|
||||
- POSTFIX_MYORIGIN=$$mydomain
|
||||
- POSTFIX_INETINTERFACES=loopback-only
|
||||
- DOCKER_REDIRECTLOGS=true
|
||||
volumes:
|
||||
- simplesaml:/var/simplesamlphp/
|
||||
networks:
|
||||
- internal
|
||||
|
||||
volumes:
|
||||
mariadb:
|
||||
mediawiki_images:
|
||||
parsoid:
|
||||
simplesaml:
|
||||
|
||||
networks:
|
||||
proxy:
|
||||
|
|
|
@ -0,0 +1,93 @@
|
|||
<?php
|
||||
/**
|
||||
* SAML 2.0 IdP configuration for SimpleSAMLphp.
|
||||
*
|
||||
* See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted
|
||||
*/
|
||||
|
||||
$metadata['__DYNAMIC:1__'] = array(
|
||||
/*
|
||||
* The hostname of the server (VHOST) that will use this SAML entity.
|
||||
*
|
||||
* Can be '__DEFAULT__', to use this entry by default.
|
||||
*/
|
||||
'host' => 'wisera.auth.dev.iww.org.uk',
|
||||
|
||||
// X.509 key and certificate. Relative to the cert directory.
|
||||
'privatekey' => 'saml.pem',
|
||||
'certificate' => 'saml.crt',
|
||||
|
||||
/*
|
||||
* Authentication source to use. Must be one that is configured in
|
||||
* 'config/authsources.php'.
|
||||
*/
|
||||
'auth' => 'live',
|
||||
|
||||
/*
|
||||
* WARNING: SHA-1 is disallowed starting January the 1st, 2014.
|
||||
*
|
||||
* Uncomment the following option to start using SHA-256 for your signatures.
|
||||
* Currently, SimpleSAMLphp defaults to SHA-1, which has been deprecated since
|
||||
* 2011, and will be disallowed by NIST as of 2014. Please refer to the following
|
||||
* document for more information:
|
||||
*
|
||||
* http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
|
||||
*
|
||||
* If you are uncertain about service providers supporting SHA-256 or other
|
||||
* algorithms of the SHA-2 family, you can configure it individually in the
|
||||
* SP-remote metadata set for those that support it. Once you are certain that
|
||||
* all your configured SPs support SHA-2, you can safely remove the configuration
|
||||
* options in the SP-remote metadata set and uncomment the following option.
|
||||
*
|
||||
* Please refer to the IdP hosted reference for more information.
|
||||
*/
|
||||
'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
|
||||
|
||||
/* Uncomment the following to use the uri NameFormat on attributes. */
|
||||
/*
|
||||
'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
||||
'authproc' => array(
|
||||
// Convert LDAP names to oids.
|
||||
100 => array('class' => 'core:AttributeMap', 'name2oid'),
|
||||
),
|
||||
*/
|
||||
|
||||
/*
|
||||
* Uncomment the following to specify the registration information in the
|
||||
* exported metadata. Refer to:
|
||||
* http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html
|
||||
* for more information.
|
||||
*/
|
||||
/*
|
||||
'RegistrationInfo' => array(
|
||||
'authority' => 'urn:mace:example.org',
|
||||
'instant' => '2008-01-17T11:28:03Z',
|
||||
'policies' => array(
|
||||
'en' => 'http://example.org/policy',
|
||||
'es' => 'http://example.org/politica',
|
||||
),
|
||||
),
|
||||
*/
|
||||
);
|
||||
|
||||
$metadata['__DYNAMIC:2__'] = array(
|
||||
'host' => 'nara.auth.dev.iww.org.uk',
|
||||
|
||||
'privatekey' => 'saml.pem',
|
||||
'certificate' => 'saml.crt',
|
||||
|
||||
'auth' => 'redcard',
|
||||
|
||||
'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
|
||||
);
|
||||
|
||||
$metadata['__DYNAMIC:3__'] = array(
|
||||
'host' => 'auth.dev.iww.org.uk',
|
||||
|
||||
'privatekey' => 'saml.pem',
|
||||
'certificate' => 'saml.crt',
|
||||
|
||||
'auth' => 'default-sp',
|
||||
|
||||
'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
|
||||
);
|
|
@ -0,0 +1,60 @@
|
|||
<?php
|
||||
/**
|
||||
* SAML 2.0 remote IdP metadata for SimpleSAMLphp.
|
||||
*
|
||||
* Remember to remove the IdPs you don't use from this file.
|
||||
*
|
||||
* See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote
|
||||
*/
|
||||
|
||||
/*
|
||||
* WISE-RA Members area login.
|
||||
*/
|
||||
// $metadata['https://service.iww.org.uk/simplesaml/saml2/idp/metadata.php'] = array(
|
||||
// 'name' => array(
|
||||
// 'en' => 'WISE-RA (production)',
|
||||
// ),
|
||||
// 'description' => 'Log in using your WISE-RA members area user name.',
|
||||
// 'SingleSignOnService' => 'https://service.iww.org.uk/simplesaml/saml2/idp/SSOService.php',
|
||||
// 'SingleLogoutService' => 'https://service.iww.org.uk/simplesaml/saml2/idp/SingleLogoutService.php',
|
||||
// 'privatekey' => 'saml.pem',
|
||||
// 'certificate' => 'saml.crt',
|
||||
// );
|
||||
$metadata['https://wisera.auth.dev.iww.org.uk/simplesaml/saml2/idp/metadata.php'] = array(
|
||||
'name' => array(
|
||||
'en' => 'WISE-RA (dev)',
|
||||
),
|
||||
'description' => 'Log in using your WISE-RA members area user name.',
|
||||
'SingleSignOnService' => 'https://wisera.auth.dev.iww.org.uk/simplesaml/saml2/idp/SSOService.php',
|
||||
'SingleLogoutService' => 'https://wisera.auth.dev.iww.org.uk/simplesaml/saml2/idp/SingleLogoutService.php',
|
||||
'privatekey' => 'saml.pem',
|
||||
'certificate' => 'saml.crt',
|
||||
);
|
||||
$metadata['https://nara.auth.dev.iww.org.uk/simplesaml/saml2/idp/metadata.php'] = array(
|
||||
'name' => array(
|
||||
'en' => 'NARA (dev)',
|
||||
),
|
||||
'description' => 'Log in using your NARA red card username.',
|
||||
'SingleSignOnService' => 'https://nara.auth.dev.iww.org.uk/simplesaml/saml2/idp/SSOService.php',
|
||||
'SingleLogoutService' => 'https://nara.auth.dev.iww.org.uk/simplesaml/saml2/idp/SingleLogoutService.php',
|
||||
'privatekey' => 'saml.pem',
|
||||
'certificate' => 'saml.crt',
|
||||
);
|
||||
|
||||
/*
|
||||
* Guest IdP. allows users to sign up and register. Great for testing!
|
||||
*/
|
||||
/*
|
||||
$metadata['https://openidp.feide.no'] = array(
|
||||
'name' => array(
|
||||
'en' => 'Feide OpenIdP - guest users',
|
||||
'no' => 'Feide Gjestebrukere',
|
||||
),
|
||||
'description' => 'Here you can login with your account on Feide RnD OpenID. If you do not already have an account on this identity provider, you can create a new one by following the create new account link and follow the instructions.',
|
||||
|
||||
'SingleSignOnService' => 'https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php',
|
||||
'SingleLogoutService' => 'https://openidp.feide.no/simplesaml/saml2/idp/SingleLogoutService.php',
|
||||
'certFingerprint' => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb'
|
||||
);
|
||||
*/
|
||||
|
|
@ -0,0 +1,96 @@
|
|||
<?php
|
||||
/**
|
||||
* SAML 2.0 remote SP metadata for SimpleSAMLphp.
|
||||
*
|
||||
* See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
|
||||
*/
|
||||
|
||||
/*
|
||||
* Default SAML 2.0 SP
|
||||
*/
|
||||
$metadata['https://auth.dev.iww.org.uk/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
|
||||
'AssertionConsumerService' => 'https://auth.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
|
||||
'SingleLogoutService' => 'https://auth.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
|
||||
);
|
||||
|
||||
/*
|
||||
* MediaWiki
|
||||
*/
|
||||
$metadata['https://mediawiki.dev.iww.org.uk/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
|
||||
'AssertionConsumerService' => 'https://mediawiki.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
|
||||
'SingleLogoutService' => 'https://mediawiki.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
|
||||
);
|
||||
|
||||
/*
|
||||
* Moodle
|
||||
*/
|
||||
$metadata['https://moodle.dev.iww.org.uk/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
|
||||
'AssertionConsumerService' => 'https://moodle.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
|
||||
'SingleLogoutService' => 'https://moodle.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
|
||||
);
|
||||
|
||||
/*
|
||||
* WordPress
|
||||
*/
|
||||
$metadata['urn:dev.iww.org.uk'] = array(
|
||||
'AssertionConsumerService' => 'https://dev.iww.org.uk/wp/wp-login.php',
|
||||
'SingleLogoutService' => 'https://dev.iww.org.uk/wp/wp-login.php',
|
||||
);
|
||||
$metadata['urn:shop.dev.iww.org.uk'] = array(
|
||||
'AssertionConsumerService' => 'https://shop.dev.iww.org.uk/wp/wp-login.php',
|
||||
'SingleLogoutService' => 'https://shop.dev.iww.org.uk/wp/wp-login.php',
|
||||
);
|
||||
|
||||
/*
|
||||
* Nextcloud
|
||||
*/
|
||||
$metadata['https://cloud.dev.iww.org.uk/apps/user_saml/saml/metadata'] = array(
|
||||
'AssertionConsumerService' => 'https://cloud.dev.iww.org.uk/apps/user_saml/saml/acs',
|
||||
'SingleLogoutService' => 'https://cloud.dev.iww.org.uk/apps/user_saml/saml/sls',
|
||||
);
|
||||
|
||||
/*
|
||||
* RocketChat
|
||||
*/
|
||||
$metadata['https://chat.dev.iww.org.uk/_saml/metadata/rc'] = array (
|
||||
'entityid' => 'https://chat.dev.iww.org.uk/_saml/metadata/rc',
|
||||
'contacts' => array (),
|
||||
'metadata-set' => 'saml20-sp-remote',
|
||||
'AssertionConsumerService' => array (
|
||||
0 => array (
|
||||
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
|
||||
'Location' => 'https://chat.dev.iww.org.uk/_saml/validate/rc',
|
||||
'index' => 1,
|
||||
'isDefault' => true,
|
||||
),
|
||||
),
|
||||
'SingleLogoutService' => array (
|
||||
0 => array (
|
||||
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
||||
'Location' => 'https://chat.dev.iww.org.uk/_saml/logout/rc/',
|
||||
'ResponseLocation' => 'https://chat.dev.iww.org.uk/_saml/logout/rc/',
|
||||
),
|
||||
),
|
||||
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
|
||||
);
|
||||
|
||||
/*
|
||||
* Example SimpleSAMLphp SAML 2.0 SP
|
||||
*/
|
||||
/* $metadata['https://saml2sp.example.org'] = array(
|
||||
'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
|
||||
'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
|
||||
); */
|
||||
|
||||
/*
|
||||
* This example shows an example config that works with Google Apps for education.
|
||||
* What is important is that you have an attribute in your IdP that maps to the local part of the email address
|
||||
* at Google Apps. In example, if your google account is foo.com, and you have a user that has an email john@foo.com, then you
|
||||
* must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the value of 'john'.
|
||||
*/
|
||||
/* $metadata['google.com'] = array(
|
||||
'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
|
||||
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
|
||||
'simplesaml.nameidattribute' => 'uid',
|
||||
'simplesaml.attributes' => FALSE,
|
||||
); */
|
Reference in New Issue