satosa-attribute-filter-notes
# Compose stanza: runs the upstream SATOSA image with the local ./etc tree
# mounted as its configuration directory.
version: '3'
services:
  satosa:
    image: satosa/satosa:latest  # floating tag; pin a version or digest for reproducible deployments
    restart: always
    # env_file: .env
    environment:
      - TZ=${TZ}
    volumes:
      # Every /opt/satosa/etc/... path in the SATOSA plugin configs resolves into this directory,
      # so backend.key/.crt, frontend.key/.crt and pki/testfed.crt must exist under ./etc.
      - ./etc:/opt/satosa/etc
    ports:
      # Plain HTTP listener on all host interfaces; the SAML endpoint URLs are built from
      # <base_url>, which should be the externally visible (TLS) URL — confirm against the proxy config.
      - "8000:8000/tcp"
# Internal attribute map: each internal attribute name lists, per provider type,
# the upstream attribute(s) it is populated from.
attributes:
  address:
    openid: [address.street_address]
    orcid: [addresses.str]
    saml: [postaladdress]
  displayname:
    openid: [nickname]
    orcid: [name.credit-name]
    github: [login]
    saml: [displayName]
  edupersontargetedid:
    facebook: [id]
    linkedin: [id]
    orcid: [orcid]
    github: [id]
    openid: [sub]
    saml: [eduPersonTargetedID]
  givenname:
    facebook: [first_name]
    # NOTE(review): givenname sourced from an e-mail field here, while surname uses
    # lastName below — looks copied from the `mail` entry; confirm the intended source.
    linkedin: [email-address]
    orcid: [name.given-names.value]
    openid: [given_name]
    saml: [givenName]
  mail:
    facebook: [email]
    linkedin: [email-address]
    orcid: [emails.str]
    github: [email]
    openid: [email]
    # 'emailAdress' spelling kept as-is: the map matches on the literal attribute name.
    saml: [email, emailAdress, mail]
  name:
    facebook: [name]
    orcid: [name.credit-name]
    github: [name]
    openid: [name]
    saml: [cn]
  surname:
    facebook: [last_name]
    linkedin: [lastName]
    orcid: [name.family-name.value]
    openid: [family_name]
    saml: [sn, surname]

# User-identifier handling. Placed as top-level siblings of `attributes`, which is
# where SATOSA's internal_attributes layout keeps them — the original nesting was lost
# in the paste, so verify against the running file.
hash: [mail]
user_id_from_attrs: [mail]
user_id_to_attr: mail
# SAML2 backend plugin: the proxy's SP-facing side that talks to the federation IdPs.
module: satosa.backends.saml2.SAMLBackend
name: Saml2
config:
  # idp_blacklist_file: /path/to/blacklist.json
  sp_config:
    # Container paths; with the compose volume they live under ./etc on the host.
    key_file: /opt/satosa/etc/backend.key
    cert_file: /opt/satosa/etc/backend.crt
    organization:
      display_name: CANARIE Inc.
      name: CANARIE Inc.
      url: 'http://www.canarie.com'
    contact_person:
      - contact_type: technical
        email_address: tickets@canarie.ca
        given_name: Technical
      - contact_type: support
        email_address: tickets@canarie.ca
        given_name: Support
    metadata:
      remote:
        # `cert` pins the key the federation metadata must be signed with; keep it current,
        # otherwise metadata refresh fails and no IdP from this feed is trusted.
        - url: "https://caf-shib2ops.ca/CoreServices/testbed/caf_test_fed.xml"
          cert: "/opt/satosa/etc/pki/testfed.crt"
    entityid: <base_url>/<name>/proxy_saml2_backend.xml
    # Clock skew tolerated when checking assertion validity windows (seconds).
    accepted_time_diff: 60
    service:
      sp:
        want_response_signed: true
        # Accepts IdP-initiated (unsolicited) responses, i.e. responses with no matching
        # outstanding request from this SP; set to false unless that flow is required.
        allow_unsolicited: true
        endpoints:
          assertion_consumer_service:
            - [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
            - [<base_url>/<name>/acs/redirect, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
          discovery_response:
            - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
        name_id_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
  # disco_srv must be defined if there is more than one IdP in the metadata specified above
  disco_srv: https://ds.caftest.canarie.ca/DS/CAF.ds
# SAML2 frontend plugin: the proxy's IdP-facing side that serves the downstream SPs.
module: satosa.frontends.saml2.SAMLFrontend
name: Saml2IDP
config:
  idp_config:
    organization:
      display_name: Identities
      name: Example Identities Org.
      url: 'http://www.canarie.ca'
    contact_person:
      - contact_type: technical
        email_address: tickets@canarie.ca
        given_name: Technical
      - contact_type: support
        email_address: tickets@canarie.ca
        given_name: Support
    key_file: /opt/satosa/etc/frontend.key
    cert_file: /opt/satosa/etc/frontend.crt
    metadata:
      # Relative path, unlike the absolute key/cert paths above; it is resolved against the
      # process working directory — NOTE(review): confirm it is found inside the container.
      local: [sp.xml]
    entityid: <base_url>/<name>/proxy.xml
    # Clock skew tolerated when checking request/assertion time windows (seconds).
    accepted_time_diff: 60
    service:
      idp:
        endpoints:
          # Left empty on purpose; the SSO bindings are listed under `endpoints` at the
          # bottom of this plugin config, from which SATOSA builds the real URLs (assumed).
          single_sign_on_service: []
        name: Proxy IdP
        name_id_format:
          - 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
          - 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
        policy:
          default:
            # null means no attribute filtering: every attribute the proxy holds is
            # released to every SP. Tighten per-SP before production use.
            attribute_restrictions: null
            fail_on_missing_requested: false
            # Assertion validity window.
            lifetime:
              minutes: 15
            name_form: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
  # Maps the upstream issuer to an authentication-context value; "" is the fallback.
  acr_mapping:
    "": default-LoA
    "https://accounts.google.com": LoA1
  endpoints:
    single_sign_on_service:
      'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post
      'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect