add sso saml config

2022-06-30 20:02:47 +02:00 · 2022-06-30 20:02:47 +02:00 · 6927e29796
parent 1c37f3b10a
commit 6927e29796
5 changed files with 91 additions and 0 deletions
--- a/.env.sample
+++ b/.env.sample
@ -8,3 +8,9 @@ LETS_ENCRYPT_ENV=production
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_ADMIN_PASSWORD_VERSION=v1
+
+# SSO_ENABLED=0
+# SSO_PROVIDER_URL=https://sso.example.org/
+# SSO_SAML_URL=https://sso.example.org/application/saml/<application-slug>/sso/binding/redirect/
+# SSO_LOGOUT_URL=https://sso.example.org/if/session-end/<application-slug>/
+# SSO_CERT="muchmuchbase64certificatefoobar=="
--- a/README.md
+++ b/README.md
@ -28,3 +28,9 @@ Based on the recommended [`tobybatch/kimai2`] compose file.
 [`tobybatch/kimai2`]: https://tobybatch.github.io/kimai2/docker-compose.html#docker-compose
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
 [`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
+
+
+run from within container:
+
+export DATABASE_URL="$DATABASE_TYPE://$DATABASE_USER:$(cat /run/secrets/db_password)@$DATABASE_HOST/$DATABASE_NAME"
+/opt/kimai/bin/console kimai:create-user admin admin@example.com ROLE_SUPER_ADMIN
--- a/abra.sh
+++ b/abra.sh
@ -1 +1,2 @@
 export ENTRYPOINT_CONF_VERSION=v1
+export LOCAL_CONF_VERSION=v1
--- a/compose.yml
+++ b/compose.yml
@ -13,6 +13,12 @@ services:
      - DATABASE_NAME=kimai
      - DATABASE_USER=kimai
      - DATABASE_PASSWORD_FILE=/run/secrets/db_password
+      - DOMAIN
+      - SSO_ENABLED
+      - SSO_PROVIDER_URL
+      - SSO_SAML_URL
+      - SSO_LOGOUT_URL
+      - SSO_CERT
    volumes:
      - kimai_public:/opt/kimai/public
      - kimai_var:/opt/kimai/var
@ -23,6 +29,8 @@ services:
      - source: entrypoint_conf
        target: /docker-entrypoint.sh
        mode: 0555
+      - source: local_conf
+        target: /opt/kimai/config/packages/local.yaml
    secrets:
      - db_password
      - admin_password
@ -98,3 +106,7 @@ configs:
    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
    file: entrypoint.sh.tmpl
    template_driver: golang
+  local_conf:
+    name: ${STACK_NAME}_local_config_${LOCAL_CONF_VERSION}
+    file: local.yaml.tmpl
+    template_driver: golang
--- a/local.yaml.tmpl
+++ b/local.yaml.tmpl
@ -0,0 +1,66 @@
+kimai:
+{{ if eq (env "SSO_ENABLED") "1" }}
+  saml:
+    activate: true
+    title: Login with SAML
+    mapping:
+      - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, kimai: email }
+      - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, kimai: alias }
+    roles:
+      attribute: http://schemas.xmlsoap.org/claims/Group
+      mapping:
+      # Insert your roles here (ROLE_USER is added automatically)
+        - { saml: admin.group, kimai: ROLE_ADMIN }
+    connection:
+      # You SAML provider
+      # Your Authentik instance, replace https://authentik.company with your authentik URL
+      idp:
+        entityId: "{{ env "SSO_PROVIDER_URL" }}"
+        singleSignOnService:
+          url: "{{ env "SSO_SAML_URL" }}"
+          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        # the "single logout" feature was not yet tested, if you want to help, please let me know!
+        singleLogoutService:
+          url: "{{ env "SSO_LOGOUT_URL" }}"
+          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        # Signing certificate from *Advanced protocol settings*
+        x509cert: "{{ env "SSO_CERT" }}"
+      # Service Provider Data that we are deploying.
+      # Your Kimai instance, replace https://kimai.dev.local-it.cloud with your Kimai URL
+      sp:
+        entityId: "https://{{ env "DOMAIN" }}"
+        assertionConsumerService:
+          url: "https://{{ env "DOMAIN" }}/auth/saml/acs"
+          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        singleLogoutService:
+          url: "https://{{ env "DOMAIN" }}/auth/saml/logout"
+          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        #privateKey: ''
+      # only set baseurl, if auto-detection doesn't work
+      baseurl: "https://{{ env "DOMAIN" }}/auth/saml/"
+      strict: false
+      debug: true
+      security:
+        nameIdEncrypted: false
+        authnRequestsSigned: false
+        logoutRequestSigned: false
+        logoutResponseSigned: false
+        wantMessagesSigned: false
+        wantAssertionsSigned: false
+        wantNameIdEncrypted: false
+        requestedAuthnContext: true
+        signMetadata: false
+        wantXMLValidation: true
+        signatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+        digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha256"
+      contactPerson:
+        technical:
+          givenName: "Kimai Admin"
+          emailAddress: "admin@example.com"
+      organization:
+        en:
+          name: "Kimai"
+          displayname: "Kimai"
+          url: "https://{{ env "DOMAIN" }}"
+{{ end }}
+