add sso saml config
This commit is contained in:
parent
1c37f3b10a
commit
6927e29796
|
@ -8,3 +8,9 @@ LETS_ENCRYPT_ENV=production
|
|||
SECRET_DB_PASSWORD_VERSION=v1
|
||||
SECRET_DB_ROOT_PASSWORD_VERSION=v1
|
||||
SECRET_ADMIN_PASSWORD_VERSION=v1
|
||||
|
||||
# SSO_ENABLED=0
|
||||
# SSO_PROVIDER_URL=https://sso.example.org/
|
||||
# SSO_SAML_URL=https://sso.example.org/application/saml/<application-slug>/sso/binding/redirect/
|
||||
# SSO_LOGOUT_URL=https://sso.example.org/if/session-end/<application-slug>/
|
||||
# SSO_CERT="muchmuchbase64certificatefoobar=="
|
||||
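Review bot: The commented `# SSO_ENABLED=0` line does not say which value turns SSO on, while the new `local.yaml.tmpl` only renders the `saml:` block when the variable is exactly `1` (`{{ if eq (env "SSO_ENABLED") "1" }}`), so a deploy with `SSO_ENABLED=true` or `yes` silently gets no SAML login; a comment above the block such as `# Set SSO_ENABLED=1 to enable SAML login; the SSO_* values below are then all required` would prevent that. `SSO_CERT` likewise lacks a format note: the sample `"muchmuchbase64certificatefoobar=="` suggests a single-line base64 body without `BEGIN/END` lines, but nothing says so, and the template inserts it inside a double-quoted YAML scalar, so a pasted PEM with line breaks or quotes would break the rendered config. Suggested comment: `# SSO_CERT: IdP signing certificate, base64 body only, no BEGIN/END lines, single line`. The value is the IdP's public signing certificate, so it is not a secret and does not need the `SECRET_*` mechanism used above.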
|
|
|
@ -28,3 +28,9 @@ Based on the recommended [`tobybatch/kimai2`] compose file.
|
|||
[`tobybatch/kimai2`]: https://tobybatch.github.io/kimai2/docker-compose.html#docker-compose
|
||||
[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
|
||||
[`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
|
||||
|
||||
|
||||
run from within container:
|
||||
|
||||
export DATABASE_URL="$DATABASE_TYPE://$DATABASE_USER:$(cat /run/secrets/db_password)@$DATABASE_HOST/$DATABASE_NAME"
|
||||
/opt/kimai/bin/console kimai:create-user admin admin@example.com ROLE_SUPER_ADMIN
|
||||
|
|
12
compose.yml
12
compose.yml
|
@ -13,6 +13,12 @@ services:
|
|||
- DATABASE_NAME=kimai
|
||||
- DATABASE_USER=kimai
|
||||
- DATABASE_PASSWORD_FILE=/run/secrets/db_password
|
||||
- DOMAIN
|
||||
- SSO_ENABLED
|
||||
- SSO_PROVIDER_URL
|
||||
- SSO_SAML_URL
|
||||
- SSO_LOGOUT_URL
|
||||
- SSO_CERT
|
||||
volumes:
|
||||
- kimai_public:/opt/kimai/public
|
||||
- kimai_var:/opt/kimai/var
|
||||
|
@ -23,6 +29,8 @@ services:
|
|||
- source: entrypoint_conf
|
||||
target: /docker-entrypoint.sh
|
||||
mode: 0555
|
||||
- source: local_conf
|
||||
target: /opt/kimai/config/packages/local.yaml
|
||||
secrets:
|
||||
- db_password
|
||||
- admin_password
|
||||
|
@ -98,3 +106,7 @@ configs:
|
|||
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
|
||||
file: entrypoint.sh.tmpl
|
||||
template_driver: golang
|
||||
local_conf:
|
||||
name: ${STACK_NAME}_local_config_${LOCAL_CONF_VERSION}
|
||||
file: local.yaml.tmpl
|
||||
template_driver: golang
|
||||
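Review bot: `name: ${STACK_NAME}_local_config_${LOCAL_CONF_VERSION}` references `LOCAL_CONF_VERSION`, which this commit does not add to `.env.sample` (the `.env.sample` hunk above only adds the `SSO_*` lines); unless it is defined elsewhere, the name expands to `<stack>_local_config_` and later edits to `local.yaml.tmpl` will not get a new config version, so they never reach the running service. Add `LOCAL_CONF_VERSION=v1` next to `ENTRYPOINT_CONF_VERSION` in `.env.sample`. The key is `local_conf` but the config name says `local_config`; to match `entrypoint_conf`/`_entrypoint_`, `name: ${STACK_NAME}_local_conf_${LOCAL_CONF_VERSION}` would be consistent (renaming creates a new config object, so bump the version when doing it). The rendered file carries only the IdP's public signing certificate (the `privateKey` line in the template is commented out), so omitting `mode:` here is acceptable; a one-line comment saying so would save the next reader checking.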
|
|
|
@ -0,0 +1,66 @@
|
|||
kimai:
|
||||
{{ if eq (env "SSO_ENABLED") "1" }}
|
||||
saml:
|
||||
activate: true
|
||||
title: Login with SAML
|
||||
mapping:
|
||||
- { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, kimai: email }
|
||||
- { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, kimai: alias }
|
||||
roles:
|
||||
attribute: http://schemas.xmlsoap.org/claims/Group
|
||||
mapping:
|
||||
# Insert your roles here (ROLE_USER is added automatically)
|
||||
- { saml: admin.group, kimai: ROLE_ADMIN }
|
||||
connection:
|
||||
# You SAML provider
|
||||
# Your Authentik instance, replace https://authentik.company with your authentik URL
|
||||
idp:
|
||||
entityId: "{{ env "SSO_PROVIDER_URL" }}"
|
||||
singleSignOnService:
|
||||
url: "{{ env "SSO_SAML_URL" }}"
|
||||
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
||||
# the "single logout" feature was not yet tested, if you want to help, please let me know!
|
||||
singleLogoutService:
|
||||
url: "{{ env "SSO_LOGOUT_URL" }}"
|
||||
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
||||
# Signing certificate from *Advanced protocol settings*
|
||||
x509cert: "{{ env "SSO_CERT" }}"
|
||||
# Service Provider Data that we are deploying.
|
||||
# Your Kimai instance, replace https://kimai.dev.local-it.cloud with your Kimai URL
|
||||
sp:
|
||||
entityId: "https://{{ env "DOMAIN" }}"
|
||||
assertionConsumerService:
|
||||
url: "https://{{ env "DOMAIN" }}/auth/saml/acs"
|
||||
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
|
||||
singleLogoutService:
|
||||
url: "https://{{ env "DOMAIN" }}/auth/saml/logout"
|
||||
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
||||
#privateKey: ''
|
||||
# only set baseurl, if auto-detection doesn't work
|
||||
baseurl: "https://{{ env "DOMAIN" }}/auth/saml/"
|
||||
strict: false
|
||||
debug: true
|
||||
security:
|
||||
nameIdEncrypted: false
|
||||
authnRequestsSigned: false
|
||||
logoutRequestSigned: false
|
||||
logoutResponseSigned: false
|
||||
wantMessagesSigned: false
|
||||
wantAssertionsSigned: false
|
||||
wantNameIdEncrypted: false
|
||||
requestedAuthnContext: true
|
||||
signMetadata: false
|
||||
wantXMLValidation: true
|
||||
signatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
|
||||
digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha256"
|
||||
contactPerson:
|
||||
technical:
|
||||
givenName: "Kimai Admin"
|
||||
emailAddress: "admin@example.com"
|
||||
organization:
|
||||
en:
|
||||
name: "Kimai"
|
||||
displayname: "Kimai"
|
||||
url: "https://{{ env "DOMAIN" }}"
|
||||
{{ end }}
|
||||
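Review bot: `strict: false` together with `wantMessagesSigned: false` and `wantAssertionsSigned: false` ships a service-provider configuration that does not require the IdP's signature on responses or assertions, so the certificate taken from `SSO_CERT` is never actually enforced and an unsigned or tampered assertion can be accepted by the underlying SAML toolkit; for anything beyond local testing the lines should read `strict: true`, `wantAssertionsSigned: true` and `debug: false` (debug mode surfaces validation errors to the end user). If the defaults are intentionally permissive for first-time setup, say so in a comment above `strict:` and make the hardened values the documented production setting. The comments `# Your Authentik instance, replace https://authentik.company with your authentik URL` and `# Your Kimai instance, replace https://kimai.dev.local-it.cloud with your Kimai URL` are stale now that both URLs come from `SSO_PROVIDER_URL` and `DOMAIN`, and `# You SAML provider` should read `# Your SAML provider`. `x509cert: "{{ env "SSO_CERT" }}"` interpolates the variable unescaped into a double-quoted scalar, so a value containing `"`, `\` or newlines breaks the rendered YAML; a comment stating the expected single-line base64 format would make that contract visible here as well as in `.env.sample`.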
|