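# Kimai SAML (SSO) configuration, rendered through a Go template.
# The whole `saml:` stanza is emitted only when SSO_ENABLED == "1";
# otherwise only the bare `kimai:` key is written.
kimai:
{{ if eq (env "SSO_ENABLED") "1" }}
  saml:
    activate: true
    title: Login with SAML
    # SAML attribute -> Kimai user field mapping.
    # Values are quoted: a plain scalar containing '://' inside a flow
    # mapping is parser-dependent, a quoted string is not.
    mapping:
      - { saml: '$http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', kimai: email }
      - { saml: '$http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', kimai: alias }
    roles:
      # IdP attribute that carries the group membership used for role mapping.
      attribute: 'http://schemas.xmlsoap.org/claims/Group'
      mapping:
        # Insert your roles here (ROLE_USER is added automatically)
        - { saml: admin.group, kimai: ROLE_ADMIN }
    connection:
      # Your SAML provider.
      # Your Authentik instance, replace https://authentik.company with your authentik URL
      idp:
        entityId: "{{ env "SSO_PROVIDER_URL" }}"
        singleSignOnService:
          url: "{{ env "SSO_SAML_URL" }}"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        # the "single logout" feature was not yet tested, if you want to help, please let me know!
        singleLogoutService:
          url: "{{ env "SSO_LOGOUT_URL" }}"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        # Signing certificate from *Advanced protocol settings*.
        # This is the IdP certificate the SP uses to verify signatures; keep
        # it in sync with the IdP when the IdP key is rotated.
        x509cert: "{{ env "SSO_CERT" }}"
      # Service Provider Data that we are deploying.
      # Your Kimai instance, replace https://kimai.dev.local-it.cloud with your Kimai URL
      sp:
        entityId: "https://{{ env "DOMAIN" }}"
        assertionConsumerService:
          url: "https://{{ env "DOMAIN" }}/auth/saml/acs"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        singleLogoutService:
          url: "https://{{ env "DOMAIN" }}/auth/saml/logout"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        #privateKey: ''
      # only set baseurl, if auto-detection doesn't work
      baseurl: "https://{{ env "DOMAIN" }}/auth/saml/"
      # NOTE(review): strict: false relaxes the SAML toolkit's validation of
      # incoming messages; the toolkit's own documentation recommends
      # strict: true for production. Confirm the IdP setup (signing, entity IDs)
      # and then revisit this value.
      strict: false
      # NOTE(review): debug: true exposes SAML error details; verify it is
      # intended outside of development.
      debug: true
      security:
        nameIdEncrypted: false
        authnRequestsSigned: false
        logoutRequestSigned: false
        logoutResponseSigned: false
        # NOTE(review): with both want*Signed flags false the SP does not
        # require the IdP to sign responses or assertions. Once x509cert is
        # confirmed, consider requiring at least signed assertions.
        wantMessagesSigned: false
        wantAssertionsSigned: false
        wantNameIdEncrypted: false
        requestedAuthnContext: true
        signMetadata: false
        wantXMLValidation: true
        signatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha256"
      contactPerson:
        technical:
          givenName: "Kimai Admin"
          emailAddress: "admin@example.com"
      organization:
        en:
          name: "Kimai"
          displayname: "Kimai"
          url: "https://{{ env "DOMAIN" }}"
{{ end }}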