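# Kimai SAML login configuration. The `{{ ... }}` directives are template
# syntax (presumably Go text/template; `env` looks up an environment variable)
# that is rendered before Kimai parses the file, and the whole `saml:` block
# is only emitted when SSO_ENABLED is exactly the string "1". Review the
# rendered output, not only this template: an unset variable renders as an
# empty string, and the templated values are what Kimai actually sees.
kimai:
{{ if eq (env "SSO_ENABLED") "1" }}
  saml:
    activate: true
    title: Login with SAML
    # Map SAML attributes onto Kimai user fields. The leading `$` appears to
    # mark the value as an attribute name to look up rather than a literal —
    # confirm against the Kimai SAML documentation before changing it.
    mapping:
      - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, kimai: email }
      - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, kimai: alias }
    roles:
      # SAML attribute whose values are matched against the role mapping below.
      attribute: http://schemas.xmlsoap.org/claims/Group
      mapping:
        # Insert your roles here (ROLE_USER is added automatically).
        - { saml: admin.group, kimai: ROLE_ADMIN }
    connection:
      # Your SAML provider (identity provider, IdP). The original example
      # targeted an Authentik instance; the URLs are supplied through the
      # SSO_* environment variables rather than hard-coded here.
      idp:
        entityId: "{{ env "SSO_PROVIDER_URL" }}"
        singleSignOnService:
          url: "{{ env "SSO_SAML_URL" }}"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        # The "single logout" feature was not yet tested; if you want to help, please let me know!
        singleLogoutService:
          url: "{{ env "SSO_LOGOUT_URL" }}"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        # IdP signing certificate, taken from *Advanced protocol settings* in
        # the IdP. This is what lets Kimai verify IdP signatures; if SSO_CERT
        # is unset the value renders as "" and signature checks cannot succeed.
        x509cert: "{{ env "SSO_CERT" }}"
      # Service Provider (SP) data for the Kimai instance we are deploying;
      # the public URL is built from the DOMAIN environment variable.
      sp:
        entityId: "https://{{ env "DOMAIN" }}"
        assertionConsumerService:
          url: "https://{{ env "DOMAIN" }}/auth/saml/acs"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        singleLogoutService:
          url: "https://{{ env "DOMAIN" }}/auth/saml/logout"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        # SP private key; only needed once authnRequestsSigned /
        # logoutRequestSigned below are enabled. If you set it, inject it from
        # the environment like the other secrets instead of committing key
        # material into this file.
        #privateKey: ''
      # Only set baseurl if auto-detection doesn't work.
      baseurl: "https://{{ env "DOMAIN" }}/auth/saml/"
      # strict: false makes the SAML toolkit tolerate messages that do not
      # follow the standard exactly, including missing signatures or
      # encryption it would otherwise insist on. Acceptable while getting the
      # IdP integration working; switch to true before real users log in.
      strict: false
      # debug: true makes the SAML toolkit report error details; turn it off
      # in production so SAML processing errors stay in the logs only.
      debug: true
      security:
        nameIdEncrypted: false
        authnRequestsSigned: false
        logoutRequestSigned: false
        logoutResponseSigned: false
        # With both wantMessagesSigned and wantAssertionsSigned false, the SP
        # does not require the IdP response or assertion to carry a signature,
        # so the x509cert above is not enforced on every login. Once the IdP
        # signs its assertions, set wantAssertionsSigned: true together with
        # strict: true.
        wantMessagesSigned: false
        wantAssertionsSigned: false
        wantNameIdEncrypted: false
        requestedAuthnContext: true
        signMetadata: false
        wantXMLValidation: true
        signatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha256"
      # Contact and organization details published in the SP metadata;
      # replace the placeholders with values for your deployment.
      contactPerson:
        technical:
          givenName: "Kimai Admin"
          emailAddress: "admin@example.com"
      organization:
        en:
          name: "Kimai"
          displayname: "Kimai"
          url: "https://{{ env "DOMAIN" }}"
{{ end }}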