forked from coop-cloud/mediawiki
First stab at SimpleSAMLPHP
Main issue is how to customise the virtual host configuration of the Mediawiki container to pass /simplesamlphp/ through to the right directory (or reverse proxy to the `simplesamlphp` container)
parent
3cc586873a
commit
36feb5062d
28
compose.yml
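--- a/compose.yml
+++ b/compose.yml
@@ -34,6 +34,7 @@ services:
 volumes:
 - 'mediawiki_images:/var/www/html/images'
 - 'parsoid:/usr/lib/parsoid'
+- 'simplesaml:/var/www/html/simplesamlphp'
 configs:
 - source: LocalSettings_conf
 target: /var/www/html/LocalSettings.php
@@ -60,11 +61,38 @@ services:
 - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
 - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
 entrypoint: /docker-entrypoint2.sh
+simplesamlphp:
+image: venatorfox/simplesamlphp:latest
+environment:
+- CONFIG_BASEURLPATH=${DOMAIN}/simplesamlphp
+- CONFIG_AUTHADMINPASSWORD={SSHA256}MjJSiMlkQLa+fqI+CmQ1x1oUJ7OGucYpznKxBBHpgfC+Oh+7B9vgGw==
+- CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy
+- CONFIG_TECHNICALCONTACT_NAME=Adam W Zheng
+- CONFIG_TECHNICALCONTACT_EMAIL=helo@autonomic.zone
+- CONFIG_SHOWERRORS=true
+- CONFIG_ERRORREPORTING=true
+- CONFIG_ADMINPROTECTINDEXPAGE=true
+- CONFIG_LOGGINGLEVEL=INFO
+- CONFIG_ENABLESAML20IDP=true
+#- CONFIG_STORETYPE=memcache
+#- CONFIG_MEMCACHESTOREPREFIX=simplesamlphp
+#- CONFIG_MEMCACHESTORESERVERS= 'memcache_store.servers' => [\n [\n ['hostname' => 'some-memcacheda01'],\n ['hostname' => 'some-memcacheda02'],\n ],\n [\n ['hostname' => 'some-memcachedb01'],\n ['hostname' => 'some-memcachedb02'],\n ],
+- OPENLDAP_TLS_REQCERT=allow
+- MTA_NULLCLIENT=false
+- POSTFIX_MYHOSTNAME=${DOMAIN}
+- POSTFIX_MYORIGIN=$$mydomain
+- POSTFIX_INETINTERFACES=loopback-only
+- DOCKER_REDIRECTLOGS=true
+volumes:
+- simplesaml:/var/simplesamlphp/
+networks:
+- internal
 
 volumes:
 mariadb:
 mediawiki_images:
 parsoid:
+simplesaml:
 
 networks:
 proxy: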
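Review bot: `CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy` in the new `simplesamlphp` service is the literal example value, committed to the repository next to the `CONFIG_AUTHADMINPASSWORD` hash; SimpleSAMLphp uses that salt as keying material for the identifiers it derives, so every reader of this file holds the same secret as the running deployment. The hunk already substitutes `${DOMAIN}` and `${LETS_ENCRYPT_ENV}`, so the same mechanism fits here: `- CONFIG_SECRETSALT=${SIMPLESAML_SECRET_SALT}` (variable name is a placeholder) with the value supplied from the stack's env or a secret, and the admin password hash handled the same way. `CONFIG_SHOWERRORS=true` and `CONFIG_ERRORREPORTING=true` return stack traces to anonymous clients and deserve a marker such as `# dev only: exposes internals to clients` so they are not carried into production. The `simplesaml` volume is mounted at `/var/www/html/simplesamlphp` in the mediawiki container but at `/var/simplesamlphp/` in the new service, which presumably is the open question the commit message describes; a one-line comment on the mediawiki mount stating which container is expected to serve that path would save the next reader the guess.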
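--- /dev/null
+++ b/[new file 1 of 3, path not shown on page]
@@ -0,0 +1,93 @@
+<?php
+/**
+* SAML 2.0 IdP configuration for SimpleSAMLphp.
+*
+* See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted
+*/
+
+$metadata['__DYNAMIC:1__'] = array(
+/*
+* The hostname of the server (VHOST) that will use this SAML entity.
+*
+* Can be '__DEFAULT__', to use this entry by default.
+*/
+'host' => 'wisera.auth.dev.iww.org.uk',
+
+// X.509 key and certificate. Relative to the cert directory.
+'privatekey' => 'saml.pem',
+'certificate' => 'saml.crt',
+
+/*
+* Authentication source to use. Must be one that is configured in
+* 'config/authsources.php'.
+*/
+'auth' => 'live',
+
+/*
+* WARNING: SHA-1 is disallowed starting January the 1st, 2014.
+*
+* Uncomment the following option to start using SHA-256 for your signatures.
+* Currently, SimpleSAMLphp defaults to SHA-1, which has been deprecated since
+* 2011, and will be disallowed by NIST as of 2014. Please refer to the following
+* document for more information:
+*
+* http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
+*
+* If you are uncertain about service providers supporting SHA-256 or other
+* algorithms of the SHA-2 family, you can configure it individually in the
+* SP-remote metadata set for those that support it. Once you are certain that
+* all your configured SPs support SHA-2, you can safely remove the configuration
+* options in the SP-remote metadata set and uncomment the following option.
+*
+* Please refer to the IdP hosted reference for more information.
+*/
+'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
+
+/* Uncomment the following to use the uri NameFormat on attributes. */
+/*
+'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+'authproc' => array(
+// Convert LDAP names to oids.
+100 => array('class' => 'core:AttributeMap', 'name2oid'),
+),
+*/
+
+/*
+* Uncomment the following to specify the registration information in the
+* exported metadata. Refer to:
+* http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html
+* for more information.
+*/
+/*
+'RegistrationInfo' => array(
+'authority' => 'urn:mace:example.org',
+'instant' => '2008-01-17T11:28:03Z',
+'policies' => array(
+'en' => 'http://example.org/policy',
+'es' => 'http://example.org/politica',
+),
+),
+*/
+);
+
+$metadata['__DYNAMIC:2__'] = array(
+'host' => 'nara.auth.dev.iww.org.uk',
+
+'privatekey' => 'saml.pem',
+'certificate' => 'saml.crt',
+
+'auth' => 'redcard',
+
+'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
+);
+
+$metadata['__DYNAMIC:3__'] = array(
+'host' => 'auth.dev.iww.org.uk',
+
+'privatekey' => 'saml.pem',
+'certificate' => 'saml.crt',
+
+'auth' => 'default-sp',
+
+'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
+);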
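Review bot: The comment block above `'signature.algorithm'` in `__DYNAMIC:1__` still reads "Uncomment the following option" and argues about a 2014 SHA-1 cut-off, while the option is already active on the line below it; the block is misleading as committed and should shrink to the one line that is true here, e.g. `// Sign with RSA-SHA256; SHA-1 signatures are deprecated.`. All three `__DYNAMIC` entries point at the same `saml.pem`/`saml.crt`, so the `wisera`, `nara` and default hosts sign with one key; if they are meant to be independently trusted IdPs, a per-host key pair lets an SP pin one without implicitly trusting the others — hedged, since the cert directory is not on the page. `__DYNAMIC:2__` and `__DYNAMIC:3__` carry no comments at all; a one-liner on each naming what its auth source (`'redcard'`, `'default-sp'`) fronts would help the next reader, especially for the third entry, whose `'auth' => 'default-sp'` looks like an SP source being used to proxy logins. Style: the file uses `array(` throughout where `[]` is the current convention.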
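--- /dev/null
+++ b/[new file 2 of 3, path not shown on page]
@@ -0,0 +1,60 @@
+<?php
+/**
+* SAML 2.0 remote IdP metadata for SimpleSAMLphp.
+*
+* Remember to remove the IdPs you don't use from this file.
+*
+* See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote
+*/
+
+/*
+* WISE-RA Members area login.
+*/
+// $metadata['https://service.iww.org.uk/simplesaml/saml2/idp/metadata.php'] = array(
+// 'name' => array(
+// 'en' => 'WISE-RA (production)',
+// ),
+// 'description' => 'Log in using your WISE-RA members area user name.',
+// 'SingleSignOnService' => 'https://service.iww.org.uk/simplesaml/saml2/idp/SSOService.php',
+// 'SingleLogoutService' => 'https://service.iww.org.uk/simplesaml/saml2/idp/SingleLogoutService.php',
+// 'privatekey' => 'saml.pem',
+// 'certificate' => 'saml.crt',
+// );
+$metadata['https://wisera.auth.dev.iww.org.uk/simplesaml/saml2/idp/metadata.php'] = array(
+'name' => array(
+'en' => 'WISE-RA (dev)',
+),
+'description' => 'Log in using your WISE-RA members area user name.',
+'SingleSignOnService' => 'https://wisera.auth.dev.iww.org.uk/simplesaml/saml2/idp/SSOService.php',
+'SingleLogoutService' => 'https://wisera.auth.dev.iww.org.uk/simplesaml/saml2/idp/SingleLogoutService.php',
+'privatekey' => 'saml.pem',
+'certificate' => 'saml.crt',
+);
+$metadata['https://nara.auth.dev.iww.org.uk/simplesaml/saml2/idp/metadata.php'] = array(
+'name' => array(
+'en' => 'NARA (dev)',
+),
+'description' => 'Log in using your NARA red card username.',
+'SingleSignOnService' => 'https://nara.auth.dev.iww.org.uk/simplesaml/saml2/idp/SSOService.php',
+'SingleLogoutService' => 'https://nara.auth.dev.iww.org.uk/simplesaml/saml2/idp/SingleLogoutService.php',
+'privatekey' => 'saml.pem',
+'certificate' => 'saml.crt',
+);
+
+/*
+* Guest IdP. allows users to sign up and register. Great for testing!
+*/
+/*
+$metadata['https://openidp.feide.no'] = array(
+'name' => array(
+'en' => 'Feide OpenIdP - guest users',
+'no' => 'Feide Gjestebrukere',
+),
+'description' => 'Here you can login with your account on Feide RnD OpenID. If you do not already have an account on this identity provider, you can create a new one by following the create new account link and follow the instructions.',
+
+'SingleSignOnService' => 'https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php',
+'SingleLogoutService' => 'https://openidp.feide.no/simplesaml/saml2/idp/SingleLogoutService.php',
+'certFingerprint' => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb'
+);
+*/
+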
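Review bot: Both live entries in this file (the `wisera` and `nara` dev IdPs) set `'privatekey' => 'saml.pem'`, but remote-IdP metadata is there to verify the IdP's signed responses and, as far as I can tell, only consumes the public certificate (`certificate`/`certData`); a private key reference has no role in it and is one more place the hosted IdP's key path leaks into config that tends to get copied around. If `saml.crt` is the same certificate the hosted IdP signs with, this SP is trusting itself, which is presumably intended for the dev loopback described in the commit message; a comment saying so, e.g. `// Dev loopback: trusts the hosted IdP's own certificate, not for production`, would stop the entry being promoted as-is. The commented-out production entry above it carries the same two lines, so whoever re-enables it would inherit the issue.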
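--- /dev/null
+++ b/[new file 3 of 3, path not shown on page]
@@ -0,0 +1,96 @@
+<?php
+/**
+* SAML 2.0 remote SP metadata for SimpleSAMLphp.
+*
+* See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
+*/
+
+/*
+* Default SAML 2.0 SP
+*/
+$metadata['https://auth.dev.iww.org.uk/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
+'AssertionConsumerService' => 'https://auth.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
+'SingleLogoutService' => 'https://auth.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
+);
+
+/*
+* MediaWiki
+*/
+$metadata['https://mediawiki.dev.iww.org.uk/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
+'AssertionConsumerService' => 'https://mediawiki.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
+'SingleLogoutService' => 'https://mediawiki.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
+);
+
+/*
+* Moodle
+*/
+$metadata['https://moodle.dev.iww.org.uk/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
+'AssertionConsumerService' => 'https://moodle.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
+'SingleLogoutService' => 'https://moodle.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
+);
+
+/*
+* WordPress
+*/
+$metadata['urn:dev.iww.org.uk'] = array(
+'AssertionConsumerService' => 'https://dev.iww.org.uk/wp/wp-login.php',
+'SingleLogoutService' => 'https://dev.iww.org.uk/wp/wp-login.php',
+);
+$metadata['urn:shop.dev.iww.org.uk'] = array(
+'AssertionConsumerService' => 'https://shop.dev.iww.org.uk/wp/wp-login.php',
+'SingleLogoutService' => 'https://shop.dev.iww.org.uk/wp/wp-login.php',
+);
+
+/*
+* Nextcloud
+*/
+$metadata['https://cloud.dev.iww.org.uk/apps/user_saml/saml/metadata'] = array(
+'AssertionConsumerService' => 'https://cloud.dev.iww.org.uk/apps/user_saml/saml/acs',
+'SingleLogoutService' => 'https://cloud.dev.iww.org.uk/apps/user_saml/saml/sls',
+);
+
+/*
+* RocketChat
+*/
+$metadata['https://chat.dev.iww.org.uk/_saml/metadata/rc'] = array (
+'entityid' => 'https://chat.dev.iww.org.uk/_saml/metadata/rc',
+'contacts' => array (),
+'metadata-set' => 'saml20-sp-remote',
+'AssertionConsumerService' => array (
+0 => array (
+'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+'Location' => 'https://chat.dev.iww.org.uk/_saml/validate/rc',
+'index' => 1,
+'isDefault' => true,
+),
+),
+'SingleLogoutService' => array (
+0 => array (
+'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+'Location' => 'https://chat.dev.iww.org.uk/_saml/logout/rc/',
+'ResponseLocation' => 'https://chat.dev.iww.org.uk/_saml/logout/rc/',
+),
+),
+'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+);
+
+/*
+* Example SimpleSAMLphp SAML 2.0 SP
+*/
+/* $metadata['https://saml2sp.example.org'] = array(
+'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
+'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
+); */
+
+/*
+* This example shows an example config that works with Google Apps for education.
+* What is important is that you have an attribute in your IdP that maps to the local part of the email address
+* at Google Apps. In example, if your google account is foo.com, and you have a user that has an email john@foo.com, then you
+* must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the value of 'john'.
+*/
+/* $metadata['google.com'] = array(
+'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
+'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+'simplesaml.nameidattribute' => 'uid',
+'simplesaml.attributes' => FALSE,
+); */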
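Review bot: None of the seven active SP entries (`auth`, `mediawiki`, `moodle`, the two WordPress `urn:` entries, `cloud`, `chat`) carries a `certData`/`certificate` for the SP, so the IdP has nothing with which to verify signatures on AuthnRequests or LogoutRequests from those SPs and, unless request validation is enforced somewhere not on this page, unsigned requests will be accepted from them. That is the SimpleSAMLphp default and may be acceptable for dev, but it should be stated per entry rather than implied, e.g. `// No SP certificate: requests from this SP are accepted unsigned (dev only)`, and the logout endpoints in particular benefit from a signed-request requirement once a certificate is available. The WordPress entries use `urn:dev.iww.org.uk` and `urn:shop.dev.iww.org.uk` as entity IDs while every other SP uses its metadata URL, which is fine if that is what the plugin emits, but a one-line comment naming the source of the value would save the next reader a lookup. Style: the file mixes `array(` and `array (` and uses the long array syntax throughout where `[]` is the current convention.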