From 66ac599d506626bb27d05890b4be5cefc037f75c Mon Sep 17 00:00:00 2001
From: shahaan <shahaan@gmail.com>
Date: Thu, 30 Jul 2015 12:25:50 +1000
Subject: [PATCH] Changing debianApache to use lineinfile and adding Shibboleth
 Role

---
 buildKaraage3.x.yml                           |  13 +-
 roles/karaage3.1.17/tasks/apacheDebian.yml    |  20 ++-
 .../shibboleth-sp/files/aaf-metadata-cert.pem |  26 +++
 roles/shibboleth-sp/files/metadata.aaf.xml    | 106 ++++++++++++
 roles/shibboleth-sp/tasks/main.yml            |   3 +
 .../shibboleth-sp/tasks/shibbolethConfig.yml  | 109 +++++++++++++
 .../tasks/shibbolethPrerequisites.yml         |  12 ++
 .../templates/attribute-map.xml.j2            | 153 ++++++++++++++++++
 8 files changed, 427 insertions(+), 15 deletions(-)
 create mode 100644 roles/shibboleth-sp/files/aaf-metadata-cert.pem
 create mode 100644 roles/shibboleth-sp/files/metadata.aaf.xml
 create mode 100644 roles/shibboleth-sp/tasks/main.yml
 create mode 100644 roles/shibboleth-sp/tasks/shibbolethConfig.yml
 create mode 100644 roles/shibboleth-sp/tasks/shibbolethPrerequisites.yml
 create mode 100644 roles/shibboleth-sp/templates/attribute-map.xml.j2

diff --git a/buildKaraage3.x.yml b/buildKaraage3.x.yml
index 1a349bc4..28bf2a99 100644
--- a/buildKaraage3.x.yml
+++ b/buildKaraage3.x.yml
@@ -7,10 +7,10 @@
     - service: name=network state=restarted
       when: ansible_os_family == 'RedHat'
   roles:
-    - etcHosts
-    - easy-rsa-CA
-    - easy-rsa-certificate
-    - ldapserver
+#    - etcHosts
+#    - easy-rsa-CA
+#    - easy-rsa-certificate
+#    - ldapserver
   sudo: true
   vars:
    - x509_ca_server: "{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
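Review bot: Commenting out every entry under `roles:` in this play leaves the key with no value, which YAML reads as null rather than an empty list; the second hunk still keeps `- karaage3.1.17`, so only this first play is affected. If the intent is to disable these roles temporarily, `roles: []` states that explicitly and stays valid across Ansible versions; if the plays are no longer needed, delete them rather than carrying commented-out YAML. It is also not visible from the diff whether the disabled easy-rsa-certificate role is what defines `x509_cert_file` and `x509_key_file`, which the new apacheDebian.yml and shibbolethConfig.yml tasks both consume; if it is, those tasks will fail on a fresh host with undefined variables.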
@@ -47,8 +47,8 @@
     - service: name=network state=restarted
       when: ansible_os_family == 'RedHat'
   roles:
-    - etcHosts
-    - easy-rsa-certificate
+#    - etcHosts
+#    - easy-rsa-certificate
     - karaage3.1.17
   sudo: true
   vars:
@@ -78,4 +78,3 @@
    - x509_csr_args: ""
    - x509_sign_args: "{{ x509_csr_args }}"
    - x509_common_name: "{{ inventory_hostname }}"
-   - apache_user: "{% if ansible_os_family == 'RedHat'  %}apache{% else %}www-data{% endif %}"
diff --git a/roles/karaage3.1.17/tasks/apacheDebian.yml b/roles/karaage3.1.17/tasks/apacheDebian.yml
index 0a08f63e..308f692a 100644
--- a/roles/karaage3.1.17/tasks/apacheDebian.yml
+++ b/roles/karaage3.1.17/tasks/apacheDebian.yml
@@ -1,16 +1,20 @@
 ---
 -
  name: "Install Apache2"
- apt: name=apache2 state=present
+ apt: name={{ item }} state=present
+ with_items:
+  - apache2
+  - apache2-dev
 -
- name: "Templating default-ssl site"
- template: src=default-ssl.j2 dest=/etc/apache2/sites-available/default-ssl.conf owner=www-data group=www-data
+ name: "Setting default site"
+ lineinfile: dest=/etc/apache2/sites-available/000-default.conf regexp="#ServerName" line="ServerName {{ ansible_nodename }}" backrefs=yes
 -
- name: "Templating default site"
- template: src=default.j2 dest=/etc/apache2/sites-available/000-default.conf owner=www-data group=www-data
--
- name: "Templating ssl configuration"
- template: src=ssl.conf.j2 dest=/etc/apache2/mods-available/ssl.conf owner=www-data group=www-data
+ name: "Setting default-ssl site"
+ lineinfile: dest=/etc/apache2/sites-available/default-ssl.conf  regexp="{{ item.regexp }}" line="{{ item.line }}" backrefs=yes
+ with_items:
+  - { regexp : "^\\s+SSLCertificateFile", line : "		SSLCertificateFile {{ x509_cert_file }}" }
+  - { regexp : "SSLCertificateKeyFile", line : "		SSLCertificateKeyFile {{ x509_key_file }}" }
+  - { regexp : "SSLCACertificateFile", line : "		SSLCACertificateFile {{ x509_cacert_file }}" }
 -
  name: "Enable ssl module"
  apache2_module: state=present name=ssl
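Review bot: The `lineinfile` regexps on lines 76, 87 and 88 are unanchored while the one on line 86 is anchored, so `SSLCertificateKeyFile` and `SSLCACertificateFile` also match any comment line that mentions the directive, and because `lineinfile` rewrites only the last match the outcome depends on the layout of the distro's default-ssl.conf. Anchoring them the same way as line 86, e.g. `regexp : "^\\s*#?SSLCertificateKeyFile"`, makes the edit deterministic and remains idempotent with `backrefs=yes`. The literal tab characters embedded in the `line` values are easy to lose in an editor; `"\t\tSSLCertificateFile {{ x509_cert_file }}"` inside the double-quoted scalar expresses the same thing visibly. Note that the `#ServerName` task on line 76 silently does nothing when the default site has already been edited, since `backrefs=yes` suppresses insertion when nothing matches; the remainder of this task file lies outside the hunk.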
diff --git a/roles/shibboleth-sp/files/aaf-metadata-cert.pem b/roles/shibboleth-sp/files/aaf-metadata-cert.pem
new file mode 100644
index 00000000..af925f02
--- /dev/null
+++ b/roles/shibboleth-sp/files/aaf-metadata-cert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
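Review bot: The federation metadata signing certificate is added as an opaque file with nothing recording its origin, fingerprint or expiry, yet shibbolethConfig.yml makes it the trust anchor for every IdP the SP will accept (the `type="Signature"` MetadataFilter). Add a short comment in the role, for example at the top of tasks/main.yml: `# aaf-metadata-cert.pem is the federation metadata signing cert; verify its fingerprint against the federation's published value before replacing it, and track its notAfter date`. A periodic expiry check on the file would turn a silent failure, which otherwise only appears as shibd rejecting all downloaded metadata, into an actionable alert.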
diff --git a/roles/shibboleth-sp/files/metadata.aaf.xml b/roles/shibboleth-sp/files/metadata.aaf.xml
new file mode 100644
index 00000000..a1603b1d
--- /dev/null
+++ b/roles/shibboleth-sp/files/metadata.aaf.xml
@@ -0,0 +1,106 @@
+<EntityDescriptor entityID="https://vm-118-138-241-159.erc.monash.edu.au/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd">
+  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <Extensions>
+      <dsr:DiscoveryResponse xmlns:dsr="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/Login" index="0" isDefault="true" />
+    </Extensions>
+    <KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>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</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </KeyDescriptor>
+    <KeyDescriptor use="encryption">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>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</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </KeyDescriptor>
+    <ContactPerson contactType="technical">
+      <Company>Monash University</Company>
+      <GivenName>Shahaan</GivenName>
+      <SurName>Ayyub</SurName>
+      <EmailAddress>mailto:shahaan.ayyub@monash.edu</EmailAddress>
+    </ContactPerson>
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/SLO/Artifact" />
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/SLO/POST" />
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/SLO/SOAP" />
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/SLO/Redirect" />
+    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/NIM/POST" />
+    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/NIM/Redirect" />
+    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/NIM/SOAP" />
+    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/NIM/Artifact" />
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/SAML2/Artifact" index="3" isDefault="false" />
+    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vm-118-138-241-159.erc.monash.edu.au/Shibboleth.sso/SAML2/POST" index="1" isDefault="true" />
+    <AttributeConsumingService index="1" isDefault="false">
+      <ServiceName xml:lang="en">vm-118-138-241-159.erc.monash.edu.au</ServiceName>
+      <RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:2.5.4.3" FriendlyName="commonName" isRequired="true" />
+      <RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="email" isRequired="true" />
+      <RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:2.5.4.42" FriendlyName="givenName" isRequired="false" />
+      <RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:2.5.4.4" FriendlyName="surname" isRequired="true" />
+    </AttributeConsumingService>
+  </SPSSODescriptor>
+  <Organization>
+    <OrganizationName xml:lang="en">monash.edu.au</OrganizationName>
+    <OrganizationDisplayName xml:lang="en">Monash University</OrganizationDisplayName>
+    <OrganizationURL xml:lang="en">https://manager.aaf.edu.au/support</OrganizationURL>
+  </Organization>
+</EntityDescriptor>
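Review bot: This file is the SP's own entity descriptor for one specific host, `vm-118-138-241-159.erc.monash.edu.au`, with that host's signing and encryption certificates and a personal contact address baked in, yet shibbolethConfig.yml copies it verbatim to every host the role runs on. Any other host will advertise the wrong entityID and endpoints, and the certificates in this file will not correspond to the key the CredentialResolver task points shibd at (`{{ x509_key_file }}`), so a federation partner that trusts this metadata would reject that host's signatures. If SP metadata must ship with the role it should be a template driven by `ansible_fqdn` and the host's certificate, or be obtained from the running SP's metadata handler rather than checked in. The contact and organisation details should come from role variables instead of one engineer's identity.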
diff --git a/roles/shibboleth-sp/tasks/main.yml b/roles/shibboleth-sp/tasks/main.yml
new file mode 100644
index 00000000..7ccef2b9
--- /dev/null
+++ b/roles/shibboleth-sp/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+- include: shibbolethPrerequisites.yml
+- include: shibbolethConfig.yml
diff --git a/roles/shibboleth-sp/tasks/shibbolethConfig.yml b/roles/shibboleth-sp/tasks/shibbolethConfig.yml
new file mode 100644
index 00000000..16ae37d4
--- /dev/null
+++ b/roles/shibboleth-sp/tasks/shibbolethConfig.yml
@@ -0,0 +1,109 @@
+---
+-
+ name: "Copying the metadata.aaf.xml and aaf-metadata-cert.pem"
+ copy: src={{ item }} dest=/etc/shibboleth/{{ item }} mode=0644
+ with_items:
+  - metadata.aaf.xml
+  - aaf-metadata-cert.pem
+- 
+  name: "Setting shibboleth2.xml sp.example.org"
+  replace: 
+  args:
+   dest: /etc/shibboleth/shibboleth2.xml 
+   regexp: sp.example.org 
+   replace: "{{ ansible_fqdn }}"
+   backup: yes
+   
+  
+- 
+  name: "Setting shibboleth2.xml handlerSSL"
+  replace: 
+  args:
+   dest: /etc/shibboleth/shibboleth2.xml 
+   regexp: 'handlerSSL="false"' 
+   replace: 'handlerSSL="true"   handlerURL="https://{{ ansible_fqdn }}/Shibboleth.sso"' 
+   
+
+- 
+  name: "Setting shibboleth2.xml supportContact"
+  replace: 
+  args:
+   dest: /etc/shibboleth/shibboleth2.xml 
+   regexp: 'supportContact="root@localhost"' 
+   replace: 'supportContact="{{ admin_email }}"'
+   
+
+- 
+  name: "Enabling MetadataProvider"
+  replace: 
+  args:
+   dest: /etc/shibboleth/shibboleth2.xml 
+   regexp: '<!-- Example of remotely supplied batch of signed metadata. -->\s+<!--\s+<MetadataProvider' 
+   replace: '<!-- Example of remotely supplied batch of signed metadata. -->\n\t<MetadataProvider'
+   
+- 
+  name: "Enabling MetadataProvider"
+  replace: 
+  args:
+   dest: /etc/shibboleth/shibboleth2.xml 
+   regexp: '</MetadataProvider>\s+-->' 
+   replace: '</MetadataProvider>'
+- 
+  name: "Setting shibboleth2.xml Federation URI"
+  replace: 
+  args:
+   dest: /etc/shibboleth/shibboleth2.xml 
+   regexp: 'uri="http://federation.org/federation-metadata.xml"' 
+   replace: 'uri="{{ aaf_federation_url }}/metadata.aaf.signed.complete.xml"'
+   
+- 
+  name: "Setting shibboleth2.xml backingFilePath"
+  replace: 
+  args:
+   dest: /etc/shibboleth/shibboleth2.xml 
+   regexp: 'backingFilePath="federation-metadata.xml"' 
+   replace: 'backingFilePath="metadata.aaf.xml"'
+   
+- 
+  name: "Setting shibboleth2.xml aaf Certificate"
+  replace: 
+  args:
+   dest: /etc/shibboleth/shibboleth2.xml 
+   regexp: 'type="Signature" certificate="fedsigner.pem"' 
+   replace: 'type="Signature" certificate="aaf-metadata-cert.pem"'
+   
+- 
+  name: "Setting shibboleth2.xml AAF Discovery URL"
+  replace: 
+  args:
+   dest: /etc/shibboleth/shibboleth2.xml 
+   regexp: 'discoveryURL="https://ds.example.org/DS/WAYF"' 
+   replace: 'discoveryURL="{{ aaf_discovery_url }}"'
+   
+- 
+  name: "Setting shibboleth2.xml Credential Resolver"
+  replace: 
+  args:
+   dest: /etc/shibboleth/shibboleth2.xml 
+   regexp: '<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>' 
+   replace: '<CredentialResolver type="File" key="{{ x509_key_file }}" certificate="{{ x509_cert_file }}"/>'
+
+-
+ name: "Templating attribute-map.xml"
+ template:
+ args:
+   src: attribute-map.xml.j2
+   dest: /etc/shibboleth/attribute-map.xml
+-
+ name: "Restarting Apache"
+ service:
+ args:
+  name: apache2
+  state: restarted
+
+-
+ name: "Restarting shibboleth"
+ service:
+ args:
+  name: shibd
+  state: restarted
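Review bot: `backingFilePath="metadata.aaf.xml"` (line 234) points the federation MetadataProvider's cache at the same path the first task copies the SP's own metadata.aaf.xml into (`/etc/shibboleth/metadata.aaf.xml`), so shibd will either load the SP's own descriptor as if it were federation metadata until the first download succeeds, or overwrite the copied file with the downloaded feed; keep the stock name `backingFilePath="federation-metadata.xml"` or pick a distinct one. The regexp on line 182 is unquoted and unescaped, so `sp.example.org` matches any character in place of the dots; write `regexp: 'sp\.example\.org'`. The ten `replace` tasks edit shibboleth2.xml by regex, including uncommenting an XML block by matching comment markers (lines 210–219) and two tasks sharing the name "Enabling MetadataProvider"; such edits silently do nothing when the packaged file's layout changes, whereas templating shibboleth2.xml makes the result reproducible. The two unconditional `service: state=restarted` tasks restart apache2 and shibd on every run; they belong in handlers triggered by `notify` on the tasks that actually change files. The CredentialResolver task hands shibd the same private key Apache uses (`{{ x509_key_file }}`), and nothing here ensures the unprivileged shibd user can read it or limits who else can; the task should be followed by a check of the key's ownership and mode, or the SP should get its own key pair.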
diff --git a/roles/shibboleth-sp/tasks/shibbolethPrerequisites.yml b/roles/shibboleth-sp/tasks/shibbolethPrerequisites.yml
new file mode 100644
index 00000000..b6bdee02
--- /dev/null
+++ b/roles/shibboleth-sp/tasks/shibbolethPrerequisites.yml
@@ -0,0 +1,12 @@
+---
+-
+ name: Install base packages - Debian
+ apt: name={{ item }} state=present
+ with_items:
+  - shibboleth-sp2-schemas 
+  - libshibsp-dev
+  - libapache2-mod-shib2
+  - opensaml2-tools
+  - xmlstarlet
+
+
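Review bot: The task is named "Install base packages - Debian" and uses `apt`, but carries no `when:` guard and main.yml includes it unconditionally, while the playbook elsewhere branches on `ansible_os_family == 'RedHat'` (buildKaraage3.x.yml line 30); on a RedHat host the role fails at its first task. Add `when: ansible_os_family == 'Debian'` to the task, or guard the include in main.yml. Line 290 has trailing whitespace after `shibboleth-sp2-schemas` and the file ends with two blank lines; both are cosmetic but yamllint flags them.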
diff --git a/roles/shibboleth-sp/templates/attribute-map.xml.j2 b/roles/shibboleth-sp/templates/attribute-map.xml.j2
new file mode 100644
index 00000000..6b8a8c85
--- /dev/null
+++ b/roles/shibboleth-sp/templates/attribute-map.xml.j2
@@ -0,0 +1,153 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
+    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
+    few exceptions for newer attributes where the name is the same for both versions. You will
+    usually want to uncomment or map the names for both SAML versions as a unit.
+    -->
+    
+    <!-- First some useful eduPerson attributes that many sites might use. -->
+    
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+
+    <!-- A persistent id attribute that supports personalized anonymous access. -->
+   <!-- First, the deprecated/incorrect version, decoded as a scoped string: -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+        <!-- <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> -->
+    </Attribute>
+
+    <!-- Second, an alternate decoder that will decode the incorrect form into the newer form. -->
+   <!--
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+    -->
+
+    <!-- Third, the new version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Fourth, the SAML 2.0 NameID Format: -->
+    <!--
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute> 
+    -->
+    
+    <!-- Some more eduPerson attributes, uncomment these to use them... -->
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+    
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+    
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+    -->
+   <!-- Added BY Shahaan -->
+	<Attribute name="urn:oid:2.5.4.3" id="commonName"/>
+	<Attribute name="urn:oid:2.5.4.4" id="sn"/>
+	<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+	<Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+	
+    <!-- Examples of LDAP-based attributes, uncomment to use these... -->
+	
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
+
+    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.12" id="title"/>
+    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+    <Attribute name="urn:oid:2.5.4.13" id="description"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.9" id="street"/>
+    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+    <Attribute name="urn:oid:2.5.4.8" id="st"/>
+    <Attribute name="urn:oid:2.5.4.7" id="l"/>
+    <Attribute name="urn:oid:2.5.4.10" id="o"/>
+    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+    -->
+
+</Attributes>
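Review bot: The template contains no Jinja expressions, so the `template` task in shibbolethConfig.yml could simply `copy` this from files/, or the file should be genuinely parameterised around the site-specific part, which is the four mappings added under "Added BY Shahaan". Those four lines (390–393) are indented with tabs while the rest of the file uses four spaces, and the attribution comment belongs in the commit rather than the file; `<!-- Site-specific attributes requested in the SP metadata -->` says what the block is for. The `id` values chosen here (`commonName`, `sn`, `mail`, `givenName`) are the names Shibboleth exposes to Apache and therefore to the application, whereas the SP metadata advertises FriendlyNames `commonName`, `email`, `surname`, `givenName`; that is not an error, but a one-line comment stating which ids the application expects would stop someone "correcting" them later.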
-- 
GitLab