From aafda754a4f57c0cedf85858c8c707e1fbc6cd48 Mon Sep 17 00:00:00 2001 From: h7x4 Date: Sat, 30 Mar 2024 05:07:25 +0100 Subject: [PATCH] rebase idp --- .../services/idp-simplesamlphp/authpwauth.php | 205 ++++++++------- .../idp-simplesamlphp/authsources.php | 11 - .../services/idp-simplesamlphp/config.php | 9 +- .../services/idp-simplesamlphp/default.nix | 234 ++++++++++++------ .../services/idp-simplesamlphp/idp.crt | 33 +++ .../idp-simplesamlphp/metadata.php.nix | 22 ++ .../idp-simplesamlphp/saml20-idp-remote.php | 23 -- 7 files changed, 337 insertions(+), 200 deletions(-) delete mode 100644 hosts/bekkalokk/services/idp-simplesamlphp/authsources.php create mode 100644 hosts/bekkalokk/services/idp-simplesamlphp/idp.crt create mode 100644 hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix delete mode 100644 hosts/bekkalokk/services/idp-simplesamlphp/saml20-idp-remote.php diff --git a/hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php b/hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php index 18fdbcc..113d809 100644 --- a/hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php +++ b/hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php 
@@ -6,110 +6,129 @@ * @author Yorn de Jong * @package simpleSAMLphp */ -class sspmod_authpwauth_Auth_Source_PwAuth extends sspmod_core_Auth_UserPassBase { - protected $pwauth_bin_path; - protected $mail_domain; +namespace SimpleSAML\Module\authpwauth\Auth\Source; - public function __construct($info, $config) { - assert('is_array($info)'); - assert('is_array($config)'); +class PwAuth extends \SimpleSAML\Module\core\Auth\UserPassBase +{ + protected $pwauth_bin_path; + protected $mail_domain; - /* Call the parent constructor first, as required by the interface. */ - parent::__construct($info, $config); + public function __construct(array $info, array &$config) { + assert('is_array($info)'); + assert('is_array($config)'); - $this->pwauth_bin_path = $config['pwauth_bin_path']; - if (array_key_exists('mail_domain', $config)) { - $this->mail_domain = '@' . ltrim($config['mail_domain'], '@'); - } - } + /* Call the parent constructor first, as required by the interface. */ + parent::__construct($info, $config); - public function login($username, $password) { - $username = strtolower( $username ); + $this->pwauth_bin_path = $config['pwauth_bin_path']; + if (array_key_exists('mail_domain', $config)) { + $this->mail_domain = '@' . ltrim($config['mail_domain'], '@'); + } + } - $handle = popen($this->pwauth_bin_path, 'w'); - if ($handle === FALSE) { - die("Error opening pipe to pwauth"); - return false; - } + public function login(string $username, string $password): array { + $username = strtolower( $username ); - $data = "$username\n$password\n"; - if (fwrite($handle, $data) !== strlen($data)) { - die("Error writing to pwauth pipe"); - return false; - } + if (!file_exists($this->pwauth_bin_path)) { + die("Could not find pwauth binary"); + return false; + } - # Is the password valid? 
- $result = pclose( $handle ); - if ($result !== 0) { - if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) { - die("pwauth returned $result for username $username"); - } - throw new SimpleSAML_Error_Error('WRONGUSERPASS'); - } -/* - $ldap = ldap_connect('129.241.210.159', 389); - ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); - ldap_start_tls($ldap); - ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh'); - $search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')'); - $entry = ldap_first_entry($ldap, $search); - $dn = ldap_get_dn($ldap, $entry); - $newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8'); - ldap_modify_batch($ldap, $dn, [ - #[ - # 'modtype' => LDAP_MODIFY_BATCH_REMOVE, - # 'attrib' => 'unicodePwd', - # 'values' => [$password], - #], - [ - #'modtype' => LDAP_MODIFY_BATCH_ADD, - 'modtype' => LDAP_MODIFY_BATCH_REPLACE, - 'attrib' => 'unicodePwd', - 'values' => [$newpassword], - ], - ]); -*/ + if (!is_executable($this->pwauth_bin_path)) { + die("pwauth binary is not executable"); + return false; + } - #0 - Login OK. - #1 - Nonexistant login or (for some configurations) incorrect password. - #2 - Incorrect password (for some configurations). - #3 - Uid number is below MIN_UNIX_UID value configured in config.h. - #4 - Login ID has expired. - #5 - Login's password has expired. - #6 - Logins to system have been turned off (usually by /etc/nologin file). - #7 - Limit on number of bad logins exceeded. - #50 - pwauth was not run with real uid SERVER_UID. If you get this - # this error code, you probably have SERVER_UID set incorrectly - # in pwauth's config.h file. - #51 - pwauth was not given a login & password to check. The means - # the passing of data from mod_auth_external to pwauth is messed - # up. Most likely one is trying to pass data via environment - # variables, while the other is trying to pass data via a pipe. 
- #52 - one of several possible internal errors occured. + $handle = popen($this->pwauth_bin_path, 'w'); + if ($handle === FALSE) { + die("Error opening pipe to pwauth"); + return false; + } + + $data = "$username\n$password\n"; + if (fwrite($handle, $data) !== strlen($data)) { + die("Error writing to pwauth pipe"); + return false; + } + + # Is the password valid? + $result = pclose( $handle ); + if ($result !== 0) { + if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) { + die("pwauth returned $result for username $username"); + } + throw new \SimpleSAML\Error\Error('WRONGUSERPASS'); + } + /* + $ldap = ldap_connect('129.241.210.159', 389); + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_start_tls($ldap); + ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh'); + $search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')'); + $entry = ldap_first_entry($ldap, $search); + $dn = ldap_get_dn($ldap, $entry); + $newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8'); + ldap_modify_batch($ldap, $dn, [ + #[ + # 'modtype' => LDAP_MODIFY_BATCH_REMOVE, + # 'attrib' => 'unicodePwd', + # 'values' => [$password], + #], + [ + #'modtype' => LDAP_MODIFY_BATCH_ADD, + 'modtype' => LDAP_MODIFY_BATCH_REPLACE, + 'attrib' => 'unicodePwd', + 'values' => [$newpassword], + ], + ]); + */ + + #0 - Login OK. + #1 - Nonexistant login or (for some configurations) incorrect password. + #2 - Incorrect password (for some configurations). + #3 - Uid number is below MIN_UNIX_UID value configured in config.h. + #4 - Login ID has expired. + #5 - Login's password has expired. + #6 - Logins to system have been turned off (usually by /etc/nologin file). + #7 - Limit on number of bad logins exceeded. + #50 - pwauth was not run with real uid SERVER_UID. If you get this + # this error code, you probably have SERVER_UID set incorrectly + # in pwauth's config.h file. 
+ #51 - pwauth was not given a login & password to check. The means + # the passing of data from mod_auth_external to pwauth is messed + # up. Most likely one is trying to pass data via environment + # variables, while the other is trying to pass data via a pipe. + #52 - one of several possible internal errors occured. - $uid = $username; - $cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1')); + $uid = $username; + # TODO: Reinstate this code once passwd is working... + /* + $cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1')); - $groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid))); - array_shift($groups); - array_shift($groups); - array_pop($groups); + $groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid))); + array_shift($groups); + array_shift($groups); + array_pop($groups); + + $info = posix_getpwnam($uid); + $group = $info['gid']; + if (!in_array($group, $groups)) { + $groups[] = $group; + } + */ + $cn = "Unknown McUnknown"; + $groups = array(); - $info = posix_getpwnam($uid); - $group = $info['gid']; - if (!in_array($group, $groups)) { - $groups[] = $group; - } - $result = array( - 'uid' => array($uid), - 'cn' => array($cn), - 'group' => $groups, - ); - if (isset($this->mail_domain)) { - $result['mail'] = array($uid.$this->mail_domain); - } - return $result; - } + $result = array( + 'uid' => array($uid), + 'cn' => array($cn), + 'group' => $groups, + ); + if (isset($this->mail_domain)) { + $result['mail'] = array($uid.$this->mail_domain); + } + return $result; + } } diff --git a/hosts/bekkalokk/services/idp-simplesamlphp/authsources.php b/hosts/bekkalokk/services/idp-simplesamlphp/authsources.php deleted file mode 100644 index 97625f4..0000000 --- a/hosts/bekkalokk/services/idp-simplesamlphp/authsources.php +++ /dev/null 
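Review bot: The five `die("...")` calls in `login()` (missing binary, non-executable binary, `popen` failure, short `fwrite`, unexpected pwauth exit code) print their message straight into the HTTP response and stop the request before SimpleSAMLphp's own error handling runs, and the last one echoes the submitted username back to the browser; now that the method is typed `: array`, the `return false;` after each `die` is both unreachable and a return-type violation. Replace each pair with an exception the framework renders, e.g. `throw new \SimpleSAML\Error\Exception('Could not find pwauth binary');`, and for the exit-code case log the code and username with `\SimpleSAML\Logger::error()` before throwing rather than putting them in the message. The commented-out LDAP block that the hunk carries over still contains a plaintext bind password for the `passordendrer@pvv.ntnu.no` account; delete the block and treat that credential as exposed, since it stays in repository history regardless. The string-form `assert('is_array($info)')` / `assert('is_array($config)')` calls are no-ops on PHP 8 and redundant with the `array` parameter types, so they can go.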
@@ -1,11 +0,0 @@ - array( - 'saml:SP', - # 'entityID' => 'https://wiki.pvv.ntnu.no/', - 'entityID' => 'https://bekkalokk.pvv.ntnu.no/', - 'idp' => 'https://idp.pvv.ntnu.no/', - ), -); diff --git a/hosts/bekkalokk/services/idp-simplesamlphp/config.php b/hosts/bekkalokk/services/idp-simplesamlphp/config.php index ae6d6e2..2e0e2ea 100644 --- a/hosts/bekkalokk/services/idp-simplesamlphp/config.php +++ b/hosts/bekkalokk/services/idp-simplesamlphp/config.php @@ -31,7 +31,7 @@ $config = [ * external url, no matter where you come from (direct access or via the * reverse proxy). */ - 'baseurlpath' => 'simplesaml/', + 'baseurlpath' => '/', /* * The 'application' configuration array groups a set configuration options @@ -66,7 +66,7 @@ $config = [ * When specified as a relative path, this is relative to the SimpleSAMLphp * root directory. */ - 'cachedir' => '/var/cache/mediawiki/simplesamlphp', + 'cachedir' => '$CACHE_DIRECTORY', //'loggingdir' => '/var/log/', //'datadir' => '/var/data/', @@ -532,7 +532,7 @@ $config = [ * one of the functionalities below, but in some cases you could run multiple functionalities. * In example when you are setting up a federation bridge. */ - 'enable.saml20-idp' => false, + 'enable.saml20-idp' => true, 'enable.adfs-idp' => false, @@ -555,6 +555,7 @@ $config = [ 'module.enable' => [ 'admin' => true, + 'authpwauth' => true, ], @@ -1194,7 +1195,7 @@ $config = [ * See http://www.php.net/manual/en/pdo.drivers.php for the various * syntaxes. */ - 'store.sql.dsn' => 'sqlite:/var/lib/mediawiki/simplesamlphp.sqlite3', + 'store.sql.dsn' => 'sqlite:$STATE_DIRECTORY/simplesamlphp.sqlite3', /* * The username and password to use when connecting to the database. diff --git a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix index 0a96710..ec031f0 100644 --- a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix +++ b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix 
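Review bot: The new `'cachedir' => '$CACHE_DIRECTORY'` and `'store.sql.dsn' => 'sqlite:$STATE_DIRECTORY/simplesamlphp.sqlite3'` values are single-quoted, so PHP never expands them; they only become real paths because `default.nix` rewrites them with `substituteInPlace`, and if that substitution were ever skipped SimpleSAMLphp would presumably try to use a literal `$CACHE_DIRECTORY` directory relative to its root. A comment above each placeholder would make the build-time dependency visible to the next reader, e.g. `// Build-time placeholder, replaced by substituteInPlace in default.nix; not a PHP variable.`. Both entries sit inside `$config = [ ... ]`, which opens before and closes after these hunks.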
@@ -2,6 +2,7 @@ let pwAuthScript = pkgs.writeShellApplication { name = "pwauth"; + runtimeInputs = with pkgs; [ coreutils heimdal ]; text = '' read -r user1 user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')" 
@@ -10,86 +11,181 @@ let read -r _ exit 2 fi - ${pkgs.heimdal}/bin/kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null + # kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null + kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" ''; }; - package = (pkgs.simplesamlphp.override { - authsourcesFile = pkgs.writeText "idp-authsources.php" '' - array( - 'authpwauth:PwAuth', - 'pwauth_bin_path' => '${pwAuthScript}/bin/pwauth', - 'mail_domain' => '@pvv.ntnu.no', - ), - ); - ''; - saml20-idp-remoteFile = pkgs.writeText "saml20-idp-remote.php" ''''; - configFile = pkgs.runCommandLocal "simplesamlphp-config.php" { } '' - cp ${./config.php} "$out" + package = pkgs.simplesamlphp.override { + extra_files = { + # NOTE: Using self signed certificate created 30. march 2024, with command: + # openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem + "metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" '' + '__DEFAULT__', + 'privatekey' => '${config.sops.secrets."idp/privatekey".path}', + 'certificate' => '${./idp.crt}', + 'auth' => 'pwauth', + ); + ?> + ''; - substituteInPlace "$out" \ - --replace '$SAML_COOKIE_SECURE' 'true' \ - --replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \ - --replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \ - --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' - ''; - }).overrideAttrs (prev: { - postInstall = prev.postInstall + '' - install -Dm444 "${./authpwauth.php}" $out/share/php/simplesamlphp/modules/authpwauth/lib/Auth/Source/PwAuth.php - ''; - }); -in -{ - users.groups."idp" = { }; - users.users."idp" = { - description = "PVV Identity Provider Service User"; - group = "idp"; - createHome = false; - isSystemUser = true; - }; + "metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" '' + [ + [ + 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', + 'Location' => 
'${url}module.php/saml/sp/saml2-logout.php/default-sp', + ], + [ + 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP', + 'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp', + ], + ], + 'AssertionConsumerService' => [ + [ + 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', + 'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp', + 'index' => 0, + ], + [ + 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact', + 'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp', + 'index' => 1, + ], + ], + ]; + '')) + (lib.concatStringsSep "\n") + ]} + ?> + ''; - services.phpfpm.pools.idp = { - user = "idp"; - group = "idp"; - settings = let - listenUser = config.services.nginx.user; - listenGroup = config.services.nginx.group; - in { - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.max_requests" = 500; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 4; - "listen.owner" = listenUser; - "listen.group" = listenGroup; + "config/authsources.php" = pkgs.writeText "idp-authsources.php" '' + array( + 'core:AdminPassword' + ), + 'pwauth' => array( + 'authpwauth:PwAuth', + 'pwauth_bin_path' => '${lib.getExe pwAuthScript}', + 'mail_domain' => '@pvv.ntnu.no', + ), + ); + ?> + ''; - "catch_workers_output" = true; - "php_admin_flag[log_errors]" = true; - # "php_admin_value[error_log]" = "stderr"; + "config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } '' + cp ${./config.php} "$out" + + substituteInPlace "$out" \ + --replace '$SAML_COOKIE_SECURE' 'true' \ + --replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \ + --replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \ + --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \ + --replace '$STATE_DIRECTORY' '/var/lib/idp' \ + --replace '$CACHE_DIRECTORY' '/var/cache/idp' + ''; + + "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php; }; }; +in +{ + options.services.idp.sp-remote-metadata = lib.mkOption 
{ + type = with lib.types; listOf str; + default = [ ]; + description = '' + List of urls point to (simplesamlphp) service profiders, which the idp should trust. - services.nginx.virtualHosts."idp2.pvv.ntnu.no" = { - forceSSL = true; - enableACME = true; - root = "${package}/share/php/simplesamlphp/public"; - locations = { - "/".index = "index.php"; + :::{.note} + Make sure the url ends with a `/` + ::: + ''; + }; - # fastcgi_split_path_info ^(.+\.php)(/.+)$; - "~ /(.+\\.php)" = { - extraConfig = '' - fastcgi_index index.php; - fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket}; - include ${pkgs.nginx}/conf/fastcgi_params; - include ${pkgs.nginx}/conf/fastcgi.conf; + config = { + sops.secrets = { + "idp/certificate" = { + owner = "idp"; + group = "idp"; + mode = "0770"; + }; + "idp/privatekey" = { + owner = "idp"; + group = "idp"; + mode = "0770"; + }; + }; - fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$request_filename; - fastcgi_param SCRIPT_NAME $request_filename; - ''; + users.groups."idp" = { }; + users.users."idp" = { + description = "PVV Identity Provider Service User"; + group = "idp"; + createHome = false; + isSystemUser = true; + }; + + systemd.tmpfiles.settings."10-idp" = { + "/var/cache/idp".d = { + user = "idp"; + group = "idp"; + mode = "0770"; + }; + "/var/lib/idp".d = { + user = "idp"; + group = "idp"; + mode = "0770"; + }; + }; + + services.phpfpm.pools.idp = { + user = "idp"; + group = "idp"; + settings = let + listenUser = config.services.nginx.user; + listenGroup = config.services.nginx.group; + in { + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 4; + "listen.owner" = listenUser; + "listen.group" = listenGroup; + + "catch_workers_output" = true; + "php_admin_flag[log_errors]" = true; + # "php_admin_value[error_log]" = "stderr"; + }; + }; + + services.nginx.virtualHosts."idp2.pvv.ntnu.no" = { + 
forceSSL = true; + enableACME = true; + root = "${package}/share/php/simplesamlphp/public"; + locations = { + # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx + "/" = { + alias = "${package}/share/php/simplesamlphp/public/"; + index = "index.php"; + + extraConfig = '' + location ~ ^/(?.+?\.php)(?/.*)?$ { + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket}; + fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$phpfile; + fastcgi_param SCRIPT_NAME /$phpfile; + fastcgi_param PATH_INFO $pathinfo if_not_empty; + } + ''; + }; }; }; }; diff --git a/hosts/bekkalokk/services/idp-simplesamlphp/idp.crt b/hosts/bekkalokk/services/idp-simplesamlphp/idp.crt new file mode 100644 index 0000000..7a85445 --- /dev/null +++ b/hosts/bekkalokk/services/idp-simplesamlphp/idp.crt 
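Review bot: The `substituteInPlace` block under `"config/config.php"` bakes `$SAML_COOKIE_SALT` and `$SAML_ADMIN_PASSWORD` in as the literal strings `"asdfasdfasjdf"` and `"asdfasdfasdf"`, and because `runCommandLocal` executes at build time the result is a world-readable file in the Nix store; with `'admin' => array('core:AdminPassword')` now enabled in `authsources.php`, that string is the live admin login. Keep `config.php` as a template and fill those two values at service start from sops-managed files, the way `idp/privatekey` is already referenced through `config.sops.secrets`, instead of inside the derivation. The `idp/certificate` and `idp/privatekey` secrets are declared with `mode = "0770"`; a key file needs neither the execute bit nor group write, so `mode = "0400";` (or `"0440"` if another account must read it) is the safer setting. The pwauth script now runs `kinit` without the former `>/dev/null 2>/dev/null`, so kinit diagnostics flow to the php-fpm worker's stdout/stderr, and where they end up depends on `catch_workers_output`; if that is meant as debug output it should be logged deliberately. The `let` block that defines `pwAuthScript` begins before this hunk.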
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFqTCCA5GgAwIBAgIUL2+PMM9rE9wI5W2yNnJ2CmfGxh0wDQYJKoZIhvcNAQEL
+BQAwZDELMAkGA1UEBhMCTk8xEzARBgNVBAgMClNvbWUtU3RhdGUxHjAcBgNVBAoM
+FVByb2dyYW12YXJldmVya3N0ZWRldDEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2
+Lm50bnUubm8wHhcNMjQwMzMwMDAyNjQ0WhcNMjUwMzMwMDAyNjQ0WjBkMQswCQYD
+VQQGEwJOTzETMBEGA1UECAwKU29tZS1TdGF0ZTEeMBwGA1UECgwVUHJvZ3JhbXZh
+cmV2ZXJrc3RlZGV0MSAwHgYJKoZIhvcNAQkBFhFkcmlmdEBwdnYubnRudS5ubzCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/0l0jdV+PoVxdd21F+2NLm
+JN6sZmSJexOSk/sFjhhF4WMtjOfDAQYjt3hlLPyYl//jCe9WteavvtdCx1tHJitd
+xjOUJ/leVjHzBttCVZR+iTlQtpsZ2TbRMJ5Fcfl82njlPecV4umJvnnFXawE4Qee
+dE2OM8ODjjrK1cNaHR74tyZCwmdOxNHXZ7RN22p9kZjLD18LQyNr5igaDBeaZkyk
+Gxbg4tbP51x9JFRLF7kUlyAc83geFnw6v/wBahr49m/X4y7xE0rdPb2L0moUjmOO
+Zyl3hvxMI3+g/0FVMM5eKmfIIP2rIVEAa6MWMx0vPjC6h2fIyxkUqg5C8aFlpqav
++8f2rUc+JfdiFsIZNrylBXsleGzS+/wY1uB/pAy5Vg9WCp+eC75EtWMt0k2f442G
+rhKa3lAZ6GIYrtEiQiNGM1aT1Cs1nqTtslfnHiuAKBefLjCXgq9uvL2yRodwe9/m
+oZiqYnLHy/v1xfnF5rKTcRmOleU3tc+nlN6tZSGC1nZgMpqpoqdcbJXAkvaJ2Km4
+sl0YS28VQnztgzuVPNdnv8lcS6HmkaGaNWbepKgWeaH5oT7O6u99wZIv88m+tf5m
+Eu197YVpcclnojQCYKauWcQFsXS20egsVP87Qk0e2SHmGTUQp6YEYX6RLjkg7/vS
+BelDBbCldraNVEiC0jmpAgMBAAGjUzBRMB0GA1UdDgQWBBSL0yofG5NEmzFIRuqC
+xmyiuZW6DTAfBgNVHSMEGDAWgBSL0yofG5NEmzFIRuqCxmyiuZW6DTAPBgNVHRMB
+Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAZZVs7BLk/NLq3f4Ik8qH3IoDN
+2m4XXRZS+xxw5RwctgSnik7AffgAfv8QQm2co8UYkHbB0whaG1PDz+L7wB1hVkWn
+DVUaJcKQnn0x+sNU5LoTbjI0PlaST7PO5D0OMFab8FSNxpzzpbUcgZUhelc99Ri/
+2Gh8mf4b3Y3Uzq6YKFsuFM65OuJhH8f1w6onai9x28t6tERHUSUfJ2keXzU4ytCV
+EitWXwhe759VLqmdP4BATwlCOCuwa5aDeGcWRIqFpYIn0SOAmVV3o4V71JdZc1jE
+fuOo/PbiHZ+R9ZGbh98aMidb0moL1ZDhmir9KbedezNyki6JJ72mVclhLqUajFxr
+T39FXd5e2+QBMHPPhVFznQoHWnHEbZigTt61b0cg/TsxaxOkF4Ilmr/2DmSWysWK
+TF5eq8hp6/53qVbXXSzrCjxd3wzGnRabsEVPX/L2hYDx81hluovJQCtskqTq1joI
+W2R7AO5Sdyc6NfOR85kl0HXzHa+0Slsf8ZDs5nCz/mOOPoAGl7IxF7xQ6kPO7V+U
+HdGE2tkblM/TrAObJH0HXySeJGI7Vfya+D1Y8IqGtyZtWyx1DmlA/OezGGf5D3rG
+88LywHQQ2mQ+8aosBTE4+HQ+apLKZBprqQKuiDjT1RSUbfUHQkYuL+D1oIVmklAc +UxTpf01QJnZkMqf5NQ== +-----END CERTIFICATE----- diff --git a/hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix b/hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix new file mode 100644 index 0000000..ff4ed34 --- /dev/null +++ b/hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix @@ -0,0 +1,22 @@ +'' + 'saml20-idp-hosted', + 'entityid' => 'https://idp2.pvv.ntnu.no/', + 'SingleSignOnService' => [ + [ + 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', + 'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService', + ], + ], + 'SingleLogoutService' => [ + [ + 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', + 'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout', + ], + ], + 'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ], + 'certificate' => '${./idp.crt}', + ]; + ?> +'' diff --git a/hosts/bekkalokk/services/idp-simplesamlphp/saml20-idp-remote.php b/hosts/bekkalokk/services/idp-simplesamlphp/saml20-idp-remote.php deleted file mode 100644 index 5b9254d..0000000 --- a/hosts/bekkalokk/services/idp-simplesamlphp/saml20-idp-remote.php +++ /dev/null @@ -1,23 +0,0 @@ - 'saml20-idp-remote', - 'entityid' => 'https://idp.pvv.ntnu.no/', - 'SingleSignOnService' => - array ( - 0 => - array ( - 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', - 'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php', - ), - ), - 'SingleLogoutService' => - array ( - 0 => - array ( - 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', - 'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php', - ), - ), - 'certData' => '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', - 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient', -);
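Review bot: `metadata.php.nix` is added, but nothing in this patch imports it; `default.nix` builds the `saml20-idp-hosted` entry inline under `extra_files`, and the two definitions disagree (this file sets `entityid`, `SingleSignOnService`, `SingleLogoutService` and `NameIDFormat`, while the inline one sets `'host' => '__DEFAULT__'`, `privatekey` and `auth`). Either wire it in from `default.nix` (`import ./metadata.php.nix`) or drop it, so the hosted-IdP metadata has one source of truth. If this file is the intended one, it lists only `certificate` and no `privatekey` or `auth`, which SimpleSAMLphp's hosted-IdP metadata normally needs to sign assertions and select the authsource. The `idp.crt` it references was, per the comment in `default.nix`, generated self-signed with `-days 365` on 30 March 2024, so a reminder next to the `certificate` line would help, e.g. `# idp.crt is self-signed and expires one year after 2024-03-30; regenerate and update this entry before then.`.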