WIP: bekkalokk: init mediawiki

Co-authored-by: Jørn Åne <yorinad@pvv.ntnu.no>

flake.nix

@@ -83,6 +83,7 @@
               autoreconfHook = final.buildPackages.autoreconfHook269;
 	    };
             mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
+            simplesamlphp = final.callPackage ./packages/simplesamlphp { };
           })
         ];
       };

hosts/bekkalokk/configuration.nix

@@ -14,7 +14,8 @@
     ./services/gitea/default.nix
     ./services/kerberos
     ./services/webmail
-    # ./services/mediawiki.nix
+    ./services/mediawiki
+    ./services/idp-simplesamlphp
   ];
 
   sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;

hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php

@@ -0,0 +1,115 @@
+<?php
+
+/**
+ * Authenticate using HTTP login.
+ *
+ * @author Yorn de Jong
+ * @package simpleSAMLphp
+ */
+class sspmod_authpwauth_Auth_Source_PwAuth extends sspmod_core_Auth_UserPassBase {
+
+        protected $pwauth_bin_path;
+        protected $mail_domain;
+
+        public function __construct($info, $config) {
+                assert('is_array($info)');
+                assert('is_array($config)');
+
+                /* Call the parent constructor first, as required by the interface. */
+                parent::__construct($info, $config);
+
+                $this->pwauth_bin_path = $config['pwauth_bin_path'];
+                if (array_key_exists('mail_domain', $config)) {
+                        $this->mail_domain = '@' . ltrim($config['mail_domain'], '@');
+                }
+        }
+
+        public function login($username, $password) {
+                $username = strtolower( $username );
+
+                $handle = popen($this->pwauth_bin_path, 'w');
+                if ($handle === FALSE) {
+                        die("Error opening pipe to pwauth");
+                        return false;
+                }
+
+                $data = "$username\n$password\n";
+                if (fwrite($handle, $data) !== strlen($data)) {
+                        die("Error writing to pwauth pipe");
+                        return false;
+                }
+
+                # Is the password valid?
+                $result = pclose( $handle );
+                if ($result !== 0) {
+                        if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) {
+                                die("pwauth returned $result for username $username");
+                        }
+                        throw new SimpleSAML_Error_Error('WRONGUSERPASS');
+                }
+/*
+                $ldap = ldap_connect('129.241.210.159', 389);
+                ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+                ldap_start_tls($ldap);
+                ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh');
+                $search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')');
+                $entry = ldap_first_entry($ldap, $search);
+                $dn = ldap_get_dn($ldap, $entry);
+                $newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8');
+                ldap_modify_batch($ldap, $dn, [
+                        #[
+                        #       'modtype' => LDAP_MODIFY_BATCH_REMOVE,
+                        #       'attrib' => 'unicodePwd',
+                        #       'values' => [$password],
+                        #],
+                        [
+                                #'modtype' => LDAP_MODIFY_BATCH_ADD,
+                                'modtype' => LDAP_MODIFY_BATCH_REPLACE,
+                                'attrib' => 'unicodePwd',
+                                'values' => [$newpassword],
+                        ],
+                ]);
+*/
+
+                #0  -  Login OK.
+                #1  -  Nonexistant login or (for some configurations) incorrect password.
+                #2  -  Incorrect password (for some configurations).
+                #3  -  Uid number is below MIN_UNIX_UID value configured in config.h.
+                #4  -  Login ID has expired.
+                #5  -  Login's password has expired.
+                #6  -  Logins to system have been turned off (usually by /etc/nologin file).
+                #7  -  Limit on number of bad logins exceeded.
+                #50 -  pwauth was not run with real uid SERVER_UID.  If you get this
+                #      this error code, you probably have SERVER_UID set incorrectly
+                #      in pwauth's config.h file.
+                #51 -  pwauth was not given a login & password to check.  The means
+                #      the passing of data from mod_auth_external to pwauth is messed
+                #      up.  Most likely one is trying to pass data via environment
+                #      variables, while the other is trying to pass data via a pipe.
+                #52 -  one of several possible internal errors occured.
+
+
+                $uid = $username;
+                $cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1'));
+
+                $groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid)));
+                array_shift($groups);
+                array_shift($groups);
+                array_pop($groups);
+
+                $info = posix_getpwnam($uid);
+                $group = $info['gid'];
+                if (!in_array($group, $groups)) {
+                        $groups[] = $group;
+                }
+                $result = array(
+                        'uid' => array($uid),
+                        'cn' => array($cn),
+                        'group' => $groups,
+                );
+                if (isset($this->mail_domain)) {
+                        $result['mail'] = array($uid.$this->mail_domain);
+                }
+                return $result;
+        }
+}

hosts/bekkalokk/services/idp-simplesamlphp/authsources.php

@@ -0,0 +1,11 @@
+<?php
+$config = array(
+
+    /* This is the name of this authentication source, and will be used to access it later. */
+    'default-sp' => array(
+        'saml:SP',
+        # 'entityID' => 'https://wiki.pvv.ntnu.no/',
+        'entityID' => 'https://bekkalokk.pvv.ntnu.no/',
+        'idp' => 'https://idp.pvv.ntnu.no/',
+    ),
+);

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -0,0 +1,96 @@
+{ config, pkgs, lib, ... }:
+let
+  pwAuthScript = pkgs.writeShellApplication {
+    name = "pwauth";
+    text = ''
+      read -r user1
+      user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
+      if test "$user1" != "$user2"
+      then
+        read -r _
+        exit 2
+      fi
+      ${pkgs.heimdal}/bin/kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
+    '';
+  };
+
+  package = (pkgs.simplesamlphp.override {
+    authsourcesFile = pkgs.writeText "idp-authsources.php" ''
+      <?php
+      $config = array(
+        'pwauth' => array(
+           'authpwauth:PwAuth',
+           'pwauth_bin_path' => '${pwAuthScript}/bin/pwauth',
+           'mail_domain' => '@pvv.ntnu.no',
+        ),
+      );
+    '';
+    saml20-idp-remoteFile = pkgs.writeText "saml20-idp-remote.php" '''';
+    configFile = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
+      cp ${./config.php} "$out"
+
+      substituteInPlace "$out" \
+        --replace '$SAML_COOKIE_SECURE' 'true' \
+        --replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
+        --replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
+        --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )'
+    '';
+  }).overrideAttrs (prev: {
+    postInstall = prev.postInstall + ''
+      install -Dm444 "${./authpwauth.php}" $out/share/php/simplesamlphp/modules/authpwauth/lib/Auth/Source/PwAuth.php
+    '';
+  });
+in
+{
+  users.groups."idp" = { };
+  users.users."idp" = {
+    description = "PVV Identity Provider Service User";
+    group = "idp";
+    createHome = false;
+    isSystemUser = true;
+  };
+
+  services.phpfpm.pools.idp = {
+    user = "idp";
+    group = "idp";
+    settings = let
+      listenUser = config.services.nginx.user;
+      listenGroup = config.services.nginx.group;
+    in {
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.max_requests" = 500;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 4;
+      "listen.owner" = listenUser;
+      "listen.group" = listenGroup;
+
+      "catch_workers_output" = true;
+      "php_admin_flag[log_errors]" = true;
+      # "php_admin_value[error_log]" = "stderr";
+    };
+  };
+
+  services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
+    forceSSL = true;
+    enableACME = true;
+    root = "${package}/share/php/simplesamlphp/public";
+    locations =  {
+      "/".index = "index.php";
+
+      # fastcgi_split_path_info ^(.+\.php)(/.+)$;
+      "~ /(.+\\.php)" = {
+        extraConfig = ''
+          fastcgi_index index.php;
+          fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          include ${pkgs.nginx}/conf/fastcgi.conf;
+
+          fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$request_filename;
+          fastcgi_param SCRIPT_NAME $request_filename;
+        '';
+      };
+    };
+  };
+}

hosts/bekkalokk/services/idp-simplesamlphp/saml20-idp-remote.php

@@ -0,0 +1,23 @@
+<?php
+$metadata['https://idp.pvv.ntnu.no/'] = array (
+  'metadata-set' => 'saml20-idp-remote',
+  'entityid' => 'https://idp.pvv.ntnu.no/',
+  'SingleSignOnService' => 
+  array (
+    0 => 
+    array (
+      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+      'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php',
+    ),
+  ),
+  'SingleLogoutService' => 
+  array (
+    0 => 
+    array (
+      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+      'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php',
+    ),
+  ),
+  'certData' => 'MIIDpTCCAo2gAwIBAgIJAJIgibrB7NvsMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAk5PMR4wHAYDVQQKDBVQcm9ncmFtdmFyZXZlcmtzdGVkZXQxGDAWBgNVBAMMD2lkcC5wdnYubnRudS5ubzEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2Lm50bnUubm8wHhcNMTcxMTEzMjI0NTQyWhcNMjcxMTEzMjI0NTQyWjBpMQswCQYDVQQGEwJOTzEeMBwGA1UECgwVUHJvZ3JhbXZhcmV2ZXJrc3RlZGV0MRgwFgYDVQQDDA9pZHAucHZ2Lm50bnUubm8xIDAeBgkqhkiG9w0BCQEWEWRyaWZ0QHB2di5udG51Lm5vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAveLujCsgVCRA360y5yezy8FcSPhaqodggDqY12UTkYOMQLBFaph6uUL4oCUlXZqxScrAYVRt9yw+7BYpcm0p51VZzVCsfMxRVkn+O1eUvsaXq3f13f87QHKYP2f0uqkGf5PvnKIdSaI/ix8WJhD8XT+h0OkHEcaBvUtSG7zbEhvG21WPHwgw2rvZSneArQ8tOitZC0u8VXSfdhtf6ynRseo0xC95634UwQAZivhQ2v4A6Tp57QG5DCXIJ9/z3PkINx3KB/hOeh0EP6Dpbp+7V0/t9778E3whpm4llrH144kzROhA7EgUgkZOjAVjxGCYlcj3xQPnnItihVOZ5B5qLwIDAQABo1AwTjAdBgNVHQ4EFgQUPLhrB+Qb/Kzz7Car9GJkKmEkz6swHwYDVR0jBBgwFoAUPLhrB+Qb/Kzz7Car9GJkKmEkz6swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAd+4E6t0j8/p8rbZE8y/gZ9GsiRhxkR4l6JbMRUfEpqHKi415qstChRcP2Lo3Yd5qdmj9tLDWoPsqet1QgyTTmQTgUmPhhMOQDqSh90LuqEJseKWafXGS/SfWLH6MWVmzDV5YofJEw2ThPiU58GiS06OLS2poq1eAesa2LQ22J8yYisXM4sxImIFte+LYQ1+1evfBWcvU1vrGsQ0VLJHdef9WoXp1swUFhq4Zk0c7gjHiB1CFVlExAAlk9L6W3CVXmKIYlf4eUnEBGkC061Ir42+uhAMWO9Y/L1NEuboTyd2KAI/6JdKdzpmfk7zPVxWlNxNCZ7OPNuvOKp6VlpB2EA==',
+  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+);

hosts/bekkalokk/services/mediawiki/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, lib, config, values, ... }: let
+{ pkgs, lib, config, values, pkgs-unstable, ... }: let
   cfg = config.services.mediawiki;
 
   # "mediawiki"
@@ -6,6 +6,20 @@
 
   # "mediawiki"
   group = config.users.users.${user}.group;
+
+  simplesamlphp = pkgs.simplesamlphp.override {
+    authsourcesFile = ./simplesamlphp/authsources.php;
+    saml20-idp-remoteFile = ./simplesamlphp/saml20-idp-remote.php;
+    configFile = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
+      cp ${./simplesamlphp/config.php} "$out"
+
+      substituteInPlace "$out" \
+        --replace '$SAML_COOKIE_SECURE' 'true' \
+        --replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
+        --replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
+        --replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )'
+    '';
+  };
 in {
   sops.secrets = {
     "mediawiki/password" = {
@@ -13,7 +27,7 @@ in {
       owner = user;
       group = group;
     };
-    "keys/postgres/mediawiki" = {
+    "mediawiki/database" = {
       restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
       owner = user;
       group = group;
@@ -30,7 +44,7 @@ in {
       type = "postgres";
       host = "postgres.pvv.ntnu.no";
       port = config.services.postgresql.port;
-      passwordFile = config.sops.secrets."keys/postgres/mediawiki".path;
+      passwordFile = config.sops.secrets."mediawiki/database".path;
       createLocally = false;
       # TODO: create a normal database and copy over old data when the service is production ready
       name = "mediawiki_test";
@@ -51,10 +65,12 @@ in {
       "pm.max_spare_servers" = 4;
       "listen.owner" = listenUser;
       "listen.group" = listenGroup;
-      "php_admin_value[error_log]" = "stderr";
-      "php_admin_flag[log_errors]" = "on";
       "env[PATH]" = lib.makeBinPath [ pkgs.php ];
+
       "catch_workers_output" = true;
+      "php_admin_flag[log_errors]" = true;
+      # "php_admin_value[error_log]" = "stderr";
+
       # to accept *.html file
       "security.limit_extensions" = "";
     };
@@ -63,35 +79,8 @@ in {
       inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
     };
 
-    extraConfig = let
-
-      SimpleSAMLphpRepo = pkgs.stdenvNoCC.mkDerivation rec {
-        pname = "configuredSimpleSAML";
-	version = "2.0.4";
-        src = pkgs.fetchzip {
-          url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
-          sha256 = "sha256-pfMV/VmqqxgtG7Nx4s8MW4tWSaxOkVPtCRJwxV6RDSE=";
-        };
-
-	buildPhase = ''
-          cat > config/authsources.php << EOF
-          <?php
-          $config = array(
-            'default-sp' => array(
-              'saml:SP',
-              'idp' => 'https://idp.pvv.ntnu.no/',
-            ),
-          );
-	  EOF
-	'';
-
-	installPhase = ''
-	  cp -r . $out
-	'';
-      };
-
-    in ''
-      $wgServer = "https://bekkalokk.pvv.ntnu.no";
+    extraConfig = ''
+      $wgServer = "https://wiki2.pvv.ntnu.no";
       $wgLocaltimezone = "Europe/Oslo";
 
       # Only allow login through SSO
@@ -116,17 +105,36 @@ in {
       $wgLocalInterwiki = $wgSitename;
 
       # SimpleSAML
-      $wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}";
+      $wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
       $wgSimpleSAMLphp_AuthSourceId = "default-sp";
       $wgSimpleSAMLphp_RealNameAttribute = "cn";
       $wgSimpleSAMLphp_EmailAttribute = "mail";
       $wgSimpleSAMLphp_UsernameAttribute = "uid";
 
+      $wgPluggableAuth_Config['Log in using my SAML'] = [
+        'plugin' => 'SimpleSAMLphp',
+        'data' => [
+          'authSourceId' => 'default-sp',
+        ]
+      ];
+
       # Fix https://github.com/NixOS/nixpkgs/issues/183097
       $wgDBserver = "${toString cfg.database.host}";
     '';
   };
 
+          # 'usernameAttribute' => 'username',
+          # 'realNameAttribute' => 'name',
+          # 'emailAttribute' => 'email'
+
+  # Cache directory for simplesamlphp
+  # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
+  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp/core".d = {
+    user = "mediawiki";
+    group = "mediawiki";
+    mode = "0770";
+  };
+
   # Override because of https://github.com/NixOS/nixpkgs/issues/183097
   systemd.services.mediawiki-init.script = let
     # According to module
@@ -157,4 +165,60 @@ in {
 
     ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
   '';
+
+  services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {
+    forceSSL = true;
+    enableACME = true;
+    root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
+    locations =  {
+      "/" = {
+	index = "index.php";
+      };
+
+      "~ /(.+\\.php)" = {
+        extraConfig = ''
+          fastcgi_split_path_info ^(.+\.php)(/.+)$;
+          fastcgi_index index.php;
+          fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          include ${pkgs.nginx}/conf/fastcgi.conf;
+        '';
+      };
+
+      # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
+      "^~ /simplesaml/" = {
+        alias = "${simplesamlphp}/share/php/simplesamlphp/public/";
+        index = "index.php";
+
+        extraConfig = ''
+          location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
+            include ${pkgs.nginx}/conf/fastcgi_params;
+            fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket}; 
+            fastcgi_param SCRIPT_FILENAME ${simplesamlphp}/share/php/simplesamlphp/public/$phpfile;
+
+            # Must be prepended with the baseurlpath
+            fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
+
+            fastcgi_param PATH_INFO $pathinfo if_not_empty;
+          }
+        '';
+      };
+
+      "/images".root = config.services.mediawiki.uploadsDir;
+
+      "= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
+
+      # Redirects from gitea
+      "/Projects".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "^~ /Projects/(.+\\.php)".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "/oysteikt".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "/Drift".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "/felixalb".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "/adriangl".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "/danio".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "/pederbs".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "/jonmro".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+      "/explore".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+    };
+  };
 }

hosts/bekkalokk/services/mediawiki/simplesamlphp/authsources.php

@@ -0,0 +1,11 @@
+<?php
+$config = array(
+
+    /* This is the name of this authentication source, and will be used to access it later. */
+    'default-sp' => array(
+        'saml:SP',
+        # 'entityID' => 'https://wiki.pvv.ntnu.no/',
+        'entityID' => 'https://wiki2.pvv.ntnu.no/',
+        'idp' => 'https://idp.pvv.ntnu.no/',
+    ),
+);

hosts/bekkalokk/services/mediawiki/simplesamlphp/saml20-idp-remote.php

@@ -0,0 +1,23 @@
+<?php
+$metadata['https://idp.pvv.ntnu.no/'] = array (
+  'metadata-set' => 'saml20-idp-remote',
+  'entityid' => 'https://idp.pvv.ntnu.no/',
+  'SingleSignOnService' => 
+  array (
+    0 => 
+    array (
+      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+      'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php',
+    ),
+  ),
+  'SingleLogoutService' => 
+  array (
+    0 => 
+    array (
+      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+      'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php',
+    ),
+  ),
+  'certData' => 'MIIDpTCCAo2gAwIBAgIJAJIgibrB7NvsMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAk5PMR4wHAYDVQQKDBVQcm9ncmFtdmFyZXZlcmtzdGVkZXQxGDAWBgNVBAMMD2lkcC5wdnYubnRudS5ubzEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2Lm50bnUubm8wHhcNMTcxMTEzMjI0NTQyWhcNMjcxMTEzMjI0NTQyWjBpMQswCQYDVQQGEwJOTzEeMBwGA1UECgwVUHJvZ3JhbXZhcmV2ZXJrc3RlZGV0MRgwFgYDVQQDDA9pZHAucHZ2Lm50bnUubm8xIDAeBgkqhkiG9w0BCQEWEWRyaWZ0QHB2di5udG51Lm5vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAveLujCsgVCRA360y5yezy8FcSPhaqodggDqY12UTkYOMQLBFaph6uUL4oCUlXZqxScrAYVRt9yw+7BYpcm0p51VZzVCsfMxRVkn+O1eUvsaXq3f13f87QHKYP2f0uqkGf5PvnKIdSaI/ix8WJhD8XT+h0OkHEcaBvUtSG7zbEhvG21WPHwgw2rvZSneArQ8tOitZC0u8VXSfdhtf6ynRseo0xC95634UwQAZivhQ2v4A6Tp57QG5DCXIJ9/z3PkINx3KB/hOeh0EP6Dpbp+7V0/t9778E3whpm4llrH144kzROhA7EgUgkZOjAVjxGCYlcj3xQPnnItihVOZ5B5qLwIDAQABo1AwTjAdBgNVHQ4EFgQUPLhrB+Qb/Kzz7Car9GJkKmEkz6swHwYDVR0jBBgwFoAUPLhrB+Qb/Kzz7Car9GJkKmEkz6swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAd+4E6t0j8/p8rbZE8y/gZ9GsiRhxkR4l6JbMRUfEpqHKi415qstChRcP2Lo3Yd5qdmj9tLDWoPsqet1QgyTTmQTgUmPhhMOQDqSh90LuqEJseKWafXGS/SfWLH6MWVmzDV5YofJEw2ThPiU58GiS06OLS2poq1eAesa2LQ22J8yYisXM4sxImIFte+LYQ1+1evfBWcvU1vrGsQ0VLJHdef9WoXp1swUFhq4Zk0c7gjHiB1CFVlExAAlk9L6W3CVXmKIYlf4eUnEBGkC061Ir42+uhAMWO9Y/L1NEuboTyd2KAI/6JdKdzpmfk7zPVxWlNxNCZ7OPNuvOKp6VlpB2EA==',
+  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+);