options:
  protocol-name:
    type: string
    default: 'mapped'
    description: |
      Protocol name to use for URL and generation. Must match the one that
      will be configured via OS-FEDERATION API.
  idp-name:
    type: string
    default: 'myidp'
    description: |
      Identity provider name to use for URL generation. Must match the one
      that will be configured via OS-FEDERATION API.
  user-facing-name:
    type: string
    default: 'myidp via mapped'
    description: |
      A user-facing name to be used for the identity provider and protocol
      combination. Used in the OpenStack dashboard.
  saml-encryption:
    type: boolean
    default: false
    description: |
      (optional)
      Specifies whether SAML assertion encryption should be used. In many
      cases this option is not needed as TLS is used to encrypt data at
      the transport level. This option results in Service Provider metadata
      rendered with the same KeyInfo used for both signing and encryption.
      In practice, this means that the private key specified in sp-private-key
      will be used for both signing SAML messages to an idP and decryption of
      messages sent by idP. idP has to receive the SP metadata file with a
      public key (or a cert) present with use="encryption" specified.
  nameid-formats:
    type: string
    default: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified,urn:oasis:names:tc:SAML:2.0:nameid-format:transient,urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,urn:mace:shibboleth:1.0:nameIdentifier"
    description: |
      NameIDFormat entries to be used in Service Provider metadata file and in
      SAML requests (comma-separated). Different NameID formats could be used
      like transient, persistent, X509SubjectName, emailAddress, unspecified
      and so on.
  subject-confirmation-data-address-check:
    type: boolean
    default: true
    description: |
      This option is used to control the checking of client IP address
      against the address returned by the IdP in Address attribute of
      the SubjectConfirmationData node. Can be useful if your SP is
      behind a reverse proxy or any kind of strange network topology
      making IP address of client different for the IdP and the SP.
      Default is on.
      This can be used for testing with something like testshib if
      you are behind a NAT.
  authn-requests-signed:
    type: boolean
    default: true
    description: |
      Indicates whether the <samlp:AuthnRequest> messages sent by the
      service provider (mellon) will be signed.
  want-assertions-signed:
    type: boolean
    default: true
    description: |
      Indicates a requirement for the <saml:Assertion> elements received
      by this service provider to be signed.
  idp-discovery-service-url:
    type: string
    default:
    description: |
      IDP discovery service URL. If set to "" (default) no discovery
      service will be used. If used, the resource "idp-metadata" must
      be an XML file containing descriptors for multiple IDPs
  idp-metadata-url:
    type: string
    default:
    description: |
      An optional URL to retrieve IDP metadata from. If set, takes priority
      over the "idp-metadata" resource. Auto-updates of metadata occur during
      any hook execution, including update-status.