charm-keystone-saml-mellon/src/config.yaml

72 lines
3.0 KiB
YAML

options:
protocol-name:
type: string
default: 'mapped'
description: |
Protocol name to use for URL and generation. Must match the one that
will be configured via OS-FEDERATION API.
idp-name:
type: string
default: 'myidp'
description: |
Identity provider name to use for URL generation. Must match the one
that will be configured via OS-FEDERATION API.
user-facing-name:
type: string
default: 'myidp via mapped'
description: |
A user-facing name to be used for the identity provider and protocol
combination. Used in the OpenStack dashboard.
saml-encryption:
type: boolean
default: false
description: |
(optional)
Specifies whether SAML assertion encryption should be used. In many
cases this option is not needed as TLS is used to encrypt data at
the transport level. This option results in Service Provider metadata
rendered with the same KeyInfo used for both signing and encryption.
In practice, this means that the private key specified in sp-private-key
will be used for both signing SAML messages to an idP and decryption of
messages sent by idP. idP has to receive the SP metadata file with a
public key (or a cert) present with use="encryption" specified.
nameid-formats:
type: string
default: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified,urn:oasis:names:tc:SAML:2.0:nameid-format:transient,urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,urn:mace:shibboleth:1.0:nameIdentifier"
description: |
NameIDFormat entries to be used in Service Provider metadata file and in
SAML requests (comma-separated). Different NameID formats could be used
like transient, persistent, X509SubjectName, emailAddress, unspecified
and so on.
subject-confirmation-data-address-check:
type: boolean
default: true
description: |
This option is used to control the checking of client IP address
against the address returned by the IdP in Address attribute of
the SubjectConfirmationData node. Can be useful if your SP is
behind a reverse proxy or any kind of strange network topology
making IP address of client different for the IdP and the SP.
Default is on.
This can be used for testing with something like testshib if
you are behind a NAT.
authn-requests-signed:
type: boolean
default: true
description: |
Indicates whether the <samlp:AuthnRequest> messages sent by the
service provider (mellon) will be signed.
want-assertions-signed:
type: boolean
default: true
description: |
Indicates a requirement for the <saml:Assertion> elements received
by this service provider to be signed.
idp-discovery-service-url:
type: string
default:
description: |
IDP discovery service URL. If set to "" (default) no discovery
service will be used. If used, the resource "idp-metadata" must
be an XML file containing descriptors for multiple IDPs