4d1557dcf2
This patch aims to add a prefix for memcached_server on each role to give the ability for deployers to override the location of memcached cluster. I.e users wants to create a single memcached cluster with k8s for each service. Change-Id: I57e7a977675c203d811bf0afc60ebf2c5661c284
127 lines
5.2 KiB
Django/Jinja
127 lines
5.2 KiB
Django/Jinja
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
|
|
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
|
|
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
|
|
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
|
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
|
|
clockSkew="180">
|
|
|
|
<OutOfProcess>
|
|
<Extensions>
|
|
<Library path="memcache-store.so" fatal="true"/>
|
|
</Extensions>
|
|
</OutOfProcess>
|
|
|
|
<StorageService type="MEMCACHE" id="mc" prefix="shibboleth2:">
|
|
<Hosts>
|
|
{{ keystone_memcached_servers }}
|
|
</Hosts>
|
|
</StorageService>
|
|
|
|
<StorageService type="MEMCACHE" id="mc-ctx" prefix="shibboleth2:" buildMap="1">
|
|
<Hosts>
|
|
{{ keystone_memcached_servers }}
|
|
</Hosts>
|
|
</StorageService>
|
|
|
|
<SessionCache type="StorageService" cacheTimeout="{{ horizon_session_timeout }}" StorageService="mc-ctx" StorageServiceLite="mc" />
|
|
<ReplayCache StorageService="mc"/>
|
|
<ArtifactMap StorageService="mc" artifactTTL="180"/>
|
|
|
|
<!-- The entityID is the name by which your IdP will know your SP. -->
|
|
<ApplicationDefaults entityID="{{ keystone_service_publicuri }}/shibboleth">
|
|
|
|
<!-- You should use secure cookies if at all possible. See cookieProps in this Wiki article. -->
|
|
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions -->
|
|
<Sessions lifetime="28800"
|
|
timeout="3600"
|
|
relayState="ss:mc"
|
|
checkAddress="false"
|
|
handlerSSL="{% if keystone_ssl | bool %}true{% else %}false{% endif %}"
|
|
{% if keystone_service_publicuri_proto == "https" %}cookieProps="; path=/; secure"{% endif %}>
|
|
|
|
<!-- Triggers a login request directly to the IdP. -->
|
|
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
|
|
<SSO ECP="true" entityID="{{ keystone_sp.trusted_idp_list.0.entity_ids.0 }}">
|
|
SAML2 SAML1
|
|
</SSO>
|
|
|
|
<!-- SAML and local-only logout. -->
|
|
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceLogout -->
|
|
<Logout>SAML2 Local</Logout>
|
|
|
|
<!--
|
|
Handlers allow you to interact with the SP and gather more information.
|
|
Attribute values received by the SP through SAML will be visible at:
|
|
{{ keystone_service_publicuri }}/Shibboleth.sso/Session
|
|
-->
|
|
|
|
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
|
|
<Handler type="MetadataGenerator"
|
|
Location="/Metadata"
|
|
signing="false"/>
|
|
|
|
<!-- Status reporting service. -->
|
|
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
|
|
|
|
<!-- Session diagnostic service. -->
|
|
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
|
|
|
|
<!-- JSON feed of discovery information. -->
|
|
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
|
|
</Sessions>
|
|
|
|
<!--
|
|
Allows overriding of error template information/filenames. You can
|
|
also add attributes with values that can be plugged into the templates.
|
|
-->
|
|
<Errors supportContact="root@localhost"
|
|
helpLocation="/about.html"
|
|
styleSheet="/shibboleth-sp/main.css"/>
|
|
|
|
<!--
|
|
Loads and trusts a list of metadata files which describes
|
|
the trusted IdP's and how to communicate with them.
|
|
-->
|
|
{% if keystone_sp.trusted_idp_list is defined -%}
|
|
{% for item in keystone_sp.trusted_idp_list %}
|
|
<MetadataProvider type="XML"
|
|
uri="{{ item.metadata_uri }}"
|
|
backingFilePath="{{ item.metadata_file }}"
|
|
reloadInterval="{{ item.metadata_reload }}" />
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
<!-- Map to extract attributes from SAML assertions. -->
|
|
<AttributeExtractor type="XML"
|
|
validate="true"
|
|
reloadChanges="false"
|
|
path="attribute-map.xml"/>
|
|
|
|
<!-- Use a SAML query if no attributes are supplied during SSO. -->
|
|
<AttributeResolver type="Query" subjectMatch="true"/>
|
|
|
|
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
|
|
<AttributeFilter type="XML"
|
|
validate="true"
|
|
path="attribute-policy.xml"/>
|
|
|
|
<!-- Your SP generated these credentials. They're used to talk to IdP's. -->
|
|
<CredentialResolver type="File"
|
|
key="sp-key.pem"
|
|
certificate="sp-cert.pem"/>
|
|
|
|
</ApplicationDefaults>
|
|
|
|
<!-- Policies that determine how to process and authenticate runtime messages. -->
|
|
<SecurityPolicyProvider type="XML"
|
|
validate="true"
|
|
path="security-policy.xml"/>
|
|
|
|
<!-- Low-level configuration about protocols and bindings available for use. -->
|
|
<ProtocolProvider type="XML"
|
|
validate="true"
|
|
reloadChanges="false"
|
|
path="protocols.xml"/>
|
|
|
|
</SPConfig>
|