CSCfi.shibboleth-idp

Ansible Role: Shibboleth IdP

This role installs Shibboleth IdP on RedHat or Debian servers.

Requirements

  • CSCfi.jetty
  • CSCfi.mariadb (Optional, used for database storage of name IDs)

Role Variables

Check the defaults/main.yml file for the variables you can override when you call the role. You can also pass the role a list of extra configuration options ("configurables") for Shibboleth IdP. The available configurables are:

For Federations (sets up metadata sources and certificates for IdP)

  • haka-test
  • edugain
  • haka
  • virtu-test

For Extra Functionality

  • consent: Set default parameters for the consent module (currently has predefined static values)
  • loganalysis: Installs a script for log analysis and sets it up to run monthly via cron in the Jetty webroot
  • slo: Configuration for Single Logout with predefined static values
  • mfa-client
  • mfa-server
  • mfa-stepup-server
  • nameid: Configures name IDs, currently uses UID. Some settings (like UID) can be changed by passing parameters. (Note: Requires MariaDB)
  • fticks: Configures F-ticks (still in progress, untested)
  • ldap.yml: Configures the LDAP backend for Shibboleth IdP with TLS, and allows overwriting parameters from defaults/main.yml
  • oidc: Installs OIDC extension for Shibboleth IdP
  • certs: Copies the SSL certificates to /etc/pki/tls/certs and /etc/pki/tls/private and configures them. It handles three sets of certificates:
    • SSL certificates for the Jetty installation that serves the IdP (needed parameters: shibboleth_idp_ssl_crt, shibboleth_idp_ssl_key, shibboleth_idp_ssl_cabundle and shibboleth_idp_keystore_password)
    • A single SAML certificate used for both encryption and signing (needed parameters: shibbolethidp_saml_crt and shibbolethidp_saml_key)
    • Separate SAML certificates for signing and for encryption (needed parameters: shibbolethidp_saml_sig_crt, shibbolethidp_saml_sig_key, shibbolethidp_saml_enc_crt and shibbolethidp_saml_enc_key)

See the example playbook for how to use the role with configurable options.

Dependencies

  • CSCfi.jetty

Additional requirements depend on the configurables you enable: the nameid configurable needs either CSCfi.mariadb or another reachable database, and the LDAP configurable needs an existing LDAP server.

Example Playbook

- hosts: all
  roles:
    - { role: CSCfi.shibboleth-idp, configurables: ['certs', 'slo', 'consent'] }
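A fuller playbook, added here as an example and not taken from the role itself, that enables the certs, nameid, slo, consent and haka-test configurables and keeps the private keys and keystore password in an ansible-vault file. The host group `idp`, the file paths, and the assumption that the certificate variables take PEM content (rather than a path) are assumptions; check defaults/main.yml for the real variable semantics.

```yaml
# Added example playbook for CSCfi.shibboleth-idp (not part of the role).
# Variable names are the ones listed in this README; the value types
# (inline PEM via lookup('file') vs. a path) are an ASSUMPTION, verify them
# against defaults/main.yml.
- hosts: idp                      # assumed inventory group
  become: true

  vars_files:
    # Assumed vault-encrypted file holding the secret values:
    #   shibboleth_idp_ssl_key, shibboleth_idp_keystore_password,
    #   shibbolethidp_saml_sig_key, shibbolethidp_saml_enc_key
    # Encrypt it with: ansible-vault encrypt vault/shibboleth-secrets.yml
    - vault/shibboleth-secrets.yml

  vars:
    # Public material can live in plain files next to the playbook
    # (assumed paths). Only the private keys belong in the vault.
    shibboleth_idp_ssl_crt: "{{ lookup('file', 'files/idp.example.org.crt') }}"
    shibboleth_idp_ssl_cabundle: "{{ lookup('file', 'files/ca-bundle.crt') }}"
    # Separate signing and encryption SAML certificates (third certs option)
    shibbolethidp_saml_sig_crt: "{{ lookup('file', 'files/idp-saml-sig.crt') }}"
    shibbolethidp_saml_enc_crt: "{{ lookup('file', 'files/idp-saml-enc.crt') }}"

  roles:
    # nameid stores name IDs in a database, so the optional MariaDB role
    # must run before the IdP role. CSCfi.jetty is a declared dependency
    # of the role and is pulled in automatically, so it is not listed.
    - role: CSCfi.mariadb
    - role: CSCfi.shibboleth-idp
      configurables:
        - certs       # install the certificates listed in vars/vault
        - nameid      # persistent name IDs (requires the database above)
        - slo         # Single Logout with the role's predefined values
        - consent     # consent module with the role's predefined values
        - haka-test   # metadata sources and certificates for the Haka test federation
```

Run it with `ansible-playbook --ask-vault-pass site.yml` (or a vault password file) so the private keys never sit unencrypted in the repository.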
Project information

Shibboleth IdPv3 for RedHat and Debian

Install
ansible-galaxy install CSCfi.shibboleth-idp
License
Unknown
Downloads
1.4k
Owner
Finnish expertise in ICT for research, education, culture and public administration