Yan0S Keystone Saml Mellon
- By Yanos Angelopoulos
- Cloud
Channel | Revision | Published | Runs on |
---|---|---|---|
latest/stable | 1 | 19 Mar 2021 | |
latest/beta | 1 | 19 Mar 2021 |
juju deploy yan0s-keystone-saml-mellon
Deploy universal operators easily with Juju, the Universal Operator Lifecycle Manager.
Platform:
-
authn-requests-signed | boolean
Default: True
Indicates whether the <samlp:AuthnRequest> messages sent by the service provider (mellon) will be signed.
-
debug | boolean
Enable debug logging
-
idp-discovery-service-url | string
IDP discovery service URL
-
idp-metadata-auto-update | string
If set to anything other than "" then a URL is expected in which the IDP XML metadata are being served. Also, if set then the "idp-metadata" resource will be ignored. Auto update will occur on every "update-status" hook.
-
idp-name | string
Default: myidp
Identity provider name to use for URL generation. Must match the one that will be configured via OS-FEDERATION API.
-
nameid-formats | string
Default: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified,urn:oasis:names:tc:SAML:2.0:nameid-format:transient,urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,urn:mace:shibboleth:1.0:nameIdentifier
NameIDFormat entries to be used in Service Provider metadata file and in SAML requests (comma-separated). Different NameID formats could be used like transient, persistent, X509SubjectName, emailAddress, unspecified and so on.
-
protocol-name | string
Default: mapped
Protocol name to use for URL and generation. Must match the one that will be configured via OS-FEDERATION API.
-
saml-encryption | boolean
(optional) Specifies whether SAML assertion encryption should be used. In many cases this option is not needed as TLS is used to encrypt data at the transport level. This option results in Service Provider metadata rendered with the same KeyInfo used for both signing and encryption. In practice, this means that the private key specified in sp-private-key will be used for both signing SAML messages to an idP and decryption of messages sent by idP. idP has to receive the SP metadata file with a public key (or a cert) present with use="encryption" specified.
-
ssl_ca | string
SSL CA to use to communicate with other OpenStack cloud components.
-
ssl_cert | string
TLS certificate to install and use for any listening services. . __NOTE__: This configuration option will take precedence over any certificates received over the ``certificates`` relation.
-
ssl_key | string
TLS key to use with certificate specified as ``ssl_cert``. . __NOTE__: This configuration option will take precedence over any certificates received over the ``certificates`` relation.
-
subject-confirmation-data-address-check | boolean
Default: True
This option is used to control the checking of client IP address against the address returned by the IdP in Address attribute of the SubjectConfirmationData node. Can be useful if your SP is behind a reverse proxy or any kind of strange network topology making IP address of client different for the IdP and the SP. Default is on. This can be used for testing with something like testshib if you are behind a NAT.
-
use-internal-endpoints | boolean
Openstack mostly defaults to using public endpoints for internal communication between services. If set to True this option will configure services to use internal endpoints where possible.
-
use-syslog | boolean
Setting this to True will allow supporting services to log to syslog.
-
user-facing-name | string
Default: myidp via mapped
A user-facing name to be used for the identity provider and protocol combination. Used in the OpenStack dashboard.
-
verbose | boolean
Enable verbose logging
-
want-assertions-signed | boolean
Default: True
Indicates a requirement for the <saml:Assertion> elements received by this service provider to be signed.