Draft: SSO: dev environment (without env and variables), hosted IdP, remote SP for tests
I'm creating the MR so we can discuss progress and move the notes made on Discord here:
The SSO branch contains the configuration management for the IdP (SSO server) and for a test SP (SSO client, a local Redmine). Many things remain to be done:
- group management (hence using the personae DB);
- testing the impact on existing accounts;
- test and production environments (a bit different from the dev one);
- Pirate theme for the IdP;
- preparation and integration testing of the other SPs (GitLab, Nextcloud, Discourse);
For my tests, the Redmine docker-compose.yml:
```yaml
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0
# https://github.com/team-lab/redmine_omniauth_saml : SAML plugin to install
services:
  mariadb:
    image: docker.io/bitnami/mariadb:11.4
    volumes:
      - 'mariadb_data:/bitnami/mariadb'
    environment:
      # The Bitnami image refuses to start without a root password (placeholder, choose your own)
      - MARIADB_ROOT_PASSWORD=<set-a-root-password>
      - MARIADB_USER=redmine
      - MARIADB_PASSWORD=enimder
      - MARIADB_DATABASE=redmine
  redmine:
    image: redmine:4.2.10
    ports:
      - '8580:3000'
    volumes:
      - 'redmine_data:/usr/src/redmine'
      - './saml-initializers.rb:/usr/src/redmine/config/initializers/saml-initializers.rb'
    depends_on:
      - mariadb
    environment:
      # Variable names of the official redmine image: REDMINE_DB_HOST / REDMINE_DB_PORT_NUMBER /
      # REDMINE_DB_NAME belong to the Bitnami image; with them this image silently falls back to SQLite
      - REDMINE_DB_MYSQL=mariadb
      - REDMINE_DB_PORT=3306
      - REDMINE_DB_USERNAME=redmine
      - REDMINE_DB_PASSWORD=enimder
      - REDMINE_DB_DATABASE=redmine
volumes:
  mariadb_data:
    driver: local
  redmine_data:
    driver: local
```
https://github.com/team-lab/redmine_omniauth_saml : the SAML plugin I installed (master version)
The saml-initializers.rb initializer:
```ruby
Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "http://localhost:8580/auth/saml/callback", # OmniAuth callback URL
    :issuer => "http://localhost:8580/auth/saml/metadata", # The issuer name / entity ID. Must be a URI as per the SAML 2.0 spec.
    :single_logout_service_url => "http://localhost:8580/auth/saml/sls", # The SLS (logout) callback URL
    :idp_sso_target_url => "http://localhost:8480/auth/saml2/idp/SSOService.php", # SSO login endpoint
    #:idp_sso_target_url => "http://localhost:8480/auth/module.php/saml/idp/singleSignOnService", # SSO login endpoint
    #:idp_cert_fingerprint => "certificate fingerprint", # SSO SSL certificate fingerprint
    # Alternatively, specify the full certificate:
    :idp_cert => "-----BEGIN CERTIFICATE-----\n...no point pasting mine here...\n-----END CERTIFICATE-----",
    :name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    :signout_url => "http://localhost:8480/auth/module.php/saml/idp/singleLogout", # Optional signout URL, not supported by all identity providers
    :idp_slo_target_url => "http://localhost:8480/auth/module.php/saml/idp/singleLogout",
    :name_identifier_value => "email", # Which Redmine field is used as name_identifier_value for SAML logout
    :attribute_mapping => {
      # How we map attributes from the SSO to Redmine attributes
      :login => 'extra.raw_info.login_adh',
      :mail => 'extra.raw_info.email_adh',
      :firstname => 'extra.raw_info.login_adh',
      :lastname => 'extra.raw_info.login_adh'
    }
  }
  config.on_login do |omniauth_hash, user|
    # Implement any hook you want here
  end
end
```
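An added example (not part of this MR nor of redmine_omniauth_saml) that checks the `config.saml` hash above before it ships: it derives the colon-separated fingerprint ruby-saml accepts for `:idp_cert_fingerprint`, and flags a placeholder, expired or missing `:idp_cert`, since pinning the IdP certificate is what stops Redmine from accepting assertions signed by anyone else. The self-signed certificate is constructed inside the script as a stand-in for the real IdP certificate; the function names are mine.

```ruby
require 'openssl'
require 'uri'

# Fingerprint of an IdP certificate in the colon-separated hex form that
# ruby-saml / redmine_omniauth_saml accept for :idp_cert_fingerprint.
def idp_cert_fingerprint(pem, digest: 'SHA256')
  cert = OpenSSL::X509::Certificate.new(pem)
  OpenSSL::Digest.new(digest).hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Sanity checks on the :saml hash from saml-initializers.rb.
# Returns a list of problem strings (empty when the config passes).
def check_saml_config(saml, now: Time.now)
  problems = []
  %i[assertion_consumer_service_url issuer idp_sso_target_url].each do |key|
    uri = URI.parse(saml[key].to_s) rescue nil
    problems << "#{key} is not an absolute http(s) URL" unless uri.is_a?(URI::HTTP)
  end
  has_cert = !saml[:idp_cert].to_s.strip.empty?
  has_fp   = !saml[:idp_cert_fingerprint].to_s.strip.empty?
  problems << 'set exactly one of :idp_cert or :idp_cert_fingerprint' unless has_cert ^ has_fp
  if has_cert
    begin
      cert = OpenSSL::X509::Certificate.new(saml[:idp_cert])
      problems << 'idp_cert is expired' if cert.not_after < now
      problems << 'idp_cert is not yet valid' if cert.not_before > now
    rescue OpenSSL::X509::CertificateError
      problems << 'idp_cert is not a parseable PEM certificate'
    end
  end
  problems
end

# Constructed self-signed certificate standing in for the IdP's real one
# (in practice it comes from the IdP metadata).
def constructed_idp_cert(not_after: Time.now + 365 * 86_400)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=idp.example.test')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end
```

Run against the hash above, the placeholder `:idp_cert` is reported as unparseable, which is the same state Redmine would be in if the real certificate were forgotten.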
And also my .env, because I hardcoded everything related to the SSO and Redmine:
```env
USERGID=1000
LOCALHOST=localhost
LOCALPORT=8480
LOCALDBPORT=8481
LOCALMAILPORT=8482
DBROOTPW=partipirate
NODE_ENV=development
```
Edited by Alex