diff --git a/roles/manage/defaults/main.yml b/roles/manage/defaults/main.yml
index 41c6f34d4..bc1b326f3 100644
--- a/roles/manage/defaults/main.yml
+++ b/roles/manage/defaults/main.yml
@@ -32,6 +32,8 @@ manage_tabs_enabled:
 - provisioning
 - sram
 - organisation
+ - sfo
+ - institution
 manage_docker_networks:
 - name: loadbalancer
 manage_server_restart_policy: always
diff --git a/roles/manage/files/metadata_templates/institution.template.json b/roles/manage/files/metadata_templates/institution.template.json
new file mode 100644
index 000000000..7fc560d0e
--- /dev/null
+++ b/roles/manage/files/metadata_templates/institution.template.json
@@ -0,0 +1,19 @@
+{
+ "entityid": "",
+ "metaDataFields": {},
+ "identifier": "",
+ "use_ra_locations": true,
+ "show_raa_contact_information": true,
+ "verify_email": true,
+ "allowed_second_factors": [
+ "tiqr"
+ ],
+ "number_of_tokens_per_identity": 3,
+ "use_ra": [],
+ "use_raa": [],
+ "select_raa": [],
+ "self_vet": true,
+ "allow_self_asserted_tokens": false,
+ "sso_on_2fa": false,
+ "stepup-client": "full"
+}
diff --git a/roles/manage/files/metadata_templates/sfo.template.json b/roles/manage/files/metadata_templates/sfo.template.json
new file mode 100644
index 000000000..82fb90649
--- /dev/null
+++ b/roles/manage/files/metadata_templates/sfo.template.json
@@ -0,0 +1,14 @@
+{
+ "name": "",
+ "entityid": "",
+ "metaDataFields": {},
+ "public_key": "",
+ "acs": [],
+ "loa": "{{ stepup_loa_values_supported[0] }}",
+ "assertion_encryption_enabled": false,
+ "second_factor_only": true,
+ "second_factor_only_nameid_patterns": [],
+ "blacklisted_encryption_algorithms": [],
+ "allow_sso_on_2fa": true,
+ "set_sso_cookie_on_2fa": true
+}
diff --git a/roles/manage/tasks/main.yml b/roles/manage/tasks/main.yml
index 9df3ecb97..ea54859f3 100644
--- a/roles/manage/tasks/main.yml
+++ b/roles/manage/tasks/main.yml
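Review bot: The template pre-fills `"stepup-client": "full"` while the institution schema added in this same commit declares `"default": "freerider"` for that field, so a newly created institution silently starts as a full Stepup client unless the operator changes it; either align the template with the schema default or document why the template deliberately overrides it. The template also omits `"name"`, which the schema lists as required, whereas the sfo template carries `"name": ""` — presumably Manage fills it from the form, but the two templates should be consistent. These are pure-JSON files with no comment syntax, so the rationale for defaults such as `"self_vet": true` and `"allow_self_asserted_tokens": false` belongs in the role README or in the schema's `info` strings.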
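Review bot: `"loa": "{{ stepup_loa_values_supported[0] }}"` is a Jinja expression inside a file under `roles/manage/files/`, and the task that deploys the metadata templates is not part of this diff; if that task uses `ansible.builtin.copy` rather than `template`, the placeholder lands in Manage verbatim and every new SFO entity defaults to a LoA string that the schema's enum will reject. Either move the file to `templates/` and render it, or drop the key from the template and rely on the schema `default`. The defaults `"allow_sso_on_2fa": true` and `"set_sso_cookie_on_2fa": true` are a security policy choice worth a sentence in the role README, since they decide whether a second-factor-only SP receives a cached second factor by default.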
@@ -11,6 +11,15 @@
 - "/opt/openconext/manage/metadata_templates"
 - "/opt/openconext/manage/policies"
+- name: Copy Stepup stepup_config.json from inventory
+ ansible.builtin.copy:
+ src: "{{ inventory_dir }}/files/manage/stepup_config.json"
+ dest: "/opt/openconext/manage/stepup_config.json"
+ owner: "root"
+ group: "root"
+ mode: "0644"
+ notify: restart manageserver
+
 - name: Import the mongo CA file
 ansible.builtin.copy:
 src: "{{ inventory_dir }}/secrets/mongo/mongoca.pem"
@@ -114,6 +123,10 @@
 - source: /opt/openconext/manage/__cacert_entrypoint.sh
 target: /__cacert_entrypoint.sh
 type: bind
+ - source: /opt/openconext/manage/stepup_config.json
+ target: /stepup_config.json
+ type: bind
+ command: "java -jar /app.jar -Xmx512m --spring.config.location=./config/"
 etc_hosts:
 host.docker.internal: host-gateway
diff --git a/roles/manage/templates/application.yml.j2 b/roles/manage/templates/application.yml.j2
index c45f4a570..2940e3f31 100644
--- a/roles/manage/templates/application.yml.j2
+++ b/roles/manage/templates/application.yml.j2
@@ -53,11 +53,20 @@ push: user: {{ pdp.username }}
 password: "{{ pdp.password }}"
 enabled: {{ manage.pdp_push_enabled }}
+ stepup:
+ url: https://middleware.{{ base_domain }}
+ user: {{ manage.middleware_user }}
+ configuration_file: "file:///stepup_config.json"
+ password: {{ manage_middleware_password }}
+ enabled: {{ manage.stepup_push_enabled }}
+
 product:
 name: Manage
 organization: {{ instance_name }}
 service_provider_feed_url: {{ manage_service_provider_feed_url }}
+ jira_base_url: https://servicedesk.surf.nl/jira/browse/
+ jira_ticket_prefixes: CXT,SD
 supported_languages: {{ supported_language_codes }}
 show_oidc_rp: {{ manage_show_oidc_rp_tab }}
diff --git a/roles/manage/templates/metadata_configuration/institution.schema.json.j2 b/roles/manage/templates/metadata_configuration/institution.schema.json.j2
new file mode 100644
index 000000000..ac8f66e83
--- /dev/null
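Review bot: In the added `command:` the JVM flag `-Xmx512m` is placed after `-jar /app.jar`, so the JVM hands it to the application as a program argument instead of applying it as a heap limit, and the intended 512 MiB cap is never in effect; JVM options must precede `-jar`: `command: "java -Xmx512m -jar /app.jar --spring.config.location=./config/"`. Indentation is not recoverable from this diff, so also confirm in the rendered task that `command:` sits at the service level rather than inside the `volumes` list it was added next to. The enclosing task starts before this hunk.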
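Review bot: `password: {{ manage_middleware_password }}` is rendered unquoted, unlike `password: "{{ pdp.password }}"` a few lines above; a middleware password containing ` #`, `: ` or a leading YAML indicator would be silently truncated or break the parse at startup, so write `password: "{{ manage_middleware_password }}"` and quote `user:` for the same reason. `jira_base_url: https://servicedesk.surf.nl/jira/browse/` and `jira_ticket_prefixes: CXT,SD` are hard-coded SURF values inside a reusable role template, while the neighbouring lines take everything from variables such as `base_domain` and `instance_name`; these should come from `manage` defaults too. The `push:` mapping starts before this hunk.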
+++ b/roles/manage/templates/metadata_configuration/institution.schema.json.j2
@@ -0,0 +1,116 @@
+{
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "title": "institution",
+ "order": 11,
+ "type": "object",
+ "properties": {
+ "eid": {
+ "type": "number"
+ },
+ "name": {
+ "type": "string",
+ "minLength": 1
+ },
+ "entityid": {
+ "type": "string",
+ "minLength": 1
+ },
+ "identifier": {
+ "type": "string",
+ "info": "The unique identifier of the institution."
+ },
+ "use_ra_locations": {
+ "type": "boolean"
+ },
+ "show_raa_contact_information": {
+ "type": "boolean"
+ },
+ "verify_email": {
+ "type": "boolean"
+ },
+ "allowed_second_factors": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "enum": [
+ "yubikey",
+ "tiqr",
+ "webauthn",
+ "sms"
+ ]
+ }
+ },
+ "number_of_tokens_per_identity": {
+ "type": "number"
+ },
+ "use_ra": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "use_raa": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "select_raa": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "self_vet": {
+ "type": "boolean"
+ },
+ "allow_self_asserted_tokens": {
+ "type": "boolean"
+ },
+ "sso_on_2fa": {
+ "type": "boolean"
+ },
+ "stepup-client": {
+ "type": "string",
+ "enum": [
+ "freerider",
+ "full"
+ ],
+ "default": "freerider"
+ },
+
+ "revisionid": {
+ "type": "number"
+ },
+ "created": {
+ "type": [
+ "string",
+ "null"
+ ]
+ },
+ "revisionnote": {
+ "type": "string"
+ },
+ "notes": {
+ "type": [
+ "string",
+ "null"
+ ]
+ },
+ "metaDataFields": {
+ "type": "object",
+ "properties": {},
+ "patternProperties": {},
+ "required": [],
+ "additionalProperties": false
+ }
+ },
+ "required": [
+ "name",
+ "entityid",
+ "identifier",
+ "stepup-client"
+ ],
+ "additionalProperties": false,
+ "indexes": []
+}
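Review bot: `identifier` is listed in `required` but, unlike `name` and `entityid`, has no `"minLength": 1`, so an institution saved with `"identifier": ""` passes validation and is pushed to the middleware under an empty key; add `"minLength": 1` to that property. `number_of_tokens_per_identity` is `"type": "number"`, which admits negative and fractional values — `"type": "integer", "minimum": 0` describes what a token count can actually be. The `"default": "freerider"` for `stepup-client` also disagrees with the `"stepup-client": "full"` pre-filled by the institution template added in this commit; one of the two should change so operators see a single documented default.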
diff --git a/roles/manage/templates/metadata_configuration/sfo.schema.json.j2 b/roles/manage/templates/metadata_configuration/sfo.schema.json.j2
new file mode 100644
index 000000000..a96c321e9
--- /dev/null
+++ b/roles/manage/templates/metadata_configuration/sfo.schema.json.j2
@@ -0,0 +1,99 @@
+{
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "title": "sfo",
+ "order": 10,
+ "type": "object",
+ "properties": {
+ "eid": {
+ "type": "number"
+ },
+ "name": {
+ "type": "string",
+ "minLength": 1
+ },
+ "entityid": {
+ "type": "string",
+ "minLength": 1
+ },
+ "public_key": {
+ "type": "string",
+ "format": "certificate",
+ "info": "The supplied public certificate of the institution. This must be a PEM encoded certificate. DER, CRT or CER are not supported."
+ },
+ "acs": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "format": "url"
+ },
+ "info": "The ACS locations of this institution."
+ },
+ "loa": {
+ "type": "string",
+ "enum": [
+ {% for loa in [stepup_intrinsic_loa] + stepup_loa_values_supported %}
+ "{{ loa }}"{{ "," if not loop.last else ""}}
+ {% endfor %}
+ ],
+ "default": "{{ stepup_loa_values_supported[0] }}",
+ },
+ "assertion_encryption_enabled": {
+ "type": "boolean"
+ },
+ "second_factor_only": {
+ "type": "boolean"
+ },
+ "second_factor_only_nameid_patterns": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "blacklisted_encryption_algorithms": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "allow_sso_on_2fa": {
+ "type": "boolean"
+ },
+ "set_sso_cookie_on_2fa": {
+ "type": "boolean"
+ },
+ "revisionid": {
+ "type": "number"
+ },
+ "created": {
+ "type": [
+ "string",
+ "null"
+ ]
+ },
+ "revisionnote": {
+ "type": "string"
+ },
+ "notes": {
+ "type": [
+ "string",
+ "null"
+ ]
+ },
+ "metaDataFields": {
+ "type": "object",
+ "properties": {},
+ "patternProperties": {},
+ "required": [],
+ "additionalProperties": false
+ }
+ },
+ "required": [
+ "name",
+ "entityid",
+ "public_key",
+ "acs",
+ "loa"
+ ],
+ "additionalProperties": false,
+ "indexes": []
+}
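Review bot: The `loa` property ends with `"default": "{{ stepup_loa_values_supported[0] }}",` immediately followed by `},`, which leaves a trailing comma in the rendered JSON; strict parsers reject that, so unless Manage's schema loader is known to tolerate trailing commas this schema will fail to load — remove the comma after the `default` line. `acs` items are only constrained by `"format": "url"`, which accepts `http://` locations even though SAML assertions are posted to them; if the role's other SP schemas restrict ACS locations to TLS, add the same `"pattern": "^https://"` here. The Jinja `for` loop builds the enum from `[stepup_intrinsic_loa] + stepup_loa_values_supported`; a short comment in the role defaults explaining why the intrinsic LoA is selectable but never the default would help the next maintainer.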