Add Ipsilon SAML2 config

roles/ipsilon/files/saml2.pem

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFMTCCAxmgAwIBAgIJAKkACNwMmCwqMA0GCSqGSIb3DQEBCwUAMC8xLTArBgNV
+BAMMJGlkLmZlZG9yYXByb2plY3Qub3JnIFRFTVBPUkFSWSBTQU1MMjAeFw0xNTA5
+MzAwOTA4MjJaFw0xNTEwMzAwOTA4MjJaMC8xLTArBgNVBAMMJGlkLmZlZG9yYXBy
+b2plY3Qub3JnIFRFTVBPUkFSWSBTQU1MMjCCAiIwDQYJKoZIhvcNAQEBBQADggIP
+ADCCAgoCggIBAJhbNmEB9HSMe4gL3QBTmW5GTCKNWjmo2vEssnrM3mHFB6580gkB
+pLpEovgXe93trGYJkEqr6MLhx/cHGIBGGWsC1AGqO6fMMO6t9ZqeDAUuujJwK97S
+hVDNmQT9wzwGXlSLifvYaGcxKSMnVQFz2Ms+LRsQgumbMaZbAeHS2YpnZHmxNCb4
++o3F0SSX4g1EPSkSzyFx8KFlqWlgg0fAkbIfJTe5/q6d+Y1JIKWKmIFDhyByiLLF
+4CIAVwZZBT2g+cYY3VnKLgWoSDlOTzQ2sB9xQm8ULLF3QBJtJ32JgudULpXvHxy1
+3dF0AcyE9wnSGlYUf0yXukWXZokqjMafN2KBer/epMAgbSXg09AWvfKrmnZw4w9z
+/I3S5eFvRPlffcfTkqk4bYb+V+GCF/ri/Bbx+yVRx/nqhLrk3f+QzpBTm52k2yqo
+XzpvFkNSYbPeuYYLUZNtg7b13rv5ezr4obN2jQHMPM1p9VLCANUE72y63H4wOVDv
+6C9bZqxww5becuYRPIYNlkWFgkyaMDvRjjpNBM8VNXUi2wkgjDQ9PtaYsRmbMzx6
+hI6YJUza49gEPwm5FRVXimW1t5PTqwIhIgiP8fTghgvfFBxuZi3QoohShjgDhfNw
+qDcjlKqQ6gbB1oUzEMs86qVWvGFDQXnnFrH3kPvM1pFlcDiCUimONEjjAgMBAAGj
+UDBOMB0GA1UdDgQWBBSTgtObEolj8bXrNXfM81a6o/+RuzAfBgNVHSMEGDAWgBST
+gtObEolj8bXrNXfM81a6o/+RuzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4ICAQAG3wuIHr84DeNyUNy9i7Vl9QXravXXcfBjzagZFIv+vw5TQajzTP+cEhvW
+QBPy+bkx/e2gaeo5FPPwC4KISpHGU2sn/EyMajRpCFA9ackWU86V8ulWtafaBs9g
+kpE0CHXKpvdKFHEMqZqD76oz0JU++YZvrgFka6cLhN5goD5HxHGeLrFOH9cXUv0d
+SkH8iee8Ztpn/tFnxJ2/D/KHkzmxQWI6kEKkNTdxIk9jMVQ9JFNCBZaFOcJmJnf7
+L9Lp4PLZ2957ePKo7SKNiJEwF9uEL8RCPfos3qMhklItb3IPVmILrQubCUec43Z3
+hTzwJVjUedGrEaA/IYH+nOZL0LAR1/QUinx+NShMR6+fgBSj4pVkDm4L8h6dnnzi
+oJP/SPd0pOegOdN1bZOkb1qTp0cOoipItQQbJR9oHKcAPrapuvjngU0Fj5yqtuVo
+J+uCdUQPf8iXF6Ml/buZ9Xf44qcFuvJRWw74arDnIgXzCDzpN0faKZV61m1XPbso
+Sexyxv94LEvOrWp04M/r+eUmuV7NIpqegM2MTStBffu3kyeFyWMeU56ZjySRoADc
+UqXoHtxw5E8KMNSATmTp2z7nzpBhE8+vHsvjP/radJteiYLPgzYGxAOoOx+ct+Yh
+GqhnOPtE6u+yJm0OWqybeXUvpsYBTYGmL4wpIj48Zlrq7rkPpw==
+-----END CERTIFICATE-----

roles/ipsilon/files/saml2.stg.pem

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFOTCCAyGgAwIBAgIJAOtrg+MpYNUgMA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNV
+BAMMKGlkLmZlZG9yYXByb2plY3Qub3JnIFNURyBURU1QT1JBUlkgU0FNTDIwHhcN
+MTUwOTMwMDkxMzU3WhcNMTUxMDMwMDkxMzU3WjAzMTEwLwYDVQQDDChpZC5mZWRv
+cmFwcm9qZWN0Lm9yZyBTVEcgVEVNUE9SQVJZIFNBTUwyMIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAt1mvOsVxRm9O+dT0QIYxl0vmqQQ4MhQA3wboEeBp
+sQYjM2te+2Q/7OOwklVdD5g/rgXuDwOH6ztt1Y6UJmMC9RQCSJ5YNFe95hOE0H+P
+ar9/9xm6hlwqxp9S1NftO7G6x7Zad/QHURcQit2EeDJAox/LEk3FEti03Q2tSPBa
+wpNk/AUwkXnGn+bQ142JxvfJaO8sdxPpww1955SxKnJ3ClaPw3Qs0SLbD7cQQnyu
+gQne0jBNPS5LkXS7DKmPBXY7R7der2gx3Wr6TxHNCcqMruL/RHmGKEB/KnFqxDK1
+zNrcUyyghHGBRtGqbJw37kQBWtuoE67iyAiHQWnn4onNHTFeP1SfpzFIM3ya8Iew
+Awh93IH2YAAd3SxNsCE27iZej2+8OikkWp6rpG36apskwKLAmOTKATqAII49u32o
+aYqMe3LEORzmoR45/FGmQ8fPTxIXoT9kkA8nS3Xa1f6BaGnlxPu+VNAYEQx5hzX1
+yhjSEiIcyowIx4/Frp+XHn7USQHb0jBkBGTWlo3QRO3LDarTmcoJZIrMK1fISggv
+KJ1jUisrboFm0hX4O0F6TAx9UbWGIpgTiEjynDbBgIWsElGaTOfafPOFAVVusW5W
+6na5R0sKDiaw5Ej3tMz5gTlSLk+0Vfc/tQphqIgXu1BIQ5gghyDUAEZRIe7iFEnu
+LqUCAwEAAaNQME4wHQYDVR0OBBYEFFIneEZsGOpk6nVXammdrrRVyG5/MB8GA1Ud
+IwQYMBaAFFIneEZsGOpk6nVXammdrrRVyG5/MAwGA1UdEwQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggIBAGqXB//gUKBAUFHB4i45/70vWID2lYMu2nFvd7SWI1oc0n78
+DTlqFDYDyV05V/qCnezjAb+6KUyyeyAevgZPaDswCVd2aygYGDE9RsvOy60UhZ1c
+yfgVx2l/YLzO4bWNKllxpfbLVHTfKo8MfFa99ClN6Y+t8+fucTS2+WOq5MYd5lKS
+/4FY7QYq645oYHAlQzOV2PHAcMDbhtaEJJ4CXh4//ArM/NE73NYaH4SGQW1xVD7D
+8zS/0TGYDX6MNQvRwzihtKVEtUAGj1zIZZUYFd9+mx4Ir3OBnRozSe8LkfaWYd13
+hlRLINzOEQ3ebSGGRlgeFYXw+cTpn64KoyE56CcL//dxZS27LGBIMAul0eARoa6U
+Y1DYkZ178QugycphmLCkxe2/Qe9xZjn0ghycxiYAlPqGFG87pW8UC162B7eklOuR
+GO/BqcKZcO5GPyWkuslUpx8w0bOnCgXKxVzbt5BGBMvSMxe/QCw9x4sXnKGUtHaV
+FqnKqa/sxkfQ8HltSvft8goNw13/I+J5ERHdif0EyI83ba+CyGwEjCe8uZYjp2G3
+DqtUXjiYReHTYZr6R9Xgts0RKf44wVJ3D7Fs7P2dBGI7b/R/8HHv9HM+/HcbkRhA
+25vdCBgg+KF3u3bZZlUp82PkOtRFcr4kb3GwS4FAaxRC5i/8Z4qI2ICNZFPN
+-----END CERTIFICATE-----

roles/ipsilon/tasks/main.yml

@@ -73,6 +73,30 @@
         owner=ipsilon group=ipsilon mode=0644
   when: env == "staging"
 
+- name: create SAML2 dir
+  file: path=/etc/ipsilon/saml2 state=directory mode=0700
+        owner=ipsilon group=ipsilon
+
+- name: copy SAML2 private key
+  copy: src={{ private }}/files/ipsilon/saml2.key dest=/etc/ipsilon/saml2/certificate.key
+        owner=ipsilon group=ipsilon mode=0600
+  when: env != "staging"
+
+- name: copy SAML2 public key
+  copy: src=saml2.pem dest=/etc/ipsilon/saml2/certificate.pem
+        owner=ipsilon group=ipsilon mode=0644
+  when: env != "staging"
+
+- name: copy SAML2 STG private key
+  copy: src={{ private }}/files/ipsilon/saml2.stg.key dest=/etc/ipsilon/certificate.stg.key
+        owner=ipsilon group=ipsilon mode=0600
+  when: env == "staging"
+
+- name: copy SAML STG public key
+  copy: src=saml2.stg.pem dest=/etc/ipsilon/ipsilon/saml2/certificate.stg.pem
+        owner=ipsilon group=ipsilon mode=0644
+  when: env == "staging"
+
 - name: set sebooleans so ipsilon can talk to the db
   action: seboolean name=httpd_can_network_connect_db
                     state=true

roles/ipsilon/templates/configuration.conf

@@ -12,7 +12,7 @@ fas FAS Insecure Auth=False
 
 
 [provider_config]
-global enabled=persona,openid
+global enabled=persona,openid,saml2
 
 {% if env == 'staging' %}
 persona allowed domains=stg.fedoraproject.org
@@ -37,3 +37,10 @@ openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{
 openid untrusted roots=
 openid enabled extensions=Teams,Attribute Exchange,CLAs,Simple Registration,API
 
+saml2 idp storage path=/etc/ipsilon/saml2
+saml2 idp metadata file=metadata.xml
+saml2 idp nameid salt={{ ipsilon_saml2_nameid_salt }}
+saml2 allow self registration=False
+saml2 default nameid=transient
+saml2 default email domain=fedoraproject.org
+saml2 session database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_saml2_name }}