[login_config]
global enabled=gssapi,pam

[info_config]
global enabled = fas
fas preconfigured=True
fas aws idp arn=arn:aws:iam::125523088429:saml-provider/id.fedoraproject.org
fas aws groups=[["aws-master", "arn:aws:iam::125523088429:role/aws-master"], ["aws-iam", "arn:aws:iam::125523088429:role/aws-iam"], ["aws-billing", "arn:aws:iam::125523088429:role/aws-billing"], ["aws-atomic", "arn:aws:iam::125523088429:role/aws-atomic"], ["aws-s3-readonly", "arn:aws:iam::125523088429:role/aws-s3-readonly"], ["aws-fedoramirror", "arn:aws:iam::125523088429:role/aws-fedoramirror"], ["aws-s3", "arn:aws:iam::125523088429:role/aws-s3"], ["aws-cloud-poc", "arn:aws:iam::125523088429:role/aws-cloud-poc"], ["aws-infra", "arn:aws:iam::125523088429:role/aws-infra"], ["aws-docs", "arn:aws:iam::125523088429:role/aws-docs"], ["aws-copr", "arn:aws:iam::125523088429:role/aws-copr"], ["aws-centos", "arn:aws:iam::125523088429:role/aws-centos"], ["aws-min", "arn:aws:iam::125523088429:role/aws-min"], ["aws-fedora-ci", "arn:aws:iam::125523088429:role/aws-fedora-ci"], ["aws-fcos-mgmt", "arn:aws:iam::125523088429:role/aws-fcos-mgmt"], ["aws-qa", "arn:aws:iam::125523088429:role/aws-qa"], ["aws-fcos-s3-readonly", "arn:aws:iam::125523088429:role/aws-fcos-s3-readonly"], ["aws-fpl", "arn:aws:iam::125523088429:role/aws-fpl"], ["aws-openscanhub", "arn:aws:iam::125523088429:role/aws-openscanhub"]]

[authz_config]
global enabled=allow

[provider_config]
global enabled=openid,saml2,openidc

openidc enabled extensions=fedora-account,mbs,beaker,waiverdb,odcs,wiki,src,kerneltest

{% if env == 'staging' %}
openidc subject salt={{ ipsilon_stg_openidc_subject_salt }}
{% else %}
openidc subject salt={{ ipsilon_openidc_subject_salt }}
{% endif %}
openidc endpoint url=https://id{{env_suffix}}.fedoraproject.org/openidc/
openidc idp key file=/etc/ipsilon/root/openidc.key
openidc static database url=configfile:///etc/ipsilon/root/openidc.static.cfg
{% if env == 'staging' %}
openidc database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
{% else %}
openidc database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
{% endif %}
openidc documentation url=https://fedoraproject.org/wiki/Infrastructure/Authentication
openidc policy url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
openidc tos url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
openidc idp sig key id=20161031-sig
openidc allow dynamic client registration=False
openidc default attribute mapping=[["*", "*"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "nickname"], ["_username", "preferred_username"], ["fasIRCNick", "ircnick"], ["fasLocale", "locale"], ["fasTimeZone", "zoneinfo"], ["fasTimeZone", "timezone"], ["fasWebsiteURL", "website"], ["fasGPGKeyId", "gpg_keyid"], ["ipaSshPubKey", "ssh_key"], ["fasIsPrivate", "privacy"], ["fullname", "human_name"]]

openid endpoint url=https://id{{env_suffix}}.fedoraproject.org/openid/
openid identity url template=http://%(username)s.id{{env_suffix}}.fedoraproject.org/
{% if env == 'staging' %}
openid trusted roots=
{% else %}
openid trusted roots=https://ask.fedoraproject.org/,https://fedorahosted.org/,https://badges.fedoraproject.org,https://apps.fedoraproject.org/datagrepper/,https://apps.fedoraproject.org/calendar/,http://notifications.fedoraproject.org/,http://copr.fedoraproject.org/,https://copr.fedoraproject.org/,https://admin.fedoraproject.org/voting/,https://apps.fedoraproject.org/github2fedmsg,https://admin.fedoraproject.org,https://apps.fedoraproject.org/,https://release-monitoring.org/,http://pagure.io/,http://admin.fedoraproject.org/mirrormanager/,https://koschei.fedoraproject.org/,https://bodhi.fedoraproject.org,https://lists.fedoraproject.org/,https://openqa.fedoraproject.org/,https://src.fedoraproject.org/
{% endif %}
{% if env == 'staging' %}
openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
{% else %}
openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
{% endif %}
openid untrusted roots=
openid enabled extensions=Fedora Teams,Attribute Exchange,CLAs,Simple Registration,API
openid default attribute mapping=[["*", "*"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "nickname"], ["_username", "preferred_username"], ["fasIRCNick", "ircnick"], ["fasLocale", "locale"], ["fasTimeZone", "zoneinfo"], ["fasTimeZone", "timezone"], ["fasWebsiteURL", "website"], ["fasGPGKeyId", "gpg_keyid"], ["ipaSshPubKey", "ssh_key"], ["fasIsPrivate", "privacy"], ["fullname", "human_name"]]

saml2 idp metadata file=metadata.xml
saml2 idp storage path=/etc/ipsilon/root/saml2
{% if env == 'staging' %}
saml2 idp nameid salt={{ ipsilon_stg_saml2_nameid_salt }}
{% else %}
saml2 idp nameid salt={{ ipsilon_saml2_nameid_salt }}
{% endif %}
saml2 idp certificate file=idp.crt
saml2 idp key file=idp.key
saml2 allow self registration=False
saml2 default nameid=transient
saml2 default email domain=fedoraproject.org
{% if env == 'staging' %}
saml2 session database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_saml2_name }}
{% else %}
saml2 session database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_saml2_name }}
{% endif %}

[saml2_data]
{% if env == 'staging' %}
{% include "saml2_data_stg" %}
{% else %}
{% include "saml2_data" %}
{% endif %}