From 7321c7ae38111a2c373dc3419b5089c427ee7995 Mon Sep 17 00:00:00 2001 From: Maxence Lange Date: Sun, 8 Mar 2026 22:54:23 -0100 Subject: [PATCH 1/2] globalscale+sso Signed-off-by: Maxence Lange --- authentik-blueprints/portal_saml.yaml | 298 ++++++++++++++++++++++++++ bootstrap.sh | 2 +- docker-compose.yml | 110 ++++++++-- docker/bin/bootstrap.sh | 72 +++++-- docker/configs/default.config.php | 4 + docker/lookupserver/Dockerfile | 2 + docker/lookupserver/config.php | 11 +- 7 files changed, 464 insertions(+), 35 deletions(-) create mode 100644 authentik-blueprints/portal_saml.yaml diff --git a/authentik-blueprints/portal_saml.yaml b/authentik-blueprints/portal_saml.yaml new file mode 100644 index 00000000..bbec8d0e --- /dev/null +++ b/authentik-blueprints/portal_saml.yaml 
@@ -0,0 +1,298 @@ +metadata: + name: "portal.local SAML" + labels: + blueprints.goauthentik.io/instantiate: "true" +context: {} +entries: +- attrs: + name: Authentik + certificate_data: | + -----BEGIN CERTIFICATE----- + MIIE5DCCAsygAwIBAgIQQwV9AoKySzWn+vejIypIhzANBgkqhkiG9w0BAQsFADAe + MRwwGgYDVQQDDBNhdXRoZW50aWsgMjAyNS4xMC4yMB4XDTI2MDMwNzEyNTcyNloX + DTM2MDMwNTEyNTcyNlowPjESMBAGA1UEAwwJQXV0aGVudGlrMRIwEAYDVQQKDAlh + dXRoZW50aWsxFDASBgNVBAsMC1NlbGYtc2lnbmVkMIICIjANBgkqhkiG9w0BAQEF + AAOCAg8AMIICCgKCAgEAwIeRHlF5eL7ZX11oNhR4hfztwHKdl4G6hhyDo3cxIRN8 + YUVk3IXfpGzR1U7IsnqenrsNzLk//Nw15lpx4Mxr4hsyCzKksKPD5+aNy3otRQbK + POL5Fh5m9M7WxiP/uA7xkk1l5tj8ae6Lu6wnK6T4NkePSoBD3tK8NY6nOm4r04r+ + fWjLNc24RpX+rKZL/YPDgCYaAkooBAoXL9Dcs/RHCfPIgyeGL0YxhyZKFV+kUgQp + GQYCZMdvR7waBe7rAK98y47GyQjeVIG/bRu9E/iq0rqwMAgq9rLTgUg0ZieIF1aZ + KeoS3bLaXvFDSzr8N2fR7ktkdsyyCqNrUg80n7cY5XKeaVefW2Qub1gj9uzuoyEU + 2NpzF+L9cbw0kDr5UtsCLwbdKvgQkJ9ATNWUI6EO061mRm7Ty4TyZpAY2klsvDqV + bpd/OBl7LWfTaDcxaXaN0mwEv31LkPWmeecVJcqOx26NwFn1WE91cKzlv1atkuDQ + 8f0xX/RB2GbOSNNyRBViiw5LZUZEnTznOP+orZ8XLqQh6cUYm3KaaskjF+YRCZe0 + GEKgw8+Oz4Hm82gEww0y9JRguxINn3L9C1WP/X3bWbHi9kiG3Z0BUGHM5Sek2NEf + R4HJ6IhQAQwzcosqpiOl4Z7dp6PWJaobjdg2gC2B1ZJXQ18pXtNrvgS88pWenDUC + AwEAATANBgkqhkiG9w0BAQsFAAOCAgEAlj2kVi1yKemMsWAKDmWWPXUmKthvU4i8 + tortBPGKf1ndLZ1doxGhb8hUjFnaupMRG9RgQbehslLVxcIHXYGBmaiiFuAOk3HN + GxBZtrCjlaSYDcuKPiM7Ey+gF6Ec5giix4vL/YFPv95gngvMxDrRsGsnyHgB/Cju + 5IcriJ0DfoGn/VSj+nxCdj2Ju+utyMaXEYM85I5/9c5VyB401gy7FoMkPiqA4kLs + r5JhO391R+1hpjcNLbRrUnHmjLsZyGc2paGSD/Rw2dAwOjuG8BuLa+TPrj4/3Y5e + 2jtGNAF8bHDvLaj+sCPTjm1zmrAkI7jANQ5/hywbmpoSK8Y59OpeyoJqMwLWfLXP + 7xFEzG7Ovdo/EXOnypcwrPF8keitl7umwAdBkob+ki5REb02Ya7bFwtnbDcsTMfA + FDnZfvScUAeBKNJ4uOlS0qQJja/2YP5+9uNuAXAv5/lEEbgMctURG7LdBH5XQNI3 + E/TjdJhFvV1D4exmhywbdwNBrQVaMP/FXM7cciIqFnuiRX4N+QqhH9oYpFHlGRyb + nsfniK20UyatEVNzx7rIB9WLKOKgT8iHTj6JnMLEPlCnQNnSmd9itmPBDJspohQG + IkOzQf9at5Xeg1XEn5AjSaGQYFV+G/+gjiG4sO5/o0Nwyc8PXwF42uryX88qqDJJ + MokbVpVDSPY= + -----END 
CERTIFICATE----- + key_data: | + -----BEGIN RSA PRIVATE KEY----- + MIIJKQIBAAKCAgEAwIeRHlF5eL7ZX11oNhR4hfztwHKdl4G6hhyDo3cxIRN8YUVk + 3IXfpGzR1U7IsnqenrsNzLk//Nw15lpx4Mxr4hsyCzKksKPD5+aNy3otRQbKPOL5 + Fh5m9M7WxiP/uA7xkk1l5tj8ae6Lu6wnK6T4NkePSoBD3tK8NY6nOm4r04r+fWjL + Nc24RpX+rKZL/YPDgCYaAkooBAoXL9Dcs/RHCfPIgyeGL0YxhyZKFV+kUgQpGQYC + ZMdvR7waBe7rAK98y47GyQjeVIG/bRu9E/iq0rqwMAgq9rLTgUg0ZieIF1aZKeoS + 3bLaXvFDSzr8N2fR7ktkdsyyCqNrUg80n7cY5XKeaVefW2Qub1gj9uzuoyEU2Npz + F+L9cbw0kDr5UtsCLwbdKvgQkJ9ATNWUI6EO061mRm7Ty4TyZpAY2klsvDqVbpd/ + OBl7LWfTaDcxaXaN0mwEv31LkPWmeecVJcqOx26NwFn1WE91cKzlv1atkuDQ8f0x + X/RB2GbOSNNyRBViiw5LZUZEnTznOP+orZ8XLqQh6cUYm3KaaskjF+YRCZe0GEKg + w8+Oz4Hm82gEww0y9JRguxINn3L9C1WP/X3bWbHi9kiG3Z0BUGHM5Sek2NEfR4HJ + 6IhQAQwzcosqpiOl4Z7dp6PWJaobjdg2gC2B1ZJXQ18pXtNrvgS88pWenDUCAwEA + AQKCAgAGEJ81LcreT2DInMgqH/X1/pQ8wj+NpMQL8n0BGsGc8aCy7b0yJzN22gi4 + J/2xhaRWirzyDInj/Mnj4kiBFN93JXUrniJLADWtKfmghc5EROT9Cwdet4F1x8hD + QKIPGcVpXu/NWFuHOMEFHfSz7sP07ccpSSYaMFhGdaJ1+D+AL/o5WCJCpSLfcl0t + 8iUlrM9tS4X5OX3ONsUpN/Kj5peQTDIuU4HqHlN0FvQxfSxPexsSUzqjExdB0r6d + Hjwf7udHAE3pylI6pkWx+bQ4m1ZCQihHsxIraFG6WlxwNWGXnp4/kESc4EP5xq7g + gVCtrCMUVyKojWU0aZZ5ZMo7F8j8b0mJkgK7VmmKpnFsTGHYQCapy65p0zWoWibp + jweMbiptyWvbyyEPjGV4ygkFZ/dDG2iEwtibabu1Yd2fUY1DweNIHzBt94w7rjKP + dmGloXqANBdXFhNOWnaz3UX8oBIXdOx4MoKb86H6S080k0cccpqGOM+D7sMAO95i + h8aJ4x59VpyT8a4Xrryy7DCruZIAYzjLeO0XCI+o/Zo3Yh0Cb+Cz0WWMF4zyRB7O + /2dNulGD3XjkJyAt/S1EKJLYQZzXzuq9tdtRffYb7DsiRQye2+ny9Od0dCjwmDLQ + AF2OlqjPfo5hi2ZWxpr78BUD5jMzmzVC/Wr4qPVBWMeWCUhXAQKCAQEA+6DpQuVT + 2fzCMLtoiPOB7s2akvT/ovfYJhYB1ZA6e1KlY9in0/mxRg4iRROuYCSa0tIw/NGs + TYV51Rl7Ij0fpwD5E3vbkSZNbxbrVasvKgAUBG7eVhORZvkrzoosFzbyWAWwCxVg + j9uTtyizbK8elPWfrYe3EUW1Zjh1+0pG0cOgxoatN9iuFocsWovNSA+QwBPVr9nx + YYAtOhG/UCjj8zWfPe74YvocfgDJEMc0Tti/BabMYipL1TYXAVZnvr/XlyyukF0V + ukoCSG0GkHCbq9XDtzryrj98AkLD9UJlGsd7pxLQD7TDyjpx9miIE5+2GgMQNOVY + 2PJqroRj8vZZgQKCAQEAw9/R2ohiyWM0/7gSqWddtZsi9NHrKRV248XucS1kyzZF + 
RNIkKGKtUcDeTZCV3hC3IK93jAC5zbMYTr5/D80ts2GeEU5M+SXJyLfRZRNmvOHb + GXWeBGNIj3ndsST/RgJkbmU0VTkRM11cFlnMTbrIpwA7w3NBT73zZu7uSmofp6SP + /r4EGVREXBUSLUEYW8aVXnu7tHRMvMIB4cAwbi2E84cBKLvHMivw8gifftJHzMS0 + CkLwHGjch/u8vANq6NJLorwnh21hTVgmEQ8070IjaUN0bu7Ey5HSNlgS8ToJ088Q + q/swo3V+xg4NzLrv881wVHJuejBr6n0B/OL1E5NUtQKCAQEAt74YlzC+uj9Hzi4L + d3XZO3gHl6gvw+EXhTgsvrZC/iqreu2KH9AFExLfE3H7s1kHdUrnWrYBC9qbzHB+ + 6dGYe2rKdt/KxYMiqCwkTLpkBldoRpRu5owDcR4iTv+2kn0dGgmNM4q4qFO+2dBu + tL5rpnp1z1F67LHqdGpmPMlQTXx8uns9obon5Wtvh+7uR+CV4qyZLYAIMxpV7EFp + Yi95xO8zCRanah8ZDymjqQzNtYWwd4AFXulj1p1YzzE5MKEF3O5Tyjcu1omUgS6b + zH1uL1w5PmNdMsBI3Z3DWiTRj2x7btTd+ZoWHmXvMe/C7hGB+BykiPuwlTrvi+BA + 2/noAQKCAQAex/6XhBVaJo/+m7O7EXZlgrK0nISDGU9srf8xo/uR/75U+V0bR56L + GW8V62HR2vicV1bHFpocXEe2oDMhjZHf/bg0agSopqqWM2ThqHHdvvSKhLRHZj7R + 5UnUe8bt/pQ/0QGvXt94HfTJwmTb1j2QGPZLWcJqwKQOif/Ci/jbhH3of33vaRGx + EtKfb/pe+c8hYPp3ektQ4oAfNO+ncNnS12V0PEYqeUNNFdPSv0LvR/4vGqPXIxd8 + +y+GsFbNrbabJUxk+OhwmiipR6V+7/rWoPYcNMOSZiENzzty0zcWJRUuobPcDCvW + /gBnKv1oZ+F+M9lutEtRN0Hnttbis6V9AoIBAQC/haMEUmvpAVJNUzRRSBoPTEB2 + 8KZFEaW5+NgBcrbT9p6cHnVByBfqa0fdp88BgJh7gWzzbL6pPxUcKK6/2BjcQJfj + gANvZVbvY5k9ygg2u2TQwcGt4UVP7SoyfbiQgruMMCVmI8TYAq31IiccE8vhyw2a + mhBClkVp5Xwc+7secANvNpPDmp5MSwHMTtYfgcOJhriIwMoJzkFeIq7TA0OEVjUy + eiIyMe3ewgYJ0GlsvvxuNt4hDKIvJKn5/dxQryTCLKs06OXjlUc/xOo5XLhuhlAS + iZVHJo30cIDzna1O3TgXVRO60rwTxWoxieW/kTZqN8VDG9H7D4Me+vdCZNNU + -----END RSA PRIVATE KEY----- + model: authentik_crypto.certificatekeypair + identifiers: + name: authentik-cert +- attrs: + name: Portal + certificate_data: | + -----BEGIN CERTIFICATE----- + MIIE4TCCAsmgAwIBAgIQJqHXZY3HTR67OsquzTBqmzANBgkqhkiG9w0BAQsFADAe + MRwwGgYDVQQDDBNhdXRoZW50aWsgMjAyNS4xMC4yMB4XDTI2MDMwNzEyNTcwNFoX + DTM2MDMwNTEyNTcwNFowOzEPMA0GA1UEAwwGUG9ydGFsMRIwEAYDVQQKDAlhdXRo + ZW50aWsxFDASBgNVBAsMC1NlbGYtc2lnbmVkMIICIjANBgkqhkiG9w0BAQEFAAOC + Ag8AMIICCgKCAgEAuvRuB3P2Si4QwkiARQTxx9B8MEiI6UBjyFHQlOwfi9366mG+ + /MYu7OqDfmFPMYBjxjGL61DSqs0EZCZF3urg8XPrfSNBpkFQ29vGBaUqodDo6xDg + 
CKulaEMc+ROJA2/JQ2i5/rgFEpMdr89ty5AyTucdPpKAlmg5z1aIqVx6O0CPpSjP + KIXYLUZATCCD4yBGcPkwwvNEx1gL4O1zTA3oPJmYXMQGEHjxL7MCjBhKp8Kz1rjP + MIMY6EU6ng4P2pI0L3gyiZSff0+xHJrT5X5Z5K20A+qsy6iUzs97fvRYWAA4LYJN + cdwms7a/EPv0BBIGisC76WYIKX0WwgnYbEtkN7Xn7BfQcdMJA9z4C8VrFrQClhAF + swEGHLAvCZ+tCPPbPG5Z5KAe18U5JNECv1L3xbTRO6gi1+qIbfMPQZfkotzYPaIU + ab42LR97MMIidVCcTeXcSXi7pWJ57qDqsy+aSGclsIM/7EyyuWyX4KSbCfB+C4WA + TC8nI+l2aVff3A6viJx4k2bVQ0JWdPPz2RB85zjkBNPOC2e+UtXPM1s8sJVAyRUO + IvHvWGmw/cCsqdb4bV6iWT+6F+i0Hb79O5ZN+s6Kej3pYPDIAHmaGqNSLyeWERPG + aQZIZTCvGgmILYEwDoiVmuEi2Ks2b9kDl/wAiMYQtjh2ZUTnaaiF/zeDjIcCAwEA + ATANBgkqhkiG9w0BAQsFAAOCAgEAj/vF3Q2EDKb7bOLaIINe1oqvG031UzC5vAUC + IutjjQc8HdE7n5+3Jd6FAH9NALmTrvLz10n07xUaoSIoB8m9vydglnKgHMOd/Jg/ + 4VYX+pwEqInNLUd3Ep5y57KwQ3eCg2kzeEHCiacg2DgmbpW2xyGfnJbsq1IDyyY6 + hyDq8yvzDmetuLd3FGpNYv0NIiMrWLcy8+h2H3HCgNs1A179VvoHV+8QW9kGbTmy + f/JLx4O4APD5QUX3vEgkp2yzFWIPaUuNkcpOddB7kYFcAxA620kICDw5t7yylmBZ + aamAK2o8tAKAhJ/KixZfj1J2t9BK4pDrPeulOTdhDA3vuao2LXmfP4PUakV7yY1W + 7YVftwNasY2RXCh+RkIhEABL98VdfRyxTo5pi6KoqMOYVp5/pRNZ6H2Zmpyb8pUZ + cBoBHFudoZ/NN5FyuUUk1leX29Ce96YudH4K/e3X+IWiwTBKpQyguYOD4Sh21NmI + LFKF2w+9C4heoaFTD+CBoGAilR+4N/RPHlKf6pC5r1XteG+UWtmkHA+BZVt2eOPL + laU25MeoifoFGGm6/Rn4QAbDTYPLpFH4GXc8/S1tqrVYZeeSmfVD66Y1Ew8FB6Sz + X1HjruX/JewD4aCTJgYBPhS+OJ93in1XYHJd8of21GuePTBHg8fgg/p2yzUB1+ST + lUraqIM= + -----END CERTIFICATE----- + key_data: | + -----BEGIN RSA PRIVATE KEY----- + MIIJKAIBAAKCAgEAuvRuB3P2Si4QwkiARQTxx9B8MEiI6UBjyFHQlOwfi9366mG+ + /MYu7OqDfmFPMYBjxjGL61DSqs0EZCZF3urg8XPrfSNBpkFQ29vGBaUqodDo6xDg + CKulaEMc+ROJA2/JQ2i5/rgFEpMdr89ty5AyTucdPpKAlmg5z1aIqVx6O0CPpSjP + KIXYLUZATCCD4yBGcPkwwvNEx1gL4O1zTA3oPJmYXMQGEHjxL7MCjBhKp8Kz1rjP + MIMY6EU6ng4P2pI0L3gyiZSff0+xHJrT5X5Z5K20A+qsy6iUzs97fvRYWAA4LYJN + cdwms7a/EPv0BBIGisC76WYIKX0WwgnYbEtkN7Xn7BfQcdMJA9z4C8VrFrQClhAF + swEGHLAvCZ+tCPPbPG5Z5KAe18U5JNECv1L3xbTRO6gi1+qIbfMPQZfkotzYPaIU + ab42LR97MMIidVCcTeXcSXi7pWJ57qDqsy+aSGclsIM/7EyyuWyX4KSbCfB+C4WA + 
TC8nI+l2aVff3A6viJx4k2bVQ0JWdPPz2RB85zjkBNPOC2e+UtXPM1s8sJVAyRUO + IvHvWGmw/cCsqdb4bV6iWT+6F+i0Hb79O5ZN+s6Kej3pYPDIAHmaGqNSLyeWERPG + aQZIZTCvGgmILYEwDoiVmuEi2Ks2b9kDl/wAiMYQtjh2ZUTnaaiF/zeDjIcCAwEA + AQKCAgADpRq9ZnWERpfG64TPXDVznqaxdX75DCchnAa9b3yOf86i0Mw/yAzY1Akh + VcjiJckymgPkeatS3jwiv7mcNc20HuOnAMuAEiuHrL/HvbqhDdGDHET7hCjti5fT + jGqfCZkrmlhNcytre0n+4cQGo1JEkwOeBAX/pHBMGVtnaE1+koIx6XkbJp2vsASt + 90gOL9Si88N14QgLL7X/1/rn4mz+s5oMMcJ0gilDxK0Ho0VWrZQtWyGWcs9YChXC + WYQaJVn6lIxowgI9zIVr3oyhuTQ/Mx76baMirVqabzfOooH+bcO7sYrMdm0k39WB + ihCHdFH6/587VuT7tdNtOqXHBJpWoY18jwyYfIUFlrvQq783Yz2FtJ+EqIxbZRS8 + oHTjioi54j6S2TBMdjO2XC9Nrv1wb+FKDciAeQOD4vZceMnrezc/jzJPythBxX/w + SvxnaDyliRebybE71Je3m/esLyvTNQUBjEeRdXDwYakgwCFc6WanQL8y4N1fxdU0 + 7hGf/D+GRWmhFL7/mBc8nrOf2n6r5sa0HPvXakuPFD8+yUHWJleh9Xa6BGw2VEse + 3okt0Wd9lIi4UprdKrrE8Xs3SKaTQhBGMawCQ3Du3Mk9kk7NUR6tmW2XoLvt61TL + JBcG5QitwnddTDXR2rDKE1WHBEg8rLAy7K/BYMttEtjBnvQ7MQKCAQEA8GRFsAKR + QHgW484yd99KVZuhP1w2K5yBeP4lnHgcUGUU689FyifytpL4xX1jzSSHmJM0WM4M + HzVmPXbTrHTY5l7X682cB5keEjMiIMbVmNZG8oLuiWe8tVxseNeptkOuo0G7oYch + cwGWjNQPBBgU5FihnVsWA5Foly80s1ZeuphetEiyDJ0A/FeEyP0BwFNMUKIZXWPe + XTo8jaLYyAUyGgOVs/r8QKg3oXCo8gbwAsB0El4+wk7i5sXah+GTvYM+uH0THoSK + 5thgeeEbxRKmVPHxddQ+/A3lJTHJIAknwsMPFw8qlbZdNXHGXM8wRLrNr8k7c4oq + /O6gqYADSPp0DQKCAQEAxxfxk/+NKWleBbtKyp3lk0zvM+ZTYw9ubAgTq+whFjmC + kgYq1oJikOX1kbFGYvqZqXQqEEgiw9+h4wooQnjzfTvMw/rfDzbBH18Zc4K8CjO7 + zZYxj7o9J2VGbxBO+ZcXr5k7EaME/c9HRZ3h/bGhp1WpZH0RnOG2TDtFnh8Tszys + RTmcs9RHzHfBsqYiP6erSWbfvo0yuwHLd99zc7P+PsaHwz6xKUH7XIs+pmgNdd6v + e3aAWhsH3LseDzExsOH+gK5vvD6RYyJ7IvAPwwFW4iLe69Gg9WZyg/XVxUq0yc+u + N5/dPUFThvoEQuA9QItzGDAaLlwzHlLq8su1F0b54wKCAQBoWg7KPgMRqk+9aggM + cziQevN/TqcRPWoSvLhU+OrJl2eCicJw4/B/gsNM74aAScg22kfR+PfYIFUWf1uZ + tEtnjWpLqUB/J9+e5OV+tvGH3BSGN4IW0ZpgXBOWTYAVZ8IKioFJuCA0DU9uKKuw + Ckgfa74UUbL3r4pofoxxASAz/eq2dgwcX5dK8y7oFLRK6Z3qLsO1/6FKdPpOPY+/ + HEpIcp/sthoEc0Fa6k3caliLyUFZq+GwdZAXv3GCpNB+Zte2PE0tZTnqxajzn11v + 
qg3cN/6qOI1y2xFKmRcGuhKxf/0v9Fx3CufhSFdkeGgqnbCmC0OsfyD0FR5XFgPX + DSmNAoIBAQCxny368QKakJO+n1Lho68fFINQFUwN08WbAjWyq271ageQiYoMaLTR + Oyg0fCkkwxj2clnYvtKtV8YRTY2PiGMLNp+/tQDujNYNTAXj5R4oJ/GEQFwlM229 + yP/mtHERAfiyxA1L9dnNKvEWLf5iHOjw5l7C9UYSZdkC99prcKRdw2KaPAUO9vO7 + ephH7yodClSpnus9ELHS344Me0GAV3Qbw3l5+mOKQICmFuClC63+m9aJWra2LOl9 + xz7RJP2FJoqteXLcSiHhhPDAwdX+DyLZi2zAjPyCE41VJ605YCYc6nkuzSRPswl3 + IXVNyMs822yqhrfE5qMAic9tH8qHYt4rAoIBABsFpeSNm5rBhQtYQxagewoGfq9B + mGc8s3TrpftwL0pFCTYj06sa0HTU89DOZoRJ1m4gmNYLKzO1KdUihYHZ6/J/7BK6 + vZs+79OHBUnrrhNOrjVzILm10y7szFQjEN26Pdp+UAlr9PF9kJzjBC7VHL+fWCdv + DQs2xeuppvxmX0ZvChwKHw2uisMikb2DeoNikKnRtCcl5jJXXdeJqGMqnTP8hagh + T/RvNczeMOJ2E3fNKvwcuubLWgd31kPeYf0z+lp1gPC64b71yPm7rWqX16TIntLU + uE6aUBi35fid4nXnVJqN4B/5/IrnXJZPaaIn/+D3JAiKePBnaCQFdmLc3hw= + -----END RSA PRIVATE KEY----- + model: authentik_crypto.certificatekeypair + identifiers: + name: portal-cert +- attrs: + acs_url: https://portal.local/index.php/apps/user_saml/saml/acs + assertion_valid_not_before: minutes=-5 + assertion_valid_not_on_or_after: minutes=5 + audience: https://portal.local/index.php/apps/user_saml/saml/metadata + authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] + default_name_id_policy: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256 + invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] + issuer: https://portal.local/index.php/apps/user_saml/saml/metadata + logout_method: frontchannel_iframe + name: portal-saml + name_id_mapping: !Find [authentik_providers_saml.samlpropertymapping, [managed, goauthentik.io/providers/saml/uid]] + property_mappings: + - !Find [authentik_providers_saml.samlpropertymapping, [managed, goauthentik.io/providers/saml/upn]] + - !Find [authentik_providers_saml.samlpropertymapping, [managed, goauthentik.io/providers/saml/name]] + - !Find 
[authentik_providers_saml.samlpropertymapping, [managed, goauthentik.io/providers/saml/email]] + - !Find [authentik_providers_saml.samlpropertymapping, [managed, goauthentik.io/providers/saml/username]] + - !Find [authentik_providers_saml.samlpropertymapping, [managed, goauthentik.io/providers/saml/uid]] + - !Find [authentik_providers_saml.samlpropertymapping, [managed, goauthentik.io/providers/saml/groups]] + - !Find [authentik_providers_saml.samlpropertymapping, [managed, goauthentik.io/providers/saml/ms-windowsaccountname]] + session_valid_not_on_or_after: minutes=86400 + sign_assertion: true + signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 + signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik-cert]] + sls_binding: redirect + sp_binding: post + verification_kp: !Find [authentik_crypto.certificatekeypair, [name, portal-cert]] + conditions: [] + identifiers: + pk: 1 + model: authentik_providers_saml.samlprovider + permissions: [] + state: present +- attrs: + name: Portal + policy_engine_mode: any + provider: 1 + slug: portal + conditions: [] + identifiers: + name: portal + model: authentik_core.application + permissions: [] + state: present +- attrs: + name: User Eleven + email: user11@example.com + password: user11 + model: authentik_core.user + state: present + identifiers: + username: user11 +- attrs: + name: User Twelve + email: user12@example.com + password: user12 + model: authentik_core.user + state: present + identifiers: + username: user12 +- attrs: + name: User Thirteen + email: user13@example.com + password: user13 + model: authentik_core.user + state: present + identifiers: + username: user13 +- attrs: + name: User Twenty One + email: user21@example.com + password: user21 + model: authentik_core.user + state: present + identifiers: + username: user21 +- attrs: + name: User Twenty Two + email: user22@example.com + password: user22 + model: authentik_core.user + state: present + identifiers: + username: user22 
+- attrs:
+ name: User Twenty Three
+ email: user23@example.com
+ password: user23
+ model: authentik_core.user
+ state: present
+ identifiers:
+ username: user23
+- attrs:
+ name: User Thirty One
+ email: user31@example.com
+ password: user31
+ model: authentik_core.user
+ state: present
+ identifiers:
+ username: user31
+- attrs:
+ name: User Thirty Two
+ email: user32@example.com
+ password: user32
+ model: authentik_core.user
+ state: present
+ identifiers:
+ username: user32
+- attrs:
+ name: User Thirty Three
+ email: user33@example.com
+ password: user33
+ model: authentik_core.user
+ state: present
+ identifiers:
+ username: user33
+version: 1
diff --git a/bootstrap.sh b/bootstrap.sh
index 2d3c1819..bd653dc5 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -4,7 +4,7 @@ set -o errexit
 set -o nounset
 set -o pipefail
-APPS_TO_INSTALL=(viewer recommendations files_pdfviewer profiler hmr_enabler circles)
+APPS_TO_INSTALL=(viewer recommendations files_pdfviewer profiler hmr_enabler circles globalsiteselector)
 NEXTCLOUD_AUTOINSTALL_APPS=(viewer profiler hmr_enabler)
 SERVER_CLONE=squashed
 APPS_CLONE_FILTER=
diff --git a/docker-compose.yml b/docker-compose.yml
index c1fc34bc..656a4cbe 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -57,6 +57,7 @@ services:
 - portal${DOMAIN_SUFFIX}
 - gs1${DOMAIN_SUFFIX}
 - gs2${DOMAIN_SUFFIX}
+ - gs3${DOMAIN_SUFFIX}
 - lookup${DOMAIN_SUFFIX}
 - elasticsearch${DOMAIN_SUFFIX}
 - elasticsearch-ui${DOMAIN_SUFFIX}
@@ -85,6 +86,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: "nextcloud${DOMAIN_SUFFIX}"
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 BLACKFIRE_CLIENT_ID:
@@ -114,6 +116,7 @@ services:
 environment:
 SQL: ${SQL:-mysql}
 VIRTUAL_HOST: "nextcloud2${DOMAIN_SUFFIX}"
+ PROTOCOL: ${PROTOCOL:-https}
 PHP_XDEBUG_MODE: ${PHP_XDEBUG_MODE:-develop}
 volumes:
 - '${REPO_PATH_SERVER}:/var/www/html'
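Review bot: `key_data` for `authentik-cert` and `portal-cert` commits RSA private keys to the repository, alongside plaintext credentials for the test users (`password: user11` and the others), so every checkout of this repository instantiates the same SAML signing and verification keys. For a local compose stack that is presumably intended, but the file says nothing about it; a header comment such as `# Dev-only self-signed keypairs and throwaway test users; never reuse outside the local stack` would make the scope explicit to whoever copies the blueprint. `session_valid_not_on_or_after: minutes=86400` keeps an IdP session valid for 60 days, far beyond the `minutes=5` assertion window set next to it; worth a comment on why, or a shorter value.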
@@ -140,6 +143,7 @@ services:
 environment:
 SQL: ${SQL:-mysql}
 VIRTUAL_HOST: "nextcloud3${DOMAIN_SUFFIX}"
+ PROTOCOL: ${PROTOCOL:-https}
 PHP_XDEBUG_MODE: ${PHP_XDEBUG_MODE:-develop}
 volumes:
 - '${REPO_PATH_SERVER}:/var/www/html'
@@ -167,6 +171,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable16${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PHP_XDEBUG_MODE: ${PHP_XDEBUG_MODE:-develop}
@@ -196,6 +201,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable17${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PHP_XDEBUG_MODE: ${PHP_XDEBUG_MODE:-develop}
@@ -225,6 +231,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable18${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PHP_XDEBUG_MODE: ${PHP_XDEBUG_MODE:-develop}
@@ -254,6 +261,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable19${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PHP_XDEBUG_MODE: ${PHP_XDEBUG_MODE:-develop}
@@ -283,6 +291,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable20${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PHP_XDEBUG_MODE: ${PHP_XDEBUG_MODE:-develop}
@@ -312,6 +321,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable21${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PRIMARY: ${PRIMARY:-local}
@@ -342,6 +352,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable22${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PRIMARY: ${PRIMARY:-local}
@@ -372,6 +383,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable23${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PRIMARY: ${PRIMARY:-local}
@@ -402,6 +414,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable24${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PRIMARY: ${PRIMARY:-local}
@@ -432,6 +445,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable25${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PRIMARY: ${PRIMARY:-local}
@@ -462,6 +476,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable26${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PRIMARY: ${PRIMARY:-local}
@@ -492,6 +507,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable27${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PRIMARY: ${PRIMARY:-local}
@@ -522,6 +538,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable28${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PRIMARY: ${PRIMARY:-local}
@@ -552,6 +569,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable29${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PRIMARY: ${PRIMARY:-local}
@@ -582,6 +600,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable30${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PRIMARY: ${PRIMARY:-local}
@@ -612,6 +631,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable31${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PRIMARY: ${PRIMARY:-local}
@@ -642,6 +662,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable32${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PRIMARY: ${PRIMARY:-local}
@@ -672,6 +693,7 @@ services:
 NEXTCLOUD_AUTOINSTALL_APPS:
 WITH_REDIS: "YES"
 VIRTUAL_HOST: stable33${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
 ADDITIONAL_APPS_PATH:
 NEXTCLOUD_TRUSTED_DOMAINS:
 PRIMARY: ${PRIMARY:-local}
@@ -887,17 +909,18 @@ services:
 aliasgroup1: http://nextcloud${DOMAIN_SUFFIX}
 aliasgroup2: http://gs1${DOMAIN_SUFFIX}
 aliasgroup3: http://gs2${DOMAIN_SUFFIX}
- aliasgroup4: http://stable20${DOMAIN_SUFFIX}
- aliasgroup5: http://stable24${DOMAIN_SUFFIX}
- aliasgroup6: http://stable25${DOMAIN_SUFFIX}
- aliasgroup7: http://stable26${DOMAIN_SUFFIX}
- aliasgroup8: http://stable27${DOMAIN_SUFFIX}
- aliasgroup9: http://stable28${DOMAIN_SUFFIX}
- aliasgroup10: http://stable29${DOMAIN_SUFFIX}
- aliasgroup11: http://stable30${DOMAIN_SUFFIX}
- aliasgroup12: http://stable31${DOMAIN_SUFFIX}
- aliasgroup13: http://stable32${DOMAIN_SUFFIX}
- aliasgroup14: http://stable33${DOMAIN_SUFFIX}
+ aliasgroup4: http://gs3${DOMAIN_SUFFIX}
+ aliasgroup5: http://stable20${DOMAIN_SUFFIX}
+ aliasgroup6: http://stable24${DOMAIN_SUFFIX}
+ aliasgroup7: http://stable25${DOMAIN_SUFFIX}
+ aliasgroup8: http://stable26${DOMAIN_SUFFIX}
+ aliasgroup9: http://stable27${DOMAIN_SUFFIX}
+ aliasgroup10: http://stable28${DOMAIN_SUFFIX}
+ aliasgroup11: http://stable29${DOMAIN_SUFFIX}
+ aliasgroup12: http://stable30${DOMAIN_SUFFIX}
+ aliasgroup13: http://stable31${DOMAIN_SUFFIX}
+ aliasgroup14: http://stable32${DOMAIN_SUFFIX}
+ aliasgroup15: http://stable33${DOMAIN_SUFFIX}
 dictionaries: de_DE en_US en_GB
 username: admin
 password: admin
@@ -1033,13 +1056,16 @@ services:
 VIRTUAL_HOST: portal${DOMAIN_SUFFIX}
 SQL: 'mysql'
 GS_MODE: master
+ PROTOCOL: ${PROTOCOL:-https}
 volumes:
- - '${STABLE_ROOT_PATH}/server:/var/www/html'
- - '${STABLE_ROOT_PATH}/server/apps-extra:/var/www/html/apps-extra'
+ - '${REPO_PATH_SERVER}:/var/www/html'
+ - '${REPO_PATH_SERVER}/apps-extra:/var/www/html/apps-extra'
+ - '${ADDITIONAL_APPS_PATH:-./data/apps-extra}:/var/www/html/apps-shared'
 - /var/www/html/data
 - /var/www/html/config
 - ./data/skeleton/:/skeleton
 - ./data/additional.config.php:/var/www/html/config/additional.config.php:ro
+ - ./data/shared:/shared
 depends_on:
 - ${PROXY_SERVICE:-proxy}
 - database-${SQL:-mysql}
@@ -1052,16 +1078,23 @@ services:
 gs1:
 image: ghcr.io/juliusknorr/nextcloud-dev-php${PHP_VERSION:-82}:latest
 environment:
- VIRTUAL_HOST: gs1${DOMAIN_SUFFIX}
 SQL: 'mysql'
+ NEXTCLOUD_AUTOINSTALL: ${NEXTCLOUD_AUTOINSTALL:-YES}
+ NEXTCLOUD_AUTOINSTALL_APPS:
+ VIRTUAL_HOST: gs1${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
+ ADDITIONAL_APPS_PATH:
+ NEXTCLOUD_TRUSTED_DOMAINS:
 GS_MODE: slave
 volumes:
- - '${STABLE_ROOT_PATH}/server:/var/www/html'
- - '${STABLE_ROOT_PATH}/server/apps-extra:/var/www/html/apps-extra'
+ - '${REPO_PATH_SERVER}:/var/www/html'
+ - '${REPO_PATH_SERVER}/apps-extra:/var/www/html/apps-extra'
+ - '${ADDITIONAL_APPS_PATH:-./data/apps-extra}:/var/www/html/apps-shared'
 - /var/www/html/data
 - /var/www/html/config
 - ./data/skeleton/:/skeleton
 - ./data/additional.config.php:/var/www/html/config/additional.config.php:ro
+ - ./data/shared:/shared
 depends_on:
 - ${PROXY_SERVICE:-proxy}
 - portal
@@ -1075,16 +1108,53 @@ services:
 gs2:
 image: ghcr.io/juliusknorr/nextcloud-dev-php${PHP_VERSION:-82}:latest
 environment:
+ SQL: 'mysql'
+ NEXTCLOUD_AUTOINSTALL: ${NEXTCLOUD_AUTOINSTALL:-YES}
+ NEXTCLOUD_AUTOINSTALL_APPS:
 VIRTUAL_HOST: gs2${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
+ ADDITIONAL_APPS_PATH:
+ NEXTCLOUD_TRUSTED_DOMAINS:
+ GS_MODE: slave
+ volumes:
+ - '${REPO_PATH_SERVER}:/var/www/html'
+ - '${REPO_PATH_SERVER}/apps-extra:/var/www/html/apps-extra'
+ - '${ADDITIONAL_APPS_PATH:-./data/apps-extra}:/var/www/html/apps-shared'
+ - /var/www/html/data
+ - /var/www/html/config
+ - ./data/skeleton/:/skeleton
+ - ./data/additional.config.php:/var/www/html/config/additional.config.php:ro
+ - ./data/shared:/shared
+ depends_on:
+ - ${PROXY_SERVICE:-proxy}
+ - portal
+ - database-${SQL:-mysql}
+ - lookup
+ - redis
+ - mail
+ extra_hosts:
+ - host.docker.internal:host-gateway
+
+ gs3:
+ image: ghcr.io/juliusknorr/nextcloud-dev-php${PHP_VERSION:-82}:latest
+ environment:
 SQL: 'mysql'
+ NEXTCLOUD_AUTOINSTALL: ${NEXTCLOUD_AUTOINSTALL:-YES}
+ NEXTCLOUD_AUTOINSTALL_APPS:
+ VIRTUAL_HOST: gs3${DOMAIN_SUFFIX}
+ PROTOCOL: ${PROTOCOL:-https}
+ ADDITIONAL_APPS_PATH:
+ NEXTCLOUD_TRUSTED_DOMAINS:
 GS_MODE: slave
 volumes:
- - '${STABLE_ROOT_PATH}/server:/var/www/html'
- - '${STABLE_ROOT_PATH}/server/apps-extra:/var/www/html/apps-extra'
+ - '${REPO_PATH_SERVER}:/var/www/html'
+ - '${REPO_PATH_SERVER}/apps-extra:/var/www/html/apps-extra'
+ - '${ADDITIONAL_APPS_PATH:-./data/apps-extra}:/var/www/html/apps-shared'
 - /var/www/html/data
 - /var/www/html/config
 - ./data/skeleton/:/skeleton
 - ./data/additional.config.php:/var/www/html/config/additional.config.php:ro
+ - ./data/shared:/shared
 depends_on:
 - ${PROXY_SERVICE:-proxy}
 - portal
@@ -1099,6 +1169,7 @@ services:
 image: ghcr.io/juliusknorr/nextcloud-dev-lookupserver:latest
 environment:
 VIRTUAL_HOST: "lookup${DOMAIN_SUFFIX}"
+ PROTOCOL: ${PROTOCOL:-https}
 # volumes:
 # - '${STABLE_ROOT_PATH}/lookupserver:/var/www/html'
 extra_hosts:
@@ -1240,6 +1311,7 @@ services:
 - ./authentik-media:/media
 - ./authentik-certs:/certs
 - ./authentik-custom-templates:/templates
+ - ./authentik-blueprints:/blueprints/z_custom
 authentik:
 command: server
@@ -1256,6 +1328,7 @@ services:
 AUTHENTIK_SECRET_KEY: authentik-secret
 VIRTUAL_HOST: "authentik${DOMAIN_SUFFIX}"
 VIRTUAL_PORT: 9000
+ PROTOCOL: ${PROTOCOL:-https}
 image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.10.2}
 ports:
 - ${COMPOSE_PORT_HTTP:-9000}:9000
@@ -1263,6 +1336,7 @@ services:
 volumes:
 - ./authentik-media:/media
 - ./authentik-custom-templates:/templates
+ - ./authentik-certs:/certs
 volumes:
 data:
diff --git a/docker/bin/bootstrap.sh b/docker/bin/bootstrap.sh
index 14acab13..745aad96 100755
--- a/docker/bin/bootstrap.sh
+++ b/docker/bin/bootstrap.sh
@@ -38,7 +38,7 @@ fatal() {
 OCC() {
 output "occ" "$@"
 # shellcheck disable=SC2068
- sudo -E -u www-data php "$WEBROOT/occ" $@ | indent
+ sudo -E -u www-data php "$WEBROOT/occ" "$@" | indent
 }
 is_installed() {
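Review bot: `./authentik-blueprints:/blueprints/z_custom` is mounted read-write into the worker, and the third hunk at this line mounts `./authentik-certs:/certs` read-write into the server, although nothing in the compose file indicates authentik needs to write to either directory and the same file already uses `:ro` for `additional.config.php`. The blueprint directory holds private keys and the definitions the worker instantiates, so a writable mount lets a misbehaving container rewrite what the next startup applies; `- ./authentik-blueprints:/blueprints/z_custom:ro` and `- ./authentik-certs:/certs:ro` keep the behaviour without the write path. If authentik is expected to generate files under `/certs`, the second mount should stay writable and a comment should say so.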
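Review bot: The `# shellcheck disable=SC2068` comment directly above the changed line is now stale: SC2068 flags an unquoted `$@`, which the quoted `"$@"` on the new line no longer triggers, so the directive suppresses nothing and suggests the warning is still being ignored. Drop that comment line; if a marker is wanted, `# "$@" keeps each occ argument intact, including values containing spaces` documents the reason for the quoting instead.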
@@ -130,18 +130,53 @@ configure_gs() {
 if [ "$GS_MODE" = "master" ]
 then
- OCC app:enable globalsiteselector
+ tee /var/www/mapping.json << EOF
+{
+ "/^user1/i": "gs1${DOMAIN_SUFFIX}",
+ "/^user2/i": "gs2${DOMAIN_SUFFIX}",
+ "/^user3/i": "gs3${DOMAIN_SUFFIX}"
+}
+EOF
+
+ OCC app:enable globalsiteselector --force
 OCC config:system:set lookup_server --value "$LOOKUP_SERVER"
 OCC config:system:set gs.enabled --type boolean --value true
 OCC config:system:set gss.jwt.key --value 'random-key'
 OCC config:system:set gss.mode --value 'master'
 OCC config:system:set gss.master.admin 0 --value 'admin'
 OCC config:system:set gss.master.csp-allow 0 --value "*${DOMAIN_SUFFIX}"
+ OCC config:system:set 'gss.user.discovery.module' --value '\OCA\GlobalSiteSelector\UserDiscoveryModules\ManualUserMapping'
+ OCC config:system:set 'gss.discovery.manual.mapping.file' --value '/var/www/mapping.json'
+ OCC config:system:set 'gss.discovery.manual.mapping.regex' --type boolean --value true
+ OCC config:system:set 'gss.discovery.manual.mapping.parameter' --value 'http://schemas.goauthentik.io/2021/02/saml/username'
+ OCC app:enable user_saml --force
+ OCC config:app:set user_saml type --value 'saml'
+ OCC saml:config:set 1 --general-uid_mapping 'http://schemas.goauthentik.io/2021/02/saml/username'
+ OCC saml:config:set 1 --general-idp0_display_name 'Authentik'
+ OCC saml:config:set 1 --idp-entityId 'https://portal.local/index.php/apps/user_saml/saml/metadata'
+ OCC saml:config:set 1 --idp-singleSignOnService.url 'https://authentik.local/application/saml/portal/sso/binding/redirect/'
+ OCC saml:config:set 1 --idp-singleLogoutService.url 'https://authentik.local/if/session-end/portal/'
+ OCC saml:config:set 1 --saml-attribute-mapping-email_mapping 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
+ OCC saml:config:set 1 --saml-attribute-mapping-displayName_mapping 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
+ OCC saml:config:set 1
--saml-attribute-mapping-group_mapping 'http://schemas.xmlsoap.org/claims/Group'
+ OCC saml:config:set 1 --security-nameIdEncrypted 1
+ OCC saml:config:set 1 --sp-name-id-format 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName'
+ OCC saml:config:set 1 --sp-x509cert "'-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----'"
+ OCC saml:config:set 1 --sp-privateKey "'-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----'"
+ OCC saml:config:set 1 --idp-x509cert "'-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----'"
+ OCC saml:config:set 1 --security-signMetadata 1
+ OCC saml:config:set 1 --security-logoutResponseSigned 1
+ OCC saml:config:set 1 --security-logoutRequestSigned 1
+ OCC saml:config:set 1 --security-authnRequestsSigned 1
+ OCC saml:config:set 1 --security-wantAssertionsSigned 1
+ OCC saml:config:set 1 --security-wantNameId 1
+ OCC saml:config:set 1 --security-wantXMLValidation 1
 fi
 if [ "$GS_MODE" = "slave" ]
 then
- OCC app:enable globalsiteselector
+ OCC app:enable globalsiteselector --force
+ OCC app:disable user_oidc
 OCC config:system:set lookup_server --value "$LOOKUP_SERVER"
 OCC config:system:set gs.enabled --type boolean --value true
 OCC config:system:set gs.federation --value 'global'
@@ -225,6 +260,25 @@ configure_add_user() {
 OCC user:add --password-from-env "$1"
 }
+configure_users() {
+ # on globalscale, we create no one
+ if [ "$GS_MODE" = "master" ] || [ "$GS_MODE" = "slave" ]
+ then
+ return 0
+ fi
+
+ configure_add_user user1 &
+ configure_add_user user2 &
+ configure_add_user user3 &
+ configure_add_user user4 &
+ configure_add_user user5 &
+ configure_add_user user6 &
+ configure_add_user jane &
+ configure_add_user john &
+ configure_add_user alice &
+ configure_add_user bob &
+}
+
 install() {
 if [ -n "$VIRTUAL_HOST" ]; then
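Review bot: The `--sp-x509cert`, `--sp-privateKey` and `--idp-x509cert` values are written as `"'-----BEGIN CERTIFICATE-----…'"`, so the inner single quotes sit inside the double-quoted string and reach `occ saml:config:set` as literal characters at both ends of the PEM; unless that command strips them, the stored certificate and key are not valid PEM and the SP-side signature checks enabled a few lines below (`--security-wantAssertionsSigned 1` and friends) would fail at runtime. Dropping the inner quotes, `--sp-x509cert "-----BEGIN CERTIFICATE-----…-----END CERTIFICATE-----"`, avoids that. The PEM blocks also appear to duplicate the keypairs shipped in `authentik-blueprints/portal_saml.yaml`, so the two copies can drift silently; reading them from a file mounted into the container would keep a single source. The IdP endpoints hard-code `https://authentik.local/...` and `https://portal.local/...` while `mapping.json` a few lines earlier derives its hosts from `${DOMAIN_SUFFIX}`; because the blueprint hard-codes the same `.local` hosts, at least a comment such as `# SAML endpoints must match authentik-blueprints/portal_saml.yaml, which hard-codes the .local suffix` should record the coupling. `configure_gs` continues past the end of this hunk.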
@@ -332,17 +386,7 @@ install() {
 OCC user:setting admin settings email admin@example.net &
 INSTANCENAME=$(echo "$VIRTUAL_HOST" | cut -d '.' -f1)
 configure_add_user "${INSTANCENAME:-nextcloud}" &
- configure_add_user user1 &
- configure_add_user user2 &
- configure_add_user user3 &
- configure_add_user user4 &
- configure_add_user user5 &
- configure_add_user user6 &
- configure_add_user jane &
- configure_add_user john &
- configure_add_user alice &
- configure_add_user bob &
-
+ configure_users
 run_hook_after_install
 output "🚀 Finished setup using $SQL database…"
diff --git a/docker/configs/default.config.php b/docker/configs/default.config.php
index 685782c5..1e867185 100644
--- a/docker/configs/default.config.php
+++ b/docker/configs/default.config.php
@@ -66,6 +66,10 @@
 'log.condition' => [
 'apps' => ['diagnostics', 'admin_audit'],
 ],
+
+ // federation and globalscale to work with self-signed certificates
+ 'sharing.federation.allowSelfSignedCertificates' => true,
+ 'gss.selfsigned.allow' => true,
 ];
diff --git a/docker/lookupserver/Dockerfile b/docker/lookupserver/Dockerfile
index b72e53f8..863a8876 100644
--- a/docker/lookupserver/Dockerfile
+++ b/docker/lookupserver/Dockerfile
@@ -17,6 +17,7 @@ RUN echo 'mariadb-server mysql-server/root_password password $DBPASSWD' | debcon
 mariadb-server \
 mariadb-client \
 cron \
+ composer \
 unzip && \
 rm -rf /var/lib/apt/lists/*
@@ -24,6 +25,7 @@ RUN echo 'mariadb-server mysql-server/root_password password $DBPASSWD' | debcon
 RUN cd /root/ && \
 unzip lookup-server.zip && \
 rm /var/www/html/index.html && \
+ composer u --working-dir lookup-server-master/server/ --ignore-platform-req=ext-* && \
 mv lookup-server-master/server/* /var/www/html/ && \
 cp lookup-server-master/server/.htaccess /var/www/html/ && \
 mv lookup-server-master/mysql.dmp /root/ && \
diff --git a/docker/lookupserver/config.php b/docker/lookupserver/config.php
index 37a8063c..3bdc45b8 100644
--- a/docker/lookupserver/config.php
+++ b/docker/lookupserver/config.php
@@ -14,8 +14,15 @@
 // error verbose
 'ERROR_VERBOSE' => true,
- // logfile
- 'LOG' => '/tmp/lookup.log',
+ 'LOG' => [
+ 'ENABLED' => true,
+ 'LEVEL' => 0,
+ 'FILE' => __DIR__ . '/../lookup.log',
+ 'FILE_MODE' => 0640,
+ 'DATE_FORMAT' => 'Y-m-d H:i:s',
+ 'DATE_TIMEZONE' => 'UTC',
+ 'HIDE_BACKTRACE' => false,
+ ],
 // replication logfile
 'REPLICATION_LOG' => '/tmp/lookup_replication.log',
From ceeb291adbab03fae1ce4f3d92951dc36efb2b64 Mon Sep 17 00:00:00 2001
From: Carl Schwan
Date: Mon, 20 Apr 2026 12:22:50 +0200
Subject: [PATCH 2/2] Add support for using SSO without global scale
Signed-off-by: Carl Schwan
---
 authentik-blueprints/nextcloud_saml.yaml | 298 +++++++++++++++++++++++
 docker/bin/bootstrap.sh | 73 ++++--
 docs/services/sso.md | 2 +-
 3 files changed, 350 insertions(+), 23 deletions(-)
 create mode 100644 authentik-blueprints/nextcloud_saml.yaml
diff --git a/authentik-blueprints/nextcloud_saml.yaml b/authentik-blueprints/nextcloud_saml.yaml
new file mode 100644
index 00000000..c13b5ef0
--- /dev/null
+++ b/authentik-blueprints/nextcloud_saml.yaml
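Review bot: `sharing.federation.allowSelfSignedCertificates` and `gss.selfsigned.allow` both, going by their names, make the federation and global-scale HTTP clients accept self-signed peer certificates, and because this is the image's default config every container built from it inherits that relaxation. The comment should say what is traded away and why it is acceptable in this environment rather than only what the keys are for: `// local dev only: the containers use self-signed certificates, so federation and globalscale clients do not verify the peer certificate chain`. If the image is ever reused outside the compose stack, these two keys are the ones to revisit first, which is worth naming in the comment.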
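Review bot: `composer u` is `composer update`, which re-resolves every dependency at build time and rewrites any lock file shipped in `lookup-server-master/server/`, so two builds of this Dockerfile can end up with different dependency versions. If the upstream zip carries a `composer.lock`, `composer install --no-dev --prefer-dist --working-dir lookup-server-master/server/ --ignore-platform-req=ext-*` installs the pinned set instead; if it does not, a comment should say that the build intentionally floats. `--ignore-platform-req=ext-*` additionally silences every missing PHP extension at build time, so an extension a dependency really needs will only fail at runtime; installing the required extensions and dropping the flag, or listing the intentionally absent ones in a comment, would make that visible.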
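Review bot: `'LEVEL' => 0` together with `'HIDE_BACKTRACE' => false` looks like the most verbose setting with stack traces in the log; the meaning of level 0 is not visible here and should be checked against the lookup server's logger, and since this service stores user lookup data a comment should say what ends up in the file at that level. The path `__DIR__ . '/../lookup.log'` resolves one directory above wherever config.php is deployed, presumably `/var/www/lookup.log` given the Dockerfile moves the server into `/var/www/html/`; a comment such as `// one level above the document root so the log is never served` records that intent and protects it if config.php is moved later.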
@@ -0,0 +1,298 @@ +metadata: + name: "nextcloud.local SAML" + labels: + blueprints.goauthentik.io/instantiate: "true" +context: {} +entries: +- attrs: + name: Authentik + certificate_data: | + -----BEGIN CERTIFICATE----- + MIIE5DCCAsygAwIBAgIQQwV9AoKySzWn+vejIypIhzANBgkqhkiG9w0BAQsFADAe + MRwwGgYDVQQDDBNhdXRoZW50aWsgMjAyNS4xMC4yMB4XDTI2MDMwNzEyNTcyNloX + DTM2MDMwNTEyNTcyNlowPjESMBAGA1UEAwwJQXV0aGVudGlrMRIwEAYDVQQKDAlh + dXRoZW50aWsxFDASBgNVBAsMC1NlbGYtc2lnbmVkMIICIjANBgkqhkiG9w0BAQEF + AAOCAg8AMIICCgKCAgEAwIeRHlF5eL7ZX11oNhR4hfztwHKdl4G6hhyDo3cxIRN8 + YUVk3IXfpGzR1U7IsnqenrsNzLk//Nw15lpx4Mxr4hsyCzKksKPD5+aNy3otRQbK + POL5Fh5m9M7WxiP/uA7xkk1l5tj8ae6Lu6wnK6T4NkePSoBD3tK8NY6nOm4r04r+ + fWjLNc24RpX+rKZL/YPDgCYaAkooBAoXL9Dcs/RHCfPIgyeGL0YxhyZKFV+kUgQp + GQYCZMdvR7waBe7rAK98y47GyQjeVIG/bRu9E/iq0rqwMAgq9rLTgUg0ZieIF1aZ + KeoS3bLaXvFDSzr8N2fR7ktkdsyyCqNrUg80n7cY5XKeaVefW2Qub1gj9uzuoyEU + 2NpzF+L9cbw0kDr5UtsCLwbdKvgQkJ9ATNWUI6EO061mRm7Ty4TyZpAY2klsvDqV + bpd/OBl7LWfTaDcxaXaN0mwEv31LkPWmeecVJcqOx26NwFn1WE91cKzlv1atkuDQ + 8f0xX/RB2GbOSNNyRBViiw5LZUZEnTznOP+orZ8XLqQh6cUYm3KaaskjF+YRCZe0 + GEKgw8+Oz4Hm82gEww0y9JRguxINn3L9C1WP/X3bWbHi9kiG3Z0BUGHM5Sek2NEf + R4HJ6IhQAQwzcosqpiOl4Z7dp6PWJaobjdg2gC2B1ZJXQ18pXtNrvgS88pWenDUC + AwEAATANBgkqhkiG9w0BAQsFAAOCAgEAlj2kVi1yKemMsWAKDmWWPXUmKthvU4i8 + tortBPGKf1ndLZ1doxGhb8hUjFnaupMRG9RgQbehslLVxcIHXYGBmaiiFuAOk3HN + GxBZtrCjlaSYDcuKPiM7Ey+gF6Ec5giix4vL/YFPv95gngvMxDrRsGsnyHgB/Cju + 5IcriJ0DfoGn/VSj+nxCdj2Ju+utyMaXEYM85I5/9c5VyB401gy7FoMkPiqA4kLs + r5JhO391R+1hpjcNLbRrUnHmjLsZyGc2paGSD/Rw2dAwOjuG8BuLa+TPrj4/3Y5e + 2jtGNAF8bHDvLaj+sCPTjm1zmrAkI7jANQ5/hywbmpoSK8Y59OpeyoJqMwLWfLXP + 7xFEzG7Ovdo/EXOnypcwrPF8keitl7umwAdBkob+ki5REb02Ya7bFwtnbDcsTMfA + FDnZfvScUAeBKNJ4uOlS0qQJja/2YP5+9uNuAXAv5/lEEbgMctURG7LdBH5XQNI3 + E/TjdJhFvV1D4exmhywbdwNBrQVaMP/FXM7cciIqFnuiRX4N+QqhH9oYpFHlGRyb + nsfniK20UyatEVNzx7rIB9WLKOKgT8iHTj6JnMLEPlCnQNnSmd9itmPBDJspohQG + IkOzQf9at5Xeg1XEn5AjSaGQYFV+G/+gjiG4sO5/o0Nwyc8PXwF42uryX88qqDJJ + MokbVpVDSPY= + -----END 
CERTIFICATE----- + key_data: | + -----BEGIN RSA PRIVATE KEY----- + MIIJKQIBAAKCAgEAwIeRHlF5eL7ZX11oNhR4hfztwHKdl4G6hhyDo3cxIRN8YUVk + 3IXfpGzR1U7IsnqenrsNzLk//Nw15lpx4Mxr4hsyCzKksKPD5+aNy3otRQbKPOL5 + Fh5m9M7WxiP/uA7xkk1l5tj8ae6Lu6wnK6T4NkePSoBD3tK8NY6nOm4r04r+fWjL + Nc24RpX+rKZL/YPDgCYaAkooBAoXL9Dcs/RHCfPIgyeGL0YxhyZKFV+kUgQpGQYC + ZMdvR7waBe7rAK98y47GyQjeVIG/bRu9E/iq0rqwMAgq9rLTgUg0ZieIF1aZKeoS + 3bLaXvFDSzr8N2fR7ktkdsyyCqNrUg80n7cY5XKeaVefW2Qub1gj9uzuoyEU2Npz + F+L9cbw0kDr5UtsCLwbdKvgQkJ9ATNWUI6EO061mRm7Ty4TyZpAY2klsvDqVbpd/ + OBl7LWfTaDcxaXaN0mwEv31LkPWmeecVJcqOx26NwFn1WE91cKzlv1atkuDQ8f0x + X/RB2GbOSNNyRBViiw5LZUZEnTznOP+orZ8XLqQh6cUYm3KaaskjF+YRCZe0GEKg + w8+Oz4Hm82gEww0y9JRguxINn3L9C1WP/X3bWbHi9kiG3Z0BUGHM5Sek2NEfR4HJ + 6IhQAQwzcosqpiOl4Z7dp6PWJaobjdg2gC2B1ZJXQ18pXtNrvgS88pWenDUCAwEA + AQKCAgAGEJ81LcreT2DInMgqH/X1/pQ8wj+NpMQL8n0BGsGc8aCy7b0yJzN22gi4 + J/2xhaRWirzyDInj/Mnj4kiBFN93JXUrniJLADWtKfmghc5EROT9Cwdet4F1x8hD + QKIPGcVpXu/NWFuHOMEFHfSz7sP07ccpSSYaMFhGdaJ1+D+AL/o5WCJCpSLfcl0t + 8iUlrM9tS4X5OX3ONsUpN/Kj5peQTDIuU4HqHlN0FvQxfSxPexsSUzqjExdB0r6d + Hjwf7udHAE3pylI6pkWx+bQ4m1ZCQihHsxIraFG6WlxwNWGXnp4/kESc4EP5xq7g + gVCtrCMUVyKojWU0aZZ5ZMo7F8j8b0mJkgK7VmmKpnFsTGHYQCapy65p0zWoWibp + jweMbiptyWvbyyEPjGV4ygkFZ/dDG2iEwtibabu1Yd2fUY1DweNIHzBt94w7rjKP + dmGloXqANBdXFhNOWnaz3UX8oBIXdOx4MoKb86H6S080k0cccpqGOM+D7sMAO95i + h8aJ4x59VpyT8a4Xrryy7DCruZIAYzjLeO0XCI+o/Zo3Yh0Cb+Cz0WWMF4zyRB7O + /2dNulGD3XjkJyAt/S1EKJLYQZzXzuq9tdtRffYb7DsiRQye2+ny9Od0dCjwmDLQ + AF2OlqjPfo5hi2ZWxpr78BUD5jMzmzVC/Wr4qPVBWMeWCUhXAQKCAQEA+6DpQuVT + 2fzCMLtoiPOB7s2akvT/ovfYJhYB1ZA6e1KlY9in0/mxRg4iRROuYCSa0tIw/NGs + TYV51Rl7Ij0fpwD5E3vbkSZNbxbrVasvKgAUBG7eVhORZvkrzoosFzbyWAWwCxVg + j9uTtyizbK8elPWfrYe3EUW1Zjh1+0pG0cOgxoatN9iuFocsWovNSA+QwBPVr9nx + YYAtOhG/UCjj8zWfPe74YvocfgDJEMc0Tti/BabMYipL1TYXAVZnvr/XlyyukF0V + ukoCSG0GkHCbq9XDtzryrj98AkLD9UJlGsd7pxLQD7TDyjpx9miIE5+2GgMQNOVY + 2PJqroRj8vZZgQKCAQEAw9/R2ohiyWM0/7gSqWddtZsi9NHrKRV248XucS1kyzZF + 
RNIkKGKtUcDeTZCV3hC3IK93jAC5zbMYTr5/D80ts2GeEU5M+SXJyLfRZRNmvOHb + GXWeBGNIj3ndsST/RgJkbmU0VTkRM11cFlnMTbrIpwA7w3NBT73zZu7uSmofp6SP + /r4EGVREXBUSLUEYW8aVXnu7tHRMvMIB4cAwbi2E84cBKLvHMivw8gifftJHzMS0 + CkLwHGjch/u8vANq6NJLorwnh21hTVgmEQ8070IjaUN0bu7Ey5HSNlgS8ToJ088Q + q/swo3V+xg4NzLrv881wVHJuejBr6n0B/OL1E5NUtQKCAQEAt74YlzC+uj9Hzi4L + d3XZO3gHl6gvw+EXhTgsvrZC/iqreu2KH9AFExLfE3H7s1kHdUrnWrYBC9qbzHB+ + 6dGYe2rKdt/KxYMiqCwkTLpkBldoRpRu5owDcR4iTv+2kn0dGgmNM4q4qFO+2dBu + tL5rpnp1z1F67LHqdGpmPMlQTXx8uns9obon5Wtvh+7uR+CV4qyZLYAIMxpV7EFp + Yi95xO8zCRanah8ZDymjqQzNtYWwd4AFXulj1p1YzzE5MKEF3O5Tyjcu1omUgS6b + zH1uL1w5PmNdMsBI3Z3DWiTRj2x7btTd+ZoWHmXvMe/C7hGB+BykiPuwlTrvi+BA + 2/noAQKCAQAex/6XhBVaJo/+m7O7EXZlgrK0nISDGU9srf8xo/uR/75U+V0bR56L + GW8V62HR2vicV1bHFpocXEe2oDMhjZHf/bg0agSopqqWM2ThqHHdvvSKhLRHZj7R + 5UnUe8bt/pQ/0QGvXt94HfTJwmTb1j2QGPZLWcJqwKQOif/Ci/jbhH3of33vaRGx + EtKfb/pe+c8hYPp3ektQ4oAfNO+ncNnS12V0PEYqeUNNFdPSv0LvR/4vGqPXIxd8 + +y+GsFbNrbabJUxk+OhwmiipR6V+7/rWoPYcNMOSZiENzzty0zcWJRUuobPcDCvW + /gBnKv1oZ+F+M9lutEtRN0Hnttbis6V9AoIBAQC/haMEUmvpAVJNUzRRSBoPTEB2 + 8KZFEaW5+NgBcrbT9p6cHnVByBfqa0fdp88BgJh7gWzzbL6pPxUcKK6/2BjcQJfj + gANvZVbvY5k9ygg2u2TQwcGt4UVP7SoyfbiQgruMMCVmI8TYAq31IiccE8vhyw2a + mhBClkVp5Xwc+7secANvNpPDmp5MSwHMTtYfgcOJhriIwMoJzkFeIq7TA0OEVjUy + eiIyMe3ewgYJ0GlsvvxuNt4hDKIvJKn5/dxQryTCLKs06OXjlUc/xOo5XLhuhlAS + iZVHJo30cIDzna1O3TgXVRO60rwTxWoxieW/kTZqN8VDG9H7D4Me+vdCZNNU + -----END RSA PRIVATE KEY----- + model: authentik_crypto.certificatekeypair + identifiers: + name: authentik-cert +- attrs: + name: Nextcloud + certificate_data: | + -----BEGIN CERTIFICATE----- + MIIE4TCCAsmgAwIBAgIQJqHXZY3HTR67OsquzTBqmzANBgkqhkiG9w0BAQsFADAe + MRwwGgYDVQQDDBNhdXRoZW50aWsgMjAyNS4xMC4yMB4XDTI2MDMwNzEyNTcwNFoX + DTM2MDMwNTEyNTcwNFowOzEPMA0GA1UEAwwGUG9ydGFsMRIwEAYDVQQKDAlhdXRo + ZW50aWsxFDASBgNVBAsMC1NlbGYtc2lnbmVkMIICIjANBgkqhkiG9w0BAQEFAAOC + Ag8AMIICCgKCAgEAuvRuB3P2Si4QwkiARQTxx9B8MEiI6UBjyFHQlOwfi9366mG+ + /MYu7OqDfmFPMYBjxjGL61DSqs0EZCZF3urg8XPrfSNBpkFQ29vGBaUqodDo6xDg + 
CKulaEMc+ROJA2/JQ2i5/rgFEpMdr89ty5AyTucdPpKAlmg5z1aIqVx6O0CPpSjP + KIXYLUZATCCD4yBGcPkwwvNEx1gL4O1zTA3oPJmYXMQGEHjxL7MCjBhKp8Kz1rjP + MIMY6EU6ng4P2pI0L3gyiZSff0+xHJrT5X5Z5K20A+qsy6iUzs97fvRYWAA4LYJN + cdwms7a/EPv0BBIGisC76WYIKX0WwgnYbEtkN7Xn7BfQcdMJA9z4C8VrFrQClhAF + swEGHLAvCZ+tCPPbPG5Z5KAe18U5JNECv1L3xbTRO6gi1+qIbfMPQZfkotzYPaIU + ab42LR97MMIidVCcTeXcSXi7pWJ57qDqsy+aSGclsIM/7EyyuWyX4KSbCfB+C4WA + TC8nI+l2aVff3A6viJx4k2bVQ0JWdPPz2RB85zjkBNPOC2e+UtXPM1s8sJVAyRUO + IvHvWGmw/cCsqdb4bV6iWT+6F+i0Hb79O5ZN+s6Kej3pYPDIAHmaGqNSLyeWERPG + aQZIZTCvGgmILYEwDoiVmuEi2Ks2b9kDl/wAiMYQtjh2ZUTnaaiF/zeDjIcCAwEA + ATANBgkqhkiG9w0BAQsFAAOCAgEAj/vF3Q2EDKb7bOLaIINe1oqvG031UzC5vAUC + IutjjQc8HdE7n5+3Jd6FAH9NALmTrvLz10n07xUaoSIoB8m9vydglnKgHMOd/Jg/ + 4VYX+pwEqInNLUd3Ep5y57KwQ3eCg2kzeEHCiacg2DgmbpW2xyGfnJbsq1IDyyY6 + hyDq8yvzDmetuLd3FGpNYv0NIiMrWLcy8+h2H3HCgNs1A179VvoHV+8QW9kGbTmy + f/JLx4O4APD5QUX3vEgkp2yzFWIPaUuNkcpOddB7kYFcAxA620kICDw5t7yylmBZ + aamAK2o8tAKAhJ/KixZfj1J2t9BK4pDrPeulOTdhDA3vuao2LXmfP4PUakV7yY1W + 7YVftwNasY2RXCh+RkIhEABL98VdfRyxTo5pi6KoqMOYVp5/pRNZ6H2Zmpyb8pUZ + cBoBHFudoZ/NN5FyuUUk1leX29Ce96YudH4K/e3X+IWiwTBKpQyguYOD4Sh21NmI + LFKF2w+9C4heoaFTD+CBoGAilR+4N/RPHlKf6pC5r1XteG+UWtmkHA+BZVt2eOPL + laU25MeoifoFGGm6/Rn4QAbDTYPLpFH4GXc8/S1tqrVYZeeSmfVD66Y1Ew8FB6Sz + X1HjruX/JewD4aCTJgYBPhS+OJ93in1XYHJd8of21GuePTBHg8fgg/p2yzUB1+ST + lUraqIM= + -----END CERTIFICATE----- + key_data: | + -----BEGIN RSA PRIVATE KEY----- + MIIJKAIBAAKCAgEAuvRuB3P2Si4QwkiARQTxx9B8MEiI6UBjyFHQlOwfi9366mG+ + /MYu7OqDfmFPMYBjxjGL61DSqs0EZCZF3urg8XPrfSNBpkFQ29vGBaUqodDo6xDg + CKulaEMc+ROJA2/JQ2i5/rgFEpMdr89ty5AyTucdPpKAlmg5z1aIqVx6O0CPpSjP + KIXYLUZATCCD4yBGcPkwwvNEx1gL4O1zTA3oPJmYXMQGEHjxL7MCjBhKp8Kz1rjP + MIMY6EU6ng4P2pI0L3gyiZSff0+xHJrT5X5Z5K20A+qsy6iUzs97fvRYWAA4LYJN + cdwms7a/EPv0BBIGisC76WYIKX0WwgnYbEtkN7Xn7BfQcdMJA9z4C8VrFrQClhAF + swEGHLAvCZ+tCPPbPG5Z5KAe18U5JNECv1L3xbTRO6gi1+qIbfMPQZfkotzYPaIU + ab42LR97MMIidVCcTeXcSXi7pWJ57qDqsy+aSGclsIM/7EyyuWyX4KSbCfB+C4WA + 
TC8nI+l2aVff3A6viJx4k2bVQ0JWdPPz2RB85zjkBNPOC2e+UtXPM1s8sJVAyRUO + IvHvWGmw/cCsqdb4bV6iWT+6F+i0Hb79O5ZN+s6Kej3pYPDIAHmaGqNSLyeWERPG + aQZIZTCvGgmILYEwDoiVmuEi2Ks2b9kDl/wAiMYQtjh2ZUTnaaiF/zeDjIcCAwEA + AQKCAgADpRq9ZnWERpfG64TPXDVznqaxdX75DCchnAa9b3yOf86i0Mw/yAzY1Akh + VcjiJckymgPkeatS3jwiv7mcNc20HuOnAMuAEiuHrL/HvbqhDdGDHET7hCjti5fT + jGqfCZkrmlhNcytre0n+4cQGo1JEkwOeBAX/pHBMGVtnaE1+koIx6XkbJp2vsASt + 90gOL9Si88N14QgLL7X/1/rn4mz+s5oMMcJ0gilDxK0Ho0VWrZQtWyGWcs9YChXC + WYQaJVn6lIxowgI9zIVr3oyhuTQ/Mx76baMirVqabzfOooH+bcO7sYrMdm0k39WB + ihCHdFH6/587VuT7tdNtOqXHBJpWoY18jwyYfIUFlrvQq783Yz2FtJ+EqIxbZRS8 + oHTjioi54j6S2TBMdjO2XC9Nrv1wb+FKDciAeQOD4vZceMnrezc/jzJPythBxX/w + SvxnaDyliRebybE71Je3m/esLyvTNQUBjEeRdXDwYakgwCFc6WanQL8y4N1fxdU0 + 7hGf/D+GRWmhFL7/mBc8nrOf2n6r5sa0HPvXakuPFD8+yUHWJleh9Xa6BGw2VEse + 3okt0Wd9lIi4UprdKrrE8Xs3SKaTQhBGMawCQ3Du3Mk9kk7NUR6tmW2XoLvt61TL + JBcG5QitwnddTDXR2rDKE1WHBEg8rLAy7K/BYMttEtjBnvQ7MQKCAQEA8GRFsAKR + QHgW484yd99KVZuhP1w2K5yBeP4lnHgcUGUU689FyifytpL4xX1jzSSHmJM0WM4M + HzVmPXbTrHTY5l7X682cB5keEjMiIMbVmNZG8oLuiWe8tVxseNeptkOuo0G7oYch + cwGWjNQPBBgU5FihnVsWA5Foly80s1ZeuphetEiyDJ0A/FeEyP0BwFNMUKIZXWPe + XTo8jaLYyAUyGgOVs/r8QKg3oXCo8gbwAsB0El4+wk7i5sXah+GTvYM+uH0THoSK + 5thgeeEbxRKmVPHxddQ+/A3lJTHJIAknwsMPFw8qlbZdNXHGXM8wRLrNr8k7c4oq + /O6gqYADSPp0DQKCAQEAxxfxk/+NKWleBbtKyp3lk0zvM+ZTYw9ubAgTq+whFjmC + kgYq1oJikOX1kbFGYvqZqXQqEEgiw9+h4wooQnjzfTvMw/rfDzbBH18Zc4K8CjO7 + zZYxj7o9J2VGbxBO+ZcXr5k7EaME/c9HRZ3h/bGhp1WpZH0RnOG2TDtFnh8Tszys + RTmcs9RHzHfBsqYiP6erSWbfvo0yuwHLd99zc7P+PsaHwz6xKUH7XIs+pmgNdd6v + e3aAWhsH3LseDzExsOH+gK5vvD6RYyJ7IvAPwwFW4iLe69Gg9WZyg/XVxUq0yc+u + N5/dPUFThvoEQuA9QItzGDAaLlwzHlLq8su1F0b54wKCAQBoWg7KPgMRqk+9aggM + cziQevN/TqcRPWoSvLhU+OrJl2eCicJw4/B/gsNM74aAScg22kfR+PfYIFUWf1uZ + tEtnjWpLqUB/J9+e5OV+tvGH3BSGN4IW0ZpgXBOWTYAVZ8IKioFJuCA0DU9uKKuw + Ckgfa74UUbL3r4pofoxxASAz/eq2dgwcX5dK8y7oFLRK6Z3qLsO1/6FKdPpOPY+/ + HEpIcp/sthoEc0Fa6k3caliLyUFZq+GwdZAXv3GCpNB+Zte2PE0tZTnqxajzn11v + 
qg3cN/6qOI1y2xFKmRcGuhKxf/0v9Fx3CufhSFdkeGgqnbCmC0OsfyD0FR5XFgPX + DSmNAoIBAQCxny368QKakJO+n1Lho68fFINQFUwN08WbAjWyq271ageQiYoMaLTR + Oyg0fCkkwxj2clnYvtKtV8YRTY2PiGMLNp+/tQDujNYNTAXj5R4oJ/GEQFwlM229 + yP/mtHERAfiyxA1L9dnNKvEWLf5iHOjw5l7C9UYSZdkC99prcKRdw2KaPAUO9vO7 + ephH7yodClSpnus9ELHS344Me0GAV3Qbw3l5+mOKQICmFuClC63+m9aJWra2LOl9 + xz7RJP2FJoqteXLcSiHhhPDAwdX+DyLZi2zAjPyCE41VJ605YCYc6nkuzSRPswl3 + IXVNyMs822yqhrfE5qMAic9tH8qHYt4rAoIBABsFpeSNm5rBhQtYQxagewoGfq9B + mGc8s3TrpftwL0pFCTYj06sa0HTU89DOZoRJ1m4gmNYLKzO1KdUihYHZ6/J/7BK6 + vZs+79OHBUnrrhNOrjVzILm10y7szFQjEN26Pdp+UAlr9PF9kJzjBC7VHL+fWCdv + DQs2xeuppvxmX0ZvChwKHw2uisMikb2DeoNikKnRtCcl5jJXXdeJqGMqnTP8hagh + T/RvNczeMOJ2E3fNKvwcuubLWgd31kPeYf0z+lp1gPC64b71yPm7rWqX16TIntLU + uE6aUBi35fid4nXnVJqN4B/5/IrnXJZPaaIn/+D3JAiKePBnaCQFdmLc3hw= + -----END RSA PRIVATE KEY----- + model: authentik_crypto.certificatekeypair + identifiers: + name: nextcloud-cert +- attrs: + acs_url: https://nextcloud.local/index.php/apps/user_saml/saml/acs + assertion_valid_not_before: minutes=-5 + assertion_valid_not_on_or_after: minutes=5 + audience: https://nextcloud.local/index.php/apps/user_saml/saml/metadata + authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] + default_name_id_policy: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256 + invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] + issuer: https://nextcloud.local/index.php/apps/user_saml/saml/metadata + logout_method: frontchannel_iframe + name: nextcloud-saml + name_id_mapping: !Find [authentik_providers_saml.samlpropertymapping, [managed, goauthentik.io/providers/saml/uid]] + property_mappings: + - !Find [authentik_providers_saml.samlpropertymapping, [managed, goauthentik.io/providers/saml/upn]] + - !Find [authentik_providers_saml.samlpropertymapping, [managed, goauthentik.io/providers/saml/name]] + - !Find 
[authentik_providers_saml.samlpropertymapping, [managed, goauthentik.io/providers/saml/email]] + - !Find [authentik_providers_saml.samlpropertymapping, [managed, goauthentik.io/providers/saml/username]] + - !Find [authentik_providers_saml.samlpropertymapping, [managed, goauthentik.io/providers/saml/uid]] + - !Find [authentik_providers_saml.samlpropertymapping, [managed, goauthentik.io/providers/saml/groups]] + - !Find [authentik_providers_saml.samlpropertymapping, [managed, goauthentik.io/providers/saml/ms-windowsaccountname]] + session_valid_not_on_or_after: minutes=86400 + sign_assertion: true + signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 + signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik-cert]] + sls_binding: redirect + sp_binding: post + verification_kp: !Find [authentik_crypto.certificatekeypair, [name, nextcloud-cert]] + conditions: [] + identifiers: + pk: 1 + model: authentik_providers_saml.samlprovider + permissions: [] + state: present +- attrs: + name: Portal + policy_engine_mode: any + provider: 1 + slug: nextcloud + conditions: [] + identifiers: + name: nextcloud + model: authentik_core.application + permissions: [] + state: present +- attrs: + name: User Eleven + email: user11@example.com + password: user11 + model: authentik_core.user + state: present + identifiers: + username: user11 +- attrs: + name: User Twelve + email: user12@example.com + password: user12 + model: authentik_core.user + state: present + identifiers: + username: user12 +- attrs: + name: User Thirteen + email: user13@example.com + password: user13 + model: authentik_core.user + state: present + identifiers: + username: user13 +- attrs: + name: User Twenty One + email: user21@example.com + password: user21 + model: authentik_core.user + state: present + identifiers: + username: user21 +- attrs: + name: User Twenty Two + email: user22@example.com + password: user22 + model: authentik_core.user + state: present + identifiers: + 
username: user22
+- attrs:
+ name: User Twenty Three
+ email: user23@example.com
+ password: user23
+ model: authentik_core.user
+ state: present
+ identifiers:
+ username: user23
+- attrs:
+ name: User Thirty One
+ email: user31@example.com
+ password: user31
+ model: authentik_core.user
+ state: present
+ identifiers:
+ username: user31
+- attrs:
+ name: User Thirty Two
+ email: user32@example.com
+ password: user32
+ model: authentik_core.user
+ state: present
+ identifiers:
+ username: user32
+- attrs:
+ name: User Thirty Three
+ email: user33@example.com
+ password: user33
+ model: authentik_core.user
+ state: present
+ identifiers:
+ username: user33
+version: 1
diff --git a/docker/bin/bootstrap.sh b/docker/bin/bootstrap.sh
index 745aad96..94174d5a 100755
--- a/docker/bin/bootstrap.sh
+++ b/docker/bin/bootstrap.sh
@@ -46,6 +46,10 @@ is_installed() {
 [[ "$STATUS" = *"installed: true"* ]]
 }
+is_service_running() {
+ getent hosts "$1" > /dev/null 2>&1
+}
+
 update_permission() {
 chown -R www-data:www-data "$WEBROOT"/apps-writable
 chown -R www-data:www-data "$WEBROOT"/data
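Review bot: The `nextcloud-cert` keypair carries `key_data` although the blueprint only references it as `verification_kp`; validating the SP's signatures needs the certificate alone, so the SP private key (the same RSA key the bootstrap script passes to `--sp-privateKey`) does not have to be imported into authentik and should be dropped from that entry. The provider is pinned with `identifiers: pk: 1`; if `portal_saml.yaml` from the first patch pins the same pk, both blueprints are labelled `instantiate: "true"` and the second one applied would rewrite the first's provider, which a name-based identifier (`identifiers: name: nextcloud-saml`, with the application using `provider: !Find [authentik_providers_saml.samlprovider, [name, nextcloud-saml]]`) would avoid. The application entry still reads `name: Portal` under `slug: nextcloud`, which looks like a leftover from the portal blueprint.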
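Review bot: `is_service_running` only tests that `getent hosts "$1"` resolves the name; it does not check that anything is listening, so the function name promises more than it delivers, and the caller in `configure_saml` passes `authentik-postgresql` rather than the authentik server it actually depends on. A comment would keep the next reader from using it as a liveness probe: `# true when "$1" resolves in the compose network (the service is part of this stack); does not check that it accepts connections`. If a real readiness check is wanted, the database wait loop above `configure_saml` is the pattern to mirror.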
@@ -117,6 +121,52 @@ wait_for_other_containers() {
 [ $? -eq 0 ] && output "✅ Database server ready"
 }
+configure_saml() {
+ if [[ "$IS_STANDALONE" = "true" ]]; then
+ return 0
+ fi
+
+ if [ "$GS_MODE" = "slave" ]; then
+ return 0
+ fi
+
+ if ! is_service_running "authentik-postgresql"; then
+ output "⏭ Skipping SAML configuration (authentik not running)"
+ return 0
+ fi
+
+ OCC app:enable user_saml --force
+ OCC config:app:set user_saml type --value 'saml'
+
+ if [ "$GS_MODE" = "master" ]; then
+ OCC saml:config:set 1 --idp-singleSignOnService.url 'http://authentik.local/application/saml/portal/sso/binding/redirect/'
+ OCC saml:config:set 1 --idp-singleLogoutService.url 'http://authentik.local/if/session-end/portal/'
+ OCC saml:config:set 1 --idp-entityId 'https://portal.local/index.php/apps/user_saml/saml/metadata'
+ else
+ OCC saml:config:set 1 --idp-singleSignOnService.url 'http://authentik.local/application/saml/nextcloud/sso/binding/redirect/'
+ OCC saml:config:set 1 --idp-singleLogoutService.url 'http://authentik.local/if/session-end/nextcloud/'
+ OCC saml:config:set 1 --idp-entityId 'https://nextcloud.local/index.php/apps/user_saml/saml/metadata'
+ fi
+
+ OCC saml:config:set 1 --general-uid_mapping 'http://schemas.goauthentik.io/2021/02/saml/username'
+ OCC saml:config:set 1 --general-idp0_display_name 'Authentik'
+ OCC saml:config:set 1 --saml-attribute-mapping-email_mapping 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
+ OCC saml:config:set 1 --saml-attribute-mapping-displayName_mapping 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
+ OCC saml:config:set 1 --saml-attribute-mapping-group_mapping 'http://schemas.xmlsoap.org/claims/Group'
+ OCC saml:config:set 1 --security-nameIdEncrypted 1
+ OCC saml:config:set 1 --sp-name-id-format 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName'
+ OCC saml:config:set 1 --sp-x509cert "'-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----'"
+ OCC saml:config:set 1 --sp-privateKey "'-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----'"
+ OCC saml:config:set 1 --idp-x509cert "'-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----'"
+ OCC saml:config:set 1 --security-signMetadata 1
+ OCC saml:config:set 1 --security-logoutResponseSigned 1
+ OCC saml:config:set 1 --security-logoutRequestSigned 1
+ OCC saml:config:set 1 --security-authnRequestsSigned 1
+ OCC saml:config:set 1 --security-wantAssertionsSigned 1
+ OCC saml:config:set 1 --security-wantNameId 1
+ OCC saml:config:set 1 --security-wantXMLValidation 1
+}
+
 configure_gs() {
 OCC config:system:set lookup_server --value=""
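Review bot: The SSO and SLO endpoints are written as `http://authentik.local/...` while `idp-entityId` here and the ACS and audience in the blueprint stay on `https://`; with the redirect binding the browser on the https Nextcloud page is then sent to a plain-http origin and the authentik login, including its session cookie, happens unencrypted unless the proxy upgrades the request. If the proxy does terminate TLS for authentik (the first patch used `https://authentik.local/...` for the same two settings), all three URLs should share the scheme, e.g. `--idp-singleSignOnService.url 'https://authentik.local/application/saml/nextcloud/sso/binding/redirect/'`; if plain http is the deliberate dev setup, a one-line comment above the `if` saying so would stop the next reader from "fixing" it. Minor style point: the first guard uses `[[ "$IS_STANDALONE" = "true" ]]` while the two that follow use `[ ... ]`; one form within the function reads better.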
@@ -149,28 +199,6 @@ EOF OCC config:system:set 'gss.discovery.manual.mapping.file' --value '/var/www/mapping.json' OCC config:system:set 'gss.discovery.manual.mapping.regex' --type boolean --value true OCC config:system:set 'gss.discovery.manual.mapping.parameter' --value 'http://schemas.goauthentik.io/2021/02/saml/username' - OCC app:enable user_saml --force - OCC config:app:set user_saml type --value 'saml' - OCC saml:config:set 1 --general-uid_mapping 'http://schemas.goauthentik.io/2021/02/saml/username' - OCC saml:config:set 1 --general-idp0_display_name 'Authentik' - OCC saml:config:set 1 --idp-entityId 'https://portal.local/index.php/apps/user_saml/saml/metadata' - OCC saml:config:set 1 --idp-singleSignOnService.url 'https://authentik.local/application/saml/portal/sso/binding/redirect/' - OCC saml:config:set 1 --idp-singleLogoutService.url 'https://authentik.local/if/session-end/portal/' - OCC saml:config:set 1 --saml-attribute-mapping-email_mapping 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' - OCC saml:config:set 1 --saml-attribute-mapping-displayName_mapping 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' - OCC saml:config:set 1 --saml-attribute-mapping-group_mapping 'http://schemas.xmlsoap.org/claims/Group' - OCC saml:config:set 1 --security-nameIdEncrypted 1 - OCC saml:config:set 1 --sp-name-id-format 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName' - OCC saml:config:set 1 --sp-x509cert "'-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----'" - OCC saml:config:set 1 --sp-privateKey "'-----BEGIN RSA PRIVATE 
KEY-----MIIJKAIBAAKCAgEAuvRuB3P2Si4QwkiARQTxx9B8MEiI6UBjyFHQlOwfi9366mG+/MYu7OqDfmFPMYBjxjGL61DSqs0EZCZF3urg8XPrfSNBpkFQ29vGBaUqodDo6xDgCKulaEMc+ROJA2/JQ2i5/rgFEpMdr89ty5AyTucdPpKAlmg5z1aIqVx6O0CPpSjPKIXYLUZATCCD4yBGcPkwwvNEx1gL4O1zTA3oPJmYXMQGEHjxL7MCjBhKp8Kz1rjPMIMY6EU6ng4P2pI0L3gyiZSff0+xHJrT5X5Z5K20A+qsy6iUzs97fvRYWAA4LYJNcdwms7a/EPv0BBIGisC76WYIKX0WwgnYbEtkN7Xn7BfQcdMJA9z4C8VrFrQClhAFswEGHLAvCZ+tCPPbPG5Z5KAe18U5JNECv1L3xbTRO6gi1+qIbfMPQZfkotzYPaIUab42LR97MMIidVCcTeXcSXi7pWJ57qDqsy+aSGclsIM/7EyyuWyX4KSbCfB+C4WATC8nI+l2aVff3A6viJx4k2bVQ0JWdPPz2RB85zjkBNPOC2e+UtXPM1s8sJVAyRUOIvHvWGmw/cCsqdb4bV6iWT+6F+i0Hb79O5ZN+s6Kej3pYPDIAHmaGqNSLyeWERPGaQZIZTCvGgmILYEwDoiVmuEi2Ks2b9kDl/wAiMYQtjh2ZUTnaaiF/zeDjIcCAwEAAQKCAgADpRq9ZnWERpfG64TPXDVznqaxdX75DCchnAa9b3yOf86i0Mw/yAzY1AkhVcjiJckymgPkeatS3jwiv7mcNc20HuOnAMuAEiuHrL/HvbqhDdGDHET7hCjti5fTjGqfCZkrmlhNcytre0n+4cQGo1JEkwOeBAX/pHBMGVtnaE1+koIx6XkbJp2vsASt90gOL9Si88N14QgLL7X/1/rn4mz+s5oMMcJ0gilDxK0Ho0VWrZQtWyGWcs9YChXCWYQaJVn6lIxowgI9zIVr3oyhuTQ/Mx76baMirVqabzfOooH+bcO7sYrMdm0k39WBihCHdFH6/587VuT7tdNtOqXHBJpWoY18jwyYfIUFlrvQq783Yz2FtJ+EqIxbZRS8oHTjioi54j6S2TBMdjO2XC9Nrv1wb+FKDciAeQOD4vZceMnrezc/jzJPythBxX/wSvxnaDyliRebybE71Je3m/esLyvTNQUBjEeRdXDwYakgwCFc6WanQL8y4N1fxdU07hGf/D+GRWmhFL7/mBc8nrOf2n6r5sa0HPvXakuPFD8+yUHWJleh9Xa6BGw2VEse3okt0Wd9lIi4UprdKrrE8Xs3SKaTQhBGMawCQ3Du3Mk9kk7NUR6tmW2XoLvt61TLJBcG5QitwnddTDXR2rDKE1WHBEg8rLAy7K/BYMttEtjBnvQ7MQKCAQEA8GRFsAKRQHgW484yd99KVZuhP1w2K5yBeP4lnHgcUGUU689FyifytpL4xX1jzSSHmJM0WM4MHzVmPXbTrHTY5l7X682cB5keEjMiIMbVmNZG8oLuiWe8tVxseNeptkOuo0G7oYchcwGWjNQPBBgU5FihnVsWA5Foly80s1ZeuphetEiyDJ0A/FeEyP0BwFNMUKIZXWPeXTo8jaLYyAUyGgOVs/r8QKg3oXCo8gbwAsB0El4+wk7i5sXah+GTvYM+uH0THoSK5thgeeEbxRKmVPHxddQ+/A3lJTHJIAknwsMPFw8qlbZdNXHGXM8wRLrNr8k7c4oq/O6gqYADSPp0DQKCAQEAxxfxk/+NKWleBbtKyp3lk0zvM+ZTYw9ubAgTq+whFjmCkgYq1oJikOX1kbFGYvqZqXQqEEgiw9+h4wooQnjzfTvMw/rfDzbBH18Zc4K8CjO7zZYxj7o9J2VGbxBO+ZcXr5k7EaME/c9HRZ3h/bGhp1WpZH0RnOG2TDtFnh8TszysRTmcs9RHzHfBsqYiP6erSWbfvo0yuwHLd99zc7P+PsaHwz6xKUH7XIs+pmgNdd6ve3aAWhsH
3LseDzExsOH+gK5vvD6RYyJ7IvAPwwFW4iLe69Gg9WZyg/XVxUq0yc+uN5/dPUFThvoEQuA9QItzGDAaLlwzHlLq8su1F0b54wKCAQBoWg7KPgMRqk+9aggMcziQevN/TqcRPWoSvLhU+OrJl2eCicJw4/B/gsNM74aAScg22kfR+PfYIFUWf1uZtEtnjWpLqUB/J9+e5OV+tvGH3BSGN4IW0ZpgXBOWTYAVZ8IKioFJuCA0DU9uKKuwCkgfa74UUbL3r4pofoxxASAz/eq2dgwcX5dK8y7oFLRK6Z3qLsO1/6FKdPpOPY+/HEpIcp/sthoEc0Fa6k3caliLyUFZq+GwdZAXv3GCpNB+Zte2PE0tZTnqxajzn11vqg3cN/6qOI1y2xFKmRcGuhKxf/0v9Fx3CufhSFdkeGgqnbCmC0OsfyD0FR5XFgPXDSmNAoIBAQCxny368QKakJO+n1Lho68fFINQFUwN08WbAjWyq271ageQiYoMaLTROyg0fCkkwxj2clnYvtKtV8YRTY2PiGMLNp+/tQDujNYNTAXj5R4oJ/GEQFwlM229yP/mtHERAfiyxA1L9dnNKvEWLf5iHOjw5l7C9UYSZdkC99prcKRdw2KaPAUO9vO7ephH7yodClSpnus9ELHS344Me0GAV3Qbw3l5+mOKQICmFuClC63+m9aJWra2LOl9xz7RJP2FJoqteXLcSiHhhPDAwdX+DyLZi2zAjPyCE41VJ605YCYc6nkuzSRPswl3IXVNyMs822yqhrfE5qMAic9tH8qHYt4rAoIBABsFpeSNm5rBhQtYQxagewoGfq9BmGc8s3TrpftwL0pFCTYj06sa0HTU89DOZoRJ1m4gmNYLKzO1KdUihYHZ6/J/7BK6vZs+79OHBUnrrhNOrjVzILm10y7szFQjEN26Pdp+UAlr9PF9kJzjBC7VHL+fWCdvDQs2xeuppvxmX0ZvChwKHw2uisMikb2DeoNikKnRtCcl5jJXXdeJqGMqnTP8haghT/RvNczeMOJ2E3fNKvwcuubLWgd31kPeYf0z+lp1gPC64b71yPm7rWqX16TIntLUuE6aUBi35fid4nXnVJqN4B/5/IrnXJZPaaIn/+D3JAiKePBnaCQFdmLc3hw=-----END RSA PRIVATE KEY-----'" - OCC saml:config:set 1 --idp-x509cert "'-----BEGIN 
CERTIFICATE-----MIIE5DCCAsygAwIBAgIQQwV9AoKySzWn+vejIypIhzANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDDBNhdXRoZW50aWsgMjAyNS4xMC4yMB4XDTI2MDMwNzEyNTcyNloXDTM2MDMwNTEyNTcyNlowPjESMBAGA1UEAwwJQXV0aGVudGlrMRIwEAYDVQQKDAlhdXRoZW50aWsxFDASBgNVBAsMC1NlbGYtc2lnbmVkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwIeRHlF5eL7ZX11oNhR4hfztwHKdl4G6hhyDo3cxIRN8YUVk3IXfpGzR1U7IsnqenrsNzLk//Nw15lpx4Mxr4hsyCzKksKPD5+aNy3otRQbKPOL5Fh5m9M7WxiP/uA7xkk1l5tj8ae6Lu6wnK6T4NkePSoBD3tK8NY6nOm4r04r+fWjLNc24RpX+rKZL/YPDgCYaAkooBAoXL9Dcs/RHCfPIgyeGL0YxhyZKFV+kUgQpGQYCZMdvR7waBe7rAK98y47GyQjeVIG/bRu9E/iq0rqwMAgq9rLTgUg0ZieIF1aZKeoS3bLaXvFDSzr8N2fR7ktkdsyyCqNrUg80n7cY5XKeaVefW2Qub1gj9uzuoyEU2NpzF+L9cbw0kDr5UtsCLwbdKvgQkJ9ATNWUI6EO061mRm7Ty4TyZpAY2klsvDqVbpd/OBl7LWfTaDcxaXaN0mwEv31LkPWmeecVJcqOx26NwFn1WE91cKzlv1atkuDQ8f0xX/RB2GbOSNNyRBViiw5LZUZEnTznOP+orZ8XLqQh6cUYm3KaaskjF+YRCZe0GEKgw8+Oz4Hm82gEww0y9JRguxINn3L9C1WP/X3bWbHi9kiG3Z0BUGHM5Sek2NEfR4HJ6IhQAQwzcosqpiOl4Z7dp6PWJaobjdg2gC2B1ZJXQ18pXtNrvgS88pWenDUCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAlj2kVi1yKemMsWAKDmWWPXUmKthvU4i8tortBPGKf1ndLZ1doxGhb8hUjFnaupMRG9RgQbehslLVxcIHXYGBmaiiFuAOk3HNGxBZtrCjlaSYDcuKPiM7Ey+gF6Ec5giix4vL/YFPv95gngvMxDrRsGsnyHgB/Cju5IcriJ0DfoGn/VSj+nxCdj2Ju+utyMaXEYM85I5/9c5VyB401gy7FoMkPiqA4kLsr5JhO391R+1hpjcNLbRrUnHmjLsZyGc2paGSD/Rw2dAwOjuG8BuLa+TPrj4/3Y5e2jtGNAF8bHDvLaj+sCPTjm1zmrAkI7jANQ5/hywbmpoSK8Y59OpeyoJqMwLWfLXP7xFEzG7Ovdo/EXOnypcwrPF8keitl7umwAdBkob+ki5REb02Ya7bFwtnbDcsTMfAFDnZfvScUAeBKNJ4uOlS0qQJja/2YP5+9uNuAXAv5/lEEbgMctURG7LdBH5XQNI3E/TjdJhFvV1D4exmhywbdwNBrQVaMP/FXM7cciIqFnuiRX4N+QqhH9oYpFHlGRybnsfniK20UyatEVNzx7rIB9WLKOKgT8iHTj6JnMLEPlCnQNnSmd9itmPBDJspohQGIkOzQf9at5Xeg1XEn5AjSaGQYFV+G/+gjiG4sO5/o0Nwyc8PXwF42uryX88qqDJJMokbVpVDSPY=-----END CERTIFICATE-----'" - OCC saml:config:set 1 --security-signMetadata 1 - OCC saml:config:set 1 --security-logoutResponseSigned 1 - OCC saml:config:set 1 --security-logoutRequestSigned 1 - OCC saml:config:set 1 --security-authnRequestsSigned 1 - OCC saml:config:set 1 --security-wantAssertionsSigned 1 
- OCC saml:config:set 1 --security-wantNameId 1
- OCC saml:config:set 1 --security-wantXMLValidation 1
 fi
 if [ "$GS_MODE" = "slave" ]
@@ -342,6 +370,7 @@ install() {
 configure_gs
 configure_ldap
 configure_oidc
+ configure_saml
 output "🔧 Finetuning the configuration"
 if [ "$WITH_REDIS" != "NO" ]; then
diff --git a/docs/services/sso.md b/docs/services/sso.md
index f78b125f..2e1863bb 100644
--- a/docs/services/sso.md
+++ b/docs/services/sso.md
@@ -16,7 +16,7 @@ docker compose up -d proxy nextcloud authentik
 ```
-The server will be available on [http://authentik.local:9000](http://authentik.local:9000) and you can follow [authentik documentation](https://integrations.goauthentik.io/chat-communication-collaboration/nextcloud/) to understand how to configure Nextcloud with SAML (but also OIDC and LDAP).
+The server will be available on [http://authentik.local](http://authentik.local). It will be automatically configured but you still need to enable the admin account [using the initial setup flow](http://authentik.local/if/flow/initial-setup/).
 ## SAML