Doc for importMetadata config (#2720)

2022-03-23 09:19:40 +01:00 · 2022-03-23 09:19:40 +01:00 · 89083bde9f
parent d2dce85e8c
commit 89083bde9f
2 changed files with 115 additions and 14 deletions
--- a/doc/sources/admin/renater.rst
+++ b/doc/sources/admin/renater.rst
@ -45,6 +45,12 @@ and edit configuration:
   cp /usr/share/lemonldap-ng/bin/importMetadata /usr/share/lemonldap-ng/bin/importMetadataRenater
   vi /usr/share/lemonldap-ng/bin/importMetadataRenater

+.. versionchanged:: 2.0.15
+
+   Since version 2.0.15 it is no longer necessary to copy the script, you can
+   use the ``--configfile`` option to handle most customization use cases. See
+   :ref:`importmetadataconfig` below for details.
+
 Set attributes (use the SAML Name, not FriendlyName) that are provided
 by IDPs, for example:

@ -92,26 +98,27 @@ Then run the script:

   /usr/share/lemonldap-ng/bin/importMetadataRenater -m https://metadata.federation.renater.fr/renater/main/main-idps-renater-metadata.xml -r -i "idp-renater-" -s "sp-renater-"

-The script provide the following options 
+The script provide the following options

- * -i (--idpconfprefix): Prefix used to set IDP configuration key
- * -h (--help): print this message
- * -m (--metadata): URL of metadata document
- * -s (--spconfprefix): Prefix used to set SP configuration key
- * --ignore-sp: ignore SP matching this entityID (can be specified multiple times)
- * --ignore-idp: ignore IdP matching this entityID (can be specified multiple times)
- * -a (--nagios): output statistics in Nagios format
- * -n (--dry-run): print statistics but do not apply changes
- * -v (--verbose): increase verbosity of output
- * -r (--remove): remove provider from LemonLDAP::NG if it does not appear in metadata
+* -i (--idpconfprefix): Prefix used to set IDP configuration key
+* -h (--help): print this message
+* -m (--metadata): URL of metadata document
+* -s (--spconfprefix): Prefix used to set SP configuration key
+* --ignore-sp: ignore SP matching this entityID (can be specified multiple times)
+* --ignore-idp: ignore IdP matching this entityID (can be specified multiple times)
+* -a (--nagios): output statistics in Nagios format
+* -n (--dry-run): print statistics but do not apply changes
+* -c (--configfile): use a configuration file
+* -v (--verbose): increase verbosity of output
+* -r (--remove): remove provider from LemonLDAP::NG if it does not appear in metadata


 Example :
 ::

    /usr/libexec/lemonldap-ng/bin/importMetadata -m https://pub.federation.renater.fr/metadata/renater/main/main-sps-renater-metadata.xml -s "sp-fed-prd" -c https://pub.federation.renater.fr/metadata/certs/renater-metadata-signing-cert-2016.pem -bs https://test-sp.federation.renater.fr -r -v -d
-    
-This command will 
+
+This command will
  * fetch all SPs metadata from renater
  * set a prefix to entity stored inside LemonLdap::NG
  * disable local modification of SP https://test-sp.federation.renater.fr
@ -135,7 +142,7 @@ The output is the following :

 With "-n" options you could get a "nagios like" output with metrics :
 ::
- 
+
  /usr/libexec/lemonldap-ng/bin/importMetadataFedRenater -m https://pub.federation.renater.fr/metadata/renater/main/main-sps-renater-metadata.xml -s "sp-fed-prd" -c https://pub.federation.renater.fr/metadata/certs/renater-metadata-signing-cert-2016.pem -bs https://test-sp.federation.renater.fr -r -d -n
  Metadata loaded inside Conf: [DRY-RUN]|idp_found=0, idp_updated=0, idp_created=0, idp_removed=0, idp_rejected=0, idp_ignored=0, sp_found=1248, sp_updated=1240, sp_created=0, sp_removed=0, sp_rejected=7, sp_ignored=1

@ -145,6 +152,57 @@ With "-n" options you could get a "nagios like" output with metrics :
    You need to add this in cron to refresh metadata into
    LL::NG configuration.

+
+.. _importmetadataconfig:
+
+Metadata import configuration file
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. versionadded:: 2.0.15
+
+You can now use a configuration file for the script in order to handle most custom cases.
+
+Here is an example of a INI-formatted configuration file::
+
+    # main script options, these will be overriden by the CLI options
+    [main]
+    dry-run=1
+    verbose=1
+    metadata=http://url/to/metadata.xml
+    ; Multi-value options
+    ignore-idp=entity-id-to-ignore-1
+    ignore-idp=entity-id-to-ignore-2
+
+    # Default exported attributes for IDPs
+    [exportedAttributes]
+    cn=0;cn
+    eduPersonPrincipalName=0;eduPersonPrincipalName
+    ...
+
+    # options that apply to all providers
+    [ALL]
+    ; Disable signature requirement on requests
+    samlSPMetaDataOptionsCheckSSOMessageSignature=0
+    samlSPMetaDataOptionsCheckSLOMessageSignature=0
+    ; Store SAML assertions in session
+    samlIDPMetaDataOptionsStoreSAMLToken=1
+    ; Mark ePPN as always required
+    attribute_required_eduPersonPrincipalName=1
+    ...
+
+    # Specific provider configurations
+    [https://test-sp.federation.renater.fr]
+    ; All attributes are optional for this provider
+    attribute_required=0
+    ; Override some options
+    samlSPMetaDataOptionsNameIDFormat=persistent
+
+    [https://idp.renater.fr/idp/shibboleth]
+    ; declare an extra attribute from this provider
+    exported_attribute_eduPersonAffiliation=1;uid
+
+
+
 Add your SP into the federation
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- a/lemonldap-ng-common/scripts/importMetadata
+++ b/lemonldap-ng-common/scripts/importMetadata
@ -766,6 +766,7 @@ Options:
    -a, --nagios            output statistics in Nagios format
    -r, --remove            remove provider from LemonLDAP::NG if it does not appear in metadata
    -n, --dry-run           print statistics but do not apply changes
+    -c, --config-file       use provided configuration file
    -v, --verbose           increase verbosity of output
    -h, --help              print full documentation

@ -812,6 +813,48 @@ present in the imported metadata

 This option prevents the modified configuration from being saved. It can be used for testing.

+=item B<-c>, B<--config-file>
+
+Using a configuration file lets you do advanced configuration on a global per-provider basis.
+The configuration file is stored in .ini format. Here is an example file
+
+    # main script options, these will be overriden by the CLI options
+    [main]
+    dry-run=1
+    verbose=1
+    metadata=http://url/to/metadata.xml
+    ; Multi-value options
+    ignore-idp=entity-id-to-ignore-1
+    ignore-idp=entity-id-to-ignore-2
+
+    # Default exported attributes for IDPs
+    [exportedAttributes]
+    cn=0;cn
+    eduPersonPrincipalName=0;eduPersonPrincipalName
+    ...
+
+    # options that apply to all providers
+    [ALL]
+    ; Disable signature requirement on requests
+    samlSPMetaDataOptionsCheckSSOMessageSignature=0
+    samlSPMetaDataOptionsCheckSLOMessageSignature=0
+    ; Store SAML assertions in session
+    samlIDPMetaDataOptionsStoreSAMLToken=1
+    ; Mark ePPN as always required
+    attribute_required_eduPersonPrincipalName=1
+    ...
+
+    # Specific provider configurations
+    [https://test-sp.federation.renater.fr]
+    ; All attributes are optional for this provider
+    attribute_required=0
+    ; Override some options
+    samlSPMetaDataOptionsNameIDFormat=persistent
+
+    [https://idp.renater.fr/idp/shibboleth]
+    ; declare an extra attribute from this provider
+    exported_attribute_eduPersonAffiliation=1;uid
+
 =item B<-v>, B<--verbose>

 Increase verbosity during script execution