Doc for importMetadata config (#2720)

2022-03-23 09:19:40 +01:00 · 2022-03-23 09:19:40 +01:00 · 89083bde9f
commit 89083bde9f
parent d2dce85e8c
2 changed files with 115 additions and 14 deletions
--- a/doc/sources/admin/renater.rst
+++ b/doc/sources/admin/renater.rst
@ -45,6 +45,12 @@ and edit configuration:
   cp /usr/share/lemonldap-ng/bin/importMetadata /usr/share/lemonldap-ng/bin/importMetadataRenater
   vi /usr/share/lemonldap-ng/bin/importMetadataRenater

+.. versionchanged:: 2.0.15
+
+   Since version 2.0.15 it is no longer necessary to copy the script, you can
+   use the ``--configfile`` option to handle most customization use cases. See
+   :ref:`importmetadataconfig` below for details.
+
 Set attributes (use the SAML Name, not FriendlyName) that are provided
 by IDPs, for example:

@ -102,6 +108,7 @@ The script provide the following options
 * --ignore-idp: ignore IdP matching this entityID (can be specified multiple times)
 * -a (--nagios): output statistics in Nagios format
 * -n (--dry-run): print statistics but do not apply changes
+* -c (--configfile): use a configuration file
 * -v (--verbose): increase verbosity of output
 * -r (--remove): remove provider from LemonLDAP::NG if it does not appear in metadata

@ -145,6 +152,57 @@ With "-n" options you could get a "nagios like" output with metrics :
    You need to add this in cron to refresh metadata into
    LL::NG configuration.

+
+.. _importmetadataconfig:
+
+Metadata import configuration file
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. versionadded:: 2.0.15
+
+You can now use a configuration file for the script in order to handle most custom cases.
+
+Here is an example of a INI-formatted configuration file::
+
+    # main script options, these will be overriden by the CLI options
+    [main]
+    dry-run=1
+    verbose=1
+    metadata=http://url/to/metadata.xml
+    ; Multi-value options
+    ignore-idp=entity-id-to-ignore-1
+    ignore-idp=entity-id-to-ignore-2
+
+    # Default exported attributes for IDPs
+    [exportedAttributes]
+    cn=0;cn
+    eduPersonPrincipalName=0;eduPersonPrincipalName
+    ...
+
+    # options that apply to all providers
+    [ALL]
+    ; Disable signature requirement on requests
+    samlSPMetaDataOptionsCheckSSOMessageSignature=0
+    samlSPMetaDataOptionsCheckSLOMessageSignature=0
+    ; Store SAML assertions in session
+    samlIDPMetaDataOptionsStoreSAMLToken=1
+    ; Mark ePPN as always required
+    attribute_required_eduPersonPrincipalName=1
+    ...
+
+    # Specific provider configurations
+    [https://test-sp.federation.renater.fr]
+    ; All attributes are optional for this provider
+    attribute_required=0
+    ; Override some options
+    samlSPMetaDataOptionsNameIDFormat=persistent
+
+    [https://idp.renater.fr/idp/shibboleth]
+    ; declare an extra attribute from this provider
+    exported_attribute_eduPersonAffiliation=1;uid
+
+
+
 Add your SP into the federation
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- a/lemonldap-ng-common/scripts/importMetadata
+++ b/lemonldap-ng-common/scripts/importMetadata
@ -766,6 +766,7 @@ Options:
    -a, --nagios            output statistics in Nagios format
    -r, --remove            remove provider from LemonLDAP::NG if it does not appear in metadata
    -n, --dry-run           print statistics but do not apply changes
+    -c, --config-file       use provided configuration file
    -v, --verbose           increase verbosity of output
    -h, --help              print full documentation

@ -812,6 +813,48 @@ present in the imported metadata

 This option prevents the modified configuration from being saved. It can be used for testing.

+=item B<-c>, B<--config-file>
+
+Using a configuration file lets you do advanced configuration on a global per-provider basis.
+The configuration file is stored in .ini format. Here is an example file
+
+    # main script options, these will be overriden by the CLI options
+    [main]
+    dry-run=1
+    verbose=1
+    metadata=http://url/to/metadata.xml
+    ; Multi-value options
+    ignore-idp=entity-id-to-ignore-1
+    ignore-idp=entity-id-to-ignore-2
+
+    # Default exported attributes for IDPs
+    [exportedAttributes]
+    cn=0;cn
+    eduPersonPrincipalName=0;eduPersonPrincipalName
+    ...
+
+    # options that apply to all providers
+    [ALL]
+    ; Disable signature requirement on requests
+    samlSPMetaDataOptionsCheckSSOMessageSignature=0
+    samlSPMetaDataOptionsCheckSLOMessageSignature=0
+    ; Store SAML assertions in session
+    samlIDPMetaDataOptionsStoreSAMLToken=1
+    ; Mark ePPN as always required
+    attribute_required_eduPersonPrincipalName=1
+    ...
+
+    # Specific provider configurations
+    [https://test-sp.federation.renater.fr]
+    ; All attributes are optional for this provider
+    attribute_required=0
+    ; Override some options
+    samlSPMetaDataOptionsNameIDFormat=persistent
+
+    [https://idp.renater.fr/idp/shibboleth]
+    ; declare an extra attribute from this provider
+    exported_attribute_eduPersonAffiliation=1;uid
+
 =item B<-v>, B<--verbose>

 Increase verbosity during script execution