forked from peppelinux/Ansible-Shibboleth-IDP-SP-Debian
-
Notifications
You must be signed in to change notification settings - Fork 0
/
playbook.yml
119 lines (98 loc) · 4.49 KB
/
playbook.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
# https://wiki.shibboleth.net/confluence/display/IDP30/Installation
# ansible-playbook playbook.yml -i hosts -v
# or if you want to run specifieds roles:
# ansible-playbook playbook.yml -i hosts -v --tag common
# inspired by: https://github.com/ConsortiumGARR/idem-tutorials/blob/master/idem-fedops/HOWTO-Shibboleth/Identity%20Provider/Ubuntu/HOWTO%20Install%20and%20Configure%20a%20Shibboleth%20IdP%20v3.2.1%20on%20Ubuntu%20Linux%20LTS%2016.04%20with%20Apache2%20%2B%20Jetty9.md
---
- name: Install Shibboleth IDP and SP
hosts: all
become: yes
# vars_files:
# - server_ip.yml
vars:
domain2: testunical
domain1: it
domain: "{{ domain2 }}.{{ domain1 }}"
server_admin: "root@{{ domain }}"
# If True it will uninstall and purge existing applications and configurations
# DO NOT USE THIS IN PRODUCTION ENVIRONMENT, it will destroy everything!
purge: true
# if idp and sp have the same ip: apache's <VirtualHost ip:port> must be configured as <VirtualHost *:port>
# otherwise exception "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:661)" will be raised
# otherwise exception SSL_ERROR_RX_RECORD_TOO_LONG will be raised or other, exception message depends by the client.
# modify this in server_ip.yml
# ldap_ip: "10.87.7.104"
# idp_ip: "10.87.7.235"
# sp_ip: "{{ idp_ip }}" # everything on the same vm
# Commons
cert_path: "/etc/ssl/certs/{{ domain }}"
tmp_upload_dir: "/tmp/ansible-shibboleth-idp-sp-setup"
# LDAP configuration
ldap_fqdn: "ldap.{{ domain2 }}.{{ domain1 }}"
ldap_basedc: "dc={{ domain2 }},dc={{ domain1 }}"
ldap_binddn: "uid=idp,ou=applications,{{ ldap_basedc }}"
ldap_pw: idpsecret
ldap_basedn: "ou=people,{{ ldap_basedc }}"
# remember to copy slapds' public cert, as slapd-cert.pem, in roles/common/files/certs/
ldap_cert: slapd-cert.pem
# choose between: starttls, tls, plain
ldap_auth: starttls
# webserver configuration, choose between apache and nginx
httpd: apache
# nginx
nginx_src_dir: /opt
nginx_version: nginx-1.14.2
nginx_dl_url: http://nginx.org/download/{{ nginx_version }}.tar.gz
# Servlet configuration, choose your preferred between tomcat and jetty
servlet_container: jetty
servlet_ram: 384m
servlet_port: 8080
# Jetty configuration
jetty_version: 9.4.14.v20181114
jetty_distribution: "jetty-distribution-{{ jetty_version }}"
jetty_pkg: "{{ jetty_distribution }}.tar.gz"
jetty_dl_path: /opt
jetty_dl_url: "https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/{{ jetty_version }}/{{ jetty_pkg }}"
jetty_path : "{{ jetty_dl_path }}/jetty"
# Tomcat configuration
tomcat_version: tomcat8
# TODO: tomcat_common
# tomcat_admin_pw: tomcatsecret
# tomcat_manager_pw: tomcatsecret
# Shibboleth IDP
shib_idp_version: "3.4.2"
shib_idp_package: "shibboleth-identity-provider-{{ shib_idp_version }}.tar.gz"
shib_dest_dir: "/opt"
idp_path: "{{ shib_dest_dir }}/shibboleth-idp"
shib_setup_folder: "{{ shib_dest_dir }}/shibboleth-identity-provider-{{ shib_idp_version }}"
idp_dl_url: "https://shibboleth.net/downloads/identity-provider/{{ shib_idp_version }}/{{ shib_idp_package }}"
idp_web_folder: /idp/shibboleth
idp_entity_id: "https://{{ idp_fqdn }}{{ idp_web_folder }}"
idp_fqdn: "idp.{{ domain }}"
idp_secret: idpsecret
idp_admin_email: "root@{{ idp_fqdn }}"
idp_localized_message_url: "https://wiki.shibboleth.net/confluence/download/attachments/21660022/messages_it.properties?version=2&modificationDate=1541061867323&api=v2"
# idp_attr_resolver: attribute-resolver-full.v332.saml2.light.xml # in roles/shib2_configure/files
idp_attr_resolver: attribute-resolver-v3_4-idem_TLS.xml
idp_disable_saml1: true
# persistent id on rdbms, it will install mariadb
idp_persistent_id_rdbms: true
# Shibboleth IDP RDBMS per persistentID
idp_rdbms_dbname: shibboleth
idp_rdbms_user: "{{ idp_rdbms_dbname }}"
idp_rdbms_pw: "{{ idp_secret }}"
# Shibboleth SP
sp_fqdn: "sp.{{ domain }}"
roles:
# apt dependencies and certificates
- { role: uninstall, tags: ["uninstall"] }
- { role: common, tags: ["common"] }
# idp
- { role: shib3idp_install, tags: ["idp_install"] }
- { role: shib3idp_configure, tags: ["idp_configure"] }
# sp
- { role: shib2sp, tags: ["sp"] }
# httpd
- { role: httpd, tags: ["httpd"] }
# federation
- { role: sp_federation, tags: ["sp"] }