diff --git a/configs/development.py b/configs/development.py
index 71cae97..66bd60e 100644
--- a/configs/development.py
+++ b/configs/development.py
@@ -62,6 +62,12 @@ SAML_METADATA_CACHE_LIFETIME = 1
 ### Example: urn:oid:2.5.4.4
 #SAML_ATTRIBUTE_SURNAME = 'urn:oid:2.5.4.4'
+## Split into Given name and Surname
+## Useful if your IDP only gives a display name
+### Default: none
+### Example: http://schemas.microsoft.com/identity/claims/displayname
+#SAML_ATTRIBUTE_NAME = 'http://schemas.microsoft.com/identity/claims/displayname'
+
 ## Attribute to use for username
 ### Default: Use NameID instead
 ### Example: urn:oid:0.9.2342.19200300.100.1.1
@@ -75,6 +81,22 @@ SAML_METADATA_CACHE_LIFETIME = 1
 ### the user is set as a non-administrator user.
 #SAML_ATTRIBUTE_ADMIN = 'https://example.edu/pdns-admin'
+## Attribute to get group from
+### Default: Don't use groups from SAML attribute
+### Example: https://example.edu/pdns-admin-group
+#SAML_ATTRIBUTE_GROUP = 'https://example.edu/pdns-admin'
+
+## Group namem to get admin status from
+### Default: Don't control admin with SAML group
+### Example: https://example.edu/pdns-admin
+#SAML_GROUP_ADMIN_NAME = 'powerdns-admin'
+
+## Attribute to get group to account mappings from
+### Default: None
+### If set, the user will be added and removed from accounts to match
+### what's in the login assertion if they are in the required group
+#SAML_GROUP_TO_ACCOUNT_MAPPING = 'dev-admins=dev,prod-admins=prod'
+
 ## Attribute to get account names from
 ### Default: Don't control accounts with SAML attribute
 ### If set, the user will be added and removed from accounts to match
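Review bot: The comment block for the new `SAML_ATTRIBUTE_NAME` setting does not say what the attribute contains or how the split works: "Split into Given name and Surname" reads as an instruction rather than a description, and nothing states how a value with one word or more than two words is divided, nor which setting wins when the IdP supplies both this attribute and the given-name/surname attributes. Suggest opening the block with `## Attribute holding the user's full display name, which is split into given name and surname` and adding one `###` line describing the split rule and the precedence over SAML_ATTRIBUTE_GIVENNAME / SAML_ATTRIBUTE_SURNAME, whatever the code actually does. The same block is added unchanged to configs/test.py in the first hunk of that file, so the wording should be fixed in both places.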
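Review bot: In the second hunk the examples contradict the sample values, which matters because `SAML_GROUP_ADMIN_NAME` is the group whose members receive administrator status and an operator is likely to copy the example. `### Example: https://example.edu/pdns-admin-group` is followed by `#SAML_ATTRIBUTE_GROUP = 'https://example.edu/pdns-admin'`, and `SAML_GROUP_ADMIN_NAME` shows a URI as its example while its value is the plain group name `'powerdns-admin'`; there is also a typo in `## Group namem to get admin status from`. Suggest `## Group name to get admin status from`, `### Example: powerdns-admin`, and aligning the `SAML_ATTRIBUTE_GROUP` example and value on one string. For `SAML_GROUP_TO_ACCOUNT_MAPPING` the heading says "Attribute to get ... from" but the value is a `group=account` list, and "the required group" is never named; the comment should describe the mapping format and say which group is required. The same hunk is repeated in configs/test.py.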
@@ -88,6 +110,11 @@ SAML_SP_CONTACT_MAIL = ''
 #Configures if SAML tokens should be encrypted.
 #If enabled a new app certificate will be generated on restart
 SAML_SIGN_REQUEST = False
+
+# Configures if you want to request the IDP to sign the message
+# Default is True
+#SAML_WANT_MESSAGE_SIGNED = True
+
 #Use SAML standard logout mechanism retrieved from idp metadata
 #If configured false don't care about SAML session on logout.
 #Logout from PowerDNS-Admin only and keep SAML session authenticated.
diff --git a/configs/test.py b/configs/test.py
index cbfc046..e50ab50 100644
--- a/configs/test.py
+++ b/configs/test.py
@@ -69,6 +69,12 @@ SAML_METADATA_CACHE_LIFETIME = 1
 ### Example: urn:oid:2.5.4.4
 #SAML_ATTRIBUTE_SURNAME = 'urn:oid:2.5.4.4'
+## Split into Given name and Surname
+## Useful if your IDP only gives a display name
+### Default: none
+### Example: http://schemas.microsoft.com/identity/claims/displayname
+#SAML_ATTRIBUTE_NAME = 'http://schemas.microsoft.com/identity/claims/displayname'
+
 ## Attribute to use for username
 ### Default: Use NameID instead
 ### Example: urn:oid:0.9.2342.19200300.100.1.1
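Review bot: The comment on `SAML_WANT_MESSAGE_SIGNED` does not say what changes on the SP side when it is set to False, which is the only reason an operator would uncomment it. "Request the IDP to sign the message" describes a wish sent to the IdP, but if, as the name suggests, this setting also controls whether the SP requires a signature on messages it receives from the IdP, then False relaxes a signature check on the login response and the comment should say so. Suggest `# Whether the SP requires SAML messages from the IdP to be signed; set to False only when the IdP signs the assertion instead, as this disables the message-signature check` in place of the first comment line, keeping `# Default is True`. The same block is added in the last hunk of configs/test.py.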
@@ -82,6 +88,22 @@ SAML_METADATA_CACHE_LIFETIME = 1
 ### the user is set as a non-administrator user.
 #SAML_ATTRIBUTE_ADMIN = 'https://example.edu/pdns-admin'
+## Attribute to get group from
+### Default: Don't use groups from SAML attribute
+### Example: https://example.edu/pdns-admin-group
+#SAML_ATTRIBUTE_GROUP = 'https://example.edu/pdns-admin'
+
+## Group namem to get admin status from
+### Default: Don't control admin with SAML group
+### Example: https://example.edu/pdns-admin
+#SAML_GROUP_ADMIN_NAME = 'powerdns-admin'
+
+## Attribute to get group to account mappings from
+### Default: None
+### If set, the user will be added and removed from accounts to match
+### what's in the login assertion if they are in the required group
+#SAML_GROUP_TO_ACCOUNT_MAPPING = 'dev-admins=dev,prod-admins=prod'
+
 ## Attribute to get account names from
 ### Default: Don't control accounts with SAML attribute
 ### If set, the user will be added and removed from accounts to match
@@ -95,6 +117,11 @@ SAML_SP_CONTACT_MAIL = ''
 #Configures if SAML tokens should be encrypted.
 #If enabled a new app certificate will be generated on restart
 SAML_SIGN_REQUEST = False
+
+# Configures if you want to request the IDP to sign the message
+# Default is True
+#SAML_WANT_MESSAGE_SIGNED = True
+
 #Use SAML standard logout mechanism retrieved from idp metadata
 #If configured false don't care about SAML session on logout.
 #Logout from PowerDNS-Admin only and keep SAML session authenticated.