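#!/bin/sh
# Configure Nextcloud's user_saml app against the Keycloak IdP at sso.${DOMAIN}.
#
# Requires: DOMAIN in the environment, ./occ runnable from the current
# directory, and the SP key pair at /saml/public.crt and /saml/private.key (PEM).
#
# Shell options live in 'set', not the shebang: '#!/bin/sh -eu' is silently
# dropped when the script is started as 'sh saml.sh'.
set -eu
: "${DOMAIN:?DOMAIN must be set}"

# Print a diagnostic to stderr and abort.
die() { printf 'saml.sh: %s\n' "$*" >&2; exit 1; }

occ="./occ"

# Reuse the existing provider id when one is already configured; an empty
# JSON object/array from saml:config:get means none exists yet, so create one.
current_nc_saml="$("${occ}" saml:config:get --output=json)"
prov_id="1"
if [ "${current_nc_saml}" = "{}" ] || [ "${current_nc_saml}" = "[]" ]; then
  prov_id="$("${occ}" saml:config:create)"
fi

# Gather variables
## When keycloak gets updated, /auth disappears
idp_entityid_port="https://sso.${DOMAIN}:8443/auth/realms/master"
idp_entityid="https://sso.${DOMAIN}/auth/realms/master"
idp_sso_url="https://sso.${DOMAIN}/auth/realms/master/protocol/saml"

## IdP signing certificate, taken from the realm's JWKS x5c entry
## (base64 only: no PEM headers or newlines).
## NOTE(security): -k disables TLS verification for this fetch, and the value
## fetched here becomes the trust anchor Nextcloud uses to validate every SAML
## assertion. Keep this fetch on a trusted network path, and drop -k once
## sso.${DOMAIN}:8443 presents a certificate the container trusts.
## The fetch is assigned on its own (not piped straight into sed) so that a
## curl failure aborts under 'set -e' instead of being masked by the sed stage.
jwks="$(curl -sS -k --fail "${idp_entityid_port}/protocol/openid-connect/certs")"
idp_x509cert="$(printf '%s\n' "${jwks}" | sed -E 's!.*RS256[^}]*x5c":\["([^"]+)".*!\1!')"
## sed echoes its input unchanged when the pattern does not match, which would
## push the whole JWKS document into the x509cert setting; accept only a
## base64-shaped, non-empty value.
case "${idp_x509cert}" in
  ''|*[!A-Za-z0-9+/=]*) die "could not extract the RS256 x5c certificate from ${idp_entityid_port}" ;;
esac

## PEM format
sp_x509cert="$(cat /saml/public.crt)"
## PEM format
sp_privatekey="$(cat /saml/private.key)"
[ -n "${sp_x509cert}" ] || die "/saml/public.crt is empty"
[ -n "${sp_privatekey}" ] || die "/saml/private.key is empty"

# Actually set up Nextcloud.
# NOTE: the SP private key is handed to occ as a command-line argument and is
# therefore visible in the container's process list for the duration of the call.
"${occ}" saml:config:set --no-interaction --no-ansi \
  --general-idp0_display_name="SAML Login" \
  --general-uid_mapping=username \
  --idp-entityId="${idp_entityid}" \
  --idp-singleLogoutService.url="${idp_sso_url}" \
  --idp-singleSignOnService.url="${idp_sso_url}" \
  --idp-x509cert="${idp_x509cert}" \
  --security-authnRequestsSigned=1 \
  --security-logoutRequestSigned=1 \
  --security-logoutResponseSigned=1 \
  --security-wantAssertionsSigned=1 \
  --security-wantMessagesSigned=1 \
  --saml-attribute-mapping-displayName_mapping=displayname \
  --saml-attribute-mapping-email_mapping=email \
  --saml-attribute-mapping-group_mapping=member \
  --saml-attribute-mapping-quota_mapping=quota \
  --sp-x509cert="${sp_x509cert}" \
  --sp-privateKey="${sp_privatekey}" \
  "${prov_id}"

# And set type, else it won't be active
"${occ}" config:app:set user_saml type --value saml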