- name: Import SAMLv2 Metadata in Keycloak
  hosts: localhost
  gather_facts: no
  vars:
    metadata: "{{ lookup('file', 'metadata.xml') }}"
    keycloak_url: https://lb.itix.lab/auth
    keycloak_password: secret
    keycloak_admin: admin
    keycloak_target_realm: Amft
    keycloak_validate_certs: no
    client_id: CFT01
  tasks:
  - name: extract NameIDFormat
    xml:
        xmlstring: '{{ metadata }}'
        content: "text"
        xpath: "/md:EntityDescriptor/md:SPSSODescriptor/md:NameIDFormat"
        namespaces:
          md: urn:oasis:names:tc:SAML:2.0:metadata
    register: data
  - set_fact:
      nif: "{{ (data.matches[0]|dict2items|first).value.split(':')[-1] }}"

  - name: extract AssertionConsumerService
    xml:
        xmlstring: '{{ metadata }}'
        content: "attribute"
        xpath: "/md:EntityDescriptor/md:SPSSODescriptor/md:AssertionConsumerService"
        attribute: Location
        namespaces:
          md: urn:oasis:names:tc:SAML:2.0:metadata
    register: data
  - set_fact:
      acs: "{{ (data.matches[0]|dict2items|first).value.Location }}"

  - name: extract SingleLogoutService
    xml:
        xmlstring: '{{ metadata }}'
        content: "attribute"
        xpath: "/md:EntityDescriptor/md:SPSSODescriptor/md:SingleLogoutService"
        attribute: Location
        namespaces:
          md: urn:oasis:names:tc:SAML:2.0:metadata
    register: data
  - set_fact:
      sls: "{{ (data.matches[0]|dict2items|first).value.Location }}"

  - name: extract certificate
    xml:
        xmlstring: '{{ metadata }}'
        content: "text"
        xpath: "/md:EntityDescriptor/md:SPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        namespaces:
          md: urn:oasis:names:tc:SAML:2.0:metadata
          ds: "http://www.w3.org/2000/09/xmldsig#"
    register: data
  - set_fact:
      certificate: "{{ (data.matches[0]|dict2items|first).value }}"

  - set_fact:
      x509_certificate: |
        -----BEGIN CERTIFICATE-----
        {{ base64 }}
        -----END CERTIFICATE-----
    vars:
      base64: "{{ certificate | regex_findall('.{1,64}') | join('\n') }}"

  - name: Create Keycloak Client
    community.general.keycloak_client:
      auth_keycloak_url: '{{ keycloak_url }}'
      auth_password: '{{ keycloak_password }}'
      auth_realm: master
      auth_username: '{{ keycloak_admin }}'
      validate_certs: '{{ keycloak_validate_certs | default("yes") | bool }}'
      protocol: saml
      realm: '{{ keycloak_target_realm }}'
      client_id: '{{ client_id }}'
      attributes:
        saml.signing.certificate: '{{ x509_certificate }}'
        saml_assertion_consumer_url_post: '{{ acs }}'
        saml_single_logout_service_url_post: '{{ sls }}'
        saml_name_id_format: '{{ nif }}'
      redirect_uris:
      - '{{ acs }}'