You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
94 lines
2.9 KiB
94 lines
2.9 KiB
- name: Import SAMLv2 Metadata in Keycloak
|
|
hosts: localhost
|
|
gather_facts: no
|
|
vars:
|
|
metadata: "{{ lookup('file', 'metadata.xml') }}"
|
|
keycloak_url: https://lb.itix.lab/auth
|
|
keycloak_password: secret
|
|
keycloak_admin: admin
|
|
keycloak_target_realm: Amft
|
|
keycloak_validate_certs: no
|
|
client_id: CFT01
|
|
tasks:
|
|
- name: extract NameIDFormat
|
|
xml:
|
|
xmlstring: '{{ metadata }}'
|
|
content: "text"
|
|
xpath: "/md:EntityDescriptor/md:SPSSODescriptor/md:NameIDFormat"
|
|
namespaces:
|
|
md: urn:oasis:names:tc:SAML:2.0:metadata
|
|
register: data
|
|
- set_fact:
|
|
nif: "{{ (data.matches[0]|dict2items|first).value }}"
|
|
- debug:
|
|
var: nif
|
|
|
|
- name: extract AssertionConsumerService
|
|
xml:
|
|
xmlstring: '{{ metadata }}'
|
|
content: "attribute"
|
|
xpath: "/md:EntityDescriptor/md:SPSSODescriptor/md:AssertionConsumerService"
|
|
attribute: Location
|
|
namespaces:
|
|
md: urn:oasis:names:tc:SAML:2.0:metadata
|
|
register: data
|
|
- set_fact:
|
|
acs: "{{ (data.matches[0]|dict2items|first).value.Location }}"
|
|
- debug:
|
|
var: acs
|
|
|
|
- name: extract SingleLogoutService
|
|
xml:
|
|
xmlstring: '{{ metadata }}'
|
|
content: "attribute"
|
|
xpath: "/md:EntityDescriptor/md:SPSSODescriptor/md:SingleLogoutService"
|
|
attribute: Location
|
|
namespaces:
|
|
md: urn:oasis:names:tc:SAML:2.0:metadata
|
|
register: data
|
|
- set_fact:
|
|
sls: "{{ (data.matches[0]|dict2items|first).value.Location }}"
|
|
- debug:
|
|
var: sls
|
|
|
|
- name: extract certificate
|
|
xml:
|
|
xmlstring: '{{ metadata }}'
|
|
content: "text"
|
|
xpath: "/md:EntityDescriptor/md:SPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
|
|
namespaces:
|
|
md: urn:oasis:names:tc:SAML:2.0:metadata
|
|
ds: "http://www.w3.org/2000/09/xmldsig#"
|
|
register: data
|
|
- set_fact:
|
|
certificate: "{{ (data.matches[0]|dict2items|first).value }}"
|
|
- debug:
|
|
var: certificate
|
|
|
|
- set_fact:
|
|
x509_certificate: |
|
|
-----BEGIN CERTIFICATE-----
|
|
{{ base64 }}
|
|
-----END CERTIFICATE-----
|
|
vars:
|
|
base64: "{{ certificate | regex_findall('.{1,64}') | join('\n') }}"
|
|
- debug:
|
|
var: x509_certificate
|
|
|
|
- name: Create Keycloak Client
|
|
community.general.keycloak_client:
|
|
auth_keycloak_url: '{{ keycloak_url }}'
|
|
auth_password: '{{ keycloak_password }}'
|
|
auth_realm: master
|
|
auth_username: '{{ keycloak_admin }}'
|
|
validate_certs: '{{ keycloak_validate_certs | default("yes") | bool }}'
|
|
protocol: saml
|
|
realm: '{{ keycloak_target_realm }}'
|
|
client_id: '{{ client_id }}'
|
|
attributes:
|
|
saml.signing.certificate: '{{ x509_certificate }}'
|
|
saml_assertion_consumer_url_post: '{{ acs }}'
|
|
saml_single_logout_service_url_post: '{{ sls }}'
|
|
saml_name_id_format: unspecified
|
|
redirect_uris:
|
|
- '{{ acs }}'
|
|
|