update for sso setup
diff --git a/defaults/main.yml b/defaults/main.yml
index 833ab58..b674fc0 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,19 +5,22 @@
 
 jwt_key_folder: "{{ apigee_home }}/customer/application/apigee-sso/jwt-keys"
 jwt_private_key: private_key.pem
-edge_sso_jwt_private_key_filepath: "{{ jwt_key_folder }}/{{ jwt_private_key }}"
+sso_jwt_signinig_key_filepath: "{{ jwt_key_folder }}/{{ jwt_private_key }}"
 jwt_public_key: public_key.pem
-edge_sso_jwt_public_key_filepath: "{{ jwt_key_folder }}/{{ jwt_public_key }}"
+sso_jwt_verification_key_filepath: "{{ jwt_key_folder }}/{{ jwt_public_key }}"
 jwt_key_size: 2048
 
 saml_folder: "{{ apigee_home }}/customer/application/apigee-sso/saml"
-saml_private_key: server.key
-edge_sso_saml_service_provider_key: "{{ saml_folder }}/{{ saml_private_key }}"
+sso_saml_service_provider_key_filename: server.key
+sso_saml_service_provider_key: "{{ saml_folder }}/{{ sso_saml_service_provider_key_filename}}"
 saml_private_encryption_type: aes256
 saml_private_key_size: 1024
 
 saml_cert_signing_request: server.csr
-saml_cert_self_signed_cert: server.crt
+sso_saml_service_provider_certificate_filename: server.crt
+sso_saml_service_provider_certificate: "{{ saml_folder }}/{{ sso_saml_service_provider_certificate_filename }}"
 saml_cert_encryption_type: sha256
 saml_cert_expiry_days: 365
 saml_cert_subject: "/C=US/O=google/OU=apigee/CN=apigee.com"
+
+sso_saml_idp_metadata_url: "{{ saml_folder }}/target_idp_metadata_url.xml"
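Review bot: The new default `sso_saml_idp_metadata_url` on the last added line means the variable is always defined, so the `sso_saml_idp_metadata_url is defined` assertion in the second tasks/main.yml hunk can no longer fail and a missing IdP metadata file goes unnoticed until the installer runs. Either drop the default so the operator must supply the value, or replace the assertion with a `stat` on the path followed by an assert on `.stat.exists`. The value is also a bare filesystem path under `saml_folder`, while the template writes it to `SSO_SAML_IDP_METADATA_URL`; if the installer expects a URL there, this probably needs a `file://` prefix, which should be confirmed against the installer documentation. Separately, the unchanged `saml_private_key_size: 1024` in this hunk is half the `jwt_key_size` of 2048 a few lines up, and 2048 bits or more is the usual minimum for an RSA key that signs SAML messages.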
diff --git a/tasks/create-saml-keys-cert.yml b/tasks/create-saml-keys-cert.yml
index a197513..bc7f0a6 100644
--- a/tasks/create-saml-keys-cert.yml
+++ b/tasks/create-saml-keys-cert.yml
@@ -14,33 +14,33 @@
     register: passphrase
 
   - name: Generate your private key with a passphrase
-    command: "openssl genrsa -{{ saml_private_encryption_type }} -passout pass:{{ passphrase.stdout }} -out {{ saml_private_key }} {{ saml_private_key_size }}"
+    command: "openssl genrsa -{{ saml_private_encryption_type }} -passout pass:{{ passphrase.stdout }} -out {{ sso_saml_service_provider_key_filename}} {{ saml_private_key_size }}"
     args:
       chdir: "{{ saml_folder }}"
 
   - name: Prep to remove passphrase from Key
     copy:
-      dest: "{{ saml_folder }}/remove-passphrase-{{ saml_private_key }}"
-      src: "{{ saml_folder }}/{{ saml_private_key }}"
+      dest: "{{ saml_folder }}/remove-passphrase-{{ sso_saml_service_provider_key_filename}}"
+      src: "{{ saml_folder }}/{{ sso_saml_service_provider_key_filename}}"
       remote_src: yes
 
   - name: Remove the passphrase from the key
-    shell: "openssl rsa -in remove-passphrase-{{ saml_private_key }} -passin pass:{{ passphrase.stdout }} -out {{ saml_private_key }}"
+    shell: "openssl rsa -in remove-passphrase-{{ sso_saml_service_provider_key_filename}} -passin pass:{{ passphrase.stdout }} -out {{ sso_saml_service_provider_key_filename}}"
     args:
       chdir: "{{ saml_folder }}"
 
   - name: Clean up passphrase removal file
     file:
-      path: "{{ saml_folder }}/remove-passphrase-{{ saml_private_key }}"
+      path: "{{ saml_folder }}/remove-passphrase-{{ sso_saml_service_provider_key_filename}}"
       state: absent
 
   - name: Generate certificate signing request for CA
-    shell: "openssl req -x509 -sha256 -new -passin pass:{{ passphrase.stdout }}  -key {{ saml_private_key }} -out {{ saml_cert_signing_request }} -subj {{ saml_cert_subject }}"
+    shell: "openssl req -x509 -sha256 -new -passin pass:{{ passphrase.stdout }}  -key {{ sso_saml_service_provider_key_filename}} -out {{ saml_cert_signing_request }} -subj {{ saml_cert_subject }}"
     args:
       chdir: "{{ saml_folder }}"
 
   - name: Generate self-signed certificate with 365 days expiry-time
-    shell: "openssl x509 -{{ saml_cert_encryption_type }} -days {{ saml_cert_expiry_days }} -in {{ saml_cert_signing_request }} -signkey {{ saml_private_key }} -out {{ saml_cert_self_signed_cert }}"
+    shell: "openssl x509 -{{ saml_cert_encryption_type }} -days {{ saml_cert_expiry_days }} -in {{ saml_cert_signing_request }} -signkey {{ sso_saml_service_provider_key_filename}} -out {{ sso_saml_service_provider_certificate_filename }}"
     args:
       chdir: "{{ saml_folder }}"
 
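Review bot: The `genrsa`, `rsa` and `req` tasks touched here still interpolate `passphrase.stdout` into the command line as `pass:…`, which exposes it in the process arguments to other local users and in Ansible's task output and logs. Pass it through the environment with openssl's `env:` source and set `no_log: true` on those tasks; the first task is shown below and the `rsa` task follows the same pattern with `-passin env:SAML_KEY_PASSPHRASE` (a name constructed for this example). The `req` task runs after the passphrase has been removed from the key, so its `-passin` can probably be dropped. Once the passphrase is removed, the private key sits on disk unencrypted, so an explicit permissions task is safer than relying on the umask. The task that registers `passphrase` starts above the hunk, so how the passphrase is produced is not visible here.

```yaml
  - name: Generate your private key with a passphrase
    command: "openssl genrsa -{{ saml_private_encryption_type }} -passout env:SAML_KEY_PASSPHRASE -out {{ sso_saml_service_provider_key_filename }} {{ saml_private_key_size }}"
    # … unchanged: args/chdir …
    environment:
      SAML_KEY_PASSPHRASE: "{{ passphrase.stdout }}"
    no_log: true

  # … unchanged: copy, passphrase removal, cleanup …

  - name: Restrict permissions on the unencrypted SAML key
    file:
      path: "{{ sso_saml_service_provider_key }}"
      mode: "0600"
```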
diff --git a/tasks/main.yml b/tasks/main.yml
index 1dc05b3..27c1895 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -12,8 +12,9 @@
     key: "{{ item.key }}"
     value: "{{ item.value }}"
   with_items:
-  - { key: 'edge_sso_jwt_private_key_filepath', value: '{{ edge_sso_jwt_private_key_filepath }}' }
-  - { key: 'edge_sso_saml_service_provider_key', value: '{{ edge_sso_saml_service_provider_key }}' }
+  - { key: 'sso_jwt_signinig_key_filepath', value: '{{ sso_jwt_signinig_key_filepath }}' }
+  - { key: 'sso_saml_service_provider_key', value: '{{ sso_saml_service_provider_key }}' }
+  - { key: 'sso_saml_service_provider_certificate', value: '{{ sso_saml_service_provider_certificate }}' }
 
 - name: Create Private key and Self Signed Certificate Request
   tags: ['private']
@@ -40,7 +41,7 @@
 - name: Assert that availability of SAML IDP metadata file
   assert:
     that:
-    - "edge_sso_saml_idp_metadata_url is defined"
+    - "sso_saml_idp_metadata_url is defined"
 
 - name: Construct the Edge SSO Installation config file file
   become: yes
diff --git a/templates/edge-sso-installer-config.conf.j2 b/templates/edge-sso-installer-config.conf.j2
index d636e84..2692902 100644
--- a/templates/edge-sso-installer-config.conf.j2
+++ b/templates/edge-sso-installer-config.conf.j2
@@ -6,7 +6,7 @@
 APIGEE_ADMINPW={{ opdk_user_pass }}
 # Set the protocol for the Edge management API. Default is http.
 # Set to https if you enabled TLS on the management API.
-MS_SCHEME={{ edge_sso_ms_scheme | default('http') }}
+MS_SCHEME={{ ms_scheme | default('http') }}
 
 ## Postgres configuration.
 PG_HOST={{ pgmaster_ip | default(pg_ip) }}
@@ -16,47 +16,47 @@
 PG_PWD={{ pg_pass }}
 
 # apigee-sso configuration.
-SSO_PROFILE={{ edge_sso_profile | default("saml") }}
+SSO_PROFILE={{ sso_profile | default("saml") }}
 # Externally accessible IP or DNS name of apigee-sso.
 SSO_PUBLIC_URL_HOSTNAME=$MSIP
 # Default port is 9099. If changing, set both properties to the same value.
-SSO_PUBLIC_URL_PORT={{ edge_sso_public_url_port | default(9099) }}
-SSO_TOMCAT_PORT={{ edge_sso_tomcat_port | default(9099) }}
+SSO_PUBLIC_URL_PORT={{ sso_public_url_port | default(9099) }}
+SSO_TOMCAT_PORT={{ sso_tomcat_port | default(9099) }}
 # Set Tomcat TLS mode to DEFAULT to use HTTP access to apigee-sso.
-SSO_TOMCAT_PROFILE={{ edge_sso_tomcat_profile | default('DEFAULT') }}
-SSO_PUBLIC_URL_SCHEME={{ edge_sso_public_url_scheme | default('http') }}
+SSO_TOMCAT_PROFILE={{ sso_tomcat_profile | default('DEFAULT') }}
+SSO_PUBLIC_URL_SCHEME={{ sso_public_url_scheme | default('http') }}
 
 # SSO admin user name. The default is ssoadmin.
-SSO_ADMIN_NAME={{ edge_sso_admin_name | default('ssoadmin') }}
+SSO_ADMIN_NAME={{ sso_admin_name | default('ssoadmin') }}
 # SSO admin password using uppercase, lowercase, number, and special chars.
-SSO_ADMIN_SECRET={{ edge_sso_admin_secret | default(opdk_user_pass) }}
+SSO_ADMIN_SECRET={{ sso_admin_secret | default(opdk_user_pass) }}
 
 # Path to signing key and secret from "Create the TLS keys and certificates" above.
-SSO_JWT_SIGNINIG_KEY_FILEPATH={{ edge_sso_jwt_private_key_filepath | default('/opt/apigee/customer/application/apigee-sso/jwt-keys/privkey.pem') }}
-SSO_JWT_VERIFICATION_KEY_FILEPATH={{  edge_sso_jwt_public_key_filepath | default('/opt/apigee/customer/application/apigee-sso/jwt-keys/pubkey.pem') }}
+SSO_JWT_SIGNINIG_KEY_FILEPATH={{ sso_jwt_signinig_key_filepath | default('/opt/apigee/customer/application/apigee-sso/jwt-keys/privkey.pem') }}
+SSO_JWT_VERIFICATION_KEY_FILEPATH={{  sso_jwt_verification_key_filepath | default('/opt/apigee/customer/application/apigee-sso/jwt-keys/pubkey.pem') }}
 
 # Name of SAML IDP. For example, okta or adfs.
-SSO_SAML_IDP_NAME={{ edge_sso_saml_ipd_name | default('okta') }}
+SSO_SAML_IDP_NAME={{ sso_saml_ipd_name | default('okta') }}
 # Text displayed to user when they attempt to access Edge UI.
-SSO_SAML_IDP_LOGIN_TEXT="{{ edge_sso_saml_ipd_login_text | default("Please log in to your IDP") }}"
+SSO_SAML_IDP_LOGIN_TEXT="{{ sso_saml_ipd_login_text | default("Please log in to your IDP") }}"
 
 # The metadata URL from your IDP.
 # If you have a metadata file, and not a URL,
 # see "Specifying a metadata file instead of a URL" below.
-SSO_SAML_IDP_METADATA_URL={{ edge_sso_saml_idp_metadata_url }}
+SSO_SAML_IDP_METADATA_URL={{ sso_saml_idp_metadata_url }}
 
 # Specifies to skip TLS validation for the URL specified
 # by SSO_SAML_IDP_METADATA_URL. Necessary if URL uses a self-signed cert.
 # Default value is "n".
-SSO_SAML_IDPMETAURL_SKIPSSLVALIDATION={{ edge_sso_saml_idpmetaurl_skipsslvalidation | default('n') }}
+SSO_SAML_IDPMETAURL_SKIPSSLVALIDATION={{ sso_saml_idpmetaurl_skipsslvalidation | default('n') }}
 
 # SAML service provider key and cert from "Create the TLS keys and certificates" above.
-SSO_SAML_SERVICE_PROVIDER_KEY={{ edge_sso_saml_service_provider_key | default('/opt/apigee/customer/application/apigee-sso/saml/server.key') }}
-SSO_SAML_SERVICE_PROVIDER_CERTIFICATE={{  edge_sso_saml_service_provider_certificate | default('/opt/apigee/customer/application/apigee-sso/saml/selfsigned.crt') }}
+SSO_SAML_SERVICE_PROVIDER_KEY={{ sso_saml_service_provider_key | default('/opt/apigee/customer/application/apigee-sso/saml/server.key') }}
+SSO_SAML_SERVICE_PROVIDER_CERTIFICATE={{  sso_saml_service_provider_certificate | default('/opt/apigee/customer/application/apigee-sso/saml/selfsigned.crt') }}
 # The passphrase used when you created the SAML cert and key.
 # The section "Create the TLS keys and certificates" above removes the passphrase,
 # but this property is available if you require a passphrase.
-# SSO_SAML_SERVICE_PROVIDER_PASSWORD={{ edge_sso_saml_service_provider_password | default('samlSP123') }}
+# SSO_SAML_SERVICE_PROVIDER_PASSWORD={{ sso_saml_service_provider_password | default('samlSP123') }}
 
 # Must configure an SMTP server so Edge SSO can send emails to users.
 SMTPMAILFROM="{{ opdk_smtp_mail_from }} <{{  opdk_user_email }}>"
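Review bot: The renamed variables `sso_saml_ipd_name` and `sso_saml_ipd_login_text` keep the transposed `ipd`, while the other names in this hunk use `idp` (`sso_saml_idp_metadata_url`, `sso_saml_idpmetaurl_skipsslvalidation`); an operator who sets `sso_saml_idp_name` silently gets the `okta` default. Since this commit already renames the variables, spell them `sso_saml_idp_name` and `sso_saml_idp_login_text`. The property `SSO_JWT_SIGNINIG_KEY_FILEPATH` and its matching variable look like a misspelling of SIGNING; if the installer reads `SSO_JWT_SIGNING_KEY_FILEPATH`, the signing-key path written here is ignored, so confirm against the installer documentation. The `default(...)` fallbacks for the key and certificate paths (`privkey.pem`, `pubkey.pem`, `selfsigned.crt`) no longer match the role defaults (`private_key.pem`, `public_key.pem`, `server.crt`) and are effectively unreachable now that defaults/main.yml defines all four variables, so dropping them removes a misleading second source of truth.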