diff --git a/salt/profile/identification/apache.sls b/salt/profile/identification/apache.sls
index 94d2cc8..d05a08e 100644
--- a/salt/profile/identification/apache.sls
+++ b/salt/profile/identification/apache.sls
@@ -1,8 +1,8 @@
{% set roles = salt['grains.get']('roles', []) %}
-/etc/apache2/vhosts.d/id.opensuse.org.conf:
+/etc/apache2/vhosts.d/sso.opensuse.org.conf:
file.managed:
- listen_in:
- service: apache2
- - source: salt://profile/identification/files/id.opensuse.org.conf
+ - source: salt://profile/identification/files/sso.opensuse.org.conf
- template: jinja
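Review bot: Renaming the managed path to `/etc/apache2/vhosts.d/sso.opensuse.org.conf` does not remove the previously managed `/etc/apache2/vhosts.d/id.opensuse.org.conf` from hosts that already have it, since Salt only stops tracking it. If `vhosts.d/*.conf` is still globbed into the Apache config, both vhosts get loaded, and both define `WSGIDaemonProcess ipsilon` (see the deleted and the new conf in this diff), which mod_wsgi rejects as a duplicate daemon name. I would add a cleanup state next to this one: `/etc/apache2/vhosts.d/id.opensuse.org.conf:` / `  file.absent:` / `    - watch_in: [{ service: apache2 }]`.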
diff --git a/salt/profile/identification/config.sls b/salt/profile/identification/config.sls
index fe2d0a9..8106bdf 100644
--- a/salt/profile/identification/config.sls
+++ b/salt/profile/identification/config.sls
@@ -1,27 +1,23 @@
{% set roles = salt['grains.get']('roles', []) %}
-ipsilon_wellknown_dir:
- file.directory:
- - name: /etc/ipsilon/wellknown
- - mode: 755
- - user: ipsilon
-
ipsilon_saml2_dir:
file.directory:
- name: /etc/ipsilon/saml2
- mode: 700
- user: ipsilon
-ipsilon_configuration_file:
- file.managed:
- - name: /etc/ipsilon/configuration.conf
- - source: salt://profile/identification/files/configuration.conf
- - template: jinja
- - mode: 600
- - require_in:
- - service: id_apache_service
- - watch_in:
- - module: id_apache_restart
+# # This will be exported from the UI once we set everything up there
+#
+# ipsilon_configuration_file:
+# file.managed:
+# - name: /etc/ipsilon/configuration.conf
+# - source: salt://profile/identification/files/configuration.conf
+# - template: jinja
+# - mode: 600
+# - require_in:
+# - service: id_apache_service
+# - watch_in:
+# - module: id_apache_restart
ipsilon_conf_file:
file.managed:
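Review bot: Commenting out `ipsilon_configuration_file` drops more than the templated content: it also removes the `mode: 600` enforcement and the `require_in`/`watch_in` wiring to `id_apache_service`/`id_apache_restart`, so the file that (per the deleted template) carries the PostgreSQL credentials and the subject/nameid salts is now neither permission-enforced nor triggers a restart when it changes. If the contents are meant to come from the UI export, I would still keep a state that owns the path's metadata, using `replace: False` so Salt never overwrites the exported content. Separately, removing `ipsilon_wellknown_dir` (and the persona key states further down this file) does not delete `/etc/ipsilon/wellknown` or `/etc/ipsilon/persona.key` from existing hosts; a `file.absent` for each is needed if the private key should not linger on disk.

```yaml
# … unchanged: ipsilon_saml2_dir …

# Contents are exported from the UI; Salt only enforces owner/permissions.
ipsilon_configuration_file:
  file.managed:
    - name: /etc/ipsilon/configuration.conf
    - replace: False
    - mode: 600
    - user: ipsilon
    - require_in:
      - service: id_apache_service
```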
@@ -49,18 +45,6 @@ ipsilon_oidc_conf_file:
- watch_in:
- module: id_apache_restart
-/etc/ipsilon/persona.key:
- file.managed:
- - contents_pillar: profile:matrix:persona_priv_key
- - mode: 600
- - user: ipsilon
-
-/etc/ipsilon/wellknown/browserid:
- file.managed:
- - contents_pillar: profile:matrix:persona_pub_key
- - mode: 644
- - user: ipsilon
-
/etc/ipsilon/openidc.key:
file.managed:
- contents_pillar: profile:matrix:openidc_priv_key
diff --git a/salt/profile/identification/files/configuration.conf b/salt/profile/identification/files/configuration.conf
deleted file mode 100644
index e3bfd41..0000000
--- a/salt/profile/identification/files/configuration.conf
+++ /dev/null
@@ -1,45 +0,0 @@
-[login_config]
-global enabled=gssapi
-
-[info_config]
-global enabled=
-
-
-[authz_config]
-global enabled=allow
-
-[provider_config]
-global enabled=openid,saml2,openidc
-
-openidc enabled extensions=
-
-openidc subject salt={{ ipsilon_openidc_subject_salt }}
-openidc endpoint url=https://id.opensuse.org/openidc/
-openidc idp key file=/etc/ipsilon/openidc.key
-openidc database url=postgresql://{{ pillar['profile']['identification']['database_user'] }}:{{ pillar['postgres']['users']['identification']['password'] }}@{{ pillar['profile']['identification']['database_host'] }}/ipsilon_openid
-openidc static database url=configfile:///etc/ipsilon/openidc.static.cfg
-openidc documentation url=
-openidc policy url=https://en.opensuse.org/Terms_of_site
-openidc tos url=https://en.opensuse.org/Terms_of_site
-openidc idp sig key id=20200224-sig
-openidc allow dynamic client registration=False
-openidc default attribute mapping=[["*", "*"], ["timezone", "zoneinfo"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "preferred_username"]]
-
-openid endpoint url=https://id.opensuse.org/openid/
-openid identity url template=http://%(username)s.id.opensuse.org/
-openid trusted roots=
-openid database url=postgresql://{{ pillar['profile']['identification']['database_user'] }}:{{ pillar['postgres']['users']['identification']['password'] }}@{{ pillar['profile']['identification']['database_host'] }}/ipsilon_openid
-openid untrusted roots=
-openid enabled extensions=
-
-saml2 idp storage path=/etc/ipsilon
-saml2 idp metadata file=/httpdir/metadata.xml
-saml2 idp nameid salt={{ ipsilon_saml2_nameid_salt }}
-saml2 idp certificate file=saml2_idp.crt
-saml2 idp key file=saml2_idp.key
-saml2 allow self registration=False
-saml2 default nameid=transient
-saml2 default email domain=opensuse.org
-saml2 session database url=postgresql://{{ pillar['profile']['identification']['database_user'] }}:{{ pillar['postgres']['users']['identification']['password'] }}@{{ pillar['profile']['identification']['database_host'] }}/ipsilon_saml2
-
-[saml2_data]
diff --git a/salt/profile/identification/files/id.opensuse.org.conf b/salt/profile/identification/files/id.opensuse.org.conf
deleted file mode 100644
index 3211444..0000000
--- a/salt/profile/identification/files/id.opensuse.org.conf
+++ /dev/null
@@ -1,54 +0,0 @@
-
- ServerName id.opensuse.org
- RewriteEngine on
- RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
-
- # This is for mapping $username.id.fp.o -> id.fp.o/id/$username
- RewriteEngine on
- RewriteMap lowercase int:tolower
- RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.opensuse\.org$
- RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
- RewriteRule ^([a-z0-9-]+)\.id\.opensuse\.org/.* /openid/id/$1/ [PT]
-
-
- Alias /ui /usr/share/ipsilon/ui
- WSGIScriptAlias / /usr/libexec/ipsilon
- WSGIPassAuthorization On
- WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
- WSGIApplicationGroup %{GLOBAL}
- WSGISocketPrefix /httpdir/run/wsgi
- WSGIRestrictStdout Off
- WSGIRestrictSignal Off
-
-
-
- WSGIProcessGroup ipsilon
-
-
-
- AuthName "GSSAPI Single Sign On Login"
- GssapiCredStore keytab:/etc/keytabs/ipsilon-keytab
- AuthType GSSAPI
- # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
- GssapiSSLonly Off
- GssapiLocalName on
- Require valid-user
- ErrorDocument 401 /login/gssapi/unauthorized
- ErrorDocument 500 /login/gssapi/failed
-
-
-
- Require all granted
-
-
-
- Require all granted
-
-
-
- Require all granted
-
-
- ForceType application/json
-
-
diff --git a/salt/profile/identification/files/ipsilon.conf b/salt/profile/identification/files/ipsilon.conf
index ef70878..74b96f8 100644
--- a/salt/profile/identification/files/ipsilon.conf
+++ b/salt/profile/identification/files/ipsilon.conf
@@ -20,4 +20,4 @@ tools.sessions.secure = True
tools.sessions.locking = 'explicit'
tools.proxy.on = True
-tools.proxy.base = "https://id.opensuse.org"
+tools.proxy.base = "https://sso.opensuse.org"
diff --git a/salt/profile/identification/files/sso.opensuse.org.conf b/salt/profile/identification/files/sso.opensuse.org.conf
new file mode 100644
index 0000000..d395b5d
--- /dev/null
+++ b/salt/profile/identification/files/sso.opensuse.org.conf
@@ -0,0 +1,47 @@
+
+ ServerName sso.opensuse.org
+ RewriteEngine on
+ RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
+
+ # This is for mapping $username.sso.o.o -> sso.o.o/id/$username
+ RewriteEngine on
+ RewriteMap lowercase int:tolower
+ RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.sso\.opensuse\.org$
+ RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
+ RewriteRule ^([a-z0-9-]+)\.sso\.opensuse\.org/.* /openid/id/$1/ [PT]
+
+
+ Alias /ui /usr/share/ipsilon/ui
+ WSGIScriptAlias / /usr/libexec/ipsilon
+ WSGIPassAuthorization On
+ WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
+ WSGIApplicationGroup %{GLOBAL}
+ WSGISocketPrefix /httpdir/run/wsgi
+ WSGIRestrictStdout Off
+ WSGIRestrictSignal Off
+
+
+
+ WSGIProcessGroup ipsilon
+
+
+
+ AuthName "GSSAPI Single Sign On Login"
+ GssapiCredStore keytab:/etc/keytabs/ipsilon-keytab
+ AuthType GSSAPI
+ # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
+ GssapiSSLonly Off
+ GssapiLocalName on
+ Require valid-user
+ ErrorDocument 401 /login/gssapi/unauthorized
+ ErrorDocument 500 /login/gssapi/failed
+
+
+
+ Require all granted
+
+
+
+ Require all granted
+
+
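Review bot: The per-user subdomain rewrite (`RewriteCond … ^[a-z0-9-]+\.sso\.opensuse\.org$`) only ever matches if Apache receives requests for those hostnames, but this vhost declares only `ServerName sso.opensuse.org` and no `ServerAlias *.sso.opensuse.org`, so unless the TLS-terminating proxy implied by the `GssapiSSLonly Off` comment routes them here, `$username.sso.opensuse.org` requests land in whatever vhost is the default. The OpenID identity URL template and the `openid`/`openidc endpoint url` values lived in the now-deleted `configuration.conf` with `id.opensuse.org` hard-coded, so the rename has to be reapplied by hand in the UI-exported config, and note that changing the identity domain changes users' OpenID claimed identifiers and the OIDC issuer at relying parties unless `id.opensuse.org` keeps resolving and redirecting, which nothing in this diff preserves. Lastly, the comment says the rule maps to `sso.o.o/id/$username` while the `RewriteRule` rewrites to `/openid/id/$1/`; I would write it as `# Maps $username.sso.opensuse.org/... -> /openid/id/$username/`.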
diff --git a/salt/profile/identification/ipsilon.sls b/salt/profile/identification/ipsilon.sls
index 4502d7c..e6b1774 100644
--- a/salt/profile/identification/ipsilon.sls
+++ b/salt/profile/identification/ipsilon.sls
@@ -3,10 +3,10 @@
ipsilon_dependencies:
pkg.installed:
- pkgs:
+ - apache2
- ipsilon
- - ipsilon-openid
+ - ipsilon-tools-ipa
- ipsilon-saml2
- - ipsilon-persona
- - ipsilon-authgssapi
+ - ipsilon-openid
- ipsilon-openidc
-
+ - ipsilon-theme-openSUSE
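Review bot: `ipsilon-authgssapi` is dropped from the package list, yet the new `sso.opensuse.org.conf` in this same commit still configures `AuthType GSSAPI` with `GssapiCredStore keytab:/etc/keytabs/ipsilon-keytab` and points `ErrorDocument 401` at `/login/gssapi/unauthorized`, and the deleted `configuration.conf` had `global enabled=gssapi` as the login method. If that package provides Ipsilon's GSSAPI login plugin (I cannot confirm its contents from here), Kerberos login breaks unless `ipsilon-tools-ipa` pulls it in; the Apache GSSAPI module is not listed here either. I would either restore `- ipsilon-authgssapi` or add a comment above `ipsilon_dependencies` stating which package now supplies the GSSAPI login path.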