Commit d14dd7df authored by Sandro Mathys's avatar Sandro Mathys

initial commit

# ansible-vault password file
.vault_password
# tls private key
ci/sp-key.pem
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
apiVersion: v2
name: shibboleth-sp
description: Shibboleth SP for SWITCHaai
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.1
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
appVersion: 3.2
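Review bot: `appVersion: 3.2` on the last line of Chart.yaml is an unquoted scalar that generic YAML tooling reads as the float 3.2, so a later bump to something like 3.20 would silently be read as 3.2 by linters, schema checks or scripts that parse the chart outside Helm. Helm's own loader keeps it as a string, and the labels helper already applies `| quote` when rendering it into `app.kubernetes.io/version`, so quoting at the source is the consistent choice: `appVersion: "3.2"`.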
TODO: write NOTES :)
{{- include "shibboleth-sp.validateValues" . }}
\ No newline at end of file
{{/*
Expand the name of the chart.
*/}}
{{- define "shibboleth-sp.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 54 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec),
and we want to append "-backend" and "-frontend" below.
If release name contains chart name it will be used as a full name.
*/}}
{{- define "shibboleth-sp.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 54 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 54 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 54 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{- define "shibboleth-sp.backend.fullname" -}}
{{- include "shibboleth-sp.fullname" . }}-backend
{{- end }}
{{- define "shibboleth-sp.frontend.fullname" -}}
{{- include "shibboleth-sp.fullname" . }}-frontend
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "shibboleth-sp.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "shibboleth-sp.labels" -}}
helm.sh/chart: {{ include "shibboleth-sp.chart" . }}
{{ include "shibboleth-sp.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- define "shibboleth-sp.backend.labels" -}}
helm.sh/chart: {{ include "shibboleth-sp.chart" . }}
{{ include "shibboleth-sp.backend.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- define "shibboleth-sp.frontend.labels" -}}
helm.sh/chart: {{ include "shibboleth-sp.chart" . }}
{{ include "shibboleth-sp.frontend.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "shibboleth-sp.selectorLabels" -}}
app.kubernetes.io/name: {{ include "shibboleth-sp.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- define "shibboleth-sp.backend.selectorLabels" -}}
{{ include "shibboleth-sp.selectorLabels" . }}
app.kubernetes.io/component: shibboleth
{{- end }}
{{- define "shibboleth-sp.frontend.selectorLabels" -}}
{{ include "shibboleth-sp.selectorLabels" . }}
app.kubernetes.io/component: apache
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "shibboleth-sp.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "shibboleth-sp.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
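Review bot: `shibboleth-sp.backend.labels` and `shibboleth-sp.frontend.labels` restate the whole body of `shibboleth-sp.labels` and differ from it only in which selector helper they include. Since `shibboleth-sp.backend.selectorLabels` and `shibboleth-sp.frontend.selectorLabels` are themselves `shibboleth-sp.selectorLabels` plus one `app.kubernetes.io/component` line, each component label helper could be `{{ include "shibboleth-sp.labels" . }}` followed by that single component line, leaving one place to maintain the common label set. Key order inside a label map is not significant to Kubernetes, so the rendered labels would be unchanged.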
{{/*
Compile all warnings into a single message, and call fail.
*/}}
{{- define "shibboleth-sp.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "shibboleth-sp.validateValues.podAntiAffinityPreset" .) -}}
{{- $messages := append $messages (include "shibboleth-sp.validateValues.route" .) -}}
{{- $messages := append $messages (include "shibboleth-sp.validateValues.backend.eduIDOnly_xor_interfederation" .) -}}
{{- $messages := append $messages (include "shibboleth-sp.validateValues.backend.shibboleth.configMap" .) -}}
{{- $messages := append $messages (include "shibboleth-sp.validateValues.backend.shibboleth.missingValues" .) -}}
{{- $messages := append $messages (include "shibboleth-sp.validateValues.backend.shibboleth.sessionCache_xor_memcached" .) -}}
{{- $messages := append $messages (include "shibboleth-sp.validateValues.backend.shibboleth.sessionCache.missingValues" .) -}}
{{- $messages := append $messages (include "shibboleth-sp.validateValues.backend.shibboleth.memcached.missingValues" .) -}}
{{- $messages := append $messages (include "shibboleth-sp.validateValues.frontend.apache.mainConfig" .) -}}
{{- $messages := append $messages (include "shibboleth-sp.validateValues.frontend.apache.modulesConfig" .) -}}
{{- $messages := append $messages (include "shibboleth-sp.validateValues.frontend.apache.sitesConfig" .) -}}
{{- $messages := append $messages (include "shibboleth-sp.validateValues.frontend.apache.sitesConfigMap" .) -}}
{{- $messages := append $messages (include "shibboleth-sp.validateValues.frontend.apache.missingValues" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\n\nshibboleth-sp - results of values validation:\n%s" $message | fail -}}
{{- end -}}
{{- end -}}
{{/*************
*** COMMON ***
*************/}}
{{- define "shibboleth-sp.validateValues.podAntiAffinityPreset" -}}
{{- if .Values.podAntiAffinityPreset -}}
{{- if not (or (eq .Values.podAntiAffinityPreset "soft") (eq .Values.podAntiAffinityPreset "hard")) }}
podAntiAffinityPreset
Illegal value: `podAntiAffinityPreset` must be set to "", "soft" or "hard", not "{{ .Values.podAntiAffinityPreset }}".
{{- end -}}
{{- end -}}
{{- end -}}
{{/*** ROUTE ***/}}
{{- define "shibboleth-sp.validateValues.route" -}}
{{- if and .Values.route.enabled -}}
{{- if .Values.route.letsencrypt -}}
{{- if eq .Values.route.tls.termination "passthrough" }}
route.letsencrypt
route.tls.termination
Conflict: can't enable `letsencrypt` is `termination` is set to `passthrough`.
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/**************
*** BACKEND ***
**************/}}
{{- define "shibboleth-sp.validateValues.backend.eduIDOnly_xor_interfederation" -}}
{{- if and .Values.backend.shibboleth.eduIDOnly .Values.backend.shibboleth.interfederation }}
backend.shibboleth.eduIDOnly
backend.shibboleth.interfederation
Conflict: can't enable both `eduIDOnly` and `interfederation` at the same time.
{{- end -}}
{{- end -}}
{{/* this is needed independent of whether a configMap is specified or not */}}
{{- if not .Values.backend.shibboleth.applicationDefaults.credentialResolver.activeSecretName }}
backend.shibboleth.applicationDefaults.credentialResolver.activeSecretName
Missing: `activeSecretName` must be specified.
{{- end -}}
{{- define "shibboleth-sp.validateValues.backend.shibboleth.configMap" -}}
{{- if .Values.backend.shibboleth.configMap }}
{{- if .Values.backend.shibboleth.version }}
backend.shibboleth.configMap
backend.shibboleth.version
Conflict: can't specify `version` if `configMap` is set.
{{- end -}}
{{- if .Values.backend.shibboleth.applicationDefaults.entityID }}
backend.shibboleth.configMap
backend.shibboleth.applicationDefaults.entityID
Conflict: can't specify `entityID` if `configMap` is set.
{{- end -}}
{{- if .Values.backend.shibboleth.applicationDefaults.homeURL }}
backend.shibboleth.configMap
backend.shibboleth.applicationDefaults.homeURL
Conflict: can't specify `homeURL` if `configMap` is set.
{{- end -}}
{{- if .Values.backend.shibboleth.applicationDefaults.remoteUser }}
backend.shibboleth.configMap
backend.shibboleth.applicationDefaults.remoteUser
Conflict: can't specify `remoteUser` if `configMap` is set.
{{- end -}}
{{- if .Values.backend.shibboleth.applicationDefaults.handlerSSL }}
backend.shibboleth.configMap
backend.shibboleth.applicationDefaults.sessions.handlerSSL
Conflict: can't specify `handlerSSL` if `configMap` is set.
{{- end -}}
{{- if .Values.backend.shibboleth.applicationDefaults.sessions.redirectLimit }}
backend.shibboleth.configMap
backend.shibboleth.applicationDefaults.sessions.redirectLimit
Conflict: can't specify `redirectLimit` if `configMap` is set.
{{- end -}}
{{- if .Values.backend.shibboleth.applicationDefaults.sessions.cookieProps }}
backend.shibboleth.configMap
backend.shibboleth.applicationDefaults.sessions.cookieProps
Conflict: can't specify `cookieProps` if `configMap` is set.
{{- end -}}
{{- if .Values.backend.shibboleth.applicationDefaults.errors.supportContact }}
backend.shibboleth.configMap
backend.shibboleth.applicationDefaults.errors.supportContact
Conflict: can't specify `supportContact` if `configMap` is set.
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "shibboleth-sp.validateValues.backend.shibboleth.missingValues" -}}
{{- if not .Values.backend.shibboleth.configMap }}
{{- if not .Values.backend.shibboleth.version }}
backend.shibboleth.configMap
backend.shibboleth.version
Missing: `version` must be specified if `configMap` is not specified.
{{- end -}}
{{- if not .Values.backend.shibboleth.applicationDefaults.entityID }}
backend.shibboleth.configMap
backend.shibboleth.applicationDefaults.entityID
Missing: `entityID` must be specified if `configMap` is not specified.
{{- end -}}
{{- if not .Values.backend.shibboleth.applicationDefaults.homeURL }}
backend.shibboleth.configMap
backend.shibboleth.applicationDefaults.homeURL
Missing: `homeURL` must be specified if `configMap` is not specified.
{{- end -}}
{{- if not .Values.backend.shibboleth.applicationDefaults.errors.supportContact }}
backend.shibboleth.configMap
backend.shibboleth.applicationDefaults.errors.supportContact
Missing: `supportContact` must be specified if `configMap` is not specified.
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "shibboleth-sp.validateValues.backend.shibboleth.sessionCache_xor_memcached" -}}
{{- if and .Values.backend.shibboleth.sessionCache.enabled .Values.backend.shibboleth.memcached.enabled }}
backend.shibboleth.sessionCache.enabled
backend.shibboleth.memcached.enabled
Conflict: can't enable both `sessionCache` and `memcached` at the same time.
{{- end -}}
{{- end -}}
{{/*** SESSION CACHE ***/}}
{{- define "shibboleth-sp.validateValues.backend.shibboleth.sessionCache.missingValues" -}}
{{- if .Values.backend.shibboleth.sessionCache.enabled }}
{{- if not .Values.backend.shibboleth.sessionCache.persistedAttributes }}
backend.shibboleth.sessionCache.persistedAttributes
Missing: `persistedAttributes` must be specified.
{{- end -}}
{{- if not .Values.backend.shibboleth.sessionCache.sealerKeysConfigMap }}
backend.shibboleth.sessionCache.sealerKeysConfigMap
Missing: `sealerKeysConfigMap` must be specified.
{{- end -}}
{{- end -}}
{{- end -}}
{{/*** MEMCACHED ***/}}
{{- define "shibboleth-sp.validateValues.backend.shibboleth.memcached.missingValues" -}}
{{- if and .Values.backend.shibboleth.memcached.enabled (not .Values.backend.shibboleth.memcached.hosts) }}
backend.shibboleth.memcached.hosts
Missing: `hosts` must be specified.
{{- end -}}
{{- end -}}
{{/***************
*** FRONTEND ***
***************/}}
{{- define "shibboleth-sp.validateValues.frontend.apache.mainConfig" -}}
{{- if and .Values.frontend.apache.mainConfigMap .Values.frontend.apache.extraMainConfig }}
frontend.apache.mainConfigMap
frontend.apache.extraMainConfig
Conflict: can't specify both `mainConfigMap` and `extraMainConfig`
{{- end -}}
{{- end -}}
{{- define "shibboleth-sp.validateValues.frontend.apache.modulesConfig" -}}
{{- if and .Values.frontend.apache.mainConfigMap .Values.frontend.apache.extraModulesConfig }}
frontend.apache.mainConfigMap
frontend.apache.extraModulesConfig
Conflict: can't specify both `mainConfigMap` and `extraModulesConfig`
{{- end -}}
{{- end -}}
{{- define "shibboleth-sp.validateValues.frontend.apache.sitesConfig" -}}
{{- if and .Values.frontend.apache.sitesConfigMap .Values.frontend.apache.extraSitesConfig }}
frontend.apache.sitesConfigMap
frontend.apache.extraSitesConfig
Conflict: can't specify both `sitesConfigMap` and `extraSitesConfig`
{{- end -}}
{{- end -}}
{{- define "shibboleth-sp.validateValues.frontend.apache.sitesConfigMap" -}}
{{- if .Values.frontend.apache.sitesConfigMap }}
{{- if .Values.frontend.apache.logLevel }}
frontend.apache.sitesConfigMap
frontend.apache.logLevel
Conflict: can't specify `logLevel` if `sitesConfigMap` is set.
{{- end -}}
{{- if .Values.frontend.apache.logFormat }}
frontend.apache.sitesConfigMap
frontend.apache.logFormat
Conflict: can't specify `logFormat` if `sitesConfigMap` is set.
{{- end -}}
{{- if .Values.frontend.apache.remoteURL }}
frontend.apache.sitesConfigMap
frontend.apache.remoteURL
Conflict: can't specify `remoteURL` if `sitesConfigMap` is set.
{{- end -}}
{{- if .Values.frontend.apache.accessRules }}
frontend.apache.sitesConfigMap
frontend.apache.accessRules
Conflict: can't specify `accessRules` if `sitesConfigMap` is set.
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "shibboleth-sp.validateValues.frontend.apache.missingValues" -}}
{{- if not .Values.frontend.apache.sitesConfigMap }}
{{- if not .Values.frontend.apache.remoteURL }}
frontend.apache.remoteURL
Missing: `remoteURL` must be specified if `sitesConfigMap` is not specified.
{{- end -}}
{{- if not .Values.frontend.apache.accessRules }}
frontend.apache.accessRules
Missing: `accessRules` must be specified if `sitesConfigMap` is not specified.
{{- end -}}
{{- end -}}
{{- end -}}
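Review bot: The `activeSecretName` check (the four lines that follow the `eduIDOnly_xor_interfederation` define, starting at the comment `this is needed independent of whether a configMap is specified or not`) sits outside every `define`, so its text is never appended to `$messages` and the aggregator's `fail` can never report it (and if this file were rendered at all, the text would leak into the output instead); move those lines into `shibboleth-sp.validateValues.backend.shibboleth.missingValues`, ahead of its `{{- if not .Values.backend.shibboleth.configMap }}`, so the check fires in both cases as the comment intends. In the `configMap` define, `{{- if .Values.backend.shibboleth.applicationDefaults.handlerSSL }}` reads a path that neither the message key nor the backend ConfigMap template uses (both say `applicationDefaults.sessions.handlerSSL`), so that conflict is never reported; it should be `{{- if .Values.backend.shibboleth.applicationDefaults.sessions.handlerSSL }}`. The `frontend.apache.modulesConfig` define compares `mainConfigMap` with `extraModulesConfig`, although the modules ConfigMap template is gated on `modulesConfigMap` and is where `extraModulesConfig` is rendered — this looks like a copy of the `mainConfig` check and should probably test `.Values.frontend.apache.modulesConfigMap` and name that key in the message. In the route message, `is` should read `if` (`can't enable letsencrypt if termination is set to passthrough`).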
{{ if not .Values.frontend.apache.baseConfigMap -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "shibboleth-sp.frontend.fullname" . }}-base
labels:
{{- include "shibboleth-sp.frontend.labels" . | nindent 4 }}
data:
base.conf: |
Include conf-enabled/*.conf
Include mods-enabled/*.conf
Include sites-enabled/*.conf
{{ end }}
{{ if not .Values.frontend.apache.mainConfigMap -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "shibboleth-sp.frontend.fullname" . }}-config
labels:
{{- include "shibboleth-sp.frontend.labels" . | nindent 4 }}
data:
000-main.conf: |
DefaultRuntimeDir run
PidFile run/apache2.pid
User www-data
Group www-data
Listen 8080
ServerName _
TypesConfig /etc/mime.types
HostnameLookups Off
# disable forward proxy as having it enabled can pose a security risk
ProxyRequests off
{{- if .Values.frontend.apache.extraMainConfig }}
100-custom.conf: |
{{ .Values.frontend.apache.extraMainConfig | nindent 4 }}
{{- end }}
{{ end }}
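Review bot: `100-custom.conf: |` is followed by `{{ .Values.frontend.apache.extraMainConfig | nindent 4 }}` without the leading `-` trim, unlike the equivalent `{{- ... | nindent 4 }}` lines in the modules and sites ConfigMaps, so this block scalar likely starts with an extra blank or whitespace-only line before the user's config. Apache tolerates that, but for consistency with the sibling templates write `{{- .Values.frontend.apache.extraMainConfig | nindent 4 }}`.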
{{ if not .Values.frontend.apache.modulesConfigMap -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "shibboleth-sp.frontend.fullname" . }}-modules
labels:
{{- include "shibboleth-sp.frontend.labels" . | nindent 4 }}
data:
000-basics.conf: |
# LoadModule log_config_module modules/mod_log_config.so # built-in
# LoadModule unixd_module modules/mod_unixd.so # built-in
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule mime_module modules/mod_mime.so
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
010-shibboleth.conf: |
LoadModule mod_shib modules/mod_shib.so
# never proxy this special url
ProxyPass "/Shibboleth.sso" !
<Location /Shibboleth.sso>
AuthType None
Require all granted
</Location>
{{- if .Values.frontend.apache.extraModulesConfig }}
100-custom.conf: |
{{- .Values.frontend.apache.extraModulesConfig | nindent 4 }}
{{- end }}
{{ end }}
{{ if not .Values.frontend.apache.sitesConfigMap -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "shibboleth-sp.frontend.fullname" . }}-sites
labels:
{{- include "shibboleth-sp.frontend.labels" . | nindent 4 }}
data:
000-proxy.conf: |
# log levels can be set for mod_shib individually by adding e.g. mod_shib:trace6
LogLevel {{ .Values.frontend.apache.logLevel | default "warn" }}
LogFormat {{ .Values.frontend.apache.logFormat | default "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" | quote }} custom
CustomLog "/dev/stdout" custom
ErrorLog "/dev/stderr"
<VirtualHost _default_:8080>
UseCanonicalName On
ServerName https://{{ tpl .Values.global.domainName . }}
ServerAlias https://*.{{ tpl .Values.global.domainName . }}
ServerAlias http://{{ tpl .Values.global.domainName . }}
ServerAlias http://*.{{ tpl .Values.global.domainName . }}
ProxyPreserveHost On
ProxyPass "/" "{{ .Values.frontend.apache.remoteURL }}"
ProxyPassReverse "/" "{{ .Values.frontend.apache.remoteURL }}"
<Location />
# This exception is required as OPTIONS requests come with no cookie
<LimitExcept OPTIONS>
Require shibboleth
AuthType shibboleth
ShibRequestSetting requireSession true
# https://www.switch.ch/aai/guides/sp/access-rules/
{{- if .Values.frontend.apache.accessRules }}
{{- .Values.frontend.apache.accessRules | nindent 10 }}
{{- end }}
</LimitExcept>
</Location>
</VirtualHost>
{{- if .Values.frontend.apache.extraSitesConfig }}
100-custom.conf: |
{{- .Values.frontend.apache.extraSitesConfig | nindent 4 }}
{{- end }}
{{ end }}
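Review bot: The `<LimitExcept OPTIONS>` block in `000-proxy.conf` exempts every OPTIONS request from `Require shibboleth`, so such requests reach `remoteURL` with no Shibboleth session; the inline comment explains why (preflight requests carry no cookie) but not what that means for the backend. Extend it to `# OPTIONS (CORS preflight) requests are proxied to remoteURL unauthenticated; the backend must not change state or reveal data on OPTIONS.` so whoever sets `remoteURL` knows the contract. The same caveat belongs on the `remoteURL` entry in the values file, which is not shown here.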
{{- if not .Values.backend.shibboleth.configMap -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "shibboleth-sp.backend.fullname" . }}-config
labels:
{{- include "shibboleth-sp.backend.labels" . | nindent 4 }}
data:
shibboleth2.xml: |
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
{{ if .Values.backend.shibboleth.memcached.enabled }}
<OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a">
<Extensions>
<Library path="memcache-store.so" fatal="true"/>
</Extensions>
</OutOfProcess>
<StorageService type="MEMCACHE" id="mc" prefix="{{ .Values.backend.shibboleth.memcached.prefix }}">
<Hosts>
{{ .Values.backend.shibboleth.memcached.hosts }}
</Hosts>
</StorageService>
<StorageService type="MEMCACHE" id="mc-ctx" prefix="{{ .Values.backend.shibboleth.memcached.prefix }}" buildMap="1">
<Hosts>
{{ .Values.backend.shibboleth.memcached.hosts }}
</Hosts>
</StorageService>
<SessionCache type="StorageService" StorageService="mc-ctx" StorageServiceLite="mc" />
<ReplayCache StorageService="mc" />
<ArtifactMap StorageService="mc" />
{{- else }}
<OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />
{{ if .Values.backend.shibboleth.sessionCache.enabled }}
<DataSealer type="Versioned" path="sealer.keys" />
<SessionCache type="StorageService" persistedAttributes="{{ .Values.backend.shibboleth.sessionCache.persistedAttributes }}" />
{{- end }}
{{- end }}
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="{{ tpl .Values.backend.shibboleth.applicationDefaults.entityID . }}"
homeURL="{{ .Values.backend.shibboleth.applicationDefaults.homeURL | default "/Shibboleth.sso/Session" }}"
{{- if .Values.backend.shibboleth.publicAttributes }}
metadataAttributePrefix="Meta-"
{{- end }}
REMOTE_USER="{{ .Values.backend.shibboleth.applicationDefaults.remoteUser | default "persistent-id uniqueID" }}"
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
and should be a relative path, with the SP computing the full value based on the virtual
host. Using handlerSSL="true" will force the protocol to be https. You should also set
cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to
"false", this makes an assertion stolen in transit easier for attackers to misuse.
-->
<Sessions lifetime="28800"
timeout="3600"
{{- if .Values.backend.shibboleth.memcached.enabled }}
relayState="ss:mc"
{{- else }}
relayState="ss:mem"
{{- end }}
checkAddress="false"
consistentAddress="true"
handlerSSL="{{ .Values.backend.shibboleth.applicationDefaults.sessions.handlerSSL | default "true" }}"
redirectLimit="{{ .Values.backend.shibboleth.applicationDefaults.sessions.redirectLimit | default "host" }}"
cookieProps="{{ tpl .Values.backend.shibboleth.applicationDefaults.sessions.cookieProps . | default "https" }}">
{{ if .Values.backend.shibboleth.eduIDOnly }}
<!-- Send user directly to edu-ID Identity Provider -->
<SSO entityID="https://eduid.ch/idp/shibboleth">
SAML2
</SSO>
{{- else }}
<!--
Configures SSO for a default IdP. To properly allow for >1 IdP, remove
entityID property and adjust discoveryURL to point to discovery service.
You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
<SSO discoveryProtocol="SAMLDS"