@mlbiam
Last active April 5, 2023 00:48
aws-sts-openunison
---
apiVersion: openunison.tremolo.io/v2
kind: Application
metadata:
  labels:
    app.kubernetes.io/component: openunison-applications
    app.kubernetes.io/instance: openunison-orchestra-login-portal
    app.kubernetes.io/name: openunison
    app.kubernetes.io/part-of: openunison
  name: aws
  namespace: openunison
spec:
  azTimeoutMillis: 3000
  cookieConfig:
    cookiesEnabled: true
    domain: '#[OU_HOST]'
    httpOnly: true
    keyAlias: session-unison
    logoutURI: /logout
    scope: -1
    secure: true
    sessionCookieName: tremolosession
    timeout: 900
  isApp: false
  urls:
  - azRules:
    - constraint: o=Tremolo
      scope: dn
    filterChain: []
    hosts:
    - '#[OU_HOST]'
    idp:
      className: com.tremolosecurity.idp.providers.Saml2Idp
      mappings:
        map:
        - sourceType: user
          targetAttributeName: sub
          targetAttributeSource: sub
        strict: true
      params:
        sigKey: unison-saml2-rp-sig
      trusts: []
    results:
      auFail: default-login-failure
      azFail: default-login-failure
    uri: /auth/idp/aws
---
apiVersion: openunison.tremolo.io/v2
kind: Application
metadata:
  labels:
    app.kubernetes.io/component: openunison-applications
    app.kubernetes.io/instance: openunison-orchestra-login-portal
    app.kubernetes.io/name: openunison
    app.kubernetes.io/part-of: openunison
  name: aws-token
  namespace: openunison
spec:
  azTimeoutMillis: 3000
  cookieConfig:
    cookiesEnabled: false
    domain: '#[OU_HOST]'
    httpOnly: true
    keyAlias: session-unison
    logoutURI: /logout
    scope: -1
    secure: true
    sessionCookieName: tremolosession
    timeout: 900
  isApp: true
  urls:
  - authChain: oauth2k8s
    azRules:
    - constraint: o=Tremolo
      scope: dn
    filterChain:
    - className: com.tremolosecurity.scalejs.token.ws.ScaleToken
      params:
        displayNameAttribute: sub
        frontPage.text: AWS Environment Token
        frontPage.title: AWS Environment Token
        homeURL: /scale/
        logoutURL: /logout
        tokenClassName: "com.tremolosecurity.proxy.token.AwsTokens"
        uidAttribute: "sub"
        sigKeyName: unison-saml2-rp-sig
        issuer: https://#[OU_HOST]/auth/idp/aws
        recipient: https://signin.aws.amazon.com/saml
        audience: "urn:amazon:webservices"
        minAlive: "15"
        idpName: "arn:aws:iam::xxxxx:saml-provider/kube-saml2"
        roleName: "arn:aws:iam::xxxxx:role/kube-saml2"
        warnMinutesLeft: "5"
    hosts:
    - '#[OU_HOST]'
    results: {}
    uri: /aws/token
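The aws-token parameters above (issuer, recipient, audience, idpName, roleName) are exactly the values AWS STS checks when it receives a SAML assertion in AssumeRoleWithSAML. The following is an added example, not code from the gist or from OpenUnison: it builds the SAML Response shape AWS reads from those parameter values and lint-checks them against what STS accepts and against the Saml2Idp uri in the aws Application. The hostname ou.example.com and the subject k8s-user are constructed; that AwsTokens produces a Response of this shape is an assumption about OpenUnison internals, not something the gist states. Signing is omitted (the real issuer signs with the sigKeyName key and AWS rejects unsigned assertions), so this models the structure, not a working login.

```python
import base64
import datetime as dt
import re
import uuid
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"
IDP_URI = "/auth/idp/aws"  # uri of the Saml2Idp in the gist's aws Application
ARN_RE = re.compile(r"^arn:aws:iam::([^:]*):(role|saml-provider)/[\w+=,.@/-]+$")
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML2)

# Values copied from the gist's aws-token filterChain; OU_HOST is resolved to a
# constructed hostname and the account id is still the gist's placeholder.
TOKEN_PARAMS = {
    "issuer": "https://ou.example.com" + IDP_URI,
    "recipient": "https://signin.aws.amazon.com/saml",
    "audience": "urn:amazon:webservices",
    "idpName": "arn:aws:iam::xxxxx:saml-provider/kube-saml2",
    "roleName": "arn:aws:iam::xxxxx:role/kube-saml2",
}


def q(ns, tag):
    return "{%s}%s" % (ns, tag)


def lint(params, duration_seconds):
    """Findings about the parameters; an empty list means they are consistent
    with what AWS STS accepts and with the IdP uri in the aws Application."""
    findings = []
    if params["audience"] != "urn:amazon:webservices":
        findings.append("audience must be urn:amazon:webservices")
    if params["recipient"] != "https://signin.aws.amazon.com/saml":
        findings.append("recipient is not the AWS SAML sign-in endpoint")
    if not (params["issuer"].startswith("https://") and params["issuer"].endswith(IDP_URI)):
        findings.append(f"issuer must be https://<OU_HOST>{IDP_URI}, the EntityID registered in IAM")
    accounts = set()
    for key, kind in (("roleName", "role"), ("idpName", "saml-provider")):
        m = ARN_RE.match(params[key])
        if not m or m.group(2) != kind:
            findings.append(f"{key} is not an IAM {kind} ARN")
            continue
        if not re.fullmatch(r"\d{12}", m.group(1)):  # gist ships xxxxx here
            findings.append(f"{key} still carries placeholder account id {m.group(1)!r}")
        accounts.add(m.group(1))
    if len(accounts) > 1:
        findings.append("role and SAML provider must be in the same account")
    if not 900 <= duration_seconds <= 43200:  # AWS bounds for DurationSeconds
        findings.append("DurationSeconds must be between 900 and 43200")
    return findings


def build_response(params, subject, duration_seconds, now=None):
    """Unsigned samlp:Response carrying the attributes AWS reads. A real issuer
    signs the Assertion (sigKeyName in the gist); AWS rejects unsigned ones."""
    now = now or dt.datetime.now(dt.timezone.utc)
    def stamp(t): return t.strftime("%Y-%m-%dT%H:%M:%SZ")
    until = stamp(now + dt.timedelta(seconds=duration_seconds))
    resp = ET.Element(q(SAMLP, "Response"), ID="_" + uuid.uuid4().hex, Version="2.0",
                      IssueInstant=stamp(now), Destination=params["recipient"])
    ET.SubElement(resp, q(SAML2, "Issuer")).text = params["issuer"]
    status = ET.SubElement(resp, q(SAMLP, "Status"))
    ET.SubElement(status, q(SAMLP, "StatusCode"),
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    a = ET.SubElement(resp, q(SAML2, "Assertion"), ID="_" + uuid.uuid4().hex,
                      Version="2.0", IssueInstant=stamp(now))
    ET.SubElement(a, q(SAML2, "Issuer")).text = params["issuer"]
    subj = ET.SubElement(a, q(SAML2, "Subject"))
    ET.SubElement(subj, q(SAML2, "NameID")).text = subject
    conf = ET.SubElement(subj, q(SAML2, "SubjectConfirmation"),
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(conf, q(SAML2, "SubjectConfirmationData"),
                  Recipient=params["recipient"], NotOnOrAfter=until)
    cond = ET.SubElement(a, q(SAML2, "Conditions"), NotBefore=stamp(now), NotOnOrAfter=until)
    ET.SubElement(ET.SubElement(cond, q(SAML2, "AudienceRestriction")),
                  q(SAML2, "Audience")).text = params["audience"]
    stmt = ET.SubElement(a, q(SAML2, "AttributeStatement"))
    # AWS reads Role as "<role ARN>,<provider ARN>" and requires RoleSessionName.
    for name, value in (("Role", f"{params['roleName']},{params['idpName']}"),
                        ("RoleSessionName", subject),
                        ("SessionDuration", str(duration_seconds))):
        attr = ET.SubElement(stmt, q(SAML2, "Attribute"), Name=AWS_ATTR + name)
        ET.SubElement(attr, q(SAML2, "AttributeValue")).text = value
    return resp


def attribute_values(response):
    # Attribute Name -> AttributeValue text, the view STS takes of the assertion.
    return {attr.get("Name"): attr.find(q(SAML2, "AttributeValue")).text
            for attr in response.iter(q(SAML2, "Attribute"))}


def sts_args(params, response, duration_seconds):
    """Keyword arguments for boto3 sts.assume_role_with_saml(); SAMLAssertion is
    the base64 of the whole serialized Response, not only the Assertion."""
    raw = ET.tostring(response, encoding="utf-8")
    return {"RoleArn": params["roleName"], "PrincipalArn": params["idpName"],
            "SAMLAssertion": base64.b64encode(raw).decode("ascii"),
            "DurationSeconds": duration_seconds}
```

Run `lint(TOKEN_PARAMS, 3600)` against the gist values and the only findings are the two `xxxxx` placeholder account ids; with real 12-digit ids in both ARNs it returns an empty list. `boto3.client("sts").assume_role_with_saml(**sts_args(...))` is the call that turns a signed Response into temporary credentials, which, assuming AwsTokens behaves as its parameter names suggest, is what the /aws/token screen surfaces to the user.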