feat(authentik-application): add saml support - WIP

authentik-application/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: authentik-application
 type: application
 
-version: 0.3.5
+version: 0.4.0
 description: "A Chart to deploy a secret for the authentik blueprint-sidecar."

authentik-application/README.md

@@ -1,6 +1,6 @@
 # authentik-application
 
-![Version: 0.3.5](https://img.shields.io/badge/Version-0.3.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Chart to deploy a secret for the authentik blueprint-sidecar.
 
@@ -121,7 +121,12 @@ helm uninstall authentik-application-release
 | blueprint.provider.proxy.ingress.domain | string | `nil` | domain of application (where outpost should be deployed) |
 | blueprint.provider.proxy.ingress.enabled | bool | `false` | deploy ingress on application domain for e.g. logout (WIP) |
 | blueprint.provider.proxy.skipPathRegex | string | `""` |  |
-| blueprint.provider.saml | string | `nil` |  |
+| blueprint.provider.saml.acsURL | string | `nil` | on nextcloud "/apps/user_saml/saml/acs"" |
+| blueprint.provider.saml.audience | string | `nil` | on nextcloud "/apps/user_saml/saml/metadata" |
+| blueprint.provider.saml.issuer | string | `nil` | default `blueprint.authentik.domain` with / at end |
+| blueprint.provider.saml.propertyMappings | list | `[]` |  |
+| blueprint.provider.saml.serviceProviderBinding | string | `"redirect"` | or "post" (on nextcloud "post") |
+| blueprint.provider.saml.singingCertificate | string | `nil` |  |
 | blueprint.provider.type | string | `"oidc"` | type of application connection, current support: oidc, saml and proxy |
 | secret.labels | object | `{}` | label of secret to store generated secret |
 | secret.name | string | `""` | name of secret to store generated secret (like clientI) |

authentik-application/files/provider/saml.yaml.gotmpl

@@ -0,0 +1,34 @@
+{{/*
+  https://github.com/goauthentik/authentik/blob/main/authentik/providers/saml/models.py
+*/}}
+{{- with get . "root" }}
+{{- $ := . }}
+
+- model: .SAMLPropertyMapping
+  attrs:
+    saml_name:
+    friendly_name:
+    # ---
+    pm_uuid:
+    name:
+    expression:
+
+- model: authentik_providers_saml.SAMLProvider
+  id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
+  identifiers:
+    name: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
+  state: present
+  attrs:
+    {{- with .Values.blueprint.provider.saml }}
+    acs_url: {{ .acsURL | quote }}
+    issuer: {{ .issuer | default (printf "%s/" $.Values.blueprint.authentik.domain) | quote }}
+    sp_binding: {{ .serviceProviderBinding | quote }}
+
+    {{- with .audience }}
+    audience: {{ . | quote }}
+    {{- end }}
+
+    # signing_kp:
+ 
+    {{- end }}{{/* end with-saml */}}
+{{- end }}{{/* end with of get-root */}}

authentik-application/values.yaml

@@ -30,6 +30,17 @@ blueprint:
       # -- Scope
       scopes:
     saml:
+      # -- on nextcloud "/apps/user_saml/saml/acs""
+      acsURL:
+      # -- default `blueprint.authentik.domain` with / at end
+      issuer:
+      # -- or "post" (on nextcloud "post")
+      serviceProviderBinding: "redirect"
+      # -- on nextcloud "/apps/user_saml/saml/metadata"
+      audience:
+      singingCertificate:
+      propertyMappings: []
+        
     proxy:
       externalHost:
       skipPathRegex: ""