<?php
/**
 * SAML Authentication Configuration with Group-Based Admin Assignment
 *
 * Group-Based Admin Assignment:
 * ────────────────────────────────────────────────────────────────────────
 * To make members of specific Authentik groups admins in Xibo:
 *
 * 1. In Authentik, create a custom property mapping for your SAML provider:
 *    - Name: saml-usertypeid
 *    - Expression: Return "1" if user in admin group, else return empty string
 *    - Example: return "1" if user.groups.all() | selectattr("name", "equalto", "OTS IT") else ""
 *
 * 2. Attach this mapping to the SAML provider via the API or UI
 *
 * 3. The usertypeid mapping below will read this attribute from the SAML response
 *
 * 4. On JIT provisioning, Xibo will assign users with usertypeid=1 as super-admins
 *
 * Excluded Groups:
 * ────────────────────────────────────────────────────────────────────────
 * Groups listed in {{EXCLUDED_GROUPS}} are not synced to Xibo during provisioning.
 * However, users in excluded groups can still log in via SSO (they'll use the
 * default 'Users' group). Use this to prevent internal admin groups from appearing
 * as Xibo user groups.
 */

$authentication = new \Xibo\Middleware\SAMLAuthentication();
$samlSettings = [
    'workflow' => [
        'jit' => true,
        'field_to_identify' => 'UserName',
        'libraryQuota' => 1000,
        'homePage' => 'icondashboard.view',
        'slo' => true,
        'mapping' => [
            'UserID' => '',
            // usertypeid: Set to 1 (super-admin) for members of admin groups.
            // Requires a custom SAML property mapping in Authentik (see notes above).
            'usertypeid' => 'http://schemas.goauthentik.io/2021/02/saml/usertypeid',
            'UserName' => 'http://schemas.goauthentik.io/2021/02/saml/username',
            'email' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
        ],
        'group' => 'Users',
        'matchGroups' => [
            'enabled' => true,
            'attribute' => 'http://schemas.goauthentik.io/2021/02/saml/groups',
            'extractionRegEx' => null,
        ],
    ],
    'strict' => true,
    'debug' => true,
    'baseurl' => '{{SAML_BASE_URL}}',
    'idp' => [
        'entityId' => '{{AUTHENTIK_IDP_ENTITY_ID}}',
        'singleSignOnService' => [
            'url' => '{{AUTHENTIK_SSO_URL}}',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        'singleLogoutService' => [
            'url' => '{{AUTHENTIK_SLO_URL}}',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        'x509cert' => '{{AUTHENTIK_IDP_X509_CERT}}',
    ],
    'sp' => [
        'entityId' => '{{SAML_SP_ENTITY_ID}}',
        'assertionConsumerService' => [
            'url' => '{{SAML_BASE_URL}}/acs',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ],
        'singleLogoutService' => [
            'url' => '{{SAML_BASE_URL}}/sls',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        'x509cert' => '',
        'privateKey' => '',
    ],
    'security' => [
        'nameIdEncrypted' => false,
        'authnRequestsSigned' => false,
        'logoutRequestSigned' => false,
        'logoutResponseSigned' => false,
        'signMetadata' => false,
        'wantMessagesSigned' => false,
        'wantAssertionsSigned' => false,
        'wantAssertionsEncrypted' => false,
        'wantNameIdEncrypted' => false,
    ],
];

// {{ EXCLUDED_GROUPS_COMMENT: Groups to exclude from Xibo sync: OTS IT }}