Merge branch 'sso_2.0' into 'master'

SSO Refactor for Global IdP values Closes #1361 See merge request !2321

Merge branch 'sso_2.0' into 'master'
e731912b · Micah Nagel · c1e0d157 · c8f187b7 · e731912b · e731912b
Commit e731912b authored 2 years ago by Micah Nagel
--- a/chart/templates/nexus-repository-manager/values.yaml
+++ b/chart/templates/nexus-repository-manager/values.yaml
@@ -77,7 +77,7 @@ sso:
    groupsAttribute: "{{ default "groups" $nexusValues.sso.idp_data.groups }}"
    validateResponseSignature: "true"
    validateAssertionSignature: "true"
-    idpMetadata: '{{ $nexusValues.sso.idp_data.idpMetadata }}'
+    idpMetadata: '{{ default (dig "saml" "metadata" "" .Values.sso) (dig "sso" "idp_data" "idpMetadata" "" $nexusValues) }}'
  realm:
    - "NexusAuthenticatingRealm"
    - "NexusAuthorizingRealm"

--- a/chart/templates/secrets/certificateauthority.yaml
+++ b/chart/templates/secrets/certificateauthority.yaml
 {{- /* Used for adding a trusted custom CA for SSO.  One per namespace. */ -}}
-{{- if (dig "certificate_authority" false .Values.sso) -}}
+{{- if (or (dig "certificate_authority" false .Values.sso) (dig "certificateAuthority" "cert" false .Values.sso)) -}}
 {{- range $ns := compact (splitList " " (include "uniqueNamespaces" (merge (dict "default" false "constraint" "sso.enabled") $))) -}}
 apiVersion: v1
 kind: Secret
@@ -11,7 +11,7 @@ metadata:
    {{- include "commonLabels" $ | nindent 4 }}
 type: Opaque
 data:
-  ca.pem: {{ $.Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" $.Values.sso) $.Values.sso.certificate_authority | b64enc }}
 ---
 {{ end -}}
 {{- end -}}
\ No newline at end of file
--- a/chart/templates/sonarqube/secret-ca.yaml
+++ b/chart/templates/sonarqube/secret-ca.yaml
-{{- if and  .Values.addons.sonarqube.enabled  .Values.addons.sonarqube.sso.enabled .Values.sso.certificate_authority }}
+{{- if and .Values.addons.sonarqube.enabled  .Values.addons.sonarqube.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.sso.secretName }}
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
  namespace: sonarqube
 type: Opaque
 data:
-  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
 {{- end }}
\ No newline at end of file
--- a/chart/templates/sonarqube/values.yaml
+++ b/chart/templates/sonarqube/values.yaml
@@ -44,10 +44,10 @@ sonarProperties:
  sonar.auth.saml.enabled: {{ .Values.addons.sonarqube.sso.enabled }}
  sonar.core.serverBaseURL: https://sonarqube.{{ $domainName }}
  sonar.auth.saml.applicationId: {{ .Values.addons.sonarqube.sso.client_id }}
-  sonar.auth.saml.providerName: {{ .Values.addons.sonarqube.sso.provider_name | default .Values.addons.sonarqube.sso.label }}
-  sonar.auth.saml.providerId: https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}
-  sonar.auth.saml.loginUrl: https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/saml
-  sonar.auth.saml.certificate.secured: {{ .Values.addons.sonarqube.sso.certificate }}
+  sonar.auth.saml.providerName: {{ coalesce .Values.addons.sonarqube.sso.provider_name .Values.addons.sonarqube.sso.label .Values.sso.name }}
+  sonar.auth.saml.providerId: {{ include "sso.url" . }}
+  sonar.auth.saml.loginUrl: {{ include "sso.saml.service" . }}
+  sonar.auth.saml.certificate.secured: {{ default (include "sso.saml.cert" .) .Values.addons.sonarqube.sso.certificate }}
  sonar.auth.saml.user.login: {{ .Values.addons.sonarqube.sso.login | default "login" }}
  sonar.auth.saml.user.name: {{ .Values.addons.sonarqube.sso.name | default "name" }}
  sonar.auth.saml.user.email: {{ .Values.addons.sonarqube.sso.email | default "email" }}

--- a/chart/templates/twistlock/values.yaml
+++ b/chart/templates/twistlock/values.yaml
@@ -4,7 +4,8 @@

 {{- define "bigbang.defaults.twistlock" -}}
 # hostname is deprecated and replaced with domain. But if hostname exists then use it.
-domain: {{ default .Values.domain .Values.hostname }}
+{{- $domainName := default .Values.domain .Values.hostname }}
+domain: {{ $domainName }}

 openshift: {{ .Values.openshift }}

@@ -52,12 +53,12 @@ console:
 sso:
  enabled: {{ .Values.twistlock.sso.enabled }}
  client_id: {{ .Values.twistlock.sso.client_id }}
-  provider_name: {{ .Values.twistlock.sso.provider_name }}
+  provider_name: {{ default .Values.sso.name .Values.twistlock.sso.provider_name }}
  provider_type: {{ .Values.twistlock.sso.provider_type }}
-  issuer_uri: {{ tpl .Values.twistlock.sso.issuer_uri . }}
-  idp_url: {{ tpl .Values.twistlock.sso.idp_url . }}
-  console_url: {{ tpl .Values.twistlock.sso.console_url . }}
+  issuer_uri: {{ default (include "sso.url" .) (tpl (default "" .Values.twistlock.sso.issuer_uri) .) }}
+  idp_url: {{ default (include "sso.saml.service" .) (tpl (default "" .Values.twistlock.sso.idp_url) .) }}
+  {{- $console := first (dig "istio" "console" "hosts" (list (printf "twistlock.%s" $domainName)) .Values.twistlock.values) }}
+  console_url: {{ tpl (default (printf "https://%s" $console) .Values.twistlock.sso.console_url) . }}
  groups: {{ .Values.twistlock.sso.groups }}
-  cert: {{ .Values.twistlock.sso.cert | quote }}
-
+  cert: {{ default (include "sso.saml.cert.withheaders" .) .Values.twistlock.sso.cert | quote }}
 {{- end -}}
--- a/chart/templates/wrapper/gitrepository.yaml
+++ b/chart/templates/wrapper/gitrepository.yaml
 {{- /* Used for GitOps of the BigBang package wrapper Helm chart.  Shared by all packages */ -}}
-{{- if .Values.wrapper -}}
+{{- if and .Values.wrapper (omit (default dict .Values.packages) "sample") -}}
 apiVersion: source.toolkit.fluxcd.io/v1beta1
 kind: GitRepository
 metadata:

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -48,37 +48,53 @@ git:
    publicKey: ""
    knownHosts: ""

-# -- Global SSO values used for BigBang deployments when sso is enabled, can be overridden by individual packages.
+# -- Global SSO values used for BigBang deployments when sso is enabled
 sso:
+  # -- Name of the identity provider.  This is used by some packages as the SSO login label.
+  name: SSO
+  # -- Base URL for the identity provider. For OIDC, this is the issuer.  For SAML this is the entityID.
+  url: https://login.dso.mil/auth/realms/baby-yoda
+
+  # -- Certificate authority for the identity provider's certificates
+  certificateAuthority:
+    # -- The certificate authority public certificate in .pem format.  Populating this will create a secret in each namespace that enables SSO.
+    cert: "" # See docs/assets/configs/example/dev-sso-values.yaml for an example
+    # -- The secret name to use for the certificate authority.  Can be manually populated if cert is blank.
+    secretName: tls-ca-sso
+
+  saml:
+    # -- SAML entityDescriptor (metadata) path
+    entityDescriptor: "{{ .Values.sso.url }}/protocol/saml/descriptor"
+    # -- SAML SSO Service path
+    service: "{{ .Values.sso.url }}/protocol/saml"
+    # -- Literal SAML XML metadata retrieved from `{{ .Values.sso.saml.entityDescriptor }}`.  Required for SSO in Nexus, Twistlock, or Sonarqube.
+    metadata: "" # See docs/assets/configs/example/dev-sso-values.yaml for an example
+    # NOTE: SAML attribute names may vary by package.  Use the package values to setup attribute names
+
+  # -- OIDC endpoints can be retrieved from `{{ .Values.sso.url }}/.well-known/openid-configuration`
  oidc:
-    # -- Domain for keycloak used for configuring SSO
-    host: login.dso.mil
-    # -- Keycloak realm containing clients
-    realm: baby-yoda
-
-  # -- Keycloak's certificate authority (PEM Format). Entered using chomp modifier (see docs/assets/configs/example/dev-sso-values.yaml for example). Used by authservice to support SSO for various packages
-  certificate_authority: ""
-
-  # -- Keycloak realm's json web key output, obtained at https://<keycloak-server>/auth/realms/<realm>/protocol/openid-connect/certs
-  jwks: ''
-
-  # -- Optional use of JWKS fetcher config for ease of use and automation. Fill in JWKS URI value of OIDC endpoint, can be found under the well known OpenID metadata configuration page of your provider.
-  jwks_uri: ""
-
-  # -- OIDC client ID used for packages authenticated through authservice
-  client_id: ""
-
-  # -- OIDC client secret used for packages authenticated through authservice
-  client_secret: ""
-
-  # -- OIDC token URL template string (to be used as default)
-  token_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token"
-
-  # -- OIDC auth URL template string (to be used as default)
-  auth_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth"
-
-  # -- Kubernetes Secret containing the sso.certificate_authority value for SSO enabled application namespaces
-  secretName: "tls-ca-sso"
+    # -- OIDC authorization path
+    authorization: "{{ .Values.sso.url }}/protocol/openid-connect/auth"
+    # -- OIDC logout / end session path
+    endSession: "{{ .Values.sso.url }}/protocol/openid-connect/logout"
+    # -- OIDC JSON Web Key Set (JWKS) path
+    jwksUri: "{{ .Values.sso.url }}/protocol/openid-connect/certs"
+    # -- OIDC token path
+    token: "{{ .Values.sso.url }}/protocol/openid-connect/token"
+    # -- OIDC user information path
+    userinfo: "{{ .Values.sso.url }}/protocol/openid-connect/userinfo"
+    # -- Literal OIDC JWKS data retrieved from JWKS Uri.  Only needed if `jwsksUri` is not defined.
+    jwks: ""
+    # -- Identity provider claim names that store metadata about the authenticated user.
+    claims:
+      # -- IdP's claim name used for the user's email address.
+      email: email
+      # -- IdP's claim name used for the user's full name
+      name: name
+      # -- IdP's claim name used for the username
+      username: preferred_username
+      # -- IdP's claim name used for the user's groups or roles
+      groups: groups

 # -- (Advanced) Flux reconciliation parameters.
 # The default values provided will be sufficient for the majority of workloads.
@@ -736,27 +752,13 @@ twistlock:
    # -- SAML client ID
    client_id: ""

-    # -- SAML Povider Alias (optional)
-    provider_name: ""
-
    # -- SAML Identity Provider. `shibboleth` is recommended by Twistlock support for Keycloak
+    # Possible values: okta, gsuite, ping, shibboleth, azure, adfs
    provider_type: "shibboleth"

-    # -- Identity Provider url with path to realm
-    issuer_uri: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}"
-
-    # -- SAML Identity Provider SSO URL
-    idp_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/saml"
-
-    # -- Console URL of the Twistlock app (optional)
-    console_url: "https://twistlock.{{ .Values.domain }}"
-
    # -- Groups attribute (optional)
    groups: ""

-    # -- X.509 Certificate from Identity Provider (i.e. Keycloak). See https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock/-/blob/main/docs/KEYCLOAK.md for format. Use the `|-` syntax for multiline string.
-    cert: ""
-
  # -- Values to passthrough to the twistlock chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git
  values: {}

@@ -800,9 +802,6 @@ addons:
      # -- ArgoCD OIDC client secret
      client_secret: ""

-      # -- ArgoCD SSO login text
-      provider_name: ""
-
      # -- ArgoCD SSO group roles, see docs for more details: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/
      groups: |
        g, Impact Level 2 Authorized, role:admin
@@ -918,24 +917,10 @@ addons:
      # -- Gitlab OIDC client secret
      client_secret: ""

-      # -- Gitlab SSO login button label
-      label: ""
-
      # -- Gitlab SSO Scopes, default is ["Gitlab"]
      scopes:
      - Gitlab

-      # -- GitLab SSO Issuer URI,
-      # Only needed if your SSO is non-Keycloak
-      issuer_uri: ""
-
-      # -- GitLab SSO End Session URI,
-      # Only needed if your SSO is non-Keycloak
-      end_session_uri: ""
-
-      # -- Gitlab SSO UID field
-      uid_field: preferred_username
-
    database:
      # -- Hostname of a pre-existing PostgreSQL database to use for Gitlab.
      # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.
@@ -1040,7 +1025,7 @@ addons:

      # -- NXRM SAML SSO Integration data
      idp_data:
-        # Nexus saml URL. example: "https://nexus.example.mil/service/rest/v1/security/saml/metadata"
+        # Nexus saml URL. example: "https://nexus.bigbang.dev/service/rest/v1/security/saml/metadata"
        entityId: ""

        # -- IdP Field Mappings
@@ -1059,10 +1044,6 @@ addons:
        # -- NXRM groups attribute (optional)
        groups: ""

-        # -- IDP SAML Metadata XML as a single line string in single quotes
-        # -- this information is public and does not require a secret
-        idpMetadata: ''
-
      # -- NXRM Role
      role:
        # the id must match the Keycloak group name (case sensitive)
@@ -1104,13 +1085,6 @@ addons:
      # -- SonarQube SAML client ID
      client_id: ""

-      # -- SonarQube SSO login button label
-      provider_name: ""
-
-      # -- SonarQube plaintext SAML sso certificate.
-      # example: MITCAYCBFyIEUjNBkqhkiG9w0BA....
-      certificate: ""
-
      # -- SonarQube login sso attribute.
      login: login

@@ -1198,14 +1172,14 @@ addons:
      gateway: ""

    sso:
-      # -- Toggle OIDC SSO for Anchore on and off.
+      # -- Toggle SAML SSO for Anchore on and off.
      # Enabling this option will auto-create any required secrets (Note: SSO requires an Enterprise license).
      enabled: false

-      # -- Anchore OIDC client ID
+      # -- Anchore SAML client ID
      client_id: ""

-      # -- Anchore OIDC client role attribute
+      # -- Anchore SAML client role attribute
      role_attribute: ""

    database:
@@ -1306,18 +1280,6 @@ addons:
      # -- Mattermost OIDC client secret
      client_secret: ""

-      # -- Mattermost OIDC auth endpoint
-      # To get endpoint values, see here: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/docs/keycloak.md#helm-values
-      auth_endpoint: ""
-
-      # -- Mattermost OIDC token endpoint
-      # To get endpoint values, see here: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/docs/keycloak.md#helm-values
-      token_endpoint: ""
-
-      # -- Mattermost OIDC user API endpoint
-      # To get endpoint values, see here: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/docs/keycloak.md#helm-values
-      user_api_endpoint: ""
-
    database:
      # -- Hostname of a pre-existing PostgreSQL database to use for Mattermost.
      # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.

--- a/docs/assets/configs/example/dev-sso-values.yaml
+++ b/docs/assets/configs/example/dev-sso-values.yaml
--- a/docs/assets/configs/example/google-auth-example-values.yaml
+++ b/docs/assets/configs/example/google-auth-example-values.yaml
@@ -6,6 +6,18 @@
 #   * kibana/es - https://www.elastic.co/guide/en/elasticsearch/reference/7.12/oidc-guide-stack.html
 #               - https://www.elastic.co/guide/en/kibana/current/kibana-authentication.html#oidc
 #
+sso:
+  name: Google SSO
+  url: https://accounts.google.com
+  oidc:
+    authorization: https://accounts.google.com/o/oauth2/v2/auth
+    endSession: ""
+    jwksUri: https://www.googleapis.com/oauth2/v3/certs
+    token: https://oauth2.googleapis.com/token
+    userinfo: https://openidconnect.googleapis.com/v1/userinfo
+    claims:
+      username: email
+      groups: ""

 monitoring:
  sso:
@@ -15,31 +27,17 @@ monitoring:
      client_secret: <client_secret>
      scopes: "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"
      allowed_domains: <allowed_domains>
-      auth_url: https://accounts.google.com/o/oauth2/auth
-      token_url: https://oauth2.googleapis.com/token
      signout_redirect_url: https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=https://grafana.bigbang.dev
 logging:
  sso:
    enabled: true
-    oidc:
-      realm: "Google" # optionally override the name used in the custom ES realm def and login page
    client_secret: "<client_secret>"
    client_id: "<client_id>"
    # additional fields (required to override keycloak defaults)
-    issuer: "https://accounts.google.com"
-    auth_url: "https://accounts.google.com/o/oauth2/v2/auth"
-    token_url: "https://oauth2.googleapis.com/token"
-    userinfo_url: "https://openidconnect.googleapis.com/v1/userinfo"
-    jwkset_url: "https://www.googleapis.com/oauth2/v3/certs"
-    claims_principal: email
    claims_principal_pattern: "<regex for allowed email domains>" # example: "^([^@]+)@leapfrog\\.ai$"
    requested_scopes:
      - openid
      - email
-    # required for keycloak - should be empty for google)
    signature_algorithm: ""
-    endsession_url: ""
-    claims_group: ""
-    claims_mail: ""
  license:
    trial: true
\ No newline at end of file
--- a/docs/developer/package-integration/supported.md
+++ b/docs/developer/package-integration/supported.md
@@ -28,7 +28,7 @@ After [graduating your package](https://repo1.dso.mil/platform-one/bbtoc/-/tree/

 1. Make sure the files described in this [document](./flux.md) have been generated in `chart/templates/<your-package-name>` directory

-1. More details about secret-*.yaml: The secret template is where the code for secrets go. Typically you will see secrets for imagePullSecret, sso, database, and possibly object storage. These secrets are a BigBang chart enhancement. They are created conditionally based on what the user enables in the config. For example if the app supports SSO and will need a Certificate Authority supplied to trust the connection to the IdP there should be a `secret-ca.yaml` template to populate a secret with the `sso.certificate_authority` value in the application namespace.
+1. More details about secret-*.yaml: The secret template is where the code for secrets go. Typically you will see secrets for imagePullSecret, sso, database, and possibly object storage. These secrets are a BigBang chart enhancement. They are created conditionally based on what the user enables in the config. For example if the app supports SSO and will need a Certificate Authority supplied to trust the connection to the IdP there should be a `secret-ca.yaml` template to populate a secret with the `sso.certificateAuthority.cert` value in the application namespace.

 1. Merge your default package values from `<your-package-git-folder>/bigbang/values.yaml` into `chart/values.yaml`.  Only the "standard" keys used across packages should be used.  Keep in mind that values can be passed directly to the package using `.Values.<package>.values`


--- a/docs/guides/deployment-scenarios/sso-quickstart.md
+++ b/docs/guides/deployment-scenarios/sso-quickstart.md
--- a/docs/understanding-bigbang/configuration/base-config.md
+++ b/docs/understanding-bigbang/configuration/base-config.md
@@ -36,17 +36,27 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | git.credentials.username | string | `""` | HTTP git credentials, both username and password must be provided |
 | git.credentials.caFile | string | `""` | HTTPS certificate authority file.  Required for any repo with a self signed certificate |
 | git.credentials.privateKey | string | `""` | SSH git credentials, privateKey, publicKey, and knownHosts must be provided |
-| sso | object | `{"auth_url":"https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth","certificate_authority":"","client_id":"","client_secret":"","jwks":"","jwks_uri":"","oidc":{"host":"login.dso.mil","realm":"baby-yoda"},"secretName":"tls-ca-sso","token_url":"https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token"}` | Global SSO values used for BigBang deployments when sso is enabled, can be overridden by individual packages. |
-| sso.oidc.host | string | `"login.dso.mil"` | Domain for keycloak used for configuring SSO |
-| sso.oidc.realm | string | `"baby-yoda"` | Keycloak realm containing clients |
-| sso.certificate_authority | string | `""` | Keycloak's certificate authority (PEM Format). Entered using chomp modifier (see docs/assets/configs/example/dev-sso-values.yaml for example). Used by authservice to support SSO for various packages |
-| sso.jwks | string | `""` | Keycloak realm's json web key output, obtained at https://<keycloak-server>/auth/realms/<realm>/protocol/openid-connect/certs |
-| sso.jwks_uri | string | `""` | Optional use of JWKS fetcher config for ease of use and automation. Fill in JWKS URI value of OIDC endpoint, can be found under the well known OpenID metadata configuration page of your provider. |
-| sso.client_id | string | `""` | OIDC client ID used for packages authenticated through authservice |
-| sso.client_secret | string | `""` | OIDC client secret used for packages authenticated through authservice |
-| sso.token_url | string | `"https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token"` | OIDC token URL template string (to be used as default) |
-| sso.auth_url | string | `"https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth"` | OIDC auth URL template string (to be used as default) |
-| sso.secretName | string | `"tls-ca-sso"` | Kubernetes Secret containing the sso.certificate_authority value for SSO enabled application namespaces |
+| sso | object | `{"certificateAuthority":{"cert":null,"secretName":"tls-ca-sso"},"name":"SSO","oidc":{"authorization":"{{ .Values.sso.url }}/protocol/openid-connect/auth","claims":{"email":"email","groups":"groups","name":"name","username":"preferred_username"},"endSession":"{{ .Values.sso.url }}/protocol/openid-connect/logout","jwks":null,"jwksUri":"{{ .Values.sso.url }}/protocol/openid-connect/certs","token":"{{ .Values.sso.url }}/protocol/openid-connect/token","userinfo":"{{ .Values.sso.url }}/protocol/openid-connect/userinfo"},"saml":{"attributes":{"email":"email","groups":"groups","name":"name","username":"login"},"entityDescriptor":"{{ .Values.sso.url }}/protocol/saml/descriptor","metadata":null,"service":"{{ .Values.sso.url }}/protocol/saml"},"url":"https://login.dso.mil/auth/realms/baby-yoda"}` | Global SSO values used for BigBang deployments when sso is enabled |
+| sso.name | string | `"SSO"` | Name of the identity provider.  This is used by some packages as the SSO login label. |
+| sso.url | string | `"https://login.dso.mil/auth/realms/baby-yoda"` | Base URL for the identity provider. For OIDC, this is the issuer.  For SAML this is the entityID. |
+| sso.certificateAuthority | object | `{"cert":null,"secretName":"tls-ca-sso"}` | Certificate authority for the identity provider's certificates |
+| sso.certificateAuthority.cert | string | `nil` | The certificate authority public certificate in .pem format.  Populating this will create a secret in each namespace that enables SSO. |
+| sso.certificateAuthority.secretName | string | `"tls-ca-sso"` | The secret name to use for the certificate authority.  Can be manually populated if cert is blank. |
+| sso.saml.entityDescriptor | string | `"{{ .Values.sso.url }}/protocol/saml/descriptor"` | SAML entityDescriptor (metadata) path |
+| sso.saml.service | string | `"{{ .Values.sso.url }}/protocol/saml"` | SAML SSO Service path |
+| sso.saml.metadata | string | `nil` | Literal SAML XML metadata retrieved from `{{ .Values.sso.saml.entityDescriptor }}`.  Required for SSO in Nexus, Twistlock, or Sonarqube. |
+| sso.oidc | object | `{"authorization":"{{ .Values.sso.url }}/protocol/openid-connect/auth","claims":{"email":"email","groups":"groups","name":"name","username":"preferred_username"},"endSession":"{{ .Values.sso.url }}/protocol/openid-connect/logout","jwks":null,"jwksUri":"{{ .Values.sso.url }}/protocol/openid-connect/certs","token":"{{ .Values.sso.url }}/protocol/openid-connect/token","userinfo":"{{ .Values.sso.url }}/protocol/openid-connect/userinfo"}` | OIDC endpoints can be retrieved from `{{ .Values.sso.url }}/.well-known/openid-configuration` |
+| sso.oidc.authorization | string | `"{{ .Values.sso.url }}/protocol/openid-connect/auth"` | OIDC authorization path |
+| sso.oidc.endSession | string | `"{{ .Values.sso.url }}/protocol/openid-connect/logout"` | OIDC logout / end session path |
+| sso.oidc.jwksUri | string | `"{{ .Values.sso.url }}/protocol/openid-connect/certs"` | OIDC JSON Web Key Set (JWKS) path |
+| sso.oidc.token | string | `"{{ .Values.sso.url }}/protocol/openid-connect/token"` | OIDC token path |
+| sso.oidc.userinfo | string | `"{{ .Values.sso.url }}/protocol/openid-connect/userinfo"` | OIDC user information path |
+| sso.oidc.jwks | string | `nil` | Literal OIDC JWKS data retrieved from JWKS Uri.  Only needed if `jwsksUri` is not defined. |
+| sso.oidc.claims | object | `{"email":"email","groups":"groups","name":"name","username":"preferred_username"}` | Identity provider claim names that store metadata about the authenticated user. |
+| sso.oidc.claims.email | string | `"email"` | IdP's claim name used for the user's email address. |
+| sso.oidc.claims.name | string | `"name"` | IdP's claim name used for the user's full name |
+| sso.oidc.claims.username | string | `"preferred_username"` | IdP's claim name used for the username |
+| sso.oidc.claims.groups | string | `"groups"` | IdP's claim name used for the user's groups or roles |
 | flux | object | `{"install":{"remediation":{"retries":-1}},"interval":"2m","rollback":{"cleanupOnFail":true,"timeout":"10m"},"test":{"enable":false},"timeout":"10m","upgrade":{"cleanupOnFail":true,"remediation":{"remediateLastFailure":true,"retries":3}}}` | (Advanced) Flux reconciliation parameters. The default values provided will be sufficient for the majority of workloads. |
 | networkPolicies | object | `{"controlPlaneCidr":"0.0.0.0/0","enabled":true,"nodeCidr":"","vpcCidr":"0.0.0.0/0"}` | Global NetworkPolicies settings |
 | networkPolicies.enabled | bool | `true` | Toggle all package NetworkPolicies, can disable specific packages with `package.values.networkPolicies.enabled` |

--- a/docs/understanding-bigbang/package-architecture/argocd.md
+++ b/docs/understanding-bigbang/package-architecture/argocd.md
@@ -57,7 +57,6 @@ addons:
      enabled: true
      client_id:
      client_secret: ""
-      provider_name: ""
      groups: |
        g, Impact Level 2 Authorized, role:admin
 ```

--- a/docs/understanding-bigbang/package-architecture/elasticsearch-kibana.md
+++ b/docs/understanding-bigbang/package-architecture/elasticsearch-kibana.md
@@ -97,13 +97,6 @@ logging:
 SSO integration for the eck stack requires a license (see below) and can be configured with the following values:

 ```yaml
-sso:
-  oidc:
-    # -- Domain for keycloak used for configuring SSO
-    host: login.dso.mil
-    # -- Keycloak realm containing clients
-    realm: baby-yoda
-
 logging:
  sso:
    # -- Toggle OIDC SSO for Kibana/Elasticsearch on and off.

--- a/docs/understanding-bigbang/package-architecture/kiali.md
+++ b/docs/understanding-bigbang/package-architecture/kiali.md
@@ -127,11 +127,7 @@ kiali:
    enabled: true
    client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-kiali
    client_secret: your_client_secret_or_empty_string
-# Kiali inherits/uses the global SSO settings for the host/realm
-sso:
-  oidc:
-    host: login.dso.mil
-    realm: baby-yoda
+# Kiali inherits/uses the global SSO settings at .sso
 ```

 If you require a more advanced SSO configuration there are additional ways to customize that are detailed in the [upstream OIDC docs](https://kiali.io/docs/configuration/authentication/openid/). This doc includes details on how to configure username, scope, timeout, proxies, and more. It also lists some [SSO provider specifics](https://kiali.io/docs/configuration/authentication/openid/#_provider_specific_instructions) which may be needed for configuring with different providers. If you want to provide any further configuration than what is included in the `kiali.sso` block, you can override the BB pre-configured SSO and pass values via `kiali.values.cr.spec.auth`.

--- a/docs/understanding-bigbang/package-architecture/mattermost.md
+++ b/docs/understanding-bigbang/package-architecture/mattermost.md
@@ -130,9 +130,6 @@ addons:
      enabled: true
      client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-mattermost
      client_secret: no-secret
-      auth_endpoint: https://login.dso.mil/oauth/authorize
-      token_endpoint: https://login.dso.mil/oauth/token
-      user_api_endpoint: https://login.dso.mil/api/v4/user
 ```

 ## Licensing

--- a/docs/understanding-bigbang/package-architecture/sonarqube.md
+++ b/docs/understanding-bigbang/package-architecture/sonarqube.md
@@ -84,19 +84,12 @@ addons:
 SSO integration can be configured by modifying the following settings in the bigbang chart.

 ```yaml
-sso:
-  oidc:
-    host: login.dso.mil
-    realm: baby-yoda
-
 addons:
  sonarqube:
    enabled: true
    sso:
      enabled: true
      client_id: ""
-      label: ""
-      certificate: ""
      login: login
      name: name
      email: email

--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
 domain: bigbang.dev

 sso:
-  # LetsEncrypt certificate authority
-  certificate_authority: |
-    -----BEGIN CERTIFICATE-----
-    MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
-    TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-    cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
-    WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
-    ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
-    MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
-    h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
-    0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
-    A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
-    T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
-    B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
-    B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
-    KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
-    OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
-    jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
-    qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
-    rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
-    HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
-    hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
-    ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
-    3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
-    NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
-    ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
-    TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
-    jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
-    oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
-    4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
-    mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
-    emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-    -----END CERTIFICATE-----
+  url: https://keycloak.bigbang.dev/auth/realms/baby-yoda

-  # Must be updated for every new deployment of Keycloak. Example of where to get the jwks:
-  # https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/openid-connect/certs
-  # must be single quoted and double quotes must be escaped like this \"xxxx\"
-  jwks: '{\"keys\":[{\"kid\":\"nZUXZDUyyAEKY4dJyargboayGxJmmlrhcoBoik-7040\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"qAl-BtUwp2ZVl7wix_8-pucv-jTK1L9QGFVW02kPYlFi0frg-OL9XsSB1MsJIEFfnDIZ_psvvWYoZkVnzibgVlfAjOQXyIevOWLpSlUK3BpWFnAfO-0oyQWSsclyE8-xpzTifL75SvbSvDp3JXVBa4UdgV2qsNs7xu99wipQ7cro2lpne5EIHv6eKJMeG1eFQS2DJrI6ydNOLrzHFOA3pAhZRphId6dxYWaKzH_tcR34uQ2gg-IgmGakYLFhG_P2ZrMdPqouej_WFoc9Y9hlHx8NALfA6uYe4aDCbWCTL1V1sZJjzVR7WiTDh7fIogTu_2ukpCOnXX_SaLadoulxLw\",\"e\":\"AQAB\",\"x5c\":[\"MIICoTCCAYkCBgF/iYn0azANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwHhcNMjIwMzE0MTc0NDUzWhcNMzIwMzE0MTc0NjMzWjAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoCX4G1TCnZlWXvCLH/z6m5y/6NMrUv1AYVVbTaQ9iUWLR+uD44v1exIHUywkgQV+cMhn+my+9ZihmRWfOJuBWV8CM5BfIh685YulKVQrcGlYWcB877SjJBZKxyXITz7GnNOJ8vvlK9tK8OncldUFrhR2BXaqw2zvG733CKlDtyujaWmd7kQge/p4okx4bV4VBLYMmsjrJ004uvMcU4DekCFlGmEh3p3FhZorMf+1xHfi5DaCD4iCYZqRgsWEb8/Zmsx0+qi56P9YWhz1j2GUfHw0At8Dq5h7hoMJtYJMvVXWxkmPNVHtaJMOHt8iiBO7/a6SkI6ddf9Jotp2i6XEvAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJwSLJ0eybbeBYPvXnawqpy6JSXJ/MnnRvSGN9tXJ2+d/QXMOEPwJaAaOrvFtpUQxyPELJ8nU/Ukf7AL2zWltsCLiwtTrJkC+BpbZYkb1UsByveBS5wTPfiNkFzHeGg+MxBjiju2y04P4kEngXhQh4ZIUdi+WJjew721nJa/tjrMfnuEsMjxY/tWnzkk8xkGgaApZpGyaj1tOmVH4GR6CeBU6459m/GXmGH5TCGwT3EyfpZ189te+xV73WZR/r2nDlGuuy//w/P4JGHh4lcCwLfPcOOH30otcPAgctyX9Takk4MkVjva+b9S88sGaWPg075bxA2sysmkuqEOULjdXjU=\"],\"x5t\":\"ihEvRimRNSdrnr_Fhnd4OElB3-E\",\"x5t#S256\":\"YNijWPCIhWA5xQTwyIfvlBN-UcMe46Um2ywE-ADiqjM\"}]}'
-  oidc:
-    host: keycloak.bigbang.dev
-    realm: baby-yoda
+  # LetsEncrypt certificate authority
+  certificateAuthority:
+    cert: |
+      -----BEGIN CERTIFICATE-----
+      MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+      TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+      cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+      WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+      ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+      MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+      h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+      0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+      A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+      T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+      B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+      B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+      KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+      OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+      jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+      qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+      rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+      HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+      hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+      ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+      3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+      NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+      ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+      TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+      jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+      oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+      4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+      mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+      emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+      -----END CERTIFICATE-----
+  saml:
+    # Retrieve from {{ .Values.sso.url }}/protocol/saml/descriptor
+    metadata: <md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak.bigbang.dev/auth/realms/baby-yoda"><md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>4CK69bW66HE2wph9VuBs0fTc1MaETSTpU1iflEkBHR4</ds:KeyName><ds:X509Data><ds:X509Certificate>MIICoTCCAYkCBgF/iYn0azANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwHhcNMjIwMzE0MTc0NDUzWhcNMzIwMzE0MTc0NjMzWjAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoCX4G1TCnZlWXvCLH/z6m5y/6NMrUv1AYVVbTaQ9iUWLR+uD44v1exIHUywkgQV+cMhn+my+9ZihmRWfOJuBWV8CM5BfIh685YulKVQrcGlYWcB877SjJBZKxyXITz7GnNOJ8vvlK9tK8OncldUFrhR2BXaqw2zvG733CKlDtyujaWmd7kQge/p4okx4bV4VBLYMmsjrJ004uvMcU4DekCFlGmEh3p3FhZorMf+1xHfi5DaCD4iCYZqRgsWEb8/Zmsx0+qi56P9YWhz1j2GUfHw0At8Dq5h7hoMJtYJMvVXWxkmPNVHtaJMOHt8iiBO7/a6SkI6ddf9Jotp2i6XEvAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJwSLJ0eybbeBYPvXnawqpy6JSXJ/MnnRvSGN9tXJ2+d/QXMOEPwJaAaOrvFtpUQxyPELJ8nU/Ukf7AL2zWltsCLiwtTrJkC+BpbZYkb1UsByveBS5wTPfiNkFzHeGg+MxBjiju2y04P4kEngXhQh4ZIUdi+WJjew721nJa/tjrMfnuEsMjxY/tWnzkk8xkGgaApZpGyaj1tOmVH4GR6CeBU6459m/GXmGH5TCGwT3EyfpZ189te+xV73WZR/r2nDlGuuy//w/P4JGHh4lcCwLfPcOOH30otcPAgctyX9Takk4MkVjva+b9S88sGaWPg075bxA2sysmkuqEOULjdXjU=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml/resolve" index="0"></md:ArtifactResolutionService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService></md:IDPSSODescriptor></md:EntityDescriptor>

 flux:
  timeout: 20m
@@ -825,7 +823,6 @@ addons:
      enabled: false
      client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_argocd
      client_secret: anything-for-dev
-      provider_name: "P1 SSO"
      groups: |
        g, Impact Level 2 Authorized, role:admin
    values:
@@ -1174,8 +1171,6 @@ addons:
    sso:
      enabled: false
      client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_saml-sonarqube
-      provider_name: "P1 SSO"
-      certificate: MIICoTCCAYkCBgF/iYn0azANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwHhcNMjIwMzE0MTc0NDUzWhcNMzIwMzE0MTc0NjMzWjAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoCX4G1TCnZlWXvCLH/z6m5y/6NMrUv1AYVVbTaQ9iUWLR+uD44v1exIHUywkgQV+cMhn+my+9ZihmRWfOJuBWV8CM5BfIh685YulKVQrcGlYWcB877SjJBZKxyXITz7GnNOJ8vvlK9tK8OncldUFrhR2BXaqw2zvG733CKlDtyujaWmd7kQge/p4okx4bV4VBLYMmsjrJ004uvMcU4DekCFlGmEh3p3FhZorMf+1xHfi5DaCD4iCYZqRgsWEb8/Zmsx0+qi56P9YWhz1j2GUfHw0At8Dq5h7hoMJtYJMvVXWxkmPNVHtaJMOHt8iiBO7/a6SkI6ddf9Jotp2i6XEvAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJwSLJ0eybbeBYPvXnawqpy6JSXJ/MnnRvSGN9tXJ2+d/QXMOEPwJaAaOrvFtpUQxyPELJ8nU/Ukf7AL2zWltsCLiwtTrJkC+BpbZYkb1UsByveBS5wTPfiNkFzHeGg+MxBjiju2y04P4kEngXhQh4ZIUdi+WJjew721nJa/tjrMfnuEsMjxY/tWnzkk8xkGgaApZpGyaj1tOmVH4GR6CeBU6459m/GXmGH5TCGwT3EyfpZ189te+xV73WZR/r2nDlGuuy//w/P4JGHh4lcCwLfPcOOH30otcPAgctyX9Takk4MkVjva+b9S88sGaWPg075bxA2sysmkuqEOULjdXjU=
      login: login
      name: name
      email: email
@@ -1294,7 +1289,7 @@ addons:

  nexusRepositoryManager:
    enabled: false
-    # Nexus requires manual configuration in Keycloak client and cannot be tested with login.dso.mil
+    # Nexus requires manual configuration in Keycloak client and cannot be tested with 
    # you must test with your own dev deployment.  Example: keycloak.bigbang.dev
    # See more info in Nexus Package docs /docs/keycloak.md
    # Nexus SSO is behind a paywall. You must have a valid license to enable SSO
@@ -1313,10 +1308,6 @@ addons:
        lastName: "lastName"
        email: "email"
        groups: "groups"
-        # -- IDP SAML Metadata XML as a single line string in single quotes
-        # -- this information is public and does not require a secret
-        # curl https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml/descriptor ; echo
-        idpMetadata: 'enter-single-quoted-single-line-string-here'
      role:
        # id is the name of the Keycloak group (case sensitive)
        - id: "Nexus"