# Environment for docker compose (read automatically).
#
# One KEY=value per line, no quoting or escaping; everything after `=` is the
# value. Blank lines and `#` lines are ignored.

# Public hostname: drives Caddy TLS and the IdP base URL / entityID.
# Changing it changes the entityID, so SPs that already hold this IdP's
# metadata will presumably need it re-exchanged - confirm before renaming.
IDP_DOMAIN=idp.example.com

# --- Service Provider metadata (no local DB) -------------------------------
# Two sources, tried local first:
#
#  1. Local files in ./data/metadata (mounted /data/metadata): self-contained SP
#     metadata (the SP's keys are in the file). Trusted as provided - no
#     signature check is applied on this path, so only add files obtained from
#     the SP over a channel you trust. Add with `just add-sp <file>`. No cert
#     needed for this path.
#
#  2. MDQ service: SPs fetched on demand by entityID and signature-verified
#     against SAML_IDP_METADATA_CERT (mandatory whenever MDQ is set).
#
# Point MDQ at the SWAMID QA endpoint; fetch the signing cert with `just swamid-cert`.
# That cert is the trust anchor for every SP fetched via MDQ: confirm its
# fingerprint against the value SWAMID publishes before relying on it, and keep
# it paired with the endpoint it signs for. NOTE(review): check whether the
# production feed uses a different signing cert before switching endpoints.
SAML_IDP_MDQ_URL=https://mds.swamid.se/qa/
SAML_IDP_METADATA_CERT=/data/swamid-signing.pem

# To use ONLY local files, leave SAML_IDP_MDQ_URL empty and use `just add-sp`.

# Support contact shown on the error page (the metadata errorURL target,
# required by SWAMID Tech 5.1.13). Optional.
# SAML_IDP_SUPPORT_EMAIL=support@example.com

# --- Demo accounts (optional overrides) ------------------------------------
# The values below are placeholders for local demos. For any instance reachable
# by others, set DJANGO_SECRET_KEY to a unique random value and keep it out of
# this file (host environment or a compose secret), and change DEMO_PASSWORD -
# or disable the demo account, if the application supports that.
# DEMO_PASSWORD=gamlastan
# DJANGO_SECRET_KEY=change-me
