config.dist.php 8.65 KB
Newer Older
haemmer's avatar
haemmer committed
1
<?php // Copyright (c) 2011, SWITCH - Serving Swiss Universities
haemmer's avatar
haemmer committed
2

haemmer's avatar
haemmer committed
3
4
5
6
7
//******************************************************************************
// This file contains the WAYF/DS configuration. Adapt the settings to reflect
// your environment and then do some testing before deploying the WAYF.
//******************************************************************************

8
9
// 1. Language settings
//*********************
haemmer's avatar
haemmer committed
10
11
$defaultLanguage = 'en'; 

12
13
// 2. Cookie settings
//*******************
haemmer's avatar
haemmer committed
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

// Domain within the WAYF cookei shall be readable. Must start with a .
$commonDomain = '.switch.ch';

// Optionnal cookie name prefix in case you run several 
// instances of the WAYF in the same domain. 
// Example: $cookieNamePrefix = '_mywayf';
$cookieNamePrefix = '';

// Names of the cookies where to store the settings to temporarily
// redirect users transparently to their last selected IdP
$redirectCookieName = $cookieNamePrefix.'_redirect_user_idp';
$redirectStateCookieName = $cookieNamePrefix.'_redirection_state';

// Stores last selected IdPs 
// This value shouldn't be changed because _saml_idp is the officilly
// defined name in the SAML specification
$SAMLDomainCookieName = $cookieNamePrefix.'_saml_idp';

// Stores last selected SP
// This value can be choosen as you like because it is something specific
// to this WAYF implementation. It can be used to display help/contact 
// information on a page in the same domain as $commonDomain by accessing
// the federation metadata and parsing out the contact information of the 
// selected IdP and SP using $SAMLDomainCookieName and $SPCookieName
$SPCookieName = $cookieNamePrefix.'_saml_sp';

41
// If enabled cookies are set/transmitted only via https connections
42
43
// and the http only option is set to prevent javascripts from reading the
// cookies
44
45
46
47
$cookieSecurity = false;

// Number of days longterm cookies shall be valid
$cookieValidity = 100;
haemmer's avatar
haemmer committed
48

49
50
// 3. Features and extensions
//***************************
haemmer's avatar
haemmer committed
51
52
53
54

// Whether to show the checkbox to permanently remember a setting
$showPermanentSetting = false;

55
56
57
// Whether or not to use the search-as-you-type feature of the drop down list
$userImprovedDropDownList = true;

58
59
// Set to true in order to enable reading the Identity Provider from a SAML2 
// metadata file defined below in $metadataFile
haemmer's avatar
haemmer committed
60
$useSAML2Metadata = false; 
haemmer's avatar
haemmer committed
61

62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
  // If true parsed metadata shall have precedence if there are entries defined 
  // in metadata as well as the local IDProviders configuration file.
  // Requires $useSAML2Metadata to be true
  $SAML2MetaOverLocalConf = false;

  // If includeLocalConfEntries parameter is set to true, Identity Providers
  // not listed in metadata but defined in the local IDProviders file will also
  // be displayed in the drop down list. This is required if you need to add 
  // local exceptions over the federation metadata
  // Requires $useSAML2Metadata to be true
  $includeLocalConfEntries = true;

  // Whether the return parameter is checked against SAML2 metadata or not
  // The Discovery Service specification says the DS SHOULD check this in order
  // to mitigate phising problems.
  // The return parameter will only be checked if the Service Provider's metadata 
  // contains an <idpdisc:DiscoveryResponse> or if the assertion consumer url 
  // check below is enabled
  // Requires $useSAML2Metadata to be true
  $enableDSReturnParamCheck = true;

    // If true, the return parameter is checked for Service Providers that
    // don't have and <idpdisc:DiscoveryResponse> extension set. Instead of this
    // extension, the hostnames of the assertion consumer URLs are used to check 
    // the return parameter against. 
    // This feature is useful in case the Service Provider's metadata doesn't contain 
    // a <idpdisc:DiscoveryResponse> extension. It increases security for Service 
    // Provider's that don't have an <idpdisc:DiscoveryResponse> extensions.
    // Requires $useSAML2Metadata and $enableDSReturnParamCheck to be true
    $useACURLsForReturnParamCheck = false;
92

93
// Whether to turn on Kerberos support for Identity Provider preselection
haemmer's avatar
haemmer committed
94
95
$useKerberos = false;

96
97
// If enabled, the user's IP is used for a reverse DNS lookup whose resulting 
// domain name then is matched with the URN values of the Identity Providers
haemmer's avatar
haemmer committed
98
99
$useReverseDNSLookup = false;

100
// Whether the JavaScript required for embedding the WAYF
haemmer's avatar
haemmer committed
101
// on a remote site shall be generated or not
102
103
104
105
106
107
// Lowers security against phising!
// If this value is set to true, any web page in the world can 
// (with some efforts) find out with a high probability from which 
// organization a user is from. This could be misused for phishing attacks. 
// Therefore, only enable this feature if you know what you are doing!
$useEmbeddedWAYF = false;
haemmer's avatar
haemmer committed
108

109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
  // If enabled the Embedded WAYF will prevent releasing information
  // about the user's preselected Identity Provider 
  // While this is benefical to the data protection of the user, it will also
  // prevent preselecting the user's Identity Provider. Thus, users will have
  // to preselect their IdP each and every time
  // Requires $useEmbeddedWAYF to be true
  $useEmbeddedWAYFPrivacyProtection = false;

  // If enabled, the referer hostname of the request must match tan assertion 
  // consumer URL or a discovery URL of a Service Provider in $metadataSPFile
  // in order to let the Embedded WAYF preselect an Identity Provider.
  // Therefore, this option is a good compromise between data protection and
  // userfriendlyness.
  // Requires $useSAML2Metadata to be true and $useEmbeddedWAYFPrivacyProtection
  // to be false
  $useEmbeddedWAYFRefererForPrivacyProtection = false;
haemmer's avatar
haemmer committed
125
126
127

// Whether or not to add the entityID of the preselected IdP to the
// exported JSON/Text/PHP Code
128
129
// Lowers security against phising!
// If this value is set to true, any web page
haemmer's avatar
haemmer committed
130
// in the world can easily find out with a high probability from which 
131
132
// organization a user is from. This could be misused for phishing attacks. 
// Therefore, only enable this feature if you know what you are doing!
haemmer's avatar
haemmer committed
133
134
$exportPreselectedIdP = false;

135
136
137
138
// Whether to enable logging of WAYF/DS requests
// If turned on make sure to also configure $WAYFLogFile
$useLogging = true; 

haemmer's avatar
haemmer committed
139

140
// 4. Appearance settings
141
//**************************
haemmer's avatar
haemmer committed
142
143
144
145
146
147
148
149

// Name of the federation
$federationName = 'SWITCHaai Federation';

// URL to send user to when clicking on federation logo
$federationURL = 'http://www.switch.ch/aai/';

// Use an absolute URL in case you want to use the embedded WAYF
150
$imageURL = 'https://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/images';
haemmer's avatar
haemmer committed
151

152
153
154
155
156
157
158
// Absolute URL to point to css directory
$cssURL = 'https://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/css';

// Absolute URL to point to javascript directory
$javascriptURL = 'https://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/js';

// Absolute URL to the logo that shall be displayed in the Embedded WAYF
haemmer's avatar
haemmer committed
159
160
$logoURL = $imageURL.'/switch-aai-transparent.png'; 

161
162
// Absolute URL to the small logo that shall be displayed in the 
// embedded WAYF if dimensions must be small
haemmer's avatar
haemmer committed
163
164
165
$smallLogoURL = $imageURL.'/switch-aai-transparent-small.png';


166
167
168
// 5. Files and path settings
//***************************

haemmer's avatar
haemmer committed
169
170
171
// Set both config files to the same value if you don't want to use the 
// the WAYF to read a (potential) automatically generated file that undergoes
// some plausability checks before being used
172
173
$IDPConfigFile = 'IDProvider.conf.php';
$backupIDPConfigFile = 'IDProvider.conf.php';
haemmer's avatar
haemmer committed
174
175
176
177

// Use $metadataFile as source federation's metadata.
$metadataFile = '/etc/shibboleth/metadata.switchaai.xml';

178
179
180
// File to store the parsed IdP list
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
haemmer's avatar
haemmer committed
181
// The user running the script must have permission to create $metadataIdpFile
182
$metadataIDPFile = 'IDProvider.metadata.php';
haemmer's avatar
haemmer committed
183

184
185
186
187
// File to store the parsed SP list.
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataIdpFile
188
$metadataSPFile = 'SProvider.metadata.php';
189

190
191
192
// File to use as the lock file for writing the parsed IdP and SP lists.
// The user running the script must have permission to write $metadataLockFile
$metadataLockFile = '/tmp/wayf_metadata.lock';
haemmer's avatar
haemmer committed
193
194
195
196
197
198

// Where to log the access
// Make sure the web server user has write access to this file!
$WAYFLogFile = '/var/log/apache2/wayf.log'; 


199
200
201
202
203
204
// 6. Other settings
//******************

// A Kerboros-protected soft link back to this script!
$kerberosRedirectURL = '/SWITCHaai/kerberosRedirect.php';

205

haemmer's avatar
haemmer committed
206
207
208
// Development mode settings
//**************************
// If the development mode is activated, PHP errors and warnings will be displayed
209
$developmentMode = false;
haemmer's avatar
haemmer committed
210
211

?>