<?php // Copyright (c) 2017, SWITCH

//******************************************************************************
// This file contains the configuration of SWITCHwayf, a light-weight 
// implementation of a SAML Discovery Service. Adapt the settings to reflect
// your environment and then do some testing before going into production.
// Unless specifically set, default values will be used for all options.
//******************************************************************************


// 1. Language Settings
//*********************
// Language that is used by default if the language of the user's web browser
// is not available in languages.php or custom-languages.php.
// If a string is not available in the local language, English ('en') will be
// used as a last resort.
//$defaultLanguage = 'en'; 



// 2. Cookie Settings
//*******************

// Domain within which the WAYF cookie should be readable. Must start with a '.'
//$commonDomain = '.example.org';

// Optional cookie name prefix in case you run several
// instances of the WAYF in the same domain.
// Example: $cookieNamePrefix = '_mywayf';
//$cookieNamePrefix = '';

// Names of the cookies where to store the settings to temporarily
// redirect users transparently to their last selected IdP
//$redirectCookieName = $cookieNamePrefix.'_redirect_user_idp';

// Stores the last selected IdPs
// This value shouldn't be changed because _saml_idp is the officially
// defined name in the SAML specification
//$SAMLDomainCookieName = $cookieNamePrefix.'_saml_idp';

// Stores the last selected SP
// This value can be chosen as you like because it is something specific
// to this WAYF implementation. It can be used to display help/contact
// information on a page in the same domain as $commonDomain by accessing
// the federation metadata and parsing out the contact information of the
// selected IdP and SP using $SAMLDomainCookieName and $SPCookieName
//$SPCookieName = $cookieNamePrefix.'_saml_sp';

// If enabled, cookies are set/transmitted only via HTTPS connections (Secure flag)
// and the HttpOnly flag is set to prevent JavaScript from reading the
// cookies
//$cookieSecurity = false;

// Number of days longterm cookies should be valid
//$cookieValidity = 100;



// 3. Features and Extensions
//***************************

// Whether to show the checkbox to permanently remember a setting
//$showPermanentSetting = false;

// Whether or not to use the search-as-you-type feature of the drop down list
// Enabling this will use JavaScript to convert the select element containing
// all Identity Providers to a searchable search-as-you-type list that also
// displays logos if available 
//$useImprovedDropDownList = true;

  // If true the improved drop-down-list will not display logos that
  // have to be loaded from remote URLs. That way the web browser
  // does not have to make requests to third party hosts.
  // Logos that are embedded using data URIs 
  // (src="data:image/png;base64...") will however still be displayed
  //$disableRemoteLogos = false;


// Number of previously used Identity Providers to show at top of drop-down list
// Default is 3, set to 0 to disable
//$showNumOfPreviouslyUsedIdPs = 3;

// Set to true in order to enable reading the Identity Providers and Service 
// Providers from a SAML2 metadata file defined below in $metadataFile
// The parsed data will be available in $metadataIDPFile and $metadataSPFile
//$useSAML2Metadata = false; 

  // If true, parsed metadata takes precedence if there are entries defined
  // in metadata as well as the local IDProviders configuration file.
  // Requires $useSAML2Metadata to be true
  //$SAML2MetaOverLocalConf = false;

  // If $includeLocalConfEntries is set to true, Identity Providers
  // not listed in metadata but defined in the local IDProviders file will also
  // be displayed in the drop down list. This is required if you need to add
  // local exceptions over the federation metadata
  // Requires $useSAML2Metadata to be true
  //$includeLocalConfEntries = true;

  // Whether the return parameter is checked against SAML2 metadata or not
  // The Discovery Service specification says the DS SHOULD check this in order
  // to mitigate phishing problems (an unchecked return parameter turns the DS
  // into an open redirector).
  // The return parameter will only be checked if the Service Provider's metadata
  // contains an <idpdisc:DiscoveryResponse> or if the assertion consumer URL
  // check below is enabled
  // Requires $useSAML2Metadata to be true
  //$enableDSReturnParamCheck = true;

    // If true, the return parameter is checked for Service Providers that
    // don't have an <idpdisc:DiscoveryResponse> extension set. Instead of this
    // extension, the hostnames of the assertion consumer URLs are used to check
    // the return parameter against.
    // This feature is useful in case the Service Provider's metadata doesn't contain
    // an <idpdisc:DiscoveryResponse> extension. It increases security for Service
    // Providers that don't have an <idpdisc:DiscoveryResponse> extension.
    // Requires $useSAML2Metadata and $enableDSReturnParamCheck to be true
    //$useACURLsForReturnParamCheck = false;

// Whether to turn on Kerberos support for Identity Provider preselection
//$useKerberos = false;

  // A Kerberos-protected page that redirects back to the WAYF script
  //$kerberosRedirectURL = '/myFederation/kerberosRedirect.php';

// If enabled, the user's IP is used for a reverse DNS lookup whose resulting 
// domain name then is matched with the URN values of the Identity Providers
//$useReverseDNSLookup = false;

// Whether the JavaScript required for embedding the WAYF
// on a remote site should be generated or not
// Lowers security against phishing!
// If this value is set to true, any web page in the world can
// (with some effort) find out with a high probability which
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
//$useEmbeddedWAYF = false;

  // If enabled the Embedded WAYF will prevent releasing information
  // about the user's preselected Identity Provider
  // While this is beneficial to the data protection of the user, it will also
  // prevent preselecting the user's Identity Provider. Thus, users will have
  // to select their IdP each and every time
  // Requires $useEmbeddedWAYF to be true
  //$useEmbeddedWAYFPrivacyProtection = false;

  // If enabled, the referer hostname of the request must match an assertion	 
  // consumer URL or a discovery URL of a Service Provider in $metadataSPFile
  // in order to let the Embedded WAYF preselect an Identity Provider.
  // Therefore, this option is a good compromise between data protection and
  // user-friendliness.
  // Requires $useSAML2Metadata to be true and $useEmbeddedWAYFPrivacyProtection
  // to be false
  //$useEmbeddedWAYFRefererForPrivacyProtection = false;

// If enabled (default) Identity Providers that are in the 
// "Hide From Discovery" entity category (see 
// https://refeds.org/category/hide-from-discovery/) will not
// be parsed when SAML2 metadata is processed. The effect will
// be that these IdPs are not shown in the organisation drop 
// down list. IdPs in this entity category, however, still can 
// be manually added using the Embedded WAYF.
//$supportHideFromDiscoveryEntityCategory = true;


// Whether or not to add the entityID of the preselected IdP to the
// exported JSON/Text/PHP Code
// Lowers security against phishing!
// If this value is set to true, any web page
// in the world can easily find out with a high probability from which 
// organization a user is from. This could be misused for phishing attacks. 
// Therefore, only enable this feature if you know what you are doing!
//$exportPreselectedIdP = false;

// Whether to enable logging of WAYF/DS requests
// If turned on make sure to also configure $WAYFLogFile
//$useLogging = true; 

  // Where to log the access requests
  // This log is only an audit log for access requests. 
  // Errors (e.g. when parsing SAML metadata) go to the syslog.
  // Make sure the web server user has write access to this file!
  //$WAYFLogFile = '/var/log/apache2/wayf.log'; 



// 4. Files and path Settings
//***************************

// Set both config files to the same value if you don't want to use the
// WAYF to read a (potentially) automatically generated file that undergoes
// some plausibility checks before being used
//$IDPConfigFile = 'IDProvider.conf.php';
//$backupIDPConfigFile = 'IDProvider.conf.php';

// Use $metadataFile as the source of the federation's metadata.
//$metadataFile = '/etc/shibboleth/metadata.myFederation.xml';

// File to store the parsed IdP list
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataIDPFile
//$metadataIDPFile = 'IDProvider.metadata.php';

// File to store the parsed SP list.
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataSPFile
//$metadataSPFile = 'SProvider.metadata.php';

// File to use as the lock file for writing the parsed IdP and SP lists.
// The user running the script must have permission to write $metadataLockFile
//$metadataLockFile = '/tmp/wayf_metadata.lock';

// Use an absolute URL in case you want to use the embedded WAYF
// The default assumes that this is in the same directory as
// the WAYF script.
//$imageURL = 'https://ds.example.org/SWITCHwayf/images';

// Absolute URL to point to css directory
// The default assumes that this is in the same directory as
// the WAYF script.
//$cssURL = 'https://ds.example.org/SWITCHwayf/css';

// Absolute URL to point to javascript directory
// The default assumes that this is in the same directory as
// the WAYF script.
//$javascriptURL = 'https://ds.example.org/SWITCHwayf/js';



// 5. Appearance Settings
//**************************

// Identifier for this particular instance of the SWITCHwayf
// This is mainly used for logging to syslog and in particular
// useful in case multiple instances of the SWITCHwayf are
// operated on the same host
//$instanceIdentifier = 'SWITCHwayf';

// Name of the federation [deprecated]
// This value is not used anymore in the standard code. 
// Please ensure it is not used anymore in templates
//$federationName = 'myFederation';

// URL to send user to when clicking on federation logo
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the logo
//$federationURL = 'http://www.example.org/myFed/';

// Absolute URL to the federation logo that should be displayed in the Embedded WAYF
// Set to an empty string to hide the logo
//$logoURL = 'http://ds.example.org/SWITCHwayf/images/federation-logo.png';

// Absolute URL to the small federation logo that should be displayed in the 
// embedded WAYF. Make sure the dimensions (in particular the height of the logo)
// are small, ideally not larger than 120x30 pixels
//$smallLogoURL = 'http://ds.example.org/SWITCHwayf/images/small-federation-logo.png';

// Support contact email address
//$supportContactEmail = 'helpdesk@example.org';

// Absolute URL to the logo of the organization operating this Discovery Service
// Set to an empty string to hide the logo
//$organizationLogoURL = 'https://ds.example.org/SWITCHwayf/images/organization-logo.png'; 

// Absolute URL to the organization's web page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
//$organizationURL = 'http://www.example.org/'; 

// Absolute URL to an FAQ page
// This entries local string is 'faq' in languages.php
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the link
//$faqURL = 'http://www.example.org/%s/myFed/faq/';

// Absolute URL to a help/support page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the link
//$helpURL = 'http://www.example.org/%s/myFed/help/';

// Absolute URL to a privacy policy page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the link
//$privacyURL = 'http://www.example.org/%s/myFed/privacy/';



// Development mode settings
//**************************
// If the development mode is activated, PHP errors and warnings will be displayed
// on pages the SWITCHwayf generates
//$developmentMode = false;

?>