
<?php // Copyright (c) 2019, SWITCH

//******************************************************************************
// This file contains the configuration of SWITCHwayf, a light-weight
// implementation of a SAML Discovery Service. Adapt the settings to reflect
// your environment and then do some testing before going into production.
// Unless specifically set, default values will be used for all options.
//******************************************************************************


// 1. Language Settings
//*********************
// Language that is used by default if the language of the user's web browser
// is not available in languages.php or custom-languages.php.
// If a string is not available in the local language, English ('en') will
// be used as a last resort.
//$defaultLanguage = 'en';



// 2. Cookie Settings
//*******************

// Domain within which the WAYF cookie should be readable. Must start with a '.'
//$commonDomain = '.example.org';

// Optional cookie name prefix in case you run several
// instances of the WAYF in the same domain.
// Example: $cookieNamePrefix = '_mywayf';
//$cookieNamePrefix = '';

// Names of the cookies where to store the settings to temporarily
// redirect users transparently to their last selected IdP
//$redirectCookieName = $cookieNamePrefix.'_redirect_user_idp';

// Stores last selected IdPs
// This value shouldn't be changed because _saml_idp is the officially
// defined name in the SAML specification
//$SAMLDomainCookieName = $cookieNamePrefix.'_saml_idp';

// Stores last selected SP
// This value can be chosen as you like because it is something specific
// to this WAYF implementation. It can be used to display help/contact
// information on a page in the same domain as $commonDomain by accessing
// the federation metadata and parsing out the contact information of the
// selected IdP and SP using $SAMLDomainCookieName and $SPCookieName
//$SPCookieName = $cookieNamePrefix.'_saml_sp';

// If enabled, cookies are set/transmitted only via HTTPS connections
// and the HttpOnly flag is set to prevent JavaScript from reading the
// cookies
//$cookieSecurity = false;

// Number of days longterm cookies should be valid
//$cookieValidity = 100;



// 3. Features and Extensions
//***************************

// Whether to show the checkbox to permanently remember a setting
//$showPermanentSetting = false;

// Whether or not to use the search-as-you-type feature of the drop down list
// Enabling this will use JavaScript to convert the select element containing
// all Identity Providers to a searchable search-as-you-type list that also
// displays logos if available
//$useImprovedDropDownList = true;

  // If true the improved drop-down-list will not display logos that
  // have to be loaded from remote URLs. That way the web browser
  // does not have to make requests to third party hosts.
  // Logos that are embedded using data URIs
  // (src="data:image/png;base64...") will however still be displayed
  //$disableRemoteLogos = false;

// Whether or not to use the Select2 drop-down list
// Attention: setting this to true overrides the $useImprovedDropDownList parameter
//$useSelect2 = true;

// Sets the number of IdPs fetched when using the Select2 drop-down list
//$select2PageSize = 100;

// For Select2 to work in the Embedded WAYF, CORS must be enabled.
// This setting allows restricting the origins that are permitted
// default: * (any origin)
//$allowedCORSDomain = "*";

// Number of previously used Identity Providers to show at top of drop-down list
// Default is 3, set to 0 to disable
//$showNumOfPreviouslyUsedIdPs = 3;

// Set to true in order to enable reading the Identity Providers and Service
// Providers from a SAML2 metadata file defined below in $metadataFile
// The parsed data will be available in $metadataIDPFile and $metadataSPFile
//$useSAML2Metadata = false;

  // If true, parsed metadata takes precedence if there are entries defined
  // in metadata as well as the local IDProviders configuration file.
  // Requires $useSAML2Metadata to be true
  //$SAML2MetaOverLocalConf = false;

  // If the $includeLocalConfEntries parameter is set to true, Identity Providers
  // not listed in metadata but defined in the local IDProviders file will also
  // be displayed in the drop down list. This is required if you need to add
  // local exceptions over the federation metadata
  // Requires $useSAML2Metadata to be true
  //$includeLocalConfEntries = true;

  // Whether the return parameter is checked against SAML2 metadata or not
  // The Discovery Service specification says the DS SHOULD check this in order
  // to mitigate phishing problems.
  // The return parameter will only be checked if the Service Provider's metadata
  // contains an <idpdisc:DiscoveryResponse> or if the assertion consumer url
  // check below is enabled
  // Requires $useSAML2Metadata to be true
  //$enableDSReturnParamCheck = true;

    // If true, the return parameter is checked for Service Providers that
    // don't have an <idpdisc:DiscoveryResponse> extension set. Instead of this
    // extension, the hostnames of the assertion consumer URLs are used to check
    // the return parameter against.
    // This feature is useful in case the Service Provider's metadata doesn't contain
    // a <idpdisc:DiscoveryResponse> extension. It increases security for Service
    // Providers that don't have an <idpdisc:DiscoveryResponse> extension.
    // Requires $useSAML2Metadata and $enableDSReturnParamCheck to be true
    //$useACURLsForReturnParamCheck = false;

// Whether to turn on Kerberos support for Identity Provider preselection
//$useKerberos = false;

  // A Kerberos-protected page that redirects back to the WAYF script
  //$kerberosRedirectURL = '/myFederation/kerberosRedirect.php';

// If enabled, the user's IP is used for a reverse DNS lookup whose resulting
// domain name then is matched with the URN values of the Identity Providers
//$useReverseDNSLookup = false;

// Whether the JavaScript required for embedding the WAYF
// on a remote site should be generated or not
// Lowers security against phishing!
// If this value is set to true, any web page in the world can
// (with some efforts) find out with a high probability from which
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
//$useEmbeddedWAYF = false;

  // If enabled the Embedded WAYF will prevent releasing information
  // about the user's preselected Identity Provider
  // While this is beneficial to the data protection of the user, it will also
  // prevent preselecting the user's Identity Provider. Thus, users will have
  // to preselect their IdP each and every time
  // Requires $useEmbeddedWAYF to be true
  //$useEmbeddedWAYFPrivacyProtection = false;

  // If enabled, the referer hostname of the request must match an assertion
  // consumer URL or a discovery URL of a Service Provider in $metadataSPFile
  // in order to let the Embedded WAYF preselect an Identity Provider.
  // Therefore, this option is a good compromise between data protection and
  // user-friendliness.
  // Requires $useSAML2Metadata to be true and $useEmbeddedWAYFPrivacyProtection
  // to be false
  //$useEmbeddedWAYFRefererForPrivacyProtection = false;

// If enabled (default) Identity Providers that are in the
// "Hide From Discovery" entity category (see
// https://refeds.org/category/hide-from-discovery/) will not
// be parsed when SAML2 metadata is processed. The effect will
// be that these IdPs are not shown in the organisation drop
// down list. IdPs in this entity category, however, still can
// be manually added using the Embedded WAYF.
//$supportHideFromDiscoveryEntityCategory = true;

// Only process IDPs with a particular entity category. All
// others are ignored and not taken into account.
// Multiple entity category identifiers can be provided
// space separated. If the IdP is in none of them,
// the IdP is ignored.
//$filterEntityCategory = 'http://example.com/category/example-member';

// Whether or not to add the entityID of the preselected IdP to the
// exported JSON/Text/PHP Code
// Lowers security against phishing!
// If this value is set to true, any web page
// in the world can easily find out with a high probability from which
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
//$exportPreselectedIdP = false;

// Whether to enable logging of WAYF/DS requests
// If turned on make sure to also configure $WAYFLogFile
//$useLogging = true;

  // Where to log the access requests
  // This log is only an audit log for access requests.
  // Errors (e.g. when parsing SAML metadata) go to the syslog.
  // Make sure the web server user has write access to this file!
  //$WAYFLogFile = '/var/log/apache2/wayf.log';



// 4. Files and path Settings
//***************************
// All relative paths are resolved relative to the configuration directory

// Set both config files to the same value if you don't want to use the
// WAYF to read a (potentially) automatically generated file that undergoes
// some plausibility checks before being used
//$IDPConfigFile = 'IDProvider.conf.php';
//$backupIDPConfigFile = 'IDProvider.conf.php';

// Use $metadataFile as the source of the federation's metadata.
//$metadataFile = '/etc/shibboleth/metadata.myFederation.xml';

// File to store the parsed IdP list
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataIDPFile
//$metadataIDPFile = 'IDProvider.metadata.php';

// File to store the parsed SP list.
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataSPFile
//$metadataSPFile = 'SProvider.metadata.php';

// File to use as the lock file for writing the parsed IdP and SP lists.
// The user running the script must have permission to write $metadataLockFile
//$metadataLockFile = '/tmp/wayf_metadata.lock';

// Use an absolute URL in case you want to use the embedded WAYF
// The default assumes that this is in the same directory as
// the WAYF script.
//$imageURL = 'https://ds.example.org/SWITCHwayf/images';

// Absolute URL to point to css directory
// The default assumes that this is in the same directory as
// the WAYF script.
//$cssURL = 'https://ds.example.org/SWITCHwayf/css';

// Absolute URL to point to javascript directory
// The default assumes that this is in the same directory as
// the WAYF script.
//$javascriptURL = 'https://ds.example.org/SWITCHwayf/js';



// 5. Appearance Settings
//**************************

// Identifier for this particular instance of the SWITCHwayf
// This is mainly used for logging to syslog and in particular
// useful in case multiple instances of the SWITCHwayf are
// operated on the same host
//$instanceIdentifier = 'SWITCHwayf';

// URL to send user to when clicking on federation logo
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the logo
//$federationURL = 'http://www.example.org/myFed/';

// Absolute URL to the federation logo that should be displayed in the Embedded WAYF
// Set to an empty string to hide the logo
//$logoURL = 'http://ds.example.org/SWITCHwayf/images/federation-logo.png';

// Absolute URL to the small federation logo that should be displayed in the
// embedded WAYF. Make sure the dimensions (in particular the height of the logo)
// are small, ideally not larger than 120x30 pixels
//$smallLogoURL = 'http://ds.example.org/SWITCHwayf/images/small-federation-logo.png';

// Support contact email address
//$supportContactEmail = 'helpdesk@example.org';

// Absolute URL to the logo of the organization operating this Discovery Service
// Set to an empty string to hide the logo
//$organizationLogoURL = 'https://ds.example.org/SWITCHwayf/images/organization-logo.png';

// Absolute URL to the organization's web page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
//$organizationURL = 'http://www.example.org/';

// Absolute URL to an FAQ page
// This entry's localized string is 'faq' in languages.php
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the logo
//$faqURL = 'http://www.example.org/%s/myFed/faq/';

// Absolute URL to a help/support page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the logo
//$helpURL = 'http://www.example.org/%s/myFed/help/';

// Absolute URL to a privacy policy page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the logo
//$privacyURL = 'http://www.example.org/%s/myFed/privacy/';

// Additional strings for custom templates
//$customStrings = array(
//    'federationName' => 'myFederation'
//);


// Development mode settings
//**************************
// If the development mode is activated, PHP errors and warnings will be displayed
// on pages the SWITCHwayf generates
//$developmentMode = true;