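<?php // Copyright (c) 2011, SWITCH - Serving Swiss Universities

//******************************************************************************
// This file contains the WAYF/DS configuration. Adapt the settings to reflect
// your environment and then do some testing before deploying the WAYF.
//******************************************************************************

// 1. Language settings
//*********************

$defaultLanguage = 'en';

// 2. Cookie settings
//*******************

// Domain within which the WAYF cookies shall be readable. Must start with a .
$commonDomain = '.switch.ch';

// Optional cookie name prefix in case you run several
// instances of the WAYF in the same domain.
// Example: $cookieNamePrefix = '_mywayf';
$cookieNamePrefix = '';

// Names of the cookies where to store the settings to temporarily
// redirect users transparently to their last selected IdP
$redirectCookieName = $cookieNamePrefix.'_redirect_user_idp';
$redirectStateCookieName = $cookieNamePrefix.'_redirection_state';

// Stores last selected IdPs
// This value shouldn't be changed because _saml_idp is the officially
// defined name in the SAML specification
$SAMLDomainCookieName = $cookieNamePrefix.'_saml_idp';

// Stores last selected SP
// This value can be chosen as you like because it is something specific
// to this WAYF implementation. It can be used to display help/contact
// information on a page in the same domain as $commonDomain by accessing
// the federation metadata and parsing out the contact information of the
// selected IdP and SP using $SAMLDomainCookieName and $SPCookieName
$SPCookieName = $cookieNamePrefix.'_saml_sp';

// If enabled, cookies are set/transmitted only via https connections.
// Set this to true whenever the WAYF is served over https (the URLs in
// section 4 below already assume https); otherwise the IdP/SP selection
// cookies are also sent over plain http.
$cookieSecurity = false;

// Number of days longterm cookies shall be valid
$cookieValidity = 100;

// 3. Features and extensions
//***************************

// Whether to show the checkbox to permanently remember a setting
$showPermanentSetting = false;

// Whether or not to use the search-as-you-type feature of the drop down list
$userImprovedDropDownList = true;

// Set to true in order to enable reading the Identity Providers from a SAML2
// metadata file defined below in $metadataFile
$useSAML2Metadata = true;

// If true, parsed metadata shall have precedence if there are entries defined
// in metadata as well as in the local IDProviders configuration file.
// Only relevant if $useSAML2Metadata is true
$SAML2MetaOverLocalConf = false;

// If includeLocalConfEntries parameter is set to true, Identity Providers
// not listed in metadata but defined in the local IDProviders file will also
// be displayed in the drop down list. This is required if you need to add
// local exceptions over the federation metadata
// Only relevant if $useSAML2Metadata is true
$includeLocalConfEntries = true;

// Whether the return parameter is checked against SAML2 metadata or not
// The Discovery Service specification says the DS SHOULD check this in order
// to mitigate phishing problems.
// You must have $useSAML2Metadata = true in order to activate this check.
// The return parameter will only be checked if the Service Provider's metadata
// contains an <idpdisc:DiscoveryResponse> or if the assertion consumer url
// check below is enabled
$enableDSReturnParamCheck = true;

// If true, the return parameter is checked for Service Providers that
// don't have an <idpdisc:DiscoveryResponse> extension set. Instead of this
// extension, the hostnames of the assertion consumer URLs are used to check
// the return parameter against.
// This feature is useful in case the Service Provider's metadata doesn't contain
// an <idpdisc:DiscoveryResponse> extension. It increases security for Service
// Providers that don't have an <idpdisc:DiscoveryResponse> extension.
// This feature only is active if $enableDSReturnParamCheck = true
// and if $useSAML2Metadata = true
$useACURLsForReturnParamCheck = false;

// Whether to turn on Kerberos support for Identity Provider preselection
$useKerberos = false;

// If enabled, the user's IP is used for a reverse DNS lookup whose resulting
// domain name then is matched with the URN values of the Identity Providers
$useReverseDNSLookup = false;

// Whether the JavaScript required for embedding the WAYF
// on a remote site shall be generated or not
// Lowers security against phishing!
// If this value is set to true, any web page in the world can
// (with some efforts) find out with a high probability from which
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
$useEmbeddedWAYF = false;

// If enabled the Embedded WAYF will prevent releasing information
// about the user's preselected Identity Provider
// While this is beneficial to the data protection of the user, it will also
// prevent preselecting the user's Identity Provider. Thus, users will have
// to preselect their IdP each and every time
$useEmbeddedWAYFPrivacyProtection = false;

// If enabled, the referer hostname of the request must match an assertion
// consumer URL or a discovery URL of a Service Provider in $metadataSPFile
// in order to let the Embedded WAYF preselect an Identity Provider.
// Therefore, this option is a good compromise between data protection and
// user-friendliness.
// This option can only be used if $useEmbeddedWAYFPrivacyProtection is false
// and $useSAML2Metadata is true
$useEmbeddedWAYFRefererForPrivacyProtection = false;

// Whether or not to add the entityID of the preselected IdP to the
// exported JSON/Text/PHP Code
// Lowers security against phishing!
// If this value is set to true, any web page
// in the world can easily find out with a high probability from which
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
$exportPreselectedIdP = false;

// Whether to enable logging of WAYF/DS requests
// If turned on make sure to also configure $WAYFLogFile
$useLogging = true;

// 4. Appearance settings
//**************************

// Name of the federation
$federationName = 'SWITCHaai Federation';

// URL to send user to when clicking on federation logo
$federationURL = 'http://www.switch.ch/aai/';

// Base URL of this WAYF installation, used to build the absolute URLs below.
// The trailing slash of dirname() is stripped so that an installation in the
// web root does not yield URLs like https://host//images.
// Note that $_SERVER['SERVER_NAME'] is derived from the request's Host header
// unless the web server canonicalises it (e.g. Apache "UseCanonicalName On").
// When the embedded WAYF is enabled these URLs are rendered on remote sites,
// so prefer to replace $WAYFBaseURL with a hard-coded value in that case.
$WAYFBaseURL = 'https://'.$_SERVER['SERVER_NAME'].rtrim(dirname($_SERVER['SCRIPT_NAME']), '/');

// Use an absolute URL in case you want to use the embedded WAYF
$imageURL = $WAYFBaseURL.'/images';

// Absolute URL to point to css directory
$cssURL = $WAYFBaseURL.'/css';

// Absolute URL to point to javascript directory
$javascriptURL = $WAYFBaseURL.'/js';

// Absolute URL to the logo that shall be displayed in the Embedded WAYF
$logoURL = $imageURL.'/switch-aai-transparent.png';

// Absolute URL to the small logo that shall be displayed in the
// embedded WAYF if dimensions must be small
$smallLogoURL = $imageURL.'/switch-aai-transparent-small.png';

// 5. Files and path settings
//***************************

// Set both config files to the same value if you don't want to use the
// the WAYF to read a (potential) automatically generated file that undergoes
// some plausibility checks before being used
$IDPConfigFile = 'IDProvider.conf.php';
$backupIDPConfigFile = 'IDProvider.conf.php';

// Path of the federation's SAML2 metadata file used as the source of IdPs/SPs.
$metadataFile = '/etc/shibboleth/metadata.switchaai.xml';

// File to store the parsed IdP list
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataIDPFile
$metadataIDPFile = 'IDProvider.metadata.php';

// File to store the parsed SP list.
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataSPFile
$metadataSPFile = 'SProvider.metadata.php';

// File to use as the lock file for writing the parsed IdP and SP lists.
// The user running the script must have permission to write $metadataLockFile
// /tmp is shared with every local account on the host; a directory writable
// only by the web server user is the safer location for this lock file.
$metadataLockFile = '/tmp/wayf_metadata.lock';

// Where to log the access
// Make sure the web server user has write access to this file!
$WAYFLogFile = '/var/log/apache2/wayf.log';

// 6. Other settings
//******************

// A Kerberos-protected soft link back to this script!
$kerberosRedirectURL = '/SWITCHaai/kerberosRedirect.php';

// Development mode settings
//**************************
// If the development mode is activated, PHP errors and warnings will be displayed
// Keep this disabled on production systems: displayed errors expose file paths
// and configuration details to every visitor.
$developmentMode = false;

// No closing "?>" tag on purpose: any whitespace after it would be sent to the
// client before the WAYF sets its cookies and headers.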