<?php // Copyright (c) 2019, SWITCH

//******************************************************************************
// This file contains the configuration of SWITCHwayf, a light-weight
// implementation of a SAML Discovery Service. Adapt the settings to reflect
// your environment and then do some testing before going into production.
// Unless specifically set, default values will be used for all options.
//******************************************************************************


// 1. Language Settings
//*********************
// Language that is used by default if the language of the user's web browser
// is not available in languages.php or custom-languages.php.
// If string in local language is not available, english ('en') will be used
// as last resort.
//$defaultLanguage = 'en';



// 2. Cookie Settings
//*******************

// Domain within which the WAYF cookie should be readable. Must start with a .
//$commonDomain = '.example.org';

// Optional cookie name prefix in case you run several
// instances of the WAYF in the same domain.
// Example: $cookieNamePrefix = '_mywayf';
//$cookieNamePrefix = '';

// Names of the cookies in which to store the settings to temporarily
// redirect users transparently to their last selected IdP
//$redirectCookieName = $cookieNamePrefix.'_redirect_user_idp';

// Stores last selected IdPs
// This value shouldn't be changed because _saml_idp is the officially
// defined name in the SAML specification
//$SAMLDomainCookieName = $cookieNamePrefix.'_saml_idp';

// Stores last selected SP
// This value can be chosen as you like because it is something specific
// to this WAYF implementation. It can be used to display help/contact
// information on a page in the same domain as $commonDomain by accessing
// the federation metadata and parsing out the contact information of the
// selected IdP and SP using $SAMLDomainCookieName and $SPCookieName
//$SPCookieName = $cookieNamePrefix.'_saml_sp';

// If enabled, cookies are set/transmitted only via HTTPS connections
// and the HttpOnly flag is set to prevent JavaScript from reading the
// cookies
//$cookieSecurity = false;

// Number of days long-term cookies should be valid
//$cookieValidity = 100;



// 3. Features and Extensions
//***************************

// Whether to show the checkbox to permanently remember a setting
//$showPermanentSetting = false;

// Whether or not to use the search-as-you-type feature of the drop down list
// Enabling this will use JavaScript to convert the select element containing
// all Identity Providers to a searchable search-as-you-type list that also
// displays logos if available
//$useImprovedDropDownList = true;

  // If true the improved drop-down-list will not display logos that
  // have to be loaded from remote URLs. That way the web browser
  // does not have to make requests to third party hosts.
  // Logos that are embedded using data URIs
  // (src="data:image/png;base64...") will however still be displayed
  //$disableRemoteLogos = false;

// Whether or not to use the Select2 drop down
// Attention: setting this to true, overrides $useImprovedDropDownList param
//$useSelect2 = true;

// Config to change the number of IdP fetched when using Select2 dropdown
//$select2PageSize = 100;

// Number of previously used Identity Providers to show at top of drop-down list
// Default is 3, set to 0 to disable
//$showNumOfPreviouslyUsedIdPs = 3;

// Set to true in order to enable reading the Identity Providers and Service
// Providers from a SAML2 metadata file defined below in $metadataFile
// The parsed data will be available in $metadataIDPFile and $metadataSPFile
//$useSAML2Metadata = false;

  // If true parsed metadata should have precedence if there are entries defined
  // in metadata as well as the local IDProviders configuration file.
  // Requires $useSAML2Metadata to be true
  //$SAML2MetaOverLocalConf = false;

  // If the $includeLocalConfEntries parameter is set to true, Identity Providers
  // not listed in metadata but defined in the local IDProviders file will also
  // be displayed in the drop down list. This is required if you need to add
  // local exceptions over the federation metadata
  // Requires $useSAML2Metadata to be true
  //$includeLocalConfEntries = true;

  // Whether the return parameter is checked against SAML2 metadata or not
  // The Discovery Service specification says the DS SHOULD check this in order
  // to mitigate phishing problems.
  // The return parameter will only be checked if the Service Provider's metadata
  // contains an <idpdisc:DiscoveryResponse> or if the assertion consumer url
  // check below is enabled
  // Requires $useSAML2Metadata to be true
  //$enableDSReturnParamCheck = true;

    // If true, the return parameter is checked for Service Providers that
    // don't have an <idpdisc:DiscoveryResponse> extension set. Instead of this
    // extension, the hostnames of the assertion consumer URLs are used to check
    // the return parameter against.
    // This feature is useful in case the Service Provider's metadata doesn't contain
    // a <idpdisc:DiscoveryResponse> extension. It increases security for Service
    // Providers that don't have an <idpdisc:DiscoveryResponse> extension.
    // Requires $useSAML2Metadata and $enableDSReturnParamCheck to be true
    //$useACURLsForReturnParamCheck = false;

// Whether to turn on Kerberos support for Identity Provider preselection
//$useKerberos = false;

  // A Kerberos-protected page that redirects back to the WAYF script
  //$kerberosRedirectURL = '/myFederation/kerberosRedirect.php';

// If enabled, the user's IP is used for a reverse DNS lookup whose resulting
// domain name then is matched with the URN values of the Identity Providers
//$useReverseDNSLookup = false;

// Whether the JavaScript required for embedding the WAYF
// on a remote site should be generated or not
// Lowers security against phishing!
// If this value is set to true, any web page in the world can
// (with some efforts) find out with a high probability from which
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
//$useEmbeddedWAYF = false;

  // If enabled the Embedded WAYF will prevent releasing information
  // about the user's preselected Identity Provider
  // While this is beneficial to the data protection of the user, it will also
  // prevent preselecting the user's Identity Provider. Thus, users will have
  // to preselect their IdP each and every time
  // Requires $useEmbeddedWAYF to be true
  //$useEmbeddedWAYFPrivacyProtection = false;

  // If enabled, the referer hostname of the request must match an assertion
  // consumer URL or a discovery URL of a Service Provider in $metadataSPFile
  // in order to let the Embedded WAYF preselect an Identity Provider.
  // Therefore, this option is a good compromise between data protection and
  // user-friendliness.
  // Requires $useSAML2Metadata to be true and $useEmbeddedWAYFPrivacyProtection
  // to be false
  //$useEmbeddedWAYFRefererForPrivacyProtection = false;

// If enabled (default) Identity Providers that are in the
// "Hide From Discovery" entity category (see
// https://refeds.org/category/hide-from-discovery/) will not
// be parsed when SAML2 metadata is processed. The effect will
// be that these IdPs are not shown in the organisation drop
// down list. IdPs in this entity category, however, still can
// be manually added using the Embedded WAYF.
//$supportHideFromDiscoveryEntityCategory = true;

// Only process IDPs with a particular entity category. All
// others are ignored and not taken into account.
// Multiple entity category identifiers can be provided
// space separated. If the IdP is in none of them,
// the IdP is ignored.
//$filterEntityCategory = 'http://example.com/category/example-member';

// Whether or not to add the entityID of the preselected IdP to the
// exported JSON/Text/PHP Code
// Lowers security against phishing!
// If this value is set to true, any web page
// in the world can easily find out with a high probability from which
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
//$exportPreselectedIdP = false;

// Whether to enable logging of WAYF/DS requests
// If turned on make sure to also configure $WAYFLogFile
//$useLogging = true;

  // Where to log the access requests
  // This log is only an audit log for access requests.
  // Errors (e.g. when parsing SAML metadata) go to the syslog.
  // Make sure the web server user has write access to this file!
  //$WAYFLogFile = '/var/log/apache2/wayf.log';



// 4. Files and path Settings
//***************************
// all relatives paths are resolved relatively to configuration directory

// Set both config files to the same value if you don't want
// the WAYF to read a (potentially) automatically generated file that undergoes
// some plausibility checks before being used
//$IDPConfigFile = 'IDProvider.conf.php';
//$backupIDPConfigFile = 'IDProvider.conf.php';

// Use $metadataFile as source federation's metadata.
//$metadataFile = '/etc/shibboleth/metadata.myFederation.xml';

// File to store the parsed IdP list
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataIdpFile
//$metadataIDPFile = 'IDProvider.metadata.php';

// File to store the parsed SP list.
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataIdpFile
//$metadataSPFile = 'SProvider.metadata.php';

// File to use as the lock file for writing the parsed IdP and SP lists.
// The user running the script must have permission to write $metadataLockFile
//$metadataLockFile = '/tmp/wayf_metadata.lock';

// Use an absolute URL in case you want to use the embedded WAYF
// The default assumes that this is in the same directory as
// the WAYF script.
//$imageURL = 'https://ds.example.org/SWITCHwayf/images';

// Absolute URL to point to css directory
// The default assumes that this is in the same directory as
// the WAYF script.
//$cssURL = 'https://ds.example.org/SWITCHwayf/css';

// Absolute URL to point to javascript directory
// The default assumes that this is in the same directory as
// the WAYF script.
//$javascriptURL = 'https://ds.example.org/SWITCHwayf/js';



// 5. Appearance Settings
//**************************

// Identifier for this particular instance of the SWITCHwayf
// This is mainly used for logging to syslog and in particular
// useful in case multiple instances of the SWITCHwayf are
// operated on the same host
//$instanceIdentifier = 'SWITCHwayf';

// URL to send user to when clicking on federation logo
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the logo
//$federationURL = 'http://www.example.org/myFed/';

// Absolute URL to the federation logo that should be displayed in the Embedded WAYF
// Set to an empty string to hide the logo
//$logoURL = 'http://ds.example.org/SWITCHwayf/images/federation-logo.png';

// Absolute URL to the small federation logo that should be displayed in the
// embedded WAYF. Make sure the dimensions (in particular the height of the logo)
// is small, ideally not larger than 120x30 pixel
//$smallLogoURL = 'http://ds.example.org/SWITCHwayf/images/small-federation-logo.png';

// Support contact email address
//$supportContactEmail = 'helpdesk@example.org';

// Absolute URL to the logo of the organization operating this Discovery Service
// Set to an empty string to hide the logo
//$organizationLogoURL = 'https://ds.example.org/SWITCHwayf/images/organization-logo.png';

// Absolute URL to the organization's web page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
//$organizationURL = 'http://www.example.org/';

// Absolute URL to an FAQ page
// This entry's localized string is 'faq' in languages.php
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the logo
//$faqURL = 'http://www.example.org/%s/myFed/faq/';

// Absolute URL to a help/support page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the logo
//$helpURL = 'http://www.example.org/%s/myFed/help/';

// Absolute URL to a privacy policy page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the logo
//$privacyURL = 'http://www.example.org/%s/myFed/privacy/';

// Additional strings for custom templates
//$customStrings = array(
//    'federationName' => 'myFederation'
//);


// Development mode settings
//**************************
// If the development mode is activated, PHP errors and warnings will be displayed
// on pages the SWITCHwayf generates (leave disabled in production)
//$developmentMode = true;