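<?php
//******************************************************************************
// This file contains the WAYF/DS configuration. Adapt the settings to reflect
// your environment and then do some testing before deploying the WAYF.
//
// Every setting below is a plain PHP variable read by the WAYF scripts that
// include this file. Variables are only defined here; no function calls or
// output happen in this file.
//******************************************************************************

// Language settings
//******************
$defaultLanguage = 'en';


// Cookie settings
//****************

// Domain within which the WAYF cookie shall be readable. Must start with a .
// Every host below this domain can read (and overwrite) the WAYF cookies,
// so keep it as narrow as your deployment allows.
$commonDomain = '.switch.ch';

// Optional cookie name prefix in case you run several
// instances of the WAYF in the same domain.
// Example: $cookieNamePrefix = '_mywayf';
$cookieNamePrefix = '';

// Names of the cookies where to store the settings to temporarily
// redirect users transparently to their last selected IdP
$redirectCookieName = $cookieNamePrefix.'_redirect_user_idp';
$redirectStateCookieName = $cookieNamePrefix.'_redirection_state';

// Stores last selected IdPs
// This value shouldn't be changed because _saml_idp is the officially
// defined name in the SAML specification
$SAMLDomainCookieName = $cookieNamePrefix.'_saml_idp';

// Stores last selected SP
// This value can be chosen as you like because it is something specific
// to this WAYF implementation. It can be used to display help/contact
// information on a page in the same domain as $commonDomain by accessing
// the federation metadata and parsing out the contact information of the
// selected IdP and SP using $SAMLDomainCookieName and $SPCookieName
$SPCookieName = $cookieNamePrefix.'_saml_sp';


// Enabled/Disabled Features
//**************************

// Whether to show the checkbox to permanently remember a setting
$showPermanentSetting = false;

// Set to true in order to enable reading the Identity Providers from a SAML2
// metadata file defined below in $metadataFile
$useSAML2Metadata = true;

// If true, parsed metadata shall have precedence if there are entries defined
// in metadata as well as in the local IDProviders configuration file.
// Only relevant if $useSAML2Metadata is true
$SAML2MetaOverLocalConf = false;

// If $includeLocalConfEntries is set to true, Identity Providers
// not listed in metadata but defined in the local IDProviders file will also
// be displayed in the drop down list. This is required if you need to add
// local exceptions over the federation metadata
// Only relevant if $useSAML2Metadata is true
$includeLocalConfEntries = true;

// Whether the return parameter is checked against SAML2 metadata or not
// The Discovery Service specification says the DS SHOULD check this in order
// to mitigate phishing problems
// This check is only active if $useSAML2Metadata = true
$enableDSReturnParamCheck = true;

// If true, not only the URLs defined in the metadata extension
// <idpdisc:DiscoveryResponse> are used for the check but also the hostnames
// of the assertion consumer URLs. The hostnames are compared against the
// hostname used in the return parameter
// This feature is especially useful in case metadata doesn't contain the
// <idpdisc:DiscoveryResponse> extension. However, enabling this feature also
// reduces the security of the check, because only the hostname (not the
// full URL) of the return parameter is validated.
// This feature is only active if $enableDSReturnParamCheck = true
// and if $useSAML2Metadata = true
$useACURLsForReturnParamCheck = false;

// Whether to turn on Kerberos support for IdP preselection
$useKerberos = false;

// If true, the user's IP is used for a reverse DNS lookup whose
// resulting domain name then is matched with the URN values of the IdPs
// Note: PTR records are controlled by whoever owns the client's address
// range, so the result is only a preselection hint, not an identity check.
$useReverseDNSLookup = false;

// Whether the JavaScript for embedding the WAYF
// on a remote site shall be generated or not
$useEmbeddedWAYF = true;

// Whether to enable logging of WAYF/DS requests
// If turned on make sure to also configure $WAYFLogFile
$useLogging = true;

// Whether or not to add the entityID of the preselected IdP to the
// exported JSON/Text/PHP Code
// You have to be aware that if this value is set to true, any web page
// in the world can easily find out with a high probability from which
// organization a user is from. This could be misused for various kinds of
// things and even for phishing attacks. Therefore, only enable this feature
// if you know what you are doing!
$exportPreselectedIdP = false;


// Look&feel settings
//*******************

// Name of the federation
$federationName = 'SWITCHaai Federation';

// URL to send user to when clicking on federation logo
$federationURL = 'http://www.switch.ch/aai/';

// Use an absolute URL in case you want to use the embedded WAYF
// NOTE(review): $_SERVER['SERVER_NAME'] is derived from the client-supplied
// Host header on some web server setups (e.g. Apache with UseCanonicalName Off)
// and is undefined when this file is read from the command line. Since this
// URL presumably ends up in generated pages, prefer a fixed hostname here
// for production deployments, e.g. $imageURL = 'https://wayf.example.org/SWITCHaai/images';
$imageURL = 'https://'.$_SERVER['SERVER_NAME'].'/SWITCHaai/images';

// URL to the logo that shall be displayed
$logoURL = $imageURL.'/switch-aai-transparent.png';

// URL to the small logo that shall be displayed in the embedded WAYF if dimensions are small
$smallLogoURL = $imageURL.'/switch-aai-transparent-small.png';


// Involved files settings
//************************
// Set both config files to the same value if you don't want to use
// the WAYF to read a (potential) automatically generated file that undergoes
// some plausibility checks before being used
$IDPConfigFile = 'IDProvider.conf.php'; // Config file
$backupIDPConfigFile = 'IDProvider.conf.php'; // Backup config file

// Use $metadataFile as source of the federation's metadata.
$metadataFile = '/etc/shibboleth/metadata.switchaai.xml';

// File to store the parsed IdP list
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataIDPFile
$metadataIDPFile = 'IDProvider.metadata.php';

// File to store the parsed SP list.
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataSPFile
$metadataSPFile = 'SProvider.metadata.php';

// A Kerberos-protected soft link back to this script!
$kerberosRedirectURL = '/SWITCHaai/kerberosRedirect.php';

// Where to log the access
// Make sure the web server user has write access to this file!
$WAYFLogFile = '/var/log/apache2/wayf.log';


// Development mode settings
//**************************
// If the development mode is activated, PHP errors and warnings will be displayed
// Leave this false in production: displayed errors can reveal file paths and
// configuration details to end users.
$developmentMode = false;

// No closing ?> tag: any whitespace after it would be sent as output and
// could break header()/cookie handling in the scripts that include this file.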