<?php // Copyright (c) 2018, SWITCH

//******************************************************************************
// This file contains the configuration of SWITCHwayf, a light-weight
// implementation of a SAML Discovery Service. Adapt the settings to reflect
// your environment and then do some testing before going into production.
// Unless specifically set, default values will be used for all options.
//******************************************************************************


// 1. Language Settings
//*********************
// Language that is used by default if the language of the user's web browser
// is not available in languages.php or custom-languages.php.
// If a string is not available in the local language, English ('en') will be
// used as a last resort.
//$defaultLanguage = 'en';



// 2. Cookie Settings
//*******************

// Domain within which the WAYF cookie should be readable. Must start with a .
//$commonDomain = '.example.org';

// Optional cookie name prefix in case you run several
// instances of the WAYF in the same domain.
// Example: $cookieNamePrefix = '_mywayf';
//$cookieNamePrefix = '';

// Names of the cookies where to store the settings to temporarily
// redirect users transparently to their last selected IdP
//$redirectCookieName = $cookieNamePrefix.'_redirect_user_idp';

// Stores last selected IdPs
// This value shouldn't be changed because _saml_idp is the officially
// defined name in the SAML specification
//$SAMLDomainCookieName = $cookieNamePrefix.'_saml_idp';

// Stores last selected SP
// This value can be chosen as you like because it is something specific
// to this WAYF implementation. It can be used to display help/contact
// information on a page in the same domain as $commonDomain by accessing
// the federation metadata and parsing out the contact information of the
// selected IdP and SP using $SAMLDomainCookieName and $SPCookieName
//$SPCookieName = $cookieNamePrefix.'_saml_sp';

// If enabled, cookies are set/transmitted only over HTTPS connections (Secure flag)
// and the HttpOnly flag is set to prevent JavaScript from reading the
// cookies
//$cookieSecurity = false;

// Number of days long-term cookies should be valid
//$cookieValidity = 100;



// 3. Features and Extensions
//***************************

// Whether to show the checkbox to permanently remember a setting
//$showPermanentSetting = false;

// Whether or not to use the search-as-you-type feature of the drop down list
// Enabling this will use JavaScript to convert the select element containing
// all Identity Providers to a searchable search-as-you-type list that also
// displays logos if available
//$useImprovedDropDownList = true;

  // If true the improved drop-down-list will not display logos that
  // have to be loaded from remote URLs. That way the web browser
  // does not have to make requests to third party hosts.
  // Logos that are embedded using data URIs
  // (src="data:image/png;base64...") will however still be displayed
  //$disableRemoteLogos = false;


// Number of previously used Identity Providers to show at top of drop-down list
// Default is 3, set to 0 to disable
//$showNumOfPreviouslyUsedIdPs = 3;

// Set to true in order to enable reading the Identity Providers and Service
// Providers from a SAML2 metadata file defined below in $metadataFile
// The parsed data will be available in $metadataIDPFile and $metadataSPFile
//$useSAML2Metadata = false;

  // If true, parsed metadata has precedence if there are entries defined
  // in metadata as well as the local IDProviders configuration file.
  // Requires $useSAML2Metadata to be true
  //$SAML2MetaOverLocalConf = false;

  // If the $includeLocalConfEntries parameter is set to true, Identity Providers
  // not listed in metadata but defined in the local IDProviders file will also
  // be displayed in the drop down list. This is required if you need to add
  // local exceptions over the federation metadata
  // Requires $useSAML2Metadata to be true
  //$includeLocalConfEntries = true;

  // Whether the return parameter is checked against SAML2 metadata or not
  // The Discovery Service specification says the DS SHOULD check this in order
  // to mitigate phishing problems.
  // The return parameter will only be checked if the Service Provider's metadata
  // contains an <idpdisc:DiscoveryResponse> or if the assertion consumer url
  // check below is enabled
  // Requires $useSAML2Metadata to be true
  //$enableDSReturnParamCheck = true;

    // If true, the return parameter is checked for Service Providers that
    // don't have an <idpdisc:DiscoveryResponse> extension set. Instead of this
    // extension, the hostnames of the assertion consumer URLs are used to check
    // the return parameter against.
    // This feature is useful in case the Service Provider's metadata doesn't contain
    // a <idpdisc:DiscoveryResponse> extension. It increases security for Service
    // Providers that don't have an <idpdisc:DiscoveryResponse> extension.
    // Requires $useSAML2Metadata and $enableDSReturnParamCheck to be true
    //$useACURLsForReturnParamCheck = false;

// Whether to turn on Kerberos support for Identity Provider preselection
//$useKerberos = false;

  // A Kerberos-protected page that redirects back to the WAYF script
  //$kerberosRedirectURL = '/myFederation/kerberosRedirect.php';

// If enabled, the user's IP is used for a reverse DNS lookup whose resulting
// domain name then is matched with the URN values of the Identity Providers
//$useReverseDNSLookup = false;

// Whether the JavaScript required for embedding the WAYF
// on a remote site should be generated or not
// Lowers security against phishing!
// If this value is set to true, any web page in the world can
// (with some efforts) find out with a high probability from which
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
//$useEmbeddedWAYF = false;

  // If enabled the Embedded WAYF will prevent releasing information
  // about the user's preselected Identity Provider
  // While this is beneficial to the data protection of the user, it will also
  // prevent preselecting the user's Identity Provider. Thus, users will have
  // to preselect their IdP each and every time
  // Requires $useEmbeddedWAYF to be true
  //$useEmbeddedWAYFPrivacyProtection = false;

  // If enabled, the referer hostname of the request must match an assertion
  // consumer URL or a discovery URL of a Service Provider in $metadataSPFile
  // in order to let the Embedded WAYF preselect an Identity Provider.
  // Therefore, this option is a good compromise between data protection and
  // user-friendliness.
  // Requires $useSAML2Metadata to be true and $useEmbeddedWAYFPrivacyProtection
  // to be false
  //$useEmbeddedWAYFRefererForPrivacyProtection = false;

// If enabled (default) Identity Providers that are in the
// "Hide From Discovery" entity category (see
// https://refeds.org/category/hide-from-discovery/) will not
// be parsed when SAML2 metadata is processed. The effect will
// be that these IdPs are not shown in the organisation drop
// down list. IdPs in this entity category, however, still can
// be manually added using the Embedded WAYF.
//$supportHideFromDiscoveryEntityCategory = true;

// Only process IDPs with a particular entity category. All
// others are ignored and not taken into account.
// Multiple entity category identifiers can be provided
// space separated. If the IdP is in none of them,
// the IdP is ignored.
//$filterEntityCategory = 'http://example.com/category/example-member';

// Whether or not to add the entityID of the preselected IdP to the
// exported JSON/Text/PHP Code
// Lowers security against phishing!
// If this value is set to true, any web page
// in the world can easily find out with a high probability from which
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
//$exportPreselectedIdP = false;

// Whether to enable logging of WAYF/DS requests
// If turned on make sure to also configure $WAYFLogFile
//$useLogging = true;

  // Where to log the access requests
  // This log is only an audit log for access requests.
  // Errors (e.g. when parsing SAML metadata) go to the syslog.
  // Make sure the web server user has write access to this file!
  //$WAYFLogFile = '/var/log/apache2/wayf.log';



// 4. Files and path Settings
//***************************
// All relative paths are resolved relative to the configuration directory

// Set both config files to the same value if you don't want to use the
// WAYF to read a (potentially) automatically generated file that undergoes
// some plausibility checks before being used
//$IDPConfigFile = 'IDProvider.conf.php';
//$backupIDPConfigFile = 'IDProvider.conf.php';

// Use $metadataFile as the source of the federation's metadata.
//$metadataFile = '/etc/shibboleth/metadata.myFederation.xml';

// File to store the parsed IdP list
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataIDPFile
//$metadataIDPFile = 'IDProvider.metadata.php';

// File to store the parsed SP list.
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataSPFile
//$metadataSPFile = 'SProvider.metadata.php';

// File to use as the lock file for writing the parsed IdP and SP lists.
// The user running the script must have permission to write $metadataLockFile
//$metadataLockFile = '/tmp/wayf_metadata.lock';

// Use an absolute URL in case you want to use the embedded WAYF
// The default assumes that this is in the same directory as
// the WAYF script.
//$imageURL = 'https://ds.example.org/SWITCHwayf/images';

// Absolute URL to point to css directory
// The default assumes that this is in the same directory as
// the WAYF script.
//$cssURL = 'https://ds.example.org/SWITCHwayf/css';

// Absolute URL to point to javascript directory
// The default assumes that this is in the same directory as
// the WAYF script.
//$javascriptURL = 'https://ds.example.org/SWITCHwayf/js';



// 5. Appearance Settings
//**************************

// Identifier for this particular instance of the SWITCHwayf
// This is mainly used for logging to syslog and in particular
// useful in case multiple instances of the SWITCHwayf are
// operated on the same host
//$instanceIdentifier = 'SWITCHwayf';

// URL to send user to when clicking on federation logo
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the logo
//$federationURL = 'http://www.example.org/myFed/';

// Absolute URL to the federation logo that should be displayed in the Embedded WAYF
// Set to an empty string to hide the logo
//$logoURL = 'http://ds.example.org/SWITCHwayf/images/federation-logo.png';

// Absolute URL to the small federation logo that should be displayed in the
// embedded WAYF. Make sure the dimensions (in particular the height of the logo)
// are small, ideally not larger than 120x30 pixels
//$smallLogoURL = 'http://ds.example.org/SWITCHwayf/images/small-federation-logo.png';

// Support contact email address
//$supportContactEmail = 'helpdesk@example.org';

// Absolute URL to the logo of the organization operating this Discovery Service
// Set to an empty string to hide the logo
//$organizationLogoURL = 'https://ds.example.org/SWITCHwayf/images/organization-logo.png';

// Absolute URL to the organization's web page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
//$organizationURL = 'http://www.example.org/';

// Absolute URL to an FAQ page
// This entry's localized string is 'faq' in languages.php
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the link
//$faqURL = 'http://www.example.org/%s/myFed/faq/';

// Absolute URL to a help/support page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the link
//$helpURL = 'http://www.example.org/%s/myFed/help/';

// Absolute URL to a privacy policy page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the link
//$privacyURL = 'http://www.example.org/%s/myFed/privacy/';

// Additional strings for custom templates
//$customStrings = array(
//    'federationName' => 'myFederation'
//);


// Development mode settings
//**************************
// If the development mode is activated, PHP errors and warnings will be displayed
// on pages the SWITCHwayf generates
//$developmentMode = false;