Commit af6e5977 authored by haemmer

Added cookieSecurity option to set and transmit cookies securely

Added additional data protection feature that uses the referer to decide whether or not to preselect an Identity Provider in the Embedded WAYF
If the Discovery Feed feature is activated only those IdPs are shown that are contained in the feed. Others will be hidden automatically.
Added code to automatically set proper default values in case they are not defined in the configuration
Added improved drop-down feature with search as you type functionality
Added licenses of added libraries
parent 5590a93f
...@@ -25,6 +25,15 @@ necessary for such releases. ...@@ -25,6 +25,15 @@ necessary for such releases.
SWITCHwayf Changes and Version History: SWITCHwayf Changes and Version History:
1.16 Release date:
- Added an improved version of the drop down list to the WAYF
- Added cookieSecurity option to set and transmit cookies securely
- Added additional data protection feature that uses the referer to
decide whether or not to preselect an Identity Provider in the
Embedded WAYF
- If the Discovery Feed feature is activated only those IdPs are shown
that are contained in the feed. Others will be hidden automatically.
1.15 Release date: 21. October 2011 1.15 Release date: 21. October 2011
- A default and custom CSS file can now be used - A default and custom CSS file can now be used
- Graphical design now is based new SWITCH harmos elements - Graphical design now is based new SWITCH harmos elements
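Review bot: the new 1.16 entry has an empty release date ("1.16 Release date:") and omits two behaviour changes visible elsewhere in this commit that operators will notice: the new `$cookieValidity` option replacing the hard-coded 100-day cookie lifetime, and the split of `checkIDP()` into a silent variant and `checkIDPAndShowErrors()`. Please fill in the date before tagging and add a line for each so the changelog matches what config.dist.php and WAYF.php now do.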
License note for the SWITCHwayf code
-----------------------------------
Copyright (c) 2011, SWITCH - Serving Swiss Universities Copyright (c) 2011, SWITCH - Serving Swiss Universities
All rights reserved. All rights reserved.
...@@ -25,3 +27,44 @@ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF ...@@ -25,3 +27,44 @@ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
License note for the Improved Drop Down
---------------------------------------
Copyright 2011 - John Fuex
Licensed under the Apache License, Version 2.0 (the "License"); you
may not use this file except in compliance with the License. You may
obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied. See the License for the specific language governing
permissions and limitations under the License.
License note for JQuery
-----------------------
Copyright (c) 2011 John Resig, http://jquery.com/
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file
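Review bot: the file now ends without a trailing newline ("\ No newline at end of file"); add one so the next edit to LICENSE does not produce a noisy diff. The two new notices also name no library version, so it is not clear which jQuery release and which drop-down version the copied notices apply to; stating the bundled version next to each copyright line makes later license audits straightforward.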
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
/* /*
****************************************************************************** ******************************************************************************
SWITCHwayf SWITCHwayf
Version: 1.15 Version: 1.16
Contact: aai@switch.ch Contact: aai@switch.ch
Web site: http://www.switch.ch/aai/wayf Web site: http://www.switch.ch/aai/wayf
****************************************************************************** ******************************************************************************
...@@ -18,7 +18,13 @@ require_once('templates.php'); ...@@ -18,7 +18,13 @@ require_once('templates.php');
require_once('functions.php'); require_once('functions.php');
require_once('languages.php'); require_once('languages.php');
// Read custom strings // Set P3P headers just in case they were not set in Apache already
header('P3P: CP="NOI CUR DEVa OUR IND COM NAV PRE"');
// Set default config options
initConfigOptions();
// Read custom locales
if (file_exists('custom-languages.php')){ if (file_exists('custom-languages.php')){
require_once('custom-languages.php'); require_once('custom-languages.php');
} }
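Review bot: the P3P compact policy `CP="NOI CUR DEVa OUR IND COM NAV PRE"` is hard-coded in WAYF.php, yet it is a statement about how the deploying site handles personal data and belongs in config.dist.php next to the other cookie settings, with a default that initConfigOptions() can fill. The comment says the header is sent "just in case" Apache has not set it, but PHP's header() cannot see headers that mod_headers adds later in the request, so a site that already configures P3P in Apache may end up emitting two. Suggest `if ($p3pPolicy) header('P3P: CP="'.$p3pPolicy.'"');` with an empty default that disables it.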
...@@ -26,7 +32,7 @@ if (file_exists('custom-languages.php')){ ...@@ -26,7 +32,7 @@ if (file_exists('custom-languages.php')){
/*------------------------------------------------*/ /*------------------------------------------------*/
// Turn on PHP error reporting // Turn on PHP error reporting
/*------------------------------------------------*/ /*------------------------------------------------*/
if (isset($developmentMode) && $developmentMode){ if ($developmentMode){
ini_set('error_reporting', E_ALL); ini_set('error_reporting', E_ALL);
ini_set('display_errors', 'On'); ini_set('display_errors', 'On');
ini_set('log_erros', 'Off'); ini_set('log_erros', 'Off');
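Review bot: `ini_set('log_erros', 'Off')` on the last context line is a typo for `log_errors`, so that call has been a no-op all along; since this hunk touches the block, fix the spelling (and consider leaving log_errors on in development mode so errors are recorded as well as displayed). Dropping `isset($developmentMode)` here and in the later hunks is only safe because initConfigOptions() now supplies defaults, so make sure that function covers `$developmentMode` too; otherwise an older config.php triggers an undefined-variable notice in the very block meant to control error display.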
...@@ -54,7 +60,7 @@ if ($IDPConfigFile == $backupIDPConfigFile){ ...@@ -54,7 +60,7 @@ if ($IDPConfigFile == $backupIDPConfigFile){
} }
// Read metadata file if configuration option is set // Read metadata file if configuration option is set
if(isset($useSAML2Metadata) && $useSAML2Metadata && function_exists('xml_parser_create')){ if($useSAML2Metadata && function_exists('xml_parser_create')){
require('readMetadata.php'); require('readMetadata.php');
} }
...@@ -89,7 +95,7 @@ if(isValidDSRequest()){ ...@@ -89,7 +95,7 @@ if(isValidDSRequest()){
exit; exit;
} }
if (isset($enableDSReturnParamCheck) && $enableDSReturnParamCheck){ if ($enableDSReturnParamCheck){
// Check SP // Check SP
if(!isset($SProviders[$_GET['entityID']])){ if(!isset($SProviders[$_GET['entityID']])){
// Show error // Show error
...@@ -120,7 +126,7 @@ if (isRequestType('deleteSettings')){ ...@@ -120,7 +126,7 @@ if (isRequestType('deleteSettings')){
$cookies = array($redirectCookieName, $redirectStateCookieName, $SAMLDomainCookieName, $SPCookieName); $cookies = array($redirectCookieName, $redirectStateCookieName, $SAMLDomainCookieName, $SPCookieName);
foreach ($cookies as $cookie){ foreach ($cookies as $cookie){
if (isset($_COOKIE[$cookie])){ if (isset($_COOKIE[$cookie])){
setcookie($cookie,'',time()-86400, '/', $commonDomain); setcookie($cookie,'',time()-86400, '/', $commonDomain, $cookieSecurity, $cookieSecurity);
} }
} }
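Review bot: `$cookieSecurity` is passed as both the `secure` and the `httponly` argument of setcookie(), here and in every later setcookie() call in this commit. These are independent protections: HttpOnly keeps the IdP-selection cookies out of reach of page scripts regardless of transport, and there is no reason to lose it on a plain-HTTP test instance. Suggest passing `true` for httponly unconditionally, or adding a separate `$cookieHttpOnly` option, and keeping the same flag values in these deletion calls so the browser matches the cookie that was originally set.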
...@@ -135,7 +141,7 @@ if (isRequestType('deleteSettings')){ ...@@ -135,7 +141,7 @@ if (isRequestType('deleteSettings')){
// Delete permanent cookie // Delete permanent cookie
if (isset($_POST['clear_user_idp'])){ if (isset($_POST['clear_user_idp'])){
setcookie ($redirectCookieName, '', time() - 3600, '/', $commonDomain, false); setcookie ($redirectCookieName, '', time() - 3600, '/', $commonDomain, $cookieSecurity, $cookieSecurity);
redirectTo('?'.$_SERVER['QUERY_STRING']); redirectTo('?'.$_SERVER['QUERY_STRING']);
exit; exit;
} }
...@@ -155,43 +161,43 @@ if (isset($_COOKIE[$SPCookieName])){ ...@@ -155,43 +161,43 @@ if (isset($_COOKIE[$SPCookieName])){
} }
// Set Cookie to remember the selection // Set Cookie to remember the selection
if (isset($_POST['user_idp']) && checkIDP($_POST['user_idp'])){ if (isset($_POST['user_idp']) && checkIDPAndShowErrors($_POST['user_idp'])){
$IDPArray = appendValueToIdPArray($_POST['user_idp'], $IDPArray); $IDPArray = appendValueToIdPArray($_POST['user_idp'], $IDPArray);
setcookie ($SAMLDomainCookieName, getValueFromIdPArray($IDPArray) , time() + (1000*24*3600), '/', $commonDomain, false); setcookie ($SAMLDomainCookieName, getValueFromIdPArray($IDPArray) , time() + ($cookieValidity*24*3600), '/', $commonDomain, $cookieSecurity, $cookieSecurity);
} }
// Set cookie for most recently used Service Provider // Set cookie for most recently used Service Provider
if (isset($_GET['entityID'])){ if (isset($_GET['entityID'])){
$SPArray = appendValueToIdPArray($_GET['entityID'], array()); $SPArray = appendValueToIdPArray($_GET['entityID'], array());
setcookie ($SPCookieName, getValueFromIdPArray($SPArray), time() + (10*24*3600), '/', $commonDomain, false); setcookie ($SPCookieName, getValueFromIdPArray($SPArray), time() + (10*24*3600), '/', $commonDomain, $cookieSecurity, $cookieSecurity);
} else if (isset($_GET['providerId'])){ } else if (isset($_GET['providerId'])){
$SPArray = appendValueToIdPArray($_GET['providerId'], array()); $SPArray = appendValueToIdPArray($_GET['providerId'], array());
setcookie ($SPCookieName, getValueFromIdPArray($SPArray), time() + (10*24*3600), '/', $commonDomain, false); setcookie ($SPCookieName, getValueFromIdPArray($SPArray), time() + (10*24*3600), '/', $commonDomain, $cookieSecurity, $cookieSecurity);
} }
// Set the permanent or session cookie // Set the permanent or session cookie
if (isset($_POST['permanent']) if (isset($_POST['permanent'])
&& isset($_POST['user_idp']) && isset($_POST['user_idp'])
&& checkIDP($_POST['user_idp'])){ && checkIDPAndShowErrors($_POST['user_idp'])){
// Set permanent cookie // Set permanent cookie
if (is_numeric($_POST['permanent'])){ if (is_numeric($_POST['permanent'])){
setcookie ($redirectCookieName, $_POST['user_idp'], time() + ($_POST['permanent']*24*3600), '/', $commonDomain, false); setcookie ($redirectCookieName, $_POST['user_idp'], time() + ($_POST['permanent']*24*3600), '/', $commonDomain, $cookieSecurity, $cookieSecurity);
} else { } else {
setcookie ($redirectCookieName, $_POST['user_idp'], time() + (100*24*3600), '/', $commonDomain, false); setcookie ($redirectCookieName, $_POST['user_idp'], time() + ($cookieValidity*24*3600), '/', $commonDomain, $cookieSecurity, $cookieSecurity);
} }
} elseif ( } elseif (
isset($_POST['user_idp']) isset($_POST['user_idp'])
&& checkIDP($_POST['user_idp']) && checkIDPAndShowErrors($_POST['user_idp'])
){ ){
if (isset($_POST['session'])){ if (isset($_POST['session'])){
// Set redirection cookie and redirection state cookie // Set redirection cookie and redirection state cookie
setcookie ($redirectCookieName, $_POST['user_idp'], null, '/', $commonDomain, false); setcookie ($redirectCookieName, $_POST['user_idp'], null, '/', $commonDomain, $cookieSecurity, $cookieSecurity);
setcookie ($redirectStateCookieName, 'checked', time() + (100*24*3600), '/', $commonDomain, false); setcookie ($redirectStateCookieName, 'checked', time() + ($cookieValidity*24*3600), '/', $commonDomain, $cookieSecurity, $cookieSecurity);
} else { } else {
setcookie ($redirectStateCookieName, 'checked', time() - 3600, '/', $commonDomain, false); setcookie ($redirectStateCookieName, 'checked', time() - 3600, '/', $commonDomain, $cookieSecurity, $cookieSecurity);
} }
} }
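Review bot: the expiry `time() + ($_POST['permanent']*24*3600)` takes the lifetime straight from the form; `is_numeric()` accepts values such as `1e9` or negative numbers, so a tampered form field yields a cookie that lasts for decades or expires immediately. Since this commit introduces `$cookieValidity`, cap the user-supplied value against it, e.g. `$days = min((int)$_POST['permanent'], $cookieValidity);` and use `$days` in the setcookie() call, falling back to `$cookieValidity` when the cast gives zero or less.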
...@@ -203,7 +209,7 @@ if (isset($_POST['permanent']) ...@@ -203,7 +209,7 @@ if (isset($_POST['permanent'])
if ( if (
isValidShibRequest() isValidShibRequest()
&& isset($_COOKIE[$redirectCookieName]) && isset($_COOKIE[$redirectCookieName])
&& checkIDP($_COOKIE[$redirectCookieName], false) && checkIDP($_COOKIE[$redirectCookieName])
){ ){
$cookieIdP = $_COOKIE[$redirectCookieName]; $cookieIdP = $_COOKIE[$redirectCookieName];
...@@ -238,7 +244,7 @@ if ($useKerberos && isset($_SERVER['REMOTE_USER'])) { ...@@ -238,7 +244,7 @@ if ($useKerberos && isset($_SERVER['REMOTE_USER'])) {
// Bingo - we have a winner! // Bingo - we have a winner!
$kerberosRealm = substr($user, 1 + strlen($kerberosPrincipal) - strlen(strrchr($kerberosPrincipal, "@"))); $kerberosRealm = substr($user, 1 + strlen($kerberosPrincipal) - strlen(strrchr($kerberosPrincipal, "@")));
if ($kerberosIDP = getKerberosRealm($kerberosRealm) && checkIDP($kerberosIDP, false)){ if ($kerberosIDP = getKerberosRealm($kerberosRealm) && checkIDP($kerberosIDP)){
// Handle cascaded WAYF // Handle cascaded WAYF
if (isset($IDProviders[$kerberosIDP]['Type']) && $IDProviders[$kerberosIDP]['Type'] == 'wayf'){ if (isset($IDProviders[$kerberosIDP]['Type']) && $IDProviders[$kerberosIDP]['Type'] == 'wayf'){
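Review bot: the changed line keeps an operator-precedence bug: in `if ($kerberosIDP = getKerberosRealm($kerberosRealm) && checkIDP($kerberosIDP))`, `&&` binds tighter than `=`, so `$kerberosIDP` is assigned the boolean result of the whole `&&` expression, and `checkIDP($kerberosIDP)` is evaluated with whatever `$kerberosIDP` held before (normally unset). The branch therefore never sees the realm's IdP entityID, and the cascaded-WAYF lookup below indexes `$IDProviders` with a boolean. Parenthesise the assignment: `if (($kerberosIDP = getKerberosRealm($kerberosRealm)) && checkIDP($kerberosIDP))`.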
...@@ -290,7 +296,7 @@ if ( ...@@ -290,7 +296,7 @@ if (
isset($_GET['shire']) isset($_GET['shire'])
&& isset($_GET['target']) && isset($_GET['target'])
&& isset($_GET['origin']) && isset($_GET['origin'])
&& checkIDP($_GET['origin']) && checkIDPAndShowErrors($_GET['origin'])
){ ){
redirectTo($IDProviders[$_GET['origin']]['SSO'].'?'.$_SERVER['QUERY_STRING']); redirectTo($IDProviders[$_GET['origin']]['SSO'].'?'.$_SERVER['QUERY_STRING']);
...@@ -311,7 +317,7 @@ if ($hintedPathIDP != '-'){ ...@@ -311,7 +317,7 @@ if ($hintedPathIDP != '-'){
} elseif ( checkPathInfo('redirect') ){ } elseif ( checkPathInfo('redirect') ){
// Set redirect cookie for this session // Set redirect cookie for this session
setcookie ($redirectCookieName, $hintedPathIDP, null, '/', $commonDomain, false); setcookie ($redirectCookieName, $hintedPathIDP, null, '/', $commonDomain, $cookieSecurity, $cookieSecurity);
// Determine if DS or WAYF request // Determine if DS or WAYF request
if (isValidDSRequest()){ if (isValidDSRequest()){
...@@ -334,7 +340,7 @@ if ($hintedPathIDP != '-'){ ...@@ -334,7 +340,7 @@ if ($hintedPathIDP != '-'){
// Redirect using user selection // Redirect using user selection
if ( if (
isset($_POST['user_idp']) isset($_POST['user_idp'])
&& checkIDP($_POST['user_idp']) && checkIDPAndShowErrors($_POST['user_idp'])
&& isValidShibRequest() && isValidShibRequest()
&& !isset($_POST['permanent']) && !isset($_POST['permanent'])
){ ){
...@@ -394,7 +400,7 @@ $hintedIPIDP = getIPAdressHint(); ...@@ -394,7 +400,7 @@ $hintedIPIDP = getIPAdressHint();
// Reverse DNS lookup hint // Reverse DNS lookup hint
$hintedDomainIDP = '-'; $hintedDomainIDP = '-';
if (isset($useReverseDNSLookup) && $useReverseDNSLookup){ if ($useReverseDNSLookup){
$hintedDomainIDP = getDomainNameFromURIHint(); $hintedDomainIDP = getDomainNameFromURIHint();
} }
...@@ -425,7 +431,7 @@ if ($hintedCookieIdP != '-'){ ...@@ -425,7 +431,7 @@ if ($hintedCookieIdP != '-'){
// Sort Identity Providers // Sort Identity Providers
/*------------------------------------------------*/ /*------------------------------------------------*/
if (isset($useSAML2Metadata) && $useSAML2Metadata){ if ($useSAML2Metadata){
// Only automatically sort if list of Identity Provider is parsed // Only automatically sort if list of Identity Provider is parsed
// from metadata instead of being manualy managed // from metadata instead of being manualy managed
sortIdentityProviders($IDProviders); sortIdentityProviders($IDProviders);
...@@ -511,7 +517,7 @@ if ( ...@@ -511,7 +517,7 @@ if (
} elseif(isRequestType('snippet.html')){ } elseif(isRequestType('snippet.html')){
// Check if this feature is activated at all // Check if this feature is activated at all
if (!isset($useEmbeddedWAYF) || !$useEmbeddedWAYF){ if (!$useEmbeddedWAYF){
echo '// The embedded WAYF feature is deactivated in the configuration'; echo '// The embedded WAYF feature is deactivated in the configuration';
exit; exit;
} }
...@@ -526,7 +532,7 @@ if ( ...@@ -526,7 +532,7 @@ if (
header('Content-Type: text/plain'); header('Content-Type: text/plain');
// Check if this feature is activated at all // Check if this feature is activated at all
if (!isset($useEmbeddedWAYF) || !$useEmbeddedWAYF){ if (!$useEmbeddedWAYF){
echo '// The embedded WAYF feature is deactivated in the configuration'; echo '// The embedded WAYF feature is deactivated in the configuration';
exit; exit;
} }
...@@ -539,7 +545,7 @@ if ( ...@@ -539,7 +545,7 @@ if (
} elseif(isRequestType('embedded-wayf.js')){ } elseif(isRequestType('embedded-wayf.js')){
// Check if this feature is activated at all // Check if this feature is activated at all
if (!isset($useEmbeddedWAYF) || !$useEmbeddedWAYF){ if (!$useEmbeddedWAYF){
echo '// The embedded WAYF feature is deactivated in the configuration'; echo '// The embedded WAYF feature is deactivated in the configuration';
exit; exit;
} }
...@@ -547,10 +553,16 @@ if ( ...@@ -547,10 +553,16 @@ if (
// Set JavaScript content type // Set JavaScript content type
header('Content-type: text/javascript;charset="utf-8"'); header('Content-type: text/javascript;charset="utf-8"');
// Is Embedded WAYF data protection feature enabled? // If the data protection feature is enabled, don't preselect the IdP
if ($useEmbeddedWAYFPrivacyProtection){
$selectedIDP = '-';
}
// If the referer check is enabled but fails, don't preselect the IdP
if ( if (
isset($useEmbeddedWAYFPrivacyProtection) !$useEmbeddedWAYFPrivacyProtection
&& $useEmbeddedWAYFPrivacyProtection == true && $useEmbeddedWAYFRefererForPrivacyProtection
&& !isRequestRefererMatchingSPHost()
){ ){
$selectedIDP = '-'; $selectedIDP = '-';
} }
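Review bot: the new branch makes preselection depend on `isRequestRefererMatchingSPHost()`, i.e. on the client-supplied Referer header, so it should be documented as a privacy heuristic rather than a check that cannot be bypassed: the header is set by the client and is frequently absent (privacy settings, referrer policies), in which case the code correctly falls back to no preselection. Two things to verify in that function: that it returns false when `$_SERVER['HTTP_REFERER']` is missing, and that it does not fail on an undefined `$SProviders` when `$useSAML2Metadata` is false, because config.dist.php says this option requires metadata but nothing in WAYF.php enforces that combination.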
...@@ -568,7 +580,7 @@ if ( ...@@ -568,7 +580,7 @@ if (
} }
// Add guessed Identity Provider // Add guessed Identity Provider
if (isset($exportPreselectedIdP) && $exportPreselectedIdP){ if ($exportPreselectedIdP){
$IDProviders['preselectedIDP'] = $selectedIDP; $IDProviders['preselectedIDP'] = $selectedIDP;
} }
...@@ -585,7 +597,7 @@ if ( ...@@ -585,7 +597,7 @@ if (
header('Content-type: text/javascript;charset="utf-8"'); header('Content-type: text/javascript;charset="utf-8"');
// Add guessed Identity Provider // Add guessed Identity Provider
if (isset($exportPreselectedIdP) && $exportPreselectedIdP){ if ($exportPreselectedIdP){
$IDProviders['preselectedIDP'] = $selectedIDP; $IDProviders['preselectedIDP'] = $selectedIDP;
} }
...@@ -604,7 +616,7 @@ if ( ...@@ -604,7 +616,7 @@ if (
} }
// Add guessed Identity Provider // Add guessed Identity Provider
if (isset($exportPreselectedIdP) && $exportPreselectedIdP){ if ($exportPreselectedIdP){
$IDProviders['preselectedIDP'] = $selectedIDP; $IDProviders['preselectedIDP'] = $selectedIDP;
} }
...@@ -619,7 +631,7 @@ if ( ...@@ -619,7 +631,7 @@ if (
header('Content-Type: text/plain'); header('Content-Type: text/plain');
// Add guessed Identity Provider // Add guessed Identity Provider
if (isset($exportPreselectedIdP) && $exportPreselectedIdP){ if ($exportPreselectedIdP){
$IDProviders['preselectedIDP'] = $selectedIDP; $IDProviders['preselectedIDP'] = $selectedIDP;
} }
...@@ -636,7 +648,7 @@ if ( ...@@ -636,7 +648,7 @@ if (
header('Content-Type: text/plain'); header('Content-Type: text/plain');
// Add guessed Identity Provider // Add guessed Identity Provider
if (isset($exportPreselectedIdP) && $exportPreselectedIdP){ if ($exportPreselectedIdP){
$IDProviders['preselectedIDP'] = $selectedIDP; $IDProviders['preselectedIDP'] = $selectedIDP;
} }
...@@ -648,10 +660,10 @@ if ( ...@@ -648,10 +660,10 @@ if (
exit; exit;
} elseif ( } elseif (
(isset($_POST['user_idp']) && checkIDP($_POST['user_idp'])) (isset($_POST['user_idp']) && checkIDPAndShowErrors($_POST['user_idp']))
|| ( || (
isset($_COOKIE[$redirectCookieName]) isset($_COOKIE[$redirectCookieName])
&& checkIDP($_COOKIE[$redirectCookieName], false) && checkIDP($_COOKIE[$redirectCookieName])
) )
){ ){
...@@ -38,6 +38,11 @@ $SAMLDomainCookieName = $cookieNamePrefix.'_saml_idp'; ...@@ -38,6 +38,11 @@ $SAMLDomainCookieName = $cookieNamePrefix.'_saml_idp';
// selected IdP and SP using $SAMLDomainCookieName and $SPCookieName // selected IdP and SP using $SAMLDomainCookieName and $SPCookieName
$SPCookieName = $cookieNamePrefix.'_saml_sp'; $SPCookieName = $cookieNamePrefix.'_saml_sp';
// If enabled cookies are set/transmitted only via https connections
$cookieSecurity = false;
// Number of days longterm cookies shall be valid
$cookieValidity = 100;
// 3. Features and extensions // 3. Features and extensions
//*************************** //***************************
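Review bot: `$cookieSecurity = false` as the shipped default means a fresh install sends the IdP-selection cookies over plain HTTP unless the operator notices the option, while the image/css/js URLs a few hunks below are already hard-wired to https://. A safer default that still works on a test box is to derive it from the connection, e.g. `$cookieSecurity = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';`, and let operators override it. The comment on `$cookieValidity` should also say which cookies it applies to (the permanent IdP cookie, the SAML common-domain cookie and the redirect-state cookie, per WAYF.php), since the SP cookie keeps its own 10-day value.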
...@@ -45,6 +50,9 @@ $SPCookieName = $cookieNamePrefix.'_saml_sp'; ...@@ -45,6 +50,9 @@ $SPCookieName = $cookieNamePrefix.'_saml_sp';
// Whether to show the checkbox to permanently remember a setting // Whether to show the checkbox to permanently remember a setting
$showPermanentSetting = false; $showPermanentSetting = false;
// Whether or not to use the search-as-you-type feature of the drop down list
$userImprovedDropDownList = true;
// Set to true in order to enable reading the Identity Provider from a SAML2 // Set to true in order to enable reading the Identity Provider from a SAML2
// metadata file defined below in $metadataFile // metadata file defined below in $metadataFile
$useSAML2Metadata = true; $useSAML2Metadata = true;
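Review bot: `$userImprovedDropDownList` looks like a typo for `$useImprovedDropDownList`; every other feature switch in this section is named `$use...`, and the commit message speaks of using the improved drop-down. Renaming it now, before 1.16 ships, avoids carrying a misspelled option name in deployed config files; whichever name is chosen, the same identifier must appear in initConfigOptions() and in the template that emits the search-as-you-type JavaScript.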
...@@ -97,16 +105,21 @@ $useReverseDNSLookup = false; ...@@ -97,16 +105,21 @@ $useReverseDNSLookup = false;
// Therefore, only enable this feature if you know what you are doing! // Therefore, only enable this feature if you know what you are doing!
$useEmbeddedWAYF = false; $useEmbeddedWAYF = false;
// If activated the Embedded WAYF will prevent releasing information // If enabled the Embedded WAYF will prevent releasing information
// about the user's preselected Identity Provider // about the user's preselected Identity Provider
// While this is benefical to the data protection of the user, it will also // While this is benefical to the data protection of the user, it will also
// prevent preselecting the user's Identity Provider. Thus, users will have // prevent preselecting the user's Identity Provider. Thus, users will have
// to preselect their IdP each and every time // to preselect their IdP each and every time
$useEmbeddedWAYFPrivacyProtection = false; $useEmbeddedWAYFPrivacyProtection = false;
// Whether to enable logging of WAYF/DS requests // If enabled, the referer hostname of the request must match tan assertion
// If turned on make sure to also configure $WAYFLogFile // consumer URL or a discovery URL of a Service Provider in $metadataSPFile
$useLogging = true; // in order to let the Embedded WAYF preselect an Identity Provider.
// Therefore, this option is a good compromise between data protection and
// userfriendlyness.
// This option can only be used if $useEmbeddedWAYFPrivacyProtection is false
// and $useSAML2Metadata is true
$useEmbeddedWAYFRefererForPrivacyProtection = false;
// Whether or not to add the entityID of the preselected IdP to the // Whether or not to add the entityID of the preselected IdP to the
// exported JSON/Text/PHP Code // exported JSON/Text/PHP Code
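Review bot: the new comment block has typos that will be copied into every deployed config.php: "match tan assertion" should read "match an assertion", "benefical" "beneficial" and "userfriendlyness" "user-friendliness". The comment also promises that the option is only usable with `$useEmbeddedWAYFPrivacyProtection` false and `$useSAML2Metadata` true; the first condition is enforced by the `!$useEmbeddedWAYFPrivacyProtection` test in WAYF.php, the second is not, so either add that check or soften the wording.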
...@@ -117,8 +130,12 @@ $useLogging = true; ...@@ -117,8 +130,12 @@ $useLogging = true;
// Therefore, only enable this feature if you know what you are doing! // Therefore, only enable this feature if you know what you are doing!
$exportPreselectedIdP = false; $exportPreselectedIdP = false;
// Whether to enable logging of WAYF/DS requests
// If turned on make sure to also configure $WAYFLogFile
$useLogging = true;
// 4. Look and feel settings // 4. Appearance settings
//************************** //**************************
// Name of the federation // Name of the federation
...@@ -128,12 +145,19 @@ $federationName = 'SWITCHaai Federation'; ...@@ -128,12 +145,19 @@ $federationName = 'SWITCHaai Federation';
$federationURL = 'http://www.switch.ch/aai/'; $federationURL = 'http://www.switch.ch/aai/';
// Use an absolute URL in case you want to use the embedded WAYF // Use an absolute URL in case you want to use the embedded WAYF
$imageURL = 'https://'.$_SERVER['SERVER_NAME'].'/SWITCHaai/images'; $imageURL = 'https://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/images';
// URL to the logo that shall be displayed // Absolute URL to point to css directory
$cssURL = 'https://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/css';
// Absolute URL to point to javascript directory
$javascriptURL = 'https://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/js';
// Absolute URL to the logo that shall be displayed in the Embedded WAYF
$logoURL = $imageURL.'/switch-aai-transparent.png'; $logoURL = $imageURL.'/switch-aai-transparent.png';
// URL to the small logo that shall be displayed in the embedded WAYF if dimensions are small // Absolute URL to the small logo that shall be displayed in the
// embedded WAYF if dimensions must be small
$smallLogoURL = $imageURL.'/switch-aai-transparent-small.png'; $smallLogoURL = $imageURL.'/switch-aai-transparent-small.png';
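Review bot: building `$imageURL`, `$cssURL` and `$javascriptURL` from `$_SERVER['SERVER_NAME']` ties the absolute URLs embedded into the Embedded WAYF snippet to a value that Apache typically derives from the client's Host header unless `UseCanonicalName On` is set; a request carrying a foreign Host header would then yield script and stylesheet URLs pointing at that host. Prefer a fixed hostname configured by the operator, or document the UseCanonicalName requirement. Also, `dirname($_SERVER['SCRIPT_NAME'])` returns '/' when the script sits at the document root, giving `https://host//css`; use `rtrim(dirname($_SERVER['SCRIPT_NAME']), '/')` to avoid the double slash.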
...@@ -143,8 +167,8 @@ $smallLogoURL = $imageURL.'/switch-aai-transparent-small.png'; ...@@ -143,8 +167,8 @@ $smallLogoURL = $imageURL.'/switch-aai-transparent-small.png';
// Set both config files to the same value if you don't want to use the // Set both config files to the same value if you don't want to use the
// the WAYF to read a (potential) automatically generated file that undergoes // the WAYF to read a (potential) automatically generated file that undergoes
// some plausability checks before being used // some plausability checks before being used
$IDPConfigFile = 'IDProvider.conf.php'; // Config file $IDPConfigFile = 'IDProvider.conf.php';
$backupIDPConfigFile = 'IDProvider.conf.php'; // Backup config file $backupIDPConfigFile = 'IDProvider.conf.php';
// Use $metadataFile as source federation's metadata. // Use $metadataFile as source federation's metadata.
$metadataFile = '/etc/shibboleth/metadata.switchaai.xml'; $metadataFile = '/etc/shibboleth/metadata.switchaai.xml';
...@@ -176,6 +200,7 @@ $WAYFLogFile = '/var/log/apache2/wayf.log'; ...@@ -176,6 +200,7 @@ $WAYFLogFile = '/var/log/apache2/wayf.log';
// A Kerboros-protected soft link back to this script! // A Kerboros-protected soft link back to this script!
$kerberosRedirectURL = '/SWITCHaai/kerberosRedirect.php'; $kerberosRedirectURL = '/SWITCHaai/kerberosRedirect.php';
// Development mode settings // Development mode settings
//************************** //**************************
// If the development mode is activated, PHP errors and warnings will be displayed // If the development mode is activated, PHP errors and warnings will be displayed