GIP RENATER
switch-wayf
Commit f3c67c01 authored Nov 18, 2010 by haemmer
Set default config $useEmbeddedWAYF = false
Corrected some typos
parent 70d1b712
Changes
2
README
@@ -14,12 +14,12 @@ Service protocol for use withing a Shibboleth architecture.
-------------------------------------------------------------------------------
Security Note (25. October 2010):
The
current implementation of the
Discovery Service protocol as defined in
The Discovery Service protocol as defined in
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf
states that the protocol creates opportunities for phishing attacks as do all
SSO protocols that make use of redirection. The
refore, the
specification states
that an
implementation should examine the 'return' parameter used in a
Discovery
Service request and match it against the <idpdisc:DiscoveryResponse>
SSO protocols that make use of redirection. The specification states
that an
implementation should examine the 'return' parameter used in a
Discovery
Service request and match it against the <idpdisc:DiscoveryResponse>
extension in SAML metadata. The implementation of the Discovery Service protocol
in the SWITCHwayf prior to version 1.14 does NOT verify the return parameter
even if SAML metadata was used to generate the list of Identity Provider.
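Review bot: the last new line, "generate the list of Identity Provider", wants the plural "Identity Providers". The hunk header also shows "for use withing a Shibboleth architecture" on line 14 of the README, a typo this typo-correction commit leaves in place. The reworded opening is an improvement: the old text said the "current implementation" of the protocol "states" something, which confused the specification with the code.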
@@ -29,9 +29,7 @@ Thanks to Tom Scavo for making us aware of this issue.
-------------------------------------------------------------------------------
Features:
Some of the features include
Some of the Features:
- Preselecting entry in drop down list by
- SAML common domain cookie that contains selected Identity Providers
- resource path info hint (e.g.
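Review bot: the replacement line "Some of the Features:" capitalizes "Features" mid-sentence and sits directly under the "Features:" section title, so it reads as a duplicate heading; "Some of the features:" or simply dropping the line in favour of the list would be cleaner.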
@@ -41,12 +39,13 @@ Some of the features include
- IP range preselection
- IP reverse DNS lookup preselection
- Transparent redirection mode, e.g. /WAYF/unige.ch/redirect?shire=https://...
- Support for SAML2 metadata files
- Various customizations optionas for header, footer, language strings etc.
- Can read SAML2 metadata files
- Supports Discovery Service and the Shibboleth authentication request protocol
- Various customizations options for header, footer, language strings etc.
- HTML code generation for embedding the WAYF directly into a web page
- Support for templates
- Support for remembering IdP selection permanently
- I18N support, currently language packs for en, de, it, fr and pt are included
- Support for templates
-------------------------------------------------------------------------------
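Review bot: "Various customizations options" in the new line should be "Various customization options"; the fix addresses "optionas" but leaves the plural "customizations". The new entries also mix forms ("Can read SAML2 metadata files", "Supports Discovery Service and the Shibboleth authentication request protocol", "Support for templates"); one form, e.g. "Support for ...", keeps the list consistent. Since "Support for templates" is removed at its old position and re-added at the end, please check it does not now appear twice in the rendered README.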
@@ -59,11 +58,12 @@ Requirements:
-------------------------------------------------------------------------------
Installation:
Unpack the Zip archive into an arbitrary directory on a host that has a deployed
Apache (IIS also should work though). Make sure that permissions for the files
Unpack the Zip archive into a directory on a host where Apache (IIS also should
work) is deployed. Make sure that permissions for the files
'SProvider.metadata.php' and 'IDProvider.metadata.php' are set such that the
web server user (e.g. www-data, www or httpd) has write access on the files:
web server user (e.g. www-data, www or httpd) has write permissions for these
two files. If logging is enabled, also make sure the web server user also
has write permissions for the log file configured in $WAYFLogFile:
If you use Apache 2, add the following statement to the Apache configugration:
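Review bot: the new sentence "If logging is enabled, also make sure the web server user also has write permissions" repeats "also"; drop one. More important for an installation note: 'SProvider.metadata.php' and 'IDProvider.metadata.php' are PHP files that the web server both writes and executes, so the text should say that write access must be limited to the web server user (not world-writable), and the same for the file named in $WAYFLogFile, since anyone else who can write them can alter the generated metadata or run code as the web server. The trailing context line still reads "Apache configugration", one more typo this commit could have caught.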
@@ -347,6 +347,8 @@ Version History:
has no <idpdisc:DiscoveryResponse> extension defined. In such a case
there will only be a check if $useACURLsForReturnParamCheck is enabled.
- Fixed a bug in readMetadata.php that prevented CLI execution
- Changed the default configuration option to generate the Embedded WAYF
to false due to some concerns regarding phishing attacks
1.14 - Added the configuration option wayf_force_remember_for_session to
the Embedded WAYF on request of Wolgang Lierz from ETH Zurich. This
option allows setting the remember for session checkbox to true
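Review bot: the new changelog entry "Changed the default configuration option to generate the Embedded WAYF to false" never names the option; since the commit message calls it $useEmbeddedWAYF, write "Changed the default of $useEmbeddedWAYF to false ..." so administrators upgrading know which setting they must now enable explicitly. "due to some concerns regarding phishing attacks" is also vague for a security-motivated default change; the config.dist.php comment in this same commit states the concern (a remote page can learn which organization a user belongs to), and a one-clause summary of it here would help.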
config.dist.php
@@ -8,7 +8,6 @@
//******************
$defaultLanguage
=
'en'
;
// Cookie settings
//****************
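Review bot: the hunk header "@@ -8,7 +8,6 @@" records one line removed around "$defaultLanguage = 'en';", but the rendered view does not show which line it is; please confirm it is only a blank line, because dropping the $defaultLanguage default would be a behaviour change not covered by the commit message ("Set default config $useEmbeddedWAYF = false", "Corrected some typos").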
@@ -66,32 +65,36 @@ $includeLocalConfEntries = true;
// to mitigate phising problems.
// You must have $useSAML2Metadata = true in order to activate this check.
// The return parameter will only be checked if the Service Provider's metadata
// contains an <idpdisc:DiscoveryResponse> or if
//
$useACURLsForReturnParamCheck = true
// contains an <idpdisc:DiscoveryResponse> or if
the assertion consumer url
//
check below is enabled
$enableDSReturnParamCheck
=
true
;
// If true, the return parameter is checked
also
for Service Providers that
// If true, the return parameter is checked for Service Providers that
// don't have and <idpdisc:DiscoveryResponse> extension set. Instead of this
// extension the hostnames of the assertion consumer URLs are used to check
// the return para
e
mter against.
// extension
,
the hostnames of the assertion consumer URLs are used to check
// the return param
e
ter against.
// This feature is useful in case the Service Provider's metadata doesn't contain
// a <idpdisc:DiscoveryResponse> extension. Enabling this feature increases
// security for Service Provider's that don't have an <idpdisc:DiscoveryResponse>
// extensions.
// a <idpdisc:DiscoveryResponse> extension. It increases security for Service
// Provider's that don't have an <idpdisc:DiscoveryResponse> extensions.
// This feature only is active if $enableDSReturnParamCheck = true
// and if $useSAML2Metadata = true
$useACURLsForReturnParamCheck
=
false
;
// Whether to turn on Kerberos support for Id
P
preselection
// Whether to turn on Kerberos support for Id
entity Provider
preselection
$useKerberos
=
false
;
// If
true
, the users IP is used for a reverse DNS lookup whose
//
resulting
domain name then is matched with the URN values of the Id
P
s
// If
enabled
, the user
'
s IP is used for a reverse DNS lookup whose
resulting
// domain name then is matched with the URN values of the Id
entity Provider
s
$useReverseDNSLookup
=
false
;
// Whether the JavaScript for embedding the WAYF
// Whether the JavaScript
required
for embedding the WAYF
// on a remote site shall be generated or not
$useEmbeddedWAYF
=
true
;
// Lowers security against phising!
// If this value is set to true, any web page in the world can
// (with some efforts) find out with a high probability from which
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
$useEmbeddedWAYF
=
false
;
// Whether to enable logging of WAYF/DS requests
// If turned on make sure to also configure $WAYFLogFile
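Review bot: the new warning line "// Lowers security against phising!" above $useEmbeddedWAYF = false misspells "phishing", as does the unchanged context line "// to mitigate phising problems." at the top of the hunk; a typo-correction commit should fix both. In the reworded $useACURLsForReturnParamCheck comment, "Service Provider's that don't have an <idpdisc:DiscoveryResponse> extensions" should read "Service Providers that don't have an <idpdisc:DiscoveryResponse> extension", and the context line "don't have and <idpdisc:DiscoveryResponse>" should read "an". The default change of $useEmbeddedWAYF to false is the right call given the risk the comment describes, and stating plainly that a remote page can learn a user's organization is the useful part of that comment; keep it.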
@@ -99,11 +102,11 @@ $useLogging = true;
// Whether or not to add the entityID of the preselected IdP to the
// exported JSON/Text/PHP Code
// You have to be aware that if this value is set to true, any web page
// Lowers security against phising!
// If this value is set to true, any web page
// in the world can easily find out with a high probability from which
// organization a user is from. This could be misused for various kinds of
// things and even for phishing attacks. Therefore, only enable this feature
// if you know what you are doing!
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
$exportPreselectedIdP
=
false
;
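Review bot: same misspelling here, "// Lowers security against phising!" should read "phishing". The shortened comment now matches the $useEmbeddedWAYF one word for word, which is fine, but since both settings let a remote page learn the user's organization, a short cross-reference ("see also $useEmbeddedWAYF") would make it clear to an administrator that enabling either one causes the same kind of exposure.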