Set default config $useEmbeddedWAYF = false

Corrected some typos

Set default config $useEmbeddedWAYF = false
Corrected some typos
f3c67c01 · haemmer · 70d1b712 · f3c67c01 · f3c67c01
Commit f3c67c01 authored Nov 18, 2010 by haemmer
Hide whitespace changes
Inline Side-by-side

Showing with 37 additions and 32 deletions

README README +16 -14

config.dist.php config.dist.php +21 -18

No files found.
--- a/README
+++ b/README
@@ -14,12 +14,12 @@ Service protocol for use withing a Shibboleth architecture.
 -------------------------------------------------------------------------------

 Security Note (25. October 2010):
-The current implementation of the Discovery Service protocol as defined in 
+The Discovery Service protocol as defined in 
 http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf 
 states that the protocol creates opportunities for phishing attacks as do all
-SSO protocols that make use of redirection. Therefore, the specification states
-that an implementation should examine the 'return' parameter used in a 
-Discovery Service request and match it against the <idpdisc:DiscoveryResponse> 
+SSO protocols that make use of redirection. The specification states that an 
+implementation should examine the 'return' parameter used in a Discovery 
+Service request and match it against the <idpdisc:DiscoveryResponse> 
 extension in SAML metadata. The implementation of the Discovery Service protocol
 in the SWITCHwayf prior to version 1.14 does NOT verify the return parameter 
 even if SAML metadata was used to generate the list of Identity Provider.
@@ -29,9 +29,7 @@ Thanks to Tom Scavo for making us aware of this issue.

 -------------------------------------------------------------------------------

-Features:
-Some of the features include
-
+Some of the Features:
 - Preselecting entry in drop down list by
  - SAML common domain cookie that contains selected Identity Providers 
  - resource path info hint (e.g. 
@@ -41,12 +39,13 @@ Some of the features include
  - IP range preselection
  - IP reverse DNS lookup preselection
 - Transparent redirection mode, e.g. /WAYF/unige.ch/redirect?shire=https://...
- Support for SAML2 metadata files
- Various customizations optionas for header, footer, language strings etc.
+- Can read SAML2 metadata files
+- Supports Discovery Service and the Shibboleth authentication request protocol 
+- Various customizations options for header, footer, language strings etc.
 - HTML code generation for embedding the WAYF directly into a web page
+- Support for templates
 - Support for remembering IdP selection permanently
 - I18N support, currently language packs for en, de, it, fr and pt are included
- Support for templates

 -------------------------------------------------------------------------------

@@ -59,11 +58,12 @@ Requirements:
 -------------------------------------------------------------------------------

 Installation:
-
-Unpack the Zip archive into an arbitrary directory on a host that has a deployed
-Apache (IIS also should work though). Make sure that permissions for the files 
+Unpack the Zip archive into a directory on a host where Apache (IIS also should 
+work) is deployed. Make sure that permissions for the files 
 'SProvider.metadata.php' and 'IDProvider.metadata.php' are set such that the 
-web server user (e.g. www-data, www or httpd) has write access on the files:
+web server user (e.g. www-data, www or httpd) has write permissions for these 
+two files. If logging is enabled, also make sure the web server user also
+has write permissions for the log file configured in $WAYFLogFile:

 If you use Apache 2, add the following statement to the Apache configugration:

@@ -347,6 +347,8 @@ Version History:
         has no <idpdisc:DiscoveryResponse> extension defined. In such a case
         there will only be a check if $useACURLsForReturnParamCheck is enabled.
       - Fixed a bug in readMetadata.php that prevented CLI execution
+       - Changed the default configuration option to generate the Embedded WAYF
+         to false due to some concerns regarding phishing attacks
 1.14   - Added the configuration option wayf_force_remember_for_session to
         the Embedded WAYF on request of Wolgang Lierz from ETH Zurich. This
         option allows setting the remember for session checkbox to true

--- a/config.dist.php
+++ b/config.dist.php
@@ -8,7 +8,6 @@
 //******************
 $defaultLanguage = 'en'; 

-
 // Cookie settings
 //****************

@@ -66,32 +65,36 @@ $includeLocalConfEntries = true;
 // to mitigate phising problems.
 // You must have $useSAML2Metadata = true in order to activate this check.
 // The return parameter will only be checked if the Service Provider's metadata 
-// contains an <idpdisc:DiscoveryResponse> or if 
-// $useACURLsForReturnParamCheck = true
+// contains an <idpdisc:DiscoveryResponse> or if the assertion consumer url 
+// check below is enabled
 $enableDSReturnParamCheck = true;

-// If true, the return parameter is checked also for Service Providers that
+// If true, the return parameter is checked for Service Providers that
 // don't have and <idpdisc:DiscoveryResponse> extension set. Instead of this
-// extension the hostnames of the assertion consumer URLs are used to check 
-// the return paraemter against. 
+// extension, the hostnames of the assertion consumer URLs are used to check 
+// the return parameter against. 
 // This feature is useful in case the Service Provider's metadata doesn't contain 
-// a <idpdisc:DiscoveryResponse> extension. Enabling this feature increases
-// security for Service Provider's that don't have an <idpdisc:DiscoveryResponse>
-// extensions.
+// a <idpdisc:DiscoveryResponse> extension. It increases security for Service 
+// Provider's that don't have an <idpdisc:DiscoveryResponse> extensions.
 // This feature only is active if $enableDSReturnParamCheck = true 
 // and if  $useSAML2Metadata = true 
 $useACURLsForReturnParamCheck = false;

-// Whether to turn on Kerberos support for IdP preselection
+// Whether to turn on Kerberos support for Identity Provider preselection
 $useKerberos = false;

-// If true, the users IP is used for a reverse DNS lookup whose
-// resulting domain name then is matched with the URN values of the IdPs
+// If enabled, the user's IP is used for a reverse DNS lookup whose resulting 
+// domain name then is matched with the URN values of the Identity Providers
 $useReverseDNSLookup = false;

-// Whether the JavaScript for embedding the WAYF
+// Whether the JavaScript required for embedding the WAYF
 // on a remote site shall be generated or not
-$useEmbeddedWAYF = true;
+// Lowers security against phising!
+// If this value is set to true, any web page in the world can 
+// (with some efforts) find out with a high probability from which 
+// organization a user is from. This could be misused for phishing attacks. 
+// Therefore, only enable this feature if you know what you are doing!
+$useEmbeddedWAYF = false;

 // Whether to enable logging of WAYF/DS requests
 // If turned on make sure to also configure $WAYFLogFile
@@ -99,11 +102,11 @@ $useLogging = true;

 // Whether or not to add the entityID of the preselected IdP to the
 // exported JSON/Text/PHP Code
-// You have to be aware that if this value is set to true, any web page
+// Lowers security against phising!
+// If this value is set to true, any web page
 // in the world can easily find out with a high probability from which 
-// organization a user is from. This could be misused for various kinds of 
-// things and even for phishing attacks. Therefore, only enable this feature
-// if you know what you are doing!
+// organization a user is from. This could be misused for phishing attacks. 
+// Therefore, only enable this feature if you know what you are doing!
 $exportPreselectedIdP = false;