Commit f3c67c01 authored by haemmer

Set default config $useEmbeddedWAYF = false

Corrected some typos
parent 70d1b712
......@@ -14,12 +14,12 @@ Service protocol for use withing a Shibboleth architecture.
-------------------------------------------------------------------------------
Security Note (25. October 2010):
The current implementation of the Discovery Service protocol as defined in
The Discovery Service protocol as defined in
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf
states that the protocol creates opportunities for phishing attacks as do all
SSO protocols that make use of redirection. Therefore, the specification states
that an implementation should examine the 'return' parameter used in a
Discovery Service request and match it against the <idpdisc:DiscoveryResponse>
SSO protocols that make use of redirection. The specification states that an
implementation should examine the 'return' parameter used in a Discovery
Service request and match it against the <idpdisc:DiscoveryResponse>
extension in SAML metadata. The implementation of the Discovery Service protocol
in the SWITCHwayf prior to version 1.14 does NOT verify the return parameter
even if SAML metadata was used to generate the list of Identity Provider.
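Review bot: the rewritten note still does not say which settings actually turn the check on; per the config hunk in this commit it is only active when $useSAML2Metadata = true and $enableDSReturnParamCheck = true, so a one-line pointer to those options would let administrators verify they are protected rather than assuming 1.14 fixes it unconditionally. Two typos in the unchanged lines of this hunk are also worth picking up in a typo commit: "for use withing a Shibboleth architecture" in the hunk context should be "within", and "the list of Identity Provider" should be "Identity Providers".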
......@@ -29,9 +29,7 @@ Thanks to Tom Scavo for making us aware of this issue.
-------------------------------------------------------------------------------
Features:
Some of the features include
Some of the Features:
- Preselecting entry in drop down list by
- SAML common domain cookie that contains selected Identity Providers
- resource path info hint (e.g.
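Review bot: the new line "Some of the Features:" capitalizes "Features" mid-sentence and now reads as a repeat of the "Features:" heading directly above it; either keep the original "Some of the features include" wording or drop the line and let the heading introduce the list.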
......@@ -41,12 +39,13 @@ Some of the features include
- IP range preselection
- IP reverse DNS lookup preselection
- Transparent redirection mode, e.g. /WAYF/unige.ch/redirect?shire=https://...
- Support for SAML2 metadata files
- Various customizations optionas for header, footer, language strings etc.
- Can read SAML2 metadata files
- Supports Discovery Service and the Shibboleth authentication request protocol
- Various customizations options for header, footer, language strings etc.
- HTML code generation for embedding the WAYF directly into a web page
- Support for templates
- Support for remembering IdP selection permanently
- I18N support, currently language packs for en, de, it, fr and pt are included
- Support for templates
-------------------------------------------------------------------------------
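Review bot: "- Support for templates" appears twice in this hunk, once after the "HTML code generation" entry and once after the I18N entry; if the intent is to move the item up the list, make sure only one copy survives in the resulting file, otherwise the feature list ends up with a duplicate entry.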
......@@ -59,11 +58,12 @@ Requirements:
-------------------------------------------------------------------------------
Installation:
Unpack the Zip archive into an arbitrary directory on a host that has a deployed
Apache (IIS also should work though). Make sure that permissions for the files
Unpack the Zip archive into a directory on a host where Apache (IIS also should
work) is deployed. Make sure that permissions for the files
'SProvider.metadata.php' and 'IDProvider.metadata.php' are set such that the
web server user (e.g. www-data, www or httpd) has write access on the files:
web server user (e.g. www-data, www or httpd) has write permissions for these
two files. If logging is enabled, also make sure the web server user also
has write permissions for the log file configured in $WAYFLogFile:
If you use Apache 2, add the following statement to the Apache configugration:
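Review bot: the added sentence "If logging is enabled, also make sure the web server user also has write permissions" has a doubled "also"; drop one of them. The unchanged line "add the following statement to the Apache configugration" still carries a typo ("configuration") that this commit could fix at the same time. It would also help to say explicitly that the metadata files and the log file should be writable by the web server user only, not world-writable, since the text only says "write permissions".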
......@@ -347,6 +347,8 @@ Version History:
has no <idpdisc:DiscoveryResponse> extension defined. In such a case
there will only be a check if $useACURLsForReturnParamCheck is enabled.
- Fixed a bug in readMetadata.php that prevented CLI execution
- Changed the default configuration option to generate the Embedded WAYF
to false due to some concerns regarding phishing attacks
1.14 - Added the configuration option wayf_force_remember_for_session to
the Embedded WAYF on request of Wolgang Lierz from ETH Zurich. This
option allows setting the remember for session checkbox to true
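Review bot: the new version-history entry should name the option whose default changed ($useEmbeddedWAYF, per the config hunk in this commit) so administrators upgrading know which setting to check; e.g. "- Changed the default of $useEmbeddedWAYF to false due to concerns regarding phishing attacks". Since deployments that rely on the embedded WAYF will stop generating the JavaScript after upgrading, the entry should also flag this as a behaviour change that requires explicitly re-enabling the option.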
......
......@@ -8,7 +8,6 @@
//******************
$defaultLanguage = 'en';
// Cookie settings
//****************
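Review bot: this hunk removes the "$defaultLanguage = 'en';" line from the config without any mention in the commit message or the version-history hunk; if the setting is still read elsewhere, installations that copied this file will silently lose their default language, so either document the removal in the version history or keep the setting.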
......@@ -66,32 +65,36 @@ $includeLocalConfEntries = true;
// to mitigate phising problems.
// You must have $useSAML2Metadata = true in order to activate this check.
// The return parameter will only be checked if the Service Provider's metadata
// contains an <idpdisc:DiscoveryResponse> or if
// $useACURLsForReturnParamCheck = true
// contains an <idpdisc:DiscoveryResponse> or if the assertion consumer url
// check below is enabled
$enableDSReturnParamCheck = true;
// If true, the return parameter is checked also for Service Providers that
// If true, the return parameter is checked for Service Providers that
// don't have and <idpdisc:DiscoveryResponse> extension set. Instead of this
// extension the hostnames of the assertion consumer URLs are used to check
// the return paraemter against.
// extension, the hostnames of the assertion consumer URLs are used to check
// the return parameter against.
// This feature is useful in case the Service Provider's metadata doesn't contain
// a <idpdisc:DiscoveryResponse> extension. Enabling this feature increases
// security for Service Provider's that don't have an <idpdisc:DiscoveryResponse>
// extensions.
// a <idpdisc:DiscoveryResponse> extension. It increases security for Service
// Provider's that don't have an <idpdisc:DiscoveryResponse> extensions.
// This feature only is active if $enableDSReturnParamCheck = true
// and if $useSAML2Metadata = true
$useACURLsForReturnParamCheck = false;
// Whether to turn on Kerberos support for IdP preselection
// Whether to turn on Kerberos support for Identity Provider preselection
$useKerberos = false;
// If true, the users IP is used for a reverse DNS lookup whose
// resulting domain name then is matched with the URN values of the IdPs
// If enabled, the user's IP is used for a reverse DNS lookup whose resulting
// domain name then is matched with the URN values of the Identity Providers
$useReverseDNSLookup = false;
// Whether the JavaScript for embedding the WAYF
// Whether the JavaScript required for embedding the WAYF
// on a remote site shall be generated or not
$useEmbeddedWAYF = true;
// Lowers security against phising!
// If this value is set to true, any web page in the world can
// (with some efforts) find out with a high probability from which
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
$useEmbeddedWAYF = false;
// Whether to enable logging of WAYF/DS requests
// If turned on make sure to also configure $WAYFLogFile
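Review bot: the newly added comment line "// Lowers security against phising!" carries the same typo ("phising" for "phishing") that the unchanged context line "// to mitigate phising problems." already has; since this is the typo commit, fix both. In the same hunk, the unchanged line "// don't have and <idpdisc:DiscoveryResponse> extension set." should read "an", and the added line "Service Provider's that don't have an <idpdisc:DiscoveryResponse> extensions" should be "Service Providers that don't have an <idpdisc:DiscoveryResponse> extension". The new default of $useEmbeddedWAYF = false with the explanatory comment is the right call given the return-parameter check described above.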
......@@ -99,11 +102,11 @@ $useLogging = true;
// Whether or not to add the entityID of the preselected IdP to the
// exported JSON/Text/PHP Code
// You have to be aware that if this value is set to true, any web page
// Lowers security against phising!
// If this value is set to true, any web page
// in the world can easily find out with a high probability from which
// organization a user is from. This could be misused for various kinds of
// things and even for phishing attacks. Therefore, only enable this feature
// if you know what you are doing!
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
$exportPreselectedIdP = false;
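Review bot: "phising" again in the added line "// Lowers security against phising!"; it should be "phishing". Since the warning text is now identical to the block above $useEmbeddedWAYF and both options expose the user's home organization to arbitrary web pages, consider cross-referencing the two comments so an administrator enabling one is reminded to review the other.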
......