
<?php // Copyright (c) 2013, SWITCH - Serving Swiss Universities

//******************************************************************************
// This file contains the configuration of SWITCHwayf, a light-weight 
// implementation of a SAML Discovery Service. Adapt the settings to reflect
// your environment and then do some testing before going into production.
// Unless specifically set, default values will be used for all options.
//******************************************************************************

// 1. Language settings
//*********************
// Language that is used by default if the language of the user's web browser
// is not available in languages.php or custom-languages.php.
// If a string is not available in the local language, English ('en') will be
// used as a last resort.
//$defaultLanguage = 'en'; 

// 2. Cookie settings
//*******************

// Domain within which the WAYF cookie should be readable. Must start with a '.'
// $commonDomain = '.example.org';

// Optional cookie name prefix in case you run several
// instances of the WAYF in the same domain.
// Example: $cookieNamePrefix = '_mywayf';
//$cookieNamePrefix = '';

// Names of the cookies where to store the settings to temporarily
// redirect users transparently to their last selected IdP
//$redirectCookieName = $cookieNamePrefix.'_redirect_user_idp';

// Stores last selected IdPs 
// This value shouldn't be changed because _saml_idp is the officially
// defined name in the SAML specification
//$SAMLDomainCookieName = $cookieNamePrefix.'_saml_idp';

// Stores last selected SP
// This value can be chosen as you like because it is something specific
// to this WAYF implementation. It can be used to display help/contact 
// information on a page in the same domain as $commonDomain by accessing
// the federation metadata and parsing out the contact information of the 
// selected IdP and SP using $SAMLDomainCookieName and $SPCookieName
//$SPCookieName = $cookieNamePrefix.'_saml_sp';

// If enabled, cookies are set with the Secure flag (transmitted only over HTTPS)
// and with the HttpOnly flag, which prevents JavaScript from reading the
// cookies
//$cookieSecurity = false;

// Number of days long-term cookies should remain valid
//$cookieValidity = 100;

// 3. Features and extensions
//***************************

// Whether to show the checkbox to permanently remember a setting
//$showPermanentSetting = false;

// Whether or not to use the search-as-you-type feature of the drop down list
//$useImprovedDropDownList = true;

// Set to true in order to enable reading the Identity Providers from the SAML2
// metadata file defined below in $metadataFile
//$useSAML2Metadata = false; 

  // If true, parsed metadata takes precedence when there are entries defined
  // both in metadata and in the local IDProviders configuration file.
  // Requires $useSAML2Metadata to be true
  //$SAML2MetaOverLocalConf = false;

  // If the includeLocalConfEntries parameter is set to true, Identity Providers
  // not listed in metadata but defined in the local IDProviders file will also
  // be displayed in the drop down list. This is required if you need to add
  // local exceptions on top of the federation metadata
  // Requires $useSAML2Metadata to be true
  //$includeLocalConfEntries = true;

  // Whether the return parameter is checked against SAML2 metadata or not
  // The Discovery Service specification says the DS SHOULD check this in order
  // to mitigate phishing problems.
  // The return parameter will only be checked if the Service Provider's metadata
  // contains an <idpdisc:DiscoveryResponse> or if the assertion consumer URL
  // check below is enabled
  // Requires $useSAML2Metadata to be true
  //$enableDSReturnParamCheck = true;

    // If true, the return parameter is checked for Service Providers that
    // don't have an <idpdisc:DiscoveryResponse> extension set. Instead of this
    // extension, the hostnames of the assertion consumer URLs are used to check
    // the return parameter against.
    // This feature is useful in case the Service Provider's metadata doesn't contain
    // an <idpdisc:DiscoveryResponse> extension. It increases security for Service
    // Providers that don't have an <idpdisc:DiscoveryResponse> extension.
    // Requires $useSAML2Metadata and $enableDSReturnParamCheck to be true
    //$useACURLsForReturnParamCheck = false;

// Whether to turn on Kerberos support for Identity Provider preselection
//$useKerberos = false;

  // A Kerberos-protected page that redirects back to the WAYF script
  //$kerberosRedirectURL = '/myFederation/kerberosRedirect.php';

// If enabled, the user's IP is used for a reverse DNS lookup whose resulting
// domain name is then matched against the URN values of the Identity Providers
//$useReverseDNSLookup = false;

// Whether the JavaScript required for embedding the WAYF
// on a remote site should be generated or not
// Lowers security against phishing!
// If this value is set to true, any web page in the world can
// (with some effort) find out with high probability which
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
//$useEmbeddedWAYF = false;

  // If enabled the Embedded WAYF will prevent releasing information
  // about the user's preselected Identity Provider
  // While this is beneficial to the data protection of the user, it will also
  // prevent preselecting the user's Identity Provider. Thus, users will have
  // to select their IdP each and every time
  // Requires $useEmbeddedWAYF to be true
  //$useEmbeddedWAYFPrivacyProtection = false;

  // If enabled, the referer hostname of the request must match an assertion
  // consumer URL or a discovery URL of a Service Provider in $metadataSPFile
  // in order to let the Embedded WAYF preselect an Identity Provider.
  // Therefore, this option is a good compromise between data protection and
  // user-friendliness.
  // Requires $useSAML2Metadata to be true and $useEmbeddedWAYFPrivacyProtection
  // to be false
  //$useEmbeddedWAYFRefererForPrivacyProtection = false;

// Whether or not to add the entityID of the preselected IdP to the
// exported JSON/Text/PHP Code
// Lowers security against phishing!
// If this value is set to true, any web page
// in the world can easily find out with high probability which
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
//$exportPreselectedIdP = false;

// Whether to enable logging of WAYF/DS requests
// If turned on make sure to also configure $WAYFLogFile
//$useLogging = true; 

  // Where to log the access
  // Make sure the web server user has write access to this file!
  //$WAYFLogFile = '/var/log/apache2/wayf.log'; 


// 4. Appearance settings
//**************************

// Name of the federation
//$federationName = 'myFederation';

// URL to send user to when clicking on federation logo
// Insert %s as a macro that is substituted by the language code (e.g. 'en', 'de', 'fr', ...) the WAYF uses
//$federationURL = 'http://www.example.org/myFed/';

// Absolute URL to the federation logo that should be displayed in the Embedded WAYF
//$logoURL = 'http://ds.example.org/SWITCHwayf/images/federation-logo.png'; 

// Absolute URL to the small federation logo that should be displayed in the 
// embedded WAYF if dimensions must be small
//$smallLogoURL = 'http://ds.example.org/SWITCHwayf/images/small-federation-logo.png';

// Support contact email address
//$supportContactEmail = 'helpdesk@example.org';

// Absolute URL to the logo of the organization operating this Discovery Service
//$organizationLogoURL = 'https://ds.example.org/SWITCHwayf/images/organization-logo.png'; 

// Absolute URL to the organization's web page
// Insert %s as a macro that is substituted by the language code (e.g. 'en', 'de', 'fr', ...) the WAYF uses
//$organizationURL = 'http://www.example.org/'; 

// Absolute URL to an FAQ page
// This entry's localized string is 'faq' in languages.php
// Insert %s as a macro that is substituted by the language code (e.g. 'en', 'de', 'fr', ...) the WAYF uses
//$faqURL = 'http://www.example.org/%s/myFed/faq/';

// Absolute URL to a help/support page
// Insert %s as a macro that is substituted by the language code (e.g. 'en', 'de', 'fr', ...) the WAYF uses
//$helpURL = 'http://www.example.org/%s/myFed/help/';

// Absolute URL to a privacy policy page
// Insert %s as a macro that is substituted by the language code (e.g. 'en', 'de', 'fr', ...) the WAYF uses
//$privacyURL = 'http://www.example.org/%s/myFed/privacy/';


// 5. Files and path settings
//***************************

// Set both config files to the same value if you don't want the WAYF to read
// a (potentially) automatically generated file that undergoes some
// plausibility checks before being used
//$IDPConfigFile = 'IDProvider.conf.php';
//$backupIDPConfigFile = 'IDProvider.conf.php';

// Use $metadataFile as the source of the federation's metadata.
//$metadataFile = '/etc/shibboleth/metadata.myFederation.xml';

// File to store the parsed IdP list
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataIDPFile
//$metadataIDPFile = 'IDProvider.metadata.php';

// File to store the parsed SP list.
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataSPFile
//$metadataSPFile = 'SProvider.metadata.php';

// File to use as the lock file for writing the parsed IdP and SP lists.
// The user running the script must have permission to write $metadataLockFile;
// a directory writable only by that user is preferable to the shared /tmp.
//$metadataLockFile = '/tmp/wayf_metadata.lock';

// Use an absolute URL in case you want to use the embedded WAYF
//$imageURL = 'https://ds.example.org/SWITCHwayf/images';

// Absolute URL to point to css directory
//$cssURL = 'https://ds.example.org/SWITCHwayf/css';

// Absolute URL to point to javascript directory
//$javascriptURL = 'https://ds.example.org/SWITCHwayf/js';



// Development mode settings
//**************************
// If the development mode is activated, PHP errors and warnings will be displayed
// on pages the SWITCHwayf generates. Leave it disabled in production.
//$developmentMode = false;

?>