<?php // Copyright (c) 2011, SWITCH - Serving Swiss Universities

//******************************************************************************
// This file contains the WAYF/DS configuration. Adapt the settings to reflect
// your environment and then do some testing before deploying the WAYF.
//******************************************************************************

// 1. Language settings
//*********************
$defaultLanguage = 'en'; 

// 2. Cookie settings
//*******************

// Domain within which the WAYF cookies shall be readable. Must start with a .
// NOTE(review): every host under this domain can read (and overwrite) the
// cookies set here, so keep it as narrow as your deployment allows.
$commonDomain = '.switch.ch';

// Optional cookie name prefix in case you run several 
// instances of the WAYF in the same domain. 
// Example: $cookieNamePrefix = '_mywayf';
$cookieNamePrefix = '';

// Names of the cookies where to store the settings to temporarily
// redirect users transparently to their last selected IdP
$redirectCookieName = $cookieNamePrefix.'_redirect_user_idp';
$redirectStateCookieName = $cookieNamePrefix.'_redirection_state';

// Stores last selected IdPs 
// This value shouldn't be changed because _saml_idp is the officially
// defined name in the SAML specification
$SAMLDomainCookieName = $cookieNamePrefix.'_saml_idp';

// Stores last selected SP
// This value can be chosen as you like because it is something specific
// to this WAYF implementation. It can be used to display help/contact 
// information on a page in the same domain as $commonDomain by accessing
// the federation metadata and parsing out the contact information of the 
// selected IdP and SP using $SAMLDomainCookieName and $SPCookieName
$SPCookieName = $cookieNamePrefix.'_saml_sp';

// If enabled cookies are set/transmitted only via https connections
// and the http only option is set to prevent javascripts from reading the
// cookies
// Secure + HttpOnly flags for the WAYF cookies (see comment above).
// NOTE(review): the shipped default is off. When the WAYF is served over
// https only, set this to true so the cookies above (which carry the user's
// IdP/SP choice) are neither sent in clear nor readable from script.
$cookieSecurity = false;

// Number of days longterm cookies shall be valid
// A longer lifetime also extends the period during which a copied cookie
// stays usable, so do not raise this without reason.
$cookieValidity = 100;

// 3. Features and extensions
//***************************

// Whether to show the checkbox to permanently remember a setting
// (presumably the opt-in for the long-term cookies whose lifetime is set
// by $cookieValidity — confirm against the WAYF code)
$showPermanentSetting = false;

// Whether or not to use the search-as-you-type feature of the drop down list
// (the variable is spelled "user..." rather than "use..."; keep the name as
// is, the rest of the WAYF presumably reads exactly this identifier)
$userImprovedDropDownList = true;

// Set to true in order to enable reading the Identity Provider from a SAML2 
// metadata file defined below in $metadataFile
$useSAML2Metadata = true; 

  // If true parsed metadata shall have precedence if there are entries defined 
  // in metadata as well as the local IDProviders configuration file.
  // Requires $useSAML2Metadata to be true
  $SAML2MetaOverLocalConf = false;

  // If includeLocalConfEntries parameter is set to true, Identity Providers
  // not listed in metadata but defined in the local IDProviders file will also
  // be displayed in the drop down list. This is required if you need to add 
  // local exceptions over the federation metadata
  // Requires $useSAML2Metadata to be true
  $includeLocalConfEntries = true;

  // Whether the return parameter is checked against SAML2 metadata or not
  // The Discovery Service specification says the DS SHOULD check this in order
  // to mitigate phishing problems.
  // The return parameter will only be checked if the Service Provider's metadata 
  // contains an <idpdisc:DiscoveryResponse> or if the assertion consumer url 
  // check below is enabled
  // Requires $useSAML2Metadata to be true
  // NOTE(review): leave this enabled. Without the check the DS has no way to
  // tell whether the return URL it sends the user to belongs to a known
  // Service Provider.
  $enableDSReturnParamCheck = true;

    // If true, the return parameter is checked for Service Providers that
    // don't have an <idpdisc:DiscoveryResponse> extension set. Instead of this
    // extension, the hostnames of the assertion consumer URLs are used to check 
    // the return parameter against. 
    // This feature is useful in case the Service Provider's metadata doesn't contain 
    // a <idpdisc:DiscoveryResponse> extension. It increases security for Service 
    // Providers that don't have an <idpdisc:DiscoveryResponse> extension.
    // Note that only the hostname is compared here, so presumably any path on a
    // matching host passes the check.
    // Requires $useSAML2Metadata and $enableDSReturnParamCheck to be true
    $useACURLsForReturnParamCheck = false;

// Whether to turn on Kerberos support for Identity Provider preselection
$useKerberos = false;

// If enabled, the user's IP is used for a reverse DNS lookup whose resulting 
// domain name then is matched with the URN values of the Identity Providers
$useReverseDNSLookup = false;

// Whether the JavaScript required for embedding the WAYF
// on a remote site shall be generated or not
// Lowers security against phishing!
// If this value is set to true, any web page in the world can 
// (with some efforts) find out with a high probability from which 
// organization a user is from. This could be misused for phishing attacks. 
// Therefore, only enable this feature if you know what you are doing!
// See $useEmbeddedWAYFPrivacyProtection below for a way to limit this exposure.
$useEmbeddedWAYF = false;

  // If enabled the Embedded WAYF will prevent releasing information
  // about the user's preselected Identity Provider 
  // While this is beneficial to the data protection of the user, it will also
  // prevent preselecting the user's Identity Provider. Thus, users will have
  // to preselect their IdP each and every time
  // Requires $useEmbeddedWAYF to be true
  $useEmbeddedWAYFPrivacyProtection = false;

  // If enabled, the referer hostname of the request must match an assertion 
  // consumer URL or a discovery URL of a Service Provider in $metadataSPFile
  // in order to let the Embedded WAYF preselect an Identity Provider.
  // Therefore, this option is a good compromise between data protection and
  // user-friendliness.
  // Keep in mind that the Referer header is supplied by the browser and may
  // be absent or altered, so this is a mitigation rather than a guarantee.
  // Requires $useSAML2Metadata to be true and $useEmbeddedWAYFPrivacyProtection
  // to be false
  $useEmbeddedWAYFRefererForPrivacyProtection = false;

// Whether or not to add the entityID of the preselected IdP to the
// exported JSON/Text/PHP Code
// Lowers security against phishing!
// If this value is set to true, any web page
// in the world can easily find out with a high probability from which 
// organization a user is from. This could be misused for phishing attacks. 
// Therefore, only enable this feature if you know what you are doing!
$exportPreselectedIdP = false;

// Whether to enable logging of WAYF/DS requests
// If turned on make sure to also configure $WAYFLogFile
// These request logs are what you will need when investigating abuse,
// so keep logging on in production.
$useLogging = true; 


// 4. Appearance settings
//**************************

// Name of the federation
$federationName = 'SWITCHaai Federation';

// URL to send user to when clicking on federation logo
// (an https:// URL is preferable; the dist value is plain http)
$federationURL = 'http://www.switch.ch/aai/';
// Use an absolute URL in case you want to use the embedded WAYF
$imageURL = 'https://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/images';

// Absolute URL to point to css directory
// NOTE(review): $_SERVER['SERVER_NAME'] can reflect the client-supplied Host
// header unless the web server canonicalises it; a fixed hostname keeps a
// request-chosen host out of the generated links.
$cssURL = 'https://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/css';

// Absolute URL to point to javascript directory
// (same note as for $cssURL; for script sources a fixed hostname matters most)
$javascriptURL = 'https://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/js';

// Absolute URL to the logo that shall be displayed in the Embedded WAYF
$logoURL = $imageURL.'/switch-aai-transparent.png'; 

// Absolute URL to the small logo that shall be displayed in the 
// embedded WAYF if dimensions must be small
$smallLogoURL = $imageURL.'/switch-aai-transparent-small.png';


// 5. Files and path settings
//***************************

// Set both config files to the same value if you don't want the WAYF to read
// a (potentially) automatically generated file that undergoes some
// plausibility checks before being used
// Hand-maintained IdP configuration file and its backup (presumably the
// backup is used when the primary fails the plausibility checks mentioned
// above — confirm against the WAYF code).
$IDPConfigFile = 'IDProvider.conf.php';
$backupIDPConfigFile = 'IDProvider.conf.php';

// Use $metadataFile as the source of the federation's metadata.
// NOTE(review): the WAYF trusts this file's contents (IdP list, the SP URLs
// used for the return parameter and referer checks). Make sure whatever
// fetches it verifies the metadata signature and that the file is not
// writable by the web server user.
$metadataFile = '/etc/shibboleth/metadata.switchaai.xml';

// File to store the parsed IdP list
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataIdpFile
$metadataIDPFile = 'IDProvider.metadata.php';

// File to store the parsed SP list.
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataIdpFile
$metadataSPFile = 'SProvider.metadata.php';

// File to use as the lock file for writing the parsed IdP and SP lists.
// The user running the script must have permission to write $metadataLockFile
// NOTE(review): /tmp is shared with every local user, so a lock file there
// can be pre-created by someone else. Prefer a directory owned by the web
// server user, e.g. alongside the parsed lists.
$metadataLockFile = '/tmp/wayf_metadata.lock';

// Where to log the access
// Make sure the web server user has write access to this file!
// Only used when $useLogging is true. Treat the log as personal data
// (it presumably records which IdP a client selected — confirm).
$WAYFLogFile = '/var/log/apache2/wayf.log'; 


// 6. Other settings
//******************

// A Kerberos-protected soft link back to this script!
// Only relevant when $useKerberos is true.
$kerberosRedirectURL = '/SWITCHaai/kerberosRedirect.php';


// Development mode settings
//**************************
// If the development mode is activated, PHP errors and warnings will be displayed
$developmentMode = false;

?>