<?php // Copyright (c) 2018, SWITCH

//******************************************************************************
// This file contains the configuration of SWITCHwayf, a light-weight
// implementation of a SAML Discovery Service. Adapt the settings to reflect
// your environment and then do some testing before going into production.
// Unless specifically set, default values will be used for all options.
//******************************************************************************


// 1. Language Settings
//*********************
// Language that is used by default if the language of the user's web browser
// is not available in languages.php or custom-languages.php.
// If a string in the local language is not available, English ('en') will be used
// as a last resort.
//$defaultLanguage = 'en';



// 2. Cookie Settings
//*******************

// Domain within which the WAYF cookie should be readable. Must start with a .
//$commonDomain = '.example.org';

// Optional cookie name prefix in case you run several
// instances of the WAYF in the same domain.
// Example: $cookieNamePrefix = '_mywayf';
//$cookieNamePrefix = '';

// Names of the cookies where to store the settings to temporarily
// redirect users transparently to their last selected IdP
//$redirectCookieName = $cookieNamePrefix.'_redirect_user_idp';

// Stores last selected IdPs
// This value shouldn't be changed because _saml_idp is the officially
// defined name in the SAML specification
//$SAMLDomainCookieName = $cookieNamePrefix.'_saml_idp';

// Stores last selected SP
// This value can be chosen as you like because it is something specific
// to this WAYF implementation. It can be used to display help/contact
// information on a page in the same domain as $commonDomain by accessing
// the federation metadata and parsing out the contact information of the
// selected IdP and SP using $SAMLDomainCookieName and $SPCookieName
//$SPCookieName = $cookieNamePrefix.'_saml_sp';

// If enabled, cookies are set/transmitted only via HTTPS connections (Secure flag)
// and the HttpOnly flag is set to prevent JavaScript from reading the
// cookies
//$cookieSecurity = false;

// Number of days longterm cookies should be valid
//$cookieValidity = 100;



// 3. Features and Extensions
//***************************

// Whether to show the checkbox to permanently remember a setting
//$showPermanentSetting = false;

// Whether or not to use the search-as-you-type feature of the drop down list
// Enabling this will use JavaScript to convert the select element containing
// all Identity Providers to a searchable search-as-you-type list that also
// displays logos if available
//$useImprovedDropDownList = true;

  // If true the improved drop-down-list will not display logos that
  // have to be loaded from remote URLs. That way the web browser
  // does not have to make requests to third party hosts.
  // Logos that are embedded using data URIs
  // (src="data:image/png;base64...") will however still be displayed
  //$disableRemoteLogos = false;


// Number of previously used Identity Providers to show at top of drop-down list
// Default is 3, set to 0 to disable
//$showNumOfPreviouslyUsedIdPs = 3;

// Set to true in order to enable reading the Identity Providers and Service
// Providers from a SAML2 metadata file defined below in $metadataFile
// The parsed data will be available in $metadataIDPFile and $metadataSPFile
//$useSAML2Metadata = false;

  // If true parsed metadata should have precedence if there are entries defined
  // in metadata as well as the local IDProviders configuration file.
  // Requires $useSAML2Metadata to be true
  //$SAML2MetaOverLocalConf = false;

  // If the $includeLocalConfEntries parameter is set to true, Identity Providers
  // not listed in metadata but defined in the local IDProviders file will also
  // be displayed in the drop down list. This is required if you need to add
  // local exceptions over the federation metadata
  // Requires $useSAML2Metadata to be true
  //$includeLocalConfEntries = true;

  // Whether the return parameter is checked against SAML2 metadata or not
  // The Discovery Service specification says the DS SHOULD check this in order
  // to mitigate phishing problems.
  // The return parameter will only be checked if the Service Provider's metadata
  // contains an <idpdisc:DiscoveryResponse> or if the assertion consumer url
  // check below is enabled
  // Requires $useSAML2Metadata to be true
  //$enableDSReturnParamCheck = true;

    // If true, the return parameter is checked for Service Providers that
    // don't have an <idpdisc:DiscoveryResponse> extension set. Instead of this
    // extension, the hostnames of the assertion consumer URLs are used to check
    // the return parameter against.
    // This feature is useful in case the Service Provider's metadata doesn't contain
    // a <idpdisc:DiscoveryResponse> extension. It increases security for Service
    // Providers that don't have an <idpdisc:DiscoveryResponse> extension.
    // Requires $useSAML2Metadata and $enableDSReturnParamCheck to be true
    //$useACURLsForReturnParamCheck = false;

// Whether to turn on Kerberos support for Identity Provider preselection
//$useKerberos = false;

  // A Kerberos-protected page that redirects back to the WAYF script
  //$kerberosRedirectURL = '/myFederation/kerberosRedirect.php';

// If enabled, the user's IP is used for a reverse DNS lookup whose resulting
// domain name then is matched with the URN values of the Identity Providers
//$useReverseDNSLookup = false;

// Whether the JavaScript required for embedding the WAYF
// on a remote site should be generated or not
// Lowers security against phishing!
// If this value is set to true, any web page in the world can
// (with some efforts) find out with a high probability from which
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
//$useEmbeddedWAYF = false;

  // If enabled the Embedded WAYF will prevent releasing information
  // about the user's preselected Identity Provider
  // While this is beneficial to the data protection of the user, it will also
  // prevent preselecting the user's Identity Provider. Thus, users will have
  // to preselect their IdP each and every time
  // Requires $useEmbeddedWAYF to be true
  //$useEmbeddedWAYFPrivacyProtection = false;

  // If enabled, the referer hostname of the request must match an assertion
  // consumer URL or a discovery URL of a Service Provider in $metadataSPFile
  // in order to let the Embedded WAYF preselect an Identity Provider.
  // Therefore, this option is a good compromise between data protection and
  // user-friendliness.
  // Requires $useSAML2Metadata to be true and $useEmbeddedWAYFPrivacyProtection
  // to be false
  //$useEmbeddedWAYFRefererForPrivacyProtection = false;

// If enabled (default) Identity Providers that are in the
// "Hide From Discovery" entity category (see
// https://refeds.org/category/hide-from-discovery/) will not
// be parsed when SAML2 metadata is processed. The effect will
// be that these IdPs are not shown in the organisation drop
// down list. IdPs in this entity category, however, still can
// be manually added using the Embedded WAYF.
//$supportHideFromDiscoveryEntityCategory = true;


// Whether or not to add the entityID of the preselected IdP to the
// exported JSON/Text/PHP Code
// Lowers security against phishing!
// If this value is set to true, any web page
// in the world can easily find out with a high probability from which
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
//$exportPreselectedIdP = false;

// Whether to enable logging of WAYF/DS requests
// If turned on make sure to also configure $WAYFLogFile
//$useLogging = true;

  // Where to log the access requests
  // This log is only an audit log for access requests.
  // Errors (e.g. when parsing SAML metadata) go to the syslog.
  // Make sure the web server user has write access to this file!
  //$WAYFLogFile = '/var/log/apache2/wayf.log';



// 4. Files and path Settings
//***************************
// all relative paths are resolved relative to the configuration directory

// Set both config files to the same value if you don't want to use the
// WAYF to read a (potentially) automatically generated file that undergoes
// some plausibility checks before being used
//$IDPConfigFile = 'IDProvider.conf.php';
//$backupIDPConfigFile = 'IDProvider.conf.php';

// Use $metadataFile as the source of the federation's metadata.
//$metadataFile = '/etc/shibboleth/metadata.myFederation.xml';

// File to store the parsed IdP list
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataIDPFile
//$metadataIDPFile = 'IDProvider.metadata.php';

// File to store the parsed SP list.
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataSPFile
//$metadataSPFile = 'SProvider.metadata.php';

// File to use as the lock file for writing the parsed IdP and SP lists.
// The user running the script must have permission to write $metadataLockFile
//$metadataLockFile = '/tmp/wayf_metadata.lock';

// Absolute URL to point to the images directory. Use an absolute URL in case you want to use the embedded WAYF
// The default assumes that this is in the same directory as
// the WAYF script.
//$imageURL = 'https://ds.example.org/SWITCHwayf/images';

// Absolute URL to point to css directory
// The default assumes that this is in the same directory as
// the WAYF script.
//$cssURL = 'https://ds.example.org/SWITCHwayf/css';

// Absolute URL to point to javascript directory
// The default assumes that this is in the same directory as
// the WAYF script.
//$javascriptURL = 'https://ds.example.org/SWITCHwayf/js';



// 5. Appearance Settings
//**************************

// Identifier for this particular instance of the SWITCHwayf
// This is mainly used for logging to syslog and in particular
// useful in case multiple instances of the SWITCHwayf are
// operated on the same host
//$instanceIdentifier = 'SWITCHwayf';

// URL to send user to when clicking on federation logo
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the logo
//$federationURL = 'http://www.example.org/myFed/';

// Absolute URL to the federation logo that should be displayed in the Embedded WAYF
// Set to an empty string to hide the logo
//$logoURL = 'http://ds.example.org/SWITCHwayf/images/federation-logo.png';

// Absolute URL to the small federation logo that should be displayed in the
// embedded WAYF. Make sure the dimensions (in particular the height of the logo)
// are small, ideally not larger than 120x30 pixels
//$smallLogoURL = 'http://ds.example.org/SWITCHwayf/images/small-federation-logo.png';

// Support contact email address
//$supportContactEmail = 'helpdesk@example.org';

// Absolute URL to the logo of the organization operating this Discovery Service
// Set to an empty string to hide the logo
//$organizationLogoURL = 'https://ds.example.org/SWITCHwayf/images/organization-logo.png';

// Absolute URL to the organization's web page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
//$organizationURL = 'http://www.example.org/';

// Absolute URL to an FAQ page
// This entry's localized string is 'faq' in languages.php
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the link
//$faqURL = 'http://www.example.org/%s/myFed/faq/';

// Absolute URL to a help/support page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the link
//$helpURL = 'http://www.example.org/%s/myFed/help/';

// Absolute URL to a privacy policy page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the link
//$privacyURL = 'http://www.example.org/%s/myFed/privacy/';

// Additional strings for custom templates
//$customStrings = array(
//    'federationName' => 'myFederation',
//);


// Development mode settings
//**************************
// If the development mode is activated, PHP errors and warnings will be displayed
// on pages the SWITCHwayf generates. Do not enable this in production, as the
// displayed errors can reveal internal paths and configuration details.
//$developmentMode = false;