/.*)?$ {
30 | fastcgi_pass unix:/var/run/php-fpm.sock;
31 | fastcgi_index index.php;
32 | include fastcgi_params;
33 | fastcgi_param SCRIPT_FILENAME $document_root$phpfile;
34 | fastcgi_param PATH_INFO $pathinfo if_not_empty;
35 | }
36 | }
37 | }
38 |
--------------------------------------------------------------------------------
/resources/nginx/nginx.conf:
--------------------------------------------------------------------------------
1 | # For more information on configuration, see:
2 | # * Official English Documentation: http://nginx.org/en/docs/
3 | # * Official Russian Documentation: http://nginx.org/ru/docs/
4 |
5 | user nginx;
6 | worker_processes auto;
7 | error_log /var/log/nginx/error.log;
8 | pid /run/nginx.pid;
9 |
10 | # Load dynamic modules. See /usr/share/nginx/README.dynamic.
11 | include /usr/share/nginx/modules/*.conf;
12 |
13 | events {
14 | worker_connections 1024;
15 | }
16 |
17 | http {
18 | log_format main '$remote_addr - $remote_user [$time_local] "$request" '
19 | '$status $body_bytes_sent "$http_referer" '
20 | '"$http_user_agent" "$http_x_forwarded_for"';
21 |
22 | access_log /var/log/nginx/access.log main;
23 |
24 | sendfile on;
25 | tcp_nopush on;
26 | tcp_nodelay on;
27 | keepalive_timeout 65;
28 | types_hash_max_size 2048;
29 |
30 | include /etc/nginx/mime.types;
31 | default_type application/octet-stream;
32 |
33 | # Load modular configuration files from the /etc/nginx/conf.d directory.
34 | # See http://nginx.org/en/docs/ngx_core_module.html#include
35 | # for more information.
36 | include /etc/nginx/conf.d/*.conf;
37 | }
38 |
39 |
--------------------------------------------------------------------------------
/resources/etc/templates/module_metarefresh-test.php.j2:
--------------------------------------------------------------------------------
1 | [
5 | 'gakunin-metadata' => [
6 | 'cron' => ['daily'],
7 | 'sources' => [
8 | [
9 | 'src' => 'https://metadata.gakunin.nii.ac.jp/gakunin-test-metadata.xml',
10 | 'certificates' => [
11 | 'gakunin-signer.cer'
12 | ],
13 | 'validateFingerprint' => 'FA:11:11:5B:EC:13:4D:55:85:AF:60:32:E1:6C:01:01:EF:9C:A0:6B:17:8C:8B:9C:7F:2B:69:41:EB:68:30:1E',
14 | 'validateFingerprintAlgorithm' => 'XMLSecurityDSig::SHA256'
15 | ]
16 | ],
17 | 'outputDir' => 'metadata/gakunin-metadata/',
18 | 'outputFormat' => 'flatfile',
19 | 'expireAfter' => 60*60*24*4
20 | ],
21 | 'orthros-metadata' => [
22 | 'cron' => ['daily'],
23 | 'sources' => [
24 | [
25 | 'src' => 'https://core-stg.orthros.gakunin.nii.ac.jp/metadata/orthrosstg-idp-metadata.xml',
26 | ]
27 | ],
28 | 'outputDir' => 'metadata/orthros-metadata/',
29 | 'outputFormat' => 'flatfile',
30 | 'expireAfter' => 60*60*24*4
31 | ],
32 | ]
33 | ];
34 |
--------------------------------------------------------------------------------
/resources/simplesamlphp/bin/add_auth_proxy_metadata.php:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env php
2 | load($metadataFilePath);
20 |
21 | $existNode = getEntityDescriptorNode($md->childNodes, $entityID);
22 | if (is_null($existNode)) {
23 | $addMd = new DOMDocument();
24 | $addMd->load($addMetadataPath);
25 | $addNode = getEntityDescriptorNode($addMd->childNodes, $entityID);
26 | $md->firstChild->appendChild($md->importNode($addNode, true));
27 | $md->firstChild->appendChild($md->createTextNode("\n"));
28 | $md->save($metadataFilePath);
29 | } else {
30 | $exit_code = EXIT_ALREADY_EXIST_ENTITY_ID;
31 | }
32 | } catch (Exciption $e) {
33 | echo $e->getMessage()."\n";
34 | $exit_code = EXIT_ERROR;
35 | }
36 |
// Cleanup after the try/catch above: remove the temporary metadata file that
// idpproxyctl copied into the container (best effort, hence the @-suppressed
// unlink), release both documents, and exit with the collected status.
// NOTE(review): the catch above names `Exciption`, a typo for `Exception`, so
// an exception thrown while loading or saving the metadata is not caught there
// and this cleanup is skipped — confirm and correct the class name.
@unlink($addMetadataPath);
$md = null;
$addMd = null;

exit($exit_code);
42 | ?>
43 |
--------------------------------------------------------------------------------
/.github/workflows/docker.yml:
--------------------------------------------------------------------------------
1 | name: Build and push Docker image
2 |
3 | on:
4 | push:
5 |
6 | jobs:
7 | docker:
8 | runs-on: ubuntu-latest
9 | steps:
10 | -
11 | name: Checkout
12 | uses: actions/checkout@v3
13 | -
14 | name: Extract branch name
15 | shell: bash
16 | run: echo "branch=$(echo ${GITHUB_REF#refs/heads/} | sed -e s,/,-,)" >> $GITHUB_OUTPUT
17 | id: extract_branch
18 | -
19 | name: Set up QEMU
20 | uses: docker/setup-qemu-action@v2
21 | -
22 | name: Set up Docker Buildx
23 | uses: docker/setup-buildx-action@v2
24 | -
25 | name: Login to DockerHub
26 | uses: docker/login-action@v2
27 | with:
28 | username: ${{ secrets.DOCKERHUB_USERNAME }}
29 | password: ${{ secrets.DOCKERHUB_TOKEN }}
30 | -
31 | name: "Build and push: idp-proxy"
32 | uses: docker/build-push-action@v3
33 | with:
34 | context: ./
35 | push: true
36 | tags: "${{ secrets.DOCKERHUB_NAMESPACE }}/coursewarehub-idp-proxy:${{ steps.extract_branch.outputs.branch }}"
37 | build-args: |
38 | ATTRIBUTE_AGGREGATOR_URL=${{ vars.ATTRIBUTE_AGGREGATOR_URL || 'https://github.com/NII-cloud-operation/simplesamlphp-module-attributeaggregator' }}
39 | ATTRIBUTE_AGGREGATOR_BRANCH=${{ vars.ATTRIBUTE_AGGREGATOR_BRANCH || 'dev-2.x-gakunin-cloud-gateway' }}
40 |
--------------------------------------------------------------------------------
/bin/start.sh:
--------------------------------------------------------------------------------
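#!/bin/bash
# Container entry point: install the certificates/key, render the
# configuration templates, then hand over to supervisord.

set -xe

# Directory holding the certificates and key (ENV CERT_DIR=/etc/cert in the
# Dockerfile, mounted at run time). Fail with a clear message if it is unset.
: "${CERT_DIR:?CERT_DIR is not set}"

# Setup the keys for nginx
cp -p "$CERT_DIR/idp-proxy.chained.cer" /etc/pki/nginx/
cp -p "$CERT_DIR/idp-proxy.key" /etc/pki/nginx/private/

# Setup the keys for simplesamlphp
# NOTE(review): cp -p keeps owner and mode from the mounted volume; check that
# the private key ends up readable by the php-fpm user (nginx, see www.conf)
# and by nobody else.
cp -p "$CERT_DIR/idp-proxy.cer" /var/www/simplesamlphp/cert/
cp -p "$CERT_DIR/idp-proxy.key" /var/www/simplesamlphp/cert/
cp -p "$CERT_DIR/gakunin-signer.cer" /var/www/simplesamlphp/cert/

# Setup config files: each *.j2 template is rendered with j2cli into place.
TEMPLATE_DIR=/etc/templates

j2 "${TEMPLATE_DIR}/embedded-wayf-config.js.j2" -o /var/www/simplesamlphp/templates/includes/embedded-wayf-config.js
j2 "${TEMPLATE_DIR}/embedded-wayf-loader.js.j2" -o /var/www/simplesamlphp/templates/includes/embedded-wayf-loader.js
j2 "${TEMPLATE_DIR}/idp-proxy.conf.j2" -o /etc/nginx/conf.d/idp-proxy.conf
j2 "${TEMPLATE_DIR}/config.php.j2" -o /var/www/simplesamlphp/config/config.php
j2 "${TEMPLATE_DIR}/authsources.php.j2" -o /var/www/simplesamlphp/config/authsources.php
j2 "${TEMPLATE_DIR}/module_cron.php.j2" -o /var/www/simplesamlphp/config/module_cron.php
j2 "${TEMPLATE_DIR}/cron_root.j2" -o /var/spool/cron/root
j2 "${TEMPLATE_DIR}/saml20-idp-hosted.php.j2" -o /var/www/simplesamlphp/metadata/saml20-idp-hosted.php

# ENABLE_TEST_FEDERATION=1|yes selects the test-federation metarefresh
# template (test metadata feed and fingerprint); anything else selects the
# production one.
if [[ "$ENABLE_TEST_FEDERATION" == "1" || "$ENABLE_TEST_FEDERATION" == "yes" ]]; then
    j2 "${TEMPLATE_DIR}/module_metarefresh-test.php.j2" -o /var/www/simplesamlphp/config/module_metarefresh.php
else
    j2 "${TEMPLATE_DIR}/module_metarefresh.php.j2" -o /var/www/simplesamlphp/config/module_metarefresh.php
fi

# Run supervisord in the foreground as the container's main process.
/usr/bin/supervisord -n -c /etc/supervisord.conf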
33 |
--------------------------------------------------------------------------------
/resources/saml/www/sp/discoresp.php:
--------------------------------------------------------------------------------
1 | startSSO($req['idpentityid'], $state);
45 |
--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
1 | BSD 3-Clause License
2 |
3 | Copyright (c) 2017-2018, National Institute of Informatics.
4 | All rights reserved.
5 |
6 | Redistribution and use in source and binary forms, with or without
7 | modification, are permitted provided that the following conditions are met:
8 |
9 | * Redistributions of source code must retain the above copyright notice, this
10 | list of conditions and the following disclaimer.
11 |
12 | * Redistributions in binary form must reproduce the above copyright notice,
13 | this list of conditions and the following disclaimer in the documentation
14 | and/or other materials provided with the distribution.
15 |
16 | * Neither the name of the copyright holder nor the names of its
17 | contributors may be used to endorse or promote products derived from
18 | this software without specific prior written permission.
19 |
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # IdP-Proxy
2 |
3 | ## Prerequisite
4 | * Docker version 1.12.5 or later
5 | * 'sudo' must be available
6 |
7 | ## Prepare Server certificate and key
8 | 1. Prepare the server certificate of IdP-Proxy with the following file names.
9 | * idp-proxy.cer
10 | + Server certificate of IdP-Proxy issued by NII.
11 | * idp-proxy.chained.cer
12 | + Chained server certificate of IdP-Proxy (intermediate certificate + server certificate).
13 | * idp-proxy.key
14 | + Private key of IdP-Proxy.
15 | 2. Place 'idp-proxy.cer', 'idp-proxy.chained.cer' and 'idp-proxy.key' in an arbitrary directory.
16 |
17 | ## Clone the repository of IdP-Proxy
18 | Make the clone of the repository of IdP-Proxy on GitHub.
19 | ```
20 | $ cd GIT_CLONE_DIR
21 | $ git clone git@github.com:axsh/idp-proxy.git
22 | ```
23 |
24 | ## Build image of IdP-Proxy
25 | Build IdP-Proxy container image as 'idp-proxy:latest'.
26 | ```
27 | $ cd GIT_CLONE_DIR/idp-proxy
28 | $ ./build-idp-proxy CERT_DIR
29 | ```
30 | * Specify the path of the directory where the server certificates and the private key are placed as 'CERT_DIR'.
31 |
32 | ## Run IdP-Proxy
33 | Run IdP-Proxy container using 'idp-proxy:latest' image.
34 | ```
35 | $ cd GIT_CLONE_DIR/idp-proxy
36 | $ ./bin/idpproxyctl run
37 | ```
38 |
39 | ## Add Courseware SP to IdP-Proxy
40 | You need to add the Courseware SP to IdP-Proxy in order to use Gakunin federation authentication.
41 | Add the metadata of Courseware SP into IdP-Proxy.
42 | ```
43 | $ cd GIT_CLONE_DIR/idp-proxy
44 | $ ./bin/idpproxyctl add-courseware SP_HOST
45 | ```
46 | * Specify the FQDN of the SP of the Courseware by 'SP_HOST'.
47 | * IdP-Proxy accesses the Courseware SP using the specified FQDN, and gets the SP's metadata.
48 |
--------------------------------------------------------------------------------
/resources/etc/templates/module_metarefresh.php.j2:
--------------------------------------------------------------------------------
1 | [
5 | 'gakunin-metadata' => [
6 | 'cron' => ['daily'],
7 | 'sources' => [
8 | [
9 | 'src' => 'https://metadata.gakunin.nii.ac.jp/gakunin-metadata.xml?generation=2',
10 | 'certificates' => [
11 | 'gakunin-signer.cer'
12 | ],
13 | 'validateFingerprint' => '5E:D6:A8:C5:E9:30:49:3F:B4:BA:77:54:6A:FB:66:BA:14:7D:CB:50:5B:EF:0F:D9:7C:26:04:C2:D9:36:FD:81',
14 | 'validateFingerprintAlgorithm' => 'XMLSecurityDSig::SHA256'
15 | ]
16 | ],
17 | 'outputDir' => 'metadata/gakunin-metadata/',
18 | 'outputFormat' => 'flatfile',
19 | 'expireAfter' => 60*60*24*4
20 | ],
21 | 'attributeauthority-remote' => [
22 | 'cron' => ['daily'],
23 | 'sources' => [
24 | [
25 | 'src' => 'https://meatwiki.nii.ac.jp/confluence/download/attachments/6684843/cgidp-metadata.xml?api=v2'
26 | ]
27 | ],
28 | 'outputDir' => 'metadata/attributeauthority-remote/',
29 | 'outputFormat' => 'flatfile',
30 | 'expireAfter' => 60*60*24*4
31 | ],
32 | 'orthros-metadata' => [
33 | 'cron' => ['daily'],
34 | 'sources' => [
35 | [
36 | 'src' => 'https://core.orthros.gakunin.nii.ac.jp/metadata/orthros-idp-metadata.xml',
37 | ]
38 | ],
39 | 'outputDir' => 'metadata/orthros-metadata/',
40 | 'outputFormat' => 'flatfile',
41 | 'expireAfter' => 60*60*24*4
42 | ]
43 | ]
44 | ];
45 |
--------------------------------------------------------------------------------
/resources/etc/templates/saml20-idp-hosted.php.j2:
--------------------------------------------------------------------------------
1 | '__DEFAULT__',
16 |
17 | // X.509 key and certificate. Relative to the cert directory.
18 | 'privatekey' => 'idp-proxy.key',
19 | 'certificate' => 'idp-proxy.cer',
20 |
21 |
22 | /*
23 | * Authentication source to use. Must be one that is configured in
24 | * 'config/authsources.php'.
25 | */
26 | 'auth' => 'default-sp',
27 |
28 | 'assertion.encryption' => true,
29 |
30 | /* Uncomment the following to use the uri NameFormat on attributes. */
31 | /*
32 | 'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
33 | 'authproc' => [
34 | // Convert LDAP names to oids.
35 | 100 => ['class' => 'core:AttributeMap', 'name2oid'],
36 | ],
37 | */
38 |
39 | /*
40 | * Uncomment the following to specify the registration information in the
41 | * exported metadata. Refer to:
42 | * http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html
43 | * for more information.
44 | */
45 | /*
46 | 'RegistrationInfo' => [
47 | 'authority' => 'urn:mace:example.org',
48 | 'instant' => '2008-01-17T11:28:03Z',
49 | 'policies' => [
50 | 'en' => 'http://example.org/policy',
51 | 'es' => 'http://example.org/politica',
52 | ],
53 | ],
54 | */
55 | ];
56 |
--------------------------------------------------------------------------------
/resources/simplesamlphp/templates/selectidp-dropdown.twig:
--------------------------------------------------------------------------------
1 | {% set pagetitle = "Select your identity provider"|trans %}
2 | {% extends "base.twig" %}
3 |
4 | {% block content %}
5 |
6 | {{ pagetitle }}
7 |
8 | {{ include('includes/selectidp-embedded-wayf-start.twig') }}
9 |
10 | {% if idplist|length == 0 %}
11 | {{ "No identity providers found. Cannot continue." | trans }}
12 | {% else %}
13 |
14 | {{ "Please select the identity provider where you want to authenticate:" | trans }}
15 |
40 | {% endif %}
41 |
42 | {{ include('includes/selectidp-embedded-wayf-end.twig')}}
43 | {% endblock %}
44 |
--------------------------------------------------------------------------------
/bin/idpproxyctl:
--------------------------------------------------------------------------------
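#!/bin/bash
# idpproxyctl: host-side control of the idp-proxy container (run, start,
# stop, restart, and adding or removing a courseware SP's metadata).
# The shebang previously lacked the '!', so ./bin/idpproxyctl was not
# guaranteed to run under bash.

# Container name and the image it is created from.
IDP_PROXY=idp-proxy
IDP_PROXY_IMAGE="idp-proxy:latest"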
5 |
6 | usage()
7 | {
8 | cat <&2
37 | usage
38 | exit 255
39 | }
40 |
function run_idp_proxy()
{
    # Create and start the container from the image, then fetch the Gakunin
    # DS metadata inside it.
    # NOTE(review): --privileged hands the container full host capabilities;
    # it is here so /sbin/init can be the entry point, while the image's CMD
    # is /start.sh (supervisord) — confirm it is still required.
    echo "Run idp-proxy ..."
    sudo docker run -v /var/log --privileged --name "$IDP_PROXY" -p 443:443 -d "$IDP_PROXY_IMAGE" /sbin/init

    echo "Download Gakunin DS metadata ..."
    printf '%s\n' /var/www/simplesamlphp/bin/update_ds_metadata.sh | sudo docker exec -i "$IDP_PROXY" bash
    echo "Done."
}
52 |
function start_idp_proxy()
{
    # Start the existing, stopped container.
    sudo docker start "$IDP_PROXY"
}
57 |
function stop_idp_proxy()
{
    # Stop the running container (it is kept, not removed).
    sudo docker stop "$IDP_PROXY"
}
62 |
function restart_idp_proxy()
{
    # Stop and start the container again in one step.
    sudo docker restart "$IDP_PROXY"
}
67 |
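function add_auth_proxy()
{
    # Download the SP metadata of a courseware auth proxy and register it in
    # the running container. $1 is the SP's FQDN (optionally host:port).
    local auth_proxy_host="$1"
    local entity_id metadata_url tempfile copyto

    # check parameters
    if [ -z "$auth_proxy_host" ] ; then
        reportfailed "too few arguments."
    fi
    # The host is spliced into a command line that is piped to a shell inside
    # the container, so accept host-name characters only.
    if ! [[ "$auth_proxy_host" =~ ^[A-Za-z0-9.-]+(:[0-9]+)?$ ]] ; then
        reportfailed "invalid host name: $auth_proxy_host"
    fi

    entity_id="https://$auth_proxy_host/simplesaml/module.php"
    metadata_url="https://$auth_proxy_host/simplesaml/module.php/saml/sp/metadata.php/default-sp"

    tempfile=$(mktemp /tmp/xml_XXXXXX) || reportfailed "cannot create a temporary file."
    # NOTE(review): --insecure disables TLS verification, so the metadata (and
    # the SP keys in it) could be replaced on the wire; the SP's certificate
    # should be verified here, or the fetched metadata checked out of band.
    # -f makes an HTTP error a failure instead of registering an error page.
    if ! curl --insecure -f -o "$tempfile" "$metadata_url" ; then
        rm -f "$tempfile"
        reportfailed "cannot download the SP metadata from $metadata_url"
    fi
    # docker cp only needs to read the file; it must not be world-writable
    # while it waits in /tmp.
    chmod 644 "$tempfile"
    sudo docker cp "$tempfile" "$IDP_PROXY:/root"
    copyto="/root/$(basename "$tempfile")"
    sudo docker exec -i "$IDP_PROXY" bash << EOF
/var/www/simplesamlphp/bin/add_auth_proxy_metadata.php "$entity_id" "$copyto"
EOF
    rm -f "$tempfile"
}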
88 |
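function delete_auth_proxy()
{
    # Remove the metadata of a courseware auth proxy from the running
    # container. $1 is the SP's FQDN (optionally host:port).
    local auth_proxy_host="$1"
    local entity_id

    # check parameters
    if [ -z "$auth_proxy_host" ] ; then
        reportfailed "missing arguments."
    fi
    # The host is spliced into a command line that is piped to a shell inside
    # the container, so accept host-name characters only.
    if ! [[ "$auth_proxy_host" =~ ^[A-Za-z0-9.-]+(:[0-9]+)?$ ]] ; then
        reportfailed "invalid host name: $auth_proxy_host"
    fi

    entity_id="https://$auth_proxy_host/simplesaml/module.php"
    sudo docker exec -i "$IDP_PROXY" bash << EOF
/var/www/simplesamlphp/bin/remove_auth_proxy_metadata.php "$entity_id"
EOF
}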
103 |
104 |
105 |
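#----- main -----
# Dispatch on the first argument; the remaining arguments go to the sub-command.
cmd="${1:-}"
# A bare `shift` with no arguments prints an error; only shift when there is one.
if [ $# -gt 0 ] ; then
    shift
fi

case "$cmd" in
    run) run_idp_proxy "$@"
        ;;
    start) start_idp_proxy "$@"
        ;;
    stop) stop_idp_proxy "$@"
        ;;
    restart) restart_idp_proxy "$@"
        ;;
    add-courseware) add_auth_proxy "$@"
        ;;
    del-courseware) delete_auth_proxy "$@"
        ;;
    *) usage
        ;;
esac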
126 |
127 |
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# IdP-Proxy image: Rocky 9 with nginx, php-fpm (remi 8.3), SimpleSAMLphp and
# the attributeaggregator module; configuration is rendered by /start.sh.
# NOTE(review): the base image and the packages are pinned by tag/version
# name only; pin by digest if reproducible builds matter.
FROM rockylinux:9

# SimpleSAMLphp release and the git repository/branch of the attributeaggregator
# module (both overridable as build args, see .github/workflows/docker.yml).
ARG SIMPLESAMLPHP_VERSION="2.3.7"
ARG ATTRIBUTE_AGGREGATOR_URL="https://github.com/NII-cloud-operation/simplesamlphp-module-attributeaggregator"
ARG ATTRIBUTE_AGGREGATOR_BRANCH="dev-2.x-gakunin-cloud-gateway"

# Install packages
RUN set -x \
&& rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9 \
&& dnf -y update \
&& dnf -y install epel-release \
&& rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9 \
&& dnf -y install less which cronie logrotate supervisor git unzip findutils patch \
&& systemctl enable crond \
&& dnf -y install yum-utils \
# Install nginx and php
&& dnf -y install --enablerepo=epel nginx python3 python3-pip \
&& systemctl enable nginx \
&& dnf -y install https://rpms.remirepo.net/enterprise/remi-release-9.rpm \
&& rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-remi.el9 \
&& dnf -y module reset php \
&& dnf -y module install php:remi-8.3 \
&& dnf -y install --enablerepo=remi php php-fpm php-xml php-gmp php-soap php-ldap \
# Composer: the installer is compared against the published SHA-384 before it
# runs; on mismatch it is deleted, so the `php composer-setup.php` that follows
# fails and the build aborts.
&& php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" \
&& php -r "if (hash_file('sha384', 'composer-setup.php') === '$(curl -q https://composer.github.io/installer.sig)') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" \
&& php composer-setup.php \
&& php -r "unlink('composer-setup.php');" \
&& mv composer.phar /usr/local/bin/composer \
&& chmod +x /usr/local/bin/composer \
&& systemctl enable php-fpm \
# Install simplesamlphp
&& cd /var/www \
&& curl -Lo downloaded-simplesamlphp.tar.gz https://github.com/simplesamlphp/simplesamlphp/releases/download/v${SIMPLESAMLPHP_VERSION}/simplesamlphp-${SIMPLESAMLPHP_VERSION}-full.tar.gz \
&& tar xvfz downloaded-simplesamlphp.tar.gz \
# NOTE(review): `*tar.gz` below is an unquoted glob that the shell expands
# against /var/www (where it currently matches the archive just downloaded)
# before grep sees it; quoting the pattern (`grep -v '\.tar\.gz$'`) would make
# the filter independent of the directory contents.
&& mv $( ls | grep simplesaml | grep -v *tar.gz ) simplesamlphp \
&& rm /var/www/downloaded-simplesamlphp.tar.gz \
# Install simplesamlphp-module-attributeaggregator
# The module is fetched from the git URL/branch given as build args, so those
# args decide which code ends up in the image.
&& cd /var/www/simplesamlphp \
&& composer config repositories.attributeaggregator "{\"type\": \"vcs\", \"url\": \"${ATTRIBUTE_AGGREGATOR_URL}\", \"no-api\": true}" \
&& composer require --update-no-dev niif/simplesamlphp-module-attributeaggregator:${ATTRIBUTE_AGGREGATOR_BRANCH}

# Patch simplesamlphp (legacy discoresp route, configurable discovery return
# URL, metadata signing config, security headers on the disco page)
COPY resources/simplesamlphp/simplesamlphp.patch /tmp/
RUN set -x \
&& cd /var/www/simplesamlphp \
&& patch -p1 < /tmp/simplesamlphp.patch \
&& rm -f /tmp/simplesamlphp.patch

# Setup nginx
# Copy the nginx configuration files
COPY resources/nginx/nginx.conf /etc/nginx/
RUN mkdir -p /etc/pki/nginx/private/

# Setup php-fpm
# The pool runs as nginx (www.conf), so the session directory must be
# writable by that group.
COPY resources/php-fpm/www.conf /etc/php-fpm.d/
RUN chgrp nginx /var/lib/php/session \
&& mkdir -p /run/php-fpm

# Setup simplesamlphp
# Metadata output directories for the metarefresh sources, owned by nginx.
RUN set -x \
&& mkdir -p /var/www/simplesamlphp/metadata/xml \
&& mkdir -p /var/www/simplesamlphp/metadata/gakunin-metadata \
/var/www/simplesamlphp/metadata/attributeauthority-remote \
&& chown -R nginx:nginx /var/www/simplesamlphp
COPY resources/simplesamlphp/bin/add_auth_proxy_metadata.php /var/www/simplesamlphp/bin
COPY resources/simplesamlphp/bin/remove_auth_proxy_metadata.php /var/www/simplesamlphp/bin
COPY resources/simplesamlphp/bin/auth_proxy_functions.php /var/www/simplesamlphp/bin
COPY resources/simplesamlphp/metadata/xml/auth-proxies.xml /var/www/simplesamlphp/metadata/xml
COPY resources/simplesamlphp/templates/selectidp-dropdown.twig /var/www/simplesamlphp/templates
COPY resources/simplesamlphp/templates/selectidp-embedded-wayf-start.twig /var/www/simplesamlphp/templates/includes
COPY resources/simplesamlphp/templates/selectidp-embedded-wayf-end.twig /var/www/simplesamlphp/templates/includes
COPY resources/saml/www/sp/discoresp.php /var/www/simplesamlphp/modules/saml/www/sp/discoresp.php
COPY resources/simplesamlphp/bin/add_auth_proxy.sh /usr/local/sbin/
COPY bin/start.sh /start.sh
RUN chmod +x /start.sh \
/usr/local/sbin/add_auth_proxy.sh

# Install j2cli (renders the *.j2 templates in /start.sh)
# NOTE(review): unpinned; pin a version for reproducible builds.
RUN pip3 install --no-cache-dir j2cli

# Install config template files
COPY resources/etc/templates /etc/templates

# Certificates and the private key are mounted here; /start.sh copies them
# into the nginx and simplesamlphp cert directories.
VOLUME /etc/cert
ENV CERT_DIR=/etc/cert

# supervisord
COPY resources/supervisord.conf /etc/

CMD ["/start.sh"]
91 |
--------------------------------------------------------------------------------
/resources/simplesamlphp/simplesamlphp.patch:
--------------------------------------------------------------------------------
1 | diff -urN simplesamlphp-2.1.1.org/modules/saml/routing/routes/routes.yml simplesamlphp-2.1.1/modules/saml/routing/routes/routes.yml
2 | --- simplesamlphp-2.1.1.org/modules/saml/routing/routes/routes.yml 2023-11-30 01:51:18.000000000 +0900
3 | +++ simplesamlphp-2.1.1/modules/saml/routing/routes/routes.yml 2024-02-15 17:07:41.913566972 +0900
4 | @@ -21,6 +21,13 @@
5 | }
6 | methods: [GET]
7 |
8 | +saml-legacy-sp-discoResponse:
9 | + path: /sp/discoresp.php
10 | + defaults: {
11 | + _controller: 'SimpleSAML\Module\saml\Controller\ServiceProvider::discoResponse'
12 | + }
13 | + methods: [GET]
14 | +
15 | saml-sp-login:
16 | path: /sp/login/{sourceId}
17 | defaults: {
18 | diff -urN simplesamlphp-2.1.1.org/modules/saml/src/Auth/Source/SP.php simplesamlphp-2.1.1/modules/saml/src/Auth/Source/SP.php
19 | --- simplesamlphp-2.1.1.org/modules/saml/src/Auth/Source/SP.php 2023-11-30 01:51:18.000000000 +0900
20 | +++ simplesamlphp-2.1.1/modules/saml/src/Auth/Source/SP.php 2024-02-08 18:00:31.882041163 +0900
21 | @@ -112,6 +112,7 @@
22 | $this->entityId = $entityId;
23 | $this->idp = $this->metadata->getOptionalString('idp', null);
24 | $this->discoURL = $this->metadata->getOptionalString('discoURL', null);
25 | + $this->discoReturnURL = $this->metadata->getOptionalString('discoReturnURL', 'saml/sp/discoResponse');
26 | $this->disable_scoping = $this->metadata->getOptionalBoolean('disable_scoping', false);
27 | $this->passAuthnContextClassRef = $this->metadata->getOptionalBoolean(
28 | 'proxymode.passAuthnContextClassRef',
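Review bot: `$this->discoReturnURL` is assigned on the added line but no property declaration appears anywhere in this patch; if `SP` does not already declare it, this creates a dynamic property, which PHP 8.2+ reports as deprecated and so emits a notice on every login with the php 8.3 the Dockerfile installs. If it is indeed undeclared, add `private ?string $discoReturnURL;` beside the existing properties and document that the value is a module-relative route that the second SP.php hunk (`@@ -708,7 +709,7 @@`) passes to `Module::getModuleURL()`. The value is read from the authsource metadata, i.e. operator configuration rather than the request, so no input validation is needed beyond the type. The constructor holding this line starts and ends outside the hunk.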
29 | @@ -708,7 +709,7 @@
30 | $discoURL = Module::getModuleURL('saml/disco');
31 | }
32 |
33 | - $returnTo = Module::getModuleURL('saml/sp/discoResponse', ['AuthID' => $id]);
34 | + $returnTo = Module::getModuleURL($this->discoReturnURL, ['AuthID' => $id]);
35 |
36 | $params = [
37 | 'entityID' => $this->entityId,
38 | diff -urN simplesamlphp-2.1.1.org/modules/saml/src/Controller/Disco.php simplesamlphp-2.1.1/modules/saml/src/Controller/Disco.php
39 | --- simplesamlphp-2.1.1.org/modules/saml/src/Controller/Disco.php 2023-11-30 01:51:18.000000000 +0900
40 | +++ simplesamlphp-2.1.1/modules/saml/src/Controller/Disco.php 2024-02-15 16:49:12.394125909 +0900
41 | @@ -39,6 +39,16 @@
42 | public function disco(): RunnableResponse
43 | {
44 | $disco = new IdPDisco(['saml20-idp-remote'], 'saml');
45 | - return new RunnableResponse([$disco, 'handleRequest']);
46 | + $response = new RunnableResponse([$disco, 'handleRequest']);
47 | +
48 | + /* override Content-Security-Policy for embedded DS */
49 | + $headers = $this->config->getOptionalArray('disco.headers.security', []);
50 | + foreach ($headers as $header => $value) {
51 | + if (!$response->headers->has($header)) {
52 | + $response->headers->set($header, $value);
53 | + }
54 | + }
55 | +
56 | + return $response;
57 | }
58 | }
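Review bot: The comment on the added block says it overrides Content-Security-Policy, but `if (!$response->headers->has($header))` only sets headers that are absent, so a CSP already present on this response is left as it is; either the guard contradicts the intent or the comment does. If the configured `disco.headers.security` values are meant to win, drop the guard and write `/* replace security headers for the embedded DS page; disco.headers.security wins */`; if they are defaults, keep the guard and say so in the comment. Whether SimpleSAMLphp adds its own security headers before or after this point is not visible in the hunk and decides which variant actually takes effect, so it is worth checking before choosing. Whichever it is, the relaxed policy for the embedded DS should be as narrow as the DS needs.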
59 | diff -urN simplesamlphp-2.1.1.org/modules/saml/src/Controller/Metadata.php simplesamlphp-2.1.1/modules/saml/src/Controller/Metadata.php
60 | --- simplesamlphp-2.1.1.org/modules/saml/src/Controller/Metadata.php 2023-11-30 01:51:18.000000000 +0900
61 | +++ simplesamlphp-2.1.1/modules/saml/src/Controller/Metadata.php 2024-02-14 21:07:56.489583730 +0900
62 | @@ -87,6 +87,7 @@
63 | $idpentityid = $this->mdHandler->getMetaDataCurrentEntityID('saml20-idp-hosted');
64 | }
65 | $metaArray = SAML2_IdP::getHostedMetadata($idpentityid, $this->mdHandler);
66 | + $metaConfig = $this->mdHandler->getMetaDataConfig($idpentityid, $metaArray['metadata-set']);
67 |
68 | $metaBuilder = new SSPMetadata\SAMLBuilder($idpentityid);
69 | $metaBuilder->addMetadataIdP20($metaArray);
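Review bot: `$metaArray['metadata-set']` on the added line is indexed without a guard; if `getHostedMetadata()` can return an array without that key (not determinable from the hunk), `getMetaDataConfig()` receives `null` and the failure surfaces later in a less obvious place, so `$metaArray['metadata-set'] ?? 'saml20-idp-hosted'` or an explicit check would keep it local. The second Metadata.php hunk (`@@ -95,7 +96,7 @@`) then hands `$metaConfig->toArray()` instead of `$metaArray` to `Signer::sign()`, and neither hunk records why; if the point is that the hosted IdP config carries the metadata-signing options the exported array does not, say so with `// sign with the hosted IdP config, which holds the metadata signing options`. The method containing both hunks starts and ends outside them.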
70 | @@ -95,7 +96,7 @@
71 | $metaxml = $metaBuilder->getEntityDescriptorText();
72 |
73 | // sign the metadata if enabled
74 | - $metaxml = SSPMetadata\Signer::sign($metaxml, $metaArray, 'SAML 2 IdP');
75 | + $metaxml = SSPMetadata\Signer::sign($metaxml, $metaConfig->toArray(), 'SAML 2 IdP');
76 |
77 | $response = new Response();
78 | $response->setEtag(hash('sha256', $metaxml));
79 | diff -urN simplesamlphp-2.1.1.org/modules/saml/src/Controller/ServiceProvider.php simplesamlphp-2.1.1/modules/saml/src/Controller/ServiceProvider.php
80 | --- simplesamlphp-2.1.1.org/modules/saml/src/Controller/ServiceProvider.php 2023-11-30 01:51:18.000000000 +0900
81 | +++ simplesamlphp-2.1.1/modules/saml/src/Controller/ServiceProvider.php 2024-02-15 17:23:06.961684962 +0900
82 | @@ -140,15 +140,28 @@
83 | */
84 | public function discoResponse(Request $request): RunnableResponse
85 | {
86 | - if (!$request->query->has('AuthID')) {
87 | + if ($request->query->has('target')) {
88 | + $target_query = parse_url($request->query->get('target'), PHP_URL_QUERY);
89 | + parse_str($target_query, $req);
90 | + } else {
91 | + $req = [];
92 | + }
93 | +
94 | + if ($request->query->has('AuthID')) {
95 | + $authId = $request->query->get('AuthID');
96 | + } else if (array_key_exists('AuthID', $req)) {
97 | + $authId = $req['AuthID'];
98 | + } else {
99 | throw new Error\BadRequest('Missing AuthID to discovery service response handler');
100 | }
101 | - $authId = $request->query->get('AuthID');
102 |
103 | - if (!$request->query->has('idpentityid')) {
104 | + if ($request->query->has('entityID')) {
105 | + $idpEntityId = $request->query->get('entityID');
106 | + } else if ($request->query->has('idpentityid')) {
107 | + $idpEntityId = $request->query->get('idpentityid');
108 | + } else {
109 | throw new Error\BadRequest('Missing idpentityid to discovery service response handler');
110 | }
111 | - $idpEntityId = $request->query->get('idpentityid');
112 |
113 | $state = $this->authState::loadState($authId, 'saml:sp:sso');
114 |
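Review bot: `parse_str($target_query, $req)` receives whatever `parse_url(..., PHP_URL_QUERY)` returned, which is `null` for a `target` without a query string and `false` for a malformed URL; if this file declares `strict_types=1` (as SimpleSAMLphp 2.x sources generally do) both cases are a `TypeError` on an unauthenticated GET such as `?target=foo`, and without strict types the `null` case is a deprecation on PHP 8.1+. Guard on `is_string()` before parsing, as below, and keep `target` used for nothing but extracting `AuthID`, since `loadState()` remains the only check that the id is genuine. Two smaller points: `else if` should be `elseif` per PSR-12, and the `BadRequest` message on the entityID branch still names only `idpentityid`. discoResponse continues past the end of the hunk.
```php
public function discoResponse(Request $request): RunnableResponse
{
    // Legacy DS clients return the original URL as `target`; only its query
    // string is consulted, and only to recover AuthID.
    $req = [];
    if ($request->query->has('target')) {
        $targetQuery = parse_url((string) $request->query->get('target'), PHP_URL_QUERY);
        if (is_string($targetQuery) && $targetQuery !== '') {
            parse_str($targetQuery, $req);
        }
    }
    // … unchanged: AuthID / entityID resolution and the rest of discoResponse …
```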
115 |
--------------------------------------------------------------------------------
/resources/php-fpm/www.conf:
--------------------------------------------------------------------------------
1 | ; Start a new pool named 'www'.
2 | [www]
3 |
4 | ; The address on which to accept FastCGI requests.
5 | ; Valid syntaxes are:
6 | ; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on
7 | ; a specific port;
8 | ; 'port' - to listen on a TCP socket to all addresses on a
9 | ; specific port;
10 | ; '/path/to/unix/socket' - to listen on a unix socket.
11 | ; Note: This value is mandatory.
12 | listen = /var/run/php-fpm.sock
13 |
14 | ; Set listen(2) backlog. A value of '-1' means unlimited.
15 | ; Default Value: -1
16 | ;listen.backlog = -1
17 |
18 | ; List of ipv4 addresses of FastCGI clients which are allowed to connect.
19 | ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
20 | ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
21 | ; must be separated by a comma. If this value is left blank, connections will be
22 | ; accepted from any ip address.
23 | ; Default Value: any
24 | listen.allowed_clients = 127.0.0.1
25 |
26 | ; Set permissions for unix socket, if one is used. In Linux, read/write
27 | ; permissions must be set in order to allow connections from a web server. Many
28 | ; BSD-derived systems allow connections regardless of permissions.
29 | ; Default Values: user and group are set as the running user
30 | ; mode is set to 0666
31 | listen.owner = nginx
32 | listen.group = nginx
33 | ;listen.mode = 0666
34 |
35 | ; Unix user/group of processes
36 | ; Note: The user is mandatory. If the group is not set, the default user's group
37 | ; will be used.
38 | ; RPM: apache chosen so that it can access some directories as httpd
39 | user = nginx
40 | ; RPM: Keep a group allowed to write in log dir.
41 | group = nginx
42 |
43 | ; Choose how the process manager will control the number of child processes.
44 | ; Possible Values:
45 | ; static - a fixed number (pm.max_children) of child processes;
46 | ; dynamic - the number of child processes are set dynamically based on the
47 | ; following directives:
48 | ; pm.max_children - the maximum number of children that can
49 | ; be alive at the same time.
50 | ; pm.start_servers - the number of children created on startup.
51 | ; pm.min_spare_servers - the minimum number of children in 'idle'
52 | ; state (waiting to process). If the number
53 | ; of 'idle' processes is less than this
54 | ; number then some children will be created.
55 | ; pm.max_spare_servers - the maximum number of children in 'idle'
56 | ; state (waiting to process). If the number
57 | ; of 'idle' processes is greater than this
58 | ; number then some children will be killed.
59 | ; Note: This value is mandatory.
60 | pm = dynamic
61 |
62 | ; The number of child processes to be created when pm is set to 'static' and the
63 | ; maximum number of child processes to be created when pm is set to 'dynamic'.
64 | ; This value sets the limit on the number of simultaneous requests that will be
65 | ; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
66 | ; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
67 | ; CGI.
68 | ; Note: Used when pm is set to either 'static' or 'dynamic'
69 | ; Note: This value is mandatory.
70 | pm.max_children = 50
71 |
72 | ; The number of child processes created on startup.
73 | ; Note: Used only when pm is set to 'dynamic'
74 | ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
75 | pm.start_servers = 5
76 |
77 | ; The desired minimum number of idle server processes.
78 | ; Note: Used only when pm is set to 'dynamic'
79 | ; Note: Mandatory when pm is set to 'dynamic'
80 | pm.min_spare_servers = 5
81 |
82 | ; The desired maximum number of idle server processes.
83 | ; Note: Used only when pm is set to 'dynamic'
84 | ; Note: Mandatory when pm is set to 'dynamic'
85 | pm.max_spare_servers = 35
86 |
87 | ; The number of requests each child process should execute before respawning.
88 | ; This can be useful to work around memory leaks in 3rd party libraries. For
89 | ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
90 | ; Default Value: 0
91 | ;pm.max_requests = 500
92 |
93 | ; The URI to view the FPM status page. If this value is not set, no URI will be
94 | ; recognized as a status page. By default, the status page shows the following
95 | ; information:
96 | ; accepted conn - the number of request accepted by the pool;
97 | ; pool - the name of the pool;
98 | ; process manager - static or dynamic;
99 | ; idle processes - the number of idle processes;
100 | ; active processes - the number of active processes;
101 | ; total processes - the number of idle + active processes.
102 | ; The values of 'idle processes', 'active processes' and 'total processes' are
103 | ; updated each second. The value of 'accepted conn' is updated in real time.
104 | ; Example output:
105 | ; accepted conn: 12073
106 | ; pool: www
107 | ; process manager: static
108 | ; idle processes: 35
109 | ; active processes: 65
110 | ; total processes: 100
111 | ; By default the status page output is formatted as text/plain. Passing either
112 | ; 'html' or 'json' as a query string will return the corresponding output
113 | ; syntax. Example:
114 | ; http://www.foo.bar/status
115 | ; http://www.foo.bar/status?json
116 | ; http://www.foo.bar/status?html
117 | ; Note: The value must start with a leading slash (/). The value can be
118 | ; anything, but it may not be a good idea to use the .php extension or it
119 | ; may conflict with a real PHP file.
120 | ; Default Value: not set
121 | ;pm.status_path = /status
122 |
123 | ; The ping URI to call the monitoring page of FPM. If this value is not set, no
124 | ; URI will be recognized as a ping page. This could be used to test from outside
125 | ; that FPM is alive and responding, or to
126 | ; - create a graph of FPM availability (rrd or such);
127 | ; - remove a server from a group if it is not responding (load balancing);
128 | ; - trigger alerts for the operating team (24/7).
129 | ; Note: The value must start with a leading slash (/). The value can be
130 | ; anything, but it may not be a good idea to use the .php extension or it
131 | ; may conflict with a real PHP file.
132 | ; Default Value: not set
133 | ;ping.path = /ping
134 |
135 | ; This directive may be used to customize the response of a ping request. The
136 | ; response is formatted as text/plain with a 200 response code.
137 | ; Default Value: pong
138 | ;ping.response = pong
139 |
140 | ; The timeout for serving a single request after which the worker process will
141 | ; be killed. This option should be used when the 'max_execution_time' ini option
142 | ; does not stop script execution for some reason. A value of '0' means 'off'.
143 | ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
144 | ; Default Value: 0
145 | ;request_terminate_timeout = 0
146 |
147 | ; The timeout for serving a single request after which a PHP backtrace will be
148 | ; dumped to the 'slowlog' file. A value of '0s' means 'off'.
149 | ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
150 | ; Default Value: 0
151 | ;request_slowlog_timeout = 0
152 |
153 | ; The log file for slow requests
154 | ; Default Value: not set
155 | ; Note: slowlog is mandatory if request_slowlog_timeout is set
156 | slowlog = /var/log/php-fpm/www-slow.log
157 |
158 | ; Set open file descriptor rlimit.
159 | ; Default Value: system defined value
160 | ;rlimit_files = 1024
161 |
162 | ; Set max core size rlimit.
163 | ; Possible Values: 'unlimited' or an integer greater or equal to 0
164 | ; Default Value: system defined value
165 | ;rlimit_core = 0
166 |
167 | ; Chroot to this directory at the start. This value must be defined as an
168 | ; absolute path. When this value is not set, chroot is not used.
169 | ; Note: chrooting is a great security feature and should be used whenever
170 | ; possible. However, all PHP paths will be relative to the chroot
171 | ; (error_log, sessions.save_path, ...).
172 | ; Default Value: not set
173 | ;chroot =
174 |
175 | ; Chdir to this directory at the start. This value must be an absolute path.
176 | ; Default Value: current directory or / when chroot
177 | ;chdir = /var/www
178 |
179 | ; Redirect worker stdout and stderr into main error log. If not set, stdout and
180 | ; stderr will be redirected to /dev/null according to FastCGI specs.
181 | ; Default Value: no
182 | ;catch_workers_output = yes
183 |
184 | ; Limits the extensions of the main script FPM will allow to parse. This can
185 | ; prevent configuration mistakes on the web server side. You should only limit
186 | ; FPM to .php extensions to prevent malicious users from using other extensions to
187 | ; execute php code.
188 | ; Note: set an empty value to allow all extensions.
189 | ; Default Value: .php
190 | ;security.limit_extensions = .php .php3 .php4 .php5
191 |
192 | ; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
193 | ; the current environment.
194 | ; Default Value: clean env
195 | ;env[HOSTNAME] = $HOSTNAME
196 | ;env[PATH] = /usr/local/bin:/usr/bin:/bin
197 | ;env[TMP] = /tmp
198 | ;env[TMPDIR] = /tmp
199 | ;env[TEMP] = /tmp
200 |
201 | ; Additional php.ini defines, specific to this pool of workers. These settings
202 | ; overwrite the values previously defined in the php.ini. The directives are the
203 | ; same as the PHP SAPI:
204 | ; php_value/php_flag - you can set classic ini defines which can
205 | ; be overwritten from PHP call 'ini_set'.
206 | ; php_admin_value/php_admin_flag - these directives won't be overwritten by
207 | ; PHP call 'ini_set'
208 | ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
209 |
210 | ; Defining 'extension' will load the corresponding shared extension from
211 | ; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
212 | ; overwrite previously defined php.ini values, but will append the new value
213 | ; instead.
214 |
215 | ; Default Value: nothing is defined by default except the values in php.ini and
216 | ; specified at startup with the -d argument
217 | ;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
218 | ;php_flag[display_errors] = off
219 | php_admin_value[error_log] = /var/log/php-fpm/www-error.log
220 | php_admin_flag[log_errors] = on
221 | ;php_admin_value[memory_limit] = 128M
222 |
223 | ; Set session path to a directory owned by process user
224 | php_value[session.save_handler] = files
225 | php_value[session.save_path] = /var/lib/php/session
226 |
227 |
--------------------------------------------------------------------------------
/resources/etc/templates/embedded-wayf-config.js.j2:
--------------------------------------------------------------------------------
1 |
263 |
--------------------------------------------------------------------------------
/resources/etc/templates/authsources.php.j2:
--------------------------------------------------------------------------------
1 | [
18 | // The default is to use core:AdminPassword, but it can be replaced with
19 | // any authentication source.
20 |
21 | 'core:AdminPassword',
22 | ],
23 |
24 |
25 | // An authentication source which can authenticate against SAML 2.0 IdPs.
26 | 'default-sp' => [
27 | 'saml:SP',
28 | 'privatekey' => 'idp-proxy.key',
29 | 'certificate' => 'idp-proxy.cer',
30 |
31 | // The entity ID of this SP.
32 | 'entityID' => 'https://{{ env("AUTH_FQDN") }}/shibboleth-sp',
33 |
34 | // The entity ID of the IdP this SP should contact.
35 | // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
36 | 'idp' => null,
37 |
38 | // The URL to the discovery service.
39 | // Can be NULL/unset, in which case a builtin discovery service will be used.
40 | //'discoURL' => null,
41 |
42 | 'discoReturnURL' => 'saml/sp/discoresp.php',
43 |
44 | /*
45 | * If SP behind the SimpleSAMLphp in IdP/SP proxy mode requests
46 | * AuthnContextClassRef, decide whether the AuthnContextClassRef will be
47 | * processed by the IdP/SP proxy or if it will be passed to the original
48 | * IdP in front of the IdP/SP proxy.
49 | */
50 | 'proxymode.passAuthnContextClassRef' => false,
51 |
52 | /*
53 | * The attributes parameter must contain an array of desired attributes by the SP.
54 | * The attributes can be expressed as an array of names or as an associative array
55 | * in the form of 'friendlyName' => 'name'. This feature requires 'name' to be set.
56 | * The metadata will then be created as follows:
57 | *
58 | */
59 | /*
60 | 'name' => [
61 | 'en' => 'A service',
62 | 'no' => 'En tjeneste',
63 | ],
64 |
65 | 'attributes' => [
66 | 'attrname' => 'urn:oid:x.x.x.x',
67 | ],
68 | 'attributes.required' => [
69 | 'urn:oid:x.x.x.x',
70 | ],
71 | */
72 | ],
73 |
74 |
75 | /*
76 | 'example-sql' => [
77 | 'sqlauth:SQL',
78 | 'dsn' => 'pgsql:host=sql.example.org;port=5432;dbname=simplesaml',
79 | 'username' => 'simplesaml',
80 | 'password' => 'secretpassword',
81 | 'query' => 'SELECT uid, givenName, email, eduPersonPrincipalName FROM users WHERE uid = :username ' .
82 | 'AND password = SHA2(CONCAT((SELECT salt FROM users WHERE uid = :username), :password), 256);',
83 | ],
84 | */
85 |
86 | /*
87 | 'example-static' => [
88 | 'exampleauth:StaticSource',
89 | 'uid' => ['testuser'],
90 | 'eduPersonAffiliation' => ['member', 'employee'],
91 | 'cn' => ['Test User'],
92 | ],
93 | */
94 |
95 | /*
96 | 'example-userpass' => [
97 | 'exampleauth:UserPass',
98 |
99 | // Give the user an option to save their username for future login attempts
100 | // And when enabled, what should the default be, to save the username or not
101 | //'remember.username.enabled' => false,
102 | //'remember.username.checked' => false,
103 |
104 | 'student:studentpass' => [
105 | 'uid' => ['test'],
106 | 'eduPersonAffiliation' => ['member', 'student'],
107 | ],
108 | 'employee:employeepass' => [
109 | 'uid' => ['employee'],
110 | 'eduPersonAffiliation' => ['member', 'employee'],
111 | ],
112 | ],
113 | */
114 |
115 | /*
116 | 'crypto-hash' => [
117 | 'authcrypt:Hash',
118 | // hashed version of 'verysecret', made with bin/pwgen.php
119 | 'professor:{SSHA256}P6FDTEEIY2EnER9a6P2GwHhI5JDrwBgjQ913oVQjBngmCtrNBUMowA==' => [
120 | 'uid' => ['prof_a'],
121 | 'eduPersonAffiliation' => ['member', 'employee', 'board'],
122 | ],
123 | ],
124 | */
125 |
126 | /*
127 | 'htpasswd' => [
128 | 'authcrypt:Htpasswd',
129 | 'htpasswd_file' => '/var/www/foo.edu/legacy_app/.htpasswd',
130 | 'static_attributes' => [
131 | 'eduPersonAffiliation' => ['member', 'employee'],
132 | 'Organization' => ['University of Foo'],
133 | ],
134 | ],
135 | */
136 |
137 | /*
138 | // This authentication source serves as an example of integration with an
139 | // external authentication engine. Take a look at the comment in the beginning
140 | // of modules/exampleauth/lib/Auth/Source/External.php for a description of
141 | // how to adjust it to your own site.
142 | 'example-external' => [
143 | 'exampleauth:External',
144 | ],
145 | */
146 |
147 | /*
148 | 'yubikey' => [
149 | 'authYubiKey:YubiKey',
150 | 'id' => '000',
151 | // 'key' => '012345678',
152 | ],
153 | */
154 |
155 | /*
156 | 'facebook' => [
157 | 'authfacebook:Facebook',
158 | // Register your Facebook application on http://www.facebook.com/developers
159 | // App ID or API key (requests with App ID should be faster; https://github.com/facebook/php-sdk/issues/214)
160 | 'api_key' => 'xxxxxxxxxxxxxxxx',
161 | // App Secret
162 | 'secret' => 'xxxxxxxxxxxxxxxx',
163 | // which additional data permissions to request from user
164 | // see http://developers.facebook.com/docs/authentication/permissions/ for the full list
165 | // 'req_perms' => 'email,user_birthday',
166 | // Which additional user profile fields to request.
167 | // When empty, only the app-specific user id and name will be returned
168 | // See https://developers.facebook.com/docs/graph-api/reference/v2.6/user for the full list
169 | // 'user_fields' => 'email,birthday,third_party_id,name,first_name,last_name',
170 | ],
171 | */
172 |
173 | /*
174 | // Twitter OAuth Authentication API.
175 | // Register your application to get an API key here:
176 | // http://twitter.com/oauth_clients
177 | 'twitter' => [
178 | 'authtwitter:Twitter',
179 | 'key' => 'xxxxxxxxxxxxxxxx',
180 | 'secret' => 'xxxxxxxxxxxxxxxx',
181 | // Forces the user to enter their credentials to ensure the correct users account is authorized.
182 | // Details: https://dev.twitter.com/docs/api/1/get/oauth/authenticate
183 | 'force_login' => false,
184 | ],
185 | */
186 |
187 | /*
188 | // Microsoft Account (Windows Live ID) Authentication API.
189 | // Register your application to get an API key here:
190 | // https://apps.dev.microsoft.com/
191 | 'windowslive' => [
192 | 'authwindowslive:LiveID',
193 | 'key' => 'xxxxxxxxxxxxxxxx',
194 | 'secret' => 'xxxxxxxxxxxxxxxx',
195 | ],
196 | */
197 |
198 | /*
199 | // Example of a LDAP authentication source.
200 | 'example-ldap' => [
201 | 'ldap:Ldap',
202 |
203 | // The connection string for the LDAP-server.
204 | // You can add multiple by separating them with a space.
205 | 'connection_string' => 'ldap.example.org',
206 |
207 | // Whether SSL/TLS should be used when contacting the LDAP server.
208 | // Possible values are 'ssl', 'tls' or 'none'
209 | 'encryption' => 'ssl',
210 |
211 | // The LDAP version to use when interfacing the LDAP-server.
212 | // Defaults to 3
213 | 'version' => 3,
214 |
215 | // Set to TRUE to enable LDAP debug level. Passed to the LDAP connector class.
216 | //
217 | // Default: FALSE
218 | // Required: No
219 | 'ldap.debug' => false,
220 |
221 | // The LDAP-options to pass when setting up a connection
222 | // See [Symfony documentation][1]
223 | 'options' => [
224 |
225 | // Set whether to follow referrals.
226 | // AD Controllers may require 0x00 to function.
227 | // Possible values are 0x00 (NEVER), 0x01 (SEARCHING),
228 | // 0x02 (FINDING) or 0x03 (ALWAYS).
229 | 'referrals' => 0x00,
230 |
231 | 'network_timeout' => 3,
232 | ],
233 |
234 | // The connector to use.
235 | // Defaults to '\SimpleSAML\Module\ldap\Connector\Ldap', but can be set
236 | // to '\SimpleSAML\Module\ldap\Connector\ActiveDirectory' when
237 | // authenticating against Microsoft Active Directory. This will
238 | // provide you with more specific error messages.
239 | 'connector' => '\SimpleSAML\Module\ldap\Connector\Ldap',
240 |
241 | // Which attributes should be retrieved from the LDAP server.
242 | // This can be an array of attribute names, or NULL, in which case
243 | // all attributes are fetched.
244 | 'attributes' => null,
245 |
246 | // Which attributes should be base64 encoded after retrieval from
247 | // the LDAP server.
248 | 'attributes.binary' => [
249 | 'jpegPhoto',
250 | 'objectGUID',
251 | 'objectSid',
252 | 'mS-DS-ConsistencyGuid'
253 | ],
254 |
255 | // The pattern which should be used to create the user's DN given
256 | // the username. %username% in this pattern will be replaced with
257 | // the user's username.
258 | //
259 | // This option is not used if the search.enable option is set to TRUE.
260 | 'dnpattern' => 'uid=%username%,ou=people,dc=example,dc=org',
261 |
262 | // As an alternative to specifying a pattern for the users DN, it is
263 | // possible to search for the username in a set of attributes. This is
264 | // enabled by this option.
265 | 'search.enable' => false,
266 |
267 | // An array on DNs which will be used as a base for the search. In
268 | // case of multiple strings, they will be searched in the order given.
269 | 'search.base' => [
270 | 'ou=people,dc=example,dc=org',
271 | ],
272 |
273 | // The scope of the search. Valid values are 'sub' and 'one' and
274 | // 'base', first one being the default if no value is set.
275 | 'search.scope' => 'sub',
276 |
277 | // The attribute(s) the username should match against.
278 | //
279 | // This is an array with one or more attribute names. Any of the
280 | // attributes in the array may match the value of the username.
281 | 'search.attributes' => ['uid', 'mail'],
282 |
283 | // Additional filters that must match for the entire LDAP search to
284 | // be true.
285 | //
286 | // This should be a single string conforming to [RFC 1960][2]
287 | // and [RFC 2544][3]. The string is appended to the search attributes
288 | 'search.filter' => '(&(objectClass=Person)(|(sn=Doe)(cn=John *)))',
289 |
290 | // The username & password where SimpleSAMLphp should bind to before
291 | // searching. If this is left NULL, no bind will be performed before
292 | // searching.
293 | 'search.username' => null,
294 | 'search.password' => null,
295 | ],
296 | */
297 |
298 | /*
299 | // Example of an LDAPMulti authentication source.
300 | 'example-ldapmulti' => [
301 | 'ldap:LdapMulti',
302 |
303 | // The way the organization as part of the username should be handled.
304 | // Three possible values:
305 | // - 'none': No handling of the organization. Allows '@' to be part
306 | // of the username.
307 | // - 'allow': Will allow users to type 'username@organization'.
308 | // - 'force': Force users to type 'username@organization'. The dropdown
309 | // list will be hidden.
310 | //
311 | // The default is 'none'.
312 | 'username_organization_method' => 'none',
313 |
314 | // Whether the organization should be included as part of the username
315 | // when authenticating. If this is set to TRUE, the username will be on
316 | // the form username@organization. If this is FALSE, the
317 | // username will be used as the user enters it.
318 | //
319 | // The default is FALSE.
320 | 'include_organization_in_username' => false,
321 |
322 | // A list of available LDAP servers.
323 | //
324 | // The index is an identifier for the organization/group. When
325 | // 'username_organization_method' is set to something other than 'none',
326 | // the organization-part of the username is matched against the index.
327 | //
328 | // The value of each element is an array in the same format as an LDAP
329 | // authentication source.
330 | 'mapping' => [
331 | 'employees' => [
332 | // A short name/description for this group. Will be shown in a
333 | // dropdown list when the user logs on.
334 | //
335 | // This option can be a string or an array with
336 | // language => text mappings.
337 | 'description' => 'Employees',
338 | 'authsource' => 'example-ldap',
339 | ],
340 |
341 | 'students' => [
342 | 'description' => 'Students',
343 | 'authsource' => 'example-ldap-2',
344 | ],
345 | ],
346 | ],
347 | */
348 | ];
349 |
--------------------------------------------------------------------------------
/resources/etc/templates/config.php.j2:
--------------------------------------------------------------------------------
1 | 'simplesaml/',
35 |
36 | /*
37 | * The 'application' configuration array groups a set configuration options
38 | * relative to an application protected by SimpleSAMLphp.
39 | */
40 | 'application' => [
41 | /*
42 | * The 'baseURL' configuration option allows you to specify a protocol,
43 | * host and optionally a port that serves as the canonical base for all
44 | * your application's URLs. This is useful when the environment
45 | * observed in the server differs from the one observed by end users,
46 | * for example, when using a load balancer to offload TLS.
47 | *
48 | * Note that this configuration option does not allow setting a path as
49 | * part of the URL. If your setup involves URL rewriting or any other
50 | * tricks that would result in SimpleSAMLphp observing a URL for your
51 | * application's scripts different than the canonical one, you will
52 | * need to compute the right URLs yourself and pass them dynamically
53 | * to SimpleSAMLphp's API.
54 | */
55 | //'baseURL' => 'https://example.com',
56 | ],
57 |
58 | /*
59 | * The following settings are *filesystem paths* which define where
60 | * SimpleSAMLphp can find or write the following things:
61 | * - 'loggingdir': Where to write logs. MUST be set to NULL when using a logging
62 | * handler other than `file`.
63 | * - 'datadir': Storage of general data.
64 | * - 'tempdir': Saving temporary files. SimpleSAMLphp will attempt to create
65 | * this directory if it doesn't exist.
66 | * When specified as a relative path, this is relative to the SimpleSAMLphp
67 | * root directory.
68 | */
69 | 'loggingdir' => 'log/',
70 | 'datadir' => 'data/',
71 | 'tempdir' => '/tmp/simplesaml',
72 |
73 | /*
74 | * Certificate and key material can be loaded from different possible
75 | * locations. Currently two locations are supported, the local filesystem
76 | * and the database via pdo using the global database configuration. Locations
77 | * are specified by a URL-link prefix before the file name/path or database
78 | * identifier.
79 | */
80 |
81 | /* To load a certificate or key from the filesystem, it should be specified
82 | * as 'file://' followed by a name, where the name is either a relative filename or a fully
83 | * qualified path to a file containing the certificate or key in PEM
84 | * format, such as 'cert.pem' or '/path/to/cert.pem'. If the path is
85 | * relative, it will be searched for in the directory defined by the
86 | * 'certdir' parameter below. When 'certdir' is specified as a relative
87 | * path, it will be interpreted as relative to the SimpleSAMLphp root
88 | * directory. Note that locations with no prefix included will be treated
89 | * as file locations.
90 | */
91 | 'certdir' => 'cert/',
92 |
93 | /* To load a certificate or key from the database, it should be specified
94 | * as 'pdo://' followed by an id, where the id is the identifier in the database table that
95 | * should be matched. While the certificate and key tables are expected to
96 | * be in the simplesaml database, they are not created or managed by
97 | * simplesaml. The following parameters control how the pdo location
98 | * attempts to retrieve certificates and keys from the database:
99 | *
100 | * - 'cert.pdo.table': name of table where certificates are stored
101 | * - 'cert.pdo.keytable': name of table where keys are stored
102 | * - 'cert.pdo.apply_prefix': whether or not to prepend the database.prefix
103 | * parameter to the table names; if you are using
104 | * database.prefix to separate multiple SSP instances
105 | * in the same database but want to share certificate/key
106 | * data between them, set this to false
107 | * - 'cert.pdo.id_column': name of column to use as identifier
108 | * - 'cert.pdo.data_column': name of column where PEM data is stored
109 | *
110 | * Basically, the query executed will be:
111 | *
112 | * SELECT cert.pdo.data_column FROM cert.pdo.table WHERE cert.pdo.id_column = :id
113 | *
114 | * Defaults are shown below, to change them, uncomment the line and update as
115 | * needed
116 | */
117 | //'cert.pdo.table' => 'certificates',
118 | //'cert.pdo.keytable' => 'private_keys',
119 | //'cert.pdo.apply_prefix' => true,
120 | //'cert.pdo.id_column' => 'id',
121 | //'cert.pdo.data_column' => 'data',
122 |
123 | /*
124 | * Some information about the technical persons running this installation.
125 | * The email address will be used as the recipient address for error reports, and
126 | * also as the technical contact in generated metadata.
127 | */
128 | 'technicalcontact_name' => 'Administrator',
129 | 'technicalcontact_email' => 'na@example.org',
130 |
131 | /*
132 | * (Optional) The method by which email is delivered. Defaults to mail which utilizes the
133 | * PHP mail() function.
134 | *
135 | * Valid options are: mail, sendmail and smtp.
136 | */
137 | //'mail.transport.method' => 'smtp',
138 |
139 | /*
140 | * Set the transport options for the transport method specified. The valid settings are relative to the
141 | * selected transport method.
142 | */
143 | /*
144 | 'mail.transport.options' => [
145 | 'host' => 'mail.example.org', // required
146 | 'port' => 25, // optional
147 | 'username' => 'user@example.org', // optional: if set, enables smtp authentication
148 | 'password' => 'password', // optional: if set, enables smtp authentication
149 | 'security' => 'tls', // optional: defaults to no smtp security
150 | 'smtpOptions' => [], // optional: passed to stream_context_create when connecting via SMTP
151 | ],
152 |
153 | // sendmail mail transport options
154 | /*
155 | 'mail.transport.options' => [
156 | 'path' => '/usr/sbin/sendmail' // optional: defaults to php.ini path
157 | ],
158 | */
159 |
160 | /*
161 | * The envelope from address for outgoing emails.
162 | * This should be in a domain that has your application's IP addresses in its SPF record
163 | * to prevent it from being rejected by mail filters.
164 | */
165 | //'sendmail_from' => 'no-reply@example.org',
166 |
167 | /*
168 | * The timezone of the server. This option should be set to the timezone you want
169 | * SimpleSAMLphp to report the time in. The default is to guess the timezone based
170 | * on your system timezone.
171 | *
172 | * See this page for a list of valid timezones: http://php.net/manual/en/timezones.php
173 | */
174 | 'timezone' => 'Asia/Tokyo',
175 |
176 |
177 |
178 | /**********************************
179 | | SECURITY CONFIGURATION OPTIONS |
180 | **********************************/
181 |
182 | /*
183 | * This is a secret salt used by SimpleSAMLphp when it needs to generate a secure hash
184 | * of a value. It must be changed from its default value to a secret value; a salt that is
185 | * checked into a shared template is not secret. The value of 'secretsalt' can be any valid string of any length.
186 | *
187 | * A possible way to generate a random salt is by running the following command from a unix shell:
188 | * LC_ALL=C tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' < /dev/urandom | dd bs=32 count=1 2> /dev/null;echo
189 | */
190 | 'secretsalt' => 'c8z455lf1tm7pum2vmatflb4mpl85721',
191 |
192 | /*
193 | * This password must be kept secret, and modified from the default value 123 (a fallback default written into the template counts as a default).
194 | * This password will give access to the installation page of SimpleSAMLphp with
195 | * metadata listing and diagnostics pages.
196 | * You can also put a hash here; run "bin/pwgen.php" to generate one.
197 | */
198 | 'auth.adminpassword' => '{{ env("SIMPLESAMLPHP_ADMIN_PASSWORD", "axsh0720") }}',
199 |
200 | /*
201 | * Set this option to true if you want to require administrator password to access the metadata.
202 | */
203 | 'admin.protectmetadata' => false,
204 |
205 | /*
206 | * Set this option to false if you don't want SimpleSAMLphp to check for new stable releases when
207 | * visiting the configuration tab in the web interface.
208 | */
209 | 'admin.checkforupdates' => true,
210 |
211 | /*
212 | * Array of domains that are allowed when generating links or redirects
213 | * to URLs. SimpleSAMLphp will use this option to determine whether to
214 | * consider a given URL valid or not, but you should always validate
215 | * URLs obtained from the input on your own (i.e. ReturnTo or RelayState
216 | * parameters obtained from the $_REQUEST array).
217 | *
218 | * SimpleSAMLphp will automatically add your own domain (either by checking
219 | * it dynamically, or by using the domain defined in the 'baseurlpath'
220 | * directive, the latter having precedence) to the list of trusted domains,
221 | * in case this option is NOT set to NULL. In that case, you are explicitly
222 | * telling SimpleSAMLphp to verify URLs.
223 | *
224 | * Set to an empty array to disallow ALL redirects or links pointing to
225 | * an external URL other than your own domain. This is the default behaviour.
226 | *
227 | * Set to NULL to disable checking of URLs. DO NOT DO THIS UNLESS YOU KNOW
228 | * WHAT YOU ARE DOING!
229 | *
230 | * Example:
231 | * 'trusted.url.domains' => ['sp.example.com', 'app.example.com'],
232 | */
233 | 'trusted.url.domains' => [],
234 |
235 | /*
236 | * Enable regular expression matching of trusted.url.domains.
237 | *
238 | * Set to true to treat the values in trusted.url.domains as regular
239 | * expressions. Set to false to do exact string matching.
240 | *
241 | * If enabled, the start and end delimiters ('^' and '$') will be added to
242 | * all regular expressions in trusted.url.domains.
243 | */
244 | 'trusted.url.regex' => false,
245 |
246 | /*
247 | * Enable secure POST from HTTPS to HTTP.
248 | *
249 | * If you have some SP's on HTTP and IdP is normally on HTTPS, this option
250 | * enables secure POSTing to HTTP endpoint without warning from browser.
251 | *
252 | * For this to work, module.php/core/postredirect.php must be accessible
253 | * also via HTTP on IdP, e.g. if your IdP is on
254 | * https://idp.example.org/ssp/, then
255 | * http://idp.example.org/ssp/module.php/core/postredirect.php must be accessible.
256 | */
257 | 'enable.http_post' => false,
258 |
259 | /*
260 | * Set the allowed clock skew between encrypting/decrypting assertions
261 | *
262 | * If you have a server that is constantly out of sync, this option
263 | * allows you to adjust the allowed clock-skew.
264 | *
265 | * Allowed range: 180 - 300
266 | * Defaults to 180.
267 | */
268 | 'assertion.allowed_clock_skew' => 180,
269 |
270 | /*
271 | * Set custom security headers. The defaults can be found in \SimpleSAML\Configuration::DEFAULT_SECURITY_HEADERS
272 | *
273 | * NOTE: When a header is already set on the response we will NOT overrule it and leave it untouched.
274 | *
275 | * Whenever you change any of these headers, make sure to validate your config by running your
276 | * hostname through a security-test like https://en.internet.nl
277 | */
278 | 'headers.security' => [
279 | 'Content-Security-Policy' => "default-src 'none'; frame-ancestors 'self'; object-src 'none'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self'; img-src 'self' data:; base-uri 'none'",
280 | 'X-Frame-Options' => 'SAMEORIGIN',
281 | 'X-Content-Type-Options' => 'nosniff',
282 | 'Referrer-Policy' => 'origin-when-cross-origin',
283 | ],
284 |
285 | 'disco.headers.security' => [
286 | 'Content-Security-Policy' => "default-src 'none'; frame-ancestors 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' https://{{ env("DS_FQDN", default="ds.gakunin.nii.ac.jp" )}}; style-src 'self' 'unsafe-inline' https://{{ env("DS_FQDN", default="ds.gakunin.nii.ac.jp") }}; font-src 'self'; connect-src 'self'; img-src 'self' data: https:; base-uri 'none'",
287 | ],
288 |
289 | /************************
290 | | ERRORS AND DEBUGGING |
291 | ************************/
292 |
293 | /*
294 | * The 'debug' option allows you to control how SimpleSAMLphp behaves in certain
295 | * situations where further action may be taken
296 | *
297 | * It can be left unset, in which case, debugging is switched off for all actions.
298 | * If set, it MUST be an array containing the actions that you want to enable, or
299 | * alternatively a hashed array where the keys are the actions and their
300 | * corresponding values are booleans enabling or disabling each particular action.
301 | *
302 | * SimpleSAMLphp provides some pre-defined actions, though modules could add new
303 | * actions here. Refer to the documentation of every module to learn if they
304 | * allow you to set any more debugging actions.
305 | *
306 | * The pre-defined actions are:
307 | *
308 | * - 'saml': this action controls the logging of SAML messages exchanged with other
309 | * entities. When enabled ('saml' is present in this option, or set to true), all
310 | * SAML messages will be logged, including plaintext versions of encrypted
311 | * messages.
312 | *
313 | * - 'backtraces': this action controls the logging of error backtraces so you
314 | * can debug any possible errors happening in SimpleSAMLphp.
315 | *
316 | * - 'validatexml': this action allows you to validate SAML documents against all
317 | * the relevant XML schemas. SAML 1.1 messages or SAML metadata parsed with
318 | * the XML to SimpleSAMLphp metadata converter or the metaedit module will
319 | * validate the SAML documents if this option is enabled.
320 | *
321 | * If you want to disable debugging completely, unset this option or set it to an
322 | * empty array.
323 | */
324 | 'debug' => [
325 | 'saml' => false,
326 | 'backtraces' => true,
327 | 'validatexml' => false,
328 | ],
329 |
330 | /*
331 | * When 'showerrors' is enabled, all error messages and stack traces will be output
332 | * to the browser.
333 | *
334 | * When 'errorreporting' is enabled, a form will be presented for the user to report
335 | * the error to 'technicalcontact_email'.
336 | */
337 | 'showerrors' => true,
338 | 'errorreporting' => true,
339 |
340 | /*
341 | * Custom error show function called from SimpleSAML\Error\Error::show.
342 | * See docs/simplesamlphp-errorhandling.md for function code example.
343 | *
344 | * Example:
345 | * 'errors.show_function' => ['SimpleSAML\Module\example\Error', 'show'],
346 | */
347 |
348 |
349 | /**************************
350 | | LOGGING AND STATISTICS |
351 | **************************/
352 |
353 | /*
354 | * Define the minimum log level to log. Available levels:
355 | * - SimpleSAML\Logger::ERR No statistics, only errors
356 | * - SimpleSAML\Logger::WARNING No statistics, only warnings/errors
357 | * - SimpleSAML\Logger::NOTICE Statistics and errors
358 | * - SimpleSAML\Logger::INFO Verbose logs
359 | * - SimpleSAML\Logger::DEBUG Full debug logs - not recommended for production
360 | *
361 | * Choose logging handler.
362 | *
363 | * Options: [syslog,file,errorlog,stderr]
364 | *
365 | * If you set the handler to 'file', the directory specified in loggingdir above
366 | * must exist and be writable for SimpleSAMLphp. If set to something else, set
367 | * loggingdir above to 'null'.
368 | */
369 | 'logging.level' => SimpleSAML\Logger::{{ env("SIMPLESAMLPHP_LOGLEVEL", "DEBUG") }},
370 | 'logging.handler' => 'file',
371 |
372 | /*
373 | * Specify the format of the logs. Its use varies depending on the log handler used (for instance, you cannot
374 | * control here how dates are displayed when using the syslog or errorlog handlers), but in general the options
375 | * are:
376 | *
377 | * - %date{}: the date and time, with its format specified inside the brackets. See the PHP documentation
378 | * of the date() function for more information on the format. If the brackets are omitted, the standard
379 | * format is applied. This can be useful if you just want to control the placement of the date, but don't care
380 | * about the format.
381 | *
382 | * - %process: the name of the SimpleSAMLphp process. Remember you can configure this in the 'logging.processname'
383 | * option below.
384 | *
385 | * - %level: the log level (name or number depending on the handler used).
386 | *
387 | * - %stat: if the log entry is intended for statistical purposes, it will print the string 'STAT ' (bear in mind
388 | * the trailing space).
389 | *
390 | * - %trackid: the track ID, an identifier that allows you to track a single session.
391 | *
392 | * - %srcip: the IP address of the client. If you are behind a proxy, make sure to modify the
393 | * $_SERVER['REMOTE_ADDR'] variable in your code according to the X-Forwarded-For header (only trust that header when it is set by a proxy you control, since clients can supply it themselves).
394 | *
395 | * - %msg: the message to be logged.
396 | *
397 | */
398 | {% raw %}
399 | //'logging.format' => '%date{M j H:i:s} %process %level %stat[%trackid] %msg',
400 | {% endraw %}
401 |
402 | /*
403 | * Choose which facility should be used when logging with syslog.
404 | *
405 | * These can be used for filtering the syslog output from SimpleSAMLphp into its
406 | * own file by configuring the syslog daemon.
407 | *
408 | * See the documentation for openlog (http://php.net/manual/en/function.openlog.php) for available
409 | * facilities. Note that only LOG_USER is valid on Windows.
410 | *
411 | * The default is to use LOG_LOCAL5 if available, and fall back to LOG_USER if not.
412 | */
413 | 'logging.facility' => defined('LOG_LOCAL5') ? constant('LOG_LOCAL5') : LOG_USER,
414 |
415 | /*
416 | * The process name that should be used when logging to syslog.
417 | * The value is also written out by the other logging handlers.
418 | */
419 | 'logging.processname' => 'simplesamlphp',
420 |
421 | /*
422 | * Logging: file - Logfilename in the loggingdir from above.
423 | */
424 | 'logging.logfile' => 'simplesamlphp.log',
425 |
426 | /*
427 | * This is an array of outputs. Each output has at least a 'class' option, which
428 | * selects the output.
429 | */
430 | 'statistics.out' => [
431 | // Log statistics to the normal log.
432 | /*
433 | [
434 | 'class' => 'core:Log',
435 | 'level' => 'notice',
436 | ],
437 | */
438 | // Log statistics to files in a directory. One file per day.
439 | /*
440 | [
441 | 'class' => 'core:File',
442 | 'directory' => '/var/log/stats',
443 | ],
444 | */
445 | ],
446 |
447 |
448 |
449 | /***********************
450 | | PROXY CONFIGURATION |
451 | ***********************/
452 |
453 | /*
454 | * Proxy to use for retrieving URLs.
455 | *
456 | * Example:
457 | * 'proxy' => 'tcp://proxy.example.com:5100'
458 | */
459 | 'proxy' => null,
460 |
461 | /*
462 | * Username/password authentication to proxy (Proxy-Authorization: Basic)
463 | * Example:
464 | * 'proxy.auth' => 'myuser:password'
465 | */
466 | //'proxy.auth' => 'myuser:password',
467 |
468 |
469 |
470 | /**************************
471 | | DATABASE CONFIGURATION |
472 | **************************/
473 |
474 | /*
475 | * This database configuration is optional. If you are not using
476 | * core functionality or modules that require a database, you can
477 | * skip this configuration.
478 | */
479 |
480 | /*
481 | * Database connection string.
482 | * Ensure that you have the required PDO database driver installed
483 | * for your connection string.
484 | */
485 | 'database.dsn' => 'mysql:host=localhost;dbname=saml',
486 |
487 | /*
488 | * SQL database credentials (the values below are upstream placeholders, not real credentials; supply the real ones at deployment time rather than committing them to this template)
489 | */
490 | 'database.username' => 'simplesamlphp',
491 | 'database.password' => 'secret',
492 | 'database.options' => [],
493 |
494 | /*
495 | * (Optional) Table prefix
496 | */
497 | 'database.prefix' => '',
498 |
499 | /*
500 | * (Optional) Driver options
501 | */
502 | 'database.driver_options' => [],
503 |
504 | /*
505 | * True or false if you would like a persistent database connection
506 | */
507 | 'database.persistent' => false,
508 |
509 | /*
510 | * Database secondary configuration is optional as well. If you are only
511 | * running a single database server, leave this blank. If you have
512 | * a primary/secondary configuration, you can define as many secondary servers
513 | * as you want here. Secondaries will be picked at random to be queried from.
514 | *
515 | * Configuration options in the secondary array are exactly the same as the
516 | * options for the primary (shown above) with the exception of the table
517 | * prefix and driver options.
518 | */
519 | 'database.secondaries' => [
520 | /*
521 | [
522 | 'dsn' => 'mysql:host=mysecondary;dbname=saml',
523 | 'username' => 'simplesamlphp',
524 | 'password' => 'secret',
525 | 'persistent' => false,
526 | ],
527 | */
528 | ],
529 |
530 |
531 |
532 | /*************
533 | | PROTOCOLS |
534 | *************/
535 |
536 | /*
537 | * Which functionality in SimpleSAMLphp do you want to enable. Normally you would enable only
538 | * one of the functionalities below, but in some cases you could run multiple functionalities.
539 | * For example, when you are setting up a federation bridge.
540 | */
541 | 'enable.saml20-idp' => true,
542 | 'enable.adfs-idp' => false,
543 |
544 |
545 |
546 | /***********
547 | | MODULES |
548 | ***********/
549 |
550 | /*
551 | * Configuration for enabling/disabling modules. By default the 'core', 'admin' and 'saml' modules are enabled.
552 | *
553 | * Example:
554 | *
555 | * 'module.enable' => [
556 | * 'exampleauth' => true, // Setting to TRUE enables.
557 | * 'consent' => false, // Setting to FALSE disables.
558 | * 'core' => null, // Unset or NULL uses default.
559 | * ],
560 | */
561 |
562 | 'module.enable' => [
563 | 'exampleauth' => false,
564 | 'core' => true,
565 | 'admin' => true,
566 | 'saml' => true,
567 | 'cron' => true,
568 | 'statistics' => false,
569 | 'metarefresh' => true,
570 | 'attributeaggregator' => true
571 | ],
572 |
573 |
574 | /*************************
575 | | SESSION CONFIGURATION |
576 | *************************/
577 |
578 | /*
579 | * This value is the duration of the session in seconds. Make sure that the time duration of
580 | * cookies both at the SP and the IdP exceeds this duration.
581 | */
582 | 'session.duration' => 8 * (60 * 60), // 8 hours.
583 |
584 | /*
585 | * Sets the duration, in seconds, data should be stored in the datastore. As the data store is used for
586 | * login and logout requests, this option will control the maximum time these operations can take.
587 | * The default is 4 hours (4*60*60) seconds, which should be more than enough for these operations.
588 | */
589 | 'session.datastore.timeout' => (4 * 60 * 60), // 4 hours
590 |
591 | /*
592 | * Sets the duration, in seconds, auth state should be stored.
593 | */
594 | 'session.state.timeout' => (60 * 60), // 1 hour
595 |
596 | /*
597 | * Option to override the default settings for the session cookie name
598 | */
599 | 'session.cookie.name' => 'SimpleSAMLSessionID',
600 |
601 | /*
602 | * Expiration time for the session cookie, in seconds.
603 | *
604 | * Defaults to 0, which means that the cookie expires when the browser is closed.
605 | *
606 | * Example:
607 | * 'session.cookie.lifetime' => 30*60,
608 | */
609 | 'session.cookie.lifetime' => 0,
610 |
611 | /*
612 | * Limit the path of the cookies.
613 | *
614 | * Can be used to limit the path of the cookies to a specific subdirectory.
615 | *
616 | * Example:
617 | * 'session.cookie.path' => '/simplesaml/',
618 | */
619 | 'session.cookie.path' => '/',
620 |
621 | /*
622 | * Cookie domain.
623 | *
624 | * Can be used to make the session cookie available to several domains.
625 | *
626 | * Example:
627 | * 'session.cookie.domain' => '.example.org',
628 | */
629 | 'session.cookie.domain' => '',
630 |
631 | /*
632 | * Set the secure flag in the cookie.
633 | *
634 | * Set this to TRUE if the user only accesses your service
635 | * through https. If the user can access the service through
636 | * both http and https, this must be set to FALSE.
637 | */
638 | 'session.cookie.secure' => true,
639 |
640 | /*
641 | * Set the SameSite attribute in the cookie.
642 | *
643 | * You can set this to the strings 'None', 'Lax', or 'Strict' to support
644 | * the RFC6265bis SameSite cookie attribute. If set to null, no SameSite
645 | * attribute will be sent.
646 | *
647 | * A value of "None" is required to properly support cross-domain POST
648 | * requests which are used by different SAML bindings. Because some older
649 | * browsers do not support this value, the canSetSameSiteNone function
650 | * can be called to only set it for compatible browsers.
651 | *
652 | * You must also set the 'session.cookie.secure' value above to true.
653 | *
654 | * Example:
655 | * 'session.cookie.samesite' => 'None',
656 | */
657 | 'session.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null,
658 |
659 | /*
660 | * Options to override the default settings for php sessions.
661 | */
662 | 'session.phpsession.cookiename' => 'SimpleSAML',
663 | 'session.phpsession.savepath' => null,
664 | 'session.phpsession.httponly' => true,
665 |
666 | /*
667 | * Option to override the default settings for the auth token cookie
668 | */
669 | 'session.authtoken.cookiename' => 'SimpleSAMLAuthToken',
670 |
671 | /*
672 | * Options for the remember me feature for IdP sessions. The remember me feature
673 | * also has to be implemented in the authentication source used.
674 | *
675 | * Option 'session.cookie.lifetime' should be set to zero (0), i.e. cookie
676 | * expires on browser session if remember me is not checked.
677 | *
678 | * Session duration ('session.duration' option) should be set according to
679 | * 'session.rememberme.lifetime' option.
680 | *
681 | * It's advised to use remember me feature with session checking function
682 | * defined with 'session.check_function' option.
683 | */
684 | 'session.rememberme.enable' => false,
685 | 'session.rememberme.checked' => false,
686 | 'session.rememberme.lifetime' => (14 * 86400),
687 |
688 | /*
689 | * Custom function for session checking called on session init and loading.
690 | * See docs/simplesamlphp-advancedfeatures.md for function code example.
691 | *
692 | * Example:
693 | * 'session.check_function' => ['\SimpleSAML\Module\example\Util', 'checkSession'],
694 | */
695 |
696 |
697 |
698 | /**************************
699 | | MEMCACHE CONFIGURATION |
700 | **************************/
701 |
702 | /*
703 | * Configuration for the 'memcache' session store. This allows you to store
704 | * multiple redundant copies of sessions on different memcache servers.
705 | *
706 | * 'memcache_store.servers' is an array of server groups. Every data
707 | * item will be mirrored in every server group.
708 | *
709 | * Each server group is an array of servers. The data items will be
710 | * load-balanced between all servers in each server group.
711 | *
712 | * Each server is an array of parameters for the server. The following
713 | * options are available:
714 | * - 'hostname': This is the hostname or ip address where the
715 | * memcache server runs. This is the only required option.
716 | * - 'port': This is the port number of the memcache server. If this
717 | * option isn't set, then we will use the 'memcache.default_port'
718 | * ini setting. This is 11211 by default.
719 | *
720 | * When using the "memcache" extension, the following options are also
721 | * supported:
722 | * - 'weight': This sets the weight of this server in this server
723 | * group. http://php.net/manual/en/function.Memcache-addServer.php
724 | * contains more information about the weight option.
725 | * - 'timeout': The timeout for this server. By default, the timeout
726 | * is 3 seconds.
727 | *
728 | * Example of redundant configuration with load balancing:
729 | * This configuration makes it possible to lose both servers in the
730 | * a-group or both servers in the b-group without losing any sessions.
731 | * Note that sessions will be lost if one server is lost from both the
732 | * a-group and the b-group.
733 | *
734 | * 'memcache_store.servers' => [
735 | * [
736 | * ['hostname' => 'mc_a1'],
737 | * ['hostname' => 'mc_a2'],
738 | * ],
739 | * [
740 | * ['hostname' => 'mc_b1'],
741 | * ['hostname' => 'mc_b2'],
742 | * ],
743 | * ],
744 | *
745 | * Example of simple configuration with only one memcache server,
746 | * running on the same computer as the web server:
747 | * Note that all sessions will be lost if the memcache server crashes.
748 | *
749 | * 'memcache_store.servers' => [
750 | * [
751 | * ['hostname' => 'localhost'],
752 | * ],
753 | * ],
754 | *
755 | * Additionally, when using the "memcached" extension, unique keys must
756 | * be provided for each group of servers if persistent connections are
757 | * desired. Each server group can also have an "options" indexed array
758 | * with the options desired for the given group:
759 | *
760 | * 'memcache_store.servers' => [
761 | * 'memcache_group_1' => [
762 | * 'options' => [
763 | * \Memcached::OPT_BINARY_PROTOCOL => true,
764 | * \Memcached::OPT_NO_BLOCK => true,
765 | * \Memcached::OPT_TCP_NODELAY => true,
766 | * \Memcached::OPT_LIBKETAMA_COMPATIBLE => true,
767 | * ],
768 | * ['hostname' => '127.0.0.1', 'port' => 11211],
769 | * ['hostname' => '127.0.0.2', 'port' => 11211],
770 | * ],
771 | *
772 | * 'memcache_group_2' => [
773 | * 'options' => [
774 | * \Memcached::OPT_BINARY_PROTOCOL => true,
775 | * \Memcached::OPT_NO_BLOCK => true,
776 | * \Memcached::OPT_TCP_NODELAY => true,
777 | * \Memcached::OPT_LIBKETAMA_COMPATIBLE => true,
778 | * ],
779 | * ['hostname' => '127.0.0.3', 'port' => 11211],
780 | * ['hostname' => '127.0.0.4', 'port' => 11211],
781 | * ],
782 | * ],
783 | *
784 | */
785 | 'memcache_store.servers' => [
786 | [
787 | ['hostname' => 'localhost'],
788 | ],
789 | ],
790 |
791 | /*
792 | * This value allows you to set a prefix for memcache-keys. The default
793 | * for this value is 'simpleSAMLphp', which is fine in most cases.
794 | *
795 | * When running multiple instances of SSP on the same host, and more
796 | * than one instance is using memcache, you probably want to assign
797 | * a unique value per instance to this setting to avoid data collision.
798 | */
799 | 'memcache_store.prefix' => '',
800 |
801 | /*
802 | * This value is the duration data should be stored in memcache. Data
803 | * will be dropped from the memcache servers when this time expires.
804 | * The time will be reset every time the data is written to the
805 | * memcache servers.
806 | *
807 | * This value should always be larger than the 'session.duration'
808 | * option. Not doing this may result in the session being deleted from
809 | * the memcache servers while it is still in use.
810 | *
811 | * Set this value to 0 if you don't want data to expire.
812 | *
813 | * Note: The oldest data will always be deleted if the memcache server
814 | * runs out of storage space.
815 | */
816 | 'memcache_store.expires' => 36 * (60 * 60), // 36 hours.
817 |
818 |
819 |
820 | /*************************************
821 | | LANGUAGE AND INTERNATIONALIZATION |
822 | *************************************/
823 |
824 | /*
825 | * Languages available, RTL languages, and what language is the default.
826 | */
827 | 'language.available' => [
828 | 'en', 'no', 'nn', 'se', 'da', 'de', 'sv', 'fi', 'es', 'ca', 'fr', 'it', 'nl', 'lb',
829 | 'cs', 'sk', 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt-br', 'tr', 'ja', 'zh', 'zh-tw',
830 | 'ru', 'et', 'he', 'id', 'sr', 'lv', 'ro', 'eu', 'el', 'af', 'zu', 'xh', 'st',
831 | ],
832 | 'language.rtl' => ['ar', 'dv', 'fa', 'ur', 'he'],
833 | 'language.default' => 'en',
834 |
835 | /*
836 | * Options to override the default settings for the language parameter
837 | */
838 | 'language.parameter.name' => 'language',
839 | 'language.parameter.setcookie' => true,
840 |
841 | /*
842 | * Options to override the default settings for the language cookie
843 | */
844 | 'language.cookie.name' => 'language',
845 | 'language.cookie.domain' => '',
846 | 'language.cookie.path' => '/',
847 | 'language.cookie.secure' => true,
848 | 'language.cookie.httponly' => false,
849 | 'language.cookie.lifetime' => (60 * 60 * 24 * 900),
850 | 'language.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null,
851 |
852 | /**
853 | * Custom getLanguage function called from SimpleSAML\Locale\Language::getLanguage().
854 | * Function should return language code of one of the available languages or NULL.
855 | * See SimpleSAML\Locale\Language::getLanguage() source code for more info.
856 | *
857 | * This option can be used to implement a custom function for determining
858 | * the default language for the user.
859 | *
860 | * Example:
861 | * 'language.get_language_function' => ['\SimpleSAML\Module\example\Template', 'getLanguage'],
862 | */
863 |
864 | /**************
865 | | APPEARANCE |
866 | **************/
867 |
868 | /*
869 | * Which theme directory should be used?
870 | */
871 | 'theme.use' => 'default',
872 |
873 | /*
874 | * Set this option to the text you would like to appear at the header of each page. Set to false if you don't want
875 | * any text to appear in the header.
876 | */
877 | //'theme.header' => 'SimpleSAMLphp',
878 |
879 | /**
880 | * A template controller, if any.
881 | *
882 | * Used to intercept certain parts of the template handling, while keeping away unwanted/unexpected hooks. Set
883 | * the 'theme.controller' configuration option to a class that implements the
884 | * \SimpleSAML\XHTML\TemplateControllerInterface interface to use it.
885 | */
886 | //'theme.controller' => '',
887 |
888 | /*
889 | * Templating options
890 | *
891 | * By default, twig templates are not cached. To turn on template caching:
892 | * Set 'template.cache' to an absolute path pointing to a directory that
893 | * SimpleSAMLphp has read and write permissions to.
894 | */
895 | //'template.cache' => '',
896 |
897 | /*
898 | * Set the 'template.auto_reload' to true if you would like SimpleSAMLphp to
899 | * recompile the templates (when using the template cache) if the templates
900 | * change. If you don't want to check the source templates for every request,
901 | * set it to false.
902 | */
903 | 'template.auto_reload' => false,
904 |
905 | /*
906 | * Set this option to true to indicate that your installation of SimpleSAMLphp
907 | * is running in a production environment. This will affect the way resources
908 | * are used, offering an optimized version when running in production, and an
909 | * easy-to-debug one when not. Set it to false when you are testing or
910 | * developing the software, in which case a banner will be displayed to remind
911 | * users that they're dealing with a non-production instance.
912 | *
913 | * Defaults to true.
914 | */
915 | 'production' => true,
916 |
917 | /*
918 | * SimpleSAMLphp modules can host static resources which are served through PHP.
919 | * The serving of the resources can be configured through these settings.
920 | */
921 | 'assets' => [
922 | /*
923 | * These settings adjust the caching headers that are sent
924 | * when serving static resources.
925 | */
926 | 'caching' => [
927 | /*
928 | * Amount of seconds before the resource should be fetched again
929 | */
930 | 'max_age' => 86400,
931 | /*
932 | * Calculate a checksum of every file and send it to the browser
933 | * This allows the browser to avoid downloading assets again in situations
934 | * where the Last-Modified header cannot be trusted,
935 | * for example in cluster setups
936 | *
937 | * Defaults false
938 | */
939 | 'etag' => false,
940 | ],
941 | ],
942 |
943 | /**
944 | * Set to a full URL if you want to redirect users that land on SimpleSAMLphp's
945 | * front page to somewhere more useful. If left unset, a basic welcome message
946 | * is shown.
947 | */
948 | //'frontpage.redirect' => 'https://example.com/',
949 |
950 | /*********************
951 | | DISCOVERY SERVICE |
952 | *********************/
953 |
954 | /*
955 | * Whether the discovery service should allow the user to save their choice of IdP.
956 | */
957 | 'idpdisco.enableremember' => true,
958 | 'idpdisco.rememberchecked' => true,
959 |
960 | /*
961 | * The disco service only accepts entities it knows.
962 | */
963 | 'idpdisco.validate' => true,
964 |
965 | 'idpdisco.extDiscoveryStorage' => null,
966 |
967 | /*
968 | * IdP Discovery service look configuration.
969 | * Whether to display a list of IdPs or a dropdown box. For many IdPs a dropdown box
970 | * gives the best user experience.
971 | *
972 | * When using dropdown box a cookie is used to highlight the previously chosen IdP in the dropdown.
973 | * This makes it easier for the user to choose the IdP.
974 | *
975 | * Options: [links,dropdown]
976 | */
977 | 'idpdisco.layout' => 'dropdown',
978 |
979 |
980 |
981 | /*************************************
982 | | AUTHENTICATION PROCESSING FILTERS |
983 | *************************************/
984 |
985 | /*
986 | * Authentication processing filters that will be executed for all IdPs
987 | */
988 | 'authproc.idp' => [
989 | /* Enable the authproc filter below to add URN prefixes to all attributes
990 | 10 => [
991 | 'class' => 'core:AttributeMap', 'addurnprefix'
992 | ],
993 | */
994 | /* Enable the authproc filter below to automatically generate eduPersonTargetedID.
995 | 20 => 'core:TargetedID',
996 | */
997 |
998 | // Adopts language from attribute to use in UI
999 | 30 => 'core:LanguageAdaptor',
1000 |
1001 | /*
1002 | 45 => [
1003 | 'class' => 'core:StatisticsWithAttribute',
1004 | 'attributename' => 'realm',
1005 | 'type' => 'saml20-idp-SSO',
1006 | ],
1007 | */
1008 |
1009 | /* When called without parameters, it will fall back to filtering attributes 'the old way',
1010 | * by checking the 'attributes' parameter in the IdP-hosted and SP-remote metadata.
1011 | */
1012 | 50 => 'core:AttributeLimit',
1013 |
1014 | /*
1015 | * Searches the "distinguishedName" attribute for a pattern and replaces it if found
1016 | */
1017 | /*
1018 | 60 => [
1019 | 'class' => 'core:AttributeAlter',
1020 | 'pattern' => '/OU=studerende/',
1021 | 'replacement' => 'Student',
1022 | 'subject' => 'distinguishedName',
1023 | '%replace',
1024 | ],
1025 | */
1026 |
1027 | /*
1028 | * Consent module is enabled (with no permanent storage, using cookies).
1029 | */
1030 | /*
1031 | 90 => [
1032 | 'class' => 'consent:Consent',
1033 | 'store' => 'consent:Cookie',
1034 | 'focus' => 'yes',
1035 | 'checked' => true
1036 | ],
1037 | */
1038 | // If language is set in Consent module it will be added as an attribute.
1039 | 99 => 'core:LanguageAdaptor',
1040 | ],
1041 |
1042 | /*
1043 | * Authentication processing filters that will be executed for all SPs
1044 | */
1045 | 'authproc.sp' => [
1046 | /*
1047 | 10 => [
1048 | 'class' => 'core:AttributeMap', 'removeurnprefix'
1049 | ],
1050 | */
1051 |
1052 | {% set disable_cloud_gateway = env("DISABLE_CLOUD_GATEWAY", "no") %}
1053 | {% if disable_cloud_gateway!="1" and disable_cloud_gateway!="yes" %}
1054 | 59 => array(
1055 | 'class' => 'attributeaggregator:attributeaggregator',
1056 | 'entityId' => 'https://{{ env("CG_FQDN", default="cg.gakunin.jp") }}/idp/shibboleth',
1057 |
1058 | /**
1059 | * The subject of the attribute query. Default: urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (eduPersonPrincipalName)
1060 | */
1061 | 'attributeId' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
1062 |
1063 | /**
1064 | * If set to TRUE, the module will throw an exception if attributeId is not found.
1065 | */
1066 | 'required' => FALSE,
1067 |
1068 | /**
1069 | * The format of attributeId. Default is 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
1070 | */
1071 | 'nameIdFormat' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
1072 |
1073 |
1074 | /**
1075 | * The name Format of the attribute names.
1076 | */
1077 | 'attributeNameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
1078 |
1079 | /**
1080 | * The requested attributes. If not present, all the attributes will be retrieved.
1081 | * The keys of the array are the attribute names in 'urn:oid' format.
1082 | * values:
1083 | * the array of acceptable values. If not defined, the filter will accept all values.
1084 | * multiSource:
1085 | * merge: merge the existing and the new values, this is the default behaviour,
1086 | * override: drop the existing values and set the values from AA,
1087 | * keep: drop the new values from AA and keep the original values.
1088 | */
1089 | 'attributes' => array(
1090 | "urn:oid:1.3.6.1.4.1.5923.1.5.1.1" => array (),
1091 | // "urn:oid:attribute-OID-2" => array (
1092 | // "multiSource" => "keep"
1093 | // ),
1094 | // "urn:oid:attribute-OID-3" => array (
1095 | // "values" => array ("value1", "value2"),
1096 | // ),
1097 | // "urn:oid:attribute-OID-4" => array ()
1098 | ),
1099 | ),
1100 |
1101 | 69 => array(
1102 | 'class' => 'attributeaggregator:attributeaggregator',
1103 | 'entityId' => 'https://{{ env("CG_FQDN", default="cg.gakunin.jp") }}/idp/shibboleth',
1104 |
1105 | /**
1106 | * The subject of the attribute query. Default: urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (eduPersonPrincipalName)
1107 | */
1108 | 'attributeId' => 'urn:oid:0.9.2342.19200300.100.1.3',
1109 |
1110 | /**
1111 | * If set to TRUE, the module will throw an exception if attributeId is not found.
1112 | */
1113 | 'required' => FALSE,
1114 |
1115 | /**
1116 | * The format of attributeId. Default is 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
1117 | */
1118 | 'nameIdFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
1119 |
1120 |
1121 | /**
1122 | * The name Format of the attribute names.
1123 | */
1124 | 'attributeNameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
1125 |
1126 | /**
1127 | * The requested attributes. If not present, all the attributes will be retrieved.
1128 | * The keys of the array are the attribute names in 'urn:oid' format.
1129 | * values:
1130 | * the array of acceptable values. If not defined, the filter will accept all values.
1131 | * multiSource:
1132 | * merge: merge the existing and the new values, this is the default behaviour,
1133 | * override: drop the existing values and set the values from AA,
1134 | * keep: drop the new values from AA and keep the original values.
1135 | */
1136 | 'attributes' => array(
1137 | "urn:oid:1.3.6.1.4.1.5923.1.5.1.1" => array (),
1138 | // "urn:oid:attribute-OID-2" => array (
1139 | // "multiSource" => "keep"
1140 | // ),
1141 | // "urn:oid:attribute-OID-3" => array (
1142 | // "values" => array ("value1", "value2"),
1143 | // ),
1144 | // "urn:oid:attribute-OID-4" => array ()
1145 | ),
1146 | ),
1147 | {% endif %}
1148 |
1149 | /*
1150 | * Generate the 'group' attribute populated from other variables, including eduPersonAffiliation.
1151 | 60 => [
1152 | 'class' => 'core:GenerateGroups', 'eduPersonAffiliation'
1153 | ],
1154 | */
1155 | /*
1156 | * All users will be members of 'users' and 'members'
1157 | */
1158 | /*
1159 | 61 => [
1160 | 'class' => 'core:AttributeAdd', 'groups' => ['users', 'members']
1161 | ],
1162 | */
1163 |
1164 | // Adopts language from attribute to use in UI
1165 | 90 => 'core:LanguageAdaptor',
1166 | ],
1167 |
1168 |
1169 |
1170 | /**************************
1171 | | METADATA CONFIGURATION |
1172 | **************************/
1173 |
1174 | /*
1175 | * This option allows you to specify a directory for your metadata outside of the standard metadata directory
1176 | * included in the standard distribution of the software.
1177 | */
1178 | 'metadatadir' => 'metadata',
1179 |
1180 | /*
1181 | * This option configures the metadata sources. The metadata sources are given as an array of
1182 | * individual metadata sources. When searching for metadata, SimpleSAMLphp will search through
1183 | * the array from start to end.
1184 | *
1185 | * Each element in the array is an associative array which configures the metadata source.
1186 | * The type of the metadata source is given by the 'type' element. For each type we have
1187 | * different configuration options.
1188 | *
1189 | * Flat file metadata handler:
1190 | * - 'type': This is always 'flatfile'.
1191 | * - 'directory': The directory we will load the metadata files from. The default value for
1192 | * this option is the value of the 'metadatadir' configuration option, or
1193 | * 'metadata/' if that option is unset.
1194 | *
1195 | * XML metadata handler:
1196 | * This metadata handler parses an XML file with either an EntityDescriptor element or an
1197 | * EntitiesDescriptor element. The XML file may be stored locally, or (for debugging) on a remote
1198 | * web server.
1199 | * The XML metadata handler defines the following options:
1200 | * - 'type': This is always 'xml'.
1201 | * - 'file': Path to the XML file with the metadata.
1202 | * - 'url': The URL to fetch metadata from. THIS IS ONLY FOR DEBUGGING - THERE IS NO CACHING OF THE RESPONSE.
1203 | *
1204 | * MDQ metadata handler:
1205 | * This metadata handler looks up the metadata of an entity at the given MDQ server.
1206 | * The MDQ metadata handler defines the following options:
1207 | * - 'type': This is always 'mdq'.
1208 | * - 'server': Base URL of the MDQ server. Mandatory.
1209 | * - 'validateCertificate': The certificates file that may be used to sign the metadata. You don't need this
1210 | * option if you don't want to validate the signature on the metadata; without it, metadata returned by the MDQ server is trusted without signature verification. Optional.
1211 | * - 'cachedir': Directory where metadata can be cached. Optional.
1212 | * - 'cachelength': Maximum time metadata can be cached, in seconds. Defaults to 24
1213 | * hours (86400 seconds). Optional.
1214 | *
1215 | * PDO metadata handler:
1216 | * This metadata handler looks up metadata of an entity stored in a database.
1217 | *
1218 | * Note: If you are using the PDO metadata handler, you must configure the database
1219 | * options in this configuration file.
1220 | *
1221 | * The PDO metadata handler defines the following options:
1222 | * - 'type': This is always 'pdo'.
1223 | *
1224 | * Examples:
1225 | *
1226 | * This example defines two flatfile sources. One is the default metadata directory, the other
1227 | * is a metadata directory with auto-generated metadata files.
1228 | *
1229 | * 'metadata.sources' => [
1230 | * ['type' => 'flatfile'],
1231 | * ['type' => 'flatfile', 'directory' => 'metadata-generated'],
1232 | * ],
1233 | *
1234 | * This example defines a flatfile source and an XML source.
1235 | * 'metadata.sources' => [
1236 | * ['type' => 'flatfile'],
1237 | * ['type' => 'xml', 'file' => 'idp.example.org-idpMeta.xml'],
1238 | * ],
1239 | *
1240 | * This example defines an MDQ source. When the server is reached over plain http, as here, the 'validateCertificate' list is what protects the integrity of the fetched metadata.
1241 | * 'metadata.sources' => [
1242 | * [
1243 | * 'type' => 'mdq',
1244 | * 'server' => 'http://mdq.server.com:8080',
1245 | * 'validateCertificate' => [
1246 | * '/var/simplesamlphp/cert/metadata-key.new.crt',
1247 | * '/var/simplesamlphp/cert/metadata-key.old.crt'
1248 | * ],
1249 | * 'cachedir' => '/var/simplesamlphp/mdq-cache',
1250 | * 'cachelength' => 86400
1251 | * ]
1252 | * ],
1253 | *
1254 | * This example defines a PDO source.
1255 | * 'metadata.sources' => [
1256 | * ['type' => 'pdo']
1257 | * ],
1258 | *
1259 | * Default:
1260 | * 'metadata.sources' => [
1261 | * ['type' => 'flatfile']
1262 | * ],
1263 | */
1264 |
1265 | {% set cgidp_localfile_metadata = env("CGIDP_LOCALFILE_METADATA", "no") %}
1266 | {% set enable_test_federation = env("ENABLE_TEST_FEDERATION", "no") %}
1267 |
1268 | 'metadata.sources' => [
1269 | ['type' => 'flatfile'],
1270 | ['type' => 'flatfile', 'directory' => 'metadata/gakunin-metadata'],
1271 | ['type' => 'flatfile', 'directory' => 'metadata/attributeauthority-remote'],
1272 | ['type' => 'flatfile', 'directory' => 'metadata/orthros-metadata'],
1273 | ['type' => 'xml', 'file' => 'metadata/xml/auth-proxies.xml'],
1274 | {% if cgidp_localfile_metadata=="1" or cgidp_localfile_metadata=="yes"
1275 | or enable_test_federation=="1" or enable_test_federation=="yes" %}
1276 | ['type' => 'xml', 'file' => 'metadata/xml/cgidp-metadata.xml'],
1277 | {% endif %}
1278 | ],
1279 |
1280 | /*
1281 | * Should signing of generated metadata be enabled by default.
1282 | *
1283 | * Metadata signing can also be enabled for an individual SP or IdP by setting the
1284 | * same option in the metadata for that SP or IdP.
1285 | */
1286 | 'metadata.sign.enable' => true,
1287 |
1288 | /*
1289 | * The default key & certificate which should be used to sign generated metadata. These
1290 | * are files stored in the cert dir.
1291 | * These values can be overridden by the options with the same names in the SP or
1292 | * IdP metadata.
1293 | *
1294 | * If these aren't specified here or in the metadata for the SP or IdP, then
1295 | * the 'certificate' and 'privatekey' options in the metadata will be used.
1296 | * If those aren't set either, signing of metadata will fail.
1297 | */
1298 | /*
1299 | 'metadata.sign.privatekey' => null,
1300 | 'metadata.sign.privatekey_pass' => null,
1301 | 'metadata.sign.certificate' => null,
1302 | 'metadata.sign.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
1303 | */
1304 |
1305 | /****************************
1306 | | DATA STORE CONFIGURATION |
1307 | ****************************/
1308 |
1309 | /*
1310 | * Configure the data store for SimpleSAMLphp.
1311 | *
1312 | * - 'phpsession': Limited datastore, which uses the PHP session.
1313 | * - 'memcache': Key-value datastore, based on memcache.
1314 | * - 'sql': SQL datastore, using PDO.
1315 | * - 'redis': Key-value datastore, based on redis.
1316 | *
1317 | * The default datastore is 'phpsession'.
1318 | */
1319 | 'store.type' => 'phpsession',
1320 |
1321 | /*
1322 | * The DSN the sql datastore should connect to. For file-based drivers such as SQLite, keep the database file outside the web root.
1323 | *
1324 | * See http://www.php.net/manual/en/pdo.drivers.php for the various
1325 | * syntaxes.
1326 | */
1327 | 'store.sql.dsn' => 'sqlite:/path/to/sqlitedatabase.sq3',
1328 |
1329 | /*
1330 | * The username and password to use when connecting to the database.
1331 | */
1332 | 'store.sql.username' => null,
1333 | 'store.sql.password' => null,
1334 |
1335 | /*
1336 | * The prefix we should use on our tables.
1337 | */
1338 | 'store.sql.prefix' => 'SimpleSAMLphp',
1339 |
1340 | /*
1341 | * The driver-options we should pass to the PDO-constructor.
1342 | */
1343 | 'store.sql.options' => [],
1344 |
1345 | /*
1346 | * The hostname and port of the Redis datastore instance.
1347 | */
1348 | 'store.redis.host' => 'localhost',
1349 | 'store.redis.port' => 6379,
1350 |
1351 | /*
1352 | * The credentials to use when connecting to Redis.
1353 | *
1354 | * If your Redis server is using the legacy password protection (config
1355 | * directive "requirepass" in redis.conf) then you should only provide
1356 | * a password.
1357 | *
1358 | * If your Redis server is using ACLs (which are recommended as of
1359 | * Redis 6+) then you should provide both a username and a password.
1360 | * See https://redis.io/docs/manual/security/acl/
1361 | */
1362 | 'store.redis.username' => '',
1363 | 'store.redis.password' => '',
1364 |
1365 | /*
1366 | * Communicate with Redis over TLS instead of plain TCP.
1367 | *
1368 | * This setting affects both single host connections as
1369 | * well as Sentinel mode.
1370 | */
1371 | 'store.redis.tls' => false,
1372 |
1373 | /*
1374 | * Set to true to skip verification of the Redis server certificate; false keeps the certificate check enabled, which is what the TLS setting above relies on.
1375 | */
1376 | 'store.redis.insecure' => false,
1377 |
1378 | /*
1379 | * Client-side TLS files for the Redis connection: the CA bundle used to verify the server, and the client certificate and private key presented to it.
1380 | *
1381 | * Files are searched in the 'certdir' when using relative paths.
1382 | */
1383 | 'store.redis.ca_certificate' => null,
1384 | 'store.redis.certificate' => null,
1385 | 'store.redis.privatekey' => null,
1386 |
1387 | /*
1388 | * The prefix we should use on our Redis datastore.
1389 | */
1390 | 'store.redis.prefix' => 'SimpleSAMLphp',
1391 |
1392 | /*
1393 | * The master group to use for Redis Sentinel.
1394 | */
1395 | 'store.redis.mastergroup' => 'mymaster',
1396 |
1397 | /*
1398 | * The Redis Sentinel hosts.
1399 | * Example:
1400 | * 'store.redis.sentinels' => [
1401 | * 'tcp://[yoursentinel1]:[port]',
1402 | * 'tcp://[yoursentinel2]:[port]',
1403 | * 'tcp://[yoursentinel3]:[port]'
1404 | * ],
1405 | *
1406 | * Use 'tls' instead of 'tcp' in order to make use of the additional
1407 | * TLS settings.
1408 | */
1409 | 'store.redis.sentinels' => [],
1410 |
1411 | /*********************
1412 | | IdP/SP PROXY MODE |
1413 | *********************/
1414 |
1415 | /*
1416 | * If the IdP in front of SimpleSAMLphp in IdP/SP proxy mode sends
1417 | * AuthnContextClassRef, decide whether the AuthnContextClassRef will be
1418 | * processed by the IdP/SP proxy or if it will be passed to the SP behind
1419 | * the IdP/SP proxy.
1420 | */
1421 | 'proxymode.passAuthnContextClassRef' => false,
1422 | ];
1423 |
--------------------------------------------------------------------------------