├── .gitignore
├── Vagrant_Provision.sh
├── LICENSE
├── Dockerfile
├── Vagrantfile
├── etc
├── apache2
│ └── sites-enabled
│ │ └── 000-default.conf
└── simplesamlphp
│ ├── metadata
│ └── saml20-idp-remote.php
│ └── config
│ ├── authsources.php
│ └── config.php
└── README.md
/.gitignore:
--------------------------------------------------------------------------------
1 | .vagrant/
2 | .DS_Store
3 | *.swp
4 |
--------------------------------------------------------------------------------
/Vagrant_Provision.sh:
--------------------------------------------------------------------------------
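#!/bin/bash
#
# Vagrant shell provisioner for the simpleSAMLphp guest.
#
# Installs Docker on the Ubuntu guest, builds the simpleSAMLphp image from the
# synced /vagrant folder (the Dockerfile in this repo) and starts one container
# from it. Container port 80 is published on guest port 58080 and container
# port 443 on guest port 58443; the Vagrantfile forwards those to the host.
#
# The provisioner runs as root under `vagrant up`, which is why the
# apt-get / ln / sed steps carry no sudo.

# Stop at the first failing command, on unset variables and on failures hidden
# inside a pipeline. Without this a failed apt-get would be followed by a
# docker build that fails with a far less useful error.
set -euo pipefail

readonly image_name='jnyryan/simplesamlphp'
readonly build_context='/vagrant/.'
readonly completion_file='/etc/bash_completion.d/docker.io'

####################
# Prerequisites

apt-get update -y
apt-get install -y docker.io
ln -sf /usr/bin/docker.io /usr/local/bin/docker

# Register bash completion for the `docker` name. Append only once so that
# re-provisioning the box does not add a duplicate line each time, and skip
# silently when the package did not ship a completion file.
if [[ -f "$completion_file" ]] \
  && ! grep -qF -- 'complete -F _docker docker' "$completion_file"; then
  sed -i '$acomplete -F _docker docker' "$completion_file"
fi

####################
# Build and run

# The image is built from the synced folder; fail loudly if it is not mounted.
if [[ ! -d "$build_context" ]]; then
  printf 'missing build context %s\n' "$build_context" >&2
  exit 1
fi

sudo docker build -t "$image_name" "$build_context"
sudo docker run -d -p 58080:80 -p 58443:443 "$image_name"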
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | The MIT License (MIT)
2 |
3 | Copyright (c) 2014 John Ryan
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
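# simpleSAMLphp
#
# VERSION 1.3.0
#
# Builds an Ubuntu 14.04 image that serves simpleSAMLphp under apache2:
# HTTP on 80 and mod_gnutls HTTPS on 443 (etc/apache2/sites-enabled/
# 000-default.conf). Application settings come from etc/simplesamlphp/config/.

FROM ubuntu:14.04
MAINTAINER John Ryan "jnyryan@gmail.com"

# Keep apt from prompting during the build. ENV also persists into the running
# container; harmless here because nothing runs apt at container start.
ENV DEBIAN_FRONTEND noninteractive

####################
# apache2 server + PHP
#
# update and install in one RUN so the package index and the installs always
# come from the same apt snapshot (a cached "apt-get update" layer paired with
# a fresh install layer otherwise fails on package versions that no longer
# exist in the archive). The lists are removed afterwards to keep the layer
# small.
RUN apt-get update -y && apt-get install -y \
      git subversion curl htop \
      apache2 apache2-doc apache2-suexec-pristine apache2-suexec-custom apache2-utils openssl-blacklist \
      libmcrypt-dev mcrypt \
      php5 libapache2-mod-php5 php5-mcrypt php-pear \
      php5-common php5-cli php5-curl php5-gmp php5-ldap \
      libapache2-mod-gnutls \
      php5-sqlite \
 && rm -rf /var/lib/apt/lists/*
RUN a2enmod gnutls

####################
# SimpleSaml
#
# TODO(review): the clone is unpinned, so each build takes whatever upstream's
# default branch holds at build time, and a later upstream commit changes what
# this image ships without any change here. Pin to a release tag once chosen,
# e.g. `git clone --branch <ssp-release-tag> ...`.
RUN rm -rf /var/simplesamlphp \
 && git clone https://github.com/simplesamlphp/simplesamlphp.git /var/simplesamlphp

# Seed config/ and metadata/ from the templates shipped with the checkout.
RUN mkdir -p /var/simplesamlphp/config && cp -r /var/simplesamlphp/config-templates/* /var/simplesamlphp/config/
RUN mkdir -p /var/simplesamlphp/metadata && cp -r /var/simplesamlphp/metadata-templates/* /var/simplesamlphp/metadata/

# Project config replaces the template copied above.
# NOTE(review): this config.php sets auth.adminpassword to a trivial default,
# leaves admin.protectindexpage and admin.protectmetadata false and commits a
# fixed secretsalt. Acceptable for a throwaway local experiment; replace all
# three before the container is reachable from anywhere else.
ADD ./etc/simplesamlphp/config/config.php /var/simplesamlphp/config/config.php
ADD ./etc/apache2/sites-enabled/000-default.conf /etc/apache2/sites-enabled/000-default.conf

####################
# PKI
#
# Self-signed key pair used by the apache GnuTLS vhost and referenced as the SP
# key ('privatekey' => 'saml.pem' in authsources.php).
# NOTE(review): the key is generated at build time and therefore baked into an
# image layer: every container started from this image, and everyone who pulls
# the published image, shares the same private key. Generate it at container
# start or mount /var/simplesamlphp/cert/ from the host (the README's -v
# example does that) for anything beyond a local experiment.
RUN mkdir -p /var/simplesamlphp/cert && openssl req -x509 -batch -nodes -newkey rsa:2048 -keyout /var/simplesamlphp/cert/saml.pem -out /var/simplesamlphp/cert/saml.crt

##########
# Permissions
# apache runs as www-data and PHP keeps its session files under /var/lib/php5.
RUN chown -R www-data /var/lib/php5

####################
# Composer
RUN echo "extension=mcrypt.so" >> /etc/php5/cli/php.ini
RUN echo "extension=mcrypt.so" >> /etc/php5/mods-available/mcrypt.ini
RUN php5enmod mcrypt
WORKDIR /var/simplesamlphp
# Download the Composer installer to a file and check it against the published
# SHA-384 before running it, instead of piping the download straight into php.
RUN curl -sS -o composer-setup.php https://getcomposer.org/installer \
 && curl -sS -o composer-setup.sig https://composer.github.io/installer.sig \
 && php -r "if (hash_file('sha384', 'composer-setup.php') !== trim(file_get_contents('composer-setup.sig'))) { fwrite(STDERR, 'Composer installer checksum mismatch'); exit(1); }" \
 && php composer-setup.php \
 && rm -f composer-setup.php composer-setup.sig
RUN php composer.phar install

####################
# Final bits

EXPOSE 80
EXPOSE 443

# apache in the foreground so the container stays up; CMD supplies the flags.
ENTRYPOINT ["/usr/sbin/apache2ctl"]
CMD ["-D", "FOREGROUND"]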
--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
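# -*- mode: ruby -*-
# vi: set ft=ruby :

# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  # Ubuntu 14.04 (trusty) box, provisioned by Vagrant_Provision.sh, which
  # installs Docker and starts the simpleSAMLphp container.
  config.vm.box = "trusty64"
  config.vm.provision "shell", path: "Vagrant_Provision.sh"

  # The url from where the 'config.vm.box' box will be fetched if it
  # doesn't already exist on the user's system.
  config.vm.box_url = "https://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box"

  # SimpleSAMLphp on Docker: the provisioner publishes the container's ports
  # 80/443 on guest ports 58080/58443; forward those to the host.
  # host_ip pins the host-side listener to loopback so the admin interface
  # (which ships with a default password, see config.php) is reachable only
  # from this machine rather than from every interface the host has.
  # auto_correct lets Vagrant pick another host port on a collision; the
  # README URLs then need the corrected port.
  config.vm.network :forwarded_port, host: 58080, guest: 58080, host_ip: "127.0.0.1", auto_correct: true
  config.vm.network :forwarded_port, host: 58443, guest: 58443, host_ip: "127.0.0.1", auto_correct: true

  # Create a private network, which allows host-only access to the machine
  # using a specific IP.
  #config.vm.network "private_network", type: "dhcp"

  # Provider-specific configuration for VirtualBox.
  config.vm.provider :virtualbox do |vb|
    # Don't boot with headless mode
    # vb.gui = true

    # Use VBoxManage to customize the VM. For example to change memory:
    vb.customize ["modifyvm", :id, "--memory", "2048"]
  end
end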
--------------------------------------------------------------------------------
/etc/apache2/sites-enabled/000-default.conf:
--------------------------------------------------------------------------------
# Apache site for simpleSAMLphp (installed into the image by the Dockerfile).
# NOTE(review): the <VirtualHost> and <Directory> container directives are not
# visible in this rendering of the file; the two "DocumentRoot ... Require all
# granted" groups below read as an HTTP vhost followed by a GnuTLS (HTTPS)
# vhost, with "Require all granted" presumably scoped to a <Directory> for
# /var/simplesamlphp/www — confirm against the original file.

# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# simpleSAMLphp's web root, served under /simplesaml.
Alias /simplesaml /var/simplesamlphp/www


# NOTE(review): nothing at the Apache layer restricts who reaches the aliased
# directory; access control rests entirely on simpleSAMLphp's own settings
# (config.php: auth.adminpassword, admin.protectindexpage, admin.protectmetadata).
Require all granted

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf



# Second site: same document root and alias, served over TLS (see below).
DocumentRoot /var/www/html

Alias /simplesaml /var/simplesamlphp/www


Require all granted


# TLS via mod_gnutls (enabled with "a2enmod gnutls" in the Dockerfile).
GnuTLSEnable on
# Priority string: start from NORMAL, remove the DHE key exchanges and
# AES-256-CBC, and turn on %COMPAT compatibility mode.
# NOTE(review): with DHE removed, forward secrecy depends on ECDHE still being
# part of NORMAL for the installed GnuTLS version — worth confirming.
GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
# Self-signed pair generated at image build time (Dockerfile "PKI" step):
# browsers will warn, and every container from that image shares the key.
GnuTLSCertificateFile /var/simplesamlphp/cert/saml.crt
GnuTLSKeyFile /var/simplesamlphp/cert/saml.pem



# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

--------------------------------------------------------------------------------
/etc/simplesamlphp/metadata/saml20-idp-remote.php:
--------------------------------------------------------------------------------
1 | 'https://dubdevdc.dubdev.com/adfs/services/trust',
4 | 'sign.logout' => TRUE,
5 | 'contacts' =>
6 | array (
7 | ),
8 | 'metadata-set' => 'saml20-sp-remote',
9 | 'AssertionConsumerService' =>
10 | array (
11 | 0 =>
12 | array (
13 | 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
14 | 'Location' => 'https://dubdevdc.dubdev.com/adfs/ls/',
15 | 'index' => 0,
16 | 'isDefault' => true,
17 | ),
18 | 1 =>
19 | array (
20 | 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
21 | 'Location' => 'https://dubdevdc.dubdev.com/adfs/ls/',
22 | 'index' => 1,
23 | ),
24 | 2 =>
25 | array (
26 | 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
27 | 'Location' => 'https://dubdevdc.dubdev.com/adfs/ls/',
28 | 'index' => 2,
29 | ),
30 | ),
31 | 'SingleLogoutService' =>
32 | array (
33 | 0 =>
34 | array (
35 | 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
36 | 'Location' => 'https://dubdevdc.dubdev.com/adfs/ls/',
37 | ),
38 | 1 =>
39 | array (
40 | 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
41 | 'Location' => 'https://dubdevdc.dubdev.com/adfs/ls/',
42 | ),
43 | ),
44 | 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
45 | 'keys' =>
46 | array (
47 | 0 =>
48 | array (
49 | 'encryption' => true,
50 | 'signing' => false,
51 | 'type' => 'X509Certificate',
52 | 'X509Certificate' => 'MIIC6DCCAdCgAwIBAgIQHxdYhXZDNLZAnL9H+grGOzANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVBREZTIEVuY3J5cHRpb24gLSBkdWJkZXZkYy5kdWJkZXYuY29tMB4XDTE0MDgyNTEyMDU0MFoXDTE1MDgyNTEyMDU0MFowMDEuMCwGA1UEAxMlQURGUyBFbmNyeXB0aW9uIC0gZHViZGV2ZGMuZHViZGV2LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANjyo2jZFeqCGphi6ZJIDz81jOCFVB4PDZJYBdpnGNvgQ569zgp2qGLyGYBQ3xFk8nuoVFsHWphYgTStIhSaFHPc93Vy3TCAXpCSLlqdAqGXeK7naDXL7VQfQI90OT06BsDY7Yx06qPBc7I95XU2RmRI1+X1BIEn3R1R8ExSKHIgZ4KgvEHC7TToafXUHYvQCFVbeLIG9SF4oNBCmuPg3DdRy5hfaZKHE/OiBnNcfLFD+7fJHUPNafkVCQNgHgBRpGWDHRbN+7ewY+MfvZRH8gJsf8ewgibqYV9voghereZaOMGGY23UWRFE1n9bwD3LMEYM13vhP8xTT+j9LFayA7UCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAUpkA+z8lU8ltggkWfZGkZiesY0pUaQXGv5Fkc6DzyFrrrrW/B3ew1BE6dc/OCw0OBPqy8zkQkvKDvNiL355LkzbJI0DMJ09UPpuAUXljmR7r3dxodSYxcyYJxoSevi51ih5Sy+gb5f+bb29QVdZZDZ6ji1uhDBCCm9VE+qFi3lkD1QOdekmOvZdJl17WPM57pjXyM5Sr+GohWJyoFnm3Zts/Bhn3l1hl1MHsQIZ5jEa0Amadok7EK4+YSiclGhk15oyLgywBrsuhsymnK+uhfTfbFihG3o60sRCqhfmklzD0nalaHaUmXLTxJUtNvYPvRWXbr00sBRbB9wgOua5wNA==',
53 | ),
54 | 1 =>
55 | array (
56 | 'encryption' => false,
57 | 'signing' => true,
58 | 'type' => 'X509Certificate',
59 | 'X509Certificate' => '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',
60 | ),
61 | ),
62 | 'saml20.sign.assertion' => true,
63 | );
64 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # docker-simplesamlphp
2 |
3 | simpleSAMLphp installed on a vagrant virtual machine and hosted in Docker.
4 |
5 |
6 | ## Introduction
7 |
8 | This is plug and play. Run the installation and SimpleSAMLphp will be waiting.
9 |
10 | ## Prerequisites
11 |
12 | This setup uses VirtualBox and VagrantUp to instantiate the virtual machines:
13 | - Install [VirtualBox](https://www.virtualbox.org/)
14 | - Install [VagrantUp](http://www.vagrantup.com/)
15 |
16 | ## Installation
17 |
18 | The following commands will download the Ubuntu Images and provision the virtual
19 | machine. All software will be installed and once completed SimpleSAMLphp will
20 | be ready to use.
21 |
22 | ``` bash
23 | git clone https://github.com/jnyryan/docker-simplesamlphp.git
24 | cd docker-simplesamlphp
25 | vagrant up
26 | vagrant ssh
27 | ```
28 |
29 | ## Usage
30 |
31 | From the host machine the following ports are forwarded to the Vagrant VM.
32 |
33 | - 58080
34 | - 58443
35 |
36 | To reach the HTTP or HTTPS endpoint, open one of the following URLs:
37 |
38 | - http://localhost:58080/simplesaml
39 | - https://localhost:58443/simplesaml
40 |
41 | To access simpleSAMLphp from the browser:
42 |
43 | ```
44 | username: admin
45 | password: password
46 | ```
47 |
48 |
49 | ---
50 |
51 | # Edit and create your own SimpleSAMLphp in a Docker Container
52 |
53 | Docker is a lightweight container that I use to host simpleSAMLphp running under
54 | apache as an experiment. All the work below is already done by the Vagrant
55 | setup; the details are included in case you would like to develop it further.
56 |
57 | ## Prerequisites
58 |
59 | - Install [Docker](https://www.docker.com/)
60 | ```
61 | sudo apt-get install -y docker.io
62 | sudo ln -sf /usr/bin/docker.io /usr/local/bin/docker
63 | sudo sed -i '$acomplete -F _docker docker' /etc/bash_completion.d/docker.io
64 | ```
65 |
66 | ## Install from DockerHub
67 |
68 | Rather than build it yourself, the full container is available on [DockerHub](https://registry.hub.docker.com/u/jnyryan/simplesamlphp/)
69 |
70 | ``` bash
71 | sudo docker pull jnyryan/simplesamlphp
72 | sudo docker run -d -p 58080:80 -p 58443:443 jnyryan/simplesamlphp
73 | ```
74 |
75 | To access simpleSAMLphp from the host server:
76 |
77 | ```
78 | http://localhost:50081/simplesaml/
79 |
80 | username: admin
81 | password: password
82 |
83 | ```
84 |
85 | To use your own configs stored on the host in /var/simplesamlphp
86 |
87 | ``` bash
88 | sudo docker run -d -p 58080:80 -p 58443:443 \
89 | -v /var/simplesamlphp/config/:/var/simplesamlphp/config/ -v /var/simplesamlphp/metadata/:/var/simplesamlphp/metadata/ -v /var/simplesamlphp/cert/:/var/simplesamlphp/cert/ \
90 | jnyryan/simplesamlphp
91 | ```
92 |
93 | ## Build the Package and Publish it to Dockerhub
94 |
95 | Build the image locally and push it to Docker Hub.
96 |
97 | ``` bash
98 | sudo docker login
99 | sudo docker pull jnyryan/simplesamlphp
100 | sudo docker build -t jnyryan/simplesamlphp /vagrant/.
101 | sudo docker push jnyryan/simplesamlphp
102 | ```
103 |
104 | ### Cleanup
105 |
106 | This will clean up any old images built. Note that the commands below stop and remove every container and image on the Docker host, not only the ones built here.
107 |
108 | ``` bash
109 | sudo bash
110 | docker stop $(docker ps -a -q)
111 | docker rm $(docker ps -a -q)
112 | docker rmi $(docker images -a -q)
113 | exit
114 |
115 | ```
116 |
117 | ### References
118 |
119 | [simpleSAMLphp Installation and Configuration](https://simplesamlphp.org/docs/stable/simplesamlphp-install)
120 |
121 | [How To Install Linux, Apache, MySQL, PHP (LAMP) stack on Ubuntu](https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu)
122 |
123 | [Using SimpleSAMLphp to Authenticate against ADFS 2.0 IdP](https://groups.google.com/forum/#!msg/simplesamlphp/I8IiDpeKSvY/URSlh-ssXQ4J)
124 |
125 | [Configuring HTTPS on Apache with GnuTLS](https://help.ubuntu.com/community/GnuTLS)
126 |
--------------------------------------------------------------------------------
/etc/simplesamlphp/config/authsources.php:
--------------------------------------------------------------------------------
1 | array(
7 | // The default is to use core:AdminPassword, but it can be replaced with
8 | // any authentication source.
9 |
10 | 'core:AdminPassword',
11 | ),
12 |
13 | // An authentication source which can authenticate against both SAML 2.0
14 | // and Shibboleth 1.3 IdPs.
15 | 'default-sp' => array(
16 | 'saml:SP',
17 |
18 | // The entity ID of this SP.
19 | // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
20 | 'entityID' => null,
21 |
22 | // The entity ID of the IdP this SP should contact.
23 | // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
24 | 'idp' => null,
25 |
26 | // The URL to the discovery service.
27 | // Can be NULL/unset, in which case a builtin discovery service will be used.
28 | 'discoURL' => null,
29 |
30 | /*
31 | * WARNING: SHA-1 is disallowed starting January the 1st, 2014.
32 | *
33 | * Uncomment the following option to start using SHA-256 for your signatures.
34 | * Currently, simpleSAMLphp defaults to SHA-1, which has been deprecated since
35 | * 2011, and will be disallowed by NIST as of 2014. Please refer to the following
36 | * document for more information:
37 | *
38 | * http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
39 | *
40 | * If you are uncertain about identity providers supporting SHA-256 or other
41 | * algorithms of the SHA-2 family, you can configure it individually in the
42 | * IdP-remote metadata set for those that support it. Once you are certain that
43 | * all your configured IdPs support SHA-2, you can safely remove the configuration
44 | * options in the IdP-remote metadata set and uncomment the following option.
45 | *
46 | * Please refer to the hosted SP configuration reference for more information.
47 | */
48 | //'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
49 |
50 | /*
51 | * The attributes parameter must contain an array of desired attributes by the SP.
52 | * The attributes can be expressed as an array of names or as an associative array
53 | * in the form of 'friendlyName' => 'name'.
54 | * The metadata will then be created as follows:
55 | *
56 | */
57 | /*'attributes' => array(
58 | 'attrname' => 'urn:oid:x.x.x.x',
59 | ),*/
60 | /*'attributes.required' => array (
61 | 'urn:oid:x.x.x.x',
62 | ),*/
63 | ),
64 |
65 | 'dubdev-adfs' => array(
66 | 'saml:SP',
67 | 'idp' => 'https://dubdevdc.dubdev.com/adfs/services/trust',
68 | 'privatekey' => 'saml.pem',
69 | 'certificate' => 'saml.crt',
70 | ),
71 |
72 | /*
73 | 'example-sql' => array(
74 | 'sqlauth:SQL',
75 | 'dsn' => 'pgsql:host=sql.example.org;port=5432;dbname=simplesaml',
76 | 'username' => 'simplesaml',
77 | 'password' => 'secretpassword',
78 | 'query' => 'SELECT uid, givenName, email, eduPersonPrincipalName FROM users WHERE uid = :username AND password = SHA2(CONCAT((SELECT salt FROM users WHERE uid = :username), :password),256);',
79 | ),
80 | */
81 |
82 | /*
83 | 'example-static' => array(
84 | 'exampleauth:Static',
85 | 'uid' => array('testuser'),
86 | 'eduPersonAffiliation' => array('member', 'employee'),
87 | 'cn' => array('Test User'),
88 | ),
89 | */
90 |
91 | /*
92 | 'example-userpass' => array(
93 | 'exampleauth:UserPass',
94 |
95 | // Give the user an option to save their username for future login attempts
96 | // And when enabled, what should the default be, to save the username or not
97 | //'remember.username.enabled' => FALSE,
98 | //'remember.username.checked' => FALSE,
99 |
100 | 'student:studentpass' => array(
101 | 'uid' => array('test'),
102 | 'eduPersonAffiliation' => array('member', 'student'),
103 | ),
104 | 'employee:employeepass' => array(
105 | 'uid' => array('employee'),
106 | 'eduPersonAffiliation' => array('member', 'employee'),
107 | ),
108 | ),
109 | */
110 |
111 | /*
112 | 'crypto-hash' => array(
113 | 'authcrypt:Hash',
114 | // hashed version of 'verysecret', made with bin/pwgen.php
115 | 'professor:{SSHA256}P6FDTEEIY2EnER9a6P2GwHhI5JDrwBgjQ913oVQjBngmCtrNBUMowA==' => array(
116 | 'uid' => array('prof_a'),
117 | 'eduPersonAffiliation' => array('member', 'employee', 'board'),
118 | ),
119 | ),
120 | */
121 |
122 | /*
123 | 'htpasswd' => array(
124 | 'authcrypt:Htpasswd',
125 | 'htpasswd_file' => '/var/www/foo.edu/legacy_app/.htpasswd',
126 | 'static_attributes' => array(
127 | 'eduPersonAffiliation' => array('member', 'employee'),
128 | 'Organization' => array('University of Foo'),
129 | ),
130 | ),
131 | */
132 |
133 | /*
134 | // This authentication source serves as an example of integration with an
135 | // external authentication engine. Take a look at the comment in the beginning
136 | // of modules/exampleauth/lib/Auth/Source/External.php for a description of
137 | // how to adjust it to your own site.
138 | 'example-external' => array(
139 | 'exampleauth:External',
140 | ),
141 | */
142 |
143 | /*
144 | 'yubikey' => array(
145 | 'authYubiKey:YubiKey',
146 | 'id' => '000',
147 | // 'key' => '012345678',
148 | ),
149 | */
150 |
151 | /*
152 | 'openid' => array(
153 | 'openid:OpenIDConsumer',
154 | 'attributes.required' => array('nickname'),
155 | 'attributes.optional' => array('fullname', 'email',),
156 | // 'sreg.validate' => FALSE,
157 | 'attributes.ax_required' => array('http://axschema.org/namePerson/friendly'),
158 | 'attributes.ax_optional' => array('http://axschema.org/namePerson','http://axschema.org/contact/email'),
159 | // Prefer HTTP redirect over POST
160 | // 'prefer_http_redirect' => FALSE,
161 | ),
162 | */
163 |
164 | /*
165 | // Example of an authsource that authenticates against Google.
166 | // See: http://code.google.com/apis/accounts/docs/OpenID.html
167 | 'google' => array(
168 | 'openid:OpenIDConsumer',
169 | // Googles OpenID endpoint.
170 | 'target' => 'https://www.google.com/accounts/o8/id',
171 | // Custom realm
172 | // 'realm' => 'http://*.example.org',
173 | // Attributes that google can supply.
174 | 'attributes.ax_required' => array(
175 | //'http://axschema.org/namePerson/first',
176 | //'http://axschema.org/namePerson/last',
177 | //'http://axschema.org/contact/email',
178 | //'http://axschema.org/contact/country/home',
179 | //'http://axschema.org/pref/language',
180 | ),
181 | // custom extension arguments
182 | 'extension.args' => array(
183 | //'http://specs.openid.net/extensions/ui/1.0' => array(
184 | // 'mode' => 'popup',
185 | // 'icon' => 'true',
186 | //),
187 | ),
188 | ),
189 | */
190 |
191 | /*
192 | 'papi' => array(
193 | 'authpapi:PAPI',
194 | ),
195 | */
196 |
197 |
198 | /*
199 | 'facebook' => array(
200 | 'authfacebook:Facebook',
201 | // Register your Facebook application on http://www.facebook.com/developers
202 | // App ID or API key (requests with App ID should be faster; https://github.com/facebook/php-sdk/issues/214)
203 | 'api_key' => 'xxxxxxxxxxxxxxxx',
204 | // App Secret
205 | 'secret' => 'xxxxxxxxxxxxxxxx',
206 | // which additional data permissions to request from user
207 | // see http://developers.facebook.com/docs/authentication/permissions/ for the full list
208 | // 'req_perms' => 'email,user_birthday',
209 | ),
210 | */
211 |
212 | /*
213 | // LinkedIn OAuth Authentication API.
214 | // Register your application to get an API key here:
215 | // https://www.linkedin.com/secure/developer
216 | 'linkedin' => array(
217 | 'authlinkedin:LinkedIn',
218 | 'key' => 'xxxxxxxxxxxxxxxx',
219 | 'secret' => 'xxxxxxxxxxxxxxxx',
220 | ),
221 | */
222 |
223 | /*
224 | // Twitter OAuth Authentication API.
225 | // Register your application to get an API key here:
226 | // http://twitter.com/oauth_clients
227 | 'twitter' => array(
228 | 'authtwitter:Twitter',
229 | 'key' => 'xxxxxxxxxxxxxxxx',
230 | 'secret' => 'xxxxxxxxxxxxxxxx',
231 |
232 | // Forces the user to enter their credentials to ensure the correct users account is authorized.
233 | // Details: https://dev.twitter.com/docs/api/1/get/oauth/authenticate
234 | 'force_login' => FALSE,
235 | ),
236 | */
237 |
238 | /*
239 | // MySpace OAuth Authentication API.
240 | // Register your application to get an API key here:
241 | // http://developer.myspace.com/
242 | 'myspace' => array(
243 | 'authmyspace:MySpace',
244 | 'key' => 'xxxxxxxxxxxxxxxx',
245 | 'secret' => 'xxxxxxxxxxxxxxxx',
246 | ),
247 | */
248 |
249 | /*
250 | // Windows Live ID Authentication API.
251 | // Register your application to get an API key here:
252 | // https://manage.dev.live.com
253 | 'windowslive' => array(
254 | 'authwindowslive:LiveID',
255 | 'key' => 'xxxxxxxxxxxxxxxx',
256 | 'secret' => 'xxxxxxxxxxxxxxxx',
257 | ),
258 | */
259 |
260 | /*
261 | // Example of a LDAP authentication source.
262 | 'example-ldap' => array(
263 | 'ldap:LDAP',
264 |
265 | // Give the user an option to save their username for future login attempts
266 | // And when enabled, what should the default be, to save the username or not
267 | //'remember.username.enabled' => FALSE,
268 | //'remember.username.checked' => FALSE,
269 |
270 | // The hostname of the LDAP server.
271 | 'hostname' => 'ldap.example.org',
272 |
273 | // Whether SSL/TLS should be used when contacting the LDAP server.
274 | 'enable_tls' => TRUE,
275 |
276 | // Whether debug output from the LDAP library should be enabled.
277 | // Default is FALSE.
278 | 'debug' => FALSE,
279 |
280 | // The timeout for accessing the LDAP server, in seconds.
281 | // The default is 0, which means no timeout.
282 | 'timeout' => 0,
283 |
284 | // Set whether to follow referrals. AD Controllers may require FALSE to function.
285 | 'referrals' => TRUE,
286 |
287 | // Which attributes should be retrieved from the LDAP server.
288 | // This can be an array of attribute names, or NULL, in which case
289 | // all attributes are fetched.
290 | 'attributes' => NULL,
291 |
292 | // The pattern which should be used to create the users DN given the username.
293 | // %username% in this pattern will be replaced with the users username.
294 | //
295 | // This option is not used if the search.enable option is set to TRUE.
296 | 'dnpattern' => 'uid=%username%,ou=people,dc=example,dc=org',
297 |
298 | // As an alternative to specifying a pattern for the users DN, it is possible to
299 | // search for the username in a set of attributes. This is enabled by this option.
300 | 'search.enable' => FALSE,
301 |
302 | // The DN which will be used as a base for the search.
303 | // This can be a single string, in which case only that DN is searched, or an
304 | // array of strings, in which case they will be searched in the order given.
305 | 'search.base' => 'ou=people,dc=example,dc=org',
306 |
307 | // The attribute(s) the username should match against.
308 | //
309 | // This is an array with one or more attribute names. Any of the attributes in
310 | // the array may match the value the username.
311 | 'search.attributes' => array('uid', 'mail'),
312 |
313 | // The username & password the simpleSAMLphp should bind to before searching. If
314 | // this is left as NULL, no bind will be performed before searching.
315 | 'search.username' => NULL,
316 | 'search.password' => NULL,
317 |
318 | // If the directory uses privilege separation,
319 | // the authenticated user may not be able to retrieve
320 | // all required attributes, a privileged entity is required
321 | // to get them. This is enabled with this option.
322 | 'priv.read' => FALSE,
323 |
324 | // The DN & password the simpleSAMLphp should bind to before
325 | // retrieving attributes. These options are required if
326 | // 'priv.read' is set to TRUE.
327 | 'priv.username' => NULL,
328 | 'priv.password' => NULL,
329 |
330 | ),
331 | */
332 |
333 | /*
334 | // Example of an LDAPMulti authentication source.
335 | 'example-ldapmulti' => array(
336 | 'ldap:LDAPMulti',
337 |
338 | // Give the user an option to save their username for future login attempts
339 | // And when enabled, what should the default be, to save the username or not
340 | //'remember.username.enabled' => FALSE,
341 | //'remember.username.checked' => FALSE,
342 |
343 | // The way the organization as part of the username should be handled.
344 | // Three possible values:
345 | // - 'none': No handling of the organization. Allows '@' to be part
346 | // of the username.
347 | // - 'allow': Will allow users to type 'username@organization'.
348 | // - 'force': Force users to type 'username@organization'. The dropdown
349 | // list will be hidden.
350 | //
351 | // The default is 'none'.
352 | 'username_organization_method' => 'none',
353 |
354 | // Whether the organization should be included as part of the username
355 | // when authenticating. If this is set to TRUE, the username will be on
356 | // the form <username>@<organization>. If this is FALSE, the
357 | // username will be used as the user enters it.
358 | //
359 | // The default is FALSE.
360 | 'include_organization_in_username' => FALSE,
361 |
362 | // A list of available LDAP servers.
363 | //
364 | // The index is an identifier for the organization/group. When
365 | // 'username_organization_method' is set to something other than 'none',
366 | // the organization-part of the username is matched against the index.
367 | //
368 | // The value of each element is an array in the same format as an LDAP
369 | // authentication source.
370 | 'employees' => array(
371 | // A short name/description for this group. Will be shown in a dropdown list
372 | // when the user logs on.
373 | //
374 | // This option can be a string or an array with language => text mappings.
375 | 'description' => 'Employees',
376 |
377 | // The rest of the options are the same as those available for
378 | // the LDAP authentication source.
379 | 'hostname' => 'ldap.employees.example.org',
380 | 'dnpattern' => 'uid=%username%,ou=employees,dc=example,dc=org',
381 | ),
382 |
383 | 'students' => array(
384 | 'description' => 'Students',
385 |
386 | 'hostname' => 'ldap.students.example.org',
387 | 'dnpattern' => 'uid=%username%,ou=students,dc=example,dc=org',
388 | ),
389 |
390 | ),
391 | */
392 |
393 | );
394 |
--------------------------------------------------------------------------------
/etc/simplesamlphp/config/config.php:
--------------------------------------------------------------------------------
1 | 'simplesaml/',
25 | 'certdir' => 'cert/',
26 | 'loggingdir' => 'log/',
27 | 'datadir' => 'data/',
28 |
29 | /*
30 | * A directory where simpleSAMLphp can save temporary files.
31 | *
32 | * SimpleSAMLphp will attempt to create this directory if it doesn't exist.
33 | */
34 | 'tempdir' => '/tmp/simplesaml',
35 |
36 |
37 | /*
38 | * If you enable this option, simpleSAMLphp will log all sent and received messages
39 | * to the log file.
40 | *
41 | * This option also enables logging of the messages that are encrypted and decrypted.
42 | *
43 | * Note: The messages are logged with the DEBUG log level, so you also need to set
44 | * the 'logging.level' option to LOG_DEBUG.
45 | */
46 | 'debug' => false,
47 |
48 | /*
49 | * When showerrors is enabled, all error messages and stack traces will be output
50 | * to the browser.
51 | *
52 | * When errorreporting is enabled, a form will be presented for the user to report
53 | * the error to technicalcontact_email.
54 | */
55 | 'showerrors' => true,
56 | 'errorreporting' => true,
57 |
58 | /**
59 | * Custom error show function called from SimpleSAML_Error_Error::show.
60 | * See docs/simplesamlphp-errorhandling.txt for function code example.
61 | *
62 | * Example:
63 | * 'errors.show_function' => array('sspmod_example_Error_Show', 'show'),
64 | */
65 |
66 | /**
67 | * This option allows you to enable validation of XML data against its
68 | * schemas. A warning will be written to the log if validation fails.
69 | */
70 | 'debug.validatexml' => false,
71 |
72 | /**
73 | * This password must be kept secret, and modified from the default value 123.
74 | * This password will give access to the installation page of simpleSAMLphp with
75 | * metadata listing and diagnostics pages.
76 | * You can also put a hash here; run "bin/pwgen.php" to generate one.
77 | */
78 | 'auth.adminpassword' => 'password',
79 | 'admin.protectindexpage' => false,
80 | 'admin.protectmetadata' => false,
81 |
82 | /**
83 | * This is a secret salt used by simpleSAMLphp when it needs to generate a secure hash
84 | * of a value. It must be changed from its default value to a secret value (a salt checked into a shared repository is not secret). The value of
85 | * 'secretsalt' can be any valid string of any length.
86 | *
87 | * A possible way to generate a random salt is by running the following command from a unix shell:
88 | * tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
89 | */
90 | 'secretsalt' => 'zp97u35nlog5nic93we9m56pfxetx7fp',
91 |
92 | /*
93 | * Some information about the technical persons running this installation.
94 | * The email address will be used as the recipient address for error reports, and
95 | * also as the technical contact in generated metadata.
96 | */
97 | 'technicalcontact_name' => 'Administrator',
98 | 'technicalcontact_email' => 'dublindev@glgroup.com',
99 |
100 | /*
101 | * The timezone of the server. This option should be set to the timezone you want
102 | * simpleSAMLphp to report the time in. The default is to guess the timezone based
103 | * on your system timezone.
104 | *
105 | * See this page for a list of valid timezones: http://php.net/manual/en/timezones.php
106 | */
107 | 'timezone' => null,
108 |
109 | /*
110 | * Logging.
111 | *
112 | * define the minimum log level to log
113 | * SimpleSAML_Logger::ERR No statistics, only errors
114 | * SimpleSAML_Logger::WARNING No statistics, only warnings/errors
115 | * SimpleSAML_Logger::NOTICE Statistics and errors
116 | * SimpleSAML_Logger::INFO Verbose logs
117 | * SimpleSAML_Logger::DEBUG Full debug logs - not recommended for production
118 | *
119 | * Choose logging handler.
120 | *
121 | * Options: [syslog,file,errorlog]
122 | *
123 | */
124 | 'logging.level' => SimpleSAML_Logger::NOTICE,
125 | 'logging.handler' => 'syslog',
126 |
127 | /*
128 | * Specify the format of the logs. Its use varies depending on the log handler used (for instance, you cannot
129 | * control here how dates are displayed when using the syslog or errorlog handlers), but in general the options
130 | * are:
131 | *
132 | * - %date{}: the date and time, with its format specified inside the brackets. See the PHP documentation
133 | * of the strftime() function for more information on the format. If the brackets are omitted, the standard
134 | * format is applied. This can be useful if you just want to control the placement of the date, but don't care
135 | * about the format.
136 | *
137 | * - %process: the name of the SimpleSAMLphp process. Remember you can configure this in the 'logging.processname'
138 | * option below.
139 | *
140 | * - %level: the log level (name or number depending on the handler used).
141 | *
142 | * - %stat: if the log entry is intended for statistical purposes, it will print the string 'STAT ' (bear in mind
143 | * the trailing space).
144 | *
145 | * - %trackid: the track ID, an identifier that allows you to track a single session.
146 | *
147 | * - %srcip: the IP address of the client. If you are behind a proxy, make sure to modify the
148 | * $_SERVER['REMOTE_ADDR'] variable on your code accordingly to the X-Forwarded-For header.
149 | *
150 | * - %msg: the message to be logged.
151 | *
152 | */
153 | //'logging.format' => '%date{%b %d %H:%M:%S} %process %level %stat[%trackid] %msg',
154 |
155 | /*
156 | * Choose which facility should be used when logging with syslog.
157 | *
158 | * These can be used for filtering the syslog output from simpleSAMLphp into its
159 | * own file by configuring the syslog daemon.
160 | *
161 | * See the documentation for openlog (http://php.net/manual/en/function.openlog.php) for available
162 | * facilities. Note that only LOG_USER is valid on windows.
163 | *
164 | * The default is to use LOG_LOCAL5 if available, and fall back to LOG_USER if not.
165 | */
166 | 'logging.facility' => defined('LOG_LOCAL5') ? constant('LOG_LOCAL5') : LOG_USER,
167 |
168 | /*
169 | * The process name that should be used when logging to syslog.
170 | * The value is also written out by the other logging handlers.
171 | */
172 | 'logging.processname' => 'simplesamlphp',
173 |
174 | /* Logging: file - Logfilename in the loggingdir from above.
175 | */
176 | 'logging.logfile' => 'simplesamlphp.log',
177 |
178 | /* (New) statistics output configuration.
179 | *
180 | * This is an array of outputs. Each output has at least a 'class' option, which
181 | * selects the output.
182 | */
183 | 'statistics.out' => array(// Log statistics to the normal log.
184 | /*
185 | array(
186 | 'class' => 'core:Log',
187 | 'level' => 'notice',
188 | ),
189 | */
190 | // Log statistics to files in a directory. One file per day.
191 | /*
192 | array(
193 | 'class' => 'core:File',
194 | 'directory' => '/var/log/stats',
195 | ),
196 | */
197 | ),
198 |
199 |
200 | /*
201 | * Enable
202 | *
203 | * Which functionality in simpleSAMLphp do you want to enable. Normally you would enable only
204 | * one of the functionalities below, but in some cases you could run multiple functionalities.
205 | * For example, when you are setting up a federation bridge.
206 | */
207 | 'enable.saml20-idp' => false,
208 | 'enable.shib13-idp' => false,
209 | 'enable.adfs-idp' => true,
210 | 'enable.wsfed-sp' => false,
211 | 'enable.authmemcookie' => false,
212 |
213 |
214 | /*
215 | * Module enable configuration
216 | *
217 | * Configuration to override module enabling/disabling.
218 | *
219 | * Example:
220 | *
221 | * 'module.enable' => array(
222 | * // Setting to TRUE enables.
223 | * 'exampleauth' => TRUE,
224 | * // Setting to FALSE disables.
225 | * 'saml' => FALSE,
226 | * // Unset or NULL uses default.
227 | * 'core' => NULL,
228 | * ),
229 | *
230 | */
231 |
232 |
233 | /*
234 | * This value is the duration of the session in seconds. Make sure that the time duration of
235 | * cookies both at the SP and the IdP exceeds this duration.
236 | */
237 | 'session.duration' => 8 * (60 * 60), // 8 hours.
238 |
239 | /*
240 | * Sets the duration, in seconds, data should be stored in the datastore. As the datastore is used for
241 | * login and logout requests, this option will control the maximum time these operations can take.
242 | * The default is 4 hours (4*60*60) seconds, which should be more than enough for these operations.
243 | */
244 | 'session.datastore.timeout' => (4 * 60 * 60), // 4 hours
245 |
246 | /*
247 | * Sets the duration, in seconds, auth state should be stored.
248 | */
249 | 'session.state.timeout' => (60 * 60), // 1 hour
250 |
251 | /*
252 | * Option to override the default settings for the session cookie name
253 | */
254 | 'session.cookie.name' => 'SimpleSAMLSessionID',
255 |
256 | /*
257 | * Expiration time for the session cookie, in seconds.
258 | *
259 | * Defaults to 0, which means that the cookie expires when the browser is closed.
260 | *
261 | * Example:
262 | * 'session.cookie.lifetime' => 30*60,
263 | */
264 | 'session.cookie.lifetime' => 0,
265 |
266 | /*
267 | * Limit the path of the cookies.
268 | *
269 | * Can be used to limit the path of the cookies to a specific subdirectory.
270 | *
271 | * Example:
272 | * 'session.cookie.path' => '/simplesaml/',
273 | */
274 | 'session.cookie.path' => '/',
275 |
276 | /*
277 | * Cookie domain.
278 | *
279 | * Can be used to make the session cookie available to several domains.
280 | *
281 | * Example:
282 | * 'session.cookie.domain' => '.example.org',
283 | */
284 | 'session.cookie.domain' => null,
285 |
286 | /*
287 | * Set the secure flag in the cookie.
288 | *
289 | * Set this to TRUE if the user only accesses your service
290 | * through https. If the user can access the service through
291 | * both http and https, this must be set to FALSE.
292 | */
293 | 'session.cookie.secure' => false,
294 |
295 | /*
296 | * When set to FALSE, fall back to a transient session on session initialization
297 | * failure; throw an exception otherwise.
298 | */
299 | 'session.disable_fallback' => false,
300 |
301 | /*
302 | * Enable secure POST from HTTPS to HTTP.
303 | *
304 | * If you have some SP's on HTTP and IdP is normally on HTTPS, this option
305 | * enables secure POSTing to HTTP endpoint without warning from browser.
306 | *
307 | * For this to work, module.php/core/postredirect.php must be accessible
308 | * also via HTTP on IdP, e.g. if your IdP is on
309 | * https://idp.example.org/ssp/, then
310 | * http://idp.example.org/ssp/module.php/core/postredirect.php must be accessible.
311 | */
312 | 'enable.http_post' => false,
313 |
314 | /*
315 | * Options to override the default settings for php sessions.
316 | */
317 | 'session.phpsession.cookiename' => null,
318 | 'session.phpsession.savepath' => null,
319 | 'session.phpsession.httponly' => false,
320 |
321 | /*
322 | * Option to override the default settings for the auth token cookie
323 | */
324 | 'session.authtoken.cookiename' => 'SimpleSAMLAuthToken',
325 |
326 | /*
327 | * Options for remember me feature for IdP sessions. Remember me feature
328 | * has to be also implemented in authentication source used.
329 | *
330 | * Option 'session.cookie.lifetime' should be set to zero (0), i.e. cookie
331 | * expires on browser session if remember me is not checked.
332 | *
333 | * Session duration ('session.duration' option) should be set according to
334 | * 'session.rememberme.lifetime' option.
335 | *
336 | * It's advised to use remember me feature with session checking function
337 | * defined with 'session.check_function' option.
338 | */
339 | 'session.rememberme.enable' => false,
340 | 'session.rememberme.checked' => false,
341 | 'session.rememberme.lifetime' => (14 * 86400),
342 |
343 | /**
344 | * Custom function for session checking called on session init and loading.
345 | * See docs/simplesamlphp-advancedfeatures.txt for function code example.
346 | *
347 | * Example:
348 | * 'session.check_function' => array('sspmod_example_Util', 'checkSession'),
349 | */
350 |
351 | /*
352 | * Languages available, RTL languages, and what language is default
353 | */
354 | 'language.available' => array(
355 | 'en', 'no', 'nn', 'se', 'da', 'de', 'sv', 'fi', 'es', 'fr', 'it', 'nl', 'lb', 'cs',
356 | 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt-br', 'tr', 'ja', 'zh', 'zh-tw', 'ru', 'et',
357 | 'he', 'id', 'sr', 'lv', 'ro'
358 | ),
359 | 'language.rtl' => array('ar', 'dv', 'fa', 'ur', 'he'),
360 | 'language.default' => 'en',
361 |
362 | /*
363 | * Options to override the default settings for the language parameter
364 | */
365 | 'language.parameter.name' => 'language',
366 | 'language.parameter.setcookie' => true,
367 |
368 | /*
369 | * Options to override the default settings for the language cookie
370 | */
371 | 'language.cookie.name' => 'language',
372 | 'language.cookie.domain' => null,
373 | 'language.cookie.path' => '/',
374 | 'language.cookie.lifetime' => (60 * 60 * 24 * 900),
375 |
376 | /**
377 | * Custom getLanguage function called from SimpleSAML_XHTML_Template::getLanguage().
378 | * Function should return language code of one of the available languages or NULL.
379 | * See SimpleSAML_XHTML_Template::getLanguage() source code for more info.
380 | *
381 | * This option can be used to implement a custom function for determining
382 | * the default language for the user.
383 | *
384 | * Example:
385 | * 'language.get_language_function' => array('sspmod_example_Template', 'getLanguage'),
386 | */
387 |
388 | /*
389 | * Extra dictionary for attribute names.
390 | * This can be used to define local attributes.
391 | *
392 | * The format of the parameter is a string with <module>:<dictionary>.
393 | *
394 | * Specifying this option will cause us to look for modules/<module>/dictionaries/<dictionary>.definition.json
395 | * The dictionary should look something like:
396 | *
397 | * {
398 | * "firstattribute": {
399 | * "en": "English name",
400 | * "no": "Norwegian name"
401 | * },
402 | * "secondattribute": {
403 | * "en": "English name",
404 | * "no": "Norwegian name"
405 | * }
406 | * }
407 | *
408 | * Note that all attribute names in the dictionary must be in lowercase.
409 | *
410 | * Example: 'attributes.extradictionary' => 'ourmodule:ourattributes',
411 | */
412 | 'attributes.extradictionary' => null,
413 |
414 | /*
415 | * Which theme directory should be used?
416 | */
417 | 'theme.use' => 'default',
418 |
419 |
420 | /*
421 | * Default IdP for WS-Fed.
422 | */
423 | 'default-wsfed-idp' => 'urn:federation:pingfederate:localhost',
424 |
425 | /*
426 | * Whether the discovery service should allow the user to save his choice of IdP.
427 | */
428 | 'idpdisco.enableremember' => true,
429 | 'idpdisco.rememberchecked' => true,
430 |
431 | // Disco service only accepts entities it knows.
432 | 'idpdisco.validate' => true,
433 |
434 | 'idpdisco.extDiscoveryStorage' => null,
435 |
436 | /*
437 | * IdP Discovery service look configuration.
438 | * Whether to display a list of IdPs or a dropdown box. For many IdPs a dropdown box
439 | * gives the best user experience.
440 | *
441 | * When using dropdown box a cookie is used to highlight the previously chosen IdP in the dropdown.
442 | * This makes it easier for the user to choose the IdP
443 | *
444 | * Options: [links,dropdown]
445 | *
446 | */
447 | 'idpdisco.layout' => 'dropdown',
448 |
449 | /*
450 | * Whether simpleSAMLphp should sign the response or the assertion in SAML 1.1 authentication
451 | * responses.
452 | *
453 | * The default is to sign the assertion element, but that can be overridden by setting this
454 | * option to TRUE. It can also be overridden on a per-SP basis by adding an option with the
455 | * same name to the metadata of the SP.
456 | */
457 | 'shib13.signresponse' => true,
458 |
459 |
460 | /*
461 | * Authentication processing filters that will be executed for all IdPs
462 | * Both Shibboleth and SAML 2.0
463 | */
464 | 'authproc.idp' => array(
465 | /* Enable the authproc filter below to add URN prefixes to all attributes
466 | 10 => array(
467 | 'class' => 'core:AttributeMap', 'addurnprefix'
468 | ), */
469 | /* Enable the authproc filter below to automatically generate eduPersonTargetedID.
470 | 20 => 'core:TargetedID',
471 | */
472 |
473 | // Adopts language from attribute to use in UI
474 | 30 => 'core:LanguageAdaptor',
475 |
476 | /* Add a realm attribute from edupersonprincipalname
477 | 40 => 'core:AttributeRealm',
478 | */
479 | 45 => array(
480 | 'class' => 'core:StatisticsWithAttribute',
481 | 'attributename' => 'realm',
482 | 'type' => 'saml20-idp-SSO',
483 | ),
484 |
485 | /* When called without parameters, it will fallback to filter attributes ‹the old way›
486 | * by checking the 'attributes' parameter in metadata on IdP hosted and SP remote.
487 | */
488 | 50 => 'core:AttributeLimit',
489 |
490 | /*
491 | * Search attribute "distinguishedName" for pattern and replaces if found
492 |
493 | 60 => array(
494 | 'class' => 'core:AttributeAlter',
495 | 'pattern' => '/OU=studerende/',
496 | 'replacement' => 'Student',
497 | 'subject' => 'distinguishedName',
498 | '%replace',
499 | ),
500 | */
501 |
502 | /*
503 | * Consent module is enabled (with no permanent storage, using cookies).
504 |
505 | 90 => array(
506 | 'class' => 'consent:Consent',
507 | 'store' => 'consent:Cookie',
508 | 'focus' => 'yes',
509 | 'checked' => TRUE
510 | ),
511 | */
512 | // If language is set in Consent module it will be added as an attribute.
513 | 99 => 'core:LanguageAdaptor',
514 | ),
515 | /*
516 | * Authentication processing filters that will be executed for all SPs
517 | * Both Shibboleth and SAML 2.0
518 | */
519 | 'authproc.sp' => array(
520 | /*
521 | 10 => array(
522 | 'class' => 'core:AttributeMap', 'removeurnprefix'
523 | ),
524 | */
525 |
526 | /*
527 | * Generate the 'group' attribute populated from other variables, including eduPersonAffiliation.
528 | 60 => array(
529 | 'class' => 'core:GenerateGroups', 'eduPersonAffiliation'
530 | ),
531 | */
532 | /*
533 | * All users will be members of 'users' and 'members'
534 | 61 => array(
535 | 'class' => 'core:AttributeAdd', 'groups' => array('users', 'members')
536 | ),
537 | */
538 |
539 | // Adopts language from attribute to use in UI
540 | 90 => 'core:LanguageAdaptor',
541 |
542 | ),
543 |
544 |
545 | /*
546 | * This option configures the metadata sources. The metadata sources are given as an array with
547 | * different metadata sources. When searching for metadata, simpleSAMLphp will search through
548 | * the array from start to end.
549 | *
550 | * Each element in the array is an associative array which configures the metadata source.
551 | * The type of the metadata source is given by the 'type' element. For each type we have
552 | * different configuration options.
553 | *
554 | * Flat file metadata handler:
555 | * - 'type': This is always 'flatfile'.
556 | * - 'directory': The directory we will load the metadata files from. The default value for
557 | * this option is the value of the 'metadatadir' configuration option, or
558 | * 'metadata/' if that option is unset.
559 | *
560 | * XML metadata handler:
561 | * This metadata handler parses an XML file with either an EntityDescriptor element or an
562 | * EntitiesDescriptor element. The XML file may be stored locally, or (for debugging) on a remote
563 | * web server.
564 | * The XML metadata handler defines the following options:
565 | * - 'type': This is always 'xml'.
566 | * - 'file': Path to the XML file with the metadata.
567 | * - 'url': The URL to fetch metadata from. THIS IS ONLY FOR DEBUGGING - THERE IS NO CACHING OF THE RESPONSE.
568 | *
569 | *
570 | * Examples:
571 | *
572 | * This example defines two flatfile sources. One is the default metadata directory, the other
573 | * is a metadata directory with autogenerated metadata files.
574 | *
575 | * 'metadata.sources' => array(
576 | * array('type' => 'flatfile'),
577 | * array('type' => 'flatfile', 'directory' => 'metadata-generated'),
578 | * ),
579 | *
580 | * This example defines a flatfile source and an XML source.
581 | * 'metadata.sources' => array(
582 | * array('type' => 'flatfile'),
583 | * array('type' => 'xml', 'file' => 'idp.example.org-idpMeta.xml'),
584 | * ),
585 | *
586 | *
587 | * Default:
588 | * 'metadata.sources' => array(
589 | * array('type' => 'flatfile')
590 | * ),
591 | */
592 | 'metadata.sources' => array(
593 | array('type' => 'flatfile'),
594 | ),
595 |
596 |
597 | /*
598 | * Configure the datastore for simpleSAMLphp.
599 | *
600 | * - 'phpsession': Limited datastore, which uses the PHP session.
601 | * - 'memcache': Key-value datastore, based on memcache.
602 | * - 'sql': SQL datastore, using PDO.
603 | *
604 | * The default datastore is 'phpsession'.
605 | *
606 | * (This option replaces the old 'session.handler'-option.)
607 | */
608 | 'store.type' => 'phpsession',
609 |
610 |
611 | /*
612 | * The DSN the sql datastore should connect to.
613 | *
614 | * See http://www.php.net/manual/en/pdo.drivers.php for the various
615 | * syntaxes.
616 | */
617 | 'store.sql.dsn' => 'sqlite:/path/to/sqlitedatabase.sq3',
618 |
619 | /*
620 | * The username and password to use when connecting to the database.
621 | */
622 | 'store.sql.username' => null,
623 | 'store.sql.password' => null,
624 |
625 | /*
626 | * The prefix we should use on our tables.
627 | */
628 | 'store.sql.prefix' => 'simpleSAMLphp',
629 |
630 |
631 | /*
632 | * Configuration for the MemcacheStore class. This allows you to store
633 | * multiple redundant copies of sessions on different memcache servers.
634 | *
635 | * 'memcache_store.servers' is an array of server groups. Every data
636 | * item will be mirrored in every server group.
637 | *
638 | * Each server group is an array of servers. The data items will be
639 | * load-balanced between all servers in each server group.
640 | *
641 | * Each server is an array of parameters for the server. The following
642 | * options are available:
643 | * - 'hostname': This is the hostname or ip address where the
644 | * memcache server runs. This is the only required option.
645 | * - 'port': This is the port number of the memcache server. If this
646 | * option isn't set, then we will use the 'memcache.default_port'
647 | * ini setting. This is 11211 by default.
648 | * - 'weight': This sets the weight of this server in this server
649 | * group. http://php.net/manual/en/function.Memcache-addServer.php
650 | * contains more information about the weight option.
651 | * - 'timeout': The timeout for this server. By default, the timeout
652 | * is 3 seconds.
653 | *
654 | * Example of redundant configuration with load balancing:
655 | * This configuration makes it possible to lose both servers in the
656 | * a-group or both servers in the b-group without losing any sessions.
657 | * Note that sessions will be lost if one server is lost from both the
658 | * a-group and the b-group.
659 | *
660 | * 'memcache_store.servers' => array(
661 | * array(
662 | * array('hostname' => 'mc_a1'),
663 | * array('hostname' => 'mc_a2'),
664 | * ),
665 | * array(
666 | * array('hostname' => 'mc_b1'),
667 | * array('hostname' => 'mc_b2'),
668 | * ),
669 | * ),
670 | *
671 | * Example of simple configuration with only one memcache server,
672 | * running on the same computer as the web server:
673 | * Note that all sessions will be lost if the memcache server crashes.
674 | *
675 | * 'memcache_store.servers' => array(
676 | * array(
677 | * array('hostname' => 'localhost'),
678 | * ),
679 | * ),
680 | *
681 | */
682 | 'memcache_store.servers' => array(
683 | array(
684 | array('hostname' => 'localhost'),
685 | ),
686 | ),
687 |
688 |
689 | /*
690 | * This value is the duration data should be stored in memcache. Data
691 | * will be dropped from the memcache servers when this time expires.
692 | * The time will be reset every time the data is written to the
693 | * memcache servers.
694 | *
695 | * This value should always be larger than the 'session.duration'
696 | * option. Not doing this may result in the session being deleted from
697 | * the memcache servers while it is still in use.
698 | *
699 | * Set this value to 0 if you don't want data to expire.
700 | *
701 | * Note: The oldest data will always be deleted if the memcache server
702 | * runs out of storage space.
703 | */
704 | 'memcache_store.expires' => 36 * (60 * 60), // 36 hours.
705 |
706 |
707 | /*
708 | * Should signing of generated metadata be enabled by default.
709 | *
710 | * Metadata signing can also be enabled for a individual SP or IdP by setting the
711 | * same option in the metadata for the SP or IdP.
712 | */
713 | 'metadata.sign.enable' => false,
714 |
715 | /*
716 | * The default key & certificate which should be used to sign generated metadata. These
717 | * are files stored in the cert dir.
718 | * These values can be overridden by the options with the same names in the SP or
719 | * IdP metadata.
720 | *
721 | * If these aren't specified here or in the metadata for the SP or IdP, then
722 | * the 'certificate' and 'privatekey' option in the metadata will be used.
723 | * if those aren't set, signing of metadata will fail.
724 | */
725 | 'metadata.sign.privatekey' => null,
726 | 'metadata.sign.privatekey_pass' => null,
727 | 'metadata.sign.certificate' => null,
728 |
729 |
730 | /*
731 | * Proxy to use for retrieving URLs.
732 | *
733 | * Example:
734 | * 'proxy' => 'tcp://proxy.example.com:5100'
735 | */
736 | 'proxy' => null,
737 |
738 | /*
739 | * Array of domains that are allowed when generating links or redirections
740 | * to URLs. simpleSAMLphp will use this option to determine whether to
741 | * consider a given URL valid or not, but you should always validate
742 | * URLs obtained from the input on your own (i.e. ReturnTo or RelayState
743 | * parameters obtained from the $_REQUEST array).
744 | *
745 | * Set to NULL to disable checking of URLs.
746 | *
747 | * simpleSAMLphp will automatically add your own domain (either by checking
748 | * it dynamically, or by using the domain defined in the 'baseurlpath'
749 | * directive, the latter having precedence) to the list of trusted domains,
750 | * in case this option is NOT set to NULL. In that case, you are explicitly
751 | * telling simpleSAMLphp to verify URLs.
752 | *
753 | * Set to an empty array to disallow ALL redirections or links pointing to
754 | * an external URL other than your own domain.
755 | *
756 | * Example:
757 | * 'trusted.url.domains' => array('sp.example.com', 'app.example.com'),
758 | */
759 | 'trusted.url.domains' => null,
760 |
761 | );
762 |
--------------------------------------------------------------------------------