├── .simplesamlphp_version ├── .hadolint.yaml ├── config ├── apache │ ├── ports.conf.mo │ └── simplesamlphp.conf.mo └── simplesamlphp │ ├── authsources.php │ ├── saml20-sp-remote.php │ ├── server.crt │ ├── server.pem │ └── config.php ├── .github ├── dependabot.yml └── workflows │ ├── ci.yml │ ├── release-develop.yml │ ├── release.yml │ └── upgrade.yml ├── goss.yaml ├── .gitignore ├── docker-compose.yml ├── LICENSE ├── Makefile ├── Dockerfile └── README.md /.simplesamlphp_version: -------------------------------------------------------------------------------- 1 | 1.19.9 2 | -------------------------------------------------------------------------------- /.hadolint.yaml: -------------------------------------------------------------------------------- 1 | ignored: 2 | - DL3008 3 | -------------------------------------------------------------------------------- /config/apache/ports.conf.mo: -------------------------------------------------------------------------------- 1 | Listen {{HTTP_PORT}} 2 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: "github-actions" 4 | directory: "/" 5 | schedule: 6 | interval: monthly 7 | time: '20:00' 8 | -------------------------------------------------------------------------------- /goss.yaml: -------------------------------------------------------------------------------- 1 | process: 2 | apache2: 3 | running: true 4 | 5 | port: 6 | tcp:8080: 7 | listening: true 8 | ip: 9 | - 0.0.0.0 10 | 11 | http: 12 | http://localhost:8080: 13 | status: 200 14 | no-follow-redirects: false 15 | timeout: 1000 16 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Created by https://www.gitignore.io/api/visualstudiocode 2 | # Edit 
at https://www.gitignore.io/?templates=visualstudiocode 3 | 4 | ### VisualStudioCode ### 5 | .vscode/* 6 | !.vscode/settings.json 7 | !.vscode/tasks.json 8 | !.vscode/launch.json 9 | !.vscode/extensions.json 10 | 11 | ### VisualStudioCode Patch ### 12 | # Ignore all local history of files 13 | .history 14 | 15 | # End of https://www.gitignore.io/api/visualstudiocode 16 | -------------------------------------------------------------------------------- /config/simplesamlphp/authsources.php: -------------------------------------------------------------------------------- 1 | array( 5 | 'core:AdminPassword', 6 | ), 7 | 8 | 'example-userpass' => array( 9 | 'exampleauth:UserPass', 10 | 'user1:password' => array( 11 | 'email' => 'user1@example.com', 12 | ), 13 | 'user2:password' => array( 14 | 'email' => 'user2@example.com', 15 | ), 16 | ), 17 | 18 | ); 19 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | services: 3 | idp: 4 | build: 5 | context: . 
6 | args: 7 | SIMPLESAMLPHP_VERSION: "1.19.9" 8 | environment: 9 | SIMPLESAMLPHP_SP_ENTITY_ID: http://app.example.com 10 | SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/test-sp 11 | SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost/simplesaml/module.php/saml/sp/saml2-logout.php/test-sp 12 | SIMPLESAMLPHP_IDP_ADMIN_PASSWORD: 13 | SIMPLESAMLPHP_IDP_SECRET_SALT: 14 | ports: 15 | - "8080:8080" 16 | -------------------------------------------------------------------------------- /config/apache/simplesamlphp.conf.mo: -------------------------------------------------------------------------------- 1 | 2 | ServerName localhost 3 | DocumentRoot /var/www/simplesamlphp 4 | Alias /simplesaml /var/www/simplesamlphp/www 5 | 6 | 7 | RewriteEngine On 8 | RewriteBase / 9 | RewriteRule ^$ www [L] 10 | RewriteRule ^/(.+)$ www/$1 [L] 11 | 12 | 13 | 14 | 15 | Require all granted 16 | 17 | 18 | 19 | 20 | ServerName localhost 21 | -------------------------------------------------------------------------------- /config/simplesamlphp/saml20-sp-remote.php: -------------------------------------------------------------------------------- 1 | getenv('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE'), 17 | 'SingleLogoutService' => getenv('SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE'), 18 | ); 19 | -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: CI 2 | on: 3 | push: 4 | branches: 5 | - master 6 | tags: 7 | - "!*" 8 | pull_request: 9 | 10 | jobs: 11 | test: 12 | runs-on: ubuntu-latest 13 | steps: 14 | - uses: actions/checkout@v4 15 | - name: Install dgoss 16 | run: | 17 | curl -sfL https://goss.rocks/install | sudo sh 18 | - name: Set up QEMU 19 | uses: docker/setup-qemu-action@v3 20 | - name: Set up Docker Buildx 21 | uses: docker/setup-buildx-action@v3 22 | - name: Run test 23 | run: | 24 
| for platform in ${PLATFORMS}; do 25 | echo "Testing ${platform}" 26 | make build PLATFORM="${platform}" 27 | docker images 28 | make test PLATFORM="${platform}" 29 | done 30 | env: 31 | PLATFORMS: linux/amd64 linux/arm64 32 | 33 | lint: 34 | runs-on: ubuntu-latest 35 | steps: 36 | - uses: actions/checkout@v4 37 | - uses: hadolint/hadolint-action@v3.1.0 38 | -------------------------------------------------------------------------------- /config/simplesamlphp/server.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICmjCCAYICCQDX5sKPsYV3+jANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0 3 | ZXN0MB4XDTE5MTIyMzA5MDI1MVoXDTIwMDEyMjA5MDI1MVowDzENMAsGA1UEAwwE 4 | dGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMdtDJ278DQTp84O 5 | 5Nq5F8s5YOR34GFOGI2Swb/3pU7X7918lVljiKv7WVM65S59nJSyXV+fa15qoXLf 6 | sdRnq3yw0hTSTs2YDX+jl98kK3ksk3rROfYh1LIgByj4/4NeNpExgeB6rQk5Ay7Y 7 | S+ARmMzEjXa0favHxu5BOdB2y6WvRQyjPS2lirT/PKWBZc04QZepsZ56+W7bd557 8 | tdedcYdY/nKI1qmSQClG2qgslzgqFOv1KCOw43a3mcK/TiiD8IXyLMJNC6OFW3xT 9 | L/BG6SOZ3dQ9rjQOBga+6GIaQsDjC4Xp7Kx+FkSvgaw0sJV8gt1mlZy+27Sza6d+ 10 | hHD2pWECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAm2fk1+gd08FQxK7TL04O8EK1 11 | f0bzaGGUxWzlh98a3Dm8+OPhVQRi/KLsFHliLC86lsZQKunYdDB+qd0KUk2oqDG6 12 | tstG/htmRYD/S/jNmt8gyPAVi11dHUqW3IvQgJLwxZtoAv6PNs188hvT1WK3VWJ4 13 | YgFKYi5XQYnR5sv69Vsr91lYAxyrIlMKahjSW1jTD3ByRfAQghsSLk6fV0OyJHyh 14 | uF1TxOVBVf8XOdaqfmvD90JGIPGtfMLPUX4m35qaGAU48PwCL7L3cRHYs9wZWc0i 15 | fXZcBENLtHYCLi5txR8c5lyHB9d3AQHzKHMFNjLswn5HsckKg83RH7+eVqHqGw== 16 | -----END CERTIFICATE----- 17 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2019 Tadayuki Onishi 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of 6 | this software and associated documentation files (the "Software"), 
to deal in 7 | the Software without restriction, including without limitation the rights to 8 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software is furnished to do so, 10 | subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 17 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 18 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 19 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 21 | -------------------------------------------------------------------------------- /.github/workflows/release-develop.yml: -------------------------------------------------------------------------------- 1 | name: Release docker image as develop 2 | on: 3 | push: 4 | branches: 5 | - master 6 | 7 | jobs: 8 | release-image-to-github: 9 | name: Release image to GitHub 10 | runs-on: ubuntu-latest 11 | steps: 12 | - uses: actions/checkout@v4 13 | - name: Set up QEMU 14 | uses: docker/setup-qemu-action@v3 15 | - name: Set up Docker Buildx 16 | uses: docker/setup-buildx-action@v3 17 | - name: Build and Push to GitHub 18 | run: | 19 | echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${REGISTRY_USERNAME}" --password-stdin 20 | make release RELEASE_TAGS="develop" 21 | env: 22 | REGISTRY_HOST: ghcr.io 23 | REGISTRY_USERNAME: ${{ github.repository_owner }} 24 | REGISTRY_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} 25 | 26 | release-image-to-docker-hub: 27 | name: Release image to Docker Hub 28 | runs-on: ubuntu-latest 29 | steps: 30 | 
- uses: actions/checkout@v4 31 | - name: Set up QEMU 32 | uses: docker/setup-qemu-action@v3 33 | - name: Set up Docker Buildx 34 | uses: docker/setup-buildx-action@v3 35 | - name: Build and Push to Docker Hub 36 | run: | 37 | echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USERNAME}" --password-stdin 38 | make release RELEASE_TAGS="develop" 39 | env: 40 | REGISTRY_HOST: index.docker.io 41 | REGISTRY_USERNAME: kenchan0130 42 | REGISTRY_TOKEN: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }} 43 | -------------------------------------------------------------------------------- /config/simplesamlphp/server.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpAIBAAKCAQEAx20MnbvwNBOnzg7k2rkXyzlg5HfgYU4YjZLBv/elTtfv3XyV 3 | WWOIq/tZUzrlLn2clLJdX59rXmqhct+x1GerfLDSFNJOzZgNf6OX3yQreSyTetE5 4 | 9iHUsiAHKPj/g142kTGB4HqtCTkDLthL4BGYzMSNdrR9q8fG7kE50HbLpa9FDKM9 5 | LaWKtP88pYFlzThBl6mxnnr5btt3nnu1151xh1j+cojWqZJAKUbaqCyXOCoU6/Uo 6 | I7DjdreZwr9OKIPwhfIswk0Lo4VbfFMv8EbpI5nd1D2uNA4GBr7oYhpCwOMLhens 7 | rH4WRK+BrDSwlXyC3WaVnL7btLNrp36EcPalYQIDAQABAoIBADy43JWOqxYAQiEA 8 | 8fgTUcZkYzdNtPmL4PgCjpIYIrJ+F6A2FfeQ0gWj08/+59efEbVJFhtOnE+0YhJr 9 | QGdvZYzi/iSu4KXDPaD2vACKr94Gj6Ve3aovJOdTzzpPjuV+I1lUXLpwQA3F2U1D 10 | ON8yHHeFBZn2XSmX+9+B5sut0FZTHHDuVDJ3ZYkR8bXvJj17JmjZ0DfqCt7euqNP 11 | GrvSKNuss/rXDc/bG3jNyC9uvUa9oduWOUQ9y1XiLC8EtTKVZlW/n8PHIEaSSixV 12 | 9tb034hJ0/cRwNZfCRKai7LIo53cs5AE6lUpohHYpHrZSTYRJib31eTv0RS0pa0c 13 | bKUPkkECgYEA+ziw2qi2gQx5c2uQslhiaLrolrTejYCWpCyEJS/+Ht1clOUVrQpg 14 | wNnP7udQmcd4i3zjzzUsRNnKiZeSXi5fVJMM+ZLyPipfYueZB1qD2vSlsN3VAwIj 15 | p0avTowdzrKDeuHEkA1Dx6G7v6dSbMbdJZAu5WzcC2QH3o4e/nffhwkCgYEAyzgk 16 | qNY/kIJjmZTcNgiHcEF4i09KDNttqqLV44RybQ4bqvkIQ51B2ZNQKkC5wOUG3eVz 17 | lHOhK1L5U6IZutYSynop0+mk4DUO67sy/cn3XYCRAViAgYZ1mJmn/brjIwkSJnKL 18 | Hagrf+s704YwYQohiUB3PoNuZ4Wx/8rSGd7qqZkCgYA6n079p1L3KC8LFPWt+Fv2 19 | bm8qA8jPIkuEwfKQLvPQxfz9rbtyJrLPLcSMziOLzvU9L4aFarYK1vuhQeJg4ddT 20 | 
CAGGF5k5km+xx7N4+NE9/crQS+OSESS6uw7beGzYN+XgfeB9cOr5Ia+LGINuaLVg 21 | N5YJ6W4rpksDzwxCezyI6QKBgQCjAS2mn/Psnin2Dwlz7fN1f46Jb9gd6ARXUrXu 22 | AVcnUqGuyoJueb1QIHG08qYMq6iOZHYJJZapgaysAOJSk1QPRV43tLmjfeux+j40 23 | g8P/JBkr0ymAu7Gn7dhqFXYLrEL6w/YCm9oIiU87o+86Zz3vMd50LkhokTztyGou 24 | hjgEQQKBgQDiohVC5mnZ8gUJhXuEUpXNMA4pQZycakSA9aL6lkMqbz1mMapJdEzS 25 | HM5ETzOHXcJKActWKRHZqUAGGDf/FFntALy9Aw+BPjikMQdlVVOSQvUHBdHDiQsc 26 | eXUbkRa9oPkkeq5QODpI1qJ8fctJgyKrr9MXztyvkWED7bA5wh0RKQ== 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | NAME := $(shell basename $(CURDIR) | sed -e "s/^docker-//g") 2 | REVISION := $(shell git rev-parse --short HEAD) 3 | ORIGIN := $(shell git remote get-url origin) 4 | SIMPLESAMLPHP_VERSION := $(shell cat .simplesamlphp_version) 5 | REGISTRY_HOST ?= index.docker.io 6 | REGISTRY_USERNAME ?= defaultusername 7 | IMAGE := $(REGISTRY_HOST)/$(REGISTRY_USERNAME)/$(NAME) 8 | RELEASE_TAGS := $(SIMPLESAMLPHP_VERSION) latest 9 | 10 | .PHONY: release 11 | release: ## build and push docker images. e.g.) make release 12 | docker buildx build \ 13 | --push \ 14 | --platform linux/amd64,linux/arm64 \ 15 | --build-arg GIT_REVISION="$(REVISION)" \ 16 | --build-arg GIT_ORIGIN="$(ORIGIN)" \ 17 | --build-arg IMAGE_NAME="$(IMAGE)" \ 18 | --build-arg SIMPLESAMLPHP_VERSION="$(SIMPLESAMLPHP_VERSION)" \ 19 | $(addprefix -t $(IMAGE):,$(RELEASE_TAGS)) . 20 | 21 | .PHONY: build 22 | build: ## build a docker image. e.g.) make build PLATFORM=linux/amd64 23 | docker buildx build \ 24 | --load \ 25 | --platform "$(PLATFORM)" \ 26 | --build-arg GIT_REVISION="$(REVISION)" \ 27 | --build-arg GIT_ORIGIN="$(ORIGIN)" \ 28 | --build-arg IMAGE_NAME="$(IMAGE)" \ 29 | --build-arg SIMPLESAMLPHP_VERSION="$(SIMPLESAMLPHP_VERSION)" \ 30 | $(addprefix -t $(IMAGE):,$(RELEASE_TAGS)) . 
31 | 32 | .PHONY: test 33 | test: ## test a docker image. e.g.) make test PLATFORM=linux/amd64 34 | dgoss run \ 35 | --rm \ 36 | --platform "$(PLATFORM)" \ 37 | -e SIMPLESAMLPHP_SP_ENTITY_ID=http://app.example.com \ 38 | -e SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/test-sp \ 39 | -e SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost/simplesaml/module.php/saml/sp/saml2-logout.php/test-sp \ 40 | "$(IMAGE)" 41 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM --platform=$BUILDPLATFORM php:8.2-apache 2 | 3 | RUN apt-get update && \ 4 | apt-get -y install apt-transport-https git curl vim --no-install-recommends && \ 5 | rm -r /var/lib/apt/lists/* && \ 6 | curl -sSL -o /tmp/mo https://git.io/get-mo && \ 7 | chmod +x /tmp/mo 8 | 9 | # Docker build 10 | ARG GIT_REVISION=unkown 11 | ARG GIT_ORIGIN=unkown 12 | ARG IMAGE_NAME=unkown 13 | LABEL git-revision=$GIT_REVISION \ 14 | git-origin=$GIT_ORIGIN \ 15 | image-name=$IMAGE_NAME \ 16 | maintainer="Tadayuki Onishi " 17 | 18 | # SimpleSAMLphp 19 | ARG SIMPLESAMLPHP_VERSION 20 | RUN curl -sSL -o /tmp/simplesamlphp.tar.gz https://github.com/simplesamlphp/simplesamlphp/releases/download/v$SIMPLESAMLPHP_VERSION/simplesamlphp-$SIMPLESAMLPHP_VERSION.tar.gz && \ 21 | tar xzf /tmp/simplesamlphp.tar.gz -C /tmp && \ 22 | mv /tmp/simplesamlphp-* /var/www/simplesamlphp && \ 23 | touch /var/www/simplesamlphp/modules/exampleauth/enable 24 | 25 | COPY config/simplesamlphp/config.php /var/www/simplesamlphp/config 26 | COPY config/simplesamlphp/authsources.php /var/www/simplesamlphp/config 27 | COPY config/simplesamlphp/saml20-sp-remote.php /var/www/simplesamlphp/metadata 28 | COPY config/simplesamlphp/server.crt /var/www/simplesamlphp/cert/ 29 | COPY config/simplesamlphp/server.pem /var/www/simplesamlphp/cert/ 30 | 31 | RUN echo " 
/var/www/simplesamlphp/metadata/shib13-sp-remote.php 32 | 33 | # Apache 34 | ENV HTTP_PORT 8080 35 | 36 | COPY config/apache/ports.conf.mo /tmp 37 | COPY config/apache/simplesamlphp.conf.mo /tmp 38 | RUN /tmp/mo /tmp/ports.conf.mo > /etc/apache2/ports.conf && \ 39 | /tmp/mo /tmp/simplesamlphp.conf.mo > /etc/apache2/sites-available/simplesamlphp.conf 40 | 41 | # hadolint ignore=DL3059 42 | RUN a2dissite 000-default.conf default-ssl.conf && \ 43 | a2enmod rewrite && \ 44 | a2ensite simplesamlphp.conf 45 | 46 | # Clean up 47 | # hadolint ignore=DL3059 48 | RUN rm -rf /tmp/* 49 | 50 | # Set work dir 51 | WORKDIR /var/www/simplesamlphp 52 | 53 | # General setup 54 | EXPOSE ${HTTP_PORT} 55 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: Release docker image 2 | on: 3 | push: 4 | branches: 5 | - master 6 | 7 | jobs: 8 | check-release: 9 | runs-on: ubuntu-latest 10 | outputs: 11 | is_skip: ${{ steps.compare_docker_registory_and_local_repository_version.outputs.is_skip }} 12 | steps: 13 | - uses: actions/checkout@v4 14 | - name: Compare Docker Registory and Local Repository Version 15 | id: compare_docker_registory_and_local_repository_version 16 | run: | 17 | release_version=$(cat .simplesamlphp_version) 18 | echo "Release version is ${release_version}" 19 | if [[ "$( curl -sfL https://registry.hub.docker.com/v2/repositories/kenchan0130/simplesamlphp/tags | jq --arg version "${release_version}" '.results[] | select(.name == $version)' )" ]]; then 20 | echo "${release_version} is already released." 
21 | echo "::set-output name=is_skip::true" 22 | else 23 | echo "::set-output name=is_skip::false" 24 | fi 25 | - name: Show is_skip output 26 | run: | 27 | echo 'is_skip: ${{ steps.compare_docker_registory_and_local_repository_version.outputs.is_skip }}' 28 | 29 | release-image-to-github: 30 | name: Release image to GitHub 31 | needs: check-release 32 | if: ${{ needs.check-release.outputs.is_skip == 'false' }} 33 | runs-on: ubuntu-latest 34 | steps: 35 | - uses: actions/checkout@v4 36 | - name: Set up QEMU 37 | uses: docker/setup-qemu-action@v3 38 | - name: Set up Docker Buildx 39 | uses: docker/setup-buildx-action@v3 40 | - name: Build and Push to GitHub 41 | run: | 42 | echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${REGISTRY_USERNAME}" --password-stdin 43 | make release 44 | env: 45 | REGISTRY_HOST: ghcr.io 46 | REGISTRY_USERNAME: ${{ github.repository_owner }} 47 | REGISTRY_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} 48 | 49 | release-image-to-docker-hub: 50 | name: Release image to Docker Hub 51 | needs: check-release 52 | if: ${{ needs.check-release.outputs.is_skip == 'false' }} 53 | runs-on: ubuntu-latest 54 | steps: 55 | - uses: actions/checkout@v4 56 | - name: Set up QEMU 57 | uses: docker/setup-qemu-action@v3 58 | - name: Set up Docker Buildx 59 | uses: docker/setup-buildx-action@v3 60 | - name: Build and Push to Docker Hub 61 | run: | 62 | echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USERNAME}" --password-stdin 63 | make release 64 | env: 65 | REGISTRY_HOST: index.docker.io 66 | REGISTRY_USERNAME: kenchan0130 67 | REGISTRY_TOKEN: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }} 68 | - name: Sync Docker Hub Description 69 | uses: peter-evans/dockerhub-description@v4 70 | env: 71 | DOCKERHUB_USERNAME: kenchan0130 72 | DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} 73 | DOCKERHUB_REPOSITORY: kenchan0130/simplesamlphp 74 | -------------------------------------------------------------------------------- 
/.github/workflows/upgrade.yml: -------------------------------------------------------------------------------- 1 | name: Create Pull Request of SimpleSAMLphp new version 2 | on: 3 | schedule: 4 | - cron: '0 0 * * *' 5 | workflow_dispatch: 6 | 7 | env: 8 | PULL_REQUEST_BRANCH_PREFIX: create-pull-request/simplesamlphp- 9 | 10 | jobs: 11 | check-latest-version: 12 | runs-on: ubuntu-latest 13 | outputs: 14 | is-continued-pr: ${{ steps.check-latest-version.outputs.update == 'required' && steps.check-pull-request.outputs.pr == 'required' }} 15 | simplesamlphp-latest: ${{ steps.simplesamlphp-latest.outputs.tag }} 16 | 17 | steps: 18 | - uses: actions/checkout@v4 19 | - uses: oprypin/find-latest-tag@v1 20 | with: 21 | repository: simplesamlphp/simplesamlphp 22 | releases-only: true 23 | id: simplesamlphp-latest 24 | - name: Get current simplesamlphp version 25 | run: | 26 | echo "::set-output name=version::$( cat .simplesamlphp_version )" 27 | id: simplesamlphp-current 28 | - name: Echo simplesamlphp versions 29 | run: | 30 | echo "The latest simplesamlphp version is ${{ steps.simplesamlphp-latest.outputs.tag }}" 31 | echo "The current simplesamlphp version is ${{ steps.simplesamlphp-current.outputs.version }}" 32 | - name: Check latest version 33 | id: check-latest-version 34 | run: | 35 | latest=$(echo "${{ steps.simplesamlphp-latest.outputs.tag }}" | tr -d 'v.') 36 | current=$(echo "${{ steps.simplesamlphp-current.outputs.version }}" | tr -d 'v.') 37 | if [[ "${latest}" -lt "${current}" ]]; then 38 | echo "${{ steps.simplesamlphp-latest.outputs.tag }} may be already exist." 
39 | echo "::set-output name=update::none" 40 | else 41 | echo "::set-output name=update::required" 42 | fi 43 | - name: Check current pull request 44 | id: check-pull-request 45 | run: | 46 | branch_name="${{ env.PULL_REQUEST_BRANCH_PREFIX }}${{ steps.simplesamlphp-latest.outputs.tag }}" 47 | remote_url=$( git config --get remote.origin.url ) 48 | has_branch=$( git ls-remote --heads "${remote_url}" "${branch_name}" ) 49 | if [[ "${has_branch}" ]]; then 50 | echo "${branch_name} branch is already exist." 51 | echo "::set-output name=pr::none" 52 | else 53 | echo "::set-output name=pr::required" 54 | fi 55 | 56 | create-pull-request: 57 | needs: check-latest-version 58 | runs-on: ubuntu-latest 59 | if: needs.check-latest-version.outputs.is-continued-pr == 'true' 60 | steps: 61 | - uses: actions/checkout@v4 62 | - name: Update current version file 63 | run: | 64 | version=$(echo "${{ needs.check-latest-version.outputs.simplesamlphp-latest }}" | tr -d 'v') 65 | echo "${version}" > .simplesamlphp_version 66 | sed -i -e "s/\(SIMPLESAMLPHP_VERSION\):.\+/\1: \"${version}\"/g" docker-compose.yml 67 | - name: Git status 68 | run: | 69 | git status 70 | - name: Git diff 71 | run: | 72 | git diff 73 | - name: Create Pull Request 74 | uses: peter-evans/create-pull-request@v6.0.2 75 | id: create-pull-request 76 | with: 77 | token: ${{ secrets.GITHUB_TOKEN }} 78 | title: Bump simplesamlphp version to ${{ needs.check-latest-version.outputs.simplesamlphp-latest }} 79 | body: | 80 | This is an automated PR to update the [simplesamlphp](https://github.com/simplesamlphp/simplesamlphp). 81 | 82 | - Check if there is any omission between [${{ needs.check-latest-version.outputs.simplesamlphp-latest }}](https://github.com/simplesamlphp/simplesamlphp/releases/tag/${{ needs.check-latest-version.outputs.simplesamlphp-latest }}) and the existing version. 
83 | - This is auto-generated by [create-pull-request](https://github.com/peter-evans/create-pull-request) 84 | branch: ${{ env.PULL_REQUEST_BRANCH_PREFIX }}${{ needs.check-latest-version.outputs.simplesamlphp-latest }} 85 | base: master 86 | labels: automated pr 87 | - name: Check outputs 88 | run: | 89 | echo "Created a pull request - ${{ steps.create-pull-request.outputs.pull-request-url }}" 90 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Docker Test SAML 2.0 Identity Provider (IdP) 2 | 3 | [![](https://img.shields.io/docker/v/kenchan0130/simplesamlphp?sort=semver)](https://hub.docker.com/r/kenchan0130/simplesamlphp) 4 | [![](https://github.com/kenchan0130/docker-simplesamlphp/workflows/CI/badge.svg)](https://github.com/kenchan0130/docker-simplesamlphp/actions?query=workflow%3ACI) 5 | [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://github.com/kenchan0130/docker-simplesamlphp/blob/master/LICENSE) 6 | 7 | Docker container with a plug-and-play SAML 2.0 Identity Provider (IdP) for development and testing. 8 | 9 | Built with [SimpleSAMLphp](https://simplesamlphp.org/). Based on the [official PHP8 Apache image](https://hub.docker.com/_/php/). 10 | 11 | SimpleSAMLphp logs to stdout at debug log level. Apache writes its error and access logs to stdout. 12 | 13 | **You must not use this image in production. 
It is intended for testing only.** 14 | 15 | ## Usage 16 | 17 | ### Using docker run command 18 | 19 | ```sh 20 | docker run --name=idp \ 21 | -p 8080:8080 \ 22 | -e SIMPLESAMLPHP_SP_ENTITY_ID=http://app.example.com \ 23 | -e SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/test-sp \ 24 | -e SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost/simplesaml/module.php/saml/sp/saml2-logout.php/test-sp \ 25 | -d kenchan0130/simplesamlphp 26 | ``` 27 | 28 | ### Using docker-compose 29 | 30 | ```yml 31 | version: "3" 32 | services: 33 | idp: 34 | image: kenchan0130/simplesamlphp 35 | container_name: idp 36 | ports: 37 | - "8080:8080" 38 | environment: 39 | SIMPLESAMLPHP_SP_ENTITY_ID: http://app.example.com 40 | SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/test-sp 41 | SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost/simplesaml/module.php/saml/sp/saml2-logout.php/test-sp 42 | ``` 43 | 44 | There are two static users configured in the IdP with the following data: 45 | 46 | Username|Password 47 | ---|--- 48 | user1|password 49 | user2|password 50 | 51 | And there is one admin: 52 | 53 | Username|Password 54 | ---|--- 55 | admin|secret 56 | 57 | ## Environment Variables 58 | 59 | Name|Required/Optional|Description 60 | ---|---|--- 61 | `SIMPLESAMLPHP_SP_ENTITY_ID`|Required|The entity ID of your SP. 62 | `SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE`|Required|The assertion consumer service URL of your SP. 63 | `SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE`|Optional|The single logout URL of your SP. 64 | `SIMPLESAMLPHP_IDP_ADMIN_PASSWORD`|Optional|The admin password of this IdP. Default is `secret`. 65 | `SIMPLESAMLPHP_IDP_SECRET_SALT`|Optional|This is a secret salt used by this IdP when it needs to generate a secure hash of a value. Default is `defaultsecretsalt`. 
66 | `SIMPLESAMLPHP_IDP_SESSION_DURATION_SECONDS`|Optional|This value is the duration of the session of this IdP in seconds. 67 | `SIMPLESAMLPHP_IDP_BASE_URL`|Optional|This value allows you to override the base URL. Valuable for setting an `https://` base url behind a reverse proxy. **If you set this variable, please end it with a trailing `/`** example: `https://my.proxy.com/` Default is `` (empty string). 68 | 69 | ## Advanced Usage 70 | 71 | ### Customize IdP Users 72 | 73 | If you want to customize IdP users, you can define your own users by mounting a configuration file. 74 | 75 | ```php 76 | 'ab4f07dc-b661-48a3-a173-d0103d6981b2', 80 | 'http://schemas.microsoft.com/identity/claims/objectidentifier' => '', 81 | 'http://schemas.microsoft.com/identity/claims/displayname' => '', 82 | 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' => array(), 83 | 'http://schemas.microsoft.com/identity/claims/identityprovider' => 'https://sts.windows.net/da2a1472-abd3-47c9-95a4-4a0068312122/', 84 | 'http://schemas.microsoft.com/claims/authnmethodsreferences' => array('http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password', 'http://schemas.microsoft.com/claims/multipleauthn'), 85 | 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' => '', 86 | 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' => '', 87 | 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' => '', 88 | 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' => '' 89 | ); 90 | 91 | $config = array( 92 | 'admin' => array( 93 | 'core:AdminPassword', 94 | ), 95 | 'example-userpass' => array( 96 | 'exampleauth:UserPass', 97 | 'user1:password' => array_merge($test_user_base, array( 98 | 'http://schemas.microsoft.com/identity/claims/objectidentifier' => 'f2d75402-e1ae-40fe-8cc9-98ca1ab9cd5e', 99 | 'http://schemas.microsoft.com/identity/claims/displayname' => 'User1 Taro', 100 | 
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' => 'user1@example.com', 101 | 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' => 'Taro', 102 | 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' => 'User1', 103 | 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' => 'user1@example.com' 104 | )), 105 | 'user2:password' => array_merge($test_user_base, array( 106 | 'http://schemas.microsoft.com/identity/claims/objectidentifier' => 'f2a94916-2fcb-4b68-9eb1-5436309006a3', 107 | 'http://schemas.microsoft.com/identity/claims/displayname' => 'User2 Taro', 108 | 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' => 'user2@example.com', 109 | 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' => 'Taro', 110 | 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' => 'User2', 111 | 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' => 'user2@example.com' 112 | )), 113 | ), 114 | ); 115 | ``` 116 | 117 | If you save this source as `authsources.php`, you can customize IdP users by volume mount like: 118 | 119 | **docker run command** 120 | 121 | ```sh 122 | docker run --name=idp \ 123 | -p 8080:8080 \ 124 | -e SIMPLESAMLPHP_SP_ENTITY_ID=http://app.example.com \ 125 | -e SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/test-sp \ 126 | -e SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost/simplesaml/module.php/saml/sp/saml2-logout.php/test-sp \ 127 | -v $PWD/authsources.php:/var/www/simplesamlphp/config/authsources.php \ 128 | -d kenchan0130/simplesamlphp 129 | ``` 130 | 131 | **docker-compose** 132 | 133 | ```yml 134 | version: "3" 135 | services: 136 | idp: 137 | image: kenchan0130/simplesamlphp 138 | container_name: idp 139 | ports: 140 | - "8080:8080" 141 | environment: 142 | SIMPLESAMLPHP_SP_ENTITY_ID: http://app.example.com 143 | SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: 
http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/test-sp 144 | SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost/simplesaml/module.php/saml/sp/saml2-logout.php/test-sp 145 | volumes: 146 | - authsources.php:/var/www/simplesamlphp/config/authsources.php 147 | ``` 148 | 149 | For detailed attributes, see [SimpleSAMLphp Identity Provider QuickStart#Authentication module](https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_2). 150 | 151 | ### Customize SP remote metadata reference 152 | 153 | If you want to customize the SP remote metadata reference, you can define your own SP metadata by mounting a configuration file. 154 | 155 | ```php 156 | 'http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/test-sp', 160 | ForceAuthn => true 161 | ); 162 | $metadata['entity-id-2'] = array( 163 | 'AssertionConsumerService' => 'http://localhost/saml/acs', 164 | 'SingleLogoutService' => 'http://localhost/saml/logout' 165 | ); 166 | ``` 167 | 168 | If you save this source as `saml20-sp-remote.php`, you can customize the SP remote metadata by volume mount like: 169 | 170 | **docker run command** 171 | 172 | ```sh 173 | docker run --name=idp \ 174 | -p 8080:8080 \ 175 | -v saml20-sp-remote.php:/var/www/simplesamlphp/metadata/saml20-sp-remote.php \ 176 | -d kenchan0130/simplesamlphp 177 | ``` 178 | 179 | **docker-compose** 180 | 181 | ```yml 182 | version: "3" 183 | services: 184 | idp: 185 | image: kenchan0130/simplesamlphp 186 | container_name: idp 187 | ports: 188 | - "8080:8080" 189 | volumes: 190 | - saml20-sp-remote.php:/var/www/simplesamlphp/metadata/saml20-sp-remote.php 191 | ``` 192 | 193 | For detailed attributes, see [SP remote metadata reference#SAML 2.0 options](https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote#section_2). 
194 | 195 | ## Inspired By 196 | 197 | - https://github.com/kristophjunge/docker-test-saml-idp 198 | 199 | ## License 200 | 201 | MIT 202 | -------------------------------------------------------------------------------- /config/simplesamlphp/config.php: -------------------------------------------------------------------------------- 1 | getenv('SIMPLESAMLPHP_IDP_BASE_URL') ?: '' . 'simplesaml/', 25 | 'certdir' => 'cert/', 26 | 'loggingdir' => 'log/', 27 | 'datadir' => 'data/', 28 | 29 | /* 30 | * A directory where SimpleSAMLphp can save temporary files. 31 | * 32 | * SimpleSAMLphp will attempt to create this directory if it doesn't exist. 33 | */ 34 | 'tempdir' => '/tmp/simplesaml', 35 | 36 | 37 | /* 38 | * If you enable this option, SimpleSAMLphp will log all sent and received messages 39 | * to the log file. 40 | * 41 | * This option also enables logging of the messages that are encrypted and decrypted. 42 | * 43 | * Note: The messages are logged with the DEBUG log level, so you also need to set 44 | * the 'logging.level' option to LOG_DEBUG. 45 | */ 46 | 'debug' => true, 47 | 48 | /* 49 | * When showerrors is enabled, all error messages and stack traces will be output 50 | * to the browser. 51 | * 52 | * When errorreporting is enabled, a form will be presented for the user to report 53 | * the error to technicalcontact_email. 54 | */ 55 | 'showerrors' => true, 56 | 'errorreporting' => true, 57 | 58 | /** 59 | * Custom error show function called from SimpleSAML_Error_Error::show. 60 | * See docs/simplesamlphp-errorhandling.txt for function code example. 61 | * 62 | * Example: 63 | * 'errors.show_function' => array('sspmod_example_Error_Show', 'show'), 64 | */ 65 | 66 | /** 67 | * This option allows you to enable validation of XML data against its 68 | * schemas. A warning will be written to the log if validation fails. 69 | */ 70 | 'debug.validatexml' => false, 71 | 72 | /** 73 | * This password must be kept secret, and modified from the default value 123. 
74 | * This password will give access to the installation page of SimpleSAMLphp with 75 | * metadata listing and diagnostics pages. 76 | * You can also put a hash here; run "bin/pwgen.php" to generate one. In this image the value is read from the SIMPLESAMLPHP_IDP_ADMIN_PASSWORD environment variable and falls back to 'secret' when that variable is unset; with 'admin.protectindexpage' and 'admin.protectmetadata' both set to false, the index and metadata pages are served without asking for this password. 77 | */ 78 | 'auth.adminpassword' => getenv('SIMPLESAMLPHP_IDP_ADMIN_PASSWORD') ?: 'secret', 79 | 'admin.protectindexpage' => false, 80 | 'admin.protectmetadata' => false, 81 | 82 | /** 83 | * This is a secret salt used by SimpleSAMLphp when it needs to generate a secure hash 84 | * of a value. It must be changed from its default value to a secret value. The value of 85 | * 'secretsalt' can be any valid string of any length. In this image it is read from the SIMPLESAMLPHP_IDP_SECRET_SALT environment variable and falls back to the placeholder 'defaultsecretsalt' when that variable is unset. 86 | * 87 | * A possible way to generate a random salt is by running the following command from a unix shell: 88 | * tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo 89 | */ 90 | 'secretsalt' => getenv('SIMPLESAMLPHP_IDP_SECRET_SALT') ?: 'defaultsecretsalt', 91 | 92 | /* 93 | * Some information about the technical persons running this installation. 94 | * The email address will be used as the recipient address for error reports, and 95 | * also as the technical contact in generated metadata. 96 | */ 97 | 'technicalcontact_name' => 'Administrator', 98 | 'technicalcontact_email' => 'na@example.com', 99 | 100 | /* 101 | * The timezone of the server. This option should be set to the timezone you want 102 | * SimpleSAMLphp to report the time in. The default is to guess the timezone based 103 | * on your system timezone. 104 | * 105 | * See this page for a list of valid timezones: http://php.net/manual/en/timezones.php 106 | */ 107 | 'timezone' => null, 108 | 109 | /* 110 | * Logging. 
111 | * 112 | * define the minimum log level to log 113 | * SimpleSAML_Logger::ERR No statistics, only errors 114 | * SimpleSAML_Logger::WARNING No statistics, only warnings/errors 115 | * SimpleSAML_Logger::NOTICE Statistics and errors 116 | * SimpleSAML_Logger::INFO Verbose logs 117 | * SimpleSAML_Logger::DEBUG Full debug logs - not recommended for production 118 | * 119 | * Choose logging handler. 120 | * 121 | * Options: [syslog,file,errorlog] 122 | * 123 | */ 124 | 'logging.level' => SimpleSAML_Logger::DEBUG, 125 | 'logging.handler' => 'errorlog', 126 | 127 | /* 128 | * Specify the format of the logs. Its use varies depending on the log handler used (for instance, you cannot 129 | * control here how dates are displayed when using the syslog or errorlog handlers), but in general the options 130 | * are: 131 | * 132 | * - %date{}: the date and time, with its format specified inside the brackets. See the PHP documentation 133 | * of the strftime() function for more information on the format. If the brackets are omitted, the standard 134 | * format is applied. This can be useful if you just want to control the placement of the date, but don't care 135 | * about the format. 136 | * 137 | * - %process: the name of the SimpleSAMLphp process. Remember you can configure this in the 'logging.processname' 138 | * option below. 139 | * 140 | * - %level: the log level (name or number depending on the handler used). 141 | * 142 | * - %stat: if the log entry is intended for statistical purposes, it will print the string 'STAT ' (bear in mind 143 | * the trailing space). 144 | * 145 | * - %trackid: the track ID, an identifier that allows you to track a single session. 146 | * 147 | * - %srcip: the IP address of the client. If you are behind a proxy, make sure to modify the 148 | * $_SERVER['REMOTE_ADDR'] variable on your code accordingly to the X-Forwarded-For header. 149 | * 150 | * - %msg: the message to be logged. 
151 | * 152 | */ 153 | //'logging.format' => '%date{%b %d %H:%M:%S} %process %level %stat[%trackid] %msg', 154 | 155 | /* 156 | * Choose which facility should be used when logging with syslog. 157 | * 158 | * These can be used for filtering the syslog output from SimpleSAMLphp into its 159 | * own file by configuring the syslog daemon. 160 | * 161 | * See the documentation for openlog (http://php.net/manual/en/function.openlog.php) for available 162 | * facilities. Note that only LOG_USER is valid on windows. 163 | * 164 | * The default is to use LOG_LOCAL5 if available, and fall back to LOG_USER if not. 165 | */ 166 | 'logging.facility' => defined('LOG_LOCAL5') ? constant('LOG_LOCAL5') : LOG_USER, 167 | 168 | /* 169 | * The process name that should be used when logging to syslog. 170 | * The value is also written out by the other logging handlers. 171 | */ 172 | 'logging.processname' => 'simplesamlphp', 173 | 174 | /* Logging: file - Logfilename in the loggingdir from above. 175 | */ 176 | 'logging.logfile' => 'simplesamlphp.log', 177 | 178 | /* (New) statistics output configuration. 179 | * 180 | * This is an array of outputs. Each output has at least a 'class' option, which 181 | * selects the output. 182 | */ 183 | 'statistics.out' => array(// Log statistics to the normal log. 184 | /* 185 | array( 186 | 'class' => 'core:Log', 187 | 'level' => 'notice', 188 | ), 189 | */ 190 | // Log statistics to files in a directory. One file per day. 191 | /* 192 | array( 193 | 'class' => 'core:File', 194 | 'directory' => '/var/log/stats', 195 | ), 196 | */ 197 | ), 198 | 199 | 200 | 201 | /* 202 | * Database 203 | * 204 | * This database configuration is optional. If you are not using 205 | * core functionality or modules that require a database, you can 206 | * skip this configuration. 207 | */ 208 | 209 | /* 210 | * Database connection string. 211 | * Ensure that you have the required PDO database driver installed 212 | * for your connection string. 
213 | */ 214 | 'database.dsn' => 'mysql:host=localhost;dbname=saml', 215 | 216 | /* 217 | * SQL database credentials 218 | */ 219 | 'database.username' => 'simplesamlphp', 220 | 'database.password' => 'secret', 221 | 222 | /* 223 | * (Optional) Table prefix 224 | */ 225 | 'database.prefix' => '', 226 | 227 | /* 228 | * True or false if you would like a persistent database connection 229 | */ 230 | 'database.persistent' => false, 231 | 232 | /* 233 | * Database slave configuration is optional as well. If you are only 234 | * running a single database server, leave this blank. If you have 235 | * a master/slave configuration, you can define as many slave servers 236 | * as you want here. Slaves will be picked at random to be queried from. 237 | * 238 | * Configuration options in the slave array are exactly the same as the 239 | * options for the master (shown above) with the exception of the table 240 | * prefix. 241 | */ 242 | 'database.slaves' => array( 243 | /* 244 | array( 245 | 'dsn' => 'mysql:host=myslave;dbname=saml', 246 | 'username' => 'simplesamlphp', 247 | 'password' => 'secret', 248 | 'persistent' => false, 249 | ), 250 | */ 251 | ), 252 | 253 | 254 | 255 | /* 256 | * Enable 257 | * 258 | * Which functionality in SimpleSAMLphp do you want to enable. Normally you would enable only 259 | * one of the functionalities below, but in some cases you could run multiple functionalities. 260 | * In example when you are setting up a federation bridge. 261 | */ 262 | 'enable.saml20-idp' => true, 263 | 'enable.shib13-idp' => true, 264 | 'enable.adfs-idp' => false, 265 | 'enable.wsfed-sp' => false, 266 | 'enable.authmemcookie' => false, 267 | 268 | 269 | /* 270 | * Module enable configuration 271 | * 272 | * Configuration to override module enabling/disabling. 273 | * 274 | * Example: 275 | * 276 | * 'module.enable' => array( 277 | * // Setting to TRUE enables. 278 | * 'exampleauth' => TRUE, 279 | * // Setting to FALSE disables. 
280 | * 'saml' => FALSE, 281 | * // Unset or NULL uses default. 282 | * 'core' => NULL, 283 | * ), 284 | * 285 | */ 286 | 287 | 288 | /* 289 | * This value is the duration of the session in seconds. Make sure that the time duration of 290 | * cookies both at the SP and the IdP exceeds this duration. 291 | */ 292 | 'session.duration' => intval(getenv('SIMPLESAMLPHP_IDP_SESSION_DURATION_SECONDS')) > 0 ? intval(getenv('SIMPLESAMLPHP_IDP_SESSION_DURATION_SECONDS')) : 8 * (60 * 60), // default 8 hours. 293 | 294 | /* 295 | * Sets the duration, in seconds, data should be stored in the datastore. As the datastore is used for 296 | * login and logout requests, thid option will control the maximum time these operations can take. 297 | * The default is 4 hours (4*60*60) seconds, which should be more than enough for these operations. 298 | */ 299 | 'session.datastore.timeout' => (4 * 60 * 60), // 4 hours 300 | 301 | /* 302 | * Sets the duration, in seconds, auth state should be stored. 303 | */ 304 | 'session.state.timeout' => (60 * 60), // 1 hour 305 | 306 | /* 307 | * Option to override the default settings for the session cookie name 308 | */ 309 | 'session.cookie.name' => 'SimpleSAMLSessionIDIdp', 310 | 311 | /* 312 | * Expiration time for the session cookie, in seconds. 313 | * 314 | * Defaults to 0, which means that the cookie expires when the browser is closed. 315 | * 316 | * Example: 317 | * 'session.cookie.lifetime' => 30*60, 318 | */ 319 | 'session.cookie.lifetime' => 0, 320 | 321 | /* 322 | * Limit the path of the cookies. 323 | * 324 | * Can be used to limit the path of the cookies to a specific subdirectory. 325 | * 326 | * Example: 327 | * 'session.cookie.path' => '/simplesaml/', 328 | */ 329 | 'session.cookie.path' => '/', 330 | 331 | /* 332 | * Cookie domain. 333 | * 334 | * Can be used to make the session cookie available to several domains. 
335 | * 336 | * Example: 337 | * 'session.cookie.domain' => '.example.org', 338 | */ 339 | 'session.cookie.domain' => null, 340 | 341 | /* 342 | * Set the secure flag in the cookie. 343 | * 344 | * Set this to TRUE if the user only accesses your service 345 | * through https. If the user can access the service through 346 | * both http and https, this must be set to FALSE. 347 | */ 348 | 'session.cookie.secure' => false, 349 | 350 | /* 351 | * Enable secure POST from HTTPS to HTTP. 352 | * 353 | * If you have some SP's on HTTP and IdP is normally on HTTPS, this option 354 | * enables secure POSTing to HTTP endpoint without warning from browser. 355 | * 356 | * For this to work, module.php/core/postredirect.php must be accessible 357 | * also via HTTP on IdP, e.g. if your IdP is on 358 | * https://idp.example.org/ssp/, then 359 | * http://idp.example.org/ssp/module.php/core/postredirect.php must be accessible. 360 | */ 361 | 'enable.http_post' => false, 362 | 363 | /* 364 | * Options to override the default settings for php sessions. 365 | */ 366 | 'session.phpsession.cookiename' => 'PHPSESSIDIDP', 367 | 'session.phpsession.savepath' => null, 368 | 'session.phpsession.httponly' => true, 369 | 370 | /* 371 | * Option to override the default settings for the auth token cookie 372 | */ 373 | 'session.authtoken.cookiename' => 'SimpleSAMLAuthTokenIdp', 374 | 375 | /* 376 | * Options for remember me feature for IdP sessions. Remember me feature 377 | * has to be also implemented in authentication source used. 378 | * 379 | * Option 'session.cookie.lifetime' should be set to zero (0), i.e. cookie 380 | * expires on browser session if remember me is not checked. 381 | * 382 | * Session duration ('session.duration' option) should be set according to 383 | * 'session.rememberme.lifetime' option. 384 | * 385 | * It's advised to use remember me feature with session checking function 386 | * defined with 'session.check_function' option. 
387 | */ 388 | 'session.rememberme.enable' => false, 389 | 'session.rememberme.checked' => false, 390 | 'session.rememberme.lifetime' => (14 * 86400), 391 | 392 | /** 393 | * Custom function for session checking called on session init and loading. 394 | * See docs/simplesamlphp-advancedfeatures.txt for function code example. 395 | * 396 | * Example: 397 | * 'session.check_function' => array('sspmod_example_Util', 'checkSession'), 398 | */ 399 | 400 | /* 401 | * Languages available, RTL languages, and what language is default 402 | */ 403 | 'language.available' => array( 404 | 'en', 'no', 'nn', 'se', 'da', 'de', 'sv', 'fi', 'es', 'fr', 'it', 'nl', 'lb', 'cs', 405 | 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt-br', 'tr', 'ja', 'zh', 'zh-tw', 'ru', 'et', 406 | 'he', 'id', 'sr', 'lv', 'ro', 'eu' 407 | ), 408 | 'language.rtl' => array('ar', 'dv', 'fa', 'ur', 'he'), 409 | 'language.default' => 'en', 410 | 411 | /* 412 | * Options to override the default settings for the language parameter 413 | */ 414 | 'language.parameter.name' => 'language', 415 | 'language.parameter.setcookie' => true, 416 | 417 | /* 418 | * Options to override the default settings for the language cookie 419 | */ 420 | 'language.cookie.name' => 'language', 421 | 'language.cookie.domain' => null, 422 | 'language.cookie.path' => '/', 423 | 'language.cookie.lifetime' => (60 * 60 * 24 * 900), 424 | 425 | /** 426 | * Custom getLanguage function called from SimpleSAML_XHTML_Template::getLanguage(). 427 | * Function should return language code of one of the available languages or NULL. 428 | * See SimpleSAML_XHTML_Template::getLanguage() source code for more info. 429 | * 430 | * This option can be used to implement a custom function for determining 431 | * the default language for the user. 432 | * 433 | * Example: 434 | * 'language.get_language_function' => array('sspmod_example_Template', 'getLanguage'), 435 | */ 436 | 437 | /* 438 | * Extra dictionary for attribute names. 
439 | * This can be used to define local attributes. 440 | * 441 | * The format of the parameter is a string with <module>:<dictionary>. 442 | * 443 | * Specifying this option will cause us to look for modules/<module>/dictionaries/<dictionary>.definition.json 444 | * The dictionary should look something like: 445 | * 446 | * { 447 | * "firstattribute": { 448 | * "en": "English name", 449 | * "no": "Norwegian name" 450 | * }, 451 | * "secondattribute": { 452 | * "en": "English name", 453 | * "no": "Norwegian name" 454 | * } 455 | * } 456 | * 457 | * Note that all attribute names in the dictionary must be in lowercase. 458 | * 459 | * Example: 'attributes.extradictionary' => 'ourmodule:ourattributes', 460 | */ 461 | 'attributes.extradictionary' => null, 462 | 463 | /* 464 | * Which theme directory should be used? 465 | */ 466 | 'theme.use' => 'default', 467 | 468 | 469 | /* 470 | * Default IdP for WS-Fed. 471 | */ 472 | 'default-wsfed-idp' => 'urn:federation:pingfederate:localhost', 473 | 474 | /* 475 | * Whether the discovery service should allow the user to save his choice of IdP. 476 | */ 477 | 'idpdisco.enableremember' => true, 478 | 'idpdisco.rememberchecked' => true, 479 | 480 | // Disco service only accepts entities it knows. 481 | 'idpdisco.validate' => true, 482 | 483 | 'idpdisco.extDiscoveryStorage' => null, 484 | 485 | /* 486 | * IdP Discovery service look configuration. 487 | * Whether to display a list of IdPs or to display a dropdown box. For many IdPs a dropdown box 488 | * gives the best user experience. 489 | * 490 | * When using a dropdown box a cookie is used to highlight the previously chosen IdP in the dropdown. 491 | * This makes it easier for the user to choose the IdP. 492 | * 493 | * Options: [links,dropdown] 494 | * 495 | */ 496 | 'idpdisco.layout' => 'dropdown', 497 | 498 | /* 499 | * Whether SimpleSAMLphp should sign the response or the assertion in SAML 1.1 authentication 500 | * responses. 
501 | * 502 | * The default is to sign the assertion element, but that can be overridden by setting this 503 | * option to TRUE. It can also be overridden on a pr. SP basis by adding an option with the 504 | * same name to the metadata of the SP. 505 | */ 506 | 'shib13.signresponse' => true, 507 | 508 | 509 | /* 510 | * Authentication processing filters that will be executed for all IdPs 511 | * Both Shibboleth and SAML 2.0 512 | */ 513 | 'authproc.idp' => array( 514 | /* Enable the authproc filter below to add URN Prefixces to all attributes 515 | 10 => array( 516 | 'class' => 'core:AttributeMap', 'addurnprefix' 517 | ), */ 518 | /* Enable the authproc filter below to automatically generated eduPersonTargetedID. 519 | 20 => 'core:TargetedID', 520 | */ 521 | 522 | // Adopts language from attribute to use in UI 523 | 30 => 'core:LanguageAdaptor', 524 | 525 | /* Add a realm attribute from edupersonprincipalname 526 | 40 => 'core:AttributeRealm', 527 | */ 528 | 45 => array( 529 | 'class' => 'core:StatisticsWithAttribute', 530 | 'attributename' => 'realm', 531 | 'type' => 'saml20-idp-SSO', 532 | ), 533 | 534 | /* When called without parameters, it will fallback to filter attributes ‹the old way› 535 | * by checking the 'attributes' parameter in metadata on IdP hosted and SP remote. 536 | */ 537 | 50 => 'core:AttributeLimit', 538 | 539 | /* 540 | * Search attribute "distinguishedName" for pattern and replaces if found 541 | 542 | 60 => array( 543 | 'class' => 'core:AttributeAlter', 544 | 'pattern' => '/OU=studerende/', 545 | 'replacement' => 'Student', 546 | 'subject' => 'distinguishedName', 547 | '%replace', 548 | ), 549 | */ 550 | 551 | /* 552 | * Consent module is enabled (with no permanent storage, using cookies). 553 | 554 | 90 => array( 555 | 'class' => 'consent:Consent', 556 | 'store' => 'consent:Cookie', 557 | 'focus' => 'yes', 558 | 'checked' => TRUE 559 | ), 560 | */ 561 | // If language is set in Consent module it will be added as an attribute. 
562 | 99 => 'core:LanguageAdaptor', 563 | ), 564 | /* 565 | * Authentication processing filters that will be executed for all SPs 566 | * Both Shibboleth and SAML 2.0 567 | */ 568 | 'authproc.sp' => array( 569 | /* 570 | 10 => array( 571 | 'class' => 'core:AttributeMap', 'removeurnprefix' 572 | ), 573 | */ 574 | 575 | /* 576 | * Generate the 'group' attribute populated from other variables, including eduPersonAffiliation. 577 | 60 => array( 578 | 'class' => 'core:GenerateGroups', 'eduPersonAffiliation' 579 | ), 580 | */ 581 | /* 582 | * All users will be members of 'users' and 'members' 583 | 61 => array( 584 | 'class' => 'core:AttributeAdd', 'groups' => array('users', 'members') 585 | ), 586 | */ 587 | 588 | // Adopts language from attribute to use in UI 589 | 90 => 'core:LanguageAdaptor', 590 | 591 | ), 592 | 593 | 594 | /* 595 | * This option configures the metadata sources. The metadata sources is given as an array with 596 | * different metadata sources. When searching for metadata, simpleSAMPphp will search through 597 | * the array from start to end. 598 | * 599 | * Each element in the array is an associative array which configures the metadata source. 600 | * The type of the metadata source is given by the 'type' element. For each type we have 601 | * different configuration options. 602 | * 603 | * Flat file metadata handler: 604 | * - 'type': This is always 'flatfile'. 605 | * - 'directory': The directory we will load the metadata files from. The default value for 606 | * this option is the value of the 'metadatadir' configuration option, or 607 | * 'metadata/' if that option is unset. 608 | * 609 | * XML metadata handler: 610 | * This metadata handler parses an XML file with either an EntityDescriptor element or an 611 | * EntitiesDescriptor element. The XML file may be stored locally, or (for debugging) on a remote 612 | * web server. 613 | * The XML hetadata handler defines the following options: 614 | * - 'type': This is always 'xml'. 
615 | * - 'file': Path to the XML file with the metadata. 616 | * - 'url': The URL to fetch metadata from. THIS IS ONLY FOR DEBUGGING - THERE IS NO CACHING OF THE RESPONSE. 617 | * 618 | * MDX metadata handler: 619 | * This metadata handler looks up for the metadata of an entity at the given MDX server. 620 | * The MDX metadata handler defines the following options: 621 | * - 'type': This is always 'mdx'. 622 | * - 'server': URL of the MDX server (url:port). Mandatory. 623 | * - 'validateFingerprint': The fingerprint of the certificate used to sign the metadata. 624 | * You don't need this option if you don't want to validate the signature on the metadata. Optional. 625 | * - 'cachedir': Directory where metadata can be cached. Optional. 626 | * - 'cachelength': Maximum time metadata cah be cached, in seconds. Default to 24 627 | * hours (86400 seconds). Optional. 628 | * 629 | * PDO metadata handler: 630 | * This metadata handler looks up metadata of an entity stored in a database. 631 | * 632 | * Note: If you are using the PDO metadata handler, you must configure the database 633 | * options in this configuration file. 634 | * 635 | * The PDO metadata handler defines the following options: 636 | * - 'type': This is always 'pdo'. 637 | * 638 | * 639 | * Examples: 640 | * 641 | * This example defines two flatfile sources. One is the default metadata directory, the other 642 | * is a metadata directory with autogenerated metadata files. 643 | * 644 | * 'metadata.sources' => array( 645 | * array('type' => 'flatfile'), 646 | * array('type' => 'flatfile', 'directory' => 'metadata-generated'), 647 | * ), 648 | * 649 | * This example defines a flatfile source and an XML source. 650 | * 'metadata.sources' => array( 651 | * array('type' => 'flatfile'), 652 | * array('type' => 'xml', 'file' => 'idp.example.org-idpMeta.xml'), 653 | * ), 654 | * 655 | * This example defines an mdx source. 
656 | * 'metadata.sources' => array( 657 | * array('type' => 'mdx', server => 'http://mdx.server.com:8080', 'cachedir' => '/var/simplesamlphp/mdx-cache', 'cachelength' => 86400) 658 | * ), 659 | * 660 | * This example defines an pdo source. 661 | * 'metadata.sources' => array( 662 | * array('type' => 'pdo') 663 | * ), 664 | * 665 | * Default: 666 | * 'metadata.sources' => array( 667 | * array('type' => 'flatfile') 668 | * ), 669 | */ 670 | 'metadata.sources' => array( 671 | array('type' => 'flatfile'), 672 | ), 673 | 674 | 675 | /* 676 | * Configure the datastore for SimpleSAMLphp. 677 | * 678 | * - 'phpsession': Limited datastore, which uses the PHP session. 679 | * - 'memcache': Key-value datastore, based on memcache. 680 | * - 'sql': SQL datastore, using PDO. 681 | * 682 | * The default datastore is 'phpsession'. 683 | * 684 | * (This option replaces the old 'session.handler'-option.) 685 | */ 686 | 'store.type' => 'phpsession', 687 | 688 | 689 | /* 690 | * The DSN the sql datastore should connect to. 691 | * 692 | * See http://www.php.net/manual/en/pdo.drivers.php for the various 693 | * syntaxes. 694 | */ 695 | 'store.sql.dsn' => 'sqlite:/path/to/sqlitedatabase.sq3', 696 | 697 | /* 698 | * The username and password to use when connecting to the database. 699 | */ 700 | 'store.sql.username' => null, 701 | 'store.sql.password' => null, 702 | 703 | /* 704 | * The prefix we should use on our tables. 705 | */ 706 | 'store.sql.prefix' => 'SimpleSAMLphp', 707 | 708 | 709 | /* 710 | * Configuration for the 'memcache' session store. This allows you to store 711 | * multiple redundant copies of sessions on different memcache servers. 712 | * 713 | * 'memcache_store.servers' is an array of server groups. Every data 714 | * item will be mirrored in every server group. 715 | * 716 | * Each server group is an array of servers. The data items will be 717 | * load-balanced between all servers in each server group. 
718 | * 719 | * Each server is an array of parameters for the server. The following 720 | * options are available: 721 | * - 'hostname': This is the hostname or ip address where the 722 | * memcache server runs. This is the only required option. 723 | * - 'port': This is the port number of the memcache server. If this 724 | * option isn't set, then we will use the 'memcache.default_port' 725 | * ini setting. This is 11211 by default. 726 | * - 'weight': This sets the weight of this server in this server 727 | * group. http://php.net/manual/en/function.Memcache-addServer.php 728 | * contains more information about the weight option. 729 | * - 'timeout': The timeout for this server. By default, the timeout 730 | * is 3 seconds. 731 | * 732 | * Example of redundant configuration with load balancing: 733 | * This configuration makes it possible to lose both servers in the 734 | * a-group or both servers in the b-group without losing any sessions. 735 | * Note that sessions will be lost if one server is lost from both the 736 | * a-group and the b-group. 737 | * 738 | * 'memcache_store.servers' => array( 739 | * array( 740 | * array('hostname' => 'mc_a1'), 741 | * array('hostname' => 'mc_a2'), 742 | * ), 743 | * array( 744 | * array('hostname' => 'mc_b1'), 745 | * array('hostname' => 'mc_b2'), 746 | * ), 747 | * ), 748 | * 749 | * Example of simple configuration with only one memcache server, 750 | * running on the same computer as the web server: 751 | * Note that all sessions will be lost if the memcache server crashes. 752 | * 753 | * 'memcache_store.servers' => array( 754 | * array( 755 | * array('hostname' => 'localhost'), 756 | * ), 757 | * ), 758 | * 759 | */ 760 | 'memcache_store.servers' => array( 761 | array( 762 | array('hostname' => 'localhost'), 763 | ), 764 | ), 765 | 766 | 767 | /* 768 | * This value allows you to set a prefix for memcache-keys. The default 769 | * for this value is 'SimpleSAMLphp', which is fine in most cases. 
770 | * 771 | * When running multiple instances of SSP on the same host, and more 772 | * than one instance is using memcache, you probably want to assign 773 | * a unique value per instance to this setting to avoid data collision. 774 | */ 775 | 'memcache_store.prefix' => null, 776 | 777 | 778 | /* 779 | * This value is the duration data should be stored in memcache. Data 780 | * will be dropped from the memcache servers when this time expires. 781 | * The time will be reset every time the data is written to the 782 | * memcache servers. 783 | * 784 | * This value should always be larger than the 'session.duration' 785 | * option. Not doing this may result in the session being deleted from 786 | * the memcache servers while it is still in use. 787 | * 788 | * Set this value to 0 if you don't want data to expire. 789 | * 790 | * Note: The oldest data will always be deleted if the memcache server 791 | * runs out of storage space. 792 | */ 793 | 'memcache_store.expires' => 36 * (60 * 60), // 36 hours. 794 | 795 | 796 | /* 797 | * Should signing of generated metadata be enabled by default. 798 | * 799 | * Metadata signing can also be enabled for a individual SP or IdP by setting the 800 | * same option in the metadata for the SP or IdP. 801 | */ 802 | 'metadata.sign.enable' => false, 803 | 804 | /* 805 | * The default key & certificate which should be used to sign generated metadata. These 806 | * are files stored in the cert dir. 807 | * These values can be overridden by the options with the same names in the SP or 808 | * IdP metadata. 809 | * 810 | * If these aren't specified here or in the metadata for the SP or IdP, then 811 | * the 'certificate' and 'privatekey' option in the metadata will be used. 812 | * if those aren't set, signing of metadata will fail. 813 | */ 814 | 'metadata.sign.privatekey' => null, 815 | 'metadata.sign.privatekey_pass' => null, 816 | 'metadata.sign.certificate' => null, 817 | 818 | 819 | /* 820 | * Proxy to use for retrieving URLs. 
821 | * 822 | * Example: 823 | * 'proxy' => 'tcp://proxy.example.com:5100' 824 | */ 825 | 'proxy' => null, 826 | 827 | /* 828 | * Array of domains that are allowed when generating links or redirections 829 | * to URLs. SimpleSAMLphp will use this option to determine whether to 830 | * to consider a given URL valid or not, but you should always validate 831 | * URLs obtained from the input on your own (i.e. ReturnTo or RelayState 832 | * parameters obtained from the $_REQUEST array). 833 | * 834 | * SimpleSAMLphp will automatically add your own domain (either by checking 835 | * it dynamically, or by using the domain defined in the 'baseurlpath' 836 | * directive, the latter having precedence) to the list of trusted domains, 837 | * in case this option is NOT set to NULL. In that case, you are explicitly 838 | * telling SimpleSAMLphp to verify URLs. 839 | * 840 | * Set to an empty array to disallow ALL redirections or links pointing to 841 | * an external URL other than your own domain. This is the default behaviour. 842 | * 843 | * Set to NULL to disable checking of URLs. DO NOT DO THIS UNLESS YOU KNOW 844 | * WHAT YOU ARE DOING! 845 | * 846 | * Example: 847 | * 'trusted.url.domains' => array('sp.example.com', 'app.example.com'), 848 | */ 849 | 'trusted.url.domains' => array(), 850 | 851 | ); 852 | --------------------------------------------------------------------------------