From 409bfeec66d5df295f57fb856c78b0f2c798ecc5 Mon Sep 17 00:00:00 2001 From: h7x4 Date: Sat, 6 Apr 2024 17:23:15 +0200 Subject: [PATCH] Update simplesaml config to match 2.2.1 version --- dist/simplesamlphp-config.php | 372 ++++++++++++++++++++-------------- 1 file changed, 219 insertions(+), 153 deletions(-) diff --git a/dist/simplesamlphp-config.php b/dist/simplesamlphp-config.php index cde6952..73f69fe 100644 --- a/dist/simplesamlphp-config.php +++ b/dist/simplesamlphp-config.php @@ -1,19 +1,11 @@ '/simplesaml/', + 'baseurlpath' => 'simplesaml/', /* * The 'application' configuration array groups a set configuration options * relative to an application protected by SimpleSAMLphp. */ - //'application' => [ + 'application' => [ /* * The 'baseURL' configuration option allows you to specify a protocol, * host and optionally a port that serves as the canonical base for all @@ -59,23 +53,74 @@ $config = [ * to SimpleSAMLphp's API. */ //'baseURL' => 'https://example.com', - //], + ], /* * The following settings are *filesystem paths* which define where * SimpleSAMLphp can find or write the following things: - * - 'certdir': The base directory for certificate and key material. - * - 'loggingdir': Where to write logs. + * - 'cachedir': Where SimpleSAMLphp can write its cache. + * - 'loggingdir': Where to write logs. MUST be set to NULL when using a logging + * handler other than `file`. * - 'datadir': Storage of general data. * - 'tempdir': Saving temporary files. SimpleSAMLphp will attempt to create - * this directory if it doesn't exist. + * this directory if it doesn't exist. DEPRECATED - replaced by cachedir. * When specified as a relative path, this is relative to the SimpleSAMLphp * root directory. */ + 'cachedir' => '/var/cache/simplesamlphp', + //'loggingdir' => '/var/log/', + //'datadir' => '/var/data/', + //'tempdir' => '/tmp/simplesamlphp', + + /* + * Certificate and key material can be loaded from different possible + * locations. Currently two locations are supported, the local filesystem + * and the database via pdo using the global database configuration. Locations + * are specified by a URL-link prefix before the file name/path or database + * identifier. + */ + + /* To load a certificate or key from the filesystem, it should be specified + * as 'file://' where is either a relative filename or a fully + * qualified path to a file containing the certificate or key in PEM + * format, such as 'cert.pem' or '/path/to/cert.pem'. If the path is + * relative, it will be searched for in the directory defined by the + * 'certdir' parameter below. When 'certdir' is specified as a relative + * path, it will be interpreted as relative to the SimpleSAMLphp root + * directory. Note that locations with no prefix included will be treated + * as file locations. + */ 'certdir' => 'cert/', - 'loggingdir' => 'log/', - 'datadir' => 'data/', - 'tempdir' => '/tmp/simplesaml', + + /* To load a certificate or key from the database, it should be specified + * as 'pdo://' where is the identifier in the database table that + * should be matched. While the certificate and key tables are expected to + * be in the simplesaml database, they are not created or managed by + * simplesaml. The following parameters control how the pdo location + * attempts to retrieve certificates and keys from the database: + * + * - 'cert.pdo.table': name of table where certificates are stored + * - 'cert.pdo.keytable': name of table where keys are stored + * - 'cert.pdo.apply_prefix': whether or not to prepend the database.prefix + * parameter to the table names; if you are using + * database.prefix to separate multiple SSP instances + * in the same database but want to share certificate/key + * data between them, set this to false + * - 'cert.pdo.id_column': name of column to use as identifier + * - 'cert.pdo.data_column': name of column where PEM data is stored + * + * Basically, the query executed will be: + * + * SELECT cert.pdo.data_column FROM cert.pdo.table WHERE cert.pdo.id_column = :id + * + * Defaults are shown below, to change them, uncomment the line and update as + * needed + */ + //'cert.pdo.table' => 'certificates', + //'cert.pdo.keytable' => 'private_keys', + //'cert.pdo.apply_prefix' => true, + //'cert.pdo.id_column' => 'id', + //'cert.pdo.data_column' => 'data', /* * Some information about the technical persons running this installation. @@ -97,18 +142,22 @@ $config = [ * Set the transport options for the transport method specified. The valid settings are relative to the * selected transport method. */ - // // smtp mail transport options - // 'mail.transport.options' => [ - // 'host' => 'mail.example.org', // required - // 'port' => 25, // optional - // 'username' => 'user@example.org', // optional: if set, enables smtp authentication - // 'password' => 'password', // optional: if set, enables smtp authentication - // 'security' => 'tls', // optional: defaults to no smtp security - // ], - // // sendmail mail transport options - // 'mail.transport.options' => [ - // 'path' => '/usr/sbin/sendmail' // optional: defaults to php.ini path - // ], + /* + 'mail.transport.options' => [ + 'host' => 'mail.example.org', // required + 'port' => 25, // optional + 'username' => 'user@example.org', // optional: if set, enables smtp authentication + 'password' => 'password', // optional: if set, enables smtp authentication + 'security' => 'tls', // optional: defaults to no smtp security + 'smtpOptions' => [], // optional: passed to stream_context_create when connecting via SMTP + ], + + // sendmail mail transport options + /* + 'mail.transport.options' => [ + 'path' => '/usr/sbin/sendmail' // optional: defaults to php.ini path + ], + */ /* * The envelope from address for outgoing emails. @@ -138,7 +187,7 @@ $config = [ * 'secretsalt' can be any valid string of any length. * * A possible way to generate a random salt is by running the following command from a unix shell: - * LC_CTYPE=C tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' /dev/null;echo + * LC_ALL=C tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' /dev/null;echo */ 'secretsalt' => $SAML_COOKIE_SALT, @@ -151,10 +200,8 @@ $config = [ 'auth.adminpassword' => $SAML_ADMIN_PASSWORD, /* - * Set this options to true if you want to require administrator password to access the web interface - * or the metadata pages, respectively. + * Set this option to true if you want to require administrator password to access the metadata. */ - 'admin.protectindexpage' => false, 'admin.protectmetadata' => false, /* @@ -214,7 +261,7 @@ $config = [ /* * Set the allowed clock skew between encrypting/decrypting assertions * - * If you have an server that is constantly out of sync, this option + * If you have a server that is constantly out of sync, this option * allows you to adjust the allowed clock-skew. * * Allowed range: 180 - 300 @@ -222,6 +269,21 @@ $config = [ */ 'assertion.allowed_clock_skew' => 180, + /* + * Set custom security headers. The defaults can be found in \SimpleSAML\Configuration::DEFAULT_SECURITY_HEADERS + * + * NOTE: When a header is already set on the response we will NOT overrule it and leave it untouched. + * + * Whenever you change any of these headers, make sure to validate your config by running your + * hostname through a security-test like https://en.internet.nl + 'headers.security' => [ + 'Content-Security-Policy' => "default-src 'none'; frame-ancestors 'self'; object-src 'none'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self'; img-src 'self' data:; base-uri 'none'", + 'X-Frame-Options' => 'SAMEORIGIN', + 'X-Content-Type-Options' => 'nosniff', + 'Referrer-Policy' => 'origin-when-cross-origin', + ], + */ + /************************ | ERRORS AND DEBUGGING | @@ -276,14 +338,13 @@ $config = [ /* * Custom error show function called from SimpleSAML\Error\Error::show. - * See docs/simplesamlphp-errorhandling.txt for function code example. + * See docs/simplesamlphp-errorhandling.md for function code example. * * Example: * 'errors.show_function' => ['SimpleSAML\Module\example\Error', 'show'], */ - /************************** | LOGGING AND STATISTICS | **************************/ @@ -300,6 +361,9 @@ $config = [ * * Options: [syslog,file,errorlog,stderr] * + * If you set the handler to 'file', the directory specified in loggingdir above + * must exist and be writable for SimpleSAMLphp. If set to something else, set + * loggingdir above to 'null'. */ 'logging.level' => SimpleSAML\Logger::NOTICE, 'logging.handler' => 'syslog', @@ -310,7 +374,7 @@ $config = [ * are: * * - %date{}: the date and time, with its format specified inside the brackets. See the PHP documentation - * of the strftime() function for more information on the format. If the brackets are omitted, the standard + * of the date() function for more information on the format. If the brackets are omitted, the standard * format is applied. This can be useful if you just want to control the placement of the date, but don't care * about the format. * @@ -330,7 +394,7 @@ $config = [ * - %msg: the message to be logged. * */ - //'logging.format' => '%date{%b %d %H:%M:%S} %process %level %stat[%trackid] %msg', + //'logging.format' => '%date{M j H:i:s} %process %level %stat[%trackid] %msg', /* * Choose which facility should be used when logging with syslog. @@ -360,7 +424,8 @@ $config = [ * This is an array of outputs. Each output has at least a 'class' option, which * selects the output. */ - 'statistics.out' => [// Log statistics to the normal log. + 'statistics.out' => [ + // Log statistics to the normal log. /* [ 'class' => 'core:Log', @@ -439,19 +504,19 @@ $config = [ 'database.persistent' => false, /* - * Database slave configuration is optional as well. If you are only + * Database secondary configuration is optional as well. If you are only * running a single database server, leave this blank. If you have - * a master/slave configuration, you can define as many slave servers - * as you want here. Slaves will be picked at random to be queried from. + * a primary/secondary configuration, you can define as many secondary servers + * as you want here. Secondaries will be picked at random to be queried from. * - * Configuration options in the slave array are exactly the same as the - * options for the master (shown above) with the exception of the table + * Configuration options in the secondary array are exactly the same as the + * options for the primary (shown above) with the exception of the table * prefix and driver options. */ - 'database.slaves' => [ + 'database.secondaries' => [ /* [ - 'dsn' => 'mysql:host=myslave;dbname=saml', + 'dsn' => 'mysql:host=mysecondary;dbname=saml', 'username' => 'simplesamlphp', 'password' => 'secret', 'persistent' => false, @@ -469,23 +534,10 @@ $config = [ * Which functionality in SimpleSAMLphp do you want to enable. Normally you would enable only * one of the functionalities below, but in some cases you could run multiple functionalities. * In example when you are setting up a federation bridge. - * - * Note that shib13-idp has been deprecated and will be removed in SimpleSAMLphp 2.0. */ 'enable.saml20-idp' => false, - 'enable.shib13-idp' => false, 'enable.adfs-idp' => false, - /* - * Whether SimpleSAMLphp should sign the response or the assertion in SAML 1.1 authentication - * responses. - * - * The default is to sign the assertion element, but that can be overridden by setting this - * option to TRUE. It can also be overridden on a pr. SP basis by adding an option with the - * same name to the metadata of the SP. - */ - 'shib13.signresponse' => true, - /*********** @@ -493,23 +545,23 @@ $config = [ ***********/ /* - * Configuration to override module enabling/disabling. + * Configuration for enabling/disabling modules. By default the 'core', 'admin' and 'saml' modules are enabled. * * Example: * * 'module.enable' => [ - * 'exampleauth' => true, // Setting to TRUE enables. - * 'consent' => false, // Setting to FALSE disables. - * 'core' => null, // Unset or NULL uses default. + * 'exampleauth' => true, // Setting to TRUE enables. + * 'consent' => false, // Setting to FALSE disables. + * 'core' => null, // Unset or NULL uses default. * ], - * */ - 'module.enable' => [ - 'exampleauth' => false, - 'core' => true, - 'saml' => true - ], + 'module.enable' => [ + 'exampleauth' => false, + 'core' => true, + 'admin' => true, + 'saml' => true + ], /************************* @@ -567,7 +619,7 @@ $config = [ * Example: * 'session.cookie.domain' => '.example.org', */ - 'session.cookie.domain' => null, + 'session.cookie.domain' => '', /* * Set the secure flag in the cookie. @@ -575,6 +627,8 @@ $config = [ * Set this to TRUE if the user only accesses your service * through https. If the user can access the service through * both http and https, this must be set to FALSE. + * + * If unset, SimpleSAMLphp will try to automatically determine the right value */ 'session.cookie.secure' => $SAML_COOKIE_SECURE, @@ -595,7 +649,7 @@ $config = [ * Example: * 'session.cookie.samesite' => 'None', */ - 'session.cookie.samesite' => \SimpleSAML\Utils\HTTP::canSetSameSiteNone() ? 'None' : null, + 'session.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null, /* * Options to override the default settings for php sessions. @@ -628,7 +682,7 @@ $config = [ /* * Custom function for session checking called on session init and loading. - * See docs/simplesamlphp-advancedfeatures.txt for function code example. + * See docs/simplesamlphp-advancedfeatures.md for function code example. * * Example: * 'session.check_function' => ['\SimpleSAML\Module\example\Util', 'checkSession'], @@ -762,48 +816,13 @@ $config = [ | LANGUAGE AND INTERNATIONALIZATION | *************************************/ - /* - * Language-related options. - */ - 'language' => [ - /* - * An array in the form 'language' => . - * - * Each key in the array is the ISO 639 two-letter code for a language, - * and its value is an array with a list of alternative languages that - * can be used if the given language is not available at some point. - * Each alternative language is also specified by its ISO 639 code. - * - * For example, for the "no" language code (Norwegian), we would have: - * - * 'priorities' => [ - * 'no' => ['nb', 'nn', 'en', 'se'], - * ... - * ], - * - * establishing that if a translation for the "no" language code is - * not available, we look for translations in "nb", - * and so on, in that order. - */ - 'priorities' => [ - 'no' => ['nb', 'nn', 'en', 'se'], - 'nb' => ['no', 'nn', 'en', 'se'], - 'nn' => ['no', 'nb', 'en', 'se'], - 'se' => ['nb', 'no', 'nn', 'en'], - 'nr' => ['zu', 'en'], - 'nd' => ['zu', 'en'], - 'tw' => ['st', 'en'], - 'nso' => ['st', 'en'], - ], - ], - /* * Languages available, RTL languages, and what language is the default. */ 'language.available' => [ 'en', 'no', 'nn', 'se', 'da', 'de', 'sv', 'fi', 'es', 'ca', 'fr', 'it', 'nl', 'lb', - 'cs', 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt-br', 'tr', 'ja', 'zh', 'zh-tw', 'ru', - 'et', 'he', 'id', 'sr', 'lv', 'ro', 'eu', 'el', 'af', 'zu', 'xh', 'st', + 'cs', 'sk', 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt-br', 'tr', 'ja', 'zh', 'zh-tw', + 'ru', 'et', 'he', 'id', 'sr', 'lv', 'ro', 'eu', 'el', 'af', 'zu', 'xh', 'st', ], 'language.rtl' => ['ar', 'dv', 'fa', 'ur', 'he'], 'language.default' => 'en', @@ -818,12 +837,12 @@ $config = [ * Options to override the default settings for the language cookie */ 'language.cookie.name' => 'language', - 'language.cookie.domain' => null, + 'language.cookie.domain' => '', 'language.cookie.path' => '/', 'language.cookie.secure' => true, 'language.cookie.httponly' => false, 'language.cookie.lifetime' => (60 * 60 * 24 * 900), - 'language.cookie.samesite' => \SimpleSAML\Utils\HTTP::canSetSameSiteNone() ? 'None' : null, + 'language.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null, /** * Custom getLanguage function called from SimpleSAML\Locale\Language::getLanguage(). @@ -837,34 +856,6 @@ $config = [ * 'language.get_language_function' => ['\SimpleSAML\Module\example\Template', 'getLanguage'], */ - /* - * Extra dictionary for attribute names. - * This can be used to define local attributes. - * - * The format of the parameter is a string with :. - * - * Specifying this option will cause us to look for modules//dictionaries/.definition.json - * The dictionary should look something like: - * - * { - * "firstattribute": { - * "en": "English name", - * "no": "Norwegian name" - * }, - * "secondattribute": { - * "en": "English name", - * "no": "Norwegian name" - * } - * } - * - * Note that all attribute names in the dictionary must in lowercase. - * - * Example: 'attributes.extradictionary' => 'ourmodule:ourattributes', - */ - 'attributes.extradictionary' => null, - - - /************** | APPEARANCE | **************/ @@ -878,7 +869,7 @@ $config = [ * Set this option to the text you would like to appear at the header of each page. Set to false if you don't want * any text to appear in the header. */ - //'theme.header' => 'SimpleSAMLphp' + //'theme.header' => 'SimpleSAMLphp', /** * A template controller, if any. @@ -944,6 +935,12 @@ $config = [ ], ], + /** + * Set to a full URL if you want to redirect users that land on SimpleSAMLphp's + * front page to somewhere more useful. If left unset, a basic welcome message + * is shown. + */ + //'frontpage.redirect' => 'https://example.com/', /********************* | DISCOVERY SERVICE | @@ -964,7 +961,7 @@ $config = [ /* * IdP Discovery service look configuration. - * Wether to display a list of idp or to display a dropdown box. For many IdP' a dropdown box + * Whether to display a list of idp or to display a dropdown box. For many IdP' a dropdown box * gives the best use experience. * * When using dropdown box a cookie is used to highlight the previously chosen IdP in the dropdown. @@ -982,11 +979,10 @@ $config = [ /* * Authentication processing filters that will be executed for all IdPs - * Both Shibboleth and SAML 2.0 */ 'authproc.idp' => [ /* Enable the authproc filter below to add URN prefixes to all attributes - 10 => array[ + 10 => [ 'class' => 'core:AttributeMap', 'addurnprefix' ], */ @@ -997,12 +993,6 @@ $config = [ // Adopts language from attribute to use in UI 30 => 'core:LanguageAdaptor', - 45 => [ - 'class' => 'core:StatisticsWithAttribute', - 'attributename' => 'realm', - 'type' => 'saml20-idp-SSO', - ], - /* When called without parameters, it will fallback to filter attributes 'the old way' * by checking the 'attributes' parameter in metadata on IdP hosted and SP remote. */ @@ -1038,7 +1028,6 @@ $config = [ /* * Authentication processing filters that will be executed for all SPs - * Both Shibboleth and SAML 2.0 */ 'authproc.sp' => [ /* @@ -1107,7 +1096,7 @@ $config = [ * The MDQ metadata handler defines the following options: * - 'type': This is always 'mdq'. * - 'server': Base URL of the MDQ server. Mandatory. - * - 'validateFingerprint': The fingerprint of the certificate used to sign the metadata. You don't need this + * - 'validateCertificate': The certificates file that may be used to sign the metadata. You don't need this * option if you don't want to validate the signature on the metadata. Optional. * - 'cachedir': Directory where metadata can be cached. Optional. * - 'cachelength': Maximum time metadata can be cached, in seconds. Defaults to 24 @@ -1143,6 +1132,10 @@ $config = [ * [ * 'type' => 'mdq', * 'server' => 'http://mdq.server.com:8080', + * 'validateCertificate' => [ + * '/var/simplesamlphp/cert/metadata-key.new.crt', + * '/var/simplesamlphp/cert/metadata-key.old.crt' + * ], * 'cachedir' => '/var/simplesamlphp/mdq-cache', * 'cachelength' => 86400 * ] @@ -1183,6 +1176,7 @@ $config = [ 'metadata.sign.privatekey' => null, 'metadata.sign.privatekey_pass' => null, 'metadata.sign.certificate' => null, + 'metadata.sign.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', /**************************** @@ -1220,14 +1214,86 @@ $config = [ */ 'store.sql.prefix' => 'SimpleSAMLphp', + /* + * The driver-options we should pass to the PDO-constructor. + */ + 'store.sql.options' => [], + /* * The hostname and port of the Redis datastore instance. */ 'store.redis.host' => 'localhost', 'store.redis.port' => 6379, + /* + * The credentials to use when connecting to Redis. + * + * If your Redis server is using the legacy password protection (config + * directive "requirepass" in redis.conf) then you should only provide + * a password. + * + * If your Redis server is using ACL's (which are recommended as of + * Redis 6+) then you should provide both a username and a password. + * See https://redis.io/docs/manual/security/acl/ + */ + 'store.redis.username' => '', + 'store.redis.password' => '', + + /* + * Communicate with Redis over a secure connection instead of plain TCP. + * + * This setting affects both single host connections as + * well as Sentinel mode. + */ + 'store.redis.tls' => false, + + /* + * Verify the Redis server certificate. + */ + 'store.redis.insecure' => false, + + /* + * Files related to secure communication with Redis. + * + * Files are searched in the 'certdir' when using relative paths. + */ + 'store.redis.ca_certificate' => null, + 'store.redis.certificate' => null, + 'store.redis.privatekey' => null, + /* * The prefix we should use on our Redis datastore. */ 'store.redis.prefix' => 'SimpleSAMLphp', + + /* + * The master group to use for Redis Sentinel. + */ + 'store.redis.mastergroup' => 'mymaster', + + /* + * The Redis Sentinel hosts. + * Example: + * 'store.redis.sentinels' => [ + * 'tcp://[yoursentinel1]:[port]', + * 'tcp://[yoursentinel2]:[port]', + * 'tcp://[yoursentinel3]:[port] + * ], + * + * Use 'tls' instead of 'tcp' in order to make use of the additional + * TLS settings. + */ + 'store.redis.sentinels' => [], + + /********************* + | IdP/SP PROXY MODE | + *********************/ + + /* + * If the IdP in front of SimpleSAMLphp in IdP/SP proxy mode sends + * AuthnContextClassRef, decide whether the AuthnContextClassRef will be + * processed by the IdP/SP proxy or if it will be passed to the SP behind + * the IdP/SP proxy. + */ + 'proxymode.passAuthnContextClassRef' => false, ];