Update simplesaml config to match 2.2.1 version

Oystein Kristoffer Tveit 2024-04-06 17:23:15 +02:00
parent 4d3adf7258
commit 409bfeec66
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
1 changed files with 219 additions and 153 deletions


@ -1,19 +1,11 @@
<?php
# require_once(dirname(dirname(dirname(dirname(__DIR__)))) . DIRECTORY_SEPARATOR . 'config.php');
/*
$config_dir = dirname(__DIR__);
while (!file_exists($config_dir . DIRECTORY_SEPARATOR . 'config.php')) {
$config_dir = dirname($config_dir);
}
include $config_dir . DIRECTORY_SEPARATOR . 'config.php';
*/
/**
* The configuration of SimpleSAMLphp
*/
$httpUtils = new \SimpleSAML\Utils\HTTP();
$config = [
/*******************************
@ -32,18 +24,20 @@ $config = [
*
* The full url format is useful if your SimpleSAMLphp setup is hosted behind
* a reverse proxy. In that case you can specify the external url here.
* Specifying the full URL including https: will let SimpleSAMLphp know
* that it runs on HTTPS even if the backend server is plain HTTP.
*
* Please note that SimpleSAMLphp will then redirect all queries to the
* external url, no matter where you come from (direct access or via the
* reverse proxy).
*/
'baseurlpath' => '/simplesaml/',
'baseurlpath' => 'simplesaml/',
/*
* The 'application' configuration array groups a set configuration options
* relative to an application protected by SimpleSAMLphp.
*/
//'application' => [
'application' => [
/*
* The 'baseURL' configuration option allows you to specify a protocol,
* host and optionally a port that serves as the canonical base for all
@ -59,23 +53,74 @@ $config = [
* to SimpleSAMLphp's API.
*/
//'baseURL' => 'https://example.com',
//],
],
/*
* The following settings are *filesystem paths* which define where
* SimpleSAMLphp can find or write the following things:
* - 'certdir': The base directory for certificate and key material.
* - 'loggingdir': Where to write logs.
* - 'cachedir': Where SimpleSAMLphp can write its cache.
* - 'loggingdir': Where to write logs. MUST be set to NULL when using a logging
* handler other than `file`.
* - 'datadir': Storage of general data.
* - 'tempdir': Saving temporary files. SimpleSAMLphp will attempt to create
* this directory if it doesn't exist.
* this directory if it doesn't exist. DEPRECATED - replaced by cachedir.
* When specified as a relative path, this is relative to the SimpleSAMLphp
* root directory.
*/
'cachedir' => '/var/cache/simplesamlphp',
//'loggingdir' => '/var/log/',
//'datadir' => '/var/data/',
//'tempdir' => '/tmp/simplesamlphp',
/*
* Certificate and key material can be loaded from different possible
* locations. Currently two locations are supported, the local filesystem
* and the database via pdo using the global database configuration. Locations
* are specified by a URL-link prefix before the file name/path or database
* identifier.
*/
/* To load a certificate or key from the filesystem, it should be specified
* as 'file://<name>' where <name> is either a relative filename or a fully
* qualified path to a file containing the certificate or key in PEM
* format, such as 'cert.pem' or '/path/to/cert.pem'. If the path is
* relative, it will be searched for in the directory defined by the
* 'certdir' parameter below. When 'certdir' is specified as a relative
* path, it will be interpreted as relative to the SimpleSAMLphp root
* directory. Note that locations with no prefix included will be treated
* as file locations.
*/
'certdir' => 'cert/',
'loggingdir' => 'log/',
'datadir' => 'data/',
'tempdir' => '/tmp/simplesaml',
/* To load a certificate or key from the database, it should be specified
* as 'pdo://<id>' where <id> is the identifier in the database table that
* should be matched. While the certificate and key tables are expected to
* be in the simplesaml database, they are not created or managed by
* simplesaml. The following parameters control how the pdo location
* attempts to retrieve certificates and keys from the database:
*
* - 'cert.pdo.table': name of table where certificates are stored
* - 'cert.pdo.keytable': name of table where keys are stored
* - 'cert.pdo.apply_prefix': whether or not to prepend the database.prefix
* parameter to the table names; if you are using
* database.prefix to separate multiple SSP instances
* in the same database but want to share certificate/key
* data between them, set this to false
* - 'cert.pdo.id_column': name of column to use as identifier
* - 'cert.pdo.data_column': name of column where PEM data is stored
*
* Basically, the query executed will be:
*
* SELECT cert.pdo.data_column FROM cert.pdo.table WHERE cert.pdo.id_column = :id
*
* Defaults are shown below, to change them, uncomment the line and update as
* needed
*/
//'cert.pdo.table' => 'certificates',
//'cert.pdo.keytable' => 'private_keys',
//'cert.pdo.apply_prefix' => true,
//'cert.pdo.id_column' => 'id',
//'cert.pdo.data_column' => 'data',
/*
* Some information about the technical persons running this installation.
@ -97,18 +142,22 @@ $config = [
* Set the transport options for the transport method specified. The valid settings are relative to the
* selected transport method.
*/
// // smtp mail transport options
// 'mail.transport.options' => [
// 'host' => 'mail.example.org', // required
// 'port' => 25, // optional
// 'username' => 'user@example.org', // optional: if set, enables smtp authentication
// 'password' => 'password', // optional: if set, enables smtp authentication
// 'security' => 'tls', // optional: defaults to no smtp security
// ],
// // sendmail mail transport options
// 'mail.transport.options' => [
// 'path' => '/usr/sbin/sendmail' // optional: defaults to php.ini path
// ],
/*
'mail.transport.options' => [
'host' => 'mail.example.org', // required
'port' => 25, // optional
'username' => 'user@example.org', // optional: if set, enables smtp authentication
'password' => 'password', // optional: if set, enables smtp authentication
'security' => 'tls', // optional: defaults to no smtp security
'smtpOptions' => [], // optional: passed to stream_context_create when connecting via SMTP
],
// sendmail mail transport options
/*
'mail.transport.options' => [
'path' => '/usr/sbin/sendmail' // optional: defaults to php.ini path
],
*/
/*
* The envelope from address for outgoing emails.
@ -138,7 +187,7 @@ $config = [
* 'secretsalt' can be any valid string of any length.
*
* A possible way to generate a random salt is by running the following command from a unix shell:
* LC_CTYPE=C tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
* LC_ALL=C tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
*/
'secretsalt' => $SAML_COOKIE_SALT,
@ -151,10 +200,8 @@ $config = [
'auth.adminpassword' => $SAML_ADMIN_PASSWORD,
/*
* Set this options to true if you want to require administrator password to access the web interface
* or the metadata pages, respectively.
* Set this option to true if you want to require administrator password to access the metadata.
*/
'admin.protectindexpage' => false,
'admin.protectmetadata' => false,
/*
@ -214,7 +261,7 @@ $config = [
/*
* Set the allowed clock skew between encrypting/decrypting assertions
*
* If you have an server that is constantly out of sync, this option
* If you have a server that is constantly out of sync, this option
* allows you to adjust the allowed clock-skew.
*
* Allowed range: 180 - 300
@ -222,6 +269,21 @@ $config = [
*/
'assertion.allowed_clock_skew' => 180,
/*
* Set custom security headers. The defaults can be found in \SimpleSAML\Configuration::DEFAULT_SECURITY_HEADERS
*
* NOTE: When a header is already set on the response we will NOT overrule it and leave it untouched.
*
* Whenever you change any of these headers, make sure to validate your config by running your
* hostname through a security-test like https://en.internet.nl
'headers.security' => [
'Content-Security-Policy' => "default-src 'none'; frame-ancestors 'self'; object-src 'none'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self'; img-src 'self' data:; base-uri 'none'",
'X-Frame-Options' => 'SAMEORIGIN',
'X-Content-Type-Options' => 'nosniff',
'Referrer-Policy' => 'origin-when-cross-origin',
],
*/
/************************
| ERRORS AND DEBUGGING |
@ -276,14 +338,13 @@ $config = [
/*
* Custom error show function called from SimpleSAML\Error\Error::show.
* See docs/simplesamlphp-errorhandling.txt for function code example.
* See docs/simplesamlphp-errorhandling.md for function code example.
*
* Example:
* 'errors.show_function' => ['SimpleSAML\Module\example\Error', 'show'],
*/
/**************************
| LOGGING AND STATISTICS |
**************************/
@ -300,6 +361,9 @@ $config = [
*
* Options: [syslog,file,errorlog,stderr]
*
* If you set the handler to 'file', the directory specified in loggingdir above
* must exist and be writable for SimpleSAMLphp. If set to something else, set
* loggingdir above to 'null'.
*/
'logging.level' => SimpleSAML\Logger::NOTICE,
'logging.handler' => 'syslog',
@ -310,7 +374,7 @@ $config = [
* are:
*
* - %date{<format>}: the date and time, with its format specified inside the brackets. See the PHP documentation
* of the strftime() function for more information on the format. If the brackets are omitted, the standard
* of the date() function for more information on the format. If the brackets are omitted, the standard
* format is applied. This can be useful if you just want to control the placement of the date, but don't care
* about the format.
*
@ -330,7 +394,7 @@ $config = [
* - %msg: the message to be logged.
*
*/
//'logging.format' => '%date{%b %d %H:%M:%S} %process %level %stat[%trackid] %msg',
//'logging.format' => '%date{M j H:i:s} %process %level %stat[%trackid] %msg',
/*
* Choose which facility should be used when logging with syslog.
@ -360,7 +424,8 @@ $config = [
* This is an array of outputs. Each output has at least a 'class' option, which
* selects the output.
*/
'statistics.out' => [// Log statistics to the normal log.
'statistics.out' => [
// Log statistics to the normal log.
/*
[
'class' => 'core:Log',
@ -439,19 +504,19 @@ $config = [
'database.persistent' => false,
/*
* Database slave configuration is optional as well. If you are only
* Database secondary configuration is optional as well. If you are only
* running a single database server, leave this blank. If you have
* a master/slave configuration, you can define as many slave servers
* as you want here. Slaves will be picked at random to be queried from.
* a primary/secondary configuration, you can define as many secondary servers
* as you want here. Secondaries will be picked at random to be queried from.
*
* Configuration options in the slave array are exactly the same as the
* options for the master (shown above) with the exception of the table
* Configuration options in the secondary array are exactly the same as the
* options for the primary (shown above) with the exception of the table
* prefix and driver options.
*/
'database.slaves' => [
'database.secondaries' => [
/*
[
'dsn' => 'mysql:host=myslave;dbname=saml',
'dsn' => 'mysql:host=mysecondary;dbname=saml',
'username' => 'simplesamlphp',
'password' => 'secret',
'persistent' => false,
@ -469,23 +534,10 @@ $config = [
* Which functionality in SimpleSAMLphp do you want to enable. Normally you would enable only
* one of the functionalities below, but in some cases you could run multiple functionalities.
* In example when you are setting up a federation bridge.
*
* Note that shib13-idp has been deprecated and will be removed in SimpleSAMLphp 2.0.
*/
'enable.saml20-idp' => false,
'enable.shib13-idp' => false,
'enable.adfs-idp' => false,
/*
* Whether SimpleSAMLphp should sign the response or the assertion in SAML 1.1 authentication
* responses.
*
* The default is to sign the assertion element, but that can be overridden by setting this
* option to TRUE. It can also be overridden on a pr. SP basis by adding an option with the
* same name to the metadata of the SP.
*/
'shib13.signresponse' => true,
/***********
@ -493,7 +545,7 @@ $config = [
***********/
/*
* Configuration to override module enabling/disabling.
* Configuration for enabling/disabling modules. By default the 'core', 'admin' and 'saml' modules are enabled.
*
* Example:
*
@ -502,12 +554,12 @@ $config = [
* 'consent' => false, // Setting to FALSE disables.
* 'core' => null, // Unset or NULL uses default.
* ],
*
*/
'module.enable' => [
'exampleauth' => false,
'core' => true,
'admin' => true,
'saml' => true
],
@ -567,7 +619,7 @@ $config = [
* Example:
* 'session.cookie.domain' => '.example.org',
*/
'session.cookie.domain' => null,
'session.cookie.domain' => '',
/*
* Set the secure flag in the cookie.
@ -575,6 +627,8 @@ $config = [
* Set this to TRUE if the user only accesses your service
* through https. If the user can access the service through
* both http and https, this must be set to FALSE.
*
* If unset, SimpleSAMLphp will try to automatically determine the right value
*/
'session.cookie.secure' => $SAML_COOKIE_SECURE,
@ -595,7 +649,7 @@ $config = [
* Example:
* 'session.cookie.samesite' => 'None',
*/
'session.cookie.samesite' => \SimpleSAML\Utils\HTTP::canSetSameSiteNone() ? 'None' : null,
'session.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null,
/*
* Options to override the default settings for php sessions.
@ -628,7 +682,7 @@ $config = [
/*
* Custom function for session checking called on session init and loading.
* See docs/simplesamlphp-advancedfeatures.txt for function code example.
* See docs/simplesamlphp-advancedfeatures.md for function code example.
*
* Example:
* 'session.check_function' => ['\SimpleSAML\Module\example\Util', 'checkSession'],
@ -762,48 +816,13 @@ $config = [
| LANGUAGE AND INTERNATIONALIZATION |
*************************************/
/*
* Language-related options.
*/
'language' => [
/*
* An array in the form 'language' => <list of alternative languages>.
*
* Each key in the array is the ISO 639 two-letter code for a language,
* and its value is an array with a list of alternative languages that
* can be used if the given language is not available at some point.
* Each alternative language is also specified by its ISO 639 code.
*
* For example, for the "no" language code (Norwegian), we would have:
*
* 'priorities' => [
* 'no' => ['nb', 'nn', 'en', 'se'],
* ...
* ],
*
* establishing that if a translation for the "no" language code is
* not available, we look for translations in "nb",
* and so on, in that order.
*/
'priorities' => [
'no' => ['nb', 'nn', 'en', 'se'],
'nb' => ['no', 'nn', 'en', 'se'],
'nn' => ['no', 'nb', 'en', 'se'],
'se' => ['nb', 'no', 'nn', 'en'],
'nr' => ['zu', 'en'],
'nd' => ['zu', 'en'],
'tw' => ['st', 'en'],
'nso' => ['st', 'en'],
],
],
/*
* Languages available, RTL languages, and what language is the default.
*/
'language.available' => [
'en', 'no', 'nn', 'se', 'da', 'de', 'sv', 'fi', 'es', 'ca', 'fr', 'it', 'nl', 'lb',
'cs', 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt-br', 'tr', 'ja', 'zh', 'zh-tw', 'ru',
'et', 'he', 'id', 'sr', 'lv', 'ro', 'eu', 'el', 'af', 'zu', 'xh', 'st',
'cs', 'sk', 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt-br', 'tr', 'ja', 'zh', 'zh-tw',
'ru', 'et', 'he', 'id', 'sr', 'lv', 'ro', 'eu', 'el', 'af', 'zu', 'xh', 'st',
],
'language.rtl' => ['ar', 'dv', 'fa', 'ur', 'he'],
'language.default' => 'en',
@ -818,12 +837,12 @@ $config = [
* Options to override the default settings for the language cookie
*/
'language.cookie.name' => 'language',
'language.cookie.domain' => null,
'language.cookie.domain' => '',
'language.cookie.path' => '/',
'language.cookie.secure' => true,
'language.cookie.httponly' => false,
'language.cookie.lifetime' => (60 * 60 * 24 * 900),
'language.cookie.samesite' => \SimpleSAML\Utils\HTTP::canSetSameSiteNone() ? 'None' : null,
'language.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null,
/**
* Custom getLanguage function called from SimpleSAML\Locale\Language::getLanguage().
@ -837,34 +856,6 @@ $config = [
* 'language.get_language_function' => ['\SimpleSAML\Module\example\Template', 'getLanguage'],
*/
/*
* Extra dictionary for attribute names.
* This can be used to define local attributes.
*
* The format of the parameter is a string with <module>:<dictionary>.
*
* Specifying this option will cause us to look for modules/<module>/dictionaries/<dictionary>.definition.json
* The dictionary should look something like:
*
* {
* "firstattribute": {
* "en": "English name",
* "no": "Norwegian name"
* },
* "secondattribute": {
* "en": "English name",
* "no": "Norwegian name"
* }
* }
*
* Note that all attribute names in the dictionary must in lowercase.
*
* Example: 'attributes.extradictionary' => 'ourmodule:ourattributes',
*/
'attributes.extradictionary' => null,
/**************
| APPEARANCE |
**************/
@ -878,7 +869,7 @@ $config = [
* Set this option to the text you would like to appear at the header of each page. Set to false if you don't want
* any text to appear in the header.
*/
//'theme.header' => 'SimpleSAMLphp'
//'theme.header' => 'SimpleSAMLphp',
/**
* A template controller, if any.
@ -944,6 +935,12 @@ $config = [
],
],
/**
* Set to a full URL if you want to redirect users that land on SimpleSAMLphp's
* front page to somewhere more useful. If left unset, a basic welcome message
* is shown.
*/
//'frontpage.redirect' => 'https://example.com/',
/*********************
| DISCOVERY SERVICE |
@ -964,7 +961,7 @@ $config = [
/*
* IdP Discovery service look configuration.
* Wether to display a list of idp or to display a dropdown box. For many IdP' a dropdown box
* Whether to display a list of idp or to display a dropdown box. For many IdP' a dropdown box
* gives the best use experience.
*
* When using dropdown box a cookie is used to highlight the previously chosen IdP in the dropdown.
@ -982,11 +979,10 @@ $config = [
/*
* Authentication processing filters that will be executed for all IdPs
* Both Shibboleth and SAML 2.0
*/
'authproc.idp' => [
/* Enable the authproc filter below to add URN prefixes to all attributes
10 => array[
10 => [
'class' => 'core:AttributeMap', 'addurnprefix'
],
*/
@ -997,12 +993,6 @@ $config = [
// Adopts language from attribute to use in UI
30 => 'core:LanguageAdaptor',
45 => [
'class' => 'core:StatisticsWithAttribute',
'attributename' => 'realm',
'type' => 'saml20-idp-SSO',
],
/* When called without parameters, it will fallback to filter attributes 'the old way'
* by checking the 'attributes' parameter in metadata on IdP hosted and SP remote.
*/
@ -1038,7 +1028,6 @@ $config = [
/*
* Authentication processing filters that will be executed for all SPs
* Both Shibboleth and SAML 2.0
*/
'authproc.sp' => [
/*
@ -1107,7 +1096,7 @@ $config = [
* The MDQ metadata handler defines the following options:
* - 'type': This is always 'mdq'.
* - 'server': Base URL of the MDQ server. Mandatory.
* - 'validateFingerprint': The fingerprint of the certificate used to sign the metadata. You don't need this
* - 'validateCertificate': The certificates file that may be used to sign the metadata. You don't need this
* option if you don't want to validate the signature on the metadata. Optional.
* - 'cachedir': Directory where metadata can be cached. Optional.
* - 'cachelength': Maximum time metadata can be cached, in seconds. Defaults to 24
@ -1143,6 +1132,10 @@ $config = [
* [
* 'type' => 'mdq',
* 'server' => 'http://mdq.server.com:8080',
* 'validateCertificate' => [
* '/var/simplesamlphp/cert/metadata-key.new.crt',
* '/var/simplesamlphp/cert/metadata-key.old.crt'
* ],
* 'cachedir' => '/var/simplesamlphp/mdq-cache',
* 'cachelength' => 86400
* ]
@ -1183,6 +1176,7 @@ $config = [
'metadata.sign.privatekey' => null,
'metadata.sign.privatekey_pass' => null,
'metadata.sign.certificate' => null,
'metadata.sign.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
/****************************
@ -1220,14 +1214,86 @@ $config = [
*/
'store.sql.prefix' => 'SimpleSAMLphp',
/*
* The driver-options we should pass to the PDO-constructor.
*/
'store.sql.options' => [],
/*
* The hostname and port of the Redis datastore instance.
*/
'store.redis.host' => 'localhost',
'store.redis.port' => 6379,
/*
* The credentials to use when connecting to Redis.
*
* If your Redis server is using the legacy password protection (config
* directive "requirepass" in redis.conf) then you should only provide
* a password.
*
* If your Redis server is using ACL's (which are recommended as of
* Redis 6+) then you should provide both a username and a password.
* See https://redis.io/docs/manual/security/acl/
*/
'store.redis.username' => '',
'store.redis.password' => '',
/*
* Communicate with Redis over a secure connection instead of plain TCP.
*
* This setting affects both single host connections as
* well as Sentinel mode.
*/
'store.redis.tls' => false,
/*
* Verify the Redis server certificate.
*/
'store.redis.insecure' => false,
/*
* Files related to secure communication with Redis.
*
* Files are searched in the 'certdir' when using relative paths.
*/
'store.redis.ca_certificate' => null,
'store.redis.certificate' => null,
'store.redis.privatekey' => null,
/*
* The prefix we should use on our Redis datastore.
*/
'store.redis.prefix' => 'SimpleSAMLphp',
/*
* The master group to use for Redis Sentinel.
*/
'store.redis.mastergroup' => 'mymaster',
/*
* The Redis Sentinel hosts.
* Example:
* 'store.redis.sentinels' => [
* 'tcp://[yoursentinel1]:[port]',
* 'tcp://[yoursentinel2]:[port]',
* 'tcp://[yoursentinel3]:[port]
* ],
*
* Use 'tls' instead of 'tcp' in order to make use of the additional
* TLS settings.
*/
'store.redis.sentinels' => [],
/*********************
| IdP/SP PROXY MODE |
*********************/
/*
* If the IdP in front of SimpleSAMLphp in IdP/SP proxy mode sends
* AuthnContextClassRef, decide whether the AuthnContextClassRef will be
* processed by the IdP/SP proxy or if it will be passed to the SP behind
* the IdP/SP proxy.
*/
'proxymode.passAuthnContextClassRef' => false,
];
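Review bot: The options `'secretsalt'`, `'auth.adminpassword'` and `'session.cookie.secure'` still read `$SAML_COOKIE_SALT`, `$SAML_ADMIN_PASSWORD` and `$SAML_COOKIE_SECURE`, which nothing in this file defines now that the first hunk drops even the commented-out `require_once`/`include` of an outer config.php, so the file only works when whatever includes it has set those variables first. Since the 2.x `Configuration` API validates option types rather than coercing them, a wrapper that injects the cookie flag as a string (for example `"true"` taken from an environment variable) would presumably be rejected instead of being read as a boolean — worth confirming against that wrapper. A short header comment next to the `$httpUtils` line, e.g. `// $SAML_COOKIE_SALT, $SAML_ADMIN_PASSWORD and $SAML_COOKIE_SECURE (bool) must be set by the file that includes this config`, would make that contract visible to the next maintainer. If the flag can arrive as a string, `'session.cookie.secure' => filter_var($SAML_COOKIE_SECURE, FILTER_VALIDATE_BOOL),` normalises it before SimpleSAMLphp sees it.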