From 6fd4a0599c66d228c2f1c6209f203e0da3cbe109 Mon Sep 17 00:00:00 2001 From: h7x4 Date: Wed, 17 Dec 2025 04:50:44 +0900 Subject: [PATCH] dist/simplesamlphp-config: renew to 2.5 --- dist/simplesamlphp-config.php | 772 +++++++++++++++++++--------------- 1 file changed, 439 insertions(+), 333 deletions(-) diff --git a/dist/simplesamlphp-config.php b/dist/simplesamlphp-config.php index 5ff1643..f3e2548 100644 --- a/dist/simplesamlphp-config.php +++ b/dist/simplesamlphp-config.php @@ -5,22 +5,23 @@ declare(strict_types=1); require_once dirname(__DIR__, 4) . \DIRECTORY_SEPARATOR . 'config.php'; /** - * The configuration of SimpleSAMLphp. + * The configuration of SimpleSAMLphp */ -$httpUtils = new SimpleSAML\Utils\HTTP(); + +$httpUtils = new \SimpleSAML\Utils\HTTP(); $config = [ - /* + /******************************* | BASIC CONFIGURATION OPTIONS | - */ + *******************************/ - /* + /* * Setup the following parameters to match your installation. * See the user manual for more details. */ - /* + /* * baseurlpath is a *URL path* (not a filesystem path). * A valid format for 'baseurlpath' is: * [(http|https)://(hostname|fqdn)[:port]]/[path/to/simplesaml/] @@ -34,14 +35,14 @@ $config = [ * external url, no matter where you come from (direct access or via the * reverse proxy). */ - 'baseurlpath' => 'simplesaml/', + 'baseurlpath' => 'simplesaml/', - /* + /* * The 'application' configuration array groups a set configuration options * relative to an application protected by SimpleSAMLphp. */ - 'application' => [ - /* + 'application' => [ + /* * The 'baseURL' configuration option allows you to specify a protocol, * host and optionally a port that serves as the canonical base for all * your application's URLs. This is useful when the environment @@ -55,27 +56,24 @@ $config = [ * need to compute the right URLs yourself and pass them dynamically * to SimpleSAMLphp's API. */ - // 'baseURL' => 'https://example.com', - ], + //'baseURL' => 'https://example.com', + ], - /* + /* * The following settings are *filesystem paths* which define where * SimpleSAMLphp can find or write the following things: * - 'cachedir': Where SimpleSAMLphp can write its cache. * - 'loggingdir': Where to write logs. MUST be set to NULL when using a logging * handler other than `file`. * - 'datadir': Storage of general data. - * - 'tempdir': Saving temporary files. SimpleSAMLphp will attempt to create - * this directory if it doesn't exist. DEPRECATED - replaced by cachedir. * When specified as a relative path, this is relative to the SimpleSAMLphp * root directory. */ - 'cachedir' => $CACHE_DIRECTORY, - // 'loggingdir' => '/var/log/', - // 'datadir' => '/var/data/', - // 'tempdir' => '/tmp/simplesamlphp', + 'cachedir' => $CACHE_DIRECTORY, + //'loggingdir' => '/var/log/', + //'datadir' => '/var/data/', - /* + /* * Certificate and key material can be loaded from different possible * locations. Currently two locations are supported, the local filesystem * and the database via pdo using the global database configuration. Locations @@ -83,7 +81,7 @@ $config = [ * identifier. */ - /* To load a certificate or key from the filesystem, it should be specified + /* To load a certificate or key from the filesystem, it should be specified * as 'file://' where is either a relative filename or a fully * qualified path to a file containing the certificate or key in PEM * format, such as 'cert.pem' or '/path/to/cert.pem'. If the path is @@ -93,9 +91,9 @@ $config = [ * directory. Note that locations with no prefix included will be treated * as file locations. */ - 'certdir' => 'cert/', + 'certdir' => 'cert/', - /* To load a certificate or key from the database, it should be specified + /* To load a certificate or key from the database, it should be specified * as 'pdo://' where is the identifier in the database table that * should be matched. While the certificate and key tables are expected to * be in the simplesaml database, they are not created or managed by @@ -119,33 +117,33 @@ $config = [ * Defaults are shown below, to change them, uncomment the line and update as * needed */ - // 'cert.pdo.table' => 'certificates', - // 'cert.pdo.keytable' => 'private_keys', - // 'cert.pdo.apply_prefix' => true, - // 'cert.pdo.id_column' => 'id', - // 'cert.pdo.data_column' => 'data', + //'cert.pdo.table' => 'certificates', + //'cert.pdo.keytable' => 'private_keys', + //'cert.pdo.apply_prefix' => true, + //'cert.pdo.id_column' => 'id', + //'cert.pdo.data_column' => 'data', - /* + /* * Some information about the technical persons running this installation. * The email address will be used as the recipient address for error reports, and * also as the technical contact in generated metadata. */ - 'technicalcontact_name' => $SAML_ADMIN_NAME, - 'technicalcontact_email' => $SAML_ADMIN_EMAIL, + 'technicalcontact_name' => $SAML_ADMIN_NAME, + 'technicalcontact_email' => $SAML_ADMIN_EMAIL, - /* + /* * (Optional) The method by which email is delivered. Defaults to mail which utilizes the * PHP mail() function. * * Valid options are: mail, sendmail and smtp. */ - // 'mail.transport.method' => 'smtp', + //'mail.transport.method' => 'smtp', - /* + /* * Set the transport options for the transport method specified. The valid settings are relative to the * selected transport method. */ - /* + /* 'mail.transport.options' => [ 'host' => 'mail.example.org', // required 'port' => 25, // optional @@ -162,29 +160,29 @@ $config = [ ], */ - /* + /* * The envelope from address for outgoing emails. * This should be in a domain that has your application's IP addresses in its SPF record * to prevent it from being rejected by mail filters. */ - // 'sendmail_from' => 'no-reply@example.org', + //'sendmail_from' => 'no-reply@example.org', - /* + /* * The timezone of the server. This option should be set to the timezone you want * SimpleSAMLphp to report the time in. The default is to guess the timezone based * on your system timezone. * * See this page for a list of valid timezones: http://php.net/manual/en/timezones.php */ - 'timezone' => null, + 'timezone' => null, - /* + /********************************** | SECURITY CONFIGURATION OPTIONS | - */ + **********************************/ - /* + /* * This is a secret salt used by SimpleSAMLphp when it needs to generate a secure hash * of a value. It must be changed from its default value to a secret value. The value of * 'secretsalt' can be any valid string of any length. @@ -192,28 +190,32 @@ $config = [ * A possible way to generate a random salt is by running the following command from a unix shell: * LC_ALL=C tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' /dev/null;echo */ - 'secretsalt' => $SAML_COOKIE_SALT, + 'secretsalt' => $SAML_COOKIE_SALT, - /* + /* * This password must be kept secret, and modified from the default value 123. * This password will give access to the installation page of SimpleSAMLphp with * metadata listing and diagnostics pages. * You can also put a hash here; run "bin/pwgen.php" to generate one. + * + * If you are using Ansible you might like to use + * ansible.builtin.password_hash(hashtype='blowfish', ident='2y', rounds=13) + * to generate this hashed value. */ - 'auth.adminpassword' => $SAML_ADMIN_PASSWORD, + 'auth.adminpassword' => $SAML_ADMIN_PASSWORD, - /* + /* * Set this option to true if you want to require administrator password to access the metadata. */ - 'admin.protectmetadata' => false, + 'admin.protectmetadata' => false, - /* + /* * Set this option to false if you don't want SimpleSAMLphp to check for new stable releases when * visiting the configuration tab in the web interface. */ - 'admin.checkforupdates' => true, + 'admin.checkforupdates' => true, - /* + /* * Array of domains that are allowed when generating links or redirects * to URLs. SimpleSAMLphp will use this option to determine whether to * to consider a given URL valid or not, but you should always validate @@ -235,9 +237,9 @@ $config = [ * Example: * 'trusted.url.domains' => ['sp.example.com', 'app.example.com'], */ - 'trusted.url.domains' => $SAML_TRUSTED_DOMAINS, + 'trusted.url.domains' => $SAML_TRUSTED_DOMAINS, - /* + /* * Enable regular expression matching of trusted.url.domains. * * Set to true to treat the values in trusted.url.domains as regular @@ -246,9 +248,9 @@ $config = [ * If enabled, the start and end delimiters ('^' and '$') will be added to * all regular expressions in trusted.url.domains. */ - 'trusted.url.regex' => false, + 'trusted.url.regex' => false, - /* + /* * Enable secure POST from HTTPS to HTTP. * * If you have some SP's on HTTP and IdP is normally on HTTPS, this option @@ -259,9 +261,9 @@ $config = [ * https://idp.example.org/ssp/, then * http://idp.example.org/ssp/module.php/core/postredirect.php must be accessible. */ - 'enable.http_post' => false, + 'enable.http_post' => false, - /* + /* * Set the allowed clock skew between encrypting/decrypting assertions * * If you have a server that is constantly out of sync, this option @@ -270,9 +272,9 @@ $config = [ * Allowed range: 180 - 300 * Defaults to 180. */ - 'assertion.allowed_clock_skew' => 180, + 'assertion.allowed_clock_skew' => 180, - /* + /* * Set custom security headers. The defaults can be found in \SimpleSAML\Configuration::DEFAULT_SECURITY_HEADERS * * NOTE: When a header is already set on the response we will NOT overrule it and leave it untouched. @@ -280,7 +282,17 @@ $config = [ * Whenever you change any of these headers, make sure to validate your config by running your * hostname through a security-test like https://en.internet.nl 'headers.security' => [ - 'Content-Security-Policy' => "default-src 'none'; frame-ancestors 'self'; object-src 'none'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self'; img-src 'self' data:; base-uri 'none'", + 'Content-Security-Policy' => + "default-src 'none'; " . + "frame-ancestors 'self'; " . + "object-src 'none'; " . + "script-src 'self'; " . + "style-src 'self'; " . + "font-src 'self'; " . + "connect-src 'self'; " . + "media-src data:; " . + "img-src 'self' data:; " . + "base-uri 'none'", 'X-Frame-Options' => 'SAMEORIGIN', 'X-Content-Type-Options' => 'nosniff', 'Referrer-Policy' => 'origin-when-cross-origin', @@ -288,11 +300,11 @@ $config = [ */ - /* + /************************ | ERRORS AND DEBUGGING | - */ + ************************/ - /* + /* * The 'debug' option allows you to control how SimpleSAMLphp behaves in certain * situations where further action may be taken * @@ -323,23 +335,83 @@ $config = [ * If you want to disable debugging completely, unset this option or set it to an * empty array. */ - 'debug' => [ - 'saml' => false, - 'backtraces' => true, - 'validatexml' => false, - ], + 'debug' => [ + 'saml' => false, + 'backtraces' => true, + 'validatexml' => false, + ], - /* + /* * When 'showerrors' is enabled, all error messages and stack traces will be output * to the browser. * * When 'errorreporting' is enabled, a form will be presented for the user to report * the error to 'technicalcontact_email'. */ - 'showerrors' => true, - 'errorreporting' => true, + 'showerrors' => false, + 'errorreporting' => true, - /* + /* + * When showerrors is true, this is an array of which errors + * should still be shown to the user. By default an error will + * always be shown if showerrors==true and this setting is at the default value to allow all. + * + * If you list anything in this option you have to explicitly list each error + * you would like to be shown to the user. You can also set the value to false + * to hide that error. If this setting is used with anything other than the default + * value and an error is not listed in the list then a backtrace for that error + * will not be shown. + * + * These can be any of the error codes in + * src/SimpleSAML/Error/ErrorCodes.php + * + */ + 'showerrors.whitelist' => [ '*' => true ], + /* + some of the many possibilities for this setting + + 'showerrors.whitelist' => [ + 'ACSPARAMS' => true, + 'ADMINNOTHASHED' => true, + 'ARSPARAMS' => true, + 'AUTHSOURCEERROR' => true, + 'BADREQUEST' => true, + 'CASERROR' => true, + 'CONFIG' => true, + 'CREATEREQUEST' => true, + 'DISCOPARAMS' => true, + 'GENERATEAUTHNRESPONSE' => true, + 'INVALIDCERT' => true, + 'LDAPERROR' => true, + 'LOGOUTINFOLOST' => true, + 'LOGOUTREQUEST' => true, + 'MEMCACHEDOWN' => true, + 'METADATA' => true, + 'METADATANOTFOUND' => true, + 'METHODNOTALLOWED' => true, + 'NOACCESS' => true, + 'NOCERT' => true, + 'NORELAYSTATE' => true, + 'NOSTATE' => true, + 'NOTFOUND' => true, + 'NOTFOUNDREASON' => true, + 'NOTSET' => true, + 'NOTVALIDCERT' => true, + 'NOTVALIDCERTSIGNATURE' => true, + 'PROCESSASSERTION' => true, + 'PROCESSAUTHNREQUEST' => true, + 'RESPONSESTATUSNOSUCCESS' => true, + 'SLOSERVICEPARAMS' => true, + 'SSOPARAMS' => true, + 'UNHANDLEDEXCEPTION' => true, + 'UNKNOWNCERT' => true, + 'USERABORTED' => true, + 'WRONGUSERPASS' => true, + ], + */ + + + /* * Custom error show function called from SimpleSAML\Error\Error::show. * See docs/simplesamlphp-errorhandling.md for function code example. * @@ -348,11 +420,11 @@ $config = [ */ - /* + /************************** | LOGGING AND STATISTICS | - */ + **************************/ - /* + /* * Define the minimum log level to log. Available levels: * - SimpleSAML\Logger::ERR No statistics, only errors * - SimpleSAML\Logger::WARNING No statistics, only warnings/errors @@ -368,10 +440,10 @@ $config = [ * must exist and be writable for SimpleSAMLphp. If set to something else, set * loggingdir above to 'null'. */ - 'logging.level' => SimpleSAML\Logger::NOTICE, - 'logging.handler' => 'syslog', + 'logging.level' => SimpleSAML\Logger::NOTICE, + 'logging.handler' => 'syslog', - /* + /* * Specify the format of the logs. Its use varies depending on the log handler used (for instance, you cannot * control here how dates are displayed when using the syslog or errorlog handlers), but in general the options * are: @@ -397,9 +469,9 @@ $config = [ * - %msg: the message to be logged. * */ - // 'logging.format' => '%date{M j H:i:s} %process %level %stat[%trackid] %msg', + //'logging.format' => '%date{M j H:i:s} %process %level %stat[%trackid] %msg', - /* + /* * Choose which facility should be used when logging with syslog. * * These can be used for filtering the syslog output from SimpleSAMLphp into its @@ -410,103 +482,103 @@ $config = [ * * The default is to use LOG_LOCAL5 if available, and fall back to LOG_USER if not. */ - 'logging.facility' => defined('LOG_LOCAL5') ? constant('LOG_LOCAL5') : \LOG_USER, + 'logging.facility' => defined('LOG_LOCAL5') ? constant('LOG_LOCAL5') : LOG_USER, - /* + /* * The process name that should be used when logging to syslog. * The value is also written out by the other logging handlers. */ - 'logging.processname' => 'simplesamlphp', + 'logging.processname' => 'simplesamlphp', - /* + /* * Logging: file - Logfilename in the loggingdir from above. */ - 'logging.logfile' => 'simplesamlphp.log', + 'logging.logfile' => 'simplesamlphp.log', - /* + /* * This is an array of outputs. Each output has at least a 'class' option, which * selects the output. */ - 'statistics.out' => [ - // Log statistics to the normal log. - /* + 'statistics.out' => [ + // Log statistics to the normal log. + /* [ 'class' => 'core:Log', 'level' => 'notice', ], */ - // Log statistics to files in a directory. One file per day. - /* + // Log statistics to files in a directory. One file per day. + /* [ 'class' => 'core:File', 'directory' => '/var/log/stats', ], */ - ], + ], - /* + /*********************** | PROXY CONFIGURATION | - */ + ***********************/ - /* + /* * Proxy to use for retrieving URLs. * * Example: - * 'proxy' => 'tcp://proxy.example.com:5100' + * 'proxy' => 'http://proxy.example.com:5100' */ - 'proxy' => null, + 'proxy' => null, - /* + /* * Username/password authentication to proxy (Proxy-Authorization: Basic) * Example: * 'proxy.auth' = 'myuser:password' */ - // 'proxy.auth' => 'myuser:password', + //'proxy.auth' => 'myuser:password', - /* + /************************** | DATABASE CONFIGURATION | - */ + **************************/ - /* + /* * This database configuration is optional. If you are not using * core functionality or modules that require a database, you can * skip this configuration. */ - /* + /* * Database connection string. * Ensure that you have the required PDO database driver installed * for your connection string. */ - 'database.dsn' => 'mysql:host=localhost;dbname=saml', + 'database.dsn' => 'mysql:host=localhost;dbname=saml', - /* + /* * SQL database credentials */ - 'database.username' => 'simplesamlphp', - 'database.password' => 'secret', - 'database.options' => [], + 'database.username' => 'simplesamlphp', + 'database.password' => 'secret', + 'database.options' => [], - /* + /* * (Optional) Table prefix */ - 'database.prefix' => '', + 'database.prefix' => '', - /* + /* * (Optional) Driver options */ - 'database.driver_options' => [], + 'database.driver_options' => [], - /* + /* * True or false if you would like a persistent database connection */ - 'database.persistent' => false, + 'database.persistent' => false, - /* + /* * Database secondary configuration is optional as well. If you are only * running a single database server, leave this blank. If you have * a primary/secondary configuration, you can define as many secondary servers @@ -516,8 +588,8 @@ $config = [ * options for the primary (shown above) with the exception of the table * prefix and driver options. */ - 'database.secondaries' => [ - /* + 'database.secondaries' => [ + /* [ 'dsn' => 'mysql:host=mysecondary;dbname=saml', 'username' => 'simplesamlphp', @@ -525,76 +597,74 @@ $config = [ 'persistent' => false, ], */ - ], + ], - /* + /************* | PROTOCOLS | - */ + *************/ - /* + /* * Which functionality in SimpleSAMLphp do you want to enable. Normally you would enable only * one of the functionalities below, but in some cases you could run multiple functionalities. * In example when you are setting up a federation bridge. */ - 'enable.saml20-idp' => false, - 'enable.adfs-idp' => false, + 'enable.saml20-idp' => false, + 'enable.adfs-idp' => false, - /* + /*********** | MODULES | - */ + ***********/ - /* - * Configuration for enabling/disabling modules. By default the 'core', 'admin' and 'saml' modules are enabled. + /* + * Configuration for enabling/disabling modules. By default, the 'core', 'admin' and 'saml' modules are enabled. * * Example: * * 'module.enable' => [ * 'exampleauth' => true, // Setting to TRUE enables. * 'consent' => false, // Setting to FALSE disables. - * 'core' => null, // Unset or NULL uses default. + * 'core' => null, // Unset or NULL uses default from \SimpleSAML\Module::$core_modules. * ], */ - - 'module.enable' => [ - 'exampleauth' => false, - 'core' => true, - 'admin' => true, - 'saml' => true, - ], + 'module.enable' => [ + 'core' => true, + 'admin' => true, + 'saml' => true, + ], - /* + /************************* | SESSION CONFIGURATION | - */ + *************************/ - /* + /* * This value is the duration of the session in seconds. Make sure that the time duration of * cookies both at the SP and the IdP exceeds this duration. */ - 'session.duration' => 8 * (60 * 60), // 8 hours. + 'session.duration' => 8 * (60 * 60), // 8 hours. - /* + /* * Sets the duration, in seconds, data should be stored in the datastore. As the data store is used for * login and logout requests, this option will control the maximum time these operations can take. * The default is 4 hours (4*60*60) seconds, which should be more than enough for these operations. */ - 'session.datastore.timeout' => (4 * 60 * 60), // 4 hours + 'session.datastore.timeout' => (4 * 60 * 60), // 4 hours - /* + /* * Sets the duration, in seconds, auth state should be stored. */ - 'session.state.timeout' => (60 * 60), // 1 hour + 'session.state.timeout' => (60 * 60), // 1 hour - /* + /* * Option to override the default settings for the session cookie name */ - 'session.cookie.name' => 'SimpleSAMLSessionID', + 'session.cookie.name' => 'SimpleSAMLSessionID', - /* + /* * Expiration time for the session cookie, in seconds. * * Defaults to 0, which means that the cookie expires when the browser is closed. @@ -602,9 +672,9 @@ $config = [ * Example: * 'session.cookie.lifetime' => 30*60, */ - 'session.cookie.lifetime' => 0, + 'session.cookie.lifetime' => 0, - /* + /* * Limit the path of the cookies. * * Can be used to limit the path of the cookies to a specific subdirectory. @@ -612,9 +682,9 @@ $config = [ * Example: * 'session.cookie.path' => '/simplesaml/', */ - 'session.cookie.path' => '/', + 'session.cookie.path' => '/', - /* + /* * Cookie domain. * * Can be used to make the session cookie available to several domains. @@ -622,9 +692,9 @@ $config = [ * Example: * 'session.cookie.domain' => '.example.org', */ - 'session.cookie.domain' => '', + 'session.cookie.domain' => '', - /* + /* * Set the secure flag in the cookie. * * Set this to TRUE if the user only accesses your service @@ -633,9 +703,9 @@ $config = [ * * If unset, SimpleSAMLphp will try to automatically determine the right value */ - 'session.cookie.secure' => $SAML_COOKIE_SECURE, + 'session.cookie.secure' => $SAML_COOKIE_SECURE, - /* + /* * Set the SameSite attribute in the cookie. * * You can set this to the strings 'None', 'Lax', or 'Strict' to support @@ -652,21 +722,21 @@ $config = [ * Example: * 'session.cookie.samesite' => 'None', */ - 'session.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null, + 'session.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null, - /* + /* * Options to override the default settings for php sessions. */ - 'session.phpsession.cookiename' => 'SimpleSAML', - 'session.phpsession.savepath' => null, - 'session.phpsession.httponly' => true, + 'session.phpsession.cookiename' => 'SimpleSAML', + 'session.phpsession.savepath' => null, + 'session.phpsession.httponly' => true, - /* + /* * Option to override the default settings for the auth token cookie */ - 'session.authtoken.cookiename' => 'SimpleSAMLAuthToken', + 'session.authtoken.cookiename' => 'SimpleSAMLAuthToken', - /* + /* * Options for remember me feature for IdP sessions. Remember me feature * has to be also implemented in authentication source used. * @@ -679,11 +749,11 @@ $config = [ * It's advised to use remember me feature with session checking function * defined with 'session.check_function' option. */ - 'session.rememberme.enable' => false, - 'session.rememberme.checked' => false, - 'session.rememberme.lifetime' => (14 * 86400), + 'session.rememberme.enable' => false, + 'session.rememberme.checked' => false, + 'session.rememberme.lifetime' => (14 * 86400), - /* + /* * Custom function for session checking called on session init and loading. * See docs/simplesamlphp-advancedfeatures.md for function code example. * @@ -693,11 +763,11 @@ $config = [ - /* + /************************** | MEMCACHE CONFIGURATION | - */ + **************************/ - /* + /* * Configuration for the 'memcache' session store. This allows you to store * multiple redundant copies of sessions on different memcache servers. * @@ -780,13 +850,13 @@ $config = [ * ], * */ - 'memcache_store.servers' => [ - [ - ['hostname' => 'localhost'], + 'memcache_store.servers' => [ + [ + ['hostname' => 'localhost'], + ], ], - ], - /* + /* * This value allows you to set a prefix for memcache-keys. The default * for this value is 'simpleSAMLphp', which is fine in most cases. * @@ -794,9 +864,9 @@ $config = [ * than one instance is using memcache, you probably want to assign * a unique value per instance to this setting to avoid data collision. */ - 'memcache_store.prefix' => '', + 'memcache_store.prefix' => '', - /* + /* * This value is the duration data should be stored in memcache. Data * will be dropped from the memcache servers when this time expires. * The time will be reset every time the data is written to the @@ -811,96 +881,104 @@ $config = [ * Note: The oldest data will always be deleted if the memcache server * runs out of storage space. */ - 'memcache_store.expires' => 36 * (60 * 60), // 36 hours. + 'memcache_store.expires' => 36 * (60 * 60), // 36 hours. - /* + /************************************* | LANGUAGE AND INTERNATIONALIZATION | - */ + *************************************/ - /* + /* * Languages available, RTL languages, and what language is the default. */ - 'language.available' => [ - 'en', 'no', 'nn', 'se', 'da', 'de', 'sv', 'fi', 'es', 'ca', 'fr', 'it', 'nl', 'lb', - 'cs', 'sk', 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt-br', 'tr', 'ja', 'zh', 'zh-tw', - 'ru', 'et', 'he', 'id', 'sr', 'lv', 'ro', 'eu', 'el', 'af', 'zu', 'xh', 'st', - ], - 'language.rtl' => ['ar', 'dv', 'fa', 'ur', 'he'], - 'language.default' => 'en', + 'language.available' => [ + 'en', 'no', 'nn', 'se', 'da', 'de', 'sv', 'fi', 'es', 'ca', 'fr', 'it', 'nl', 'lb', + 'cs', 'sk', 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt_BR', 'tr', 'ja', 'zh', 'zh_TW', + 'ru', 'et', 'he', 'id', 'sr', 'lv', 'ro', 'eu', 'el', 'af', 'zu', 'xh', 'st', + ], + 'language.rtl' => ['ar', 'dv', 'fa', 'ur', 'he'], + 'language.default' => 'en', - /* + /* * Options to override the default settings for the language parameter */ - 'language.parameter.name' => 'language', - 'language.parameter.setcookie' => true, + 'language.parameter.name' => 'language', + 'language.parameter.setcookie' => true, - /* + /* * Options to override the default settings for the language cookie */ - 'language.cookie.name' => 'language', - 'language.cookie.domain' => '', - 'language.cookie.path' => '/', - 'language.cookie.secure' => true, - 'language.cookie.httponly' => false, - 'language.cookie.lifetime' => (60 * 60 * 24 * 900), - 'language.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null, + 'language.cookie.name' => 'language', + 'language.cookie.domain' => '', + 'language.cookie.path' => '/', + 'language.cookie.secure' => true, + 'language.cookie.httponly' => false, + 'language.cookie.lifetime' => (60 * 60 * 24 * 900), + 'language.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null, - /* - * Custom getLanguage function called from SimpleSAML\Locale\Language::getLanguage(). - * Function should return language code of one of the available languages or NULL. - * See SimpleSAML\Locale\Language::getLanguage() source code for more info. - * - * This option can be used to implement a custom function for determining - * the default language for the user. - * - * Example: - * 'language.get_language_function' => ['\SimpleSAML\Module\example\Template', 'getLanguage'], - */ - - /* - | APPEARANCE | + /** + * Custom getLanguage function called from SimpleSAML\Locale\Language::getLanguage(). + * Function should return language code of one of the available languages or NULL. + * See SimpleSAML\Locale\Language::getLanguage() source code for more info. + * + * This option can be used to implement a custom function for determining + * the default language for the user. + * + * Example: + * 'language.get_language_function' => ['\SimpleSAML\Module\example\Template', 'getLanguage'], */ - /* + /************** + | APPEARANCE | + **************/ + + /* * Which theme directory should be used? */ - 'theme.use' => 'default', + 'theme.use' => 'default', - /* + /* * Set this option to the text you would like to appear at the header of each page. Set to false if you don't want * any text to appear in the header. */ - // 'theme.header' => 'SimpleSAMLphp', + //'theme.header' => 'SimpleSAMLphp', - /* - * A template controller, if any. - * - * Used to intercept certain parts of the template handling, while keeping away unwanted/unexpected hooks. Set - * the 'theme.controller' configuration option to a class that implements the - * \SimpleSAML\XHTML\TemplateControllerInterface interface to use it. - */ - // 'theme.controller' => '', + /** + * A template controller, if any. + * + * Used to intercept certain parts of the template handling, while keeping away unwanted/unexpected hooks. Set + * the 'theme.controller' configuration option to a class that implements the + * \SimpleSAML\XHTML\TemplateControllerInterface interface to use it. + */ + //'theme.controller' => '', - /* + /* * Templating options * * By default, twig templates are not cached. To turn on template caching: * Set 'template.cache' to an absolute path pointing to a directory that * SimpleSAMLphp has read and write permissions to. */ - // 'template.cache' => '', + //'template.cache' => '', - /* + /* * Set the 'template.auto_reload' to true if you would like SimpleSAMLphp to * recompile the templates (when using the template cache) if the templates * change. If you don't want to check the source templates for every request, * set it to false. */ - 'template.auto_reload' => false, + 'template.auto_reload' => false, - /* + + /* + * Set the 'template.debug' to true to enable debugging for Twig templates. + * This is useful during development as it provides better error messages. + * Defaults to false. + */ + //'template.debug' => false, + + /* * Set this option to true to indicate that your installation of SimpleSAMLphp * is running in a production environment. This will affect the way resources * are used, offering an optimized version when running in production, and an @@ -910,23 +988,36 @@ $config = [ * * Defaults to true. */ - 'production' => true, + 'production' => true, - /* + /* * SimpleSAMLphp modules can host static resources which are served through PHP. * The serving of the resources can be configured through these settings. */ - 'assets' => [ - /* + 'assets' => [ + /* + * Used to generate cache buster tags. This salt is only used for this purpose. + * You should set this in the same way as secretsalt. + * + * You can change this salt at any time. This will have the effect of explicit + * cache busting as the tags for resources will change and thus all resources + * will be fetched again. + * + * Leaving the default value in place can allow an attacker the opportunity + * to work out the version of SSP you have installed. + */ + 'salt' => 'assets.salt.default', + + /* * These settings adjust the caching headers that are sent * when serving static resources. */ - 'caching' => [ - /* + 'caching' => [ + /* * Amount of seconds before the resource should be fetched again */ - 'max_age' => 86400, - /* + 'max_age' => 86400, + /* * Calculate a checksum of every file and send it to the browser * This allows the browser to avoid downloading assets again in situations * where the Last-Modified header cannot be trusted, @@ -934,35 +1025,35 @@ $config = [ * * Defaults false */ - 'etag' => false, + 'etag' => false, + ], ], - ], - /* - * Set to a full URL if you want to redirect users that land on SimpleSAMLphp's - * front page to somewhere more useful. If left unset, a basic welcome message - * is shown. - */ - // 'frontpage.redirect' => 'https://example.com/', - - /* - | DISCOVERY SERVICE | + /** + * Set to a full URL if you want to redirect users that land on SimpleSAMLphp's + * front page to somewhere more useful. If left unset, a basic welcome message + * is shown. */ + //'frontpage.redirect' => 'https://example.com/', - /* + /********************* + | DISCOVERY SERVICE | + *********************/ + + /* * Whether the discovery service should allow the user to save his choice of IdP. */ - 'idpdisco.enableremember' => true, - 'idpdisco.rememberchecked' => true, + 'idpdisco.enableremember' => true, + 'idpdisco.rememberchecked' => true, - /* + /* * The disco service only accepts entities it knows. */ - 'idpdisco.validate' => true, + 'idpdisco.validate' => true, - 'idpdisco.extDiscoveryStorage' => null, + 'idpdisco.extDiscoveryStorage' => null, - /* + /* * IdP Discovery service look configuration. * Whether to display a list of idp or to display a dropdown box. For many IdP' a dropdown box * gives the best use experience. @@ -972,39 +1063,39 @@ $config = [ * * Options: [links,dropdown] */ - 'idpdisco.layout' => 'dropdown', + 'idpdisco.layout' => 'dropdown', - /* + /************************************* | AUTHENTICATION PROCESSING FILTERS | - */ + *************************************/ - /* + /* * Authentication processing filters that will be executed for all IdPs */ - 'authproc.idp' => [ - /* Enable the authproc filter below to add URN prefixes to all attributes + 'authproc.idp' => [ + /* Enable the authproc filter below to add URN prefixes to all attributes 10 => [ 'class' => 'core:AttributeMap', 'addurnprefix' ], */ - /* Enable the authproc filter below to automatically generated eduPersonTargetedID. + /* Enable the authproc filter below to automatically generated eduPersonTargetedID. 20 => 'core:TargetedID', */ - // Adopts language from attribute to use in UI - 30 => 'core:LanguageAdaptor', + // Adopts language from attribute to use in UI + 30 => 'core:LanguageAdaptor', - /* When called without parameters, it will fallback to filter attributes 'the old way' + /* When called without parameters, it will fallback to filter attributes 'the old way' * by checking the 'attributes' parameter in metadata on IdP hosted and SP remote. */ - 50 => 'core:AttributeLimit', + 50 => 'core:AttributeLimit', - /* + /* * Search attribute "distinguishedName" for pattern and replaces if found */ - /* + /* 60 => [ 'class' => 'core:AttributeAlter', 'pattern' => '/OU=studerende/', @@ -1014,10 +1105,10 @@ $config = [ ], */ - /* + /* * Consent module is enabled (with no permanent storage, using cookies). */ - /* + /* 90 => [ 'class' => 'consent:Consent', 'store' => 'consent:Cookie', @@ -1025,52 +1116,52 @@ $config = [ 'checked' => true ], */ - // If language is set in Consent module it will be added as an attribute. - 99 => 'core:LanguageAdaptor', - ], + // If language is set in Consent module it will be added as an attribute. + 99 => 'core:LanguageAdaptor', + ], - /* + /* * Authentication processing filters that will be executed for all SPs */ - 'authproc.sp' => [ - /* + 'authproc.sp' => [ + /* 10 => [ 'class' => 'core:AttributeMap', 'removeurnprefix' ], */ - /* + /* * Generate the 'group' attribute populated from other variables, including eduPersonAffiliation. 60 => [ 'class' => 'core:GenerateGroups', 'eduPersonAffiliation' ], */ - /* + /* * All users will be members of 'users' and 'members' */ - /* + /* 61 => [ 'class' => 'core:AttributeAdd', 'groups' => ['users', 'members'] ], */ - // Adopts language from attribute to use in UI - 90 => 'core:LanguageAdaptor', - ], + // Adopts language from attribute to use in UI + 90 => 'core:LanguageAdaptor', + ], - /* + /************************** | METADATA CONFIGURATION | - */ + **************************/ - /* + /* * This option allows you to specify a directory for your metadata outside of the standard metadata directory * included in the standard distribution of the software. */ - 'metadatadir' => 'metadata', + 'metadatadir' => 'metadata', - /* + /* * This option configures the metadata sources. The metadata sources is given as an array with * different metadata sources. When searching for metadata, SimpleSAMLphp will search through * the array from start to end. @@ -1130,6 +1221,21 @@ $config = [ * ['type' => 'xml', 'file' => 'idp.example.org-idpMeta.xml'], * ], * + * This example defines a remote xml-file with optional connection context. + * See PHP documentation for possible context options: https://www.php.net/manual/en/context.php + * + * 'metadata.sources' => [ + * [ + * 'type' => 'xml', + * 'url' => 'https://example.org/idp.example.org-idpMeta.xml', + * 'context' => [ + * 'ssl' => [ + * 'verify_peer' => true, + * ], + * ], + * ], + * ], + * * This example defines an mdq source. * 'metadata.sources' => [ * [ @@ -1154,19 +1260,19 @@ $config = [ * ['type' => 'flatfile'] * ], */ - 'metadata.sources' => [ - ['type' => 'flatfile'], - ], + 'metadata.sources' => [ + ['type' => 'flatfile'], + ], - /* + /* * Should signing of generated metadata be enabled by default. * * Metadata signing can also be enabled for a individual SP or IdP by setting the * same option in the metadata for the SP or IdP. */ - 'metadata.sign.enable' => false, + 'metadata.sign.enable' => false, - /* + /* * The default key & certificate which should be used to sign generated metadata. These * are files stored in the cert dir. * These values can be overridden by the options with the same names in the SP or @@ -1176,17 +1282,17 @@ $config = [ * the 'certificate' and 'privatekey' option in the metadata will be used. * if those aren't set, signing of metadata will fail. */ - 'metadata.sign.privatekey' => null, - 'metadata.sign.privatekey_pass' => null, - 'metadata.sign.certificate' => null, - 'metadata.sign.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', + 'metadata.sign.privatekey' => null, + 'metadata.sign.privatekey_pass' => null, + 'metadata.sign.certificate' => null, + 'metadata.sign.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', - /* + /**************************** | DATA STORE CONFIGURATION | - */ + ****************************/ - /* + /* * Configure the data store for SimpleSAMLphp. * * - 'phpsession': Limited datastore, which uses the PHP session. @@ -1196,39 +1302,39 @@ $config = [ * * The default datastore is 'phpsession'. */ - 'store.type' => 'phpsession', + 'store.type' => 'phpsession', - /* + /* * The DSN the sql datastore should connect to. * * See http://www.php.net/manual/en/pdo.drivers.php for the various * syntaxes. */ - 'store.sql.dsn' => 'sqlite:/path/to/sqlitedatabase.sq3', + 'store.sql.dsn' => 'sqlite:/path/to/sqlitedatabase.sq3', - /* + /* * The username and password to use when connecting to the database. */ - 'store.sql.username' => null, - 'store.sql.password' => null, + 'store.sql.username' => null, + 'store.sql.password' => null, - /* + /* * The prefix we should use on our tables. */ - 'store.sql.prefix' => 'SimpleSAMLphp', + 'store.sql.prefix' => 'SimpleSAMLphp', - /* + /* * The driver-options we should pass to the PDO-constructor. */ - 'store.sql.options' => [], + 'store.sql.options' => [], - /* + /* * The hostname and port of the Redis datastore instance. */ - 'store.redis.host' => 'localhost', - 'store.redis.port' => 6379, + 'store.redis.host' => 'localhost', + 'store.redis.port' => 6379, - /* + /* * The credentials to use when connecting to Redis. * * If your Redis server is using the legacy password protection (config @@ -1239,42 +1345,42 @@ $config = [ * Redis 6+) then you should provide both a username and a password. * See https://redis.io/docs/manual/security/acl/ */ - 'store.redis.username' => '', - 'store.redis.password' => '', + 'store.redis.username' => '', + 'store.redis.password' => '', - /* + /* * Communicate with Redis over a secure connection instead of plain TCP. * * This setting affects both single host connections as * well as Sentinel mode. */ - 'store.redis.tls' => false, + 'store.redis.tls' => false, - /* + /* * Verify the Redis server certificate. */ - 'store.redis.insecure' => false, + 'store.redis.insecure' => false, - /* + /* * Files related to secure communication with Redis. * * Files are searched in the 'certdir' when using relative paths. */ - 'store.redis.ca_certificate' => null, - 'store.redis.certificate' => null, - 'store.redis.privatekey' => null, + 'store.redis.ca_certificate' => null, + 'store.redis.certificate' => null, + 'store.redis.privatekey' => null, - /* + /* * The prefix we should use on our Redis datastore. */ - 'store.redis.prefix' => 'SimpleSAMLphp', + 'store.redis.prefix' => 'SimpleSAMLphp', - /* + /* * The master group to use for Redis Sentinel. */ - 'store.redis.mastergroup' => 'mymaster', + 'store.redis.mastergroup' => 'mymaster', - /* + /* * The Redis Sentinel hosts. * Example: * 'store.redis.sentinels' => [ @@ -1286,17 +1392,17 @@ $config = [ * Use 'tls' instead of 'tcp' in order to make use of the additional * TLS settings. */ - 'store.redis.sentinels' => [], + 'store.redis.sentinels' => [], - /* + /********************* | IdP/SP PROXY MODE | - */ + *********************/ - /* + /* * If the IdP in front of SimpleSAMLphp in IdP/SP proxy mode sends * AuthnContextClassRef, decide whether the AuthnContextClassRef will be * processed by the IdP/SP proxy or if it will be passed to the SP behind * the IdP/SP proxy. */ - 'proxymode.passAuthnContextClassRef' => false, + 'proxymode.passAuthnContextClassRef' => false, ];