Projects/nettsiden
8
3
Fork 0
Code Issues 20 Pull Requests Activity

dist/simplesamlphp-config: renew to 2.5

Browse Source
This commit is contained in:
Oystein Kristoffer Tveit
2025-12-17 04:50:44 +09:00
parent f782d20e56
commit 6fd4a0599c
1 changed files with 439 additions and 333 deletions
Download Patch File Download Diff File Expand all files Collapse all files

208
dist/simplesamlphp-config.php vendored
View File

@@ -5,15 +5,16 @@ declare(strict_types=1);
require_once dirname(__DIR__, 4) . \DIRECTORY_SEPARATOR . 'config.php'; require_once dirname(__DIR__, 4) . \DIRECTORY_SEPARATOR . 'config.php';
/** /**
* The configuration of SimpleSAMLphp. * The configuration of SimpleSAMLphp
*/ */
$httpUtils = new SimpleSAML\Utils\HTTP();
$httpUtils = new \SimpleSAML\Utils\HTTP();
$config = [ $config = [
/* /*******************************
| BASIC CONFIGURATION OPTIONS | | BASIC CONFIGURATION OPTIONS |
*/ *******************************/
/* /*
* Setup the following parameters to match your installation. * Setup the following parameters to match your installation.
@@ -65,15 +66,12 @@ $config = [
* - 'loggingdir': Where to write logs. MUST be set to NULL when using a logging * - 'loggingdir': Where to write logs. MUST be set to NULL when using a logging
* handler other than `file`. * handler other than `file`.
* - 'datadir': Storage of general data. * - 'datadir': Storage of general data.
* - 'tempdir': Saving temporary files. SimpleSAMLphp will attempt to create
* this directory if it doesn't exist. DEPRECATED - replaced by cachedir.
* When specified as a relative path, this is relative to the SimpleSAMLphp * When specified as a relative path, this is relative to the SimpleSAMLphp
* root directory. * root directory.
*/ */
'cachedir' => $CACHE_DIRECTORY, 'cachedir' => $CACHE_DIRECTORY,
//'loggingdir' => '/var/log/', //'loggingdir' => '/var/log/',
//'datadir' => '/var/data/', //'datadir' => '/var/data/',
// 'tempdir' => '/tmp/simplesamlphp',
/* /*
* Certificate and key material can be loaded from different possible * Certificate and key material can be loaded from different possible
@@ -180,9 +178,9 @@ $config = [
/* /**********************************
| SECURITY CONFIGURATION OPTIONS | | SECURITY CONFIGURATION OPTIONS |
*/ **********************************/
/* /*
* This is a secret salt used by SimpleSAMLphp when it needs to generate a secure hash * This is a secret salt used by SimpleSAMLphp when it needs to generate a secure hash
@@ -199,6 +197,10 @@ $config = [
* This password will give access to the installation page of SimpleSAMLphp with * This password will give access to the installation page of SimpleSAMLphp with
* metadata listing and diagnostics pages. * metadata listing and diagnostics pages.
* You can also put a hash here; run "bin/pwgen.php" to generate one. * You can also put a hash here; run "bin/pwgen.php" to generate one.
*
* If you are using Ansible you might like to use
* ansible.builtin.password_hash(hashtype='blowfish', ident='2y', rounds=13)
* to generate this hashed value.
*/ */
'auth.adminpassword' => $SAML_ADMIN_PASSWORD, 'auth.adminpassword' => $SAML_ADMIN_PASSWORD,
@@ -280,7 +282,17 @@ $config = [
* Whenever you change any of these headers, make sure to validate your config by running your * Whenever you change any of these headers, make sure to validate your config by running your
* hostname through a security-test like https://en.internet.nl * hostname through a security-test like https://en.internet.nl
'headers.security' => [ 'headers.security' => [
'Content-Security-Policy' => "default-src 'none'; frame-ancestors 'self'; object-src 'none'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self'; img-src 'self' data:; base-uri 'none'", 'Content-Security-Policy' =>
"default-src 'none'; " .
"frame-ancestors 'self'; " .
"object-src 'none'; " .
"script-src 'self'; " .
"style-src 'self'; " .
"font-src 'self'; " .
"connect-src 'self'; " .
"media-src data:; " .
"img-src 'self' data:; " .
"base-uri 'none'",
'X-Frame-Options' => 'SAMEORIGIN', 'X-Frame-Options' => 'SAMEORIGIN',
'X-Content-Type-Options' => 'nosniff', 'X-Content-Type-Options' => 'nosniff',
'Referrer-Policy' => 'origin-when-cross-origin', 'Referrer-Policy' => 'origin-when-cross-origin',
@@ -288,9 +300,9 @@ $config = [
*/ */
/* /************************
| ERRORS AND DEBUGGING | | ERRORS AND DEBUGGING |
*/ ************************/
/* /*
* The 'debug' option allows you to control how SimpleSAMLphp behaves in certain * The 'debug' option allows you to control how SimpleSAMLphp behaves in certain
@@ -336,9 +348,69 @@ $config = [
* When 'errorreporting' is enabled, a form will be presented for the user to report * When 'errorreporting' is enabled, a form will be presented for the user to report
* the error to 'technicalcontact_email'. * the error to 'technicalcontact_email'.
*/ */
'showerrors' => true, 'showerrors' => false,
'errorreporting' => true, 'errorreporting' => true,
/*
* When showerrors is true, this is an array of which errors
* should still be shown to the user. By default an error will
* always be shown if showerrors==true and this setting is at the default value to allow all.
*
* If you list anything in this option you have to explicitly list each error
* you would like to be shown to the user. You can also set the value to false
* to hide that error. If this setting is used with anything other than the default
* value and an error is not listed in the list then a backtrace for that error
* will not be shown.
*
* These can be any of the error codes in
* src/SimpleSAML/Error/ErrorCodes.php
*
*/
'showerrors.whitelist' => [ '*' => true ],
/*
some of the many possibilities for this setting
'showerrors.whitelist' => [
'ACSPARAMS' => true,
'ADMINNOTHASHED' => true,
'ARSPARAMS' => true,
'AUTHSOURCEERROR' => true,
'BADREQUEST' => true,
'CASERROR' => true,
'CONFIG' => true,
'CREATEREQUEST' => true,
'DISCOPARAMS' => true,
'GENERATEAUTHNRESPONSE' => true,
'INVALIDCERT' => true,
'LDAPERROR' => true,
'LOGOUTINFOLOST' => true,
'LOGOUTREQUEST' => true,
'MEMCACHEDOWN' => true,
'METADATA' => true,
'METADATANOTFOUND' => true,
'METHODNOTALLOWED' => true,
'NOACCESS' => true,
'NOCERT' => true,
'NORELAYSTATE' => true,
'NOSTATE' => true,
'NOTFOUND' => true,
'NOTFOUNDREASON' => true,
'NOTSET' => true,
'NOTVALIDCERT' => true,
'NOTVALIDCERTSIGNATURE' => true,
'PROCESSASSERTION' => true,
'PROCESSAUTHNREQUEST' => true,
'RESPONSESTATUSNOSUCCESS' => true,
'SLOSERVICEPARAMS' => true,
'SSOPARAMS' => true,
'UNHANDLEDEXCEPTION' => true,
'UNKNOWNCERT' => true,
'USERABORTED' => true,
'WRONGUSERPASS' => true,
],
*/
/* /*
* Custom error show function called from SimpleSAML\Error\Error::show. * Custom error show function called from SimpleSAML\Error\Error::show.
* See docs/simplesamlphp-errorhandling.md for function code example. * See docs/simplesamlphp-errorhandling.md for function code example.
@@ -348,9 +420,9 @@ $config = [
*/ */
/* /**************************
| LOGGING AND STATISTICS | | LOGGING AND STATISTICS |
*/ **************************/
/* /*
* Define the minimum log level to log. Available levels: * Define the minimum log level to log. Available levels:
@@ -410,7 +482,7 @@ $config = [
* *
* The default is to use LOG_LOCAL5 if available, and fall back to LOG_USER if not. * The default is to use LOG_LOCAL5 if available, and fall back to LOG_USER if not.
*/ */
'logging.facility' => defined('LOG_LOCAL5') ? constant('LOG_LOCAL5') : \LOG_USER, 'logging.facility' => defined('LOG_LOCAL5') ? constant('LOG_LOCAL5') : LOG_USER,
/* /*
* The process name that should be used when logging to syslog. * The process name that should be used when logging to syslog.
@@ -446,15 +518,15 @@ $config = [
/* /***********************
| PROXY CONFIGURATION | | PROXY CONFIGURATION |
*/ ***********************/
/* /*
* Proxy to use for retrieving URLs. * Proxy to use for retrieving URLs.
* *
* Example: * Example:
* 'proxy' => 'tcp://proxy.example.com:5100' * 'proxy' => 'http://proxy.example.com:5100'
*/ */
'proxy' => null, 'proxy' => null,
@@ -467,9 +539,9 @@ $config = [
/* /**************************
| DATABASE CONFIGURATION | | DATABASE CONFIGURATION |
*/ **************************/
/* /*
* This database configuration is optional. If you are not using * This database configuration is optional. If you are not using
@@ -529,9 +601,9 @@ $config = [
/* /*************
| PROTOCOLS | | PROTOCOLS |
*/ *************/
/* /*
* Which functionality in SimpleSAMLphp do you want to enable. Normally you would enable only * Which functionality in SimpleSAMLphp do you want to enable. Normally you would enable only
@@ -543,33 +615,31 @@ $config = [
/* /***********
| MODULES | | MODULES |
*/ ***********/
/* /*
* Configuration for enabling/disabling modules. By default the 'core', 'admin' and 'saml' modules are enabled. * Configuration for enabling/disabling modules. By default, the 'core', 'admin' and 'saml' modules are enabled.
* *
* Example: * Example:
* *
* 'module.enable' => [ * 'module.enable' => [
* 'exampleauth' => true, // Setting to TRUE enables. * 'exampleauth' => true, // Setting to TRUE enables.
* 'consent' => false, // Setting to FALSE disables. * 'consent' => false, // Setting to FALSE disables.
* 'core' => null, // Unset or NULL uses default. * 'core' => null, // Unset or NULL uses default from \SimpleSAML\Module::$core_modules.
* ], * ],
*/ */
'module.enable' => [ 'module.enable' => [
'exampleauth' => false,
'core' => true, 'core' => true,
'admin' => true, 'admin' => true,
'saml' => true, 'saml' => true,
], ],
/* /*************************
| SESSION CONFIGURATION | | SESSION CONFIGURATION |
*/ *************************/
/* /*
* This value is the duration of the session in seconds. Make sure that the time duration of * This value is the duration of the session in seconds. Make sure that the time duration of
@@ -693,9 +763,9 @@ $config = [
/* /**************************
| MEMCACHE CONFIGURATION | | MEMCACHE CONFIGURATION |
*/ **************************/
/* /*
* Configuration for the 'memcache' session store. This allows you to store * Configuration for the 'memcache' session store. This allows you to store
@@ -815,16 +885,16 @@ $config = [
/* /*************************************
| LANGUAGE AND INTERNATIONALIZATION | | LANGUAGE AND INTERNATIONALIZATION |
*/ *************************************/
/* /*
* Languages available, RTL languages, and what language is the default. * Languages available, RTL languages, and what language is the default.
*/ */
'language.available' => [ 'language.available' => [
'en', 'no', 'nn', 'se', 'da', 'de', 'sv', 'fi', 'es', 'ca', 'fr', 'it', 'nl', 'lb', 'en', 'no', 'nn', 'se', 'da', 'de', 'sv', 'fi', 'es', 'ca', 'fr', 'it', 'nl', 'lb',
'cs', 'sk', 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt-br', 'tr', 'ja', 'zh', 'zh-tw', 'cs', 'sk', 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt_BR', 'tr', 'ja', 'zh', 'zh_TW',
'ru', 'et', 'he', 'id', 'sr', 'lv', 'ro', 'eu', 'el', 'af', 'zu', 'xh', 'st', 'ru', 'et', 'he', 'id', 'sr', 'lv', 'ro', 'eu', 'el', 'af', 'zu', 'xh', 'st',
], ],
'language.rtl' => ['ar', 'dv', 'fa', 'ur', 'he'], 'language.rtl' => ['ar', 'dv', 'fa', 'ur', 'he'],
@@ -847,7 +917,7 @@ $config = [
'language.cookie.lifetime' => (60 * 60 * 24 * 900), 'language.cookie.lifetime' => (60 * 60 * 24 * 900),
'language.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null, 'language.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null,
/* /**
* Custom getLanguage function called from SimpleSAML\Locale\Language::getLanguage(). * Custom getLanguage function called from SimpleSAML\Locale\Language::getLanguage().
* Function should return language code of one of the available languages or NULL. * Function should return language code of one of the available languages or NULL.
* See SimpleSAML\Locale\Language::getLanguage() source code for more info. * See SimpleSAML\Locale\Language::getLanguage() source code for more info.
@@ -859,9 +929,9 @@ $config = [
* 'language.get_language_function' => ['\SimpleSAML\Module\example\Template', 'getLanguage'], * 'language.get_language_function' => ['\SimpleSAML\Module\example\Template', 'getLanguage'],
*/ */
/* /**************
| APPEARANCE | | APPEARANCE |
*/ **************/
/* /*
* Which theme directory should be used? * Which theme directory should be used?
@@ -874,7 +944,7 @@ $config = [
*/ */
//'theme.header' => 'SimpleSAMLphp', //'theme.header' => 'SimpleSAMLphp',
/* /**
* A template controller, if any. * A template controller, if any.
* *
* Used to intercept certain parts of the template handling, while keeping away unwanted/unexpected hooks. Set * Used to intercept certain parts of the template handling, while keeping away unwanted/unexpected hooks. Set
@@ -900,6 +970,14 @@ $config = [
*/ */
'template.auto_reload' => false, 'template.auto_reload' => false,
/*
* Set the 'template.debug' to true to enable debugging for Twig templates.
* This is useful during development as it provides better error messages.
* Defaults to false.
*/
//'template.debug' => false,
/* /*
* Set this option to true to indicate that your installation of SimpleSAMLphp * Set this option to true to indicate that your installation of SimpleSAMLphp
* is running in a production environment. This will affect the way resources * is running in a production environment. This will affect the way resources
@@ -917,6 +995,19 @@ $config = [
* The serving of the resources can be configured through these settings. * The serving of the resources can be configured through these settings.
*/ */
'assets' => [ 'assets' => [
/*
* Used to generate cache buster tags. This salt is only used for this purpose.
* You should set this in the same way as secretsalt.
*
* You can change this salt at any time. This will have the effect of explicit
* cache busting as the tags for resources will change and thus all resources
* will be fetched again.
*
* Leaving the default value in place can allow an attacker the opportunity
* to work out the version of SSP you have installed.
*/
'salt' => 'assets.salt.default',
/* /*
* These settings adjust the caching headers that are sent * These settings adjust the caching headers that are sent
* when serving static resources. * when serving static resources.
@@ -938,16 +1029,16 @@ $config = [
], ],
], ],
/* /**
* Set to a full URL if you want to redirect users that land on SimpleSAMLphp's * Set to a full URL if you want to redirect users that land on SimpleSAMLphp's
* front page to somewhere more useful. If left unset, a basic welcome message * front page to somewhere more useful. If left unset, a basic welcome message
* is shown. * is shown.
*/ */
//'frontpage.redirect' => 'https://example.com/', //'frontpage.redirect' => 'https://example.com/',
/* /*********************
| DISCOVERY SERVICE | | DISCOVERY SERVICE |
*/ *********************/
/* /*
* Whether the discovery service should allow the user to save his choice of IdP. * Whether the discovery service should allow the user to save his choice of IdP.
@@ -976,9 +1067,9 @@ $config = [
/* /*************************************
| AUTHENTICATION PROCESSING FILTERS | | AUTHENTICATION PROCESSING FILTERS |
*/ *************************************/
/* /*
* Authentication processing filters that will be executed for all IdPs * Authentication processing filters that will be executed for all IdPs
@@ -1060,9 +1151,9 @@ $config = [
/* /**************************
| METADATA CONFIGURATION | | METADATA CONFIGURATION |
*/ **************************/
/* /*
* This option allows you to specify a directory for your metadata outside of the standard metadata directory * This option allows you to specify a directory for your metadata outside of the standard metadata directory
@@ -1130,6 +1221,21 @@ $config = [
* ['type' => 'xml', 'file' => 'idp.example.org-idpMeta.xml'], * ['type' => 'xml', 'file' => 'idp.example.org-idpMeta.xml'],
* ], * ],
* *
* This example defines a remote xml-file with optional connection context.
* See PHP documentation for possible context options: https://www.php.net/manual/en/context.php
*
* 'metadata.sources' => [
* [
* 'type' => 'xml',
* 'url' => 'https://example.org/idp.example.org-idpMeta.xml',
* 'context' => [
* 'ssl' => [
* 'verify_peer' => true,
* ],
* ],
* ],
* ],
*
* This example defines an mdq source. * This example defines an mdq source.
* 'metadata.sources' => [ * 'metadata.sources' => [
* [ * [
@@ -1182,9 +1288,9 @@ $config = [
'metadata.sign.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', 'metadata.sign.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
/* /****************************
| DATA STORE CONFIGURATION | | DATA STORE CONFIGURATION |
*/ ****************************/
/* /*
* Configure the data store for SimpleSAMLphp. * Configure the data store for SimpleSAMLphp.
@@ -1288,9 +1394,9 @@ $config = [
*/ */
'store.redis.sentinels' => [], 'store.redis.sentinels' => [],
/* /*********************
| IdP/SP PROXY MODE | | IdP/SP PROXY MODE |
*/ *********************/
/* /*
* If the IdP in front of SimpleSAMLphp in IdP/SP proxy mode sends * If the IdP in front of SimpleSAMLphp in IdP/SP proxy mode sends