mirror of
https://github.com/BookStackApp/BookStack.git
synced 2024-11-25 04:13:42 +01:00
242 lines
9.9 KiB
PHP
242 lines
9.9 KiB
PHP
<?php
|
|
|
|
//This is variable is an example - Just make sure that the urls in the 'idp' config are ok.
|
|
$idp_host = env('SAML2_IDP_HOST', 'http://localhost:8000/simplesaml');
|
|
|
|
return $settings = array(
|
|
|
|
/**
|
|
* Whether the SAML login is enabled
|
|
*/
|
|
'enabled' => env("SAML2_ENABLED", false),
|
|
|
|
/**
|
|
* If 'useRoutes' is set to true, the package defines five new routes:
|
|
*
|
|
* Method | URI | Name
|
|
* -------|--------------------------|------------------
|
|
* POST | {routesPrefix}/acs | saml_acs
|
|
* GET | {routesPrefix}/login | saml_login
|
|
* GET | {routesPrefix}/logout | saml_logout
|
|
* GET | {routesPrefix}/metadata | saml_metadata
|
|
* GET | {routesPrefix}/sls | saml_sls
|
|
*/
|
|
'useRoutes' => true,
|
|
|
|
'routesPrefix' => '/saml2',
|
|
|
|
/**
|
|
* which middleware group to use for the saml routes
|
|
* Laravel 5.2 will need a group which includes StartSession
|
|
*/
|
|
'routesMiddleware' => ['saml'],
|
|
|
|
/**
|
|
* Indicates how the parameters will be
|
|
* retrieved from the sls request for signature validation
|
|
*/
|
|
'retrieveParametersFromServer' => false,
|
|
|
|
/**
|
|
* Where to redirect after logout
|
|
*/
|
|
'logoutRoute' => '/',
|
|
|
|
/**
|
|
* Where to redirect after login if no other option was provided
|
|
*/
|
|
'loginRoute' => '/',
|
|
|
|
|
|
/**
|
|
* Where to redirect after login if no other option was provided
|
|
*/
|
|
'errorRoute' => '/',
|
|
|
|
|
|
|
|
|
|
/*****
|
|
* One Login Settings
|
|
*/
|
|
|
|
|
|
|
|
// If 'strict' is True, then the PHP Toolkit will reject unsigned
|
|
// or unencrypted messages if it expects them signed or encrypted
|
|
// Also will reject the messages if not strictly follow the SAML
|
|
// standard: Destination, NameId, Conditions ... are validated too.
|
|
'strict' => true, //@todo: make this depend on laravel config
|
|
|
|
// Enable debug mode (to print errors)
|
|
'debug' => env('APP_DEBUG', false),
|
|
|
|
// If 'proxyVars' is True, then the Saml lib will trust proxy headers
|
|
// e.g X-Forwarded-Proto / HTTP_X_FORWARDED_PROTO. This is useful if
|
|
// your application is running behind a load balancer which terminates
|
|
// SSL.
|
|
'proxyVars' => false,
|
|
|
|
// Service Provider Data that we are deploying
|
|
'sp' => array(
|
|
|
|
// Specifies constraints on the name identifier to be used to
|
|
// represent the requested subject.
|
|
// Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
|
|
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
|
|
|
|
// Usually x509cert and privateKey of the SP are provided by files placed at
|
|
// the certs folder. But we can also provide them with the following parameters
|
|
'x509cert' => env('SAML2_SP_x509',''),
|
|
'privateKey' => env('SAML2_SP_PRIVATEKEY',''),
|
|
|
|
// Identifier (URI) of the SP entity.
|
|
// Leave blank to use the 'saml_metadata' route.
|
|
'entityId' => env('SAML2_SP_ENTITYID',''),
|
|
|
|
// Specifies info about where and how the <AuthnResponse> message MUST be
|
|
// returned to the requester, in this case our SP.
|
|
'assertionConsumerService' => array(
|
|
// URL Location where the <Response> from the IdP will be returned,
|
|
// using HTTP-POST binding.
|
|
// Leave blank to use the 'saml_acs' route
|
|
'url' => '',
|
|
|
|
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
|
),
|
|
// Specifies info about where and how the <Logout Response> message MUST be
|
|
// returned to the requester, in this case our SP.
|
|
// Remove this part to not include any URL Location in the metadata.
|
|
'singleLogoutService' => array(
|
|
// URL Location where the <Response> from the IdP will be returned,
|
|
// using HTTP-Redirect binding.
|
|
// Leave blank to use the 'saml_sls' route
|
|
'url' => '',
|
|
),
|
|
),
|
|
|
|
// Identity Provider Data that we want connect with our SP
|
|
'idp' => array(
|
|
// Identifier of the IdP entity (must be a URI)
|
|
'entityId' => env('SAML2_IDP_ENTITYID', $idp_host . '/saml2/idp/metadata.php'),
|
|
// SSO endpoint info of the IdP. (Authentication Request protocol)
|
|
'singleSignOnService' => array(
|
|
// URL Target of the IdP where the SP will send the Authentication Request Message,
|
|
// using HTTP-Redirect binding.
|
|
'url' => env('SAML2_IDP_SSO', $idp_host . '/saml2/idp/SSOService.php'),
|
|
),
|
|
// SLO endpoint info of the IdP.
|
|
'singleLogoutService' => array(
|
|
// URL Location of the IdP where the SP will send the SLO Request,
|
|
// using HTTP-Redirect binding.
|
|
'url' => env('SAML2_IDP_SLO', $idp_host . '/saml2/idp/SingleLogoutService.php'),
|
|
),
|
|
// Public x509 certificate of the IdP
|
|
'x509cert' => env('SAML2_IDP_x509', 'MIID/TCCAuWgAwIBAgIJAI4R3WyjjmB1MA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxCdWVub3MgQWlyZXMxDDAKBgNVBAoMA1NJVTERMA8GA1UECwwIU2lzdGVtYXMxFDASBgNVBAMMC09yZy5TaXUuQ29tMSAwHgYJKoZIhvcNAQkBFhFhZG1pbmlAc2l1LmVkdS5hcjAeFw0xNDEyMDExNDM2MjVaFw0yNDExMzAxNDM2MjVaMIGUMQswCQYDVQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxCdWVub3MgQWlyZXMxDDAKBgNVBAoMA1NJVTERMA8GA1UECwwIU2lzdGVtYXMxFDASBgNVBAMMC09yZy5TaXUuQ29tMSAwHgYJKoZIhvcNAQkBFhFhZG1pbmlAc2l1LmVkdS5hcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbzW/EpEv+qqZzfT1Buwjg9nnNNVrxkCfuR9fQiQw2tSouS5X37W5h7RmchRt54wsm046PDKtbSz1NpZT2GkmHN37yALW2lY7MyVUC7itv9vDAUsFr0EfKIdCKgxCKjrzkZ5ImbNvjxf7eA77PPGJnQ/UwXY7W+cvLkirp0K5uWpDk+nac5W0JXOCFR1BpPUJRbz2jFIEHyChRt7nsJZH6ejzNqK9lABEC76htNy1Ll/D3tUoPaqo8VlKW3N3MZE0DB9O7g65DmZIIlFqkaMH3ALd8adodJtOvqfDU/A6SxuwMfwDYPjoucykGDu1etRZ7dF2gd+W+1Pn7yizPT1q8CAwEAAaNQME4wHQYDVR0OBBYEFPsn8tUHN8XXf23ig5Qro3beP8BuMB8GA1UdIwQYMBaAFPsn8tUHN8XXf23ig5Qro3beP8BuMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGu60odWFiK+DkQekozGnlpNBQz5lQ/bwmOWdktnQj6HYXu43e7sh9oZWArLYHEOyMUekKQAxOK51vbTHzzw66BZU91/nqvaOBfkJyZKGfluHbD0/hfOl/D5kONqI9kyTu4wkLQcYGyuIi75CJs15uA03FSuULQdY/Liv+czS/XYDyvtSLnu43VuAQWN321PQNhuGueIaLJANb2C5qq5ilTBUw6PxY9Z+vtMjAjTJGKEkE/tQs7CvzLPKXX3KTD9lIILmX5yUC3dLgjVKi1KGDqNApYGOMtjr5eoxPQrqDBmyx3flcy0dQTdLXud3UjWVW3N0PYgJtw5yBsS74QTGD4='),
|
|
/*
|
|
* Instead of use the whole x509cert you can use a fingerprint
|
|
* (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
|
|
*/
|
|
// 'certFingerprint' => '',
|
|
),
|
|
|
|
/***
|
|
* OneLogin compression settings
|
|
*
|
|
*/
|
|
'compress' => array(
|
|
/** Whether requests should be GZ encoded */
|
|
'requests' => true,
|
|
/** Whether responses should be GZ compressed */
|
|
'responses' => true,
|
|
),
|
|
|
|
/***
|
|
*
|
|
* OneLogin advanced settings
|
|
*
|
|
*
|
|
*/
|
|
// Security settings
|
|
'security' => array(
|
|
|
|
/** signatures and encryptions offered */
|
|
|
|
// Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
|
|
// will be encrypted.
|
|
'nameIdEncrypted' => false,
|
|
|
|
// Indicates whether the <samlp:AuthnRequest> messages sent by this SP
|
|
// will be signed. [The Metadata of the SP will offer this info]
|
|
'authnRequestsSigned' => false,
|
|
|
|
// Indicates whether the <samlp:logoutRequest> messages sent by this SP
|
|
// will be signed.
|
|
'logoutRequestSigned' => false,
|
|
|
|
// Indicates whether the <samlp:logoutResponse> messages sent by this SP
|
|
// will be signed.
|
|
'logoutResponseSigned' => false,
|
|
|
|
/* Sign the Metadata
|
|
False || True (use sp certs) || array (
|
|
keyFileName => 'metadata.key',
|
|
certFileName => 'metadata.crt'
|
|
)
|
|
*/
|
|
'signMetadata' => false,
|
|
|
|
|
|
/** signatures and encryptions required **/
|
|
|
|
// Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
|
|
// <samlp:LogoutResponse> elements received by this SP to be signed.
|
|
'wantMessagesSigned' => false,
|
|
|
|
// Indicates a requirement for the <saml:Assertion> elements received by
|
|
// this SP to be signed. [The Metadata of the SP will offer this info]
|
|
'wantAssertionsSigned' => false,
|
|
|
|
// Indicates a requirement for the NameID received by
|
|
// this SP to be encrypted.
|
|
'wantNameIdEncrypted' => false,
|
|
|
|
// Authentication context.
|
|
// Set to false and no AuthContext will be sent in the AuthNRequest,
|
|
// Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
|
|
// Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
|
|
'requestedAuthnContext' => true,
|
|
),
|
|
|
|
// Contact information template, it is recommended to suply a technical and support contacts
|
|
'contactPerson' => array(
|
|
'technical' => array(
|
|
'givenName' => 'name',
|
|
'emailAddress' => 'no@reply.com'
|
|
),
|
|
'support' => array(
|
|
'givenName' => 'Support',
|
|
'emailAddress' => 'no@reply.com'
|
|
),
|
|
),
|
|
|
|
// Organization information template, the info in en_US lang is recomended, add more if required
|
|
'organization' => array(
|
|
'en-US' => array(
|
|
'name' => 'Name',
|
|
'displayname' => 'Display Name',
|
|
'url' => 'http://url'
|
|
),
|
|
),
|
|
|
|
/* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int] http://saml2int.org/profile/current
|
|
|
|
'authnRequestsSigned' => false, // SP SHOULD NOT sign the <samlp:AuthnRequest>,
|
|
// MUST NOT assume that the IdP validates the sign
|
|
'wantAssertionsSigned' => true,
|
|
'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPs is disabled
|
|
'wantNameIdEncrypted' => false,
|
|
*/
|
|
|
|
);
|