BookStack Code Mirror - bookstack/blob - app/Config/saml2

1 <?php

2

3 //This is variable is an example - Just make sure that the urls in the 'idp' config are ok.

4 $idp_host = env('SAML2_IDP_HOST', 'http://localhost:8000/simplesaml');

5

6 return $settings = array(

7

8 /**

9 * Whether the SAML login is enabled

10 */

11 'enabled' => env("SAML2_ENABLED", false),

12

13 /**

14 * If 'useRoutes' is set to true, the package defines five new routes:

15 *

16 * Method | URI | Name

17 * -------|--------------------------|------------------

18 * POST | {routesPrefix}/acs | saml_acs

19 * GET | {routesPrefix}/login | saml_login

20 * GET | {routesPrefix}/logout | saml_logout

21 * GET | {routesPrefix}/metadata | saml_metadata

22 * GET | {routesPrefix}/sls | saml_sls

23 */

24 'useRoutes' => true,

25

26 'routesPrefix' => '/saml2',

27

28 /**

29 * which middleware group to use for the saml routes

30 * Laravel 5.2 will need a group which includes StartSession

31 */

32 'routesMiddleware' => ['saml'],

33

34 /**

35 * Indicates how the parameters will be

36 * retrieved from the sls request for signature validation

37 */

38 'retrieveParametersFromServer' => false,

39

40 /**

41 * Where to redirect after logout

42 */

43 'logoutRoute' => '/',

44

45 /**

46 * Where to redirect after login if no other option was provided

47 */

48 'loginRoute' => '/',

49

50

51 /**

52 * Where to redirect after login if no other option was provided

53 */

54 'errorRoute' => '/',

59 /*****

60 * One Login Settings

61 */

62

63

64

65 // If 'strict' is True, then the PHP Toolkit will reject unsigned

66 // or unencrypted messages if it expects them signed or encrypted

67 // Also will reject the messages if not strictly follow the SAML

68 // standard: Destination, NameId, Conditions ... are validated too.

69 'strict' => true, //@todo: make this depend on laravel config

70

71 // Enable debug mode (to print errors)

72 'debug' => env('APP_DEBUG', false),

73

74 // If 'proxyVars' is True, then the Saml lib will trust proxy headers

75 // e.g X-Forwarded-Proto / HTTP_X_FORWARDED_PROTO. This is useful if

76 // your application is running behind a load balancer which terminates

77 // SSL.

78 'proxyVars' => false,

79

80 // Service Provider Data that we are deploying

81 'sp' => array(

82

83 // Specifies constraints on the name identifier to be used to

84 // represent the requested subject.

85 // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported

86 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

87

88 // Usually x509cert and privateKey of the SP are provided by files placed at

89 // the certs folder. But we can also provide them with the following parameters

90 'x509cert' => env('SAML2_SP_x509',''),

91 'privateKey' => env('SAML2_SP_PRIVATEKEY',''),

92

93 // Identifier (URI) of the SP entity.

94 // Leave blank to use the 'saml_metadata' route.

95 'entityId' => env('SAML2_SP_ENTITYID',''),

96

97 // Specifies info about where and how the <AuthnResponse> message MUST be

98 // returned to the requester, in this case our SP.

99 'assertionConsumerService' => array(

100 // URL Location where the <Response> from the IdP will be returned,

101 // using HTTP-POST binding.

102 // Leave blank to use the 'saml_acs' route

103 'url' => '',

104

105 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',

106 ),

107 // Specifies info about where and how the <Logout Response> message MUST be

108 // returned to the requester, in this case our SP.

109 // Remove this part to not include any URL Location in the metadata.

110 'singleLogoutService' => array(

111 // URL Location where the <Response> from the IdP will be returned,

112 // using HTTP-Redirect binding.

113 // Leave blank to use the 'saml_sls' route

114 'url' => '',

115 ),

116 ),

117

118 // Identity Provider Data that we want connect with our SP

119 'idp' => array(

120 // Identifier of the IdP entity (must be a URI)

121 'entityId' => env('SAML2_IDP_ENTITYID', $idp_host . '/saml2/idp/metadata.php'),

122 // SSO endpoint info of the IdP. (Authentication Request protocol)

123 'singleSignOnService' => array(

124 // URL Target of the IdP where the SP will send the Authentication Request Message,

125 // using HTTP-Redirect binding.

126 'url' => env('SAML2_IDP_SSO', $idp_host . '/saml2/idp/SSOService.php'),

127 ),

128 // SLO endpoint info of the IdP.

129 'singleLogoutService' => array(

130 // URL Location of the IdP where the SP will send the SLO Request,

131 // using HTTP-Redirect binding.

132 'url' => env('SAML2_IDP_SLO', $idp_host . '/saml2/idp/SingleLogoutService.php'),

133 ),

134 // Public x509 certificate of the IdP

135 'x509cert' => env('SAML2_IDP_x509', 'MIID/TCCAuWgAwIBAgIJAI4R3WyjjmB1MA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxCdWVub3MgQWlyZXMxDDAKBgNVBAoMA1NJVTERMA8GA1UECwwIU2lzdGVtYXMxFDASBgNVBAMMC09yZy5TaXUuQ29tMSAwHgYJKoZIhvcNAQkBFhFhZG1pbmlAc2l1LmVkdS5hcjAeFw0xNDEyMDExNDM2MjVaFw0yNDExMzAxNDM2MjVaMIGUMQswCQYDVQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxCdWVub3MgQWlyZXMxDDAKBgNVBAoMA1NJVTERMA8GA1UECwwIU2lzdGVtYXMxFDASBgNVBAMMC09yZy5TaXUuQ29tMSAwHgYJKoZIhvcNAQkBFhFhZG1pbmlAc2l1LmVkdS5hcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbzW/EpEv+qqZzfT1Buwjg9nnNNVrxkCfuR9fQiQw2tSouS5X37W5h7RmchRt54wsm046PDKtbSz1NpZT2GkmHN37yALW2lY7MyVUC7itv9vDAUsFr0EfKIdCKgxCKjrzkZ5ImbNvjxf7eA77PPGJnQ/UwXY7W+cvLkirp0K5uWpDk+nac5W0JXOCFR1BpPUJRbz2jFIEHyChRt7nsJZH6ejzNqK9lABEC76htNy1Ll/D3tUoPaqo8VlKW3N3MZE0DB9O7g65DmZIIlFqkaMH3ALd8adodJtOvqfDU/A6SxuwMfwDYPjoucykGDu1etRZ7dF2gd+W+1Pn7yizPT1q8CAwEAAaNQME4wHQYDVR0OBBYEFPsn8tUHN8XXf23ig5Qro3beP8BuMB8GA1UdIwQYMBaAFPsn8tUHN8XXf23ig5Qro3beP8BuMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGu60odWFiK+DkQekozGnlpNBQz5lQ/bwmOWdktnQj6HYXu43e7sh9oZWArLYHEOyMUekKQAxOK51vbTHzzw66BZU91/nqvaOBfkJyZKGfluHbD0/hfOl/D5kONqI9kyTu4wkLQcYGyuIi75CJs15uA03FSuULQdY/Liv+czS/XYDyvtSLnu43VuAQWN321PQNhuGueIaLJANb2C5qq5ilTBUw6PxY9Z+vtMjAjTJGKEkE/tQs7CvzLPKXX3KTD9lIILmX5yUC3dLgjVKi1KGDqNApYGOMtjr5eoxPQrqDBmyx3flcy0dQTdLXud3UjWVW3N0PYgJtw5yBsS74QTGD4='),

136 /*

137 * Instead of use the whole x509cert you can use a fingerprint

138 * (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)

139 */

140 // 'certFingerprint' => '',

141 ),

142

143 /***

144 * OneLogin compression settings

145 *

146 */

147 'compress' => array(

148 /** Whether requests should be GZ encoded */

149 'requests' => true,

150 /** Whether responses should be GZ compressed */

151 'responses' => true,

152 ),

153

154 /***

155 *

156 * OneLogin advanced settings

157 *

158 *

159 */

160 // Security settings

161 'security' => array(

162

163 /** signatures and encryptions offered */

164

165 // Indicates that the nameID of the <samlp:logoutRequest> sent by this SP

166 // will be encrypted.

167 'nameIdEncrypted' => false,

168

169 // Indicates whether the <samlp:AuthnRequest> messages sent by this SP

170 // will be signed. [The Metadata of the SP will offer this info]

171 'authnRequestsSigned' => false,

172

173 // Indicates whether the <samlp:logoutRequest> messages sent by this SP

174 // will be signed.

175 'logoutRequestSigned' => false,

176

177 // Indicates whether the <samlp:logoutResponse> messages sent by this SP

178 // will be signed.

179 'logoutResponseSigned' => false,

180

181 /* Sign the Metadata

182 False || True (use sp certs) || array (

183 keyFileName => 'metadata.key',

184 certFileName => 'metadata.crt'

185 )

186 */

187 'signMetadata' => false,

188

189

190 /** signatures and encryptions required **/

191

192 // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and

193 // <samlp:LogoutResponse> elements received by this SP to be signed.

194 'wantMessagesSigned' => false,

195

196 // Indicates a requirement for the <saml:Assertion> elements received by

197 // this SP to be signed. [The Metadata of the SP will offer this info]

198 'wantAssertionsSigned' => false,

199

200 // Indicates a requirement for the NameID received by

201 // this SP to be encrypted.

202 'wantNameIdEncrypted' => false,

203

204 // Authentication context.

205 // Set to false and no AuthContext will be sent in the AuthNRequest,

206 // Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'

207 // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),

208 'requestedAuthnContext' => true,

209 ),

210

211 // Contact information template, it is recommended to suply a technical and support contacts

212 'contactPerson' => array(

213 'technical' => array(

214 'givenName' => 'name',

215 'emailAddress' => '[email protected]'

216 ),

217 'support' => array(

218 'givenName' => 'Support',

219 'emailAddress' => '[email protected]'