BookStack Code Mirror - bookstack/blob

1 <?php

2

3 $SAML2_IDP_AUTHNCONTEXT = env('SAML2_IDP_AUTHNCONTEXT', true);

4 $SAML2_SP_x509 = env('SAML2_SP_x509', false);

5

6 return [

7

8 // Display name, shown to users, for SAML2 option

9 'name' => env('SAML2_NAME', 'SSO'),

10

11 // Dump user details after a login request for debugging purposes

12 'dump_user_details' => env('SAML2_DUMP_USER_DETAILS', false),

13

14 // Attribute, within a SAML response, to find the user's email address

15 'email_attribute' => env('SAML2_EMAIL_ATTRIBUTE', 'email'),

16 // Attribute, within a SAML response, to find the user's display name

17 'display_name_attributes' => explode('|', env('SAML2_DISPLAY_NAME_ATTRIBUTES', 'username')),

18 // Attribute, within a SAML response, to use to connect a BookStack user to the SAML user.

19 'external_id_attribute' => env('SAML2_EXTERNAL_ID_ATTRIBUTE', null),

20

21 // Group sync options

22 // Enable syncing, upon login, of SAML2 groups to BookStack groups

23 'user_to_groups' => env('SAML2_USER_TO_GROUPS', false),

24 // Attribute, within a SAML response, to find group names on

25 'group_attribute' => env('SAML2_GROUP_ATTRIBUTE', 'group'),

26 // When syncing groups, remove any groups that no longer match. Otherwise sync only adds new groups.

27 'remove_from_groups' => env('SAML2_REMOVE_FROM_GROUPS', false),

28

29 // Autoload IDP details from the metadata endpoint

30 'autoload_from_metadata' => env('SAML2_AUTOLOAD_METADATA', false),

31

32 // Overrides, in JSON format, to the configuration passed to underlying onelogin library.

33 'onelogin_overrides' => env('SAML2_ONELOGIN_OVERRIDES', null),

34

35 'onelogin' => [

36 // If 'strict' is True, then the PHP Toolkit will reject unsigned

37 // or unencrypted messages if it expects them signed or encrypted

38 // Also will reject the messages if not strictly follow the SAML

39 // standard: Destination, NameId, Conditions ... are validated too.

40 'strict' => true,

41

42 // Enable debug mode (to print errors)

43 'debug' => env('APP_DEBUG', false),

44

45 // Set a BaseURL to be used instead of try to guess

46 // the BaseURL of the view that process the SAML Message.

47 // Ex. http://sp.example.com/

48 // http://example.com/sp/

49 'baseurl' => null,

50

51 // Service Provider Data that we are deploying

52 'sp' => [

53 // Identifier of the SP entity (must be a URI)

54 'entityId' => '',

55

56 // Specifies info about where and how the <AuthnResponse> message MUST be

57 // returned to the requester, in this case our SP.

58 'assertionConsumerService' => [

59 // URL Location where the <Response> from the IdP will be returned

60 'url' => '',

61 // SAML protocol binding to be used when returning the <Response>

62 // message. Onelogin Toolkit supports for this endpoint the

63 // HTTP-POST binding only

64 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',

65 ],

66

67 // Specifies info about where and how the <Logout Response> message MUST be

68 // returned to the requester, in this case our SP.

69 'singleLogoutService' => [

70 // URL Location where the <Response> from the IdP will be returned

71 'url' => '',

72 // SAML protocol binding to be used when returning the <Response>

73 // message. Onelogin Toolkit supports for this endpoint the

74 // HTTP-Redirect binding only

75 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',

76 ],

77

78 // Specifies constraints on the name identifier to be used to

79 // represent the requested subject.

80 // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported

81 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',

82

83 // Usually x509cert and privateKey of the SP are provided by files placed at

84 // the certs folder. But we can also provide them with the following parameters

85 'x509cert' => $SAML2_SP_x509 ?: '',

86 'privateKey' => env('SAML2_SP_x509_KEY', ''),

87 ],

88 // Identity Provider Data that we want connect with our SP

89 'idp' => [

90 // Identifier of the IdP entity (must be a URI)

91 'entityId' => env('SAML2_IDP_ENTITYID', null),

92 // SSO endpoint info of the IdP. (Authentication Request protocol)

93 'singleSignOnService' => [

94 // URL Target of the IdP where the SP will send the Authentication Request Message

95 'url' => env('SAML2_IDP_SSO', null),

96 // SAML protocol binding to be used when returning the <Response>

97 // message. Onelogin Toolkit supports for this endpoint the

98 // HTTP-Redirect binding only

99 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',

100 ],

101 // SLO endpoint info of the IdP.

102 'singleLogoutService' => [

103 // URL Location of the IdP where the SP will send the SLO Request

104 'url' => env('SAML2_IDP_SLO', null),

105 // URL location of the IdP where the SP will send the SLO Response (ResponseLocation)

106 // if not set, url for the SLO Request will be used

107 'responseUrl' => null,

108 // SAML protocol binding to be used when returning the <Response>

109 // message. Onelogin Toolkit supports for this endpoint the

110 // HTTP-Redirect binding only

111 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',

112 ],

113 // Public x509 certificate of the IdP

114 'x509cert' => env('SAML2_IDP_x509', null),

115 /*

116 * Instead of use the whole x509cert you can use a fingerprint in

117 * order to validate the SAMLResponse, but we don't recommend to use

118 * that method on production since is exploitable by a collision

119 * attack.

120 * (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,

121 * or add for example the -sha256 , -sha384 or -sha512 parameter)

122 *

123 * If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to

124 * let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512

125 * 'sha1' is the default value.

126 */

127 // 'certFingerprint' => '',

128 // 'certFingerprintAlgorithm' => 'sha1',

129 /* In some scenarios the IdP uses different certificates for

130 * signing/encryption, or is under key rollover phase and more

131 * than one certificate is published on IdP metadata.

132 * In order to handle that the toolkit offers that parameter.

133 * (when used, 'x509cert' and 'certFingerprint' values are

134 * ignored).

135 */

136 // 'x509certMulti' => array(

137 // 'signing' => array(

138 // 0 => '<cert1-string>',

139 // ),

140 // 'encryption' => array(

141 // 0 => '<cert2-string>',

142 // )

143 // ),

144 ],

145 'security' => [

146 // SAML2 Authn context

147 // When set to false no AuthContext will be sent in the AuthNRequest,

148 // When set to true (Default) you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'.

149 // Multiple forced values can be passed via a space separated array, For example:

150 // SAML2_IDP_AUTHNCONTEXT="urn:federation:authentication:windows urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

151 'requestedAuthnContext' => is_string($SAML2_IDP_AUTHNCONTEXT) ? explode(' ', $SAML2_IDP_AUTHNCONTEXT) : $SAML2_IDP_AUTHNCONTEXT,

152 // Sign requests and responses if a certificate is in use

153 'logoutRequestSigned' => (bool) $SAML2_SP_x509,

154 'logoutResponseSigned' => (bool) $SAML2_SP_x509,

155 'authnRequestsSigned' => (bool) $SAML2_SP_x509,

156 'lowercaseUrlencoding' => false,

157 ],

158 ],

159

160 ];