bookstack/app/Config/saml2_settings.php

<?php

//This is variable is an example - Just make sure that the urls in the 'idp' config are ok.
$idp_host = env('SAML2_IDP_HOST', 'http://localhost:8000/simplesaml');

return $settings = array(

    /**
     * Whether the SAML login is enabled
     */
    'enabled' => env("SAML2_ENABLED", false),

    /**
     * If 'useRoutes' is set to true, the package defines five new routes:
     *
     *    Method | URI                      | Name
     *    -------|--------------------------|------------------
     *    POST   | {routesPrefix}/acs       | saml_acs
     *    GET    | {routesPrefix}/login     | saml_login
     *    GET    | {routesPrefix}/logout    | saml_logout
     *    GET    | {routesPrefix}/metadata  | saml_metadata
     *    GET    | {routesPrefix}/sls       | saml_sls
     */
    'useRoutes' => true,

    'routesPrefix' => '/saml2',

    /**
     * which middleware group to use for the saml routes
     * Laravel 5.2 will need a group which includes StartSession
     */
    'routesMiddleware' => ['saml'],

    /**
     * Indicates how the parameters will be
     * retrieved from the sls request for signature validation
     */
    'retrieveParametersFromServer' => false,

    /**
     * Where to redirect after logout
     */
    'logoutRoute' => '/',

    /**
     * Where to redirect after login if no other option was provided
     */
    'loginRoute' => '/',


    /**
     * Where to redirect after login if no other option was provided
     */
    'errorRoute' => '/',


    /*****
     * One Login Settings
     */


    // If 'strict' is True, then the PHP Toolkit will reject unsigned
    // or unencrypted messages if it expects them signed or encrypted
    // Also will reject the messages if not strictly follow the SAML
    // standard: Destination, NameId, Conditions ... are validated too.
    'strict' => true, //@todo: make this depend on laravel config

    // Enable debug mode (to print errors)
    'debug' => env('APP_DEBUG', false),

    // If 'proxyVars' is True, then the Saml lib will trust proxy headers
    // e.g X-Forwarded-Proto / HTTP_X_FORWARDED_PROTO. This is useful if
    // your application is running behind a load balancer which terminates
    // SSL.
    'proxyVars' => false,

    // Service Provider Data that we are deploying
    'sp' => array(

        // Specifies constraints on the name identifier to be used to
        // represent the requested subject.
        // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

        // Usually x509cert and privateKey of the SP are provided by files placed at
        // the certs folder. But we can also provide them with the following parameters
        'x509cert' => env('SAML2_SP_x509',''),
        'privateKey' => env('SAML2_SP_PRIVATEKEY',''),

        // Identifier (URI) of the SP entity.
        // Leave blank to use the 'saml_metadata' route.
        'entityId' => env('SAML2_SP_ENTITYID',''),

        // Specifies info about where and how the <AuthnResponse> message MUST be
        // returned to the requester, in this case our SP.
        'assertionConsumerService' => array(
            // URL Location where the <Response> from the IdP will be returned,
            // using HTTP-POST binding.
            // Leave blank to use the 'saml_acs' route
            'url' => '',

            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        // Specifies info about where and how the <Logout Response> message MUST be
        // returned to the requester, in this case our SP.
        // Remove this part to not include any URL Location in the metadata.
        'singleLogoutService' => array(
            // URL Location where the <Response> from the IdP will be returned,
            // using HTTP-Redirect binding.
            // Leave blank to use the 'saml_sls' route
            'url' => '',
        ),
    ),

    // Identity Provider Data that we want connect with our SP
    'idp' => array(
        // Identifier of the IdP entity  (must be a URI)
        'entityId' => env('SAML2_IDP_ENTITYID', $idp_host . '/saml2/idp/metadata.php'),
        // SSO endpoint info of the IdP. (Authentication Request protocol)
        'singleSignOnService' => array(
            // URL Target of the IdP where the SP will send the Authentication Request Message,
            // using HTTP-Redirect binding.
            'url' => env('SAML2_IDP_SSO', $idp_host . '/saml2/idp/SSOService.php'),
        ),
        // SLO endpoint info of the IdP.
        'singleLogoutService' => array(
            // URL Location of the IdP where the SP will send the SLO Request,
            // using HTTP-Redirect binding.
            'url' => env('SAML2_IDP_SLO', $idp_host . '/saml2/idp/SingleLogoutService.php'),
        ),
        // Public x509 certificate of the IdP
        'x509cert' => env('SAML2_IDP_x509', 'MIID/TCCAuWgAwIBAgIJAI4R3WyjjmB1MA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxCdWVub3MgQWlyZXMxDDAKBgNVBAoMA1NJVTERMA8GA1UECwwIU2lzdGVtYXMxFDASBgNVBAMMC09yZy5TaXUuQ29tMSAwHgYJKoZIhvcNAQkBFhFhZG1pbmlAc2l1LmVkdS5hcjAeFw0xNDEyMDExNDM2MjVaFw0yNDExMzAxNDM2MjVaMIGUMQswCQYDVQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxCdWVub3MgQWlyZXMxDDAKBgNVBAoMA1NJVTERMA8GA1UECwwIU2lzdGVtYXMxFDASBgNVBAMMC09yZy5TaXUuQ29tMSAwHgYJKoZIhvcNAQkBFhFhZG1pbmlAc2l1LmVkdS5hcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbzW/EpEv+qqZzfT1Buwjg9nnNNVrxkCfuR9fQiQw2tSouS5X37W5h7RmchRt54wsm046PDKtbSz1NpZT2GkmHN37yALW2lY7MyVUC7itv9vDAUsFr0EfKIdCKgxCKjrzkZ5ImbNvjxf7eA77PPGJnQ/UwXY7W+cvLkirp0K5uWpDk+nac5W0JXOCFR1BpPUJRbz2jFIEHyChRt7nsJZH6ejzNqK9lABEC76htNy1Ll/D3tUoPaqo8VlKW3N3MZE0DB9O7g65DmZIIlFqkaMH3ALd8adodJtOvqfDU/A6SxuwMfwDYPjoucykGDu1etRZ7dF2gd+W+1Pn7yizPT1q8CAwEAAaNQME4wHQYDVR0OBBYEFPsn8tUHN8XXf23ig5Qro3beP8BuMB8GA1UdIwQYMBaAFPsn8tUHN8XXf23ig5Qro3beP8BuMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGu60odWFiK+DkQekozGnlpNBQz5lQ/bwmOWdktnQj6HYXu43e7sh9oZWArLYHEOyMUekKQAxOK51vbTHzzw66BZU91/nqvaOBfkJyZKGfluHbD0/hfOl/D5kONqI9kyTu4wkLQcYGyuIi75CJs15uA03FSuULQdY/Liv+czS/XYDyvtSLnu43VuAQWN321PQNhuGueIaLJANb2C5qq5ilTBUw6PxY9Z+vtMjAjTJGKEkE/tQs7CvzLPKXX3KTD9lIILmX5yUC3dLgjVKi1KGDqNApYGOMtjr5eoxPQrqDBmyx3flcy0dQTdLXud3UjWVW3N0PYgJtw5yBsS74QTGD4='),
        /*
         *  Instead of use the whole x509cert you can use a fingerprint
         *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
         */
        // 'certFingerprint' => '',
    ),

    /***
     *   OneLogin compression settings
     *
     */
    'compress' => array(
        /** Whether requests should be GZ encoded */
        'requests' => true,
        /** Whether responses should be GZ compressed */
        'responses' => true,
    ),

    /***
     *
     *  OneLogin advanced settings
     *
     *
     */
    // Security settings
    'security' => array(

        /** signatures and encryptions offered */

        // Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
        // will be encrypted.
        'nameIdEncrypted' => false,

        // Indicates whether the <samlp:AuthnRequest> messages sent by this SP
        // will be signed.              [The Metadata of the SP will offer this info]
        'authnRequestsSigned' => false,

        // Indicates whether the <samlp:logoutRequest> messages sent by this SP
        // will be signed.
        'logoutRequestSigned' => false,

        // Indicates whether the <samlp:logoutResponse> messages sent by this SP
        // will be signed.
        'logoutResponseSigned' => false,

        /* Sign the Metadata
         False || True (use sp certs) || array (
                                                    keyFileName => 'metadata.key',
                                                    certFileName => 'metadata.crt'
                                                )
        */
        'signMetadata' => false,


        /** signatures and encryptions required **/

        // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
        // <samlp:LogoutResponse> elements received by this SP to be signed.
        'wantMessagesSigned' => false,

        // Indicates a requirement for the <saml:Assertion> elements received by
        // this SP to be signed.        [The Metadata of the SP will offer this info]
        'wantAssertionsSigned' => false,

        // Indicates a requirement for the NameID received by
        // this SP to be encrypted.
        'wantNameIdEncrypted' => false,

        // Authentication context.
        // Set to false and no AuthContext will be sent in the AuthNRequest,
        // Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
        // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
        'requestedAuthnContext' => true,
    ),

    // Contact information template, it is recommended to suply a technical and support contacts
    'contactPerson' => array(
        'technical' => array(
            'givenName' => 'name',
            'emailAddress' => 'no@reply.com'
        ),
        'support' => array(
            'givenName' => 'Support',
            'emailAddress' => 'no@reply.com'
        ),
    ),

    // Organization information template, the info in en_US lang is recomended, add more if required
    'organization' => array(
        'en-US' => array(
            'name' => 'Name',
            'displayname' => 'Display Name',
            'url' => 'http://url'
        ),
    ),

/* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int]   http://saml2int.org/profile/current

   'authnRequestsSigned' => false,    // SP SHOULD NOT sign the <samlp:AuthnRequest>,
                                      // MUST NOT assume that the IdP validates the sign
   'wantAssertionsSigned' => true,
   'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPs is disabled
   'wantNameIdEncrypted' => false,
*/

);
Initial work on SAML integration 2019-08-06 02:06:39 +08:00			`<?php`

			`//This is variable is an example - Just make sure that the urls in the 'idp' config are ok.`
			`$idp_host = env('SAML2_IDP_HOST', 'http://localhost:8000/simplesaml');`

			`return $settings = array(`

			`/**`
			`* Whether the SAML login is enabled`
			`*/`
			`'enabled' => env("SAML2_ENABLED", false),`

			`/**`
			`* If 'useRoutes' is set to true, the package defines five new routes:`
			`*`
			`* Method \| URI \| Name`
			`* -------\|--------------------------\|------------------`
			`* POST \| {routesPrefix}/acs \| saml_acs`
			`* GET \| {routesPrefix}/login \| saml_login`
			`* GET \| {routesPrefix}/logout \| saml_logout`
			`* GET \| {routesPrefix}/metadata \| saml_metadata`
			`* GET \| {routesPrefix}/sls \| saml_sls`
			`*/`
			`'useRoutes' => true,`

			`'routesPrefix' => '/saml2',`

			`/**`
			`* which middleware group to use for the saml routes`
			`* Laravel 5.2 will need a group which includes StartSession`
			`*/`
Add login and automatic registration; Prepare Group sync 2019-08-07 05:42:46 +08:00			`'routesMiddleware' => ['saml'],`
Initial work on SAML integration 2019-08-06 02:06:39 +08:00
			`/**`
			`* Indicates how the parameters will be`
			`* retrieved from the sls request for signature validation`
			`*/`
			`'retrieveParametersFromServer' => false,`

			`/**`
			`* Where to redirect after logout`
			`*/`
			`'logoutRoute' => '/',`

			`/**`
			`* Where to redirect after login if no other option was provided`
			`*/`
			`'loginRoute' => '/',`


			`/**`
			`* Where to redirect after login if no other option was provided`
			`*/`
			`'errorRoute' => '/',`




			`/*****`
			`* One Login Settings`
			`*/`



			`// If 'strict' is True, then the PHP Toolkit will reject unsigned`
			`// or unencrypted messages if it expects them signed or encrypted`
			`// Also will reject the messages if not strictly follow the SAML`
			`// standard: Destination, NameId, Conditions ... are validated too.`
			`'strict' => true, //@todo: make this depend on laravel config`

			`// Enable debug mode (to print errors)`
			`'debug' => env('APP_DEBUG', false),`

			`// If 'proxyVars' is True, then the Saml lib will trust proxy headers`
			`// e.g X-Forwarded-Proto / HTTP_X_FORWARDED_PROTO. This is useful if`
			`// your application is running behind a load balancer which terminates`
			`// SSL.`
			`'proxyVars' => false,`

			`// Service Provider Data that we are deploying`
			`'sp' => array(`

			`// Specifies constraints on the name identifier to be used to`
			`// represent the requested subject.`
			`// Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported`
			`'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',`

			`// Usually x509cert and privateKey of the SP are provided by files placed at`
			`// the certs folder. But we can also provide them with the following parameters`
			`'x509cert' => env('SAML2_SP_x509',''),`
			`'privateKey' => env('SAML2_SP_PRIVATEKEY',''),`

			`// Identifier (URI) of the SP entity.`
			`// Leave blank to use the 'saml_metadata' route.`
			`'entityId' => env('SAML2_SP_ENTITYID',''),`

			`// Specifies info about where and how the <AuthnResponse> message MUST be`
			`// returned to the requester, in this case our SP.`
			`'assertionConsumerService' => array(`
			`// URL Location where the <Response> from the IdP will be returned,`
			`// using HTTP-POST binding.`
			`// Leave blank to use the 'saml_acs' route`
			`'url' => '',`
Add login and automatic registration; Prepare Group sync 2019-08-07 05:42:46 +08:00
			`'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',`
Initial work on SAML integration 2019-08-06 02:06:39 +08:00			`),`
			`// Specifies info about where and how the <Logout Response> message MUST be`
			`// returned to the requester, in this case our SP.`
			`// Remove this part to not include any URL Location in the metadata.`
			`'singleLogoutService' => array(`
			`// URL Location where the <Response> from the IdP will be returned,`
			`// using HTTP-Redirect binding.`
			`// Leave blank to use the 'saml_sls' route`
			`'url' => '',`
			`),`
			`),`

			`// Identity Provider Data that we want connect with our SP`
			`'idp' => array(`
			`// Identifier of the IdP entity (must be a URI)`
			`'entityId' => env('SAML2_IDP_ENTITYID', $idp_host . '/saml2/idp/metadata.php'),`
			`// SSO endpoint info of the IdP. (Authentication Request protocol)`
			`'singleSignOnService' => array(`
			`// URL Target of the IdP where the SP will send the Authentication Request Message,`
			`// using HTTP-Redirect binding.`
			`'url' => env('SAML2_IDP_SSO', $idp_host . '/saml2/idp/SSOService.php'),`
			`),`
			`// SLO endpoint info of the IdP.`
			`'singleLogoutService' => array(`
			`// URL Location of the IdP where the SP will send the SLO Request,`
			`// using HTTP-Redirect binding.`
			`'url' => env('SAML2_IDP_SLO', $idp_host . '/saml2/idp/SingleLogoutService.php'),`
			`),`
			`// Public x509 certificate of the IdP`
			'x509cert' => env('SAML2_IDP_x509', 'MIID/TCCAuWgAwIBAgIJAI4R3WyjjmB1MA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxCdWVub3MgQWlyZXMxDDAKBgNVBAoMA1NJVTERMA8GA1UECwwIU2lzdGVtYXMxFDASBgNVBAMMC09yZy5TaXUuQ29tMSAwHgYJKoZIhvcNAQkBFhFhZG1pbmlAc2l1LmVkdS5hcjAeFw0xNDEyMDExNDM2MjVaFw0yNDExMzAxNDM2MjVaMIGUMQswCQYDVQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxCdWVub3MgQWlyZXMxDDAKBgNVBAoMA1NJVTERMA8GA1UECwwIU2lzdGVtYXMxFDASBgNVBAMMC09yZy5TaXUuQ29tMSAwHgYJKoZIhvcNAQkBFhFhZG1pbmlAc2l1LmVkdS5hcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbzW/EpEv+qqZzfT1Buwjg9nnNNVrxkCfuR9fQiQw2tSouS5X37W5h7RmchRt54wsm046PDKtbSz1NpZT2GkmHN37yALW2lY7MyVUC7itv9vDAUsFr0EfKIdCKgxCKjrzkZ5ImbNvjxf7eA77PPGJnQ/UwXY7W+cvLkirp0K5uWpDk+nac5W0JXOCFR1BpPUJRbz2jFIEHyChRt7nsJZH6ejzNqK9lABEC76htNy1Ll/D3tUoPaqo8VlKW3N3MZE0DB9O7g65DmZIIlFqkaMH3ALd8adodJtOvqfDU/A6SxuwMfwDYPjoucykGDu1etRZ7dF2gd+W+1Pn7yizPT1q8CAwEAAaNQME4wHQYDVR0OBBYEFPsn8tUHN8XXf23ig5Qro3beP8BuMB8GA1UdIwQYMBaAFPsn8tUHN8XXf23ig5Qro3beP8BuMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGu60odWFiK+DkQekozGnlpNBQz5lQ/bwmOWdktnQj6HYXu43e7sh9oZWArLYHEOyMUekKQAxOK51vbTHzzw66BZU91/nqvaOBfkJyZKGfluHbD0/hfOl/D5kONqI9kyTu4wkLQcYGyuIi75CJs15uA03FSuULQdY/Liv+czS/XYDyvtSLnu43VuAQWN321PQNhuGueIaLJANb2C5qq5ilTBUw6PxY9Z+vtMjAjTJGKEkE/tQs7CvzLPKXX3KTD9lIILmX5yUC3dLgjVKi1KGDqNApYGOMtjr5eoxPQrqDBmyx3flcy0dQTdLXud3UjWVW3N0PYgJtw5yBsS74QTGD4='),
			`/*`
			`* Instead of use the whole x509cert you can use a fingerprint`
			`* (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)`
			`*/`
			`// 'certFingerprint' => '',`
			`),`

Add login and automatic registration; Prepare Group sync 2019-08-07 05:42:46 +08:00			`/***`
			`* OneLogin compression settings`
			`*`
			`*/`
			`'compress' => array(`
			`/** Whether requests should be GZ encoded */`
			`'requests' => true,`
			`/** Whether responses should be GZ compressed */`
			`'responses' => true,`
			`),`
Initial work on SAML integration 2019-08-06 02:06:39 +08:00
			`/***`
			`*`
			`* OneLogin advanced settings`
			`*`
			`*`
			`*/`
			`// Security settings`
			`'security' => array(`

			`/** signatures and encryptions offered */`

			`// Indicates that the nameID of the <samlp:logoutRequest> sent by this SP`
			`// will be encrypted.`
			`'nameIdEncrypted' => false,`

			`// Indicates whether the <samlp:AuthnRequest> messages sent by this SP`
			`// will be signed. [The Metadata of the SP will offer this info]`
			`'authnRequestsSigned' => false,`

			`// Indicates whether the <samlp:logoutRequest> messages sent by this SP`
			`// will be signed.`
			`'logoutRequestSigned' => false,`

			`// Indicates whether the <samlp:logoutResponse> messages sent by this SP`
			`// will be signed.`
			`'logoutResponseSigned' => false,`

			`/* Sign the Metadata`
			`False \|\| True (use sp certs) \|\| array (`
			`keyFileName => 'metadata.key',`
			`certFileName => 'metadata.crt'`
			`)`
			`*/`
			`'signMetadata' => false,`


			`/ signatures and encryptions required /`

			`// Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and`
			`// <samlp:LogoutResponse> elements received by this SP to be signed.`
			`'wantMessagesSigned' => false,`

			`// Indicates a requirement for the <saml:Assertion> elements received by`
			`// this SP to be signed. [The Metadata of the SP will offer this info]`
			`'wantAssertionsSigned' => false,`

			`// Indicates a requirement for the NameID received by`
			`// this SP to be encrypted.`
			`'wantNameIdEncrypted' => false,`

			`// Authentication context.`
			`// Set to false and no AuthContext will be sent in the AuthNRequest,`
			`// Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'`
			`// Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),`
			`'requestedAuthnContext' => true,`
			`),`

			`// Contact information template, it is recommended to suply a technical and support contacts`
			`'contactPerson' => array(`
			`'technical' => array(`
			`'givenName' => 'name',`
			`'emailAddress' => 'no@reply.com'`
			`),`
			`'support' => array(`
			`'givenName' => 'Support',`
			`'emailAddress' => 'no@reply.com'`
			`),`
			`),`

			`// Organization information template, the info in en_US lang is recomended, add more if required`
			`'organization' => array(`
			`'en-US' => array(`
			`'name' => 'Name',`
			`'displayname' => 'Display Name',`
			`'url' => 'http://url'`
			`),`
			`),`

			`/* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int] http://saml2int.org/profile/current`

			`'authnRequestsSigned' => false, // SP SHOULD NOT sign the <samlp:AuthnRequest>,`
			`// MUST NOT assume that the IdP validates the sign`
			`'wantAssertionsSigned' => true,`
			`'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPs is disabled`
			`'wantNameIdEncrypted' => false,`
			`*/`

			`);`