-
Notifications
You must be signed in to change notification settings - Fork 1
/
local.env.dist
177 lines (144 loc) · 8.25 KB
/
local.env.dist
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
#-----------------------------------------------------------------------------------
# Required configuration
# ADMIN_PASS should be set to a good password with high entropy. It is for authentication to the
# SimpleSAMLphp admin pages.
ADMIN_PASS=
# SECRET_SALT should be set to a random string. It is used by SimpleSAMLphp when hashing values
# such as a generated NameID attribute. Search for 'secretsalt' in SimpleSAMLphp documentation
# for more information.
SECRET_SALT=
# === MySQL database config ===
# These variables in this section are required for the SimpleSAMLphp session store. It is also used
# in the silauth Auth Source to store login failure information.
#
# set MYSQL_HOST to the hostname of the database server
MYSQL_HOST=
# set MYSQL_DATABASE to the name of the database
MYSQL_DATABASE=
# set MYSQL_USER to the username for database access
MYSQL_USER=
# set MYSQL_PASSWORD to the password for database access
MYSQL_PASSWORD=
#-----------------------------------------------------------------------------------
# Conditionally-required configuration
# === ID Broker config ===
# These variables in this section are required if the silauth or mfa AuthProc filters
# are enabled and configured.
#
# ID_BROKER_ACCESS_TOKEN is an authentication token for access to the id-broker API
ID_BROKER_ACCESS_TOKEN=
# ID_BROKER_BASE_URI is the base URL for the id-broker API. Must be a full http URL.
ID_BROKER_BASE_URI=
# ID_BROKER_TRUSTED_IP_RANGES is a comma-separated list of CIDR-formatted IPv4 or IPv6 networks. The PHP
# client for the id-broker API performs a DNS check against this list. If the resulting IP address is
# not in any of the trusted ranges, it will not proceed with connection to the API.
ID_BROKER_TRUSTED_IP_RANGES=
# ID_BROKER_ASSERT_VALID_IP can be set to 'false' to bypass IP checks. The default is 'true'.
ID_BROKER_ASSERT_VALID_IP=
# IDP_DOMAIN_NAME is required if silauth or mfa AuthProc filters are enabled and
# configured. It is used for assembling the eduPersonPrincipalName for users (e.g.
# "[email protected]"). It is also used to assemble the Relying Party Origin (RP Origin)
# for calls to the id-broker API, which uses it for calling the WebAuthn MFA API.
# Do not include the protocol ('https://') at the front.
IDP_DOMAIN_NAME=
# MFA_SETUP_URL is required if the mfa AuthProc filter is enabled and configured. It must be set to
# the profile manager URL for setting up MFA options. It is used for redirects and links.
# Example: https://pw.example.com/#/2sv/intro
MFA_SETUP_URL=
# PASSWORD_CHANGE_URL is required if the expirychecker AuthProc filter is enabled and configured. It
# must be set to the profile manager URL for setting the user's password. It is used to redirect the
# browers when the user's password has expired and to present a link the user can click when their
# password is nearing expiration.
# Example: https://pw.example.com/#/password/create
PASSWORD_CHANGE_URL=
# PROFILE_URL is required if the profilereview AuthProc filter is enabled and configured. It
# is used to show a link to the profile manager. It is also used by the silauth Auth Source to
# display a link to the profile manager on the 'loginuserpass' page.
# Example: https://pw.example.com/#/
PROFILE_URL=
# REMEMBER_ME_SECRET is required if the mfa AuthProc filter is enabled and configured. It is used
# to generate a cookie to remember the user from one session to the next.
REMEMBER_ME_SECRET=
#-----------------------------------------------------------------------------------
# Optional configuration
# ADMIN_EMAIL and ADMIN_NAME are not currently used. These values would be used if email alerts
# or generated metadata are enabled.
ADMIN_EMAIL=
ADMIN_NAME=
# ANALYTICS_ID can be set to a Google Analytics measurement ID if analytic tracking is desired.
ANALYTICS_ID=
# === AWS AppConfig (optional) ===
# To use AWS AppConfig to supply configuration values to override environment variables, define the
# following variables:
#
# AWS_REGION should be set to the AWS region where your AppConfig application is defined, e.g. us-east-1.
AWS_REGION=
# APP_ID should be set to the ID or name of the AppConfig Application
APP_ID=
# CONFIG_ID should be set to the ID or name of the AppConfig Configuration Profile
CONFIG_ID=
# ENV_ID should be set to the ID or name of the AppConfig Environment
ENV_ID=
# BASE_URL_PATH is a URL path for SimpleSAMLphp to direct external requests to this server. The default is '/'.
# A valid format for 'baseurlpath' is: [(http|https)://(hostname|fqdn)[:port]]/[path/to/simplesaml/]
BASE_URL_PATH=
# DYNAMO_ACCESS_KEY_ID and DYNAMO_SECRET_ACCESS_KEY can be set to AWS IAM credentials with access
# to a DynamoDB table for storage of user access logs. For more information see docs/editing_authprocs.md
DYNAMO_ACCESS_KEY_ID
DYNAMO_SECRET_ACCESS_KEY
# HELP_CENTER_URL can be set to a URL for an end-user support site. If provided, it will be used for a
# link address on the IdP selection page (selectidp-links) and the IdP login page (loginuserpass).
HELP_CENTER_URL=
# Set HUB_MODE to 'false' for IdP application and to 'true' for Hub (proxy) application. Enabling hub mode
# adds 'TagGroup' and 'AddIdp2NameId' Authentication Process (AuthProc) filters and several metadata tests.
# The default is 'false'.
HUB_MODE=false
# LOGGING_LEVEL filters which log messages are output to stderr. The default is NOTICE.
# It may be set to one of the following: ERR, WARNING, NOTICE, INFO, or DEBUG.
LOGGING_LEVEL=
# MFA_LEARN_MORE_URL can be set to a URL the user can visit to learn more about MFA. It is
# used in a link on the profilereview 'nag-for-mfa' page.
MFA_LEARN_MORE_URL=
# PASSWORD_FORGOT_URL can be set to the profile manager URL to initiate a password reset. If set, it
# will be used in a "Forgot password?" link on the 'loginuserpass' page.
PASSWORD_FORGOT_URL=
# RECAPTCHA_SITE_KEY and RECAPTCHA_SECRET can be set to a Google reCAPTCHA key and secret. If set,
# excessive failed logins will trigger a CAPTCHA prompt that must be completed for continued login
# attempts.
# See "https://developers.google.com/recaptcha/docs/faq" for test key/secret.
RECAPTCHA_SITE_KEY=
RECAPTCHA_SECRET=
# SESSION_STORE_TYPE sets the SimpleSAMLphp session store type. It can be 'sql' or 'phpsession'.
# The default is 'phpsession'. It is not recommended to use 'phpsession' in production.
SESSION_STORE_TYPE=
# When SHOW_SAML_ERRORS is set to 'true', all error messages and stack traces will be output
# to the browser.
SHOW_SAML_ERRORS=
# THEME_COLOR_SCHEME can be set to one of the following values to change the user interface color
# scheme: 'indigo-purple', 'blue_grey-teal', 'red-teal', 'orange-light_blue', 'brown-orange', 'teal-blue'.
# The default is 'indigo-purple'.
THEME_COLOR_SCHEME=
# TRUSTED_IP_ADDRESSES should be set to a list of IP addresses and/or IP address ranges (CIDR) that
# should NOT be rate-limited but which might be included in REMOTE_ADDR or the X-Forwarded-For
# header, such as a load balancer.
# Example: TRUSTED_IP_ADDRESSES=11.22.33.44,11.22.55.0/24
TRUSTED_IP_ADDRESSES=
# TRUSTED_URL_DOMAINS should be set to a comma-separated list of domains trusted for redirect. It should
# include, at a minimum, all SP logout redirect URL domains.
TRUSTED_URL_DOMAINS=
#-----------------------------------------------------------------------------------
# Development configuration
# COMPOSER_AUTH is only used for local development and not directly related to ssp-base. Replace
# the 'token-here' placeholder with a token from https://github.com/settings/tokens?type=beta. This
# allows composer to bypass rate limiting imposed by GitHub. The token you create does not need
# permissions other than read permission on public repositories.
COMPOSER_AUTH={"github-oauth":{"github.com":"token-here"}}
# ENABLE_DEBUG enables logging of additional detail in the log output. It is not recommended for
# production use since it may cause plaintext SAML messages to be included in log messages.
ENABLE_DEBUG=
# set SECURE_COOKIE to 'true' to set the 'secure' flag in the cookie. It should only be set to 'false'
# for local development. It defaults to 'true' if not defined.
SECURE_COOKIE=
# to enable Xdebug debugging, set XDEBUG_REMOTE_HOST to your host address. If running in Docker,
# try 172.17.0.1.
XDEBUG_REMOTE_HOST=