/* zxidconf.h - Configuration of ZXID
 * Copyright (c) 2012-2015 Synergetics (sampo@synergetics.be), All Rights Reserved.
 * Copyright (c) 2009-2011 Sampo Kellomaki (sampo@iki.fi), All Rights Reserved.
 * Copyright (c) 2006-2009 Symlabs (symlabs@symlabs.com), All Rights Reserved.
 * Author: Sampo Kellomaki (sampo@iki.fi)
 * This is confidential unpublished proprietary source code of the author.
 * NO WARRANTY, not even implied warranties. Contains trade secrets.
 * Distribution prohibited unless authorized in writing.
 * Licensed under Apache License 2.0, see file COPYING.
 * $Id: zxidconf.h,v 1.51 2010-01-08 02:10:09 sampo Exp $
 *
 * 12.8.2006, created --Sampo
 * 29.8.2009, added PDP_URL --Sampo
 * 7.1.2010, added WSC and WSP signing options --Sampo
 * 12.2.2011, added proxy IdP related options --Sampo
 * 10.12.2011, added VPATH, VURL, BUTTON_URL, delete ORG_URL --Sampo
 * 17.8.2012, added audit bus configuration --Sampo
 * 16.2.2013, added WD option --Sampo
 * 21.6.2013, added wsp_pat --Sampo
 * 28.5.2015, formatted documentation --Sampo
 *
 * Most of the configuration options can be set via configuration
 * file /var/zxid/zxid.conf or using -c command line flag(s). In
 * config file or on command line you should omit the ZXID_ prefix
 * and use attribute=value syntax separated by newlines or & characters
 * (the parser implements CGI query string syntax with extension that
 * also \n is accepted as separator).
 *
 * N.B. The options marked as "(compile)" can not be set on command line
 * or configuration file. They require a recompile.
 *
 * Every value defined here is only the compiled-in default; unless an option
 * is marked "(compile)", the effective value may come from the config file,
 * the -c flag or the ZXID_CONF environment variable (see below).
 */

#ifndef _zxidconf_h
#define _zxidconf_h

/*(c) Compile time configuration enforcement
 * Whether configuration is entirely determined at compile time by this file
 * or whether it is possible to use a config file or provide options on
 * command line using -c flags (such as via shell script wrapper) or via ZXID_CONF
 * environment variable.
 * When zxid is used as a library, it depends on application to
 * call zxid_parse_conf().
 *
 * See also ZXID_CONF_PATH compile time macro.
 *
 * Generally we recommend you leave these turned on (1).
 *
 * NOTE(review): with ZXID_CONF_FLAG enabled, the ZXID_CONF environment variable
 * and the -c flag override the values compiled in here. Whether an untrusted
 * party can influence that environment (e.g. through the web server's CGI
 * environment) depends on the deployment -- confirm before relying on it. */

#define ZXID_CONF_FILE_ENA 1 /* (compile) */
#define ZXID_CONF_FLAG 1     /* (compile) ZXID_CONF environment variable and -c flag enable. */
#define ZXID_SHOW_CONF 1     /* Whether configuration is viewable from URL?o=d.
                              * NOTE(review): this discloses the effective configuration
                              * to anyone who can reach that URL; consider 0 in production. */

#define ZXID_PATH_MAX_RECURS_EXPAND_DEPTH 5 /* (compile) Max no of includes, nested PATH or VPATH */

/*(c) VPATH - CPATH for a virtual server
 * The VPATH allows different configuration CPATH for different
 * virtual servers (multihoming) to exist, thus allowing
 * different zxid.conf files and different /var/zxid/ subdirectory.
 * If the config file <CPATH><VPATH>zxid.conf exists (i.e. /var/zxid/<VPATH>zxid.conf
 * when using default CPATH), then the CPATH configuration variable is changed
 * to point to the VPATH, and the virtual host specific config file is read.
 *
 * VPATH is rendered by first inserting current CPATH, unless VPATH starts by '/',
 * and then rendering each ordinary letter as is, but expanding the
 * following % (percent) specifications, inline:
 *
 *   %%  expands as single percent sign
 *   %a  access protocol prefix, e.g. "https://" or "http://"
 *   %h  the contents of environment variable HTTP_HOST (see CGI spec). This
 *       usually ends in :port if the port is nonstandard (thus usually
 *       you do not need %p or %P).
 *   %p  the contents of environment variable SERVER_PORT (see CGI spec)
 *   %s  the contents of environment variable SCRIPT_NAME (see CGI spec)
 *
 * > N.B. All other %-specs are reserved for future expansion
 *
 * After % expansion, the values are squashed to file path safe character set. In
 * particular, the / (slash) characters are converted to _ (underscore).
 *
 * NOTE(review): HTTP_HOST originates from the client's Host header, so %h is
 * client-influenced input that selects which configuration file is read. The
 * squashing step above is what confines the result to a name under CPATH;
 * confirm in the implementation that it also neutralises ".." sequences.
 *
 * VPATH is not really a configuration option on its own right (there is
 * no corresponding entry in struct zxid_conf), but rather a directive
 * that instructs on point of occurrence of the CPATH variable (see zxid.h)
 * to change and configuration file to be read.
 *
 * Default value: "%h/" (see definition of CPATH for example).
 * See also: VURL, INCLUDE
 */

#define ZXID_VPATH "%h/"

/*(c) INCLUDE=file - Include a file into configuration.
 * This is an alternative to VPATH and inheritance for implementing multiple
 * entities that share some common configuration, e.g. CONTACT metadata items.
 * Include nesting is bounded by ZXID_PATH_MAX_RECURS_EXPAND_DEPTH, above. */

#define ZXID_INCLUDE 0 /* path */

/*(c) OPT_INCLUDE=file - Like INCLUDE but does not fail if the file is missing */

#define ZXID_OPT_INCLUDE 0 /* path */

/*(c) SP Nickname for IdP User Interface
 * IMPORTANT: You should really configure this option.
 * The nice name may be used by IdP user interface to refer to the SP. It
 * is usually a short human readable name or description. It will also
 * appear in metadata as Organization/OrganizationDisplayName.
 * The default relies on string-literal concatenation, so ZXID_CONF_PATH
 * must expand to a string literal. */
#define ZXID_NICE_NAME "Configuration NICE_NAME: Set this to describe your site to humans, see " ZXID_CONF_PATH

/*(c) Branding button image URL for user interfaces
 * IdP BUTTON_URL is (may be) shown in SP IdP selection screens as
 * a button (provided that IDP_LIST_METH=2 (IDP_LIST_BRAND)) that
 * user can click to login using that IdP.
 *
 * SP BUTTON_URL is shown by IdP login screen so user understands which SP
 * requested the SSO. In this use, the "button" is not (usually?) clickable.
 *
 * BUTTON_URL will also appear in metadata as Organization/OrganizationURL,
 * see symlabs-saml-displayname-2008.pdf (submitted to OASIS SSTC) for
 * specification.
 *
 * The BUTTON_URL MUST contain substring "saml2_icon" and size designator (see spec),
 * to distinguish it from other uses of SAML2 MD Organization/OrganizationURL (which
 * are unspecified, but presumably include home page URL; original SAML2 MD spec
 * was too loose). ZXID only supports the usage as button image URL (as of 20111210).
 * BUTTON_URL is typically absolute URL (relative would not make sense as it
 * is referenced from other web site referring to your web site).
 *
 * Typical value:: https://your-site.com/YOUR_BRAND_saml2_icon_150x60.png
 *
 * Other possible values:: Depending on SP user interface, you may
 * use any of
 *
 *   https://your-site.com/your_brand_saml2_icon_468x60.png
 *   https://your-site.com/your_brand_saml2_icon_150x60.png
 *   https://your-site.com/your_brand_saml2_icon_16x16.png
 *
 * This allows different types of user interfaces to be rendered, see
 * PREF_BUTTON_SIZE config option. Check with your Trust Operator
 * organization to understand the convention they use.
 *
 * > N.B. As of 20111210, you can only specify one in configuration and
 * > your own metadata, but any number are tolerated in foreign metadata.
 *
 * If BUTTON_URL is not supplied (the default (0)), the NICE_NAME, and
 * possibly EntityID, is displayed instead.
 *
 * Changing BUTTON_URL requires new metadata export to CoT partners. */
#define ZXID_BUTTON_URL 0 /* By default no button URL is supplied. */

/*(c) Preferred branding button size (squash or ignore others)
 * See description of BUTTON_URL, above, for general notion of branding button.
 *
 * Since different user interfaces may require different sizes of branding button,
 * many SAML2 metadata provide several. PREF_BUTTON_SIZE must be a substring
 * of the OrganizationURL for it to be considered as preferred branding button.
 * Branding button will also have "saml2_icon" as substring.
 * Lacking correct size,
 * any other branding button may be squashed to fit the right size, or textual
 * NICE_NAME and possibly EntityID may be displayed instead. Value SHOULD be
 * one of "468x60" (banners only mode, typically one per row), "150x60" (default,
 * multicolumn mode), "16x16" (detailed listing mode, typically with
 * OrganizationDisplayName and EntityID displayed as well).
 *
 * Changing PREF_BUTTON_SIZE requires new metadata export to CoT partners. */
#define ZXID_PREF_BUTTON_SIZE "150x60"

/*(c) Web Site Base URL - root of EntityID
 * IMPORTANT: Failure to config this option may block zxid from operating.
 * BURL is the stem for EntityID and most zxid SSO operations. It must end
 * in whatever triggers the ZXID functionality in the web server. The hostname
 * and port number should match the server under which zxid CGI is accessible.
 * The BURL config option may be set dynamically by VURL, see below, or from
 * program code.
 *
 * N.B. There is no explicit way to configure EntityID (ProviderID) for
 * the zxid SP. The EntityID is always of form BURL?o=B, for example
 * https://sp1.zxidsp.org:8443/zxid?o=B
 *
 * Changing BURL may require regenerating certificates (if domain name changed) and
 * requires new metadata export to CoT partners.
 *
 * The default below is a deliberately non-functional placeholder that makes a
 * missing site-specific setting obvious. */
#define ZXID_BURL "https://sp1.please-set-BURL-conf-variable-to-some-useful-site-dep-value.org:8443/zxidhlo"

/*(c) VURL - BURL for a virtual server
 * The VURL allows different BURL for different
 * virtual servers (multihoming) to be generated automatically based
 * on the (CGI) environment variables. However, often you would
 * override the BURL in /var/zxid/zxid.conf
 *
 * In VURL each ordinary letter is rendered as is, but the
 * following % (percent) specifications are expanded inline:
 *
 *   %%  expands as single percent sign
 *   %a  access protocol prefix, e.g.
"https://" or "http://" 190 * %h the contents of environment variable HTTP_HOST (see CGI spec). This 191 * usually ends in :port if the port is nonstandard (thus usually 192 * you do not need %p or %P). 193 * %p the contents of environment variable SERVER_PORT (see CGI spec). 194 * %P Similar to %p, but renders a colon before the portnumber, unless 195 * the SERVER_PORT is 443 or 80, in which case nothing is rendered. 196 * This deals with default ports of the https and http protocols. 197 * %s the contents of environment variable SCRIPT_NAME (see CGI spec) 198 * 199 * > N.B. All other %-specs are reserved for future expansion 200 * 201 * VURL is not really a configuration option on its own right (there is 202 * no corresponding entry in struct zxid_conf), but rather a directive 203 * that instructs, on point of its occurrance, the BURL variable (see zxid.h) 204 * to be computed. It will not have any effect unless evaluted at run time, 205 * thus this "default value" is rather moot. You really need to specify 206 * VURL in your own configuration. 207 * 208 * Default value: "%a%h%s" 209 * 210 * See also: VPATH 211 * 212 * Changing VURL may change BURL which requires new metadata export to CoT partners. */ 213 214 #define ZXID_VURL "%a%h%s" 215 216 /*(c) Override standard EntityID Construction 217 * The best practise is that SP Entity ID is chosen by the SP (and not 218 * forced upon SP by IdP). In ZXID this is done by setting BURL, 219 * see above. However, should you have to work with an obstinate IdP 220 * that refuses to follow this best practise, you can use this option 221 * to manually set the Entity ID string. Not following the best practise 222 * breaks automatic metadata exchange (Auto-CoT). Recommended 223 * value: leave as 0 so that Entity ID is formed from BURL 224 * 225 * Changing NON_STANDARD_ENTITYID requires new metadata export to CoT partners. 
 */
#define ZXID_NON_STANDARD_ENTITYID 0

/*(c) Bare URL EntityID
 * Omit o=B from entity ID, i.e. make the BURL be the entity ID.
 * Values: 0 or 1.
 *
 * Changing BARE_URL_ENTITYID requires new metadata export to CoT partners. */
#define ZXID_BARE_URL_ENTITYID 0

/*(c) Ill-advised ACS URL Hack
 * Sometimes an ill-advised authority may impose to you Assertion
 * Consumer Service URL, this URL happens to be different than
 * ZXID uses, and you do not have political leverage to change
 * these decisions. In those times you can use this hack to
 * try to map the imposed URL to the one that works in ZXID.
 * Normally you should register at IdP to use the ZXID default
 * URLs (the easiest way to do this is to use metadata). This
 * config option only works in mod_auth_saml.
 *
 * Changing REDIRECT_HACK_IMPOSED_URL or REDIRECT_HACK_ZXID_URL requires
 * new metadata export to CoT partners. */
#define ZXID_REDIRECT_HACK_IMPOSED_URL 0
#define ZXID_REDIRECT_HACK_ZXID_URL 0

/*(c) Additional Metadata Fields.
 * Safe to leave all as NULL.
 * The LOCALITY, STATE, and COUNTRY will appear in certificates
 * so you may want to set them to sensible values.
 *
 * Changing any of the organization or contact details requires
 * regenerating certificates and new metadata export to CoT partners. */
#define ZXID_ORG_NAME "Unspecified ORG_NAME conf variable"
#define ZXID_LOCALITY "Lisboa"
#define ZXID_STATE "Lisboa"
#define ZXID_COUNTRY "PT"
#define ZXID_CONTACT_ORG 0
#define ZXID_CONTACT_NAME 0
#define ZXID_CONTACT_EMAIL 0
#define ZXID_CONTACT_TEL 0

/*(c) Federated Username Suffix
 * If set (by default this is always set when BURL is set, you have to
 * explicitly unset it if you do not want it), causes IdP to include
 * fedusername attribute in the assertion.
 * The value of this attribute
 * will be the (persistent) nameid followed by @ sign and this suffix,
 * for example: FXyysxhM4F6d3DIwrtoiFdi0i@zxidp.org
 *
 * The fedusername attribute is a helper for the SP web sites that
 * are fixated on the notion of needing a username and/or requiring
 * the username to look like an email. By packaging the pseudonym this
 * way it is easy to get them to work with minimal modification.
 * N.B. Although it looks like an email address, it is not. Do not try
 * sending mail to it (unless you hack your mailserver to understand it).
 *
 * Does not affect metadata.
 */
#define ZXID_FEDUSERNAME_SUFFIX "set-this-or-url-to-site-dependent-value"

/*(c) IdP Attribute Generation Options
 * Bit mask:
 * 0x01:: If fedusername is generated, also generate
 *        urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (aka ~eduPersonPrincipalName~)
 *
 * Does not affect metadata.
 */
#define ZXID_IDPATOPT 0x01

/*(c) Common Domain Cookie URL
 * URL for reading Common Domain Cookie. It must end in "zxid". The hostname
 * and port number should match the server under which zxid CGI is accessible.
 * Specifying empty CDC_URL disables CDC check in zxid_simple() API.
 *
 * Does not affect metadata. */
/*#define ZXID_CDC_URL "https://sp1.zxidcommon.org:8443/zxid"*/
/*#define ZXID_CDC_URL "https://a-sp.cot.projectliberty.org:8443/zxid"*/
#define ZXID_CDC_URL "" /* CDC disabled */

/*(c) CDC designated IdP Handling
 * How to handle CDC designated IdP. See zxid.h for explanation of constants
 * (ZXID_CDC_CHOICE_UI_PREF is declared there, not in this file).
 *
 * Does not affect metadata. */
#define ZXID_CDC_CHOICE ZXID_CDC_CHOICE_UI_PREF

/*(c) Metadata Fetching Options (Auto-CoT)
 * Following four boolean configuration options control how metadata
 * is obtained. It can be in a cache (by default directory /var/zxid/cot)
 * or it can be fetched "on the fly" using the well known location (WKL)
 * method.
 *
 * MD_FETCH:: controls whether fetching is performed. This necessitates
 * that ZXID was linked with libcurl. If you do not enable fetching, you
 * will need to populate the cache manually, perhaps by using a web browser
 * to fetch the meta data xml files from well known location URLs (or other
 * URLs if you know better) and then running on commandline zxcot -a.
 * Or you could use zxidcot.pl?op=md or zxcot(1) tool.
 *
 * N.B. Even if fetching is enabled, the fetch can still fail due to
 * network connectivity issues or due to other end not supporting it.
 *
 * MD_FETCH=1:: Fetch from WKL (Auto-CoT)
 * MD_FETCH=2:: Fetch from metadata authority, see MD_AUTHORITY, below.
 *
 * MD_POPULATE_CACHE:: controls whether ZXID will write the metadata to
 * the on-disk cache. This requires ZXID_MD_FETCH to be enabled
 * and the file system permissions of the cache directory
 * (e.g. /var/zxid/cot) to allow writing.
 *
 * MD_CACHE_FIRST:: controls whether cache will be checked before fetching
 * is attempted. If cache misses, ZXID_MD_FETCH governs whether fetch
 * is tried.
 *
 * MD_CACHE_LAST:: If true, metadata is obtained from cache
 * if fetch was disabled or failed.
 *
 * If you want to control manually your CoT (e.g. because human process is
 * needed to verify that all the paperwork is in place), set MD_FETCH to 0.
 *
 * If you want as automatic operation as possible, set all four to 1.
 *
 * Does not affect metadata of the entity itself (no new exchange needed).
 *
 * NOTE(review): with MD_FETCH=1 (WKL) no signature over the fetched metadata
 * is described here, unlike MD_FETCH=2, so trust in a WKL-fetched partner
 * rests on the transport used for the fetch and on whatever the cache
 * directory permissions allow; MD_POPULATE_CACHE=1 then persists that
 * partner. Deployments that need a vetted CoT should prefer MD_FETCH=0 or 2.
 */

#define ZXID_MD_FETCH 1 /* The Auto-CoT ena option */
#define ZXID_MD_POPULATE_CACHE 1
#define ZXID_MD_CACHE_FIRST 1
#define ZXID_MD_CACHE_LAST 1

/*(c) Metadata Authority EntityID
 * If MD_FETCH=2 and this is set to an EntityID (whose metadata MUST already
 * be in the CoT cache, typically manually populated using zxcot -a)
 * then in situations where metadata is missing, the authority is queried
 * for the missing metadata. The returned 3rd party metadata should be
 * signed by the authority and the authority's own metadata is used
 * in validating the signature.
 *
 * The URL from where the metadata is fetched is formed by looking at
 * <md:AdditionalMetadataLocation> element in the authority's metadata
 * and concatenating the succinct ID of the entity.
 *
 * Usually the authority is the IdP that the SP trusts. This allows
 * centralized management of a Circle of Trust. Such IdP will know
 * to include the AdditionalMetadataLocation in its own metadata.
 * See also: MD_AUTHORITY_ENA in IdP configuration.
 *
 * Does not affect metadata of the entity itself.
 */
#define ZXID_MD_AUTHORITY 0

/*(c) Load Initial CoT Cache
 * Whether to load CoT cache from a file containing the concatenated
 * metadata of the Circle of Trust. Some real world federations distribute
 * their metadata this way. Setting this to 0 disables the feature (default).
 * Setting this to file name or path enables this feature.
 *
 * Does not affect metadata of the entity itself.
 */
#define ZXID_LOAD_COT_CACHE 0

/*(c) Automatic Self-signed Cert Generation (Auto-Cert)
 * If ZXID does not find one of the certificate plus private key pairs
 * it needs to operate, it will generate automatically a self-signed
 * certificate and private key and populate it to the assigned
 * place. The certificate will be valid until the end of the Unix
 * epoch (2037).
 * If you do not want this to happen, you should
 * disable this option and install the certificate - private key pairs
 * manually to
 *
 *   /var/zxid/pem/enc-nopw-cert.pem
 *   /var/zxid/pem/sign-nopw-cert.pem
 *   /var/zxid/pem/logenc-nopw-cert.pem
 *   /var/zxid/pem/logsign-nopw-cert.pem
 *   /var/zxid/pem/ssl-nopw-cert.pem
 *
 * Does not affect metadata when correctly used, but beware that if you change
 * certificates, you will need to perform new metadata export to your CoT partners.
 *
 * NOTE(review): as the file names say, these private keys are stored without a
 * passphrase, whether auto-generated or installed by hand, so the permissions
 * on the pem directory are the only thing protecting the signing and
 * decryption keys. An auto-generated pair silently appearing on a host is also
 * worth detecting, since it means the intended key material was not found.
 */
#define ZXID_AUTO_CERT 1

/*(c) Authentication Request Signing
 * Whether AuthnReq is signed by SP (controls both metadata and actual behavior).
 *
 * Changing AUTHN_REQ_SIGN requires new metadata export to CoT partners. */
#define ZXID_AUTHN_REQ_SIGN 1

/*(c) IdP Insistence on Signed AuthnReq
 * Must AuthnReq be signed (controls both IdP metadata and actual behavior, i.e. the check).
 *
 * Changing WANT_AUTHN_REQ_SIGNED requires new metadata export to CoT partners. */
#define ZXID_WANT_AUTHN_REQ_SIGNED 1

/*(c) Assertion Signing
 * Whether SP insists that SSO assertions are signed. Affects metadata. The
 * actual insistence on signing is controlled by ZXID_NOSIG_FATAL, far below.
 * Boolean. Recommended value: 1.
 *
 * N.B. Setting this alone only advertises the requirement in metadata; the
 * enforcement lives in ZXID_NOSIG_FATAL, so check both when auditing.
 *
 * Changing WANT_SSO_A7N_SIGNED requires new metadata export to CoT partners. */
#define ZXID_WANT_SSO_A7N_SIGNED 1

/*(c) SSO SOAP Message Signing
 * Whether SOAP messages for ArtifactResolution, SLO, and MNI are signed. Whether
 * responses are signed as well. (*** doc)
 *
 * Does not affect metadata. */
#define ZXID_SSO_SOAP_SIGN 1
#define ZXID_SSO_SOAP_RESP_SIGN 1

/*(c) IdP Signing Options
 * Which components should be signed by IdP in SSO Response and Assertion.
 * Bit mask:
 *
 *   0x01  Assertion should be signed (default and highly recommended)
 *   0x02  The surrounding Response element should be signed
 *   0x03  Both Assertion and Response are signed.
 *
 * Does not affect metadata. */
#define ZXID_SSO_SIGN 0x01

/*(c) NameID Encryption
 * Whether SLO and MNI requests emitted by ZXID will encrypt the
 * NameID (on received requests ZXID accepts either plain or encrypted
 * automatically and without configuration). (*** doc)
 *
 * NOTE(review): the meaning of the individual bits of the 0x0f default is
 * not documented here; check zxid.h or the code that reads this option
 * before changing it.
 *
 * Does not affect metadata. */
#define ZXID_NAMEID_ENC 0x0f

/*(c) Assertion Encryption in POST
 * Whether to encrypt assertions when using POST bindings. This
 * is enabled by default as it protects against Man-in-the-Middle
 * attack by compromised web browser. Do not disable unless you know
 * what you are doing.
 *
 * Does not affect metadata. */
#define ZXID_POST_A7N_ENC 1

/*(c) Position of EncryptedKey relative to EncryptedData
 * When producing EncryptedID, EncryptedAssertion, or EncryptedAttribute,
 * how is the EncryptedKey stored relative to EncryptedData
 *
 *   0x00:: Sibling, without Recipient hint (interops with many commercial implementations and Shibboleth Sept 2010)
 *   0x01:: Sibling, with Recipient hint (interops with many commercial implementations and Shibboleth as of August 2010)
 *   0x20:: Nested method, i.e. EncryptedData/KeyInfo/EncryptedKey (interops with all versions of Shibboleth and many others)
 *
 * > N.B: SAML2 specs fail to say which approach is preferred, therefore both
 * > approaches are valid. In reading messages ZXID automatically understands both.
 * > This option only controls how outbound messages are generated so that others
 * > can understand them (ideally they would autodetect so we would not need this option).
 *
 * Does not affect metadata.
 */
#define ZXID_ENCKEY_OPT 0x20

/*(c) Controls whether new federations can be created during discovery
 * Character flag: '1' allows creation. (The value is a char, not an int.)
 * Does not affect metadata. */
#define ZXID_DI_ALLOW_CREATE '1'

/*(c) Controls the default NameID Format for discovery
 * p=persistent, t=transient
 *
 * Does not affect metadata. */
#define ZXID_DI_NID_FMT 'p'

/*(c) Controls whether assertions emitted by discovery are encrypted
 * It is highly recommended to encrypt the assertions to avoid man-in-the-middle
 * attacks.
 *
 * Does not affect metadata. */
#define ZXID_DI_A7N_ENC 1

/*(c) Control how many levels of bootstraps are added to assertions
 * Normally
 * only first level is added, i.e. all available bootstraps are embedded in
 * the assertion, but the assertions of the embedded bootstraps only
 * get discovery bootstrap. 2 would cause the assertions of the first order
 * bootstraps to have further bootstraps embedded, etc. Since bootstrap
 * generation tends to be expensive and wasteful, you should use discovery
 * instead and leave BOOTSTRAP_LEVEL set to 1.
 *
 * Does not affect metadata. */
#define ZXID_BOOTSTRAP_LEVEL 1

/*(c) WSC Content-Type header generation
 * For SOAP 1.1 (SOAP11) that TAS3 and IF-WSF2 use,
 * the value should be "Content-Type: text/xml" (n.b. even
 * the header name has to be included) per
 * http://www.w3.org/TR/2000/NOTE-SOAP-20000508/ section 6.1.1
 * If WSP asks this to be anything else, the chances are
 * it is misconfigured, not standards compliant, or using SOAP 1.2.
 * This should be fixed in WSP end. Changing the value in WSC end
 * should only be desperate last resort as it will cause WSC
 * to be incompatible with standards compliant WSPs.
 *
 * Does not affect metadata.
 */
#define ZXID_WSC_SOAP_CONTENT_TYPE "Content-Type: text/xml"

/*(c) WSC <a:To> header generation
 * The default is not to
 * generate which, according to http://www.w3.org/TR/ws-addr-core/ section 3.2
 * produces same semantics as http://www.w3.org/2005/08/addressing/anonymous,
 * i.e. responding end of HTTP connection. Special values:
 *
 *   0 (null)::    No To header generated
 *   "#inhibit"::  No To header generated
 *   "#url"::      To header has same value as end point URL (this is the default, see below).
 *   Other values:: The value to supply as To header.
 *
 * N.B. Although WS-Addressing states that this header is optional, as it is
 * one of the signed headers, it may have significance in showing the
 * intended recipient of the message (the Audience for the Assertion is
 * another place where intended recipient is expressed, albeit as
 * entity ID rather than end point URL).
 *
 * Does not affect metadata. */
#define ZXID_WSC_TO_HDR "#url"

/*(c) WSC <a:ReplyTo> header generation
 * The default is not to
 * generate which, according to http://www.w3.org/TR/ws-addr-core/ section 3.2
 * produces same semantics as http://www.w3.org/2005/08/addressing/anonymous,
 * i.e. reply to the requesting end of HTTP connection. In
 * liberty-idwsf-soap-binding-2.0-errata-v1.0.pdf value
 * http://www.w3.org/2005/03/addressing/role/anonymous is
 * illustrated, but this is in violation of http://www.w3.org/2005/08/addressing
 * namespace. The Liberty specification also hints that ReplyTo can be
 * omitted to get the default semantics. Special values:
 *
 *   0 (null)::        No ReplyTo header generated
 *   "#inhibit"::      No ReplyTo header generated
 *   "#anon"::         http://www.w3.org/2005/08/addressing/anonymous
 *   "#anon_2005_03":: http://www.w3.org/2005/03/addressing/role/anonymous
 *   Other values::    The value to supply as ReplyTo header.
 *
 * Does not affect metadata.
 */
#define ZXID_WSC_REPLYTO_HDR 0

/*(c) WSC <a:Action> header generation
 * The most reliable way
 * to dispatch SOAP web services is to simply look at the first
 * child element of <e:Body>. If, however, you are cursed with
 * having to interoperate with WSP that insists on seeing some
 * specific Action header, this option gives you some control
 * as to what it should be.
 *
 * First method of generating Action header is to pass it in as
 * input to zxid_call(), e.g.
 *
 *   ret = zxid_call(cf, ses, svctype, url, 0, 0,
 *     "<e:Envelope xmlns:e=\"http://schemas.xmlsoap.org/soap/envelope/\">"
 *     "<e:Header>"
 *     "<a:Action xmlns:a=\"http://www.w3.org/2005/08/addressing\" "
 *     "actor=\"http://schemas.xmlsoap.org/soap/actor/next\" "
 *     "mustUnderstand=\"1\">toimikaa</a:Action>"
 *     "</e:Header>"
 *     "<e:Body><r:Req xmlns:r=\"urn:test\"/></e:Body></e:Envelope>");
 *
 * This method overrides any other, i.e. if WSC code sees an already existing
 * Action header, it will not replace it.
 *
 * Other methods depend on the WSC_ACTION_HDR option with following special values:
 *
 *   0 (null)::     No Action header will be generated,
 *   "#ses"::       Look for key "Action" in session attribute pool
 *   "#body1st"::   Special value that will use the name of the first child element
 *                  of the <e:Body> tag.
 *   "#body1stns":: Same as #body1st, but will prefix by namespace URI
 *   Other values:: cause the Action header to be set to the given value.
 *
 * Does not affect metadata. */
#define ZXID_WSC_ACTION_HDR "#body1stns"

/*(c) Like WSC_ACTION_HDR, but deals with the HTTP level SOAPAction header
 * Dependence on HTTP layer header to say what is inside <e:Body> is poor
 * programming and architecture. WSPs should be coded to ignore the
 * SOAPAction http header.
 *
 * The ID-WSF2 default value for this is empty string "", which generally
 * does not cause indigestion to the buggy software and causes them to
 * route the request to default place. For semantics of "" and omitting, see
 * http://www.w3.org/TR/2000/NOTE-SOAP-20000508/ section 6.1.1
 *
 * Possible values:
 *
 *   0 (null)::         Do not generate SOAPAction
 *   "#inhibit"::       Do not generate SOAPAction (use this in configuration)
 *   "#same"::          Same as <a:Action> SOAP header. This is often the #body1stns, i.e. the namespace
 *                      qualified name of the 1st child element of <e:Body>
 *   "" (empty string):: the default for ID-WSF
 *   Other values::     use the value of this config option as SOAPAction HTTP header.
 *
 * Does not affect metadata. */
#define ZXID_SOAP_ACTION_HDR "#same"

/*(c) WSC Signing Options
 * Which components of a web service request should be signed by WSC.
 * Bit mask:
 *
 *   0x01  SOAP Headers
 *   0x02  SOAP Body
 *   0x03  Both Headers and Body are signed.
 *
 * Does not affect metadata. */
#define ZXID_WSC_SIGN 0x03

/*(c) WSP Signing Options
 * Which components of a web service response should be signed by WSP.
 * Bit mask:
 *
 *   0x01  SOAP Headers
 *   0x02  SOAP Body
 *   0x03  Both Headers and Body are signed.
 *
 * Does not affect metadata. */
#define ZXID_WSP_SIGN 0x03

/*(c) OAUTH2 / OpenID-Connect1 id_token signing and encryption options
 * - 'n': alg=none
 * - 'h': alg=HS256 (HMAC using SHA256)
 * - 'r': alg=RS256 (RSA using SHA256)
 *
 * NOTE(review): the compiled-in default 'n' (alg=none) produces id_tokens
 * that carry no signature, so a relying party has no cryptographic way to
 * tell a genuine token from a forged one. Production deployments should set
 * 'r' (or 'h' with a shared secret) and verify that relying parties reject
 * alg=none tokens.
 *
 * Does not affect metadata. */
#define ZXID_OAZ_JWT_SIGENC_ALG 'n'

/*(c) JSON client Content-Type header generation
 * Various styles exist.
 *
 * Does not affect metadata.
 */
//#define ZXID_JSON_CONTENT_TYPE "Content-Type: text/json"
#define ZXID_JSON_CONTENT_TYPE "Content-Type: application/json"


/*(c) Command that will be executed by zxidwspcgi to respond to a web service call.
 * NOTE(review): the default is a relative path, so which script actually runs
 * depends on the working directory of the zxidwspcgi process at the time of the
 * call; an absolute path removes that ambiguity. Can be overridden at compile
 * time because of the #ifndef guard. */
#ifndef ZXID_WSPCGICMD
#define ZXID_WSPCGICMD "./zxid-wspcgicmd.sh"
#endif

/*(c) Bit length of identifiers, unguessability
 * How many random bits to use in an ID. It would be useful if this was
 * such that it produces nice unpadded base64 string, i.e. multiple of 24 bits.
 * Longer IDs reduce chances of random collision (most code does not
 * check uniqueness of ID) and may increase security. For security purposes
 * 144 bits is probably good enough. The unguessability of ID has security
 * implications, among others, in session IDs. You may want to use less than
 * 144 bits if your application could benefit from shorter IDs (e.g. you target
 * browsers with length constrained URLs) and does not need to be
 * secure against attacks with government level resources.
 *
 * E.g: 24 bits == 3 bytes == 4 safe_base64 chars,
 *      48 bits == 6 bytes == 8 safe_base64 chars,
 *      120 bits == 15 bytes == 20 safe_base64 chars,
 *      144 bits == 18 bytes == 24 safe_base64 chars
 *
 * NOTE(review): since this single setting also sizes session IDs, lowering it
 * weakens every session, not just the identifiers that had to fit in a URL.
 * ZXID_ID_MAX_BITS bounds the static buffers, so ZXID_ID_BITS must not exceed it.
 *
 * Does not affect metadata. */
#define ZXID_ID_BITS 144 /* (compile) */
#define ZXID_ID_MAX_BITS 168 /* used for static buffer allocation (compile) */

/*(c) True randomness vs. pseudorandom source
 * Whether true randomness is obtained.
 * 0=use OpenSSL RAND_pseudo_bytes(), which usually uses /dev/urandom
 * 1=use OpenSSL RAND_bytes(), which usually uses /dev/random
 *
 * Although true randomness may be more secure, it is operationally
 * problematic because if not enough randomness is available, the
 * system will block (stop) until enough randomness arrives.
Generally 687 * true randomness is not feasible in a server environment unless 688 * you have a hardware random number generator. N.B. On OpenSSL 1.1.0 and later RAND_pseudo_bytes() is deprecated and behaves the same as RAND_bytes(), so this switch makes no difference there; on older OpenSSL RAND_pseudo_bytes() may return output that is not cryptographically strong (signalled by a return value of 0 instead of 1), which matters because these bits end up in session IDs, so the caller should check that return value. 689 * 690 * Does not affect metadata. */ 691 #define ZXID_TRUE_RAND 0 /* (compile) */ 692 693 /*(c) Session Archival Directory 694 * If set to a string, indicates a file system directory to which 695 * dead sessions are moved (sessions are files). This directory 696 * must be on the same file system as active session directory, 697 * usually /var/zxid/ses, for example /var/zxid/oldses. 698 * You may want to archive old sessions because they contain 699 * the SSO assertions that allowed the users to log in. This 700 * may have legal value for your application, you may even be required 701 * by law to keep this audit trail. On the other hand, other 702 * jurisdictions will require you to delete this information. Because the archived files contain assertions (personal data and, for their lifetime, bearer credentials), restrict the archive directory's permissions at least as tightly as the active session directory. 703 * 704 * If set to 0, causes old sessions to be unlink(2)'d. 705 * 706 * Does not affect metadata. */ 707 #define ZXID_SES_ARCH_DIR 0 /* 0=Remove dead sessions. */ 708 709 /*(c) Session cookies 710 * For original Netscape cookie spec see: http://curl.haxx.se/rfc/cookie_spec.html (Oct2007) 711 * 712 * If SES_COOKIE_NAME is nonempty string, then 713 * zxid_simple() will look for said cookie and use it as session ID (the cookie value is a bearer credential for the session). 714 * It will also attempt to set a cookie by that name when new session 715 * is created (but this may rely on some support in the calling app, 716 * generally the need to set a cookie is expressed by presence of 717 * setcookie attribute in the LDIF entry. setcookie specifies what 718 * should appear in the Set-Cookie HTTP header of HTTP response). NOTE(review): whether the Set-Cookie header carries the Secure, HttpOnly and SameSite attributes is therefore decided by the setcookie value the application emits, not by this option - verify that before deploying. 719 * 720 * Does not affect metadata.
*/ 721 #ifndef ZXID_SES_COOKIE_NAME 722 #define ZXID_SES_COOKIE_NAME "ZXIDSES" 723 #endif 724 725 /*(c) PTM hint cookie 726 * If PTM_COOKIE_NAME is nonempty string, then 727 * zxid_simple() will attempt to set a cookie by that name when new session 728 * is created (but this may rely on some support in the calling app, 729 * generally the need to set a cookie is expressed by presence of 730 * setcookie attribute in the LDIF entry. setcookie specifies what 731 * should appear in the Set-Cookie HTTP header of HTTP response). 732 * 733 * Does not affect metadata. */ 734 #ifndef ZXID_PTM_COOKIE_NAME 735 #define ZXID_PTM_COOKIE_NAME "ZXIDPTM" 736 #endif 737 738 /*(c) Local user account management 739 * Local user database in filesystem. 740 * 741 * This is optional unless you require IdP 742 * initiated ManageNameID requests to work. Local user account management 743 * may be useful on its own right if your application does not yet have 744 * such system. If it already has, you probably want to continue to use 745 * the application's own system. Local accounts are stored under 746 * /var/zxid/user/SHA1 747 * 748 * Does not affect metadata. */ 749 #define ZXID_USER_LOCAL 1 750 751 /*(c) Mini IdP 752 * Whether limited IdP functionality is enabled. Affects generated metadata. 753 * 754 * Affects metadata. */ 755 #define ZXID_IDP_ENA 0 756 757 /*(c) IdP Proxying, i.e. IdP can be SP towards another IdP. 758 * Affects metadata. */ 759 #define ZXID_IDP_PXY_ENA 0 760 761 /*(c) Identity Mapper and People Service 762 * Whether limited Identity Mapper and People Service functionality is enabled. 763 * For this to work, IDP_ENA=1 is needed. 764 * 765 * Does not affect metadata. */ 766 #define ZXID_IMPS_ENA 0 767 768 /*(c) Mini Authentication Service 769 * Whether limited Authentication Service functionality is enabled. 
770 * Please note that the AuthenticationService implementation at present (2010) 771 * is incomplete and fails to properly authenticate and authorize the caller 772 * system entity, i.e. anyone who knows a username and password can call it. Keep AS_ENA at 0 unless the endpoint is reachable only from trusted callers. 773 * 774 * Does not affect metadata. */ 775 #define ZXID_AS_ENA 0 776 777 /*(c) Metadata Authority 778 * Whether IdP will serve as Metadata Authority (see also MD_AUTHORITY and MD_FETCH=2). 779 * Enables generation of <md:AdditionalMetadataLocation namespace="#md-authority"> 780 * element in the metadata of the IdP. 781 * 782 * Changing MD_AUTHORITY_ENA requires new metadata export to CoT partners. */ 783 #define ZXID_MD_AUTHORITY_ENA 1 784 785 /*(c) Dummy PDP 786 * Whether limited PDP functionality is enabled. 787 * 788 * Does not affect metadata. */ 789 #define ZXID_PDP_ENA 1 790 791 /*(c) Maximum filesystem path length (compile) 792 * Used in /var/zxid tree. */ 793 #define ZXID_MAX_BUF 1024 /* Directories and filenames combined. */ 794 795 /*(c) Logging Options 796 * See zxid-log.pd for further explanation. Generally you 797 * need error and activity logs to know yourself what is going on. 798 * You need the issue logs to know whether others' claims towards you are 799 * justified. You need the rely logs to hold others responsible. 800 * 801 * > N.B. In addition to act, err, rely, and issue logging, there is also 802 * > debug logging to stderr, typically found in your web server error.log 803 * > or in /var/tmp/zxid.stderr or log/xml.dbg. The debugging logs are 804 * > not controlled by these options - they are controlled by the debug flag. 805 * > A production site should not enable debugging logs, as they may cause 806 * > exposure of sensitive material, unless there is a problem to investigate. 807 * 808 * The bits of the value are as follows 809 * 810 * 0x00 Do not log.
811 * 0x01 Log enable 812 * 0x06 Signing options 813 * 0:: no signing (Px) 814 * 2:: sha1 MD only (Sx) - an unkeyed digest detects accidental corruption only; anyone who can edit the log can recompute it, so it is no evidence against deliberate tampering 815 * 4:: RSA-SHA1 (Rx) 816 * 6:: DSA-SHA1 (Dx) 817 * 0x08 reserved 818 * 0x70 Encryption options 819 * 0x00:: no encryption (xP) 820 * 0x10:: zip-base64 (xZ) - encoding only, no confidentiality 821 * 0x20:: RSA-AES (xA) 822 * 0x30:: RSA-3DES (xT) - legacy cipher, prefer 0x20 823 * 0x40:: Symmetric AES (xB) 824 * 0x50:: Symmetric 3DES (xU) - legacy cipher, prefer 0x40 825 * 0x60:: reserved 826 * 0x70:: reserved 827 * 0x80 reserved 828 * 829 * N.B. Every encryption and signature has computational cost so be 830 * sure to factor this in when doing benchmarks - or disable log enc 831 * and sign when performance is at a premium. 832 * 833 * Log signing may help you to argue that log evidence was (not) tampered with. The "SHA1" in the mode names above is historical: the digest actually used for the keyed modes is selected by BLOBSIG_DIGEST_ALGO (see below), which defaults to SHA256. 834 * The private key for signing must be available 835 * in /var/zxid/pem/logsign-nopw-cert.pem 836 * Often this is just a copy of sign-nopw-cert.pem 837 * 838 * Log encryption may help to keep the logs confidential. 839 * For RSA modes the public key for encryption must be available 840 * in /var/zxid/pem/logenc-nopw-cert.pem. For symmetric encryption the key 841 * is the sha1 hash of file /var/zxid/pem/logenc.key 842 * All modes, except 0x01, also RFC1951 zip compress the log line and 843 * safe-base64 encode the result of the encryption. 844 * 845 * None of the logging options affect metadata. */ 846 847 848 /* Most common combinations of the above flags. */ 849 #define ZXLOG_OP_NOLOG 0x00 850 #define ZXLOG_OP_LOG 0x01 851 #define ZXLOG_OP_LOG_SIGN 0x05 852 #define ZXLOG_OP_LOG_ENC 0x21 853 #define ZXLOG_OP_LOG_SIGN_ENC 0x25 /* RSA-AES enc + RSA-SHA1 sign */ 854 855 #if 1 856 /* Production settings to ship.
*/ 857 #define ZXLOG_ERR 0x01 /* Log errors to /var/zxid/log/err */ 858 #define ZXLOG_ACT 0x01 /* Log activity to /var/zxid/log/act */ 859 #define ZXLOG_ISSUE_A7N 0x01 /* Log each issued assertion to /var/zxid/log/issue/SHA1/a7n/asn */ 860 #define ZXLOG_ISSUE_MSG 0x01 /* Log each issued PDU to /var/zxid/log/issue/SHA1/msg/asn */ 861 #define ZXLOG_RELY_A7N 0x01 /* Log each received assertion to /var/zxid/log/rely/SHA1/a7n/asn */ 862 #define ZXLOG_RELY_MSG 0x01 /* Log each received PDU to /var/zxid/log/rely/SHA1/msg/MSGID */ 863 #else 864 /* Test settings */ 865 #define ZXLOG_ERR 0x00 866 #define ZXLOG_ACT 0x25 867 #define ZXLOG_ISSUE_A7N 0x23 868 #define ZXLOG_ISSUE_MSG 0x45 869 #define ZXLOG_RELY_A7N 0x41 870 #define ZXLOG_RELY_MSG 0x11 871 #endif 872 873 /*(c) Choice of log given Error or Action 874 * Each operation has its status code and generally those lines that indicate 875 * successful status (or intermediate status like "continue" or "redirect") 876 * are considered normal activity. However, you may want to consider 877 * carefully whether signature failure in assertion or message disqualifies 878 * an operation as "activity". One approach is to simply log everything (errors and all) to 879 * activity log and rely on some log analysis software to flag the errors. 880 * 881 * Does not affect metadata. */ 882 #define ZXLOG_ERR_IN_ACT 1 /* Log errors to /var/zxid/log/act (in addition to err) */ 883 #define ZXLOG_ACT_IN_ERR 1 /* Log actions to /var/zxid/log/err (in addition to act) */ 884 #define ZXLOG_SIGFAIL_IS_ERR 1 /* Log line with signature validation error to /var/zxid/log/err */ 885 886 /*(c) Log level for activity log 887 * - 0 = Only essential audit relevant events are logged. Note that 888 * there is no way to turn off logging audit relevant events. 
889 * - 1 = Audit and external interactions 890 * - 2 = Audit, external interactions, and significant internal events 891 * - 3 and higher: reserved for future definition and debugging 892 * 893 * Does not affect metadata. */ 894 #define ZXLOG_LEVEL 2 895 896 /*(c) Per user activity logging. 897 * This option enables logging in /var/zxid/idpuid/UID/.log some key 898 * events such as authentication, SSO, and SLO. 899 * 900 * Does not affect metadata. */ 901 #define ZXID_LOGUSER 1 902 903 /*(c) Set debug option 904 * You can also set this via zxid_set_opt(). 905 * 906 * - 0 = debug output off 907 * - 3 = debug on 908 * 909 * other values are reserved, experimental, or otherwise undocumented. 910 * Setting debug option will enable numerous, sometimes copious, debugging 911 * messages to stderr, which often ends in web server's error.log file. 912 * This option may also create log/xml.dbg file. 913 * 914 * Does not affect metadata. */ 915 #define ZXID_DEBUG 0 916 917 /*(c) Send debug output to a file 918 * You can also set this via zxid_set_opt_cstr(). 919 * By default the debug output goes to stderr, which often goes to 920 * web server's error.log. 921 * 922 * Does not affect metadata. */ 923 #define ZXID_DEBUG_LOG 0 924 925 /*(c) Audit Bus servers 926 * Multiple, comma separated, URLs may be 927 * specified (audit bus servers are instances of zxbusd, which see). 928 * The url is used for both contact and entity id of the audit bus server. 929 * Typical url would be "stomps://ab.ssoid.com:2229/,stomps://ab2.ssoid.com:2229/" 930 * 931 * If no BUS_URL is configured, no audit bus logging is performed. 932 * 933 * Does not affect metadata. */ 934 #define ZXID_BUS_URL 0 935 936 /*(c) Audit bus password if not using ClientTLS 937 * Generally using ClientTLS is RECOMMENDED and the certificate is taken 938 * from metadata encryption certificate field so there is nothing 939 * special to configure here. 
However, if for some reason you 940 * need to run plain TLS, with STOMP 1.1 passcode field for authentication, 941 * then set this option to the passcode. Note that using a passcode is much 942 * less secure than using ClientTLS. Another limitation of the BUS_PW 943 * approach is that it is shared across all audit bus servers, so one compromised server exposes the credential for all of them. 944 * 945 * Does not affect metadata. */ 946 #define ZXID_BUS_PW 0 947 948 /*(c) How Audit Bus receipts are issued 949 * 0x00 = no receipt, 0x01 = plain, 0x03 SHA, 0x05 = RSA-SHA. 950 * In 0x05 case the actual signing algorithm depends on key type of sign_key (see metadata) 951 * and the ZXID_BLOBSIG_DIGEST_ALGO setting. 952 * 953 * Does not affect metadata. */ 954 #define ZXBUS_RCPT 0x05 955 956 /*(c) Assertion validation options. 957 * These MUST all be turned on (and assertions signed) 958 * if you want to rely on assertions to hold the other party liable. 959 * 960 * Do not affect metadata. */ 961 962 #define ZXID_SIG_FATAL 1 /* Signature validation error is fatal (prevents SSO) */ 963 #define ZXID_NOSIG_FATAL 1 /* Missing signature is fatal (prevents SSO) */ 964 #define ZXID_MSG_SIG_OK 1 /* Message layer signature (e.g. SimpleSign) is sufficient when assertion signature is missing. With NOSIG_FATAL=1 this is the one path by which an unsigned assertion is still accepted; set to 0 if the assertion itself must be signed. */ 965 #define ZXID_AUDIENCE_FATAL 1 /* AudienceRestriction is checked. */ 966 #define ZXID_TIMEOUT_FATAL 1 /* NotBefore and NotOnOrAfter are checked (subject to BEFORE_SLOP / AFTER_SLOP below) */ 967 #define ZXID_DUP_A7N_FATAL 1 /* duplicate AssertionID is considered fatal. */ 968 #define ZXID_DUP_MSG_FATAL 1 /* duplicate MessageID or message is considered fatal. */ 969 #define ZXID_RELTO_FATAL 1 /* failure to correlate RelatesTo to MessageID, or total lack of RelatesTo, is considered fatal. */ 970 971 /*(c) Web service request and response validation options 972 * For the token in the request, the assertion validation options apply. 973 * 974 * Do not affect metadata. */ 975 #define ZXID_WSP_NOSIG_FATAL 1 /* Missing Security/Signature is fatal.
*/ 976 #define ZXID_NOTIMESTAMP_FATAL 1 /* Missing Security/Timestamp is fatal. */ 977 978 /*(c) XML canonicalization compatibility kludges 979 * Shibboleth 2.1.5 IdP miscanonicalizes by 980 * ignoring InclusiveNamespaces/@PrefixList, yet 981 * it still supplies such list. The miscanonicalization 982 * leads to namespaces going missing. This has been reported to Scott Cantor as of 20101005 983 * Set this option to 0x01 to avoid the trouble. Like VALID_OPT below, this relaxes how signed input is processed; enable it only for as long as the affected IdP is in your CoT. 984 * 985 * Does not affect metadata. */ 986 987 #define ZXID_CANON_INOPT 0 988 #define ZXID_CANON_INOPT_SHIB215IDP_INCLUSIVENAMESPACES 0x01 989 990 /*(c) XML encoding optimizations. 991 * 1 = optimize close tag of empty elements as <ns:foo/> 992 * 993 * Does not affect metadata. */ 994 #define ZXID_ENC_TAIL_OPT 1 995 996 /*(c) SOAP Envelope validation options 997 * In a well configured and 998 * bug free environment, you should not need any of these options. 999 * Turning them on will reduce security as validations are not made. 1000 * 1001 * 0x01 Skip response header validation entirely, see zxid_wsc_valid_re_env() 1002 * 1003 * Does not affect metadata. */ 1004 #define ZXID_VALID_OPT 0x00 1005 #define ZXID_VALID_OPT_SKIP_RESP_HDR 0x01 1006 1007 /*(c) Time Slop 1008 * Because clock synchronization among the servers in the CoT is unlikely 1009 * to be perfect, not to speak of timezone misconfigurations and the 1010 * dreaded officially introduced time errors (e.g. daylight "savings" time), 1011 * you can configure some slop in how the timeout is evaluated. For production 1012 * use something like 60 seconds could be a good value. 3600 = 1 hour, 86400 = 1 day. 1013 * All servers of CoT MUST use GMT (aka UTC), not local timezones. You can synchronize 1014 * clocks with ntpdate pool.ntp.org (see man ntpdate). 1015 * 1016 * Slop is used in assessing validity of assertions as well as message timestamps. 1017 * 1018 * Time skew allows our end to lie about the time, e.g.
if we are in GMT, but 1019 * the other end is not and therefore we are rejected. Note that the time skew 1020 * is same for all other ends, therefore this is not really a good solution. 1021 * Only good solution is to have all servers synchronized to GMT (UTC) as the specs say. 1022 * 1023 * While flexibility is nice, there is enough rope here to hang yourself so don't do that. :-) 1024 * N.B. The shipped defaults below (BEFORE_SLOP 39600 s = 11 hours, AFTER_SLOP 7300 s = just over 2 hours) are far looser than the 60 seconds suggested above: an assertion or message timestamp is still accepted up to about two hours after it expired. Replay of the very same assertion or message is still caught by DUP_A7N_FATAL / DUP_MSG_FATAL, but tighten these values once the CoT clocks are synchronized. 1025 * Does not affect metadata. 1026 */ 1027 #define ZXID_BEFORE_SLOP 39600 /* Number of seconds before that is acceptable. */ 1028 #define ZXID_AFTER_SLOP 7300 /* Number of seconds after that is acceptable. */ 1029 1030 #define ZXID_TIMESKEW 0 /* Timeskew, in seconds, for timestamps we emit. */ 1031 #define ZXID_A7NTTL 3600 /* Time To Live for IdP issued Assertions */ 1032 1033 /*(c) Redirect to Content 1034 * Should explicit redirect to content be used (vs. internal redir). With 1035 * internal redirect there is one over-the-wire transaction less, but 1036 * the URL appears as whatever was sent by the IdP. With explicit (302) 1037 * redirect the URL will appear as the true content URL, without the SAML SSO goo. 1038 * 1039 * Does not affect metadata. */ 1040 #define ZXID_REDIR_TO_CONTENT 1 1041 1042 /*(c) ID-WSF SOAP Call parameters 1043 * 1044 * Does not affect metadata. */ 1045 #define ZXID_MAX_SOAP_RETRY 5 /* Maximum retries due, e.g., EndpointMoved */ 1046 1047 /*(c) Session Management Trigger Suffix 1048 * In mod_auth_saml the URL ending that triggers session management (e.g. SLO MNI). 1049 * 1050 * Does not affect metadata. */ 1051 // *** remove #define ZXID_MOD_SAML_MGMT_SUFFIX "/saml" 1052 1053 /*(c) Attribute Prefix 1054 * In mod_auth_saml the prefix (potentially empty) for attributes brought into environment. 1055 * 1056 * Does not affect metadata. */ 1057 #define ZXID_MOD_SAML_ATTR_PREFIX "SAML_" 1058 1059 /*(c) Fake Basic Auth by generating REMOTE_USER 1060 * In mod_auth_saml generate REMOTE_USER subprocess environment variable.
1061 * 1062 * Does not affect metadata. */ 1063 #define ZXID_REMOTE_USER_ENA 1 1064 1065 /*(c) Query String if None Given 1066 * Does not affect metadata. 1067 */ 1068 1069 #define ZXID_DEFAULTQS "" /* Default Query String used by mod_auth_saml for protected page */ 1070 1071 /*(c) WSP Pattern 1072 * Any URL matching this pattern is treated as web service call rather 1073 * than SSO attempt. Understood by mod_auth_saml, zxid_httpd and mini_httpd_zxid. 1074 * WSP_PAT is matched before UMA_PAT and SSO_PAT. 1075 * 1076 * Does not affect metadata. */ 1077 #define ZXID_WSP_PAT "*.wsp" 1078 1079 /*(c) UMA Pattern 1080 * Any URL matching this pattern is treated as web service call protected by UMA rather 1081 * than SSO attempt. Understood by mod_auth_saml, zxid_httpd and mini_httpd_zxid. 1082 * UMA_PAT is matched after WSP_PAT but before SSO_PAT. 1083 * 1084 * Does not affect metadata. */ 1085 #define ZXID_UMA_PAT "*/uma/*" 1086 1087 /*(c) Single Sign-On URL Pattern 1088 * Any URL matching this pattern requires SSO. However 1089 * WSP_PAT is matched first. Understood by mod_auth_saml (additional 1090 * Apache configuration needed), zxid_httpd and mini_httpd_zxid. 1091 * 1092 * Does not affect metadata. */ 1093 #define ZXID_SSO_PAT "**" 1094 1095 /*(c) Anonymous can see protected content 1096 * If ANON_OK is set and matches the local URL - see zx_match(), SSO failure 1097 * does not block protected content from being 1098 * shown. While this usually is a security problem, in some circumstances 1099 * you may want to show error message or nonpersonalized content from the 1100 * application layer. If application checks that the SSO really happened, 1101 * then there is no security problem - the responsibility is application's. 1102 * Typically ANON_OK=/dir/ is used with IsPassive (fp=1) to implement personalization 1103 * if user already has session, but allow the user to access page anonymously 1104 * without logging in if he does not have session. 1105 * 1106 * > N.B. 
This option does not prevent the SSO from being tried in the 1107 * > first place and consequently, IdP selection will be invoked in any 1108 * > case - even if user has no meaningful IdP in mind. This option only 1109 * > controls what happens after IdP redirects back without having 1110 * > authenticated the user. By clever manupulation of DEFAULTQS and fp=1 1111 * > this could be made to work, if there is only one IdP. 1112 * 1113 * Does not affect metadata. */ 1114 #define ZXID_ANON_OK 0 1115 1116 /*(c) Optional Login URL Pattern 1117 * If a page matching OPTIONAL_LOGIN_PAT is accessed, then 1118 * 1119 * a. If session is already active, session is used and attributes of session 1120 * are visible to the page. 1121 * b. If no session is active, then no login is requested, unless the 1122 * URL matches BURL. 1123 * 1124 * N.B. This option tries to do what many people try to use ANON_OK for. 1125 * 1126 * Does not affect metadata. */ 1127 #define ZXID_OPTIONAL_LOGIN_PAT 0 1128 1129 /*(c) Required Authentication Context Class Ref 1130 * This can be used 1131 * to ensure that the IdP has authenticated user sufficiently. 1132 * In some cases this can trigger step-up authentication. 1133 * Value should be dollar separated string of acceptable authn context 1134 * class refs, e.g. "" 1135 * 1136 * If step-up authentication is triggered, you need to ensure the fa query 1137 * string argument of the IdP selection page also requests the desired 1138 * authentication contrext class reference. 1139 * If not specified, then any authentication context is acceptable. 1140 * 1141 * Does not affect metadata. */ 1142 #define ZXID_REQUIRED_AUTHNCTX 0 1143 1144 /*(c) IdP: Authentication Context Class Refs 1145 * What authentication context IdP issues for for different authentication methods. The 1146 * problem here is that ZXID does not know whether transport layer is TLS (assumed). 
1147 * If it is not, you should configure this to be 1148 * "urn:oasis:names:tc:SAML:2.0:ac:classes:Password" 1149 * or you can configure this according to your IdP operational policies. 1150 * 1151 * Comma separated list corresponding to internal authentication levels. 1152 * 1153 * - 0 = no authentication, used as default if no other value is available 1154 * - 1 = weaker than password 1155 * - 2 = password 1156 * - 3 = yubikey 1157 * - 4 = pin + yubikey 1158 * 1159 * Does not affect metadata. */ 1160 #define ZXID_ISSUE_AUTHNCTX "none,weak,urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,yubikey,pin-yubikey" 1161 1162 /*(c) IdP preference for ACS 1163 * If SP does not manifest preference regarding the binding for Assertion Consumer Service, 1164 * then this IdP preference is used, unless SP metadata indicates it can not 1165 * support this binding, in which case the first ACS from metadata is used. 1166 * 1167 * Does not affect metadata. */ 1168 #define ZXID_IDP_PREF_ACS_BINDING "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 1169 1170 /*(c) List of unsuppressible attributes 1171 * Every SSO and discovery will include 1172 * these attributes, if they are defined for the user. Comma separated list. 1173 * 1174 * Does not affect metadata. */ 1175 1176 #define ZXID_MANDATORY_ATTR "zxidvers,zxidloa" 1177 1178 /* ----------------------------------------------------------------------------- */ 1179 1180 /*(c) Attribute Broker definitions 1181 * Do not affect metadata. 
*/ 1182 1183 #define ZXID_NEED "idpnid,affid,role$undisclosed,log$400000$$" 1184 #define ZXID_WANT "*,authnctxlevel,sesid,setcookie,cookie,rs,cn$undisclosed,log$400000$$" 1185 #define ZXID_ATTRSRC "" 1186 #define ZXID_INMAP "" 1187 #define ZXID_OUTMAP "rsrc$rs$unsb64-inf$$" 1188 //#define ZXID_SUPPRESS "" 1189 1190 /* ----------------------------------------------------------------------------- */ 1191 1192 /*(c) Policy Decision Point (PDP) URLs 1193 * If PDP_URL is set, then the indicated PDP will be consulted in 1194 * the end of SSO, i.e. by zxid_simple(). 1195 * PDP_CALL_URL is used if zxid_az() family of functions 1196 * are called. If PDP_CALL_URL is not set, but PDP_URL is 1197 * set, the PDP_URL value will be used by zxid_az(). If you 1198 * always want to explicitly call zxid_az() and do not want 1199 * zxid_simple() to make implicit calls to PDP, just set 1200 * PDP_CALL_URL and leave PDP_URL as 0. 1201 * 1202 * Does not affect metadata. */ 1203 #define ZXID_PDP_URL 0 1204 #define ZXID_PDP_CALL_URL 0 1205 1206 /*(c) Trust Policy Decision Point (PDP) URL 1207 * If TRUSTPDP_URL is set and 1208 * appropriate discovery options are passed, then the indicated PDP 1209 * will be consulted during discovery processing to determine if a 1210 * service should be returned. Default value 0 prevents such processing. 1211 * 1212 * Does not affect metadata. */ 1213 #define ZXID_TRUSTPDP_URL 0 1214 1215 /*(c) Enable TAS3 CPN 1216 * Enable discovery and web service call to perform TAS3 Credentials 1217 * and Privacy Negotiation call. For this to work, there must be discovery registration 1218 * for service type urn:tas3:cpn-agent as well. 1219 * 1220 * Does not affect metadata. */ 1221 #define ZXID_CPN_ENA 0 1222 1223 /*(c) Kludgy options for AZ debugging 1224 * Also work-around bugs of others. 1225 * 1226 * 0x01:: prevent WS-Security header in SOAP XACML requests. 1227 * 1228 * Does not affect metadata. 
*/ 1229 #define ZXID_AZ_OPT 0 1230 1231 /*(c) Authorization failure mode 1232 * 0x00:: Any failure is Deny (sane default) 1233 * 0x01:: Missing PDP_URL or PDP_CALL_URL is Permit (allows you to 1234 * run code that makes explicit az calls even if you do not have PDP) 1235 * 0x02:: Network connectivity error is Permit (emergency panic 1236 * option - do not enable unless you are willing to assume 1237 * the liability: that failure to contact PDP is interpretted as Permit 1238 * may be the express objective of the attack you are under) 1239 * 0x03:: Combine the two above: Missing URL or no connectivity is Permit 1240 * 0x04:: Always return Permit (only for development use) 1241 * 1242 * Does not affect metadata. */ 1243 #define ZXID_AZ_FAIL_MODE 0 1244 1245 /* Use these constants in code */ 1246 #define ZXID_AZ_FAIL_MODE0_DENY 0 1247 #define ZXID_AZ_FAIL_MODE1_MISSING_URL 1 1248 #define ZXID_AZ_FAIL_MODE2_NET_FAIL 2 1249 #define ZXID_AZ_FAIL_MODE4_PERMIT_ALWAYS 4 1250 1251 /*(c) Which version of XACML to speak 1252 * E.g. "2.0" or "2.0-cd1" or "xac-soap" 1253 * 1254 * Does not affect metadata. */ 1255 1256 #define ZXID_XASP_VERS "2.0" 1257 1258 /*(c) What to pass in XACML PolicySetIdReference when calling PDP 1259 * Empty means not to pass PolicySetIdReference. 1260 * 1261 * Does not affect metadata. */ 1262 #define ZXID_XA_POLICY_SET_ID_REF "" /* *** implement */ 1263 1264 /*(c) Common XACML Attributes for PEPs (compile) 1265 * Format ns$A$rule$b$ext 1266 * 1267 * The ZXID_COMMAP can only be specified at compile time. At run time 1268 * each map has to be specified separately, sorry. 1269 * The order of processing rules has not been fixed yet, but 1270 * currently (Feb2011/R0.76) the first rule is processed last, e.g. 1271 * the "env$*$$$" stanza that appears as first, below, causes 1272 * all other attributes to be considered environment attributes. 1273 * See documentation for INMAP for syntax of the stanzas. 1274 * 1275 * Does not affect metadata. 
*/ 1276 #define ZXID_COMMAP "env$*$$$;subj$idpnid$rename$urn:oasis:names:tc:xacml:1.0:subject:subject-id$;subj$urn:oasis:names:tc:xacml:1.0:subject:subject-id$$$;subj$urn:oid:1.3.6.1.4.1.5923.1.1.1.1$$$;subj$urn:oid:1.3.6.1.4.1.5923.1.1.1.7$$$;subj$eduPersonAffiliation$$$;subj$eduPersonEntitlement$$$;subj$role$$$;rsrc$rs$unsb64-inf$urn:oasis:names:tc:xacml:1.0:resource:resource-id$;rsrc$urn:oasis:names:tc:xacml:1.0:resource:resource-id$$$;rsrc$Resource$rename$urn:oasis:names:tc:xacml:1.0:resource:resource-id$;act$Action$rename$urn:oasis:names:tc:xacml:1.0:action:action-id$;act$urn:oasis:names:tc:xacml:1.0:action:action-id$$$;env$ZXID_PEPvers$$$;$cookie$del$$;$setcookie$del$$;$setptmcookie$del$$" 1277 1278 /*(c) XACML Attributes for SSO / frontchannel request in PEP 1279 * Format ns$A$rule$b$ext 1280 * 1281 * Does not affect metadata. */ 1282 #define ZXID_PEPMAP ZXID_COMMAP 1283 1284 /*(c) XACML Attributes for Request Outbound PEP at WSC (1) 1285 * Format ns$A$rule$b$ext 1286 * 1287 * Does not affect metadata. */ 1288 #define ZXID_PEPMAP_RQOUT ZXID_COMMAP 1289 1290 /*(c) XACML Attributes for Request Inbound PEP at WSP (2) 1291 * Format ns$A$rule$b$ext 1292 * 1293 * Does not affect metadata. */ 1294 #define ZXID_PEPMAP_RQIN ZXID_COMMAP 1295 1296 /*(c) XACML Attributes for Response Outbound PEP at WSP (3) 1297 * Format ns$A$rule$b$ext 1298 * 1299 * Does not affect metadata. */ 1300 #define ZXID_PEPMAP_RSOUT ZXID_COMMAP 1301 1302 /*(c) XACML Attributes for Response Inbound PEP at WSC (4) 1303 * Format ns$A$rule$b$ext 1304 * 1305 * Does not affect metadata. */ 1306 #define ZXID_PEPMAP_RSIN ZXID_COMMAP 1307 1308 //#define ZXID_XACML2_SUBJ "idpnid=$idpnid&role=$role" 1309 //#define ZXID_XACML2_RSRC "URL=$URL" 1310 //#define ZXID_XACML2_ACT "Action=$Action" 1311 //#define ZXID_XACML2_ENV "ZXID_PEPVers" 1312 1313 /*(c) Default AAMAP 1314 * Pass all attributes (except dangerous ones) through. 
1315 * 1316 * idpsesid is blocked on grounds of being a sessionwide correlation handle. 1317 * 1318 * Does not affect metadata. */ 1319 #define ZXID_DEFAULT_IDP_AAMAP "$*$$$;$idpsesid$del$$" /* (compile) */ 1320 1321 /*(c) Whitelists and blacklists for the primitive SSO local PDP 1322 * Comma separated lists. 1323 * 1324 * Do not affect metadata. */ 1325 1326 #define ZXID_LOCALPDP_ROLE_PERMIT 0 /* Whitelist of roles, comma separated (empty: anything goes) */ 1327 #define ZXID_LOCALPDP_ROLE_DENY "local_deny" /* Blacklist of roles, comma separated */ 1328 #define ZXID_LOCALPDP_IDPNID_PERMIT 0 /* Whitelist of permitted users, comma separated (empty: anything goes) */ 1329 #define ZXID_LOCALPDP_IDPNID_DENY "denynid" /* Blacklist of denied users, comma separated */ 1330 1331 /*(c) Obligations 1332 * Obligations we are willing to respect (unless an explicit UsageDirectives header 1333 * is specified by caller), require, generate, and accept. Examples: 1334 * 1335 * WSC_LOCALPDP_OBL_PLEDGE=urn:tas3:sol1:contract-fwk=urn:syn-trust:obl:base-contract:2012-11 1336 * WSC_LOCALPDP_OBL_PLEDGE=urn:tas3:sol1:contract-fwk=urn:syn-trust:obl:base-contract:2012-11%26urn:tas3:sol1:xborder=urn:tas3:sol1:xdom:eu 1337 * WSC_LOCALPDP_OBL_PLEDGE=urn:tas3:sol1:contract-fwk=urn:syn-trust:obl:base-contract:2012-11$urn:tas3:sol1:xborder=urn:tas3:sol1:xdom:eu 1338 * 1339 * Since SOL expressions are parsed according to URL query string 1340 * rules and since the configuration directives are also parsed 1341 * according to query string rules, a problem arises with multipart SOL 1342 * expressions. The second expression shows how to use URL quoting 1343 * (%26) to protect the SOL ampersand from being processed by the 1344 * configuration file. Since this is such a common situation, a 1345 * special separator dollar ($, 0x24) may be used instead, as 1346 * illustrated in third example. 1347 * 1348 * Multiple WSP_LOCALPDP_OBL_REQ and WSP_LOCALPDP_OBL_EMIT directives 1349 * accumulate. 
Special pledge name "reset" can be used to reset the 1350 * list. 1351 * 1352 * See further discussion in tas3-proto.pd section 2.12 Simple Obligations Language (SOL). 1353 * 1354 * Does not affect metadata. */ 1355 #define ZXID_WSC_LOCALPDP_OBL_PLEDGE 0 /* String: WSC pledged obligations in SOL notation */ 1356 #define ZXID_WSP_LOCALPDP_OBL_REQ 0 /* String: WSP required obligations in SOL notation */ 1357 #define ZXID_WSP_LOCALPDP_OBL_EMIT 0 /* String: WSP obligations emitted on resp */ 1358 #define ZXID_WSC_LOCALPDP_OBL_ACCEPT 0 /* String: WSC acceptable obligations in SOL notation */ 1359 1360 /*(c) Unix Group Authorization 1361 * 1362 * UNIX_GRP_AZ_MAP=affil$attr$val$group$ext 1363 * 1364 * where 1365 * 1366 * affil:: Specifies who is allowed to supply the attribute. Typically 1367 * the IdP EntityID. Specifying '**' accepts any IdP, but this 1368 * is problematic if different IdPs use same attribute name to 1369 * mean different things. Suffix and prefix matching can be 1370 * performed using "**" and "*". 1371 * attr:: The name of the SSO attribute, e.g "role" or "o" (organization). 1372 * Can also be specified as "*", which is interpretted as any 1373 * user from the IdP specified in affil. No other wildcarding. 1374 * val:: The value of the attribute that needs to match. Prefix and 1375 * suffix matching using "*" and "**" is supported. Use | to 1376 * supply alternatives. 1377 * group:: The Unix group name. 1378 * ext:: Extension field. 1379 * 1380 * Leave as empty (null) to disable the feature. 1381 * 1382 * Does not affect metadata. */ 1383 1384 #define ZXID_UNIX_GRP_AZ_MAP 0 1385 1386 /*(c) Enable obsolete ciphers 1387 * Enable CBC (instead of GCM) and PKCS#1 v1.5 padding, both of which 1388 * are vulnearable and can compromise modern crypto through Backwards 1389 * Compatibility Attacks. 1390 * See paper: Tibor Jager, Kenneth G. 
Paterson, Juraj Somorovsky: "One Bad Apple: Backwards Compatibility Attacks on State-of-the-Art Cryptography", 2013 http://www.nds.ruhr-uni-bochum.de/research/publications/backwards-compatibility/ /t/BackwardsCompatibilityAttacks.pdf 1391 * 1392 * Does not affect metadata. */ 1393 #define ZXID_BACKWARDS_COMPAT_ENA 0 /* safe default, 1=enable acceptance of old unsafe ciphers, 2=use old unsafe ciphers when generating protocol messages, 3=be backwards compatible in input and output */ 1394 1395 #define ZXID_BACKWARDS_COMPAT_ACCEPT 1 1396 #define ZXID_BACKWARDS_COMPAT_GEN 2 1397 1398 /*(c) String used as SignatureMethod@Algorithm 1399 * Typically a special URL like "http://www.w3.org/2000/09/xmldsig#rsa-sha1" (the sha1 variant is deprecated for new signatures; "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" is the current choice where CoT partners can verify it). 1400 * The public key part must agree with certificate used for signature. The 1401 * hash part is used for choosing a hash algorithm. If specified as 0 or "0", 1402 * the public key part is determined from the certificate and the hash 1403 * part from the XMLDSIG_DIGEST_ALGO. Since the mapping is 1404 * nontrivial, not all combinations can be autodetected. 1405 */ 1406 #define ZXID_XMLDSIG_SIG_METH 0 1407 1408 /*(c) Digest algorithm to use when generating XMLDSIG signatures 1409 * The string is used as Reference/DigestMethod@Algorithm and is also 1410 * used to choose (by looking at the local part of the URL) the actual 1411 * digest algorithm for the crypto engine. 1412 * If XMLDSIG_SIG_METH is specified as 0 or "0", as it often is, this 1413 * option also determines the hash algorithm part for the signature. 1414 * Special value 0 means to use the same hash algorithm as in 1415 * signing certificate. 1416 * Traditional default value (as of 2015): "http://www.w3.org/2000/09/xmldsig#sha1"; prefer "http://www.w3.org/2001/04/xmlenc#sha256" where the CoT supports it. N.B. DIGEST_ALGO, used as the default below, is not defined in this file; it is presumably supplied by the build - check what it resolves to, since it also selects the signature hash when XMLDSIG_SIG_METH is 0. 1417 */ 1418 #define ZXID_XMLDSIG_DIGEST_ALGO DIGEST_ALGO 1419 1420 /*(c) Digest algorithm to use when generating SAML blob (not XMLDSIG) signatures 1421 * Blob signatures occur in SAML2 messages where XML signature 1422 * is not used, e.g. redirect bindings and POST bindings.
1423 * Where XMLDSIG is used by SAML, XMLDSIG_SIG_METH and XMLDSIG_DIGEST_ALGO 1424 * configuration options are used. 1425 * The string, such as "SHA1" or "SHA256", should be understood 1426 * by OpenSSL EVP_get_digestbyname(3) API. If passed as 0 or "0" 1427 * the default hash algorithm is used ("SHA1" as of 2015). Note that SHA-1 is no longer considered collision resistant, so prefer "SHA256" wherever the peers support it. 1428 */ 1429 #define ZXID_SAMLSIG_DIGEST_ALGO "SHA1" 1430 1431 /*(c) Digest algorithm to use when generating blob (not XMLDSIG or SAML) signatures 1432 * Blob signatures occur in several places where XML signature 1433 * is not used. For example when performing signed logging or audit bus operations. 1434 * The string, such as "SHA1" or "SHA256", should be understood 1435 * by OpenSSL EVP_get_digestbyname(3) API. If passed as 0 or "0" 1436 * the default hash algorithm is used ("SHA256" as of 2015). 1437 */ 1438 #define ZXID_BLOBSIG_DIGEST_ALGO "SHA256" 1439 1440 /* ----------------------------------------------------------------------------- */ 1441 /*(c) Change current working directory 1442 * Apache httpd sometimes changes working directory unpredictably 1443 * (usually to /). This is in violation of Apache httpd documentation, 1444 * but apparently the bug has not gotten fixed as of 2013. This seems 1445 * to be related to mod_rewrite. Use this option to change working 1446 * directory back to whatever you desire, such as document root of a 1447 * virtual host so that relative paths to templates, etc. work. 0 means 1448 * not to change (i.e. leave working directory as-is, even if unpredictably 1449 * changed to wrong value). 1450 * 1451 * Does not affect metadata. */ 1452 #define ZXID_WD 0 1453 1454 /*(c) Simple API HTML customization. 1455 * These allow simple branding and customization. 1456 * If these options are not enough for you, consider simply rendering your own forms. */ 1457 1458 /*(c) Whether to show more technical fields in the GUI 1459 * Normally they are hidden and POST profile is used. 1460 * Does not affect metadata. 
*/ 1461 #define ZXID_SHOW_TECH 0 1462 1463 /*(c) Body tag for some old ZXID generated pages 1464 * Edit this to change the colors. But usually 1465 * you should be editing stylesheet or template. 1466 * Does not affect metadata. */ 1467 #define ZXID_BODY_TAG "<body bgcolor=white>" /* (compile) */ 1468 1469 /*(c) IdP Selector Page URL 1470 * If the IDP_SEL_TEMPL_FILE or IDP_SEL_TEMPL, above, is not sufficient for 1471 * your customization needs, you can provide URL to page of your own design. 1472 * This page will receive as query string argument the relay state. 1473 * 0 (zero) disables. 1474 * 1475 * Does not affect metadata. */ 1476 1477 #define ZXID_IDP_SEL_PAGE 0 1478 1479 /*(c) Path for Template for IdP Selector Page 1480 * This template is used 1481 * by Service Provider to render the SP "login" screen which really 1482 * is the IdP selection screen (as the authentication login is done 1483 * on IdP side). 1484 * 1485 * Does not affect metadata. */ 1486 #define ZXID_IDP_SEL_TEMPL_FILE "idpsel.html" 1487 1488 /*(c) Template for IdP Selector Page 1489 * Used if the path does not work. This is really meant to be the last resort. 1490 * 1491 * Does not affect metadata. */ 1492 1493 #define ZXID_IDP_SEL_TEMPL "<title>SP SSO: Choose IdP</title>"\ 1494 "<link type=\"text/css\" rel=stylesheet href=\"idpsel.css\"><body bgcolor=white>"\ 1495 "<h1 class=zxtop>SP Federated SSO (user NOT logged in, no session)</h1>"\ 1496 "<form method=get action=\"!!URL\">"\ 1497 "<div class=zxerr>!!ERR</div><div class=zxmsg>!!MSG</div><div class=zxdbg>!!DBG</div>"\ 1498 "<h3>Login Using New IdP</h3>"\ 1499 "<i>A new IdP is one whose metadata we do not have yet. We need to know "\ 1500 "the IdP URL (aka Entity ID) in order to fetch the metadata using the "\ 1501 "well known location method. 
You will need to ask the adminstrator of "\ 1502 "the IdP to tell you what the EntityID is.</i>"\ 1503 "<p>IdP URL <input name=e size=60><input type=submit name=l0 value=\" Login \"><br>"\ 1504 "Entity ID of this SP (click on the link to fetch the SP metadata): <a href=\"!!EID\">!!EID</a>"\ 1505 "<p>!!IDP_LIST<h3>Technical options</h3>"\ 1506 "<input type=hidden name=fc value=1><input type=hidden name=fn value=prstnt>"\ 1507 "<!-- built-in defaults, see IDP_SEL_TEMPL in zxidconf.h and zxid-conf.pd for explanation -->"\ 1508 "<input type=hidden name=fr value=\"!!FR\">"\ 1509 "<input type=hidden name=fq value=\"\">"\ 1510 "<input type=hidden name=fy value=\"\">"\ 1511 "<input type=hidden name=fa value=\"\">"\ 1512 "<input type=hidden name=fm value=\"\">"\ 1513 "<input type=hidden name=fp value=0>"\ 1514 "<input type=hidden name=ff value=0>"\ 1515 "</form>"\ 1516 "<div class=zxbot>!!VERSION (builtin)</div>" 1517 1518 /*(c) Choose the method for rendering the IdP list. 1519 * 1520 * - 0 = popup menu 1521 * - 1 = buttons 1522 * - 2 = branded image buttons (a la "nascar") 1523 * 1524 * This configuration option is effective if the !!IDP_LIST variable 1525 * is used in the template. The variables !!IDP_POPUP, !!IDP_BUTTON, and !!IDP_BRAND 1526 * in the template override this option. 1527 * 1528 * Does not affect metadata. */ 1529 #define ZXID_IDP_LIST_METH 0 1530 1531 #define ZXID_IDP_LIST_POPUP 0 1532 #define ZXID_IDP_LIST_BUTTON 1 1533 #define ZXID_IDP_LIST_BRAND 2 1534 1535 /*(c) Create New User Page 1536 * If user clicks "Create New User" (o=N) he is redirected to this page. 1537 * E.g. "zxidnewuser.pl" 1538 * 1539 * Does not affect metadata. */ 1540 1541 #define ZXID_NEW_USER_PAGE "zxidnewuser.pl" 1542 1543 /*(c) Recover Password Page 1544 * If user clicks on recover password link (o=W), redirect to this page. 1545 * E.g. "zxidrecoverpw.pl" 1546 * 1547 * Does not affect metadata. 
*/ 1548 1549 #define ZXID_RECOVER_PASSWD "zxidrecoverpw.pl" 1550 1551 /*(c) Attribute selection page 1552 * If attribute selection is desired during SSO, redirect to this page. 1553 * E.g. "zxidatsel.pl" 1554 * 1555 * Does not affect metadata. */ 1556 1557 #define ZXID_ATSEL_PAGE 0 1558 1559 /*(c) Authentication Page URL 1560 * If the template customization options are not sufficient, you can 1561 * provide URL to page of your own design. If set, takes priority over AN_TEMPL_FILE. 1562 * 0 (zero) disables. 1563 * 1564 * Does not affect metadata. */ 1565 1566 #define ZXID_AN_PAGE 0 1567 1568 /*(c) Path for Template for IdP Authentication Page 1569 * Does not affect metadata. */ 1570 1571 #define ZXID_AN_TEMPL_FILE "an-main.html" 1572 1573 /*(c) Template for IdP Authentication Page 1574 * Used if the path does not work. This is really meant to be the last resort. 1575 * 1576 * Does not affect metadata. */ 1577 1578 #define ZXID_AN_TEMPL "<title>IdP: Authentication</title>"\ 1579 "<link type=\"text/css\" rel=stylesheet href=\"an.css\"><body bgcolor=white>"\ 1580 "<form method=get action=\"!!URL\">"\ 1581 "<h1 class=zxtop>IdP Authentication for Federated SSO</h1>"\ 1582 "<p>Entity ID of this IdP (click for the IdP metadata): <a href=\"!!EID\">!!EID</a><br>"\ 1583 "<p>Login requested by <img src=\"!!SP_BUTTON_URL\"> !!SP_DPY_NAME (<a href=\"!!SP_EID\">!!SP_EID</a>)"\ 1584 "<div class=zxerr>!!ERR</div><div class=zxmsg>!!MSG</div><div class=zxdbg>!!DBG</div>"\ 1585 "User NOT logged in, no session."\ 1586 "<h3>Please authenticate using one of the following methods:</h3>"\ 1587 "<!--input type=checkbox name=at> Adjust attribute sharing after authentication-->"\ 1588 "<ol><li> Yubikey <a href=\"http://yubico.com\"><img src=\"yubiright_16x16.gif\" width=16 height=16 border=0></a>:<input name=au><input type=submit name=alp value=\" Login \">"\ 1589 "<li> User: <input name=au> Password: <input type=password name=ap><input type=submit name=alp value=\" Login \">"\ 1590 
"<li><input type=submit name=an value=\" Create New User \"></ol>"\ 1591 "<input type=hidden name=fc value=1><input type=hidden name=fn value=prstnt><br>"\ 1592 "<input type=hidden name=fq value=\"\"><input type=hidden name=fy value=\"\"><input type=hidden name=fa value=\"\"><input type=hidden name=fm value=\"\"><input type=hidden name=fp value=0><input type=hidden name=ff value=0><!-- ZXID built-in defaults, see AN_TEMPL zxidconf.h-->"\ 1593 "<input type=hidden name=ar value=\"!!SSOREQ\">"\ 1594 "<input type=hidden name=zxapp value=\"!!ZXAPP\">"\ 1595 "</form><div class=zxbot>!!VERSION (builtin)</div>" 1596 1597 /*(c) Path for Template for POST profile page 1598 * Does not affect metadata. */ 1599 1600 #define ZXID_POST_TEMPL_FILE "post.html" 1601 1602 /*(c) Template for POST profile page 1603 * Used if the path does not work. This is really meant to be the last resort. 1604 * 1605 * Does not affect metadata. */ 1606 1607 #define ZXID_POST_TEMPL "<title>Post Profile</title>"\ 1608 "<link type=\"text/css\" rel=stylesheet href=\"an.css\">"\ 1609 "<body bgcolor=white OnLoad=\"document.forms[0].submit()\">"\ 1610 "<form method=post action=\"!!ACTION_URL\">"\ 1611 "<h1 class=zxtop>POST Profile POST</h1>"\ 1612 "<div class=zxerr>!!ERR</div><div class=zxmsg>!!MSG</div><div class=zxdbg>!!DBG</div>"\ 1613 "<input type=hidden name=!!SAML_ART value=\"!!SAML_RESP\">!!RS!!SIG"\ 1614 "<input type=submit name=ok value=\" If JavaScript is not on, please click here to complete the transaction \">"\ 1615 "</form><div class=zxbot>!!VERSION (builtin)</div>" 1616 1617 /*(c) Error Page URL 1618 * If the template customization options are not sufficient, you can 1619 * provide URL to page of your own design. If set, takes priority over ERR_TEMPL_FILE. 1620 * 0 (zero) disables. 1621 * 1622 * Does not affect metadata. */ 1623 1624 #define ZXID_ERR_PAGE 0 1625 1626 /*(c) Path for Template for Error Page 1627 * 1628 * Does not affect metadata. 
*/ 1629 1630 #define ZXID_ERR_TEMPL_FILE "err.html" 1631 1632 /*(c) Template for Error Page 1633 * Used if the path does not work. This is really meant to be the last resort. 1634 * 1635 * Does not affect metadata. */ 1636 1637 #define ZXID_ERR_TEMPL "<title>ZXID: Error</title>"\ 1638 "<link type=\"text/css\" rel=stylesheet href=\"an.css\"><body bgcolor=white>"\ 1639 "<form method=get action=\"!!URL\">"\ 1640 "<h1 class=zxtop>ZXID Error Message</h1>"\ 1641 "<div class=zxerr>!!ERR</div><div class=zxmsg>!!MSG</div><div class=zxdbg>!!DBG</div>"\ 1642 "<input type=hidden name=zxapp value=\"!!ZXAPP\">"\ 1643 "</form><div class=zxbot>!!VERSION (builtin)</div>" 1644 1645 #define ZXID_MGMT_START "<title>ZXID SP Mgmt</title><link type=\"text/css\" rel=stylesheet href=\"idpsel.css\"><body bgcolor=white><h1 class=zxtop>ZXID SP Management (user logged in, session active)</h1>\n" 1646 1647 #define ZXID_MGMT_LOGOUT "<input type=submit name=gl value=\" Local Logout \">\n<input type=submit name=gr value=\" Single Logout (R) \">\n<input type=submit name=gs value=\" Single Logout (S) \">\n" 1648 1649 #define ZXID_MGMT_DEFED "<input type=submit name=gt value=\" Defederate (R) \">\n<input type=submit name=gu value=\" Defederate (S) \">\n" 1650 1651 #define ZXID_MGMT_FOOTER "<div class=zxbot>" 1652 #define ZXID_MGMT_END "</div>" 1653 1654 /*(c) ECHO - Print to debug out that the given line in the configuration has been reached. 1655 * Used for debugging complex sequences of VPATH and INCLUDE. */ 1656 1657 /* FYI, the ERR config file option already has another meaning: error log */ 1658 1659 /*(c) INFO - Like ECHO, but prints at debug level INFO. 1660 */ 1661 1662 /*(c) WARN - Like ECHO, but prints at debug level WARN. 1663 */ 1664 1665 /*(c) DIE - Like ECHO, but prints at debug level ERR and then aborts (exits) the process. 1666 */ 1667 1668 /*(c) REM - Remark. A comment that is not printed anywhere. Alternate mechanism 1669 * when compared to using the hash sign ("#") in configuration files. 
*/ 1670 1671 /*(c) PRAGMA - Implementation dependent config parsing time option. Ignore if not understood. 1672 */ 1673 1674 #endif 1675