-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathparameters.yaml.dist
178 lines (145 loc) · 9.12 KB
/
parameters.yaml.dist
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
parameters:
app_env: prod
app_debug: false
app_secret: SeTW1ThY0uR0WnS3cR37
# Set to a unique string at each update te prevent asset cashing issues after an update
asset_version: 1
# Secret used for XSRF protection
secret: NotSoSecretReplaceMe!
# Debug options, relevant when running in debug mode only
debug_toolbar: true
debug_redirects: false
# Display name of application
app_name: "Stepup Gateway"
# IP addresses of any HTTP proxies that are sitting in front of the application
# See: http://symfony.com/doc/current/request/load_balancer_reverse_proxy.html
trusted_proxies: []
# Database connection
database_driver: pdo_mysql
database_host: mariadb
database_port: ~
# The database server version is used in the dbal configuration and is required to prevent issues when the database
# connection is booted. See https://github.com/doctrine/DoctrineBundle/issues/351 for more details on this.
# Also see: https://symfony.com/doc/current/reference/configuration/doctrine.html#doctrine-dbal-configuration
database_server_version: 5.6
# Credentials for the gateway database
database_gateway_name: gateway
database_gateway_user: gateway_user
database_gateway_password: gateway_secret
database_deploy_user: gw_deploy_user
database_deploy_password: gw_deploy_secret
mailer_transport: smtp
mailer_host: mailcatcher
mailer_user: ~
mailer_password: ~
# Default locale
default_locale: en_GB
# Available locales
locales: [nl_NL, en_GB]
# Domain for the locale cookie that is set by the Gateway, SelfService and the RA and that is used to share the
# user's locale preference with other (stepup) components
locale_cookie_domain: openconext.local
# Choose which SMS service to use. At this moment you can choose: 'spryng'
sms_service: 'spryng'
# Spryng config for sending SMS messages
spryng_api_key: Your_Spryng_Api_Key_Here
spryng_route: 1234
# Yubico Yubico Web Services API key
# Get one for free at: https://upgrade.yubico.com/getapikey/ (requires a YubiKey)
# API client_id
yubikey_client_id: 12345
# API Secret
yubikey_client_secret: YubiSecret
# Password for the "selfservice" Gateway API user
selfservice_api_password: sa_secret
# Password for the "ra" Gateway API user
registration_authority_api_password: ra_secret
# Message originator as displayed in SMS
# "This can be a telephone number (including country code) or an alphanumeric string.
# In case of an alphanumeric string, the maximum length is 11 characters."
sms_originator: OpenConext
# Validity time of an OTP send using SMS in seconds
sms_otp_expiry_interval: 900 # 15 minutes
# Maximum number of times a user may resend an SMS during authenticaton
sms_maximum_otp_requests: 3
# The private key and certificate that are used by the Gateway SP to sign SAML AuthnRequests
# Filename of the PEM CERTIFICATE
saml_sp_publickey: /config/gateway/gateway_sp.crt
# Filename of the PEM RSA PRIVATE KEY
saml_sp_privatekey: /config/gateway/gateway_sp.key
# The private key and certificate that are used by the Gateway IdP to sign SAML Responses/Assertions
# Filename of the PEM CERTIFICATE
saml_idp_publickey: /config/gateway/gateway_idp.crt
# Filename of the PEM RSA PRIVATE KEY
saml_idp_privatekey: /config/gateway/gateway_idp.key
# The certificate and private key that are used by the Gateway to sign the metadata that it publishes
# Filename of the PEM CERTIFICATE
saml_metadata_publickey: /config/gateway/gateway_idp.crt
# Filename of the PEM RSA PRIVATE KEY
saml_metadata_privatekey: /config/gateway/gateway_idp.key
# The remote IdP (i.e. not the local IdP that is part of the Gateway) is the IdP that provides the first
# factor authentication of users to the Gateway.
# The Gateway does publish very basic SAML Metadata that can be used by the Remote IdP (it currently does
# not include the signing certificate in the SPSSODescriptor). The Stepup-Gateway cannot import
# SAML Metadata published by the Remote IdP, you must configure that here by hand.
# The location of the metadata is: https://{{ gateway_vhost_name }}/authentication/metadata
# The Gateway uses the HTTP-Redirect binding to send the AuthnRequest to the Remote IdP. The AuthnRequest
# is signed using SHA256 (`http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`)
# The Remote IdP must use the HTTP-POST Binding to send the Response back to to the Gateway
# The Remote IdP may sign the Assertion in the Response using either:
# - SHA-1 (http://www.w3.org/2000/09/xmldsig#rsa-sha1); or
# - SHA256 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256)
# The ACS location is: https://{{ gateway_vhost_name }}/authentication/consume-assertion
# The SAML EntityID of the Remote IdP
saml_remote_idp_entity_id: https://ssp.dev.openconext.local/simplesaml/saml2/idp/metadata.php
# The SAML SSO Location of the Remote IdP
saml_remote_idp_sso_url: https://ssp.dev.openconext.local/simplesaml/module.php/saml/idp/singleSignOnService
# The SAML Base64 encoded DER X.509 SAML Signing certificate of the Remote IdP. This is the value of the
# X509Certificate element in the SAML Metadata of the Remote IdP.
saml_remote_idp_certificate: 'MIIECzCCAnMCFB5yH62OMDs5L8unoJeyJOBK3rQ9MA0GCSqGSIb3DQEBCwUAMEIxFzAVBgNVBAMMDnNpbXBsZXNhbWwgSWRQMScwJQYDVQQKDB5EZXZlbG9wbWVudCBEb2NrZXIgZW52aXJvbm1lbnQwHhcNMjMwNTI1MDkzMzE1WhcNMjgwNTIzMDkzMzE1WjBCMRcwFQYDVQQDDA5zaW1wbGVzYW1sIElkUDEnMCUGA1UECgweRGV2ZWxvcG1lbnQgRG9ja2VyIGVudmlyb25tZW50MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAwT9bwWfEPAHHHFmKmH3MBbIAdg10gDGqyOB5bV73KY/UZG53Wqx30RNz2tuvP2HGn1VW3hCK0NM0nbZbrIYAuvwfR7QZHW98/GrYMYtZWAfqb2XxWX/uirQjXQNtxtp3gEN7u23qZdsKn6JE1DmFXx7lfcG367+IXrYdO5ySIeTZ7VXAGeXgeaubFAQjOLqpolcIM/DTyD4Tfj3vWQaHcxVvrpMs/MCZMOGPhaz29truOEAfbVaGubu+dBLtMe7MH/eogUmeOU5Xw6MFxnkWBeByzk8bOJ5bmRN6Pe4YcHjmydylMHqnNLd6I2iBx+GDnwwV3sT9E8XzYVHuC288cPHgoSiKtbEcuflBs9zn1sMMXW7CZUlEWYAxBN/fG+UDGBEx0NTjEowrYPUfP4BzHQSTkv/U2XDTTB2pmc14Vj1Jmh68+dYLuFJ+Dayet8gjC6XwjdPnQdNN9wXjPKz938qSrkPsaf0G3rNhWuHnk7ndahOLiibnqskLz2F/SXhXAgMBAAEwDQYJKoZIhvcNAQELBQADggGBALEvo9DKooOTun0TcSjT4ziumwvkDeR8yIDuHNqsE4bNJKp/oxiSDRDQyA1AT7qPbTabcgOw0wxHGB1iFY2urmXKcu2ryjsxnN7M13fUE6n6Z2Z+9u3ZuHB4hBAb1WNdjStrGexyReTkOeFtTB3XjZXxMf/FrQ7b84UPb/zUyuz+khSFUAN03Zdf7PEbGav3SFdsaLQoCtDWrJTduG3JDnoG3X+kWY8hIYuQhmzqYV1LxJDX9SBPYC2bgiM8AfnzQVxdV9pQqiuaiM9L/9wP1ZOBjudDrguOPB2mo4/wqEKdJQsVnsXp5GJvS28fI3GysuaKZbcqwwObdw8xzQnil8tUZalx2PUnTiDPNv7yoACRIc4jNFLiU+fNULaU4KbT3XjfmAzJUftHG+O60522lqVC67kA+vOwIJbz/SiikBnkmT5kr4dftbjt3YT22kVmaV0BBwMg0cvJMHquo8qjg1LwaDmGj7CAqR+OpFUGnH1CFcdT0V2svQX2XKkI5O8O9g=='
# The uri's that are used to define the LoA levels used in AuthnContextClassRef
gateway_loa_loa1: http://dev.openconext.local/assurance/loa1
gateway_loa_loa2: http://dev.openconext.local/assurance/loa2
gateway_loa_loa3: http://dev.openconext.local/assurance/loa3
# The uri's used by the second factor only (SFO) endpoint
second_factor_only_loa_loa2: http://dev.openconext.local/assurance/sfo-level2
second_factor_only_loa_loa3: http://dev.openconext.local/assurance/sfo-level3
# Self-asserted token LoA uri's
second_factor_only_loa_self_asserted: 'http://dev.openconext.local/assurance/sfo-level1.5'
gateway_loa_self_asserted: 'http://dev.openconext.local/assurance/loa1.5'
# Boolean: Whether to enable (true) or disable (false) the SFO endpoint
second_factor_only: true
# The second factor types to enable
# Available second factor types: sms, yubikey, tiqr, biometric
enabled_second_factors:
- sms
- yubikey
- tiqr
- demo_gssp
- webauthn
- azuremfa
enabled_generic_second_factors:
azuremfa:
loa: 2
tiqr:
loa: 2
webauthn:
loa: 3
demo_gssp:
loa: 3
# The lifetime of the SSO on second factor authentications lifetime in seconds
# For example, 8h is 28800 seconds.
sso_cookie_lifetime: 28800
# Is the SSO on second factor authentications cookie persistent or a session cookie?
# Allowed values: persistent, session
sso_cookie_type: 'persistent'
# The name used for the sso on second factor authentication cookie
sso_cookie_name: 'stepup-gateway_sso-on-second-factor-authentication'
# The secret key is used for the authenticated encryption (AE) of the SSO cookies, it is stored in the
# parameters.yaml of the Stepup-Gateway. This secret may only be used for the AE of the SSO cookies.
# The secret key size is fixed, it must be 256 bits (32 bytes (64 hex digits))
# We use hex encoding to store the key in the configuration, so the key will be 64 hex digits long
# Please use this encryption key only for this purpose, do not re-use it for other crypto work.
#
# Example value: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
sso_encryption_key: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f