forked from ausaccessfed/shibboleth-idp4-installer
-
Notifications
You must be signed in to change notification settings - Fork 0
/
bootstrap-v4.ini
156 lines (134 loc) · 6.38 KB
/
bootstrap-v4.ini
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
[main]
############################ BOOTSTRAP CONFIGURATION ###########################
#
# MANDATORY SECTION - YOU MUST REVIEW AND SET EACH VALUE
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Specify the entity ID (technical name) of the IdP. This value is options and
# can be left unset. If usent, the entity ID will be created based on the HOST_NAME
# value below.
#ENTITY_ID=https://idp.example.edu/idp/shibboleth
# Specify the externally facing address for this IdP. Typically you would have
# a DNS entry for this. Do *NOT* use 'localhost' or any other local address.
#HOST_NAME=idp.example.edu
# The federation environment
# Allowable values: {test, production} (case-sensitive)
#ENVIRONMENT=test
# Your Organisation's name
#ORGANISATION_NAME="The University of Example"
# The base domain for your organisation
#ORGANISATION_BASE_DOMAIN=example.edu
# Your schacHomeOrganizationType.
# See http://www.terena.org/activities/tf-emc2/schacreleases.html
# Relevant values are:
# urn:mace:terena.org:schac:homeOrganizationType:au:university
# urn:mace:terena.org:schac:homeOrganizationType:au:research-institution
# urn:mace:terena.org:schac:homeOrganizationType:au:other
#HOME_ORG_TYPE=urn:mace:terena.org:schac:homeOrganizationType:au:university
# The attribute used for AuEduPersonSharedToken, eduPersonTargetedId and
# the persistent Name ID value generation.
#
# IMPORTANT: The generation of AuEduPersonSharedToken and EduPersonTargetedId
# require the value from the specified source attribute. If the value changes,
# it will change the AuEduPersonSharedToken and EduPersonTargetedId. This will
# cause the user to lose access in the federation. It is *critical* that you
# specify an attribute that will never change.
#
# Generally use uid for most LDAP servers and sAMAccountName for MS Active
# Directoy. In some situations the directory will use cn (commonName) to hold
# the users unique login name.
#
# The attribute choose MUST provide a unique single value for ALL user. If
# this is not the case no value will be provide for the auEduPersonSharedToken.
#
#SOURCE_ATTRIBUTE_ID=uid
# The attribute used to generate the subject ID and pairwise ID attributes.
# These are new attributes values that will eventually replace eduPersonTargetedID
# and may replace auEduPersonSharedToken.
#
# These attributes will be crated on the fly and based on the persisten attribute
# that MUST have the following properties:
# * Persistent - NEVER changes once assigned to a user
# * Non-reassignable - Is NEVER reassigned to another user
# * Opaque - A value that does NOT allow the relying party to positivly identify
# the subject
# If your Identity system does not currently have such an attribute provided for
# each user you MUST leave the following value blank.
#
# WARNING: Once you have assigned a value, you can NOT change it. If it does change
# all of your user's identities will change!
#
#PERSISTENT_ATTRIBUTE_ID=
# Perform a system update as part of the bootstrap and every time you run
# the update-idp script to ensure all of your operating system software is
# patched and up to date. Setting this value to "true" is recommended.
# Valid values are either "true" or "false".
#OS_UPDATE=true
[ldap]
# OPTIONAL SECTION
# ~~~~~~~~~~~~~~~~
# LDAP address Shibboleth IdP will connect to
#LDAP_URL=ldap://ldap.example.edu:389
# Point from where LDAP will search for users
#LDAP_BASE_DN="ou=Users,dc=example,dc=edu"
# The administrator's bind dn
#LDAP_BIND_DN="cn=Manager,dc=example,dc=edu"
# The adminstrator's password
# Note: If any of the following special characters appear in your
# password you must add an escape "\" before each one.
# The special characters are
# - $ (Dollars),
# - " (Double quote),
# - / (Forward Slash)
# Back Slash MUST never be used!
# The password: 'ReQ$-"/xxp4' would be entered as 'ReQ\$-\"\/xxp4'
#
#LDAP_BIND_DN_PASSWORD="p@ssw0rd"
# Specify the attribute for user queries
#
# Generally use uid for most LDAP servers and sAMAccountName for MS Active
# Directoy. In some situations the directory will use cn (commonName) to hold
# the users unique login name.
#
#LDAP_USER_FILTER_ATTRIBUTE="uid"
[advanced]
# ADVANCED SECTION
# ~~~~~~~~~~~~~~~~
# The base path for Shibboleth and the IdP Installer configuration.
# Changing the base path MUST only occur here, do not attempt to change
# the base after the initial install.
INSTALL_BASE=/opt
# Select the local Firewall that will be running on your server. The default
# is firewalld which is the default for CentOS and RHEL 7. Some organisations
# have selected to maintain iptables. You can also select to not have the
# installer maintain your local firewall but this is definitly NOT recommeded.
# Relevant values are:
# firewalld (default)
# Adds ports 433 (https) and 8443 (IdP backchannel) ports to the
# firewalld config. All other configuration remains unchanged.
# iptables
# Adds ports 22 (ssh), 443 (https) and 8443 (IdP backchannel) ports
# to the iptables config. Other firewall settings may be overwritten!
# none
# You are responsible for the maintance of the servers firewall. No
# changes to the local firewall are made in this mode.
#
FIREWALL=firewalld
#
# The Shibboleth IdP can provide a back channel for Service Providers to
# communicate directly with the Identity Provider. This has been used for
# attribute release, transmission of messages via SAML Artifact and more recently
# for backchannel SLO. The AAF have idenified that none of the use cases for
# the backchannel are relivant to operation within the AAF, and therefor
# recommend it no longer be enable be default. If it is required, for example
# for a standalone Attribute Authority service, then setting the following to true
# will enable configuration for the backchannel.
#
ENABLE_BACKCHANNEL=false
#
# Enable your IdP to participate in eduGAIN (https://www.singaren.net.sg/network-services/edugain/). Your
# orgainisation must be enable at the federation before being enabled to use
# eduGAIN services. Setting the following values to true will only technically
# enable your IdP. You MUST complete the steps described AAF eduGAIN web site in
# addition to making the technical changes.
#
ENABLE_EDUGAIN=false