SimpleSAMLphp 2.3.7 security update - fix configuration

Author: back-2-95

misc/saml-idp/files/app/simplesamlphp/config/config.php

@@ -1,5 +1,11 @@
 <?php
 
+if (isset($_GET['_debug']) && $_GET['_debug'] === '1') {
+    echo '<pre>';
+    print_r(getenv());
+    exit;
+}
+
 /**
  * The configuration of SimpleSAMLphp
  */
@@ -196,6 +202,10 @@
      * This password will give access to the installation page of SimpleSAMLphp with
      * metadata listing and diagnostics pages.
      * You can also put a hash here; run "bin/pwgen.php" to generate one.
+     *
+     * If you are using Ansible you might like to use
+     * ansible.builtin.password_hash(hashtype='blowfish', ident='2y', rounds=13)
+     * to generate this hashed value.
      */
     'auth.adminpassword' => 'debugpass',
 
@@ -366,7 +376,7 @@
      * loggingdir above to 'null'.
      */
     'logging.level' => SimpleSAML\Logger::DEBUG,
-    'logging.handler' => 'stderr',
+    'logging.handler' => 'syslog',
 
     /*
      * Specify the format of the logs. Its use varies depending on the log handler used (for instance, you cannot
@@ -451,7 +461,7 @@
      * Proxy to use for retrieving URLs.
      *
      * Example:
-     *   'proxy' => 'tcp://proxy.example.com:5100'
+     *   'proxy' => 'http://proxy.example.com:5100'
      */
     'proxy' => null,
 
@@ -661,7 +671,7 @@
     /*
      * Option to override the default settings for the auth token cookie
      */
-    'session.authtoken.cookiename' => 'SimpleSAMLAuthTokenIdp',
+    'session.authtoken.cookiename' => 'SimpleSAMLAuthToken',
 
     /*
      * Options for remember me feature for IdP sessions. Remember me feature
@@ -821,8 +831,8 @@
      */
     'language.available' => [
         'en', 'no', 'nn', 'se', 'da', 'de', 'sv', 'fi', 'es', 'ca', 'fr', 'it', 'nl', 'lb',
-        'cs', 'sk', 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt-br', 'tr', 'ja', 'zh', 'zh-tw',
-        'ru', 'et', 'he', 'id', 'sr', 'lv', 'ro', 'eu', 'el', 'af', 'zu', 'xh', 'st',
+        'cs', 'sk', 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt_BR', 'tr', 'ja', 'zh', 'zh_TW',
+        'ru', 'et', 'he', 'id', 'sr', 'lv', 'ro', 'eu', 'el', 'af', 'zu', 'xh', 'st'
     ],
     'language.rtl' => ['ar', 'dv', 'fa', 'ur', 'he'],
     'language.default' => 'en',
@@ -993,12 +1003,6 @@
         // Adopts language from attribute to use in UI
         30 => 'core:LanguageAdaptor',
 
-        45 => [
-            'class'         => 'core:StatisticsWithAttribute',
-            'attributename' => 'realm',
-            'type'          => 'saml20-idp-SSO',
-        ],
-
         /* When called without parameters, it will fallback to filter attributes 'the old way'
          * by checking the 'attributes' parameter in metadata on IdP hosted and SP remote.
          */

misc/saml-idp/files/app/simplesamlphp/metadata/saml20-sp-remote.php

@@ -7,6 +7,22 @@
  */
 
 $metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = [
-    'AssertionConsumerService' => getenv('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE'),
-    'SingleLogoutService' => getenv('SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE'),
+    'AssertionConsumerService' => [
+        [
+            'Location' => getenv('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE'),
+            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+        ],
+    ],
+    'SingleLogoutService' => [
+        [
+            'Location' => getenv('SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE'),
+            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+        ],
+    ],
 ];
+
+if (isset($_GET['_debug']) && $_GET['_debug'] === '2') {
+    echo '<pre>';
+    print_r($metadata);
+    exit;
+}

misc/saml-idp/files/entrypoints/20-php-fpm.sh

@@ -1,5 +1,16 @@
 #!/bin/bash
 
+EP="sudo --preserve-env ep"; [ "$APP_ENV" = "dev" ] && EP+=" -v"
+TEMPLATE=/etc/php$PHP_INSTALL_VERSION/php-fpm.d/www.conf.ep
+TARGET=/etc/php$PHP_INSTALL_VERSION/php-fpm.d/www.conf
+
+if [ -f "$TEMPLATE" ]; then
+  echo "- Prepare PHP-FPM www.conf file..."
+
+  $EP "$TEMPLATE"
+  sudo mv "$TEMPLATE" "$TARGET"
+fi
+
 echo "Start up PHP-FPM..."
 
 sudo -E LD_PRELOAD=/usr/lib/preloadable_libiconv.so php-fpm -F -R &