diff --git a/README.md b/README.md
index 6733a41..e4e57bb 100644
--- a/README.md
+++ b/README.md
@@ -155,7 +155,8 @@ Required SP environment variables:
 * SIMPLESAMLPHP_ADMIN_PASSWORD - Password for the default admin user.
 * SIMPLESAMLPHP_MEMCACHED_SERVER - SimpleSAMLphp's SP cannot use the cookie cache as the wiki side SimpleSAMLphp extension will conflict with it. So we need to use a separate cache. For this purpose, we can just use the same Memcached server that the wiki uses.
 * SIMPLESAMLPHP_TRUSTED_DOMAIN - Enter the wiki's domain here so that the SP knows it is safe.
-* SIMPLESAMLPHP_BASEURL - Base URL for the SP. The SP needs to share the same domain as the wiki (or you run into cookie domain issues), so the base URL should be a path under the wiki domain.
+* SIMPLESAMLPHP_BASEURL - Base URL for the SP (no path). The SP needs to share the same domain as the wiki (or you run into cookie domain issues), so the base URL should just be the wiki domain with an http:// or https:// prefix. This config lets SimpleSAMLphp knows it's running externally on https even if internally the backend server is plain http, such as when behind a load balancer/reverse proxy.
+* SIMPLESAMLPHP_BASEURLPATH - Base URL plus the path for the SP.
 * SIMPLESAMLPHP_SP_ENTITY_ID - The identifier that the SP uses to identify itself
 * SIMPLESAMLPHP_IDP_ENTITY_ID - The target IDP's identifier.
 * SIMPLESAMLPHP_IDP_METADATA_URL - URL where we can get the IDP's metadata.
diff --git a/docker-compose.yml b/docker-compose.yml
index 8ff0ba2..f869b4d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -43,7 +43,8 @@ services:
 SIMPLESAMLPHP_DEV: 1
 SIMPLESAMLPHP_MEMCACHED_SERVER: memcached
 SIMPLESAMLPHP_TRUSTED_DOMAIN: wiki.docker:8080
- SIMPLESAMLPHP_BASEURL: '_saml2/'
+ SIMPLESAMLPHP_BASEURL: 'http://wiki.docker:8080'
+ SIMPLESAMLPHP_BASEURLPATH: 'http://wiki.docker:8080/_saml2'
 SIMPLESAMLPHP_SP_ENTITY_ID: 'http://wiki.docker:8080/_saml2'
 SIMPLESAMLPHP_IDP_ENTITY_ID: 'http://idp.docker:8190'
 SIMPLESAMLPHP_IDP_METADATA_URL: 'http://idp.docker:8190/simplesaml/module.php/saml/idp/metadata'
diff --git a/docker/simplesamlphp/sp/config/config.php b/docker/simplesamlphp/sp/config/config.php
index fedbb92..2d53270 100644
--- a/docker/simplesamlphp/sp/config/config.php
+++ b/docker/simplesamlphp/sp/config/config.php
@@ -18,7 +18,10 @@
 exit("Set env var SIMPLESAMLPHP_TRUSTED_DOMAIN to the wiki's domain so SimpleSAMLphp knows it's safe.");
 }
 if (!isset($_ENV['SIMPLESAMLPHP_BASEURL'])) {
- exit("Set env var SIMPLESAMLPHP_BASEURL to the SP's expected base url, e.g.: https://wiki.ubc.ca/_saml2/");
+ exit("Set env var SIMPLESAMLPHP_BASEURL to the SP's expected base url, e.g.: https://wiki.ubc.ca");
+}
+if (!isset($_ENV['SIMPLESAMLPHP_BASEURLPATH'])) {
+ exit("Set env var SIMPLESAMLPHP_BASEURLPATH to the SP's expected path, e.g.: https://wiki.ubc.ca/_saml2/");
 }
 if (!is_dir('/var/www/simplesamlphp/cert')) {
 exit("Missing cert directory, generate key+cert and mount them into /var/www/simplesamlphp/cert");
@@ -55,7 +58,7 @@
 * external url, no matter where you come from (direct access or via the
 * reverse proxy).
 */
- 'baseurlpath' => $_ENV['SIMPLESAMLPHP_BASEURL'],
+ 'baseurlpath' => $_ENV['SIMPLESAMLPHP_BASEURLPATH'],
 
 /*
 * The 'application' configuration array groups a set configuration options
@@ -76,7 +79,7 @@
 * need to compute the right URLs yourself and pass them dynamically
 * to SimpleSAMLphp's API.
 */
- //'baseURL' => 'https://example.com',
+ 'baseURL' => $_ENV['SIMPLESAMLPHP_BASEURL'],
 ],
 
 /*
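Review bot: The new `SIMPLESAMLPHP_BASEURLPATH: 'http://wiki.docker:8080/_saml2'` has no trailing slash, while the value it replaces (`'_saml2/'`) and the example this same commit puts into config.php's exit message (`https://wiki.ubc.ca/_saml2/`) both end in one; as far as I recall the SimpleSAMLphp config template expects `baseurlpath` to end with a slash, so the dev value should be `SIMPLESAMLPHP_BASEURLPATH: 'http://wiki.docker:8080/_saml2/'` to match. The same gap shows up in the README hunk, which describes BASEURLPATH without stating the slash rule, and in the config.php `@@ -55` hunk, which passes the variable through verbatim. Because nothing validates the value, a missing slash would only surface as broken module URLs at request time rather than as a startup error, so either document the rule next to the variable or normalise it in config.php.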
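Review bot: The new `SIMPLESAMLPHP_BASEURLPATH` guard, like the `SIMPLESAMLPHP_BASEURL` one above it, only tests `isset`, so a variable that is exported but empty passes and becomes an empty `baseurlpath` (and, for BASEURL, an empty string fed to the `session.cookie.secure` check later in this file). `if (($_ENV['SIMPLESAMLPHP_BASEURLPATH'] ?? '') === '') {` rejects both the unset and the empty case with the same message, and the BASEURL check could be tightened the same way. The exit text here shows `https://wiki.ubc.ca/_saml2/` with a trailing slash, which is a useful cue for operators and should agree with what docker-compose.yml ships. These checks sit at the top level of the script, which continues beyond the hunk.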
@@ -389,8 +392,8 @@
 * must exist and be writable for SimpleSAMLphp. If set to something else, set
 * loggingdir above to 'null'.
 */
- 'logging.level' => SimpleSAML\Logger::NOTICE,
- 'logging.handler' => 'syslog',
+ 'logging.level' => SimpleSAML\Logger::INFO,
+ 'logging.handler' => 'stderr',
 
 /*
 * Specify the format of the logs. Its use varies depending on the log handler used (for instance, you cannot
@@ -656,7 +659,7 @@
 *
 * If unset, SimpleSAMLphp will try to automatically determine the right value
 */
- //'session.cookie.secure' => true,
+ 'session.cookie.secure' => str_starts_with($_ENV['SIMPLESAMLPHP_BASEURL'], 'https') ? true : false,
 
 /*
 * Set the SameSite attribute in the cookie.
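Review bot: The `? true : false` on the new `session.cookie.secure` line is redundant, since str_starts_with() already returns a bool, and matching the bare prefix `'https'` is looser than the scheme it means to detect; `'session.cookie.secure' => str_starts_with(strtolower($_ENV['SIMPLESAMLPHP_BASEURL']), 'https://'),` states the intent directly and also tolerates an upper-cased scheme, which would otherwise silently leave the Secure flag off. str_starts_with() requires PHP 8.0+, which the image presumably satisfies, but nothing in the diff pins the PHP version, so worth confirming. With this change the Secure flag now follows the operator-supplied external URL rather than what the backend observes, which is the intended reverse-proxy behaviour, but it also means a BASEURL mistakenly left as http:// on an https deployment would ship the session cookie without the Secure attribute, so the README entry for BASEURL should mention that consequence.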