SimpleSAMLphp Identity Provider Advanced Topics
===============================================
<!--
This file is written in Markdown syntax.
For more information about how to use the Markdown syntax, read here:
http://daringfireball.net/projects/markdown/syntax
-->

* Version: `$Id$`

AJAX iFrame Single Log-Out
--------------------------
If you have read about the AJAX iFrame Single Log-Out approach at Andreas' blog and want to enable it, edit your `saml20-idp-hosted.php` metadata and add this configuration line for the IdP:

    'logouttype' => 'iframe',

Note that if you set this option after you have already shared metadata with Service Providers, you need to send them new metadata, because the automatically generated metadata will change.

Attribute Release Consent
-------------------------
The attribute release consent is documented in a separate document.

* [Documentation on the consent module](https://rnd.feide.no/content/consent-module)

IdP-first flow
--------------
If you do not want to start the SSO flow at the SP, you may use the IdP-first setup. To do this, redirect the user to the SSOService endpoint on the IdP with one parameter, `spentityid`, that matches the EntityId of the SP that the user should be logged into.

Here is an example of such a URL:

    https://sp.example.org/simplesaml/saml2/idp/SSOService.php?spentityid=dev.andreas.feide.no

When the IdP-first flow is used, an extra parameter is needed in the `saml20-sp-hosted` metadata: the `RelayState` parameter, which tells the SP which URL to redirect the user to after the user is successfully authenticated. This is typically the front page of your application. For example:

    'RelayState' => '/',
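
One way to generate the IdP-first link described above, as an added example that is not SimpleSAMLphp's own code: the host `idp.example.org`, the second entity ID, the list of known SPs, and the helper names `idpFirstUrl()` and `isLocalRelayState()` are assumptions. It percent-encodes `spentityid` (entity IDs are often URLs themselves) and checks that a `RelayState` value is a site-local path like the `'/'` shown above.

```php
<?php
// Added example; host names, entity IDs and helper names are constructed.

/**
 * Build an IdP-first SSO link for an SP the IdP has metadata for.
 *
 * @param string   $ssoService SSOService endpoint on the IdP
 * @param string   $spEntityId entity ID of the SP to log the user into
 * @param string[] $knownSps   entity IDs present in the IdP's SP metadata (assumed list)
 */
function idpFirstUrl(string $ssoService, string $spEntityId, array $knownSps): string
{
    if (parse_url($ssoService, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException('SSOService endpoint must use https');
    }
    // Refuse to build links for entity IDs that are not in the known list.
    if (!in_array($spEntityId, $knownSps, true)) {
        throw new InvalidArgumentException('Unknown SP entity ID: ' . $spEntityId);
    }
    // http_build_query() percent-encodes ':', '/', '?' and '&', so an entity ID
    // that is itself a URL arrives at the IdP as one intact parameter value.
    $query = http_build_query(['spentityid' => $spEntityId], '', '&', PHP_QUERY_RFC3986);
    return $ssoService . '?' . $query;
}

/**
 * Check that a RelayState value is a path on the SP's own site:
 * one leading '/', not '//' or '/\', and no backslashes or control characters.
 */
function isLocalRelayState(string $relayState): bool
{
    return preg_match('#^/(?![/\\\\])[^\\\\\x00-\x1f]*\z#', $relayState) === 1;
}

$sso   = 'https://idp.example.org/simplesaml/saml2/idp/SSOService.php';
$known = ['dev.andreas.feide.no', 'https://sp.example.org/saml?tenant=a&env=test'];

foreach ($known as $sp) {
    echo idpFirstUrl($sso, $sp, $known), PHP_EOL;
}

// Candidate 'RelayState' values for the saml20-sp-hosted metadata (constructed).
foreach (['/', '/app/start', '//other.example/', 'https://other.example/'] as $rs) {
    echo var_export($rs, true), ' => ', isLocalRelayState($rs) ? 'local' : 'rejected', PHP_EOL;
}
```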