Newer
Older
`saml:SP`
=========
This authentication source is used to authenticate against SAML 1 and SAML 2 IdPs.
Metadata
--------
The metadata for your SP will be available from the federation page on your simpleSAMLphp installation.
These are parameters that can be used at runtime to control the authentication.
All these parameters override the equivalent option from the configuration.
`saml:AuthnContextClassRef`
: The AuthnContextClassRef that will be sent in the login request.
: *Note*: SAML 2 specific.
`saml:ForceAuthn`
: Force authentication allows you to force re-authentication of users even if the user has a SSO session at the IdP.
: *Note*: SAML 2 specific.
`saml:idp`
: The entity ID of the IdP we should send an authentication request to.
: Send a passive authentication request.
: *Note*: SAML 2 specific.
`saml:NameIDPolicy`
: The format of the NameID we request from the IdP.
Defaults to the transient format if unspecified.
: *Note*: SAML 2 specific.
Here we will list some examples for this authentication source.
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
### Minimal
'example-minimal' => array(
'saml:SP',
),
### Connecting to a specific IdP
'example' => array(
'saml:SP',
'idp' => 'https://idp.example.net/',
),
### Using a specific entity ID
'example' => array(
'saml:SP',
'entityID' => 'https://sp.example.net',
),
### Encryption and signing
This SP will accept encrypted assertions, and will sign and validate all messages.
'example-enc' => array(
'saml:SP',
'certificate' => 'example.crt',
'privatekey' => 'example.key',
'privatekey_pass' => 'secretpassword',
'redirect.sign' => TRUE,
'redirect.validate' => TRUE,
),
### Requesting a specific authentication method.
$auth = new SimpleSAML_Auth_Simple('default-sp');
$auth->login(array(
'saml:AuthnContextClassRef' => 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password',
));
`assertion.encryption`
: Whether assertions received by this SP must be encrypted. The default value is `FALSE`.
If this option is set to `TRUE`, unencrypted assertions will be rejected.
: Note that this option can be overridden for a specific IdP in saml20-idp-remote.
: *Note*: SAML 2 specific.
`attributes`
: List of attributes this SP requests from the IdP.
This list will be added to the generated metadata.
: The attributes will be added without a `NameFormat` by default.
Use the `attributes.NameFormat` option to specify the `NameFormat` for the attributes.
: *Note*: This list will only be added to the metadata if the `name`-option is also specified.
`attributes.NameFormat`
: The `NameFormat` for the requested attributes.
`AuthnContextClassRef`
: The SP can request authentication with a specific authentication context class.
One example of usage could be if the IdP supports both username/password authentication as well as software-PKI.
: *Note*: SAML 2 specific.
`authproc`
: Processing filters that should be run after SP authentication.
See the [authentication processing filter manual](simplesamlphp-authproc).
`certData`
: Base64 encoded certificate data. Can be used instead of the `certificate` option.
`certificate`
: File name of certificate for this SP. This certificate will be included in generated metadata.
`description`
: A description of this SP.
Will be added to the generated metadata, in an AttributeConsumingService element.
: This option can be translated into multiple languages by specifying the value as an array of language-code to translated description:
'description' => array(
'en' => 'A service',
'no' => 'En tjeneste',
),
: *Note*: For this to be added to the metadata, you must also specify the `attributes` and `name` options.
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
`discoURL`
: Set which IdP discovery service this SP should use.
If this is unset, the IdP discovery service specified in the global option `idpdisco.url.{saml20|shib13}` in `config/config.php` will be used.
If that one is also unset, the builtin default discovery service will be used.
`entityID`
: The entity ID this SP should use.
: If this option is unset, a default entity ID will be generated.
The generated entity ID will be a URL where the metadata of this SP can be downloaded.
`ForceAuthn`
: Force authentication allows you to force re-authentication of users even if the user has a SSO session at the IdP.
: *Note*: SAML 2 specific.
`idp`
: The entity ID this SP should connect to.
: If this option is unset, an IdP discovery service page will be shown.
`IsPassive`
: IsPassive allows you to enable passive authentication by default for this SP.
: *Note*: SAML 2 specific.
`name`
: The name of this SP.
Will be added to the generated metadata, in an AttributeConsumingService element.
: This option can be translated into multiple languages by specifying the value as an array of language-code to translated name:
'name' => array(
'en' => 'A service',
'no' => 'En tjeneste',
),
: *Note*: You must also specify at least one attribute in the `attributes` option for this element to be added to the metadata.
`NameIDPolicy`
: The format of the NameID we request from the IdP.
Defaults to the transient format if unspecified.
: *Note 1*: This option replaces the `NameIDFormat` option found in `saml20-sp-hosted`.
: *Note 2*: SAML 2 specific.
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
`OrganizationName`
: The name of the organization responsible for this SP.
This name does not need to be suitable for display to end users.
: This option can be translated into multiple languages by specifying the value as an array of language-code to translated name:
'OrganizationName' => array(
'en' => 'Example organization',
'no' => 'Eksempel organisation',
),
: *Note*: If you specify this option, you must also specify the `OrganizationURL` option.
`OrganizationDisplayName`
: The name of the organization responsible for this SP.
This name must be suitable for display to end users.
If this option isn't specified, `OrganizationName` will be used instead.
: This option can be translated into multiple languages by specifying the value as an array of language-code to translated name.
: *Note*: If you specify this option, you must also specify the `OrganizationName` option.
`OrganizationURL`
: An URL the end user can access for more information about the organization.
: This option can be translated into multiple languages by specifying the value as an array of language-code to translated URL.
: *Note*: If you specify this option, you must also specify the `OrganizationName` option.
`privatekey`
: File name of private key to be used for signing messages and decrypting messages from the IdP. This option is only required if you use encrypted assertions or if you enable signing of messages.
: *Note*: SAML 2 specific.
`privatekey_pass`
: The passphrase for the private key, if it is encrypted. If the private key is unencrypted, this can be left out.
: *Note*: SAML 2 specific.
`saml1.useartifact`
: Request that the IdP returns the result to the artifact binding.
The default is to use the POST binding, set this option to TRUE to use the artifact binding instead.
: This option can also be set in the `shib13-idp-remote` metadata, in which case the setting in `shib13-idp-remote` takes precedence.
: *Note*: SAML 1 specific.
`redirect.sign`
: Whether authentication requests, logout requests and logout responses sent from this SP should be signed. The default is `FALSE`.
: *Note*: SAML 2 specific.
`redirect.validate`
: Whether logout requests and logout responses received received by this SP should be validated. The default is `FALSE`.
: *Note*: SAML 2 specific.
`RelayState`
: The page the user should be redirected to after an IdP initiated SSO.
: *Note*: SAML 2 specific.
`url`
: An URL to your service provider. Will be added as an OrganizationURL-element in the metadata.
: This option can be translated into multiple languages by specifying the value as an array of language-code to language-specific URL:
'url' => array(
'en' => 'http://sp.example.net/en/info.html',
'no' => 'http://sp.example.net/no/info.html',
),