    Remove 2.0 deprecations (#1281) · 2c8aa8a6
    Tim van Dijen authored
    * Remove deprecated classes
    
    * Remove support for certificate fingerprints
    
    * Remove many deprecated methods and pieces of code
    
    * Remove SAML1.1/Shib1.3 support
    
    * Remove many superfluous annotations
    
    * Update unit test to work with new PHPunit
    
    Closes #1268 
    Closes #1020 
    Closes #431 
    Closes #167 
    Closes #151 
sp.md 18.65 KiB

saml:SP

This authentication source is used to authenticate against SAML 2 IdPs.

Metadata

The metadata for your SP will be available from the federation page on your SimpleSAMLphp installation.

SimpleSAMLphp supports generating metadata with the MDUI and MDRPI metadata extensions and with entity attributes. See the documentation for those extensions for more details:

Parameters

These are parameters that can be used at runtime to control the authentication. All these parameters override the equivalent option from the configuration.

saml:AuthnContextClassRef : The AuthnContextClassRef that will be sent in the login request.

: Note: SAML 2 specific.

saml:AuthnContextComparison : The Comparison attribute of the AuthnContext that will be sent in the login request. This parameter won't be used unless saml:AuthnContextClassRef is set and contains one or more values. Possible values:

* `SAML2\Constants::COMPARISON_EXACT` (default)
* `SAML2\Constants::COMPARISON_BETTER`
* `SAML2\Constants::COMPARISON_MINIMUM`
* `SAML2\Constants::COMPARISON_MAXIMUM`

: Note: SAML 2 specific.

ForceAuthn : Set to true to force re-authentication of the user at the IdP, even if the user already has an SSO session there.

: Note: SAML 2 specific.

saml:idp : The entity ID of the IdP we should send an authentication request to.

isPassive : Send a passive authentication request (IsPassive set to true): the IdP must not interact with the user, so it either authenticates the user silently from an existing session or returns an error response.

: Note: SAML 2 specific.

saml:Extensions : The samlp:Extensions that will be sent in the login request.

: Note: SAML 2 specific.

saml:NameID : Add a Subject element with a NameID to the SAML AuthnRequest for the IdP. This must be a \SAML2\XML\saml\NameID object.

: Note: SAML 2 specific.

saml:NameIDPolicy : The format of the NameID we request from the IdP: an array in the form of [ 'Format' => the format, 'allowcreate' => true or false ]. Set to false instead of an array to omit sending any specific NameIDPolicy in the AuthnRequest.

: For compatibility purposes, null is equivalent to transient and a format can be defined as a string instead of an array. These variants are deprecated.

: Note: SAML 2 specific.

saml:Audience : Add a Conditions element to the SAML AuthnRequest containing an AudienceRestriction with one or more audiences.

: Note: SAML 2 specific.

Authentication data

Some SAML-specific attributes are available to the application after authentication. To retrieve these attributes, the application can use the getAuthData() function from the SP API. The following attributes are available:

saml:sp:IdP : The entityID of the IdP the user is authenticated against.

saml:sp:NameID : The NameID the user was issued by the IdP. This is an associative array with the various fields from the NameID.

saml:sp:SessionIndex : The SessionIndex we received from the IdP.
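The runtime parameters and the authentication data above fit together in one flow: the application passes the parameters to the login call and, once the user is back, reads the SAML-specific data before trusting the identifier. The following is an added example, not code from the SimpleSAMLphp documentation or source. It assumes a saml:SP authentication source named default-sp in config/authsources.php, a hypothetical IdP entity ID, the autoloader path, and that the NameID array uses the field names Format and Value; all of these are assumptions to adjust for your installation.

```php
<?php
// Added example, not part of the SimpleSAMLphp documentation.
// Assumptions: autoloader path (lib/ in 1.x, src/ in 2.x), an authsource
// named 'default-sp', and the IdP entity ID used below.
require_once '/var/simplesamlphp/lib/_autoload.php';

use SAML2\Constants;
use SimpleSAML\Auth\Simple;

// Hypothetical IdP entity ID; replace with the real one.
const EXPECTED_IDP = 'https://idp.example.org/saml2/idp/metadata.php';

$as = new Simple('default-sp');

// Runtime parameters override the equivalent options from authsources.php.
$as->requireAuth([
    // Route the request to one IdP instead of showing a discovery page.
    'saml:idp' => EXPECTED_IDP,
    // Ask for at least a password-protected transport; with MINIMUM the IdP
    // may answer with this or any stronger AuthnContext.
    'saml:AuthnContextClassRef' => [Constants::AC_PASSWORD_PROTECTED_TRANSPORT],
    'saml:AuthnContextComparison' => Constants::COMPARISON_MINIMUM,
    // Re-authenticate even if the user has an SSO session at the IdP,
    // e.g. before a sensitive operation.
    'ForceAuthn' => true,
    // Request a persistent identifier and do not let the IdP mint a new one.
    'saml:NameIDPolicy' => [
        'Format'      => Constants::NAMEID_PERSISTENT,
        'allowcreate' => false,
    ],
]);

// requireAuth() only returns once the user is authenticated; otherwise the
// browser was redirected to the IdP. Now read the SAML-specific auth data.
$idp          = $as->getAuthData('saml:sp:IdP');
$nameId       = $as->getAuthData('saml:sp:NameID');       // associative array
$sessionIndex = $as->getAuthData('saml:sp:SessionIndex'); // needed for SLO

// Defensive checks before the identifier is used for authorization:
// the assertion must come from the IdP we asked for and carry the NameID
// format we requested. The array keys 'Format' and 'Value' are assumed.
if ($idp !== EXPECTED_IDP) {
    throw new \RuntimeException('Authenticated against unexpected IdP: ' . $idp);
}
if (($nameId['Format'] ?? null) !== Constants::NAMEID_PERSISTENT) {
    throw new \RuntimeException('IdP did not honour the requested NameID format');
}

// Key the local account on IdP + NameID value, never on NameID value alone,
// since different IdPs may issue the same string.
$accountKey = $idp . '|' . ($nameId['Value'] ?? '');
```

The IdP check is belt-and-braces: the SP module already matches the response against the requested IdP, but the application is the place where the identifier becomes an authorization decision, so it should verify the assumptions it relies on rather than inherit them silently.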

Options

acs.Bindings : List of bindings the SP should support. If unset, all supported bindings are added to the generated metadata.

: Possible values:

* `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST`
* `urn:oasis:names:tc:SAML:1.0:profiles:browser-post`
* `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact`
* `urn:oasis:names:tc:SAML:1.0:profiles:artifact-01`
* `urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser`

assertion.encryption : Whether assertions received by this SP must be encrypted. The default value is FALSE. If this option is set to TRUE, unencrypted assertions will be rejected.

: Note that this option can be overridden for a specific IdP in saml20-idp-remote.

: Note: SAML 2 specific.

AssertionConsumerService : List of Assertion Consumer Services in the generated metadata. Specified in the array of arrays format as seen in the Metadata endpoints documentation.

attributes : List of attributes this SP requests from the IdP. This list will be added to the generated metadata.
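The options above are set per authentication source in config/authsources.php. The fragment below is an added example, not configuration shipped with SimpleSAMLphp, showing the hardened choice for each option discussed: encryption required (the default FALSE accepts plaintext assertions), a single advertised ACS binding, an explicit ACS endpoint list, and a requested-attributes list. The entity IDs, hostnames, file names and the entityID, idp, privatekey and certificate option names are assumptions not covered by the excerpt above; the key material is needed because an IdP can only encrypt to an SP that publishes a certificate.

```php
<?php
// Added example fragment of config/authsources.php; not the project's own
// configuration. Entity IDs, hostnames and file names are assumptions.
$config = [
    'default-sp' => [
        'saml:SP',
        'entityID' => 'https://sp.example.com/saml/metadata',            // assumed
        // Send the user to this IdP directly; unset to show a discovery page.
        'idp'      => 'https://idp.example.org/saml2/idp/metadata.php',  // assumed

        // Key pair in cert/ (assumed file names). The certificate is
        // published in metadata so the IdP can encrypt assertions to us.
        'privatekey'  => 'sp.key',
        'certificate' => 'sp.crt',

        // Weak default is FALSE: unencrypted assertions are accepted and
        // attribute values travel through the browser in the clear.
        // TRUE rejects any assertion that is not encrypted.
        'assertion.encryption' => true,

        // Advertise only HTTP-POST instead of every supported binding
        // (the default when unset), so no Artifact or SAML 1.0 endpoints
        // appear in the published metadata.
        'acs.Bindings' => [
            'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ],

        // Explicit Assertion Consumer Service list (array of arrays), so the
        // metadata contains exactly this endpoint. Path is assumed.
        'AssertionConsumerService' => [
            [
                'index'     => 0,
                'isDefault' => true,
                'Location'  => 'https://sp.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
                'Binding'   => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            ],
        ],

        // Attributes requested from the IdP; added to the generated metadata.
        // Ask only for what the application needs.
        'attributes' => [
            'urn:oid:0.9.2342.19200300.100.1.3',  // mail
            'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',   // eduPersonPrincipalName
        ],
    ],
];
```

After changing these options, regenerate and re-check the SP metadata from the federation page: the IdP operator works from that document, so an encryption requirement the metadata does not reflect (no encryption certificate, stale endpoints) will simply cause every login to be rejected. The page notes that assertion.encryption can be relaxed or tightened for a single IdP in saml20-idp-remote; keep the authsource value as the strict baseline and treat per-IdP exceptions as explicit, reviewed decisions.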