    Update OpenSSL RSA bit length in docs · 4da9282c
    Guy Halse authored
    Change documentation from recommending 2048 bit keys to using 3072 bit
    keys.
    
    Given that we're recommending people generate ten-year keys, 2048 bit
    keys are probably a bit short. Almost all commercial certificate
    authorities now recommend 4096 bit keys, and eduGAIN requires 3072 bit
    keys for new federations.
    
    This change aligns the SimpleSAMLphp documentation with the lower
    eduGAIN requirement, since that still meets most standards bodies'
    recommendations for 2028 (ten years from now). cf.
    https://www.keylength.com/

Using HTTP-Artifact from a SimpleSAMLphp SP

This document describes how to use the HTTP-Artifact binding to receive authentication responses from the IdP.

Which binding the IdP uses when sending authentication responses is controlled by the ProtocolBinding option in the SP configuration. To make your Service Provider (SP) request that the IdP send its response using the HTTP-Artifact binding, set this option to the HTTP-Artifact binding URI.

In addition to selecting the binding, you must also add a private key and certificate to your SP. The SP uses them for SSL/TLS client authentication when it contacts the IdP over the back channel to resolve the artifact.

To generate a private key and a self-signed certificate, you may use the openssl command-line utility:

openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out sp.example.org.crt -keyout sp.example.org.pem

You can then add the private key and certificate to the SP configuration. When this is done, you can add the metadata of your SP to the IdP, and test the authentication.
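Before wiring the two files into the configuration, it is worth checking that the generated key really has the requested length and that the certificate was issued for that key. The script below is an added example, not part of the SimpleSAMLphp documentation; the host name sp.example.org, the output directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the SimpleSAMLphp docs): generate the SP key pair the
# same way the openssl command above does, then verify the key length and that
# the certificate carries the same public key before referencing the files in
# 'privatekey' / 'certificate'. Host name and directory are assumptions.
set -eu

# Generate a 3072-bit key and a ten-year self-signed certificate for host $2
# into directory $1 (-subj makes the openssl prompt non-interactive).
generate_sp_keypair() {
    dir="$1"; host="$2"
    openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes \
        -subj "/CN=$host" \
        -out "$dir/$host.crt" -keyout "$dir/$host.pem" 2>/dev/null
}

# Print the RSA modulus size in bits of the private key in $1
# (matches both "Private-Key: (3072 bit)" and "... (3072 bit, 2 primes)").
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Print "ok" when the key in $1 has at least $3 bits (default 3072) and the
# certificate in $2 was issued for it (moduli match); otherwise print why.
check_sp_keypair() {
    key="$1"; cert="$2"; min_bits="${3:-3072}"
    bits=$(key_bits "$key")
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "key is ${bits:-unreadable} bits, need at least $min_bits"
        return 1
    fi
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    if [ -z "$key_mod" ] || [ "$key_mod" != "$cert_mod" ]; then
        echo "certificate does not match private key"
        return 1
    fi
    echo ok
}
```

Run generate_sp_keypair followed by check_sp_keypair on the two files; anything other than "ok" means the pair should not be put into the SP configuration.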

Example configuration

'artifact-sp' => [
    'saml:SP',
    'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
    'privatekey' => 'sp.example.org.pem',
    'certificate' => 'sp.example.org.crt',
],

See the SP configuration reference for a description of the options.