simplesamlphp-reference-idp-hosted.md 15.92 KiB

IdP hosted metadata reference
=============================

This is a reference for the metadata file `metadata/saml20-idp-hosted.php`. The file has the following format:

    <?php
    /* The index of the array is the entity ID of this IdP. */
    $metadata['entity-id-1'] = [
        'host' => 'idp.example.org',
        /* Configuration options for the first IdP. */
    ];
    $metadata['entity-id-2'] = [
        'host' => '__DEFAULT__',
        /* Configuration options for the default IdP. */
    ];
    /* ... */

The entity ID should be a URI. It can also be of the form `__DYNAMIC:1__`, `__DYNAMIC:2__`, .... In that case, the entity ID will be generated automatically.

The `host` option is the hostname of the IdP, and will be used to select the correct configuration. One entry in the metadata list can have the host `__DEFAULT__`. This entry will be used when no other entry matches.
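As an added example (not from the SimpleSAMLphp documentation or code base), here is a complete `metadata/saml20-idp-hosted.php` with one host-specific entry and one `__DEFAULT__` entry, followed by a stand-in resolver that applies the selection rule just described. The entity IDs, hostnames, certificate file names and the `example-userpass` authentication source are assumptions made for this example, and the resolver is illustrative only; SimpleSAMLphp's own metadata handler performs the real lookup.

```php
<?php
// Added example, not SimpleSAMLphp code: a complete metadata/saml20-idp-hosted.php
// with a host-specific entry and a __DEFAULT__ fallback, plus a stand-in resolver
// that applies the host-selection rule described in the reference. Entity IDs,
// hostnames, certificate names and the 'example-userpass' auth source are constructed.

$metadata = [
    'https://idp.example.org/saml2/idp/metadata.php' => [
        'host'        => 'idp.example.org',        // matched against the request host
        'certificate' => 'idp.example.org.crt',    // relative to cert/
        'auth'        => 'example-userpass',
    ],
    'https://idp.example.org/default/metadata.php' => [
        'host'        => '__DEFAULT__',            // used when no host matches
        'certificate' => 'default.crt',
        'auth'        => 'example-userpass',
    ],
];

/**
 * Pick the hosted-IdP entry for a request host, the way the reference describes
 * it: an entry whose 'host' equals the request host wins; otherwise the entry
 * with host '__DEFAULT__' is used; null if neither exists. Illustrative stand-in
 * for SimpleSAMLphp's own metadata handler, not its code.
 */
function selectHostedIdp(array $metadata, string $requestHost): ?array
{
    $default = null;
    foreach ($metadata as $entityId => $entry) {
        $host = $entry['host'] ?? null;
        if ($host === $requestHost) {
            return ['entityId' => $entityId] + $entry;
        }
        if ($host === '__DEFAULT__' && $default === null) {
            $default = ['entityId' => $entityId] + $entry;
        }
    }
    return $default;
}

// Exact hostname match takes precedence over the fallback entry.
$selected = selectHostedIdp($metadata, 'idp.example.org');
echo "idp.example.org -> {$selected['entityId']}", PHP_EOL;

// A host without its own entry is answered by the __DEFAULT__ entry.
$fallback = selectHostedIdp($metadata, 'sso.example.net');
echo "sso.example.net -> {$fallback['entityId']} (host {$fallback['host']})", PHP_EOL;
```

Because the `__DEFAULT__` entry answers for every hostname that has no entry of its own, check that the certificate and authentication source it carries are the ones you intend to expose on all of the IdP's virtual hosts, not only on the one you tested.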

Common options
--------------

`auth`
:   Which authentication module should be used to authenticate users on this IdP.

`authproc`
:   Used to manipulate attributes, and limit access for each SP. See the authentication processing filter manual.

`certificate`
:   Certificate file which should be used by this IdP, in PEM format. The filename is relative to the `cert/` directory.

`contacts`
:   Specify contacts in addition to the technical contact configured through `config/config.php`. For example, specifying a support contact:

	'contacts' => [
	    [
	        'contactType'       => 'support',
	        'emailAddress'      => 'support@example.org',
	        'givenName'         => 'John',
	        'surName'           => 'Doe',
	        'telephoneNumber'   => '+31(0)12345678',
	        'company'           => 'Example Inc.',
	    ],
	],

:   If you have support for a trust framework that requires extra attributes on the contact person element in your IdP metadata (for example, SIRTFI), you can specify an array of attributes on a contact.

	'contacts' => [
	    [
	        'contactType'       => 'other',
	        'emailAddress'      => 'mailto:abuse@example.org',
	        'givenName'         => 'John',
	        'surName'           => 'Doe',
	        'telephoneNumber'   => '+31(0)12345678',
	        'company'           => 'Example Inc.',
	        'attributes'        => [
	            'xmlns:remd'        => 'http://refeds.org/metadata',
	            'remd:contactType'  => 'http://refeds.org/metadata/contactType/security',
	        ],
	    ],
	],

`host`
:   The hostname for this IdP. One IdP can also have the `host` option set to `__DEFAULT__`, and that IdP will be used when no other entry in the metadata matches.

`logouttype`
:   The logout handler to use. Either `iframe` or `traditional`. `traditional` is the default.

`OrganizationName`, `OrganizationDisplayName`, `OrganizationURL`
:   The name and URL of the organization responsible for this IdP. You need to either specify all three or none of these options.

:   The Name does not need to be suitable for display to end users, but the DisplayName should be. The URL is a website the user can access for more information about the organization.

:   This option can be translated into multiple languages by specifying the value as an array of language code to translated name:

    'OrganizationName' => [
        'en' => 'Voorbeeld Organisatie Foundation b.a.',
        'nl' => 'Stichting Voorbeeld Organisatie b.a.',
    ],
    'OrganizationDisplayName' => [
        'en' => 'Example organization',
        'nl' => 'Voorbeeldorganisatie',
    ],
    'OrganizationURL' => [
        'en' => 'https://example.com',
        'nl' => 'https://example.com/nl',
    ],
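The rules stated in this reference (entity ID must be a URI or `__DYNAMIC:n__`, a `certificate` file name relative to `cert/`, `logouttype` limited to `iframe` or `traditional`, the all-three-or-none rule for the `Organization*` options with string-or-translation-map values, and a single `__DEFAULT__` host) can be checked before a metadata file is deployed. The lint script below is an added example and not part of SimpleSAMLphp; its check functions, the temporary `cert/` directory, the `example-userpass` authentication source and the two sample entries (one consistent, one deliberately broken) are constructed for it.

```php
<?php
// Added example, not SimpleSAMLphp code: lint saml20-idp-hosted.php entries
// against the rules stated in this reference. All sample data is constructed.
declare(strict_types=1);

/** Problems found in one hosted-IdP entry; an empty array means it is consistent. */
function checkHostedIdpEntry(string $entityId, array $entry, string $certDir): array
{
    $problems = [];
    // The entity ID must be a URI or one of the generated __DYNAMIC:n__ forms.
    $isUri     = filter_var($entityId, FILTER_VALIDATE_URL) !== false;
    $isDynamic = preg_match('/^__DYNAMIC:\d+__$/', $entityId) === 1;
    if (!$isUri && !$isDynamic) {
        $problems[] = "entity ID '$entityId' is neither a URI nor of the form __DYNAMIC:n__";
    }
    // 'certificate' is a PEM file named relative to the cert/ directory.
    if (isset($entry['certificate']) && !is_file(rtrim($certDir, '/') . '/' . $entry['certificate'])) {
        $problems[] = "certificate '{$entry['certificate']}' not found under $certDir";
    }
    // Only the two documented logout handlers are valid.
    if (isset($entry['logouttype']) && !in_array($entry['logouttype'], ['iframe', 'traditional'], true)) {
        $problems[] = "'logouttype' must be 'iframe' or 'traditional'";
    }
    // The three Organization* options are set together or not at all; each is
    // a plain string or a non-empty map of language code => translated string.
    $orgKeys = ['OrganizationName', 'OrganizationDisplayName', 'OrganizationURL'];
    $present = array_values(array_filter($orgKeys, fn(string $k) => isset($entry[$k])));
    if ($present !== [] && count($present) !== count($orgKeys)) {
        $problems[] = 'OrganizationName, OrganizationDisplayName and OrganizationURL must all be set, or none';
    }
    foreach ($present as $k) {
        $v = $entry[$k];
        if (is_string($v)) {
            continue;
        }
        $validMap = is_array($v) && $v !== [];
        foreach ((array) $v as $lang => $text) {
            $validMap = $validMap && is_string($lang) && is_string($text);
        }
        if (!$validMap) {
            $problems[] = "$k must be a string or a map of language code => string";
        }
    }
    // Every contact needs a contactType (this reference uses 'support' and 'other').
    foreach ($entry['contacts'] ?? [] as $i => $contact) {
        if (!is_array($contact) || empty($contact['contactType'])) {
            $problems[] = "contacts[$i] has no 'contactType'";
        }
    }
    return $problems;
}

/** Cross-entry rule: at most one entry may use host '__DEFAULT__'. */
function checkHostedIdpFile(array $metadata, string $certDir): array
{
    $problems = [];
    $defaults = 0;
    foreach ($metadata as $entityId => $entry) {
        foreach (checkHostedIdpEntry((string) $entityId, $entry, $certDir) as $p) {
            $problems[] = "$entityId: $p";
        }
        $defaults += (($entry['host'] ?? null) === '__DEFAULT__') ? 1 : 0;
    }
    if ($defaults > 1) {
        $problems[] = "$defaults entries use host '__DEFAULT__'; only one fallback entry is allowed";
    }
    return $problems;
}

// Constructed sample: a temporary cert/ directory holding one certificate file.
$certDir = sys_get_temp_dir() . '/idp-hosted-lint-' . getmypid();
mkdir($certDir);
touch("$certDir/idp.example.org.crt");

$metadata = [
    'https://idp.example.org/saml2/idp/metadata.php' => [  // consistent entry
        'host'                    => 'idp.example.org',
        'certificate'             => 'idp.example.org.crt',
        'auth'                    => 'example-userpass',
        'OrganizationName'        => ['en' => 'Example organization'],
        'OrganizationDisplayName' => ['en' => 'Example organization'],
        'OrganizationURL'         => ['en' => 'https://example.com'],
    ],
    'not-a-uri' => [                                       // deliberately broken entry
        'host'             => '__DEFAULT__',
        'certificate'      => 'missing.crt',
        'logouttype'       => 'popup',
        'OrganizationName' => 'Example Inc.',               // DisplayName and URL missing
        'contacts'         => [['emailAddress' => 'support@example.org']],
    ],
];

foreach (checkHostedIdpFile($metadata, $certDir) as $problem) {
    echo $problem, PHP_EOL;
}
unlink("$certDir/idp.example.org.crt");
rmdir($certDir);
```

Run it with `php` from the command line; the first entry produces no output, while the second reports each rule it breaks, one line per problem. The check only inspects the structure of the array, so it is safe to run against a production file without loading SimpleSAMLphp itself.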