diff --git a/docs/simplesamlphp-bridge.html b/docs/simplesamlphp-bridge.html
new file mode 100644
index 0000000000000000000000000000000000000000..e65afc6e786eea2eeda3288ec5ee3eed217d2555
--- /dev/null
+++ b/docs/simplesamlphp-bridge.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Using simpleSAMLphp as a SAML bridge</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721994"></a>Using simpleSAMLphp as a SAML bridge</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Ă…kre</span> <span class="surname">Solberg</span></h3><code class="email">&lt;<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>&gt;</code></div></div><div><p class="pubdate">Mon Oct 15 16:53:14 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856632">Setting up WebSSO bridges</a></span></dt><dd><dl><dt><span class="section"><a href="#id856643">Bridging SAML 2.0 &lt;-&gt; SAML 2.0</a></span></dt><dt><span class="section"><a href="#id856690">Bridging Shibboleth 1.3 &lt;-&gt; Shibboleth 1.3</a></span></dt><dt><span class="section"><a href="#id856701">Bridging Shibboleth 1.3 &lt;-&gt; SAML 2.0</a></span></dt><dt><span class="section"><a href="#id856712">Bridging SAML 2.0 &lt;-&gt; Shibboleth 1.3</a></span></dt><dt><span class="section"><a href="#id856721">Bridging SAML 2.0 &lt;-&gt; OpenID</a></span></dt><dt><span class="section"><a href="#id856731">Bridging Shibboelth 1.3 &lt;-&gt; OpenID</a></span></dt></dl></dd></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856632"></a>Setting up WebSSO bridges</h2></div></div></div><p>simpleSAMLphp can be used to bridge between two WebSSO protocols.
+    Here is some short descriptions of how to setup the different bridge
+    configurations.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856643"></a>Bridging SAML 2.0 &lt;-&gt; SAML 2.0</h3></div></div></div><p>In this setup you can bridge between two federations using SAML
+      2.0.</p><p>To approach this, you must configure both saml 2.0 IdP and SP
+      hosted metadata, and in the IdP hosted metadata configure the auth
+      parameter to be the SP initialization endpoint, like this:</p><pre class="screen">		'auth'				=&gt;	'saml2/sp/initSSO.php?idpentityid=sam.feide.no'</pre><p>As you can see you specify the IdP in the remote federation as a
+      parameter to the initalization endpoint.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This section of the documentation is only a placeholder. There
+        will be more detailed information added later. For now, ask the author
+        if you want more details of such a setup.</p><p>Briding SAML 2.0 SLO is not implemented. Will be improved
+        soon.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856690"></a>Bridging Shibboleth 1.3 &lt;-&gt; Shibboleth 1.3</h3></div></div></div><p>Documentation will be added.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856701"></a>Bridging Shibboleth 1.3 &lt;-&gt; SAML 2.0</h3></div></div></div><p>Documentation will be added.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856712"></a>Bridging SAML 2.0 &lt;-&gt; Shibboleth 1.3</h3></div></div></div><p>Documentation will be added.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856721"></a>Bridging SAML 2.0 &lt;-&gt; OpenID</h3></div></div></div><p>Documentation will be added.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856731"></a>Bridging Shibboelth 1.3 &lt;-&gt; OpenID</h3></div></div></div><p>Documentation will be added.</p></div></div></div></body></html>
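Review bot: The note in the "Bridging SAML 2.0 <-> SAML 2.0" section says SLO bridging is not implemented but not what an operator should expect at logout. Since this is the only behavioural caveat on the page, state whether a logout at the bridge leaves the session at the remote IdP, and at the SPs behind the bridge, in place. The `'auth'` example uses `idpentityid=sam.feide.no` as a bare literal; add a sentence that this is the entity ID of the IdP in the remote federation so readers do not copy it unchanged. Spelling in this file: "initalization", "Briding", and "Shibboelth" (in both the table of contents and the section heading). The author's first name renders as "Andreas Ă…kre" in the titlepage although the charset is declared UTF-8, so fix the encoding in the DocBook source and regenerate.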
diff --git a/docs/simplesamlphp-idp.html b/docs/simplesamlphp-idp.html
new file mode 100644
index 0000000000000000000000000000000000000000..7558c976139eeff5b2a0a73413240a8e8276a792
--- /dev/null
+++ b/docs/simplesamlphp-idp.html
@@ -0,0 +1,103 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Using simpleSAMLphp as an identity provider</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721993"></a>Using simpleSAMLphp as an identity provider</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Ă…kre</span> <span class="surname">Solberg</span></h3><code class="email">&lt;<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>&gt;</code></div></div><div><p class="pubdate">Mon Oct 15 16:54:09 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856631">Authentication modules</a></span></dt><dd><dl><dt><span class="section"><a href="#id856727">Configuring the LDAP authentication module</a></span></dt><dt><span class="section"><a href="#id856794">Configuring the multi-LDAP authenticaiton module</a></span></dt></dl></dd><dt><span class="section"><a href="#id856819">Setting up a SSL signing certificate</a></span></dt><dt><span class="section"><a href="#id856875">Configuring metadata for an SAML 2.0 IdP</a></span></dt><dd><dl><dt><span class="section"><a href="#id856896">Configuring SAML 2.0 IdP Hosted metadata</a></span></dt><dt><span class="section"><a href="#id857020">Configuring SAML 2.0 SP Remote metadata</a></span></dt></dl></dd><dt><span class="section"><a href="#id857152">Configuring metadata for a Shibboleth 1.3 IdP</a></span></dt><dt><span class="section"><a href="#id857176">Test IdP</a></span></dt><dt><span class="appendix"><a href="#id857198">A. 
Writing your own authentication module</a></span></dt><dd><dl><dt><span class="section"><a href="#id857224">Authentication API</a></span></dt></dl></dd></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856631"></a>Authentication modules</h2></div></div></div><p>In the <code class="filename">www/auth</code> directory, you see multiple
+    files, each representing an authentication module. In the IdP hosted
+    metadata configuration you specify which authentication module that should
+    be used for that specific IdP. You can implement your own authentication
+    module, see ???.</p><p>These authentication modules are included:</p><div class="glosslist"><dl><dt>auth/login.php</dt><dd><p>This is the standard LDAP backend authentication module, it
+          uses LDAP configuration from the config.php file.</p></dd><dt>auth/login-ldapmulti.php</dt><dd><p>This authentication module lets you connect to multiple LDAPS
+          depending on what organization the user selects in the login
+          form.</p></dd><dt>auth/login-radius.php</dt><dd><p>This authentication module will authenticate users against an
+          RADIUS server instead of LDAP.</p></dd><dt>auth/login-auto.php</dt><dd><p>This module will automatically login the user with some test
+          details. You can use this to test the IdP functionality if you do
+          not have</p><p>This module is not completed yet. Work in progress.</p></dd></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856727"></a>Configuring the LDAP authentication module</h3></div></div></div><p>The LDAP module is <code class="filename">auth/login.php</code>.</p><p>If you want to perform local authentication on this server, and
+      you want to use the LDAP authenticaiton plugin, then you need to
+      configure the following parameters in
+      <code class="filename">config.php</code>:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">auth.ldap.dnpattern</code>: What DN should you
+          bind to? Replacing %username% with the username the user types
+          in.</p></li><li><p><code class="literal">auth.ldap.hostname</code>: The hostname of the
+          LDAP server</p></li><li><p><code class="literal">auth.ldap.attributes</code>: Search parameter to
+          LDAP. What attributes should be extracted?
+          <code class="literal">objectclass=*</code> gives you all.</p></li></ul></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856794"></a>Configuring the multi-LDAP authenticaiton module</h3></div></div></div><p>The module is
+      <code class="filename">auth/login-ldapmulti.php</code>.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Documentation will be added later. For now, contact the
+        author.</p></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856819"></a>Setting up a SSL signing certificate</h2></div></div></div><p>For test purposes, you can skip this section, and use the included
+    certificate.</p><p>For a production system, uou must generate a new certificate for
+    your IdP. </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>There is a certificate that follows this package that you can use
+      for test purposes, but off course <span class="emphasis"><em>NEVER</em></span> use this in
+      production as the private key is also included in the package and can be
+      downloaded by anyone.</p></div><p>Here is an examples of openssl commands to generate a new key and a
+    selfsigned certificate to use for signing SAML messages:</p><pre class="screen">openssl genrsa -des3 -out server2.key 1024 
+openssl rsa -in server2.key -out server2.pem
+openssl req -new -key server.key -out server2.csr
+openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt</pre><p>The certificate above will be valid for 60 days.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>simpleSAMLphp will only work with RSA and not DSA
+      certificates.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856875"></a>Configuring metadata for an SAML 2.0 IdP</h2></div></div></div><p>If you want to setup a SAML 2.0 IdP you need to configure two
+    metadata files: <code class="filename">saml20-idp-hosted.php</code> and
+    <code class="filename">saml20-sp-remote.php</code>.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856896"></a>Configuring SAML 2.0 IdP Hosted metadata</h3></div></div></div><p>This is the configuration of the IdP itself. Here is some example
+      config:</p><pre class="programlisting">	// The SAML entity ID is the index of this config.
+	'idp.example.org' =&gt; array(
+	
+		// The hostname of the server (VHOST) that this SAML entity will use.
+		'host'				=&gt;	'sp.example.org',
+		
+		// X.509 key and certificate. Relative to the cert directory.
+		'privatekey'		=&gt;	'server.pem',
+		'certificate'		=&gt;	'server.crt',
+		
+		/* If base64attributes is set to true, then all attributes will be base64 encoded. Make sure
+		 * that you set the SP to have the same value for this.
+		 */
+		'base64attributes'	=&gt;	false,
+		
+		// Authentication plugin to use. login.php is the default one that uses LDAP.
+		'auth'				=&gt;	'auth/login.php'
+	)</pre><p>Here are some details of each of the parameters:</p><div class="glosslist"><dl><dt>index (index of array)</dt><dd><p>The entity ID of the IdP. In this example this value is set
+            to: <code class="literal">idp.example.org</code>.</p></dd><dt>host</dt><dd><p>The hostname of the server running this IdP.</p></dd><dt>privatekey</dt><dd><p>Pointing to the private key in PEM format, in the certs
+            directory.</p></dd><dt>certificate</dt><dd><p>Pointing to the certificate file in PEM format, in the certs
+            directory.</p></dd><dt>base64attributes</dt><dd><p>Do you want to encode all attributes in base64? If so,
+            remember to turn on the same option on the SP.</p></dd><dt>auth</dt><dd><p>Which authentication module to use? Default is:
+            <code class="filename">auth/login.php</code> which is the LDAP
+            authentication module.</p></dd></dl></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857020"></a>Configuring SAML 2.0 SP Remote metadata</h3></div></div></div><p>Here (saml20-sp-remote.php) you configure all SPs that you trust.
+      Here is an example:</p><pre class="programlisting">	/*
+	 * Example simpleSAMLphp SAML 2.0 SP
+	 */
+	'saml2sp.example.org' =&gt; array(
+ 		'AssertionConsumerService'		=&gt;	'https://saml2sp.example.org/simplesaml/saml2/sp/AssertionConsumerService.php', 
+ 		'SingleLogoutService'			=&gt;	'https://saml2sp.example.org/simplesaml/saml2/sp/SingleLogoutService.php',
+		'spNameQualifier' 				=&gt;	'dev.andreas.feide.no',
+		'ForceAuthn'					=&gt;	'false',
+		'NameIDFormat'					=&gt;	'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+		'simplesaml.attributes'			=&gt;	true
+	),</pre><p>Here are some details about each of the parameters:;</p><div class="glosslist"><dl><dt>index (index of array)</dt><dd><p>The entity ID of the given SP. Here it is:
+            <code class="literal">saml2sp.example.org</code>.</p></dd><dt>AssertionConsumerService</dt><dd><p>The URL of this SAML 2.0 endpoint. Ask the SP if you are
+            unsure. If the SP sent you SAML 2.0 metadata, you can find the
+            parameter in there.</p></dd><dt>SingleLogoutService</dt><dd><p>The URL of this SAML 2.0 endpoint. Ask the SP if you are
+            unsure. If the SP sent you SAML 2.0 metadata, you can find the
+            parameter in there.</p></dd><dt>spNameQualifier</dt><dd><p>The SP NameQualifier for this SP. If unsure, set it to the
+            same as the entityID.</p></dd><dt>ForceAuthn</dt><dd><p>This basicly means you turn off SSO for this SP.</p></dd><dt>NameIDFormat</dt><dd><p>Set it to the default: transient.</p></dd><dt>simplesaml.attributes</dt><dd><p>Set to true to include attribtues, if not no attribute
+            statements will be sent.</p></dd></dl></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857152"></a>Configuring metadata for a Shibboleth 1.3 IdP</h2></div></div></div><p>You need to configure the <code class="filename">shib13-idp-hosted.php</code>
+    metadata, as well as the list of trusted SPs in the
+    <code class="filename">shib13-sp-remote-php</code> metadata. This configuration is
+    very similar to the SAML 2.0 metadata mentioned in the previous section,
+    so go look there for now.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857176"></a>Test IdP</h2></div></div></div><p>To test the IdP, it is best to configure two hosts with
+    simpleSAMLphp, and use the SP demo example to test the IdP.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>To make the initial test up and running with minimal hassle, use
+      the login-auto if you do not want to setup a user storage, and use the
+      included cert so you do not need to create a new certificate.</p></div></div><div class="appendix" lang="en" xml:lang="en"><h2 class="title" style="clear: both"><a id="id857198"></a>A. Writing your own authentication module</h2><p>You can write your own authentication module. Just copy one of the
+    files in the www/auth directory and play with it, then configure an IdP to
+    use that module with the auth parameter in the metadata. The file must
+    support incoming URL parameters, massage the session object with login
+    state information and return to the RelayState, and that is all you need
+    to do!</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>Instead of changing the code of the builtin authentication module,
+      copy it into a new file and edit that. That way, your module will not be
+      replaced or in conflict when you upgrade simpleSAMLphp to a newer
+      version.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857224"></a>Authentication API</h3></div></div></div><p>The authentication plugin should be placed in the auth
+      directory.</p><p>The following parameters must be accepted in the incomming
+      URL:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">RelayState</code>: This is the URL that the user
+          should be sent back to after authentication within the
+          plugin.</p></li><li><p><code class="literal">RequestID</code>: This is the ID of an incomming
+          request.</p></li></ul></div><p>The initSSO.php takes in addition the following parameters:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">idpentityid</code>: This is the entityid of the
+          IdP to authenticate with. This parameter is optional, if not set the
+          default for this host will be used.</p></li><li><p><code class="literal">spentityid</code>: This is which SP config to use.
+          This parameter is optional, if not set the default for this host
+          will be used.</p></li></ul></div><p>In hosted IdP metadata there is a config parameter auth that will
+      tell simpleSAML which authentication plugin that can be used.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>The authentication API is pretty basic. The easiest way to
+        understand how it works is to look at one of the existing plugins that
+        is located in the auth directory of your installation.</p></div></div></div></div></body></html>
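Review bot: The openssl sequence under "Setting up a SSL signing certificate" is inconsistent: the key is written to `server2.key`, but the CSR step reads `-key server.key`, and the outputs are `server2.pem` and `server2.crt` while the hosted metadata example references `server.pem` and `server.crt`. Use one base name throughout so the commands can be pasted as written. The same block generates a 1024-bit key with `-days 60` for what the text calls a production certificate; suggest at least 2048 bits and either a longer lifetime or a sentence on how the certificate is rotated with the SPs. In the SP remote example, `'ForceAuthn' => 'false'` is a quoted string, which PHP evaluates as true in a boolean test, while `base64attributes` and `simplesaml.attributes` use bare booleans; write `false` unquoted or document that the value is compared as a string. Smaller points: `'host' => 'sp.example.org'` under the `idp.example.org` entry looks copied from the SP documentation, the cross-reference renders as "see ???", the login-auto description stops at "if you do not have", and `shib13-sp-remote-php` should be `shib13-sp-remote.php`. In the appendix, `RelayState` is described as the URL the user is sent back to after authentication; the API text should tell module authors to check that URL against the hosts they expect before redirecting.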
diff --git a/docs/simplesamlphp-install.html b/docs/simplesamlphp-install.html
index 3c13eb2c8a00d42a9ad1f2f0f55b39ce8d3bd2c5..0e21aad77664406ac37cbe61667319ed207c156c 100644
--- a/docs/simplesamlphp-install.html
+++ b/docs/simplesamlphp-install.html
@@ -1,9 +1,20 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>simpleSAMLphp Installation and Configuration</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721994"></a>simpleSAMLphp Installation and Configuration</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Ă…kre</span> <span class="surname">Solberg</span></h3><code class="email">&lt;<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>&gt;</code></div></div><div><p class="pubdate">Fri Sep 14 10:49:49 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856632">The history of simpleSAMLphp</a></span></dt><dt><span class="section"><a href="#id856682">Changelog</a></span></dt><dd><dl><dt><span class="section"><a href="#id856693">Version 0.4</a></span></dt></dl></dd><dt><span class="section"><a href="#id856807">Download and get simpleSAMLphp</a></span></dt><dd><dl><dt><span class="section"><a href="#id856826">Getting a working copy of simpleSAMLphp from subversion</a></span></dt></dl></dd><dt><span class="section"><a href="#id856866">Installing simpleSAMLphp</a></span></dt><dd><dl><dt><span class="section"><a href="#id856941">The simpleSAMLphp installation webpage</a></span></dt></dl></dd><dt><span class="section"><a href="#id856967">Making configuration and metadata files</a></span></dt><dt><span class="section"><a href="#sect.config">Configuring simpleSAMLphp</a></span></dt><dd><dl><dt><span class="section"><a href="#id857037">Configuration for LDAP authentication plugin</a></span></dt></dl></dd><dt><span class="section"><a href="#id857095">Setting up a SAML 2.0 SP</a></span></dt><dd><dl><dt><span class="section"><a 
href="#id857107">Configuring metadata for a SAML 2.0 SP</a></span></dt><dt><span class="section"><a href="#id857190">Test the SAML 2.0 SP example</a></span></dt></dl></dd><dt><span class="section"><a href="#id857224">Setting up a Shibboleth 1.3 SP</a></span></dt><dd><dl><dt><span class="section"><a href="#id857235">Configuring metadata for Shibboleth 1.3 SP</a></span></dt><dt><span class="section"><a href="#id857296">Test the Shibboleth 1.3 SP example</a></span></dt></dl></dd><dt><span class="section"><a href="#id857331">Setting up a SAML 2.0 IdP</a></span></dt><dd><dl><dt><span class="section"><a href="#id857342">Configuring the SAML 2.0 IdP</a></span></dt><dt><span class="section"><a href="#id857376">Adding a SAML IdP signing certificate</a></span></dt><dt><span class="section"><a href="#id857440">Test SAML 2.0 IdP</a></span></dt></dl></dd><dt><span class="section"><a href="#id857453">Using the built-in SP WAYF functionality</a></span></dt><dt><span class="section"><a href="#id857466">Setting up WebSSO bridges</a></span></dt><dd><dl><dt><span class="section"><a href="#id857477">Bridging SAML 2.0 &lt;-&gt; SAML 2.0</a></span></dt><dt><span class="section"><a href="#id857522">Bridging Shibboleth 1.3 &lt;-&gt; Shibboleth 1.3</a></span></dt><dt><span class="section"><a href="#id857533">Bridging Shibboleth 1.3 &lt;-&gt; SAML 2.0</a></span></dt><dt><span class="section"><a href="#id857544">Bridging SAML 2.0 &lt;-&gt; Shibboleth 1.3</a></span></dt><dt><span class="section"><a href="#id857554">Bridging SAML 2.0 &lt;-&gt; OpenID</a></span></dt><dt><span class="section"><a href="#id857564">Bridging Shibboelth 1.3 &lt;-&gt; OpenID</a></span></dt></dl></dd><dt><span class="section"><a href="#id857576">Authentication API</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856632"></a>The history of simpleSAMLphp</h2></div></div></div><p>simpleSAMLphp is based on code from <a 
href="https://opensso.dev.java.net/public/extensions/" target="_top">Sun OpenSSO
-    Extensions</a> (formerly known as Lightbulb).</p><p>The initial versions of the SAML 2.0 SP part was written by <a href="http://blogs.sun.com/superpat/" target="_top">Pat Patterson, Sun</a>.</p><p>The functionality has been extended and <a href="http://claimid.com/erlang" target="_top">Andreas Ă…kre Solberg</a>, <a href="http://uninett.no" target="_top">UNINETT</a>, has rewritten the library and
-    added support for Shibboleth. The product is used to bridge AAI protocols
-    in the GÉANT project, <a href="http://geant2.net" target="_top">http://geant2.net</a>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856682"></a>Changelog</h2></div></div></div><p>Here is changes between simpleSAML versions. Look here if you are
-    upgrading, to see if there are any changes to the config format.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856693"></a>Version 0.4</h3></div></div></div><p>Released 2007-09-14. Revision X.</p><div class="itemizedlist"><ul type="disc"><li><p>Improved documentation</p></li><li><p>Authentication plugin API. Only LDAP authenticaiton plugin is
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>simpleSAMLphp Installation and Configuration</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721994"></a>simpleSAMLphp Installation and Configuration</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Ă…kre</span> <span class="surname">Solberg</span></h3><code class="email">&lt;<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>&gt;</code></div></div><div><p class="pubdate">Mon Oct 15 16:54:59 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856632">The history of simpleSAMLphp</a></span></dt><dd><dl><dt><span class="section"><a href="#id856684">Contributors</a></span></dt></dl></dd><dt><span class="section"><a href="#id856714">Changelog</a></span></dt><dd><dl><dt><span class="section"><a href="#id856725">Version 0.5</a></span></dt><dt><span class="section"><a href="#id856841">Version 0.4</a></span></dt></dl></dd><dt><span class="section"><a href="#id856955">News about simpleSAMLphp</a></span></dt><dt><span class="section"><a href="#id856984">Download and install simpleSAMLphp</a></span></dt><dd><dl><dt><span class="section"><a href="#id857004">Getting a working copy of simpleSAMLphp from subversion</a></span></dt></dl></dd><dt><span class="section"><a href="#id857042">Making configuration and metadata files</a></span></dt><dt><span class="section"><a href="#id857065">Configuring apache</a></span></dt><dt><span class="section"><a href="#id857163">The simpleSAMLphp installation webpage</a></span></dt><dt><span class="section"><a href="#id857227">Next steps</a></span></dt><dt><span class="appendix"><a 
href="#sect.altlocations">A. Installing simpleSAMLphp in alternative locations</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856632"></a>The history of simpleSAMLphp</h2></div></div></div><p>simpleSAMLphp is an iteration of what was earlier referred to as
+    lightbulb (<a href="https://opensso.dev.java.net/public/extensions/" target="_top">Sun OpenSSO
+    Extensions</a>), written by <a href="http://blogs.sun.com/superpat/" target="_top">Pat Patterson, Sun</a>. There are
+    not much code left from lightbulb, but credits go to Pat for introducing a
+    new way of thinking when it comes to implementing federation protocols in
+    a simple and elegant way.</p><p>The simpleSAMLphp project is currently led by <a href="http://claimid.com/erlang" target="_top">Andreas Åkre Solberg</a>, <a href="http://uninett.no" target="_top">UNINETT</a>.</p><p>The product is used to bridge AAI protocols in the GÉANT project,
+    <a href="http://geant2.net" target="_top">http://geant2.net</a>.</p><p>We have received a bunch of external contributions.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856684"></a>Contributors</h3></div></div></div><p>Thank you very much for your contributions to
+      simpleSAMLphp:</p><div class="itemizedlist"><ul type="disc"><li><p>Lukas Hammerle, SWITCH, Switzerland</p></li><li><p>Stefan Winter, Restena, Luxemborg</p></li></ul></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856714"></a>Changelog</h2></div></div></div><p>Here is changes between simpleSAML versions. Look here if you are
+    upgrading, to see if there are any changes to the config format.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856725"></a>Version 0.5</h3></div></div></div><p>Released . Revision X.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Both config.php and metadata format is changed. Look at the
+        templates to understand the new format.</p></div><div class="itemizedlist"><ul type="disc"><li><p>Documentation is updated!</p></li><li><p>Metadata files have been more tidy. Removed unused entries.
+          Look at the new templates on how to change your existing
+          metadata.</p></li><li><p>Support for sending metadata on mail to Feide. Automatically
+          detecting if you have configured Feide as the default IdP.</p></li><li><p>Improved SAML 2.0 Metadata generation</p></li><li><p>Added support for Shibboleth 1.3 IdP functionality.</p></li><li><p>Added RADIUS authentication backend</p></li><li><p>Added support for HTTP-Redirect debugging when enable
+          <code class="literal">debug=true</code></p></li><li><p>SAML 2.0 SP example now contains a logout page.</p></li><li><p>Added new authentication backend with support for multiple
+          LDAP based on which organization the user selects.</p></li><li><p>Added SAML 2.0 Discovery Service</p></li><li><p>Initial proof of concept implementation of "User consent on
+          attribute release"</p></li><li><p>Fixed some minor bugs.</p></li></ul></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856841"></a>Version 0.4</h3></div></div></div><p>Released 2007-09-14. Revision X.</p><div class="itemizedlist"><ul type="disc"><li><p>Improved documentation</p></li><li><p>Authentication plugin API. Only LDAP authenticaiton plugin is
           included, but it is now easier to implement your own plugin.</p></li><li><p>Added support for SAML 2.0 IdP to work with Google Apps for
           Education. Tested.</p></li><li><p>Initial implementation of SAML 2.0 Single Log-Out
           functionality both for SP and IdP. Seems to work, but not yet
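Review bot: The new Version 0.5 changelog entry reads "Released . Revision X." with an empty date and a placeholder revision; fill both in before this is published, or drop the sentence until the release is cut (the 0.4 entry carries "Revision X" as well). The warning that "Both config.php and metadata format is changed" points only at the templates, so for people upgrading, list the keys that were renamed or removed. The item about HTTP-Redirect debugging with `debug=true` should say the setting is not for production, given that the 0.4 entry describes the debug option as showing all SAML messages to users in the browser. Spelling and encoding: the titlepage still shows "Andreas Ă…kre" while the body text has "Andreas Åkre", and "Luxemborg" and "There are not much code left" need correcting in the DocBook source.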
@@ -17,41 +28,15 @@
           environments.</p></li><li><p>Cleaned out some debug messages, and added a debug option in
           the configuration file. This debug option let's you turn on the
           possibility of showing all SAML messages to users in the web
-          browser, and manually submit them.</p></li><li><p>Several minor bugfixes.</p></li></ul></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856807"></a>Download and get simpleSAMLphp</h2></div></div></div><p>You can go to <a href="http://rnd.feide.no/category/simplesamlphp/" target="_top">http://rnd.feide.no/category/simplesamlphp/</a>
+          browser, and manually submit them.</p></li><li><p>Several minor bugfixes.</p></li></ul></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856955"></a>News about simpleSAMLphp</h2></div></div></div><p>To get the latest news about simpleSAMLphp you can follow this url:
+    <a href="http://rnd.feide.no/category/simplesamlphp/" target="_top">http://rnd.feide.no/category/simplesamlphp/</a>.</p><p>Currently simpleSAMLphp has a project page at Google Code:</p><p><a href="http://code.google.com/p/simplesamlphp/" target="_top">http://code.google.com/p/simplesamlphp/</a></p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856984"></a>Download and install simpleSAMLphp</h2></div></div></div><p>You can go to <a href="http://code.google.com/p/simplesamlphp/" target="_top">code.google.com/p/simplesamlphp/</a>
     to find the most recent release of simpleSAMLphp. Download the zipped
     file, and unzip it on your webserver. However I hightly reccomend running
-    from a subversion checkout instead.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856826"></a>Getting a working copy of simpleSAMLphp from subversion</h3></div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Right now the subversion repository is requiring a username /
-        password. I'll update the access control, so that everyone can get
-        read access without authentication. I'll announce it on the rnd blog
-        when it is ready.</p></div><p>If you want a working copy from subversion enter:</p><pre class="screen">svn co https://svn.uninett.no/svn/feidernd/simplesamlphp</pre><p>If you know subversion you know how to view logs and review
+    from a subversion checkout instead.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857004"></a>Getting a working copy of simpleSAMLphp from subversion</h3></div></div></div><p>Go to the directory where you want to install
+      simpleSAMLphp:</p><pre class="screen">cd /var</pre><p>Then do a subversion checkout:</p><pre class="screen">svn checkout http://simplesamlphp.googlecode.com/svn/trunk/ simplesamlphp</pre><p>If you know subversion you know how to view logs and review
       changes to the files. To update the version you have checked out,
-      enter:</p><pre class="screen">cd simplesamlphp
-svn up</pre></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856866"></a>Installing simpleSAMLphp</h2></div></div></div><p>First find an appropriate place for the <code class="filename">simplesamlphp
-    </code>folder. In example
-    <code class="filename">/var/simplesamlphp</code>.</p><p>Of the folders inside simplesamlphp, only the www folder needs to be
-    accessible from the web. There are several ways of putting the
-    simpleSAMLphp depending on the way web sites are structured on your apache
-    web server. Here is what I believe is the best configuration.</p><p>Find the apache configuration file for the virtual hosts that you
-    want to run simpleSAML on. The configuration may look like this:</p><pre class="programlisting">&lt;VirtualHost  *&gt;
-        ServerName service.example.com
-        DocumentRoot /var/www/service.example.com
-
-        Alias /simplesamlphp /var/simplesamlphp/www
-&lt;/VirtualHost&gt;
-</pre><p>What is special is tha Alias directive. That directive will give
-    control to simplesamlphp to all urls that matches
-    <code class="literal">http(s)://service.example.com/simplesamlphp/*</code>.
-    SimpleSAML will need to have several SAML interfaces available on the web,
-    and all these interfaces are included in the www subdirectory of your
-    simplesamlphp installation. You can set the alias to whatever you want,
-    but this alias must be set in the config.php file of simpleSAML as
-    described in <a href="#sect.config" title="Configuring simpleSAMLphp">the section called “Configuring simpleSAMLphp”</a>. Here is an example of how
-    this configuration may look like in config.php:</p><pre class="programlisting">$config = array (
-	'basedir' 				=&gt; '/var/simplesamlphp/',
-	'baseurl'				=&gt; 'http://service.example.com',
-	'baseurlpath'			=&gt; 'simplesamlphp/',</pre><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856941"></a>The simpleSAMLphp installation webpage</h3></div></div></div><p>When you have installed simpleSAMLphp, you can access the homepage
-      of your installation, which contains some information and a few links to
-      the test services. The url of an installation can be in example:</p><div class="literallayout"><p>https://service.example.com/simplesamlphp/</p></div><p>But it depends on how you set it up with apache.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856967"></a>Making configuration and metadata files</h2></div></div></div><p>Configuration and metadata files are stored in a template format,
+      enter:</p><pre class="screen">cd /var/simplesamlphp
+svn up</pre></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857042"></a>Making configuration and metadata files</h2></div></div></div><p>Configuration and metadata files are stored in a template format,
     you need to copy them to have your local copies. The reason why it is done
     this way, is that when you upgrade you can do svn up in subversion or just
     copy the whole directory over your installation, without replacing your
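Review bot: The new checkout command in "Getting a working copy of simpleSAMLphp from subversion" fetches the code over plain HTTP (`svn checkout http://simplesamlphp.googlecode.com/svn/trunk/ simplesamlphp`), whereas the line it replaces used an https URL. This code will sit in /var and handle authentication, so the instructions should use an https checkout URL if the new host offers one, or tell the reader to verify a downloaded release before unpacking it on the web server. The checkout also tracks trunk; the paragraph that recommends running from subversion should say so. The "hightly reccomend" typo in that paragraph can be fixed while this section is being touched.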
@@ -61,122 +46,46 @@ svn up</pre></div></div><div class="section" lang="en" xml:lang="en"><div class=
     files:</p><pre class="screen">cd /var/simplesamlphp
 cp config/config-template.php config/config.php
 cp -r metadata-templates/*.php metadata/
-</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="sect.config"></a>Configuring simpleSAMLphp</h2></div></div></div><p>First configure all the paths in the beginning of the config file,
-    to correspond to your organization of the apache web server, and where you
-    place simpleSAMLphp.</p><p>You will need to set the entityid of a default IdP in
-    <code class="literal">default-saml20-idp</code> or
-    <code class="literal">default-shib13-idp</code> depending on whether you use
-    shibboleth or SAML 2.0.</p><p>There is one parameter debug that may be set to true or false. If
-    you set it to true, then all Browser/POST SAML messages will be printed to
-    the web browser, and the user will have to manually submit it. </p><p>The session.duration parameter says how many seconds that a session
-    should be valid. After this amont of time, the session is not valid
-    anymore.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857037"></a>Configuration for LDAP authentication plugin</h3></div></div></div><p>If you want to perform local authentication on this server, and
-      you want to use the LDAP authenticaiton plugin, then you need to
-      configure the following parameters:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">auth.ldap.dnpattern</code>: What DN should you
-          bind to? Replacing %username% with the username the user types
-          in.</p></li><li><p><code class="literal">auth.ldap.hostname</code>: The hostname of the
-          LDAP server</p></li><li><p><code class="literal">auth.ldap.attributes</code>: Search parameter to
-          LDAP. What attributes should be extracted?
-          <code class="literal">objectclass=*</code> gives you all.</p></li></ul></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857095"></a>Setting up a SAML 2.0 SP</h2></div></div></div><p>This functionality is relevant if you want to integrate SAML 2.0
-    authentication on a service of yours, and you know one or more IdPs that
-    you can connect to. You would need metadata for those IdPs.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857107"></a>Configuring metadata for a SAML 2.0 SP</h3></div></div></div><p>To configure a SAML 2.0 SP, you first need to configure the SP
-      data for all your vhosts. If you run only one host, you need only one
-      entry. This metadata is stored in the
-      <code class="filename">metadata/saml20-sp-hosted.php</code> file. Here is an
-      example of a metadata:</p><pre class="programlisting">	"dev.andreas.feide.no" =&gt; array(
-		'host'							=&gt;	'dev.andreas.feide.no',
- 		"assertionConsumerServiceURL"	=&gt;	"http://dev.andreas.feide.no/saml2/sp/AssertionConsumerService.php", 
-		"issuer"						=&gt;	"dev.andreas.feide.no",
-		"spNameQualifier" 				=&gt;	"dev.andreas.feide.no",
-		"ForceAuthn"					=&gt;	"false",
-		"NameIDFormat"					=&gt;	"urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
-	),</pre><p>Note that you should fill in the host field matching the hostname
-      of your vhost. That way simpleSAMLphp can automatically detect what SP
-      metadata to use based on the <code class="literal">Host:</code> header sent by the
-      HTTP user agent.</p><p>You also need to configure the metadata for the IdP that you want
-      to use. Here is a metadata example for the Feide IdP:</p><pre class="programlisting">	"sam.feide.no" =&gt;  array( 
-			"SingleSignOnUrl"	=&gt;	"https://sam.feide.no/amserver/SSORedirect/metaAlias/idp",
-		 	"SingleLogOutUrl"	=&gt;	"https://sam.feide.no/amserver/IDPSloRedirect/metaAlias/idp",
-		 	"certFingerprint"	=&gt;	"3a:e7:d3:d3:06:ba:57:fd:7f:62:6a:4b:a8:64:b3:4a:53:d9:5d:d0",
-		 	"base64attributes"	=&gt;	true),</pre><p>The IdP metadata is stored in the
-      <code class="filename">metadata/saml20-idp-remote.php</code> file. Configure the
-      correct URLs of the endpoints, the hash of the certificate, and whether
-      the IdP is base64 encoding attributes or not. Most IdPs don't use
-      base64, so if you do not connect to Feide you should turn this parameter
-      to <code class="literal">false</code>. Notice that the key of the array is the
-      entity id of the IdP, in this example:
-      <code class="literal">sam.feide.no</code>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857190"></a>Test the SAML 2.0 SP example</h3></div></div></div><p>Go to the URL of the test page, similar to:</p><div class="literallayout"><p>http://service.example.com/simplesamlphp/example-simple/saml2-example.php</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The simpleSAMLphp installation homepage will link you to this
-        example, so you do not need to type in the full url.</p></div><p>You should be redirected to the IdP. Login, and you should be sent
-      back and shown all the attributes sent form the IdP.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857224"></a>Setting up a Shibboleth 1.3 SP</h2></div></div></div><p>If you want to configure a service with authentication towards an
-    external Shibboleth 1.3 IdP, this section describes you how to proceed.
-    </p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857235"></a>Configuring metadata for Shibboleth 1.3 SP</h3></div></div></div><p>Configure Shibboleth 1.3 SP metadata for all your vhosts. If you
-      run only one host, you need only one entry. This metadata is stored in
-      the <code class="filename">metadata/shib13-sp-hosted.php</code> file. Here is an
-      example:</p><pre class="programlisting">	'http://dev.andreas.feide.no'	=&gt; array(
-		'AssertionConsumerService'	=&gt;	'http://dev.andreas.feide.no/shib13/sp/AssertionConsumerService.php',
-		'host'						=&gt;	'dev.andreas.feide.no'
-	),</pre><p>Note that you should fill in the host field matching the hostname
-      of your vhost. That way simpleSAMLphp can automatically detect what SP
-      metadata to use based on the <code class="literal">Host:</code> header sent by the
-      HTTP user agent.</p><p>You also need to configure the metadata for the Shibboleth 1.3
-      IdPs that you want to connect to. Here is an example:</p><pre class="programlisting">	'urn:mace:switch.ch:aaitest:dukono.switch.ch'	=&gt; array(
-		'SingleSignOnUrl'		=&gt;	'https://dukono.switch.ch/shibboleth-idp/SSO',
-		'certFingerprint'		=&gt;	'c7279a9f28f11380509e075441e3dc55fb9ab864' 
-	),</pre><p>Notice that the key of the array is the entity ID.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857296"></a>Test the Shibboleth 1.3 SP example</h3></div></div></div><p>Go to the URL of the shibboleth test page, similar to:</p><div class="literallayout"><p>http://service.example.com/example-simple/shib13-example.php</p></div><p>You should be redirected to the IdP. Login, and you should be sent
-      back and shown all the attributes sent form the IdP.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>simpleSAMLphp does not support the attribute profile that
-        Shibboleth is using by default. To make attributes work, you need to
-        configure the IdP to perform attribute push.</p></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857331"></a>Setting up a SAML 2.0 IdP</h2></div></div></div><p>If you have a user database and want to offer a SAML 2.0 IdP
-    functinoality towards external services, here is how you set it up.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857342"></a>Configuring the SAML 2.0 IdP</h3></div></div></div><p>Setup idp metadata in saml20-idp-hosted. Then for all the SP the
-      IdP shold trust in saml20-sp-remote. Then configure in config.php, ldap
-      DN patterns, ldap host etc. Next add a certificate with openssl.</p><p>Example config.php:</p><pre class="programlisting">	'auth.ldap.dnpattern'	=&gt; 'uid=%username%,dc=feide,dc=no,ou=feide,dc=uninett,dc=no',
-	'auth.ldap.hostname'	=&gt; 'ldap.uninett.no',
-	'auth.ldap.attributes'	=&gt; 'objectclass=*'</pre><p>Example IdP Metadata saml20-idp-hosted:</p><pre class="programlisting">	'dev2.andreas.feide.no' =&gt; array(
-		'host'				=&gt;	'dev2.andreas.feide.no',
-		'SingleSignOnUrl'	=&gt;	"http://dev2.andreas.feide.no/saml2/idp/SSOService.php",
-		'SingleLogOutUrl'	=&gt;	"http://dev2.andreas.feide.no/saml2/idp/LogoutService.php",
-		'privatekey'		=&gt;	'server.pem',
-		'certificate'		=&gt;	'server.crt',
-		'base64attributes'	=&gt;	true,
-		'auth'				=&gt;	'auth/login.php'
-	)</pre><p>The server.pem and server.crt is an example certificate shipped
-      with the package, and be used for demo purposes, but you must generate
-      your own to use in production services.</p><p>You also need to configure metadata for trusted SPs, here is an
-      example:</p><pre class="programlisting">_	"dev.andreas.feide.no" =&gt; array(
-		'host'							=&gt;	'dev.andreas.feide.no',
- 		"assertionConsumerServiceURL"	=&gt;	"http://dev.andreas.feide.no/saml2/sp/AssertionConsumerService.php", 
-		"issuer"						=&gt;	"dev.andreas.feide.no",
-		"spNameQualifier" 				=&gt;	"dev.andreas.feide.no",
-		"ForceAuthn"					=&gt;	"false",
-		"NameIDFormat"					=&gt;	"urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
-	),</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857376"></a>Adding a SAML IdP signing certificate</h3></div></div></div><p>You should generate a new certificate for your IdP.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>There is a certificate that follows this package that you can
-        use for test purposes, but off course NEVER use this in production as
-        the private key is also included in the package and can be downloaded
-        by anyone.</p></div><p>Here is an examples of openssl commands to generate a new key and
-      a selfsigned certificate to use for signing SAML messages:</p><pre class="screen">openssl genrsa -des3 -out server2.key 1024 
-openssl rsa -in server2.key -out server2.pem
-openssl req -new -key server.key -out server2.csr
-openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt</pre><p>The certificate above will be valid for 60 days.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>simpleSAMLphp will only work with RSA and not DSA
-        certificates.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857440"></a>Test SAML 2.0 IdP</h3></div></div></div><p>To test the SAML 2.0 IdP, it is best to configure two hosts with
-      simpleSAMLphp, and use the SAML 2.0 SP demo example to test the
-      IdP.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857453"></a>Using the built-in SP WAYF functionality</h2></div></div></div><p>The WAYF is not yet a part of the simpleSAMLphp release. This
-    functionality will be added soon.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857466"></a>Setting up WebSSO bridges</h2></div></div></div><p>simpleSAMLphp can be used to bridge between two WebSSO protocols.
-    Here is some short descriptions of how to setup the different bridge
-    configurations.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857477"></a>Bridging SAML 2.0 &lt;-&gt; SAML 2.0</h3></div></div></div><p>In this setup you can bridge between two federations using SAML
-      2.0.</p><p>To approach this, you must configure both saml 2.0 IdP and SP
-      hosted metadata, and in the IdP hosted metadata configure the auth
-      parameter to be the SP initialization endpoint, like this:</p><pre class="screen">		'auth'				=&gt;	'saml2/sp/initSSO.php?idpentityid=sam.feide.no'</pre><p>As you can see you specify the IdP in the remote federation as a
-      parameter to the initalization endpoint.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This section of the documentation is only a placeholder. There
-        will be more detailed information added later. For now, ask the author
-        if you want more details of such a setup.</p><p>Briding SAML 2.0 SLO is not implemented. Will be improved
-        soon.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857522"></a>Bridging Shibboleth 1.3 &lt;-&gt; Shibboleth 1.3</h3></div></div></div><p>Will be supported soon.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857533"></a>Bridging Shibboleth 1.3 &lt;-&gt; SAML 2.0</h3></div></div></div><p>Will be supported soon.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857544"></a>Bridging SAML 2.0 &lt;-&gt; Shibboleth 1.3</h3></div></div></div><p>Will be supported soon.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857554"></a>Bridging SAML 2.0 &lt;-&gt; OpenID</h3></div></div></div><p>Will be supported soon.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857564"></a>Bridging Shibboelth 1.3 &lt;-&gt; OpenID</h3></div></div></div><p>Will be supported soon.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857576"></a>Authentication API</h2></div></div></div><p>The authentication plugin should be placed in the auth directory.
-    </p><p>The following parameters must be accepted in the incomming
-    URL:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">RelayState</code>: This is the URL that the user
-        should be sent back to after authentication within the plugin.</p></li><li><p><code class="literal">RequestID</code>: This is the ID of an incomming
-        request.</p></li></ul></div><p>The initSSO.php takes in addition the following parameters:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">idpentityid</code>: This is the entityid of the IdP
-        to authenticate with. This parameter is optional, if not set the
-        default for this host will be used.</p></li><li><p><code class="literal">spentityid</code>: This is which SP config to use.
-        This parameter is optional, if not set the default for this host will
-        be used.</p></li></ul></div><p>In hosted IdP metadata there is a config parameter auth that will
-    tell simpleSAML which authentication plugin that can be used.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>The authentication API is pretty basic. The easiest way to
-      understand how it works is to look at one of the existing plugins that
-      is located in the auth directory of your installation.</p></div></div></div></body></html>
+</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857065"></a>Configuring apache</h2></div></div></div><p>In this example simpleSAMLphp is located in
+    <code class="filename">/var/simplesamlphp</code>, that is the default location. If
+    you want to modify this location, you can do so freely, but then you need
+    to update the path in a few files. <a href="#sect.altlocations" title="A. Installing simpleSAMLphp in alternative locations">I
+    wrote a separate chapter about that, read on</a>.</p><p>Of the folders inside simplesamlphp, only the www folder needs to be
+    accessible from the web. There are several ways of putting the
+    simpleSAMLphp depending on the way web sites are structured on your apache
+    web server. Here is what I believe is the best configuration.</p><p>Find the apache configuration file for the virtual hosts that you
+    want to run simpleSAML on. The configuration may look like this:</p><pre class="programlisting">&lt;VirtualHost  *&gt;
+        ServerName service.example.com
+        DocumentRoot /var/www/service.example.com
+
+        Alias /simplesaml /var/simplesamlphp/www
+&lt;/VirtualHost&gt;
+</pre><p>What is special is the <code class="literal">Alias</code> directive. That
+    directive will give control to simpleSAMLphp for all urls that matches
+    <code class="literal">http(s)://service.example.com/simplesaml/*</code>.
+    simpleSAMLphp will need to have several SAML interfaces available on the
+    web, and all these interfaces are included in the <code class="filename">www</code>
+    subdirectory of your simpleSAMLphp installation. You can set the alias to
+    whatever you want, but this alias must be set in the
+    <code class="filename">config.php</code> file of simpleSAML as described in ???. Here is an example of how this configuration may
+    look like in <code class="filename">config.php</code>:</p><pre class="programlisting">$config = array (
+[...]
+	'baseurlpath'			=&gt; 'simplesaml/',</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857163"></a>The simpleSAMLphp installation webpage</h2></div></div></div><p>When you have installed simpleSAMLphp, you can access the homepage
+    of your installation, which contains some information and a few links to
+    the test services. The url of an installation can be in example:</p><div class="literallayout"><p>https://service.example.com/simplesaml/</p></div><p>The exact link depends on how you set it up with apache and off
+    course your hostname.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Don't click on any of the links yet, because they require you to
+      eigther have setup simpleSAMLphp as an Service Provider or as an
+      Identity Provider.</p></div><p>Here is an example screenshot of what the simpleSAMLphp page looks
+    like:</p><div class="figure"><a id="id857202"></a><p class="title"><b>Figure 1. Screenshot of the simpleSAMLphp installation page.</b></p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-install/screenshot-installationpage.png" alt="Screenshot of the simpleSAMLphp installation page." /></div></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857227"></a>Next steps</h2></div></div></div><p>You have now successfully installed simpleSAMLphp, and the next
+    steps depends on whether you want to setup a service provider, to protect
+    a website with authentication or if you want to setup an identity provider
+    and connect it to a user storage. We will also provide documentation on
+    bridging federation protocols in a separate document.</p><div class="itemizedlist"><ul type="disc"><li><p><a href="simplesamlphp-sp.html" target="_top">Setting up simpleSAMLphp as a
+        service provider</a></p></li><li><p><a href="simplesamlphp-idp.html" target="_top">Setting up simpleSAMLphp as
+        an identity provider</a></p></li><li><p><a href="simplesamlphp-bridge.html" target="_top">Setting up simpleSAMLphp
+        as a bridge</a></p></li></ul></div></div><div class="appendix" lang="en" xml:lang="en"><h2 class="title" style="clear: both"><a id="sect.altlocations"></a>A. Installing simpleSAMLphp in alternative locations</h2><p>If you want to install simpleSAMLphp in an alternative directory,
+    feel free to do so. You need to set the path of the installation directory
+    in the config.php file:</p><pre class="programlisting">$config = array (
+[...]
+	'basedir' 				=&gt; '/usr/local/simplesaml/simplesamlphp',</pre><p>And you also need to modify the Alias directive in the apache
+    configuration:</p><pre class="programlisting">        Alias /simplesaml /usr/local/simplesaml/simplesamlphp/www</pre></div></div></body></html>
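Review bot: The cross-reference in the new "Configuring apache" section renders as "as described in ???", because this same hunk deletes the section with id sect.config that the old link pointed at. Point the reference at whichever document now carries the configuration chapter, or drop the clause. The hunk also deletes the warning that the bundled server.pem/server.crt must never be used in production, along with the note that the debug option shows SAML messages in the browser. Please confirm both are carried into the new IdP and SP documents linked under "Next steps"; otherwise readers of the install guide lose them. Smaller points in the added text: "off course", "eigther" and "an Service Provider" need correcting. The `<VirtualHost *>` example would also be clearer if it said that the Alias path and `'baseurlpath' => 'simplesaml/'` must be changed together.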
diff --git a/docs/simplesamlphp-sp.html b/docs/simplesamlphp-sp.html
new file mode 100644
index 0000000000000000000000000000000000000000..f25821dbfe21942210f96124c88ab12f3b30abd6
--- /dev/null
+++ b/docs/simplesamlphp-sp.html
@@ -0,0 +1,151 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Using simpleSAMLphp as a Service Provider</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721993"></a>Using simpleSAMLphp as a Service Provider</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Ă…kre</span> <span class="surname">Solberg</span></h3><code class="email">&lt;<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>&gt;</code></div></div><div><p class="pubdate">Mon Oct 15 16:55:49 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856631">Introduction</a></span></dt><dt><span class="section"><a href="#id856645">Configuring metadata for SAML 2.0 SP</a></span></dt><dd><dl><dt><span class="section"><a href="#id856660">Configuring SAML 2.0 SP Hosted metadata</a></span></dt><dt><span class="section"><a href="#id856786">Configuring SAML 2.0 IdP Remote metadata</a></span></dt><dt><span class="section"><a href="#id856919">Setting the default SAML 2.0 IdP</a></span></dt><dt><span class="section"><a href="#id856961">Using the SAML 2.0 IdP Discovery Service</a></span></dt></dl></dd><dt><span class="section"><a href="#id856988">Configuring metadata for Shibboleth 1.3 SP</a></span></dt><dd><dl><dt><span class="section"><a href="#id857004">Configuring Shibboleth 1.3 SP Hosted metadata</a></span></dt><dt><span class="section"><a href="#id857059">Configuring Shibboleth 1.3 IdP Remote metadata</a></span></dt></dl></dd><dt><span class="section"><a href="#id857142">Exchange metadata with the IdP</a></span></dt><dd><dl><dt><span class="section"><a href="#id857155">Automatically generation of SP metadata for SAML 
2.0</a></span></dt></dl></dd><dt><span class="section"><a href="#id857220">Test the SAML 2.0 SP examples</a></span></dt><dt><span class="section"><a href="#id857271">Integrating authentication with your own application</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856631"></a>Introduction</h2></div></div></div><p>simpleSAMLphp can run as both a SAML 2.0 Service Provider and as a
+    Shibboleth 1.3 Service Provider. The configuration and metadata would be
+    somewhat different, therefore there are separate chapter for the two,
+    although the configuration is similar.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856645"></a>Configuring metadata for SAML 2.0 SP</h2></div></div></div><p>When you are setting up a SAML 2.0 SP, you would need to configure
+    two metadata files. saml20-sp-hosted.php and saml20-idp-remote.php.
+    saml20-sp-hosted.php represent the SAML entity of the service provider
+    itself, while the saml20-idp-remote.php configuration lists all the
+    trusted SAML 2.0 IdP and how to connect to them.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856660"></a>Configuring SAML 2.0 SP Hosted metadata</h3></div></div></div><p>You need to know at least two variables to be able to setup this
+      metadata. You need to know the hostname of the server you are using, and
+      you need to set an entity ID for this server. Talk to the people running
+      the IdP of what entity ID you should use.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Feide has special rules for setting entity IDs, so if you want
+        to connect to Feide, contact them and ask what entity ID you should
+        use.</p></div><p>Here is an example of the metadata file:</p><pre class="programlisting">$metadata = array( 
+
+	/*
+	 * Example of a hosted SP 
+	 */
+	'entityid' =&gt; array(
+		'host'							=&gt;	'hostname',
+		'spNameQualifier' 				=&gt;	'entityid',
+		'NameIDFormat'					=&gt;	'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+		'ForceAuthn'					=&gt;	'false'
+	)
+
+);</pre><p>Here are the description of the possible fields:</p><div class="glosslist"><dl><dt>index (the index of the array)</dt><dd><p>The entity ID of the hosted SP entity.</p></dd><dt>spNameQualifier</dt><dd><p>The name qualifier of the SP. If this is not important to
+            you, you can set it to be identical with the entity ID
+            above.</p></dd><dt>host</dt><dd><p>The hostname of the server running this SAML 2.0 SP. This
+            option allows simpleSAMLphp to automatically discover which SP
+            metadata to use, when it runs multiple virtual hosts.</p></dd><dt>NameIDFormat</dt><dd><p>The NameIDFormat in the request. If you don't know what this
+            is, or don't need it to be anything specific, leave it with the
+            default configuration.</p></dd><dt>ForceAuthn</dt><dd><p>Force authentication is a parameter that allows you to force
+            re-authenticatino of users even if the user contains a SSO session
+            at the IdP.</p></dd></dl></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856786"></a>Configuring SAML 2.0 IdP Remote metadata</h3></div></div></div><p>This metadata file lists all the IdPs that you trust.</p><pre class="programlisting">	/*
+	 * Example simpleSAMLphp SAML 2.0 IdP
+	 */
+	'idp.example.org' =&gt;  array(
+		'name'					=&gt;	'Test',
+		'description'			=&gt; 'Description of this example entry',
+		'SingleSignOnService'	=&gt;	'https://idp.example.org/simplesaml/saml2/idp/SSOService.php',
+		'SingleLogoutService'	=&gt;	'https://idp.example.org/simplesaml/saml2/idp/LogoutService.php',
+		'certFingerprint'		=&gt;	'3fa158e8abfd4b5203315b08c0b791b6ee4715f6',
+		'base64attributes'		=&gt;	true
+	),</pre><div class="glosslist"><dl><dt>index (the index of the array)</dt><dd><p>The entity ID of this SAML 2.0 IdP entity.</p></dd><dt>name</dt><dd><p>Set the name of this identity provider. Will just be used in
+            the UI of the discovery service, so set it to whatever you
+            want.</p></dd><dt>description</dt><dd><p>Set the description of this identity provider. Will just be
+            used in the UI of the discovery service, so set it to whatever you
+            want.</p></dd><dt>SingleSignOnService</dt><dd><p>Contact the IdP to get the endpoint URL of this service.
+            This is the URL which the user is redirected with the AuthnRequest
+            using HTTP-REDIRECT.</p></dd><dt>SingleLogoutService</dt><dd><p>Contact the IdP to get the endpoint URL of this service.
+            This is the URL which the user is redirected with the
+            LogoutRequest using HTTP-REDIRECT.</p></dd><dt>certFingerprint</dt><dd><p>The md5sum of the certificate used by the IdP. If you don't
+            know how to compute this, you can leave it as it is, and then
+            you'll get an error message the first time you try to login. In
+            this error message you are told what is the fingerprint of the IdP
+            certiciate, so you can copy and use that.</p></dd><dt>base64encode</dt><dd><p>Is the IdP base64 encoding all the attributes?
+            Base64encoding should be avoided but makes it much easier to send
+            data in different formats and characterencodings, so you can leave
+            it on when you test. If you are using simpleSAMLphp at the IdP,
+            remember to set the parameter in the metadata at the IdP to be the
+            same.</p></dd></dl></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856919"></a>Setting the default SAML 2.0 IdP</h3></div></div></div><p>In the global configuration (<code class="filename">config.php</code>)
+      there is a parameter to set the default IdP to use. Alternatively you
+      can specify which IdP to use in a parameter to the initSSO.php script
+      when you initiate logon in your application.</p><p>Here is an example from <code class="filename">config.php</code>:</p><pre class="programlisting">	'default-saml20-idp'	=&gt;	'sam.feide.no',</pre><p>The configuration above will use the IdP configured in IdP Remote
+      metadata with entity ID equal to <code class="literal">sam.feide.no</code>.
+      </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856961"></a>Using the SAML 2.0 IdP Discovery Service</h3></div></div></div><p>If you want end users to be able to select one of all the
+      specified entries in IdP remote metadata, you can set the default IdP to
+      be null, then simpleSAMLphp will initiate the builtin IdP discovery
+      service to let the user select IdP. Here is the neccessary configuration
+      from <code class="filename">config.php</code>:</p><pre class="programlisting">	'default-saml20-idp'	=&gt;	null,</pre></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856988"></a>Configuring metadata for Shibboleth 1.3 SP</h2></div></div></div><p>When you are setting up a Shibboleth 1.3 SP, you need to configure
+    two metadata files. shib13-sp-hosted.php and shib13-idp-remote.php.
+    shib13-sp-hosted.php represents the SAML entity of the service provider
+    itself, while the shib13-idp-remote.php metadata lists all the trusted
+    SAML 2.0 IdPs and contains information on how to connect to them.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857004"></a>Configuring Shibboleth 1.3 SP Hosted metadata</h3></div></div></div><p>In the hosted metadata (shib13-sp-hosted.php) you will need to
+      configure two parameters, the entity ID and the hostname of the server
+      running this SP.</p><pre class="programlisting">	/*
+	 * Example of hosted Shibboleth 1.3 SP.
+	 */
+	'sp1entityid'	=&gt; array(
+		'host'						=&gt;	'sp.example.org'
+	)</pre><div class="glosslist"><dl><dt>index (the index of the array)</dt><dd><p>The entity ID of the hosted SP entity.</p></dd><dt>host</dt><dd><p>The hostname of the server running this Shibboleth 1.3 SP.
+            This option allows simpleSAMLphp to automatically discover which
+            SP metadata to use, when it runs multiple virtual hosts.</p></dd></dl></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857059"></a>Configuring Shibboleth 1.3 IdP Remote metadata</h3></div></div></div><p>Here (shib13-idp-remote.php) you configure which IdPs that you
+      trust.</p><pre class="programlisting">	'urn:mace:switch.ch:aaitest:dukono.switch.ch'	=&gt; array(
+		'SingleSignOnUrl'		=&gt;	'https://dukono.switch.ch/shibboleth-idp/SSO',
+		'certFingerprint'		=&gt;	'c7279a9f28f11380509e075441e3dc55fb9ab864' 
+	),</pre><div class="glosslist"><dl><dt>index (the index of the array)</dt><dd><p>The entity ID of this Shibboleth 1.3 IdP entity. In this
+            example the entity ID is set to
+            <code class="literal">urn:mace:switch.ch:aaitest:dukono.switch.ch</code>.</p></dd><dt>SingleSignOnUrl</dt><dd><p>Contact the IdP to get the endpoint URL of this service.
+            This is the URL which the user is redirected with the request for
+            authentication.</p></dd><dt>certFingerprint</dt><dd><p>The md5sum of the certificate used by the IdP. If you don't
+            know how to compute this, you can leave it as it is, and then
+            you'll get an error message the first time you try to login. In
+            this error message you are told what is the fingerprint of the IdP
+            certiciate, so you can copy and use that.</p></dd></dl></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857142"></a>Exchange metadata with the IdP</h2></div></div></div><p>Before you can run the test examples, you need the people running
+    the IdP to load the metadata for your SP. If you run Shibboleth 1.3 SP,
+    you will need to manually create metadata for your SP and send to the IdP,
+    if you use SAML 2.0, metadata can be generated automatically.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857155"></a>Automatically generation of SP metadata for SAML 2.0</h3></div></div></div><p>On the installation page there is a link named "Look at your SAML
+      2.0 SP metadata". Click there to look at the metadata for your SP. Send
+      this metadata document to the IdP and ask them to load it.</p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-sp/saml2metadata.png" /></div></div><p>If you are connected to Feide, and put one of Feides entity IDs as
+      default IdP, you will see an additional section on this page:</p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-sp/saml2metadata-feide.png" /></div></div><p>Enter your email address and click the button to send the metadata
+      to Feide. Remeber to get in contact with Feide to discuss your new
+      service, and how you can be connected to Feides test environment.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857220"></a>Test the SAML 2.0 SP examples</h2></div></div></div><p>When you have installed simpleSAMLphp, configured apache, and setup
+    metadata and exchanged metadata with the IdP you are ready to test the
+    example service that is included in the simpleSAMLphp installation.</p><p>On the installation page of simpleSAMLphp as you remember from the
+    installation guide, there is a link to a Shibboleth 1.3 and SAML 2.0
+    example. When you click on that example, you should be automatically
+    redirected to the IdP. Then login as usual, and you should get back to a
+    status page with .</p><p>You should be redirected to the IdP. Login, and you should be sent
+    back and shown all the attributes sent form the IdP.</p><div class="figure"><a id="id857246"></a><p class="title"><b>Figure 1. Screenshot of the status page after an user have succesfully
+      authenticated</b></p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-sp/screenshot-example.png" alt="Screenshot of the status page after an user have succesfully authenticated" /></div></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857271"></a>Integrating authentication with your own application</h2></div></div></div><p>You will need to hook some code into your application executed for
+    every protected HTTP request. The flow in that code goes like:</p><div class="itemizedlist"><ul type="disc"><li><p>Check whether the user is authenticated or not.</p></li><li><p>If the user is not authenticated, and it should be, then
+        redirect the user to the initSSO.php script with the appropriate
+        parameters. In particular the RelayState that tells the URL to return
+        to after login.</p></li><li><p>If the user is authenticated then your done, map to your own
+        user database if neccessary, and access the attributes from the
+        session object as you like.</p></li></ul></div><p>Here are some example code from the included example that you can
+    reuse:</p><p>We start off with including a common file _include.php. All this
+    file is doing is adding simpleSAMLphp to the classpath. If you want you
+    can do this in php.ini instead. Or you can include all the content of
+    _include.php in the application it self.</p><pre class="programlisting">require_once('../_include.php');</pre><p>Including class specifications. This is for SAML 2.0, for shibboleth
+    look at the shibboleth example in
+    <code class="filename">www/example-simple/shib13-example.php</code>.</p><pre class="programlisting">require_once('SimpleSAML/Utilities.php');
+require_once('SimpleSAML/Session.php');
+require_once('SimpleSAML/XML/MetaDataStore.php');
+require_once('SimpleSAML/XML/SAML20/AuthnRequest.php');
+require_once('SimpleSAML/XML/SAML20/AuthnResponse.php');
+require_once('SimpleSAML/Bindings/SAML20/HTTPRedirect.php');
+require_once('SimpleSAML/Bindings/SAML20/HTTPPost.php');
+require_once('SimpleSAML/XHTML/Template.php');
+</pre><p>Then enable using PHP Sessions, and load configuration and metadata
+    with simpleSAMLphp. You can copy this lines into your application without
+    changes:</p><pre class="programlisting">session_start();
+
+/* Load simpleSAMLphp, configuration and metadata */
+$config = SimpleSAML_Configuration::getInstance();
+$metadata = new SimpleSAML_XML_MetaDataStore($config);
+$session = SimpleSAML_Session::getInstance();
+</pre><p>Then at last, you check whether the session is valid. If it is not,
+    redirect to the initSSO.php script adding the current URL as a RelayState
+    parameter. If you are authenticated, then retrieve all the attributes from
+    the session object. You may want to look closer at the attributes array,
+    so why don't you print_r it out right away to get the structure...</p><pre class="programlisting">/* Check if valid local session exists.. */
+if (!isset($session) || !$session-&gt;isValid() ) {
+	header('Location: /' . $config-&gt;getValue('baseurlpath') . 'saml2/sp/initSSO.php?RelayState=' . urlencode(SimpleSAML_Utilities::selfURL()));
+	exit(0);
+}
+
+$attributes = $session-&gt;getAttributes();
+print_r($attributes);
+</pre></div></div></body></html>
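Review bot: both `certFingerprint` glossary entries (SAML 2.0 IdP Remote and Shibboleth 1.3 IdP Remote) call the value "the md5sum of the certificate", yet both example values are 40 hex digits, which is the length of a SHA-1 digest rather than MD5 (32 hex digits); please state the digest algorithm that is actually expected. The same entries tell the reader to leave the placeholder in place and copy the fingerprint out of the first login error message. That pins whatever certificate signed the first response with no independent check, so the text should tell the reader to get the fingerprint from the IdP operator over a trusted channel, or at least to confirm the value shown in the error message with the operator before saving it. Smaller points in the same hunk: the IdP remote example sets 'base64attributes' while the glossary documents base64encode; ForceAuthn is set to the quoted string 'false', which PHP evaluates as true in a boolean test, so either use the boolean false or document that a string is expected; the Shibboleth 1.3 SP introduction says shib13-idp-remote.php lists "the trusted SAML 2.0 IdPs"; and the sentence ending "status page with ." in the test section is unfinished.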