Skip to content
Snippets Groups Projects
Commit 2aceb85c authored by Olav Morken's avatar Olav Morken
Browse files

Update SP documentation. 

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1476 44740490-163a-0410-bde0-09ae8108e29a
parent 96907456
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
docs/simplesamlphp-reference-idp-remote.txt 0 → 100644
+ 156
0
View file @ 2aceb85c
IdP remote metadata reference
=============================
This is a reference for metadata options available for `metadata/saml20-idp-remote.php` and `metadata/shib13-idp-remote.php`. Both files have the following format:
<?php
$metadata = array(
/* The index of the array is the entity ID of this IdP. */
'entity-id-1' => array(
/* Configuration options for the first IdP. */
),
'entity-id-2' => array(
/* Configuration options for the second IdP. */
),
/* ... */
);
?>
Common options
--------------
The following options are common between both the SAML 2.0 protocol and Shibboleth 1.3 protocol:
`authproc`
: Used to manipulate attributes, and limit access for each IdP. See the [authentication processing filter manual](http://rnd.feide.no/content/authentication-processing-filters-simplesamlphp).
`base64attributes`
: Whether attributes received from this IdP should be base64 decoded. The default is `FALSE`.
`caFile`
: Alternative to specifying a certificate. Allows you to specify a file with root certificates, and responses from the service be validated against these certificates. Note that simpleSAMLphp doesn't support chains with any itermediate certificates between the root and the certificate used to sign the response.
`certData`
: The base64 encoded certificate for this IdP. This is an alternative to storing the certificate in a file on disk and specifying the filename in the `certificate`-option.
`certFingerprint`
: If you only need to validate signatures received from this IdP, you can specify the certificate fingerprint instead of storing the full certificate. To obtain this, you can enter a bogus value, and attempt to log in. You will then receive an error message with the correct fingerprint.
: It is also possible to add an array of valid fingerprints, where any fingerprints in that array is accepted as valid. This can be used to update the certificate of the IdP without having to update every SP at that exact time. Instead, one can update the SPs with the new fingerprint, and only update the certificate after every SP is updated.
`certificate`
: The file with the certificate for this IdP. The path is relative to the `cert`-directory.
`description`
: A description of this IdP. Will be used by various modules when they need to show a description of the IdP to the user.
: This option can be translated into multiple languages in the same way as the `name`-option.
`icon`
: A logo which will be shown next to this IdP in the discovery service.
`name`
: The name of this IdP. Will be used by various modules when they need to show a name of the SP to the user.</p>
: This option can be translated into multiple languages by specifying the value as an array of language-code to translated name:
'name' => array(
'en' => 'A service',
'no' => 'En tjeneste',
),
`SingleSignOnService`
: Endpoint URL for sign on. You should obtain this from the IdP. For SAML 2.0, simpleSAMLphp will use the HTTP-Redirect binding when contacting this endpoint.
SAML 2.0 options
----------------
The following SAML 2.0 options are available:
`saml2.relaxvalidation`
: Can be used to relax some parts of the validation of assertions received from this IdP. This is an array, and can include one or more of the following flags:
- `unknowncondition` - Disables errors when encountering unknown &lt;Condition> nodes.
- `nosubject` - Ignore missing &lt;Subject&gt; in &lt;Assertion&gt;.
- `noconditions` - Ignore missing &lt;Conditions&gt; in &lt;Assertion&gt;.
- `noauthnstatement` - Ignore missing &lt;AuthnStatement&gt; in &lt;Assertion&gt;.
- `noattributestatement` - Ignore missing &lt;AttributeStatement&gt; in &lt;Assertion&gt;.
`SingleLogoutService`
: Endpoint URL for logout requests and responses. You should obtain this from the IdP. Users who log out from your service is redirected to this URL with the LogoutRequest using HTTP-REDIRECT.
`SingleLogoutServiceResponse`
: Endpoint URL for logout responses. Overrides the `SingleLogoutService`-option for responses.
`SPNameQualifier`
: This corresponds to the SPNameQualifier in the SAML 2.0 specification. It allows to give subjects a SP specific namespace. This option is rarely used, so if you don't need it, leave it out. When left out, simpleSAMLphp assumes the entityID of your SP as the SPNameQualifier.
### Decrypting assertions
It is possible to decrypt the assertions received from an IdP. Currently the only algorithm supported is `AES128_CBC` or `RIJNDAEL_128`.
There are two modes of encryption supported by simpleSAMLphp. One is symmetric encryption, in which case both the SP and the IdP needs to share a key. The other mode is the use of public key encryption. In that mode, the public key of the SP is extracted from the certificate of the SP.
`assertion.encryption`
: Whether assertions received from this IdP are encrypted. The default value is `FALSE`.
`sharedkey`
: Symmetric key which should be used for decryption. This should be a 128-bit key. If this option is not specified, public key encryption will be used instead.
### Fields for signing and validating messages
simpleSAMLphp only signs authentication responses by default. Signing of authentication request, logout requests and logout responses can be enabled by setting the `redirect.sign` option. Validation of received messages can be enabled by the `redirect.validate` option.
These options overrides the options set in `saml20-sp-hosted`.
`redirect.sign`
: Whether authentication request, logout requests and logout responses sent to this IdP should be signed. The default is `FALSE`.
`redirect.validate`
: Whether logout requests and logout responses received from this IdP should be validated. The default is `FALSE`.
**Example: Configuration for validating messages**
'redirect.validate' => TRUE,
'certificate' => 'server.crt',
Shibboleth 1.3 options
----------------------
There are no options specific for a Shibboleth 1.3 IdP.
Examples
--------
### Configuration for openidp.feide.no ###
<?php
$metadata = array();
$metadata['https://openidp.feide.no'] = array(
'name' => array(
'en' => 'Feide OpenIdP - guest users',
'no' => 'Feide Gjestebrukere',
),
'description' => 'Here you can login with your account on Feide RnD OpenID. If you do not already have an account on this identity provider, you can create a new one by following the create new account link and follow the instructions.',
'SingleSignOnService' => 'https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php',
'SingleLogoutService' => 'https://openidp.feide.no/simplesaml/saml2/idp/SingleLogoutService.php',
'certFingerprint' => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb',
);
?>
Calculating the fingerprint of a certificate
--------------------------------------------
If you have obtained a certificate file, and want to calculate the fingerprint of the file, you can use the `openssl` command:
$ openssl x509 -noout -fingerprint -in "server.crt"
SHA1 Fingerprint=AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9
In this case, the certFingerprint option should be set to `AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9`.
\ No newline at end of file
docs/simplesamlphp-reference-sp-hosted.txt 0 → 100644
+ 159
0
View file @ 2aceb85c
SP hosted metadata reference
============================
This is a reference for the metadata files `metadata/saml20-sp-hosted.php` and `metadata/shib13-sp-hosted.php`. Both files have the following format:
<?php
$metadata = array(
/* The index of the array is the entity ID of this SP. */
'entity-id-1' => array(
'host' => 'sp.example.org',
/* Configuration options for the first SP. */
),
'entity-id-2' => array(
'host' => '__DEFAULT__',
/* Configuration options for the default SP. */
),
/* ... */
);
?>
The entity ID should be an URI. It can also be on the form `__DYNAMIC:1__`, `__DYNAMIC:2__`, `...`. In that case, the entity ID will be generated automatically.
The `host` option is the hostname of the SP, and will be used to select the correct configuration. One entry in the metadata-list can have the host `__DEFAULT__`. This entry will be used when no other entry matches.
Common options
--------------
`AssertionConsumerService`
: Override the default URL for the AssertionConsumerService for this SP. This is an absolute URL. The default value is `<simpleSAMLphp-root>/{shib13|saml2}/sp/AssertionConsumerService.php`.
: Note that this only changes the values in the generated metadata and in the messages sent to others. You must also configure your webserver to deliver this URL to the correct PHP page.
`authproc`
: Used to manipulate attributes, and limit access for each SP. See the [authentication processing filter manual](http://rnd.feide.no/content/authentication-processing-filters-simplesamlphp).
`certData`
: Base64 encoded certificate data. Can be used instead of the `certificate` option.
`certificate`
: File name of certificate for this SP. This certificate will be included in generated metadata.
`description`
: A description of this SP. Will be added to the generated metadata.
: This option can be translated into multiple languages by specifying the value as an array of language-code to translated description:
'description' => array(
'en' => 'A service',
'no' => 'En tjeneste',
),
`host`
: The hostname for this SP. One SP can also have the `host`-option set to `__DEFAULT__`, and that SP will be used when no other entries in the metadata matches.
`idpdisco.url`
: Set which IdP discovery service this SP should use. If this is unset, the IdP discovery service specified in the global option `idpdisco.url.{saml20|shib13}` in `config/config.php` will be used. If that one is also unset, the builtin default discovery service will be used.
`name`
: The name of this SP. Will be added to the generated metadata.
: This option can be translated into multiple languages by specifying the value as an array of language-code to translated name:
'name' => array(
'en' => 'A service',
'no' => 'En tjeneste',
),
`NameIDFormat`
: Override the default NameIDFormat in the generated metadata and in the authentication request.
: The default value for SAML 2.0 is `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`, while the default for Shibboleth 1.3 is `urn:mace:shibboleth:1.0:nameIdentifier`. If you set the value to `NULL`, the `samlp:NameIDPolicy` element is removed from the authentication request.
`url`
: A URL to your service provider. Will be added as a OrganizationURL-element in the metadata.
: This option can be translated into multiple languages by specifying the value as an array of language-code to language-specific URL:
'url' => array(
'en' => 'http://sp.example.net/en/info.html',
'no' => 'http://sp.example.net/no/info.html',
),
SAML 2.0 options
----------------
The following SAML 2.0 SP options are available:
`AuthnContextClassRef`
: The SP can request authentication with a specific authentication context class. One example of usage could be if the IdP supports both username/password authentication as well as software-PKI.
`ForceAuthn`
: Force authentication allows you to force re-authentication of users even if the user has a SSO session at the IdP.
`IsPassive`
: IsPassive allows you to enable passive authentication by default for this SP.
`privatekey`
: File name of private key to be used for signing messages and decrypting messages from the IdP. This option is only required if you use encrypted assertions or if you enable signing of messages.
`privatekey_pass`
: The passphrase for the private key, if it is encrypted. If the private key is unencrypted, this can be left out.
`RelayState`
: The page the user should be redirected to after an IdP initiated SSO.
`SingleLogoutService`
: Override the default URL for the SingleLogoutService for this SP. This is an absolute URL. The default value is `<simpleSAMLphp-root>/saml2/sp/SingleLogoutService.php`.
: Note that this only changes the values in the generated metadata and in the messages sent to others. You must also configure your webserver to deliver this URL to the correct PHP page.
### Fields for signing and validating messages
simpleSAMLphp SP doesn't signa any messages by default. To enable signing of authentication requests, logout requests and logout responses, enable the `redirect.sign` option. Validation of received messages can be enabled by the `redirect.validate` option.
These options set the default for this SP, but options for each IdP can be set in `saml20-idp-remote`.
`redirect.sign`
: Whether authentication requests, logout requests and logout responses sent from this SP should be signed. The default is `FALSE`.
`redirect.validate`
: Whether logout requests and logout responses received received by this SP should be validated. The default is `FALSE`.
**Example: Configuration for signed messages**
'redirect.sign' => true,
Shibboleth 1.3 SP options
----------------------
There are no options specific for a Shibboleth 1.3 SP.
Examples
--------
These are some examples of SP metadata
### Minimal SAML 2.0 / Shibboleth 1.3 SP ###
<?php
$metadata = array(
/*
* We use the '__DYNAMIC:1__' entity ID so that the entity ID
* will be autogenerated.
*/
'__DYNAMIC:1__' => array(
/*
* We use '__DEFAULT__' as the hostname so we won't have to
* enter a hostname.
*/
'host' => '__DEFAULT__',
),
);
?>
docs/simplesamlphp-sp.txt
+ 62
562
View file @ 2aceb85c
SimpleSAMLphp as a Service Provider SimpleSAMLphp Service Provider QuickStart
=========================================== =========================================
<!-- <!--
This file is written in Markdown syntax. This file is written in Markdown syntax.
...@@ -9,565 +9,95 @@ SimpleSAMLphp as a Service Provider ...@@ -9,565 +9,95 @@ SimpleSAMLphp as a Service Provider
* Version: `$Id$` * Version: `$Id$`
simpleSAMLphp documentation
---------------------------
This document is part of the simpleSAMLphp documentation suite. This guide will describe how to configure simpleSAMLphp as a service provider (SP). You should previously have installed simpleSAMLphp as described in [the simpleSAMLphp installation instructions](http://rnd.feide.no/content/installing-simplesamlphp).
-
[List of all simpleSAMLphp documentation](http://rnd.feide.no/view/simplesamlphpdocs)
This document assumes that you already have a installation of simpleSAMLphp. Before you continue make sure all the required entries in the check list at the buttom is showing green light.
Introduction Enabling the Service Provider functionality
------------ --------------------------------------------
simpleSAMLphp can run as both a SAML 2.0 Service Provider and as a Shibboleth 1.3 Service Provider. Although the configuration is similar for the two alternatives, there are some differences in configuration and metadata differs somewhat, so they are treated in separate chapters. The first that must be done is to enable the service provider functionality. This is done by editing `config/config.php`. The options `enable.saml20-sp` and `enable.shib13-sp` controls whether SAML 2.0 and Shibboleth 1.3 support is enabled. Enable one or both of those by assigning `true` to them:
Selecting the desired Service Provider functionality
----------------------------------------------------
Your identity provider (IdP) may offer user authentication either using the SAML 2.0 protocol, or the older Shibboleth 1.3 protocol. 'enable.saml20-sp' => true,
SAML 2.0 SP functionality is enabled by default. If this is what you want to use, leave the default configuration unmodified.
To setup a Shibboleth 1.3 SP, you must disable SAML 2.0 SP and enable Shib 1.3 SP in `config.php`:
'enable.saml20-sp' => false,
'enable.saml20-idp' => false, 'enable.saml20-idp' => false,
'enable.shib13-sp' => true, 'enable.shib13-sp' => true,
'enable.shib13-idp' => false, 'enable.shib13-idp' => false,
Configuring metadata for SAML 2.0 SP
------------------------------------
To set up a SAML 2.0 SP, configure two metadata files: `saml20-sp-hosted.php` and `saml20-idp-remote.php`. The former represents the SAML entity of your SP, the latter lists all the SAML 2.0 IdPs you trust to authenticate users, and how to connect to them.
## Configuring SAML 2.0 SP Hosted metadata
To se tup these metadata, you must know the host name of your web server, and select an entity ID for this server. The IdP may impose restrictions on your choice of entity ID.
**Example&nbsp;1.&nbsp;Example of metadata for hosted SAML 2.0 SP**
Here is an example of the metadata file:
/*
* Example of a hosted SP
*/
'sp-entityid' => array(
'host' => 'sp.example.org'
)
**Example&nbsp;2.&nbsp;Real life example**
Here is a real life example from Feide:
'urn:mace:feide.no:services:no.feide.foodle' => array(
'host' => 'foodle.feide.no',
),
Here the service run on the host `foodle.feide.no` and have the entity ID `urn:mace:feide.no:services:no.feide.foodle`.
You may add any number of SP definitions in the same installation of simpleSAMLphp. simpleSAMLphp will discover automatically which configuration to use in a specific scenario, by mapping current hostname in the URL sent by the end user client to the `host` entry in the metadata.
Below is a description of mandatory and optional fields in the SAML 2.0 SP hosted metadata.
### Mandatory metadata fields
These metadata fields are required:
index in the `$metadata` array
: The entity ID of the hosted SP entity.
: simpleSAMLphp supports dynamic entityIDs that matches a URL
where simpleSAMLphp automatically generates metadata for the hosted
entity. To enable this functionality, set the index to be
`__DYNAMIC:1__`. The index needs to be unique, so when you have
multiple entries, increase the integer after the colon. When the
index `__DYNAMIC:1__` is used, the resulting generated entity
becomes something like:
: https://sp.example.org/simplesaml/saml2/sp/metadata.php
host
: Host name of the server running this SP. One of your metadata
entries can have the value `__DEFAULT__`. A default entry will be
used when no other entry matches the current hostname.
### Optional metadata fields
These fields can be left out if not needed.
NameIDFormat
: The NameIDFormat in the request. If you don't know what this
is, or do not require a specific format, leave the default value
unmodified.
: If you leave out this entry, the default value
`urn:oasis:names:tc:SAML:2.0:nameid-format:transient` is used in
the authentication request. If you set the value to `null`, the
`samlp:NameIDPolicy` element is completely removed from the
request.
ForceAuthn
: Force authentication allows you to force re-authentication of
users even if the user has a SSO session at the IdP.
AuthnContextClassRef
: The SP can request authentication with a specific
authentication context class. One example of usage could be if the
IdP supports both username/password authentication as well as
software-PKI.
attributemap
: Mapping table for translating attribute names. For further
information, see the *Advances Features* document.
attributealter Configuring the SP
: Table of custom functions that injects or modifies attributes. ------------------
For further information, see the *Advances Features* document.
attributes The SP is configured by the metadata stored in `metadata/saml20-sp-hosted.php` and `metadata/shib13-sp-hosted.php`. Which of the two files you need to edit depends on what protocol you wish to use. This is a minimal configuration for a SP:
: Array of attributes sent to the SP. If this field is not set,
the SP receives all attributes available at the IdP.
IsPassive <?php
: IsPassive allows you to enable passive authentication by $metadata = array(
default for this SP. /*
* Dynamically generated entity id. Will use the address where metadata can be downloaded.
AssertionConsumerService
: Override the default URL for the AssertionConsumerService for
this SP. This is an absolute URL. The default value is
`<simpleSAMLphp-root>/saml2/sp/AssertionConsumerService.php`
: Note that this only changes the values in the generated
metadata and in the messages sent to others. You must also
configure your webserver to deliver this URL to the correct PHP
page.
SingleLogoutService
: Override the default URL for the SingleLogoutService for this
SP. This is an absolute URL. The default value is
`<simpleSAMLphp-root>/saml2/sp/SingleLogoutService.php`
: Note that this only changes the values in the generated
metadata and in the messages sent to others. You must also
configure your webserver to deliver this URL to the correct PHP
page.
idpdisco.url
: Set which IdP discovery service this SP should use. If this is
unset, the IdP discovery service specified in the global option
`idpdisco.url.saml20` in `config/config.php` will be used. If that
one is also unset, the builtin default discovery service will be
used.
RelayState
: This may be a relative or absolute URL on the Service Provider that the user should be redirected to after successful authentication. This parameter MUST be used if you are using an IdP-first setup with SAML 2.0, where no AuthNRequest is sent.
privatekey
: File name of private key to be used for signing messages.
certificate
: File name of certificate corresponding to the private key. This
certificate will be included in generated metadata.
privatekey\_pass
: Optional field with the passphrase for the private key.
### Fields for signing and validating messages
simpleSAMLphp only signs authentication responses by default. Signing of authentication requests, logout requests and logout responses can be enabled by setting the `redirect.sign` option. Validation of received messages can be enabled by the `redirect.validate` option. Note that if you want to sign messages, you will need a keypair/certificate at the SP.
These options set the default for this SP, but options for each IdP can be set in `saml20-idp-remote`.
redirect.sign
: Boolean, default `false`. To turn on signing of authentication
requests, logout requests and logout responses, set this flag to
true.
: This option can be overridden by the `redirect.sign` option in
`saml20-idp-remote`.
redirect.validate
: Boolean, default `false`. To turn on validation of received
logout requests and logout responses, set this flag to true.
: This option can be overridden by the `redirect.validate` option
in `saml20-idp-remote`.
**Example&nbsp;3.&nbsp;Example of configured signed messages**
'redirect.sign' => true,
'privatekey' => 'server.pem',
## Configuring SAML 2.0 IdP Remote metadata
The metadata file `saml20-idp-remote.php` represent the SAML 2.0
IdPs that your service provider trust to authenticate users of your
service.
**Example&nbsp;4.&nbsp;Example of metadata for trusted remote SAML 2.0 IdP**
Here is an example of a metadata entry for a remote trusted IdP:
/*
* Example simpleSAMLphp SAML 2.0 IdP
*/
'idp-entity-id-simple' => array(
'name' => 'Test',
'description' => 'Description of this example entry',
'SingleSignOnService' => 'https://idp.example.org/simplesaml/saml2/idp/SSOService.php',
'SingleLogoutService' => 'https://idp.example.org/simplesaml/saml2/idp/SingleLogoutService.php',
'certFingerprint' => '3fa158e8abfd4b5203315b08c0b791b6ee4715f6'
),
**Example&nbsp;5.&nbsp;More complex example**
Here is an example with more configuration:
/*
* Example simpleSAMLphp SAML 2.0 IdP
*/ */
'idp-entity-id' => array( '__DYNAMIC:1__' => array(
'name' => 'Test',
'description' => 'Description of this example entry',
'SingleSignOnService' => 'https://idp.example.org/simplesaml/saml2/idp/SSOService.php',
'SingleLogoutService' => 'https://idp.example.org/simplesaml/saml2/idp/SingleLogoutService.php',
'certFingerprint' => '3fa158e8abfd4b5203315b08c0b791b6ee4715f6',
'base64attributes' => true,
/*
* When redirect.validate is true the certificate of the IdP will be used
* to verify all messages received with the HTTPRedirect binding.
*
* The certificate from the IdP must be installed in the cert directory
* before verification can be done.
*/
'redirect.validate' => false,
'certificate' => "idp.example.org.crt",
/* /*
* It is possible to relax some parts of the validation of SAML2 messages. * The hostname for this SP. This makes it possible to run multiple
* To relax a part, add the id to the 'saml2.relaxvalidation' array. * SPs from the same configuration. '__DEFAULT__' means that this one
* * should be used by default.
* Valid ids:
* - 'unknowncondition' Disables errors when encountering unknown <Condition> nodes.
* - 'nosubject' Ignore missing <Subject> in <Assertion>.
* - 'noconditions' Ignore missing <Conditions> in <Assertion>.
* - 'noauthnstatement' Ignore missing <AuthnStatement> in <Assertion>.
* - 'noattributestatement' Ignore missing <AttributeStatement> in <Assertion>.
*
* Example:
* 'saml2.relaxvalidation' => array('unknowncondition', 'noattributestatement'),
*
* Default:
* 'saml2.relaxvalidation' => array(),
*/ */
'saml2.relaxvalidation' => array(), 'host' => '__DEFAULT__',
), ),
);
?>
### Mandatory metadata fields For more information about available options in the sp-hosted metadata files, see the [SP hosted reference](https://rnd.feide.no/content/sp-hosted-metadata-reference).
These are the required metadata fields:
index in the `$metadata` array
: Entity ID of the remote IdP.
name
: A textual name of the IdP. This can contain a string or an
associative array of language code => translation pairs. This name
is used in the SAML 2.0 discovery service.
description
: A longer description of the IdP. This can contain a string or
an associative array of language code => translation pairs. The
description is used in the SAML 2.0 discovery service.
SingleSignOnService
: Endpoint URL for sign on. You should obtain this from the IdP.
Your simpleSAMLphp implementation will redirected users who are not
yet authenticated to this URL with the AuthnRequest using
HTTP-REDIRECT.
SingleLogoutService
: Endpoint URL for logout. You should obtain this from the IdP.
Users who log out from your service is redirected to this URL with
the LogoutRequest using HTTP-REDIRECT.
certFingerprint
: The `sha1` checksum of the certificate used by the IdP. If you
don't know how to compute this, you can leave it as it is, and then
you'll get an error message the first time you try to login. In
this error message you are told what is the fingerprint of the IdP
certificiate, which you may copy to this metadata parameter.
: It is also possible to add an array of valid fingerprints,
where any fingerprints in that array is accepted as valid. This can
be used to update the certificate of the IdP without having to
update every SP at that exact time. Instead, one can update the SPs
with the new fingerprint, and only update the certificate after
every SP is updated.
: See
[Appendix&nbsp;A, *Calculating the fingerprint of a certificate*](#a.fingerprint "A. Calculating the fingerprint of a certificate")
for an example of how to calculate the fingerprint with the
`openssl` tool.
### Optional metadata fields
These fields can be left out if not needed.
base64attributes
: If the IdP base64 encodesattributes, you may set this parameter
to `true`. Base64 encoding should be avoided when not strictly
needed, but it allows attributes in any binary format to be
exchanged.
: ### Warning Adding IdPs to the SP
---------------------
: If you are using simpleSAMLphp at the IdP, remember to set the The service provider you are configuring needs to know about the identity providers you are going to connect to it. This is configured by metadata stored in `metadata/saml20-idp-remote.php` and `metadata/shib13-sp-remote.php`. This is a minimal example of a `metadata/saml20-idp-remote.php` metadata file:
parameter in the metadata at the IdP to be the same.
SPNameQualifier <?php
: This corresponds to the SPNameQualifier in the SAML 2.0 $metadata = array(
specification. It allows to give subjects a SP specific namespace. 'https://openidp.feide.no' => array(
This option is rarely used, so if you don't need it, leave it out. 'SingleSignOnService' => 'https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php',
When left out, simpleSAMLphp assumes the entityID of your SP as the 'SingleLogoutService' => 'https://openidp.feide.no/simplesaml/saml2/idp/SingleLogoutService.php',
SPNameQualifier. 'certFingerprint' => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb',
),
attributemap );
: Mapping table for translating attribute names. For further ?>
information, see the *Advances Features* document.
attributealter
: Table of custom functions that injects or modifies attributes.
For further information, see the *Advances Features* document.
certificate
: Name of certificate file in PEM format, in the `certs`
directory. Used for decrypting assertions and as an alternative to
certFingerprint for validating signatures.
: This option is also required if validating signed logout
requests/responses from this IdP.
assertion.encryption
: Set to true if the remote idp encrypts assertions. Encrypted
assertions are decrypted regardless of the value this field if the
neccesary certificate or key is available, but if it is set to true
and an unencrypted assertion is recieved an exception is raised.
sharedkey
: Used for optional symmetric decryption of assertions. Currently
the algorithm is hardcoded to AES128\_CBC/RIJNDAEL\_128 which uses
up to 128 bit for the passphrase/key. Not necessary if the idp uses
a sessionkey which is encrypted by the idp's private key.
caFile
: Alternative to certFingerprint. Allows you to specify a file
with root certificates, and responses from the service be validated
against these certificates. Note that simpleSAMLphp doesn't support
chains with any itermediate certificates between the root and the
certificate used to sign the response.
icon
: An icon for this IdP. This is a URL to a icon which will be
displayed next to this IdP in the IdP discovery service. The URL
can be absolute or relative. If it is relative, it will be relative
to the simpleSAMPphp www-directory.
### Fields for signing and validating messages
simpleSAMLphp only signs authentication responses by default.
Signing of authentication requests, logout requests and logout
responses can be enabled by setting the `redirect.sign` option.
Validation of received messages can be enabled by the
`redirect.validate` option. Note that if you want to sign messages,
you will need a keypair/certificate at the SP.
These options overrides the options set in `saml20-sp-hosted`.
redirect.sign
: Boolean, default `false`. To turn on signing of authentication
requests, logout requests and logout responses, set this flag to
true.
: This option overrides the `redirect.sign` option in
`saml20-sp-hosted`.
redirect.validate
: Boolean, default `false`. To turn on validation of received
logout requests and logout responses, set this flag to true.
: This option overrides the `redirect.validate` option in For more information about available options in the idp-remote metadata files, see the [IdP remote reference](https://rnd.feide.no/content/idp-remote-metadata-reference).
`saml20-sp-hosted`.
If you have the metadata of the remote IdP as an XML file, you can use the built-in XML to simpleSAMLphp metadata converter, which by default is available as `/admin/metadata-converter.php` in your simpleSAMLphp installation.
**Example&nbsp;6.&nbsp;Example of configuration for validating messages** Note that the idp-remote file lists all IdPs you trust. You should remove all IdPs that you don't use.
'redirect.validate' => true,
'certificate' => 'server.crt'
## Setting the default SAML 2.0 IdP Setting the default IdP
-----------------------
The global configuration (`config.php`) holds a parameter to set the default IdP to use. Alternatively you can specify which IdP to use in a parameter to the initSSO.php script when you initiate logon in your application. The global configuration (`config.php`) holds a parameter to set the default IdP to use. Alternatively you can specify which IdP to use in a parameter to the initSSO.php script when you initiate logon in your application.
Here is an example from `config.php`: Here is an example from `config.php`:
'default-saml20-idp' => 'sam.feide.no', 'default-saml20-idp' => 'https://openidp.feide.no',
The configuration above will use the IdP configured in IdP Remote metadata with entity ID equal to `sam.feide.no`.
## Using the SAML 2.0 IdP Discovery Service
If you want end users to be able to select one of several specified entries in IdP remote metadata, set the default IdP to be null. simpleSAMLphp will then use its builtin IdP discovery service to let the user select IdP. Here is the neccessary configuration from `config.php`:
'default-saml20-idp' => null,
Configuring metadata for Shibboleth 1.3 SP
------------------------------------------
To set up a Shibboleth 1.3 SP, configure two metadata files. shib13-sp-hosted.php and shib13-idp-remote.php.The former represents the SAML entity of your service provider, the latter lists all the trusted Shibboleth 1.3 IdPs and how to connect to them.
Note: Shibboleth 2.0 IdPs should be configured as SAML 2.0 IdPs.
## Configuring Shibboleth 1.3 SP Hosted metadata
Two parameters, the entity ID and the host name of the web server running this SP, are configured in the hosted metadata (`shib13-sp-hosted.php`).
**Example&nbsp;7.&nbsp;Shibboleth 1.3 SP hosted metadata**
/*
* Example of hosted Shibboleth 1.3 SP.
*/
'sp-provider-id' => array(
'host' => 'sp.example.org'
)
### Mandatory fields
index (the index of the array)
: The entity ID of the hosted SP entity.
: simpleSAMLphp supports dynamic entityIDs that matches a URL
where simpleSAMLphp automatically generates metadata for the hosted
entity. To enable this functionality, set the index to be
`__DYNAMIC:1__`. The index needs to be unique, so when you have
multiple entries, increase the integer after the colon. When the
index `__DYNAMIC:1__` is used, the resulting generated entity
becomes something like:
: https://sp.example.org/simplesaml/shib13/sp/metadata.php
host
: Host name of the server running this SP. One of your metadata
entries can have the value `__DEFAULT__`. A default entry will be
used when no other entry matches the current hostname.
### Optional metadata fields
These fields can be left out if not needed.
AssertionConsumerService There is also a `default-shib13-idp`, which configures the same for Shibboleth 1.3 SPs.
: Override the default URL for the AssertionConsumerService for
this SP. This is an absolute URL. The default value is
`<simpleSAMLphp-root>/shib13/sp/AssertionConsumerService.php`
: Note that this only changes the values in the generated
metadata and in the messages sent to others. You must also
configure your webserver to deliver this URL to the correct PHP
page.
idpdisco.url ### Using the discovery service
: Set which IdP discovery service this SP should use. If this is
unset, the IdP discovery service specified in the global option
`idpdisco.url.shib13` in `config/config.php` will be used. If that
one is also unset, the builtin default discovery service will be
used.
If you want end users to be able to select one of several specified entries in IdP remote metadata, set the default IdP to be `NULL`. simpleSAMLphp will then use its builtin IdP discovery service to let the user select IdP. Here is the neccessary configuration from `config.php`:
## Configuring Shibboleth 1.3 IdP Remote metadata 'default-saml20-idp' => NULL,
'default-shib13-idp' => NULL,
Here (`shib13-idp-remote.php`) you configure which IdPs that you
trust to authenticate users of your service.
**Example&nbsp;8.&nbsp;Example of remote Shibboleth 1.3 IdP metadata**
'theproviderid-of-the-idp' => array(
'SingleSignOnService' => 'https://idp.example.org/shibboleth-idp/SSO',
'certFingerprint' => 'c7279a9f28f11380509e072441e3dc55fb9ab864'
)
index in the `$metadata` array
: The `providerID` of this Shibboleth 1.3 IdP entity. In this
example the entity ID is set to
`urn:mace:switch.ch:aaitest:dukono.switch.ch`.
SingleSignOnService
: Contact the IdP to get the endpoint URL of this service. This
is the URL which the user is redirected with the request for
authentication.
: ### Note
: The name of this parameter changed from SingleSignOnUrl to
SingleSignOnService betwen simpleSAMLphp version 0.5 and 1.0.
certFingerprint
: The `sha` checksum of the certificate used by the IdP. If you
don't know how to compute this, you can leave it as it is, and then
you'll get an error message the first time you try to login. In
this error message you are told what is the fingerprint of the IdP
certificiate, which you may copy to this metadata parameter.
: It is also possible to add an array of valid fingerprints,
where any fingerprints in that array is accepted as valid. This can
be used to update the certificate of the IdP without having to
update every SP at that exact time. Instead, one can update the SPs
with the new fingerprint, and only update the certificate after
every SP is updated.
: See
[Appendix&nbsp;A, *Calculating the fingerprint of a certificate*](#a.fingerprint "A. Calculating the fingerprint of a certificate")
for an example of how to calculate the fingerprint with the openssl
tool.
caFile
: Alternative to certFingerprint. Allows you to specify a file
with root certificates, and responses from the service be validated
against these certificates. Note that simpleSAMLphp doesn't support
chains with any itermediate certificates between the root and the
certificate used to sign the response.
icon
: An icon for this IdP. This is a URL to a icon which will be
displayed next to this IdP in the IdP discovery service. The URL
can be absolute or relative. If it is relative, it will be relative
to the simpleSAMPphp www-directory. This field is optional.
Exchange metadata with the IdP Exchange metadata with the IdP
------------------------------ ------------------------------
Before you can run the test examples, you need the people running the IdP to load the metadata for your SP. If you run Shibboleth 1.3 SP, you must manually create metadata for your SP and send to the IdP. If you use SAML 2.0, metadata can be generated automatically. If you are testing against `openidp.feide.no`, you can skip this step. You must however make sure that OpenIdP can download your metadata. This means that if you are installing on `sp.example.org`, and simpleSAMLphp is installed under `https://sp.example.org/simplesaml`, you must make sure that this URL is accessible from the Internet.
## Automatic generation of SAML 2.0 SP metadata Before you can run the test examples, you need the people running the IdP to load the metadata for your SP. This metadata can be generated automatically. Links to the generated metadata can be found under the `Metadata`-tab on the front page.
On the installation page there is a link named "Look at your SAML 2.0 SP metadata". Click to inspect the metadata for your SP. Send this metadata document to the IdP and ask them to load it. Send this metadata document to the IdP and ask them to load it.
![image](http://rnd.feide.no/files/saml2metadata.png) ![image](http://rnd.feide.no/files/saml2metadata.png)
...@@ -577,17 +107,17 @@ If you are connected to Feide, and put one of Feides entity IDs as default IdP, ...@@ -577,17 +107,17 @@ If you are connected to Feide, and put one of Feides entity IDs as default IdP,
Enter your email address and click the button "Send my metadata to Feide". Remeber to get in contact with Feide to discuss your new service, and how you can be connected to Feide's test environment. To test your service, you must have a valid Feide login name. If you are not affiliated with a Feide host institution, you may obtain a test user identity from Feide. Enter your email address and click the button "Send my metadata to Feide". Remeber to get in contact with Feide to discuss your new service, and how you can be connected to Feide's test environment. To test your service, you must have a valid Feide login name. If you are not affiliated with a Feide host institution, you may obtain a test user identity from Feide.
Test the SAML 2.0 SP examples Test the SAML 2.0 SP examples
----------------------------- -----------------------------
After you have installed simpleSAMLphp, configured Apache, set up metadata and exchanged metadata with the IdP, you are ready to test the sample service included in the simpleSAMLphp distribution. After the metadata is is configured on the IdP, you should be able to test the configuration. The installation page of simpleSAMLphp has a link to a Shibboleth 1.3 and a SAML 2.0 sample service. When you click the link, you should be automatically redirected to the IdP. Login, and you should be sent back and shown all the attributes sent form the IdP.
The installation page of simpleSAMLphp has a link to a Shibboleth 1.3 and a SAML 2.0 sample service. When you click the link, you should be automatically redirected to the IdP. Login, and you should be sent back and shown all the attributes sent form the IdP.
**Figure&nbsp;1.&nbsp;Screenshot of the status page after an user have succesfully authenticated** **Figure&nbsp;1.&nbsp;Screenshot of the status page after an user have succesfully authenticated**
![Screenshot of the status page after an user have succesfully authenticated](http://rnd.feide.no/files/screenshot-example.png) ![Screenshot of the status page after an user have succesfully authenticated](http://rnd.feide.no/files/screenshot-example.png)
Integrating authentication with your own application Integrating authentication with your own application
---------------------------------------------------- ----------------------------------------------------
...@@ -600,7 +130,7 @@ lines of PHP code: ...@@ -600,7 +130,7 @@ lines of PHP code:
If the user is not authenticated, but should be for this resource, If the user is not authenticated, but should be for this resource,
redirect him to the `initSSO.php` script with the appropriate redirect him to the `initSSO.php` script with the appropriate
parameters. Note particularly the `RelayState` specifying the parameters. Note particularly the `RelayState` specifying the
treturn URL after login. return URL after login.
- -
If authentication is successful, but you need to determine the If authentication is successful, but you need to determine the
...@@ -612,43 +142,29 @@ lines of PHP code: ...@@ -612,43 +142,29 @@ lines of PHP code:
Sample code: Sample code:
We start off with including a common file \_include.php. All this We start off with including a common file \_include.php. This will add the simpleSAMLphp libraries to the PHP class autoloader.
file does is to add simpleSAMLphp to the classpath. Alternately,
this can be configured in `php.ini`, or the contents of
`_include.php` can be included directly in the application code.
require_once('../_include.php'); require_once('../_include.php');
Including class specifications. This is for SAML 2.0; for We load the current simpleSAMLphp session object:
Shibboleth look at the Shibboleth example in
`www/example-simple/shib13-example.php`.
require_once('SimpleSAML/Utilities.php'); /* Load simpleSAMLphp configuration and session. */
require_once('SimpleSAML/Session.php');
require_once('SimpleSAML/XHTML/Template.php');
Enable PHP Sessions and load configuration with simpleSAMLphp. You
can copy this lines into your application without changes:
/* Load simpleSAMLphp, configuration and metadata */
$config = SimpleSAML_Configuration::getInstance(); $config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance(); $session = SimpleSAML_Session::getInstance();
Then check whether the session is valid. If not, redirect the user to the IdP, specifying the `initSSO.php` script (for SAML 2.0 or Shibboleth 1.3, respectively). adding the current URL as a `RelayState` parameter. The user will leave your web page temporarily. When he returns after successful authentication, there will be a valid session, and the body of the `if` statement is skipped. Then check whether the session is valid. If not, redirect the user to the IdP, specifying the `initSSO.php` script (for SAML 2.0 or Shibboleth 1.3, respectively). adding the current URL as a `RelayState` parameter. The user will leave your web page temporarily. When he returns after successful authentication, there will be a valid session, and the body of the `if` statement is skipped.
After successful athentication, user attributes supplied by the IdP are available in session object. To take a closer look at the attributes array, you may print it out... /* Check if valid local session exists. */
if (!$session->isValid('saml2') ) {
/* Check if valid local session exists.. */ /* Redirect to the IdP for authentication. */
if (!isset($session) || !$session->isValid('saml2') ) {
SimpleSAML_Utilities::redirect( SimpleSAML_Utilities::redirect(
'/' . $config->getBaseURL() . '/' . $config->getBaseURL() . 'saml2/sp/initSSO.php',
'saml2/sp/initSSO.php',
array('RelayState' => SimpleSAML_Utilities::selfURL()) array('RelayState' => SimpleSAML_Utilities::selfURL())
); );
} }
After successful athentication, user attributes supplied by the IdP are available in session object. To take a closer look at the attributes array, you may print it out...
$attributes = $session->getAttributes(); $attributes = $session->getAttributes();
print_r($attributes); print_r($attributes);
...@@ -656,11 +172,6 @@ After successful athentication, user attributes supplied by the IdP are availabl ...@@ -656,11 +172,6 @@ After successful athentication, user attributes supplied by the IdP are availabl
Each attribute name can be used as an index into $attributes to obtain the value. Every attribute value is an array - a single-valued attribute is an array of a single element. Each attribute name can be used as an index into $attributes to obtain the value. Every attribute value is an array - a single-valued attribute is an array of a single element.
## Upgrading service integration from version 0.5 to 1.0
-
[Wiki page describing the differences between integrating a service with simpleSAMLphp 0.5 and simpleSAMLphp 1.0.](https://ow.feide.no/simplesamlphp:spupgrade05to10)
Support Support
------- -------
...@@ -671,14 +182,3 @@ If you need help to make this work, or want to discuss simpleSAMLphp with other ...@@ -671,14 +182,3 @@ If you need help to make this work, or want to discuss simpleSAMLphp with other
- [List of all available simpleSAMLphp documentation](http://rnd.feide.no/view/simplesamlphpdocs) - [List of all available simpleSAMLphp documentation](http://rnd.feide.no/view/simplesamlphpdocs)
- [Join the simpleSAMLphp user's mailing list](http://rnd.feide.no/content/simplesamlphp-users-mailinglist) - [Join the simpleSAMLphp user's mailing list](http://rnd.feide.no/content/simplesamlphp-users-mailinglist)
- [Visit and contribute to the simpleSAMLphp wiki](https://ow.feide.no/simplesamlphp:start) - [Visit and contribute to the simpleSAMLphp wiki](https://ow.feide.no/simplesamlphp:start)
## A.&nbsp;Calculating the fingerprint of a certificate
If you have obtained a certificate file, and want to calculate the fingerprint of the file, you can use the `openssl` command:
$ cat server.crt|openssl x509 -fingerprint
MD5 Fingerprint=D1:BA:B0:17:66:6D:7F:42:7B:91:1E:22:7E:3A:27:D2
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment