diff --git a/docs/simplesamlphp-artifact-idp.md b/docs/simplesamlphp-artifact-idp.md
index 6d993fa9e6f374eac9b8599f09d1dca4a236ea0a..bb08461ea4dc9777e08573cc19636a9ee6dfaa38 100644
--- a/docs/simplesamlphp-artifact-idp.md
+++ b/docs/simplesamlphp-artifact-idp.md
@@ -35,7 +35,7 @@ Enabling artifact on the IdP
To enable the IdP to send artifacts, you must add the `saml20.sendartifact` option to the `saml20-idp-hosted` metadata file:
- $metadata['urn:x-simplesamlphp:example-idp'] = [
+ $metadata['https://example.org/saml-idp'] = [
[....]
'auth' => 'example-userpass',
'saml20.sendartifact' => TRUE,
@@ -89,7 +89,7 @@ You may therefore have to add the webserver certificate to the metadata that you
To do this, you need to set the `https.certificate` option in the `saml20-idp-hosted` metadata file.
That option should refer to a file containing the webserver certificate.
- $metadata['urn:x-simplesamlphp:example-idp'] = [
+ $metadata['https://example.org/saml-idp'] = [
[....]
'auth' => 'example-userpass',
'saml20.sendartifact' => TRUE,
diff --git a/docs/simplesamlphp-authproc.md b/docs/simplesamlphp-authproc.md
index a8ab604b702e70fc4064d528c7ef51eff36bbfc8..3d0bad674c22c1e72ddf4e1e33b4f99f0b9d3190 100644
--- a/docs/simplesamlphp-authproc.md
+++ b/docs/simplesamlphp-authproc.md
@@ -99,7 +99,7 @@ The filters in `authproc.sp` will be executed at the SP side regardless of which
Filters can be added both in `hosted` and `remote` metadata. Here is an example of a filter added in a metadata file:
```php
-'urn:x-simplesamlphp:example-idp' => [
+'https://example.org/saml-idp' => [
'host' => '__DEFAULT_',
'privatekey' => 'example.org.pem',
'certificate' => 'example.org.crt',
diff --git a/docs/simplesamlphp-customauth.md b/docs/simplesamlphp-customauth.md
index cb3fe97739167c30ea7f2e80e45c9af937792acf..2e48d002a7bd1dbf87ba2409ef340b2b92fba909 100644
--- a/docs/simplesamlphp-customauth.md
+++ b/docs/simplesamlphp-customauth.md
@@ -120,7 +120,7 @@ In that file you should locate the `auth`-option for your IdP, and change it to
<?php
/* ... */
- $metadata['urn:x-simplesamlphp:example-idp'] = [
+ $metadata['https://example.org/saml-idp'] = [
/* ... */
/*
* Authentication source to use. Must be one that is configured in
diff --git a/docs/simplesamlphp-ecp-idp.md b/docs/simplesamlphp-ecp-idp.md
index c61818dcc437672139091ec900ba4bf3b4736bbc..54e291971ad613e7b996967a04343f9f4170f5dc 100644
--- a/docs/simplesamlphp-ecp-idp.md
+++ b/docs/simplesamlphp-ecp-idp.md
@@ -19,7 +19,7 @@ Enabling ECP Profile on the IdP
To enable the IdP to send ECP assertions you must add the `saml20.ecp` option to the `saml20-idp-hosted` metadata file:
- $metadata['urn:x-simplesamlphp:example-idp'] = [
+ $metadata['https://example.org/saml-idp'] = [
[....]
'auth' => 'example-userpass',
'saml20.ecp' => true,
diff --git a/docs/simplesamlphp-googleapps.md b/docs/simplesamlphp-googleapps.md
index 3058d97b38926a6ec4e98d154d1e6ff237fd7714..1eedd439affe0ab71c651fe0ae208fbdd82512f3 100644
--- a/docs/simplesamlphp-googleapps.md
+++ b/docs/simplesamlphp-googleapps.md
@@ -132,7 +132,7 @@ This is the configuration of the IdP itself. Here is some example config:
```php
// The SAML entity ID is the index of this config.
-$metadata['urn:x-simplesamlphp:example-idp'] => [
+$metadata['https://example.org/saml-idp'] => [
// The hostname of the server (VHOST) that this SAML entity will use.
'host' => '__DEFAULT__',
diff --git a/docs/simplesamlphp-hok-idp.md b/docs/simplesamlphp-hok-idp.md
index 872fc05bfa7b1effb697a926a3226d953279a9f6..ae055188405597feb0c07496368178b586f6c167 100644
--- a/docs/simplesamlphp-hok-idp.md
+++ b/docs/simplesamlphp-hok-idp.md
@@ -29,7 +29,7 @@ Enabling HoK SSO Profile on the IdP
To enable the IdP to send HoK assertions you must add the `saml20.hok.assertion` option to the `saml20-idp-hosted` metadata file:
- $metadata['urn:x-simplesamlphp:example-idp'] = [
+ $metadata['https://example.org/saml-idp'] = [
[....]
'auth' => 'example-userpass',
'saml20.hok.assertion' => TRUE,
diff --git a/docs/simplesamlphp-idp.md b/docs/simplesamlphp-idp.md
index 2ba329a11222b7cadfcbd13fcc2e508dc59d6427..b52ea0d5e39df87b4caf81675b596b786c797974 100644
--- a/docs/simplesamlphp-idp.md
+++ b/docs/simplesamlphp-idp.md
@@ -142,7 +142,7 @@ The SAML 2.0 IdP is configured by the metadata stored in
This is a minimal configuration:
<?php
- $metadata['urn:x-simplesamlphp:example-idp'] = [
+ $metadata['https://example.org/saml-idp'] = [
/*
* The hostname for this IdP. This makes it possible to run multiple
* IdPs from the same configuration. '__DEFAULT__' means that this one
diff --git a/docs/simplesamlphp-metadata-extensions-attributes.md b/docs/simplesamlphp-metadata-extensions-attributes.md
index e9374011693793bb02d2b47b18db6c0e17d1b113..0eb03e096e2d074131341d669c95b403df8cdf1e 100644
--- a/docs/simplesamlphp-metadata-extensions-attributes.md
+++ b/docs/simplesamlphp-metadata-extensions-attributes.md
@@ -1,12 +1,6 @@
SAML V2.0 Metadata Attribute Extensions
=======================================
-<!--
- This file is written in Markdown syntax.
- For more information about how to use the Markdown syntax, read here:
- http://daringfireball.net/projects/markdown/syntax
--->
-
[TOC]
This is a reference for the SimpleSAMLphp implementation of the [SAML
@@ -76,7 +70,7 @@ Examples
If given the following configuration...
- $metadata['https://www.example.com/saml/saml2/idp/metadata.php'] = [
+ $metadata['https://example.com/saml-idp'] = [
'host' => 'www.example.com',
'certificate' => 'example.com.crt',
'privatekey' => 'example.com.pem',
@@ -91,7 +85,7 @@ If given the following configuration...
... will generate the following XML metadata:
<?xml version="1.0"?>
- <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.example.com/saml/saml2/idp/metadata.php">
+ <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example.com/saml-idp">
<md:Extensions>
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="urn:simplesamlphp:v1:simplesamlphp" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
diff --git a/docs/simplesamlphp-metadata-extensions-rpi.md b/docs/simplesamlphp-metadata-extensions-rpi.md
index 9371cd89c2e71e0352ca8852b128aa58d888ed1e..896105109cea13bdb5234fc90da4ac3f2780591e 100644
--- a/docs/simplesamlphp-metadata-extensions-rpi.md
+++ b/docs/simplesamlphp-metadata-extensions-rpi.md
@@ -72,7 +72,7 @@ Service Provider:
Identity Provider:
- $metadata['urn:x-simplesamlphp:example-idp'] = [
+ $metadata['https://example.org/saml-idp'] = [
'host' => '__DEFAULT__',
...
'RegistrationInfo' => [
diff --git a/docs/simplesamlphp-metadata-extensions-ui.md b/docs/simplesamlphp-metadata-extensions-ui.md
index 4791bd730ed12f94b1ebfe755802614131870a18..2d131609e6609bc66cffad096667d0690c2f8817 100644
--- a/docs/simplesamlphp-metadata-extensions-ui.md
+++ b/docs/simplesamlphp-metadata-extensions-ui.md
@@ -1,14 +1,6 @@
SAML V2.0 Metadata Extensions for Login and Discovery User Interface
=============================
-<!--
- This file is written in Markdown syntax.
- For more information about how to use the Markdown syntax, read here:
- http://daringfireball.net/projects/markdown/syntax
--->
-
- * Author: Timothy Ace [tace@synacor.com](mailto:tace@synacor.com)
-
[TOC]
This is a reference for the SimpleSAMLphp implementation of the [SAML
@@ -209,7 +201,7 @@ Generated XML Metadata Examples
If given the following configuration...
- $metadata['https://www.example.com/saml/saml2/idp/metadata.php'] = [
+ $metadata['https://example.com/saml-idp'] = [
'host' => 'www.example.com',
'certificate' => 'example.com.crt',
'privatekey' => 'example.com.pem',
@@ -259,7 +251,7 @@ If given the following configuration...
... will generate the following XML metadata:
<?xml version="1.0"?>
- <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.example.com/saml/saml2/idp/metadata.php">
+ <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example.com/saml-idp">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:Extensions>
<mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
diff --git a/docs/simplesamlphp-modules.md b/docs/simplesamlphp-modules.md
index 15fcdf08dd12ba7280c7c126a5818b99f3f3d185..3b38eb0fc072f1fd194aa161c607e006d09c6748 100644
--- a/docs/simplesamlphp-modules.md
+++ b/docs/simplesamlphp-modules.md
@@ -154,7 +154,7 @@ this:
To use this authentication source in a SAML 2.0 IdP, set the
`auth`-option of the IdP to `'example-static'`:
- 'urn:x-simplesamlphp:example-idp' => [
+ 'https://example.org/saml-idp' => [
'host' => '__DEFAULT__',
'privatekey' => 'example.org.pem',
'certificate' => 'example.org.crt',
diff --git a/docs/simplesamlphp-reference-idp-hosted.md b/docs/simplesamlphp-reference-idp-hosted.md
index 7b7740961a1830d7834dcbb86c4ae577b444f860..6a3f11ef752cfc52d838c4b393b2b879e80ceb77 100644
--- a/docs/simplesamlphp-reference-idp-hosted.md
+++ b/docs/simplesamlphp-reference-idp-hosted.md
@@ -18,7 +18,17 @@ Both files have the following format:
];
/* ... */
-The entity ID must be a URI.
+The entity ID must be a URI, that is unlikely to change for technical or
+political reasons. We recommend it to be a domain name you own.
+The URL does not have to resolve to actual content, it's
+just an identifier. If your organization's domain is `example.org`:
+
+ https://example.org/saml-idp
+
+For guidance in picking an entityID, see
+[InCommon's best practice](https://spaces.at.internet2.edu/display/federation/saml-metadata-entityid)
+on the matter.
+
The `host` option is the hostname of the IdP, and will be used to
select the correct configuration. One entry in the metadata-list can
@@ -391,7 +401,7 @@ These are some examples of IdP metadata
<?php
- $metadata['urn:x-simplesamlphp:example-idp'] = [
+ $metadata['https://example.org/saml-idp'] = [
/*
* We use '__DEFAULT__' as the hostname so we won't have to
* enter a hostname.
@@ -420,7 +430,7 @@ $republishTarget = $dom->createElementNS('http://eduid.cz/schema/metadata/1.0',
$republishRequest->appendChild($republishTarget);
$ext = [new \SAML2\XML\Chunk($republishRequest)];
-$metadata['urn:x-simplesamlphp:example-idp'] = [
+$metadata['https://example.org/saml-idp'] = [
'host' => '__DEFAULT__',
'certificate' => 'example.org.crt',
'privatekey' => 'example.org.pem',
diff --git a/docs/simplesamlphp-sp.md b/docs/simplesamlphp-sp.md
index 6aade7b6350ee66c99b1c7f39166af6e3d41a521..5df29f4a3b27fb7607732710448c2fb49fca4079 100644
--- a/docs/simplesamlphp-sp.md
+++ b/docs/simplesamlphp-sp.md
@@ -22,10 +22,20 @@ $config = [
/* This is the name of this authentication source, and will be used to access it later. */
'default-sp' => [
'saml:SP',
- 'entityID' => 'https://sp1.example.org/',
+ 'entityID' => 'https://myapp.example.org/',
],
];
```
+The entity ID must be a URI, that is unlikely to change for technical or
+political reasons. We recommend it to be a domain name that you own.
+Like above, if your organization's main domain is `example.org` and this SP is
+for the application `myapp`. The URL does not have to resolve to actual
+content, it's just an identifier. Hence you don't need to and should not change
+it if the actual domain of your application changes.
+
+For guidance in picking an entityID, see
+[InCommon's best practice](https://spaces.at.internet2.edu/display/federation/saml-metadata-entityid)
+on the matter.
For more information about additional options available for the SP,
see the [`saml:SP` reference](./saml:sp).
@@ -37,11 +47,11 @@ remember to set the EntityID explicitly. Here is an example:
```php
'sp1' => [
'saml:SP',
- 'entityID' => 'https://sp1.example.org/',
+ 'entityID' => 'https://myapp.example.org/',
],
'sp2' => [
'saml:SP',
- 'entityID' => 'https://sp2.example.org/',
+ 'entityID' => 'https://myotherapp.example.org/',
],
```
@@ -64,6 +74,7 @@ Then edit your `authsources.php` entry, and add references to your certificate:
```php
'default-sp' => [
'saml:SP',
+ 'entityID' => 'https://myapp.example.org/',
'privatekey' => 'saml.pem',
'certificate' => 'saml.crt',
],
@@ -81,9 +92,9 @@ metadata file:
```php
<?php
-$metadata['https://example.com'] = [
- 'SingleSignOnService' => 'https://example.com/simplesaml/saml2/idp/SSOService.php',
- 'SingleLogoutService' => 'https://example.com/simplesaml/saml2/idp/SingleLogoutService.php',
+$metadata['https://example.org/saml-idp'] = [
+ 'SingleSignOnService' => 'https://example.org/simplesaml/saml2/idp/SSOService.php',
+ 'SingleLogoutService' => 'https://example.org/simplesaml/saml2/idp/SingleLogoutService.php',
'certificate' => 'example.pem',
];
```
@@ -120,7 +131,7 @@ $config = [
* The entity ID of the IdP this should SP should contact.
* Can be NULL/unset, in which case the user will be shown a list of available IdPs.
*/
- 'idp' => 'https://idp.example.com',
+ 'idp' => 'https://example.org/saml-idp',
],
];
```
@@ -217,7 +228,7 @@ We can also request authentication with a specific IdP:
```php
$as->login([
- 'saml:idp' => 'https://idp.example.org/',
+ 'saml:idp' => 'https://example.org/saml-idp',
]);
```
diff --git a/modules/multiauth/docs/multiauth.md b/modules/multiauth/docs/multiauth.md
index bd08dc8b6f67c5ec72bc11a95ec9fa38bf8a427d..4b68bdecbebce2e910c146e28be0c7d002271f56 100644
--- a/modules/multiauth/docs/multiauth.md
+++ b/modules/multiauth/docs/multiauth.md
@@ -50,7 +50,7 @@ authentication source:
'example-saml' => [
'saml:SP',
- 'entityId' => 'my-entity-id',
+ 'entityId' => 'https://myapp.example.org',
'idp' => 'my-idp',
],
diff --git a/modules/saml/docs/sp.md b/modules/saml/docs/sp.md
index 26f6c8b1270ae8fb23bce2048c338c2941c0e6be..ed133bc69cebaf731865e49084c94425fafdbbb7 100644
--- a/modules/saml/docs/sp.md
+++ b/modules/saml/docs/sp.md
@@ -239,8 +239,16 @@ Options
`entityID`
: The entity ID this SP should use.
-: If this option is unset, a default entity ID will be generated.
- The generated entity ID will be a URL where the metadata of this SP can be downloaded.
+: The entity ID must be a URI, that is unlikely to change for technical or political
+ reasons. We recommend it to be a domain name, like above, if your organization's main
+ domain is `example.org` and this SP is for the application `myapp`.
+ The URL does not have to resolve to actual content, it's
+ just an identifier. Hence you don't need to and should not change it if the actual domain
+ of your application changes.
+
+: For guidance in picking an entityID, see
+ [InCommon's best practice](https://spaces.at.internet2.edu/display/federation/saml-metadata-entityid)
+ on the matter.
`ForceAuthn`
: Force authentication allows you to force re-authentication of users even if the user has a SSO session at the IdP.
@@ -420,20 +428,15 @@ Here we will list some examples for this authentication source.
'example-minimal' => [
'saml:SP',
+ 'entityID' => 'https://myapp.example.org',
],
### Connecting to a specific IdP
'example' => [
'saml:SP',
- 'idp' => 'https://idp.example.net/',
- ],
-
-### Using a specific entity ID
-
- 'example' => [
- 'saml:SP',
- 'entityID' => 'https://sp.example.net',
+ 'entityID' => 'https://myapp.example.org',
+ 'idp' => 'https://example.net/saml-idp',
],
### Encryption and signing
@@ -442,6 +445,7 @@ Here we will list some examples for this authentication source.
'example-enc' => [
'saml:SP',
+ 'entityID' => 'https://myapp.example.org',
'certificate' => 'example.crt',
'privatekey' => 'example.key',
@@ -457,6 +461,7 @@ Here we will list some examples for this authentication source.
'example-attributes => [
'saml:SP',
+ 'entityID' => 'https://myapp.example.org',
'name' => [ // Name required for AttributeConsumingService-element.
'en' => 'Example service',
'no' => 'Eksempeltjeneste',
@@ -479,6 +484,7 @@ Here we will list some examples for this authentication source.
'example-acs-limit' => [
'saml:SP',
+ 'entityID' => 'https://myapp.example.org',
'acs.Bindings' => [
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
],