diff --git a/docs/resources/simplesamlphp-googleapps/googleapps-cert.png b/docs/resources/simplesamlphp-googleapps/googleapps-cert.png
new file mode 100644
index 0000000000000000000000000000000000000000..a07187fa13441e0d5e8f87228f89e94eaa6acb2a
Binary files /dev/null and b/docs/resources/simplesamlphp-googleapps/googleapps-cert.png differ
diff --git a/docs/resources/simplesamlphp-googleapps/googleapps-menu.png b/docs/resources/simplesamlphp-googleapps/googleapps-menu.png
new file mode 100644
index 0000000000000000000000000000000000000000..0690ccd455a362b900f8d7a9eebee53ee110aa2b
Binary files /dev/null and b/docs/resources/simplesamlphp-googleapps/googleapps-menu.png differ
diff --git a/docs/resources/simplesamlphp-googleapps/googleapps-sso.png b/docs/resources/simplesamlphp-googleapps/googleapps-sso.png
new file mode 100644
index 0000000000000000000000000000000000000000..ddeeb21e1e64e338023afb8ec339ff7f0f01abef
Binary files /dev/null and b/docs/resources/simplesamlphp-googleapps/googleapps-sso.png differ
diff --git a/docs/resources/simplesamlphp-googleapps/googleapps-ssoconfig.png b/docs/resources/simplesamlphp-googleapps/googleapps-ssoconfig.png
new file mode 100644
index 0000000000000000000000000000000000000000..630dc5b8161ac2bbb2f2e69a77971e6b66413dcd
Binary files /dev/null and b/docs/resources/simplesamlphp-googleapps/googleapps-ssoconfig.png differ
diff --git a/docs/simplesamlphp-bridge.html b/docs/simplesamlphp-bridge.html
index e65afc6e786eea2eeda3288ec5ee3eed217d2555..aeb3faf9ccfc948cddd14c2e47ac324ccf78f794 100644
--- a/docs/simplesamlphp-bridge.html
+++ b/docs/simplesamlphp-bridge.html
@@ -1,5 +1,5 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Using simpleSAMLphp as a SAML bridge</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721994"></a>Using simpleSAMLphp as a SAML bridge</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Ă…kre</span> <span class="surname">Solberg</span></h3><code class="email"><<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>></code></div></div><div><p class="pubdate">Mon Oct 15 16:53:14 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856632">Setting up WebSSO bridges</a></span></dt><dd><dl><dt><span class="section"><a href="#id856643">Bridging SAML 2.0 <-> SAML 2.0</a></span></dt><dt><span class="section"><a href="#id856690">Bridging Shibboleth 1.3 <-> Shibboleth 1.3</a></span></dt><dt><span class="section"><a href="#id856701">Bridging Shibboleth 1.3 <-> SAML 2.0</a></span></dt><dt><span class="section"><a href="#id856712">Bridging SAML 2.0 <-> Shibboleth 1.3</a></span></dt><dt><span class="section"><a href="#id856721">Bridging SAML 2.0 <-> OpenID</a></span></dt><dt><span class="section"><a href="#id856731">Bridging Shibboelth 1.3 <-> OpenID</a></span></dt></dl></dd></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856632"></a>Setting up WebSSO bridges</h2></div></div></div><p>simpleSAMLphp can be used to bridge between two WebSSO protocols.
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Using simpleSAMLphp as a SAML bridge</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721994"></a>Using simpleSAMLphp as a SAML bridge</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Ă…kre</span> <span class="surname">Solberg</span></h3><code class="email"><<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>></code></div></div><div><p class="pubdate">Sun Oct 21 13:48:37 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856632">Setting up WebSSO bridges</a></span></dt><dd><dl><dt><span class="section"><a href="#id856643">Bridging SAML 2.0 <-> SAML 2.0</a></span></dt><dt><span class="section"><a href="#id856690">Bridging Shibboleth 1.3 <-> Shibboleth 1.3</a></span></dt><dt><span class="section"><a href="#id856701">Bridging Shibboleth 1.3 <-> SAML 2.0</a></span></dt><dt><span class="section"><a href="#id856712">Bridging SAML 2.0 <-> Shibboleth 1.3</a></span></dt><dt><span class="section"><a href="#id856721">Bridging SAML 2.0 <-> OpenID</a></span></dt><dt><span class="section"><a href="#id856731">Bridging Shibboelth 1.3 <-> OpenID</a></span></dt></dl></dd><dt><span class="section"><a href="#id856743">Support</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856632"></a>Setting up WebSSO bridges</h2></div></div></div><p>simpleSAMLphp can be used to bridge between two WebSSO protocols.
Here is some short descriptions of how to setup the different bridge
configurations.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856643"></a>Bridging SAML 2.0 <-> SAML 2.0</h3></div></div></div><p>In this setup you can bridge between two federations using SAML
2.0.</p><p>To approach this, you must configure both saml 2.0 IdP and SP
@@ -8,4 +8,8 @@
parameter to the initalization endpoint.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This section of the documentation is only a placeholder. There
will be more detailed information added later. For now, ask the author
if you want more details of such a setup.</p><p>Briding SAML 2.0 SLO is not implemented. Will be improved
- soon.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856690"></a>Bridging Shibboleth 1.3 <-> Shibboleth 1.3</h3></div></div></div><p>Documentation will be added.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856701"></a>Bridging Shibboleth 1.3 <-> SAML 2.0</h3></div></div></div><p>Documentation will be added.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856712"></a>Bridging SAML 2.0 <-> Shibboleth 1.3</h3></div></div></div><p>Documentation will be added.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856721"></a>Bridging SAML 2.0 <-> OpenID</h3></div></div></div><p>Documentation will be added.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856731"></a>Bridging Shibboelth 1.3 <-> OpenID</h3></div></div></div><p>Documentation will be added.</p></div></div></div></body></html>
+ soon.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856690"></a>Bridging Shibboleth 1.3 <-> Shibboleth 1.3</h3></div></div></div><p>Documentation will be added.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856701"></a>Bridging Shibboleth 1.3 <-> SAML 2.0</h3></div></div></div><p>Documentation will be added.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856712"></a>Bridging SAML 2.0 <-> Shibboleth 1.3</h3></div></div></div><p>Documentation will be added.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856721"></a>Bridging SAML 2.0 <-> OpenID</h3></div></div></div><p>Documentation will be added.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856731"></a>Bridging Shibboelth 1.3 <-> OpenID</h3></div></div></div><p>Documentation will be added.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856743"></a>Support</h2></div></div></div><p>If you have problems to get this work, or want to discuss
+ simpleSAMLphp with other users of the software you are lucky! Around
+ simpleSAMLphp there is a great Open source community, and you are welcome
+ to join! Both for asking question, answer other questions, request
+ improvements or contribute with code or plugins of your own.</p><p>Visit the project page of simpleSAMLphp at: <a href="http://code.google.com/p/simplesamlphp/" target="_top">http://code.google.com/p/simplesamlphp/</a></p><p>And please join the mailinglist: <a href="???" target="_top">https://postlister.uninett.no/sympa/subscribe/simplesaml</a></p></div></div></body></html>
diff --git a/docs/simplesamlphp-googleapps.html b/docs/simplesamlphp-googleapps.html
new file mode 100644
index 0000000000000000000000000000000000000000..6c1520ba96a50ac36d4818977eddd70825d802e0
--- /dev/null
+++ b/docs/simplesamlphp-googleapps.html
@@ -0,0 +1,123 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Setting up a simpleSAMLphp SAML 2.0 IdP to use with Google Apps for
+ Education</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721994"></a>Setting up a simpleSAMLphp SAML 2.0 IdP to use with Google Apps for
+ Education</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Ă…kre</span> <span class="surname">Solberg</span></h3><code class="email"><<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>></code></div></div><div><p class="pubdate">Sun Oct 21 13:51:26 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856634">Introduction</a></span></dt><dt><span class="section"><a href="#id856660">Setting up a SSL signing certificate</a></span></dt><dt><span class="section"><a href="#sect.authmodule">Authentication modules</a></span></dt><dd><dl><dt><span class="section"><a href="#id856829">Configuring the LDAP authentication module</a></span></dt><dt><span class="section"><a href="#id856898">Configuring the multi-LDAP authenticaiton module</a></span></dt></dl></dd><dt><span class="section"><a href="#id856923">Configuring metadata for an SAML 2.0 IdP</a></span></dt><dd><dl><dt><span class="section"><a href="#id856944">Configuring SAML 2.0 IdP Hosted metadata</a></span></dt><dt><span class="section"><a href="#id857092">Configuring SAML 2.0 SP Remote metadata</a></span></dt></dl></dd><dt><span class="section"><a href="#id857145">Configure Google Apps for education</a></span></dt><dd><dl><dt><span class="section"><a href="#id857301">Add a user in Google Apps that is also in the IdP</a></span></dt></dl></dd><dt><span class="section"><a href="#id857317">Test to login to Google Apps for education</a></span></dt><dt><span class="section"><a href="#id857341">Security Considerations</a></span></dt><dt><span class="section"><a href="#id857358">Support</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856634"></a>Introduction</h2></div></div></div><p>This article assumes that you have already read the simpleSAMLphp
+ installation manual, and installed a version of simpleSAMLphp at your
+ server.</p><p>In this example we will setup this server as an IdP for Google Apps
+ for Education:</p><div class="literallayout"><p>dev2.andreas.feide.no</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856660"></a>Setting up a SSL signing certificate</h2></div></div></div><p>For test purposes, you can skip this section, and use the included
+ certificate.</p><p>For a production system, uou must generate a new certificate for
+ your IdP.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>There is a certificate that follows this package that you can use
+ for test purposes, but off course <span class="emphasis"><em>NEVER</em></span> use this in
+ production as the private key is also included in the package and can be
+ downloaded by anyone.</p></div><p>Here is an examples of openssl commands to generate a new key and a
+ selfsigned certificate to use for signing SAML messages:</p><pre class="screen">openssl genrsa -des3 -out googleappsidp.key 1024
+openssl rsa -in googleappsidp.key -out googleappsidp.pem
+openssl req -new -key googleappsidp.key -out googleappsidp.csr
+openssl x509 -req -days 1095 -in googleappsidp.csr -signkey googleappsidp.key -out googleappsidp.crt</pre><p>The certificate above will be valid for 1095 days (3 years).</p><p>Here is an example of what can be typed in when creating a
+ certificate request:</p><pre class="screen">Country Name (2 letter code) [AU]:NO
+State or Province Name (full name) [Some-State]:Trondheim
+Locality Name (eg, city) []:Trondheim
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:UNINETT
+Organizational Unit Name (eg, section) []:
+Common Name (eg, YOUR name) []:dev2.andreas.feide.no
+Email Address []:
+
+Please enter the following 'extra' attributes
+to be sent with your certificate request
+A challenge password []:
+An optional company name []:</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>simpleSAMLphp will only work with RSA and not DSA
+ certificates.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="sect.authmodule"></a>Authentication modules</h2></div></div></div><p>You will need to connect the IdP to your existing user storage. For
+ different technologies of user storage, there are different authentication
+ modules.</p><p>In the <code class="filename">www/auth</code> directory, you see multiple
+ files, each representing an authentication module. In the IdP hosted
+ metadata configuration you specify which authentication module that should
+ be used for that specific IdP. You can implement your own authentication
+ module, see the IdP documentation.</p><p>These authentication modules are included:</p><div class="glosslist"><dl><dt>auth/login.php</dt><dd><p>This is the standard LDAP backend authentication module, it
+ uses LDAP configuration from the config.php file.</p></dd><dt>auth/login-ldapmulti.php</dt><dd><p>This authentication module lets you connect to multiple LDAPS
+ depending on what organization the user selects in the login
+ form.</p></dd><dt>auth/login-radius.php</dt><dd><p>This authentication module will authenticate users against an
+ RADIUS server instead of LDAP.</p></dd><dt>auth/login-auto.php</dt><dd><p>This module will automatically login the user with some test
+ details. You can use this to test the IdP functionality if you do
+ not have</p><p>This module is not completed yet. Work in progress.</p></dd></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856829"></a>Configuring the LDAP authentication module</h3></div></div></div><p>The LDAP module is <code class="filename">auth/login.php</code>.</p><p>If you want to perform local authentication on this server, and
+ you want to use the LDAP authenticaiton plugin, then you need to
+ configure the following parameters in
+ <code class="filename">config.php</code>:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">auth.ldap.dnpattern</code>: What DN should you
+ bind to? Replacing %username% with the username the user types
+ in.</p></li><li><p><code class="literal">auth.ldap.hostname</code>: The hostname of the
+ LDAP server</p></li><li><p><code class="literal">auth.ldap.attributes</code>: Search parameter to
+ LDAP. What attributes should be extracted?
+ <code class="literal">objectclass=*</code> gives you all.</p></li></ul></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856898"></a>Configuring the multi-LDAP authenticaiton module</h3></div></div></div><p>The module is
+ <code class="filename">auth/login-ldapmulti.php</code>.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Documentation will be added later. For now, contact the
+ author.</p></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856923"></a>Configuring metadata for an SAML 2.0 IdP</h2></div></div></div><p>If you want to setup a SAML 2.0 IdP for Google Apps, you need to
+ configure two metadata files: <code class="filename">saml20-idp-hosted.php</code>
+ and <code class="filename">saml20-sp-remote.php</code>.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856944"></a>Configuring SAML 2.0 IdP Hosted metadata</h3></div></div></div><p>This is the configuration of the IdP itself. Here is some example
+ config:</p><pre class="programlisting"> // The SAML entity ID is the index of this config.
+ 'dev2.andreas.feide.no' => array(
+
+ // The hostname of the server (VHOST) that this SAML entity will use.
+ 'host' => 'sp.example.org',
+
+ // X.509 key and certificate. Relative to the cert directory.
+ 'privatekey' => 'googleappsidp.pem',
+ 'certificate' => 'googleappsidp.crt',
+
+ /* If base64attributes is set to true, then all attributes will be base64 encoded. Make sure
+ * that you set the SP to have the same value for this.
+ */
+ 'base64attributes' => false,
+
+ // Authentication plugin to use. login.php is the default one that uses LDAP.
+ 'auth' => 'auth/login.php'
+ )</pre><p>Here are some details of each of the parameters:</p><div class="glosslist"><dl><dt>index (index of array)</dt><dd><p>The entity ID of the IdP. In this example this value is set
+ to: <code class="literal">dev2.andreas.feide.no</code>.</p></dd><dt>host</dt><dd><p>The hostname of the server running this IdP, in this case:
+ <code class="literal">dev2.andreas.feide.no</code>.</p></dd><dt>privatekey</dt><dd><p>Pointing to the private key in PEM format, in the certs
+ directory. Remeber we created the <code class="literal">googleappsidp</code>
+ key?</p></dd><dt>certificate</dt><dd><p>Pointing to the certificate file in PEM format, in the certs
+ directory. Remeber we created the <code class="literal">googleappsidp</code>
+ key?</p></dd><dt>base64attributes</dt><dd><p>Google Apps do not want us to base64encode any attributes,
+ so we set it to <code class="literal">false</code>.</p></dd><dt>auth</dt><dd><p>Which authentication module to use? Default is:
+ <code class="filename">auth/login.php</code> which is the LDAP
+ authentication module. See the <a href="#sect.authmodule" title="Authentication modules">the section called “Authentication modules”</a>
+ for more information on the authentication modules.</p></dd></dl></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857092"></a>Configuring SAML 2.0 SP Remote metadata</h3></div></div></div><p>In the (saml20-sp-remote.php) file we will configure an entry for
+ Google Apps for education. There is already an entry for Google Apps in
+ the template, but we will change the domain name:</p><pre class="programlisting"> /*
+ * This example shows an example config that works with Google Apps for education.
+ * What is important is that you have an attribute in your IdP that maps to the local part of the email address
+ * at Google Apps. In example, if your google account is foo.com, and you have a user that has an email john@foo.com, then you
+ * must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the value of 'john'.
+ */
+ 'google.com' => array(
+ 'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
+ 'spNameQualifier' => 'google.com',
+ 'ForceAuthn' => 'false',
+ 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
+ 'simplesaml.nameidattribute' => 'uid',
+ 'simplesaml.attributes' => false
+ ),</pre><p>You also need to map some attribute from the IdP into the email
+ field sent to Google Apps. The attributes comes from the authentication
+ module, and in this example we have an LDAP that returns the uid
+ attribute. The uid attribute contains the local part of </p><p>What you need to do is modify the
+ <code class="literal">AssertionConsumerService</code> to include your Google Apps
+ domain name instead of <code class="literal">g.feide.no</code>.</p><p>To understand what the different parameters mean, see in the
+ <a href="simplesamlphp-idp.html" target="_top">simpleSAMLphp IdP
+ documentation</a>.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857145"></a>Configure Google Apps for education</h2></div></div></div><p>Now, we are ready to configure Google Apps to use our IdP. We start
+ by logging in to our Google Apps for education account panel. We then go
+ to "Advanced tools":</p><div class="figure"><a id="id857158"></a><p class="title"><b>Figure 1. We go to advanced tools</b></p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-googleapps/googleapps-menu.png" alt="We go to advanced tools" /></div></div></div><p>Then we go to "Set up single sign-on (SSO)":</p><div class="figure"><a id="id857185"></a><p class="title"><b>Figure 2. We go to setup SSO</b></p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-googleapps/googleapps-sso.png" alt="We go to setup SSO" /></div></div></div><p>Then, we start off by uploading a certificate, and we upload the
+ certificate we created in an earlier section, the googleappsidp.crt file:
+ </p><div class="figure"><a id="id857213"></a><p class="title"><b>Figure 3. Uploading certificate</b></p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-googleapps/googleapps-cert.png" alt="Uploading certificate" /></div></div></div><p>Then we need to fill out the remaining fields:</p><p>The important field to fill out is the Sign-in page URL. Set it to
+ something similar to:</p><div class="literallayout"><p>http://dev2.andreas.feide.no/simplesaml/saml2/idp/SSOService.php</p></div><p>but use the hostname of your IdP server.</p><p>The Sign-out page or change password url can be static pages on your
+ server.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Single Logout functionality with SAML 2.0 in simpleSAMlphp and
+ Google Apps is not yet fully tested. We will do more testing about that,
+ and then include a detailed descrition in this document.</p></div><p>The network mask, is which IP addresses that will be asked for SSO
+ login. IP addresses that do not match this mask will be presented with the
+ normal Google Apps login page.</p><div class="figure"><a id="id857278"></a><p class="title"><b>Figure 4. Fill out the remaining fields</b></p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-googleapps/googleapps-ssoconfig.png" alt="Fill out the remaining fields" /></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857301"></a>Add a user in Google Apps that is also in the IdP</h3></div></div></div><p>Add a new user in Google Apps, before we can test login. This user
+ needs to have the mail field to match the email prefix mapped from the
+ attribute as described in the metadata section.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857317"></a>Test to login to Google Apps for education</h2></div></div></div><p>Go to the URL of your mail account for this domain, the URL is
+ similar to the following:</p><div class="literallayout"><p>http://mail.google.com/a/yourgoogleappsdomain.com</p></div><p>but remember to replace with your own google apps domain
+ name.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857341"></a>Security Considerations</h2></div></div></div><p>You should make sure that your IdP server runs on HTTPS (SSL). Check
+ the Apache documentation if you need to know how to configure that.</p><p>And make sure you have switched away from the default certificate
+ that follows the simpleSAMLphp distribution.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857358"></a>Support</h2></div></div></div><p>If you have problems to get this work, or want to discuss
+ simpleSAMLphp with other users of the software you are lucky! Around
+ simpleSAMLphp there is a great Open source community, and you are welcome
+ to join! Both for asking question, answer other questions, request
+ improvements or contribute with code or plugins of your own.</p><p>Visit the project page of simpleSAMLphp at: <a href="http://code.google.com/p/simplesamlphp/" target="_top">http://code.google.com/p/simplesamlphp/</a></p><p>And please join the mailinglist: <a href="???" target="_top">https://postlister.uninett.no/sympa/subscribe/simplesaml</a></p></div></div></body></html>
diff --git a/docs/simplesamlphp-idp.html b/docs/simplesamlphp-idp.html
index 7558c976139eeff5b2a0a73413240a8e8276a792..7abad21e815a1cafb3ec8c3a122f1780dcb5e75b 100644
--- a/docs/simplesamlphp-idp.html
+++ b/docs/simplesamlphp-idp.html
@@ -1,5 +1,5 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Using simpleSAMLphp as an identity provider</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721993"></a>Using simpleSAMLphp as an identity provider</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Ă…kre</span> <span class="surname">Solberg</span></h3><code class="email"><<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>></code></div></div><div><p class="pubdate">Mon Oct 15 16:54:09 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856631">Authentication modules</a></span></dt><dd><dl><dt><span class="section"><a href="#id856727">Configuring the LDAP authentication module</a></span></dt><dt><span class="section"><a href="#id856794">Configuring the multi-LDAP authenticaiton module</a></span></dt></dl></dd><dt><span class="section"><a href="#id856819">Setting up a SSL signing certificate</a></span></dt><dt><span class="section"><a href="#id856875">Configuring metadata for an SAML 2.0 IdP</a></span></dt><dd><dl><dt><span class="section"><a href="#id856896">Configuring SAML 2.0 IdP Hosted metadata</a></span></dt><dt><span class="section"><a href="#id857020">Configuring SAML 2.0 SP Remote metadata</a></span></dt></dl></dd><dt><span class="section"><a href="#id857152">Configuring metadata for a Shibboleth 1.3 IdP</a></span></dt><dt><span class="section"><a href="#id857176">Test IdP</a></span></dt><dt><span class="appendix"><a href="#id857198">A. Writing your own authentication module</a></span></dt><dd><dl><dt><span class="section"><a href="#id857224">Authentication API</a></span></dt></dl></dd></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856631"></a>Authentication modules</h2></div></div></div><p>In the <code class="filename">www/auth</code> directory, you see multiple
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Using simpleSAMLphp as an identity provider</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721993"></a>Using simpleSAMLphp as an identity provider</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Ă…kre</span> <span class="surname">Solberg</span></h3><code class="email"><<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>></code></div></div><div><p class="pubdate">Sun Oct 21 13:49:41 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856631">Authentication modules</a></span></dt><dd><dl><dt><span class="section"><a href="#id856727">Configuring the LDAP authentication module</a></span></dt><dt><span class="section"><a href="#id856794">Configuring the multi-LDAP authenticaiton module</a></span></dt></dl></dd><dt><span class="section"><a href="#id856819">Setting up a SSL signing certificate</a></span></dt><dt><span class="section"><a href="#id856875">Configuring metadata for an SAML 2.0 IdP</a></span></dt><dd><dl><dt><span class="section"><a href="#id856896">Configuring SAML 2.0 IdP Hosted metadata</a></span></dt><dt><span class="section"><a href="#id857020">Configuring SAML 2.0 SP Remote metadata</a></span></dt></dl></dd><dt><span class="section"><a href="#id857152">Configuring metadata for a Shibboleth 1.3 IdP</a></span></dt><dt><span class="section"><a href="#id857176">Test IdP</a></span></dt><dt><span class="section"><a href="#id857198">Support</a></span></dt><dt><span class="appendix"><a href="#id857232">A. Writing your own authentication module</a></span></dt><dd><dl><dt><span class="section"><a href="#id857258">Authentication API</a></span></dt></dl></dd></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856631"></a>Authentication modules</h2></div></div></div><p>In the <code class="filename">www/auth</code> directory, you see multiple
files, each representing an authentication module. In the IdP hosted
metadata configuration you specify which authentication module that should
be used for that specific IdP. You can implement your own authentication
@@ -21,7 +21,7 @@
<code class="filename">auth/login-ldapmulti.php</code>.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Documentation will be added later. For now, contact the
author.</p></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856819"></a>Setting up a SSL signing certificate</h2></div></div></div><p>For test purposes, you can skip this section, and use the included
certificate.</p><p>For a production system, uou must generate a new certificate for
- your IdP. </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>There is a certificate that follows this package that you can use
+ your IdP.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>There is a certificate that follows this package that you can use
for test purposes, but off course <span class="emphasis"><em>NEVER</em></span> use this in
production as the private key is also included in the package and can be
downloaded by anyone.</p></div><p>Here is an examples of openssl commands to generate a new key and a
@@ -80,7 +80,11 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
so go look there for now.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857176"></a>Test IdP</h2></div></div></div><p>To test the IdP, it is best to configure two hosts with
simpleSAMLphp, and use the SP demo example to test the IdP.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>To make the initial test up and running with minimal hassle, use
the login-auto if you do not want to setup a user storage, and use the
- included cert so you do not need to create a new certificate.</p></div></div><div class="appendix" lang="en" xml:lang="en"><h2 class="title" style="clear: both"><a id="id857198"></a>A. Writing your own authentication module</h2><p>You can write your own authentication module. Just copy one of the
+ included cert so you do not need to create a new certificate.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857198"></a>Support</h2></div></div></div><p>If you have problems to get this work, or want to discuss
+ simpleSAMLphp with other users of the software you are lucky! Around
+ simpleSAMLphp there is a great Open source community, and you are welcome
+ to join! Both for asking question, answer other questions, request
+ improvements or contribute with code or plugins of your own.</p><p>Visit the project page of simpleSAMLphp at: <a href="http://code.google.com/p/simplesamlphp/" target="_top">http://code.google.com/p/simplesamlphp/</a></p><p>And please join the mailinglist: <a href="???" target="_top">https://postlister.uninett.no/sympa/subscribe/simplesaml</a></p></div><div class="appendix" lang="en" xml:lang="en"><h2 class="title" style="clear: both"><a id="id857232"></a>A. Writing your own authentication module</h2><p>You can write your own authentication module. Just copy one of the
files in the www/auth directory and play with it, then configure an IdP to
use that module with the auth parameter in the metadata. The file must
support incoming URL parameters, massage the session object with login
@@ -88,7 +92,7 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
to do!</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>Instead of changing the code of the builtin authentication module,
copy it into a new file and edit that. That way, your module will not be
replaced or in conflict when you upgrade simpleSAMLphp to a newer
- version.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857224"></a>Authentication API</h3></div></div></div><p>The authentication plugin should be placed in the auth
+ version.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857258"></a>Authentication API</h3></div></div></div><p>The authentication plugin should be placed in the auth
directory.</p><p>The following parameters must be accepted in the incomming
URL:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">RelayState</code>: This is the URL that the user
should be sent back to after authentication within the
diff --git a/docs/simplesamlphp-install.html b/docs/simplesamlphp-install.html
index 0e21aad77664406ac37cbe61667319ed207c156c..d9409e3ada1a563ee5aa1af32ffc024f13b8d911 100644
--- a/docs/simplesamlphp-install.html
+++ b/docs/simplesamlphp-install.html
@@ -1,5 +1,5 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>simpleSAMLphp Installation and Configuration</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721994"></a>simpleSAMLphp Installation and Configuration</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Ă…kre</span> <span class="surname">Solberg</span></h3><code class="email"><<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>></code></div></div><div><p class="pubdate">Mon Oct 15 16:54:59 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856632">The history of simpleSAMLphp</a></span></dt><dd><dl><dt><span class="section"><a href="#id856684">Contributors</a></span></dt></dl></dd><dt><span class="section"><a href="#id856714">Changelog</a></span></dt><dd><dl><dt><span class="section"><a href="#id856725">Version 0.5</a></span></dt><dt><span class="section"><a href="#id856841">Version 0.4</a></span></dt></dl></dd><dt><span class="section"><a href="#id856955">News about simpleSAMLphp</a></span></dt><dt><span class="section"><a href="#id856984">Download and install simpleSAMLphp</a></span></dt><dd><dl><dt><span class="section"><a href="#id857004">Getting a working copy of simpleSAMLphp from subversion</a></span></dt></dl></dd><dt><span class="section"><a href="#id857042">Making configuration and metadata files</a></span></dt><dt><span class="section"><a href="#id857065">Configuring apache</a></span></dt><dt><span class="section"><a href="#id857163">The simpleSAMLphp installation webpage</a></span></dt><dt><span class="section"><a href="#id857227">Next steps</a></span></dt><dt><span class="appendix"><a href="#sect.altlocations">A. Installing simpleSAMLphp in alternative locations</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856632"></a>The history of simpleSAMLphp</h2></div></div></div><p>simpleSAMLphp is an iteration of what was earlier referred to as
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>simpleSAMLphp Installation and Configuration</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721994"></a>simpleSAMLphp Installation and Configuration</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Ă…kre</span> <span class="surname">Solberg</span></h3><code class="email"><<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>></code></div></div><div><p class="pubdate">Sun Oct 21 11:56:20 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856632">The history of simpleSAMLphp</a></span></dt><dd><dl><dt><span class="section"><a href="#id856684">Contributors</a></span></dt></dl></dd><dt><span class="section"><a href="#id856714">Changelog</a></span></dt><dd><dl><dt><span class="section"><a href="#id856725">Version 0.5</a></span></dt><dt><span class="section"><a href="#id856847">Version 0.4</a></span></dt></dl></dd><dt><span class="section"><a href="#id856961">News about simpleSAMLphp</a></span></dt><dt><span class="section"><a href="#id856990">Download and install simpleSAMLphp</a></span></dt><dd><dl><dt><span class="section"><a href="#id857010">Getting a working copy of simpleSAMLphp from subversion</a></span></dt></dl></dd><dt><span class="section"><a href="#id857049">Making configuration and metadata files</a></span></dt><dt><span class="section"><a href="#id857078">Configuring apache</a></span></dt><dt><span class="section"><a href="#id857177">The simpleSAMLphp installation webpage</a></span></dt><dt><span class="section"><a href="#id857241">Next steps</a></span></dt><dt><span class="appendix"><a href="#sect.altlocations">A. Installing simpleSAMLphp in alternative locations</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856632"></a>The history of simpleSAMLphp</h2></div></div></div><p>simpleSAMLphp is an iteration of what was earlier referred to as
lightbulb (<a href="https://opensso.dev.java.net/public/extensions/" target="_top">Sun OpenSSO
Extensions</a>), written by <a href="http://blogs.sun.com/superpat/" target="_top">Pat Patterson, Sun</a>. There are
not much code left from lightbulb, but credits go to Pat for introducing a
@@ -7,14 +7,15 @@
a simple and elegant way.</p><p>The simpleSAMLphp project is currently led by <a href="http://claimid.com/erlang" target="_top">Andreas Åkre Solberg</a>, <a href="http://uninett.no" target="_top">UNINETT</a>.</p><p>The product is used to bridge AAI protocols in the GÉANT project,
<a href="http://geant2.net" target="_top">http://geant2.net</a>.</p><p>We have received a bunch of external contributions.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856684"></a>Contributors</h3></div></div></div><p>Thank you very much for your contributions to
simpleSAMLphp:</p><div class="itemizedlist"><ul type="disc"><li><p>Lukas Hammerle, SWITCH, Switzerland</p></li><li><p>Stefan Winter, Restena, Luxemborg</p></li></ul></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856714"></a>Changelog</h2></div></div></div><p>Here is changes between simpleSAML versions. Look here if you are
- upgrading, to see if there are any changes to the config format.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856725"></a>Version 0.5</h3></div></div></div><p>Released . Revision X.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Both config.php and metadata format is changed. Look at the
- templates to understand the new format.</p></div><div class="itemizedlist"><ul type="disc"><li><p>Documentation is updated!</p></li><li><p>Metadata files have been more tidy. Removed unused entries.
+ upgrading, to see if there are any changes to the config format.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856725"></a>Version 0.5</h3></div></div></div><p>Released 2007-10-15. Revision 28.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Both <code class="filename">config.php</code> and metadata format is
+ changed. Look at the templates to understand the new format.</p></div><div class="itemizedlist"><ul type="disc"><li><p>Documentation is updated!</p></li><li><p>Metadata files have been more tidy. Removed unused entries.
Look at the new templates on how to change your existing
metadata.</p></li><li><p>Support for sending metadata on mail to Feide. Automatically
- detecting if you have configured Feide as the default IdP.</p></li><li><p>Improved SAML 2.0 Metadata generation</p></li><li><p>Added support for Shibboleth 1.3 IdP functionality.</p></li><li><p>Added RADIUS authentication backend</p></li><li><p>Added support for HTTP-Redirect debugging when enable
+ detecting if you have configured Feide as the default IdP.</p></li><li><p>Improved SAML 2.0 Metadata generation</p></li><li><p>Added support for Shibboleth 1.3 IdP functionality (beta,
+ contact me if any problems)</p></li><li><p>Added RADIUS authentication backend</p></li><li><p>Added support for HTTP-Redirect debugging when enable
<code class="literal">debug=true</code></p></li><li><p>SAML 2.0 SP example now contains a logout page.</p></li><li><p>Added new authentication backend with support for multiple
LDAP based on which organization the user selects.</p></li><li><p>Added SAML 2.0 Discovery Service</p></li><li><p>Initial proof of concept implementation of "User consent on
- attribute release"</p></li><li><p>Fixed some minor bugs.</p></li></ul></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856841"></a>Version 0.4</h3></div></div></div><p>Released 2007-09-14. Revision X.</p><div class="itemizedlist"><ul type="disc"><li><p>Improved documentation</p></li><li><p>Authentication plugin API. Only LDAP authenticaiton plugin is
+ attribute release"</p></li><li><p>Fixed some minor bugs.</p></li></ul></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856847"></a>Version 0.4</h3></div></div></div><p>Released 2007-09-14. Revision X.</p><div class="itemizedlist"><ul type="disc"><li><p>Improved documentation</p></li><li><p>Authentication plugin API. Only LDAP authenticaiton plugin is
included, but it is now easier to implement your own plugin.</p></li><li><p>Added support for SAML 2.0 IdP to work with Google Apps for
Education. Tested.</p></li><li><p>Initial implementation of SAML 2.0 Single Log-Out
functionality both for SP and IdP. Seems to work, but not yet
@@ -28,15 +29,15 @@
environments.</p></li><li><p>Cleaned out some debug messages, and added a debug option in
the configuration file. This debug option let's you turn on the
possibility of showing all SAML messages to users in the web
- browser, and manually submit them.</p></li><li><p>Several minor bugfixes.</p></li></ul></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856955"></a>News about simpleSAMLphp</h2></div></div></div><p>To get the latest news about simpleSAMLphp you can follow this url:
- <a href="http://rnd.feide.no/category/simplesamlphp/" target="_top">http://rnd.feide.no/category/simplesamlphp/</a>.</p><p>Currently simpleSAMLphp has a project page at Google Code:</p><p><a href="http://code.google.com/p/simplesamlphp/" target="_top">http://code.google.com/p/simplesamlphp/</a></p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856984"></a>Download and install simpleSAMLphp</h2></div></div></div><p>You can go to <a href="http://code.google.com/p/simplesamlphp/" target="_top">code.google.com/p/simplesamlphp/</a>
+ browser, and manually submit them.</p></li><li><p>Several minor bugfixes.</p></li></ul></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856961"></a>News about simpleSAMLphp</h2></div></div></div><p>To get the latest news about simpleSAMLphp you can follow this url:
+ <a href="http://rnd.feide.no/category/simplesamlphp/" target="_top">http://rnd.feide.no/category/simplesamlphp/</a>.</p><p>Currently simpleSAMLphp has a project page at Google Code:</p><p><a href="http://code.google.com/p/simplesamlphp/" target="_top">http://code.google.com/p/simplesamlphp/</a></p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856990"></a>Download and install simpleSAMLphp</h2></div></div></div><p>You can go to <a href="http://code.google.com/p/simplesamlphp/" target="_top">code.google.com/p/simplesamlphp/</a>
to find the most recent release of simpleSAMLphp. Download the zipped
file, and unzip it on your webserver. However I hightly reccomend running
- from a subversion checkout instead.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857004"></a>Getting a working copy of simpleSAMLphp from subversion</h3></div></div></div><p>Go to the directory where you want to install
+ from a subversion checkout instead.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857010"></a>Getting a working copy of simpleSAMLphp from subversion</h3></div></div></div><p>Go to the directory where you want to install
simpleSAMLphp:</p><pre class="screen">cd /var</pre><p>Then do a subversion checkout:</p><pre class="screen">svn checkout http://simplesamlphp.googlecode.com/svn/trunk/ simplesamlphp</pre><p>If you know subversion you know how to view logs and review
changes to the files. To update the version you have checked out,
enter:</p><pre class="screen">cd /var/simplesamlphp
-svn up</pre></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857042"></a>Making configuration and metadata files</h2></div></div></div><p>Configuration and metadata files are stored in a template format,
+svn up</pre></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857049"></a>Making configuration and metadata files</h2></div></div></div><p>Configuration and metadata files are stored in a template format,
you need to copy them to have your local copies. The reason why it is done
this way, is that when you upgrade you can do svn up in subversion or just
copy the whole directory over your installation, without replacing your
@@ -46,7 +47,7 @@ svn up</pre></div></div><div class="section" lang="en" xml:lang="en"><div class=
files:</p><pre class="screen">cd /var/simplesamlphp
cp config/config-template.php config/config.php
cp -r metadata-templates/*.php metadata/
-</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857065"></a>Configuring apache</h2></div></div></div><p>In this example simpleSAMLphp is located in
+</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857078"></a>Configuring apache</h2></div></div></div><p>In this example simpleSAMLphp is located in
<code class="filename">/var/simplesamlphp</code>, that is the default location. If
you want to modify this location, you can do so freely, but then you need
to update the path in a few files. <a href="#sect.altlocations" title="A. Installing simpleSAMLphp in alternative locations">I
@@ -70,13 +71,13 @@ cp -r metadata-templates/*.php metadata/
<code class="filename">config.php</code> file of simpleSAML as described in ???. Here is an example of how this configuration may
look like in <code class="filename">config.php</code>:</p><pre class="programlisting">$config = array (
[...]
- 'baseurlpath' => 'simplesaml/',</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857163"></a>The simpleSAMLphp installation webpage</h2></div></div></div><p>When you have installed simpleSAMLphp, you can access the homepage
+ 'baseurlpath' => 'simplesaml/',</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857177"></a>The simpleSAMLphp installation webpage</h2></div></div></div><p>When you have installed simpleSAMLphp, you can access the homepage
of your installation, which contains some information and a few links to
the test services. The url of an installation can be in example:</p><div class="literallayout"><p>https://service.example.com/simplesaml/</p></div><p>The exact link depends on how you set it up with apache and off
course your hostname.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Don't click on any of the links yet, because they require you to
eigther have setup simpleSAMLphp as an Service Provider or as an
Identity Provider.</p></div><p>Here is an example screenshot of what the simpleSAMLphp page looks
- like:</p><div class="figure"><a id="id857202"></a><p class="title"><b>Figure 1. Screenshot of the simpleSAMLphp installation page.</b></p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-install/screenshot-installationpage.png" alt="Screenshot of the simpleSAMLphp installation page." /></div></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857227"></a>Next steps</h2></div></div></div><p>You have now successfully installed simpleSAMLphp, and the next
+ like:</p><div class="figure"><a id="id857216"></a><p class="title"><b>Figure 1. Screenshot of the simpleSAMLphp installation page.</b></p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-install/screenshot-installationpage.png" alt="Screenshot of the simpleSAMLphp installation page." /></div></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857241"></a>Next steps</h2></div></div></div><p>You have now successfully installed simpleSAMLphp, and the next
steps depends on whether you want to setup a service provider, to protect
a website with authentication or if you want to setup an identity provider
and connect it to a user storage. We will also provide documentation on
diff --git a/docs/simplesamlphp-sp.html b/docs/simplesamlphp-sp.html
index f25821dbfe21942210f96124c88ab12f3b30abd6..abb73461f656d33132f26f2832aee7d7dd11a552 100644
--- a/docs/simplesamlphp-sp.html
+++ b/docs/simplesamlphp-sp.html
@@ -1,5 +1,5 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Using simpleSAMLphp as a Service Provider</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721993"></a>Using simpleSAMLphp as a Service Provider</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Ă…kre</span> <span class="surname">Solberg</span></h3><code class="email"><<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>></code></div></div><div><p class="pubdate">Mon Oct 15 16:55:49 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856631">Introduction</a></span></dt><dt><span class="section"><a href="#id856645">Configuring metadata for SAML 2.0 SP</a></span></dt><dd><dl><dt><span class="section"><a href="#id856660">Configuring SAML 2.0 SP Hosted metadata</a></span></dt><dt><span class="section"><a href="#id856786">Configuring SAML 2.0 IdP Remote metadata</a></span></dt><dt><span class="section"><a href="#id856919">Setting the default SAML 2.0 IdP</a></span></dt><dt><span class="section"><a href="#id856961">Using the SAML 2.0 IdP Discovery Service</a></span></dt></dl></dd><dt><span class="section"><a href="#id856988">Configuring metadata for Shibboleth 1.3 SP</a></span></dt><dd><dl><dt><span class="section"><a href="#id857004">Configuring Shibboleth 1.3 SP Hosted metadata</a></span></dt><dt><span class="section"><a href="#id857059">Configuring Shibboleth 1.3 IdP Remote metadata</a></span></dt></dl></dd><dt><span class="section"><a href="#id857142">Exchange metadata with the IdP</a></span></dt><dd><dl><dt><span class="section"><a href="#id857155">Automatically generation of SP metadata for SAML 2.0</a></span></dt></dl></dd><dt><span class="section"><a href="#id857220">Test the SAML 2.0 SP examples</a></span></dt><dt><span class="section"><a href="#id857271">Integrating authentication with your own application</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856631"></a>Introduction</h2></div></div></div><p>simpleSAMLphp can run as both a SAML 2.0 Service Provider and as a
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Using simpleSAMLphp as a Service Provider</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721993"></a>Using simpleSAMLphp as a Service Provider</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Ă…kre</span> <span class="surname">Solberg</span></h3><code class="email"><<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>></code></div></div><div><p class="pubdate">Sun Oct 21 13:50:29 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856631">Introduction</a></span></dt><dt><span class="section"><a href="#id856645">Configuring metadata for SAML 2.0 SP</a></span></dt><dd><dl><dt><span class="section"><a href="#id856660">Configuring SAML 2.0 SP Hosted metadata</a></span></dt><dt><span class="section"><a href="#id856786">Configuring SAML 2.0 IdP Remote metadata</a></span></dt><dt><span class="section"><a href="#id856919">Setting the default SAML 2.0 IdP</a></span></dt><dt><span class="section"><a href="#id856961">Using the SAML 2.0 IdP Discovery Service</a></span></dt></dl></dd><dt><span class="section"><a href="#id856988">Configuring metadata for Shibboleth 1.3 SP</a></span></dt><dd><dl><dt><span class="section"><a href="#id857004">Configuring Shibboleth 1.3 SP Hosted metadata</a></span></dt><dt><span class="section"><a href="#id857059">Configuring Shibboleth 1.3 IdP Remote metadata</a></span></dt></dl></dd><dt><span class="section"><a href="#id857142">Exchange metadata with the IdP</a></span></dt><dd><dl><dt><span class="section"><a href="#id857155">Automatically generation of SP metadata for SAML 2.0</a></span></dt></dl></dd><dt><span class="section"><a href="#id857220">Test the SAML 2.0 SP examples</a></span></dt><dt><span class="section"><a href="#id857271">Integrating authentication with your own application</a></span></dt><dt><span class="section"><a href="#id857386">Support</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856631"></a>Introduction</h2></div></div></div><p>simpleSAMLphp can run as both a SAML 2.0 Service Provider and as a
Shibboleth 1.3 Service Provider. The configuration and metadata would be
somewhat different, therefore there are separate chapter for the two,
although the configuration is similar.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856645"></a>Configuring metadata for SAML 2.0 SP</h2></div></div></div><p>When you are setting up a SAML 2.0 SP, you would need to configure
@@ -62,8 +62,7 @@
there is a parameter to set the default IdP to use. Alternatively you
can specify which IdP to use in a parameter to the initSSO.php script
when you initiate logon in your application.</p><p>Here is an example from <code class="filename">config.php</code>:</p><pre class="programlisting"> 'default-saml20-idp' => 'sam.feide.no',</pre><p>The configuration above will use the IdP configured in IdP Remote
- metadata with entity ID equal to <code class="literal">sam.feide.no</code>.
- </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856961"></a>Using the SAML 2.0 IdP Discovery Service</h3></div></div></div><p>If you want end users to be able to select one of all the
+ metadata with entity ID equal to <code class="literal">sam.feide.no</code>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856961"></a>Using the SAML 2.0 IdP Discovery Service</h3></div></div></div><p>If you want end users to be able to select one of all the
specified entries in IdP remote metadata, you can set the default IdP to
be null, then simpleSAMLphp will initiate the builtin IdP discovery
service to let the user select IdP. Here is the neccessary configuration
@@ -148,4 +147,8 @@ if (!isset($session) || !$session->isValid() ) {
$attributes = $session->getAttributes();
print_r($attributes);
-</pre></div></div></body></html>
+</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857386"></a>Support</h2></div></div></div><p>If you have problems to get this work, or want to discuss
+ simpleSAMLphp with other users of the software you are lucky! Around
+ simpleSAMLphp there is a great Open source community, and you are welcome
+ to join! Both for asking question, answer other questions, request
+ improvements or contribute with code or plugins of your own.</p><p>Visit the project page of simpleSAMLphp at: <a href="http://code.google.com/p/simplesamlphp/" target="_top">http://code.google.com/p/simplesamlphp/</a></p><p>And please join the mailinglist: <a href="???" target="_top">https://postlister.uninett.no/sympa/subscribe/simplesaml</a></p></div></div></body></html>
diff --git a/docs/source/simplesamlphp-bridge.xml b/docs/source/simplesamlphp-bridge.xml
index b0c92b182beafec22e8602048c56a55ad11e0cd0..b9b758f9bf278af263b283522317273c6fb43da6 100644
--- a/docs/source/simplesamlphp-bridge.xml
+++ b/docs/source/simplesamlphp-bridge.xml
@@ -7,7 +7,7 @@
<articleinfo>
<date>2007-10-15</date>
- <pubdate>Mon Oct 15 16:53:14 2007</pubdate>
+ <pubdate>Sun Oct 21 13:48:37 2007</pubdate>
<author>
<firstname>Andreas Ă…kre</firstname>
@@ -80,4 +80,20 @@
<para>Documentation will be added.</para>
</section>
</section>
+
+ <section>
+ <title>Support</title>
+
+ <para>If you have problems to get this work, or want to discuss
+ simpleSAMLphp with other users of the software you are lucky! Around
+ simpleSAMLphp there is a great Open source community, and you are welcome
+ to join! Both for asking question, answer other questions, request
+ improvements or contribute with code or plugins of your own.</para>
+
+ <para>Visit the project page of simpleSAMLphp at: <ulink
+ url="http://code.google.com/p/simplesamlphp/">http://code.google.com/p/simplesamlphp/</ulink></para>
+
+ <para>And please join the mailinglist: <ulink
+ url="???">https://postlister.uninett.no/sympa/subscribe/simplesaml</ulink></para>
+ </section>
</article>
\ No newline at end of file
diff --git a/docs/source/simplesamlphp-googleapps.xml b/docs/source/simplesamlphp-googleapps.xml
new file mode 100644
index 0000000000000000000000000000000000000000..c8194de57b2f834a76609e4ceebc2522eb636fe1
--- /dev/null
+++ b/docs/source/simplesamlphp-googleapps.xml
@@ -0,0 +1,444 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<article>
+ <title>Setting up a simpleSAMLphp SAML 2.0 IdP to use with Google Apps for
+ Education</title>
+
+ <articleinfo>
+ <date>2007-10-15</date>
+
+ <pubdate>Sun Oct 21 13:51:26 2007</pubdate>
+
+ <author>
+ <firstname>Andreas Ă…kre</firstname>
+
+ <surname>Solberg</surname>
+
+ <email>andreas.solberg@uninett.no</email>
+ </author>
+ </articleinfo>
+
+ <section>
+ <title>Introduction</title>
+
+ <para>This article assumes that you have already read the simpleSAMLphp
+ installation manual, and installed a version of simpleSAMLphp at your
+ server.</para>
+
+ <para>In this example we will setup this server as an IdP for Google Apps
+ for Education:</para>
+
+ <literallayout>dev2.andreas.feide.no</literallayout>
+ </section>
+
+ <section>
+ <title>Setting up a SSL signing certificate</title>
+
+ <para>For test purposes, you can skip this section, and use the included
+ certificate.</para>
+
+ <para>For a production system, uou must generate a new certificate for
+ your IdP.</para>
+
+ <warning>
+ <para>There is a certificate that follows this package that you can use
+ for test purposes, but off course <emphasis>NEVER</emphasis> use this in
+ production as the private key is also included in the package and can be
+ downloaded by anyone.</para>
+ </warning>
+
+ <para>Here is an examples of openssl commands to generate a new key and a
+ selfsigned certificate to use for signing SAML messages:</para>
+
+ <screen>openssl genrsa -des3 -out googleappsidp.key 1024
+openssl rsa -in googleappsidp.key -out googleappsidp.pem
+openssl req -new -key googleappsidp.key -out googleappsidp.csr
+openssl x509 -req -days 1095 -in googleappsidp.csr -signkey googleappsidp.key -out googleappsidp.crt</screen>
+
+ <para>The certificate above will be valid for 1095 days (3 years).</para>
+
+ <para>Here is an example of what can be typed in when creating a
+ certificate request:</para>
+
+ <screen>Country Name (2 letter code) [AU]:NO
+State or Province Name (full name) [Some-State]:Trondheim
+Locality Name (eg, city) []:Trondheim
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:UNINETT
+Organizational Unit Name (eg, section) []:
+Common Name (eg, YOUR name) []:dev2.andreas.feide.no
+Email Address []:
+
+Please enter the following 'extra' attributes
+to be sent with your certificate request
+A challenge password []:
+An optional company name []:</screen>
+
+ <note>
+ <para>simpleSAMLphp will only work with RSA and not DSA
+ certificates.</para>
+ </note>
+ </section>
+
+ <section id="sect.authmodule">
+ <title>Authentication modules</title>
+
+ <para>You will need to connect the IdP to your existing user storage. For
+ different technologies of user storage, there are different authentication
+ modules.</para>
+
+ <para>In the <filename>www/auth</filename> directory, you see multiple
+ files, each representing an authentication module. In the IdP hosted
+ metadata configuration you specify which authentication module that should
+ be used for that specific IdP. You can implement your own authentication
+ module, see the IdP documentation.</para>
+
+ <para>These authentication modules are included:</para>
+
+ <glosslist>
+ <glossentry>
+ <glossterm>auth/login.php</glossterm>
+
+ <glossdef>
+ <para>This is the standard LDAP backend authentication module, it
+ uses LDAP configuration from the config.php file.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>auth/login-ldapmulti.php</glossterm>
+
+ <glossdef>
+ <para>This authentication module lets you connect to multiple LDAPS
+ depending on what organization the user selects in the login
+ form.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>auth/login-radius.php</glossterm>
+
+ <glossdef>
+ <para>This authentication module will authenticate users against an
+ RADIUS server instead of LDAP.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>auth/login-auto.php</glossterm>
+
+ <glossdef>
+ <para>This module will automatically login the user with some test
+ details. You can use this to test the IdP functionality if you do
+ not have</para>
+
+ <para>This module is not completed yet. Work in progress.</para>
+ </glossdef>
+ </glossentry>
+ </glosslist>
+
+ <section>
+ <title>Configuring the LDAP authentication module</title>
+
+ <para>The LDAP module is <filename>auth/login.php</filename>.</para>
+
+ <para>If you want to perform local authentication on this server, and
+ you want to use the LDAP authenticaiton plugin, then you need to
+ configure the following parameters in
+ <filename>config.php</filename>:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><literal>auth.ldap.dnpattern</literal>: What DN should you
+ bind to? Replacing %username% with the username the user types
+ in.</para>
+ </listitem>
+
+ <listitem>
+ <para><literal>auth.ldap.hostname</literal>: The hostname of the
+ LDAP server</para>
+ </listitem>
+
+ <listitem>
+ <para><literal>auth.ldap.attributes</literal>: Search parameter to
+ LDAP. What attributes should be extracted?
+ <literal>objectclass=*</literal> gives you all.</para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section>
+ <title>Configuring the multi-LDAP authenticaiton module</title>
+
+ <para>The module is
+ <filename>auth/login-ldapmulti.php</filename>.</para>
+
+ <note>
+ <para>Documentation will be added later. For now, contact the
+ author.</para>
+ </note>
+ </section>
+ </section>
+
+ <section>
+ <title>Configuring metadata for an SAML 2.0 IdP</title>
+
+ <para>If you want to setup a SAML 2.0 IdP for Google Apps, you need to
+ configure two metadata files: <filename>saml20-idp-hosted.php</filename>
+ and <filename>saml20-sp-remote.php</filename>.</para>
+
+ <section>
+ <title>Configuring SAML 2.0 IdP Hosted metadata</title>
+
+ <para>This is the configuration of the IdP itself. Here is some example
+ config:</para>
+
+ <programlisting> // The SAML entity ID is the index of this config.
+ 'dev2.andreas.feide.no' => array(
+
+ // The hostname of the server (VHOST) that this SAML entity will use.
+ 'host' => 'sp.example.org',
+
+ // X.509 key and certificate. Relative to the cert directory.
+ 'privatekey' => 'googleappsidp.pem',
+ 'certificate' => 'googleappsidp.crt',
+
+ /* If base64attributes is set to true, then all attributes will be base64 encoded. Make sure
+ * that you set the SP to have the same value for this.
+ */
+ 'base64attributes' => false,
+
+ // Authentication plugin to use. login.php is the default one that uses LDAP.
+ 'auth' => 'auth/login.php'
+ )</programlisting>
+
+ <para>Here are some details of each of the parameters:</para>
+
+ <glosslist>
+ <glossentry>
+ <glossterm>index (index of array)</glossterm>
+
+ <glossdef>
+ <para>The entity ID of the IdP. In this example this value is set
+ to: <literal>dev2.andreas.feide.no</literal>.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>host</glossterm>
+
+ <glossdef>
+ <para>The hostname of the server running this IdP, in this case:
+ <literal>dev2.andreas.feide.no</literal>.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>privatekey</glossterm>
+
+ <glossdef>
+ <para>Pointing to the private key in PEM format, in the certs
+ directory. Remeber we created the <literal>googleappsidp</literal>
+ key?</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>certificate</glossterm>
+
+ <glossdef>
+ <para>Pointing to the certificate file in PEM format, in the certs
+ directory. Remeber we created the <literal>googleappsidp</literal>
+ key?</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>base64attributes</glossterm>
+
+ <glossdef>
+ <para>Google Apps do not want us to base64encode any attributes,
+ so we set it to <literal>false</literal>.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>auth</glossterm>
+
+ <glossdef>
+ <para>Which authentication module to use? Default is:
+ <filename>auth/login.php</filename> which is the LDAP
+ authentication module. See the <xref linkend="sect.authmodule" />
+ for more information on the authentication modules.</para>
+ </glossdef>
+ </glossentry>
+ </glosslist>
+ </section>
+
+ <section>
+ <title>Configuring SAML 2.0 SP Remote metadata</title>
+
+ <para>In the (saml20-sp-remote.php) file we will configure an entry for
+ Google Apps for education. There is already an entry for Google Apps in
+ the template, but we will change the domain name:</para>
+
+ <programlisting> /*
+ * This example shows an example config that works with Google Apps for education.
+ * What is important is that you have an attribute in your IdP that maps to the local part of the email address
+ * at Google Apps. In example, if your google account is foo.com, and you have a user that has an email john@foo.com, then you
+ * must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the value of 'john'.
+ */
+ 'google.com' => array(
+ 'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
+ 'spNameQualifier' => 'google.com',
+ 'ForceAuthn' => 'false',
+ 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
+ 'simplesaml.nameidattribute' => 'uid',
+ 'simplesaml.attributes' => false
+ ),</programlisting>
+
+ <para>You also need to map some attribute from the IdP into the email
+ field sent to Google Apps. The attributes comes from the authentication
+ module, and in this example we have an LDAP that returns the uid
+ attribute. The uid attribute contains the local part of </para>
+
+ <para>What you need to do is modify the
+ <literal>AssertionConsumerService</literal> to include your Google Apps
+ domain name instead of <literal>g.feide.no</literal>.</para>
+
+ <para>To understand what the different parameters mean, see in the
+ <ulink url="simplesamlphp-idp.html">simpleSAMLphp IdP
+ documentation</ulink>.</para>
+ </section>
+ </section>
+
+ <section>
+ <title>Configure Google Apps for education</title>
+
+ <para>Now, we are ready to configure Google Apps to use our IdP. We start
+ by logging in to our Google Apps for education account panel. We then go
+ to "Advanced tools":</para>
+
+ <figure>
+ <title>We go to advanced tools</title>
+
+ <screenshot>
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="resources/simplesamlphp-googleapps/googleapps-menu.png" />
+ </imageobject>
+ </mediaobject>
+ </screenshot>
+ </figure>
+
+ <para>Then we go to "Set up single sign-on (SSO)":</para>
+
+ <figure>
+ <title>We go to setup SSO</title>
+
+ <screenshot>
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="resources/simplesamlphp-googleapps/googleapps-sso.png" />
+ </imageobject>
+ </mediaobject>
+ </screenshot>
+ </figure>
+
+ <para>Then, we start off by uploading a certificate, and we upload the
+ certificate we created in an earlier section, the googleappsidp.crt file:
+ </para>
+
+ <figure>
+ <title>Uploading certificate</title>
+
+ <screenshot>
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="resources/simplesamlphp-googleapps/googleapps-cert.png" />
+ </imageobject>
+ </mediaobject>
+ </screenshot>
+ </figure>
+
+ <para>Then we need to fill out the remaining fields:</para>
+
+ <para>The important field to fill out is the Sign-in page URL. Set it to
+ something similar to:</para>
+
+ <literallayout>http://dev2.andreas.feide.no/simplesaml/saml2/idp/SSOService.php</literallayout>
+
+ <para>but use the hostname of your IdP server.</para>
+
+ <para>The Sign-out page or change password url can be static pages on your
+ server.</para>
+
+ <warning>
+ <para>Single Logout functionality with SAML 2.0 in simpleSAMlphp and
+ Google Apps is not yet fully tested. We will do more testing about that,
+ and then include a detailed descrition in this document.</para>
+ </warning>
+
+ <para>The network mask, is which IP addresses that will be asked for SSO
+ login. IP addresses that do not match this mask will be presented with the
+ normal Google Apps login page.</para>
+
+ <figure>
+ <title>Fill out the remaining fields</title>
+
+ <screenshot>
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="resources/simplesamlphp-googleapps/googleapps-ssoconfig.png" />
+ </imageobject>
+ </mediaobject>
+ </screenshot>
+ </figure>
+
+ <section>
+ <title>Add a user in Google Apps that is also in the IdP</title>
+
+ <para>Add a new user in Google Apps, before we can test login. This user
+ needs to have the mail field to match the email prefix mapped from the
+ attribute as described in the metadata section.</para>
+ </section>
+ </section>
+
+ <section>
+ <title>Test to login to Google Apps for education</title>
+
+ <para>Go to the URL of your mail account for this domain, the URL is
+ similar to the following:</para>
+
+ <literallayout>http://mail.google.com/a/yourgoogleappsdomain.com</literallayout>
+
+ <para>but remember to replace with your own google apps domain
+ name.</para>
+ </section>
+
+ <section>
+ <title>Security Considerations</title>
+
+ <para>You should make sure that your IdP server runs on HTTPS (SSL). Check
+ the Apache documentation if you need to know how to configure that.</para>
+
+ <para>And make sure you have switched away from the default certificate
+ that follows the simpleSAMLphp distribution.</para>
+ </section>
+
+ <section>
+ <title>Support</title>
+
+ <para>If you have problems to get this work, or want to discuss
+ simpleSAMLphp with other users of the software you are lucky! Around
+ simpleSAMLphp there is a great Open source community, and you are welcome
+ to join! Both for asking question, answer other questions, request
+ improvements or contribute with code or plugins of your own.</para>
+
+ <para>Visit the project page of simpleSAMLphp at: <ulink
+ url="http://code.google.com/p/simplesamlphp/">http://code.google.com/p/simplesamlphp/</ulink></para>
+
+ <para>And please join the mailinglist: <ulink
+ url="???">https://postlister.uninett.no/sympa/subscribe/simplesaml</ulink></para>
+ </section>
+</article>
\ No newline at end of file
diff --git a/docs/source/simplesamlphp-idp.xml b/docs/source/simplesamlphp-idp.xml
index ec8c47ec45dd1d996474f191830129cce04fcf87..463e844bfaf2ba464a26438a21b5959d24984307 100644
--- a/docs/source/simplesamlphp-idp.xml
+++ b/docs/source/simplesamlphp-idp.xml
@@ -7,7 +7,7 @@
<articleinfo>
<date>2007-10-15</date>
- <pubdate>Mon Oct 15 16:54:09 2007</pubdate>
+ <pubdate>Sun Oct 21 13:49:41 2007</pubdate>
<author>
<firstname>Andreas Ă…kre</firstname>
@@ -121,7 +121,7 @@
certificate.</para>
<para>For a production system, uou must generate a new certificate for
- your IdP. </para>
+ your IdP.</para>
<warning>
<para>There is a certificate that follows this package that you can use
@@ -347,6 +347,22 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
</tip>
</section>
+ <section>
+ <title>Support</title>
+
+ <para>If you have problems to get this work, or want to discuss
+ simpleSAMLphp with other users of the software you are lucky! Around
+ simpleSAMLphp there is a great Open source community, and you are welcome
+ to join! Both for asking question, answer other questions, request
+ improvements or contribute with code or plugins of your own.</para>
+
+ <para>Visit the project page of simpleSAMLphp at: <ulink
+ url="http://code.google.com/p/simplesamlphp/">http://code.google.com/p/simplesamlphp/</ulink></para>
+
+ <para>And please join the mailinglist: <ulink
+ url="???">https://postlister.uninett.no/sympa/subscribe/simplesaml</ulink></para>
+ </section>
+
<appendix>
<title>Writing your own authentication module</title>
diff --git a/docs/source/simplesamlphp-install.xml b/docs/source/simplesamlphp-install.xml
index 855b53787f9ad4b76cb3dc340d0456bfdb1e3709..8d4b007b0ffeef74217a0d128df7c9ba7bf41db2 100644
--- a/docs/source/simplesamlphp-install.xml
+++ b/docs/source/simplesamlphp-install.xml
@@ -7,7 +7,7 @@
<articleinfo>
<date>2007-08-30</date>
- <pubdate>Fri Sep 14 10:49:49 2007</pubdate>
+ <pubdate>Sun Oct 21 11:56:20 2007</pubdate>
<author>
<firstname>Andreas Ă…kre</firstname>
diff --git a/docs/source/simplesamlphp-sp.xml b/docs/source/simplesamlphp-sp.xml
index 5c6080e945081a4c2ff1d05b4841f771077269c2..c4614bde03a07deb1ad230ff6d055370c5c288aa 100644
--- a/docs/source/simplesamlphp-sp.xml
+++ b/docs/source/simplesamlphp-sp.xml
@@ -7,7 +7,7 @@
<articleinfo>
<date>2007-10-15</date>
- <pubdate>Mon Oct 15 16:55:49 2007</pubdate>
+ <pubdate>Sun Oct 21 13:50:29 2007</pubdate>
<author>
<firstname>Andreas Ă…kre</firstname>
@@ -225,8 +225,7 @@
<programlisting> 'default-saml20-idp' => 'sam.feide.no',</programlisting>
<para>The configuration above will use the IdP configured in IdP Remote
- metadata with entity ID equal to <literal>sam.feide.no</literal>.
- </para>
+ metadata with entity ID equal to <literal>sam.feide.no</literal>.</para>
</section>
<section>
@@ -485,4 +484,20 @@ $attributes = $session->getAttributes();
print_r($attributes);
</programlisting>
</section>
+
+ <section>
+ <title>Support</title>
+
+ <para>If you have problems to get this work, or want to discuss
+ simpleSAMLphp with other users of the software you are lucky! Around
+ simpleSAMLphp there is a great Open source community, and you are welcome
+ to join! Both for asking question, answer other questions, request
+ improvements or contribute with code or plugins of your own.</para>
+
+ <para>Visit the project page of simpleSAMLphp at: <ulink
+ url="http://code.google.com/p/simplesamlphp/">http://code.google.com/p/simplesamlphp/</ulink></para>
+
+ <para>And please join the mailinglist: <ulink
+ url="???">https://postlister.uninett.no/sympa/subscribe/simplesaml</ulink></para>
+ </section>
</article>
\ No newline at end of file