From 6f32a6c69b03fcf6e241d2f1d750d5a9ff16209a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no>
Date: Fri, 30 Jan 2009 13:01:04 +0000
Subject: [PATCH] Updating SP markdown docs
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1220 44740490-163a-0410-bde0-09ae8108e29a
---
docs/simplesamlphp-sp.txt | 105 +++++++++-----------------------------
1 file changed, 24 insertions(+), 81 deletions(-)
diff --git a/docs/simplesamlphp-sp.txt b/docs/simplesamlphp-sp.txt
index 009635a2c..5434372d3 100644
--- a/docs/simplesamlphp-sp.txt
+++ b/docs/simplesamlphp-sp.txt
@@ -18,30 +18,21 @@ This document is part of the simpleSAMLphp documentation suite.
[List of all simpleSAMLphp documentation](http://rnd.feide.no/view/simplesamlphpdocs)
-This document assumes that you already have a installation of
-simpleSAMLphp. Before you continue make sure all the required
-entries in the check list at the buttom is showing green light.
+This document assumes that you already have a installation of simpleSAMLphp. Before you continue make sure all the required entries in the check list at the buttom is showing green light.
Introduction
------------
-simpleSAMLphp can run as both a SAML 2.0 Service Provider and as a
-Shibboleth 1.3 Service Provider. Although the configuration is
-similar for the two alternatives, there are some differences in
-configuration and metadata differs somewhat, so they are treated in
-separate chapters.
+simpleSAMLphp can run as both a SAML 2.0 Service Provider and as a Shibboleth 1.3 Service Provider. Although the configuration is similar for the two alternatives, there are some differences in configuration and metadata differs somewhat, so they are treated in separate chapters.
Selecting the desired Service Provider functionality
----------------------------------------------------
-Your identity provider (IdP) may offer user authentication either
-using the SAML 2.0 protocol, or the older Shibboleth 1.3 protocol.
+Your identity provider (IdP) may offer user authentication either using the SAML 2.0 protocol, or the older Shibboleth 1.3 protocol.
-SAML 2.0 SP functionality is enabled by default. If this is what
-you want to use, leave the default configuration unmodified.
+SAML 2.0 SP functionality is enabled by default. If this is what you want to use, leave the default configuration unmodified.
-To setup a Shibboleth 1.3 SP, you must disable SAML 2.0 SP and
-enable Shib 1.3 SP in `config.php`:
+To setup a Shibboleth 1.3 SP, you must disable SAML 2.0 SP and enable Shib 1.3 SP in `config.php`:
'enable.saml20-sp' => false,
'enable.saml20-idp' => false,
@@ -51,17 +42,11 @@ enable Shib 1.3 SP in `config.php`:
Configuring metadata for SAML 2.0 SP
------------------------------------
-To set up a SAML 2.0 SP, configure two metadata files:
-`saml20-sp-hosted.php` and `saml20-idp-remote.php`. The former
-represents the SAML entity of your SP, the latter lists all the
-SAML 2.0 IdPs you trust to authenticate users, and how to connect
-to them.
+To set up a SAML 2.0 SP, configure two metadata files: `saml20-sp-hosted.php` and `saml20-idp-remote.php`. The former represents the SAML entity of your SP, the latter lists all the SAML 2.0 IdPs you trust to authenticate users, and how to connect to them.
## Configuring SAML 2.0 SP Hosted metadata
-To se tup these metadata, you must know the host name of your web
-server, and select an entity ID for this server. The IdP may impose
-restrictions on your choice of entity ID.
+To se tup these metadata, you must know the host name of your web server, and select an entity ID for this server. The IdP may impose restrictions on your choice of entity ID.
**Example 1. Example of metadata for hosted SAML 2.0 SP**
@@ -83,17 +68,11 @@ Here is a real life example from Feide:
'host' => 'foodle.feide.no',
),
-Here the service run on the host `foodle.feide.no` and have the
-entity ID `urn:mace:feide.no:services:no.feide.foodle`.
+Here the service run on the host `foodle.feide.no` and have the entity ID `urn:mace:feide.no:services:no.feide.foodle`.
-You may add any number of SP definitions in the same installation
-of simpleSAMLphp. simpleSAMLphp will discover automatically which
-configuration to use in a specific scenario, by mapping current
-hostname in the URL sent by the end user client to the `host` entry
-in the metadata.
+You may add any number of SP definitions in the same installation of simpleSAMLphp. simpleSAMLphp will discover automatically which configuration to use in a specific scenario, by mapping current hostname in the URL sent by the end user client to the `host` entry in the metadata.
-Below is a description of mandatory and optional fields in the SAML
-2.0 SP hosted metadata.
+Below is a description of mandatory and optional fields in the SAML 2.0 SP hosted metadata.
### Mandatory metadata fields
@@ -441,44 +420,30 @@ redirect.validate
## Setting the default SAML 2.0 IdP
-The global configuration (`config.php`) holds a parameter to set
-the default IdP to use. Alternatively you can specify which IdP to
-use in a parameter to the initSSO.php script when you initiate
-logon in your application.
+The global configuration (`config.php`) holds a parameter to set the default IdP to use. Alternatively you can specify which IdP to use in a parameter to the initSSO.php script when you initiate logon in your application.
Here is an example from `config.php`:
- 'default-saml20-idp' => 'sam.feide.no',
+ 'default-saml20-idp' => 'sam.feide.no',
-The configuration above will use the IdP configured in IdP Remote
-metadata with entity ID equal to `sam.feide.no`.
+The configuration above will use the IdP configured in IdP Remote metadata with entity ID equal to `sam.feide.no`.
## Using the SAML 2.0 IdP Discovery Service
-If you want end users to be able to select one of several specified
-entries in IdP remote metadata, set the default IdP to be null.
-simpleSAMLphp will then use its builtin IdP discovery service to
-let the user select IdP. Here is the neccessary configuration from
-`config.php`:
+If you want end users to be able to select one of several specified entries in IdP remote metadata, set the default IdP to be null. simpleSAMLphp will then use its builtin IdP discovery service to let the user select IdP. Here is the neccessary configuration from `config.php`:
'default-saml20-idp' => null,
Configuring metadata for Shibboleth 1.3 SP
------------------------------------------
-To set up a Shibboleth 1.3 SP, configure two metadata files.
-shib13-sp-hosted.php and shib13-idp-remote.php.The former
-represents the SAML entity of your service provider, the latter
-lists all the trusted Shibboleth 1.3 IdPs and how to connect to
-them.
+To set up a Shibboleth 1.3 SP, configure two metadata files. shib13-sp-hosted.php and shib13-idp-remote.php.The former represents the SAML entity of your service provider, the latter lists all the trusted Shibboleth 1.3 IdPs and how to connect to them.
Note: Shibboleth 2.0 IdPs should be configured as SAML 2.0 IdPs.
## Configuring Shibboleth 1.3 SP Hosted metadata
-Two parameters, the entity ID and the host name of the web server
-running this SP, are configured in the hosted metadata
-(`shib13-sp-hosted.php`).
+Two parameters, the entity ID and the host name of the web server running this SP, are configured in the hosted metadata (`shib13-sp-hosted.php`).
**Example 7. Shibboleth 1.3 SP hosted metadata**
@@ -595,16 +560,11 @@ icon
Exchange metadata with the IdP
------------------------------
-Before you can run the test examples, you need the people running
-the IdP to load the metadata for your SP. If you run Shibboleth 1.3
-SP, you must manually create metadata for your SP and send to the
-IdP. If you use SAML 2.0, metadata can be generated automatically.
+Before you can run the test examples, you need the people running the IdP to load the metadata for your SP. If you run Shibboleth 1.3 SP, you must manually create metadata for your SP and send to the IdP. If you use SAML 2.0, metadata can be generated automatically.
## Automatic generation of SAML 2.0 SP metadata
-On the installation page there is a link named "Look at your SAML
-2.0 SP metadata". Click to inspect the metadata for your SP. Send
-this metadata document to the IdP and ask them to load it.
+On the installation page there is a link named "Look at your SAML 2.0 SP metadata". Click to inspect the metadata for your SP. Send this metadata document to the IdP and ask them to load it.
@@ -673,17 +633,9 @@ can copy this lines into your application without changes:
$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();
-Then check whether the session is valid. If not, redirect the user
-to the IdP, specifying the `initSSO.php` script (for SAML 2.0 or
-Shibboleth 1.3, respectively). adding the current URL as a
-`RelayState` parameter. The user will leave your web page
-temporarily. When he returns after successful authentication, there
-will be a valid session, and the body of the `if` statement is
-skipped.
+Then check whether the session is valid. If not, redirect the user to the IdP, specifying the `initSSO.php` script (for SAML 2.0 or Shibboleth 1.3, respectively). adding the current URL as a `RelayState` parameter. The user will leave your web page temporarily. When he returns after successful authentication, there will be a valid session, and the body of the `if` statement is skipped.
-After successful athentication, user attributes supplied by the IdP
-are available in session object. To take a closer look at the
-attributes array, you may print it out...
+After successful athentication, user attributes supplied by the IdP are available in session object. To take a closer look at the attributes array, you may print it out...
/* Check if valid local session exists.. */
if (!isset($session) || !$session->isValid('saml2') ) {
@@ -697,12 +649,9 @@ attributes array, you may print it out...
$attributes = $session->getAttributes();
print_r($attributes);
-(Obviously, printing out all attributes this way would be done in a
-test phase only!)
+(Obviously, printing out all attributes this way would be done in a test phase only!)
-Each attribute name can be used as an index into $attributes to
-obtain the value. Every attribute value is an array - a
-single-valued attribute is an array of a single element.
+Each attribute name can be used as an index into $attributes to obtain the value. Every attribute value is an array - a single-valued attribute is an array of a single element.
## Upgrading service integration from version 0.5 to 1.0
@@ -713,12 +662,7 @@ single-valued attribute is an array of a single element.
Support
-------
-If you need help to make this work, or want to discuss
-simpleSAMLphp with other users of the software, you are fortunate:
-Around simpleSAMLphp there is a great Open source community, and
-you are welcome to join! The forums are open for you to ask
-questions, contribute answers other further questions, request
-improvements or contribute with code or plugins of your own.
+If you need help to make this work, or want to discuss simpleSAMLphp with other users of the software, you are fortunate: Around simpleSAMLphp there is a great Open source community, and you are welcome to join! The forums are open for you to ask questions, contribute answers other further questions, request improvements or contribute with code or plugins of your own.
- [simpleSAMLphp homepage (at Feide RnD)](http://rnd.feide.no/simplesamlphp)
- [List of all available simpleSAMLphp documentation](http://rnd.feide.no/view/simplesamlphpdocs)
@@ -728,8 +672,7 @@ improvements or contribute with code or plugins of your own.
## A. Calculating the fingerprint of a certificate
-If you have obtained a certificate file, and want to calculate the
-fingerprint of the file, you can use the `openssl` command:
+If you have obtained a certificate file, and want to calculate the fingerprint of the file, you can use the `openssl` command:
$ cat server.crt|openssl x509 -fingerprint
MD5 Fingerprint=D1:BA:B0:17:66:6D:7F:42:7B:91:1E:22:7E:3A:27:D2
--
GitLab