Skip to content
Snippets Groups Projects
Commit 6f32a6c6 authored by Andreas Åkre Solberg's avatar Andreas Åkre Solberg
Browse files

Updating SP markdown docs 

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1220 44740490-163a-0410-bde0-09ae8108e29a
parent b045bd60
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
docs/simplesamlphp-sp.txt
+ 24
81
View file @ 6f32a6c6
......@@ -18,30 +18,21 @@ This document is part of the simpleSAMLphp documentation suite.
[List of all simpleSAMLphp documentation](http://rnd.feide.no/view/simplesamlphpdocs)
This document assumes that you already have a installation of
simpleSAMLphp. Before you continue make sure all the required
entries in the check list at the buttom is showing green light.
This document assumes that you already have a installation of simpleSAMLphp. Before you continue make sure all the required entries in the check list at the buttom is showing green light.
Introduction
------------
simpleSAMLphp can run as both a SAML 2.0 Service Provider and as a
Shibboleth 1.3 Service Provider. Although the configuration is
similar for the two alternatives, there are some differences in
configuration and metadata differs somewhat, so they are treated in
separate chapters.
simpleSAMLphp can run as both a SAML 2.0 Service Provider and as a Shibboleth 1.3 Service Provider. Although the configuration is similar for the two alternatives, there are some differences in configuration and metadata differs somewhat, so they are treated in separate chapters.
Selecting the desired Service Provider functionality
----------------------------------------------------
Your identity provider (IdP) may offer user authentication either
using the SAML 2.0 protocol, or the older Shibboleth 1.3 protocol.
Your identity provider (IdP) may offer user authentication either using the SAML 2.0 protocol, or the older Shibboleth 1.3 protocol.
SAML 2.0 SP functionality is enabled by default. If this is what
you want to use, leave the default configuration unmodified.
SAML 2.0 SP functionality is enabled by default. If this is what you want to use, leave the default configuration unmodified.
To setup a Shibboleth 1.3 SP, you must disable SAML 2.0 SP and
enable Shib 1.3 SP in `config.php`:
To setup a Shibboleth 1.3 SP, you must disable SAML 2.0 SP and enable Shib 1.3 SP in `config.php`:
'enable.saml20-sp' => false,
'enable.saml20-idp' => false,
......@@ -51,17 +42,11 @@ enable Shib 1.3 SP in `config.php`:
Configuring metadata for SAML 2.0 SP
------------------------------------
To set up a SAML 2.0 SP, configure two metadata files:
`saml20-sp-hosted.php` and `saml20-idp-remote.php`. The former
represents the SAML entity of your SP, the latter lists all the
SAML 2.0 IdPs you trust to authenticate users, and how to connect
to them.
To set up a SAML 2.0 SP, configure two metadata files: `saml20-sp-hosted.php` and `saml20-idp-remote.php`. The former represents the SAML entity of your SP, the latter lists all the SAML 2.0 IdPs you trust to authenticate users, and how to connect to them.
## Configuring SAML 2.0 SP Hosted metadata
To se tup these metadata, you must know the host name of your web
server, and select an entity ID for this server. The IdP may impose
restrictions on your choice of entity ID.
To se tup these metadata, you must know the host name of your web server, and select an entity ID for this server. The IdP may impose restrictions on your choice of entity ID.
**Example 1. Example of metadata for hosted SAML 2.0 SP**
......@@ -83,17 +68,11 @@ Here is a real life example from Feide:
'host' => 'foodle.feide.no',
),
Here the service run on the host `foodle.feide.no` and have the
entity ID `urn:mace:feide.no:services:no.feide.foodle`.
Here the service run on the host `foodle.feide.no` and have the entity ID `urn:mace:feide.no:services:no.feide.foodle`.
You may add any number of SP definitions in the same installation
of simpleSAMLphp. simpleSAMLphp will discover automatically which
configuration to use in a specific scenario, by mapping current
hostname in the URL sent by the end user client to the `host` entry
in the metadata.
You may add any number of SP definitions in the same installation of simpleSAMLphp. simpleSAMLphp will discover automatically which configuration to use in a specific scenario, by mapping current hostname in the URL sent by the end user client to the `host` entry in the metadata.
Below is a description of mandatory and optional fields in the SAML
2.0 SP hosted metadata.
Below is a description of mandatory and optional fields in the SAML 2.0 SP hosted metadata.
### Mandatory metadata fields
......@@ -441,44 +420,30 @@ redirect.validate
## Setting the default SAML 2.0 IdP
The global configuration (`config.php`) holds a parameter to set
the default IdP to use. Alternatively you can specify which IdP to
use in a parameter to the initSSO.php script when you initiate
logon in your application.
The global configuration (`config.php`) holds a parameter to set the default IdP to use. Alternatively you can specify which IdP to use in a parameter to the initSSO.php script when you initiate logon in your application.
Here is an example from `config.php`:
'default-saml20-idp' => 'sam.feide.no',
'default-saml20-idp' => 'sam.feide.no',
The configuration above will use the IdP configured in IdP Remote
metadata with entity ID equal to `sam.feide.no`.
The configuration above will use the IdP configured in IdP Remote metadata with entity ID equal to `sam.feide.no`.
## Using the SAML 2.0 IdP Discovery Service
If you want end users to be able to select one of several specified
entries in IdP remote metadata, set the default IdP to be null.
simpleSAMLphp will then use its builtin IdP discovery service to
let the user select IdP. Here is the neccessary configuration from
`config.php`:
If you want end users to be able to select one of several specified entries in IdP remote metadata, set the default IdP to be null. simpleSAMLphp will then use its builtin IdP discovery service to let the user select IdP. Here is the neccessary configuration from `config.php`:
'default-saml20-idp' => null,
Configuring metadata for Shibboleth 1.3 SP
------------------------------------------
To set up a Shibboleth 1.3 SP, configure two metadata files.
shib13-sp-hosted.php and shib13-idp-remote.php.The former
represents the SAML entity of your service provider, the latter
lists all the trusted Shibboleth 1.3 IdPs and how to connect to
them.
To set up a Shibboleth 1.3 SP, configure two metadata files. shib13-sp-hosted.php and shib13-idp-remote.php.The former represents the SAML entity of your service provider, the latter lists all the trusted Shibboleth 1.3 IdPs and how to connect to them.
Note: Shibboleth 2.0 IdPs should be configured as SAML 2.0 IdPs.
## Configuring Shibboleth 1.3 SP Hosted metadata
Two parameters, the entity ID and the host name of the web server
running this SP, are configured in the hosted metadata
(`shib13-sp-hosted.php`).
Two parameters, the entity ID and the host name of the web server running this SP, are configured in the hosted metadata (`shib13-sp-hosted.php`).
**Example 7. Shibboleth 1.3 SP hosted metadata**
......@@ -595,16 +560,11 @@ icon
Exchange metadata with the IdP
------------------------------
Before you can run the test examples, you need the people running
the IdP to load the metadata for your SP. If you run Shibboleth 1.3
SP, you must manually create metadata for your SP and send to the
IdP. If you use SAML 2.0, metadata can be generated automatically.
Before you can run the test examples, you need the people running the IdP to load the metadata for your SP. If you run Shibboleth 1.3 SP, you must manually create metadata for your SP and send to the IdP. If you use SAML 2.0, metadata can be generated automatically.
## Automatic generation of SAML 2.0 SP metadata
On the installation page there is a link named "Look at your SAML
2.0 SP metadata". Click to inspect the metadata for your SP. Send
this metadata document to the IdP and ask them to load it.
On the installation page there is a link named "Look at your SAML 2.0 SP metadata". Click to inspect the metadata for your SP. Send this metadata document to the IdP and ask them to load it.
![image](http://rnd.feide.no/files/saml2metadata.png)
......@@ -673,17 +633,9 @@ can copy this lines into your application without changes:
$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();
Then check whether the session is valid. If not, redirect the user
to the IdP, specifying the `initSSO.php` script (for SAML 2.0 or
Shibboleth 1.3, respectively). adding the current URL as a
`RelayState` parameter. The user will leave your web page
temporarily. When he returns after successful authentication, there
will be a valid session, and the body of the `if` statement is
skipped.
Then check whether the session is valid. If not, redirect the user to the IdP, specifying the `initSSO.php` script (for SAML 2.0 or Shibboleth 1.3, respectively). adding the current URL as a `RelayState` parameter. The user will leave your web page temporarily. When he returns after successful authentication, there will be a valid session, and the body of the `if` statement is skipped.
After successful athentication, user attributes supplied by the IdP
are available in session object. To take a closer look at the
attributes array, you may print it out...
After successful athentication, user attributes supplied by the IdP are available in session object. To take a closer look at the attributes array, you may print it out...
/* Check if valid local session exists.. */
if (!isset($session) || !$session->isValid('saml2') ) {
......@@ -697,12 +649,9 @@ attributes array, you may print it out...
$attributes = $session->getAttributes();
print_r($attributes);
(Obviously, printing out all attributes this way would be done in a
test phase only!)
(Obviously, printing out all attributes this way would be done in a test phase only!)
Each attribute name can be used as an index into $attributes to
obtain the value. Every attribute value is an array - a
single-valued attribute is an array of a single element.
Each attribute name can be used as an index into $attributes to obtain the value. Every attribute value is an array - a single-valued attribute is an array of a single element.
## Upgrading service integration from version 0.5 to 1.0
......@@ -713,12 +662,7 @@ single-valued attribute is an array of a single element.
Support
-------
If you need help to make this work, or want to discuss
simpleSAMLphp with other users of the software, you are fortunate:
Around simpleSAMLphp there is a great Open source community, and
you are welcome to join! The forums are open for you to ask
questions, contribute answers other further questions, request
improvements or contribute with code or plugins of your own.
If you need help to make this work, or want to discuss simpleSAMLphp with other users of the software, you are fortunate: Around simpleSAMLphp there is a great Open source community, and you are welcome to join! The forums are open for you to ask questions, contribute answers other further questions, request improvements or contribute with code or plugins of your own.
- [simpleSAMLphp homepage (at Feide RnD)](http://rnd.feide.no/simplesamlphp)
- [List of all available simpleSAMLphp documentation](http://rnd.feide.no/view/simplesamlphpdocs)
......@@ -728,8 +672,7 @@ improvements or contribute with code or plugins of your own.
## A. Calculating the fingerprint of a certificate
If you have obtained a certificate file, and want to calculate the
fingerprint of the file, you can use the `openssl` command:
If you have obtained a certificate file, and want to calculate the fingerprint of the file, you can use the `openssl` command:
$ cat server.crt|openssl x509 -fingerprint
MD5 Fingerprint=D1:BA:B0:17:66:6D:7F:42:7B:91:1E:22:7E:3A:27:D2
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment