diff --git a/docs/source/resources/simplesamlphp-install/screenshot-installationpage.png b/docs/source/resources/simplesamlphp-install/screenshot-installationpage.png
new file mode 100644
index 0000000000000000000000000000000000000000..b9337f1159d574a4483bd031d9cbc2d4fc4ca1d4
Binary files /dev/null and b/docs/source/resources/simplesamlphp-install/screenshot-installationpage.png differ
diff --git a/docs/source/resources/simplesamlphp-sp/saml2metadata-feide.png b/docs/source/resources/simplesamlphp-sp/saml2metadata-feide.png
new file mode 100644
index 0000000000000000000000000000000000000000..727ccc43199939f65071e8162a2c27ca7d63680b
Binary files /dev/null and b/docs/source/resources/simplesamlphp-sp/saml2metadata-feide.png differ
diff --git a/docs/source/resources/simplesamlphp-sp/saml2metadata.png b/docs/source/resources/simplesamlphp-sp/saml2metadata.png
new file mode 100644
index 0000000000000000000000000000000000000000..545343ac8ac8e9e08c24734c4db499d8af812b2c
Binary files /dev/null and b/docs/source/resources/simplesamlphp-sp/saml2metadata.png differ
diff --git a/docs/source/resources/simplesamlphp-sp/screenshot-example.png b/docs/source/resources/simplesamlphp-sp/screenshot-example.png
new file mode 100644
index 0000000000000000000000000000000000000000..5c4e6878bf4cc0582399c0d201c3e26e96aa1899
Binary files /dev/null and b/docs/source/resources/simplesamlphp-sp/screenshot-example.png differ
diff --git a/docs/source/simplesamlphp-bridge.xml b/docs/source/simplesamlphp-bridge.xml
new file mode 100644
index 0000000000000000000000000000000000000000..b0c92b182beafec22e8602048c56a55ad11e0cd0
--- /dev/null
+++ b/docs/source/simplesamlphp-bridge.xml
@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<article>
+ <title>Using simpleSAMLphp as a SAML bridge</title>
+
+ <articleinfo>
+ <date>2007-10-15</date>
+
+ <pubdate>Mon Oct 15 16:53:14 2007</pubdate>
+
+ <author>
+ <firstname>Andreas Ă…kre</firstname>
+
+ <surname>Solberg</surname>
+
+ <email>andreas.solberg@uninett.no</email>
+ </author>
+ </articleinfo>
+
+ <section>
+ <title>Setting up WebSSO bridges</title>
+
+ <para>simpleSAMLphp can be used to bridge between two WebSSO protocols.
+ Here is some short descriptions of how to setup the different bridge
+ configurations.</para>
+
+ <section>
+ <title>Bridging SAML 2.0 <-> SAML 2.0</title>
+
+ <para>In this setup you can bridge between two federations using SAML
+ 2.0.</para>
+
+ <para>To approach this, you must configure both saml 2.0 IdP and SP
+ hosted metadata, and in the IdP hosted metadata configure the auth
+ parameter to be the SP initialization endpoint, like this:</para>
+
+ <screen> 'auth' => 'saml2/sp/initSSO.php?idpentityid=sam.feide.no'</screen>
+
+ <para>As you can see you specify the IdP in the remote federation as a
+ parameter to the initalization endpoint.</para>
+
+ <note>
+ <para>This section of the documentation is only a placeholder. There
+ will be more detailed information added later. For now, ask the author
+ if you want more details of such a setup.</para>
+
+ <para>Briding SAML 2.0 SLO is not implemented. Will be improved
+ soon.</para>
+ </note>
+ </section>
+
+ <section>
+ <title>Bridging Shibboleth 1.3 <-> Shibboleth 1.3</title>
+
+ <para>Documentation will be added.</para>
+ </section>
+
+ <section>
+ <title>Bridging Shibboleth 1.3 <-> SAML 2.0</title>
+
+ <para>Documentation will be added.</para>
+ </section>
+
+ <section>
+ <title>Bridging SAML 2.0 <-> Shibboleth 1.3</title>
+
+ <para>Documentation will be added.</para>
+ </section>
+
+ <section>
+ <title>Bridging SAML 2.0 <-> OpenID</title>
+
+ <para>Documentation will be added.</para>
+ </section>
+
+ <section>
+ <title>Bridging Shibboelth 1.3 <-> OpenID</title>
+
+ <para>Documentation will be added.</para>
+ </section>
+ </section>
+</article>
\ No newline at end of file
diff --git a/docs/source/simplesamlphp-idp.xml b/docs/source/simplesamlphp-idp.xml
new file mode 100644
index 0000000000000000000000000000000000000000..ec8c47ec45dd1d996474f191830129cce04fcf87
--- /dev/null
+++ b/docs/source/simplesamlphp-idp.xml
@@ -0,0 +1,415 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<article>
+ <title>Using simpleSAMLphp as an identity provider</title>
+
+ <articleinfo>
+ <date>2007-10-15</date>
+
+ <pubdate>Mon Oct 15 16:54:09 2007</pubdate>
+
+ <author>
+ <firstname>Andreas Ă…kre</firstname>
+
+ <surname>Solberg</surname>
+
+ <email>andreas.solberg@uninett.no</email>
+ </author>
+ </articleinfo>
+
+ <section>
+ <title>Authentication modules</title>
+
+ <para>In the <filename>www/auth</filename> directory, you see multiple
+ files, each representing an authentication module. In the IdP hosted
+ metadata configuration you specify which authentication module that should
+ be used for that specific IdP. You can implement your own authentication
+ module, see <xref linkend="sect.customauth" />.</para>
+
+ <para>These authentication modules are included:</para>
+
+ <glosslist>
+ <glossentry>
+ <glossterm>auth/login.php</glossterm>
+
+ <glossdef>
+ <para>This is the standard LDAP backend authentication module, it
+ uses LDAP configuration from the config.php file.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>auth/login-ldapmulti.php</glossterm>
+
+ <glossdef>
+ <para>This authentication module lets you connect to multiple LDAPS
+ depending on what organization the user selects in the login
+ form.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>auth/login-radius.php</glossterm>
+
+ <glossdef>
+ <para>This authentication module will authenticate users against an
+ RADIUS server instead of LDAP.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>auth/login-auto.php</glossterm>
+
+ <glossdef>
+ <para>This module will automatically login the user with some test
+ details. You can use this to test the IdP functionality if you do
+ not have</para>
+
+ <para>This module is not completed yet. Work in progress.</para>
+ </glossdef>
+ </glossentry>
+ </glosslist>
+
+ <section>
+ <title>Configuring the LDAP authentication module</title>
+
+ <para>The LDAP module is <filename>auth/login.php</filename>.</para>
+
+ <para>If you want to perform local authentication on this server, and
+ you want to use the LDAP authenticaiton plugin, then you need to
+ configure the following parameters in
+ <filename>config.php</filename>:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><literal>auth.ldap.dnpattern</literal>: What DN should you
+ bind to? Replacing %username% with the username the user types
+ in.</para>
+ </listitem>
+
+ <listitem>
+ <para><literal>auth.ldap.hostname</literal>: The hostname of the
+ LDAP server</para>
+ </listitem>
+
+ <listitem>
+ <para><literal>auth.ldap.attributes</literal>: Search parameter to
+ LDAP. What attributes should be extracted?
+ <literal>objectclass=*</literal> gives you all.</para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section>
+ <title>Configuring the multi-LDAP authenticaiton module</title>
+
+ <para>The module is
+ <filename>auth/login-ldapmulti.php</filename>.</para>
+
+ <note>
+ <para>Documentation will be added later. For now, contact the
+ author.</para>
+ </note>
+ </section>
+ </section>
+
+ <section>
+ <title>Setting up a SSL signing certificate</title>
+
+ <para>For test purposes, you can skip this section, and use the included
+ certificate.</para>
+
+ <para>For a production system, uou must generate a new certificate for
+ your IdP. </para>
+
+ <warning>
+ <para>There is a certificate that follows this package that you can use
+ for test purposes, but off course <emphasis>NEVER</emphasis> use this in
+ production as the private key is also included in the package and can be
+ downloaded by anyone.</para>
+ </warning>
+
+ <para>Here is an examples of openssl commands to generate a new key and a
+ selfsigned certificate to use for signing SAML messages:</para>
+
+ <screen>openssl genrsa -des3 -out server2.key 1024
+openssl rsa -in server2.key -out server2.pem
+openssl req -new -key server.key -out server2.csr
+openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt</screen>
+
+ <para>The certificate above will be valid for 60 days.</para>
+
+ <note>
+ <para>simpleSAMLphp will only work with RSA and not DSA
+ certificates.</para>
+ </note>
+ </section>
+
+ <section>
+ <title>Configuring metadata for an SAML 2.0 IdP</title>
+
+ <para>If you want to setup a SAML 2.0 IdP you need to configure two
+ metadata files: <filename>saml20-idp-hosted.php</filename> and
+ <filename>saml20-sp-remote.php</filename>.</para>
+
+ <section>
+ <title>Configuring SAML 2.0 IdP Hosted metadata</title>
+
+ <para>This is the configuration of the IdP itself. Here is some example
+ config:</para>
+
+ <programlisting> // The SAML entity ID is the index of this config.
+ 'idp.example.org' => array(
+
+ // The hostname of the server (VHOST) that this SAML entity will use.
+ 'host' => 'sp.example.org',
+
+ // X.509 key and certificate. Relative to the cert directory.
+ 'privatekey' => 'server.pem',
+ 'certificate' => 'server.crt',
+
+ /* If base64attributes is set to true, then all attributes will be base64 encoded. Make sure
+ * that you set the SP to have the same value for this.
+ */
+ 'base64attributes' => false,
+
+ // Authentication plugin to use. login.php is the default one that uses LDAP.
+ 'auth' => 'auth/login.php'
+ )</programlisting>
+
+ <para>Here are some details of each of the parameters:</para>
+
+ <glosslist>
+ <glossentry>
+ <glossterm>index (index of array)</glossterm>
+
+ <glossdef>
+ <para>The entity ID of the IdP. In this example this value is set
+ to: <literal>idp.example.org</literal>.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>host</glossterm>
+
+ <glossdef>
+ <para>The hostname of the server running this IdP.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>privatekey</glossterm>
+
+ <glossdef>
+ <para>Pointing to the private key in PEM format, in the certs
+ directory.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>certificate</glossterm>
+
+ <glossdef>
+ <para>Pointing to the certificate file in PEM format, in the certs
+ directory.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>base64attributes</glossterm>
+
+ <glossdef>
+ <para>Do you want to encode all attributes in base64? If so,
+ remember to turn on the same option on the SP.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>auth</glossterm>
+
+ <glossdef>
+ <para>Which authentication module to use? Default is:
+ <filename>auth/login.php</filename> which is the LDAP
+ authentication module.</para>
+ </glossdef>
+ </glossentry>
+ </glosslist>
+ </section>
+
+ <section>
+ <title>Configuring SAML 2.0 SP Remote metadata</title>
+
+ <para>Here (saml20-sp-remote.php) you configure all SPs that you trust.
+ Here is an example:</para>
+
+ <programlisting> /*
+ * Example simpleSAMLphp SAML 2.0 SP
+ */
+ 'saml2sp.example.org' => array(
+ 'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/saml2/sp/AssertionConsumerService.php',
+ 'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/saml2/sp/SingleLogoutService.php',
+ 'spNameQualifier' => 'dev.andreas.feide.no',
+ 'ForceAuthn' => 'false',
+ 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+ 'simplesaml.attributes' => true
+ ),</programlisting>
+
+ <para>Here are some details about each of the parameters:;</para>
+
+ <glosslist>
+ <glossentry>
+ <glossterm>index (index of array)</glossterm>
+
+ <glossdef>
+ <para>The entity ID of the given SP. Here it is:
+ <literal>saml2sp.example.org</literal>.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>AssertionConsumerService</glossterm>
+
+ <glossdef>
+ <para>The URL of this SAML 2.0 endpoint. Ask the SP if you are
+ unsure. If the SP sent you SAML 2.0 metadata, you can find the
+ parameter in there.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>SingleLogoutService</glossterm>
+
+ <glossdef>
+ <para>The URL of this SAML 2.0 endpoint. Ask the SP if you are
+ unsure. If the SP sent you SAML 2.0 metadata, you can find the
+ parameter in there.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>spNameQualifier</glossterm>
+
+ <glossdef>
+ <para>The SP NameQualifier for this SP. If unsure, set it to the
+ same as the entityID.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>ForceAuthn</glossterm>
+
+ <glossdef>
+ <para>This basicly means you turn off SSO for this SP.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>NameIDFormat</glossterm>
+
+ <glossdef>
+ <para>Set it to the default: transient.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>simplesaml.attributes</glossterm>
+
+ <glossdef>
+ <para>Set to true to include attribtues, if not no attribute
+ statements will be sent.</para>
+ </glossdef>
+ </glossentry>
+ </glosslist>
+ </section>
+ </section>
+
+ <section>
+ <title>Configuring metadata for a Shibboleth 1.3 IdP</title>
+
+ <para>You need to configure the <filename>shib13-idp-hosted.php</filename>
+ metadata, as well as the list of trusted SPs in the
+ <filename>shib13-sp-remote-php</filename> metadata. This configuration is
+ very similar to the SAML 2.0 metadata mentioned in the previous section,
+ so go look there for now.</para>
+ </section>
+
+ <section>
+ <title>Test IdP</title>
+
+ <para>To test the IdP, it is best to configure two hosts with
+ simpleSAMLphp, and use the SP demo example to test the IdP.</para>
+
+ <tip>
+ <para>To make the initial test up and running with minimal hassle, use
+ the login-auto if you do not want to setup a user storage, and use the
+ included cert so you do not need to create a new certificate.</para>
+ </tip>
+ </section>
+
+ <appendix>
+ <title>Writing your own authentication module</title>
+
+ <para>You can write your own authentication module. Just copy one of the
+ files in the www/auth directory and play with it, then configure an IdP to
+ use that module with the auth parameter in the metadata. The file must
+ support incoming URL parameters, massage the session object with login
+ state information and return to the RelayState, and that is all you need
+ to do!</para>
+
+ <tip>
+ <para>Instead of changing the code of the builtin authentication module,
+ copy it into a new file and edit that. That way, your module will not be
+ replaced or in conflict when you upgrade simpleSAMLphp to a newer
+ version.</para>
+ </tip>
+
+ <section>
+ <title>Authentication API</title>
+
+ <para>The authentication plugin should be placed in the auth
+ directory.</para>
+
+ <para>The following parameters must be accepted in the incomming
+ URL:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><literal>RelayState</literal>: This is the URL that the user
+ should be sent back to after authentication within the
+ plugin.</para>
+ </listitem>
+
+ <listitem>
+ <para><literal>RequestID</literal>: This is the ID of an incomming
+ request.</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>The initSSO.php takes in addition the following parameters:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><literal>idpentityid</literal>: This is the entityid of the
+ IdP to authenticate with. This parameter is optional, if not set the
+ default for this host will be used.</para>
+ </listitem>
+
+ <listitem>
+ <para><literal>spentityid</literal>: This is which SP config to use.
+ This parameter is optional, if not set the default for this host
+ will be used.</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>In hosted IdP metadata there is a config parameter auth that will
+ tell simpleSAML which authentication plugin that can be used.</para>
+
+ <tip>
+ <para>The authentication API is pretty basic. The easiest way to
+ understand how it works is to look at one of the existing plugins that
+ is located in the auth directory of your installation.</para>
+ </tip>
+ </section>
+ </appendix>
+</article>
\ No newline at end of file
diff --git a/docs/source/simplesamlphp-install.xml b/docs/source/simplesamlphp-install.xml
index 3ffd86fcb39bb32b25c6bacc981ff535798986d5..773d02faaf6c5e7ebbf6285df109f2450d679162 100644
--- a/docs/source/simplesamlphp-install.xml
+++ b/docs/source/simplesamlphp-install.xml
@@ -7,7 +7,7 @@
<articleinfo>
<date>2007-08-30</date>
- <pubdate>Fri Sep 14 10:49:49 2007</pubdate>
+ <pubdate>Mon Oct 15 16:54:59 2007</pubdate>
<author>
<firstname>Andreas Ă…kre</firstname>
@@ -21,19 +21,40 @@
<section>
<title>The history of simpleSAMLphp</title>
- <para>simpleSAMLphp is based on code from <ulink
+ <para>simpleSAMLphp is an iteration of what was earlier referred to as
+ lightbulb (<ulink
url="https://opensso.dev.java.net/public/extensions/">Sun OpenSSO
- Extensions</ulink> (formerly known as Lightbulb).</para>
+ Extensions</ulink>), written by <ulink
+ url="http://blogs.sun.com/superpat/">Pat Patterson, Sun</ulink>. There are
+ not much code left from lightbulb, but credits go to Pat for introducing a
+ new way of thinking when it comes to implementing federation protocols in
+ a simple and elegant way.</para>
- <para>The initial versions of the SAML 2.0 SP part was written by <ulink
- url="http://blogs.sun.com/superpat/">Pat Patterson, Sun</ulink>.</para>
-
- <para>The functionality has been extended and <ulink
+ <para>The simpleSAMLphp project is currently led by <ulink
url="http://claimid.com/erlang">Andreas Ă…kre Solberg</ulink>, <ulink
- url="http://uninett.no">UNINETT</ulink>, has rewritten the library and
- added support for Shibboleth. The product is used to bridge AAI protocols
- in the GÉANT project, <ulink
- url="http://geant2.net">http://geant2.net</ulink>.</para>
+ url="http://uninett.no">UNINETT</ulink>.</para>
+
+ <para>The product is used to bridge AAI protocols in the GÉANT project,
+ <ulink url="http://geant2.net">http://geant2.net</ulink>.</para>
+
+ <para>We have received a bunch of external contributions.</para>
+
+ <section>
+ <title>Contributors</title>
+
+ <para>Thank you very much for your contributions to
+ simpleSAMLphp:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para>Lukas Hammerle, SWITCH, Switzerland</para>
+ </listitem>
+
+ <listitem>
+ <para>Stefan Winter, Restena, Luxemborg</para>
+ </listitem>
+ </itemizedlist>
+ </section>
</section>
<section>
@@ -47,7 +68,16 @@
<para>Released . Revision X.</para>
+ <warning>
+ <para>Both config.php and metadata format is changed. Look at the
+ templates to understand the new format.</para>
+ </warning>
+
<itemizedlist>
+ <listitem>
+ <para>Documentation is updated!</para>
+ </listitem>
+
<listitem>
<para>Metadata files have been more tidy. Removed unused entries.
Look at the new templates on how to change your existing
@@ -80,6 +110,20 @@
<para>SAML 2.0 SP example now contains a logout page.</para>
</listitem>
+ <listitem>
+ <para>Added new authentication backend with support for multiple
+ LDAP based on which organization the user selects.</para>
+ </listitem>
+
+ <listitem>
+ <para>Added SAML 2.0 Discovery Service</para>
+ </listitem>
+
+ <listitem>
+ <para>Initial proof of concept implementation of "User consent on
+ attribute release"</para>
+ </listitem>
+
<listitem>
<para>Fixed some minor bugs.</para>
</listitem>
@@ -158,10 +202,23 @@
</section>
<section>
- <title>Download and get simpleSAMLphp</title>
+ <title>News about simpleSAMLphp</title>
+
+ <para>To get the latest news about simpleSAMLphp you can follow this url:
+ <ulink
+ url="http://rnd.feide.no/category/simplesamlphp/">http://rnd.feide.no/category/simplesamlphp/</ulink>.</para>
+
+ <para>Currently simpleSAMLphp has a project page at Google Code:</para>
+
+ <para><ulink
+ url="http://code.google.com/p/simplesamlphp/">http://code.google.com/p/simplesamlphp/</ulink></para>
+ </section>
+
+ <section>
+ <title>Download and install simpleSAMLphp</title>
<para>You can go to <ulink
- url="http://rnd.feide.no/category/simplesamlphp/">http://rnd.feide.no/category/simplesamlphp/</ulink>
+ url="http://code.google.com/p/simplesamlphp/">code.google.com/p/simplesamlphp/</ulink>
to find the most recent release of simpleSAMLphp. Download the zipped
file, and unzip it on your webserver. However I hightly reccomend running
from a subversion checkout instead.</para>
@@ -169,77 +226,24 @@
<section>
<title>Getting a working copy of simpleSAMLphp from subversion</title>
- <warning>
- <para>Right now the subversion repository is requiring a username /
- password. I'll update the access control, so that everyone can get
- read access without authentication. I'll announce it on the rnd blog
- when it is ready.</para>
- </warning>
+ <para>Go to the directory where you want to install
+ simpleSAMLphp:</para>
+
+ <screen>cd /var</screen>
- <para>If you want a working copy from subversion enter:</para>
+ <para>Then do a subversion checkout:</para>
- <screen>svn co https://svn.uninett.no/svn/feidernd/simplesamlphp</screen>
+ <screen>svn checkout http://simplesamlphp.googlecode.com/svn/trunk/ simplesamlphp</screen>
<para>If you know subversion you know how to view logs and review
changes to the files. To update the version you have checked out,
enter:</para>
- <screen>cd simplesamlphp
+ <screen>cd /var/simplesamlphp
svn up</screen>
</section>
</section>
- <section>
- <title>Installing simpleSAMLphp</title>
-
- <para>First find an appropriate place for the <filename>simplesamlphp
- </filename>folder. In example
- <filename>/var/simplesamlphp</filename>.</para>
-
- <para>Of the folders inside simplesamlphp, only the www folder needs to be
- accessible from the web. There are several ways of putting the
- simpleSAMLphp depending on the way web sites are structured on your apache
- web server. Here is what I believe is the best configuration.</para>
-
- <para>Find the apache configuration file for the virtual hosts that you
- want to run simpleSAML on. The configuration may look like this:</para>
-
- <programlisting><VirtualHost *>
- ServerName service.example.com
- DocumentRoot /var/www/service.example.com
-
- Alias /simplesamlphp /var/simplesamlphp/www
-</VirtualHost>
-</programlisting>
-
- <para>What is special is tha Alias directive. That directive will give
- control to simplesamlphp to all urls that matches
- <literal>http(s)://service.example.com/simplesamlphp/*</literal>.
- SimpleSAML will need to have several SAML interfaces available on the web,
- and all these interfaces are included in the www subdirectory of your
- simplesamlphp installation. You can set the alias to whatever you want,
- but this alias must be set in the config.php file of simpleSAML as
- described in <xref linkend="sect.config" />. Here is an example of how
- this configuration may look like in config.php:</para>
-
- <programlisting>$config = array (
- 'basedir' => '/var/simplesamlphp/',
- 'baseurl' => 'http://service.example.com',
- 'baseurlpath' => 'simplesamlphp/',</programlisting>
-
- <section>
- <title>The simpleSAMLphp installation webpage</title>
-
- <para>When you have installed simpleSAMLphp, you can access the homepage
- of your installation, which contains some information and a few links to
- the test services. The url of an installation can be in example:</para>
-
- <literallayout>https://service.example.com/simplesamlphp/</literallayout>
-
- <para>But it depends on how you set it up with apache.</para>
- </section>
- </section>
-
<section>
<title>Making configuration and metadata files</title>
@@ -260,373 +264,122 @@ cp -r metadata-templates/*.php metadata/
</screen>
</section>
- <section id="sect.config">
- <title>Configuring simpleSAMLphp</title>
-
- <para>First configure all the paths in the beginning of the config file,
- to correspond to your organization of the apache web server, and where you
- place simpleSAMLphp.</para>
-
- <para>You will need to set the entityid of a default IdP in
- <literal>default-saml20-idp</literal> or
- <literal>default-shib13-idp</literal> depending on whether you use
- shibboleth or SAML 2.0.</para>
-
- <para>There is one parameter debug that may be set to true or false. If
- you set it to true, then all Browser/POST SAML messages will be printed to
- the web browser, and the user will have to manually submit it.</para>
-
- <para>The session.duration parameter says how many seconds that a session
- should be valid. After this amont of time, the session is not valid
- anymore.</para>
-
- <section>
- <title>Configuration for LDAP authentication plugin</title>
-
- <para>If you want to perform local authentication on this server, and
- you want to use the LDAP authenticaiton plugin, then you need to
- configure the following parameters:</para>
-
- <itemizedlist>
- <listitem>
- <para><literal>auth.ldap.dnpattern</literal>: What DN should you
- bind to? Replacing %username% with the username the user types
- in.</para>
- </listitem>
-
- <listitem>
- <para><literal>auth.ldap.hostname</literal>: The hostname of the
- LDAP server</para>
- </listitem>
-
- <listitem>
- <para><literal>auth.ldap.attributes</literal>: Search parameter to
- LDAP. What attributes should be extracted?
- <literal>objectclass=*</literal> gives you all.</para>
- </listitem>
- </itemizedlist>
- </section>
- </section>
-
- <section>
- <title>Setting up a SAML 2.0 SP</title>
-
- <para>This functionality is relevant if you want to integrate SAML 2.0
- authentication on a service of yours, and you know one or more IdPs that
- you can connect to. You would need metadata for those IdPs.</para>
-
- <section>
- <title>Configuring metadata for a SAML 2.0 SP</title>
-
- <para>To configure a SAML 2.0 SP, you first need to configure the SP
- data for all your vhosts. If you run only one host, you need only one
- entry. This metadata is stored in the
- <filename>metadata/saml20-sp-hosted.php</filename> file. Here is an
- example of a metadata:</para>
-
- <programlisting> "dev.andreas.feide.no" => array(
- 'host' => 'dev.andreas.feide.no',
- "assertionConsumerServiceURL" => "http://dev.andreas.feide.no/saml2/sp/AssertionConsumerService.php",
- "issuer" => "dev.andreas.feide.no",
- "spNameQualifier" => "dev.andreas.feide.no",
- "ForceAuthn" => "false",
- "NameIDFormat" => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
- ),</programlisting>
-
- <para>Note that you should fill in the host field matching the hostname
- of your vhost. That way simpleSAMLphp can automatically detect what SP
- metadata to use based on the <literal>Host:</literal> header sent by the
- HTTP user agent.</para>
-
- <para>You also need to configure the metadata for the IdP that you want
- to use. Here is a metadata example for the Feide IdP:</para>
-
- <programlisting> "sam.feide.no" => array(
- "SingleSignOnUrl" => "https://sam.feide.no/amserver/SSORedirect/metaAlias/idp",
- "SingleLogOutUrl" => "https://sam.feide.no/amserver/IDPSloRedirect/metaAlias/idp",
- "certFingerprint" => "3a:e7:d3:d3:06:ba:57:fd:7f:62:6a:4b:a8:64:b3:4a:53:d9:5d:d0",
- "base64attributes" => true),</programlisting>
-
- <para>The IdP metadata is stored in the
- <filename>metadata/saml20-idp-remote.php</filename> file. Configure the
- correct URLs of the endpoints, the hash of the certificate, and whether
- the IdP is base64 encoding attributes or not. Most IdPs don't use
- base64, so if you do not connect to Feide you should turn this parameter
- to <literal>false</literal>. Notice that the key of the array is the
- entity id of the IdP, in this example:
- <literal>sam.feide.no</literal>.</para>
- </section>
-
- <section>
- <title>Test the SAML 2.0 SP example</title>
-
- <para>Go to the URL of the test page, similar to:</para>
-
- <literallayout>http://service.example.com/simplesamlphp/example-simple/saml2-example.php</literallayout>
-
- <note>
- <para>The simpleSAMLphp installation homepage will link you to this
- example, so you do not need to type in the full url.</para>
- </note>
-
- <para>You should be redirected to the IdP. Login, and you should be sent
- back and shown all the attributes sent form the IdP.</para>
- </section>
- </section>
-
<section>
- <title>Setting up a Shibboleth 1.3 SP</title>
-
- <para>If you want to configure a service with authentication towards an
- external Shibboleth 1.3 IdP, this section describes you how to
- proceed.</para>
-
- <section>
- <title>Configuring metadata for Shibboleth 1.3 SP</title>
+ <title>Configuring apache</title>
- <para>Configure Shibboleth 1.3 SP metadata for all your vhosts. If you
- run only one host, you need only one entry. This metadata is stored in
- the <filename>metadata/shib13-sp-hosted.php</filename> file. Here is an
- example:</para>
+ <para>In this example simpleSAMLphp is located in
+ <filename>/var/simplesamlphp</filename>, that is the default location. If
+ you want to modify this location, you can do so freely, but then you need
+ to update the path in a few files. <link linkend="sect.altlocations">I
+ wrote a separate chapter about that, read on</link>.</para>
- <programlisting> 'http://dev.andreas.feide.no' => array(
- 'AssertionConsumerService' => 'http://dev.andreas.feide.no/shib13/sp/AssertionConsumerService.php',
- 'host' => 'dev.andreas.feide.no'
- ),</programlisting>
-
- <para>Note that you should fill in the host field matching the hostname
- of your vhost. That way simpleSAMLphp can automatically detect what SP
- metadata to use based on the <literal>Host:</literal> header sent by the
- HTTP user agent.</para>
-
- <para>You also need to configure the metadata for the Shibboleth 1.3
- IdPs that you want to connect to. Here is an example:</para>
-
- <programlisting> 'urn:mace:switch.ch:aaitest:dukono.switch.ch' => array(
- 'SingleSignOnUrl' => 'https://dukono.switch.ch/shibboleth-idp/SSO',
- 'certFingerprint' => 'c7279a9f28f11380509e075441e3dc55fb9ab864'
- ),</programlisting>
-
- <para>Notice that the key of the array is the entity ID.</para>
- </section>
-
- <section>
- <title>Test the Shibboleth 1.3 SP example</title>
-
- <para>Go to the URL of the shibboleth test page, similar to:</para>
-
- <literallayout>http://service.example.com/example-simple/shib13-example.php</literallayout>
-
- <para>You should be redirected to the IdP. Login, and you should be sent
- back and shown all the attributes sent form the IdP.</para>
-
- <note>
- <para>simpleSAMLphp does not support the attribute profile that
- Shibboleth is using by default. To make attributes work, you need to
- configure the IdP to perform attribute push.</para>
- </note>
- </section>
- </section>
-
- <section>
- <title>Setting up a SAML 2.0 IdP</title>
-
- <para>If you have a user database and want to offer a SAML 2.0 IdP
- functinoality towards external services, here is how you set it up.</para>
-
- <section>
- <title>Configuring the SAML 2.0 IdP</title>
-
- <para>Setup idp metadata in saml20-idp-hosted. Then for all the SP the
- IdP shold trust in saml20-sp-remote. Then configure in config.php, ldap
- DN patterns, ldap host etc. Next add a certificate with openssl.</para>
-
- <para>Example config.php:</para>
-
- <programlisting> 'auth.ldap.dnpattern' => 'uid=%username%,dc=feide,dc=no,ou=feide,dc=uninett,dc=no',
- 'auth.ldap.hostname' => 'ldap.uninett.no',
- 'auth.ldap.attributes' => 'objectclass=*'</programlisting>
-
- <para>Example IdP Metadata saml20-idp-hosted:</para>
-
- <programlisting> 'dev2.andreas.feide.no' => array(
- 'host' => 'dev2.andreas.feide.no',
- 'SingleSignOnUrl' => "http://dev2.andreas.feide.no/saml2/idp/SSOService.php",
- 'SingleLogOutUrl' => "http://dev2.andreas.feide.no/saml2/idp/LogoutService.php",
- 'privatekey' => 'server.pem',
- 'certificate' => 'server.crt',
- 'base64attributes' => true,
- 'auth' => 'auth/login.php'
- )</programlisting>
-
- <para>The server.pem and server.crt is an example certificate shipped
- with the package, and be used for demo purposes, but you must generate
- your own to use in production services.</para>
-
- <para>You also need to configure metadata for trusted SPs, here is an
- example:</para>
-
- <programlisting>_ "dev.andreas.feide.no" => array(
- 'host' => 'dev.andreas.feide.no',
- "assertionConsumerServiceURL" => "http://dev.andreas.feide.no/saml2/sp/AssertionConsumerService.php",
- "issuer" => "dev.andreas.feide.no",
- "spNameQualifier" => "dev.andreas.feide.no",
- "ForceAuthn" => "false",
- "NameIDFormat" => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
- ),</programlisting>
- </section>
-
- <section>
- <title>Adding a SAML IdP signing certificate</title>
-
- <para>You should generate a new certificate for your IdP.</para>
-
- <warning>
- <para>There is a certificate that follows this package that you can
- use for test purposes, but off course NEVER use this in production as
- the private key is also included in the package and can be downloaded
- by anyone.</para>
- </warning>
-
- <para>Here is an examples of openssl commands to generate a new key and
- a selfsigned certificate to use for signing SAML messages:</para>
-
- <screen>openssl genrsa -des3 -out server2.key 1024
-openssl rsa -in server2.key -out server2.pem
-openssl req -new -key server.key -out server2.csr
-openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt</screen>
-
- <para>The certificate above will be valid for 60 days.</para>
+ <para>Of the folders inside simplesamlphp, only the www folder needs to be
+ accessible from the web. There are several ways of putting the
+ simpleSAMLphp depending on the way web sites are structured on your apache
+ web server. Here is what I believe is the best configuration.</para>
- <note>
- <para>simpleSAMLphp will only work with RSA and not DSA
- certificates.</para>
- </note>
- </section>
+ <para>Find the apache configuration file for the virtual hosts that you
+ want to run simpleSAML on. The configuration may look like this:</para>
- <section>
- <title>Test SAML 2.0 IdP</title>
+ <programlisting><VirtualHost *>
+ ServerName service.example.com
+ DocumentRoot /var/www/service.example.com
- <para>To test the SAML 2.0 IdP, it is best to configure two hosts with
- simpleSAMLphp, and use the SAML 2.0 SP demo example to test the
- IdP.</para>
- </section>
- </section>
+ Alias /simplesaml /var/simplesamlphp/www
+</VirtualHost>
+</programlisting>
- <section>
- <title>Using the built-in SP WAYF functionality</title>
+ <para>What is special is the <literal>Alias</literal> directive. That
+ directive will give control to simpleSAMLphp for all urls that matches
+ <literal>http(s)://service.example.com/simplesaml/*</literal>.
+ simpleSAMLphp will need to have several SAML interfaces available on the
+ web, and all these interfaces are included in the <filename>www</filename>
+ subdirectory of your simpleSAMLphp installation. You can set the alias to
+ whatever you want, but this alias must be set in the
+ <filename>config.php</filename> file of simpleSAML as described in <xref
+ linkend="sect.config" />. Here is an example of how this configuration may
+ look like in <filename>config.php</filename>:</para>
- <para>The WAYF is not yet a part of the simpleSAMLphp release. This
- functionality will be added soon.</para>
+ <programlisting>$config = array (
+[...]
+ 'baseurlpath' => 'simplesaml/',</programlisting>
</section>
<section>
- <title>Setting up WebSSO bridges</title>
-
- <para>simpleSAMLphp can be used to bridge between two WebSSO protocols.
- Here is some short descriptions of how to setup the different bridge
- configurations.</para>
-
- <section>
- <title>Bridging SAML 2.0 <-> SAML 2.0</title>
-
- <para>In this setup you can bridge between two federations using SAML
- 2.0.</para>
-
- <para>To approach this, you must configure both saml 2.0 IdP and SP
- hosted metadata, and in the IdP hosted metadata configure the auth
- parameter to be the SP initialization endpoint, like this:</para>
-
- <screen> 'auth' => 'saml2/sp/initSSO.php?idpentityid=sam.feide.no'</screen>
-
- <para>As you can see you specify the IdP in the remote federation as a
- parameter to the initalization endpoint.</para>
-
- <note>
- <para>This section of the documentation is only a placeholder. There
- will be more detailed information added later. For now, ask the author
- if you want more details of such a setup.</para>
-
- <para>Briding SAML 2.0 SLO is not implemented. Will be improved
- soon.</para>
- </note>
- </section>
-
- <section>
- <title>Bridging Shibboleth 1.3 <-> Shibboleth 1.3</title>
-
- <para>Will be supported soon.</para>
- </section>
-
- <section>
- <title>Bridging Shibboleth 1.3 <-> SAML 2.0</title>
+ <title>The simpleSAMLphp installation webpage</title>
- <para>Will be supported soon.</para>
- </section>
+ <para>When you have installed simpleSAMLphp, you can access the homepage
+ of your installation, which contains some information and a few links to
+ the test services. The url of an installation can be in example:</para>
- <section>
- <title>Bridging SAML 2.0 <-> Shibboleth 1.3</title>
+ <literallayout>https://service.example.com/simplesaml/</literallayout>
- <para>Will be supported soon.</para>
- </section>
+ <para>The exact link depends on how you set it up with apache and off
+ course your hostname.</para>
- <section>
- <title>Bridging SAML 2.0 <-> OpenID</title>
+ <warning>
+ <para>Don't click on any of the links yet, because they require you to
+ eigther have setup simpleSAMLphp as an Service Provider or as an
+ Identity Provider.</para>
+ </warning>
- <para>Will be supported soon.</para>
- </section>
+ <para>Here is an example screenshot of what the simpleSAMLphp page looks
+ like:</para>
- <section>
- <title>Bridging Shibboelth 1.3 <-> OpenID</title>
+ <figure>
+ <title>Screenshot of the simpleSAMLphp installation page.</title>
- <para>Will be supported soon.</para>
- </section>
+ <screenshot>
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="resources/simplesamlphp-install/screenshot-installationpage.png" />
+ </imageobject>
+ </mediaobject>
+ </screenshot>
+ </figure>
</section>
<section>
- <title>Authentication API</title>
-
- <para>The authentication plugin should be placed in the auth
- directory.</para>
+ <title>Next steps</title>
- <para>The following parameters must be accepted in the incomming
- URL:</para>
+ <para>You have now successfully installed simpleSAMLphp, and the next
+ steps depends on whether you want to setup a service provider, to protect
+ a website with authentication or if you want to setup an identity provider
+ and connect it to a user storage. We will also provide documentation on
+ bridging federation protocols in a separate document.</para>
<itemizedlist>
<listitem>
- <para><literal>RelayState</literal>: This is the URL that the user
- should be sent back to after authentication within the plugin.</para>
+ <para><ulink url="simplesamlphp-sp.html">Setting up simpleSAMLphp as a
+ service provider</ulink></para>
</listitem>
<listitem>
- <para><literal>RequestID</literal>: This is the ID of an incomming
- request.</para>
- </listitem>
- </itemizedlist>
-
- <para>The initSSO.php takes in addition the following parameters:</para>
-
- <itemizedlist>
- <listitem>
- <para><literal>idpentityid</literal>: This is the entityid of the IdP
- to authenticate with. This parameter is optional, if not set the
- default for this host will be used.</para>
+ <para><ulink url="simplesamlphp-idp.html">Setting up simpleSAMLphp as
+ an identity provider</ulink></para>
</listitem>
<listitem>
- <para><literal>spentityid</literal>: This is which SP config to use.
- This parameter is optional, if not set the default for this host will
- be used.</para>
+ <para><ulink url="simplesamlphp-bridge.html">Setting up simpleSAMLphp
+ as a bridge</ulink></para>
</listitem>
</itemizedlist>
+ </section>
- <para>In hosted IdP metadata there is a config parameter auth that will
- tell simpleSAML which authentication plugin that can be used.</para>
+ <appendix id="sect.altlocations">
+ <title>Installing simpleSAMLphp in alternative locations</title>
- <tip>
- <para>The authentication API is pretty basic. The easiest way to
- understand how it works is to look at one of the existing plugins that
- is located in the auth directory of your installation.</para>
- </tip>
- </section>
+ <para>If you want to install simpleSAMLphp in an alternative directory,
+ feel free to do so. You need to set the path of the installation directory
+ in the config.php file:</para>
+
+ <programlisting>$config = array (
+[...]
+ 'basedir' => '/usr/local/simplesaml/simplesamlphp',</programlisting>
+
+ <para>And you also need to modify the Alias directive in the apache
+ configuration:</para>
+
+ <programlisting> Alias /simplesaml /usr/local/simplesaml/simplesamlphp/www</programlisting>
+ </appendix>
</article>
\ No newline at end of file
diff --git a/docs/source/simplesamlphp-sp.xml b/docs/source/simplesamlphp-sp.xml
new file mode 100644
index 0000000000000000000000000000000000000000..5c6080e945081a4c2ff1d05b4841f771077269c2
--- /dev/null
+++ b/docs/source/simplesamlphp-sp.xml
@@ -0,0 +1,488 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<article>
+ <title>Using simpleSAMLphp as a Service Provider</title>
+
+ <articleinfo>
+ <date>2007-10-15</date>
+
+ <pubdate>Mon Oct 15 16:55:49 2007</pubdate>
+
+ <author>
+ <firstname>Andreas Ă…kre</firstname>
+
+ <surname>Solberg</surname>
+
+ <email>andreas.solberg@uninett.no</email>
+ </author>
+ </articleinfo>
+
+ <section>
+ <title>Introduction</title>
+
+ <para>simpleSAMLphp can run as both a SAML 2.0 Service Provider and as a
+ Shibboleth 1.3 Service Provider. The configuration and metadata would be
+ somewhat different, therefore there are separate chapter for the two,
+ although the configuration is similar.</para>
+ </section>
+
+ <section>
+ <title>Configuring metadata for SAML 2.0 SP</title>
+
+ <para>When you are setting up a SAML 2.0 SP, you would need to configure
+ two metadata files. saml20-sp-hosted.php and saml20-idp-remote.php.
+ saml20-sp-hosted.php represent the SAML entity of the service provider
+ itself, while the saml20-idp-remote.php configuration lists all the
+ trusted SAML 2.0 IdP and how to connect to them.</para>
+
+ <section>
+ <title>Configuring SAML 2.0 SP Hosted metadata</title>
+
+ <para>You need to know at least two variables to be able to setup this
+ metadata. You need to know the hostname of the server you are using, and
+ you need to set an entity ID for this server. Talk to the people running
+ the IdP of what entity ID you should use.</para>
+
+ <note>
+ <para>Feide has special rules for setting entity IDs, so if you want
+ to connect to Feide, contact them and ask what entity ID you should
+ use.</para>
+ </note>
+
+ <para>Here is an example of the metadata file:</para>
+
+ <programlisting>$metadata = array(
+
+ /*
+ * Example of a hosted SP
+ */
+ 'entityid' => array(
+ 'host' => 'hostname',
+ 'spNameQualifier' => 'entityid',
+ 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+ 'ForceAuthn' => 'false'
+ )
+
+);</programlisting>
+
+ <para>Here are the description of the possible fields:</para>
+
+ <glosslist>
+ <glossentry>
+ <glossterm>index (the index of the array)</glossterm>
+
+ <glossdef>
+ <para>The entity ID of the hosted SP entity.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>spNameQualifier</glossterm>
+
+ <glossdef>
+ <para>The name qualifier of the SP. If this is not important to
+ you, you can set it to be identical with the entity ID
+ above.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>host</glossterm>
+
+ <glossdef>
+ <para>The hostname of the server running this SAML 2.0 SP. This
+ option allows simpleSAMLphp to automatically discover which SP
+ metadata to use, when it runs multiple virtual hosts.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>NameIDFormat</glossterm>
+
+ <glossdef>
+ <para>The NameIDFormat in the request. If you don't know what this
+ is, or don't need it to be anything specific, leave it with the
+ default configuration.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>ForceAuthn</glossterm>
+
+ <glossdef>
+ <para>Force authentication is a parameter that allows you to force
+ re-authenticatino of users even if the user contains a SSO session
+ at the IdP.</para>
+ </glossdef>
+ </glossentry>
+ </glosslist>
+ </section>
+
+ <section>
+ <title>Configuring SAML 2.0 IdP Remote metadata</title>
+
+ <para>This metadata file lists all the IdPs that you trust.</para>
+
+ <programlisting> /*
+ * Example simpleSAMLphp SAML 2.0 IdP
+ */
+ 'idp.example.org' => array(
+ 'name' => 'Test',
+ 'description' => 'Description of this example entry',
+ 'SingleSignOnService' => 'https://idp.example.org/simplesaml/saml2/idp/SSOService.php',
+ 'SingleLogoutService' => 'https://idp.example.org/simplesaml/saml2/idp/LogoutService.php',
+ 'certFingerprint' => '3fa158e8abfd4b5203315b08c0b791b6ee4715f6',
+ 'base64attributes' => true
+ ),</programlisting>
+
+ <glosslist>
+ <glossentry>
+ <glossterm>index (the index of the array)</glossterm>
+
+ <glossdef>
+ <para>The entity ID of this SAML 2.0 IdP entity.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>name</glossterm>
+
+ <glossdef>
+ <para>Set the name of this identity provider. Will just be used in
+ the UI of the discovery service, so set it to whatever you
+ want.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>description</glossterm>
+
+ <glossdef>
+ <para>Set the description of this identity provider. Will just be
+ used in the UI of the discovery service, so set it to whatever you
+ want.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>SingleSignOnService</glossterm>
+
+ <glossdef>
+ <para>Contact the IdP to get the endpoint URL of this service.
+ This is the URL which the user is redirected with the AuthnRequest
+ using HTTP-REDIRECT.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>SingleLogoutService</glossterm>
+
+ <glossdef>
+ <para>Contact the IdP to get the endpoint URL of this service.
+ This is the URL which the user is redirected with the
+ LogoutRequest using HTTP-REDIRECT.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>certFingerprint</glossterm>
+
+ <glossdef>
+ <para>The md5sum of the certificate used by the IdP. If you don't
+ know how to compute this, you can leave it as it is, and then
+ you'll get an error message the first time you try to login. In
+ this error message you are told what is the fingerprint of the IdP
+ certiciate, so you can copy and use that.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>base64encode</glossterm>
+
+ <glossdef>
+ <para>Is the IdP base64 encoding all the attributes?
+ Base64encoding should be avoided but makes it much easier to send
+ data in different formats and characterencodings, so you can leave
+ it on when you test. If you are using simpleSAMLphp at the IdP,
+ remember to set the parameter in the metadata at the IdP to be the
+ same.</para>
+ </glossdef>
+ </glossentry>
+ </glosslist>
+ </section>
+
+ <section>
+ <title>Setting the default SAML 2.0 IdP</title>
+
+ <para>In the global configuration (<filename>config.php</filename>)
+ there is a parameter to set the default IdP to use. Alternatively you
+ can specify which IdP to use in a parameter to the initSSO.php script
+ when you initiate logon in your application.</para>
+
+ <para>Here is an example from <filename>config.php</filename>:</para>
+
+ <programlisting> 'default-saml20-idp' => 'sam.feide.no',</programlisting>
+
+ <para>The configuration above will use the IdP configured in IdP Remote
+ metadata with entity ID equal to <literal>sam.feide.no</literal>.
+ </para>
+ </section>
+
+ <section>
+ <title>Using the SAML 2.0 IdP Discovery Service</title>
+
+ <para>If you want end users to be able to select one of all the
+ specified entries in IdP remote metadata, you can set the default IdP to
+ be null, then simpleSAMLphp will initiate the builtin IdP discovery
+ service to let the user select IdP. Here is the neccessary configuration
+ from <filename>config.php</filename>:</para>
+
+ <programlisting> 'default-saml20-idp' => null,</programlisting>
+ </section>
+ </section>
+
+ <section>
+ <title>Configuring metadata for Shibboleth 1.3 SP</title>
+
+ <para>When you are setting up a Shibboleth 1.3 SP, you need to configure
+ two metadata files. shib13-sp-hosted.php and shib13-idp-remote.php.
+ shib13-sp-hosted.php represents the SAML entity of the service provider
+ itself, while the shib13-idp-remote.php metadata lists all the trusted
+ SAML 2.0 IdPs and contains information on how to connect to them.</para>
+
+ <section>
+ <title>Configuring Shibboleth 1.3 SP Hosted metadata</title>
+
+ <para>In the hosted metadata (shib13-sp-hosted.php) you will need to
+ configure two parameters, the entity ID and the hostname of the server
+ running this SP.</para>
+
+ <programlisting> /*
+ * Example of hosted Shibboleth 1.3 SP.
+ */
+ 'sp1entityid' => array(
+ 'host' => 'sp.example.org'
+ )</programlisting>
+
+ <glosslist>
+ <glossentry>
+ <glossterm>index (the index of the array)</glossterm>
+
+ <glossdef>
+ <para>The entity ID of the hosted SP entity.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>host</glossterm>
+
+ <glossdef>
+ <para>The hostname of the server running this Shibboleth 1.3 SP.
+ This option allows simpleSAMLphp to automatically discover which
+ SP metadata to use, when it runs multiple virtual hosts.</para>
+ </glossdef>
+ </glossentry>
+ </glosslist>
+ </section>
+
+ <section>
+ <title>Configuring Shibboleth 1.3 IdP Remote metadata</title>
+
+ <para>Here (shib13-idp-remote.php) you configure which IdPs that you
+ trust.</para>
+
+ <programlisting> 'urn:mace:switch.ch:aaitest:dukono.switch.ch' => array(
+ 'SingleSignOnUrl' => 'https://dukono.switch.ch/shibboleth-idp/SSO',
+ 'certFingerprint' => 'c7279a9f28f11380509e075441e3dc55fb9ab864'
+ ),</programlisting>
+
+ <glosslist>
+ <glossentry>
+ <glossterm>index (the index of the array)</glossterm>
+
+ <glossdef>
+ <para>The entity ID of this Shibboleth 1.3 IdP entity. In this
+ example the entity ID is set to
+ <literal>urn:mace:switch.ch:aaitest:dukono.switch.ch</literal>.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>SingleSignOnUrl</glossterm>
+
+ <glossdef>
+ <para>Contact the IdP to get the endpoint URL of this service.
+ This is the URL which the user is redirected with the request for
+ authentication.</para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>certFingerprint</glossterm>
+
+ <glossdef>
+ <para>The md5sum of the certificate used by the IdP. If you don't
+ know how to compute this, you can leave it as it is, and then
+ you'll get an error message the first time you try to login. In
+ this error message you are told what is the fingerprint of the IdP
+ certiciate, so you can copy and use that.</para>
+ </glossdef>
+ </glossentry>
+ </glosslist>
+ </section>
+ </section>
+
+ <section>
+ <title>Exchange metadata with the IdP</title>
+
+ <para>Before you can run the test examples, you need the people running
+ the IdP to load the metadata for your SP. If you run Shibboleth 1.3 SP,
+ you will need to manually create metadata for your SP and send to the IdP,
+ if you use SAML 2.0, metadata can be generated automatically.</para>
+
+ <section>
+ <title>Automatically generation of SP metadata for SAML 2.0</title>
+
+ <para>On the installation page there is a link named "Look at your SAML
+ 2.0 SP metadata". Click there to look at the metadata for your SP. Send
+ this metadata document to the IdP and ask them to load it.</para>
+
+ <screenshot>
+ <screeninfo>Example of automatically generated SAML 2.0
+ Metadata</screeninfo>
+
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="resources/simplesamlphp-sp/saml2metadata.png" />
+ </imageobject>
+ </mediaobject>
+ </screenshot>
+
+ <para>If you are connected to Feide, and put one of Feides entity IDs as
+ default IdP, you will see an additional section on this page:</para>
+
+ <screenshot>
+ <screeninfo>Sending metadata to Feide</screeninfo>
+
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="resources/simplesamlphp-sp/saml2metadata-feide.png" />
+ </imageobject>
+ </mediaobject>
+ </screenshot>
+
+ <para>Enter your email address and click the button to send the metadata
+ to Feide. Remeber to get in contact with Feide to discuss your new
+ service, and how you can be connected to Feides test environment.</para>
+ </section>
+ </section>
+
+ <section>
+ <title>Test the SAML 2.0 SP examples</title>
+
+ <para>When you have installed simpleSAMLphp, configured apache, and setup
+ metadata and exchanged metadata with the IdP you are ready to test the
+ example service that is included in the simpleSAMLphp installation.</para>
+
+ <para>On the installation page of simpleSAMLphp as you remember from the
+ installation guide, there is a link to a Shibboleth 1.3 and SAML 2.0
+ example. When you click on that example, you should be automatically
+ redirected to the IdP. Then login as usual, and you should get back to a
+ status page with .</para>
+
+ <para>You should be redirected to the IdP. Login, and you should be sent
+ back and shown all the attributes sent form the IdP.</para>
+
+ <figure>
+ <title>Screenshot of the status page after an user have succesfully
+ authenticated</title>
+
+ <screenshot>
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="resources/simplesamlphp-sp/screenshot-example.png" />
+ </imageobject>
+ </mediaobject>
+ </screenshot>
+ </figure>
+ </section>
+
+ <section>
+ <title>Integrating authentication with your own application</title>
+
+ <para>You will need to hook some code into your application executed for
+ every protected HTTP request. The flow in that code goes like:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para>Check whether the user is authenticated or not.</para>
+ </listitem>
+
+ <listitem>
+ <para>If the user is not authenticated, and it should be, then
+ redirect the user to the initSSO.php script with the appropriate
+ parameters. In particular the RelayState that tells the URL to return
+ to after login.</para>
+ </listitem>
+
+ <listitem>
+ <para>If the user is authenticated then your done, map to your own
+ user database if neccessary, and access the attributes from the
+ session object as you like.</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>Here are some example code from the included example that you can
+ reuse:</para>
+
+ <para>We start off with including a common file _include.php. All this
+ file is doing is adding simpleSAMLphp to the classpath. If you want you
+ can do this in php.ini instead. Or you can include all the content of
+ _include.php in the application it self.</para>
+
+ <programlisting>require_once('../_include.php');</programlisting>
+
+ <para>Including class specifications. This is for SAML 2.0, for shibboleth
+ look at the shibboleth example in
+ <filename>www/example-simple/shib13-example.php</filename>.</para>
+
+ <programlisting>require_once('SimpleSAML/Utilities.php');
+require_once('SimpleSAML/Session.php');
+require_once('SimpleSAML/XML/MetaDataStore.php');
+require_once('SimpleSAML/XML/SAML20/AuthnRequest.php');
+require_once('SimpleSAML/XML/SAML20/AuthnResponse.php');
+require_once('SimpleSAML/Bindings/SAML20/HTTPRedirect.php');
+require_once('SimpleSAML/Bindings/SAML20/HTTPPost.php');
+require_once('SimpleSAML/XHTML/Template.php');
+</programlisting>
+
+ <para>Then enable using PHP Sessions, and load configuration and metadata
+ with simpleSAMLphp. You can copy this lines into your application without
+ changes:</para>
+
+ <programlisting>session_start();
+
+/* Load simpleSAMLphp, configuration and metadata */
+$config = SimpleSAML_Configuration::getInstance();
+$metadata = new SimpleSAML_XML_MetaDataStore($config);
+$session = SimpleSAML_Session::getInstance();
+</programlisting>
+
+ <para>Then at last, you check whether the session is valid. If it is not,
+ redirect to the initSSO.php script adding the current URL as a RelayState
+ parameter. If you are authenticated, then retrieve all the attributes from
+ the session object. You may want to look closer at the attributes array,
+ so why don't you print_r it out right away to get the structure...</para>
+
+ <programlisting>/* Check if valid local session exists.. */
+if (!isset($session) || !$session->isValid() ) {
+ header('Location: /' . $config->getValue('baseurlpath') . 'saml2/sp/initSSO.php?RelayState=' . urlencode(SimpleSAML_Utilities::selfURL()));
+ exit(0);
+}
+
+$attributes = $session->getAttributes();
+print_r($attributes);
+</programlisting>
+ </section>
+</article>
\ No newline at end of file
diff --git a/metadata-templates/saml20-idp-hosted.php b/metadata-templates/saml20-idp-hosted.php
index fe31dbaa85c284fa6675213e09c37f1c5b40e99d..ced4295557305d847d08f4609b1763d0901c5e12 100644
--- a/metadata-templates/saml20-idp-hosted.php
+++ b/metadata-templates/saml20-idp-hosted.php
@@ -10,7 +10,7 @@
$metadata = array(
// The SAML entity ID is the index of this config.
- 'sp.example.org' => array(
+ 'idp.example.org' => array(
// The hostname of the server (VHOST) that this SAML entity will use.
'host' => 'sp.example.org',
diff --git a/metadata-templates/saml20-idp-remote.php b/metadata-templates/saml20-idp-remote.php
index 1062e92c3a152886b44f1e2a6328c5af809e7f7b..83badc75ec94a394efa88a3e01632405e5819706 100644
--- a/metadata-templates/saml20-idp-remote.php
+++ b/metadata-templates/saml20-idp-remote.php
@@ -14,6 +14,8 @@ $metadata = array(
* Example simpleSAMLphp SAML 2.0 IdP
*/
'idp.example.org' => array(
+ 'name' => 'Test',
+ 'description' => 'Description of this example entry',
'SingleSignOnService' => 'https://idp.example.org/simplesaml/saml2/idp/SSOService.php',
'SingleLogoutService' => 'https://idp.example.org/simplesaml/saml2/idp/LogoutService.php',
'certFingerprint' => '3fa158e8abfd4b5203315b08c0b791b6ee4715f6',
diff --git a/metadata-templates/saml20-sp-hosted.php b/metadata-templates/saml20-sp-hosted.php
index 396d8d60c574d8b69ebf0b7c46681280cf07c08e..01517f0794103d1cfec8eea1268a5e44e5261826 100644
--- a/metadata-templates/saml20-sp-hosted.php
+++ b/metadata-templates/saml20-sp-hosted.php
@@ -21,4 +21,4 @@ $metadata = array(
);
-?>
+?>
\ No newline at end of file
diff --git a/templates/consent.php b/templates/consent.php
new file mode 100644
index 0000000000000000000000000000000000000000..21353e28fff71c912f7b6af6d8b1a72dc228b8f1
--- /dev/null
+++ b/templates/consent.php
@@ -0,0 +1,95 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+<title><?php echo $data['header']; ?></title>
+
+<style type="text/css">
+
+/* these styles are in the head of this page because this is a unique page */
+
+/* THE BIG GUYS */
+* {margin:0;padding:0}
+body {text-align:center;padding: 20px 0;background: #222;color:#333;font:83%/1.5 arial,tahoma,verdana,sans-serif}
+img {border:none;display:block}
+hr {margin: 1em 0;background:#eee;height:1px;color:#eee;border:none;clear:both}
+
+/* LINKS */
+a,a:link,a:link,a:link,a:hover {font-weight:bold;background:transparent;text-decoration:underline;cursor:pointer}
+a:link {color:#c00}
+a:visited {color:#999}
+a:hover,a:active {color:#069}
+
+/* LISTS */
+ul {margin: .3em 0 1.5em 2em}
+ ul.related {margin-top:-1em}
+li {margin-left:2em}
+dt {font-weight:bold}
+#wrap {border: 1px solid #fff;position:relative;background:#fff;width:600px;margin: 0 auto;text-align:left}
+#header {background: #666 url("/<?php echo $data['baseurlpath']; ?>resources/sprites.gif") repeat-x 0 100%;margin: 0 0 25px;padding: 0 0 8px}
+#header h1 {color:#fff;font-size: 145%;padding:20px 20px 12px}
+#poweredby {width:96px;height:63px;position:absolute;top:0;right:0}
+#content {padding: 0 20px}
+
+/* TYPOGRAPHY */
+p, ul, ol {margin: 0 0 1.5em}
+h1, h2, h3, h4, h5, h6 {letter-spacing: -1px;font-family: arial,verdana,sans-serif;margin: 1.2em 0 .3em;color:#000;border-bottom: 1px solid #eee;padding-bottom: .1em}
+h1 {font-size: 196%;margin-top:0;border:none}
+h2 {font-size: 136%}
+h3 {font-size: 126%}
+h4 {font-size: 116%}
+h5 {font-size: 106%}
+h6 {font-size: 96%}
+
+.old {text-decoration:line-through}
+</style>
+</head>
+<body>
+
+<div id="wrap">
+
+ <div id="header">
+ <h1>User consent on attribute release</h1>
+ <div id="poweredby"><img src="/<?php echo $data['baseurlpath']; ?>resources/icons/bino.png" alt="Bino" /></div>
+ </div>
+
+ <div id="content">
+
+ <p>You are about to login to the service <strong><?php echo $data['spentityid']; ?></strong>. In the login proccess, the identity provider will send attributes containing information about your identity to this service. Do you accept this?</p>
+
+ <p><a href="<?php echo $data['consenturl']; ?>"><strong>Yes</strong>, I accept that attributes are sent to this service</a></p>
+
+ <p style="font-size: x-small">[ <a href="">Show attributes that are sent</a> ]</p>
+ <table style="font-size: x-small">
+<?php
+
+
+ $attributes = $data['attributes'];
+ foreach ($attributes AS $name => $value) {
+ if (sizeof($value) > 1) {
+ echo '<tr><td>' . $name . '</td><td><ul>';
+ foreach ($value AS $v) {
+ echo '<li>' . $v . '</li>';
+ }
+ echo '</ul></td></tr>';
+ } else {
+ echo '<tr><td>' . $name . '</td><td>' . $value[0] . '</td></tr>';
+ }
+ }
+
+?>
+ </table>
+
+
+ <hr />
+
+ Copyright © 2007 <a href="http://rnd.feide.no/">Feide RnD</a>
+
+ <hr />
+
+ </div>
+
+</div>
+
+</body>
+</html>
diff --git a/www/saml2/idp/SSOService.php b/www/saml2/idp/SSOService.php
index 4d744c4facdd3d6459f9aafd98be03673a3c13f3..cb48d260037c85b616795f3845d6c16a12afe70e 100644
--- a/www/saml2/idp/SSOService.php
+++ b/www/saml2/idp/SSOService.php
@@ -105,10 +105,33 @@ if (!$session->isAuthenticated() ) {
try {
- $session->add_sp_session($authnrequest->getIssuer());
+
+ $spentityid = $authnrequest->getIssuer();
+ //$spmetadata = $metadata->getMetaData($spentityid, 'saml20-sp-remote');
+
+
+
+ if ($idpmeta['requireconsent']) {
+
+ if (!isset($_GET['consent'])) {
+
+ $t = new SimpleSAML_XHTML_Template($config, 'consent.php');
+ $t->data['header'] = 'Consent';
+ $t->data['spentityid'] = $spentityid;
+ $t->data['attributes'] = $session->getAttributes();
+ $t->data['consenturl'] = SimpleSAML_Utilities::addURLparameter(SimpleSAML_Utilities::selfURL(), 'consent=1');
+ $t->show();
+ exit(0);
+
+ }
+
+ }
+
+
+ $session->add_sp_session($spentityid);
$ar = new SimpleSAML_XML_SAML20_AuthnResponse($config, $metadata);
- $authnResponseXML = $ar->generate($idpentityid, $authnrequest->getIssuer(),
+ $authnResponseXML = $ar->generate($idpentityid, $spentityid,
$requestid, null, $session->getAttributes());
#echo $authnResponseXML;