diff --git a/docs/source/simplesamlphp-advancedfeatures.xml b/docs/source/simplesamlphp-advancedfeatures.xml index 4e19ed4d51737952fa798cfb2ace6557b28f546f..055f660774e279ccea55f478e95526d2285bdaef 100644 --- a/docs/source/simplesamlphp-advancedfeatures.xml +++ b/docs/source/simplesamlphp-advancedfeatures.xml @@ -7,7 +7,35 @@ <section> <title>Bridging between protocols</title> - <para>To setup a bridge between two protocols, you need to </para> + <para>To setup a bridge between two protocols, you need to would need to + setup an installation with both an IdP and an SP, and then connect them + together. If you want to setup a bridge that allows a SAML 2.0 SP talk to + a Shibboleth IdP, you would need to setup a simpleSAMLphp bridge and + configure a SAML 2.0 IdP and a Shibboleth SP. Next you configure the SAML + 2.0 IdP to use the Shibboleth 1.3 SP for authentication. This is + configured in the IdP hosted metadata, and is controlled by the auth and + the authority parameters.</para> + + <example> + <title>Example of bridge configuration</title> + + <para>A bridge with a configured SAML 2.0 IdP and a Shibboleth 1.3 SP: + in the saml20-idp-hosted.php metadata you configure the authentication + to use Shibboleth 1.3 SP like this:</para> + + <programlisting>'auth' => 'shib13/sp/initSSO.php', +'authority' => 'shib13' +</programlisting> + + <para>As no specific Shibboleth IdP is specified to the initSSO.php + script, the discovery service page will be shown. If you want to connect + the SAML 2.0 IdP to a specific Shibboleth 1.3 IdP, specify the entity id + as a parameter to the initSSO script.</para> + + <programlisting>'auth' => 'shib13/sp/initSSO.php?idpentityid=shib13idp.example.org', +'authority' => 'shib13' +</programlisting> + </example> </section> <section> @@ -31,6 +59,25 @@ <title>Attribute alter functions</title> <para></para> + + <example> + <title>Example of alter script</title> + + <para>This example injects a realm attribute that is generated from + the eduPersonPrincipalName.</para> + + <programlisting>function attributealter_realm(&$attributes, $spentityid = null, $idpentityid = null) { + + if (array_key_exists('eduPersonPrincipalName', $attributes)) { + $eduppn = $attributes['eduPersonPrincipalName'][0]; + $splitted = explode('@', $eduppn); + if (count($splitted) > 1) { + $attributes['realm'] = array($splitted[1]); + } + } + +}</programlisting> + </example> </section> </section> </article> \ No newline at end of file diff --git a/docs/source/simplesamlphp-maintenance.xml b/docs/source/simplesamlphp-maintenance.xml index a26e7ee38f03999715b1b3349a4a60a7fea89d0a..1b1cb9b9fa540e87c12d85fa5aff76a891087955 100644 --- a/docs/source/simplesamlphp-maintenance.xml +++ b/docs/source/simplesamlphp-maintenance.xml @@ -7,7 +7,7 @@ <articleinfo> <date>2007-08-30</date> - <pubdate>Wed Dec 19 12:03:53 2007</pubdate> + <pubdate>Wed Feb 13 10:16:12 2008</pubdate> <author> <firstname>Andreas Ă…kre</firstname> @@ -19,14 +19,125 @@ </articleinfo> <section> - <title>Session management </title> + <title>Session management</title> <para>simpleSAMLphp has an abstraction layer for session management. That means it is possible to choose between different kind of session stores, as well as write new session store plugins.</para> <para>The current version of simpleSAMLphp includes two plugins for - session management. </para> + session management:</para> + + <itemizedlist> + <listitem> + <para>PHPSESSION is using the built in session management in PHP. This + is the default, and is simplest to use. But it will not work in a + load-balanced environement.</para> + </listitem> + + <listitem> + <para>memcache is using the memcache software to cache sessions in + memory. Sessions can be distributed and replicated among several + memcache servers, enabling both load-balancing and fail-over.</para> + </listitem> + </itemizedlist> + + <section> + <title>Configuring memcache</title> + + <para>From config.php</para> + + <programlisting> + /* + * This configuration option allows you to select which session handler + * SimpleSAMLPHP should use to store the session information. Currently + * we have two session handlers: + * - 'phpsession': The default PHP session handler. + * - 'memcache': Stores the session information in one or more + * memcache servers by using the MemcacheStore class. + * + * The default session handler is 'phpsession'. + */ + 'session.handler' => 'phpsession', + + + /* + * Configuration for the MemcacheStore class. This allows you to store + * multiple redudant copies of sessions on different memcache servers. + * + * 'memcache_store.servers' is an array of server groups. Every data + * item will be mirrored in every server group. + * + * Each server group is an array of servers. The data items will be + * load-balanced between all servers in each server group. + * + * Each server is an array of parameters for the server. The following + * options are available: + * - 'hostname': This is the hostname or ip address where the + * memcache server runs. This is the only required option. + * - 'port': This is the port number of the memcache server. If this + * option isn't set, then we will use the 'memcache.default_port' + * ini setting. This is 11211 by default. + * - 'weight': This sets the weight of this server in this server + * group. http://php.net/manual/en/function.Memcache-addServer.php + * contains more information about the weight option. + * - 'timeout': The timeout for this server. By default, the timeout + * is 3 seconds. + * + * Example of redudant configuration with load balancing: + * This configuration makes it possible to lose both servers in the + * a-group or both servers in the b-group without losing any sessions. + * Note that sessions will be lost if one server is lost from both the + * a-group and the b-group. + * + * 'memcache_store.servers' => array( + * array( + * array('hostname' => 'mc_a1'), + * array('hostname' => 'mc_a2'), + * ), + * array( + * array('hostname' => 'mc_b1'), + * array('hostname' => 'mc_b2'), + * ), + * ), + * + * Example of simple configuration with only one memcache server, + * running on the same computer as the web server: + * Note that all sessions will be lost if the memcache server crashes. + * + * 'memcache_store.servers' => array( + * array( + * array('hostname' => 'localhost'), + * ), + * ), + * + */ + 'memcache_store.servers' => array( + array( + array('hostname' => 'localhost'), + ), + ), + + + /* + * This value is the duration data should be stored in memcache. Data + * will be dropped from the memcache servers when this time expires. + * The time will be reset every time the data is written to the + * memcache servers. + * + * This value should always be larger than the 'session.duration' + * option. Not doing this may result in the session being deleted from + * the memcache servers while it is still in use. + * + * Set this value to 0 if you don't want data to expire. + * + * Note: The oldest data will always be deleted if the memcache server + * runs out of storage space. + */ + 'memcache_store.expires' => 36 * (60*60), // 36 hours. + +</programlisting> + </section> </section> <section> @@ -38,24 +149,96 @@ <section> <title>Logging and statistics</title> + <para>Supports standard syslog logging. Also possible to configure + flatfile logging.</para> + </section> + + <section> + <title>Apache configuration</title> + <para></para> </section> + <section> + <title>PHP configuration</title> + + <para>Secure cookies.</para> + </section> + + <section> + <title>Getting ready for production</title> + + <para>Here are some steps that should be checked </para> + + <itemizedlist> + <listitem> + <para>Remove all entities in metadata files that you do not trust. It + is easy to forget about some of the entities that were used for + test.</para> + </listitem> + + <listitem> + <para>Switch signing certificate if you have used one for test phase + that have been exposed.</para> + </listitem> + + <listitem> + <para>Make sure you have the latest security upgrades on your OS, and + </para> + </listitem> + + <listitem> + <para>Make sure you run on HTTPS and not HTTP.</para> + </listitem> + + <listitem> + <para>Block access to your servers anything except port 443. + simpleSAMLphp does not do anything but plan HTTP(s), so no need to + open ports for SOAP or other communication.</para> + </listitem> + </itemizedlist> + </section> + <section> <title>Error handling, error reporting and metadata reporting</title> - <para></para> + <para>Check out the extras folder for a script that can be embedded in a + webpage and enable the possibility of sending UI errors to the + administrators.</para> </section> <section> <title>Multi-language support</title> - <para></para> + <para>Localization files in <filename>dictionaries/</filename>. In + addition some text is stored in the XHTML templates, so you may copy the + <filename>en</filename> directory to in example <filename>no</filename> + directory to do a norwegian translation.</para> </section> <section> <title>Customizing the web frontend</title> - <para></para> + <para>All XHTML templates are stored in the simplesamlphp/templates + directory. They are stored in a two level hierarchy; first the theme name, + and then the language code. </para> + + <example> + <title>Example of organization of themes</title> + + <para>An example of a directory structure:</para> + + <literallayout>templates/default/en +templates/default/no +templates/dkaaitheme/en +templates/dkaaitheme/dk +</literallayout> + </example> + + <para>Which theme to use is specified in the + <filename>config.php</filename> file, where the metadata dir is specified. + To use the dkaaitheme as illustrated in the above example, set the value + of <literal>templatedir</literal> to + <filename>templates/dkaaitheme/</filename>.</para> </section> </article> \ No newline at end of file diff --git a/docs/source/simplesamlphp-sp.xml b/docs/source/simplesamlphp-sp.xml index 13a504ca7cafc3a6a0f697f7c170ece12ca8abdd..fc578b10ca129b98b5ef2afdd39401b23c48a62d 100644 --- a/docs/source/simplesamlphp-sp.xml +++ b/docs/source/simplesamlphp-sp.xml @@ -7,7 +7,7 @@ <articleinfo> <date>2007-10-15</date> - <pubdate>Wed Feb 13 07:57:11 2008</pubdate> + <pubdate>Fri Feb 1 08:44:40 2008</pubdate> <author> <firstname>Andreas Ă…kre</firstname> @@ -53,9 +53,16 @@ the IdP of what entity ID you should use.</para> <note> - <para>Feide has special rules for setting entity IDs, so if you want - to connect to Feide, contact them and ask what entity ID you should - use.</para> + <para>Feide has special rules for setting entity IDs. These rules and + instructions on how to select an entity ID to use in Feide is + documented in this document:</para> + + <itemizedlist> + <listitem> + <para><ulink url="http://docs.feide.no/fs-0051-1.0-en.html">Feide + entity names (in norwegian)</ulink></para> + </listitem> + </itemizedlist> </note> <example> @@ -297,6 +304,18 @@ </warning></para> </glossdef> </glossentry> + + <glossentry> + <glossterm>SPNameQualifier</glossterm> + + <glossdef> + <para>This corresponds to the SPNameQualifier in the SAML 2.0 + specification. It allows to give subjects a SP specific + namespace. This value is seldom used, so if you don't need it, + do not include it. If you do not include it, simpleSAMLphp will + include the entityID of your SP as the SPNameQualifier.</para> + </glossdef> + </glossentry> </glosslist> </section>