Commit b34ad16b authored by Tim van Dijen's avatar Tim van Dijen
Update docs

parent f5e8e426
......@@ -154,13 +154,19 @@ In the `saml20-sp-remote.php` file we will configure an entry for Google Workspa
* This example shows an example config that works with Google Workspace (G Suite / Google Apps) for education.
* What is important is that you have an attribute in your IdP that maps to the local part of the email address
* at Google Workspace. E.g. if your google account is foo.com, and you have a user with email john@foo.com, then you
* must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the value of 'john'.
* must properly configure the saml:AttributeNameID authproc-filter with the name of an attribute that for this user has the value of 'john'.
*/
$metadata['https://www.google.com/a/g.feide.no'] => [
'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
'simplesaml.nameidattribute' => 'uid',
'simplesaml.attributes' => false
'simplesaml.attributes' => false,
'authproc' => [
1 => [
'saml:AttributeNameID',
'attribute' => 'uid',
'format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
],
],
];
You must also map some attributes received from the authentication module into email field sent to Google Workspace. In this example, the `uid` attribute is set. When you later configure the IdP to connect to a LDAP directory or some other authentication source, make sure that the `uid` attribute is set properly, or you can configure another attribute to use here. The `uid` attribute contains the local part of the user name.
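Review bot: the example still carries `'simplesaml.nameidattribute' => 'uid'` even though this commit replaces that mechanism with the `saml:AttributeNameID` authproc filter (and the second hunk of this commit drops the option from the reference list), so a reader copying this block ends up with both the old and the new setting; drop the `simplesaml.nameidattribute` line here, as the third hunk already does for the same example. Two pre-existing problems in the untouched context also deserve a fix while this block is being edited: `$metadata['https://www.google.com/a/g.feide.no'] => [` uses `=>` where an assignment needs `=`, which is a PHP syntax error, and "into email field" should read "into the email field". Finally, double-check the option keys of the new filter entry against the `saml:AttributeNameID` documentation this page links to (the `NameID` processing filters page): the option that selects the format is documented there with a capitalised key (`Format`), and authproc option names are case-sensitive, so a lowercase `format` would leave the filter without a NameID format.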
......
......@@ -238,19 +238,6 @@ The following options can be set:
: Note that this option also exists in the IdP-hosted metadata.
The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
`simplesaml.nameidattribute`
: When the value of the `NameIDFormat`-option is set to either
`email` or `persistent`, this is the name of the attribute which
should be used as the value of the `NameID`. The attribute must
be in the set of attributes exported to the SP (that is, be in
the `attributes` array). For more advanced control over `NameID`,
including the ability to specify any attribute regardless of
the set sent to the SP, see the [NameID processing filters](./saml:nameid).
Note that the value of the attribute is collected **after** authproc-filters have run.
: Typical values can be `mail` for when using the `email` format,
and `eduPersonTargetedID` when using the `persistent` format.
`simplesaml.attributes`
: Whether the SP should receive any attributes from the IdP. The
default value is `TRUE`.
......
......@@ -18,13 +18,19 @@ $metadata['https://saml2sp.example.org'] = [
* This example shows an example config that works with Google Workspace (G Suite / Google Apps) for education.
* What is important is that you have an attribute in your IdP that maps to the local part of the email address at
* Google Workspace. In example, if your Google account is foo.com, and you have a user that has an email john@foo.com,
* then you must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the
* value of 'john'.
* then you must properly configure the saml:AttributeNameID authproc-filter with the name of an attribute that for
* this user has the value of 'john'.
*/
$metadata['google.com'] = [
'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
'simplesaml.nameidattribute' => 'uid',
'authproc' => [
1 => [
'saml:AttributeNameID',
'attribute' => 'uid',
'format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
],
],
'simplesaml.attributes' => false,
];
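Review bot: this hunk removes `simplesaml.nameidattribute` and adds the filter, which is the consistent form; the first hunk of this commit edits the same example in the other document but keeps the old option, so the two examples now disagree and one of them should be aligned. The entity ID also differs between the two copies (`google.com` here, `https://www.google.com/a/g.feide.no` in the other file) while both point at the same `g.feide.no` AssertionConsumerService; since the array key is what the IdP matches against the SP's entityID, pick one value and use it in both places. Minor wording in the comment header: "In example, if your Google account is foo.com" should read "For example, if your Google domain is foo.com".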
......