diff --git a/docs/simplesamlphp-reference-idp-hosted.md b/docs/simplesamlphp-reference-idp-hosted.md index a0cf7db5c3aafe1bc9bcb7f78ddc003936d66057..a35e512d2434df6b41deef9ce9299381009fef96 100644 --- a/docs/simplesamlphp-reference-idp-hosted.md +++ b/docs/simplesamlphp-reference-idp-hosted.md @@ -249,12 +249,6 @@ The following SAML 2.0 options are available: : Allows to specify information about the registrar of this SP. Please refer to the [MDRPI extension](./simplesamlphp-metadata-extensions-rpi) document for further information. -`saml20.sendartifact` -: Set to `TRUE` to enable the IdP to send responses with the HTTP-Artifact binding. - Defaults to `FALSE`. - -: Note that this requires a configured memcache server. - `saml20.ecp` : Set to `true` to enable the IdP to recieve authnrequests and send responses according the Enhanced Client or Proxy (ECP) Profile. Note: authentication filters that require interaction with the user will not work with ECP. Defaults to `false`. 
@@ -263,22 +257,39 @@ The following SAML 2.0 options are available: : Set to `TRUE` to enable the IdP to send responses according the [Holder-of-Key Web Browser SSO Profile](./simplesamlphp-hok-idp). Defaults to `FALSE`. -`saml20.sign.response` -: Whether `<samlp:Response>` messages should be signed. +`saml20.sendartifact` +: Set to `TRUE` to enable the IdP to send responses with the HTTP-Artifact binding. + Defaults to `FALSE`. + +: Note that this requires a configured memcache server. + +`saml20.sign.assertion` +: Whether `<saml:Assertion>` elements should be signed. Defaults to `TRUE`. : Note that this option also exists in the SP-remote metadata, and any value in the SP-remote metadata overrides the one configured in the IdP metadata. -`saml20.sign.assertion` -: Whether `<saml:Assertion>` elements should be signed. +`saml20.sign.response` +: Whether `<samlp:Response>` messages should be signed. Defaults to `TRUE`. : Note that this option also exists in the SP-remote metadata, and any value in the SP-remote metadata overrides the one configured in the IdP metadata. +`signature.algorithm` +: The algorithm to use when signing any message generated by this identity provider. Defaults to RSA-SHA256. +: Possible values: + + * `http://www.w3.org/2000/09/xmldsig#rsa-sha1` + *Note*: the use of SHA1 is **deprecated** and will be disallowed in the future. + * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` + The default. + * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384` + * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512` + `sign.logout` : Whether to sign logout messages sent from this IdP. 
@@ -328,17 +339,6 @@ The following SAML 2.0 options are available: specified will be kept in the metadata, making the first binding the default one. -`signature.algorithm` -: The algorithm to use when signing any message generated by this identity provider. Defaults to RSA-SHA256. -: Possible values: - - * `http://www.w3.org/2000/09/xmldsig#rsa-sha1` - *Note*: the use of SHA1 is **deprecated** and will be disallowed in the future. - * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` - The default. - * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384` - * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512` - `validate.authnrequest` : Whether we require signatures on authentication requests sent to this IdP. diff --git a/docs/simplesamlphp-reference-idp-remote.md b/docs/simplesamlphp-reference-idp-remote.md index dc96af4e73532cc60682b61f5ea0194042423504..95b4eda3e9d0b049267cf551a5d9b04f32986a60 100644 --- a/docs/simplesamlphp-reference-idp-remote.md +++ b/docs/simplesamlphp-reference-idp-remote.md @@ -44,6 +44,18 @@ The following options are common between both the SAML 2.0 protocol and Shibbole `icon` : A logo which will be shown next to this IdP in the discovery service. +`name` +: The name of this IdP. Will be used by various modules when they need to show a name of the SP to the user. + +: If this option is unset, the organization name will be used instead (if it is available). + +: This option can be translated into multiple languages by specifying the value as an array of language-code to translated name: + + 'name' => [ + 'en' => 'A service', + 'no' => 'En tjeneste', + ], + `OrganizationName` : The name of the organization responsible for this SPP. This name does not need to be suitable for display to end users. 
@@ -73,18 +85,6 @@ The following options are common between both the SAML 2.0 protocol and Shibbole : *Note*: If you specify this option, you must also specify the `OrganizationName` option. -`name` -: The name of this IdP. Will be used by various modules when they need to show a name of the SP to the user. - -: If this option is unset, the organization name will be used instead (if it is available). - -: This option can be translated into multiple languages by specifying the value as an array of language-code to translated name: - - 'name' => [ - 'en' => 'A service', - 'no' => 'En tjeneste', - ], - `scope` : An array with scopes valid for this IdP. The IdP will send scopes in scoped attributes, that is, attributes containing a value with an `@` sign and a domain name @@ -169,6 +169,19 @@ The following SAML 2.0 options are available: : For compatibility purposes, `null` is equivalent to Transient and a format can be defined as a string instead of an array. These variants are deprecated. +`signature.algorithm` +: The algorithm to use when signing any message sent to this specific identity provider. Defaults to RSA-SHA256. +: Note that this option also exists in the SP configuration. + This value in the IdP remote metadata overrides the value in the SP configuration. +: Possible values: + + * `http://www.w3.org/2000/09/xmldsig#rsa-sha1` + *Note*: the use of SHA1 is **deprecated** and will be disallowed in the future. + * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` + The default. + * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384` + * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512` + `sign.authnrequest` : Whether to sign authentication requests sent to this IdP. 
@@ -189,19 +202,6 @@ The following SAML 2.0 options are available: `SingleLogoutServiceResponse` : Endpoint URL for logout responses. Overrides the `SingleLogoutService`-option for responses. -`signature.algorithm` -: The algorithm to use when signing any message sent to this specific identity provider. Defaults to RSA-SHA256. -: Note that this option also exists in the SP configuration. - This value in the IdP remote metadata overrides the value in the SP configuration. -: Possible values: - - * `http://www.w3.org/2000/09/xmldsig#rsa-sha1` - *Note*: the use of SHA1 is **deprecated** and will be disallowed in the future. - * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` - The default. - * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384` - * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512` - `SPNameQualifier` : This corresponds to the SPNameQualifier in the SAML 2.0 specification. It allows to give subjects a SP specific namespace. This option is rarely used, so if you don't need it, leave it out. When left out, SimpleSAMLphp assumes the entityID of your SP as the SPNameQualifier. diff --git a/docs/simplesamlphp-reference-sp-remote.md b/docs/simplesamlphp-reference-sp-remote.md index 96a01825ac2b949594fb55061f90f419aa22da18..8fb93248573554f6493fe4b94b1a7d878accc34e 100644 --- a/docs/simplesamlphp-reference-sp-remote.md +++ b/docs/simplesamlphp-reference-sp-remote.md 
@@ -119,6 +119,21 @@ The following SAML 2.0 options are available: : The value of this option is specified in one of several [endpoint formats](./simplesamlphp-metadata-endpoints). +`attributeencodings` +: What encoding should be used for the different attributes. This is + an array which maps attribute names to attribute encodings. There + are three different encodings: + +: - `string`: Will include the attribute as a normal string. This is + the default. + +: - `base64`: Store the attribute as a base64 encoded string. This + is the default when the `base64attributes`-option is set to + `TRUE`. + +: - `raw`: Store the attribute without any modifications. This + makes it possible to include raw XML in the response. + `attributes.NameFormat` : What value will be set in the Format field of attribute statements. This parameter can be configured multiple places, and @@ -151,6 +166,16 @@ The following SAML 2.0 options are available: : (This option was previously named `AttributeNameFormat`.) +`certData` +: The base64 encoded certificate for this SP. This is an alternative to storing the certificate in a file on disk and specifying the filename in the `certificate`-option. + +`certificate` +: Name of certificate file for this SP. The certificate is used to + verify the signature of messages received from the SP (if + `redirect.validate`is set to `TRUE`), and to encrypting assertions + (if `assertion.encryption` is set to TRUE and `sharedkey` is + unset.) + `encryption.blacklisted-algorithms` : Blacklisted encryption algorithms. This is an array containing the algorithm identifiers. 
@@ -193,33 +218,6 @@ The following SAML 2.0 options are available: entry in the SP-remote metadata overrides the option in the [IdP-hosted metadata](./simplesamlphp-reference-idp-hosted). -`SingleLogoutService` -: The URL of the SingleLogoutService endpoint for this SP. - This option is required if you want to implement single logout for - this SP. If the option isn't specified, this SP will not be logged - out automatically when a single logout operation is initialized. - -: The value of this option is specified in one of several [endpoint formats](./simplesamlphp-metadata-endpoints). - -`SingleLogoutServiceResponse` -: The URL logout responses to this SP should be sent. If this option - is unspecified, the `SingleLogoutService` endpoint will be used as - the recipient of logout responses. - -`SPNameQualifier` -: SP NameQualifier for this SP. If not set, the IdP will set the - SPNameQualifier to be the SP entity ID. - -`certData` -: The base64 encoded certificate for this SP. This is an alternative to storing the certificate in a file on disk and specifying the filename in the `certificate`-option. - -`certificate` -: Name of certificate file for this SP. The certificate is used to - verify the signature of messages received from the SP (if - `redirect.validate`is set to `TRUE`), and to encrypting assertions - (if `assertion.encryption` is set to TRUE and `sharedkey` is - unset.) - `saml20.sign.response` : Whether `<samlp:Response>` messages should be signed. Defaults to `TRUE`. 
@@ -259,6 +257,12 @@ The following SAML 2.0 options are available: : Certificate file included by IdP for KeyInfo within the signature for the SP, in PEM format. The filename is relative to the cert/-directory. : If `signature.privatekey` is present and `signature.certificate` is left blank, X509Certificate will not be included with the signature. +`sign.logout` +: Whether to sign logout messages sent to this SP. + +: Note that this option also exists in the IdP-hosted metadata. + The value in the SP-remote metadata overrides the value in the IdP-hosted metadata. + `simplesaml.nameidattribute` : When the value of the `NameIDFormat`-option is set to either `email` or `persistent`, this is the name of the attribute which 
@@ -276,26 +280,22 @@ The following SAML 2.0 options are available: : Whether the SP should receive any attributes from the IdP. The default value is `TRUE`. -`attributeencodings` -: What encoding should be used for the different attributes. This is - an array which maps attribute names to attribute encodings. There - are three different encodings: - -: - `string`: Will include the attribute as a normal string. This is - the default. - -: - `base64`: Store the attribute as a base64 encoded string. This - is the default when the `base64attributes`-option is set to - `TRUE`. +`SingleLogoutService` +: The URL of the SingleLogoutService endpoint for this SP. + This option is required if you want to implement single logout for + this SP. If the option isn't specified, this SP will not be logged + out automatically when a single logout operation is initialized. -: - `raw`: Store the attribute without any modifications. This - makes it possible to include raw XML in the response. +: The value of this option is specified in one of several [endpoint formats](./simplesamlphp-metadata-endpoints). -`sign.logout` -: Whether to sign logout messages sent to this SP. +`SingleLogoutServiceResponse` +: The URL logout responses to this SP should be sent. If this option + is unspecified, the `SingleLogoutService` endpoint will be used as + the recipient of logout responses. -: Note that this option also exists in the IdP-hosted metadata. - The value in the SP-remote metadata overrides the value in the IdP-hosted metadata. +`SPNameQualifier` +: SP NameQualifier for this SP. If not set, the IdP will set the + SPNameQualifier to be the SP entity ID. `validate.authnrequest` : Whether we require signatures on authentication requests sent from this SP. 
@@ -383,6 +383,11 @@ Shibboleth 1.3 options The following options for Shibboleth 1.3 SP's are avaiblable: +`audience` +: The value which should be given in the `<Audience>`-element in the + `<AudienceRestrictionCondition>`-element in the response. The + default value is the entity ID of the SP. + `AssertionConsumerService` : The URL of the AssertionConsumerService endpoint for this SP. This endpoint must accept the SAML responses encoded with the @@ -397,11 +402,6 @@ The following options for Shibboleth 1.3 SP's are avaiblable: `<NameIdentifier>`-element should be. The default value is the entity ID of the SP. -`audience` -: The value which should be given in the `<Audience>`-element in the - `<AudienceRestrictionCondition>`-element in the response. The - default value is the entity ID of the SP. - `scopedattributes` : Array with names of attributes which should be scoped. Scoped attributes will receive a `Scope`-attribute on the
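Review bot: In the `docs/simplesamlphp-reference-idp-hosted.md` hunk at `@@ -263,22 +257,39 @@`, the relocated `saml20.sendartifact` entry uses `TRUE`/`FALSE` while the neighbouring `saml20.ecp` entry it now sits beside uses `true`/`false`; since the block is being moved anyway, normalise it to one spelling (`true`/`false` matches the entry directly above it). The moved `signature.algorithm` block, including its "the use of SHA1 is **deprecated**" note, is carried over unchanged, which is fine for a reorder.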
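Review bot: In the `docs/simplesamlphp-reference-idp-remote.md` hunk at `@@ -44,6 +44,18 @@`, the relocated `name` entry still reads "when they need to show a name of the SP to the user", but this file documents remote IdPs, so the sentence should say "a name of the IdP" (the first sentence of the same entry already calls it "The name of this IdP"). The context line `OrganizationName` just below it also has "responsible for this SPP", which reads as a typo for "SP"; worth fixing in the same change.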
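Review bot: In the `docs/simplesamlphp-reference-sp-remote.md` hunk at `@@ -151,6 +166,16 @@`, the moved `certificate` entry carries over three small defects that could be fixed while the text is being touched: "`redirect.validate`is set" is missing a space before "is", "to encrypting assertions" should read "to encrypt assertions", and "set to TRUE" is the only boolean in the entry not wrapped in backticks (the same entry writes `TRUE` two lines earlier).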
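Review bot: In the `docs/simplesamlphp-reference-sp-remote.md` hunk at `@@ -259,6 +257,12 @@`, the relocated `sign.logout` entry documents the override relationship with the IdP-hosted metadata but states no default, whereas the adjacent `saml20.sign.response` entry in this file ends with "Defaults to `TRUE`". Since a signing option without a documented default is easy to misconfigure, add a "Defaults to ..." line matching whatever the code actually uses.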
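Review bot: In the `docs/simplesamlphp-reference-sp-remote.md` hunk at `@@ -383,6 +383,11 @@`, `audience` is inserted before `AssertionConsumerService`, which breaks the case-insensitive alphabetical order the rest of this patch applies (`name` before `OrganizationName`, `certData` before `certificate`, `simplesaml.nameidattribute` before `SingleLogoutService`): "assertion" sorts before "audience". Move the `audience` block to just after the `AssertionConsumerService` entry instead.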