diff --git a/docs/simplesamlphp-reference-idp-hosted.md b/docs/simplesamlphp-reference-idp-hosted.md
index a0cf7db5c3aafe1bc9bcb7f78ddc003936d66057..a35e512d2434df6b41deef9ce9299381009fef96 100644
--- a/docs/simplesamlphp-reference-idp-hosted.md
+++ b/docs/simplesamlphp-reference-idp-hosted.md
@@ -249,12 +249,6 @@ The following SAML 2.0 options are available:
: Allows to specify information about the registrar of this SP. Please refer to the
[MDRPI extension](./simplesamlphp-metadata-extensions-rpi) document for further information.
-`saml20.sendartifact`
-: Set to `TRUE` to enable the IdP to send responses with the HTTP-Artifact binding.
- Defaults to `FALSE`.
-
-: Note that this requires a configured memcache server.
-
`saml20.ecp`
: Set to `true` to enable the IdP to recieve authnrequests and send responses according the Enhanced Client or Proxy (ECP) Profile. Note: authentication filters that require interaction with the user will not work with ECP.
Defaults to `false`.
@@ -263,22 +257,39 @@ The following SAML 2.0 options are available:
: Set to `TRUE` to enable the IdP to send responses according the [Holder-of-Key Web Browser SSO Profile](./simplesamlphp-hok-idp).
Defaults to `FALSE`.
-`saml20.sign.response`
-: Whether `<samlp:Response>` messages should be signed.
+`saml20.sendartifact`
+: Set to `TRUE` to enable the IdP to send responses with the HTTP-Artifact binding.
+ Defaults to `FALSE`.
+
+: Note that this requires a configured memcache server.
+
+`saml20.sign.assertion`
+: Whether `<saml:Assertion>` elements should be signed.
Defaults to `TRUE`.
: Note that this option also exists in the SP-remote metadata, and
any value in the SP-remote metadata overrides the one configured
in the IdP metadata.
-`saml20.sign.assertion`
-: Whether `<saml:Assertion>` elements should be signed.
+`saml20.sign.response`
+: Whether `<samlp:Response>` messages should be signed.
Defaults to `TRUE`.
: Note that this option also exists in the SP-remote metadata, and
any value in the SP-remote metadata overrides the one configured
in the IdP metadata.
+`signature.algorithm`
+: The algorithm to use when signing any message generated by this identity provider. Defaults to RSA-SHA256.
+: Possible values:
+
+ * `http://www.w3.org/2000/09/xmldsig#rsa-sha1`
+ *Note*: the use of SHA1 is **deprecated** and will be disallowed in the future.
+ * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`
+ The default.
+ * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384`
+ * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512`
+
`sign.logout`
: Whether to sign logout messages sent from this IdP.
@@ -328,17 +339,6 @@ The following SAML 2.0 options are available:
specified will be kept in the metadata, making the first binding
the default one.
-`signature.algorithm`
-: The algorithm to use when signing any message generated by this identity provider. Defaults to RSA-SHA256.
-: Possible values:
-
- * `http://www.w3.org/2000/09/xmldsig#rsa-sha1`
- *Note*: the use of SHA1 is **deprecated** and will be disallowed in the future.
- * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`
- The default.
- * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384`
- * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512`
-
`validate.authnrequest`
: Whether we require signatures on authentication requests sent to this IdP.
diff --git a/docs/simplesamlphp-reference-idp-remote.md b/docs/simplesamlphp-reference-idp-remote.md
index dc96af4e73532cc60682b61f5ea0194042423504..95b4eda3e9d0b049267cf551a5d9b04f32986a60 100644
--- a/docs/simplesamlphp-reference-idp-remote.md
+++ b/docs/simplesamlphp-reference-idp-remote.md
@@ -44,6 +44,18 @@ The following options are common between both the SAML 2.0 protocol and Shibbole
`icon`
: A logo which will be shown next to this IdP in the discovery service.
+`name`
+: The name of this IdP. Will be used by various modules when they need to show a name of the SP to the user.
+
+: If this option is unset, the organization name will be used instead (if it is available).
+
+: This option can be translated into multiple languages by specifying the value as an array of language-code to translated name:
+
+ 'name' => [
+ 'en' => 'A service',
+ 'no' => 'En tjeneste',
+ ],
+
`OrganizationName`
: The name of the organization responsible for this SPP.
This name does not need to be suitable for display to end users.
@@ -73,18 +85,6 @@ The following options are common between both the SAML 2.0 protocol and Shibbole
: *Note*: If you specify this option, you must also specify the `OrganizationName` option.
-`name`
-: The name of this IdP. Will be used by various modules when they need to show a name of the SP to the user.
-
-: If this option is unset, the organization name will be used instead (if it is available).
-
-: This option can be translated into multiple languages by specifying the value as an array of language-code to translated name:
-
- 'name' => [
- 'en' => 'A service',
- 'no' => 'En tjeneste',
- ],
-
`scope`
: An array with scopes valid for this IdP.
The IdP will send scopes in scoped attributes, that is, attributes containing a value with an `@` sign and a domain name
@@ -169,6 +169,19 @@ The following SAML 2.0 options are available:
: For compatibility purposes, `null` is equivalent to Transient and a format
can be defined as a string instead of an array. These variants are deprecated.
+`signature.algorithm`
+: The algorithm to use when signing any message sent to this specific identity provider. Defaults to RSA-SHA256.
+: Note that this option also exists in the SP configuration.
+ This value in the IdP remote metadata overrides the value in the SP configuration.
+: Possible values:
+
+ * `http://www.w3.org/2000/09/xmldsig#rsa-sha1`
+ *Note*: the use of SHA1 is **deprecated** and will be disallowed in the future.
+ * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`
+ The default.
+ * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384`
+ * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512`
+
`sign.authnrequest`
: Whether to sign authentication requests sent to this IdP.
@@ -189,19 +202,6 @@ The following SAML 2.0 options are available:
`SingleLogoutServiceResponse`
: Endpoint URL for logout responses. Overrides the `SingleLogoutService`-option for responses.
-`signature.algorithm`
-: The algorithm to use when signing any message sent to this specific identity provider. Defaults to RSA-SHA256.
-: Note that this option also exists in the SP configuration.
- This value in the IdP remote metadata overrides the value in the SP configuration.
-: Possible values:
-
- * `http://www.w3.org/2000/09/xmldsig#rsa-sha1`
- *Note*: the use of SHA1 is **deprecated** and will be disallowed in the future.
- * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`
- The default.
- * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384`
- * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512`
-
`SPNameQualifier`
: This corresponds to the SPNameQualifier in the SAML 2.0 specification. It allows to give subjects a SP specific namespace. This option is rarely used, so if you don't need it, leave it out. When left out, SimpleSAMLphp assumes the entityID of your SP as the SPNameQualifier.
diff --git a/docs/simplesamlphp-reference-sp-remote.md b/docs/simplesamlphp-reference-sp-remote.md
index 96a01825ac2b949594fb55061f90f419aa22da18..8fb93248573554f6493fe4b94b1a7d878accc34e 100644
--- a/docs/simplesamlphp-reference-sp-remote.md
+++ b/docs/simplesamlphp-reference-sp-remote.md
@@ -119,6 +119,21 @@ The following SAML 2.0 options are available:
: The value of this option is specified in one of several [endpoint formats](./simplesamlphp-metadata-endpoints).
+`attributeencodings`
+: What encoding should be used for the different attributes. This is
+ an array which maps attribute names to attribute encodings. There
+ are three different encodings:
+
+: - `string`: Will include the attribute as a normal string. This is
+ the default.
+
+: - `base64`: Store the attribute as a base64 encoded string. This
+ is the default when the `base64attributes`-option is set to
+ `TRUE`.
+
+: - `raw`: Store the attribute without any modifications. This
+ makes it possible to include raw XML in the response.
+
`attributes.NameFormat`
: What value will be set in the Format field of attribute
statements. This parameter can be configured multiple places, and
@@ -151,6 +166,16 @@ The following SAML 2.0 options are available:
: (This option was previously named `AttributeNameFormat`.)
+`certData`
+: The base64 encoded certificate for this SP. This is an alternative to storing the certificate in a file on disk and specifying the filename in the `certificate`-option.
+
+`certificate`
+: Name of certificate file for this SP. The certificate is used to
+ verify the signature of messages received from the SP (if
+ `redirect.validate`is set to `TRUE`), and to encrypting assertions
+ (if `assertion.encryption` is set to TRUE and `sharedkey` is
+ unset.)
+
`encryption.blacklisted-algorithms`
: Blacklisted encryption algorithms. This is an array containing the algorithm identifiers.
@@ -193,33 +218,6 @@ The following SAML 2.0 options are available:
entry in the SP-remote metadata overrides the option in the
[IdP-hosted metadata](./simplesamlphp-reference-idp-hosted).
-`SingleLogoutService`
-: The URL of the SingleLogoutService endpoint for this SP.
- This option is required if you want to implement single logout for
- this SP. If the option isn't specified, this SP will not be logged
- out automatically when a single logout operation is initialized.
-
-: The value of this option is specified in one of several [endpoint formats](./simplesamlphp-metadata-endpoints).
-
-`SingleLogoutServiceResponse`
-: The URL logout responses to this SP should be sent. If this option
- is unspecified, the `SingleLogoutService` endpoint will be used as
- the recipient of logout responses.
-
-`SPNameQualifier`
-: SP NameQualifier for this SP. If not set, the IdP will set the
- SPNameQualifier to be the SP entity ID.
-
-`certData`
-: The base64 encoded certificate for this SP. This is an alternative to storing the certificate in a file on disk and specifying the filename in the `certificate`-option.
-
-`certificate`
-: Name of certificate file for this SP. The certificate is used to
- verify the signature of messages received from the SP (if
- `redirect.validate`is set to `TRUE`), and to encrypting assertions
- (if `assertion.encryption` is set to TRUE and `sharedkey` is
- unset.)
-
`saml20.sign.response`
: Whether `<samlp:Response>` messages should be signed.
Defaults to `TRUE`.
@@ -259,6 +257,12 @@ The following SAML 2.0 options are available:
: Certificate file included by IdP for KeyInfo within the signature for the SP, in PEM format. The filename is relative to the cert/-directory.
: If `signature.privatekey` is present and `signature.certificate` is left blank, X509Certificate will not be included with the signature.
+`sign.logout`
+: Whether to sign logout messages sent to this SP.
+
+: Note that this option also exists in the IdP-hosted metadata.
+ The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
+
`simplesaml.nameidattribute`
: When the value of the `NameIDFormat`-option is set to either
`email` or `persistent`, this is the name of the attribute which
@@ -276,26 +280,22 @@ The following SAML 2.0 options are available:
: Whether the SP should receive any attributes from the IdP. The
default value is `TRUE`.
-`attributeencodings`
-: What encoding should be used for the different attributes. This is
- an array which maps attribute names to attribute encodings. There
- are three different encodings:
-
-: - `string`: Will include the attribute as a normal string. This is
- the default.
-
-: - `base64`: Store the attribute as a base64 encoded string. This
- is the default when the `base64attributes`-option is set to
- `TRUE`.
+`SingleLogoutService`
+: The URL of the SingleLogoutService endpoint for this SP.
+ This option is required if you want to implement single logout for
+ this SP. If the option isn't specified, this SP will not be logged
+ out automatically when a single logout operation is initialized.
-: - `raw`: Store the attribute without any modifications. This
- makes it possible to include raw XML in the response.
+: The value of this option is specified in one of several [endpoint formats](./simplesamlphp-metadata-endpoints).
-`sign.logout`
-: Whether to sign logout messages sent to this SP.
+`SingleLogoutServiceResponse`
+: The URL logout responses to this SP should be sent. If this option
+ is unspecified, the `SingleLogoutService` endpoint will be used as
+ the recipient of logout responses.
-: Note that this option also exists in the IdP-hosted metadata.
- The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
+`SPNameQualifier`
+: SP NameQualifier for this SP. If not set, the IdP will set the
+ SPNameQualifier to be the SP entity ID.
`validate.authnrequest`
: Whether we require signatures on authentication requests sent from this SP.
@@ -383,6 +383,11 @@ Shibboleth 1.3 options
The following options for Shibboleth 1.3 SP's are avaiblable:
+`audience`
+: The value which should be given in the `<Audience>`-element in the
+ `<AudienceRestrictionCondition>`-element in the response. The
+ default value is the entity ID of the SP.
+
`AssertionConsumerService`
: The URL of the AssertionConsumerService endpoint for this SP.
This endpoint must accept the SAML responses encoded with the
@@ -397,11 +402,6 @@ The following options for Shibboleth 1.3 SP's are avaiblable:
`<NameIdentifier>`-element should be. The default value is the
entity ID of the SP.
-`audience`
-: The value which should be given in the `<Audience>`-element in the
- `<AudienceRestrictionCondition>`-element in the response. The
- default value is the entity ID of the SP.
-
`scopedattributes`
: Array with names of attributes which should be scoped. Scoped
attributes will receive a `Scope`-attribute on the