From d457260a44e4b0eb52e19d10b4c3af1cc0376cfa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no> Date: Wed, 5 Mar 2008 14:42:39 +0000 Subject: [PATCH] Updating documentation about Google apps logout git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@358 44740490-163a-0410-bde0-09ae8108e29a --- docs/source/simplesamlphp-googleapps.xml | 56 ++++++++++++------------ 1 file changed, 27 insertions(+), 29 deletions(-) diff --git a/docs/source/simplesamlphp-googleapps.xml b/docs/source/simplesamlphp-googleapps.xml index c8194de57..fc210f2e2 100644 --- a/docs/source/simplesamlphp-googleapps.xml +++ b/docs/source/simplesamlphp-googleapps.xml @@ -8,7 +8,7 @@ <articleinfo> <date>2007-10-15</date> - <pubdate>Sun Oct 21 13:51:26 2007</pubdate> + <pubdate>Wed Mar 5 15:37:46 2008</pubdate> <author> <firstname>Andreas Ă…kre</firstname> @@ -160,9 +160,9 @@ An optional company name []:</screen> </listitem> <listitem> - <para><literal>auth.ldap.attributes</literal>: Search parameter to - LDAP. What attributes should be extracted? - <literal>objectclass=*</literal> gives you all.</para> + <para><literal>auth.ldap.attributes</literal>: A list of attributes + that will be retrieved from LDAP. Setting this option to + <literal>null</literal> will retrieve all attributes.</para> </listitem> </itemizedlist> </section> @@ -203,13 +203,9 @@ An optional company name []:</screen> 'privatekey' => 'googleappsidp.pem', 'certificate' => 'googleappsidp.crt', - /* If base64attributes is set to true, then all attributes will be base64 encoded. Make sure - * that you set the SP to have the same value for this. - */ - 'base64attributes' => false, - // Authentication plugin to use. login.php is the default one that uses LDAP. - 'auth' => 'auth/login.php' + 'auth' => 'auth/login.php', + 'authority' => 'login' )</programlisting> <para>Here are some details of each of the parameters:</para> 
@@ -254,22 +250,23 @@ An optional company name []:</screen> </glossentry> <glossentry> - <glossterm>base64attributes</glossterm> + <glossterm>auth</glossterm> <glossdef> - <para>Google Apps do not want us to base64encode any attributes, - so we set it to <literal>false</literal>.</para> + <para>Which authentication module to use? Default is: + <filename>auth/login.php</filename> which is the LDAP + authentication module. See the <xref linkend="sect.authmodule" /> + for more information on the authentication modules.</para> </glossdef> </glossentry> <glossentry> - <glossterm>auth</glossterm> + <glossterm>authority</glossterm> <glossdef> - <para>Which authentication module to use? Default is: - <filename>auth/login.php</filename> which is the LDAP - authentication module. See the <xref linkend="sect.authmodule" /> - for more information on the authentication modules.</para> + <para>This refer to the ID of the authentication module you are + using. Set this value if you only allow one authentication + module.</para> </glossdef> </glossentry> </glosslist> @@ -291,7 +288,6 @@ An optional company name []:</screen> 'google.com' => array( 'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs', 'spNameQualifier' => 'google.com', - 'ForceAuthn' => 'false', 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email', 'simplesaml.nameidattribute' => 'uid', 'simplesaml.attributes' => false @@ -300,7 +296,7 @@ An optional company name []:</screen> <para>You also need to map some attribute from the IdP into the email field sent to Google Apps. The attributes comes from the authentication module, and in this example we have an LDAP that returns the uid - attribute. The uid attribute contains the local part of </para> + attribute. The uid attribute contains the local part of</para> <para>What you need to do is modify the <literal>AssertionConsumerService</literal> to include your Google Apps 
@@ -346,8 +342,8 @@ An optional company name []:</screen> </figure> <para>Then, we start off by uploading a certificate, and we upload the - certificate we created in an earlier section, the googleappsidp.crt file: - </para> + certificate we created in an earlier section, the googleappsidp.crt + file:</para> <figure> <title>Uploading certificate</title> @@ -370,18 +366,20 @@ An optional company name []:</screen> <para>but use the hostname of your IdP server.</para> + <para>You will also need to configure the IdP initiated Single LogOut + endpoint of your server. This endpoint takes a RelayState parameter, which + is the URL to redirect the user to after successfull logout. Here is the + reccomended value:</para> + + <literallayout>http://dev2.andreas.feide.no/simplesaml/saml2/idp/initSLO.php?RelayState=/simplesaml/logout.html</literallayout> + <para>The Sign-out page or change password url can be static pages on your server.</para> - <warning> - <para>Single Logout functionality with SAML 2.0 in simpleSAMlphp and - Google Apps is not yet fully tested. We will do more testing about that, - and then include a detailed descrition in this document.</para> - </warning> - <para>The network mask, is which IP addresses that will be asked for SSO login. IP addresses that do not match this mask will be presented with the - normal Google Apps login page.</para> + normal Google Apps login page. I think you can leave this field empty to + enable authentication for all URLs.</para> <figure> <title>Fill out the remaining fields</title> -- GitLab
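
Review bot: In the @@ -160,9 +160,9 @@ hunk, the new text for auth.ldap.attributes says the option is "a list of attributes" but does not show what that list looks like, and it presents null (retrieve everything) without saying when that is appropriate. Since the Google Apps example later in this document only uses uid, suggest showing a short explicit list as the recommended setting and describing null as the fallback, so that readers do not pull every LDAP attribute into the session by default.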
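
Review bot: In the @@ -203,13 +209,9 @@ region of the listing (hunk @@ -203,13 +203,9 @@), the new 'authority' => 'login' line sits under the existing comment "// Authentication plugin to use. login.php is the default one that uses LDAP.", which only describes 'auth'. Suggest giving 'authority' its own one-line comment in the programlisting stating what the value 'login' identifies, so that a reader who copies the block and then changes 'auth' knows the second key has to change with it.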
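
Review bot: In the @@ -254,22 +250,23 @@ hunk, the new glossentry for authority does not tell the reader which ID belongs to which module or what happens when the key is left unset. "Set this value if you only allow one authentication module" reads as optional, yet the example listing sets it to 'login' without explanation. Suggest stating how the ID relates to auth/login.php and what the IdP does with a session from a different module, since that is the access-control effect of the option. Also "This refer to" should be "This refers to".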
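
Review bot: In the @@ -291,7 +288,6 @@ hunk, 'ForceAuthn' => 'false' is dropped from the google.com SP metadata example with no explanation; the commit subject only mentions logout, and the same commit also removes base64attributes from the IdP listing. Suggest either saying in the commit message why these options are no longer shown (unsupported, or the default is now sufficient) or splitting them into a separate change, so that users with the old lines in their metadata know whether they need to act.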
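
Review bot: In the @@ -300,7 +296,7 @@ hunk, the sentence "The uid attribute contains the local part of" is still incomplete after this change; only the trailing space before </para> was removed. Since this paragraph explains what ends up in the NameID sent to Google Apps, suggest finishing the sentence (what the uid is the local part of) while the line is being touched.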
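
Review bot: In the @@ -370,18 +366,20 @@ hunk, the recommended logout URL in the new literallayout uses http:// and a development hostname (dev2.andreas.feide.no), while the AssertionConsumerService example elsewhere in this file uses https. Suggest an https URL with a placeholder hostname, and repeating the "use the hostname of your IdP server" remark here. The text also says RelayState "is the URL to redirect the user to" but does not say whether initSLO.php accepts only local paths such as /simplesaml/logout.html or any absolute URL; that restriction should be documented. The same hunk deletes the warning that Single Logout is "not yet fully tested" without stating that the testing was done, and adds "I think you can leave this field empty to enable authentication for all URLs", which is a guess in reference documentation and says "URLs" where the field is a network mask of IP addresses; please verify the behaviour and state it plainly. Typos: "successfull", "reccomended".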