From d4d461bcf45400c7902238babe3ef61b4fa33110 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no>
Date: Sun, 30 Sep 2007 13:33:14 +0000
Subject: [PATCH] Simplified metadata! tidy up in metadata. Added support for
 sending metadata to feide.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@16 44740490-163a-0410-bde0-09ae8108e29a
---
 config/config-template.php                    |  6 +-
 lib/SimpleSAML/Bindings/SAML20/HTTPPost.php   |  4 +-
 .../Bindings/SAML20/HTTPRedirect.php          |  2 +-
 lib/SimpleSAML/Bindings/Shib13/HTTPPost.php   |  4 +-
 lib/SimpleSAML/Utilities.php                  | 19 ++++++
 lib/SimpleSAML/XHTML/Template.php             |  3 +-
 lib/SimpleSAML/XML/MetaDataStore.php          | 42 +++++++++++-
 lib/SimpleSAML/XML/SAML20/AuthnRequest.php    |  5 +-
 lib/SimpleSAML/XML/SAML20/AuthnResponse.php   |  4 +-
 lib/SimpleSAML/XML/SAML20/LogoutRequest.php   |  2 +-
 lib/SimpleSAML/XML/SAML20/LogoutResponse.php  |  2 +-
 metadata-templates/saml20-idp-hosted.php      |  8 +--
 metadata-templates/saml20-idp-remote.php      | 54 ++++++++-------
 metadata-templates/saml20-sp-hosted.php       | 42 +++---------
 metadata-templates/saml20-sp-remote.php       | 66 +++----------------
 metadata-templates/shib13-idp-remote.php      | 20 +++---
 metadata-templates/shib13-sp-hosted.php       | 29 ++------
 metadata-templates/shib13-sp-remote.php       |  9 +--
 templates/metadata.php                        | 29 ++++++++
 www/saml2/idp/SingleLogoutService.php         |  8 +--
 www/saml2/sp/SingleLogoutService.php          |  2 +-
 www/saml2/sp/initSLO.php                      |  4 +-
 www/saml2/sp/metadata.php                     | 10 ++-
 23 files changed, 194 insertions(+), 180 deletions(-)

diff --git a/config/config-template.php b/config/config-template.php
index e7744d7b8..9f90338f6 100644
--- a/config/config-template.php
+++ b/config/config-template.php
@@ -11,10 +11,10 @@ $config = array (
 	 * Setup the following parameters to match the directory of your installation.
 	 * See the user manual for more details.
 	 */
-	'basedir' 				=> '/var/www/simplesamlphp/',
+	'basedir' 				=> '/var/simplesamlphp/',
 	'baseurlpath'			=> 'simplesamlphp/',
-	'templatedir'			=> '/var/www/simplesamlphp/templates',
-	'metadatadir'			=> '/var/www/simplesamlphp/metadata',
+	'templatedir'			=> 'templates/',
+	'metadatadir'			=> 'metadata/',
 	
 	/*
 	 * If you set the debug parameter to true, all SAML messages will be visible in the
diff --git a/lib/SimpleSAML/Bindings/SAML20/HTTPPost.php b/lib/SimpleSAML/Bindings/SAML20/HTTPPost.php
index 6845a0e6d..1e71b49bc 100644
--- a/lib/SimpleSAML/Bindings/SAML20/HTTPPost.php
+++ b/lib/SimpleSAML/Bindings/SAML20/HTTPPost.php
@@ -29,7 +29,7 @@ class SimpleSAML_Bindings_SAML20_HTTPPost {
 	}
 	
 	
-	public function sendResponseUnsigned($response, $idpentityid, $spentityid, $relayState = null, $endpoint = 'assertionConsumerServiceURL') {
+	public function sendResponseUnsigned($response, $idpentityid, $spentityid, $relayState = null, $endpoint = 'AssertionConsumerService') {
 
 		$idpmd = $this->metadata->getMetaData($idpentityid, 'saml20-idp-hosted');
 		$spmd = $this->metadata->getMetaData($spentityid, 'saml20-sp-remote');
@@ -71,7 +71,7 @@ class SimpleSAML_Bindings_SAML20_HTTPPost {
 		$idpmd = $this->metadata->getMetaData($idpentityid, 'saml20-idp-hosted');
 		$spmd = $this->metadata->getMetaData($spentityid, 'saml20-sp-remote');
 		
-		$destination = $spmd['assertionConsumerServiceURL'];
+		$destination = $spmd['AssertionConsumerService'];
 	
 		/*
 		$privatekey = "/home/as/erlang/feide2/cert/edugain/server1Key.pem";
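Review bot: The renamed key is read with no existence check: `$destination = $spmd['AssertionConsumerService'];` yields null (with only a notice) for any SP entry still written with `assertionConsumerServiceURL`, so the response would be built with an empty destination. The same unchecked lookup of a renamed key appears in Bindings/Shib13/HTTPPost.php (formerly `shire`), XML/SAML20/AuthnResponse.php, LogoutRequest.php and LogoutResponse.php (formerly `SingleLogOutUrl`). Since this commit changes the metadata schema, a guard such as `if (empty($spmd['AssertionConsumerService'])) throw new Exception('Missing AssertionConsumerService in metadata for ' . $spentityid);` would make stale metadata fail loudly instead of silently. The enclosing function starts and ends outside the hunk.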
diff --git a/lib/SimpleSAML/Bindings/SAML20/HTTPRedirect.php b/lib/SimpleSAML/Bindings/SAML20/HTTPRedirect.php
index cf12376a5..eba7383df 100644
--- a/lib/SimpleSAML/Bindings/SAML20/HTTPRedirect.php
+++ b/lib/SimpleSAML/Bindings/SAML20/HTTPRedirect.php
@@ -27,7 +27,7 @@ class SimpleSAML_Bindings_SAML20_HTTPRedirect {
 		$this->metadata = $metadatastore;
 	}
 	
-	public function sendMessage($request, $remoteentityid, $relayState = null, $endpoint = 'SingleSignOnUrl', $direction = 'SAMLRequest', $mode = 'SP') {
+	public function sendMessage($request, $remoteentityid, $relayState = null, $endpoint = 'SingleSignOnService', $direction = 'SAMLRequest', $mode = 'SP') {
 		if (!in_array($mode, array('SP', 'IdP'))) {
 			throw new Exception('mode parameter of sendMessage() must be either SP or IdP');
 		}
diff --git a/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php b/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php
index 6ff9771cf..376889379 100644
--- a/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php
+++ b/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php
@@ -29,7 +29,7 @@ class SimpleSAML_Bindings_Shib13_HTTPPost {
 	}
 	
 	
-	public function sendResponseUnsigned($response, $idpentityid, $spentityid, $relayState = null, $endpoint = 'assertionConsumerServiceURL') {
+	public function sendResponseUnsigned($response, $idpentityid, $spentityid, $relayState = null, $endpoint = 'AssertionConsumerService') {
 
 		$idpmd = $this->metadata->getMetaData($idpentityid, 'saml20-idp-hosted');
 		$spmd = $this->metadata->getMetaData($spentityid, 'saml20-sp-remote');
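Review bot: In the Shibboleth 1.3 binding, `sendResponseUnsigned()` still loads its metadata from the `'saml20-idp-hosted'` and `'saml20-sp-remote'` sets (the context lines right after the changed signature), whereas the code in the second hunk of this file uses `'shib13-idp-hosted'` and `'shib13-sp-remote'`. If that is a copy-paste leftover, the unsigned path resolves entities against the wrong trust configuration; the lookups would then be `getMetaData($idpentityid, 'shib13-idp-hosted')` and `getMetaData($spentityid, 'shib13-sp-remote')`. The method body continues outside the hunk.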
@@ -71,7 +71,7 @@ class SimpleSAML_Bindings_Shib13_HTTPPost {
 		$idpmd = $this->metadata->getMetaData($idpentityid, 'shib13-idp-hosted');
 		$spmd = $this->metadata->getMetaData($spentityid, 'shib13-sp-remote');
 		
-		$destination = $spmd['shire'];
+		$destination = $spmd['AssertionConsumerService'];
 	
 		$privatekey = $this->configuration->getValue('basedir') . '/cert/' . $idpmd['privatekey'];
 		$publiccert = $this->configuration->getValue('basedir') . '/cert/' . $idpmd['certificate'];
diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php
index 361acd85f..a5772df2f 100644
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -19,6 +19,25 @@ require_once('SimpleSAML/Configuration.php');
 class SimpleSAML_Utilities {
 
 
+	public static function selfURLhost() {
+	
+		$currenthost = $_SERVER['HTTP_HOST'];
+		if(strstr($currenthost, ":")) {
+				$currenthostdecomposed = explode(":", $currenthost);
+				$currenthost = $currenthostdecomposed[0];
+		}
+	
+		$s = empty($_SERVER["HTTPS"]) ? ''
+			: ($_SERVER["HTTPS"] == "on") ? "s"
+			: "";
+		$protocol = self::strleft(strtolower($_SERVER["SERVER_PROTOCOL"]), "/").$s;
+		$port = ($_SERVER["SERVER_PORT"] == "80") ? ""
+			: (":".$_SERVER["SERVER_PORT"]);
+		$querystring = '';
+		return $protocol."://" . $currenthost . $port;
+	
+	}
+
 	public static function selfURLNoQuery() {
 	
 		$currenthost = $_SERVER['HTTP_HOST'];
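Review bot: `selfURLhost()` takes the host from `$_SERVER['HTTP_HOST']`, which is the request's Host header, and this commit uses the result in `getGenerated()` for the AssertionConsumerService and SingleLogoutService URLs that go into the AuthnRequest and the published SP metadata. A request arriving with an unexpected Host header would therefore change those endpoint URLs, so the value should be checked against the hostnames the installation is configured for (the hosted metadata already carries a `host` entry) before it is used. The unparenthesised nested ternary for `$s` only gives the right answer through left-associativity and is a compile error from PHP 8; `$s = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 's' : '';` states the intent directly. The port logic drops only `80`, so an HTTPS site on the default port gets `:443` appended, and `$querystring` is assigned but never used.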
diff --git a/lib/SimpleSAML/XHTML/Template.php b/lib/SimpleSAML/XHTML/Template.php
index 11e845ee4..8c23f3467 100644
--- a/lib/SimpleSAML/XHTML/Template.php
+++ b/lib/SimpleSAML/XHTML/Template.php
@@ -32,7 +32,8 @@ class SimpleSAML_XHTML_Template {
 	
 	public function show() {
 		$data = $this->data;
-		$filename = $this->configuration->getValue('templatedir') . '/' . $this->template;
+		$filename = $this->configuration->getValue('basedir') . '/' . 
+			$this->configuration->getValue('templatedir') . '/' . $this->template;
 		if (!file_exists($filename)) {
 			throw new Exception('Could not find template file [' . $this->template . '] at [' . $filename . ']');
 		}
diff --git a/lib/SimpleSAML/XML/MetaDataStore.php b/lib/SimpleSAML/XML/MetaDataStore.php
index bf550d730..1ae3bc1a0 100644
--- a/lib/SimpleSAML/XML/MetaDataStore.php
+++ b/lib/SimpleSAML/XML/MetaDataStore.php
@@ -12,6 +12,7 @@
  */
 
 require_once('SimpleSAML/Configuration.php');
+require_once('SimpleSAML/Utilities.php');
 
 /**
  * Configuration of SimpleSAMLphp
@@ -34,7 +35,9 @@ class SimpleSAML_XML_MetaDataStore {
 				throw new Exception('Trying to load illegal set of Meta data [' . $set . ']');
 		}
 		
-		$metadatasetfile = $this->configuration->getValue('metadatadir') . '/' . $set . '.php';
+		$metadatasetfile = $this->configuration->getValue('basedir') . '/' . 
+			$this->configuration->getValue('metadatadir') . '/' . $set . '.php';
+		
 		
 		if (!file_exists($metadatasetfile)) {
 			throw new Exception('Could not open file: ' . $metadatasetfile);
@@ -105,6 +108,43 @@ class SimpleSAML_XML_MetaDataStore {
 		return $this->metadata[$set][$entityid];
 	}
 	
+	public function getGenerated($property, $set = 'saml20-sp-hosted') {
+		
+		$baseurl = SimpleSAML_Utilities::selfURLhost() . '/' . $this->configuration->getValue('baseurlpath');
+		
+		
+		if ($set == 'saml20-sp-hosted') {
+			switch ($property) {				
+				case 'AssertionConsumerService' : 
+					return $baseurl . 'saml2/sp/AssertionConsumerService.php';
+
+				case 'SingleLogoutService' : 
+					return $baseurl . 'saml2/sp/SingleLogoutService.php';					
+			}
+		} elseif($set == 'saml20-idp-hosted') {
+			switch ($property) {				
+				case 'SingleSignOnService' : 
+					return $baseurl . 'saml2/idp/SSOService.php';
+
+				case 'SingleLogoutService' : 
+					return $baseurl . 'saml2/idp/SingleLogoutService.php';					
+			}
+		} elseif($set == 'shib13-sp-hosted') {
+			switch ($property) {				
+				case 'AssertionConsumerService' : 
+					return $baseurl . 'shib13/sp/AssertionConsumerService.php';
+			}
+		} elseif($set == 'shib13-idp-hosted') {
+			switch ($property) {				
+				case 'SingleSignOnService' : 
+					return $baseurl . 'shib13/idp/SSOService.php';			
+			}
+		}
+		
+		throw new Exception('Could not generate metadata property ' . $property . ' for set ' . $set . '.');
+	}
+	
+	
 	
 }
 
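Review bot: `getGenerated()` has no doc comment and repeats one `switch` per metadata set, so it is easy to miss that an unknown property falls through every branch to the final `throw`; a lookup table keeps the set/property pairs in one place and makes the failure path explicit. The URLs it returns take scheme and host from `SimpleSAML_Utilities::selfURLhost()`, that is, from the current request, so the doc comment should say that the result is only as trustworthy as that request's host and that an installation reached over plain HTTP will advertise `http://` endpoints. A possible shape is below; it is intended to behave the same for the string arguments used in this commit.

```php
	/**
	 * Build the URL of an endpoint that simpleSAMLphp itself hosts.
	 * Scheme and host come from the current request (selfURLhost()).
	 */
	public function getGenerated($property, $set = 'saml20-sp-hosted') {

		// Script path below baseurlpath for every endpoint that can be generated.
		$paths = array(
			'saml20-sp-hosted' => array(
				'AssertionConsumerService' => 'saml2/sp/AssertionConsumerService.php',
				'SingleLogoutService' => 'saml2/sp/SingleLogoutService.php',
			),
			'saml20-idp-hosted' => array(
				'SingleSignOnService' => 'saml2/idp/SSOService.php',
				'SingleLogoutService' => 'saml2/idp/SingleLogoutService.php',
			),
			'shib13-sp-hosted' => array(
				'AssertionConsumerService' => 'shib13/sp/AssertionConsumerService.php',
			),
			'shib13-idp-hosted' => array(
				'SingleSignOnService' => 'shib13/idp/SSOService.php',
			),
		);

		if (!isset($paths[$set][$property])) {
			throw new Exception('Could not generate metadata property ' . $property . ' for set ' . $set . '.');
		}

		$baseurl = SimpleSAML_Utilities::selfURLhost() . '/' . $this->configuration->getValue('baseurlpath');
		return $baseurl . $paths[$set][$property];
	}
```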
diff --git a/lib/SimpleSAML/XML/SAML20/AuthnRequest.php b/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
index 83986d75b..eb203f915 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
@@ -138,7 +138,10 @@ class SimpleSAML_XML_SAML20_AuthnRequest {
 		$id = self::generateID();
 		$issueInstant = self::generateIssueInstant();
 
-		$assertionConsumerServiceURL = $md['assertionConsumerServiceURL'];
+		//$assertionConsumerServiceURL = $md['AssertionConsumerService'];
+		$assertionConsumerServiceURL = $this->metadata->getGenerated('AssertionConsumerService', 'saml20-sp-hosted');
+		
+		
 		$spNameQualifier = $md['spNameQualifier'];
 		$nameidformat = isset($md['NameIDformat']) ? 
 			$md['NameIDformat'] : 
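Review bot: The old assignment is left behind as a commented-out line and should be deleted; if the intent needs recording, a comment such as `// The ACS URL is generated from the current request host, not read from metadata.` says more. That is worth stating because the URL sent in the AuthnRequest now depends on `selfURLhost()` rather than on a configured value. On the context lines, `$md['NameIDformat']` is spelled with a lower-case `f` while the metadata templates in this commit define `'NameIDFormat'`, so the `isset()` test presumably never matches. The function starts and ends outside the hunk.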
diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index 2a46accc3..96c52e07b 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -357,10 +357,10 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 
 		$issuer = $idpentityid;
 
-		$assertionConsumerServiceURL = $spmd['assertionConsumerServiceURL'];
+		$assertionConsumerServiceURL = $spmd['AssertionConsumerService'];
 		$spNameQualifier = $spmd['spNameQualifier'];
 		
-		$destination = $spmd['assertionConsumerServiceURL'];
+		$destination = $spmd['AssertionConsumerService'];
 		
 		$base64 = isset($idpmd['base64attributes']) ? $idpmd['base64attributes'] : false;
 		
diff --git a/lib/SimpleSAML/XML/SAML20/LogoutRequest.php b/lib/SimpleSAML/XML/SAML20/LogoutRequest.php
index 8dfb35d6a..9900daee9 100644
--- a/lib/SimpleSAML/XML/SAML20/LogoutRequest.php
+++ b/lib/SimpleSAML/XML/SAML20/LogoutRequest.php
@@ -129,7 +129,7 @@ class SimpleSAML_XML_SAML20_LogoutRequest {
 		$id = self::generateID();
 		$issueInstant = self::generateIssueInstant();
 
-		$destination = $receivermd['SingleLogOutUrl'];
+		$destination = $receivermd['SingleLogoutService'];
 
 /*
 		$spNameQualifier = $md['spNameQualifier'];
diff --git a/lib/SimpleSAML/XML/SAML20/LogoutResponse.php b/lib/SimpleSAML/XML/SAML20/LogoutResponse.php
index c83cde719..d80bf35f0 100644
--- a/lib/SimpleSAML/XML/SAML20/LogoutResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/LogoutResponse.php
@@ -111,7 +111,7 @@ class SimpleSAML_XML_SAML20_LogoutResponse {
 		$id = self::generateID();
 		$issueInstant = self::generateIssueInstant();
 
-		$destination = $receivermd['SingleLogOutUrl'];
+		$destination = $receivermd['SingleLogoutService'];
 		
 		$samlResponse = '<samlp:LogoutResponse  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 ID="_' . $id . '" Version="2.0" IssueInstant="' . $issueInstant . '" Destination="'. $destination. '" InResponseTo="' . $inresponseto . '">
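Review bot: `$destination` and `$inresponseto` are concatenated directly into attribute values of the `LogoutResponse` XML on the context lines below the renamed lookup, with no escaping. `$destination` comes from metadata, but where `$inresponseto` originates is not visible in this hunk; if it is copied from a received LogoutRequest, a quote character in it would end the attribute early. Wrapping both in `htmlspecialchars()`, e.g. `Destination="' . htmlspecialchars($destination) . '"`, keeps the generated message well-formed. The string literal and the function continue outside the hunk.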
diff --git a/metadata-templates/saml20-idp-hosted.php b/metadata-templates/saml20-idp-hosted.php
index b1eab5941..fe31dbaa8 100644
--- a/metadata-templates/saml20-idp-hosted.php
+++ b/metadata-templates/saml20-idp-hosted.php
@@ -10,14 +10,10 @@
 $metadata = array( 
 
 	// The SAML entity ID is the index of this config.
-	'dev2.andreas.feide.no' => array(
+	'sp.example.org' => array(
 	
 		// The hostname of the server (VHOST) that this SAML entity will use.
-		'host'				=>	'dev2.andreas.feide.no',
-		
-		// SAML endpoints.
-		'SingleSignOnUrl'	=>	"http://dev2.andreas.feide.no/saml2/idp/SSOService.php",
-		'SingleLogOutUrl'	=>	"http://dev2.andreas.feide.no/saml2/idp/LogoutService.php",
+		'host'				=>	'sp.example.org',
 		
 		// X.509 key and certificate. Relative to the cert directory.
 		'privatekey'		=>	'server.pem',
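Review bot: The hosted-IdP template now uses `'sp.example.org'` as both entity ID and `host`, which reads like a copy from the SP template; saml20-idp-remote.php in this commit names the example IdP `idp.example.org`, and the two should agree: `'idp.example.org' => array(` and `'host' => 'idp.example.org',`. The array continues outside the hunk.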
diff --git a/metadata-templates/saml20-idp-remote.php b/metadata-templates/saml20-idp-remote.php
index 3f0afacb3..b6436dadd 100644
--- a/metadata-templates/saml20-idp-remote.php
+++ b/metadata-templates/saml20-idp-remote.php
@@ -9,33 +9,37 @@
 
 
 $metadata = array( 
-	"feide2.erlang.no-saml2" => 
-		array(
-			"SingleSignOnUrl"	=>	"https://feide2.erlang.no/saml2/idp/SSOService.php",
-		 	"SingleLogOutUrl"	=>	"https://feide2.erlang.no/saml2/idp/LogoutService.php",
-		 	"certFingerprint"	=>	"afe71c28ef740bc87425be13a2263d37971da1f9",
-		 	"base64attributes"	=>	true),
 
-	'dev2.andreas.feide.no' => 
-		array(
-			"SingleSignOnUrl"	=>	"http://dev2.andreas.feide.no/saml2/idp/SSOService.php",
-		 	"SingleLogOutUrl"	=>	"http://dev2.andreas.feide.no/saml2/idp/LogoutService.php",
-		 	"certFingerprint"	=>	"afe71c28ef740bc87425be13a2263d37971da1f9",
-		 	"base64attributes"	=>	false),
-		 	
-	"sam.feide.no" => 
-		array( 
-			"SingleSignOnUrl"	=>	"https://sam.feide.no/amserver/SSORedirect/metaAlias/idp",
-		 	"SingleLogOutUrl"	=>	"https://sam.feide.no/amserver/IDPSloRedirect/metaAlias/idp",
-		 	"certFingerprint"	=>	"3a:e7:d3:d3:06:ba:57:fd:7f:62:6a:4b:a8:64:b3:4a:53:d9:5d:d0",
-		 	"base64attributes"	=>	true),
+	/*
+	 * Example simpleSAMLphp SAML 2.0 IdP
+	 */
+	'idp.example.org' =>  array(
+		'SingleSignOnService'	=>	'https://idp.example.org/simplesaml/saml2/idp/SSOService.php',
+		'SingleLogoutService'	=>	'https://idp.example.org/simplesaml/saml2/idp/LogoutService.php',
+		'certFingerprint'		=>	'3fa158e8abfd4b5203315b08c0b791b6ee4715f6',
+		'base64attributes'		=>	true
+	),
+
+
+	/*
+	 * Metadata for Feide's test environment.
+	 */
+	'max.feide.no' =>  array(
+		'SingleSignOnService'	=>	'https://max.feide.no/amserver/SSORedirect/metaAlias/idp',
+		'SingleLogoutService'	=>	'https://max.feide.no/amserver/IDPSloRedirect/metaAlias/idp',
+		'certFingerprint'		=>	'3fa158e8abfd4b5203315b08c0b791b6ee4715f6',
+		'base64attributes'		=>	true
+	),
 		 	
-	"max.feide.no" => 
-		array(
-			"SingleSignOnUrl"	=>	"https://max.feide.no/amserver/SSORedirect/metaAlias/idp",
-		 	"SingleLogOutUrl"	=>	"https://max.feide.no/amserver/IDPSloRedirect/metaAlias/idp",
-		 	"certFingerprint"	=>	"d79b0e23c0833d2f5b8d94abd54ae693708b1eef",
-		 	"base64attributes"	=>	false )
+	/*
+	 * Metadata for Feide's production environment.
+	 */
+	'sam.feide.no' =>  array( 
+		'SingleSignOnService'	=>	'https://sam.feide.no/amserver/SSORedirect/metaAlias/idp',
+		'SingleLogoutService'	=>	'https://sam.feide.no/amserver/IDPSloRedirect/metaAlias/idp',
+		'certFingerprint'		=>	'3a:e7:d3:d3:06:ba:57:fd:7f:62:6a:4b:a8:64:b3:4a:53:d9:5d:d0',
+		'base64attributes'		=>	true
+	) 
 
     );
 ?>
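Review bot: The `idp.example.org` example and the `max.feide.no` entry carry the identical `certFingerprint` `3fa158e8abfd4b5203315b08c0b791b6ee4715f6`, and the `max.feide.no` value differs from the one removed above, so at least one of them is probably a copy rather than a verified value. Since this field decides which signing certificate is trusted, the example should use an obvious placeholder, and the header comment should tell operators to verify each fingerprint out of band before use. The example `SingleLogoutService` URL ends in `LogoutService.php`, while the endpoint that MetaDataStore::getGenerated() produces for a hosted IdP is `saml2/idp/SingleLogoutService.php`.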
diff --git a/metadata-templates/saml20-sp-hosted.php b/metadata-templates/saml20-sp-hosted.php
index ff284d571..396d8d60c 100644
--- a/metadata-templates/saml20-sp-hosted.php
+++ b/metadata-templates/saml20-sp-hosted.php
@@ -7,39 +7,17 @@
  */
  
 $metadata = array( 
-	"dev.andreas.feide.no" => array(
-		'host'							=>	'dev.andreas.feide.no',
- 		"assertionConsumerServiceURL"	=>	"http://dev.andreas.feide.no/saml2/sp/AssertionConsumerService.php", 
- 		'SingleLogOutUrl'				=>	'http://dev.andreas.feide.no/saml2/sp/SingleLogoutService.php',
-		"issuer"						=>	"dev.andreas.feide.no",
-		"spNameQualifier" 				=>	"dev.andreas.feide.no",
-		"ForceAuthn"					=>	"false",
-		"NameIDFormat"					=>	"urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
-	),
-	"dev2.andreas.feide.no" => array(
-		'host'							=>	'dev2.andreas.feide.no',
- 		"assertionConsumerServiceURL"	=>	"http://dev2.andreas.feide.no/saml2/sp/AssertionConsumerService.php", 
-		"issuer"						=>	"dev2.andreas.feide.no",
-		"spNameQualifier" 				=>	"dev2.andreas.feide.no",
-		"ForceAuthn"					=>	"false",
-		"NameIDFormat"					=>	"urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
-	),
-	"feide2.erlang.no" => array(
-		'host'							=>	'feide2.erlang.no',
- 		"assertionConsumerServiceURL"	=>	"https://feide2.erlang.no/saml2/sp/AssertionConsumerService.php", 
-		"issuer"						=>	"feide2.erlang.no",
-		"spNameQualifier" 				=>	"feide2.erlang.no",
-		"ForceAuthn"					=>	"false",
-		"NameIDFormat"					=>	"urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
-	),
-	"feide3.erlang.no" => array(
-		'host'							=>	'feide3.erlang.no',
- 		"assertionConsumerServiceURL"	=>	"https://feide3.erlang.no/saml2/sp/AssertionConsumerService.php", //
-		"issuer"						=>	"feide3.erlang.no",
-		"spNameQualifier" 				=>	"feide3.erlang.no",
-		"ForceAuthn"					=>	"false",
-		"NameIDFormat"					=>	"urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+
+	/*
+	 * Example of a hosted SP 
+	 */
+	'sp.example.org' => array(
+		'host'							=>	'sp.example.org',
+		'spNameQualifier' 				=>	'sp.example.org',
+		'NameIDFormat'					=>	'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+		'ForceAuthn'					=>	'false'
 	)
+
 );
 
 
diff --git a/metadata-templates/saml20-sp-remote.php b/metadata-templates/saml20-sp-remote.php
index 3cf919fb7..3fd1e5375 100644
--- a/metadata-templates/saml20-sp-remote.php
+++ b/metadata-templates/saml20-sp-remote.php
@@ -6,7 +6,6 @@
  *
  *	Required parameters:
  * 
- *		assertionConsumerServiceURL
  *		spNameQualifier
  *		NameIDFormat
  *		simplesaml.attributes (Will you send an attributestatement [true/false])
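Review bot: The required-parameters list drops `assertionConsumerServiceURL` without adding its replacement, although `AssertionConsumerService` is still read unconditionally for remote SPs in Bindings/SAML20/HTTPPost.php and XML/SAML20/AuthnResponse.php. Replace the removed line with ` *		AssertionConsumerService` so the header matches what the code requires.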
@@ -20,9 +19,12 @@
 
 $metadata = array( 
 
-	'dev.andreas.feide.no' => array(
- 		'assertionConsumerServiceURL'	=>	'http://dev.andreas.feide.no/saml2/sp/AssertionConsumerService.php', 
- 		'SingleLogOutUrl'				=>	'http://dev.andreas.feide.no/saml2/sp/SingleLogoutService.php',
+	/*
+	 * Example simpleSAMLphp SAML 2.0 SP
+	 */
+	'saml2sp.example.org' => array(
+ 		'AssertionConsumerService'		=>	'https://saml2sp.example.org/simplesaml/saml2/sp/AssertionConsumerService.php', 
+ 		'SingleLogOutUrl'				=>	'https://saml2sp.example.org/simplesaml/saml2/sp/SingleLogoutService.php',
 		'spNameQualifier' 				=>	'dev.andreas.feide.no',
 		'ForceAuthn'					=>	'false',
 		'NameIDFormat'					=>	'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
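Review bot: The example entry keeps the key `'SingleLogOutUrl'`, but after this commit the logout code looks up `'SingleLogoutService'` (see www/saml2/idp/SingleLogoutService.php), so an SP configured from this template would have no logout endpoint; the line should read `'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/saml2/sp/SingleLogoutService.php',`. The context line `'spNameQualifier' => 'dev.andreas.feide.no'` still carries the developer's hostname and presumably should be `'saml2sp.example.org'` to match the entity ID.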
@@ -36,66 +38,14 @@ $metadata = array(
 	 * must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the value of 'john'.
 	 */
 	'google.com' => array(
- 		'assertionConsumerServiceURL'	=>	'https://www.google.com/a/foo.no/acs', 
+ 		'AssertionConsumerService'	=>	'https://www.google.com/a/g.feide.no/acs', 
 		'spNameQualifier' 				=>	'google.com',
 		'ForceAuthn'					=>	'false',
 		'NameIDFormat'					=>	'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
 		'simplesaml.nameidattribute'	=>	'uid',
 		'simplesaml.attributes'			=>	false
-	),
-	
-	"feide2.erlang.no" => array(
- 		"assertionConsumerServiceURL"	=>	"https://feide2.erlang.no/saml2/sp/AssertionConsumerService.php", 
- 		'SingleLogOutUrl'				=>	'http://feide2.erlang.no/saml2/sp/SingleLogoutService.php',
-		"spNameQualifier" 				=>	"feide2.erlang.no",
-		"ForceAuthn"					=>	"false",
-		"NameIDFormat"					=>	"urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
-		'simplesaml.nameidattribute'	=>	'uid',
-		'simplesaml.attributes'			=>	true
-	),
-	
-	/*
-	 * This example is an OpenFM service provider.
-	 */
-	'services.feide.no' => array(
- 		"assertionConsumerServiceURL"	=>	'https://services.feide.no/openfm/Consumer/metaAlias/sp_meta_alias',
- 		'SingleLogOutUrl'				=>	'https://services.feide.no/openfm/SPSloRedirect/metaAlias/sp_meta_alias',
-		"spNameQualifier" 				=>	'services.feide.no',
-		"ForceAuthn"					=>	'false',
-		"NameIDFormat"					=>	'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
-		'simplesaml.attributes'			=>	true
-	),
-		
-	"feide3.erlang.no" => array(
- 		"assertionConsumerServiceURL"	=>	"https://feide3.erlang.no/saml2/sp/AssertionConsumerService.php", //
- 		'SingleLogOutUrl'				=>	'https://feide3.erlang.no/saml2/sp/SPSloRedirect/metaAlias/sp_meta_alias',
-		"spNameQualifier" 				=>	"feide3.erlang.no",
-		"ForceAuthn"					=>	"false",
-		"NameIDFormat"					=>	"urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
-		'simplesaml.attributes'			=>	true
-	),
+	)
 	
-	/*
-	 * This example is a Shibboleth 2.0 service provider.
-	 */
-	"skjak.uninett.no" => array(
- 		"assertionConsumerServiceURL"	=>	"https://skjak.uninett.no/Shibboleth.sso/SAML2/POST", //
- 		'SingleLogOutUrl'				=>	'http://skjak.uninett.no/foo',
-		"spNameQualifier" 				=>	"skjak.uninett.no",
-		"ForceAuthn"					=>	"false",
-		"NameIDFormat"					=>	"urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
-		'simplesaml.attributes'			=>	true
-		),
-	"skjak2.uninett.no" => array(
-// 		"assertionConsumerServiceURL"	=>	"https://skjak2.uninett.no:443/fam/Consumer/metaAlias/sp_meta_alias", //
- 		"assertionConsumerServiceURL"	=>	"https://skjak.uninett.no/Shibboleth.sso/SAML2/POST", //
- 		'SingleLogOutUrl'				=>	'http://skjak.uninett.no/foo',
-		"spNameQualifier" 				=>	"skjak.uninett.no",
-		"ForceAuthn"					=>	"false",
-		"NameIDFormat"					=>	"urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
-		'simplesaml.attributes'			=>	true
-		)
-		
 		
 
 );
diff --git a/metadata-templates/shib13-idp-remote.php b/metadata-templates/shib13-idp-remote.php
index aba114a16..131dedb16 100644
--- a/metadata-templates/shib13-idp-remote.php
+++ b/metadata-templates/shib13-idp-remote.php
@@ -7,22 +7,26 @@
 
 $metadata = array(
 
+
 	'urn:mace:switch.ch:aaitest:dukono.switch.ch'	=> array(
 		'SingleSignOnUrl'		=>	'https://dukono.switch.ch/shibboleth-idp/SSO',
 		'certFingerprint'		=>	'c7279a9f28f11380509e075441e3dc55fb9ab864' 
-//		'certFingerprint'		=>	'4e730f327ce8d9fe6269298d8f777a4bd0937ba5'
-//		c7279a9f28f11380509e075441e3dc55fb9ab864
-		// "SingleLogOutUrl" => "https://mars.feide.no/amserver/IDPSloRedirect/metaAlias/idp",
 	),
 	
-	'feide.erlang.no-shib13'	=> array(
-		'issuer'						=>	'feide.erlang.no',
-		'assertionDurationMinutes'		=>	10,
-		'audience'						=> 'urn:mace:feide:shiblab'
+
+	'hbe.edugain.bridge.feide.no'	=> array(
+		'SingleSignOnUrl'		=>	'https://hbe.edugain.bridge.feide.no/simplesaml/shib13/idp/SSOService.php',
+		'certFingerprint'		=>	'afe71c28ef740bc87425be13a2263d37971da1f9' 
 	),
 	
+	'urn:mace:switch.ch:aaitest:dukono.switch.ch'	=> array(
+		'SingleSignOnUrl'		=>	'https://dukono.switch.ch/shibboleth-idp/SSO',
+		'certFingerprint'		=>	'c7279a9f28f11380509e075441e3dc55fb9ab864' 
+	),
+		
 	'urn:mace:dfnwayf'	=> array(
-		'SingleSignOnUrl'		=>	'https://dfn.wayf.com/WAYF'
+		'SingleSignOnUrl'		=>	'https://dfn.wayf.com/WAYF',
+		'certFingerprint'		=>	'---' 
 	)
 );
 
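Review bot: The entity ID `'urn:mace:switch.ch:aaitest:dukono.switch.ch'` now appears twice in the array literal, and PHP silently keeps only the last occurrence, so a later edit to the first entry would have no effect. `'certFingerprint' => '---'` for `urn:mace:dfnwayf` is a placeholder in a trust-anchor field; whether validation fails closed on it is not visible here, so the entry is better left out or commented as unusable until a real fingerprint is set. These entries also keep `SingleSignOnUrl` while the SAML 2.0 sets move to `SingleSignOnService`; if the Shibboleth code is meant to follow the new naming, this file was missed.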
diff --git a/metadata-templates/shib13-sp-hosted.php b/metadata-templates/shib13-sp-hosted.php
index 70c78d235..0f94bba10 100644
--- a/metadata-templates/shib13-sp-hosted.php
+++ b/metadata-templates/shib13-sp-hosted.php
@@ -5,29 +5,12 @@
  */
 
 $metadata = array(
-	'http://dev.andreas.feide.no'	=> array(
-		'AssertionConsumerService'	=>	'http://dev.andreas.feide.no/shib13/sp/AssertionConsumerService.php',
-		'host'						=>	'dev.andreas.feide.no'
-	),
-	'https://sp.shiblab.feide.no'	=> array(
-		'shire'				=>	'http://sp.shiblab.feide.no/Shibboleth.sso/SAML/POST',
-		'spnamequalifier'	=>	'urn:feide.no',
-		'audience'			=>	'urn:mace:feide:shiblab'
-	),
-	'urn:geant:edugain:component:be:switchaai-test:central' => array(
-		'shire'				=>	'https://edugain-login.switch.ch/ShiBE-R/WebSSOResponseListener',
-		'spnamequalifier'	=>	'urn:geant:edugain:component:be:rediris:rediris.es',
-		'audience'			=>	'urn:geant:edugain:component:be:switchaai-test:central'
-	),
-	'urn:geant:edugain:component:be:rediris:rediris.es' => array(
-		'shire'				=>	'http://serrano.rediris.es:8080/PAPIWebSSOResponseListener/request',
-		'spnamequalifier'	=>	'urn:geant:edugain:component:be:rediris:rediris.es',
-		'audience'			=>	'urn:geant:edugain:component:be:rediris:rediris.es'
-	),
-	'https://skjak.uninett.no/shibboleth/target' => array(
-		'shire'				=>	'https://skjak.uninett.no/Shibboleth.shire',
-		'spnamequalifier'	=>	'https://skjak.uninett.no/shibboleth/target',
-		'audience'			=>	'https://skjak.uninett.no/shibboleth/target'
+
+	/*
+	 * Example of hosted Shibboleth 1.3 SP.
+	 */
+	'sp.example.org'	=> array(
+		'host'						=>	'sp.example.org'
 	)
 
 );
diff --git a/metadata-templates/shib13-sp-remote.php b/metadata-templates/shib13-sp-remote.php
index e44d5b000..e998cfa1d 100644
--- a/metadata-templates/shib13-sp-remote.php
+++ b/metadata-templates/shib13-sp-remote.php
@@ -9,23 +9,24 @@
 
 
 $metadata = array(
+
 	'https://sp.shiblab.feide.no'	=> array(
-		'shire'				=>	'http://sp.shiblab.feide.no/Shibboleth.sso/SAML/POST',
+		'AssertionConsumerService'				=>	'http://sp.shiblab.feide.no/Shibboleth.sso/SAML/POST',
 		'spnamequalifier'	=>	'urn:feide.no',
 		'audience'			=>	'urn:mace:feide:shiblab'
 	),
 	'urn:geant:edugain:component:be:switchaai-test:central' => array(
-		'shire'				=>	'https://edugain-login.switch.ch/ShiBE-R/WebSSOResponseListener',
+		'AssertionConsumerService'				=>	'https://edugain-login.switch.ch/ShiBE-R/WebSSOResponseListener',
 		'spnamequalifier'	=>	'urn:geant:edugain:component:be:rediris:rediris.es',
 		'audience'			=>	'urn:geant:edugain:component:be:switchaai-test:central'
 	),
 	'urn:geant:edugain:component:be:rediris:rediris.es' => array(
-		'shire'				=>	'http://serrano.rediris.es:8080/PAPIWebSSOResponseListener/request',
+		'AssertionConsumerService'				=>	'http://serrano.rediris.es:8080/PAPIWebSSOResponseListener/request',
 		'spnamequalifier'	=>	'urn:geant:edugain:component:be:rediris:rediris.es',
 		'audience'			=>	'urn:geant:edugain:component:be:rediris:rediris.es'
 	),
 	'https://skjak.uninett.no/shibboleth/target' => array(
-		'shire'				=>	'https://skjak.uninett.no/Shibboleth.shire',
+		'AssertionConsumerService'				=>	'https://skjak.uninett.no/Shibboleth.shire',
 		'spnamequalifier'	=>	'https://skjak.uninett.no/shibboleth/target',
 		'audience'			=>	'https://skjak.uninett.no/shibboleth/target'
 	)
diff --git a/templates/metadata.php b/templates/metadata.php
index 7f847a4ee..bb6e93c18 100644
--- a/templates/metadata.php
+++ b/templates/metadata.php
@@ -64,7 +64,36 @@ h6 {font-size: 96%}
 		<pre style="overflow: scroll; border: 1px solid #eee; padding: 2px"><?php echo $data['metadata']; ?></pre>
 
 		
+		<?php if($data['feide']) { ?>
+		
+		
+			<div style="border: 1px solid #444; margin: 2em; padding: 1em; background: #eee">
+			
+				<img src="http://clippings.erlang.no/ZZ076BD170.jpg" style="float: right; " />
+			
+				<h2>Send your metadata to Feide</h2>
+				
+				<p>simpleSAMLphp has detected that you have configured Feide as your default IdP.</p>
+				
+				<p>Before you can connect to Feide, Feide needs to add your service in its trust configuration. When you
+					contact Feide to add you as a new service, you will be asked to send your metadata. Here you can easily send
+					the metadata to Feide by clicking the button below.</p>
+					
+				<form action="http://rnd.feide.no/post-metadata/index.php" method="post">
 
+					<p>Feide needs to know how to get in contact with you, so you need to type in <strong>your email address</strong>:
+						<input type="text" size="25" name="email" value="" />
+					</p>
+					
+					<input type="hidden" name="metadata" value="<?php echo urlencode(base64_encode($data['metadata'])); ?>" />
+					<input type="hidden" name="defaultidp" value="<?php echo $data['defaultidp']; ?>" />
+					<input type="submit" name="send" value="Send my metadata to Feide" />
+					
+				</form>
+				
+			</div>
+		
+		<?php } ?>
 
 		<hr />
 		
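Review bot: The new form submits the administrator's e-mail address and the SP metadata to `http://rnd.feide.no/post-metadata/index.php` over plain HTTP, so the metadata that Feide is asked to trust can be read or altered in transit; the action should be an `https://` URL if the receiving service offers one (not visible here). `$data['defaultidp']` is echoed into an attribute unescaped; `value="<?php echo htmlspecialchars($data['defaultidp']); ?>"` is safer even though the value comes from configuration. The `<img>` loaded from `http://clippings.erlang.no/` makes every visit to the metadata page fetch from a third-party host and causes mixed content when the page is served over HTTPS; shipping the image with the templates avoids both. `urlencode()` on the base64 value is applied inside a form field that the browser encodes again on submit, so the receiver gets a value that is URL-encoded twice.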
diff --git a/www/saml2/idp/SingleLogoutService.php b/www/saml2/idp/SingleLogoutService.php
index 39ba55d17..f797641d6 100644
--- a/www/saml2/idp/SingleLogoutService.php
+++ b/www/saml2/idp/SingleLogoutService.php
@@ -79,8 +79,8 @@ if ($spentityid) {
 			$relayState = $_GET['RelayState'];
 		}
 		
-		//$request, $remoteentityid, $relayState = null, $endpoint = 'SingleSignOnUrl', $direction = 'SAMLRequest', $mode = 'SP'
-		$httpredirect->sendMessage($req, $spentityid, $relayState, 'SingleLogOutUrl', 'SAMLRequest', 'IdP');
+		//$request, $remoteentityid, $relayState = null, $endpoint = 'SingleLogoutService', $direction = 'SAMLRequest', $mode = 'SP'
+		$httpredirect->sendMessage($req, $spentityid, $relayState, 'SingleLogoutService', 'SAMLRequest', 'IdP');
 		
 		exit();
 
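Review bot: The updated comment is meant to restate the `sendMessage()` signature, but it now gives the default as `$endpoint = 'SingleLogoutService'` while the signature in Bindings/SAML20/HTTPRedirect.php (changed in this same commit) defaults to `'SingleSignOnService'`. The same line is repeated in the second hunk of this file and in www/saml2/sp/initSLO.php. Either correct it to `$endpoint = 'SingleSignOnService'` or drop the copied signature and say what the call does, e.g. `// Redirect the LogoutRequest to the SP's SingleLogoutService endpoint.`. `$relayState` is taken from `$_GET['RelayState']` on the context lines and passed on unchanged; how `sendMessage()` encodes it is not visible here.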
@@ -126,8 +126,8 @@ try {
 		$relayState = $_GET['RelayState'];
 	}
 	
-	//$request, $remoteentityid, $relayState = null, $endpoint = 'SingleSignOnUrl', $direction = 'SAMLRequest', $mode = 'SP'
-	$httpredirect->sendMessage($logoutResponseXML, $logoutrequest->getIssuer(), $relayState, 'SingleLogOutUrl', 'SAMLResponse', 'IdP');
+	//$request, $remoteentityid, $relayState = null, $endpoint = 'SingleLogoutService', $direction = 'SAMLRequest', $mode = 'SP'
+	$httpredirect->sendMessage($logoutResponseXML, $logoutrequest->getIssuer(), $relayState, 'SingleLogoutService', 'SAMLResponse', 'IdP');
 
 } catch(Exception $exception) {
 	
diff --git a/www/saml2/sp/SingleLogoutService.php b/www/saml2/sp/SingleLogoutService.php
index c31ebd546..22e84ad50 100644
--- a/www/saml2/sp/SingleLogoutService.php
+++ b/www/saml2/sp/SingleLogoutService.php
@@ -58,7 +58,7 @@ if (isset($_GET['SAMLRequest'])) {
 	$httpredirect = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
 	
 	// Send the Logout response using HTTP POST binding.
-	$httpredirect->sendMessage($logoutResponseXML, $requester, $logoutrequest->getRelayState(), 'SingleLogOutUrl', 'SAMLResponse');
+	$httpredirect->sendMessage($logoutResponseXML, $requester, $logoutrequest->getRelayState(), 'SingleLogoutService', 'SAMLResponse');
 
 } elseif(isset($_GET['SAMLResponse'])) {
 	
diff --git a/www/saml2/sp/initSLO.php b/www/saml2/sp/initSLO.php
index e3aae4e17..f2e4a8f05 100644
--- a/www/saml2/sp/initSLO.php
+++ b/www/saml2/sp/initSLO.php
@@ -36,8 +36,8 @@ if (isset($session) ) {
 			$relayState = $_GET['RelayState'];
 		}
 		
-		//$request, $remoteentityid, $relayState = null, $endpoint = 'SingleSignOnUrl', $direction = 'SAMLRequest', $mode = 'SP'
-		$httpredirect->sendMessage($req, $idpentityid, $relayState, 'SingleLogOutUrl', 'SAMLRequest', 'SP');
+		//$request, $remoteentityid, $relayState = null, $endpoint = 'SingleLogoutService', $direction = 'SAMLRequest', $mode = 'SP'
+		$httpredirect->sendMessage($req, $idpentityid, $relayState, 'SingleLogoutService', 'SAMLRequest', 'SP');
 
 	} catch(Exception $exception) {
 		
diff --git a/www/saml2/sp/metadata.php b/www/saml2/sp/metadata.php
index 722a12910..b560cd15c 100644
--- a/www/saml2/sp/metadata.php
+++ b/www/saml2/sp/metadata.php
@@ -19,8 +19,10 @@ try {
 	$spmeta = isset($_GET['spentityid']) ? $_GET['spentityid'] : $metadata->getMetaDataCurrent();
 	$spentityid = isset($_GET['spentityid']) ? $_GET['spentityid'] : $metadata->getMetaDataCurrentEntityID();
 	
+	/*
 	if (!$spmeta['assertionConsumerServiceURL']) throw new Exception('The following parameter is not set in your SAML 2.0 SP Hosted metadata: assertionConsumerServiceURL');
 	if (!$spmeta['SingleLogOutUrl']) throw new Exception('The following parameter is not set in your SAML 2.0 SP Hosted metadata: SingleLogOutUrl');
+	*/
 	
 	$metaxml = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 <EntityDescriptor entityID="' . $spentityid . '" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
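Review bot: The two sanity checks are commented out rather than deleted, and the values they guarded still come straight from the query string: `$spentityid` is `$_GET['spentityid']` when present and is concatenated into `entityID="..."` with no check that it names a configured hosted SP. With the form this commit adds to templates/metadata.php, that generated XML is what gets submitted to Feide, so a request carrying an arbitrary `spentityid` makes the page offer metadata for an entity ID that was never configured. Looking the ID up in the `saml20-sp-hosted` set and escaping it, e.g. `htmlspecialchars($spentityid)`, before building the XML would close that; note also that `$spmeta` becomes a plain string in the `$_GET` case. The `try` block continues outside the hunk.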
@@ -32,7 +34,7 @@ try {
 
 		<SingleLogoutService 
 			Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
-			Location="' . $spmeta['SingleLogOutUrl'] . '"/>
+			Location="' . $metadata->getGenerated('SingleLogoutService', 'saml20-sp-hosted') . '"/>
 		
 		<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
 		
@@ -40,17 +42,21 @@ try {
 			index="0" 
 			isDefault="true" 
 			Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
-			Location="' .  $spmeta['assertionConsumerServiceURL']  . '" />
+			Location="' . $metadata->getGenerated('AssertionConsumerService', 'saml20-sp-hosted') . '" />
 
 	</SPSSODescriptor>
 
 </EntityDescriptor>';
 	
+	$defaultidp = $config->getValue('default-saml20-idp');
 	
 	$et = new SimpleSAML_XHTML_Template($config, 'metadata.php');
 	
+
 	$et->data['header'] = 'SAML 2.0 SP Metadata';
 	$et->data['metadata'] = htmlentities($metaxml);
+	$et->data['feide'] = in_array($defaultidp, array('sam.feide.no', 'max.feide.no'));
+	$et->data['defaultidp'] = $defaultidp;
 	
 	$et->show();
 	
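Review bot: `$et->data['metadata']` holds the `htmlentities()` output, and the template added in this commit base64-encodes that same value for the form, so Feide would receive entity-escaped text rather than the XML itself; the raw `$metaxml` should be passed under its own key for the form and escaped only for display. `in_array()` is called without the strict flag, so a non-string `default-saml20-idp` value can match by loose comparison; `in_array($defaultidp, array('sam.feide.no', 'max.feide.no'), true)` avoids that. The `try` block starts and ends outside the hunk.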
-- 
GitLab