diff --git a/docs/README b/docs/README
index 5c950331844e82e6e13487c2002df04b1cd28d03..4403e304626fc6cce780a994a37ccb440cdd56d9 100644
--- a/docs/README
+++ b/docs/README
@@ -1,29 +1,17 @@
-README
+Updated: December 19th, 2007
-Installation instructions:
-==========================
+All you need to know to install and configure simpleSAMLphp is available at:
+http://rnd.feide.no/view/simplesamlphpdocs
-Store the simplesamlphp directory somewhere...
+simpleSAMLphp homepage:
+http://rnd.feide.no/simplesamlphp
-In there there is a www directory, it have to be accessible from web, on the root of a vhost. The www can be moved outside the simplesamlphp folder. You can in example drop the content of the www folder into your existing web site folder.
+simpleSAMLphp mailinglist (for support):
+http://rnd.feide.no/content/simplesamlphp-users-mailinglist
-IF you decide to move the www folder out of the simplesamlphp folder, then you need to update the www/_include.php file properly.
-Next, configure config.php:
-- set the path and hostnames.
-- Use sam.feide.no as default idp.
-- Set the default duration of a session to be in example 3 hours.
-
-
-Then, configure saml20-sp-hosted to match your SP metadata. Change dev.andreas.feide.no to your hostname. Contact feide to ensure that your meta data is added to the Feide IdP.
-
-Then configure the saml20-idp-remote to match Feide. If there exists an entry for sam.feide.no it is probably already there.
-
-Then test the /example-simple/saml2-example.php log in with the feide test user, and look at the attributes. then test sp initated logout.
-
-Look at the example code of how to integrate with a service.
-
-Contact Andreas for questions:
+To contact the author team:
 andreas@uninett.no
+(please use the mailinglist as often as possible for support questions and feature requests)
diff --git a/docs/html.css b/docs/html.css
deleted file mode 100755
index 22bb75d61b283c59b6db6092fa1e884442ea7907..0000000000000000000000000000000000000000
--- a/docs/html.css
+++ /dev/null
@@ -1,223 +0,0 @@
-/* General layout */
-
-body {
- background: #FFFFFF;
- margin: 1em;
- padding: 2px .3em .3em .3em;
- border: thin solid #eee;
-}
-
-body > div.article, body > div.section {
- margin: 1em;
-}
-div {
- margin: 0; padding: 0;
-}
-div.literallayout {
- font-family: "Monaco" monospace;
- border-bottom: 1px solid #ccc;
- border-left: 1px solid #ccc;
- padding-left: 1em;
-}
-.application {
- color: #030;
- font-weight: bold;
-}
-
-h1, h2, h3, h4, h5 {
- color: #800000;
- font-family: sans-serif;
-}
-h1 {
- margin: .3em 0px 0px 2px;
-}
-h2, h3 {
- margin: 2em 0px 0px 2px;
-}
-div.figure p.title {
- text-align: center;
-}
-
-div.note {
- background-color: #FF9;
- background-image: url('icons/note.png');
- background-repeat: no-repeat;
-
- border: thin solid #444;
- padding: .2em .2em .2em 60px;
- margin: 0px ! important;
-}
-div.note .title {
- color: #444; margin: 0.1em;
-}
-
-div.example {
- background-color: #9cb;
- background-image: url('icons/example.png');
- background-repeat: no-repeat;
-
- border: thin solid #444;
- padding: .2em .2em .2em 60px;
- margin: 0px ! important;
-}
-div.example .title {
- color: #444; margin: 0.1em;
-}
-
-div.tip {
- background-color: #FC0;
- background-image: url('icons/tip.png');
- background-repeat: no-repeat;
-
- border: thin solid #444;
- padding: .2em .2em .2em 60px;
- margin: 0px ! important;
-}
-div.tip .title {
- color: #444; margin: 0.1em;
-}
-
-
-div.important {
- background-color: #FF3;
- background-image: url('icons/important.png');
- background-repeat: no-repeat;
-
- border: thin solid #444;
- padding: .2em .2em .2em 60px;
- margin: 0px ! important;
-}
-div.important .title {
- color: #444; margin: 0.1em;
-}
-
-div.warning {
- background-color: #C90;
- background-image: url('icons/warning.png');
- background-repeat: no-repeat;
-
- border: thin solid #444;
- padding: .2em .2em .2em 60px;
- margin: 0px ! important;
-}
-div.warning .title {
- color: #444; margin: 0.1em;
-}
-
-
-div.caution {
- background-color: #3C9;
- background-image: url('icons/caution.png');
- background-repeat: no-repeat;
-
- border: thin solid #444;
- padding: .2em .2em .2em 60px;
- margin: 0px ! important;
-}
-div.caution .title {
- color: #444; margin: 0.1em;
-}
-
-
-
-
-
-div.sidebar {
- background: #F0F0F0;
- border: 1px solid gray;
- padding: 5px;
- margin: 20px;
-}
-
-div.table {
-}
-
-div.table table td,div.table table th {
- padding: .1em .1em .1em 1em;
- border-top: thin solid #ccc;
- border-left: thin solid #ccc;
-
-}
-div.table table th {
- border-bottom: 2px solid #999;
-}
-div.table table {
- width: 90%;
- border: 2px solid #333;
- border-collapse: collapse;
-}
-img {
- max-width: 90%;
- margin-bottom: 1em;
-}
-
-.navheader > table, .navfooter > table {
- font-family: sans-serif;
- background: #eee;
-}
-.navheader > table {
- border-bottom: thin solid #666;
-}
-.navfooter table {
- position: fixed;
- height: 3em;
- bottom: 0px;
- border-top: thin solid #666;
-}
-hr {
- display: none;
-}
-
-.navfooter hr {
- display: block;
- visibility: hidden;
- height: 3em;
-}
-a {
- color: #020;
-}
-a:hover {
- color: #060;
-}
-
-/* Layout bound to specific docbook tags */
-span.term {
- font-weight: bold;
-}
-span.strong {
- font-weight: bold;
-}
-
-
-pre.programlisting {
- background: #F0e0e0;
- border: 1px solid #666;
- color: #300;
- padding: 2px;
- font-size: 10pt;
- white-space: pre;
-}
-pre.screen {
- background: #F0F0F0;
- border: 1px solid gray;
- padding: 2px;
- font-size: 10pt;
- white-space: pre;
-}
-
-tt.filename {
- font-weight: bold;
- color: #600;
-}
-
-
-
-dl dt {
- color: #060;
- font-weight: bold;
-}
-dl dl dt {
- font-weight: normal;
-}
-
-
diff --git a/docs/icons/caution.png b/docs/icons/caution.png
deleted file mode 100755
index e3897db8771158c562faec8dfa675633ba677007..0000000000000000000000000000000000000000
Binary files a/docs/icons/caution.png and /dev/null differ
diff --git a/docs/icons/example.png b/docs/icons/example.png
deleted file mode 100755
index 2e68475feb328759e494c3badc4b65cd3e364d57..0000000000000000000000000000000000000000
Binary files a/docs/icons/example.png and /dev/null differ
diff --git a/docs/icons/home.png b/docs/icons/home.png
deleted file mode 100755
index 17003611d9df2b066afc682cbde962f3a575002d..0000000000000000000000000000000000000000
Binary files a/docs/icons/home.png and /dev/null differ
diff --git a/docs/icons/important.png b/docs/icons/important.png
deleted file mode 100755
index 2e1a2a3646189a9d424282765234187f63dbbc26..0000000000000000000000000000000000000000
Binary files a/docs/icons/important.png and /dev/null differ
diff --git a/docs/icons/next.png b/docs/icons/next.png
deleted file mode 100755
index 92832e3a4566e59d6e4092010e08d28f3be3a68d..0000000000000000000000000000000000000000
Binary files a/docs/icons/next.png and /dev/null differ
diff --git a/docs/icons/note.png b/docs/icons/note.png
deleted file mode 100755
index df1e0a9265dc6ce7602d3da91195b2a84d278e01..0000000000000000000000000000000000000000
Binary files a/docs/icons/note.png and /dev/null differ
diff --git a/docs/icons/prev.png b/docs/icons/prev.png
deleted file mode 100755
index 2d05b3d5b4aeec9384bbfe404bfc4ed0897051c4..0000000000000000000000000000000000000000
Binary files a/docs/icons/prev.png and /dev/null differ
diff --git a/docs/icons/tip.png b/docs/icons/tip.png
deleted file mode 100755
index 33aa88b5efa86b5023277cd229062893d3cc5403..0000000000000000000000000000000000000000
Binary files a/docs/icons/tip.png and /dev/null differ
diff --git a/docs/icons/up.png b/docs/icons/up.png
deleted file mode 100755
index 85b3e2a2755fece72d0d09fbf1cf28d51fa71077..0000000000000000000000000000000000000000
Binary files a/docs/icons/up.png and /dev/null differ
diff --git a/docs/icons/warning.png b/docs/icons/warning.png
deleted file mode 100755
index 3c8a37df51861ef31171987ef06c59fffa044f61..0000000000000000000000000000000000000000
Binary files a/docs/icons/warning.png and /dev/null differ
diff --git a/docs/simplesamlphp-bridge.html b/docs/simplesamlphp-bridge.html
deleted file mode 100644
index aeb3faf9ccfc948cddd14c2e47ac324ccf78f794..0000000000000000000000000000000000000000
--- a/docs/simplesamlphp-bridge.html
+++ /dev/null
@@ -1,15 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Using simpleSAMLphp as a SAML bridge</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721994"></a>Using simpleSAMLphp as a SAML bridge</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Åkre</span> <span class="surname">Solberg</span></h3><code class="email"><<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>></code></div></div><div><p class="pubdate">Sun Oct 21 13:48:37 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856632">Setting up WebSSO bridges</a></span></dt><dd><dl><dt><span class="section"><a href="#id856643">Bridging SAML 2.0 <-> SAML 2.0</a></span></dt><dt><span class="section"><a href="#id856690">Bridging Shibboleth 1.3 <-> Shibboleth 1.3</a></span></dt><dt><span class="section"><a href="#id856701">Bridging Shibboleth 1.3 <-> SAML 2.0</a></span></dt><dt><span class="section"><a href="#id856712">Bridging SAML 2.0 <-> Shibboleth 1.3</a></span></dt><dt><span class="section"><a href="#id856721">Bridging SAML 2.0 <-> OpenID</a></span></dt><dt><span class="section"><a href="#id856731">Bridging Shibboelth 1.3 <-> OpenID</a></span></dt></dl></dd><dt><span class="section"><a href="#id856743">Support</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856632"></a>Setting up WebSSO bridges</h2></div></div></div><p>simpleSAMLphp can be used to bridge between two WebSSO protocols.
- Here is some short descriptions of how to setup the different bridge
- configurations.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856643"></a>Bridging SAML 2.0 <-> SAML 2.0</h3></div></div></div><p>In this setup you can bridge between two federations using SAML
- 2.0.</p><p>To approach this, you must configure both saml 2.0 IdP and SP
- hosted metadata, and in the IdP hosted metadata configure the auth
- parameter to be the SP initialization endpoint, like this:</p><pre class="screen"> 'auth' => 'saml2/sp/initSSO.php?idpentityid=sam.feide.no'</pre><p>As you can see you specify the IdP in the remote federation as a
- parameter to the initalization endpoint.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This section of the documentation is only a placeholder. There
- will be more detailed information added later. For now, ask the author
- if you want more details of such a setup.</p><p>Briding SAML 2.0 SLO is not implemented. Will be improved
- soon.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856690"></a>Bridging Shibboleth 1.3 <-> Shibboleth 1.3</h3></div></div></div><p>Documentation will be added.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856701"></a>Bridging Shibboleth 1.3 <-> SAML 2.0</h3></div></div></div><p>Documentation will be added.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856712"></a>Bridging SAML 2.0 <-> Shibboleth 1.3</h3></div></div></div><p>Documentation will be added.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856721"></a>Bridging SAML 2.0 <-> OpenID</h3></div></div></div><p>Documentation will be added.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856731"></a>Bridging Shibboelth 1.3 <-> OpenID</h3></div></div></div><p>Documentation will be added.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856743"></a>Support</h2></div></div></div><p>If you have problems to get this work, or want to discuss
- simpleSAMLphp with other users of the software you are lucky! Around
- simpleSAMLphp there is a great Open source community, and you are welcome
- to join! Both for asking question, answer other questions, request
- improvements or contribute with code or plugins of your own.</p><p>Visit the project page of simpleSAMLphp at: <a href="http://code.google.com/p/simplesamlphp/" target="_top">http://code.google.com/p/simplesamlphp/</a></p><p>And please join the mailinglist: <a href="???" target="_top">https://postlister.uninett.no/sympa/subscribe/simplesaml</a></p></div></div></body></html>
diff --git a/docs/simplesamlphp-googleapps.html b/docs/simplesamlphp-googleapps.html
deleted file mode 100644
index 6c1520ba96a50ac36d4818977eddd70825d802e0..0000000000000000000000000000000000000000
--- a/docs/simplesamlphp-googleapps.html
+++ /dev/null
@@ -1,123 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Setting up a simpleSAMLphp SAML 2.0 IdP to use with Google Apps for - Education</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721994"></a>Setting up a simpleSAMLphp SAML 2.0 IdP to use with Google Apps for - Education</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Åkre</span> <span class="surname">Solberg</span></h3><code class="email"><<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>></code></div></div><div><p class="pubdate">Sun Oct 21 13:51:26 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856634">Introduction</a></span></dt><dt><span class="section"><a href="#id856660">Setting up a SSL signing certificate</a></span></dt><dt><span class="section"><a href="#sect.authmodule">Authentication modules</a></span></dt><dd><dl><dt><span class="section"><a href="#id856829">Configuring the LDAP authentication module</a></span></dt><dt><span class="section"><a href="#id856898">Configuring the multi-LDAP authenticaiton module</a></span></dt></dl></dd><dt><span class="section"><a href="#id856923">Configuring metadata for an SAML 2.0 IdP</a></span></dt><dd><dl><dt><span class="section"><a href="#id856944">Configuring SAML 2.0 IdP Hosted metadata</a></span></dt><dt><span class="section"><a href="#id857092">Configuring SAML 2.0 SP Remote metadata</a></span></dt></dl></dd><dt><span class="section"><a href="#id857145">Configure Google Apps for 
education</a></span></dt><dd><dl><dt><span class="section"><a href="#id857301">Add a user in Google Apps that is also in the IdP</a></span></dt></dl></dd><dt><span class="section"><a href="#id857317">Test to login to Google Apps for education</a></span></dt><dt><span class="section"><a href="#id857341">Security Considerations</a></span></dt><dt><span class="section"><a href="#id857358">Support</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856634"></a>Introduction</h2></div></div></div><p>This article assumes that you have already read the simpleSAMLphp - installation manual, and installed a version of simpleSAMLphp at your - server.</p><p>In this example we will setup this server as an IdP for Google Apps - for Education:</p><div class="literallayout"><p>dev2.andreas.feide.no</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856660"></a>Setting up a SSL signing certificate</h2></div></div></div><p>For test purposes, you can skip this section, and use the included - certificate.</p><p>For a production system, uou must generate a new certificate for - your IdP.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>There is a certificate that follows this package that you can use - for test purposes, but off course <span class="emphasis"><em>NEVER</em></span> use this in - production as the private key is also included in the package and can be - downloaded by anyone.</p></div><p>Here is an examples of openssl commands to generate a new key and a - selfsigned certificate to use for signing SAML messages:</p><pre class="screen">openssl genrsa -des3 -out googleappsidp.key 1024 -openssl rsa -in googleappsidp.key -out googleappsidp.pem -openssl req -new -key googleappsidp.key -out googleappsidp.csr -openssl x509 -req -days 1095 
-in googleappsidp.csr -signkey googleappsidp.key -out googleappsidp.crt</pre><p>The certificate above will be valid for 1095 days (3 years).</p><p>Here is an example of what can be typed in when creating a - certificate request:</p><pre class="screen">Country Name (2 letter code) [AU]:NO -State or Province Name (full name) [Some-State]:Trondheim -Locality Name (eg, city) []:Trondheim -Organization Name (eg, company) [Internet Widgits Pty Ltd]:UNINETT -Organizational Unit Name (eg, section) []: -Common Name (eg, YOUR name) []:dev2.andreas.feide.no -Email Address []: - -Please enter the following 'extra' attributes -to be sent with your certificate request -A challenge password []: -An optional company name []:</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>simpleSAMLphp will only work with RSA and not DSA - certificates.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="sect.authmodule"></a>Authentication modules</h2></div></div></div><p>You will need to connect the IdP to your existing user storage. For - different technologies of user storage, there are different authentication - modules.</p><p>In the <code class="filename">www/auth</code> directory, you see multiple - files, each representing an authentication module. In the IdP hosted - metadata configuration you specify which authentication module that should - be used for that specific IdP. 
You can implement your own authentication - module, see the IdP documentation.</p><p>These authentication modules are included:</p><div class="glosslist"><dl><dt>auth/login.php</dt><dd><p>This is the standard LDAP backend authentication module, it - uses LDAP configuration from the config.php file.</p></dd><dt>auth/login-ldapmulti.php</dt><dd><p>This authentication module lets you connect to multiple LDAPS - depending on what organization the user selects in the login - form.</p></dd><dt>auth/login-radius.php</dt><dd><p>This authentication module will authenticate users against an - RADIUS server instead of LDAP.</p></dd><dt>auth/login-auto.php</dt><dd><p>This module will automatically login the user with some test - details. You can use this to test the IdP functionality if you do - not have</p><p>This module is not completed yet. Work in progress.</p></dd></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856829"></a>Configuring the LDAP authentication module</h3></div></div></div><p>The LDAP module is <code class="filename">auth/login.php</code>.</p><p>If you want to perform local authentication on this server, and - you want to use the LDAP authenticaiton plugin, then you need to - configure the following parameters in - <code class="filename">config.php</code>:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">auth.ldap.dnpattern</code>: What DN should you - bind to? Replacing %username% with the username the user types - in.</p></li><li><p><code class="literal">auth.ldap.hostname</code>: The hostname of the - LDAP server</p></li><li><p><code class="literal">auth.ldap.attributes</code>: Search parameter to - LDAP. What attributes should be extracted? 
- <code class="literal">objectclass=*</code> gives you all.</p></li></ul></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856898"></a>Configuring the multi-LDAP authenticaiton module</h3></div></div></div><p>The module is - <code class="filename">auth/login-ldapmulti.php</code>.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Documentation will be added later. For now, contact the - author.</p></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856923"></a>Configuring metadata for an SAML 2.0 IdP</h2></div></div></div><p>If you want to setup a SAML 2.0 IdP for Google Apps, you need to - configure two metadata files: <code class="filename">saml20-idp-hosted.php</code> - and <code class="filename">saml20-sp-remote.php</code>.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856944"></a>Configuring SAML 2.0 IdP Hosted metadata</h3></div></div></div><p>This is the configuration of the IdP itself. Here is some example - config:</p><pre class="programlisting"> // The SAML entity ID is the index of this config. - 'dev2.andreas.feide.no' => array( - - // The hostname of the server (VHOST) that this SAML entity will use. - 'host' => 'sp.example.org', - - // X.509 key and certificate. Relative to the cert directory. - 'privatekey' => 'googleappsidp.pem', - 'certificate' => 'googleappsidp.crt', - - /* If base64attributes is set to true, then all attributes will be base64 encoded. Make sure - * that you set the SP to have the same value for this. - */ - 'base64attributes' => false, - - // Authentication plugin to use. login.php is the default one that uses LDAP. 
- 'auth' => 'auth/login.php' - )</pre><p>Here are some details of each of the parameters:</p><div class="glosslist"><dl><dt>index (index of array)</dt><dd><p>The entity ID of the IdP. In this example this value is set - to: <code class="literal">dev2.andreas.feide.no</code>.</p></dd><dt>host</dt><dd><p>The hostname of the server running this IdP, in this case: - <code class="literal">dev2.andreas.feide.no</code>.</p></dd><dt>privatekey</dt><dd><p>Pointing to the private key in PEM format, in the certs - directory. Remeber we created the <code class="literal">googleappsidp</code> - key?</p></dd><dt>certificate</dt><dd><p>Pointing to the certificate file in PEM format, in the certs - directory. Remeber we created the <code class="literal">googleappsidp</code> - key?</p></dd><dt>base64attributes</dt><dd><p>Google Apps do not want us to base64encode any attributes, - so we set it to <code class="literal">false</code>.</p></dd><dt>auth</dt><dd><p>Which authentication module to use? Default is: - <code class="filename">auth/login.php</code> which is the LDAP - authentication module. See the <a href="#sect.authmodule" title="Authentication modules">the section called “Authentication modules”</a> - for more information on the authentication modules.</p></dd></dl></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857092"></a>Configuring SAML 2.0 SP Remote metadata</h3></div></div></div><p>In the (saml20-sp-remote.php) file we will configure an entry for - Google Apps for education. There is already an entry for Google Apps in - the template, but we will change the domain name:</p><pre class="programlisting"> /* - * This example shows an example config that works with Google Apps for education. - * What is important is that you have an attribute in your IdP that maps to the local part of the email address - * at Google Apps. 
In example, if your google account is foo.com, and you have a user that has an email john@foo.com, then you - * must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the value of 'john'. - */ - 'google.com' => array( - 'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs', - 'spNameQualifier' => 'google.com', - 'ForceAuthn' => 'false', - 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email', - 'simplesaml.nameidattribute' => 'uid', - 'simplesaml.attributes' => false - ),</pre><p>You also need to map some attribute from the IdP into the email - field sent to Google Apps. The attributes comes from the authentication - module, and in this example we have an LDAP that returns the uid - attribute. The uid attribute contains the local part of </p><p>What you need to do is modify the - <code class="literal">AssertionConsumerService</code> to include your Google Apps - domain name instead of <code class="literal">g.feide.no</code>.</p><p>To understand what the different parameters mean, see in the - <a href="simplesamlphp-idp.html" target="_top">simpleSAMLphp IdP - documentation</a>.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857145"></a>Configure Google Apps for education</h2></div></div></div><p>Now, we are ready to configure Google Apps to use our IdP. We start - by logging in to our Google Apps for education account panel. We then go - to "Advanced tools":</p><div class="figure"><a id="id857158"></a><p class="title"><b>Figure 1. We go to advanced tools</b></p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-googleapps/googleapps-menu.png" alt="We go to advanced tools" /></div></div></div><p>Then we go to "Set up single sign-on (SSO)":</p><div class="figure"><a id="id857185"></a><p class="title"><b>Figure 2. 
We go to setup SSO</b></p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-googleapps/googleapps-sso.png" alt="We go to setup SSO" /></div></div></div><p>Then, we start off by uploading a certificate, and we upload the - certificate we created in an earlier section, the googleappsidp.crt file: - </p><div class="figure"><a id="id857213"></a><p class="title"><b>Figure 3. Uploading certificate</b></p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-googleapps/googleapps-cert.png" alt="Uploading certificate" /></div></div></div><p>Then we need to fill out the remaining fields:</p><p>The important field to fill out is the Sign-in page URL. Set it to - something similar to:</p><div class="literallayout"><p>http://dev2.andreas.feide.no/simplesaml/saml2/idp/SSOService.php</p></div><p>but use the hostname of your IdP server.</p><p>The Sign-out page or change password url can be static pages on your - server.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Single Logout functionality with SAML 2.0 in simpleSAMlphp and - Google Apps is not yet fully tested. We will do more testing about that, - and then include a detailed descrition in this document.</p></div><p>The network mask, is which IP addresses that will be asked for SSO - login. IP addresses that do not match this mask will be presented with the - normal Google Apps login page.</p><div class="figure"><a id="id857278"></a><p class="title"><b>Figure 4. 
Fill out the remaining fields</b></p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-googleapps/googleapps-ssoconfig.png" alt="Fill out the remaining fields" /></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857301"></a>Add a user in Google Apps that is also in the IdP</h3></div></div></div><p>Add a new user in Google Apps, before we can test login. This user - needs to have the mail field to match the email prefix mapped from the - attribute as described in the metadata section.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857317"></a>Test to login to Google Apps for education</h2></div></div></div><p>Go to the URL of your mail account for this domain, the URL is - similar to the following:</p><div class="literallayout"><p>http://mail.google.com/a/yourgoogleappsdomain.com</p></div><p>but remember to replace with your own google apps domain - name.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857341"></a>Security Considerations</h2></div></div></div><p>You should make sure that your IdP server runs on HTTPS (SSL). Check - the Apache documentation if you need to know how to configure that.</p><p>And make sure you have switched away from the default certificate - that follows the simpleSAMLphp distribution.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857358"></a>Support</h2></div></div></div><p>If you have problems to get this work, or want to discuss - simpleSAMLphp with other users of the software you are lucky! Around - simpleSAMLphp there is a great Open source community, and you are welcome - to join! 
Both for asking question, answer other questions, request - improvements or contribute with code or plugins of your own.</p><p>Visit the project page of simpleSAMLphp at: <a href="http://code.google.com/p/simplesamlphp/" target="_top">http://code.google.com/p/simplesamlphp/</a></p><p>And please join the mailinglist: <a href="???" target="_top">https://postlister.uninett.no/sympa/subscribe/simplesaml</a></p></div></div></body></html> diff --git a/docs/simplesamlphp-idp.html b/docs/simplesamlphp-idp.html deleted file mode 100644 index 7abad21e815a1cafb3ec8c3a122f1780dcb5e75b..0000000000000000000000000000000000000000 --- a/docs/simplesamlphp-idp.html +++ /dev/null 
@@ -1,107 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Using simpleSAMLphp as an identity provider</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721993"></a>Using simpleSAMLphp as an identity provider</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Åkre</span> <span class="surname">Solberg</span></h3><code class="email"><<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>></code></div></div><div><p class="pubdate">Sun Oct 21 13:49:41 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856631">Authentication modules</a></span></dt><dd><dl><dt><span class="section"><a href="#id856727">Configuring the LDAP authentication module</a></span></dt><dt><span class="section"><a href="#id856794">Configuring the multi-LDAP authenticaiton module</a></span></dt></dl></dd><dt><span class="section"><a href="#id856819">Setting up a SSL signing certificate</a></span></dt><dt><span class="section"><a href="#id856875">Configuring metadata for an SAML 2.0 IdP</a></span></dt><dd><dl><dt><span class="section"><a href="#id856896">Configuring SAML 2.0 IdP Hosted metadata</a></span></dt><dt><span class="section"><a href="#id857020">Configuring SAML 2.0 SP Remote metadata</a></span></dt></dl></dd><dt><span class="section"><a href="#id857152">Configuring metadata for a Shibboleth 1.3 IdP</a></span></dt><dt><span class="section"><a href="#id857176">Test IdP</a></span></dt><dt><span class="section"><a href="#id857198">Support</a></span></dt><dt><span 
class="appendix"><a href="#id857232">A. Writing your own authentication module</a></span></dt><dd><dl><dt><span class="section"><a href="#id857258">Authentication API</a></span></dt></dl></dd></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856631"></a>Authentication modules</h2></div></div></div><p>In the <code class="filename">www/auth</code> directory, you see multiple - files, each representing an authentication module. In the IdP hosted - metadata configuration you specify which authentication module that should - be used for that specific IdP. You can implement your own authentication - module, see ???.</p><p>These authentication modules are included:</p><div class="glosslist"><dl><dt>auth/login.php</dt><dd><p>This is the standard LDAP backend authentication module, it - uses LDAP configuration from the config.php file.</p></dd><dt>auth/login-ldapmulti.php</dt><dd><p>This authentication module lets you connect to multiple LDAPS - depending on what organization the user selects in the login - form.</p></dd><dt>auth/login-radius.php</dt><dd><p>This authentication module will authenticate users against an - RADIUS server instead of LDAP.</p></dd><dt>auth/login-auto.php</dt><dd><p>This module will automatically login the user with some test - details. You can use this to test the IdP functionality if you do - not have</p><p>This module is not completed yet. 
Work in progress.</p></dd></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856727"></a>Configuring the LDAP authentication module</h3></div></div></div><p>The LDAP module is <code class="filename">auth/login.php</code>.</p><p>If you want to perform local authentication on this server, and - you want to use the LDAP authenticaiton plugin, then you need to - configure the following parameters in - <code class="filename">config.php</code>:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">auth.ldap.dnpattern</code>: What DN should you - bind to? Replacing %username% with the username the user types - in.</p></li><li><p><code class="literal">auth.ldap.hostname</code>: The hostname of the - LDAP server</p></li><li><p><code class="literal">auth.ldap.attributes</code>: Search parameter to - LDAP. What attributes should be extracted? - <code class="literal">objectclass=*</code> gives you all.</p></li></ul></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856794"></a>Configuring the multi-LDAP authenticaiton module</h3></div></div></div><p>The module is - <code class="filename">auth/login-ldapmulti.php</code>.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Documentation will be added later. 
For now, contact the - author.</p></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856819"></a>Setting up a SSL signing certificate</h2></div></div></div><p>For test purposes, you can skip this section, and use the included - certificate.</p><p>For a production system, uou must generate a new certificate for - your IdP.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>There is a certificate that follows this package that you can use - for test purposes, but off course <span class="emphasis"><em>NEVER</em></span> use this in - production as the private key is also included in the package and can be - downloaded by anyone.</p></div><p>Here is an examples of openssl commands to generate a new key and a - selfsigned certificate to use for signing SAML messages:</p><pre class="screen">openssl genrsa -des3 -out server2.key 1024 -openssl rsa -in server2.key -out server2.pem -openssl req -new -key server.key -out server2.csr -openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt</pre><p>The certificate above will be valid for 60 days.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>simpleSAMLphp will only work with RSA and not DSA - certificates.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856875"></a>Configuring metadata for an SAML 2.0 IdP</h2></div></div></div><p>If you want to setup a SAML 2.0 IdP you need to configure two - metadata files: <code class="filename">saml20-idp-hosted.php</code> and - <code class="filename">saml20-sp-remote.php</code>.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856896"></a>Configuring SAML 2.0 IdP Hosted metadata</h3></div></div></div><p>This is the 
configuration of the IdP itself. Here is some example - config:</p><pre class="programlisting"> // The SAML entity ID is the index of this config. - 'idp.example.org' => array( - - // The hostname of the server (VHOST) that this SAML entity will use. - 'host' => 'sp.example.org', - - // X.509 key and certificate. Relative to the cert directory. - 'privatekey' => 'server.pem', - 'certificate' => 'server.crt', - - /* If base64attributes is set to true, then all attributes will be base64 encoded. Make sure - * that you set the SP to have the same value for this. - */ - 'base64attributes' => false, - - // Authentication plugin to use. login.php is the default one that uses LDAP. - 'auth' => 'auth/login.php' - )</pre><p>Here are some details of each of the parameters:</p><div class="glosslist"><dl><dt>index (index of array)</dt><dd><p>The entity ID of the IdP. In this example this value is set - to: <code class="literal">idp.example.org</code>.</p></dd><dt>host</dt><dd><p>The hostname of the server running this IdP.</p></dd><dt>privatekey</dt><dd><p>Pointing to the private key in PEM format, in the certs - directory.</p></dd><dt>certificate</dt><dd><p>Pointing to the certificate file in PEM format, in the certs - directory.</p></dd><dt>base64attributes</dt><dd><p>Do you want to encode all attributes in base64? If so, - remember to turn on the same option on the SP.</p></dd><dt>auth</dt><dd><p>Which authentication module to use? Default is: - <code class="filename">auth/login.php</code> which is the LDAP - authentication module.</p></dd></dl></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857020"></a>Configuring SAML 2.0 SP Remote metadata</h3></div></div></div><p>Here (saml20-sp-remote.php) you configure all SPs that you trust. 
- Here is an example:</p><pre class="programlisting"> /* - * Example simpleSAMLphp SAML 2.0 SP - */ - 'saml2sp.example.org' => array( - 'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/saml2/sp/AssertionConsumerService.php', - 'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/saml2/sp/SingleLogoutService.php', - 'spNameQualifier' => 'dev.andreas.feide.no', - 'ForceAuthn' => 'false', - 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient', - 'simplesaml.attributes' => true - ),</pre><p>Here are some details about each of the parameters:;</p><div class="glosslist"><dl><dt>index (index of array)</dt><dd><p>The entity ID of the given SP. Here it is: - <code class="literal">saml2sp.example.org</code>.</p></dd><dt>AssertionConsumerService</dt><dd><p>The URL of this SAML 2.0 endpoint. Ask the SP if you are - unsure. If the SP sent you SAML 2.0 metadata, you can find the - parameter in there.</p></dd><dt>SingleLogoutService</dt><dd><p>The URL of this SAML 2.0 endpoint. Ask the SP if you are - unsure. If the SP sent you SAML 2.0 metadata, you can find the - parameter in there.</p></dd><dt>spNameQualifier</dt><dd><p>The SP NameQualifier for this SP. If unsure, set it to the - same as the entityID.</p></dd><dt>ForceAuthn</dt><dd><p>This basicly means you turn off SSO for this SP.</p></dd><dt>NameIDFormat</dt><dd><p>Set it to the default: transient.</p></dd><dt>simplesaml.attributes</dt><dd><p>Set to true to include attribtues, if not no attribute - statements will be sent.</p></dd></dl></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857152"></a>Configuring metadata for a Shibboleth 1.3 IdP</h2></div></div></div><p>You need to configure the <code class="filename">shib13-idp-hosted.php</code> - metadata, as well as the list of trusted SPs in the - <code class="filename">shib13-sp-remote-php</code> metadata. 
This configuration is - very similar to the SAML 2.0 metadata mentioned in the previous section, - so go look there for now.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857176"></a>Test IdP</h2></div></div></div><p>To test the IdP, it is best to configure two hosts with - simpleSAMLphp, and use the SP demo example to test the IdP.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>To make the initial test up and running with minimal hassle, use - the login-auto if you do not want to setup a user storage, and use the - included cert so you do not need to create a new certificate.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857198"></a>Support</h2></div></div></div><p>If you have problems to get this work, or want to discuss - simpleSAMLphp with other users of the software you are lucky! Around - simpleSAMLphp there is a great Open source community, and you are welcome - to join! Both for asking question, answer other questions, request - improvements or contribute with code or plugins of your own.</p><p>Visit the project page of simpleSAMLphp at: <a href="http://code.google.com/p/simplesamlphp/" target="_top">http://code.google.com/p/simplesamlphp/</a></p><p>And please join the mailinglist: <a href="???" target="_top">https://postlister.uninett.no/sympa/subscribe/simplesaml</a></p></div><div class="appendix" lang="en" xml:lang="en"><h2 class="title" style="clear: both"><a id="id857232"></a>A. Writing your own authentication module</h2><p>You can write your own authentication module. Just copy one of the - files in the www/auth directory and play with it, then configure an IdP to - use that module with the auth parameter in the metadata. 
The file must - support incoming URL parameters, massage the session object with login - state information and return to the RelayState, and that is all you need - to do!</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>Instead of changing the code of the builtin authentication module, - copy it into a new file and edit that. That way, your module will not be - replaced or in conflict when you upgrade simpleSAMLphp to a newer - version.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857258"></a>Authentication API</h3></div></div></div><p>The authentication plugin should be placed in the auth - directory.</p><p>The following parameters must be accepted in the incomming - URL:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">RelayState</code>: This is the URL that the user - should be sent back to after authentication within the - plugin.</p></li><li><p><code class="literal">RequestID</code>: This is the ID of an incomming - request.</p></li></ul></div><p>The initSSO.php takes in addition the following parameters:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">idpentityid</code>: This is the entityid of the - IdP to authenticate with. This parameter is optional, if not set the - default for this host will be used.</p></li><li><p><code class="literal">spentityid</code>: This is which SP config to use. - This parameter is optional, if not set the default for this host - will be used.</p></li></ul></div><p>In hosted IdP metadata there is a config parameter auth that will - tell simpleSAML which authentication plugin that can be used.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>The authentication API is pretty basic. 
The easiest way to - understand how it works is to look at one of the existing plugins that - is located in the auth directory of your installation.</p></div></div></div></div></body></html>
diff --git a/docs/simplesamlphp-install.html b/docs/simplesamlphp-install.html
deleted file mode 100644
index d9409e3ada1a563ee5aa1af32ffc024f13b8d911..0000000000000000000000000000000000000000
--- a/docs/simplesamlphp-install.html
+++ /dev/null
@@ -1,92 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>simpleSAMLphp Installation and Configuration</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721994"></a>simpleSAMLphp Installation and Configuration</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Åkre</span> <span class="surname">Solberg</span></h3><code class="email"><<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>></code></div></div><div><p class="pubdate">Sun Oct 21 11:56:20 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856632">The history of simpleSAMLphp</a></span></dt><dd><dl><dt><span class="section"><a href="#id856684">Contributors</a></span></dt></dl></dd><dt><span class="section"><a href="#id856714">Changelog</a></span></dt><dd><dl><dt><span class="section"><a href="#id856725">Version 0.5</a></span></dt><dt><span class="section"><a href="#id856847">Version 0.4</a></span></dt></dl></dd><dt><span class="section"><a href="#id856961">News about simpleSAMLphp</a></span></dt><dt><span class="section"><a href="#id856990">Download and install simpleSAMLphp</a></span></dt><dd><dl><dt><span class="section"><a href="#id857010">Getting a working copy of simpleSAMLphp from subversion</a></span></dt></dl></dd><dt><span class="section"><a href="#id857049">Making configuration and metadata files</a></span></dt><dt><span class="section"><a href="#id857078">Configuring apache</a></span></dt><dt><span class="section"><a href="#id857177">The simpleSAMLphp installation 
webpage</a></span></dt><dt><span class="section"><a href="#id857241">Next steps</a></span></dt><dt><span class="appendix"><a href="#sect.altlocations">A. Installing simpleSAMLphp in alternative locations</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856632"></a>The history of simpleSAMLphp</h2></div></div></div><p>simpleSAMLphp is an iteration of what was earlier referred to as - lightbulb (<a href="https://opensso.dev.java.net/public/extensions/" target="_top">Sun OpenSSO - Extensions</a>), written by <a href="http://blogs.sun.com/superpat/" target="_top">Pat Patterson, Sun</a>. There are - not much code left from lightbulb, but credits go to Pat for introducing a - new way of thinking when it comes to implementing federation protocols in - a simple and elegant way.</p><p>The simpleSAMLphp project is currently led by <a href="http://claimid.com/erlang" target="_top">Andreas Åkre Solberg</a>, <a href="http://uninett.no" target="_top">UNINETT</a>.</p><p>The product is used to bridge AAI protocols in the GÉANT project, - <a href="http://geant2.net" target="_top">http://geant2.net</a>.</p><p>We have received a bunch of external contributions.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856684"></a>Contributors</h3></div></div></div><p>Thank you very much for your contributions to - simpleSAMLphp:</p><div class="itemizedlist"><ul type="disc"><li><p>Lukas Hammerle, SWITCH, Switzerland</p></li><li><p>Stefan Winter, Restena, Luxemborg</p></li></ul></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856714"></a>Changelog</h2></div></div></div><p>Here is changes between simpleSAML versions. 
Look here if you are - upgrading, to see if there are any changes to the config format.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856725"></a>Version 0.5</h3></div></div></div><p>Released 2007-10-15. Revision 28.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Both <code class="filename">config.php</code> and metadata format is - changed. Look at the templates to understand the new format.</p></div><div class="itemizedlist"><ul type="disc"><li><p>Documentation is updated!</p></li><li><p>Metadata files have been more tidy. Removed unused entries. - Look at the new templates on how to change your existing - metadata.</p></li><li><p>Support for sending metadata on mail to Feide. Automatically - detecting if you have configured Feide as the default IdP.</p></li><li><p>Improved SAML 2.0 Metadata generation</p></li><li><p>Added support for Shibboleth 1.3 IdP functionality (beta, - contact me if any problems)</p></li><li><p>Added RADIUS authentication backend</p></li><li><p>Added support for HTTP-Redirect debugging when enable - <code class="literal">debug=true</code></p></li><li><p>SAML 2.0 SP example now contains a logout page.</p></li><li><p>Added new authentication backend with support for multiple - LDAP based on which organization the user selects.</p></li><li><p>Added SAML 2.0 Discovery Service</p></li><li><p>Initial proof of concept implementation of "User consent on - attribute release"</p></li><li><p>Fixed some minor bugs.</p></li></ul></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856847"></a>Version 0.4</h3></div></div></div><p>Released 2007-09-14. Revision X.</p><div class="itemizedlist"><ul type="disc"><li><p>Improved documentation</p></li><li><p>Authentication plugin API. 
Only LDAP authenticaiton plugin is - included, but it is now easier to implement your own plugin.</p></li><li><p>Added support for SAML 2.0 IdP to work with Google Apps for - Education. Tested.</p></li><li><p>Initial implementation of SAML 2.0 Single Log-Out - functionality both for SP and IdP. Seems to work, but not yet - well-tested.</p></li><li><p>Added support for bridging SAML 2.0 to SAML 2.0.</p></li><li><p>Added some time skew offset to the NotBefore timestamp on the - assertion, to allow some time skew between the SP and IdP.</p></li><li><p>Fixed Browser/POST page to automaticly submit, and have fall - back functionality for user agents with no javascript - support.</p></li><li><p>Fixed some bug with warning traversing Shibboleth 1.3 - Assertions.</p></li><li><p>Fixed tabindex on the login page of the LDAP authentication - module to allow you to tab from username, to password and then to - submit.</p></li><li><p>Fixed bug on autodiscovering hostname in multihost - environments.</p></li><li><p>Cleaned out some debug messages, and added a debug option in - the configuration file. 
This debug option let's you turn on the - possibility of showing all SAML messages to users in the web - browser, and manually submit them.</p></li><li><p>Several minor bugfixes.</p></li></ul></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856961"></a>News about simpleSAMLphp</h2></div></div></div><p>To get the latest news about simpleSAMLphp you can follow this url: - <a href="http://rnd.feide.no/category/simplesamlphp/" target="_top">http://rnd.feide.no/category/simplesamlphp/</a>.</p><p>Currently simpleSAMLphp has a project page at Google Code:</p><p><a href="http://code.google.com/p/simplesamlphp/" target="_top">http://code.google.com/p/simplesamlphp/</a></p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856990"></a>Download and install simpleSAMLphp</h2></div></div></div><p>You can go to <a href="http://code.google.com/p/simplesamlphp/" target="_top">code.google.com/p/simplesamlphp/</a> - to find the most recent release of simpleSAMLphp. Download the zipped - file, and unzip it on your webserver. However I hightly reccomend running - from a subversion checkout instead.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857010"></a>Getting a working copy of simpleSAMLphp from subversion</h3></div></div></div><p>Go to the directory where you want to install - simpleSAMLphp:</p><pre class="screen">cd /var</pre><p>Then do a subversion checkout:</p><pre class="screen">svn checkout http://simplesamlphp.googlecode.com/svn/trunk/ simplesamlphp</pre><p>If you know subversion you know how to view logs and review - changes to the files. 
To update the version you have checked out, - enter:</p><pre class="screen">cd /var/simplesamlphp -svn up</pre></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857049"></a>Making configuration and metadata files</h2></div></div></div><p>Configuration and metadata files are stored in a template format, - you need to copy them to have your local copies. The reason why it is done - this way, is that when you upgrade you can do svn up in subversion or just - copy the whole directory over your installation, without replacing your - existing configuration. When you are updating, you should investigate - whether the config format is changed, this should be documented in the - changelog.</p><p>Here are the steps you need to do to create local configuration - files:</p><pre class="screen">cd /var/simplesamlphp -cp config/config-template.php config/config.php -cp -r metadata-templates/*.php metadata/ -</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857078"></a>Configuring apache</h2></div></div></div><p>In this example simpleSAMLphp is located in - <code class="filename">/var/simplesamlphp</code>, that is the default location. If - you want to modify this location, you can do so freely, but then you need - to update the path in a few files. <a href="#sect.altlocations" title="A. Installing simpleSAMLphp in alternative locations">I - wrote a separate chapter about that, read on</a>.</p><p>Of the folders inside simplesamlphp, only the www folder needs to be - accessible from the web. There are several ways of putting the - simpleSAMLphp depending on the way web sites are structured on your apache - web server. Here is what I believe is the best configuration.</p><p>Find the apache configuration file for the virtual hosts that you - want to run simpleSAML on. 
The configuration may look like this:</p><pre class="programlisting"><VirtualHost *> - ServerName service.example.com - DocumentRoot /var/www/service.example.com - - Alias /simplesaml /var/simplesamlphp/www -</VirtualHost> -</pre><p>What is special is the <code class="literal">Alias</code> directive. That - directive will give control to simpleSAMLphp for all urls that matches - <code class="literal">http(s)://service.example.com/simplesaml/*</code>. - simpleSAMLphp will need to have several SAML interfaces available on the - web, and all these interfaces are included in the <code class="filename">www</code> - subdirectory of your simpleSAMLphp installation. You can set the alias to - whatever you want, but this alias must be set in the - <code class="filename">config.php</code> file of simpleSAML as described in ???. Here is an example of how this configuration may - look like in <code class="filename">config.php</code>:</p><pre class="programlisting">$config = array ( -[...] - 'baseurlpath' => 'simplesaml/',</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857177"></a>The simpleSAMLphp installation webpage</h2></div></div></div><p>When you have installed simpleSAMLphp, you can access the homepage - of your installation, which contains some information and a few links to - the test services. 
The url of an installation can be in example:</p><div class="literallayout"><p>https://service.example.com/simplesaml/</p></div><p>The exact link depends on how you set it up with apache and off - course your hostname.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Don't click on any of the links yet, because they require you to - eigther have setup simpleSAMLphp as an Service Provider or as an - Identity Provider.</p></div><p>Here is an example screenshot of what the simpleSAMLphp page looks - like:</p><div class="figure"><a id="id857216"></a><p class="title"><b>Figure 1. Screenshot of the simpleSAMLphp installation page.</b></p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-install/screenshot-installationpage.png" alt="Screenshot of the simpleSAMLphp installation page." /></div></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857241"></a>Next steps</h2></div></div></div><p>You have now successfully installed simpleSAMLphp, and the next - steps depends on whether you want to setup a service provider, to protect - a website with authentication or if you want to setup an identity provider - and connect it to a user storage. We will also provide documentation on - bridging federation protocols in a separate document.</p><div class="itemizedlist"><ul type="disc"><li><p><a href="simplesamlphp-sp.html" target="_top">Setting up simpleSAMLphp as a - service provider</a></p></li><li><p><a href="simplesamlphp-idp.html" target="_top">Setting up simpleSAMLphp as - an identity provider</a></p></li><li><p><a href="simplesamlphp-bridge.html" target="_top">Setting up simpleSAMLphp - as a bridge</a></p></li></ul></div></div><div class="appendix" lang="en" xml:lang="en"><h2 class="title" style="clear: both"><a id="sect.altlocations"></a>A. 
Installing simpleSAMLphp in alternative locations</h2><p>If you want to install simpleSAMLphp in an alternative directory, - feel free to do so. You need to set the path of the installation directory - in the config.php file:</p><pre class="programlisting">$config = array ( -[...] - 'basedir' => '/usr/local/simplesaml/simplesamlphp',</pre><p>And you also need to modify the Alias directive in the apache - configuration:</p><pre class="programlisting"> Alias /simplesaml /usr/local/simplesaml/simplesamlphp/www</pre></div></div></body></html>
diff --git a/docs/simplesamlphp-install.pdf b/docs/simplesamlphp-install.pdf
deleted file mode 100644
index aecd7d045e1c15b4f8840ed6fb1ff8a9fc2d4b30..0000000000000000000000000000000000000000
Binary files a/docs/simplesamlphp-install.pdf and /dev/null differ
diff --git a/docs/simplesamlphp-sp.html b/docs/simplesamlphp-sp.html
deleted file mode 100644
index abb73461f656d33132f26f2832aee7d7dd11a552..0000000000000000000000000000000000000000
--- a/docs/simplesamlphp-sp.html
+++ /dev/null
@@ -1,154 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Using simpleSAMLphp as a Service Provider</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id721993"></a>Using simpleSAMLphp as a Service Provider</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andreas Åkre</span> <span class="surname">Solberg</span></h3><code class="email"><<a href="mailto:andreas.solberg@uninett.no">andreas.solberg@uninett.no</a>></code></div></div><div><p class="pubdate">Sun Oct 21 13:50:29 2007</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id856631">Introduction</a></span></dt><dt><span class="section"><a href="#id856645">Configuring metadata for SAML 2.0 SP</a></span></dt><dd><dl><dt><span class="section"><a href="#id856660">Configuring SAML 2.0 SP Hosted metadata</a></span></dt><dt><span class="section"><a href="#id856786">Configuring SAML 2.0 IdP Remote metadata</a></span></dt><dt><span class="section"><a href="#id856919">Setting the default SAML 2.0 IdP</a></span></dt><dt><span class="section"><a href="#id856961">Using the SAML 2.0 IdP Discovery Service</a></span></dt></dl></dd><dt><span class="section"><a href="#id856988">Configuring metadata for Shibboleth 1.3 SP</a></span></dt><dd><dl><dt><span class="section"><a href="#id857004">Configuring Shibboleth 1.3 SP Hosted metadata</a></span></dt><dt><span class="section"><a href="#id857059">Configuring Shibboleth 1.3 IdP Remote metadata</a></span></dt></dl></dd><dt><span class="section"><a href="#id857142">Exchange metadata with the 
IdP</a></span></dt><dd><dl><dt><span class="section"><a href="#id857155">Automatically generation of SP metadata for SAML 2.0</a></span></dt></dl></dd><dt><span class="section"><a href="#id857220">Test the SAML 2.0 SP examples</a></span></dt><dt><span class="section"><a href="#id857271">Integrating authentication with your own application</a></span></dt><dt><span class="section"><a href="#id857386">Support</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856631"></a>Introduction</h2></div></div></div><p>simpleSAMLphp can run as both a SAML 2.0 Service Provider and as a - Shibboleth 1.3 Service Provider. The configuration and metadata would be - somewhat different, therefore there are separate chapter for the two, - although the configuration is similar.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856645"></a>Configuring metadata for SAML 2.0 SP</h2></div></div></div><p>When you are setting up a SAML 2.0 SP, you would need to configure - two metadata files. saml20-sp-hosted.php and saml20-idp-remote.php. - saml20-sp-hosted.php represent the SAML entity of the service provider - itself, while the saml20-idp-remote.php configuration lists all the - trusted SAML 2.0 IdP and how to connect to them.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856660"></a>Configuring SAML 2.0 SP Hosted metadata</h3></div></div></div><p>You need to know at least two variables to be able to setup this - metadata. You need to know the hostname of the server you are using, and - you need to set an entity ID for this server. 
Talk to the people running - the IdP of what entity ID you should use.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Feide has special rules for setting entity IDs, so if you want - to connect to Feide, contact them and ask what entity ID you should - use.</p></div><p>Here is an example of the metadata file:</p><pre class="programlisting">$metadata = array( - - /* - * Example of a hosted SP - */ - 'entityid' => array( - 'host' => 'hostname', - 'spNameQualifier' => 'entityid', - 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient', - 'ForceAuthn' => 'false' - ) - -);</pre><p>Here are the description of the possible fields:</p><div class="glosslist"><dl><dt>index (the index of the array)</dt><dd><p>The entity ID of the hosted SP entity.</p></dd><dt>spNameQualifier</dt><dd><p>The name qualifier of the SP. If this is not important to - you, you can set it to be identical with the entity ID - above.</p></dd><dt>host</dt><dd><p>The hostname of the server running this SAML 2.0 SP. This - option allows simpleSAMLphp to automatically discover which SP - metadata to use, when it runs multiple virtual hosts.</p></dd><dt>NameIDFormat</dt><dd><p>The NameIDFormat in the request. 
If you don't know what this - is, or don't need it to be anything specific, leave it with the - default configuration.</p></dd><dt>ForceAuthn</dt><dd><p>Force authentication is a parameter that allows you to force - re-authenticatino of users even if the user contains a SSO session - at the IdP.</p></dd></dl></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856786"></a>Configuring SAML 2.0 IdP Remote metadata</h3></div></div></div><p>This metadata file lists all the IdPs that you trust.</p><pre class="programlisting"> /* - * Example simpleSAMLphp SAML 2.0 IdP - */ - 'idp.example.org' => array( - 'name' => 'Test', - 'description' => 'Description of this example entry', - 'SingleSignOnService' => 'https://idp.example.org/simplesaml/saml2/idp/SSOService.php', - 'SingleLogoutService' => 'https://idp.example.org/simplesaml/saml2/idp/LogoutService.php', - 'certFingerprint' => '3fa158e8abfd4b5203315b08c0b791b6ee4715f6', - 'base64attributes' => true - ),</pre><div class="glosslist"><dl><dt>index (the index of the array)</dt><dd><p>The entity ID of this SAML 2.0 IdP entity.</p></dd><dt>name</dt><dd><p>Set the name of this identity provider. Will just be used in - the UI of the discovery service, so set it to whatever you - want.</p></dd><dt>description</dt><dd><p>Set the description of this identity provider. Will just be - used in the UI of the discovery service, so set it to whatever you - want.</p></dd><dt>SingleSignOnService</dt><dd><p>Contact the IdP to get the endpoint URL of this service. - This is the URL which the user is redirected with the AuthnRequest - using HTTP-REDIRECT.</p></dd><dt>SingleLogoutService</dt><dd><p>Contact the IdP to get the endpoint URL of this service. - This is the URL which the user is redirected with the - LogoutRequest using HTTP-REDIRECT.</p></dd><dt>certFingerprint</dt><dd><p>The md5sum of the certificate used by the IdP. 
If you don't - know how to compute this, you can leave it as it is, and then - you'll get an error message the first time you try to login. In - this error message you are told what is the fingerprint of the IdP - certiciate, so you can copy and use that.</p></dd><dt>base64encode</dt><dd><p>Is the IdP base64 encoding all the attributes? - Base64encoding should be avoided but makes it much easier to send - data in different formats and characterencodings, so you can leave - it on when you test. If you are using simpleSAMLphp at the IdP, - remember to set the parameter in the metadata at the IdP to be the - same.</p></dd></dl></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856919"></a>Setting the default SAML 2.0 IdP</h3></div></div></div><p>In the global configuration (<code class="filename">config.php</code>) - there is a parameter to set the default IdP to use. Alternatively you - can specify which IdP to use in a parameter to the initSSO.php script - when you initiate logon in your application.</p><p>Here is an example from <code class="filename">config.php</code>:</p><pre class="programlisting"> 'default-saml20-idp' => 'sam.feide.no',</pre><p>The configuration above will use the IdP configured in IdP Remote - metadata with entity ID equal to <code class="literal">sam.feide.no</code>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id856961"></a>Using the SAML 2.0 IdP Discovery Service</h3></div></div></div><p>If you want end users to be able to select one of all the - specified entries in IdP remote metadata, you can set the default IdP to - be null, then simpleSAMLphp will initiate the builtin IdP discovery - service to let the user select IdP. 
Here is the neccessary configuration - from <code class="filename">config.php</code>:</p><pre class="programlisting"> 'default-saml20-idp' => null,</pre></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id856988"></a>Configuring metadata for Shibboleth 1.3 SP</h2></div></div></div><p>When you are setting up a Shibboleth 1.3 SP, you need to configure - two metadata files. shib13-sp-hosted.php and shib13-idp-remote.php. - shib13-sp-hosted.php represents the SAML entity of the service provider - itself, while the shib13-idp-remote.php metadata lists all the trusted - SAML 2.0 IdPs and contains information on how to connect to them.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857004"></a>Configuring Shibboleth 1.3 SP Hosted metadata</h3></div></div></div><p>In the hosted metadata (shib13-sp-hosted.php) you will need to - configure two parameters, the entity ID and the hostname of the server - running this SP.</p><pre class="programlisting"> /* - * Example of hosted Shibboleth 1.3 SP. - */ - 'sp1entityid' => array( - 'host' => 'sp.example.org' - )</pre><div class="glosslist"><dl><dt>index (the index of the array)</dt><dd><p>The entity ID of the hosted SP entity.</p></dd><dt>host</dt><dd><p>The hostname of the server running this Shibboleth 1.3 SP. 
- This option allows simpleSAMLphp to automatically discover which - SP metadata to use, when it runs multiple virtual hosts.</p></dd></dl></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857059"></a>Configuring Shibboleth 1.3 IdP Remote metadata</h3></div></div></div><p>Here (shib13-idp-remote.php) you configure which IdPs that you - trust.</p><pre class="programlisting"> 'urn:mace:switch.ch:aaitest:dukono.switch.ch' => array( - 'SingleSignOnUrl' => 'https://dukono.switch.ch/shibboleth-idp/SSO', - 'certFingerprint' => 'c7279a9f28f11380509e075441e3dc55fb9ab864' - ),</pre><div class="glosslist"><dl><dt>index (the index of the array)</dt><dd><p>The entity ID of this Shibboleth 1.3 IdP entity. In this - example the entity ID is set to - <code class="literal">urn:mace:switch.ch:aaitest:dukono.switch.ch</code>.</p></dd><dt>SingleSignOnUrl</dt><dd><p>Contact the IdP to get the endpoint URL of this service. - This is the URL which the user is redirected with the request for - authentication.</p></dd><dt>certFingerprint</dt><dd><p>The md5sum of the certificate used by the IdP. If you don't - know how to compute this, you can leave it as it is, and then - you'll get an error message the first time you try to login. In - this error message you are told what is the fingerprint of the IdP - certiciate, so you can copy and use that.</p></dd></dl></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857142"></a>Exchange metadata with the IdP</h2></div></div></div><p>Before you can run the test examples, you need the people running - the IdP to load the metadata for your SP. 
If you run Shibboleth 1.3 SP, - you will need to manually create metadata for your SP and send to the IdP, - if you use SAML 2.0, metadata can be generated automatically.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id857155"></a>Automatically generation of SP metadata for SAML 2.0</h3></div></div></div><p>On the installation page there is a link named "Look at your SAML - 2.0 SP metadata". Click there to look at the metadata for your SP. Send - this metadata document to the IdP and ask them to load it.</p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-sp/saml2metadata.png" /></div></div><p>If you are connected to Feide, and put one of Feides entity IDs as - default IdP, you will see an additional section on this page:</p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-sp/saml2metadata-feide.png" /></div></div><p>Enter your email address and click the button to send the metadata - to Feide. Remeber to get in contact with Feide to discuss your new - service, and how you can be connected to Feides test environment.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857220"></a>Test the SAML 2.0 SP examples</h2></div></div></div><p>When you have installed simpleSAMLphp, configured apache, and setup - metadata and exchanged metadata with the IdP you are ready to test the - example service that is included in the simpleSAMLphp installation.</p><p>On the installation page of simpleSAMLphp as you remember from the - installation guide, there is a link to a Shibboleth 1.3 and SAML 2.0 - example. When you click on that example, you should be automatically - redirected to the IdP. Then login as usual, and you should get back to a - status page with .</p><p>You should be redirected to the IdP. 
Login, and you should be sent - back and shown all the attributes sent form the IdP.</p><div class="figure"><a id="id857246"></a><p class="title"><b>Figure 1. Screenshot of the status page after an user have succesfully - authenticated</b></p><div class="screenshot"><div class="mediaobject"><img src="resources/simplesamlphp-sp/screenshot-example.png" alt="Screenshot of the status page after an user have succesfully authenticated" /></div></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857271"></a>Integrating authentication with your own application</h2></div></div></div><p>You will need to hook some code into your application executed for - every protected HTTP request. The flow in that code goes like:</p><div class="itemizedlist"><ul type="disc"><li><p>Check whether the user is authenticated or not.</p></li><li><p>If the user is not authenticated, and it should be, then - redirect the user to the initSSO.php script with the appropriate - parameters. In particular the RelayState that tells the URL to return - to after login.</p></li><li><p>If the user is authenticated then your done, map to your own - user database if neccessary, and access the attributes from the - session object as you like.</p></li></ul></div><p>Here are some example code from the included example that you can - reuse:</p><p>We start off with including a common file _include.php. All this - file is doing is adding simpleSAMLphp to the classpath. If you want you - can do this in php.ini instead. Or you can include all the content of - _include.php in the application it self.</p><pre class="programlisting">require_once('../_include.php');</pre><p>Including class specifications. 
This is for SAML 2.0, for shibboleth - look at the shibboleth example in - <code class="filename">www/example-simple/shib13-example.php</code>.</p><pre class="programlisting">require_once('SimpleSAML/Utilities.php'); -require_once('SimpleSAML/Session.php'); -require_once('SimpleSAML/XML/MetaDataStore.php'); -require_once('SimpleSAML/XML/SAML20/AuthnRequest.php'); -require_once('SimpleSAML/XML/SAML20/AuthnResponse.php'); -require_once('SimpleSAML/Bindings/SAML20/HTTPRedirect.php'); -require_once('SimpleSAML/Bindings/SAML20/HTTPPost.php'); -require_once('SimpleSAML/XHTML/Template.php'); -</pre><p>Then enable using PHP Sessions, and load configuration and metadata - with simpleSAMLphp. You can copy this lines into your application without - changes:</p><pre class="programlisting">session_start(); - -/* Load simpleSAMLphp, configuration and metadata */ -$config = SimpleSAML_Configuration::getInstance(); -$metadata = new SimpleSAML_XML_MetaDataStore($config); -$session = SimpleSAML_Session::getInstance(); -</pre><p>Then at last, you check whether the session is valid. If it is not, - redirect to the initSSO.php script adding the current URL as a RelayState - parameter. If you are authenticated, then retrieve all the attributes from - the session object. You may want to look closer at the attributes array, - so why don't you print_r it out right away to get the structure...</p><pre class="programlisting">/* Check if valid local session exists.. */ -if (!isset($session) || !$session->isValid() ) { - header('Location: /' . $config->getValue('baseurlpath') . 'saml2/sp/initSSO.php?RelayState=' . 
urlencode(SimpleSAML_Utilities::selfURL())); - exit(0); -} - -$attributes = $session->getAttributes(); -print_r($attributes); -</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id857386"></a>Support</h2></div></div></div><p>If you have problems to get this work, or want to discuss - simpleSAMLphp with other users of the software you are lucky! Around - simpleSAMLphp there is a great Open source community, and you are welcome - to join! Both for asking question, answer other questions, request - improvements or contribute with code or plugins of your own.</p><p>Visit the project page of simpleSAMLphp at: <a href="http://code.google.com/p/simplesamlphp/" target="_top">http://code.google.com/p/simplesamlphp/</a></p><p>And please join the mailinglist: <a href="???" target="_top">https://postlister.uninett.no/sympa/subscribe/simplesaml</a></p></div></div></body></html>
diff --git a/docs/source/simplesamlphp-idp.xml b/docs/source/simplesamlphp-idp.xml
index 463e844bfaf2ba464a26438a21b5959d24984307..ffff04a1d581bf5983553260c87e2eb5932efae6 100644
--- a/docs/source/simplesamlphp-idp.xml
+++ b/docs/source/simplesamlphp-idp.xml
@@ -7,7 +7,7 @@
 <articleinfo>
 <date>2007-10-15</date>
- <pubdate>Sun Oct 21 13:49:41 2007</pubdate>
+ <pubdate>Wed Dec 19 12:03:28 2007</pubdate>
 <author>
 <firstname>Andreas Åkre</firstname> 
@@ -356,11 +356,11 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
 to join! Both for asking question, answer other questions, request improvements or contribute with code or plugins of your own.</para>
- <para>Visit the project page of simpleSAMLphp at: <ulink
- url="http://code.google.com/p/simplesamlphp/">http://code.google.com/p/simplesamlphp/</ulink></para>
+ <para>Go to simpleSAMLphp homepage: <ulink
+ url="http://rnd.feide.no/simplesamlphp">http://rnd.feide.no/simplesamlphp</ulink></para>
 <para>And please join the mailinglist: <ulink
- url="???">https://postlister.uninett.no/sympa/subscribe/simplesaml</ulink></para>
+ url="http://rnd.feide.no/content/simplesamlphp-users-mailinglist">http://rnd.feide.no/content/simplesamlphp-users-mailinglist</ulink></para>
 </section>
 <appendix>
diff --git a/docs/source/simplesamlphp-install.xml b/docs/source/simplesamlphp-install.xml
index 8d4b007b0ffeef74217a0d128df7c9ba7bf41db2..574cfc40211b02476b0b8987173379bd86071534 100644
--- a/docs/source/simplesamlphp-install.xml
+++ b/docs/source/simplesamlphp-install.xml
@@ -7,7 +7,7 @@
 <articleinfo>
 <date>2007-08-30</date>
- <pubdate>Sun Oct 21 11:56:20 2007</pubdate>
+ <pubdate>Wed Dec 19 12:03:53 2007</pubdate>
 <author>
 <firstname>Andreas Åkre</firstname>
@@ -207,12 +207,12 @@
 <para>To get the latest news about simpleSAMLphp you can follow this url: <ulink
- url="http://rnd.feide.no/category/simplesamlphp/">http://rnd.feide.no/category/simplesamlphp/</ulink>.</para>
+ url="http://rnd.feide.no/taxonomy/term/4">http://rnd.feide.no/taxonomy/term/4</ulink>.</para>
- <para>Currently simpleSAMLphp has a project page at Google Code:</para>
+ <para>Here is the simpleSAMLphp homepage:</para>
 <para><ulink
- url="http://code.google.com/p/simplesamlphp/">http://code.google.com/p/simplesamlphp/</ulink></para>
+ url="http://rnd.feide.no/simplesamlphp">http://rnd.feide.no/simplesamlphp</ulink></para>
 </section>
 <section> 
@@ -351,18 +351,21 @@ cp -r metadata-templates/*.php metadata/
 <itemizedlist>
 <listitem>
- <para><ulink url="simplesamlphp-sp.html">Setting up simpleSAMLphp as a
- service provider</ulink></para>
+ <para><ulink
+ url="http://rnd.feide.no/content/using-simplesamlphp-service-provider">Setting
+ up simpleSAMLphp as a service provider</ulink></para>
 </listitem>
 <listitem>
- <para><ulink url="simplesamlphp-idp.html">Setting up simpleSAMLphp as
- an identity provider</ulink></para>
+ <para><ulink
+ url="http://rnd.feide.no/content/using-simplesamlphp-identity-provider">Setting
+ up simpleSAMLphp as an identity provider</ulink></para>
 </listitem>
 <listitem>
- <para><ulink url="simplesamlphp-bridge.html">Setting up simpleSAMLphp
- as a bridge</ulink></para>
+ <para><ulink
+ url="http://rnd.feide.no/content/using-simplesamlphp-bridge-federation-protocols">Setting
+ up simpleSAMLphp as a bridge</ulink></para>
 </listitem>
 </itemizedlist>
 </section>
diff --git a/docs/source/simplesamlphp-sp.xml b/docs/source/simplesamlphp-sp.xml
index c4614bde03a07deb1ad230ff6d055370c5c288aa..bad8467426460a93469e07983ff40d004c4d6bb6 100644
--- a/docs/source/simplesamlphp-sp.xml
+++ b/docs/source/simplesamlphp-sp.xml
@@ -7,7 +7,7 @@
 <articleinfo>
 <date>2007-10-15</date>
- <pubdate>Sun Oct 21 13:50:29 2007</pubdate>
+ <pubdate>Wed Dec 19 12:04:13 2007</pubdate>
 <author>
 <firstname>Andreas Åkre</firstname> 
@@ -494,10 +494,10 @@ print_r($attributes);
 to join! Both for asking question, answer other questions, request improvements or contribute with code or plugins of your own.</para>
- <para>Visit the project page of simpleSAMLphp at: <ulink
- url="http://code.google.com/p/simplesamlphp/">http://code.google.com/p/simplesamlphp/</ulink></para>
+ <para>Go to simpleSAMLphp homepage: <ulink
+ url="http://rnd.feide.no/simplesamlphp">http://rnd.feide.no/simplesamlphp</ulink></para>
 <para>And please join the mailinglist: <ulink
- url="???">https://postlister.uninett.no/sympa/subscribe/simplesaml</ulink></para>
+ url="http://rnd.feide.no/content/simplesamlphp-users-mailinglist">http://rnd.feide.no/content/simplesamlphp-users-mailinglist</ulink></para>
 </section>
 </article>
\ No newline at end of file