Commit db911147 authored by Jaime Pérez Crespo

Update the documentation regarding certificates.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3305 44740490-163a-0410-bde0-09ae8108e29a
parent e16394ed
...@@ -109,8 +109,8 @@ Filters can be added both in `hosted` and `remote` metadata. Here is an example ...@@ -109,8 +109,8 @@ Filters can be added both in `hosted` and `remote` metadata. Here is an example
'__DYNAMIC:1__' => array( '__DYNAMIC:1__' => array(
'host' => '__DEFAULT_', 'host' => '__DEFAULT_',
'privatekey' => 'server.pem', 'privatekey' => 'example.org.pem',
'certificate' => 'server.crt', 'certificate' => 'example.org.crt',
'auth' => 'feide', 'auth' => 'feide',
'authproc' => array( 'authproc' => array(
40 => 'core:AttributeRealm', 40 => 'core:AttributeRealm',
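Review bot: the unchanged context line `'host' => '__DEFAULT_',` in this hunk carries a single trailing underscore, while every other hosted-IdP example in this commit uses `'host' => '__DEFAULT__',` (two underscores). Since this block is being edited anyway for the key and certificate file names, fix the host value here too so a reader who copies this example does not end up with a hosted entry that never matches the default host.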
......
...@@ -122,6 +122,23 @@ This configuration creates two users - `student` and `employee`, with the passwo ...@@ -122,6 +122,23 @@ This configuration creates two users - `student` and `employee`, with the passwo
The attributes will be returned by the IdP when the user logs on. The attributes will be returned by the IdP when the user logs on.
Creating a SSL self signed certificate
--------------------------------------
Here is an example of an `openssl`-command which can be used to generate a new private key key and the corresponding self-signed certificate.
This key and certificate can be used to sign SAML messages:
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out example.org.crt -keyout example.org.pem
The certificate above will be valid for 10 years.
### Note ###
simpleSAMLphp will only work with RSA certificates. DSA certificates are not supported.
Configuring the IdP Configuring the IdP
------------------- -------------------
...@@ -142,8 +159,8 @@ This is a minimal configuration of a SAML 2.0 IdP: ...@@ -142,8 +159,8 @@ This is a minimal configuration of a SAML 2.0 IdP:
* The private key and certificate to use when signing responses. * The private key and certificate to use when signing responses.
* These are stored in the cert-directory. * These are stored in the cert-directory.
*/ */
'privatekey' => 'server.pem', 'privatekey' => 'example.org.pem',
'certificate' => 'server.crt', 'certificate' => 'example.org.crt',
/* /*
* The authentication source which should be used to authenticate the * The authentication source which should be used to authenticate the
...@@ -189,30 +206,6 @@ If you have the metadata of the remote SP as an XML file, you can use the built- ...@@ -189,30 +206,6 @@ If you have the metadata of the remote SP as an XML file, you can use the built-
For more information about available options in the sp-remote metadata files, see the [SP remote reference](simplesamlphp-reference-sp-remote). For more information about available options in the sp-remote metadata files, see the [SP remote reference](simplesamlphp-reference-sp-remote).
Creating a SSL self signed certificate
--------------------------------------
For test purposes, you can skip this section, and use the certificate included in the simpleSAMLphp distribution.
Here is an example of an `openssl`-command which can be used to generate a new private key key and the corresponding self-signed certificate.
This key and certificate can be used to sign SAML messages:
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out example.org.crt -keyout example.org.pem
The certificate above will be valid for 10 years.
### Note ###
simpleSAMLphp will only work with RSA certificates. DSA certificates are not supported.
### Warning ###
The certificate that is included in the simpleSAMLphp distribution must **NEVER** be used in production, as the private key is also included in the package and can be downloaded by anyone.
Adding this IdP to other SPs Adding this IdP to other SPs
---------------------------- ----------------------------
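Review bot: this hunk deletes the `### Warning ###` block ("The certificate that is included in the simpleSAMLphp distribution must **NEVER** be used in production, as the private key is also included in the package and can be downloaded by anyone") together with the section it belongs to, but the section re-added earlier in the file at `@@ -122,6 +122,23 @@` only carries the openssl command and the RSA note. The warning is the most important sentence of the section: anyone who leaves `server.pem` / `server.crt` in place is signing assertions with a key every attacker already has. Please carry the Warning (and ideally the "For test purposes, you can skip this section" sentence that gives it context) over to the new location rather than dropping it.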
......
...@@ -79,8 +79,8 @@ If given the following configuration... ...@@ -79,8 +79,8 @@ If given the following configuration...
$metadata['https://www.example.com/saml/saml2/idp/metadata.php'] = array( $metadata['https://www.example.com/saml/saml2/idp/metadata.php'] = array(
'host' => 'www.example.com', 'host' => 'www.example.com',
'certificate' => 'server.crt', 'certificate' => 'example.com.crt',
'privatekey' => 'server.pem', 'privatekey' => 'example.com.pem',
'auth' => 'example-userpass', 'auth' => 'example-userpass',
'EntityAttributes' => array( 'EntityAttributes' => array(
......
...@@ -184,8 +184,8 @@ If given the following configuration... ...@@ -184,8 +184,8 @@ If given the following configuration...
$metadata['https://www.example.com/saml/saml2/idp/metadata.php'] = array( $metadata['https://www.example.com/saml/saml2/idp/metadata.php'] = array(
'host' => 'www.example.com', 'host' => 'www.example.com',
'certificate' => 'server.crt', 'certificate' => 'example.com.crt',
'privatekey' => 'server.pem', 'privatekey' => 'example.com.pem',
'auth' => 'example-userpass', 'auth' => 'example-userpass',
'UIInfo' => array( 'UIInfo' => array(
......
...@@ -140,8 +140,8 @@ To use this authentication source in a SAML 2.0 IdP, set the ...@@ -140,8 +140,8 @@ To use this authentication source in a SAML 2.0 IdP, set the
'__DYNAMIC:1__' => array( '__DYNAMIC:1__' => array(
'host' => '__DEFAULT__', 'host' => '__DEFAULT__',
'privatekey' => 'server.pem', 'privatekey' => 'example.org.pem',
'certificate' => 'server.crt', 'certificate' => 'example.org.crt',
'auth' => 'example-static', 'auth' => 'example-static',
), ),
......
...@@ -362,8 +362,8 @@ These are some examples of IdP metadata ...@@ -362,8 +362,8 @@ These are some examples of IdP metadata
'host' => '__DEFAULT__', 'host' => '__DEFAULT__',
/* The private key and certificate used by this IdP. */ /* The private key and certificate used by this IdP. */
'certificate' => 'server.crt', 'certificate' => 'example.org.crt',
'privatekey' => 'server.pem', 'privatekey' => 'example.org.pem',
/* /*
* The authentication source for this IdP. Must be one * The authentication source for this IdP. Must be one
......
...@@ -196,7 +196,7 @@ These options overrides the options set in `saml20-sp-hosted`. ...@@ -196,7 +196,7 @@ These options overrides the options set in `saml20-sp-hosted`.
**Example: Configuration for validating messages** **Example: Configuration for validating messages**
'redirect.validate' => TRUE, 'redirect.validate' => TRUE,
'certificate' => 'server.crt', 'certificate' => 'example.org.crt',
Shibboleth 1.3 options Shibboleth 1.3 options
...@@ -238,7 +238,7 @@ Calculating the fingerprint of a certificate ...@@ -238,7 +238,7 @@ Calculating the fingerprint of a certificate
If you have obtained a certificate file, and want to calculate the fingerprint of the file, you can use the `openssl` command: If you have obtained a certificate file, and want to calculate the fingerprint of the file, you can use the `openssl` command:
$ openssl x509 -noout -fingerprint -in "server.crt" $ openssl x509 -noout -fingerprint -in "example.org.crt"
SHA1 Fingerprint=AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9 SHA1 Fingerprint=AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9
In this case, the certFingerprint option should be set to `AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9`. In this case, the certFingerprint option should be set to `AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9`.
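Review bot: the sample output shows a `SHA1 Fingerprint=` value, and that is what the text tells the reader to paste into `certFingerprint`, but the command relies on the default digest of whichever `openssl` binary the reader has. Pass the digest explicitly, `openssl x509 -noout -sha1 -fingerprint -in "example.org.crt"`, so the output is guaranteed to be the SHA-1 form the option expects regardless of the OpenSSL version. Since this fingerprint is the only thing pinning the remote entity's certificate, the text could also remind the reader to compare the value against one obtained out of band rather than trusting whatever file arrived with the metadata.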
...@@ -339,7 +339,7 @@ These options overrides the options set in `saml20-idp-hosted`. ...@@ -339,7 +339,7 @@ These options overrides the options set in `saml20-idp-hosted`.
**Example: Configuration for validating messages** **Example: Configuration for validating messages**
'redirect.validate' => TRUE, 'redirect.validate' => TRUE,
'certificate' => 'server.crt', 'certificate' => 'example.org.crt',
### Fields for scoping ### Fields for scoping
......