From def4d23efeca5caaeb5c5255ca16034bc8052228 Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst <thijs@kinkhorst.com>
Date: Thu, 30 Apr 2020 13:23:41 +0000
Subject: [PATCH] Update docs for Shib 1.3 removal
---
 composer.json | 2 +-
 config-templates/authsources.php | 3 +-
 docs/simplesamlphp-reference-idp-remote.md | 167 +++++++++------------
 3 files changed, 74 insertions(+), 98 deletions(-)
diff --git a/composer.json b/composer.json
index b56e2abb2..9f3b56688 100644
--- a/composer.json
+++ b/composer.json
@@ -1,6 +1,6 @@
 {
 "name": "simplesamlphp/simplesamlphp",
- "description": "A PHP implementation of a SAML 2.0 service provider and identity provider, also compatible with Shibboleth 1.3 and 2.0.",
+ "description": "A PHP implementation of a SAML 2.0 service provider and identity provider.",
 "type": "project",
 "keywords": [ "saml2", "shibboleth","oauth","ws-federation","sp","idp" ],
 "homepage": "http://simplesamlphp.org",
diff --git a/config-templates/authsources.php b/config-templates/authsources.php
index d909a3881..dce39c813 100644
--- a/config-templates/authsources.php
+++ b/config-templates/authsources.php
@@ -22,8 +22,7 @@ $config = [
 ],
- // An authentication source which can authenticate against both SAML 2.0
- // and Shibboleth 1.3 IdPs.
+ // An authentication source which can authenticate against SAML 2.0 IdPs.
 'default-sp' => [
 'saml:SP',
diff --git a/docs/simplesamlphp-reference-idp-remote.md b/docs/simplesamlphp-reference-idp-remote.md
index 30059f2c8..4a12dc74c 100644
--- a/docs/simplesamlphp-reference-idp-remote.md
+++ b/docs/simplesamlphp-reference-idp-remote.md
@@ -16,10 +16,28 @@ This is a reference for metadata options available for `metadata/saml20-idp-remo /* ... */ -Common options --------------- +Options +------- -The following options are common between both the SAML 2.0 protocol and Shibboleth 1.3 protocol: +`AuthnContextClassRef` +: The AuthnContextClassRef that will be sent in the login request. + +: Note that this option also exists in the SP configuration. This + entry in the IdP-remote metadata overrides the option in the + [SP configuration](./saml:sp). + +`AuthnContextComparison` + +: The Comparison attribute of the AuthnContext that will be sent in the login request. This parameter won't be used unless AuthnContextClassRef is set and contains one or more values. Possible values: + + SAML2\Constants::COMPARISON_EXACT (default) + SAML2\Constants::COMPARISON_BETTER + SAML2\Constants::COMPARISON_MINIMUM + SAML2\Constants::COMPARISON_MAXIMUM + +: Note that this option also exists in the SP configuration. This + entry in the IdP-remote metadata overrides the option in the + [SP configuration](./saml:sp). `authproc` : Used to manipulate attributes, and limit access for each IdP. See the [authentication processing filter manual](simplesamlphp-authproc). 
@@ -41,9 +59,38 @@ The following options are common between both the SAML 2.0 protocol and Shibbole : This option can be translated into multiple languages in the same way as the `name`-option. +`disable_scoping` +: Whether sending of samlp:Scoping elements in authentication requests should be suppressed. The default value is `FALSE`. + When set to `TRUE`, no scoping elements will be sent. This does not comply with the SAML2 specification, but allows + interoperability with ADFS which [does not support Scoping elements](https://docs.microsoft.com/en-za/azure/active-directory/develop/active-directory-single-sign-on-protocol-reference#scoping). + +: Note that this option also exists in the SP configuration. This + entry in the IdP-remote metadata overrides the option in the + [SP configuration](./saml:sp). + +`encryption.blacklisted-algorithms` +: Blacklisted encryption algorithms. This is an array containing the algorithm identifiers. + +: Note that this option also exists in the SP configuration. This + entry in the IdP-remote metadata overrides the option in the + [SP configuration](./saml:sp). + +: The RSA encryption algorithm with PKCS#1 v1.5 padding is blacklisted by default for security reasons. Any assertions + encrypted with this algorithm will therefore fail to decrypt. You can override this limitation by defining an empty + array in this option (or blacklisting any other algorithms not including that one). However, it is strongly + discouraged to do so. For your own safety, please include the string 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' if + you make use of this option. + +`hide.from.discovery` +: Whether to hide hide this IdP from the local discovery or not. Set to true to hide it. Defaults to false. + + `icon` : A logo which will be shown next to this IdP in the discovery service. +`IDPList` +: The IdP is allowed to respond to an `AuthNRequest` originally sent to entityIDs in this list. + `name` : The name of this IdP. 
Will be used by various modules when they need to show a name of the SP to the user. @@ -56,6 +103,23 @@ The following options are common between both the SAML 2.0 protocol and Shibbole 'no' => 'En tjeneste', ], +`nameid.encryption` +: Whether NameIDs sent to this IdP should be encrypted. The default + value is `FALSE`. + +: Note that this option also exists in the SP configuration. This + entry in the IdP-remote metadata overrides the option in the + [SP configuration](./saml:sp). + +`NameIDPolicy` +: The format of the NameID we request from this IdP: an array in the form of + `[ 'Format' => the format, 'AllowCreate' => true or false ]`. + Set to `false` instead of an array to omit sending any specific NameIDPolicy + in the AuthnRequest. + +: For compatibility purposes, `null` is equivalent to Transient and a format + can be defined as a string instead of an array. These variants are deprecated. + `OrganizationName` : The name of the organization responsible for this SPP. This name does not need to be suitable for display to end users. 
@@ -93,82 +157,6 @@ The following options are common between both the SAML 2.0 protocol and Shibbole : When the `saml:FilterScopes` authentication processing filter is used, this list of scopes will determine the valid scopes for attributes. -`SingleSignOnService` -: Endpoint URL for sign on. You should obtain this from the IdP. For SAML 2.0, SimpleSAMLphp will use the HTTP-Redirect binding when contacting this endpoint. - -: The value of this option is specified in one of several [endpoint formats](./simplesamlphp-metadata-endpoints). - - -SAML 2.0 options ----------------- - -The following SAML 2.0 options are available: - -`AuthnContextClassRef` -: The AuthnContextClassRef that will be sent in the login request. - -: Note that this option also exists in the SP configuration. This - entry in the IdP-remote metadata overrides the option in the - [SP configuration](./saml:sp). - -`AuthnContextComparison` - -: The Comparison attribute of the AuthnContext that will be sent in the login request. This parameter won't be used unless AuthnContextClassRef is set and contains one or more values. Possible values: - - SAML2\Constants::COMPARISON_EXACT (default) - SAML2\Constants::COMPARISON_BETTER - SAML2\Constants::COMPARISON_MINIMUM - SAML2\Constants::COMPARISON_MAXIMUM - -: Note that this option also exists in the SP configuration. This - entry in the IdP-remote metadata overrides the option in the - [SP configuration](./saml:sp). - -`disable_scoping` -: Whether sending of samlp:Scoping elements in authentication requests should be suppressed. The default value is `FALSE`. - When set to `TRUE`, no scoping elements will be sent. This does not comply with the SAML2 specification, but allows - interoperability with ADFS which [does not support Scoping elements](https://docs.microsoft.com/en-za/azure/active-directory/develop/active-directory-single-sign-on-protocol-reference#scoping). - -: Note that this option also exists in the SP configuration. 
This - entry in the IdP-remote metadata overrides the option in the - [SP configuration](./saml:sp). - -`encryption.blacklisted-algorithms` -: Blacklisted encryption algorithms. This is an array containing the algorithm identifiers. - -: Note that this option also exists in the SP configuration. This - entry in the IdP-remote metadata overrides the option in the - [SP configuration](./saml:sp). - -: The RSA encryption algorithm with PKCS#1 v1.5 padding is blacklisted by default for security reasons. Any assertions - encrypted with this algorithm will therefore fail to decrypt. You can override this limitation by defining an empty - array in this option (or blacklisting any other algorithms not including that one). However, it is strongly - discouraged to do so. For your own safety, please include the string 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' if - you make use of this option. - -`hide.from.discovery` -: Whether to hide hide this IdP from the local discovery or not. Set to true to hide it. Defaults to false. - -`IDPList` -: The IdP is allowed to respond to an `AuthNRequest` originally sent to entityIDs in this list. - -`nameid.encryption` -: Whether NameIDs sent to this IdP should be encrypted. The default - value is `FALSE`. - -: Note that this option also exists in the SP configuration. This - entry in the IdP-remote metadata overrides the option in the - [SP configuration](./saml:sp). - -`NameIDPolicy` -: The format of the NameID we request from this IdP: an array in the form of - `[ 'Format' => the format, 'AllowCreate' => true or false ]`. - Set to `false` instead of an array to omit sending any specific NameIDPolicy - in the AuthnRequest. - -: For compatibility purposes, `null` is equivalent to Transient and a format - can be defined as a string instead of an array. These variants are deprecated. - `signature.algorithm` : The algorithm to use when signing any message sent to this specific identity provider. Defaults to RSA-SHA256. 
: Note that this option also exists in the SP configuration. @@ -202,6 +190,11 @@ The following SAML 2.0 options are available: `SingleLogoutServiceResponse` : Endpoint URL for logout responses. Overrides the `SingleLogoutService`-option for responses. +`SingleSignOnService` +: Endpoint URL for sign on. You should obtain this from the IdP. For SAML 2.0, SimpleSAMLphp will use the HTTP-Redirect binding when contacting this endpoint. + +: The value of this option is specified in one of several [endpoint formats](./simplesamlphp-metadata-endpoints). + `SPNameQualifier` : This corresponds to the SPNameQualifier in the SAML 2.0 specification. It allows to give subjects a SP specific namespace. This option is rarely used, so if you don't need it, leave it out. When left out, SimpleSAMLphp assumes the entityID of your SP as the SPNameQualifier. 
@@ -243,19 +236,3 @@ SimpleSAMLphp only signs authentication responses by default. Signing of authent 'redirect.validate' => TRUE, 'certificate' => 'example.org.crt', - - -Shibboleth 1.3 options ----------------------- - -`caFile` -: Alternative to specifying a certificate. Allows you to specify a file with root certificates, and responses from the service be validated against these certificates. Note that SimpleSAMLphp doesn't support chains with any itermediate certificates between the root and the certificate used to sign the response. Support for PKIX in SimpleSAMLphp is experimental, and we encourage users to not rely on PKIX for validation of signatures; for background information review [the SAML 2.0 Metadata Interoperability Profile](http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop-cd-01.pdf). - -`saml1.useartifact` -: Request that the IdP returns the result to the artifact binding. - The default is to use the POST binding, set this option to TRUE to use the artifact binding instead. - -: This option can be set for all IdPs connected to a SP by setting it in the entry for the SP in `config/authsources.php`. - -: *Note*: This option only works with the `saml:SP` authentication source. - -- GitLab