Commit ebb992e7 authored by Ketil Albertsen's avatar Ketil Albertsen

Language check and correction of a number of errors.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@455 44740490-163a-0410-bde0-09ae8108e29a
parent 7adcc156
......@@ -32,16 +32,16 @@
</itemizedlist>
<para>This document assumes that you already have a installation of
simpleSAMLphp. Before you continue make sure all the required entries in
the check list at the buttom is showing green light.</para>
simpleSAMLphp. Before you continue, make sure all the required entries in
the check list at the bottom is showing green light.</para>
</section>
<section>
<title>Enabling the Identity Provider functionality</title>
<para>The SAML 2.0 SP functionality is enabled per default. Edit
<filename>config.php</filename>, and enable either the SAML 2.0 IdP or the
Shib 1.3 IdP, depending on your needs. Here is an example of SAML 2.0 IdP
<para>Edit <filename>config.php</filename>, and enable either the SAML 2.0
IdP or the Shib 1.3 IdP, depending on your needs. By default, SAML 2.0 SP
IdP functionality is enabled. Here is an example of SAML 2.0 IdP
enabled:</para>
<programlisting>'enable.saml20-sp' =&gt; false,
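Review bot: the rewritten sentence "By default, SAML 2.0 SP IdP functionality is enabled" garbles the original meaning; the old text said the SP functionality is enabled by default, and the IdP is what the reader must switch on. Suggest "By default, only the SAML 2.0 SP functionality is enabled; IdP functionality must be enabled explicitly." Also, in the check-list sentence, "all the required entries ... is showing green light" should read "are showing a green light".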
......@@ -53,105 +53,107 @@
<section>
<title>Authentication modules</title>
<para>In the <filename>www/auth</filename> directory, you see multiple
files, each representing an authentication module. In the IdP hosted
metadata configuration you specify which authentication module that should
be used for that specific IdP. You can implement your own authentication
module, see <xref linkend="sect.customauth" />.</para>
<para>In the <filename>www/auth</filename> directory, each file represents
an authentication module. The IdP hosted metadata configuration specifies
which authentication module to use for that specific IdP. You can
implement your own authentication module, see <xref
linkend="sect.customauth" />.</para>
<para>These authentication modules are included:</para>
<glosslist>
<glossentry>
<glossterm>auth/login.php</glossterm>
<glossdef>
<para>This is the standard LDAP backend authentication module, it
uses LDAP configuration from the config.php file.</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>auth/login-ldapmulti.php</glossterm>
<glossdef>
<para>This authentication module lets you connect to multiple LDAPS
depending on what organization the user selects in the login
form.</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>auth/login-feide.php</glossterm>
<glossdef>
<para>A multi-LDAP module which looks up the users in LDAP first
searching for <literal>eduPersonPrincipalName</literal>.</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>auth/login-radius.php</glossterm>
<glossdef>
<para>This authentication module will authenticate users against an
RADIUS server instead of LDAP.</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>auth/login-auto.php</glossterm>
<glossdef>
<para>This module will automatically login the user with some test
details. You can use this to test the IdP functionality if you do
not have</para>
<para>This module is not completed yet. Work in progress.</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>auth/login-cas-ldap.php</glossterm>
<glossdef>
<para>Authentication via CAS. Then look up attributes via
LDAP.</para>
</glossdef>
</glossentry>
</glosslist>
<para><glosslist>
<glossentry>
<glossterm>auth/login.php</glossterm>
<glossdef>
<para>This is the standard LDAP backend authentication module. It
uses LDAP configuration from the <filename>config.php</filename>
file.</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>auth/login-ldapmulti.php</glossterm>
<glossdef>
<para>This authentication module lets you connect to multiple
LDAPs depending on the home organization selected by the
user.</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>auth/login-feide.php</glossterm>
<glossdef>
<para>A multi-LDAP module which looks up the users in LDAP, first
searching for <literal>eduPersonPrincipalName</literal>.</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>auth/login-radius.php</glossterm>
<glossdef>
<para>This authentication module will authenticate users against
an RADIUS server instead of LDAP.</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>auth/login-auto.php</glossterm>
<glossdef>
<para>This module will automatically login the user with some test
details. You can use this to test the IdP functionality if you do
not have</para>
<para>This module is not completed yet. Work in progress.</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>auth/login-cas-ldap.php</glossterm>
<glossdef>
<para>Authentication via CAS, followed by attribute lookup in
LDAP.</para>
</glossdef>
</glossentry>
</glosslist></para>
<section>
<title>Configuring the LDAP authentication module</title>
<para>The LDAP module is <filename>auth/login.php</filename>.</para>
<para>The LDAP module is found in
<filename>auth/login.php</filename>.</para>
<para>If you want to perform local authentication on this server, and
you want to use the LDAP authenticaiton plugin, then you need to
configure the following parameters in
<filename>config/ldap.php</filename>:</para>
<para>If you want to perform local authentication using this server,
using the LDAP authentication plugin, the following parameters should be
configured in <filename>config/ldap.php</filename>:</para>
<itemizedlist>
<listitem>
<para><literal>auth.ldap.dnpattern</literal>: What DN should you
bind to? Replacing %username% with the username the user types
<para><literal>auth.ldap.dnpattern</literal>: Which DN to bind to.
<literal>%username%</literal> is replaced with the user name typed
in.</para>
</listitem>
<listitem>
<para><literal>auth.ldap.hostname</literal>: The hostname of the
LDAP server</para>
<para><literal>auth.ldap.hostname</literal>: Host name of the LDAP
server</para>
</listitem>
<listitem>
<para><literal>auth.ldap.attributes</literal>: Search parameter to
LDAP. What attributes should be extracted?
<literal>objectclass=*</literal> gives you all.</para>
LDAP. List of attributes to be extracted. Set this option to
<literal>null</literal> to retrieve all attributes available.</para>
</listitem>
<listitem>
<para><literal>auth.ldap.enable_tls</literal>: Will perform
start_tls() after creation the connectino to the LDAP server.</para>
<code>ldap_start_tls()</code> after creation the connectino to the
LDAP server.</para>
</listitem>
</itemizedlist>
</section>
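Review bot: the auth/login-auto.php entry still ends mid-sentence at "if you do not have" in both old and new text, so the language pass missed it; either finish the sentence (presumably "... a user store") or drop it. Further leftovers in this hunk: "an RADIUS server" should be "a RADIUS server", and under auth.ldap.enable_tls "after creation the connectino to the LDAP server" should be "after creating the connection to the LDAP server". The auth.ldap.attributes change from `objectclass=*` to `null` is a semantic change, not a language correction; confirm it matches what the code accepts and mention it in the commit message. Since enable_tls is the only transport protection documented here, it would help to state that without it the simple bind sends the user's password to the LDAP server in cleartext.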
......@@ -159,7 +161,7 @@
<section>
<title>Configuring the multi-LDAP authenticaiton module</title>
<para>The module is
<para>The module is found in
<filename>auth/login-ldapmulti.php</filename>.</para>
<note>
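Review bot: the unchanged section title on the line above still reads "multi-LDAP authenticaiton module"; fix to "authentication" while touching this section.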
......@@ -172,17 +174,16 @@
<section>
<title>Setting up a SSL signing certificate</title>
<para>For test purposes, you can skip this section, and use the included
certificate.</para>
<para>For test purposes, you can skip this section, and use the
certificate included in the simpleSAMLphp distribution.</para>
<para>For a production system, uou must generate a new certificate for
<para>For a production system, you must generate a new certificate for
your IdP.</para>
<warning>
<para>There is a certificate that follows this package that you can use
for test purposes, but off course <emphasis>NEVER</emphasis> use this in
production as the private key is also included in the package and can be
downloaded by anyone.</para>
<para>The certificate that follows the simpleSAMLphp distribution must
<emphasis>NEVER</emphasis> be used in production, as the private key is
also included in the package and can be downloaded by anyone.</para>
</warning>
<para>Here is an examples of openssl commands to generate a new key and a
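Review bot: the context line "Here is an examples of openssl commands" should be "Here is an example of openssl commands", and the section title "Setting up a SSL signing certificate" should read "an SSL". The warning text itself is a clear improvement; consider also noting that the openssl example below uses `-days 60`, which is fine for testing but will expire quickly in production.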
......@@ -204,8 +205,8 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<section>
<title>Configuring metadata for an SAML 2.0 IdP</title>
<para>If you want to setup a SAML 2.0 IdP you need to configure two
metadata files: <filename>saml20-idp-hosted.php</filename> and
<para>To setup a SAML 2.0 IdP you must configure two metadata files:
<filename>saml20-idp-hosted.php</filename> and
<filename>saml20-sp-remote.php</filename>.</para>
<section>
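Review bot: "To setup a SAML 2.0 IdP" should be "To set up a SAML 2.0 IdP" (verb, two words).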
......@@ -218,18 +219,18 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
'idp.example.org' =&gt; array(
// The hostname of the server (VHOST) that this SAML entity will use.
'host' =&gt; 'sp.example.org',
'host' =&gt; 'sp.example.org',
// X.509 key and certificate. Relative to the cert directory.
'privatekey' =&gt; 'server.pem',
'certificate' =&gt; 'server.crt',
'privatekey' =&gt; 'server.pem',
'certificate' =&gt; 'server.crt',
// Authentication plugin to use. login.php is the default one that uses LDAP.
'auth' =&gt; 'auth/login.php',
'auth' =&gt; 'auth/login.php',
'authority' =&gt; 'login',
),</programlisting>
<para>Here are some details of each of the parameters:</para>
<para>Parameter details:</para>
<section>
<title>Mandatory metadata fields</title>
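Review bot: the hosted IdP example keyed `idp.example.org` sets `'host' => 'sp.example.org'` in both old and new text, which contradicts the entity ID and the later description "Host name of the server running this IdP"; suggest `'host' => 'idp.example.org'`. Also, the openssl example earlier in the file produces server2.key and server2.crt, while this metadata refers to server.pem and server.crt; aligning the two file names would save readers a guess.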
......@@ -239,8 +240,8 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>key (the key of the associative array)</glossterm>
<glossdef>
<para>The entity ID of the IdP. In this example this value is
set to: <literal>idp.example.org</literal>.</para>
<para>The entity ID of the IdP. In this example:
<literal>idp.example.org</literal>.</para>
</glossdef>
</glossentry>
......@@ -248,7 +249,7 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>host</glossterm>
<glossdef>
<para>The hostname of the server running this IdP.</para>
<para>Host name of the server running this IdP.</para>
</glossdef>
</glossentry>
......@@ -256,8 +257,8 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>privatekey</glossterm>
<glossdef>
<para>Pointing to the private key in PEM format, in the certs
directory.</para>
<para>Name of private key file in PEM format, in the
<filename>certs</filename> directory.</para>
</glossdef>
</glossentry>
......@@ -265,8 +266,8 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>certificate</glossterm>
<glossdef>
<para>Pointing to the certificate file in PEM format, in the
certs directory.</para>
<para>Name of certificate file in PEM format, in the
<filename>certs</filename> directory.</para>
</glossdef>
</glossentry>
......@@ -274,9 +275,9 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>auth</glossterm>
<glossdef>
<para>Which authentication module to use? Default is:
<filename>auth/login.php</filename> which is the LDAP
authentication module.</para>
<para>Which authentication module to use. Default:
<filename>auth/login.php, </filename>the LDAP authentication
module.</para>
</glossdef>
</glossentry>
</glosslist>
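Review bot: the comma and trailing space have ended up inside the `<filename>` element: `<filename>auth/login.php, </filename>the LDAP`. Move them outside: `<filename>auth/login.php</filename>, the LDAP authentication module.`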
......@@ -300,8 +301,9 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossdef>
<para>Who is authorized to create sessions for this IdP. Can be
login for LDAP login module, or saml2 for SAML 2.0 SP. It is
highly reccomended to set this parameter.</para>
<literal>login</literal> for LDAP login module, or
<literal>saml2</literal> for SAML 2.0 SP. Specifying this
parameter is highly recommended.</para>
</glossdef>
</glossentry>
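Review bot: since `authority` decides which module may create sessions for this IdP, the entry should say what happens when it is left unset rather than only calling it "highly recommended"; if the answer is that any module can then create sessions, say so, because that is the reason an operator will set it.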
......@@ -309,8 +311,8 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>attributemap</glossterm>
<glossdef>
<para>An attribute map is a mapping table that translate
attribute names. Read more in the advances features
<para>Mapping table for translating attribute names. For further
information, see the <emphasis>Advances Features</emphasis>
document.</para>
</glossdef>
</glossentry>
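Review bot: "Advances Features" should be "Advanced Features" (the SP remote section further down originally had "advanced"). The same typo is repeated in the other attributemap and attributealter entries in this commit.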
......@@ -319,9 +321,9 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>attributealter</glossterm>
<glossdef>
<para>You can implement custom functions that injects or
modifies attributes. Here you can specify an array of such
fuctions. Read more in the advances features document.</para>
<para>Table of custom functions that injects or modifies
attributes. For further information, see the <emphasis>Advances
Features</emphasis> document.</para>
</glossdef>
</glossentry>
</glosslist>
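Review bot: "Table of custom functions that injects or modifies attributes" needs plural agreement: "functions that inject or modify attributes". "Advances Features" should be "Advanced Features" here as well.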
......@@ -330,8 +332,10 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<section>
<title>Fields for signing authentication requests</title>
<para>simpleSAMLphp supports signing the HTTP-REDIRECT LogoutRequest,
but by default it will not sign it. It will use the same
<para>By default, simpleSAMLphp will not sign the HTTP-REDIRECT
LogoutRequest. To activate signing, set the
<literal>request.signing</literal> parameter to
<literal>true</literal>. The signing will use the same
privatekey/certificate as used for signing the AuthnResponse.</para>
<glosslist>
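Review bot: the section title says "Fields for signing authentication requests", but the new paragraph describes signing the HTTP-REDIRECT LogoutRequest; one of them is wrong, and the glossentry below also loses the phrase "signing authentication requests". Align title and text on what `request.signing` actually signs. Note also that `request.signing` is documented later under SP remote metadata with a different meaning (require signed requests from the SP); a sentence distinguishing the hosted and remote uses would avoid confusion.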
......@@ -340,8 +344,7 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossdef>
<para>A boolean value, that should be true or false. Default is
false. To turn on signing authentication requests, set this flag
to true.</para>
false.</para>
</glossdef>
</glossentry>
</glosslist>
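Review bot: "A boolean value, that should be true or false. Default is false." is redundant; the rest of the commit uses the form "Boolean, default `false`", so use that here too.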
......@@ -357,8 +360,8 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<section>
<title>Configuring SAML 2.0 SP Remote metadata</title>
<para>Here (saml20-sp-remote.php) you configure all SPs that you trust.
Here is an example:</para>
<para>In the file <filename>saml20-sp-remote.php</filename>, you
configure all SPs that you trust. Here is an example:</para>
<programlisting>/*
* Example simpleSAMLphp SAML 2.0 SP
......@@ -367,11 +370,11 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
'AssertionConsumerService' =&gt; 'https://saml2sp.example.org/simplesaml/saml2/sp/AssertionConsumerService.php',
'SingleLogoutService' =&gt; 'https://saml2sp.example.org/simplesaml/saml2/sp/SingleLogoutService.php',
'attributes' =&gt; array('email', 'eduPersonPrincipalName'),
'name' =&gt; 'Example service provider',
'attributes' =&gt; array('email', 'eduPersonPrincipalName'),
'name' =&gt; 'Example service provider',
),</programlisting>
<para>Here are some details about each of the parameters:</para>
<para>Parameter details:</para>
<section>
<title>Mandatory metadata fields</title>
......@@ -381,7 +384,7 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>key (the key of the associative array)</glossterm>
<glossdef>
<para>The entity ID of the given SP. Here it is:
<para>Entity ID of the given SP. Here:
<literal>saml2sp.example.org</literal>.</para>
</glossdef>
</glossentry>
......@@ -390,9 +393,9 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>AssertionConsumerService</glossterm>
<glossdef>
<para>The URL of this SAML 2.0 endpoint. Ask the SP if you are
unsure. If the SP sent you SAML 2.0 metadata, you can find the
parameter in there.</para>
<para>URL of this SAML 2.0 endpoint. Ask the SP if you are
uncertain. You may find the endpoint URL in SAML 2.0 metadata
received from the SP.</para>
</glossdef>
</glossentry>
</glosslist>
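Review bot: because the AssertionConsumerService URL is where this IdP will post the user's assertions, "Ask the SP if you are uncertain" undersells the point; say that the value must be taken from the SP's metadata or confirmed with the SP operator, and never guessed, since a wrong entry sends assertions to the wrong party.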
......@@ -406,9 +409,9 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>SingleLogoutService</glossterm>
<glossdef>
<para>The URL of this SAML 2.0 endpoint. Ask the SP if you are
unsure. If the SP sent you SAML 2.0 metadata, you can find the
parameter in there.</para>
<para>URL of this SAML 2.0 endpoint. Ask the SP if you are
uncertain. You may find the endpoint URL in SAML 2.0 metadata
received from the SP.</para>
</glossdef>
</glossentry>
......@@ -416,7 +419,8 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>NameIDFormat</glossterm>
<glossdef>
<para>Set it to the default: transient.</para>
<para>Set it to the default:
<literal>transient</literal>.</para>
</glossdef>
</glossentry>
......@@ -424,8 +428,8 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>SPNameQualifier</glossterm>
<glossdef>
<para>The SP NameQualifier for this SP. If not set, the IdP will
set the SPNameQualifier to be the SP entity ID.</para>
<para>SP NameQualifier for this SP. If not set, the IdP will set
the SPNameQualifier to be the SP entity ID.</para>
</glossdef>
</glossentry>
......@@ -433,8 +437,9 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>base64attributes</glossterm>
<glossdef>
<para>Perform base64 encoding of attributes sent to this
SP.</para>
<para>Boolean, default <literal>false</literal>: Perform base64
encoding of attributes sent to this SP. This parameter must be
set according to what the SP expects.</para>
</glossdef>
</glossentry>
......@@ -442,11 +447,13 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>simplesaml.nameidattribute</glossterm>
<glossdef>
<para>If the NameIDFormat is set to email, then the email
address will be retrieved from the attribute with this name. In
example, the simplesaml.nameidattribute can be set to uid, and
then the authentcation module sets an attribute with name uid.
The value of this attribute will be set as the NameID.</para>
<para>If the <code>NameIDFormat</code> is set to
<literal>email</literal>, then the email address is extracted
from the attribute with this name. E.g. if
<code>simplesaml.nameidattribute</code> is set to uid, and the
authentcation module provides an attribute named
<code>uid</code>, this attribute value is set as the
NameID.</para>
</glossdef>
</glossentry>
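Review bot: "authentcation module" in the new text still has the typo ("authentication"). Also, the first mention of uid ("is set to uid") is plain text while the second is in `<code>`; mark both the same way.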
......@@ -454,8 +461,8 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>attributemap</glossterm>
<glossdef>
<para>An attribute map is a mapping table that translate
attribute names. Read more in the advanced features
<para>Mapping table for translating attribute names. For further
information, see the <emphasis>Advances Features</emphasis>
document.</para>
</glossdef>
</glossentry>
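Review bot: the old text had "advanced features"; the new text regresses it to "Advances Features". Should be "Advanced Features".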
......@@ -464,9 +471,9 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>attributealter</glossterm>
<glossdef>
<para>You can implement custom functions that injects or
modifies attributes. Here you can specify an array of such
fuctions. Read more in the advances features document.</para>
<para>Table of custom functions that injects or modifies
attributes. For further information, see the <emphasis>Advances
Features</emphasis> document.</para>
</glossdef>
</glossentry>
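Review bot: "functions that injects or modifies" should be "functions that inject or modify", and "Advances Features" should be "Advanced Features", as in the corresponding hosted-metadata entry.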
......@@ -474,8 +481,8 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>simplesaml.attributes</glossterm>
<glossdef>
<para>Should an attribute statement be sent to the SP? Default
is <literal>true</literal>.</para>
<para>Boolean, default <literal>true</literal>: Send an
attribute statement to the SP.</para>
</glossdef>
</glossentry>
......@@ -483,9 +490,8 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>attributes</glossterm>
<glossdef>
<para>An array of attributes that will be sent to the SP. If
this field is not set, the SP will get all attributes available
at the IdP.</para>
<para>Array of attributes sent to the SP. If this field is not
set, the SP receives all attributes available at the IdP.</para>
</glossdef>
</glossentry>
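Review bot: "If this field is not set, the SP receives all attributes available at the IdP" describes a release-everything default; the entry should recommend always listing the attributes each SP needs, so that an SP only receives what it requires.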
......@@ -510,8 +516,8 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>request.signing</glossterm>
<glossdef>
<para>A boolean value set to true or false. Defines whether this
IdP should require signed requests from this SP.</para>
<para>Boolean, default <literal>false</literal>. Defines whether
this IdP should require signed requests from this SP.</para>
</glossdef>
</glossentry>
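Review bot: "default `false`" is a new factual claim introduced by a language pass; confirm against the code before documenting it. As this `request.signing` (require signed requests from the SP) differs from the hosted-metadata `request.signing` (sign outgoing requests), a short cross-reference here would help.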
......@@ -519,9 +525,9 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<glossterm>certificate</glossterm>
<glossdef>
<para>The name of the certificate file used to verify the
signature, if <literal>request.signing</literal> is set to
true.</para>
<para>Name of certificate file for verifying the signature when
<literal>request.signing</literal> is set to
<literal>true</literal>.</para>
</glossdef>
</glossentry>
</glosslist>
......@@ -532,11 +538,12 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<section>
<title>Configuring metadata for a Shibboleth 1.3 IdP</title>
<para>You need to configure the <filename>shib13-idp-hosted.php</filename>
metadata, as well as the list of trusted SPs in the
<filename>shib13-sp-remote-php</filename> metadata. This configuration is
very similar to the SAML 2.0 metadata mentioned in the previous section,
so go look there for now.</para>
<para>In the file <filename>shib13-idp-hosted.php</filename>, you
configure metadata for the Shibboleth 1.3 IdP. In the file
<filename>shib13-sp-remote.php</filename>, you configurethe list of
trusted SPs using the Shibboleth 1.3 protocol. This configuration is very
similar to configuring SAML 2.0 metadata; please find information in the
previous chapter.</para>
</section>
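Review bot: "you configurethe list" is missing a space ("configure the"). Good catch on the file name fix from `shib13-sp-remote-php` to `shib13-sp-remote.php`.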
<section>
......@@ -548,18 +555,19 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<tip>
<para>To make the initial test up and running with minimal hassle, use
the login-auto if you do not want to setup a user storage, and use the
included cert so you do not need to create a new certificate.</para>
included certificate so you do not need to create a new one.</para>
</tip>
</section>
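Review bot: the tip recommends login-auto for initial testing, but the module list above describes auth/login-auto.php as "not completed yet. Work in progress"; either the tip or the module entry is stale. Also "To make the initial test up and running" is awkward; suggest "To get an initial test running with minimal hassle".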
<section>
<title>Support</title>
<para>If you have problems to get this work, or want to discuss
simpleSAMLphp with other users of the software you are lucky! Around
simpleSAMLphp there is a great Open source community, and you are welcome
to join! Both for asking question, answer other questions, request
improvements or contribute with code or plugins of your own.</para>
<para>If you need help to make this work, or want to discuss simpleSAMLphp
with other users of the software, you are fortunate: Around simpleSAMLphp
there is a great Open source community, and you are welcome to join! The
forums are open for you to ask questions, contribute answers other further
questions, request improvements or contribute with code or plugins of your
own.</para>
<itemizedlist>
<listitem>
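Review bot: "contribute answers other further questions" is garbled; suggest "answer other users' questions". "you are fortunate:" followed by "Around simpleSAMLphp there is a great Open source community" would read better as two sentences, with "open source" in lower case.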
......@@ -605,21 +613,20 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
<section>
<title>Authentication API</title>
<para>The authentication plugin should be placed in the auth
directory.</para>
<para>The authentication plugin should be placed in the
<filename>auth</filename> directory.</para>
<para>The following parameters must be accepted in the incomming
URL:</para>
<itemizedlist>
<listitem>
<para><literal>RelayState</literal>: This is the URL that the user
should be sent back to after authentication within the
plugin.</para>
<para><literal>RelayState</literal>: URL where the user is sent
after authentication within the plugin.</para>
</listitem>
<listitem>
<para><literal>RequestID</literal>: This is the ID of an incomming
<para><literal>RequestID</literal>: ID of an incomming
request.</para>
</listitem>
</itemizedlist>
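Review bot: "incomming" still appears twice in this hunk (the context line and the new RequestID line); should be "incoming". Since RelayState is a URL taken from the request and used as a redirect target after authentication, the API description should tell plugin authors to validate it rather than redirect to it blindly.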