SP remote metadata reference
============================
<!-- {{TOC}} -->
This is a reference for metadata options available for
`metadata/saml20-sp-remote.php` and `metadata/shib13-sp-remote.php`.
Both files have the following format:
<?php
/* The index of the array is the entity ID of this SP. */
$metadata['entity-id-1'] = array(
/* Configuration options for the first SP. */
);
$metadata['entity-id-2'] = array(
/* Configuration options for the second SP. */
);
/* ... */
Common options
--------------
The following options are common between both the SAML 2.0 protocol
and Shibboleth 1.3 protocol:
`attributes`
: This should indicate which attributes an SP should receive. It is
used by for example the `consent:Consent` module to tell the user
which attributes the SP will receive, and the `core:AttributeLimit`
module to limit which attributes are sent to the SP.
`authproc`
: Used to manipulate attributes, and limit access for each SP. See
the [authentication processing filter manual](simplesamlphp-authproc).
`base64attributes`
: Whether attributes sent to this SP should be base64 encoded. The
default is `FALSE`.
`description`
: A description of this SP. Will be used by various modules when they
need to show a description of the SP to the user.
: This option can be translated into multiple languages in the same
way as the `name`-option.
`name`
: The name of this SP. Will be used by various modules when they need
to show a name of the SP to the user.
: If this option is unset, the organization name will be used instead (if it is available).
: This option can be translated into multiple languages by specifying
the value as an array of language-code to translated name:
'name' => array(
'en' => 'A service',
'no' => 'En tjeneste',
),
`OrganizationName`
: The name of the organization responsible for this SPP.
This name does not need to be suitable for display to end users.
: This option can be translated into multiple languages by specifying the value as an array of language-code to translated name:
'OrganizationName' => array(
'en' => 'Example organization',
'no' => 'Eksempel organisation',
),
: *Note*: If you specify this option, you must also specify the `OrganizationURL` option.
`OrganizationDisplayName`
: The name of the organization responsible for this IdP.
This name must be suitable for display to end users.
If this option isn't specified, `OrganizationName` will be used instead.
: This option can be translated into multiple languages by specifying the value as an array of language-code to translated name.
: *Note*: If you specify this option, you must also specify the `OrganizationName` option.
`OrganizationURL`
: A URL the end user can access for more information about the organization.
: This option can be translated into multiple languages by specifying the value as an array of language-code to translated URL.
: *Note*: If you specify this option, you must also specify the `OrganizationName` option.
`privacypolicy`
: This is an absolute URL for where an user can find a privacypolicy
for this SP. If set, this will be shown on the consent page.
`%SPENTITYID%` in the URL will be replaced with the entity id of
this service provider.
: Note that this option also exists in the IdP-hosted metadata. This
entry in the SP-remote metadata overrides the option in the
IdP-hosted metadata.
`userid.attribute`
: The attribute name of an attribute which uniquely identifies
the user. This attribute is used if simpleSAMLphp needs to generate
a persistent unique identifier for the user. This option can be set
in both the IdP-hosted and the SP-remote metadata. The value in the
sp-remote metadata has the highest priority. The default value is
`eduPersonPrincipalName`.
: Note that this option also exists in the IdP-hosted metadata. This
entry in the SP-remote metadata overrides the option in the
IdP-hosted metadata.
SAML 2.0 options
----------------
The following SAML 2.0 options are available:
`AssertionConsumerService`
: The URL of the AssertionConsumerService endpoint for this SP.
This option is required - without it you will not be able to send
responses back to the SP.
: The value of this option is specified in one of several [endpoint formats](./simplesamlphp-metadata-endpoints).
`attributes.NameFormat`
: What value will be set in the Format field of attribute
statements. This parameter can be configured multiple places, and
the actual value used is fetched from metadata by the following
priority:
: 1. SP Remote Metadata
2. IdP Hosted Metadata
: The default value is:
`urn:oasis:names:tc:SAML:2.0:attrname-format:basic`
: Some examples of values specified in the SAML 2.0 Core
Specification:
: - `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified`
- `urn:oasis:names:tc:SAML:2.0:attrname-format:uri` (The default
in Shibboleth 2.0)
- `urn:oasis:names:tc:SAML:2.0:attrname-format:basic` (The
default in Sun Access Manager)
: You can also define your own value.
: Note that this option also exists in the IdP-hosted metadata. This
entry in the SP-remote metadata overrides the option in the
IdP-hosted metadata.
: (This option was previously named `AttributeNameFormat`.)
`encryption.blacklisted-algorithms`
: Blacklisted encryption algorithms. This is an array containing the algorithm identifiers.
: Note that this option also exists in the IdP-hosted metadata. This
entry in the SP-remote metadata overrides the option in the
[IdP-hosted metadata](./simplesamlphp-reference-idp-hosted).
: The RSA encryption algorithm with PKCS#1 v1.5 padding is blacklisted by default for security reasons. Any assertions
encrypted with this algorithm will therefore fail to decrypt. You can override this limitation by defining an empty
array in this option (or blacklisting any other algorithms not including that one). However, it is strongly
discouraged to do so. For your own safety, please include the string 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' if
you make use of this option.
`ForceAuthn`
: Set this `TRUE` to force the user to reauthenticate when the IdP
receives authentication requests from this SP. The default is
`FALSE`.
`NameIDFormat`
: The `NameIDFormat` this SP should receive. The three most commonly
used values are:
: 1. `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`
2. `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`
3. `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`
: The `transient` format will generate a new unique ID every time
the SP logs in.
: To properly support the `persistent` and `emailAddress` formats,
you should configure [NameID generation filters](./saml:nameid)
on your IdP.
`nameid.encryption`
: Whether NameIDs sent to this SP should be encrypted. The default
value is `FALSE`.
: Note that this option also exists in the IdP-hosted metadata. This
entry in the SP-remote metadata overrides the option in the
[IdP-hosted metadata](./simplesamlphp-reference-idp-hosted).
`SingleLogoutService`
: The URL of the SingleLogoutService endpoint for this SP.
This option is required if you want to implement single logout for
this SP. If the option isn't specified, this SP will not be logged
out automatically when a single logout operation is initialized.
: The value of this option is specified in one of several [endpoint formats](./simplesamlphp-metadata-endpoints).
`SingleLogoutServiceResponse`
: The URL logout responses to this SP should be sent. If this option
is unspecified, the `SingleLogoutService` endpoint will be used as
the recipient of logout responses.
`SPNameQualifier`
: SP NameQualifier for this SP. If not set, the IdP will set the
SPNameQualifier to be the SP entity ID.
`certData`
: The base64 encoded certificate for this SP. This is an alternative to storing the certificate in a file on disk and specifying the filename in the `certificate`-option.
`certificate`
: Name of certificate file for this SP. The certificate is used to
verify the signature of messages received from the SP (if
`redirect.validate`is set to `TRUE`), and to encrypting assertions
(if `assertion.encryption` is set to TRUE and `sharedkey` is
unset.)
`saml20.sign.response`
: Whether `<samlp:Response>` messages should be signed.
Defaults to `TRUE`.
: Note that this option also exists in the IdP-hosted metadata.
The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
`saml20.sign.assertion`
: Whether `<saml:Assertion>` elements should be signed.
Defaults to `TRUE`.
: Note that this option also exists in the IdP-hosted metadata.
The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
`signature.algorithm`
: The algorithm to use when signing any message sent to this specific service provider. Defaults to RSA-SHA1.
: Note that this option also exists in the IdP-hosted metadata.
The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
: Possible values:
* `http://www.w3.org/2000/09/xmldsig#rsa-sha1`
*Note*: the use of SHA1 is **deprecated** and will be disallowed in the future.
* `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`
* `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384`
* `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512`
`simplesaml.nameidattribute`
: When the value of the `NameIDFormat`-option is set to either
`email` or `persistent`, this is the name of the attribute which
should be used as the value of the `NameID`. The attribute must
be in the set of attributes exported to the SP (that is, be in
the `attributes` array). For more advanced control over `NameID`,
including the ability to specify any attribute regardless of
the set sent to the SP, see the [NameID processing filters](./saml:nameid).
: Typical values can be `mail` for when using the `email` format,
and `eduPersonTargetedID` when using the `persistent` format.
`simplesaml.attributes`
: Whether the SP should receive any attributes from the IdP. The
default value is `TRUE`.
`attributeencodings`
: What encoding should be used for the different attributes. This is
an array which maps attribute names to attribute encodings. There
are three different encodings:
: - `string`: Will include the attribute as a normal string. This is
the default.
: - `base64`: Store the attribute as a base64 encoded string. This
is the default when the `base64attributes`-option is set to
`TRUE`.
: - `raw`: Store the attribute without any modifications. This
makes it possible to include raw XML in the response.
`sign.logout`
: Whether to sign logout messages sent to this SP.
: Note that this option also exists in the IdP-hosted metadata.
The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
`validate.authnrequest`
: Whether we require signatures on authentication requests sent from this SP.
: Note that this option also exists in the IdP-hosted metadata.
The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
`validate.logout`
: Whether we require signatures on logout messages sent from this SP.
: Note that this option also exists in the IdP-hosted metadata.
The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
### Encrypting assertions
It is possible to encrypt the assertions sent to a SP. Currently the
only algorithm supported is `AES128_CBC` or `RIJNDAEL_128`.
There are two modes of encryption supported by simpleSAMLphp. One is
symmetric encryption, in which case both the SP and the IdP needs to
share a key. The other mode is the use of public key encryption. In
that mode, the public key of the SP is extracted from the certificate
of the SP.
`assertion.encryption`
: Whether assertions sent to this SP should be encrypted. The default
value is `FALSE`.
: Note that this option also exists in the IdP-hosted metadata. This
entry in the SP-remote metadata overrides the option in the
IdP-hosted metadata.
`sharedkey`
: Symmetric key which should be used for encryption. This should be a
128-bit key. If this option is not specified, public key encryption
will be used instead.
### Fields for signing and validating messages
simpleSAMLphp only signs authentication responses by default.
Signing of logout requests and logout responses can be enabled by
setting the `redirect.sign` option. Validation of received messages
can be enabled by the `redirect.validate` option.
These options overrides the options set in `saml20-idp-hosted`.
`redirect.sign`
: Whether logout requests and logout responses sent to this SP should
be signed. The default is `FALSE`.
`redirect.validate`
: Whether authentication requests, logout requests and logout
responses received from this SP should be validated. The default is
`FALSE`
**Example: Configuration for validating messages**
'redirect.validate' => TRUE,
'certificate' => 'example.org.crt',
### Fields for scoping
Only relevant if you are a proxy/bridge and wants to limit the idps this
sp can use.
`IDPList`
: The list of scoped idps ie. the list of entityids for idps that are
relevant for this sp. The final list is the concatenation of the list
given as parameter to InitSSO (at the sp), the list configured at the
sp and the list configured at the ipd (here) for this sp. The intersection
of the final list and the idps configured at the at this idp will be
presented to the user at the discovery service if neccessary. If only one
idp is in the intersection the discoveryservice will go directly to the idp.
**Example: Configuration for scoping**
'IDPList' => array('https://idp1.wayf.dk', 'https://idp2.wayf.dk'),
Shibboleth 1.3 options
----------------------
The following options for Shibboleth 1.3 SP's are avaiblable:
`AssertionConsumerService`
: The URL of the AssertionConsumerService endpoint for this SP.
This endpoint must accept the SAML responses encoded with the
`urn:oasis:names:tc:SAML:1.0:profiles:browser-post` encoding.
This option is required - without it you will not be able to send
responses back to the SP.
: The value of this option is specified in one of several [endpoint formats](./simplesamlphp-metadata-endpoints).
`NameQualifier`
: What the value of the `NameQualifier`-attribute of the
`<NameIdentifier>`-element should be. The default value is the
entity ID of the SP.
`audience`
: The value which should be given in the `<Audience>`-element in the
`<AudienceRestrictionCondition>`-element in the response. The
default value is the entity ID of the SP.
`scopedattributes`
: Array with names of attributes which should be scoped. Scoped
attributes will receive a `Scope`-attribute on the
`AttributeValue`-element. The value of the Scope-attribute will
be taken from the attribute value:
: `<AttributeValue>someuser@example.org</AttributeValue>`
: will be transformed into
: `<AttributeValue Scope="example.org">someuser</AttributeValue>`
: By default, no attributes are scoped. This option overrides the
option with the same name in the `shib13-idp-hosted.php` metadata
file.
|