# Configuring service provider metadata for SimpleSAMLphp

The information on this documentation page is part of the SimpleSAMLphp installation process.

If your production and non-production environments have different needs, you can configure per-environment IdPs.

After configuring your SP, as described in Installing the SimpleSAMLphp library, you must obtain its metadata from SimpleSAMLphp by completing the following steps:

1. In a web browser, open http://[example.com]/simplesaml/, replacing [example.com] with the domain name of your website.

2. In the SimpleSAMLphp page that appears, click the Federation tab.

3. Click Show Metadata for your SP. The SP name defaults to default-sp unless you have configured another value in authsources.php.

4. (Optional) If your IdP requires the Assertion Endpoint URL, it can be found in the SP metadata as the value of Location in a line similar to the following:

```xml
<md:AssertionConsumerService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
    index="0"/>
```


After obtaining this SP metadata, you can define and configure your IdP.

## Defining and configuring your IdP

IdP metadata is provided in XML format, which you must convert into a PHP-readable format using a converter tool included with SimpleSAMLphp.

To define and configure your IdP:

2. Visit the XML to SimpleSAMLphp metadata converter included with SimpleSAMLphp at http://[example.com]/simplesaml/admin/metadata-converter.php, replacing [example.com] with the domain name of your website.
4. Click Parse. SimpleSAMLphp displays formatted metadata for the following files:
• saml20-sp-remote.php
• saml20-idp-remote.php
5. Save your changes to the saml20-idp-remote.php file.
6. (Optional) If your application uses per-environment IdPs, change the saml20-idp-remote.php file, as described in Configuring per-environment IdPs.
7. Upload saml20-idp-remote.php into the metadata directory inside the simplesamlphp directory you created in Installing the SimpleSAMLphp library.

After completing these steps, test your connection with the SimpleSAMLphp library.

## Configuring per-environment IdPs

To use different IdPs for different environments without having to add logic, you can require a file from the file system, which can contain different information for each environment. To vary the IdP values, complete the following steps:

1. Add the following require statement to the /simplesamlphp/metadata/saml20-idp-remote.php file:

```php
if (file_exists('/var/www/site-php')) {
  require("/mnt/gfs/{$_ENV['AH_SITE_NAME']}/config/saml/saml20-idp-remote.php");
}
```

2. On your local computer, create a file named saml20-idp-remote.php, and then add the PHP-formatted version of your per-environment IdP metadata to the file.

   Note: Be sure the opening <?php tag is present in your file, or the file won’t load correctly.

3. Upload saml20-idp-remote.php to the /mnt/gfs/{$_ENV['AH_SITE_NAME']}/config/saml/ directory, replacing {$_ENV['AH_SITE_NAME']} with the sitename for that environment.

## Example IdP configuration file

The following file is an example of an IdP configuration after conversion to a PHP-readable format:

```php
<?php
// The key to the metadata should be the Entity ID of the IdP.
$metadata['<entity id from the IdP metadata>'] = array(
  'name' => array(
    'en' => '<a short description of the IdP>',
  ),

  'SingleSignOnService' =>
  array (
    0 =>
    array (
      // Binding and Location can be found in the IdP’s metadata.
      // DO NOT USE HTTP-POST.
      // It is not supported by older versions of SimpleSAMLphp and
      // doesn’t work well with newer versions.
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => '<the location from the IdP metadata>',
    ),
  ),

  // NameIDFormat can be found in the IdP’s metadata.
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
  'keys' =>
  array (
    0 =>
    array (
      // If the connection requires a key, enter that information here.
      // The key will be in the IdP’s metadata.
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => '<certificate value>',
    ),
  ),
);
```