After you have provided information about your service provider (SP) and identity provider (IdP) to SimpleSAMLphp, you must obtain SP metadata and define your IdP’s configuration, based on the IdP’s metadata.
If your production and non-production environments have different needs, you can configure per-environment IdPs.
Obtaining SP metadata
After configuring your SP, as described in Installing the SimpleSAMLphp library, obtain its metadata from SimpleSAMLphp by completing the following steps:
1. In a web browser, open http://[example.com]/simplesaml/, replacing [example.com] with the domain name of your website. Use https:// wherever your site serves it, because the admin pages under this path are protected by the SimpleSAMLphp admin password.
2. In the SimpleSAMLphp page that appears, click the Federation tab.
3. Click Show Metadata for the SP. The SP name defaults to default-sp unless you have configured another value in authsources.php.
SimpleSAMLphp displays the metadata. The first line contains the link to the metadata you must provide to your IdP.
(Optional) If your IdP requires the Assertion Consumer Service (ACS) URL, sometimes called the Assertion Endpoint URL, it can be found in the SP metadata as the value of Location in a line similar to the following:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" index="0"/>
After obtaining this SP metadata, you can define and configure your IdP.
Defining and configuring your IdP
IdP metadata is provided in XML format, which you must convert into a PHP-readable format, using a tool included with SimpleSAMLphp.
To define and configure your IdP:
1. Obtain the IdP metadata from your identity provider. This is the IdP's own metadata, not the SP metadata described in Obtaining SP metadata. Ensure it is in XML format. Because it carries the certificate SimpleSAMLphp uses to verify signed assertions, fetch it from a source you trust, such as the IdP's HTTPS metadata URL.
2. Visit the XML to SimpleSAMLphp metadata converter included with SimpleSAMLphp at http://[example.com]/simplesaml/admin/metadata-converter.php, replacing [example.com] with the domain name of your website. This is an admin page, so SimpleSAMLphp prompts for its admin password.
3. Paste the XML-formatted IdP metadata into the XML Metadata field.
4. Click Parse. SimpleSAMLphp displays the converted metadata under a heading for each metadata set it finds in the XML, for example saml20-sp-remote.php or saml20-idp-remote.php. For IdP metadata, use the saml20-idp-remote.php output.
5. Save the saml20-idp-remote.php output to a file named saml20-idp-remote.php.
6. (Optional) If your application uses per-environment IdPs, change the saml20-idp-remote.php file, as described in Configuring per-environment IdPs.
7. Upload saml20-idp-remote.php into the metadata directory inside the simplesamlphp directory you created in Installing the SimpleSAMLphp library.
After completing these steps, test your connection with the SimpleSAMLphp library.
Configuring per-environment IdPs
To use different IdPs for different environments without adding environment-specific logic to your application code, you can require a file from the file system that contains different information for each environment. The required file decides which IdP, and which signing certificate, your site trusts, so restrict write access to it as strictly as to the rest of your SimpleSAMLphp configuration. To vary the IdP values, complete the following steps:
1. Add the following require statement to the /simplesamlphp/metadata/saml20-idp-remote.php file:
if (file_exists('/var/www/site-php')) { require("/mnt/gfs/{$_ENV['AH_SITE_NAME']}/config/saml/saml20-idp-remote.php"); }
2. On your local computer, create a file named saml20-idp-remote.php, and then add the PHP-formatted version of your per-environment IdP metadata to the file.
Note: Be sure the opening <?php tag is present in your file, or the file won't load correctly.
3. Upload saml20-idp-remote.php to the /mnt/gfs/{$_ENV['AH_SITE_NAME']}/config/saml/ directory, replacing {$_ENV['AH_SITE_NAME']} with the sitename for that environment.
Example IdP configuration file
The following file is an example of an IdP configuration after conversion to a PHP-readable format:
<?php
// The key to the metadata should be the Entity ID of the IdP
$metadata['<entity id from the IdP metadata>'] = array(
    'name' => array(
        'en' => '<a short description of the IdP>',
    ),
    'metadata-set' => 'saml20-idp-remote',
    'SingleSignOnService' => array(
        0 => array(
            // Binding and Location can be found in the IdP's metadata.
            // DO NOT USE HTTP-POST.
            // It is not supported by older versions of SimpleSAMLphp and
            // doesn't work well with newer versions.
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => '<the location from the IdP metadata>',
        ),
    ),
    // NameIDFormat can be found in the IdP's metadata.
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    'keys' => array(
        0 => array(
            // The IdP's signing certificate, copied from the KeyDescriptor
            // in its metadata. SimpleSAMLphp uses it to verify the signature
            // on responses and assertions, so it is the trust anchor for
            // this IdP: take it only from metadata you obtained securely.
            'encryption' => false,
            'signing' => true,
            'type' => 'X509Certificate',
            'X509Certificate' => '<certificate value>',
        ),
    ),
);
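The following script is an added example, not part of the original page or of the SimpleSAMLphp project: an offline stand-in for the metadata-converter step in Defining and configuring your IdP that produces an entry in the shape of the example file above. It parses SAML 2.0 IdP metadata with the Python standard library, keeps only the HTTP-Redirect SingleSignOnService endpoint, collects the signing certificates and fails closed when the metadata carries none, and also accepts a federation EntitiesDescriptor that wraps several entities. The sample metadata, the entity IDs and URLs, the certificate value and the function names (parse_idp_metadata, render_php) are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata with placeholder values; not a real IdP.
IDP_METADATA_XML = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/saml2/idp/SSOService.php"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _idp_entity(root):
    """Accept a bare EntityDescriptor or a federation EntitiesDescriptor."""
    ents = ([root] if root.tag == "{%s}EntityDescriptor" % NS["md"]
            else root.findall("md:EntityDescriptor", NS))
    for ent in ents:
        if ent.find("md:IDPSSODescriptor", NS) is not None:
            return ent
    raise ValueError("no EntityDescriptor with an IDPSSODescriptor found")


def parse_idp_metadata(xml_text):
    """Extract what saml20-idp-remote.php needs; fail closed if anything is missing."""
    ent = _idp_entity(ET.fromstring(xml_text))
    idp = ent.find("md:IDPSSODescriptor", NS)
    # Keep only the HTTP-Redirect SSO endpoint, following the page's advice.
    sso = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)
           if e.get("Binding") == HTTP_REDIRECT]
    if not sso:
        raise ValueError("IdP publishes no HTTP-Redirect SingleSignOnService")
    # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            c = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if c is not None and c.text:
                certs.append("".join(c.text.split()))  # drop PEM line wrapping
    if not certs:
        # Without a signing certificate the SP cannot verify assertion signatures.
        raise ValueError("IdP metadata carries no signing certificate")
    nif = idp.find("md:NameIDFormat", NS)
    return {
        "entity_id": ent.get("entityID"),
        "sso_redirect": sso[0],
        "name_id_format": nif.text.strip() if nif is not None and nif.text else None,
        "signing_certs": certs,
    }


def _q(s):
    """Quote a value as a single-quoted PHP string literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_php(entry, display_name):
    """Render one $metadata[...] entry in the format of saml20-idp-remote.php."""
    lines = ["<?php",
             "// Generated from IdP metadata; the keys below are the trust anchor for assertions.",
             "$metadata[%s] = array(" % _q(entry["entity_id"]),
             "    'name' => array('en' => %s)," % _q(display_name),
             "    'metadata-set' => 'saml20-idp-remote',",
             "    'SingleSignOnService' => array(array(",
             "        'Binding' => %s," % _q(HTTP_REDIRECT),
             "        'Location' => %s," % _q(entry["sso_redirect"]),
             "    )),"]
    if entry["name_id_format"]:
        lines.append("    'NameIDFormat' => %s," % _q(entry["name_id_format"]))
    lines.append("    'keys' => array(")
    for cert in entry["signing_certs"]:
        lines += ["        array(",
                  "            'encryption' => false,",
                  "            'signing' => true,",
                  "            'type' => 'X509Certificate',",
                  "            'X509Certificate' => %s," % _q(cert),
                  "        ),"]
    lines += ["    ),", ");"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_php(parse_idp_metadata(IDP_METADATA_XML), "Example IdP"))
```

Run it with the metadata your IdP actually publishes in place of IDP_METADATA_XML and compare the result with the converter's output; the SimpleSAMLphp converter remains the authoritative tool, and the script's value is in making explicit which fields the PHP entry depends on and that an entry without a signing certificate should never be installed.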