Configuring service provider metadata for SimpleSAMLphp

The information on this documentation page is part of the SimpleSAMLphp installation process.

After you have provided information about your service provider (SP) and identity provider (IdP) to SimpleSAMLphp, you must obtain SP metadata and define your IdP’s configuration, based on the IdP’s metadata.

If your production and non-production environments have different needs, you can configure per-environment IdPs.

Obtaining SP metadata

After configuring your SP, as described in Installing the SimpleSAMLphp library, you must obtain its metadata from SimpleSAMLphp by completing the following steps:

  1. In a web browser, open http://[example.com]/simplesaml/, replacing [example.com] with the domain name of your website.

  2. In the SimpleSAMLphp page that appears, click the Federation tab.

  3. Click Show Metadata for the SP. This value defaults to default-sp unless you have configured another value in authsources.php.

    SimpleSAMLphp displays the metadata. The first line contains the link to the metadata you must provide to your IdP.

  4. (Optional) If your IdP requires the Assertion Endpoint URL, it can be found in the SP metadata as the value of Location in a line similar to the following:

    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
        index="0"/>

After obtaining this SP metadata, you can define and configure your IdP.

Defining and configuring your IdP

IdP metadata is provided in XML format, which you must convert into a PHP-readable format, using a tool included with SimpleSAMLphp.

To define and configure your IdP:

  1. Obtain your IdP metadata from your service provider, as described in Obtaining SP metadata. Ensure the metadata is in XML format.

  2. Visit the XML to SimpleSAMLphp metadata converter included with SimpleSAMLphp at http://[example.com]/simplesaml/admin/metadata-converter.php, replacing [example.com] with the domain name of your website.

  3. Paste the XML-formatted IdP metadata into the XML Metadata field.

  4. Click Parse. SimpleSAMLphp displays formatted metadata for the following files:

    • saml20-sp-remote.php

    • saml20-idp-remote.php

  5. Save your changes to the saml20-idp-remote.php file.

  6. (Optional) If your application uses per-environment IdPs, change the saml20-idp-remote.php file, as described in Configuring per-environment IdPs.

  7. Upload saml20-idp-remote.php into the metadata directory inside the simplesamlphp directory you created in Installing the SimpleSAMLphp library.

After completing these steps, test your connection with the SimpleSAMLphp library.

Configuring per-environment IdPs

To use different IdPs for different environments without adding environment-detection logic to your application, you can require a file from the file system that holds different IdP metadata in each environment. To vary the IdP values, complete the following steps:

  1. Add the following require statement to the /simplesamlphp/metadata/saml20-idp-remote.php file:

    if (file_exists('/var/www/site-php')) {
        require("/mnt/gfs/{$_ENV['AH_SITE_NAME']}/config/saml/saml20-idp-remote.php");
    }
  2. On your local computer, create a file named saml20-idp-remote.php, and then add the PHP-formatted version of your per-environment IdP metadata to the file.

    Note

    Be sure the opening <?php tag is present in your file, or the file won’t load correctly.

  3. Upload saml20-idp-remote.php to the /mnt/gfs/{$_ENV['AH_SITE_NAME']}/config/saml/ directory, replacing {$_ENV['AH_SITE_NAME']} with the sitename for that environment.

Example IdP configuration file

The following file is an example of an IdP configuration after conversion to a PHP-readable format:

<?php
// The key to the metadata should be the Entity ID of the IdP
$metadata['<entity id from the IdP metadata>'] = array(
  'name' => array(
    'en' => '<a short description of the IdP>',
  ),

  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' =>
    array (
      0 =>
        array (
          // Binding and Location can be found in the IdP’s metadata.
          // DO NOT USE HTTP-POST.
          // It is not supported by older versions of SimpleSAMLphp and
          // doesn’t work well with newer versions.
          'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
          'Location' => '<the location from the IdP metadata>',
        ),
    ),

  // NameIDFormat can be found in the IdP’s metadata.
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
  'keys' =>
    array (
      0 =>
        array (
          // If the connection requires a key, enter that information here.
          // The key will be in the IdP’s metadata.
          'encryption' => false,
          'signing' => true,
          'type' => 'X509Certificate',
          'X509Certificate' => '<certificate value>',
        ),
    ),
);