1 <?php
2 
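// Advanced settings template for the SP. Every key below has a default value;
// the `security` defaults are deliberately permissive so that the toolkit works
// against any IdP out of the box — a production deployment is expected to
// tighten them (see the saml2int notes at the end of this file).
$advancedSettings = [

    // Compression settings
    // Controls whether the getRequest/getResponse methods return the Request/Response deflated.
    // If a $deflate boolean parameter is passed to getRequest or getResponse, that parameter
    // takes priority over these settings.
    'compress' => [
        'requests' => true,
        'responses' => true,
    ],

    // Security settings
    'security' => [

        /** signatures and encryptions offered */

        // Indicates that the NameID of the <samlp:LogoutRequest> sent by this SP
        // will be encrypted.
        'nameIdEncrypted' => false,

        // Indicates whether the <samlp:AuthnRequest> messages sent by this SP
        // will be signed.              [The Metadata of the SP will offer this info]
        'authnRequestsSigned' => false,

        // Indicates whether the <samlp:LogoutRequest> messages sent by this SP
        // will be signed.
        'logoutRequestSigned' => false,

        // Indicates whether the <samlp:LogoutResponse> messages sent by this SP
        // will be signed.
        'logoutResponseSigned' => false,

        /* Sign the Metadata
         false || true (use sp certs) || [
                                                     'keyFileName' => 'metadata.key',
                                                     'certFileName' => 'metadata.crt',
                                                ]
                                       || [
                                                     'x509cert' => '',
                                                     'privateKey' => '',
                                                ]
        */
        'signMetadata' => false,


        /** signatures and encryptions required **/

        // NOTE: with wantMessagesSigned, wantAssertionsSigned and wantAssertionsEncrypted
        // all left at false, this SP places no signature or encryption requirement on
        // what it receives. Require at least one signature option (the saml2int profile
        // sets wantAssertionsSigned to true) before relying on the responses.

        // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
        // <samlp:LogoutResponse> elements received by this SP to be signed.
        'wantMessagesSigned' => false,

        // Indicates a requirement for the <saml:Assertion> elements received by
        // this SP to be encrypted.
        'wantAssertionsEncrypted' => false,

        // Indicates a requirement for the <saml:Assertion> elements received by
        // this SP to be signed.        [The Metadata of the SP will offer this info]
        'wantAssertionsSigned' => false,

        // Indicates a requirement for the NameID element on the SAMLResponse received
        // by this SP to be present.
        'wantNameId' => true,

        // Indicates a requirement for the NameID received by
        // this SP to be encrypted.
        'wantNameIdEncrypted' => false,

        // Authentication context.
        // Set to false and no AuthnContext will be sent in the AuthnRequest.
        // Set to true, or omit this parameter, and you will get an AuthnContext 'exact'
        // 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'.
        // Set an array with the possible auth context values, e.g.
        // ['urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'].
        'requestedAuthnContext' => false,

        // Allows the AuthnContext comparison parameter to be set; defaults to 'exact'
        // if the setting is not present.
        'requestedAuthnContextComparison' => 'exact',

        // Indicates whether the SP will validate all received XML documents.
        // (In order to validate the XML, 'strict' and 'wantXMLValidation' must both be true.)
        'wantXMLValidation' => true,

        // If true, SAMLResponses with an empty value in their Destination
        // attribute will not be rejected on that ground.
        'relaxDestinationValidation' => false,

        // If true, the Destination URL must strictly match the address to
        // which the response was sent.
        // Notice that if 'relaxDestinationValidation' is true an empty Destination
        // will still be accepted.
        'destinationStrictlyMatches' => false,

        // If true, SAMLResponses carrying an InResponseTo value will be rejected when
        // no AuthnRequest ID was provided to the validation method.
        'rejectUnsolicitedResponsesWithInResponseTo' => false,

        // Algorithm that the toolkit will use in the signing process. Options:
        //    'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
        //    'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
        // Notice that sha1 is a deprecated algorithm and should not be used.
        'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',

        // Algorithm that the toolkit will use in the digest process. Options:
        //    'http://www.w3.org/2000/09/xmldsig#sha1'
        //    'http://www.w3.org/2001/04/xmlenc#sha256'
        //    'http://www.w3.org/2001/04/xmldsig-more#sha384'
        //    'http://www.w3.org/2001/04/xmlenc#sha512'
        // Notice that sha1 is a deprecated algorithm and should not be used.
        'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256',

        // ADFS URL-encodes SAML data as lowercase, while the toolkit by default uses
        // uppercase. Set to true for ADFS compatibility on signature verification.
        'lowercaseUrlencoding' => false,
    ],

    // Contact information template; it is recommended to supply technical and support contacts.
    'contactPerson' => [
        'technical' => [
            'givenName' => '',
            'emailAddress' => '',
        ],
        'support' => [
            'givenName' => '',
            'emailAddress' => '',
        ],
    ],

    // Organization information template; the info in the en-US language is recommended, add more if required.
    'organization' => [
        'en-US' => [
            'name' => '',
            'displayname' => '',
            'url' => '',
        ],
    ],
];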
141 
142 
/* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int]   http://saml2int.org/profile/current

   'authnRequestsSigned' => false,    // SP SHOULD NOT sign the <samlp:AuthnRequest>,
                                      // MUST NOT assume that the IdP validates the signature
   'wantAssertionsSigned' => true,
   'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPS is disabled
   'wantNameIdEncrypted' => false,
*/
151