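<?php

declare(strict_types=1);

/*
 * OneLogin PHP SAML Toolkit settings.
 *
 * This file only assigns $settings; the code that includes it reads the
 * array from that variable. Values left as '' must be filled in for the
 * deployment.
 */
$settings = [
    // If 'strict' is true, the toolkit rejects unsigned or unencrypted
    // messages when it expects them to be signed or encrypted, and rejects
    // messages that do not strictly follow the SAML standard (Destination,
    // NameId, Conditions, ... are validated too). Keep this enabled in
    // production: disabling it removes those checks.
    'strict' => true,

    // Enable debug mode (to print errors). Leave disabled in production.
    'debug' => false,

    // Set a BaseURL to be used instead of trying to guess the BaseURL of
    // the view that processes the SAML message.
    // Ex. http://sp.example.com/
    //     http://example.com/sp/
    'baseurl' => null,

    // Service Provider data that we are deploying.
    'sp' => [
        // Identifier of the SP entity (must be a URI).
        'entityId' => '',
        // Specifies where and how the <AuthnResponse> message MUST be
        // returned to the requester, in this case our SP.
        'assertionConsumerService' => [
            // URL location where the <Response> from the IdP will be returned.
            'url' => '',
            // SAML protocol binding to be used when returning the <Response>
            // message. The OneLogin Toolkit supports only the HTTP-POST
            // binding for this endpoint.
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ],
        // If you need to specify requested attributes, set an
        // attributeConsumingService. nameFormat, attributeValue and
        // friendlyName can be omitted. Otherwise remove this section.
        'attributeConsumingService' => [
            'serviceName' => 'SP test',
            'serviceDescription' => 'Test Service',
            'requestedAttributes' => [
                [
                    'name' => '',
                    'isRequired' => false,
                    'nameFormat' => '',
                    'friendlyName' => '',
                    'attributeValue' => '',
                ],
            ],
        ],
        // Specifies where and how the <Logout Response> message MUST be
        // returned to the requester, in this case our SP.
        'singleLogoutService' => [
            // URL location where the <Response> from the IdP will be returned.
            'url' => '',
            // SAML protocol binding to be used when returning the <Response>
            // message. The OneLogin Toolkit supports only the HTTP-Redirect
            // binding for this endpoint.
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        // Specifies constraints on the name identifier used to represent
        // the requested subject.
        // See lib/Saml2/Constants.php for the supported NameIDFormat values.
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',

        // Usually the x509cert and privateKey of the SP are provided by files
        // placed in the certs folder, but they can also be provided with the
        // following parameters.
        'x509cert' => '',
        'privateKey' => '',

        /*
         * Key rollover
         * If you plan to update the SP x509cert and privateKey, you can
         * define the new x509cert here and it will be published in the SP
         * metadata so Identity Providers can read it and get ready for the
         * rollover.
         */
        // 'x509certNew' => '',
    ],

    // Identity Provider data that we want to connect with our SP.
    'idp' => [
        // Identifier of the IdP entity (must be a URI).
        'entityId' => '',
        // SSO endpoint info of the IdP (Authentication Request protocol).
        'singleSignOnService' => [
            // URL target of the IdP where the SP will send the Authentication Request message.
            'url' => '',
            // SAML protocol binding to be used when returning the <Response>
            // message. The OneLogin Toolkit supports only the HTTP-Redirect
            // binding for this endpoint.
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        // SLO endpoint info of the IdP.
        'singleLogoutService' => [
            // URL location of the IdP where the SP will send the SLO Request.
            'url' => '',
            // URL location of the IdP where the SP will send the SLO Response
            // (ResponseLocation). If not set, the SLO Request url is used.
            'responseUrl' => '',
            // SAML protocol binding to be used when returning the <Response>
            // message. The OneLogin Toolkit supports only the HTTP-Redirect
            // binding for this endpoint.
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        // Public x509 certificate of the IdP. Preferred over a fingerprint
        // (see below), which only pins a hash of the certificate.
        'x509cert' => '',
        /*
         * Instead of using the whole x509cert you can use a fingerprint to
         * validate the SAMLResponse, but this method is not recommended in
         * production since it is exploitable by a collision attack.
         * (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
         * or add for example the -sha256, -sha384 or -sha512 parameter)
         *
         * If a fingerprint is provided, then certFingerprintAlgorithm is
         * required so the toolkit knows which algorithm was used. Possible
         * values: sha1, sha256, sha384 or sha512. 'sha1' is the default
         * value; if a fingerprint is used at all, prefer one of the SHA-2
         * algorithms.
         */
        // 'certFingerprint' => '',
        // 'certFingerprintAlgorithm' => 'sha1',

        /*
         * In some scenarios the IdP uses different certificates for
         * signing/encryption, or is in a key rollover phase and more than
         * one certificate is published in the IdP metadata. To handle that
         * the toolkit offers this parameter. (When used, the 'x509cert' and
         * 'certFingerprint' values are ignored.)
         */
        // 'x509certMulti' => [
        //     'signing' => [
        //         0 => '<cert1-string>',
        //     ],
        //     'encryption' => [
        //         0 => '<cert2-string>',
        //     ],
        // ],
    ],
];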