1<?php
2
$advancedSettings = [

    // Compression settings.
    // Controls whether getRequest()/getResponse() return the Request/Response
    // deflated. An explicit $deflate argument passed to either method takes
    // precedence over the values configured here.
    'compress' => [
        'requests' => true,
        'responses' => true,
    ],

    // Security settings.
    'security' => [

        // --- Signatures and encryption this SP offers (what it sends) ---

        // Encrypt the NameID of the <samlp:LogoutRequest> sent by this SP.
        'nameIdEncrypted' => false,

        // Sign the <samlp:AuthnRequest> messages sent by this SP.
        // [The SP metadata advertises this value]
        'authnRequestsSigned' => false,

        // Sign the <samlp:LogoutRequest> messages sent by this SP.
        'logoutRequestSigned' => false,

        // Sign the <samlp:LogoutResponse> messages sent by this SP.
        'logoutResponseSigned' => false,

        // Sign the SP metadata. Accepted values:
        //   false  - metadata is not signed
        //   true   - sign with the SP's own certificate and key
        //   ['keyFileName' => 'metadata.key', 'certFileName' => 'metadata.crt']
        //          - sign with the named key/certificate files
        //   ['x509cert' => '', 'privateKey' => '']
        //          - sign with inline certificate/key material
        'signMetadata' => false,

        // --- Signatures and encryption this SP requires (what it accepts) ---

        // Require the <samlp:Response>, <samlp:LogoutRequest> and
        // <samlp:LogoutResponse> elements received by this SP to be signed.
        'wantMessagesSigned' => false,

        // Require the <saml:Assertion> elements received by this SP to be encrypted.
        'wantAssertionsEncrypted' => false,

        // Require the <saml:Assertion> elements received by this SP to be signed.
        // [The SP metadata advertises this value]
        // NOTE(review): with wantMessagesSigned and wantAssertionsSigned both
        // false this template does not demand a signature on either the message
        // or the assertion; the saml2int profile quoted at the bottom of this
        // file sets wantAssertionsSigned to true. Review before production use.
        'wantAssertionsSigned' => false,

        // Require a NameID element to be present in the SAMLResponse received by this SP.
        'wantNameId' => true,

        // Require the NameID received by this SP to be encrypted.
        'wantNameIdEncrypted' => false,

        // Requested authentication context.
        //   false        - no AuthnContext is sent in the AuthnRequest
        //   true/absent  - AuthnContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
        //   array        - the listed context class URIs, e.g.
        //                  ['urn:oasis:names:tc:SAML:2.0:ac:classes:Password',
        //                   'urn:oasis:names:tc:SAML:2.0:ac:classes:X509']
        'requestedAuthnContext' => false,

        // Comparison attribute for the requested AuthnContext; 'exact' when absent.
        'requestedAuthnContextComparison' => 'exact',

        // Validate every received XML document.
        // Only effective when the 'strict' setting and this flag are both true.
        'wantXMLValidation' => true,

        // When true, a SAMLResponse whose Destination attribute is empty is not
        // rejected for that reason alone.
        // NOTE(review): this loosens the Destination check; keep it false unless
        // a specific IdP requires it.
        'relaxDestinationValidation' => false,

        // When true, the Destination URL must match exactly the address the
        // response was delivered to. An empty Destination is still accepted if
        // 'relaxDestinationValidation' is true.
        'destinationStrictlyMatches' => false,

        // When true, a SAMLResponse carrying an InResponseTo value is rejected
        // unless the matching AuthnRequest ID was handed to the validation method.
        'rejectUnsolicitedResponsesWithInResponseTo' => false,

        // Signature algorithm used when this SP signs. Options:
        //    'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
        //    'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
        // SHA-1 is deprecated and should not be used.
        'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',

        // Digest algorithm used when this SP signs. Options:
        //    'http://www.w3.org/2000/09/xmldsig#sha1'
        //    'http://www.w3.org/2001/04/xmlenc#sha256'
        //    'http://www.w3.org/2001/04/xmldsig-more#sha384'
        //    'http://www.w3.org/2001/04/xmlenc#sha512'
        // SHA-1 is deprecated and should not be used.
        'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256',

        // ADFS URL-encodes SAML data in lowercase while the toolkit defaults to
        // uppercase; enable this for ADFS compatibility during signature verification.
        'lowercaseUrlencoding' => false,
    ],

    // Contact information template; supplying technical and support contacts is recommended.
    'contactPerson' => [
        'technical' => [
            'givenName' => '',
            'emailAddress' => '',
        ],
        'support' => [
            'givenName' => '',
            'emailAddress' => '',
        ],
    ],

    // Organization information template; en-US is recommended, add more languages if required.
    'organization' => [
        'en-US' => [
            'name' => '',
            'displayname' => '',
            'url' => '',
        ],
    ],
];
141
142
/* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int]   http://saml2int.org/profile/current

   'authnRequestsSigned' => false,    // SP SHOULD NOT sign the <samlp:AuthnRequest>,
                                      // and MUST NOT assume that the IdP validates the signature
   'wantAssertionsSigned' => true,
   'wantAssertionsEncrypted' => true, // MUST be enabled if the transport is not protected by TLS (HTTPS)
   'wantNameIdEncrypted' => false,
*/
151