4 // If 'strict' is true, the PHP Toolkit will reject unsigned
5 // or unencrypted messages when it expects them to be signed or encrypted.
6 // It will also reject messages that do not strictly follow the SAML
7 // standard: Destination, NameId, Conditions ... are validated too.
10 // Enable debug mode (to print errors)
13 // Set a BaseURL to be used instead of trying to guess
14 // the BaseURL of the view that processes the SAML Message.
15 // Ex. http://sp.example.com/
16 // http://example.com/sp/
19 // Service Provider Data that we are deploying
21 // Identifier of the SP entity (must be a URI)
23 // Specifies info about where and how the <AuthnResponse> message MUST be
24 // returned to the requester, in this case our SP.
25 'assertionConsumerService' => array(
26 // URL Location where the <Response> from the IdP will be returned
28 // SAML protocol binding to be used when returning the <Response>
29 // message. The OneLogin Toolkit supports only the
30 // HTTP-POST binding for this endpoint
31 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
33 // If you need to specify requested attributes, set an
34 // attributeConsumingService. nameFormat, attributeValue and
35 // friendlyName can be omitted. Otherwise, remove this section.
36 "attributeConsumingService"=> array(
37 "serviceName" => "SP test",
38 "serviceDescription" => "Test Service",
39 "requestedAttributes" => array(
42 "isRequired" => false,
45 "attributeValue" => ""
49 // Specifies info about where and how the <Logout Response> message MUST be
50 // returned to the requester, in this case our SP.
51 'singleLogoutService' => array(
52 // URL Location where the <Response> from the IdP will be returned
54 // SAML protocol binding to be used when returning the <Response>
55 // message. The OneLogin Toolkit supports only the
56 // HTTP-Redirect binding for this endpoint
57 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
59 // Specifies constraints on the name identifier to be used to
60 // represent the requested subject.
61 // Take a look at lib/Saml2/Constants.php to see the supported NameIdFormat values
62 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
64 // Usually the x509cert and privateKey of the SP are provided by files placed in
65 // the certs folder, but they can also be provided with the following parameters
71 * If you plan to update the SP x509cert and privateKey,
72 * you can define the new x509cert here and it will be
73 * published in the SP metadata so Identity Providers can
74 * read it and get ready for rollover.
76 // 'x509certNew' => '',
79 // Identity Provider Data that we want to connect with our SP
81 // Identifier of the IdP entity (must be a URI)
83 // SSO endpoint info of the IdP. (Authentication Request protocol)
84 'singleSignOnService' => array(
85 // URL Target of the IdP where the SP will send the Authentication Request Message
87 // SAML protocol binding to be used when returning the <Response>
88 // message. The OneLogin Toolkit supports only the
89 // HTTP-Redirect binding for this endpoint
90 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
92 // SLO endpoint info of the IdP.
93 'singleLogoutService' => array(
94 // URL Location of the IdP where the SP will send the SLO Request
96 // URL location of the IdP where the SP SLO Response will be sent (ResponseLocation);
97 // if not set, the URL for the SLO Request will be used
99 // SAML protocol binding to be used when returning the <Response>
100 // message. The OneLogin Toolkit supports only the
101 // HTTP-Redirect binding for this endpoint
102 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
104 // Public x509 certificate of the IdP
107 * Instead of using the whole x509cert you can use a fingerprint in
108 * order to validate the SAMLResponse, but we don't recommend using
109 * that method in production since it is exploitable by a collision
111 * (run openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
112 * or add, for example, the -sha256, -sha384 or -sha512 parameter)
114 * If a fingerprint is provided, then certFingerprintAlgorithm is required in order to
115 * let the toolkit know which algorithm was used. Possible values: sha1, sha256, sha384 or sha512.
116 * 'sha1' is the default value.
118 // 'certFingerprint' => '',
119 // 'certFingerprintAlgorithm' => 'sha1',
121 /* In some scenarios the IdP uses different certificates for
122 * signing/encryption, or is in a key rollover phase and more
123 * than one certificate is published in the IdP metadata.
124 * To handle that, the toolkit offers this parameter.
125 * (when used, the 'x509cert' and 'certFingerprint' values are
128 // 'x509certMulti' => array(
129 // 'signing' => array(
130 // 0 => '<cert1-string>',
132 // 'encryption' => array(
133 // 0 => '<cert2-string>',