3 $advancedSettings = array(
5 // Compression settings
6 // Controls whether the getRequest/getResponse methods return the Request/Response deflated.
7 // If a $deflate boolean parameter is passed to the getRequest or getResponse
8 // method, it takes priority over the compression settings.
17 /** signatures and encryptions offered */
19 // Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
21 'nameIdEncrypted' => false,
23 // Indicates whether the <samlp:AuthnRequest> messages sent by this SP
24 // will be signed. [The Metadata of the SP will offer this info]
25 'authnRequestsSigned' => false,
27 // Indicates whether the <samlp:logoutRequest> messages sent by this SP
29 'logoutRequestSigned' => false,
31 // Indicates whether the <samlp:logoutResponse> messages sent by this SP
33 'logoutResponseSigned' => false,
36 False || True (use sp certs) || array (
37 'keyFileName' => 'metadata.key',
38 'certFileName' => 'metadata.crt'
45 'signMetadata' => false,
48 /** signatures and encryptions required **/
50 // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
51 // <samlp:LogoutResponse> elements received by this SP to be signed.
52 'wantMessagesSigned' => false,
54 // Indicates a requirement for the <saml:Assertion> elements received by
55 // this SP to be encrypted.
56 'wantAssertionsEncrypted' => false,
58 // Indicates a requirement for the <saml:Assertion> elements received by
59 // this SP to be signed. [The Metadata of the SP will offer this info]
60 'wantAssertionsSigned' => false,
62 // Indicates a requirement for the NameID element on the SAMLResponse received
63 // by this SP to be present.
66 // Indicates a requirement for the NameID received by
67 // this SP to be encrypted.
68 'wantNameIdEncrypted' => false,
70 // Authentication context.
71 // Set to false and no AuthContext will be sent in the AuthNRequest,
72 // Set to true or omit this parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
73 // Set an array with the possible auth context values: array('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
74 'requestedAuthnContext' => false,
76 // Allows the authn comparison parameter to be set, defaults to 'exact' if
77 // the setting is not present.
78 'requestedAuthnContextComparison' => 'exact',
80 // Indicates whether the SP will validate all received XML documents.
81 // (In order to validate the XML, both 'strict' and 'wantXMLValidation' must be true).
82 'wantXMLValidation' => true,
84 // If true, SAMLResponses with an empty value at its Destination
85 // attribute will not be rejected for this fact.
86 'relaxDestinationValidation' => false,
88 // If true, Destination URL should strictly match to the address to
89 // which the response has been sent.
90 // Notice that if 'relaxDestinationValidation' is true an empty Destination
92 'destinationStrictlyMatches' => false,
94 // If true, the toolkit will not raise an error when the Statement element
95 // contains attribute elements with duplicated names.
96 'allowRepeatAttributeName' => false,
98 // If true, SAMLResponses with an InResponseTo value will be rejected if no
99 // AuthNRequest ID is provided to the validation method.
100 'rejectUnsolicitedResponsesWithInResponseTo' => false,
102 // Algorithm that the toolkit will use on signing process. Options:
103 // 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
104 // 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
105 // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
106 // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
107 // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
108 // Notice that rsa-sha1 is a deprecated algorithm and should not be used
109 'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
111 // Algorithm that the toolkit will use on digest process. Options:
112 // 'http://www.w3.org/2000/09/xmldsig#sha1'
113 // 'http://www.w3.org/2001/04/xmlenc#sha256'
114 // 'http://www.w3.org/2001/04/xmldsig-more#sha384'
115 // 'http://www.w3.org/2001/04/xmlenc#sha512'
116 // Notice that sha1 is a deprecated algorithm and should not be used
117 'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256',
119 // Algorithm that the toolkit will use for encryption process. Options:
120 // 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc'
121 // 'http://www.w3.org/2001/04/xmlenc#aes128-cbc'
122 // 'http://www.w3.org/2001/04/xmlenc#aes192-cbc'
123 // 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
124 // 'http://www.w3.org/2009/xmlenc11#aes128-gcm'
125 // 'http://www.w3.org/2009/xmlenc11#aes192-gcm'
126 // 'http://www.w3.org/2009/xmlenc11#aes256-gcm';
127 // Notice that the aes-cbc modes are no longer considered secure and should not be used
128 'encryption_algorithm' => 'http://www.w3.org/2009/xmlenc11#aes128-gcm',
130 // ADFS URL-encodes SAML data as lowercase, and the toolkit by default uses
131 // uppercase. Set it to true for ADFS compatibility on signature verification.
132 'lowercaseUrlencoding' => false,
135 // Contact information template; it is recommended to supply technical and support contacts
136 'contactPerson' => array(
137 'technical' => array(
147 // Organization information template; the info in the en_US lang is recommended, add more if required
148 'organization' => array(
158 /* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int] http://saml2int.org/profile/current
160 'authnRequestsSigned' => false, // SP SHOULD NOT sign the <samlp:AuthnRequest>,
161 // MUST NOT assume that the IdP validates the sign
162 'wantAssertionsSigned' => true,
163 'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPs is disabled
164 'wantNameIdEncrypted' => false,