Skip to content

The Hub

Baggerone edited this page Jul 21, 2017 · 8 revisions

For More Information see

https://github.com/silinternational/simplesamlphp-module-sildisco/wiki/The-Hub

SP Remote Metadata in the Hub

The Hub has a unique way of managing metadata for remote SP's. Normally, there is a special file that holds all the remote SP metadata ( .../simplesamlphp/simplesamlphp/metadata/saml20-sp-remote.php).
In the hub, by contrast, that file has php code that pulls metadata in from other files in that folder and its sub-folders. Warning: it's best not to modify the hub's saml20-sp-remote.php file.

It pulls in metadata from any file (in or under the metadata/ folder) that has a name that matches "sp-*.php".

For that to work, those files need to return the metadata in an array. For example,

/**
 * SAML 2.0 remote SP metadata for SimpleSAMLphp.
 * Each entry in the array is the metadata for one SP.
 */
return [
    "our-first-sp" => [
        'AssertionConsumerService' => 'https://our-first-sp.org/module.php/saml/sp/saml2-acs.php/ssp-hub',
        ...
    ],
    ...
    "our-last-sp" => [
        'AssertionConsumerService' => 'https://our-last-sp.org/module.php/saml/sp/saml2-acs.php/ssp-hub',
         ...
    ]
];

This setup allows for SP metadata to be organized in separate folders and files. For example, you can have the following folder structure under the metadata/ folder.

  • first_org/
    • sp-team11.php
    • sp-team12.php
  • second_org/
    • sp-team21.php
    • sp-team22.php

In order to limit which IDP's the hub will expose to a certain SP, it's recommended that you include the following in each of the SP's metadata entry.

'IDPList' => ['idp1_metadata_key', 'idp2_metadata_key'],

IDP Remote Metadata in the Hub

The Hub has a unique way of managing metadata for remote IDP's. Normally, there is a special file that holds all the remote IDP metadata ( .../simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php).
In the hub, by contrast, that file has php code that pulls metadata in from other files in that folder and its sub-folders. Warning: it's best not to modify the hub's saml20-idp-remote.php file.

It pulls in metadata from any file (in or under the metadata/ folder) that has a name that matches "idp-*.php".

For that to work, those files need to return the metadata in an array. For example,

/**
 * SAML 2.0 remote IDP metadata for SimpleSAMLphp.
 * Each entry in the array is the metadata for one IDP.
 */
return [
    "the-first-idp" => [
        'metadata-set' => 'saml20-idp-remote',
        ...
    ],
    ...
    "the-last-idp" => [
        'metadata-set' => 'saml20-idp-remote',
         ...
    ]
];

In order to allow the Hub to use the sildisco modules to add an identifier for an IDP to the NameID attribute or the group membership entries, it's important to include the following in each IDP's metadata entry.

'IDPNamespace' => 'idp1-label', // a short identifing string for the idp

Limiting which SP's can use an IDP

In order to do this, add an array entry to the IDP remote metadata with 'SPList' as the key and an array of SP entity ID's as the value. For example,

'SPList' => ['https://our-first-sp.org', ... ]

SP Hosted Metadata in the Hub

This can be the basic smal20-sp-hosted.php file you would normally use with simplesamlphp

IDP Hosted Metadata in the Hub

In order for the Hub to know when not to force reauthentication, it's important to include the following in your .../metadata/saml20-idp-hosted.php metadata stanza.

   'authproc' => [
       95 => [
                 'class' =>'sildisco:TrackIdps',
             ]
   ],