-
Notifications
You must be signed in to change notification settings - Fork 1
The Hub
https://github.com/silinternational/simplesamlphp-module-sildisco/wiki/The-Hub
The Hub has a unique way of managing metadata for remote SP's. Normally, there is a special file that holds all
the remote SP metadata ( .../simplesamlphp/simplesamlphp/metadata/saml20-sp-remote.php).
In the hub, by contrast, that file has php code that pulls metadata in from other files in that folder and
its sub-folders. Warning: it's best not to modify the hub's saml20-sp-remote.php file.
It pulls in metadata from any file (in or under the metadata/ folder) that has a name that matches "sp-*.php".
For that to work, those files need to return the metadata in an array. For example,
/**
* SAML 2.0 remote SP metadata for SimpleSAMLphp.
* Each entry in the array is the metadata for one SP.
*/
return [
"our-first-sp" => [
'AssertionConsumerService' => 'https://our-first-sp.org/module.php/saml/sp/saml2-acs.php/ssp-hub',
...
],
...
"our-last-sp" => [
'AssertionConsumerService' => 'https://our-last-sp.org/module.php/saml/sp/saml2-acs.php/ssp-hub',
...
]
];
This setup allows for SP metadata to be organized in separate folders and files. For example, you can have the following folder structure under the metadata/ folder.
- first_org/
- sp-team11.php
- sp-team12.php
- second_org/
- sp-team21.php
- sp-team22.php
In order to limit which IDP's the hub will expose to a certain SP, it's recommended that you include the following in each of the SP's metadata entry.
'IDPList' => ['idp1_metadata_key', 'idp2_metadata_key'],
The Hub has a unique way of managing metadata for remote IDP's. Normally, there is a special file that holds all
the remote IDP metadata ( .../simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php).
In the hub, by contrast, that file has php code that pulls metadata in from other files in that folder and
its sub-folders. Warning: it's best not to modify the hub's saml20-idp-remote.php file.
It pulls in metadata from any file (in or under the metadata/ folder) that has a name that matches "idp-*.php".
For that to work, those files need to return the metadata in an array. For example,
/**
* SAML 2.0 remote IDP metadata for SimpleSAMLphp.
* Each entry in the array is the metadata for one IDP.
*/
return [
"the-first-idp" => [
'metadata-set' => 'saml20-idp-remote',
...
],
...
"the-last-idp" => [
'metadata-set' => 'saml20-idp-remote',
...
]
];
In order to allow the Hub to use the sildisco modules to add an identifier for an IDP to the NameID attribute or the group membership entries, it's important to include the following in each IDP's metadata entry.
'IDPNamespace' => 'idp1-label', // a short identifing string for the idp
In order to do this, add an array entry to the IDP remote metadata with 'SPList' as the key and an array of SP entity ID's as the value. For example,
'SPList' => ['https://our-first-sp.org', ... ]
This can be the basic smal20-sp-hosted.php file you would normally use with simplesamlphp
In order for the Hub to know when not to force reauthentication, it's important to include the following in your .../metadata/saml20-idp-hosted.php metadata stanza.
'authproc' => [
95 => [
'class' =>'sildisco:TrackIdps',
]
],