166 lines
7.1 KiB
PHP
166 lines
7.1 KiB
PHP
|
<?php
|
||
|
|
||
|
$advancedSettings = array(
|
||
|
|
||
|
// Compression settings
|
||
|
// Handle if the getRequest/getResponse methods will return the Request/Response deflated.
|
||
|
// But if we provide a $deflate boolean parameter to the getRequest or getResponse
|
||
|
// method it will have priority over the compression settings.
|
||
|
'compress' => array(
|
||
|
'requests' => true,
|
||
|
'responses' => true
|
||
|
),
|
||
|
|
||
|
// Security settings
|
||
|
'security' => array(
|
||
|
|
||
|
/** signatures and encryptions offered */
|
||
|
|
||
|
// Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
|
||
|
// will be encrypted.
|
||
|
'nameIdEncrypted' => false,
|
||
|
|
||
|
// Indicates whether the <samlp:AuthnRequest> messages sent by this SP
|
||
|
// will be signed. [The Metadata of the SP will offer this info]
|
||
|
'authnRequestsSigned' => false,
|
||
|
|
||
|
// Indicates whether the <samlp:logoutRequest> messages sent by this SP
|
||
|
// will be signed.
|
||
|
'logoutRequestSigned' => false,
|
||
|
|
||
|
// Indicates whether the <samlp:logoutResponse> messages sent by this SP
|
||
|
// will be signed.
|
||
|
'logoutResponseSigned' => false,
|
||
|
|
||
|
/* Sign the Metadata
|
||
|
False || True (use sp certs) || array (
|
||
|
'keyFileName' => 'metadata.key',
|
||
|
'certFileName' => 'metadata.crt'
|
||
|
)
|
||
|
|| array (
|
||
|
'x509cert' => '',
|
||
|
'privateKey' => ''
|
||
|
)
|
||
|
*/
|
||
|
'signMetadata' => false,
|
||
|
|
||
|
|
||
|
/** signatures and encryptions required **/
|
||
|
|
||
|
// Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
|
||
|
// <samlp:LogoutResponse> elements received by this SP to be signed.
|
||
|
'wantMessagesSigned' => false,
|
||
|
|
||
|
// Indicates a requirement for the <saml:Assertion> elements received by
|
||
|
// this SP to be encrypted.
|
||
|
'wantAssertionsEncrypted' => false,
|
||
|
|
||
|
// Indicates a requirement for the <saml:Assertion> elements received by
|
||
|
// this SP to be signed. [The Metadata of the SP will offer this info]
|
||
|
'wantAssertionsSigned' => false,
|
||
|
|
||
|
// Indicates a requirement for the NameID element on the SAMLResponse received
|
||
|
// by this SP to be present.
|
||
|
'wantNameId' => true,
|
||
|
|
||
|
// Indicates a requirement for the NameID received by
|
||
|
// this SP to be encrypted.
|
||
|
'wantNameIdEncrypted' => false,
|
||
|
|
||
|
// Authentication context.
|
||
|
// Set to false and no AuthContext will be sent in the AuthNRequest,
|
||
|
// Set true or don't present this parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
|
||
|
// Set an array with the possible auth context values: array('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
|
||
|
'requestedAuthnContext' => false,
|
||
|
|
||
|
// Allows the authn comparison parameter to be set, defaults to 'exact' if
|
||
|
// the setting is not present.
|
||
|
'requestedAuthnContextComparison' => 'exact',
|
||
|
|
||
|
// Indicates if the SP will validate all received xmls.
|
||
|
// (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
|
||
|
'wantXMLValidation' => true,
|
||
|
|
||
|
// If true, SAMLResponses with an empty value at its Destination
|
||
|
// attribute will not be rejected for this fact.
|
||
|
'relaxDestinationValidation' => false,
|
||
|
|
||
|
// If true, Destination URL should strictly match to the address to
|
||
|
// which the response has been sent.
|
||
|
// Notice that if 'relaxDestinationValidation' is true an empty Destintation
|
||
|
// will be accepted.
|
||
|
'destinationStrictlyMatches' => false,
|
||
|
|
||
|
// If true, the toolkit will not raised an error when the Statement Element
|
||
|
// contain atribute elements with name duplicated
|
||
|
'allowRepeatAttributeName' => false,
|
||
|
|
||
|
// If true, SAMLResponses with an InResponseTo value will be rejectd if not
|
||
|
// AuthNRequest ID provided to the validation method.
|
||
|
'rejectUnsolicitedResponsesWithInResponseTo' => false,
|
||
|
|
||
|
// Algorithm that the toolkit will use on signing process. Options:
|
||
|
// 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
|
||
|
// 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
|
||
|
// 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
|
||
|
// 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
|
||
|
// 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
|
||
|
// Notice that rsa-sha1 is a deprecated algorithm and should not be used
|
||
|
'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
|
||
|
|
||
|
// Algorithm that the toolkit will use on digest process. Options:
|
||
|
// 'http://www.w3.org/2000/09/xmldsig#sha1'
|
||
|
// 'http://www.w3.org/2001/04/xmlenc#sha256'
|
||
|
// 'http://www.w3.org/2001/04/xmldsig-more#sha384'
|
||
|
// 'http://www.w3.org/2001/04/xmlenc#sha512'
|
||
|
// Notice that sha1 is a deprecated algorithm and should not be used
|
||
|
'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256',
|
||
|
|
||
|
// Algorithm that the toolkit will use for encryption process. Options:
|
||
|
// 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc'
|
||
|
// 'http://www.w3.org/2001/04/xmlenc#aes128-cbc'
|
||
|
// 'http://www.w3.org/2001/04/xmlenc#aes192-cbc'
|
||
|
// 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
|
||
|
// 'http://www.w3.org/2009/xmlenc11#aes128-gcm'
|
||
|
// 'http://www.w3.org/2009/xmlenc11#aes192-gcm'
|
||
|
// 'http://www.w3.org/2009/xmlenc11#aes256-gcm';
|
||
|
// Notice that aes-cbc are not consider secure anymore so should not be used
|
||
|
'encryption_algorithm' => 'http://www.w3.org/2009/xmlenc11#aes128-gcm',
|
||
|
|
||
|
// ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses
|
||
|
// uppercase. Turn it True for ADFS compatibility on signature verification
|
||
|
'lowercaseUrlencoding' => false,
|
||
|
),
|
||
|
|
||
|
// Contact information template, it is recommended to suply a technical and support contacts
|
||
|
'contactPerson' => array(
|
||
|
'technical' => array(
|
||
|
'givenName' => '',
|
||
|
'emailAddress' => ''
|
||
|
),
|
||
|
'support' => array(
|
||
|
'givenName' => '',
|
||
|
'emailAddress' => ''
|
||
|
),
|
||
|
),
|
||
|
|
||
|
// Organization information template, the info in en_US lang is recomended, add more if required
|
||
|
'organization' => array(
|
||
|
'en-US' => array(
|
||
|
'name' => '',
|
||
|
'displayname' => '',
|
||
|
'url' => ''
|
||
|
),
|
||
|
),
|
||
|
);
|
||
|
|
||
|
|
||
|
/* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int] http://saml2int.org/profile/current
|
||
|
|
||
|
'authnRequestsSigned' => false, // SP SHOULD NOT sign the <samlp:AuthnRequest>,
|
||
|
// MUST NOT assume that the IdP validates the sign
|
||
|
'wantAssertionsSigned' => true,
|
||
|
'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPs is disabled
|
||
|
'wantNameIdEncrypted' => false,
|
||
|
*/
|