Update the documentation regarding certificates.
git-svn-id: http://simplesamlphp.googlecode.com/svn/trunk@3305 44740490-163a-0410-bde0-09ae8108e29a
This commit is contained in:
parent 425f7c6167
commit 53b591799d
@ -109,8 +109,8 @@ Filters can be added both in `hosted` and `remote` metadata. Here is an example
'__DYNAMIC:1__' => array(
'host' => '__DEFAULT_',
'privatekey' => 'server.pem',
'certificate' => 'server.crt',
'privatekey' => 'example.org.pem',
'certificate' => 'example.org.crt',
'auth' => 'feide',
'authproc' => array(
40 => 'core:AttributeRealm',

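Review bot: the context line `'host' => '__DEFAULT_',` has a single trailing underscore, while the same option in the other hunks of this patch is written `'__DEFAULT__'`; since the adjacent lines are already being changed, that typo should be corrected here too, otherwise the copied example will not match the other documentation.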
@ -122,6 +122,23 @@ This configuration creates two users - `student` and `employee`, with the passwo
The attributes will be returned by the IdP when the user logs on.


Creating a SSL self signed certificate
--------------------------------------

Here is an example of an `openssl`-command which can be used to generate a new private key key and the corresponding self-signed certificate.

This key and certificate can be used to sign SAML messages:

openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out example.org.crt -keyout example.org.pem

The certificate above will be valid for 10 years.


### Note ###

simpleSAMLphp will only work with RSA certificates. DSA certificates are not supported.


Configuring the IdP
-------------------

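Review bot: the added sentence "generate a new private key key and the corresponding self-signed certificate" duplicates "key", and the heading "Creating a SSL self signed certificate" should read "an SSL". The new section also never says where `example.org.crt` and `example.org.pem` have to be placed, although the metadata comment touched later in this patch says the files are read from the cert directory; one sentence pointing readers there would let them go from the `openssl` command straight to a working configuration.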
@ -142,8 +159,8 @@ This is a minimal configuration of a SAML 2.0 IdP:
* The private key and certificate to use when signing responses.
* These are stored in the cert-directory.
*/
'privatekey' => 'server.pem',
'certificate' => 'server.crt',
'privatekey' => 'example.org.pem',
'certificate' => 'example.org.crt',

/*
* The authentication source which should be used to authenticate the

@ -189,30 +206,6 @@ If you have the metadata of the remote SP as an XML file, you can use the built-
For more information about available options in the sp-remote metadata files, see the [SP remote reference](simplesamlphp-reference-sp-remote).


Creating a SSL self signed certificate
--------------------------------------

For test purposes, you can skip this section, and use the certificate included in the simpleSAMLphp distribution.

Here is an example of an `openssl`-command which can be used to generate a new private key key and the corresponding self-signed certificate.

This key and certificate can be used to sign SAML messages:

openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out example.org.crt -keyout example.org.pem

The certificate above will be valid for 10 years.


### Note ###

simpleSAMLphp will only work with RSA certificates. DSA certificates are not supported.


### Warning ###

The certificate that is included in the simpleSAMLphp distribution must **NEVER** be used in production, as the private key is also included in the package and can be downloaded by anyone.


Adding this IdP to other SPs
----------------------------

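Review bot: deleting this section also drops the warning that the certificate shipped with the simpleSAMLphp distribution must never be used in production because its private key is in the package and can be downloaded by anyone. The replacement section added earlier in this patch carries only the RSA/DSA note, so the warning no longer appears anywhere in the patch; it should move to the new section rather than disappear, since a reader who keeps the distribution's `server.crt`/`server.pem` is otherwise never told that the key is public.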
@ -79,8 +79,8 @@ If given the following configuration...

$metadata['https://www.example.com/saml/saml2/idp/metadata.php'] = array(
'host' => 'www.example.com',
'certificate' => 'server.crt',
'privatekey' => 'server.pem',
'certificate' => 'example.com.crt',
'privatekey' => 'example.com.pem',
'auth' => 'example-userpass',

'EntityAttributes' => array(

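Review bot: this example (and the one after it) switches to `example.com.crt`/`example.com.pem`, while the `openssl` command added in this patch writes `example.org.crt`/`example.org.pem` and the remaining metadata examples use the example.org names. The example.com names may be intentional because the host is `www.example.com`, but a reader who runs the documented command and then copies this block will reference files that do not exist; either align the names or state that the file names are illustrative.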
@ -184,8 +184,8 @@ If given the following configuration...

$metadata['https://www.example.com/saml/saml2/idp/metadata.php'] = array(
'host' => 'www.example.com',
'certificate' => 'server.crt',
'privatekey' => 'server.pem',
'certificate' => 'example.com.crt',
'privatekey' => 'example.com.pem',
'auth' => 'example-userpass',

'UIInfo' => array(

@ -140,8 +140,8 @@ To use this authentication source in a SAML 2.0 IdP, set the

'__DYNAMIC:1__' => array(
'host' => '__DEFAULT__',
'privatekey' => 'server.pem',
'certificate' => 'server.crt',
'privatekey' => 'example.org.pem',
'certificate' => 'example.org.crt',
'auth' => 'example-static',
),

@ -362,8 +362,8 @@ These are some examples of IdP metadata
'host' => '__DEFAULT__',

/* The private key and certificate used by this IdP. */
'certificate' => 'server.crt',
'privatekey' => 'server.pem',
'certificate' => 'example.org.crt',
'privatekey' => 'example.org.pem',

/*
* The authentication source for this IdP. Must be one

@ -196,7 +196,7 @@ These options overrides the options set in `saml20-sp-hosted`.
**Example: Configuration for validating messages**

'redirect.validate' => TRUE,
'certificate' => 'server.crt',
'certificate' => 'example.org.crt',


Shibboleth 1.3 options

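Review bot: under "Configuration for validating messages" the `certificate` option names the remote entity's certificate, the one used to check its signed messages, yet `example.org.crt` is the file name the rest of this patch gives to the hosted entity's own certificate (the output of the `openssl` command). Reusing the same name in the remote-entity example invites readers to point validation at their own certificate; a distinct, clearly remote name here (and in the matching `saml20-idp-hosted` example later in the patch) would make the distinction visible.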
@ -238,7 +238,7 @@ Calculating the fingerprint of a certificate

If you have obtained a certificate file, and want to calculate the fingerprint of the file, you can use the `openssl` command:

$ openssl x509 -noout -fingerprint -in "server.crt"
$ openssl x509 -noout -fingerprint -in "example.org.crt"
SHA1 Fingerprint=AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9

In this case, the certFingerprint option should be set to `AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9`.

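Review bot: the `SHA1 Fingerprint=AF:E7:...` line and the `certFingerprint` sentence are kept as unchanged context, so after the rename the page shows a fixed fingerprint for a file that readers now generate themselves with the documented `openssl req` command. A short remark that the value shown is only an example and that the option must be set to the fingerprint printed for their own certificate would stop it being pasted verbatim.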
@ -339,7 +339,7 @@ These options overrides the options set in `saml20-idp-hosted`.
**Example: Configuration for validating messages**

'redirect.validate' => TRUE,
'certificate' => 'server.crt',
'certificate' => 'example.org.crt',

### Fields for scoping
