This document is part of the simpleSAMLphp documentation suite.
- [List of all simpleSAMLphp documentation](http://simplesamlphp.org/docs)
This document assumes that you already have a installation of
simpleSAMLphp running, configured and working. This is the next
step :)
Bridging between protocols
--------------------------
A bridge between two protocols is built using both an IdP and an SP, connected together.
To let a SAML 2.0 SP talk to a SAML 1.1 IdP, you build a simpleSAMLphp bridge from a SAML 2.0 IdP and a SAML 1.1 SP.
The SAML 2.0 SP talks to the SAML 2.0 IdP, which hands the request over to the SAML 1.1 SP, which forwards it to the SAML 1.1 IdP.
If you have followed the instructions for setting up an SP, and have configured an authentication source, all you need to do is to add that authentication source to the IdP.
**Example of bridge configuration**
In `metadata/saml20-idp-hosted.php`:
'auth' => 'default-sp',
In `config/authsources.php`:
'default-sp' => array(
'saml:SP',
),
Attribute control
-----------------
Filtering, mapping, etc can be performed by using existing or create new *Authentication Processing Filters*. For more information, read:
* [Authentication Processing Filters in SimpleSAMLphp](simplesamlphp-authproc)
Automatic update of SAML 2.0 Metadata XML from HTTPS
The `metarefresh` module is the preferred method for doing this.
Please see the [metarefresh documentation](simplesamlphp-automated_metadata).
Auth MemCookie
--------------
It is possible to integrate simpleSAMLphp with [Auth MemCookie](http://authmemcookie.sourceforge.net/). This allows you to integrate simpleSAMLphp with web applications written in another language than PHP.
Auth MemCookie works by reading authentication data from a memcache server and setting environment variables based on attributes in this data. It also allows you to use the default Apache access control features to restrict access to your site.
The simpleSAMLphp Auth MemCookie module can be found in `www/authmemcookie.php` and the configuration should be stored in `config/authmemcookie.php`. You may have to copy this file from `config-template/authmemcookie.php`.
To use Auth MemCookie, you need to do the following steps:
1. Install and configure simpleSAMLphp for running as an SP.
2. Install and configure a memcache server.
3. Install and configure Auth MemCookie. Go to the
You should now be able to go to `http://yourserver/secret/` to test
the configuration. You should be redirected to your IdP, and after
entering your username and password you should be taken back to
`http://yourserver/secret/`. The resulting page should list all
environment variables set by Apache, including the ones set by Auth
MemCookie.
Metadata signing
----------------
simpleSAMLphp supports signing of the metadata it generates. Metadata signing is configured by four options:
- `metadata.sign.enable`: Whether metadata signing should be enabled or not. Set to `TRUE` to enable metadata signing. Defaults to `FALSE`.
- `metadata.sign.privatekey`: Name of the file with the private key which should be used to sign the metadata. This file must exist in in the `cert` directory.
- `metadata.sign.privatekey_pass`: Passphrase which should be used to open the private key. This parameter is optional, and should be left out if the private key is unencrypted.
- `metadata.sign.certificate`: Name of the file with the certificate which matches the private key. This file must exist in in the `cert` directory.
These options can be configured globally in the `config/config.php`-file, or per SP/IdP by adding them to the hosted metadata for the SP/IdP. The configuration in the metadata for the SP/IdP takes precedence over the global configuration.
There is also an additional fallback for the private key and the certificate. If `metadata.sign.privatekey` and `metadata.sign.certificate` isn't configured, simpleSAMLphp will use the `privatekey`, `privatekey_pass` and `certificate` options in the metadata for the SP/IdP.