
This is a reference for the metadata options available for metadata/saml20-sp-remote.php and metadata/shib13-sp-remote.php. Both files have the following format:

<?php
/* The index of the array is the entity ID of this SP. */
$metadata['entity-id-1'] = array(
    /* Configuration options for the first SP. */
);
$metadata['entity-id-2'] = array(
    /* Configuration options for the second SP. */
);
/* ... */

1 Common options
The following options are common between the SAML 2.0 protocol and the Shibboleth 1.3 protocol:
attributes
This should indicate which attributes an SP should receive. It is used by, for example, the consent:Consent module to tell the user which attributes the SP will receive, and by the core:AttributeLimit module to limit which attributes are sent to the SP.
authproc
Used to manipulate attributes and limit access for each SP. See the authentication processing filter manual.
base64attributes
Whether attributes sent to this SP should be base64 encoded. The default value is FALSE.
description
A description of this SP. It will be used by various modules when they need to show a description of the SP to the user.

This option can be translated into multiple languages in the same way as the name option.

name
The name of this SP. It will be used by various modules when they need to show a name of the SP to the user.

If this option is not set, the organization name will be used instead (if available).

This option can be translated into multiple languages by specifying the value as an array of language code to translated name:

'name' => array(
    'en' => 'A service',
    'no' => 'En tjeneste',
),

OrganizationName
The name of the organization responsible for this SP. This name does not need to be suitable for display to end users.

This option can be translated into multiple languages by specifying the value as an array of language code to translated name:

'OrganizationName' => array(
    'en' => 'Example organization',
    'no' => 'Eksempel organisation',
),

Note: If you specify this option, you must also specify the OrganizationURL option.

OrganizationDisplayName
The name of the organization responsible for this SP. This name must be suitable for display to end users. If this option is not specified, OrganizationName will be used instead.

This option can be translated into multiple languages by specifying the value as an array of language code to translated name.

Note: If you specify this option, you must also specify the OrganizationName option.

OrganizationURL
A URL the end user can access for more information about the organization.

This option can be translated into multiple languages by specifying the value as an array of language code to translated URL.

Note: If you specify this option, you must also specify the OrganizationName option.

privacypolicy
This is an absolute URL where a user can find a privacy policy for this SP. If set, it will be shown on the consent page. %SPENTITYID% in the URL will be replaced with the entity ID of this service provider.

Note that this option also exists in the IdP-hosted metadata. This entry in the SP-remote metadata overrides the option in the IdP-hosted metadata.

userid.attribute
The name of an attribute which uniquely identifies the user. This attribute is used if SimpleSAMLphp needs to generate a persistent unique identifier for the user. This option can be set in both the IdP-hosted and the SP-remote metadata. The value in the SP-remote metadata has the highest priority. The default value is eduPersonPrincipalName.

Note that this option also exists in the IdP-hosted metadata. This entry in the SP-remote metadata overrides the option in the IdP-hosted metadata.

2 SAML 2.0 options
The following SAML 2.0 options are available:
AssertionConsumerService
The URL of the AssertionConsumerService endpoint for this SP. This option is required; without it you will not be able to send responses back to the SP.

The value of this option is specified in one of several endpoint formats.

attributes.NameFormat
What value will be set in the Format field of attribute statements. This parameter can be configured in multiple places, and the actual value used is fetched from metadata by the following priority:
1. SP Remote Metadata
2. IdP Hosted Metadata

The default value is: urn:oasis:names:tc:SAML:2.0:attrname-format:basic

Some examples of values specified in the SAML 2.0 Core Specification:

- urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
- urn:oasis:names:tc:SAML:2.0:attrname-format:uri (the default in Shibboleth 2.0)
- urn:oasis:names:tc:SAML:2.0:attrname-format:basic (the default in Sun Access Manager)

You can also define your own value.

Note that this option also exists in the IdP-hosted metadata. This entry in the SP-remote metadata overrides the option in the IdP-hosted metadata.

(This option was previously named AttributeNameFormat.)

encryption.blacklisted-algorithms
Blacklisted encryption algorithms. This is an array containing the algorithm identifiers.

Note that this option also exists in the IdP-hosted metadata. This entry in the SP-remote
metadata overrides the option in the IdP-hosted metadata.

The RSA encryption algorithm with PKCS#1 v1.5 padding is blacklisted by default for
security reasons. Any assertions encrypted with this algorithm will therefore fail to decrypt.
You can override this limitation by defining an empty array in this option (or blacklisting any
other algorithms not including that one). However, it is strongly discouraged to do so. For
your own safety, please include the string 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' if you
make use of this option.

ForceAuthn
Set this TRUE to force the user to reauthenticate when the IdP receives authentication requests
from this SP. The default is FALSE.
NameIDFormat
The NameIDFormat this SP should receive. The three most commonly used values are:
1. urn:oasis:names:tc:SAML:2.0:nameid-format:transient
2. urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
3. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

The transient format will generate a new unique ID every time the SP logs in.

To properly support the persistent and emailAddress formats, you should configure
NameID generation filters on your IdP.

nameid.encryption
Whether NameIDs sent to this SP should be encrypted. The default value is FALSE.

Note that this option also exists in the IdP-hosted metadata. This entry in the SP-remote
metadata overrides the option in the IdP-hosted metadata.

SingleLogoutService
The URL of the SingleLogoutService endpoint for this SP. This option is required if you want
to implement single logout for this SP. If the option isn't specified, this SP will not be logged
out automatically when a single logout operation is initialized.

The value of this option is specified in one of several endpoint formats.

SingleLogoutServiceResponse
The URL logout responses to this SP should be sent. If this option is unspecified, the
SingleLogoutService endpoint will be used as the recipient of logout responses.
SPNameQualifier
SP NameQualifier for this SP. If not set, the IdP will set the SPNameQualifier to be the SP
entity ID.
certData
The base64 encoded certificate for this SP. This is an alternative to storing the certificate in a file on disk and specifying the filename in the certificate option.
certificate
Name of the certificate file for this SP. The certificate is used to verify the signature of messages received from the SP (if redirect.validate is set to TRUE), and to encrypt assertions (if assertion.encryption is set to TRUE and sharedkey is unset).
saml20.sign.response
Whether <samlp:Response> messages should be signed. Defaults to TRUE.

Note that this option also exists in the IdP-hosted metadata. The value in the SP-remote
metadata overrides the value in the IdP-hosted metadata.

saml20.sign.assertion
Whether <saml:Assertion> elements should be signed. Defaults to TRUE.

Note that this option also exists in the IdP-hosted metadata. The value in the SP-remote
metadata overrides the value in the IdP-hosted metadata.
signature.algorithm
The algorithm to use when signing any message sent to this specific service provider. Defaults to RSA-SHA1.

Note that this option also exists in the IdP-hosted metadata. The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.

Possible values:

- http://www.w3.org/2000/09/xmldsig#rsa-sha1 (Note: the use of SHA1 is deprecated and will be disallowed in the future.)
- http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
- http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
- http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
signature.privatekey
Name of the private key file for this IdP, in PEM format. The filename is relative to the cert/ directory.
Note that this option also exists in the IdP-hosted metadata. This entry in the SP-remote metadata overrides the option privatekey in the IdP-hosted metadata.
signature.privatekey_pass
Passphrase for the private key. Leave this option out if the private key is unencrypted.
Note that this option is only used if signature.privatekey is present.
signature.certificate
Certificate file included by the IdP for KeyInfo within the signature for the SP, in PEM format. The filename is relative to the cert/ directory.
If signature.privatekey is present and signature.certificate is left blank, X509Certificate will not be included with the signature.
simplesaml.nameidattribute
When the value of the NameIDFormat-option is set to either email or persistent, this
is the name of the attribute which should be used as the value of the NameID. The attribute
must be in the set of attributes exported to the SP (that is, be in the attributes array). For
more advanced control over NameID, including the ability to specify any attribute regardless
of the set sent to the SP, see the NameID processing filters.

Typical values can be mail for when using the email format, and
eduPersonTargetedID when using the persistent format.

simplesaml.attributes
Whether the SP should receive any attributes from the IdP. The default value is TRUE.
attributeencodings
What encoding should be used for the different attributes. This is an array which maps attribute names to attribute encodings. There are three different encodings:
- string: Will include the attribute as a normal string. This is the default.
- base64: Store the attribute as a base64 encoded string. This is the default when the base64attributes option is set to TRUE.
- raw: Store the attribute without any modifications. This makes it possible to include raw XML in the response.
sign.logout
Whether to sign logout messages sent to this SP.

Note that this option also exists in the IdP-hosted metadata. The value in the SP-remote
metadata overrides the value in the IdP-hosted metadata.
validate.authnrequest
Whether we require signatures on authentication requests sent from this SP.

Note that this option also exists in the IdP-hosted metadata. The value in the SP-remote
metadata overrides the value in the IdP-hosted metadata.

validate.logout
Whether we require signatures on logout messages sent from this SP.

Note that this option also exists in the IdP-hosted metadata. The value in the SP-remote
metadata overrides the value in the IdP-hosted metadata.

2.1 Encrypting assertions

It is possible to encrypt the assertions sent to an SP. Currently the only algorithm supported is AES128_CBC or RIJNDAEL_128.

There are two modes of encryption supported by SimpleSAMLphp. One is symmetric encryption, in which case both the SP and the IdP need to share a key. The other mode is the use of public key encryption. In that mode, the public key of the SP is extracted from the certificate of the SP.
assertion.encryption
Whether assertions sent to this SP should be encrypted. The default value is FALSE.

Note that this option also exists in the IdP-hosted metadata. This entry in the SP-remote metadata overrides the option in the IdP-hosted metadata.

sharedkey
Symmetric key which should be used for encryption. This should be a 128-bit key. If this option is not specified, public key encryption will be used instead.

2.2 Fields for signing and validating messages

SimpleSAMLphp only signs authentication responses by default. Signing of logout requests and logout responses can be enabled by setting the redirect.sign option. Validation of received messages can be enabled by the redirect.validate option.

These options override the options set in saml20-idp-hosted.

redirect.sign
Whether logout requests and logout responses sent to this SP should be signed. The default is FALSE.
redirect.validate
Whether authentication requests, logout requests and logout responses received from this SP should be validated. The default is FALSE.

Example: Configuration for validating messages

'redirect.validate' => TRUE,
'certificate' => 'example.org.crt',
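The reference above lists the options one at a time; the following is an added example (not taken from the SimpleSAMLphp documentation or code) of a complete saml20-sp-remote.php entry that puts the common options of section 1 and the signing, validation and encryption options of sections 2, 2.1 and 2.2 together in one hardened configuration. The entity ID, endpoint URLs, certificate file name and attribute names are constructed placeholders; the list form of the core:AttributeLimit filter is the module's own configuration syntax, and the priority key 50 is an arbitrary choice. Comments mark which defaults are permissive and why each option is set the way it is.

```php
<?php
/*
 * Added example of a hardened SP-remote metadata entry for SimpleSAMLphp.
 * Not part of the documentation; all identifiers below are constructed
 * placeholders (entity ID, URLs, certificate file, attribute names).
 */
$metadata['https://sp.example.org/saml/metadata'] = array(
    /* Required: where <samlp:Response> messages for this SP are delivered. */
    'AssertionConsumerService' => 'https://sp.example.org/saml/acs',
    /* Without this the SP is simply skipped during single logout. */
    'SingleLogoutService'      => 'https://sp.example.org/saml/slo',

    /* Section 1: declare the attributes the SP is entitled to, and enforce
       the same list with core:AttributeLimit so nothing extra leaks. */
    'attributes' => array('uid', 'mail', 'eduPersonPrincipalName'),
    'authproc'   => array(
        50 => array('class' => 'core:AttributeLimit',
                    'uid', 'mail', 'eduPersonPrincipalName'),
    ),
    'name'             => array('en' => 'Example service', 'no' => 'Eksempeltjeneste'),
    'OrganizationName' => array('en' => 'Example organization'),
    'OrganizationURL'  => array('en' => 'https://example.org/'),
    'privacypolicy'    => 'https://example.org/privacy?sp=%SPENTITYID%',

    /* Transient NameID: a fresh value per login, so the SP gets no stable
       identifier unless a NameID generation filter deliberately provides one. */
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',

    /* Section 2: keep responses and assertions signed (the defaults), but
       replace the RSA-SHA1 default algorithm, which is deprecated. */
    'saml20.sign.response'  => TRUE,
    'saml20.sign.assertion' => TRUE,
    'signature.algorithm'   => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',

    /* Section 2.2: validation defaults to FALSE, which means an unsigned
       AuthnRequest or LogoutRequest claiming to come from this SP is accepted
       as-is. Supply the SP certificate (cert/sp.example.org.crt, constructed)
       and require signatures on what the SP sends. */
    'certificate'           => 'sp.example.org.crt',
    'validate.authnrequest' => TRUE,
    'validate.logout'       => TRUE,
    'redirect.sign'         => TRUE,   /* also sign our logout messages */
    'redirect.validate'     => TRUE,

    /* Section 2.1: public-key encryption (no 'sharedkey'), using the same
       certificate. Spelling out the blacklist keeps PKCS#1 v1.5 excluded;
       the weak variant would be 'encryption.blacklisted-algorithms' => array(),
       which re-enables rsa-1_5. */
    'assertion.encryption'              => TRUE,
    'encryption.blacklisted-algorithms' => array(
        'http://www.w3.org/2001/04/xmlenc#rsa-1_5',
    ),
);
```

The entry is meant to be read against the reference: every key appears in sections 1 to 2.2, and the two places where the defaults are permissive (validate.* and redirect.validate at FALSE, signature.algorithm at RSA-SHA1) are the ones an operator should check first when onboarding an SP.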
2.3 Fields for scoping
Only relevant if you are a proxy/bridge and want to limit the IdPs this SP can use.
IDPList
The list of scoped IdPs, i.e. the list of entity IDs for IdPs that are relevant for this SP. The final list is the concatenation of the list given as a parameter to InitSSO (at the SP), the list configured at the SP and the list configured at the IdP (here) for this SP. The intersection of the final list and the IdPs configured at this IdP will be presented to the user at the discovery service if necessary. If only one IdP is in the intersection, the discovery service will go directly to that IdP.

Example: Configuration for scoping

'IDPList' => array('https://idp1.wayf.dk', 'https://idp2.wayf.dk'),

3 Shibboleth 1.3 options

The following options for Shibboleth 1.3 SPs are available:
AssertionConsumerService
The URL of the AssertionConsumerService endpoint for this SP. This endpoint must accept the SAML responses encoded with the urn:oasis:names:tc:SAML:1.0:profiles:browser-post encoding. This option is required; without it you will not be able to send responses back to the SP.

The value of this option is specified in one of several endpoint formats.


NameQualifier
What the value of the NameQualifier-attribute of the <NameIdentifier>-element
should be. The default value is the entity ID of the SP.
audience
The value which should be given in the <Audience>-element in the
<AudienceRestrictionCondition>-element in the response. The default value is the
entity ID of the SP.
scopedattributes
Array with names of attributes which should be scoped. Scoped attributes will receive a
Scope-attribute on the AttributeValue-element. The value of the Scope-attribute will
be taken from the attribute value:

<AttributeValue>someuser@example.org</AttributeValue>

will be transformed into

<AttributeValue Scope="example.org">someuser</AttributeValue>

By default, no attributes are scoped. This option overrides the option with the same name in
the shib13-idp-hosted.php metadata file.
