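# ---------------------------------------------------------------------------
# SP (Service Provider) configuration
# Each comment and each key must be on its own line: in a .properties file a
# line starting with '#' is a comment to its end, so a key glued onto a comment
# line is never read by the toolkit.
# ---------------------------------------------------------------------------

# SP entityId
# Identifier of the SP entity (must be a URI)
onelogin.saml2.sp.entityid = http://localhost:8080/metadata.jsp

# SP assertion consumer service (ACS) endpoint.
# Specifies info about where and how the <AuthnResponse> message MUST be
# returned to the requester, in this case our SP.
# URL Location where the <Response> from the IdP will be returned
onelogin.saml2.sp.assertion_consumer_service.url = http://localhost:8080/acs.jsp

# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-POST binding only
onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

# Single logout service endpoint of the SP; this is mainly given to the IdP so
# it has somewhere to deliver logout responses.
# Specifies info about where and how the <Logout Response> message MUST be
# returned to the requester, in this case our SP.
onelogin.saml2.sp.single_logout_service.url = http://localhost:8080/sls.jsp

# SAML protocol binding to be used when returning the <LogoutResponse> or sending the <LogoutRequest>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.sp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

# NameID format. The original note says "unspecified" is the usual default,
# but the value configured here is emailAddress; make sure it matches the
# format the IdP actually issues.
# Specifies constraints on the name identifier to be used to
# represent the requested subject.
# Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
onelogin.saml2.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

# Usually x509cert and privateKey of the SP are provided by files placed at
# the certs folder. But we can also provide them with the following parameters
onelogin.saml2.sp.x509cert =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

# Requires Format PKCS#8 BEGIN PRIVATE KEY
# If you have PKCS#1 BEGIN RSA PRIVATE KEY convert it by openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem
# NOTE: this is the SP's private key stored in plain text in a config file.
# Restrict read permissions on this file, keep it out of version control, and
# prefer loading it from the certs folder or a secret store in production.
onelogin.saml2.sp.privatekey =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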
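# ---------------------------------------------------------------------------
# IdP (Identity Provider) configuration
# ---------------------------------------------------------------------------

# IDP entityId
# Identifier of the IdP entity (must be a URI)
onelogin.saml2.idp.entityid = https://app.onelogin.com/saml/metadata/2edb5038-be70-40f5-ad3b-2de9d00ab1a3

# SSO endpoint info of the IdP. (Authentication Request protocol)
# URL Target of the IdP where the SP will send the Authentication Request Message
onelogin.saml2.idp.single_sign_on_service.url = https://westinfosoft-dev.onelogin.com/trust/saml2/http-post/sso/2edb5038-be70-40f5-ad3b-2de9d00ab1a3

# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
# NOTE(review): the SSO URL above has "http-post" in its path while the binding
# configured here is HTTP-Redirect; confirm both against the IdP metadata.
onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

# SLO endpoint info of the IdP.
# URL Location of the IdP where the SP will send the SLO Request
onelogin.saml2.idp.single_logout_service.url = https://westinfosoft-dev.onelogin.com/trust/saml2/http-redirect/slo/1095020

# Optional SLO Response endpoint info of the IdP.
# URL Location of the IdP where the SP will send the SLO Response. If left blank, same URL as onelogin.saml2.idp.single_logout_service.url will be used.
# Some IdPs use a separate URL for sending a logout request and response, use this property to set the separate response url
onelogin.saml2.idp.single_logout_service.response.url =

# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

# In real projects this is normally taken from the IdP metadata rather than
# pasted here.
# Public x509 certificate of the IdP
# This certificate is what the SP trusts when verifying IdP signatures, so it
# must be kept in sync with the IdP's current signing certificate.
onelogin.saml2.idp.x509cert =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

# Fingerprint mode follows. It is not recommended by the toolkit authors
# because of hash-collision concerns with the fingerprint algorithm.
# Instead of use the whole x509cert you can use a fingerprint
# (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
# or add for example the -sha256 , -sha384 or -sha512 parameter)
#
# If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
# let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512
# 'sha1' is the default value.
# onelogin.saml2.idp.certfingerprint = 3E:3B:0D:FA:F2:80:B2:0E:95:46:36:07:9A:78:BD:04:CC:76:CE:A8
# onelogin.saml2.idp.certfingerprint_algorithm = sha1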
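# ---------------------------------------------------------------------------
# Security settings
# These are mostly left disabled for the demo project. In a production
# deployment the signing/encryption options and the matching "want_*"
# requirements below need to be switched on.
# ---------------------------------------------------------------------------

# Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
# will be encrypted.
onelogin.saml2.security.nameid_encrypted = false

# Signing of authentication requests.
# Indicates whether the <samlp:AuthnRequest> messages sent by this SP
# will be signed. [The Metadata of the SP will offer this info]
onelogin.saml2.security.authnrequest_signed = false

# Signing of logout requests.
# Indicates whether the <samlp:logoutRequest> messages sent by this SP
# will be signed.
onelogin.saml2.security.logoutrequest_signed = false

# Signing of logout responses.
# Indicates whether the <samlp:logoutResponse> messages sent by this SP
# will be signed.
onelogin.saml2.security.logoutresponse_signed = false

# Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
# <samlp:LogoutResponse> elements received by this SP to be signed.
# With this and want_assertions_signed both false, no signature is required on
# anything received from the IdP; a production SP should require at least one.
onelogin.saml2.security.want_messages_signed = false

# Indicates a requirement for the <saml:Assertion> elements received by this SP to be signed.
onelogin.saml2.security.want_assertions_signed = false

# Indicates a requirement for the Metadata of this SP to be signed.
# Right now supported null (in order to not sign) or true (sign using SP private key)
onelogin.saml2.security.sign_metadata =

# Indicates a requirement for the Assertions received by this SP to be encrypted
onelogin.saml2.security.want_assertions_encrypted = false

# Indicates a requirement for the NameID received by this SP to be encrypted
onelogin.saml2.security.want_nameid_encrypted = false

# Authentication context.
# Set Empty and no AuthContext will be sent in the AuthNRequest
# You can set multiple values (comma separated them)
onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:Password

# Allows the authn comparison parameter to be set, defaults to 'exact'
# The key previously had its prefix duplicated
# ("onelogin.saml2.security.onelogin.saml2.security.requested_authncontextcomparison"),
# which does not appear to be a key the toolkit reads, so the value was ignored.
onelogin.saml2.security.requested_authncontextcomparison = exact

# Indicates if the SP will validate all received xmls.
# (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
onelogin.saml2.security.want_xml_validation = true

# Algorithm that the toolkit will use on signing process. Options:
# 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
# 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
# rsa-sha1 is kept here for the demo; SHA-1 based signatures are deprecated,
# so prefer rsa-sha256 or stronger once signing is enabled in production.
onelogin.saml2.security.signature_algorithm = http://www.w3.org/2000/09/xmldsig#rsa-sha1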