Add SAML addon.

2025-06-09 10:54:27 +02:00 · 2021-05-16 20:56:37 -07:00 · 2021-05-16 20:56:37 -07:00 · 4b3b79c894
commit 4b3b79c894
parent f04493b5bb
62 changed files with 16277 additions and 0 deletions
--- a/saml/vendor/onelogin/php-saml/advanced_settings_example.php
+++ b/saml/vendor/onelogin/php-saml/advanced_settings_example.php
@ -0,0 +1,165 @@
+<?php
+
+$advancedSettings = array(
+
+    // Compression settings
+    // Handle if the getRequest/getResponse methods will return the Request/Response deflated.
+    // But if we provide a $deflate boolean parameter to the getRequest or getResponse
+    // method it will have priority over the compression settings.
+    'compress' => array(
+        'requests' => true,
+        'responses' => true
+    ),
+
+    // Security settings
+    'security' => array(
+
+        /** signatures and encryptions offered */
+
+        // Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
+        // will be encrypted.
+        'nameIdEncrypted' => false,
+
+        // Indicates whether the <samlp:AuthnRequest> messages sent by this SP
+        // will be signed.              [The Metadata of the SP will offer this info]
+        'authnRequestsSigned' => false,
+
+        // Indicates whether the <samlp:logoutRequest> messages sent by this SP
+        // will be signed.
+        'logoutRequestSigned' => false,
+
+        // Indicates whether the <samlp:logoutResponse> messages sent by this SP
+        // will be signed.
+        'logoutResponseSigned' => false,
+
+        /* Sign the Metadata
+         False || True (use sp certs) || array (
+                                                    'keyFileName' => 'metadata.key',
+                                                    'certFileName' => 'metadata.crt'
+                                               )
+                                      || array (
+                                                    'x509cert' => '',
+                                                    'privateKey' => ''
+                                               )
+        */
+        'signMetadata' => false,
+
+
+        /** signatures and encryptions required **/
+
+        // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
+        // <samlp:LogoutResponse> elements received by this SP to be signed.
+        'wantMessagesSigned' => false,
+
+        // Indicates a requirement for the <saml:Assertion> elements received by
+        // this SP to be encrypted.
+        'wantAssertionsEncrypted' => false,
+
+        // Indicates a requirement for the <saml:Assertion> elements received by
+        // this SP to be signed.        [The Metadata of the SP will offer this info]
+        'wantAssertionsSigned' => false,
+
+        // Indicates a requirement for the NameID element on the SAMLResponse received
+        // by this SP to be present.
+        'wantNameId' => true,
+
+        // Indicates a requirement for the NameID received by
+        // this SP to be encrypted.
+        'wantNameIdEncrypted' => false,
+
+        // Authentication context.
+        // Set to false and no AuthContext will be sent in the AuthNRequest,
+        // Set true or don't present this parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
+        // Set an array with the possible auth context values: array('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
+        'requestedAuthnContext' => false,
+
+        // Allows the authn comparison parameter to be set, defaults to 'exact' if
+        // the setting is not present.
+        'requestedAuthnContextComparison' => 'exact',
+
+        // Indicates if the SP will validate all received xmls.
+        // (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
+        'wantXMLValidation' => true,
+
+        // If true, SAMLResponses with an empty value at its Destination
+        // attribute will not be rejected for this fact.
+        'relaxDestinationValidation' => false,
+
+        // If true, Destination URL should strictly match to the address to
+        // which the response has been sent.
+        // Notice that if 'relaxDestinationValidation' is true an empty Destintation
+        // will be accepted.
+        'destinationStrictlyMatches' => false,
+
+        // If true, the toolkit will not raised an error when the Statement Element
+        // contain atribute elements with name duplicated
+        'allowRepeatAttributeName' => false,
+
+        // If true, SAMLResponses with an InResponseTo value will be rejectd if not
+        // AuthNRequest ID provided to the validation method.
+        'rejectUnsolicitedResponsesWithInResponseTo' => false,
+
+        // Algorithm that the toolkit will use on signing process. Options:
+        //    'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
+        //    'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
+        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
+        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
+        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
+        // Notice that rsa-sha1 is a deprecated algorithm and should not be used
+        'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
+
+        // Algorithm that the toolkit will use on digest process. Options:
+        //    'http://www.w3.org/2000/09/xmldsig#sha1'
+        //    'http://www.w3.org/2001/04/xmlenc#sha256'
+        //    'http://www.w3.org/2001/04/xmldsig-more#sha384'
+        //    'http://www.w3.org/2001/04/xmlenc#sha512'
+        // Notice that sha1 is a deprecated algorithm and should not be used
+        'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256',
+
+        // Algorithm that the toolkit will use for encryption process. Options:
+        // 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc'
+        // 'http://www.w3.org/2001/04/xmlenc#aes128-cbc'
+        // 'http://www.w3.org/2001/04/xmlenc#aes192-cbc'
+        // 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
+        // 'http://www.w3.org/2009/xmlenc11#aes128-gcm'
+        // 'http://www.w3.org/2009/xmlenc11#aes192-gcm'
+        // 'http://www.w3.org/2009/xmlenc11#aes256-gcm';
+        // Notice that aes-cbc are not consider secure anymore so should not be used
+        'encryption_algorithm' => 'http://www.w3.org/2009/xmlenc11#aes128-gcm',
+
+        // ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses
+        // uppercase. Turn it True for ADFS compatibility on signature verification
+        'lowercaseUrlencoding' => false,
+    ),
+
+    // Contact information template, it is recommended to suply a technical and support contacts
+    'contactPerson' => array(
+        'technical' => array(
+            'givenName' => '',
+            'emailAddress' => ''
+        ),
+        'support' => array(
+            'givenName' => '',
+            'emailAddress' => ''
+        ),
+    ),
+
+    // Organization information template, the info in en_US lang is recomended, add more if required
+    'organization' => array(
+        'en-US' => array(
+            'name' => '',
+            'displayname' => '',
+            'url' => ''
+        ),
+    ),
+);
+
+
+/* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int]   http://saml2int.org/profile/current
+
+   'authnRequestsSigned' => false,    // SP SHOULD NOT sign the <samlp:AuthnRequest>,
+                                      // MUST NOT assume that the IdP validates the sign
+   'wantAssertionsSigned' => true,
+   'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPs is disabled
+   'wantNameIdEncrypted' => false,
+*/