combodo-saml/module.combodo-saml.php at master · Combodo/combodo-saml · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
<?php

/**
 * @copyright   Copyright (C) 2010-2019 Combodo SARL
 * @license     https://www.combodo.com/documentation/combodo-software-license.html
 *
 */
//
// iTop module definition file
//

SetupWebPage::AddModule(
	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
	'combodo-saml/1.2.6',
	[
		// Identification
		//
		'label' => 'SAML SSO',
		'category' => 'business',

		// Setup
		//
		'dependencies' => [
			'itop-config-mgmt/2.6.0',
			'itop-config/2.6.0',
		],
		'mandatory' => false,
		'visible' => true,

		// Components
		//
		'datamodel' => [
			'model.combodo-saml.php',
			'src/SAMLLoginExtension.php',
			'vendor/autoload.php',
		],
		'webservice' => [

		],
		'data.struct' => [
			// add your 'structure' definition XML files here,
		],
		'data.sample' => [
			// add your sample data XML files here,
		],

		// Documentation
		//
		'doc.manual_setup' => '', // hyperlink to manual setup documentation, if any
		'doc.more_information' => '', // hyperlink to more information, if any

		// Security
		'delegated_authentication_endpoints' => [
			'acs.php',
			'sls.php',
			'sp-metadata.php',
		],

		// Default settings
		//
		'settings' => [
			// If 'strict' is True, then the PHP Toolkit will reject unsigned
			// or unencrypted messages if it expects them to be signed or encrypted.
			// Also it will reject the messages if the SAML standard is not strictly
			// followed: Destination, NameId, Conditions ... are validated too.
			'strict' => true,
			// Enable debug mode (to print errors).
			'debug' => false,
			// Identity Provider Data that we want connected with our SP.
			'idp' =>  [
				// Identifier of the IdP entity  (must be a URI)
				'entityId' => '',
				// SSO endpoint info of the IdP. (Authentication Request protocol)
				'singleSignOnService' =>  [
					// URL Target of the IdP where the Authentication Request Message
					// will be sent.
					'url' => '',
					// SAML protocol binding to be used when returning the <Response>
					// message. OneLogin Toolkit supports the HTTP-Redirect binding
					// only for this endpoint.
					'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
				],
				// SLO endpoint info of the IdP.
				'singleLogoutService' =>  [
					// URL Location of the IdP where SLO Request will be sent.
					'url' => '',
					// URL location of the IdP where the SP will send the SLO Response (ResponseLocation)
					// if not set, url for the SLO Request will be used
					'responseUrl' => '',
					// SAML protocol binding to be used when returning the <Response>
					// message. OneLogin Toolkit supports the HTTP-Redirect binding
					// only for this endpoint.
					'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
				],
				// Public x509 certificate of the IdP
				'x509cert' => '',
				/*
				 *  Instead of use the whole x509cert you can use a fingerprint in order to
				 *  validate a SAMLResponse, but we don't recommend to use that
				 *  method on production since is exploitable by a collision attack.
				 *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
				 *   or add for example the -sha256 , -sha384 or -sha512 parameter)
				 *
				 *  If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
				 *  let the toolkit know which algorithm was used. Possible values: sha1, sha256, sha384 or sha512
				 *  'sha1' is the default value.
				 *
				 *  Notice that if you want to validate any SAML Message sent by the HTTP-Redirect binding, you
				 *  will need to provide the whole x509cert.
				 */
				// 'certFingerprint' => '',
				// 'certFingerprintAlgorithm' => 'sha1',

				/* In some scenarios the IdP uses different certificates for
				 * signing/encryption, or is under key rollover phase and
				 * more than one certificate is published on IdP metadata.
				 * In order to handle that the toolkit offers that parameter.
				 * (when used, 'x509cert' and 'certFingerprint' values are
				 * ignored).
				 */
				// 'x509certMulti' => array(
				//      'signing' => array(
				//          0 => '<cert1-string>',
				//      ),
				//      'encryption' => array(
				//          0 => '<cert2-string>',
				//      )
				// ),
			],
		],
	]
);