
Configuration of the main SAML IdP

Editions: Corporate
Versions: 4.3.0+


VIMP enables the connection of any number of IdPs. If you want to connect only one IdP, it has to be defined in the configuration under Authentication -> SAML. 

Further IdPs can then be added via the top menu item "SAML IdPs".

The following configuration options are available by default:

IdP Name
Name of the IdP to connect to (e.g. SAML IdP).

IdP Display Name
Name of the IdP as it is displayed in the frontend (e.g. in the IdP selection).

Debug
Activates the debug mode. This should always be deactivated in production environments!

Strict mode
Rejects unsigned or unencrypted messages if they are expected to be signed or encrypted. Strict mode should be enabled in production environments.

NameIDFormat
Specifies constraints on the name identifier to be used to represent the requested subject (e.g. urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).

IdP Host
The URI to the IdP Host (e.g. https://YOUR_IDP_DOMAIN.com).

IdP Entity ID
e.g. https://YOUR_IDP_DOMAIN.com/saml2/idp/metadata.php

IdP URI to initiate authentication request
e.g. https://YOUR_IDP_DOMAIN.com/saml2/idp/SSOService.php

IdP URI to initiate a logout
e.g. https://YOUR_IDP_DOMAIN.com/saml2/idp/SingleLogoutService.php

X509 Certificate
The X509 signing certificate. The certificate is provided by your IdP.

Encryption Certificate
The certificate used for encryption. The certificate is provided by your IdP.

Username (Field Mapping defaults to uid)
e.g. urn:oid:0.9.2342.19200300.100.1.1

Mail (Field Mapping defaults to mail)
e.g. urn:oid:0.9.2342.19200300.100.1.3

First name (Field Mapping defaults to givenName)
e.g. urn:oid:2.5.4.42

Last name/Surname (Field Mapping defaults to surName)
e.g. urn:oid:2.5.4.4

Retrieve server attributes
Indicates how the parameters used for signature validation are retrieved from the SLS (Single Logout Service) request.

Trust proxy headers
If true, the SAML library will trust proxy headers, e.g. X-Forwarded-Proto / HTTP_X_FORWARDED_PROTO. This is useful if your application is running behind a load balancer which terminates SSL. Only enable this if the load balancer sets these headers itself rather than passing on client-supplied values.

nameID encrypted
Indicates that the NameID of the <samlp:LogoutRequest> sent by this SP will be encrypted.

Authn request signed
Indicates whether the <samlp:AuthnRequest> messages sent by this SP will be signed.

Logout request signed
Indicates whether the <samlp:LogoutRequest> messages sent by this SP will be signed.

Logout response signed
Indicates whether the <samlp:LogoutResponse> messages sent by this SP will be signed.

Sign metadata
Indicates whether the SP metadata should be signed.

Want messages signed
Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse> elements received by this SP to be signed.

Want assertions signed
Indicates a requirement for the <saml:Assertion> elements received by this SP to be signed.

Want nameID encrypted
Indicates a requirement for the NameID received by this SP to be encrypted.

Requested authn context
Controls the <samlp:RequestedAuthnContext> element of the AuthnRequest:
Set to false: no AuthnContext is sent in the AuthnRequest.
Set to true or leave the parameter unset: an AuthnContext with comparison 'exact' and the class 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' is requested.
Set to an array of the possible authn context values, e.g. array('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509').
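The following is an added example, not VIMP code: it shows how the three forms of the "Requested authn context" setting map onto the <samlp:RequestedAuthnContext> element that ends up in the AuthnRequest, and lints the signature-related options above for a production deployment. The setting keys in the dictionary (strict, debug, want_assertions_signed, want_messages_signed) are assumed names for this illustration.

```python
# Added example (not VIMP's code). Setting keys are illustrative only.
from typing import Optional, Sequence, Union
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def requested_authn_context(setting: Union[bool, None, Sequence[str]]) -> Optional[ET.Element]:
    """Build the <samlp:RequestedAuthnContext> element for the AuthnRequest.

    False         -> None: nothing is added to the AuthnRequest
    True / unset  -> Comparison="exact" with PasswordProtectedTransport
    list of URIs  -> Comparison="exact" with one AuthnContextClassRef per URI
    """
    if setting is False:
        return None
    classes = [PPT] if setting is True or setting is None else list(setting)
    if not classes:
        raise ValueError("authn context list must not be empty")
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", Comparison="exact")
    for ref in classes:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return rac


def production_lint(settings: dict) -> list:
    """Report SP settings that weaken signature checks or leak debug output."""
    findings = []
    if settings.get("debug"):
        findings.append("debug is enabled; disable it in production")
    if not settings.get("strict"):
        findings.append("strict mode is off; expected signatures/encryption are not enforced")
    if not (settings.get("want_assertions_signed") or settings.get("want_messages_signed")):
        findings.append("neither assertions nor messages are required to be signed")
    return findings


if __name__ == "__main__":
    el = requested_authn_context(["urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
                                  "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"])
    print(ET.tostring(el).decode())
    print(production_lint({"strict": False, "debug": True}))
```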

Support contact name
Name of contact for support

Support contact mail
E-mail address of contact for support

Technical contact name
Name of contact for technical questions

Technical contact mail
E-mail address of contact for technical questions

Company Name
Name of your company

Company display name
Displayed name of your company

Company URI
URI of your company

Enable these IdP settings in login form
If true, this IdP appears for selection in the login form.



© VIMP GmbH