SimpleSAMLphp Identity Provider Advanced Topics
===============================================
<!-- 
	This file is written in Markdown syntax. 
	For more information about how to use the Markdown syntax, read here:
	http://daringfireball.net/projects/markdown/syntax
-->
  * Version: `$Id: simplesamlphp-idp-more.txt 2884 2011-08-09 06:25:34Z olavmrk $`
<!-- {{TOC}} -->
AJAX iFrame Single Log-Out
--------------------------
If you have read about the AJAX iFrame Single Log-Out approach at Andreas' blog and want to enable it, edit your `saml20-idp-hosted.php` metadata and add this configuration line for the IdP:
	'logouttype' => 'iframe',
Attribute Release Consent
-------------------------
The attribute release consent is documented in a separate document.
  * [Documentation on the consent module](./consent:consent)
Support for bookmarking the login page
--------------------------------------
Most SAML software crashes fatally when users bookmark the login page and return later, after the cached session information is lost. This is natural, as the login page appears in the middle of a SAML transaction, and the SAML software needs some references to the request in order to be able to produce the SAML Response.
SimpleSAMLphp has implemented a graceful fallback to tackle this situation. When SimpleSAMLphp is not able to look up a session during the login process, it falls back to the *IdP-first flow*, described in the next section, where the reference to the request is not needed.
What happens in the IdP-first flow is that a *SAML unsolicited response* is sent back to the SP. An *unsolicited response* is a SAML Response with no reference to a SAML Request (no `InReplyTo` field).
When a SimpleSAMLphp IdP falls back to the IdP-first flow, the `RelayState` parameter sent from the SP in the SAML request is also lost. The RelayState information contains a reference key for the SP to look up where to send the user after successful authentication. The SimpleSAMLphp Service Provider supports configuring a static URL to redirect the user to after an unsolicited response is received. See more information about the `RelayState` parameter in the next section: *IdP-first flow*.
IdP-first flow
--------------
If you do not want to start the SSO flow at the SP, you may use the IdP-first setup. To do this, redirect the user to the SSOService endpoint on the IdP with one parameter, `spentityid`, that matches the EntityId of the SP that the user should be logged into.
Here is an example of such a URL:
	https://idp.example.org/simplesaml/saml2/idp/SSOService.php?spentityid=urn:mace:feide.no:someservice
You can also add a RelayState parameter to the IdP-first URL:
	https://idp.example.org/simplesaml/saml2/idp/SSOService.php?spentityid=urn:mace:feide.no:someservice&RelayState=https://sp.example.org/somepage
The RelayState parameter is often used to carry the URL the SP should redirect to after authentication.
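The following is an added example, not part of the SimpleSAMLphp documentation or code base. It builds the IdP-first URL with both parameters percent-encoded, and shows one way an SP could check a URL-valued `RelayState` before redirecting, falling back to the static URL otherwise. The function names `buildIdpFirstUrl` and `resolveRelayState`, the allowlist and the sample hosts are assumptions made for illustration.

```php
<?php
// Added example: function names, allowlist and sample hosts are hypothetical.

// Build an IdP-first URL. RFC 3986 encoding keeps '&', '?' and '#' inside
// RelayState from being parsed as part of the SSOService query string.
function buildIdpFirstUrl(string $ssoService, string $spEntityId, ?string $relayState = null): string
{
    $params = ['spentityid' => $spEntityId];
    if ($relayState !== null) {
        $params['RelayState'] = $relayState;
    }
    return $ssoService . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// SP side: choose the redirect target after an unsolicited response.
// RelayState arrives via the browser, so it is honoured only when it is an
// absolute https URL on an allowlisted host; otherwise the static URL is used.
function resolveRelayState(?string $relayState, array $allowedHosts, string $defaultUrl): string
{
    if ($relayState === null || $relayState === '') {
        return $defaultUrl;
    }
    // Control characters, spaces and backslashes are parsed inconsistently
    // between parse_url() and browsers, so refuse them outright.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $relayState)) {
        return $defaultUrl;
    }
    $parts = parse_url($relayState);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https'
        || !isset($parts['host']) || isset($parts['user']) || isset($parts['pass'])) {
        return $defaultUrl;
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return $defaultUrl;
    }
    return $relayState;
}

// Constructed sample values.
$sso = 'https://idp.example.org/simplesaml/saml2/idp/SSOService.php';
echo buildIdpFirstUrl($sso, 'urn:mace:feide.no:someservice',
    'https://sp.example.org/somepage?tab=2&lang=en'), "\n";

$default = 'https://sp.example.org/';
$samples = ['https://sp.example.org/somepage', 'https://elsewhere.example/somepage', ''];
foreach ($samples as $rs) {
    printf("%-36s -> %s\n", $rs, resolveRelayState($rs, ['sp.example.org'], $default));
}
```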
### IdP first with SAML 1.1
A SAML 1.1 SP does not send an authentication request to the IdP, but instead triggers IdP-initiated authentication directly.
If you want to do it manually, you can access the following URL:
	https://idp.example.org/simplesaml/shib13/idp/SSOService.php?providerId=urn:mace:feide.no:someservice&shire=https://sp.example.org/acs-endpoint&target=https://sp.example.org/somepage
The parameters are as follows:
`providerId`
:   The entityID of the SP.
    This parameter is required.
`shire`
:   The AssertionConsumerService endpoint of the SP.
    This parameter is required.
`target`
:   The target parameter the SP should receive with the authentication response.
    This is often the page the user should be sent to after authentication.
    This parameter is optional for the IdP, but must be specified if the SP you are targeting is a SimpleSAMLphp SP.
:   *Note*: This parameter must be sent as `target` (with lowercase letters) when starting the authentication, while it is sent as `TARGET` (with uppercase letters) in the authentication response.
IdP-initiated logout
--------------------
IdP-initiated logout can be initiated by visiting the URL:
    https://idp.example.org/simplesaml/saml2/idp/SingleLogoutService.php?ReturnTo=<URL to return to after logout>
It will send a logout request to each SP, and afterwards return the user to the URL specified in the `ReturnTo` parameter.