false,

    // NOTE(review): the key this leading value belongs to is not visible in this
    // excerpt. If it is the toolkit's 'strict' option, false relaxes validation
    // of incoming SAML messages; confirm, and prefer true outside of testing.

    // Enable debug mode (to print errors). Printed errors can expose SAML
    // processing details, so keep this false outside of development.
    'debug' => true,

    // Set a BaseURL to be used instead of trying to guess
    // the BaseURL of the view that processes the SAML Message.
    // Ex. http://sp.example.com/
    // http://example.com/sp/
    'baseurl' => 'https://strange.mirabel-sil.com',

    // Service Provider Data that we are deploying
    // NOTE(review): 'privateKey' further down in this section embeds the SP
    // private key in the settings file itself. A key stored in source this way
    // should be considered exposed: rotate it and supply it from the certs
    // folder or a secret store with restricted file permissions.
    'sp' => array (
        // Identifier of the SP entity (must be a URI)
        'entityId' => 'https://strange.mirabel-sil.com/paracrm.recouveo1611.rayane',
        // Specifies info about where and how the message MUST be
        // returned to the requester, in this case our SP.
        'assertionConsumerService' => array (
            // URL Location where the <Response> from the IdP will be returned
            'url' => 'https://strange.mirabel-sil.com/paracrm.recouveo1611.rayane/saml-endpoints/acs.php',
            // SAML protocol binding to be used when returning the
            // message. Onelogin Toolkit supports for this endpoint the
            // HTTP-Redirect binding only
            // NOTE(review): the value set here is HTTP-POST, which contradicts
            // the "HTTP-Redirect binding only" wording above; confirm which
            // binding the toolkit supports for this endpoint.
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ),
        // If you need to specify requested attributes, set an
        // attributeConsumingService. nameFormat, attributeValue and
        // friendlyName can be omitted. Otherwise remove this section.
        // Specifies info about where and how the message MUST be
        // returned to the requester, in this case our SP.
        'singleLogoutService' => array (
            // URL Location where the <Response> from the IdP will be returned
            'url' => 'https://strange.mirabel-sil.com/paracrm.recouveo1611.rayane/saml-endpoints/sls.php',
            // SAML protocol binding to be used when returning the
            // message. Onelogin Toolkit supports for this endpoint the
            // HTTP-Redirect binding only
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        // Specifies constraints on the name identifier to be used to
        // represent the requested subject.
// Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', // Usually x509cert and privateKey of the SP are provided by files placed at // the certs folder. But we can also provide them with the following parameters 'x509cert' => 'MIIEBzCCAu+gAwIBAgIJALRjMl+oQbjaMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD VQQGEwJGUjEPMA0GA1UECAwGRnJhbmNlMQ8wDQYDVQQHDAZMb2duZXMxETAPBgNV BAoMCFJlY291dmVvMRQwEgYDVQQLDAtSZWNvdXZlbyBTSTEQMA4GA1UEAwwHc3Ry YW5nZTEtMCsGCSqGSIb3DQEJARYecmF5YW5lLmJlbnNhaWRAcmVjb3V2ZW8tc2ku Y29tMB4XDTE5MDIxMjE1MzUyN1oXDTIxMDIxMTE1MzUyN1owgZkxCzAJBgNVBAYT AkZSMQ8wDQYDVQQIDAZGcmFuY2UxDzANBgNVBAcMBkxvZ25lczERMA8GA1UECgwI UmVjb3V2ZW8xFDASBgNVBAsMC1JlY291dmVvIFNJMRAwDgYDVQQDDAdzdHJhbmdl MS0wKwYJKoZIhvcNAQkBFh5yYXlhbmUuYmVuc2FpZEByZWNvdXZlby1zaS5jb20w ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT0Jkgabx6UEsxUo3/y10K LAmBCoAJCVEDG4VYEJ3t03xFabLa0CByAgLJkm0b98HxsFH3ma8//PXJPR7U2Mbv mvV+POuDSeNcxbWaZIxFeMTVesQsk2ICnEOvae9Y0FENJ90gB8JbIi+sgsYpd2rj yEKw3/S74PWRSMAHh4B3et+MX9xqMIhKAktTAR1RJ8Cucfv7aHmzYPSHB/2pUuWX Hw0+dgLAfRU+ut1HrzWb8ufc/cBbi0p2e3kFLfL7EdpXh16CBaJI+e6tjAxvMK1m OnjC28XV0dy2Xw50mZuqqt5HkNR7TZGjaS6O0uKrOUudYg2rQ2OiScEAU7Er4/cP AgMBAAGjUDBOMB0GA1UdDgQWBBSl1LzSajtphNTNXCWhMV6sRekGZDAfBgNVHSME GDAWgBSl1LzSajtphNTNXCWhMV6sRekGZDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 DQEBCwUAA4IBAQByNAlQJqckgoLVxpQlyel/lQATAAbuKRvq2Ub3Xxr5J60XNDCz PDM5FDJqkqasVY4kEjqBS4NS79VFjun7epNbFN+Sxqhi9N2TwENGgOm+ASTEGX/6 TBNRqVnMQZW8OvRluJ73bltWQsGz6qcTH/vpmBzmPGx5afAax+2jEQY+2pF6/0bo UCgUGhQISjW9St6eyu6ZmaS0YqE+tw96yTc1b9vfIDV5t1YC9ZYB36ajONSNrrPZ zin420/dYJG1vSmje3FVMWECoSvKmDe1Zxmh+VTWqvxGEOxIgv/5EsyLjFWUbjzD i7XmYRNRpF9CUoTLxiily0bDROhTBHQvG75H', 'privateKey' => 'MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDT0Jkgabx6UEsx Uo3/y10KLAmBCoAJCVEDG4VYEJ3t03xFabLa0CByAgLJkm0b98HxsFH3ma8//PXJ PR7U2MbvmvV+POuDSeNcxbWaZIxFeMTVesQsk2ICnEOvae9Y0FENJ90gB8JbIi+s 
gsYpd2rjyEKw3/S74PWRSMAHh4B3et+MX9xqMIhKAktTAR1RJ8Cucfv7aHmzYPSH B/2pUuWXHw0+dgLAfRU+ut1HrzWb8ufc/cBbi0p2e3kFLfL7EdpXh16CBaJI+e6t jAxvMK1mOnjC28XV0dy2Xw50mZuqqt5HkNR7TZGjaS6O0uKrOUudYg2rQ2OiScEA U7Er4/cPAgMBAAECggEAIyeC0pNZ+b7ry+LUuHiLF44ZgbY5a8aFEIv3xJb1byxj eq3BRnm2eNWGmufXfgXPxYorAHocUPVt4ZloTZEw60F/rxTzTZXsy0/xBQ/dDAaw PHIkrvVDFgXTYgCl/cqNOS69j3xaMH/rA6mss+Mi9W0eTHbPCoOaniNB474Ef0+y 6MGkwBej0rzZXVOsbyAyE5gHKHpDStas4rSsBrMhasP2vQMrl1A8ys1IWkYDEOee lDwScFfFy7aUefzEo9N7KRT7Xl5p3t+O75WMpZUlMgxkzq/kpSoDBFHlSID0GDeO h2iUBYg7Xtb2L1eKJYJkOCNvtg/5k5qK8pnGDYMm0QKBgQD4Ikbe4I4l8L7UL/Jl hIlTY1wBedSdKz4OEILBRzrK1/TY1o2z8OSC8jkXvRFkg0lrtLgrbOJgKT+jHDJe pP+WlSmwPDQlzyIiCh6vjFZD4KEW75cJ7lZEjVG/fV/SWDxe1Uv1Mw2V86olIZmX hUcWHXgKWkhorZ45+9p29ekopwKBgQDah5M5UzXKoJvLD9PoSbiMCUDj7F+kBQrI TfR5DMvec0CrbXDHQZug7/A+2x/MLeYaIjs1ylbFjPvQP4S7XkhTtA2BwhHH2s0A Oclh/YY0ue3bGpbd0XAOufbvZouDNFxnmvXIDLi/hu1a2o3212ruVpHT1SpX0JYw 32k7K0ojWQKBgQCKBk8T1SddFXChCVa1f6b/2qooLAPHtXEcU7TYHG4ovT32jEpg iKQj7ucxPDt7hMgHgIxdo4C86tT6P0oJeZCuy6RX4vVC/thGxQhSsCagNUiGQJns rUYRdea+NNhjYi+atN0+tLpe6h5/7xPHxBxJwfSvFY9nowP7zwuz1pBuywKBgQDJ NeHZ+4Lg8mbgXs9350E0N2T3N/KL/FSEQDrkpmKkjSwza85WuVMJqUNlLK+neW+Q CorIKWkh9oD5qzKUrugbogJ5wm5KvWzaU1rYje3faH7Yqi/VR/1Moe/7WEkG4tRe VPEPZJ9LQnoTmH70lD6R+0XEbVbSim1vzJWA9IgL6QKBgQDFL3ESiy7qlC9cUY23 o/36VFVlxY4DDrF1log1Skq501wkFQ6Uyu+9WCLa5Y389VOZCAka3VwkVMPINpku 7jZReUQTCb586JGJ7C7q8fPviNvt5afqG/Qb1S5j8I1Fc0g1lsmH6RhoNm4c/Pbl ljB4j3/9XFdVCwd6C059TybJOA==', /* * Key rollover * If you plan to update the SP x509cert and privateKey * you can define here the new x509cert and it will be * published on the SP metadata so Identity Providers can * read them and get ready for rollover. */ // 'x509certNew' => '', ), // Identity Provider Data that we want connect with our SP 'idp' => array ( // Identifier of the IdP entity (must be a URI) 'entityId' => 'https://app.onelogin.com/saml/metadata/63777194-b44d-4adc-bcba-d43df390bfe3', // SSO endpoint info of the IdP. 
(Authentication Request protocol) 'singleSignOnService' => array ( // URL Target of the IdP where the SP will send the Authentication Request Message 'url' => 'https://recouveo-dev.onelogin.com/trust/saml2/http-post/sso/890384', // SAML protocol binding to be used when returning the // message. Onelogin Toolkit supports for this endpoint the // HTTP-POST binding only 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', ), // SLO endpoint info of the IdP. 'singleLogoutService' => array ( // URL Location of the IdP where the SP will send the SLO Request 'url' => 'https://recouveo-dev.onelogin.com/trust/saml2/http-redirect/slo/890384', // SAML protocol binding to be used when returning the // message. Onelogin Toolkit supports for this endpoint the // HTTP-Redirect binding only 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', ), // Public x509 certificate of the IdP 'x509cert' => '-----BEGIN CERTIFICATE----- MIID6DCCAtCgAwIBAgIURlti5qovZIl7eFSz8aIFzzCOWMgwDQYJKoZIhvcNAQEF BQAwSTEUMBIGA1UECgwLUmVjb3V2ZW8gU0kxFTATBgNVBAsMDE9uZUxvZ2luIElk UDEaMBgGA1UEAwwRT25lTG9naW4gQWNjb3VudCAwHhcNMTkwMjA2MTAwOTQ4WhcN MjQwMjA2MTAwOTQ4WjBJMRQwEgYDVQQKDAtSZWNvdXZlbyBTSTEVMBMGA1UECwwM T25lTG9naW4gSWRQMRowGAYDVQQDDBFPbmVMb2dpbiBBY2NvdW50IDCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBANKkA4I5WALZn7N8xVYnehWVu4YI8liJ 7GCVhpIJLEw/wchliK2jTlA1qiUouKnmVz5YIIBDlSGkat//GSEmpe4R27eaEtqZ 8o8iaxMLfswwgRY+YxYgZs6g3hgeAifJUzPFQzgsTp5HwbizqWBbFfK2KSXO6ebT CbLu+u3zV5zE3T127Sg8+7zTlCwJWqxeIgnKUM/OYpz2i52q3y5x2q+TqhXpP4hc IVbPMEgS5jrp1nrmFYemaKnORI+Btj/Ci01aw+D5rbi8vRRBV6fusZ/0wfOuDs0d TzXuIecW4ZhqTH6wr3sncPg/ZOUAPCRarRRoDm8PgvOFBcMWIMgeM4MCAwEAAaOB xzCBxDAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTdT+UPRxKaI3oGYF8nKgc9b4Q8 KzCBhAYDVR0jBH0we4AU3U/lD0cSmiN6BmBfJyoHPW+EPCuhTaRLMEkxFDASBgNV BAoMC1JlY291dmVvIFNJMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxGjAYBgNVBAMM EU9uZUxvZ2luIEFjY291bnQgghRGW2Lmqi9kiXt4VLPxogXPMI5YyDAOBgNVHQ8B Af8EBAMCB4AwDQYJKoZIhvcNAQEFBQADggEBABlyrQ3stdMgIIzIUmN8TGM1vYNQ 
wZhHP64iPz6pjScVF6JTpu0qM6Qj+64ho06HPXLzlBypEwalkivKnUU4jEA9S2QM +br8YP/GXnT//mcPLg6DmxCYyFKdIKDgyZRrmPD+MWMlr32grqJNxpDmFjBZbcOV O+/b9FtpBVZINjie9trvYQQkErzGCKTkXbA/bqWHCkknEp/3pPhTxd8lw1C080Yd rM4vJVHIQv4fd6htLYBVf8p2AVOsJFtjrZdeYWXgJm3m+7LE7DlfKtTndRYK+YPa O2w24f7Kfj6FIoFwlcDRuumzlFvqmJ44/+umgM+NSErINPxPQOY/NXp3TIQ= -----END CERTIFICATE----- '
        /*
         * Instead of using the whole x509cert you can use a fingerprint in
         * order to validate the SAMLResponse, but we don't recommend using
         * that method in production since it is exploitable by a collision
         * attack.
         * (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
         * or add for example the -sha256 , -sha384 or -sha512 parameter)
         *
         * If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
         * let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512
         * 'sha1' is the default value.
         */
        // 'certFingerprint' => '',
        // 'certFingerprintAlgorithm' => 'sha1',

        /* In some scenarios the IdP uses different certificates for
         * signing/encryption, or is under key rollover phase and more
         * than one certificate is published on IdP metadata.
         * In order to handle that the toolkit offers that parameter.
         * (when used, 'x509cert' and 'certFingerprint' values are
         * ignored).
         */
        // 'x509certMulti' => array(
        // 'signing' => array(
        // 0 => '',
        // ),
        // 'encryption' => array(
        // 0 => '',
        // )
        // ),
    ),
);