Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: drop flatfile metadata


  • Edit /opt/simplesamlphp/config/authsources.php and add references to the certificate to the default-sp definition:

    No Format
        'default-sp' => array(
            'privatekey' => 'saml.pem',
            'certificate' => 'saml.crt',

  • Make SSP issue secure cookies: in config/config.php , change value to true

    No Format
        '' => true,

Loading the federation metadata


  • Download the metadata signing certificate for the federation metadata into /etc/shibboleth:
    • For Tuakiri, run:

      No Format
      wget -O /opt/simplesamlphp/cert/tuakiri-metadata-cert.pem

    • or for Tuakiri-TEST, run:

      No Format
      wget -O /opt/simplesamlphp/cert/tuakiri-test-metadata-cert.pem

  • Edit config/config-metarefresh.php:
    • Replace 'kalmar' with the federation name ('tuakiri')
    • Set the download URL - either for Tuakiri Production:

      No Format
         'src' => '',

    • Or Tuakiri-TEST:

      No Format
         'src' => '',

    • Set output directory and format (use 'serialize'format):

      No Format
                              'outputDir'     => 'metadata/metarefresh-tuakiri/',
                              'outputFormat' => 'serialize',

    • Set expiry date to 7 days to match Tuakiri

      No Format
                              'expireAfter'           => 60*60*24*7, // Maximum 7 days cache time.

    • Change the list of accepted certificates to the metadata signing certificate downloaded above (use tuakiri-test-metadata-cert.pem for Tuakiri-TEST:

      Code Block
                                              'certificates' => array(

    • Remove/comment-out the validateFingerprint entry (see note below for explanation)


      Older versions of SimpleSAMLphp did not support directly referring to a certificate and instead required embedding the certificate fingerprint in the configuration.

      For historical and archival purposes, the instructions are included here - but can be ignored in favour of using the above certificates setting.

      • Set the 'validateFingerprint' to the fingerprint value of the metadata issuing certificate
        • Tuakiri-PROD: 06:85:C5:89:2F:38:83:98:77:1B:A4:5D:58:A4:06:3A:A4:C1:CE:45
        • Tuakiri-TEST: 5E:90:2D:F9:D9:5A:5A:95:BF:58:4D:02:AD:29:35:64:CC:BF:76:45
      • To calculate the fignerprint yourself:
        • Download the metadata signing certificate (for Tuakiri-PROD and Tuakiri-TEST, they are linked from the instructions on registering an SP into Tuakiri)
        • and get the fingerprint value with:

          No Format
                openssl x509 -fingerprint -noout -in metadata-cert.pem 

  • Edit config/config.php and add an extra entry into 'in metadata.sources, replace the existing 'type'=>'flatfile' entry with:

    No Format
       array('type' => 'serialize', 'directory' => 'metadata/metarefresh-tuakiri'),