# See https://github.com/SAML-Toolkits/php-saml for more information about the SAML settings

# Define a parameter here, so we can access it later in the default fallback
parameters:
  saml.sp.privateKey: '%env(string:SAML_SP_PRIVATE_KEY)%'

nbgrp_onelogin_saml:
  onelogin_settings:
    default:
      # Basic settings
      idp:
        entityId: '%env(string:SAML_IDP_ENTITY_ID)%'
        singleSignOnService:
          url: '%env(string:SAML_IDP_SINGLE_SIGN_ON_SERVICE)%'
          binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        singleLogoutService:
          url: '%env(string:SAML_IDP_SINGLE_LOGOUT_SERVICE)%'
          binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        x509cert: '%env(string:SAML_IDP_X509_CERT)%'
      sp:
        entityId: '%env(string:SAML_SP_ENTITY_ID)%'
        assertionConsumerService:
          url: '%partdb.default_uri%saml/acs'
          binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
        singleLogoutService:
          url: '%partdb.default_uri%logout'
          binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        x509cert: '%env(string:SAML_SP_X509_CERT)%'
        # Before the env variable was wrongly named "SAMLP_SP_PRIVATE_KEY".
        # For compatibility reasons we keep it and only fallback to the new name if the old one is not set. This may be removed in the future.
        privateKey: '%env(string:default:saml.sp.privateKey:string:SAMLP_SP_PRIVATE_KEY)%'

      # Optional settings
      #baseurl: 'http://myapp.com'
      strict: true
      debug: false
      security:
         allowRepeatAttributeName: true
      #  nameIdEncrypted: false
         authnRequestsSigned: true
         logoutRequestSigned: true
         logoutResponseSigned: true
      #  wantMessagesSigned: false
      #   wantAssertionsSigned: true
      #  wantNameIdEncrypted: false
      #  requestedAuthnContext: true
      #  signMetadata: false
      #  wantXMLValidation: true
      #  relaxDestinationValidation: false
      #  destinationStrictlyMatches: true
      #  rejectUnsolicitedResponsesWithInResponseTo: false
      #  signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
      #  digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256'
      #contactPerson:
      #  technical:
      #    givenName: 'Tech User'
      #    emailAddress: 'techuser@example.com'
      #  support:
      #    givenName: 'Support User'
      #    emailAddress: 'supportuser@example.com'
      #  administrative:
      #    givenName: 'Administrative User'
      #    emailAddress: 'administrativeuser@example.com'
      #organization:
      #  en:
      #    name: 'Part-DB-name'
      #    displayname: 'Displayname'
      #    url: 'http://example.com'