[root@hostname ~]# openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out server.crt -keyout server.pem
Generating a 2048 bit RSA private key
writing new private key to 'server.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:国名
State or Province Name (full name) :都道府県名
Locality Name (eg, city) [Default City]:市名
Organization Name (eg, company) [Default Company Ltd]:組織名
Organizational Unit Name (eg, section) :部署名
Common Name (eg, your name or your server's hostname) :IdPドメイン
Email Address :メールアドレス
[root@hostname ~]# mv server.* /var/www/simplesamlphp/cert/
[root@hostname ~]# vim /var/www/simplesamlphp/config/authsources.php
'ldap' => array(
// Give the user an option to save their username for future login attempts
// And when enabled, what should the default be, to save the username or not
//'remember.username.enabled' => FALSE,
//'remember.username.checked' => FALSE,
// The hostname of the LDAP server.
'hostname' => 'ldaps://LDAPドメイン',
// Whether SSL/TLS (STARTTLS) should be negotiated when contacting the LDAP server.
// Left FALSE here because the hostname above already uses ldaps://, which is
// encrypted from the first byte; STARTTLS only applies to plain ldap:// URLs.
'enable_tls' => FALSE,
// Whether debug output from the LDAP library should be enabled.
// Default is FALSE.
'debug' => FALSE,
// The timeout for accessing the LDAP server, in seconds.
// The default is 0, which means no timeout.
'timeout' => 0,
// The port used when accessing the LDAP server.
// The default is 389 (plain ldap://); the standard LDAPS port is 636.
'port' => port,
// Set whether to follow referrals. AD Controllers may require FALSE to function.
'referrals' => TRUE,
// Which attributes should be retrieved from the LDAP server.
// This can be an array of attribute names, or NULL, in which case
// all attributes are fetched.
'attributes' => NULL,
// The pattern which should be used to create the user's DN given the username.
// %username% in this pattern will be replaced with the user's username.
// This option is not used if the search.enable option is set to TRUE.
'dnpattern' => 'uid=%username%,ou=people,dc=example,dc=org',
// As an alternative to specifying a pattern for the user's DN, it is possible to
// search for the username in a set of attributes. This is enabled by this option.
'search.enable' => TRUE,
// The DN which will be used as a base for the search.
// This can be a single string, in which case only that DN is searched, or an
// array of strings, in which case they will be searched in the order given.
'search.base' => 'Base DN',
// The attribute(s) the username should match against.
// This is an array with one or more attribute names. Any of the attributes in
// the array may match the username value.
'search.attributes' => array('uid'),
// Additional LDAP filters appended to the search attributes
'search.filter' => '特定の属性を持っていれば許可する等のフィルタを記述',
// The username & password SimpleSAMLphp should bind with before searching. If
// this is left as NULL, no bind will be performed before searching.
'search.username' => 'Bind DN',
'search.password' => 'password',
// If the directory uses privilege separation, the authenticated user may not
// be able to retrieve all required attributes; a privileged entity is then
// required to read them. This is enabled with this option.
'priv.read' => FALSE,
// The DN & password SimpleSAMLphp should bind with before
// retrieving attributes. These options are required if
// 'priv.read' is set to TRUE.
'priv.username' => NULL,
'priv.password' => NULL,
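How the 'search.attributes' and 'search.filter' settings above combine into the single LDAP filter sent to the directory, and why the login name must be escaped before it is spliced in. This is an added illustration in Python, not SimpleSAMLphp's own code; the group filter and usernames are constructed sample values, and the exact parenthesisation is this example's choice.

```python
# Added example (not SimpleSAMLphp's code): assemble the DN-lookup filter
# described by 'search.attributes' and 'search.filter' in authsources.php.

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value so that they are matched literally, not as filter syntax.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(username: str, attributes: list, extra_filter: str = "") -> str:
    """Return the filter used to find the user's DN.

    attributes   -> the 'search.attributes' array; one clause per attribute, OR'ed
    extra_filter -> the admin-controlled 'search.filter', AND'ed on unchanged
    """
    if not attributes:
        raise ValueError("search.attributes must name at least one attribute")
    escaped = escape_filter_value(username)
    clauses = "".join(f"({attr}={escaped})" for attr in attributes)
    user_part = clauses if len(attributes) == 1 else f"(|{clauses})"
    if extra_filter:
        # The admin filter is trusted configuration, but it must be a complete
        # parenthesised filter or the AND below produces a syntax error.
        if not (extra_filter.startswith("(") and extra_filter.endswith(")")):
            raise ValueError("search.filter must be a complete parenthesised filter")
        return f"(&{user_part}{extra_filter})"
    return user_part


if __name__ == "__main__":
    # Constructed sample values; the real ones live in authsources.php.
    group = "(memberOf=cn=idp-users,ou=groups,dc=example,dc=org)"
    print(build_search_filter("alice", ["uid"], group))
    # A login name containing filter metacharacters stays a literal value.
    print(build_search_filter("a*b(c)", ["uid", "mail"]))
```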