Summary: Secure SAML Service Provider
Description: Secure SAML Service Provider with a focus on saml2int compatibility and easy integration in PHP applications.
A SAML Service Provider (SP) with an easy API to use SAML authentication from your existing PHP applications.
There are various options for integrating SAML in your PHP application. However, most are either (very) complicated, include too many (useless) features, have hard requirements on Apache and are not easy to package for server operating systems like CentOS/Fedora and/or Debian.
We only need SAML SP support, so there is no need to include any IdP features, or other (obsolete) authentication protocols.
In addition, we only implement what is actually used "in the field" and that which is secure. So you won't find SHA1 support or insecure encryption.
AuthnContextClassRef as part of the
urn:oid SAML attributes from a list of allowed attributes, ignores the rest
<shibmd:Scope> metadata element when the IdP metadata contains this element
urn:oid attribute names to "friendly" names for use by applications
We do aim to eventually support everything as mentioned in SAML V2.0 Deployment Profile for Federation Interoperability.
Key Transport | Digest
<EncryptedAssertion>) support, PHP >= 7.1
composer.json for additional dependencies
See the installation instructions.
The src/ directory contains the SAML SP implementation library. The directory src/Web contains everything related to the built-in web interface providing the landing page and WAYF. The src/Api directory contains everything related to the API to use from your PHP application.
Run composer to install the dependencies:
$ /path/to/composer install
Use the following command to create self-signed certificates for use with the
SP library. It will be used for signing the
<LogoutRequest>. Another set will be used for decryption of
$ cd keys
$ ./generate_keys.sh
Now copy the configuration template:
$ cp config/config.php.example config/config.php
Secure session cookie parameter by setting the
A neat IdP to use for testing is
https://x509idp.moonshot.utr.surfcloud.nl/metadata. There's no need to register
your SP with that IdP. Put the metadata in
$ mkdir config/metadata
$ curl -L -o config/metadata/x509idp.moonshot.utr.surfcloud.nl.xml https://x509idp.moonshot.utr.surfcloud.nl/metadata
Run the application using PHP's built-in web server:
$ php -S localhost:8082 -t web
With your browser you can go to http://localhost:8082/ and take it from there!
In case you want to add / configure your IdP to use with this software, make sure:
samlp:Response to the SP;
Some of these requirements are also exposed through the SP metadata.
In your simpleSAMLphp's metadata/saml20-sp-remote.php file, configure this for this SP:
'validate.authnrequest' => true,
'sign.logout' => true,
'validate.logout' => true,
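As an added example (not part of the php-saml-sp project or of the simpleSAMLphp documentation), the following is a complete saml20-sp-remote.php entry that places those three settings next to the other options a simpleSAMLphp IdP needs for this SP: signed responses and assertions, SHA-256 signatures, and release of urn:oid attributes only. The entityID, endpoint URLs, certificate file name and the attribute list are assumptions; replace them with the values published in your SP's metadata.

```php
<?php
// Added example: simpleSAMLphp (IdP side) entry for a php-saml-sp instance.
// All URLs, the certificate file name and the attribute names are placeholders.
$metadata['https://sp.example.org/saml'] = [
    // Endpoint where the IdP posts the signed <samlp:Response>
    'AssertionConsumerService' => [
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://sp.example.org/saml/acs',
            'index'    => 0,
        ],
    ],
    // Endpoint for <LogoutRequest>/<LogoutResponse> exchanges
    'SingleLogoutService' => [
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://sp.example.org/saml/slo',
        ],
    ],
    // Public half of the SP signing key pair (file in simpleSAMLphp's cert directory)
    'certificate' => 'sp.example.org.crt',

    // Require signed AuthnRequests from the SP and signed logout messages both ways
    'validate.authnrequest' => true,
    'sign.logout'           => true,
    'validate.logout'       => true,

    // Sign both the response and the assertion, SHA-256 only (no SHA1)
    'saml20.sign.response'  => true,
    'saml20.sign.assertion' => true,
    'signature.algorithm'   => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',

    // Release only the attributes the SP uses, converted to urn:oid names
    'authproc' => [
        50 => ['class' => 'core:AttributeLimit', 'uid', 'mail'],
        90 => ['class' => 'core:AttributeMap', 'name2oid'],
    ],
];
```

The AttributeLimit filter runs before the name2oid map, so the allow-list is written with the IdP's internal (friendly) attribute names while the SP receives them under their urn:oid names, which is what the attribute allow-list and friendly-name mapping on the SP side expect.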
See API for how to use php-saml-sp from your PHP application.
In order to run the included test suite: