Skip to end of metadata
Go to start of metadata

While we recommend use of the Shibboleth Service Provider software whenever possible there might be pressure to run an application and its SAML SP implementation in severely constrained environments, including ones where running the Shibbleth SP software would be overly difficult. But if PHP code can still be run in such environments SimpleSAMLphp might be a viable alternative.

The fact that a given resource/application itself is written in PHP is immaterial as the Shibboleth Service Provider software can protect that just fine and also avoids API-level integration or PHP session complexity issues that come with the use of SimpleSAMLphp.

Getting started

Install and configure SimpleSAMLphp as per the documentation. Also make a plan right now how you will be keeping the software current and up-to-date, esp. if you don't install from vendor- or OS distribution-supported packages. In almost all cases this will involve the use of an alternative location for SimpleSAMLphp's configuration files (see section "Location of configuration files" in the install documentation) by making use of the SIMPLESAMLPHP_CONFIG_DIR environment variable. (This is also being demonstrated in section "Configuring Apache" of the installation documentation.)


Use the metarefresh module and its documentation to configure automated loading and verification of the Metadata.

$config = array(
    'sets' => array(
        'aconet' => array(
            'cron' => array('hourly', 'daily'),
            'sources' => array(
                    'conditionalGET' => TRUE,
                    'src' => '',
                    'certificates' => array('aconet-metadata-signing.crt'),
                    'types' => array('saml20-idp-remote'),
            'expireAfter'  => 60*60*24*3, // Maximum 3 days cache time
            'outputDir'    => 'metadata/federation/',
            'outputFormat' => 'flatfile',

This way the metadata will be put into files within a separate sub-directory of the default metadata directory (metadata/federation/), leaving the existing files in the default metadata/ directory for other, manually managed, entities. In order for SimpleSAMLphp to find these files you'll have to adjust its metadata configuration by adding another metadata source location:

'metadata.sources' => array(
    array('type' => 'flatfile'),
    array('type' => 'flatfile', 'directory' => 'metadata/federation/'), // add this line!

For setting up the required cron module please follow the upstream documentation for now.

SAML SP details

By default there's no easy way to process persistent SAML NameIDs the same way as SAML attributes. Using an authproc filter like the one below fixes this:

'sp' => array(
    'privatekey' => 'saml.key',
    'certificate' => 'saml.crt',
    'sign.logout' => true,
    'signature.algorithm' => '',
    // The entity ID of this SP.
    'entityID' => '', // CHANGE THIS
    // The entity ID of a single IdP this should SP should initiate SSO with.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => null,
    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    // Or pick one from
    'discoURL' => null,
    // *Not* requesting a specific NameID format is essential for large-scale interop but
    // only works since SimpleSAMLphp 1.17.0 (and that had a bug only fixed in 1.17.5):
    'NameIDPolicy' => false,
    'authproc' => array(
        // Create an intermediate attribute with NameID Format and Qualifiers spelled out:
        10 => array(
            'class' => 'saml:NameIDAttribute',
            'format' => '%F|%I!%S!%V',
            'attribute' => 'nameid_qualified',
        // Create 'persistent-id' attribute only from/for *persistent* NameIDs:
        20 => array(
            'class' => 'core:AttributeAlter',
            'subject' => 'nameid_qualified',
            'pattern' => '/^urn:oasis:names:tc:SAML:2\.0:nameid-format:persistent\|/',
            'target' => 'persistent-id',
            'replacement' => '',

You could then add the created persistent-id internal attribute to a list of attributes to check for a usable identifier within a SmartID authproc filter, recreating something like the Shibboleth Service Provider's REMOTE_USER precedence list. Also note that a similar approach to the filter above could be used to support other NameID formats, e.g. emailAddress. Use of these other NameID formats is not recommended, though, so this is illustrated elsewhere.

  • No labels