If you don’t know what SAML is, now’s your time to get out. Seriously, it’s not for the faint-hearted.

Still with me? OK, here’s what you need to do to make your PHP application act as a service provider (SP) to authenticate users with a third party identity provider (IdP).

For the local part, we’re going to use a library called SimpleSAMLphp. The PHP and SAML parts are accurate, the simple part is debatable.

For the remote part we’re going to use TestShib although OpenIdP is pretty similar.

Set up SimpleSAMLphp

Below is a condensed version of the official set up instructions.

  1. Download SimpleSAMLphp.
  2. Extract it somewhere in your web root. Only the www folder needs to be reachable from the web; ideally keep config/, cert/ and metadata/ outside the document root (the official docs suggest an Apache Alias for www), since they hold your private key and admin password.
  3. Open config/config.php and
    1. update baseurlpath to point from the web root to the www folder, e.g. “simplesamlphp-1.0/www/”,
    2. change auth.adminpassword to something else (it won’t let you keep the default).
  4. Generate a certificate and key pair for the SP and add them to config/authsources.php as explained in section 1 of this doc. The key is what your SP signs its requests with, so keep it out of version control and readable only by the web server user.
  5. Point your browser to whatever you set as the base URL above, e.g. localhost/simplesamlphp-1.0/www/ and you should see the simpleSAMLphp installation page.

Exchange metadata

Unlike OpenID, in SAML the SP and IdP need to have pre-existing knowledge of each other: each side needs the other’s metadata (entity ID, endpoints and, crucially, the signing certificate used to validate messages), so the set-up is a two-way exchange.

  1. Generate the XML metadata for your SP by clicking on Show metadata on the Federation tab.
  2. Save this to a file with a name unlikely to be used by someone else such as my-company-saml-test-2013.xml.
  3. Upload your metadata to the IdP.
  4. Download the IdP metadata.
  5. Convert the IdP metadata XML to SimpleSAMLphp’s PHP format.
    1. Paste the XML into the converter tool on the Federation tab.
    2. Find the result named saml20-idp-remote and copy the PHP code (starting $metadata['… ).
  6. Install the metadata by pasting it into metadata/saml20-idp-remote.php either below or replacing the existing openidp.feide.no definition.
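To make the two halves of the exchange concrete, here is what the resulting configuration looks like on the SP side. This is an added example, not code from the original post or from the SimpleSAMLphp project: the entity ID, endpoint URLs and certificate blob are placeholders (example.org), and the real values are whatever the converter produced from the IdP metadata you downloaded. The key and certificate file names assume you followed the docs’ openssl step and put them in SimpleSAMLphp’s cert/ directory.

```php
<?php
// ---- config/authsources.php (SP side) ----
// Defines the local SP. The 'idp' key pins this SP to one IdP, so the
// discovery page is skipped and a user can only be sent to that IdP.
$config = array(
    // Admin login for the web UI; password lives in config.php (auth.adminpassword).
    'admin' => array('core:AdminPassword'),

    'default-sp' => array(
        'saml:SP',
        // null lets SimpleSAMLphp derive the entityID from baseurlpath.
        'entityID' => null,
        // Placeholder: use the entityID from the IdP metadata you downloaded.
        'idp' => 'https://idp.example.org/idp/shibboleth',
        // File names are relative to the cert/ directory (the 'certdir' option).
        // saml.pem is the SP private key: never web-accessible, never in git.
        'privatekey'  => 'saml.pem',
        'certificate' => 'saml.crt',
        // Sign our AuthnRequests and logout messages with that key.
        'redirect.sign' => true,
        'sign.logout'   => true,
    ),
);

// ---- metadata/saml20-idp-remote.php (what the converter gives you) ----
// One entry per trusted IdP, keyed by its entityID. Paste the converter
// output here, replacing or sitting next to the openidp.feide.no entry.
$metadata['https://idp.example.org/idp/shibboleth'] = array(
    'name'        => array('en' => 'Example test IdP'),
    'description' => 'Placeholder IdP entry; real values come from the converter.',
    'SingleSignOnService'  => 'https://idp.example.org/idp/profile/SAML2/Redirect/SSO',
    'SingleLogoutService'  => 'https://idp.example.org/idp/profile/SAML2/Redirect/SLO',
    // The IdP's signing certificate (base64 DER, no PEM header/footer).
    // Without this the SP cannot verify assertion signatures, and the
    // converter copies it from the <ds:X509Certificate> in the IdP metadata.
    'certData' => 'MIIC...placeholder...',
);
```

The two things worth checking after pasting the converter output are that the array key matches the entityID the IdP actually sends (a mismatch surfaces as an "unknown IdP" error on the first login attempt) and that certData is present, because that certificate is the only thing standing between you and an assertion forged by whoever controls DNS for the IdP hostname.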

Test it

Start at the Authentication tab and follow the links. At the end you should be redirected to a page titled SAML 2.0 SP Demo Example showing some bogus user data: the attributes the test IdP released for its fake account. If you instead land on an error page, the usual culprits are an entity ID mismatch between the two metadata files or a missing IdP certificate.
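The demo page only proves the round trip works; the point of the exercise is to protect your own pages. The following is an added example of how a PHP page consumes the session SimpleSAMLphp establishes, using the library’s own SimpleSAML_Auth_Simple class. It is not code from the original post. The install path and the attribute names (uid, eduPersonPrincipalName) are assumptions: which attributes arrive depends on what the IdP releases and on the SP’s attribute map, so check the names on the demo page first.

```php
<?php
// protected.php: a page in your own application, outside the SimpleSAMLphp tree.

// Assumed install location; point this at lib/_autoload.php of your extracted copy.
require_once('/var/www/simplesamlphp/lib/_autoload.php');

// 'default-sp' is the authsource name from config/authsources.php.
$as = new SimpleSAML_Auth_Simple('default-sp');

// Redirects to the IdP if there is no valid SP session and only returns
// once the user is authenticated, so everything below can trust $as.
$as->requireAuth();

// Attributes are always arrays of values, even single-valued ones.
$attributes = $as->getAttributes();

/**
 * Return the first value of a released attribute, or null if the IdP did not
 * release it. Never assume an attribute is present: a missing one should fail
 * closed, not fall through to an empty string that matches a blank DB column.
 */
function firstAttribute(array $attributes, $name)
{
    return (isset($attributes[$name]) && count($attributes[$name]) > 0)
        ? $attributes[$name][0]
        : null;
}

// Assumed attribute names; use whatever the demo page showed for your IdP.
$eppn = firstAttribute($attributes, 'eduPersonPrincipalName');
$uid  = firstAttribute($attributes, 'uid');

if ($eppn === null) {
    // Authenticated but without the identifier we key accounts on: refuse.
    header('HTTP/1.1 403 Forbidden');
    exit('IdP did not release a usable identifier.');
}

// Attribute values come from a remote party; escape them before rendering.
echo '<p>Signed in as ' . htmlspecialchars($eppn, ENT_QUOTES, 'UTF-8') . '</p>';
if ($uid !== null) {
    echo '<p>uid: ' . htmlspecialchars($uid, ENT_QUOTES, 'UTF-8') . '</p>';
}

// getLogoutURL() builds a link that ends the SP session and, if the IdP
// supports single logout, the IdP session too.
echo '<a href="' . htmlspecialchars($as->getLogoutURL(), ENT_QUOTES, 'UTF-8') . '">Log out</a>';
```

Two points of this design matter beyond the demo: the page keys the account on eduPersonPrincipalName and refuses to proceed if it is absent rather than silently treating the user as anonymous, and it escapes every attribute value on output, since attribute contents are chosen by the IdP (or by whoever compromised it), not by you.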

Hooray! Now go and do something useful.
