SAML Discovery Service


This is a SAML discovery service written in PHP.

It follows the Identity Provider Discovery Service Protocol and Profile because mod_auth_mellon seems to support that. So why not?


Browser Support

The discovery service is tested with the following browsers:



A generator script that takes SAML metadata file(s) and extracts the IdPs based on the entityIDs that are set in the configuration file. It writes out two files:

  1. A stripped down SAML metadata file containing only the required entries for use by mod_auth_mellon;
  2. A JSON file containing information about the IdPs for use by the discovery service.

The stripped down SAML metadata file is needed because mod_auth_mellon, at least the version shipped with CentOS 7, is unusably slow if you use e.g. the entire eduGAIN metadata file.
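The filtering step described above, as an added example that is not the project's own generator code: it keeps only the allow-listed IdP entities and returns the stripped metadata and the JSON as strings. The function name `filterIdps`, the JSON field names and the sample metadata are assumptions made for illustration.

```php
<?php
// Added example, not the project's bin/generate.php. filterIdps(), the JSON
// field names and the sample metadata are assumptions for illustration.
const NS_MD = 'urn:oasis:names:tc:SAML:2.0:metadata';
const NS_MDUI = 'urn:oasis:names:tc:SAML:metadata:ui';

// Returns [stripped metadata XML, JSON for the discovery page] for allow-listed IdPs.
function filterIdps($metadataXml, array $allowedEntityIds)
{
    $src = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing federation metadata.
    if (!$src->loadXML($metadataXml, LIBXML_NONET)) {
        throw new RuntimeException('metadata is not well-formed XML');
    }
    $xp = new DOMXPath($src);
    $xp->registerNamespace('md', NS_MD);
    $xp->registerNamespace('mdui', NS_MDUI);
    $out = new DOMDocument('1.0', 'UTF-8');
    $root = $out->appendChild($out->createElementNS(NS_MD, 'md:EntitiesDescriptor'));
    $idps = [];
    // Only entities that actually carry an IdP role are candidates.
    foreach ($xp->query('//md:EntityDescriptor[md:IDPSSODescriptor]') as $entity) {
        $entityId = $entity->getAttribute('entityID');
        // Exact, type-strict comparison against the configured allow-list.
        if (!in_array($entityId, $allowedEntityIds, true)) {
            continue;
        }
        $root->appendChild($out->importNode($entity, true));
        $name = $xp->evaluate('string(.//mdui:DisplayName[1])', $entity);
        $idps[] = ['entityId' => $entityId, 'displayName' => $name !== '' ? $name : $entityId];
    }
    return [$out->saveXML(), json_encode($idps, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT)];
}

// Constructed sample metadata: two IdPs, only idp-a is allow-listed.
$sample = <<<XML
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://idp-a.example.org/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">Example A</mdui:DisplayName></mdui:UIInfo></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.org/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
XML;
list($xml, $json) = filterIdps($sample, ['https://idp-a.example.org/saml']);
echo $json, "\n";
```

The output is a new document, so a signature over the source EntitiesDescriptor does not carry over to it; the source file has to be verified before filtering, as the contrib/ scripts do for eduGAIN.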

Discovery Service

A service that uses the JSON file to display a discovery page where the user can select their IdP. See the screenshots.

Without logos:


With logos (optional):



In case you want to override the default template, it usually suffices to copy views/base.twig to config/views/base.twig and modify it there, e.g. adding additional CSS files.


The software is written in PHP, and requires PHP >= 5.4 together with the imagick PECL extension. This extension is available on RHEL/CentOS (EPEL) and Debian.

Obtaining Metadata

The contrib/ directory contains some scripts to download SAML metadata from eduGAIN, verify the signature and place it in the config/metadata directory.


All (source) metadata files you want to use should be placed in the config/metadata directory and have a .xml extension.

Specify the entityIDs of the IdPs you want to support in the config/config.php file.


To run the generator, make sure the metadata files are located in the config/metadata directory and a writable data/ directory exists.

    $ php bin/generate.php

This will generate the JSON and XML files mentioned above and, if enabled, download and scale/compress the IdP logos that are available in the metadata file.


I found some other options when investigating how to do SAML discovery:

They were not really what I wanted.


    $ git clone
    $ cd php-saml-ds
    $ composer install
    $ cp config/config.php.example config/config.php

Now configure config/config.php and add some metadata files to read from in config/metadata, e.g.:

    $ mkdir config/metadata
    $ curl -L -o config/metadata/SURFconext.xml

Create a data/ directory and run the generator script that creates a JSON and SAML metadata file and (optionally) fetches the logos specified in the metadata:

    $ mkdir data
    $ php bin/generate.php

Create a symlink, so the logos are available under the web/ directory:

    $ (cd web && ln -s ../data/logo)

Now, you can start the PHP built-in web server:

    $ php -S localhost:8080 -t web/

Browse to http://localhost:8080/index.php and provide the following query parameters:

The entityID MUST match one of the registered SPs in your config/config.php.