SAML Service Provider library


This library adds SAML Service Provider (SP) support to your PHP web application, allowing it to interface with SAML Identity Providers (IdPs).

NOTE: this library did NOT receive a comprehensive security audit. Do NOT use it in production until there is a 1.0 release!


I wanted to have a minimal implementation of a SAML SP library. Existing (PHP) software either has a much larger scope, or tries to conform fully to the SAML specification. This library only tries to implement the minimum amount to work with (most) real-world deployed IdPs, and be secure at all times.




This library only supports algorithms that are not currently broken and that are easy to implement. There is no choice: only the algorithms below are supported.



Use the following command to create a self-signed certificate for use with the SP library. It will be used for signing the AuthnRequest and LogoutRequest.

$ openssl req \
    -nodes \
    -subj "/CN=SAML SP" \
    -x509 \
    -sha256 \
    -newkey rsa:3072 \
    -keyout "sp.key" \
    -out "sp.crt" \
    -days 3650
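
An added example, not part of this library or its documentation: a shell script that checks the sp.key / sp.crt pair produced by the command above (key size, signature digest, that key and certificate belong together, key file mode, remaining validity). The function names, the script name check-sp.sh and the 30-day expiry threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example: checks for the sp.key / sp.crt pair created by the command above.
# Function names are hypothetical; only standard openssl subcommands are used.

# RSA modulus size (bits) of the public key in a certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Signature algorithm of the certificate, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# True when the private key ($1) belongs to the certificate ($2).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when the key file grants no permissions to group or others.
# -nodes stores the key unencrypted, so the file mode is its only protection.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run every check; print each failure and return non-zero if any check fails.
check_sp_credentials() {
    key=$1 crt=$2 rc=0
    [ "$(cert_key_bits "$crt")" -ge 3072 ] 2>/dev/null ||
        { echo "FAIL: RSA key is smaller than 3072 bits"; rc=1; }
    [ "$(cert_sig_alg "$crt")" = "sha256WithRSAEncryption" ] ||
        { echo "FAIL: certificate is not signed with SHA-256"; rc=1; }
    key_matches_cert "$key" "$crt" ||
        { echo "FAIL: private key does not match certificate"; rc=1; }
    key_is_private "$key" ||
        { echo "FAIL: key file is accessible to group/others (chmod 600)"; rc=1; }
    # 2592000 s = 30 days: flag a certificate that is about to expire.
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null ||
        { echo "FAIL: certificate expires within 30 days"; rc=1; }
    return $rc
}

# Usage: sh check-sp.sh sp.key sp.crt
if [ "$#" -eq 2 ]; then check_sp_credentials "$1" "$2"; fi
```

The script exits non-zero when any check fails, so it can gate a deployment step that installs the key pair.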


An example is provided in the example/ directory. In order to run it:

$ /path/to/composer install
$ php -S localhost:8081 -t example

The example performs authentication and shows the attributes received from the IdP. It also supports logout at the IdP, if the IdP supports it.

With your browser you can go to http://localhost:8081/. The example will redirect immediately to the IdP. The metadata of the SP can be found at this URL: http://localhost:8081/metadata

IdP Configuration

Make sure:


In your simpleSAMLphp's metadata/saml20-sp-remote.php file, set the following options for this SP:

'validate.authnrequest' => true,
'sign.logout' => true,
'validate.logout' => true,


In order to run the tests:

$ /path/to/composer install
$ vendor/bin/phpunit

Browser Session

You MUST secure your PHP cookie/session settings. See this resource.