php-saml-sp

SAML Service Provider library

Introduction

This library allows adding SAML Service Provider (SP) support to your PHP web application and interfacing with SAML Identity Providers (IdPs).

NOTE: this library did NOT receive a security audit. Do NOT use it in production until there is a 1.0 release!

Why

I wanted to have a minimal implementation of a SAML SP library. Existing (PHP) software either has a much larger scope, or tries to conform fully to the SAML specification. This library only tries to implement the minimum amount to work with real-world deployed IdPs, and be secure at all times.

Features

Requirements

Crypto

This library only supports algorithms that are not currently considered broken and that are easy to implement. There is no choice: only the algorithms listed below are supported.

Signatures

Encryption

NOTE: currently only MGF1+SHA1 is supported due to limitations of PHP's OpenSSL extension; we aim for MGF1+SHA256 support in version 1.1 of this library.

X.509

Use the following command to create a self-signed certificate for use with the SP library.

$ openssl req \
    -nodes \
    -subj "/CN=SAML SP" \
    -x509 \
    -sha256 \
    -newkey rsa:3072 \
    -keyout "sp.key" \
    -out "sp.crt" \
    -days 3650

Example

An example is provided in the example/ directory. In order to run it:

$ /path/to/composer install
$ php -S localhost:8081 -t example

The example performs authentication and shows the attributes received from the IdP. It also supports logout at the IdP, provided the IdP supports it.

With your browser you can go to http://localhost:8081/. The example will redirect immediately to the IdP. The metadata of the SP can be found at this URL: http://localhost:8081/metadata

IdP Configuration

Make sure:

simpleSAMLphp

In your simpleSAMLphp metadata/saml20-sp-remote.php file, set the following in the entry for this SP:

'validate.authnrequest' => true,
'sign.logout' => true,
'validate.logout' => true,

At the time of writing, simpleSAMLphp does not support EncryptedAssertion with aes-256-gcm. Follow the progress.
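A complete saml20-sp-remote.php entry showing those three settings in context, as an added example that is not part of this README or of the library. It assumes the entityID is the SP metadata URL from the Example section; the /acs and /slo endpoint paths and the certData value are placeholders to be taken from the SP's actual metadata.

```php
<?php
// Added example (not from the php-saml-sp README): a simpleSAMLphp
// metadata/saml20-sp-remote.php entry for this SP. Assumptions: the entityID
// equals the SP metadata URL from the README's example; the /acs and /slo
// paths are placeholders; SP_CERT_BASE64 is a placeholder for the base64 body
// of sp.crt (PEM header, footer and line breaks removed).
$metadata['http://localhost:8081/metadata'] = [
    // Endpoint where the IdP posts the signed Response (placeholder path).
    'AssertionConsumerService' => [
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'http://localhost:8081/acs',
            'index' => 0,
        ],
    ],

    // SP logout endpoint (placeholder path); only used when the IdP does SLO.
    'SingleLogoutService' => [
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'http://localhost:8081/slo',
        ],
    ],

    // The SP's public certificate (contents of sp.crt). The IdP uses it to
    // verify the signatures on AuthnRequests and logout messages from the SP.
    'certData' => 'SP_CERT_BASE64',

    // The three settings required by this SP library (from the README):
    // reject AuthnRequests that are unsigned or whose signature does not
    // verify against certData ...
    'validate.authnrequest' => true,
    // ... sign LogoutRequest/LogoutResponse messages sent to the SP ...
    'sign.logout' => true,
    // ... and require valid signatures on logout messages from the SP.
    'validate.logout' => true,

    // Keep assertion encryption off for now: simpleSAMLphp does not yet
    // support EncryptedAssertion with aes-256-gcm (see the note above).
    'assertion.encryption' => false,
];
```

With validate.authnrequest enabled, an AuthnRequest whose signature fails to verify against certData is rejected by the IdP, so the certificate in certData must match the key the SP signs with.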

Tests

In order to run the tests:

$ /path/to/composer install
$ vendor/bin/phpunit

Browser Session

You MUST secure your PHP cookie/session settings. See this resource.

Resources