Summary: Secure SAML Service Provider
Description: Secure SAML Service Provider with a focus on saml2int compatibility and easy integration in PHP applications.
License: MIT
Web: https://www.php-saml-sp.eu/
A SAML Service Provider (SP) with an easy API to use SAML authentication from your existing PHP applications.
This project received a comprehensive security audit by Cure53 in November 2020. The identified issues were fixed. You can read the audit report yourself.
There are various options for integrating SAML in your PHP application. However, most are either (very) complicated, include too many (useless) features, have hard requirements on Apache, or are not easy to package for server operating systems like CentOS/Fedora and/or Debian.
We only need SAML SP support, so there is no need to include any IdP features, or other (obsolete) authentication protocols.
In addition, we only implement what is actually used "in the field" and that which is secure. So you won't find SHA1 support or insecure encryption. The one place SHA-1 still appears is as the OAEP digest of the `rsa-oaep-mgf1p` key transport algorithm (see the algorithm table below): it is the interoperable default for that algorithm and OAEP does not rely on the collision resistance of its digest.
- Sends `AuthnRequest` and `LogoutRequest` to the IdP
- Receives `LogoutResponse` from the IdP
- Receives `Response` from the IdP
- Signs the `AuthnRequest`
- Signs the `LogoutRequest`
- Requires a signed `samlp:Response` and/or a signed `samlp:Response/saml:Assertion`
- Allows specifying `AuthnContextClassRef` as part of the `AuthnRequest`
- Constructs `eduPersonTargetedID` as `idpEntityId!spEntityId!persistentId` (like Shibboleth)
- Only extracts `urn:oid` SAML attributes from a list of allowed attributes, ignores the rest
- Verifies the `<shibmd:Scope>` metadata element when the IdP metadata contains this element
- Maps `urn:oid` attribute names to "friendly" names for use by applications

We do aim to eventually support everything as mentioned in the SAML V2.0 Deployment Profile for Federation Interoperability.
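The attribute handling in the last four items above, written out as an added Python illustration (it is not php-saml-sp's own PHP code): only allow-listed `urn:oid` attributes are extracted, values of scoped attributes are checked against the literal `<shibmd:Scope>` elements in the IdP metadata, OIDs are mapped to friendly names, and `eduPersonTargetedID` is built from a persistent `NameID` in the `idpEntityId!spEntityId!persistentId` form. The metadata and assertion fragments are constructed sample data, the OIDs are the standard eduPerson/inetOrgPerson ones, and the decision to skip `regexp="true"` scopes is an assumption of this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# urn:oid -> friendly name (standard eduPerson / inetOrgPerson OIDs).
# Anything not in this allow-list is ignored, whatever the IdP sends.
ALLOWED_ATTRIBUTES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
}
# Values of these attributes look like "local@scope"; the scope must be one the IdP may assert.
SCOPED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def allowed_scopes(idp_metadata):
    """Literal <shibmd:Scope> values from the IdP metadata, lower-cased.
    Assumption of this example: regexp="true" scopes are not supported and are skipped."""
    root = ET.fromstring(idp_metadata)
    return {
        s.text.strip().lower()
        for s in root.iter("{%s}Scope" % NS["shibmd"])
        if s.get("regexp", "false") == "false" and s.text and s.text.strip()
    }


def scope_ok(value, scopes):
    """Exactly one '@', a non-empty local part, and a scope from the IdP's set."""
    local, sep, scope = value.partition("@")
    return bool(sep) and bool(local) and "@" not in scope and scope.lower() in scopes


def extract_attributes(assertion_xml, scopes):
    """{friendlyName: [values]} for allow-listed attributes. Scoped values whose scope is
    not in `scopes` are dropped, so one federation IdP cannot assert another IdP's users."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        friendly = ALLOWED_ATTRIBUTES.get(attr.get("Name", ""))
        if friendly is None:
            continue  # not on the allow-list
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        values = [v for v in values if v]
        if friendly in SCOPED_ATTRIBUTES:
            values = [v for v in values if scope_ok(v, scopes)]
        if values:
            out[friendly] = values
    return out


def edu_person_targeted_id(assertion_xml, idp_entity_id, sp_entity_id):
    """idpEntityId!spEntityId!persistentId from a persistent NameID; None if there is none."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT or not (name_id.text or "").strip():
        return None
    return "%s!%s!%s" % (idp_entity_id, sp_entity_id, name_id.text.strip())


# Constructed sample data, not taken from a real IdP.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><shibmd:Scope regexp="false">example.org</shibmd:Scope></md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3d4</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>member@example.org</saml:AttributeValue>
      <saml:AttributeValue>staff@other.example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    scopes = allowed_scopes(IDP_METADATA)
    print(extract_attributes(ASSERTION, scopes))
    print(edu_person_targeted_id(ASSERTION, "https://idp.example.org/saml", "https://sp.example.com/saml"))
```

Running it shows the out-of-scope `staff@other.example.com` affiliation and the non-allow-listed `givenName` (`urn:oid:2.5.4.42`) silently dropped, while the in-scope values come back under their friendly names; replacing `alice@example.org` with a value in another domain makes `eduPersonPrincipalName` disappear entirely, which is the point of the scope check.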
| Type | Algorithm(s) | Supported |
|---|---|---|
| Digest | http://www.w3.org/2001/04/xmlenc#sha256 | Yes |
| | http://www.w3.org/2001/04/xmlenc#sha384 | Yes |
| | http://www.w3.org/2001/04/xmlenc#sha512 | Yes |
| Signature | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 | Yes |
| | http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 | Yes |
| | http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 | Yes |
| | http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256 | No |
| Block Encryption | http://www.w3.org/2009/xmlenc11#aes128-gcm | Yes |
| | http://www.w3.org/2009/xmlenc11#aes256-gcm | Yes |
| Key Transport | http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p | Yes |
| Key Transport Digest | http://www.w3.org/2000/09/xmldsig#sha1 | Yes |
See the installation instructions.
The `src/` directory contains the SAML SP implementation library. The directory `src/Web` contains everything related to the built-in web interface providing the landing page and WAYF. The `src/Api` directory contains everything related to the API to use from your PHP application.
Run composer to install the dependencies:

```sh
$ composer install
```
Use the following command to create self-signed certificates for use with the SP library. One key pair is used for signing the `<AuthnRequest>` and `<LogoutRequest>`; a second key pair is used to decrypt the `<EncryptedAssertion>`. Self-signed certificates are sufficient here: an IdP trusts the SP's keys through the SP metadata it is configured with, not through a CA chain.

```sh
$ cd keys
$ ./generate_keys.sh
```
Now copy the configuration template:

```sh
$ cp config/config.php.example config/config.php
```
For development, run the application using PHP's built-in web server:

```sh
$ php -S localhost:8082 -t web
```

With your browser you can go to http://localhost:8082/ and take it from there!
In case you want to add / configure your IdP to use with this software, make sure:

- the IdP verifies the signature on the `AuthnRequest`;
- the IdP sends the `samlp:Response` to the SP;
- the IdP signs the `saml:Assertion` and/or the `samlp:Response`;
- the IdP may additionally encrypt the `saml:Assertion` (the SP has a separate decryption key for this);
- the IdP accepts the `samlp:AuthnRequest` sent by the SP;
- the IdP accepts the signed `samlp:LogoutRequest` sent by the SP;
- the IdP signs the `samlp:LogoutResponse` it sends back to the SP.

Some of these requirements, including the bindings and endpoints to use, are also exposed through the SP metadata.
In your simpleSAMLphp `metadata/saml20-sp-remote.php` file, configure the following for this SP. The three settings make the IdP verify the signature on the `AuthnRequest`, sign the logout messages it sends to the SP, and verify the signature on logout messages it receives from the SP:

```php
'validate.authnrequest' => true,
'sign.logout' => true,
'validate.logout' => true,
```
See API for how to use php-saml-sp from your PHP application.
You can use PHPUnit to run the unit tests. On Debian install the `phpunit` package, on Fedora the `phpunit9` package.

```sh
$ phpunit
```