simpleSAMLphp

SimpleSAMLphp is a simple application written in native PHP that deals with authentication. SimpleSAMLphp supports several federation protocols and authentication mechanisms, and can be used for local authentication, as a service provider, or as an identity provider.
Supported Protocols
SimpleSAMLphp version 1.3 supports the following protocols:
- SAML 2.0 as a Service Provider.
- SAML 2.0 as an Identity Provider.
- Shibboleth 1.3 as a Service Provider.
- Shibboleth 1.3 as an Identity Provider.
- A-Select as a Service Provider (contribution from SurfNet).
- A-Select as an Identity Provider (contribution from SurfNet).
- CAS for remote authentication (contribution from Wayf.dk)
- OpenID Provider support (experimental)
- OpenID Consumer support (experimental)
- WS-Federation as a Service Provider
Furthermore, the following protocols exist for simpleSAMLphp but are not yet part of the stable release:
- InfoCard as a Service Provider
- PAPI as a Service Provider
- PAPI as an Identity Provider
Expect these to be included in the stable release pretty soon. If you are impatient and want to use them right away, ask for more details on the mailing list.
Moreover, we plan to implement support for the OAuth protocol for delegated authentication sometime in the near future.
SimpleSAMLphp as a service provider
If you have a web application that needs to authenticate users, simpleSAMLphp can help you out. In addition to supporting local authentication with one of the authentication modules, you can use the service provider functionality. When you use SimpleSAMLphp as a service provider, it communicates with an Identity Provider and delegates authentication to it. SimpleSAMLphp can connect to both Shibboleth and SAML 2.0 Identity Providers.
Because simpleSAMLphp is written in PHP, it is the most convenient and simple choice for integrating web-based PHP applications into a federation. That said, simpleSAMLphp now also supports non-PHP environments by using the Auth MemCookie approach. This setup is supported from version 1.0 and is not yet fully documented, but it will be very soon. Basically, simpleSAMLphp adds a special cookie in memcache that the well-known Apache module Auth MemCookie understands, and it passes authentication information in header variables and allows you to set up authorization in Apache.
If you want to connect the same SP to multiple IdPs and let the user select between the IdPs, you can use the built-in SAML 2.0 Discovery Service.
SimpleSAMLphp to connect services to Feide
SimpleSAMLphp is pre-configured to work with the Feide login service. If you are a federation administrator, you may contact us to have the metadata for your federation preinstalled in simpleSAMLphp, making the installation phase even simpler.
SimpleSAMLphp as an Identity Provider
If you have a user store, such as a database, an LDAP directory or a RADIUS interface, you can set up an installation of simpleSAMLphp to have your own federated Single Sign-On environment.
If you run SimpleSAMLphp as an Identity Provider, both Shibboleth and SAML 2.0 services may connect to you.
You may use one of the following included authentication modules or you can very simply make your own:
- Simple LDAP
- Multiple LDAP - Select organization, and connect to different LDAP for each organization.
- CAS remote authentication lets you connect authentication to your existing CAS service, and subsequently retrieve attributes from LDAP.
- Radius authentication lets you check the credentials against a Radius server
- MySQL authentication implemented but not part of the stable release.
Bridging
As you may be aware, there is unfortunately no single standard for federations and authentication; there are several, and they are not interoperable.
SimpleSAMLphp allows you to bridge multiple protocols; for example, it allows you to connect SAML 2.0 services to a Shibboleth 1.3 federation.
eduGAIN compatible
The main reason simpleSAMLphp exists is that the software is used to bridge federations and services to the eduGAIN cross-federation, a federation of federations in Europe.
More documentation about how to use simpleSAMLphp with eduGAIN will be written, as soon as eduGAIN is more mature, and the integration more tested.
Functionality
There are several functions for attribute name mapping, translation and dynamic attribute injection that are useful when operating a federation. For example, it is really easy to add a plugin to generate eduPersonTargetedID dynamically.
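An added illustration of what such a plugin computes (not simpleSAMLphp's own code): a pairwise eduPersonTargetedID derived from the local user ID with a keyed hash, so each service provider sees a stable value that cannot be correlated with the value another service provider receives. The function names, the secret, the entity IDs and the attribute-array shape are assumptions made for the example.

```php
<?php
// Added illustration, not simpleSAMLphp's plugin code: derive a pairwise,
// opaque eduPersonTargetedID from a local user ID.

/** Length-prefix each field so ("ab","c") and ("a","bc") cannot collide. */
function encodeFields(array $fields): string
{
    $out = '';
    foreach ($fields as $f) {
        $out .= strlen($f) . ':' . $f . '|';
    }
    return $out;
}

/**
 * Hypothetical helper: the same (IdP, SP, user) always yields the same value;
 * a different SP yields an unrelated value, so SPs cannot correlate users.
 */
function targetedId(string $secret, string $idpEntityId, string $spEntityId, string $userId): string
{
    if (strlen($secret) < 32) {
        throw new InvalidArgumentException('secret must be at least 32 bytes');
    }
    if ($userId === '') {
        throw new InvalidArgumentException('user ID attribute is empty');
    }
    $msg = encodeFields([$idpEntityId, $spEntityId, $userId]);
    // Keyed hash: without the secret, an SP cannot recover or guess user IDs.
    return hash_hmac('sha256', $msg, $secret);
}

// Constructed sample values (assumptions, not taken from any deployment).
$secret = 'constructed-sample-secret-0123456789abcdef';
$idp = 'https://idp.example.org/saml2/idp/metadata.php';
$attributes = ['uid' => ['alice']];

foreach (['https://sp1.example.org/sp', 'https://sp2.example.org/sp'] as $sp) {
    // Inject the derived attribute next to the existing ones.
    $attributes['eduPersonTargetedID'] = [targetedId($secret, $idp, $sp, $attributes['uid'][0])];
    echo $sp, ' => ', $attributes['eduPersonTargetedID'][0], PHP_EOL;
}
```

Rotating the secret changes every identifier, so it has to be treated as long-lived key material and kept out of the released attributes and logs.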
In simpleSAMLphp you may optionally turn on attribute release consent from users. User consent can optionally be stored in a database.
SimpleSAMLphp has multiple handlers for logging: you can choose between syslog and normal file logger.
SimpleSAMLphp has multiple session handlers. You can use the session handling built into PHP, or use memcache, which enables
Scalability
With the memcache session handler, simpleSAMLphp scales pretty well. A replication layer is built upon memcache, such that an unlimited number of simpleSAMLphp web frontends can work with a backend matrix of memcache servers with both replication (fail-over) and load balancing.
Customizations
SimpleSAMLphp comes with an easy-to-use theme engine, letting you create customized versions of all user interfaces. An example is included of how to customize, for example, just the login page and leave the rest to the default theme.
Documentation
SimpleSAMLphp is well-documented.
Tested with other vendor's implementations
SimpleSAMLphp is tested with a bunch of other federation software implementations, among others: Shibboleth 1.3, Shibboleth 2.0, PingID, Sun Federation Manager, Sun Federated Access Manager, Sun Access Manager, mod_mellon, CA, and more. If people discover incompatibility issues, we try to sort them out pretty quickly, provided they are reported properly through the mailing list.
SimpleSAMLphp in Denmark

These days the educational federation in Denmark, Wayf.dk, goes live with a brand new federation built up with simpleSAMLphp.
The cooperation between Feide and Wayf.dk seems to be rather successful, and developers from Wayf.dk have already contributed with several important components, including Attribute Release Consent support and CAS remote authentication.
Open source community
There is now a wide base of developers working with simpleSAMLphp, and several contributors who provide documentation, translations, authentication modules, new protocols, and much more.
Multi-lingual
Thanks to several contributors, simpleSAMLphp now has translations in these languages: English, Norwegian (bokmål), Norwegian (Nynorsk), Danish, Spanish, German, French, Dutch, Luxembourgish.
Download simpleSAMLphp
Go to the download page to download simpleSAMLphp.
Or even better, check out the most recent version from subversion:
svn checkout http://simplesamlphp.googlecode.com/svn/trunk/ simplesamlphp