27.8.11

SimpleSAMLphp - identity & service providers

SimpleSAMLphp

SimpleSAMLphp is an award-winning application written in native PHP that deals with authentication. The project is led by UNINETT, has a large user base, a helpful user community and a large set of external contributors.

SimpleSAMLphp's main focus is on providing support for:

  • SAML 2.0 as a Service Provider.
  • SAML 2.0 as an Identity Provider.

It also supports several other identity protocols, such as Shibboleth 1.3, A-Select, CAS, OpenID, WS-Federation and OAuth.

SimpleSAMLphp as a Service Provider

If you have a web application that needs to authenticate users, simpleSAMLphp can help you out. In addition to supporting local authentication with one of the authentication modules, you can use the service provider functionality. If you are using SimpleSAMLphp as a service provider, it will communicate with an Identity Provider and delegate authentication to it. SimpleSAMLphp may connect to either a Shibboleth or a SAML 2.0 Identity Provider.

As simpleSAMLphp is written in PHP, it is the most convenient and simple choice for integrating a web-based PHP application into a federation. That said, simpleSAMLphp now also supports non-PHP environments by using the Auth MemCookie approach. This setup is supported from version 1.0 and is not yet fully documented, but it will be very soon. Basically, simpleSAMLphp adds a special cookie in memcache that the well-known Apache module Auth MemCookie understands; the module passes authentication information in header variables and allows you to set up authorization in Apache.

If you want to connect the same SP to multiple IdPs, and want to let the user select between the IdPs, you can use the built-in SAML 2.0 Discovery Service.

SimpleSAMLphp as an Identity Provider

If you have a store of users, such as a database, an LDAP directory or a RADIUS interface, you can set up an installation of simpleSAMLphp to have your own federated Single Sign-On environment.

If you run SimpleSAMLphp as an Identity Provider, both Shibboleth and SAML 2.0 services may connect to you.

You may use one of the following included authentication modules or you can very simply make your own:

  • Simple LDAP
  • Multiple LDAP
  • CAS remote authentication lets you connect authentication to your existing CAS service, and subsequently retrieve attributes from LDAP.
  • RADIUS authentication lets you check the credentials against a RADIUS server
  • SQL authentication
  • OpenID
  • YubiKey

Documentation

SimpleSAMLphp is well-documented. Access the online documentation, and make sure you access the documentation for the version of simpleSAMLphp you are using.

Multi-lingual

Thanks to several contributors, simpleSAMLphp now has translations in these languages: English, Norwegian (Bokmål), Norwegian (Nynorsk), Swedish, Danish, Spanish, German, Finnish, French, Dutch, Luxembourgish, Czech, Slovenian, Croatian, Hungarian, Polish, Portuguese, Brazilian Portuguese and Turkish.

Extending SimpleSAMLphp

SimpleSAMLphp contains an Extension API, allowing third-party modules to extend some parts of SimpleSAMLphp. Some of the most important extension points of SimpleSAMLphp include:

  • Authentication Modules, which allow you to implement your own authentication method, such as PKI-based authentication, a proprietary user data source, or any other kind of authentication mechanism.
  • Authentication Processing Filters, which allow any kind of processing right after authentication has taken place.
  • Themes, which allow you to customize the look of any page served by SimpleSAMLphp. You can change only the CSS, headers and footers, or you can modify the look of any particular page.
  • SimpleSAMLphp Modules, which allow you to extend simpleSAMLphp with new identity protocols, pages, registry systems or anything else you'd like.
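As an added example of the Authentication Processing Filter extension point (not code from the SimpleSAMLphp project), the filter below enforces an attribute-based authorization rule right after authentication, against the 1.x Extension API; the module name "mymodule" and the attribute names in the configuration comment are assumptions.

```php
<?php
// Added example, not SimpleSAMLphp's own code: an Authentication Processing
// Filter for the 1.x Extension API. "mymodule" and the attribute names below
// are assumptions. File: modules/mymodule/lib/Auth/Process/RequireAttribute.php
class sspmod_mymodule_Auth_Process_RequireAttribute extends SimpleSAML_Auth_ProcessingFilter
{
    /** @var string Attribute the user must have been issued. */
    private $attribute;
    /** @var array Accepted values; an empty array accepts any value. */
    private $values = array();

    public function __construct($config, $reserved)
    {
        parent::__construct($config, $reserved);
        if (!isset($config['attribute']) || !is_string($config['attribute'])) {
            throw new Exception('RequireAttribute: missing or invalid "attribute" option.');
        }
        $this->attribute = $config['attribute'];
        if (isset($config['values'])) {
            $this->values = array_values((array) $config['values']);
        }
    }

    // Runs right after the authentication source has released attributes.
    // $request['Attributes'] maps attribute name => array of string values.
    // Throwing here aborts the flow before any assertion reaches the SP.
    public function process(&$request)
    {
        $attributes = isset($request['Attributes']) ? $request['Attributes'] : array();
        if (empty($attributes[$this->attribute])) {
            throw new SimpleSAML_Error_Exception(
                'Access denied: required attribute "' . $this->attribute . '" was not released.'
            );
        }
        if ($this->values !== array()
            && count(array_intersect($attributes[$this->attribute], $this->values)) === 0) {
            throw new SimpleSAML_Error_Exception(
                'Access denied: "' . $this->attribute . '" carries no accepted value.'
            );
        }
        // Otherwise fall through and let the next filter in the authproc chain run.
    }
}
// Enable it from the 'authproc' array of the hosted IdP metadata (assumed values):
//   'authproc' => array(
//       50 => array('class' => 'mymodule:RequireAttribute',
//                   'attribute' => 'eduPersonAffiliation',
//                   'values' => array('staff', 'faculty')),
//   ),
```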

SimpleSAMLphp comes with a number of modules, authentication modules and processing filters that you may use, or use as a base for customizing simpleSAMLphp to fit your exact needs.

SimpleSAMLphp provides an abstract data store API, allowing alternative ways of storing data.

SimpleSAMLphp provides an abstraction layer of metadata handling, allowing alternative implementation of metadata consumption.

SimpleSAMLphp has multiple session handlers. You can use the session handling built into PHP or use memcache.

SimpleSAMLphp has multiple handlers for logging: you can choose between syslog and a normal file logger.

Scalability

With the memcache session handler, simpleSAMLphp scales pretty well. A replication layer is built upon memcache, such that an unlimited number of simpleSAMLphp web frontends can work with a backend matrix of memcache servers with both replication (fail-over) and load-balancing.

Tested with other vendor's implementations

SimpleSAMLphp is tested with a number of other federation software implementations, among others Shibboleth 1.3, Shibboleth 2.2, PingID, Sun Federation Manager, Sun Federated Access Manager, Sun Access Manager, mod_mellon, CA, and more. If people discover incompatibility issues, we try to sort them out quickly, provided they are reported properly through the mailing list.

Open source community

There is a large set of developers working with simpleSAMLphp, and several contributors who provide documentation, translations, authentication modules, new protocols, and much more.