Code Your PHP App to Provide SSO via OneLogin

You can use OneLogin’s open-source SAML toolkit for PHP to enable single sign-on (SSO) for your app via any identity provider that offers SAML authentication.

Use this document to learn how to set up the SSO connection between your app and OneLogin, specifically. We’ll use the demo1 app (php-saml-master/demo1) delivered in the toolkit to demonstrate how to perform the setup tasks.

The demo1 app is a simple app that demonstrates the SSO and single logout (SLO) flow enabled by the SAML toolkit.

For important information about prerequisites and installing and developing an app with the SAML Toolkit for PHP, see OneLogin’s SAML PHP Toolkit. 

Note that the downloadable toolkit also includes documentation of the OneLogin SAML Toolkit PHP library. See /php-saml-master/docs/Saml2/index.html.

Task 1: Prepare demo1 files

  1. Download the SAML Toolkit for PHP.

  2. Copy the entire php-saml-master folder into a location where its contents can be processed as PHP by your web server.

  3. Rename settings_example.php located in php-saml-master/demo1 to settings.php.

Task 2: Create an app connector in OneLogin

You’ll use the SAML Test Connector (IdP w/ attr) app connector, that is, the identity provider with attributes connector, to build an application connector for your app. For demo purposes, we’ll build one for the demo1 app.

This app connector gives you the SAML values that your app needs to communicate with OneLogin as an identity provider. It also gives you a place to enter the SAML values that OneLogin needs to communicate with your app as a service provider.

  1. Access OneLogin.

  2. Go to Apps > Add Apps.

  3. Search for SAML Test Connector.

  4. Select the SAML Test Connector (IdP w/ attr) app.

  5. Edit the Display Name, if required. In the case of working with the demo1 app, enter demo1.

  6. Accept other default values for now and click Save.

  7. Keep the OneLogin app connector UI open for the next task.

Task 3: Define identity provider values in settings.php

In this step, provide your app with the identity provider values it needs to communicate with OneLogin. For demo purposes, we’ll provide the values for the demo1 app.

  1. Open settings.php (php-saml-master/demo1/settings.php).

  2. In the OneLogin app connector UI you kept open from the previous task, select the SSO tab.

  3. Copy values from the SSO tab and paste them into the 'idp' (identity provider) section of settings.php, as shown below.

    SSO Tab Field Value                settings.php Location
    ---------------------------------  ---------------------
    Issuer URL                         entityId
    SAML 2.0 Endpoint (HTTP)           singleSignOnService
    SLO Endpoint (HTTP)                singleLogoutService
    X.509 Certificate > View Details   x509cert

    After copying values from the SSO tab into the 'idp' section of your settings.php file, it should look something like this:

    'idp' => array (
        'entityId' => 'https://app.onelogin.com/saml/metadata/123456',
        'singleSignOnService' => array (
            'url' => 'https://app.onelogin.com/trust/saml2/http-post/sso/123456',
        ),
        'singleLogoutService' => array (
            'url' => 'https://app.onelogin.com/trust/saml2/http-redirect/slo/123456',
        ),
        'x509cert' => 'XXXXxXXX1xXxXXXxXXXXXXxXXxxXx...',
    )

  4. Save settings.php.

  5. Keep the OneLogin app connector UI open for the next task.

Task 4: Define service provider values in settings.php

In this step, we’ll define the service provider values that OneLogin will need to identify your app. For demo purposes, we’ll provide the values for the demo1 app.

To do this:

  1. Open settings.php (php-saml-master/demo1/settings.php).

  2. Set the $spBaseUrl variable to your app’s domain. For example: $spBaseUrl = 'http://myapp.com';

  3. Notice that the sp (service provider) array URL values are built from the value of the $spBaseUrl variable that you set in the previous step. When resolved, the array values will look something like this:

    • entityID: http://myapp.com/demo1/metadata.php

    • assertionConsumerService: http://myapp.com/demo1/index.php?acs

    • singleLogoutService: http://myapp.com/demo1/index.php?sls

    Note: Depending on the location of your demo1 folder, you may need to edit the default sp array paths delivered in settings.php. For example, you may need to change /demo1/metadata.php to /php-saml-master/demo1/metadata.php, /demo1/index.php?acs to /php-saml-master/demo1/index.php?acs, and so forth.

  4. For the NameIDFormat value, change unspecified to emailAddress. This is the value used by OneLogin.

  5. Save settings.php.

  6. In the OneLogin app connector UI you kept open from the previous task, select the Configuration tab.

  7. Copy values from settings.php into the Configuration tab fields as shown below.

    settings.php Value         Configuration Tab Field
    -------------------------  ----------------------------------
    assertionConsumerService   ACS (Consumer) URL, and Recipient
    singleLogoutService        Single Logout URL
    entityId                   Audience

    For a detailed description of each of the fields on the Configuration tab, see How to Use the OneLogin SAML Test Connector.

  8. You can leave RelayState blank. It will respect the value sent by the Service Provider.

  9. For now, set ACS (Consumer) URL Validator to .*.

    Once you have verified that the connection between your app and OneLogin is working, you’ll want to set this value to perform an actual validation. See How to Use the OneLogin SAML Test Connector for more details.

  10. Your Configuration tab should now look something like this:

  11. Click Save.

If you need advanced security for production (message signing, assertion encryption and related checks), be sure to configure the advanced_settings_example.php file as well.

For more information about how to configure the settings.php and advanced_settings.php files, see the Toolkit documentation.
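As an added example (not the toolkit's shipped settings_example.php), here is what demo1/settings.php looks like once Tasks 3 and 4 are done, with the production hardening mentioned above folded in. The base URL, the connector id 123456 and the certificate body are placeholders, and placing the security keys in the same array as sp and idp is an assumption (the toolkit's Settings class reads them from any settings array it is given).

```php
<?php
// Added example of a completed demo1/settings.php (not the toolkit's shipped file).
// Assumptions: the app is served at https://myapp.com with demo1 under /demo1;
// connector id 123456 and the certificate body are placeholders.
$spBaseUrl = 'https://myapp.com';

$settingsInfo = array(
    // Reject unsigned or unencrypted messages where signatures/encryption are
    // expected, and validate Destination, Audience and Conditions strictly.
    'strict' => true,
    // Keep debug off in production so SAML errors are not echoed to browsers.
    'debug' => false,

    // Service provider values (Task 4); these are also what goes into the
    // connector's Configuration tab: ACS/Recipient, Single Logout URL, Audience.
    'sp' => array(
        'entityId' => $spBaseUrl . '/demo1/metadata.php',
        'assertionConsumerService' => array(
            'url' => $spBaseUrl . '/demo1/index.php?acs',
        ),
        'singleLogoutService' => array(
            'url' => $spBaseUrl . '/demo1/index.php?sls',
        ),
        // Task 4 step 4: OneLogin sends email-address NameIDs.
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    ),

    // Identity provider values copied from the connector's SSO tab (Task 3).
    'idp' => array(
        'entityId' => 'https://app.onelogin.com/saml/metadata/123456',
        'singleSignOnService' => array(
            'url' => 'https://app.onelogin.com/trust/saml2/http-post/sso/123456',
        ),
        'singleLogoutService' => array(
            'url' => 'https://app.onelogin.com/trust/saml2/http-redirect/slo/123456',
        ),
        // Base64 body of the X.509 certificate from "View Details" (placeholder).
        'x509cert' => 'MIIC...PLACEHOLDER...',
    ),

    // Production hardening normally kept in advanced_settings.php; assumed here
    // to live in the same array, which the toolkit's Settings class also reads.
    'security' => array(
        'wantAssertionsSigned' => true,  // refuse assertions OneLogin did not sign
        'wantXMLValidation' => true,     // schema-validate incoming SAML messages
        'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
        'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256',
    ),
);
```

Match wantAssertionsSigned to the signing option selected on the connector; if OneLogin signs only the Response element, use wantMessagesSigned instead.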

Task 5: Add users to your app connector

In this task, you’ll give users access to the app connector you just created and configured. For example, you’ll need to ensure that you have access to the app connector to be able to access the demo1 app.

To do this:

  1. With your app connector open, select the Access tab.

  2. Ensure that the settings give you access to the app connector. For example, enable a role that will give you access. In this case, let’s say that the selected Default role grants access to relevant users, as shown below.

  3. Click Save.

Task 6: Log in to your app

At this point, the setup is complete and you should be able to use single sign-on and single logout with your app. For demo purposes, we’ll show the login and logout behavior using the demo1 app.

Log in using service provider-initiated SAML

The following login flow illustrates service provider-initiated SAML, in which the request for authentication and authorization is initiated from the app, or service provider.

  1. Access the demo1 app, as shown below. For example, access http://{yourdomain}/php-saml-master/demo1/.

  2. Select Login. Selecting the Login link in the demo1 app demonstrates the user experience when logging into your app via SSO.

  3. The OneLogin login UI displays. Enter your OneLogin credentials and log in.

    A page listing the values from the app connector’s Parameters UI displays. When implemented for your app, this point in the flow would display your app in a logged-in state.

  4. Select Logout. Selecting the Logout link demonstrates the user experience when logging out of your app via SLO, as shown below.

Troubleshooting: If you see the following UI instead of the OneLogin login UI, please ensure that you have completed Task 5: Add users to your app connector.

Log in using identity provider-initiated SAML

The following login flow illustrates identity provider-initiated SAML, in which the login request is initiated from OneLogin. In this case, that user experience would be as follows:

  1. On your OneLogin App Home page, select the app connector you created. In this case, select the demo1 app, as shown below.

  2. The page listing the values from the app connector’s Parameters UI displays. For your app, this would display your app in a logged-in state.

  3. Select Logout. Selecting the Logout link demonstrates the user experience when logging out of your app via SLO.
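The two flows above (service provider-initiated and identity provider-initiated) both end at the assertion consumer service and the single logout service of demo1/index.php. The following is an added example of those endpoints, not the shipped demo code: it assumes php-saml 3.x installed via Composer (the 2.x releases name the classes OneLogin_Saml2_Auth and OneLogin_Saml2_Utils) and the $settingsInfo and $spBaseUrl variables defined in demo1/settings.php.

```php
<?php
// Added example of the endpoints behind demo1/index.php (not the shipped demo).
// Assumes php-saml 3.x via Composer (2.x names the classes OneLogin_Saml2_Auth and
// OneLogin_Saml2_Utils) and the $settingsInfo/$spBaseUrl from demo1/settings.php.
require_once __DIR__ . '/../vendor/autoload.php';
require_once __DIR__ . '/settings.php';

use OneLogin\Saml2\Auth;
use OneLogin\Saml2\Utils;

session_start();
$auth = new Auth($settingsInfo);

if (isset($_GET['sso'])) {
    // SP-initiated login: build the AuthnRequest, remember its ID so the
    // response's InResponseTo can be checked, then send the browser to OneLogin.
    $ssoUrl = $auth->login(null, array(), false, false, true);
    $_SESSION['AuthNRequestID'] = $auth->getLastRequestID();
    header('Location: ' . $ssoUrl);
    exit();
} elseif (isset($_GET['acs'])) {
    // Assertion consumer: both SP- and IdP-initiated logins land here.
    $requestID = $_SESSION['AuthNRequestID'] ?? null;
    $auth->processResponse($requestID);
    if (!empty($auth->getErrors()) || !$auth->isAuthenticated()) {
        // Log the detailed reason server-side; give the browser only a generic error.
        error_log('SAML ACS failed: ' . $auth->getLastErrorReason());
        http_response_code(403);
        exit('Not authenticated');
    }
    unset($_SESSION['AuthNRequestID']);
    $_SESSION['samlUserdata'] = $auth->getAttributes();
    $_SESSION['samlNameId'] = $auth->getNameId();
    $_SESSION['samlSessionIndex'] = $auth->getSessionIndex();
    // Only honour a RelayState that points back into this app (no open redirect).
    $relay = $_POST['RelayState'] ?? '';
    if ($relay !== '' && strpos($relay, $spBaseUrl . '/') === 0 && $relay !== Utils::getSelfURL()) {
        $auth->redirectTo($relay);
    }
} elseif (isset($_GET['sls'])) {
    // Single logout endpoint: validates the LogoutRequest/Response from OneLogin
    // and, with keepLocalSession=false (the default), destroys the local session.
    $auth->processSLO();
    if (!empty($auth->getErrors())) {
        error_log('SAML SLO failed: ' . $auth->getLastErrorReason());
    }
} elseif (isset($_GET['slo'])) {
    // Logout link: send a LogoutRequest carrying the NameID and SessionIndex.
    $auth->logout(null, array(), $_SESSION['samlNameId'] ?? null, $_SESSION['samlSessionIndex'] ?? null);
}
```

When the ACS branch falls through without a redirect, render the logged-in page (the demo's attrs.php) from $_SESSION['samlUserdata'].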
