See saml Menu

Code Your PHP App to Provide SSO via OneLogin

You can use OneLogin’s open-source SAML toolkit for PHP to enable single sign-on (SSO) for your app via any identity provider that offers SAML authentication.

Use this document to learn how to set up the SSO connection between your app and OneLogin, specifically. We’ll use the demo1 app (php-saml-master/demo1) delivered in the toolkit to demonstrate how to perform the setup tasks.

The demo1 app is a simple app that demonstrates the SSO and single logout (SLO) flow enabled by the SAML toolkit.

For important information about prerequisites and installing and developing an app with the SAML Toolkit for PHP, see OneLogin’s SAML PHP Toolkit. 

Note that the downloadable toolkit also includes documentation of the OneLogin SAML Toolkit PHP library. See /php-saml-master/docs/Saml2/index.html.

Task 1: Prepare demo1 files

  1. Download the SAML Toolkit for PHP.

  2. Copy the entire php-saml-master folder into a location where its contents can be processed as PHP by your web server.

  3. Rename settings_example.php located in php-saml-master/demo1 to settings.php.

Task 2: Create an app connector in OneLogin

Use the SAML Test Connector (Advanced) connector to build an application connector for your app. For demo purposes, we’ll build one for the demo1 app.

This app connector will provide you with SAML values that your app needs to communicate with OneLogin as an identity provider. It also provides a place for you to provide SAML values that OneLogin needs to communicate with your app as a service provider.

  1. Access OneLogin.

  2. Go to Apps > Add Apps.

  3. Search for SAML Test Connector.

  4. Select the SAML Test Connector (IdP w/ attr) app.

    Find Applications

  5. Edit the Display Name, if required. In the case of working with the demo1 app, enter demo1.

  6. Accept other default values for now and click Save.

  7. Keep the OneLogin app connector UI open for the next task.

Task 3: Define identity provider values in settings.php

In this step, provide your app with the identity provider values it needs to communicate with OneLogin. For demo purposes, we’ll provide the values for the demo1 app.

  1. Open settings.php (php-saml-master/demo1/settings.php).

  2. In the OneLogin app connector UI you kept open from the previous task, select the SSO tab.

  3. Copy values from the SSO tab and paste them into the 'idp' (identity provider) section of settings.php, as shown below.

    Copy SSO Tab Field Value to settings.php Location

    Issuer URL

    entityId

    SAML 2.0 Endpoint (HTTP)

    singleSignOnService

    SLO Endpoint (HTTP)

    singleLogoutService

    X.509 Certificate > View Details

    x509cert

    After copying values from the SSO tab into the 'idp' section of your settings.php file, it should look something like this:

    'idp' => array (
        'entityId' => 'https://app.onelogin.com/saml/metadata/123456',
        'singleSignOnService' => array (
            'url' => 'https://app.onelogin.com/trust/saml2/http-post/sso/123456',
        ),
        'singleLogoutService' => array (
            'url' => 'https://app.onelogin.com/trust/saml2/http-redirect/slo/123456',
        ),
        'x509cert' => 'XXXXxXXX1xXxXXXxXXXXXXxXXxxXx...',
    )
  4. Save settings.php.

  5. Keep the OneLogin app connector UI open for the next task.

Task 4: Define service provider values in settings.php

In this step, we’ll define the service provider values that OneLogin will need to identify your app. For demo purposes, we’ll provide the values for the demo1 app.

To do this:

  1. Open settings.php (php-saml-master/demo1/settings.php).

  2. Set the $spBaseUrl variable to your app’s domain. For example: $spBaseUrl = 'http://myapp.com';

  3. Notice that the sp (service provider) array URL values are formed based on the value of the $spBaseUrlvariable that you set in the previous step. When resolved, the array values will look something like this:

    • entityID: http://myapp.com/demo1/metadata.php

    • assertionConsumerService: http://myapp.com/demo1/index.php?acs

    • singleLogoutService: http://myapp.com/demo1/index.php?sls

    Note: Depending on the location of your demo1 folder, you may need to edit the default sp array paths delivered in settings.php. For example, you may need to change /demo1/metadata.php to /php-saml-master/demo1/metadata.php, /demo1/index.php?acs to /php-saml-master/demo1/index.php?acs, and so forth.

  4. For the NameIDFormat value, change unspecified to emailAddress. This is the value used by OneLogin.

  5. Save settings.php.

  6. In the OneLogin app connector UI you kept open from the previous task, select the Configuration tab.

  7. Copy values from settings.php into the Configuration tab fields as shown below.

    Copy settings.php Value to Configuration Tab Field

    assertionConsumerService

    • ACS (Consumer) URL

    • Recipient

    singleLogoutService

    Single Logout URL

    entityId

    Audience

    For a detailed description of each of the fields on the Configuration tab, see How to Use the OneLogin SAML Test Connector for more details.

  8. You can leave RelayState blank. It will respect the value sent by the Service Provider.

  9. For now, set ACS (Consumer) URL Validator to .*.

    Once you have verified that the connection between your app and OneLogin is working, you’ll want to set this value to perform an actual validation. See How to Use the OneLogin SAML Test Connector for more details.

  10. Your Configuration tab should now look something like this:

    SAML Test Connector Configuration tab

  11. Click Save.

If you need advanced security for production, be sure to configure the advanced_settings_example.php file as well.

For more information about how configure the settings.php and advanced-settings.php files, see the Toolkit documentation.

Task 5: Add users to your app connector

In this task, you’ll give users access to the app connector you just created and configured. For example, you’ll need to ensure that you have access to the app connector to be able to access the demo1 app.

To do this:

  1. With your app connector open, select the Access tab.

  2. Ensure that the settings give you access to the app connector. For example, enable a role that will give you access. In this case, let’s say that the selected Default role grants access to relevant users, as shown below.

    SAML Test Connector Access tab

  3. Click Save.

Task 6: Log in to your app

At this point, the setup is complete and you should be able to single sign-on to and single logout of your app. For demo purposes, we’ll show the login and logout behavior using the demo1 app.

Log in using service provider-initiated SAML

The following login flow illustrates service provider-initiated SAML, in which the request for authentication and authorization is initiated from the app, or service provider.

  1. Access the demo1 app, as shown in below. For example, access http://{yourdomain}/php-saml-master/demo1/.

    Login and access to attrs.php page

  2. Select Login. Selecting the Login link in the demo1 app demonstrates the user experience when logging into your app via SSO.

  3. The OneLogin login UI displays. Enter your OneLogin credentials and log in.

    A page listing the values from the app connector’s Parameters UI displays. When implemented for your app, this point in the flow would display your app in a logged in state.

  4. Select Logout. Selecting the Logout link demonstrates the user experience when logging out of your app via SLO, as shown below.

    Successfully logged out

Troubleshooting: If you see the following UI instead of the OneLogin login UI, please ensure that you have completed Task 5: Add users to your app connector.

You do not have access to this application. Please contact your administrator.

Log in using identity provider-initiated SAML

The following login flow illustrates identity provider-initiated SAML, in which the login request is initiated from OneLogin. In this case, that user experience would be as follows:

  1. On your OneLogin App Home page, select the app connector your created. In this case, select the demo1app, as shown below.

    Select the OneLogin App Home demo1 app

  2. The page listing the values from the app connector’s Parameters UI displays. For your app, this would display your app in a logged in state.

  3. Select Logout. Selecting the Logout link demonstrates the user experience when logging out of your app via SLO.

    Successfully logged out

ask?tags=onelogin+saml+php” target=”_blank”>StackOverflow.


Have a Question?

Found a problem or a bug? Submit a support ticket.

Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.

Have a product idea or request? Share it with us in our Ideas Portal.