Description

SimpleSAMLphp is a lightweight IDP and SP implemented in (drumroll) PHP.  Its development is sponsored/hosted by Uninett, a "state owned company responsible for Norway's National Research and Education Network."

Fact Finder

Ben Poliakoff (Reed College)

Example Deployments

https://simplesamlphp.org/users

Judging from the users enumerated on the above site, most production instances of this software are in European universities, federations, and companies serving those entities.

Support for the Recommended Technical Basics for IdPs, including the ability to consume metadata

SimpleSAMLphp supports a subset of the features of the Shibboleth IdP:

  • supports automated consumption of SAML metadata
  • scope in metadata
  • x509 certificates in metadata
  • SAML V2.0 Web Browser SSO
  • Supports authentication requests via the SAML V2.0 HTTP-Redirect binding, the SAML V2.0 HTTP-Post binding, and (optionally) the legacy Shibboleth 1.x AuthnRequest protocol
  • Supports ECP with a third party patch (not well integrated or tested)
  • Does *not* support SAML V1.1 attribute queries
  • Endpoints optionally protected with SSL/TLS
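As an added illustration of the automated metadata consumption listed above (this is not configuration from the original page or from the SimpleSAMLphp project), the following shows the shape of a metarefresh module configuration that periodically pulls a federation aggregate, verifies the aggregate's signature against a pinned fingerprint, and writes the result where the IdP will read it. The option names follow the 1.x series `module_metarefresh.php` template; the federation name, URL, fingerprint and directory are hypothetical values and should be checked against the version being deployed.

```php
<?php
// config/module_metarefresh.php (added example; values are hypothetical)
$config = [
    'sets' => [
        // One entry per federation aggregate to track.
        'examplefed' => [
            // Run from cron; the metarefresh cron hook is enabled in module_cron.php.
            'cron' => ['hourly'],
            'sources' => [
                [
                    // Hypothetical aggregate URL.
                    'src' => 'https://md.examplefed.example/aggregate.xml',
                    // SHA-1 fingerprint of the federation signing certificate. Without
                    // this the aggregate is trusted on the strength of TLS alone, so an
                    // attacker who can serve a substitute document could inject SPs.
                    'validateFingerprint' => '0000000000000000000000000000000000000000',
                ],
            ],
            // Drop cached entities not refreshed within this window (4 days).
            'expireAfter' => 60 * 60 * 24 * 4,
            // Written as PHP flat files that metadata.sources in config.php points at.
            'outputDir' => 'metadata/metarefresh-examplefed/',
            'outputFormat' => 'flatfile',
        ],
    ],
];

// In config/config.php the refreshed set is registered as an additional source,
// after the hand-maintained metadata directory:
//
// 'metadata.sources' => [
//     ['type' => 'flatfile'],
//     ['type' => 'flatfile', 'directory' => 'metadata/metarefresh-examplefed'],
// ],
```

The point a deployer should verify is the fingerprint line: a refreshed aggregate without signature validation turns the metadata feed into a trust anchor controlled by whoever can answer that URL.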

Support for Attribute Release

The software supports sophisticated attribute filtering and release, including user consent via the bundled consent module.
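As an added example of how such a release policy is expressed (not configuration from the original page or from the SimpleSAMLphp project), the following hosted-IdP metadata entry runs an authentication processing chain that first limits the attributes an SP may receive and then asks the user for consent, with a remote-SP entry showing how one SP narrows that list. Entity IDs, hostnames, key file names, the authsource name and the attribute list are assumptions.

```php
<?php
// metadata/saml20-idp-hosted.php (added example; values are hypothetical)
$metadata['__DYNAMIC:1__'] = [
    'host' => '__DEFAULT__',
    'privatekey' => 'idp.key',
    'certificate' => 'idp.crt',
    // Authentication source defined in config/authsources.php (assumed name).
    'auth' => 'example-ldap',

    // Filters run in ascending priority order after authentication.
    'authproc' => [
        // Release at most this list. With 'default' => true the list is only a
        // fallback: if the SP's remote metadata defines 'attributes', that
        // (normally narrower) list is used instead.
        50 => [
            'class' => 'core:AttributeLimit',
            'default' => true,
            'eduPersonPrincipalName',
            'mail',
            'displayName',
            'eduPersonAffiliation',
        ],
        // Show the user what will be released and let them decline. The decision
        // is remembered in a cookie; other stores (database) are also bundled.
        90 => [
            'class' => 'consent:Consent',
            'store' => 'consent:Cookie',
            'checked' => false,
        ],
    ],
];

// metadata/saml20-sp-remote.php (added example; values are hypothetical)
$metadata['https://sp.example.org/shibboleth'] = [
    'AssertionConsumerService' => 'https://sp.example.org/Shibboleth.sso/SAML2/POST',
    // Honoured by core:AttributeLimit above: this SP gets only these two.
    'attributes' => ['eduPersonPrincipalName', 'mail'],
];

$metadata['https://internal.example.org/sp'] = [
    'AssertionConsumerService' => 'https://internal.example.org/sp/acs',
    // No 'attributes' key, so the IdP-wide default list applies.
    // Consent can be switched off per SP, e.g. for an institution-internal service.
    'consent.disable' => true,
];
```

Two details matter when reviewing such a policy: the fallback list in `core:AttributeLimit` is the ceiling for SPs that have no `attributes` entry, so it should contain nothing one would be unwilling to release to an arbitrary federation member; and `consent.disable` removes the user's veto for that SP, so it belongs only on entries the institution itself operates.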

Support for Entity Attributes/categories (e.g., R&S)

Not currently supported; this is tracked as an open issue: https://github.com/simplesamlphp/simplesamlphp/issues/49

Support for Multiple Authentication Contexts for Multi-Factor Authentication and Assurance

The IdP software is quite flexible and extensible, supporting multiple authentication methods (LDAP, RADIUS, various databases, OpenID, YubiKey, etc.) and multiple factors.

I'm not certain about "Assurance".

Support for ECP (Enhanced Client or Proxy)

ECP is supported only via a third-party patch, which is not widely implemented.

Support for User Consent

Supported by the bundled consent module: https://simplesamlphp.org/docs/stable/consent:consent

Expertise Required

Experience with the deployment of PHP applications is required, including the maintenance and management of the associated web server software (Apache, Nginx, etc.).

Resources Required

The service itself is quite lightweight, serving as middleware and requiring only a web server that can serve PHP. There is, of course, an implicit requirement for a local IdMS; the software is most commonly integrated with LDAP directories.

Upkeep and Feeding Required

As with any locally hosted IdP, the software itself needs to be kept up to date. Additionally, the underlying web server must be well cared for.

Applicable Environments

  • Organizations with little experience with Java and/or with little desire for hosting Java applications
  • Organizations with existing local PHP hosting expertise and/or investment in PHP hosting architecture
  • Organizations that might want to quickly extend the functionality of the software by writing PHP extensions and/or patches

Benefits

SimpleSAMLphp is easy to deploy in LAMP environments, can be easily extended or patched, has an active development community, and probably starts up about 15 times faster than a Java servlet. ;)

1 Comment

  1. Ben, this may be more than you bargained for, but I'll ask anyway:

    How many of the Attribute Filter Policy Examples published in the Shibboleth wiki does simpleSAMLphp support?

    Knowing this would be helpful when choosing between Shibboleth and simpleSAMLphp in terms of attribute release.