SimpleSAMLphp is a web application written in native PHP that deals with authentication. This example shows how to configure the SimpleSAMLphp web application as a Service Provider with WSO2 Identity Server as the SAML2 Identity Provider. In this demonstration I am using the Identity Server 5.0.0 version with the Service Pack 1 installed.
First, let’s download the latest version of SimpleSAMLphp. At the time of this writing the latest version is 1.13.2. Once downloaded, we get the simplesamlphp-1.13.2.tar.gz file. Extract it to get the simplesamlphp-1.13.2 directory. Rename the directory to simplesamlphp and copy it to the web server. Here I have installed WAMP Server. I copy the simplesamlphp folder to the WAMP Server’s www directory, which is located at C:\wamp\www. Then I start the WAMP Server.
I can now access the SimpleSAMLphp application by visiting http://localhost/simplesamlphp/www. (Note that the web pages of the application are located in the simplesamlphp/www directory and WAMP Server is running on port 80.)
After visiting the above URL, it will automatically redirect to http://localhost/simplesamlphp/www/module.php/core/frontpage_welcome.php URL and you can see the welcome page.
The next step is to configure the Service Provider and the Identity Provider.
I am adding the Service Provider configuration in simplesamlphp/authsources.php config file. (In the deployed web app, C:\wamp\www\simplesamlphp\config\authsources.php)
Add the following configuration to the file and save. Here the SAML Issuer is given in entityID and the Identity Provider URL is given in idp property.
    'wso2-sp' => array(
        // Authentication source type: a SAML 2.0 Service Provider.
        'saml:SP',
        // The entity ID of this SP.
        // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
        'entityID' => 'simplesaml',
        // The entity ID of the IdP this SP should contact.
        // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
        'idp' => 'https://localhost:9443/samlsso',
        // The URL to the discovery service.
        // Can be NULL/unset, in which case a builtin discovery service will be used.
        'discoURL' => NULL,
    ),
Next step is to add the Identity Provider metadata configuration in the simplesamlphp/metadata/saml20-idp-remote.php config file. (In the deployed web app,
    // The array key is the IdP entity ID referenced by 'idp' in authsources.php.
    $metadata['https://localhost:9443/samlsso'] = array(
        'name' => array(
            'en' => 'WSO2 IS',
            'no' => 'WSO2 IS',
        ),
        'description' => 'Login with WSO2 IS SAML2 IdP.',
        'SingleSignOnService' => 'https://localhost:9443/samlsso',
        'SingleLogoutService' => 'https://localhost:9443/samlsso',
        // Fingerprint of the certificate the IdP signs its responses with.
        'certFingerprint' => '6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d'
    );
A detailed description on the above IDP remote metadata is available in .
Note that the key in $metadata['https://localhost:9443/samlsso'] should match the value of 'idp' in the simplesamlphp/authsources.php service provider configuration.
6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d is the thumbprint of the default certificate that ships with WSO2 IS. The SAML2 Response/Assertion is signed with this certificate by default.
You can find these configuration files in  for further reference.
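The certFingerprint value above is the SHA-1 hash of the IdP's DER-encoded signing certificate, written as lowercase hex without colons. The following Python code is an added example, not part of the original post or of SimpleSAMLphp: it computes that value from a PEM certificate, normalizes colon-separated tool output, and reports whether a configuration still pins the default WSO2 IS thumbprint quoted above. The function names and the sample PEM (constructed placeholder bytes, not a real certificate) are assumptions.

```python
import base64
import hashlib
import re

# Default WSO2 IS certificate thumbprint, as quoted on this page.
WSO2_DEFAULT_FP = "6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d"

# Constructed placeholder bytes standing in for a DER certificate (not a real cert).
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def normalize_fingerprint(value):
    """Turn 'SHA1 Fingerprint=6B:F8:...' or '6B:F8:...' into 40 lowercase hex chars."""
    value = value.split("=", 1)[-1]
    fp = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", fp):
        raise ValueError("not a SHA-1 fingerprint: %r" % value)
    return fp


def fingerprint_from_pem(pem):
    """SHA-1 over the DER bytes found between the PEM BEGIN/END markers."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    return hashlib.sha1(der).hexdigest()


def check_pin(cert_fingerprint, idp_cert_pem):
    """Compare the configured certFingerprint with the certificate the IdP really uses."""
    pinned = normalize_fingerprint(cert_fingerprint)
    return {
        "matches_idp_cert": pinned == fingerprint_from_pem(idp_cert_pem),
        "is_wso2_default": pinned == WSO2_DEFAULT_FP,
    }
```

Since that default certificate ships with WSO2 IS, a true is_wso2_default means the SP accepts assertions signed by a key that is not unique to your deployment.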
The next step is to configure the Identity Server. Start the Identity Server and log in to the management console as admin.
First we need to set the IDP Entity ID of the SAML2 configuration in Resident IDP of Identity Server to the URL of SAML endpoint of IS. Go to Main -> Identity Providers -> List and click on Resident Identity Provider.
Expand the Inbound Authentication Configuration menu and then SAML2 Web SSO Configuration. Set the Identity Provider Entity Id value to the SAML endpoint URL of IS. By default this is https://localhost:9443/samlsso when you run IS with port offset 0. Then Update the configuration.
Next step is to create a Service Provider in IS. Go to Main -> Service Providers -> Add. For the Service Provider name you can specify any name. Here I’m giving the name as simplesaml.
Once the Service Provider is registered, Edit the configuration.
Expand the Inbound Authentication Configuration and SAML2 Web SSO Configuration. Click on Configure link.
Following are the values we have to specify.
Issuer : simplesaml
Assertion Consumer URL : http://localhost/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/wso2-sp
Custom Logout URL :
Note that the Issuer must be the same name that is set as the entityID in the Service Provider configuration of the SimpleSAMLphp web app. Set the other configuration as shown below and Register.
Update the Service Provider once the SAML2 issuer is successfully added.
Now we can test the SimpleSAMLphp web application. Open the application in a browser (i.e. http://localhost/simplesamlphp/www) and select the Authentication tab. Click on the Test configured authentication sources link.
Now you see the wso2-sp which was previously added in Service Provider configuration. Click on the wso2-sp link.
It will redirect to the login page of the Identity Server. Here I log in as admin.
Now I am successfully authenticated to the SimpleSAMLphp application using the WSO2 Identity Server as the Identity Provider.
If you want to test this further, you can follow the steps below, which show how to retrieve the claims of the logged-in user.
Here I add a new user in the Identity Server.
I enter the username and password for the new user and click Next.
For demonstration purpose I assign the admin role to this user.
Once the user is created I edit the User Profile.
The user profile attributes are set for the user.
Now I need to select which claims/attributes should be sent to the SimpleSAMLphp application when a user is authenticated. For that, Edit the configuration of the simplesaml Service Provider.
Expand the Claim Configuration menu in the Service Provider configuration.
As the Subject Claim URI, select http://wso2.org/claims/givenname because that is the claim which identifies a user uniquely. Under Requested Claims I add several claims for which I set values in the user profile of the created user. Then Update the Service Provider configuration.
Now try again to log in to the SimpleSAMLphp application with the wso2-sp Service Provider.
Now in the login page of the Identity Server I enter the credentials of the newly created user.
Upon successful authentication I can see the requested claim attributes are successfully received.
Identity Server Team