Switching on the Lightbulb

Over the past few months I’ve had a side project - implementing a SAML 2.0 service provider (SP) in PHP. I originally set out using PHP/Java Bridge and got something working (I even presented it [pdf] at Identity Open Space in Vancouver), but I was inspired by Kim Cameron’s success in implementing InfoCard in PHP to try a more direct approach.

Rob Richard’s XML Security implementation provided the impetus I needed to get a ‘pure’ PHP SAML 2.0 SP working. Rob kindly allowed me to adopt the XML Security code into OpenSSO (note that the base XML security code is still, and will continue to be, available, in its original public domain form, at Rob’s page) and I set forth hacking away.

Well - I’m done with an initial version. SAML 2.0 POST profile works. There is no artifact profile, no single log out, no bells or whistles. It does verify the assertion signature (via PHP’s integration with openssl) and checks that the certificate fingerprint matches what it expects from that identity provider.

There is some general documentation on SAML-enabling PHP [odt], and some specific documentation on this code [odt]. I’ll write a step-by-step guide to getting it up and running next…

UPDATE - some FAQs here.