This manual is written for CentOS 7.  Adjust accordingly for other OS distributions.

SimpleSAMLphp is an alternative SP implementation that can be used in place of Shibboleth SP - and can be particularly suitable on hosted servers without root access or the ability to install full software packages. This page documents the basic install of SimpleSAMLphp Service Provider and the configuration steps necessary to integrate the SP into Tuakiri.

Full SimpleSAMLphp documentation is available at

Note that while this page uses Apache as the web server SimpleSAMLphp is deployed into, SimpleSAMLphp could be used with a number of other web servers - and it's advantage over Shibboleth SP would be the independence of Apache. Please adjust the Apache specific steps to what would work with your web server.


Basic steps

Configuring SP

We will be using to refer to the hostname of your Service Provider - please substitute that with the actual hostname of your SP.

Loading the federation metadata

Configure the SP to use the Tuakiri Discovery Service

I.e., either

                'discoURL' => '',


                'discoURL' => '',

Configure Additional Tuakiri Attributes

From the list of attributes used within Tuakiri and the list of Attributes supported by SimpleSAMLphp in the default configuration, the following need to be explicitly added:

        "attribute_schachomeorganizationtype": {
                "en": "Home organization type"
        "attribute_auedupersonsharedtoken": {
                "en": "Shared token"

Configuring Persistent NameID

SimpleSAMLphp includes a NameIDPolicy in the SSO request sent to the IdP - and if not set, the requested format is urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

To request the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent NameIDFormat (used in place of the eduPersonTargetedID attribute), add the following line into the default-sp parameters in config/authsources.php :

        'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

Configure signing of logout messages

As IdPs typically expect logout messages to be signed, configure SimpleSAMLphp to sign logout messages.

Add the following line into the default-sp parameters in config/authsources.php :

        'sign.logout' => true,

Clean up SP configuration

Remove (comment-out) pre-configured IdPs and SPs

Register into Federation Registry

The Tuakiri Federation Registry (FR) has in the initial setup only pre-configured support for Shibboleth SP implementation, not SimpleSAMLphp. Without the pre-configured support, it is necessary to enter all endpoints URLs manually. There is an ongoing project to add support to FR to support SimpleSAMLphp, until then, please use the Advanced Registration form as described in this section.

As a reference point, the metadata for your SP can be accessed at

For reference, please also see the attached image mapping SimpleSAMLphp metadata to Federation Registry form (credits: Bevan Rudge, University of Auckland).

Access the Federation Registry at the correct URL for the respective federation:


Test authentication by going to

Or, to test integration with a simple application, create a PHP file with the following contents within your document space:

<!DOCTYPE html>

// load the SimpleSAMLphp classes

// select the default authentication source
$as = new SimpleSAML_Auth_Simple('default-sp');

// require authentication

// get the attributes
$attributes = $as->getAttributes();

// print the attributes and the NameID

// print out eduPersonTargetedID (which is a DOM XML NameID node as of SimpleSAMLphp 1.14)
if (isset($attributes['eduPersonTargetedID'])) {
  $eptid = $attributes['eduPersonTargetedID'][0]->item(0);
  $nameID = new SAML2_XML_saml_NameID($eptid);