- Home >
- SAML >
- Code Your PHP App to Provide SSO via OneLogin
You can use OneLogin’s open-source SAML toolkit for PHP to enable single sign-on (SSO) for your app via any identity provider that offers SAMLauthentication.
Use this document to learn how to set up the SSO connection between your app and OneLogin, specifically. We’ll use the demo1
app (php-saml-master/demo1
) delivered in the toolkit to demonstrate how to perform the setuptasks.
The demo1
app is a simple app that demonstrates the SSO and single logout (SLO) flow enabled by the SAMLtoolkit.
For important information about prerequisites and installing and developing an app with the SAML Toolkit for PHP, see OneLogin’s SAML PHP Toolkit.
Note that the downloadable toolkit also includes documentation of the OneLogin SAML Toolkit PHP library. See/php-saml-master/docs/Saml2/index.html
.
Task 1: Prepare demo1files
-
Download the SAML Toolkit forPHP.
-
Copy the entire
php-saml-master
folder into a location where its contents can be processed as PHP by your webserver. -
Rename
settings_example.php
located inphp-saml-master/demo1
tosettings.php
.
Task 2: Create an app connector inOneLogin
Use the SAML Test Connector (Advanced) connector to build an application connector for your app. For demo purposes, we’ll build one for the demo1
app.
This app connector will provide you with SAML values that your app needs to communicate with OneLogin as an identity provider. It also provides a place for you to provide SAML values that OneLogin needs to communicate with your app as a serviceprovider.
-
AccessOneLogin.
-
Go to Apps > AddApps.
-
Search for SAML TestConnector.
-
Select the SAML Test Connector (IdP w/ attr)app.
-
Edit the Display Name, if required. In the case of working with the
demo1
app, enterdemo1. -
Accept other default values for now and clickSave.
-
Keep the OneLogin app connector UI open for the nexttask.
Task 3: Define identity provider values insettings.php
In this step, provide your app with the identity provider values it needs to communicate with OneLogin. For demo purposes, we’ll provide the values for the demo1
app.
-
Open
settings.php
(php-saml-master/demo1/settings.php
). -
In the OneLogin app connector UI you kept open from the previous task, select the SSOtab.
-
Copy values from the SSO tab and paste them into the
'idp'
(identity provider) section ofsettings.php
, as shownbelow.Copy SSO Tab Field Value to settings.php
LocationIssuerURL
➞ entityId
SAML 2.0 Endpoint(HTTP)
➞ singleSignOnService
SLO Endpoint(HTTP)
➞ singleLogoutService
X.509 Certificate > ViewDetails
➞ x509cert
After copying values from the SSO tab into the
'idp'
section of yoursettings.php
file, it should look something likethis:'idp' => array ( 'entityId' => 'https://app.onelogin.com/saml/metadata/123456', 'singleSignOnService' => array ( 'url' => 'https://app.onelogin.com/trust/saml2/http-post/sso/123456', ), 'singleLogoutService' => array ( 'url' => 'https://app.onelogin.com/trust/saml2/http-redirect/slo/123456', ), 'x509cert' => 'XXXXxXXX1xXxXXXxXXXXXXxXXxxXx...',)
-
Save
settings.php
. -
Keep the OneLogin app connector UI open for the nexttask.
Task 4: Define service provider values insettings.php
In this step, we’ll define the service provider values that OneLogin will need to identify your app. For demo purposes, we’ll provide the values for the demo1
app.
To dothis:
-
Open
settings.php
(php-saml-master/demo1/settings.php
). -
Set the
$spBaseUrl
variable to your app’s domain. For example:$spBaseUrl ='http://myapp.com';
-
Notice that the sp (service provider) array URL values are formed based on the value of the
$spBaseUrlvariable
that you set in the previous step. When resolved, the array values will look something likethis:-
entityID:http://myapp.com/demo1/metadata.php
-
assertionConsumerService:http://myapp.com/demo1/index.php?acs
-
singleLogoutService:http://myapp.com/demo1/index.php?sls
Note: Depending on the location of your
demo1
folder, you may need to edit the defaultsp
array paths delivered insettings.php
. For example, you may need to change/demo1/metadata.php
to/php-saml-master/demo1/metadata.php
,/demo1/index.php?acs
to/php-saml-master/demo1/index.php?acs
, and soforth. -
-
For the
NameIDFormat
value, changeunspecified
toemailAddress
. This is the value used byOneLogin. -
Save
settings.php
. -
In the OneLogin app connector UI you kept open from the previous task, select the Configurationtab.
-
Copy values from
settings.php
into the Configuration tab fields as shownbelow.Copy settings.php
Valueto Configuration Tab Field assertionConsumerService
➞ -
ACS (Consumer)URL
-
Recipient
singleLogoutService
➞ Single LogoutURL
entityId
➞ Audience
For a detailed description of each of the fields on the Configuration tab, see How to Use the OneLogin SAML Test Connector for moredetails.
-
-
You can leave RelayState blank. It will respect the value sent by the ServiceProvider.
-
For now, set ACS (Consumer) URL Validator to
.*
.Once you have verified that the connection between your app and OneLogin is working, you’ll want to set this value to perform an actual validation. See How to Use the OneLogin SAML Test Connector for moredetails.
Your Configuration tab should now look something likethis:
-
ClickSave.
If you need advanced security for production, be sure to configure the advanced_settings_example.php
file aswell.
For more information about how configure the settings.php
and advanced-settings.php
files, see the Toolkitdocumentation.
Task 5: Add users to your appconnector
In this task, you’ll give users access to the app connector you just created and configured. For example, you’ll need to ensure that you have access to the app connector to be able to access the demo1
app.
To dothis:
-
With your app connector open, select the Accesstab.
-
Ensure that the settings give you access to the app connector. For example, enable a role that will give you access. In this case, let’s say that the selected Default role grants access to relevant users, as shownbelow.
-
ClickSave.
Task 6: Log in to yourapp
At this point, the setup is complete and you should be able to single sign-on to and single logout of your app. For demo purposes, we’ll show the login and logout behavior using the demo1
app.
Log in using service provider-initiatedSAML
The following login flow illustrates service provider-initiated SAML, in which the request for authentication and authorization is initiated from the app, or serviceprovider.
-
Access the
demo1
app, as shown in below. For example, accesshttp://{yourdomain}/php-saml-master/demo1/
. -
Select Login. Selecting the Login link in the
demo1
app demonstrates the user experience when logging into your app viaSSO. -
The OneLogin login UI displays. Enter your OneLogin credentials and login.
A page listing the values from the app connector’s Parameters UI displays. When implemented for your app, this point in the flow would display your app in a logged instate.
-
Select Logout. Selecting the Logout link demonstrates the user experience when logging out of your app via SLO, as shownbelow.
Troubleshooting: If you see the following UI instead of the OneLogin login UI, please ensure that you have completed Task 5: Add users to your appconnector.
Log in using identity provider-initiatedSAML
The following login flow illustrates identity provider-initiated SAML, in which the login request is initiated from OneLogin. In this case, that user experience would be asfollows:
-
On your OneLogin App Home page, select the app connector your created. In this case, select the
demo1
app, as shownbelow. -
The page listing the values from the app connector’s Parameters UI displays. For your app, this would display your app in a logged instate.
-
Select Logout. Selecting the Logout link demonstrates the user experience when logging out of your app viaSLO.
ask?tags=onelogin+saml+php”target=”_blank”>StackOverflow.