Code Your PHP App to Provide SSO via OneLogin (2024)


You can use OneLogin’s open-source SAML toolkit for PHP to enable single sign-on (SSO) for your app via any identity provider that offers SAML authentication.

Use this document to learn how to set up the SSO connection between your app and OneLogin, specifically. We’ll use the demo1 app (php-saml-master/demo1) delivered in the toolkit to demonstrate how to perform the setup tasks.

The demo1 app is a simple app that demonstrates the SSO and single logout (SLO) flow enabled by the SAML toolkit.

For important information about prerequisites and installing and developing an app with the SAML Toolkit for PHP, see OneLogin’s SAML PHP Toolkit.

Note that the downloadable toolkit also includes documentation of the OneLogin SAML Toolkit PHP library. See /php-saml-master/docs/Saml2/index.html.

Task 1: Prepare demo1 files

  1. Download the SAML Toolkit for PHP.

  2. Copy the entire php-saml-master folder into a location where its contents can be processed as PHP by your web server.

  3. Rename settings_example.php located in php-saml-master/demo1 to settings.php.

Task 2: Create an app connector in OneLogin

Use the SAML Test Connector (Advanced) connector to build an application connector for your app. For demo purposes, we’ll build one for the demo1 app.

This app connector will provide you with SAML values that your app needs to communicate with OneLogin as an identity provider. It also provides a place for you to provide SAML values that OneLogin needs to communicate with your app as a service provider.

  1. Access OneLogin.

  2. Go to Apps > Add Apps.

  3. Search for SAML Test Connector.

  4. Select the SAML Test Connector (IdP w/ attr) app.


  5. Edit the Display Name, if required. In the case of working with the demo1 app, enter demo1.

  6. Accept other default values for now and click Save.

  7. Keep the OneLogin app connector UI open for the next task.

Task 3: Define identity provider values in settings.php

In this step, provide your app with the identity provider values it needs to communicate with OneLogin. For demo purposes, we’ll provide the values for the demo1 app.

  1. Open settings.php (php-saml-master/demo1/settings.php).

  2. In the OneLogin app connector UI you kept open from the previous task, select the SSO tab.

  3. Copy values from the SSO tab and paste them into the 'idp' (identity provider) section of settings.php, as shown below.

    Copy SSO Tab Field Value            to settings.php Location
    Issuer URL                          entityId
    SAML 2.0 Endpoint (HTTP)            singleSignOnService
    SLO Endpoint (HTTP)                 singleLogoutService
    X.509 Certificate > View Details    x509cert

    After copying values from the SSO tab into the 'idp' section of your settings.php file, it should look something like this:

        'idp' => array (
            'entityId' => 'https://app.onelogin.com/saml/metadata/123456',
            'singleSignOnService' => array (
                'url' => 'https://app.onelogin.com/trust/saml2/http-post/sso/123456',
            ),
            'singleLogoutService' => array (
                'url' => 'https://app.onelogin.com/trust/saml2/http-redirect/slo/123456',
            ),
            'x509cert' => 'XXXXxXXX1xXxXXXxXXXXXXxXXxxXx...',
        ),

  4. Save settings.php.

  5. Keep the OneLogin app connector UI open for the next task.

Task 4: Define service provider values in settings.php

In this step, we’ll define the service provider values that OneLogin will need to identify your app. For demo purposes, we’ll provide the values for the demo1 app.

To do this:

  1. Open settings.php (php-saml-master/demo1/settings.php).

  2. Set the $spBaseUrl variable to your app’s domain. For example: $spBaseUrl = 'http://myapp.com';

  3. Notice that the sp (service provider) array URL values are formed based on the value of the $spBaseUrl variable that you set in the previous step. When resolved, the array values will look something like this:

    • entityId: http://myapp.com/demo1/metadata.php

    • assertionConsumerService: http://myapp.com/demo1/index.php?acs

    • singleLogoutService: http://myapp.com/demo1/index.php?sls

    Note: Depending on the location of your demo1 folder, you may need to edit the default sp array paths delivered in settings.php. For example, you may need to change /demo1/metadata.php to /php-saml-master/demo1/metadata.php, /demo1/index.php?acs to /php-saml-master/demo1/index.php?acs, and so forth.

  4. For the NameIDFormat value, change unspecified to emailAddress. This is the value used by OneLogin.

  5. Save settings.php.

  6. In the OneLogin app connector UI you kept open from the previous task, select the Configuration tab.

  7. Copy values from settings.php into the Configuration tab fields as shown below.

    Copy settings.php Value       to Configuration Tab Field
    assertionConsumerService      ACS (Consumer) URL; Recipient
    singleLogoutService           Single Logout URL
    entityId                      Audience

    For a detailed description of each of the fields on the Configuration tab, see How to Use the OneLogin SAML Test Connector.

  8. You can leave RelayState blank. It will respect the value sent by the Service Provider.

  9. For now, set ACS (Consumer) URL Validator to .* (a pattern that matches any URL).

    Once you have verified that the connection between your app and OneLogin is working, you’ll want to set this value to perform an actual validation. See How to Use the OneLogin SAML Test Connector for more details.

  10. Your Configuration tab should now look something like this:


  11. Click Save.
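
Step 9 leaves the ACS (Consumer) URL Validator at .* until the connection works. The following added example (not part of the toolkit or of OneLogin's documentation) derives an anchored replacement from the demo1 ACS URL and compares the two; acsValidatorFor() and validatorAccepts() are hypothetical helpers, the candidate URLs are constructed, and the assumption is that the connector evaluates a PCRE-compatible regular expression.

```php
<?php
// Added example: compare the temporary ".*" validator with an anchored one
// derived from the ACS URL used for demo1 on this page.

function acsValidatorFor(string $acsUrl): string {
    // Escape regex metacharacters ('.', '?', '/', ':') and anchor both ends,
    // so only this exact URL matches.
    return '^' . preg_quote($acsUrl, '/') . '$';
}

function validatorAccepts(string $validator, string $candidate): bool {
    // 'D' makes '$' match only at the very end, not before a trailing newline.
    return preg_match('/' . $validator . '/D', $candidate) === 1;
}

$acs      = 'http://myapp.com/demo1/index.php?acs';
$anchored = acsValidatorFor($acs);

// Constructed candidates: the real ACS URL and three near misses.
$candidates = [
    $acs,
    'http://myapp.com.other.example/demo1/index.php?acs', // different host
    'http://myappXcom/demo1/index.php?acs',               // '.' treated as wildcard
    'http://myapp.com/demo1/index.php?acs&extra=1',       // trailing data
];

printf("anchored validator: %s\n", $anchored);
foreach ($candidates as $url) {
    printf("%-52s  .*: %-6s  anchored: %s\n", $url,
        validatorAccepts('.*', $url) ? 'accept' : 'reject',
        validatorAccepts($anchored, $url) ? 'accept' : 'reject');
}
```

The .* validator accepts all four candidates, while the anchored one accepts only the first.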

If you need advanced security for production, be sure to configure the advanced_settings_example.php file as well.

For more information about how to configure the settings.php and advanced-settings.php files, see the Toolkit documentation.
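
The values entered in Tasks 3 and 4 can be checked with a short script before the first login test. This is an added example, not code from the toolkit: lintSamlSettings() and pemFromSettingsCert() are hypothetical helpers, the sample array is constructed from the placeholder values shown above, and PHP's openssl extension is assumed to be loaded.

```php
<?php
// Added example (not toolkit code): lint the endpoint URLs and the IdP
// certificate of a php-saml style settings array.

function pemFromSettingsCert(string $cert): string {
    // settings.php normally holds the bare base64 body, so re-wrap it as PEM.
    $body = preg_replace('/-----[A-Z ]+-----|\s+/', '', $cert);
    return "-----BEGIN CERTIFICATE-----\n" . chunk_split($body, 64, "\n")
        . "-----END CERTIFICATE-----\n";
}

function lintSamlSettings(array $s, ?int $now = null): array {
    $now = $now ?? time();
    $findings = [];
    foreach (['idp' => ['singleSignOnService', 'singleLogoutService'],
              'sp'  => ['assertionConsumerService', 'singleLogoutService']] as $side => $keys) {
        foreach ($keys as $key) {
            $url = $s[$side][$key]['url'] ?? '';
            // SAML messages cross these endpoints, so each one should be https.
            if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
                $findings[] = "$side.$key.url is not https: '$url'";
            }
        }
    }
    // '@' silences the warning PHP 8 raises for input that is not a certificate.
    $parsed = @openssl_x509_parse(pemFromSettingsCert($s['idp']['x509cert'] ?? ''));
    if ($parsed === false) {
        $findings[] = 'idp.x509cert does not parse as an X.509 certificate';
    } elseif ($parsed['validTo_time_t'] < $now) {
        $findings[] = 'idp.x509cert expired ' . gmdate('Y-m-d', $parsed['validTo_time_t']);
    }
    return $findings;
}

// Constructed sample built from the placeholder values shown in Tasks 3 and 4.
$settings = [
    'sp' => [
        'assertionConsumerService' => ['url' => 'http://myapp.com/demo1/index.php?acs'],
        'singleLogoutService'      => ['url' => 'http://myapp.com/demo1/index.php?sls'],
    ],
    'idp' => [
        'singleSignOnService' => ['url' => 'https://app.onelogin.com/trust/saml2/http-post/sso/123456'],
        'singleLogoutService' => ['url' => 'https://app.onelogin.com/trust/saml2/http-redirect/slo/123456'],
        'x509cert'            => 'XXXXxXXX1xXxXXXxXXXXXXxXXxxXx...',
    ],
];
foreach (lintSamlSettings($settings) as $finding) { echo "[!] $finding\n"; }
```

Against the sample it reports the two http service provider URLs and the certificate placeholder that was never replaced with the value from the SSO tab.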

Task 5: Add users to your app connector

In this task, you’ll give users access to the app connector you just created and configured. For example, you’ll need to ensure that you have access to the app connector to be able to access the demo1 app.

To do this:

  1. With your app connector open, select the Access tab.

  2. Ensure that the settings give you access to the app connector. For example, enable a role that will give you access. In this case, let’s say that the selected Default role grants access to relevant users, as shown below.


  3. Click Save.

Task 6: Log in to your app

At this point, the setup is complete and you should be able to single sign-on to and single logout of your app. For demo purposes, we’ll show the login and logout behavior using the demo1 app.

Log in using service provider-initiated SAML

The following login flow illustrates service provider-initiated SAML, in which the request for authentication and authorization is initiated from the app, or service provider.

  1. Access the demo1 app, as shown below. For example, access http://{yourdomain}/php-saml-master/demo1/.


  2. Select Login. Selecting the Login link in the demo1 app demonstrates the user experience when logging into your app via SSO.

  3. The OneLogin login UI displays. Enter your OneLogin credentials and log in.

    A page listing the values from the app connector’s Parameters UI displays. When implemented for your app, this point in the flow would display your app in a logged-in state.

  4. Select Logout. Selecting the Logout link demonstrates the user experience when logging out of your app via SLO, as shown below.


Troubleshooting: If you see the following UI instead of the OneLogin login UI, please ensure that you have completed Task 5: Add users to your app connector.


Log in using identity provider-initiated SAML

The following login flow illustrates identity provider-initiated SAML, in which the login request is initiated from OneLogin. In this case, that user experience would be as follows:

  1. On your OneLogin App Home page, select the app connector you created. In this case, select the demo1 app, as shown below.


  2. The page listing the values from the app connector’s Parameters UI displays. For your app, this would display your app in a logged-in state.

  3. Select Logout. Selecting the Logout link demonstrates the user experience when logging out of your app via SLO.
