PHP ADFS Single Sign-On (SSO) | PHP ADFS SAML SSO



PHP SAML 2.0 Connector acts as a SAML Service Provider which can be configured to establish the trust between the application and a SAML capable Identity Provider to securely authenticate the users into your application. Here we will go through a step-by-step guide to configure ADFS as IdP (Identity Provider) and PHP SAML 2.0 Connector as SP (Service Provider).

Pre-requisites: Download and Installation

  • To get the miniOrange PHP SAML 2.0 Connector, contact us.
  • Unzip the PHP connector in the directory where your PHP application is running.
  • Access the SSO connector settings from your browser with the URL https://<application-url>/sso
  • Log in to the PHP connector using your miniOrange credentials.
  • In the miniOrange PHP SAML 2.0 Connector, under the Plugin Settings tab you will find the SP Entity ID and ACS URL values, which are used while configuring your Identity Provider.

Steps to configure ADFS Single Sign-On (SSO)

1. Setup ADFS as IdP (Identity Provider)

Follow the steps below to configure ADFS as IdP

Configure ADFS as IdP
  • In the miniOrange SAML SP SSO plugin, navigate to the Service Provider Metadata tab. Here you can find the SP metadata, such as the SP Entity ID and ACS (AssertionConsumerService) URL, which are required to configure the Identity Provider.
  • On the ADFS server, open the AD FS Management application.
  • In AD FS Management, select Relying Party Trust and click on Add Relying Party Trust.
  • Select Claims aware in the Relying Party Trust Wizard and click on the Start button.
Select Data Source
  • In Select Data Source, select the data source for adding a relying party trust.
  • Navigate to the Service Provider Metadata tab in the plugin and copy the Metadata URL.
  • Select the Import data about the relying party published online or on the local network option and enter the metadata URL in Federation metadata address.
  • Click on Next.

    Note: In the next step enter the desired Display Name and click Next.

Choose Access Control Policy
  • Select Permit everyone as the Access Control Policy and click on Next.
Ready to Add Trust
  • In Ready to Add Trust, click on Next and then Close.
Edit Claim Issuance Policy
  • In the list of Relying Party Trust, select the application you created and click on Edit Claim Issuance Policy.
  • In the Issuance Transform Rule tab, click on the Add Rule button.
Choose Rule Type
  • Select Send LDAP Attributes as Claims and click on Next.
Configure Claim Rule
  • Add a Claim Rule Name and select the Attribute Store as required from the dropdown.
  • Under Mapping of LDAP Attributes to outgoing claim types, select LDAP Attribute as E-Mail-Addresses and Outgoing Claim Type as Name ID.
  • Once you have configured the attributes, click on Finish.
  • After configuring ADFS as IdP, you will need the Federation Metadata to configure your Service Provider.
  • To get the ADFS Federation Metadata, you can use this URL:
    https://<ADFS_Server_Name>/federationmetadata/2007-06/federationmetadata.xml
  • You have successfully configured ADFS as SAML IdP (Identity Provider) for ADFS Single Sign-On (SSO) Login.
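As an added example (not part of the miniOrange guide), the wizard steps above can be scripted in PowerShell on the ADFS server: the script imports the connector's SP metadata URL, applies the built-in Permit everyone policy, attaches the Send LDAP Attributes as Claims rule that issues E-Mail-Addresses as Name ID, and then checks what was imported. The trust name, the SP metadata URL and the ADFS host are placeholders.

```powershell
# Added example: scripted equivalent of the AD FS Management wizard steps above.
# Run in an elevated PowerShell session on the ADFS server.
$TrustName   = "PHP SAML Connector"   # display name (placeholder)
$MetadataUrl = "<SP-Metadata-URL>"    # Metadata URL from the connector's Service Provider Metadata tab (placeholder)

# This is the rule the "Send LDAP Attributes as Claims" template generates when
# E-Mail-Addresses (AD attribute "mail") is mapped to the Name ID outgoing claim type.
$ClaimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# "Import data about the relying party published online", Permit everyone policy, claim rule.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -MetadataUrl $MetadataUrl `
    -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules $ClaimRules

# Keep the trust in sync when the SP's signing certificate or ACS URL changes.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -MonitoringEnabled $true -AutoUpdateEnabled $true

# Verify the import: the identifier and ACS endpoint must match the SP Entity ID
# and ACS URL shown under the connector's Plugin Settings tab.
$Trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$Trust.Identifier
$Trust.SamlEndpoints |
    Where-Object { $_.Protocol -eq "SAMLAssertionConsumer" } |
    Select-Object Binding, Location

# Fetch the ADFS federation metadata the connector needs (replace the host placeholder).
Invoke-WebRequest -Uri "https://<ADFS_Server_Name>/federationmetadata/2007-06/federationmetadata.xml" `
    -OutFile .\federationmetadata.xml
```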

Windows SSO (Optional)

Follow the steps below to configure Windows SSO

Steps to configure ADFS for Windows Authentication
  • Open an elevated Command Prompt on the ADFS Server and execute the following command:
    • setspn -a HTTP/##ADFS Server FQDN## ##Domain Service Account##

      FQDN is the Fully Qualified Domain Name (Example: adfs4.example.com)

      Domain Service Account is the username of the account in AD.

      Example: setspn -a HTTP/adfs.example.com username/domain

  • Open the AD FS Management Console, click on Services and go to the Authentication Methods section. On the right, click on Edit Primary Authentication Methods. Check Windows Authentication in the Intranet zone.
  • Open Internet Explorer. Navigate to the Security tab in Internet Options.
  • Add the FQDN of AD FS to the list of sites in Local Intranet and restart the browser.
  • Select Custom Level for the Security Zone. In the list of options, select Automatic logon only in Intranet zone.
  • Open PowerShell and execute the following two commands to enable Windows Authentication for the Chrome browser:
    • Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome")
    • Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents;
  • You have successfully configured ADFS for Windows Authentication.
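As an added example (not part of the miniOrange guide), the Windows SSO steps above in one PowerShell script on the ADFS server: it registers the SPN, enables Windows Authentication as a primary intranet method, and adds Chrome to the WIA user agents only when it is not already listed, so re-running the script never appends duplicates. The FQDN and service account are placeholders.

```powershell
# Added example: scripted equivalent of the Windows SSO steps above.
# Run in an elevated PowerShell session on the ADFS server.
# <ADFS Server FQDN> and <Domain Service Account> are placeholders.

# 1. Register the HTTP SPN on the AD FS service account so browsers can obtain a
#    Kerberos ticket for it. -s checks for a duplicate SPN before adding.
setspn -s HTTP/<ADFS Server FQDN> <Domain Service Account>

# 2. Enable Windows Authentication as a primary method for the intranet zone
#    (the "Edit Primary Authentication Methods" step in the console).
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @("WindowsAuthentication", "FormsAuthentication")

# 3. Add Chrome to the WIA-supported user agents only if it is missing.
$Agents = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
if ($Agents -notcontains "Chrome") {
    Set-AdfsProperties -WIASupportedUserAgents ($Agents + "Chrome")
}

# 4. Verify the result.
Get-AdfsGlobalAuthenticationPolicy | Select-Object -ExpandProperty PrimaryIntranetAuthenticationProvider
Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents
```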

2. Configure PHP Connector as SP

  • In Plugin Settings, use your Identity Provider details to configure the plugin.
  • You can configure the SP base URL or leave this option as it is. Other fields are optional.
  • Click on the Save button to save your settings.
Test the Configuration
  • You can test whether the plugin is configured properly by clicking on the Test Configuration button.
  • You should see a Test Successful screen along with the user's attribute values as sent by your Identity Provider.

3. Attribute Mapping

  • From the Test Configuration window, copy the names of the attributes that return the email and username.
  • You can add any Custom Attribute and click on Save.

4. Enable SSO into your Application

Once the SSO test is successful, you can provide an Application URL to which users will be redirected after logging in.

  • To do so, click on the How to Setup? menu in the SSO connector.
  • In the input field for Application URL, enter the URL of your application (where you want users to be redirected after logging in).
  • To log the user into your application, read the session attributes set by the SSO connector:
    // Start the PHP session only if the connector has not already started it
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    // Attributes populated by the SSO connector after a successful SAML login;
    // null when no SSO session exists, so check them before trusting them
    $email    = $_SESSION['email'] ?? null;
    $username = $_SESSION['username'] ?? null;
  • You can use the variables $email and $username to find the user in your PHP application and start a session for that user.
  • Now that the plugin is configured, you're ready to use it in your application.
  • Use the following URL as a link in your application from where you want to perform SSO: "http://<application-url>/sso/login.php"
  • For example, you can use it as:
    <a href="http://<application-url>/sso/login.php">Log in</a>
  • Your users will be able to SSO into your application by clicking on the Log in link.

NOTE:

The miniOrange PHP SAML 2.0 Connector is supported by various PHP Frameworks such as Laravel, CodeIgniter, CakePHP, Symfony, Zend Framework, Phalcon, Yii Framework, Aura, Fat-Free, PHP-MVC, Kohana, FuelPHP, Slim, Flight, Zikula, PHPixie, Li3, Nett, Medoo, POP PHP, PHP Mini, Silex, Agavi, Typo 3 Flow, Prado, Cappuccino, Limonade, Webasyst, Guzzle PHP, YAF, Akelos PHP Framework, Qcodo, evoCore, Stratus, Seagull, Maintainable, Limb, Phocoa, AjaxAC, Zoop, BlueShoes, Recess, PHPDevShell, Ice Framework, QueryPHP, Dash PHP Framework, Zest Framework, Roducks, and many more.


In this guide, you have configured ADFS SAML Single Sign-On (ADFS SSO Login) with ADFS as IdP. This solution ensures that you are ready to roll out secure access to your PHP application using ADFS login credentials within minutes.

Additional Resources


If you are looking for anything which you cannot find, please drop us an email on samlsupport@xecurify.com
