PHP ADFS Single Sign-On (SSO) | PHP ADFS SAML SSO
PHP SAML 2.0 Connector acts as a SAML Service Provider which can be configured to establish the trust between the application and a SAML capable Identity Provider to securely authenticate the users into your application. Here we will go through a step-by-step guide to configure ADFS as IdP (Identity Provider) and PHP SAML 2.0 Connector as SP (Service Provider).
Pre-requisites : Download And Installation
- To get the miniOrange PHP SAML 2.0 Connector Contact us .
- Unzip the PHP connector in the directory where your PHP application is running.
- Access SSO connector settings from your browser with URL https://<application-url>/sso
- Login to the PHP connector using your miniOrange credentials.
- In miniOrange PHP SAML 2.0 Connector, Under Plugin Settings tab you will get the SP Entity ID and ACS URL values which will be used while configuring your Identity Provider.
Steps to configure ADFS Single Sign-On (SSO)
1. Setup ADFS as IdP (Identity Provider)
Follow the steps below to configure ADFS as IdP
Configure ADFS as IdP
- In the miniOrange SAML SP SSO plugin, navigate to Service Provider Metadata tab. Here, you can find the SP metadata such as SP Entity ID and ACS (AssertionConsumerService) URL which are required to configure the Identity Provider.
- On ADFS, search for ADFS Management application.
- In AD FS Management, select Relying Party Trust and click on Add Relying Party Trust.
- Select Claims aware from the Relying Party Trust Wizard and click on Start button.
Select Data Source
- In Select Data Source, select the data source for adding a relying party trust.
- Navigate to Service Provider Metadata tab from the plugin and copy the Metadata URL.
- Select Import data about the relying party published online or on the local network option and add the metadata URL in Federation metadata address.
- Click on Next.
Note: In the next step enter the desired Display Name and click Next.
Choose Access Control Policy
- Select Permit everyone as an Access Control Policy and click on Next.
Ready to Add Trust
- In Ready to Add Trust click on Next and then Close.
Edit Claim Issuance Policy
- In the list of Relying Party Trust, select the application you created and click on Edit Claim Issuance Policy.
- In Issuance Transform Rule tab click on Add Rule button.
Choose Rule Type
- Select Send LDAP Attributes as Claims and click on Next.
Configure Claim Rule
- Add a Claim Rule Name and select the Attribute Store as required from the dropdown.
- Under Mapping of LDAP Attributes to outgoing claim types, Select LDAP Attribute as E-Mail-Addresses and Outgoing Claim Type as Name ID.
- Once you have configured the attributes, click on Finish.
- After configuring ADFS as IDP, you will need the Federation Metadata to configure your Service Provider.
- To get the ADFS Federation Metadata, you can use this URL
https://< ADFS_Server_Name >/federationmetadata/2007-06/federationmetadata.xml - You have successfully configured ADFS as SAML IdP (Identity Provider) for achieving ADFS Single Sign-On (SSO) Login
Windows SSO (Optional)
Follow the steps below to configure Windows SSO
Steps to configure ADFS for Windows Authentication
- Open elevated Command Prompt on the ADFS Server and execute the following command on it:
- Open AD FS Management Console, click on Services and go to the Authentication Methods section. On the right, click on Edit Primary Authentication Methods. Check Windows Authentication in Intranet zone.
- Open Internet Explorer. Navigate to Security tab in Internet Options.
- Add the FQDN of AD FS to the list of sites in Local Intranet and restart the browser.
- Select Custom Level for the Security Zone. In the list of options, select Automatic Logon only in Intranet Zone.
- Open the powershell and execute following two commands to enable windows authentication in Chrome browser.
- You have successfully configured ADFS for Windows Authentication.
setspn -a HTTP/##ADFS Server FQDN## ##Domain Service Account##
FQDN is Fully Qualified Domain Name (Example : adfs4.example.com)
Domain Service Account is the username of the account in AD.
Example : setspn -a HTTP/adfs.example.com username/domain
Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome")
Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents;
2. Configure PHP Connector as SP
- In Plugin Settings, use your Identity Provider details to configure the plugin.
- You can configure the SP base url or leave this option as it is. Other fields are optional.
- Click on the Save button to save your settings.
Test the Configuration
- You can test if the plugin is configured properly or by clicking on the Test Configuration button.
- You should see a Test Successful screen as shown below along with the user's attribute values as being sent by your Identity Provider
3. Attribute Mapping
- From the Test Configuration window copy the attribute which is returning email and username.
- You can add any Custom Attribute and click on Save.
4. Enable SSO into your Application
Once the SSO test was successful, you can provide an Application URL, to where the users will be redirected after logging in.
- To do so, click on the How to Setup? menu in SSO connector.
- In the input field for Application URL, enter the url of your application (where you want the users to redirect after logging in).
- To login the user into your application, you can read the session attribute set by the SSO connector.
if(session_status() === PHP_SESSION_NONE)
{
session_start();
}
$email = $_SESSION['email'];
$username = $_SESSION['username'];
- You can use the variables $email and $username in your application to find the user in your php application and start session for the user.
- Now that the plugin is configured, you're ready to use it in your application.
- Use the following URL as a link in your application from where you want to perform SSO: "http://<application-url>/sso/login.php" For Example, you can use it as:
- Your users will be able to SSO in your application by clicking on the Log in link.
<a href="http://<application-url>/sso/login.php">Log in</a>
NOTE:
The miniOrange PHP SAML 2.0 Connector is supported by various PHP Frameworks such as Laravel, CodeIgniter, CakePHP, Symfony, Zend Framework, Phalcon, Yii Framework, Aura, Fat-Free, PHP-MVC, Kohana, FuelPHP, Slim, Flight, Zikula, PHPixie, Li3, Nett, Medoo, POP PHP, PHP Mini, Silex, Agavi, Typo 3 Flow, Prado, Cappuccino, Limonade, Webasyst, Guzzle PHP, YAF, Akelos PHP Framework, Qcodo, evoCore, Stratus, Seagull, Maintainable, Limb, Phocoa, AjaxAC, Zoop, BlueShoes, Recess, PHPDevShell, Ice Framework, QueryPHP, Dash PHP Framework, Zest Framework, Roducks, and many more.
In this Guide, you have successfully configured ADFS SAML Single Sign-On (ADFS SSO Login) choosing ADFS as IdP .This solution ensures that you are ready to roll out secure access to your PHP application using ADFS login credentials within minutes.
Additional Resources
- What is Single Sign-On (SSO)?
- What is ADFS?
- Configure LDAP attributes as claims for attribute mapping
- Frequently Asked Questions (FAQs)
If you are looking for anything which you cannot find, please drop us an email on samlsupport@xecurify.com
Need Help? We are right here!
