SimpleSAMLphp is an open-source implementation for federated AAI based on SAML.


SimpleSAMLphp primarily focuses on providing support for SAML2 SPs and IdPs.

At the same time, SimpleSAMLphp supports other identity protocols and frameworks, such as Shibboleth 1.3, A-Select, CAS, OpenID, ADFS, WS-Federation or OAuth. It also supports popular social media identity providers, such as Facebook, LinkedIn, MySpace, Twitter and Windows Live. SimpleSAMLphp is easily extendable due to its modular architecture. Some of the most important extension points of SimpleSAMLphp include:

  • Authentication Modules: For implementing custom authentication methods, such as PKI-based, or using proprietary user data sources. 
  • Authentication Processing Filters: To allow any kind of processing right after authentication has taken place. 
  • Themes: To customise the look of any page served by SimpleSAMLphp by modifying the CSS, headers, and footers. 
  • Modules: For extending SimpleSAMLphp with new identity protocols, pages, registry systems etc.

SimpleSAMLphp comes with a number of built-in modules, authentication modules and processing filters that may be used as is, or modified to fit specific needs. It also provides:

  • an abstract datastore API, allowing alternative ways of storing data
  • an abstraction layer of metadata handling, allowing alternative implementations of metadata consumption
  • multiple session handlers, e.g. PHP built-in session handling or Memcache
  •  step-up authentication based on different Levels of Assurance  

Apart from the modules that ship by default with SimpleSAMLphp, a number of extra modules have been made available by third-party developers covering specific features. A non-exhaustive list of such modules follows:

  • Attribute Authority: Provides back-end SAML Attribute Authority functionality 
  • Attribute Aggregator: Supports attribute aggregation as an Authentication Processing Filter.   
  • Content Simple Admin: Implements a very simple user interface for managing user consent. 
  • Kerberos: Enables Kerberos 5 authentication.   
  • Metadata aggregator2: Aggregates a set of SAML entities into SAML2 metadata documents
  •  Metaedit: Allows basic editing of metadata, as well as manually registering metadata for service providers.   
  • OAuth 2.0: Adds support for the OAuth 2.0 protocol. 
  • OpenID Consumer: A module adding support for the OpenID protocol as a Consumer.   
  • OpenID Provider: A module adding support for the OpenID protocol as an Identity Provider. 
  • Selfregister: Allows registration of users accounts.   
  • VOOT Groups: Allows retrieving group memberships from an API service protected with OAuth 2.0 using the VOOT protocol and adds this information to the list of attributes received from the IdP.
  • Attribute Aggregator module (developed by NIIF): Issues SAML2 AttributeQuery to an Attribute 
  • Authority that supports SAML2 SOAP binding 
  • Attribute-from-rest-api module (developed by NIIF): Requests attributes from REST API in JSON forma

Supported Standards

SAML2/1.1, OpenID, OAuth 2.0, Kerberos, VOOT, SQL, LDAP, RADIUS

User Interfaces and APIs

  • Web-based UIs
  • SAML SP/IdP metadata in XML exposed through HTTP
  • PHP-formatted configuration files

Support for Virtual Organisations


Dependencies and other technologies


Expercted level of support



Operational Overview