Configuring a SAML IDP with LDAP as authentication source

In this setup, the SAML IDP will be available at and we will authenticate users against the LDAP server configured in this post.

Start by moving to the directory above the DocumentRoot for the domain. Let’s say that it is /var/www/, so

cd /var/www/

Download the SimpleSAMLphp release tarball (1.14.4 at the time of writing, from the project's official release page) and unpack it

wget && tar xvfz simplesamlphp-1.14.4.tar.gz

I like to rename it to something simpler like

mv simplesamlphp-1.14.4

Then edit the vhost of the domain and add an Alias, for instance right after the DocumentRoot declaration (adapt the path to your install). The Alias must point at the www subdirectory inside the SimpleSAMLphp directory, never at the directory that holds config/, cert/ and metadata/: those contain the admin password, the secret salt and the IDP's private key, and must not be reachable from the web.

  Alias /auth /var/www/

Now edit the config file

vim /var/www/

And set the base URL path. It must match the Alias you just added and end with a slash

'baseurlpath' => 'auth/',

In this same file, define these other variables. The secretsalt is used for hashing and for signing session data, so replace the placeholder with a long random string from /dev/urandom, and pick a strong admin password (SimpleSAMLphp ships bin/pwgen.php to produce a hashed value that can be stored here instead of the clear-text password)

'auth.adminpassword' => 'AdminPassword',
'secretsalt' => 'xxxxxxxxxxxxxxxxx',
'technicalcontact_name' => 'Administrator',
'technicalcontact_email' => '',

And finally enable the IDP. Write and quit afterwards.

'enable.saml20-idp' => true,

Now edit config/authsources.php and look for the "example-ldap" array. I will rename it to "examplecom". Then set the other variables in this array to match your directory. Note that with the default 'search.enable' => false, the user DN is built from dnpattern and search.base/search.attributes are ignored, so dnpattern must point at the same tree as search.base (the template default of ou=people,dc=example,dc=org does not). Also make sure the bind is protected: use an ldaps:// hostname or set 'enable_tls' => true, otherwise every user password crosses the wire in clear.

'hostname' => '',
'dnpattern' => 'uid=%username%,ou=users,dc=example,dc=com',
'search.base' => 'ou=users,dc=example,dc=com',
'search.attributes' => array('cn'),

Now change to the "cert" folder and generate a new self-signed certificate and key. server.pem is the IDP's private signing key (written unencrypted because of -nodes), so restrict it to the web server user with mode 0600; the two files are referenced by the 'privatekey' and 'certificate' entries of the hosted IDP metadata

openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out server.crt -keyout server.pem

Then go back one level and change to the “metadata” folder. Edit the file saml20-idp-hosted.php and set our authentication source

'auth' => 'examplecom',

To sign assertions with SHA-256 instead of the SHA-1 default, set the signature algorithm (check first that every SP you will federate with accepts it)

'signature.algorithm' => '',

It is recommended to use the uri NameFormat on attributes. Uncomment this block (including the closing of the authproc array), then write and quit the text editor:

'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'authproc' => array(
    // Convert LDAP names to oids.
    100 => array('class' => 'core:AttributeMap', 'name2oid'),
),

Now you can open your IDP at , log in to the admin pages with the auth.adminpassword you set, and test the LDAP authentication source from there. Enjoy.
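As an added example (not from the original post and not part of SimpleSAMLphp), here is a POSIX shell pre-flight script that generates a random secretsalt and then checks a finished install for the things this walkthrough makes easy to leave behind: a template secretsalt or admin password, an IDP that is not enabled, a baseurlpath without its trailing slash, an LDAP bind over clear-text, a hosted-IDP 'auth' entry that names no authsource, and a world-readable signing key. It assumes the layout used above (config/config.php, config/authsources.php, metadata/saml20-idp-hosted.php, cert/server.pem) under the install directory passed as its argument.

```shell
#!/bin/sh
# Pre-flight check for a SimpleSAMLphp IdP laid out as in this post.
# Added example, not part of the original post or of SimpleSAMLphp itself.
# Assumed layout under the install dir: config/config.php,
# config/authsources.php, metadata/saml20-idp-hosted.php, cert/server.pem.

# 32 characters of [a-z0-9] from the kernel CSPRNG, for 'secretsalt'.
gen_secretsalt() {
    LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 32
}

# Value of a quoted PHP array entry:  'key' => 'value',   ($1=file $2=key)
ssp_get() {
    sed -n "s/^[[:space:]]*'$2'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Value of an unquoted entry such as  'enable_tls' => true,   ($1=file $2=key)
ssp_get_raw() {
    sed -n "s/^[[:space:]]*'$2'[[:space:]]*=>[[:space:]]*\([^,]*\),.*/\1/p" "$1" | head -n 1
}

# Prints one FAIL line per problem; returns 0 only when everything passes.
check_ssp_idp() {
    dir=$1; rc=0
    cfg=$dir/config/config.php
    auth=$dir/config/authsources.php
    hosted=$dir/metadata/saml20-idp-hosted.php
    key=$dir/cert/server.pem

    salt=$(ssp_get "$cfg" secretsalt)
    if [ "$salt" = defaultsecretsalt ] || [ ${#salt} -lt 16 ]; then
        echo "FAIL secretsalt: template default or shorter than 16 chars"; rc=1
    fi

    pw=$(ssp_get "$cfg" auth.adminpassword)
    if [ "$pw" = 123 ] || [ ${#pw} -lt 12 ]; then
        echo "FAIL auth.adminpassword: template default or shorter than 12 chars"; rc=1
    fi

    case $(ssp_get "$cfg" baseurlpath) in
        */) : ;;
        *) echo "FAIL baseurlpath: must end with a slash"; rc=1 ;;
    esac

    [ "$(ssp_get_raw "$cfg" enable.saml20-idp)" = true ] ||
        { echo "FAIL enable.saml20-idp: IdP functionality is not enabled"; rc=1; }

    host=$(ssp_get "$auth" hostname)
    case $host in
        '') echo "FAIL hostname: LDAP server not set"; rc=1 ;;
        ldaps://*) : ;;
        *) [ "$(ssp_get_raw "$auth" enable_tls)" = true ] ||
            { echo "FAIL ldap: $host without enable_tls sends user passwords in clear"; rc=1; } ;;
    esac

    # The hosted IdP must point at an authsource that actually exists.
    src=$(ssp_get "$hosted" auth)
    if [ -z "$src" ] || ! grep -q "^[[:space:]]*'$src'[[:space:]]*=>" "$auth" 2>/dev/null; then
        echo "FAIL auth: saml20-idp-hosted.php names an authsource missing from authsources.php"; rc=1
    fi

    # Private signing key: present and not readable by "other".
    if [ ! -f "$key" ]; then
        echo "FAIL privatekey: $key not found"; rc=1
    elif [ "$(ls -ld "$key" | cut -c8-10)" != '---' ]; then
        echo "FAIL privatekey: $key is readable by other users"; rc=1
    fi
    return $rc
}
```

Run it as `check_ssp_idp /var/www/<your install dir>` before pointing any SP at the IDP; a non-zero exit and one FAIL line per finding make it usable from a deployment pipeline as well as by hand. The parser is deliberately line-oriented (one `'key' => value,` per line), which is how the shipped config templates are written.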
