About SimpleSAMLphp 2009

Post on 12-Jun-2015


description

A generic presentation of SimpleSAMLphp. Made in 2009.

Transcript of About SimpleSAMLphp 2009

simpleSAMLphp

Andreas Åkre Solberg

andreas.solberg@uninett.no

Generic presentation

Updated: November 2009

What is it?

Software with focus on SAML (both SP and IdP), but with support for multiple protocols.

Widespread

• Wide adoption, and interest is increasing…
• Mostly Europe and US. Both commercial / educational.
• 350 users on mailing-list.
• Translated into 20 languages
• IDDY-award in California 2008.

Visitors of project homepage demography

Project structure

• Project leader: 1
• Main developers: 2
• Secondary committers: ~ 5
• Contributors: ~ 15

Why people like it

• easy to install and maintain: just drop a folder to install :)
• easy to extend
• fully modularized
• very helpful open source community.

• authentication sources
• processing filters
• themes
• hooks

Version 1.5 (October 2009) with improved interoperability with Shibboleth

• automated shibboleth-style metadata consumption
• Improved experience with combined SAML 1.1 and SAML 2.0 environments
• Improved SAML 1.1 + 2.0 integrated IdP Discovery Service.
• SAML 1.1 Artifact binding
• encrypted NameIDs

Multiple protocols

• SAML 2.X SP
• SAML 2.X IdP
• Shib 1.3 SP
• Shib 1.3 IdP
• OpenID Provider
• OpenID Consumer
• OAuth
• WS-Fed / ADFS
• Infocard
• CAS

• Twitter auth
• Facebook auth
• YubiKey
• Radius client
• LDAP
• SQL

*) some protocols experimental support

Protocols can be bridged!

Example I

• SAML 2.0 IdP
• SimpleSAMLphp bridge acting as OpenID Provider and SAML 2.0 SP

Example II

• SAML 2.0 SP
• SimpleSAMLphp bridge acting as SAML 2.0 IdP and SAML 1.1 SP
• SAML 1.1 IdP

Scalable from simple to not so simple

Simple: Apache 2 + PHP 5 with simpleSAMLphp.

Not so simple: with the memcache session handler.

[Diagram: a load balancer in front of several Apache 2 / PHP 5 / simpleSAMLphp servers, backed by memcache servers memcache1A, memcache2A, memcache3A, memcache1B, memcache2B, memcache3B, memcache1C, memcache2C and memcache3C, with groups labelled "Load balanced" and "Failover".]

Performance

Last performance test on IdP: ~ 12.000 SAML logins per minute on one server instance

Possible because of the lightweight design from the ground up.

"Self-check" API

• Sanity-check API allows you to check if everything is "OK".
• Can be connected to monitoring systems like NAGIOS.
• Hooks for adding sanity check tests in external modules.

Statistics module

User consent

Fancy Robust Single Log-Out

IdP Discovery Service

• Tabbed interface
• Drop-down free
• Incremental live search

Timed-out HTTP-POST Rescue

The wiki use-case

What will happen if you save and the session is timed out?

SimpleSAMLphp rescues the user's data when session is timed out.

AFAIK No other software does.

Easy log lookup with TrackID

more... http://rnd.feide.no/simplesamlphp