Configuring service provider metadata for SimpleSAMLphp

The information on this documentation page is part of the SimpleSAMLphp installation process.

After you have provided information about your service provider (SP) and identity provider (IdP) to SimpleSAMLphp, you must obtain SP metadata and define your IdP’s configuration, based on the IdP’s metadata.

If your production and non-production environments have different needs, you can configure per-environment IdPs.

Obtaining SP metadata

After configuring your SP, as described in Installing the SimpleSAMLphp library, you must obtain its metadata from SimpleSAMLphp by completing the following steps:

  1. In a web browser, open http://[]/simplesaml/, replacing [] with the domain name of your website.

  2. In the SimpleSAMLphp page that appears, click the Federation tab.

  3. Click Show Metadata for the SP. This value defaults to default-sp unless you have configured another value in authsources.php.

    SimpleSAMLphp displays the metadata. The first line contains the link to the metadata you must provide to your IdP.

  4. (Optional) If your IdP requires the Assertion Endpoint URL, it can be found in the SP metadata as the value of Location in a line similar to the following:


After obtaining this SP metadata, you can define and configure your IdP.

Defining and configuring your IdP

IdP metadata is provided in XML format, which you must convert into a PHP-readable format, using a tool included with SimpleSAMLphp.

To define and configure your IdP:

  1. Obtain your IdP metadata from your service provider, as described in Obtaining SP metadata. Ensure the metadata is in XML format.

  2. Visit the XML to SimpleSAMLphp metadata converter included with SimpleSAMLphp at http://[]/simplesaml/admin/metadata-converter.php, replacing [] with the domain name of your website.

  3. Paste the XML-formatted IdP metadata into the XML Metadata field.

  4. Click Parse. SimpleSAMLphp displays formatted metadata for the following files:

    • saml20-sp-remote.php

    • saml20-idp-remote.php

  5. Save your changes to the saml20-idp-remote.php file.

  6. (Optional) If your application uses per-environment IdPs, change the saml20-idp-remote.php file, as described in Configuring per-environment IdPs.

  7. Upload saml20-idp-remote.php into the metadata directory inside the simplesamlphp directory you created in Installing the SimpleSAMLphp library.

After completing these steps, test your connection with the SimpleSAMLphp library.

Configuring per-environment IdPs

To use different IdPs for different environments without having to add logic, you can require a file from the file system, which can contain different information for each environment. To vary the IdP values, complete the following steps:

  1. Add the following require statement to the /simplesamlphp/metadata/saml20-idp-remote.php file:

    if (file_exists('/var/www/site-php')) {
  2. On your local computer, create a file named saml20-idp-remote.php, and then add the PHP-formatted version of your per-environment IdP metadata to the file.


    Be sure the opening <?php tag is present in your file, or the file won’t load correctly.

  3. Upload saml20-idp-remote.php to the /mnt/gfs/{$_ENV['AH_SITE_NAME']}/config/saml/ directory, replacing {$_ENV['AH_SITE_NAME']} with the sitename for that environment.

Example IdP configuration file

The following file is an example of an IdP configuration after conversion to a PHP-readable format:

// The key to the metadata should be the Entity ID of the IdP
$metadata['<entity id from the IdP metadata'] = array(
  'name' => array(
    'en' => '<a short description of the IdP>',

  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' =>
    array (
      0 =>
        array (
          // Binding and Location can be found in the IdP’s metadata.
          // DO NOT USE HTTP-POST.
          // It is not supported by older versions of SimpleSAMLphp and
          // doesn’t work well with newer versions.
          'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
          'Location' => '<the location from the IdP metadata',

  // NameIDFormat can be found in the IdP’s metadata.
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
  'keys' =>
    array (
      0 =>
        array (
          // If the connection requires a key, enter that information here.
          // The key will be in the IdP’s metadata.
          'encryption' => false,
          'signing' => true,
          'type' => 'X509Certificate',
          'X509Certificate' => '<certificate value>',