How to configure simpleSAMLphp 1.3 as SP and Shibboleth 2.1 as IdP ?

I suppose here you already have a server with a working Shibboleth 2.1 IdP at this address:


We will explain now how to configure simpleSAMLphp 1.3 as a Service Provider (SP) relying on the Shibboleth IdP for the user's authentications.

simpleSAMLphp installation/configuration

First of all you have to install simplesaml:

  • cd /var
    svn co simplesamlphp
    cd simplesaml
    cp -r config-templates/*.php config/
    cp -r metadata-templates/*.php metadata/
  • Then configure your apache server to map this path

    to this url (using https is not required):


    To accomplish this task, you can simply add this directive in your apache configuration:

    Alias /simplesaml /var/simplesamlphp/www

Now you have to configure it as a SP:

  • Edit /var/simplesamlphp/metadata/saml20-sp-hosted.php and add this metadata to the array:
      'your-sp-id' => array(
            'host' => 'your-sp-host',
            'certificate' => 'server.crt',
            'privatekey'  => 'server.pem',
    • your-sp-id is the string used to identify your SP to other IdP, you can change it if you want.
    • server.crt and server.pem are public and private keys of your SP certificate located in /var/simplesamlphp/cert/. This certificate will be published in the SP metadata and then will be used by Shibboleth to encrypt the transmitted data (assertions).
  • Edit /var/simplesamlphp/metadata/saml20-idp-remote.php and add this metadata to the end of the file:
    $metadata['https://your-idp-host/idp/shibboleth'] = array (
      'name' => 'The sexy name of your IdP',
      'description' => 'The description of your idp',
      'SingleSignOnService' => 'https://your-idp-host/idp/profile/SAML2/Redirect/SSO',
      'certFingerprint' => 'xxx',
    • certFingerprint can be calculated from your Shibboleth IdP certificate this way:
      cat idp.crt | openssl x509 -fingerprint  | grep SHA1 | sed "s/^[^=]*=//g" | sed "s/://g"

      (In a default shibboleth installation, idp.crt is located in shibboleth-idp/credentials/)

Shibboleth 2.1 configuration

Last step is to configure Shibboleth to handled simpleSAMLphp specificities:

  • Edit shibboleth-idp/conf/relying-party.xml and just after the DefaultRelyingParty entry, add this XML block:
        <RelyingParty id="your-sp-id"
                      defaultSigningCredentialRef="IdPCredential" >
           <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"

    This part of code will override the default profile only for your SP. It will disable the encryption of the NameIDs which is not yet supported in simpleSAMLphp. More informations about the NameIDs problem can be found in this thread. In addition, there is also a discussion about removing the NameIDs encryption in the default shibboleth idp configuration.
    Notice : in the next 2.2 shibb release, NameIDs encryption will be disabled by default in the shibboleth configuration.

  • Configure a new metadata provider for this SP in shibboleth-idp/conf/relying-party.xml:
    <MetadataProvider id="MDSIMPLSAMLPHP" 
      <MetadataResource xsi:type="resource:FilesystemResource"
                        file="/path/to/your/sp/metadata/shibboleth-idp/metadata/yoursp-metadata.xml" />

    I used the ResourceBackedMetadataProvider type which just reads data from a static file because Shibboleth 2.1 doesn't support yet HTTP proxies for the ''FileBackedHTTPMetadataProvider'' type. So you'll have also to configure a crontab to retrieve periodically fresh metadata from your SP. For example your can use this:

    0 * * * * wget http://your-sp-host/simplesaml/saml2/sp/metadata.php -O /path/to/your/sp/metadata/shibboleth-idp/metadata/yoursp-metadata.xml
  • Restart your shibboleth server

Now you should be ready to test it ! Try to open



Question a bout shibboleth2Question a bout shibboleth2, 2009/07/24 14:24

hay I am traying to test shibboleth2, i have installed idp2.1.2 with Sp2.1 and i can't configure one mini-fedetation just for the two parts, when I change the relaying-part.xml i get a sax exeption and error (187) can you help me, with any information for example where do I have to create the new MetadataProvider for referencing the SP and how to do for editing a sp-metadata.xml in the idp part

Best regard :)

Martin HaaseMartin Haase, 2009/09/08 16:31

You have in the example Shib2.1 configuration encryptNameIds=“never” AND encryptAssertions=“never”. While the further is inevitable, the latter is clearly a security risk and you should NOT do that. However, it is a little more difficult to configure: you need to tell the IdP in the Metadata about the SP that this SP does not just use its certificate to sign (use=“signing”) but also to encrypt (delete that “use” attribute, or make another certificate section with use=“encryption”). On the simpleSAMLphp end, you need to make sure PHP is able to decrypt things, so you need to install the mcrypt php library package (it is called php5-mcrypt on Ubuntu) and restart your Apache. Cheers, Martin

Francisco EstanqueiroFrancisco Estanqueiro, 2009/10/19 18:12

I've configured everything like you said but I keep having the same problem: In the simpleSAMLphp page appears

//Debug information

The debug information below may be of interest to the administrator / help desk:

Status = urn:oasis:names:tc:SAML:2.0:status:Responder

#0 {main}	//

after i successfully authenticated in IdP server. I checked the logs and i found this:

      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
      <samlp:StatusMessage>Format not supported: urn:oasis:names:tc:SAML:2.0:nameid-format:transient</samlp:StatusMessage>

Can you help me?

Francisco EstanqueiroFrancisco Estanqueiro, 2009/11/03 15:44

solved, bad attribute definitions…

Enter your comment

Recent changes RSS feed Valid XHTML 1.0 Valid CSS Driven by DokuWiki