Okta

How to Configure SAML 2.0 for PHP Applications

There are three phases to configuring SAML 2.0 for PHP applications: Dependencies, Configuration, and Integration. All three phases are required.

Dependencies - Verify the Setup

  1. Be sure the following software is installed on the web server running the SAML PHP plugin.

    • PHP 5.0 or greater
    • php_openssl extension
    • openssl libraries
  2. If the PHP application runs on Linux, make sure the Apache user has write permission to the [php_application_root_dir]/logs directory.
  3. If the PHP application is hosted on a third-party server, verify the file access permissions; this applies to both virtual and dedicated servers.

Configuration - Update the Configuration File

  1. Update the okta.config.xml file: add the following XML node to [php_application_root_dir]/okta.config.xml, under the root <configuration> section.

    <okta>
      <authentication>
        <issuer>    </issuer>
        <authenticationUrl>    </authenticationUrl>
        <logoutUrl>    </logoutUrl>
        <certificate>
        </certificate>
      </authentication>
    </okta>
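The node above is what the plugin reads for the IdP's issuer, endpoints and signing certificate, so it is worth checking it once at startup rather than discovering a bad value on the first login. The script below is an added example, not code from the Okta page or its PHP SAML plugin: it loads the `<okta><authentication>` node with SimpleXML, requires every field to be present, requires both URLs to be absolute `https://` URLs, and uses the php_openssl extension listed under Dependencies to confirm that `<certificate>` is a parseable, unexpired X.509 certificate. It assumes `<certificate>` holds the IdP certificate as base64, with or without the PEM `BEGIN/END CERTIFICATE` lines, and generates a throw-away self-signed certificate so it runs offline.

```php
<?php
// Added example; not code from the Okta page or its PHP SAML plugin.
// Validates the <okta><authentication> node of okta.config.xml before use.
// Assumption: <certificate> carries the IdP signing certificate as base64,
// with or without the -----BEGIN/END CERTIFICATE----- lines.

function certificateToPem($certificate)
{
    // Strip PEM armor and whitespace, keep only the base64 body.
    $body = preg_replace('/-----(BEGIN|END) CERTIFICATE-----|\s+/', '', $certificate);
    if ($body === '' || base64_decode($body, true) === false) {
        throw new RuntimeException('okta.config.xml: <certificate> is not valid base64');
    }
    return "-----BEGIN CERTIFICATE-----\n" . chunk_split($body, 64, "\n") . "-----END CERTIFICATE-----\n";
}

function loadOktaAuthConfig($xmlString)
{
    $doc = simplexml_load_string($xmlString);
    if ($doc === false || !isset($doc->okta->authentication)) {
        throw new RuntimeException('okta.config.xml: missing <okta><authentication> node');
    }
    $auth = $doc->okta->authentication;

    $cfg = array();
    foreach (array('issuer', 'authenticationUrl', 'logoutUrl', 'certificate') as $field) {
        $value = trim((string) $auth->$field);
        if ($value === '') {
            throw new RuntimeException("okta.config.xml: <$field> is empty");
        }
        $cfg[$field] = $value;
    }

    // The browser is redirected to these endpoints with the SAMLRequest, so a
    // relative or plain-http value would be broken or downgrade the exchange.
    foreach (array('authenticationUrl', 'logoutUrl') as $field) {
        $parts = parse_url($cfg[$field]);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])
            || strtolower($parts['scheme']) !== 'https') {
            throw new RuntimeException("okta.config.xml: <$field> must be an absolute https:// URL");
        }
    }

    // Assertion signatures are verified against this certificate, so make sure
    // it parses and has not expired.
    $pem  = certificateToPem($cfg['certificate']);
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        throw new RuntimeException('okta.config.xml: <certificate> is not an X.509 certificate');
    }
    if ($info['validTo_time_t'] < time()) {
        throw new RuntimeException('okta.config.xml: <certificate> expired on ' . date('c', $info['validTo_time_t']));
    }
    $cfg['certificatePem']     = $pem;
    $cfg['certificateSubject'] = $info['name'];
    $cfg['certificateExpires'] = $info['validTo_time_t'];
    return $cfg;
}

// --- constructed input so the check runs offline ---------------------------
// A throw-away self-signed certificate stands in for the real IdP certificate.
$key  = openssl_pkey_new(array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA));
$csr  = openssl_csr_new(array('commonName' => 'idp.example.com'), $key, array('digest_alg' => 'sha256'));
$x509 = openssl_csr_sign($csr, null, $key, 365, array('digest_alg' => 'sha256'));
openssl_x509_export($x509, $pemOut);
$base64Body = preg_replace('/-----(BEGIN|END) CERTIFICATE-----|\s+/', '', $pemOut);

// Constructed okta.config.xml content; the URLs are placeholders, not real Okta endpoints.
$xml = "<configuration>\n"
     . "  <okta>\n"
     . "    <authentication>\n"
     . "      <issuer>https://idp.example.com</issuer>\n"
     . "      <authenticationUrl>https://idp.example.com/sso/saml</authenticationUrl>\n"
     . "      <logoutUrl>https://idp.example.com/slo/saml</logoutUrl>\n"
     . "      <certificate>" . $base64Body . "</certificate>\n"
     . "    </authentication>\n"
     . "  </okta>\n"
     . "</configuration>\n";

$cfg = loadOktaAuthConfig($xml);
echo "issuer: " . $cfg['issuer'] . "\n";
echo "signing certificate: " . $cfg['certificateSubject']
   . ", valid until " . date('Y-m-d', $cfg['certificateExpires']) . "\n";
```

In the application, replace the constructed `$xml` with `file_get_contents(dirname(__FILE__) . "/okta.config.xml")` and run the check from lib/bootstrap.php so that a misconfigured node fails loudly at startup. Keeping the expiry date from `certificateExpires` in a monitoring check gives warning before IdP certificate rotation breaks logins.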

Integration - Add PHP Code to your Web Application

  1. Include bootstrap.php at the top of the PHP script that handles SAML authorization.

    Navigate to the place in the code where you expect the SAMLResponse to be POSTed and add the following line.

    PHPSAMLProcessor::self()->getUserIdBySAMLResponse($_POST["SAMLResponse"]);

    Best practice: wrap this call in a try...catch block, because it throws an exception if XML verification fails or something else goes wrong.

    Example
    <?php
    require_once(dirname(__FILE__) . "/lib/bootstrap.php");

    // The IdP POSTs the SAMLResponse form field to this script.
    $SAMLResponse = isset($_POST["SAMLResponse"]) ? $_POST["SAMLResponse"] : "";

    if (!empty($SAMLResponse)) {
        try {
            // Throws if the XML or its signature does not verify.
            $userId = PHPSAMLProcessor::self()->getUserIdBySAMLResponse($SAMLResponse);
            // Escape before echoing: the value comes from the assertion, not from this application.
            echo "User id:" . htmlspecialchars($userId, ENT_QUOTES, "UTF-8");
        } catch (Exception $e) {
            echo "ERROR:" . htmlspecialchars($e->getMessage(), ENT_QUOTES, "UTF-8");
        }
        echo "<br />";
    }
    ?>
  2. Include lib/bootstrap.php at the top of the PHP script that performs SAML requests.

    Navigate to the place in the code where you plan to send the SAML request to Okta and add code modeled after the following example.

    Example
    <?php
    $authUrl = Config::getAuthUrl(); // taken from okta.config.xml
    $samlRequest = PHPSAMLProcessor::self()->createSAMLRequest();

    // The URL to which the authenticated user is redirected after a successful logon.
    $relayState = Config::getBaseUrl() . "/dashboard.php";

    // Send the browser to the IdP with the request and RelayState as query parameters.
    $redirUrl = $authUrl . "?SAMLRequest=" . urlencode(base64_encode($samlRequest))
              . "&RelayState=" . urlencode($relayState);
    header("Location: " . $redirUrl);
    ?>
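The RelayState sent in step 2 comes back to the step 1 script in `$_POST["RelayState"]` next to the SAMLResponse, and it is the one value in that POST the plugin does not verify for you. The script below is an added example, not code from the Okta page or its PHP SAML plugin: it is a hardened version of the step 1 handler that only follows a RelayState pointing back under the application's own base URL, writes verification failures to a log file (the page requires [php_application_root_dir]/logs to be writable for this reason) instead of echoing the exception to the browser, and takes the verification step as a callable so it runs offline. In the application, pass `array(PHPSAMLProcessor::self(), 'getUserIdBySAMLResponse')` and `Config::getBaseUrl()`; the `$fakeVerifier`, base URL and log path here are constructed stand-ins.

```php
<?php
// Added example; not code from the Okta page or its PHP SAML plugin.
// Hardened handler for the script that receives the SAMLResponse POST (step 1).

function isSafeRelayState($relayState, $baseUrl)
{
    // Accept an application-local path such as /dashboard.php, but not the
    // scheme-relative forms //host or /\host that browsers treat as another site.
    if (substr($relayState, 0, 1) === '/') {
        $second = substr($relayState, 1, 1);
        return $second !== '/' && $second !== '\\';
    }
    $base   = parse_url($baseUrl);
    $target = parse_url($relayState);
    if ($base === false || $target === false || !isset($target['scheme'], $target['host'])) {
        return false;
    }
    $basePath   = isset($base['path']) ? rtrim($base['path'], '/') : '';
    $targetPath = isset($target['path']) ? $target['path'] : '/';
    return strcasecmp($target['scheme'], isset($base['scheme']) ? $base['scheme'] : '') === 0
        && strcasecmp($target['host'], isset($base['host']) ? $base['host'] : '') === 0
        && (isset($target['port']) ? $target['port'] : null) === (isset($base['port']) ? $base['port'] : null)
        && ($basePath === '' || $targetPath === $basePath || strpos($targetPath, $basePath . '/') === 0);
}

function handleSamlResponse($resolveUserId, $samlResponse, $relayState, $baseUrl, $logFile)
{
    try {
        // PHPSAMLProcessor throws when the XML or its signature does not verify.
        $userId = call_user_func($resolveUserId, $samlResponse);
    } catch (Exception $e) {
        // Keep the reason (bad signature, expired assertion, ...) server-side only.
        error_log(date('c') . ' SAML verification failed: ' . $e->getMessage() . PHP_EOL, 3, $logFile);
        return array('ok' => false, 'userId' => null, 'redirect' => null, 'message' => 'Login failed');
    }
    // Fall back to a fixed landing page rather than trusting a foreign RelayState.
    $redirect = isSafeRelayState($relayState, $baseUrl) ? $relayState : $baseUrl . '/dashboard.php';
    return array('ok' => true, 'userId' => $userId, 'redirect' => $redirect, 'message' => null);
}

// --- constructed demonstration; no IdP is contacted ------------------------
$baseUrl = 'https://app.example.com';              // stands in for Config::getBaseUrl()
$logFile = sys_get_temp_dir() . '/saml-demo.log';  // use [php_application_root_dir]/logs in the app

// Stand-in for getUserIdBySAMLResponse(): accepts exactly one fixed response.
$fakeVerifier = function ($response) {
    if ($response !== 'GOOD-RESPONSE') {
        throw new Exception('signature verification failed');
    }
    return 'alice@example.com';
};

// Same-origin RelayState: followed as-is.
$ok   = handleSamlResponse($fakeVerifier, 'GOOD-RESPONSE', 'https://app.example.com/reports', $baseUrl, $logFile);
// Foreign RelayState: replaced by the fixed landing page.
$open = handleSamlResponse($fakeVerifier, 'GOOD-RESPONSE', 'https://other.example/landing', $baseUrl, $logFile);
// Response that fails verification: logged, user sees only the generic message.
$bad  = handleSamlResponse($fakeVerifier, 'TAMPERED', $baseUrl . '/dashboard.php', $baseUrl, $logFile);

var_dump($ok['redirect'] === 'https://app.example.com/reports');
var_dump($open['redirect'] === 'https://app.example.com/dashboard.php');
var_dump($bad['ok'] === false && file_exists($logFile));
```

When `ok` is true the calling script should establish the session before redirecting: call `session_regenerate_id(true)`, store the user id in `$_SESSION`, then `header("Location: " . $result['redirect'])` and exit. When it is false, show `message` and nothing from the exception, which the log already has.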