
aidan/simplesamlphp-module-simpletotp
=====================================

A highly configurable yet simple to use TOTP based two-factor authentication processing module for SimpleSAMLphp


[Source](https://github.com/aidan-/SimpleTOTP) | [Packagist](https://packagist.org/packages/aidan/simplesamlphp-module-simpletotp)


SimpleTOTP
==========


SimpleTOTP is a [SimpleSAMLphp](https://simplesamlphp.org/) [auth processing filter](https://simplesamlphp.org/docs/stable/simplesamlphp-authproc) that enables the use of the *Time-Based One-Time Password Algorithm* (TOTP) as a second-factor authentication mechanism on either an Identity Provider or Service Provider (...or both!).

This has been tested with *Google Authenticator* on iOS and Android.

Why?
----


While there are a few two-factor authentication modules that already exist for SimpleSAMLphp, they are all implemented as [authentication sources](https://simplesamlphp.org/docs/stable/simplesamlphp-authsource).

As an auth processing filter, this module is flexible in a number of ways:

- agnostic to where the TOTP secret is stored
- can be enabled on select Service Providers or an entire Identity Provider

Usage
-----


Like any other auth process filter, this module needs to be configured in an authproc array in either config.php or in the metadata for a particular service provider or identity provider.

### Prerequisites


The `secret_attr` needs to be available in the attribute payload, as it is used to generate the token for comparison. This can be added using other auth process filters that look up an external database of some sort (SQL, LDAP, etc.).

After the module has been called, the attribute will be moved out of the user attribute array. As a safety precaution, an extra step should be taken to ensure this attribute is removed. This can be done using the `core:AttributeAlter` filter or similar.

### Example


Placed in either config.php's authproc or in the appropriate metadata entity:

```
10 => array(
	'class' => 'simpletotp:mfa',
	'secret_attr' => 'ga_secret', //default
	'enforce_mfa' => false, //default
	'not_configured_url' => NULL,  //default
	'validation_timeout' => 60, //default 60 (units: minutes) - optional timeout value for re-validation
),
```

Placed in config.php authproc as one of the last functions to be processed:

```
99 => array(
	'class' => 'core:AttributeAlter',
	'subject' => 'ga_secret',
	'pattern' => '/.*/',
	'%remove',
),
```

Example of how it can work with the example-userpass module. The configuration below goes in authsources.php. This module is enabled by default, but if it is not, make sure you create a file called `enable` inside the modules/exampleauth directory.

```
	'example-userpass' => array(
		'exampleauth:UserPass',
		'student:studentpass' => array(
			'uid' => array('test'),
			'ga_secret' => array('4HX4WBKVIJWDUV5I'),
			'eduPersonAffiliation' => array('member', 'student'),
		),
	),
```

After logging in with username `student` and password `studentpass`, you will be challenged for TOTP. `4HX4WBKVIJWDUV5I` is a secret key that can be generated by visiting /simplesaml/module.php/simpletotp/generate_token.php

A random one will be generated every time. You can also use the QR code to register your IdP with apps such as FreeOTP or Google Authenticator.

**NOTE**: for TOTP to work you **MUST** ensure that the clock on your server is in sync. If it is not, a matching token will never be generated and authentication will fail.
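
The clock-sync requirement in the note above, as an added example (not part of the SimpleTOTP README or code): a minimal RFC 6238 implementation in PHP that generates a token for the README's sample secret and checks it against a server whose clock is off by varying amounts. The function names, the timestamp and the ±1 step tolerance are assumptions for illustration; the module's own tolerance may differ.

```php
<?php
// Added illustration, not SimpleTOTP's code. Assumes RFC 6238 defaults
// (HMAC-SHA1, 30 s step, 6 digits), as used by Google Authenticator.
function base32_decode_rfc4648(string $b32): string
{
    $bits = $out = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $ch) {
        $idx = strpos('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567', $ch);
        if ($idx === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($idx), 5, '0', STR_PAD_LEFT);
    }
    foreach (str_split($bits, 8) as $byte) {
        $out .= strlen($byte) === 8 ? chr(bindec($byte)) : ''; // drop partial byte
    }
    return $out;
}

function totp(string $b32Secret, int $unixTime, int $step = 30, int $digits = 6): string
{
    $counter = pack('N2', 0, intdiv($unixTime, $step)); // 8-byte big-endian counter
    $hash = hash_hmac('sha1', $counter, base32_decode_rfc4648($b32Secret), true);
    $offset = ord($hash[19]) & 0x0F;                    // dynamic truncation (RFC 4226)
    $code = unpack('N', substr($hash, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Server-side check; accepting +/- $window steps of 30 s is an assumed tolerance.
function verify(string $b32Secret, string $token, int $serverTime, int $window = 1): bool
{
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp($b32Secret, $serverTime + $i * 30), $token)) { return true; }
    }
    return false;
}

// Self-check against the RFC 6238 Appendix B SHA-1 vector (T = 59, 8 digits).
if (totp('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', 59, 30, 8) !== '94287082') {
    throw new RuntimeException('TOTP self-check failed');
}

$secret = '4HX4WBKVIJWDUV5I';       // sample secret from the README example
$phoneTime = 1700000000;            // constructed timestamp: the authenticator's clock
$token = totp($secret, $phoneTime); // what the authenticator app would display
foreach ([0, 25, 120, 300] as $skew) { // seconds the server clock runs ahead
    $ok = verify($secret, $token, $phoneTime + $skew);
    printf("server clock %+4d s off: %s\n", $skew, $ok ? 'accepted' : 'rejected');
}
```

Run it with the PHP CLI (7.0 or later); a real deployment should rely on NTP rather than widening the acceptance window, since a wider window also lengthens the time a captured token stays valid.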

Installation
------------


### Via Git


A simple `git clone` in the SimpleSAMLphp module directory is all that is required.

### Via Composer


`composer.phar require aidan/simplesamlphp-module-simpletotp`

TODO
----


- improve usage documentation with examples using external database(s) as data sources
- add basic brute force prevention

