ivan-novakov/php-saml-ecp-client
================================

SAML ECP client implementation in PHP


PHP SAML ECP Client
===================


Introduction
------------


As described in the current [specification draft](https://wiki.oasis-open.org/security/SAML2EnhancedClientProfile), the SAML V2.0 Enhanced Client or Proxy (ECP) profile is an SSO profile for use with HTTP and with clients that are able to contact a principal's identity provider(s) directly, without the discovery and redirection by the service provider that a browser needs. It is particularly useful for desktop or server-side HTTP clients.

This library tries to follow the ECP profile specification. Currently, it doesn't support the „Holder of Key“ and „Channel Bindings“ features. The status of the library is „highly experimental“. It is not 100% ready and it hasn't been tested in different environments.

Requirements
------------


- PHP >= 5.3
- Zend Framework >= 2.\*
- Shibboleth SP/IdP

Installation
------------


If you use [composer](http://getcomposer.org/) in your project, you can just add the following requirement to your `composer.json` file:

```
"ivan-novakov/php-saml-ecp-client": "dev-master"
```

Otherwise, clone the repository and configure your autoloader to look for the *Saml* namespace in the `lib/` directory of the repository.

Basic usage
-----------


```
use Saml\Ecp\Flow;
use Saml\Ecp\Client\Client;
use Saml\Ecp\Discovery\Method\StaticIdp;
use Saml\Ecp\Authentication\Method\BasicAuth;

$flow = new Flow\Basic();

$client = new Client(array(
    'http_client' => array(
        'options' => array(
            'cafile' => '/etc/ssl/certs/tcs-ca-bundle.pem'
        )
    )
));
$flow->setClient($client);

$authenticationMethod = new BasicAuth(array(
    'username' => 'user',
    'password' => 'passwd'
));

$discoveryMethod = new StaticIdp(array(
    'idp_ecp_endpoint' => 'https://idp.example.org/idp/profile/SAML2/SOAP/ECP'
));

$response = $flow->authenticate('https://sp.example.com/secure', $discoveryMethod, $authenticationMethod);

```

The Client object is responsible for the actual work - sending requests and validating responses. The Flow object uses the client object to issue requests in the appropriate order. The authenticate() method performs the whole ECP flow: the client tries to access the protected resource and is then sent to the IdP for authentication. Besides the resource URL, the authenticate() method needs a discovery method object, which determines the IdP to use for authentication, and an authentication method object, which adjusts the authentication request.

In this case the discovery method ( *StaticIdP* ) just returns the IdP endpoint. The authentication method ( *BasicAuth* ) adjusts the request to perform a HTTP Basic authentication based on the provided credentials.

Shibboleth SP configuration
---------------------------


Shibboleth SP supports the ECP profile, but it needs to be „switched on“ in the [SessionInitiator configuration](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator#NativeSPSessionInitiator-SAML2SessionInitiatorProtocolHandler):

```

```

If this is not the default session initiator (as in the example above), you need to configure Apache to use the right session initiator for the secured resource:

```

    AuthType shibboleth
    ShibRequestSetting requireSessionWith ECP
    Require valid-user

```

Shibboleth IdP configuration
----------------------------


The IdP supports the ECP profile ["out of the box"](https://wiki.shibboleth.net/confluence/display/SHIB2/IdPEnableECP). Currently the ECP profile handler requires external, web server based authentication. Basically, this means that you need to protect the ECP profile handler endpoint with some kind of HTTP Basic authentication, in the same way as when using the RemoteUser login handler.

```

    AuthType Basic
    AuthName "IdP ECP endpoint authentication"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://127.0.0.1/o=example.org"
    AuthzLDAPAuthoritative off
    require valid-user

```

Advanced usage
--------------


This library is more a framework than a ready to use application. There are numerous environments and use cases and it's not possible to cover them all „out of the box“. That is why the library has been designed to be as flexible and extensible as possible. Some parts may be easily exchanged with alternative implementations or extended with additional features.

### The HTTP client


The *Saml\\Ecp\\Client\\Client* object uses internally the *Zend\\Http\\Client* object with the cURL adapter ( *Zend\\Http\\Client\\Adapter\\Curl* ). For security reasons the peer and host validation is on by default (`CURLOPT_SSL_VERIFYPEER = true`, `CURLOPT_SSL_VERIFYHOST = 2`). You have to pass one of the following options:

- **cafile** - path to the file containing the CA certificates used for peer/host validation
- **capath** - path to the directory containing the CA certificates used for peer/host validation

You can also pass options directly to the HTTP client and the cURL adapter through these options:

- **zend\_client\_options** - array of options as described in [ZF2 manual](https://packages.zendframework.com/docs/latest/manual/en/modules/zend.http.client.html)
- **curl\_adapter\_options** - array of options as described in [ZF2 manual](https://packages.zendframework.com/docs/latest/manual/en/modules/zend.http.client.adapters.html#the-curl-adapter)

Example:

```
$client = new \Saml\Ecp\Client\Client(array(
    'http_client' => array(
        'options' => array(
            'cafile' => '/etc/ssl/certs/ca-bundle.crt'
        ),
        'zend_client_options' => array(
            'useragent' => 'My ECP Client v0.1'
        ),
        'curl_adapter_options' => array(
            CURLOPT_FORBID_REUSE => true
        )
    )
));

```

The Client object uses the *Saml\\Ecp\\Client\\HttpClientFactory* to create the HTTP client object based on the „http\_client“ option. Instead of passing the „http\_client“ option to the Client object, you can explicitly create the *Zend\\Http\\Client* object and inject it:

```
$httpClient = new \Zend\Http\Client();
$httpClient->setOptions(array(
    // options
));

$adapter = new \Zend\Http\Client\Adapter\Curl();
$adapter->setOptions(array(
    // options
));

$httpClient->setAdapter($adapter);

$client = new \Saml\Ecp\Client\Client();
$client->setHttpClient($httpClient);

```

### Discovery method


You can write your own IdP discovery method by implementing the *Saml\\Ecp\\Discovery\\Method\\MethodInterface*.

### Authentication method


You can code another authentication method by implementing the *Saml\\Ecp\\Authentication\\Method\\MethodInterface*.

### Requests


If you need to implement alternative request objects, you can extend the *Saml\\Ecp\\Request\\AbstractRequest* object or just implement the *Saml\\Ecp\\Request\\RequestInterface*. You will also have to implement your own request factory by implementing the *Saml\\Ecp\\Request\\RequestFactoryInterface* and inject it into the *Saml\\Ecp\\Client\\Client* object so the client can use your alternative request objects instead of the „standard“ ones.

### Responses


Similar to the requests, you can write your own responses by extending the abstract response class ( *Saml\\Ecp\\Response\\AbstractResponse* ) or by implementing the response interface ( *Saml\\Ecp\\Response\\ResponseInterface* ). Additionally, you need to write an alternative response factory implementing the *Saml\\Ecp\\Response\\ResponseFactoryInterface*.

### Response validation


Response validation is achieved through validators created by the *Saml\\Ecp\\Response\\Validator\\ValidatorFactory*. The validators must implement the *Saml\\Ecp\\Response\\Validator\\ValidatorInterface* and the validator factory must implement the *Saml\\Ecp\\Response\\Validator\\ValidatorFactoryInterface*. The validator factory has to be injected into the client object ( *Saml\\Ecp\\Client\\Client* ).
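The single most important thing a validator in this position has to check is the one the ECP profile makes mandatory for the flow described under "Basic usage": the `AssertionConsumerServiceURL` the IdP puts in its `ecp:Response` SOAP header must equal the `responseConsumerURL` the SP sent in its `paos:Request` header, otherwise the client must not relay the response (it would be delivering an assertion to an endpoint the SP never named). The following is an added, stand-alone example of that check and is not code from this library; the namespace URIs are the standard SOAP 1.1, PAOS and SAML ECP ones, and the two envelopes are constructed samples.

```php
<?php
// Added example, not code from php-saml-ecp-client. Namespaces are the standard
// SOAP 1.1, PAOS and SAML ECP ones; the envelopes at the bottom are constructed.
const NS_SOAP = 'http://schemas.xmlsoap.org/soap/envelope/';
const NS_PAOS = 'urn:liberty:paos:2003-08';
const NS_ECP  = 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp';

/** Parse a SOAP envelope with no network access and no entity expansion (no XXE). */
function ecpXPath($xml)
{
    if (PHP_VERSION_ID < 80000) { libxml_disable_entity_loader(true); } // no-op/deprecated on 8+
    libxml_use_internal_errors(true); // keep libxml warnings out of the output
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('Malformed SOAP envelope');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('S', NS_SOAP);
    $xp->registerNamespace('paos', NS_PAOS);
    $xp->registerNamespace('ecp', NS_ECP);
    return $xp;
}

/** Value of the single attribute selected by $query, or null when absent or ambiguous. */
function ecpAttribute($xml, $query)
{
    $nodes = ecpXPath($xml)->query($query);
    return $nodes->length === 1 ? $nodes->item(0)->nodeValue : null;
}

/** The profile's mandatory check: IdP AssertionConsumerServiceURL must equal the
 *  SP's responseConsumerURL. A mismatch means "do not relay, answer with a SOAP fault". */
function ecpConsumerUrlsMatch($spEnvelope, $idpEnvelope)
{
    $spUrl  = ecpAttribute($spEnvelope, '/S:Envelope/S:Header/paos:Request/@responseConsumerURL');
    $idpUrl = ecpAttribute($idpEnvelope, '/S:Envelope/S:Header/ecp:Response/@AssertionConsumerServiceURL');
    return $spUrl !== null && $idpUrl !== null && $spUrl === $idpUrl;
}

// Constructed samples (bodies omitted): the SP's PAOS request, and an IdP response
// whose ACS URL points at a different host, so the check must fail.
$sp  = '<S:Envelope xmlns:S="' . NS_SOAP . '" xmlns:paos="' . NS_PAOS . '"><S:Header>'
     . '<paos:Request responseConsumerURL="https://sp.example.com/Shibboleth.sso/SAML2/ECP"/>'
     . '</S:Header><S:Body/></S:Envelope>';
$idp = '<S:Envelope xmlns:S="' . NS_SOAP . '" xmlns:ecp="' . NS_ECP . '"><S:Header>'
     . '<ecp:Response AssertionConsumerServiceURL="https://other.example.net/SAML2/ECP"/>'
     . '</S:Header><S:Body/></S:Envelope>';
if (!ecpConsumerUrlsMatch($sp, $idp)) {
    echo "Consumer URL mismatch: refusing to relay the IdP response to the SP\n";
}
```

In the library this logic would live in a validator produced by your *ValidatorFactory* and run on the IdP response before the flow forwards it to the SP.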

Licence
-------


- [BSD 3 Clause](http://debug.cz/license/bsd-3-clause)

Links
-----


- [API docs](http://debug.cz/apidocs/ecp/)


Maintainer: [Ivan Novakov (@ivan-novakov)](https://github.com/ivan-novakov)