
klemenb/simplesamlphp-module-negotiateserver
============================================

A SimpleSAMLphp module for authenticating users via Apache/IIS integrated HTTP Negotiate support.

[Source](https://github.com/klemenb/simplesamlphp-module-negotiateserver) | [Packagist](https://packagist.org/packages/klemenb/simplesamlphp-module-negotiateserver)

Negotiate Server
================


This SimpleSAMLphp module allows users to authenticate via Apache/IIS integrated "HTTP Negotiate" support. It is roughly based on the original ["negotiate" module](https://github.com/simplesamlphp/simplesamlphp/blob/master/modules/negotiate/docs/negotiate.md) without the **php\_krb5** dependency. All authentication (Kerberos/NTLM) processing is done by the web server.

`negotiateserver:Negotiate`: Authenticates users via Apache/IIS integrated "HTTP Negotiate" authentication

`negotiateserver:Negotiate`
---------------------------


The primary goal of this extension is to use your Kerberos session to automatically retrieve a corresponding SAML session. A common use case is a network of domain-joined workstations that should log in seamlessly to web services that use SAML for authentication. A domain user logged into a workstation would not be prompted for credentials when accessing these web services.

Basic requirements for the server hosting SimpleSAMLphp:

- Apache 2.4 with **mod\_auth\_kerb** or IIS 7.0+ (web server should be joined into a domain)
- SimpleSAMLphp 1.14.x or newer

**Note:** This module has been tested in an environment with Microsoft Active Directory and IIS 8.5 running on Windows Server 2012 R2 and Apache 2.4 on CentOS 7. There can be some issues with different combinations and/or server versions, but everything should also work on Windows Server from 2008 onwards and Linux distributions with at least Apache 2.2.

### Installation


This module can be installed via composer:

```
composer require klemenb/simplesamlphp-module-negotiateserver:dev-master

```

Since we depend on the web server's handling of "HTTP Negotiate" authentication, you have to either manually add a configuration file to your SimpleSAMLphp's **www** folder or edit your virtual host definition.

### Apache configuration


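Add the following **`<Location>`** directive to your **VirtualHost** definition:

```
# [NEGOTIATE_LOCATION_PATH] is a placeholder: the path argument of
# <Location> is not given on this page.
<Location "[NEGOTIATE_LOCATION_PATH]">
    AuthName "[MY_ORGANIZATION_NAME] Authentication"
    AuthType Kerberos
    Krb5Keytab /etc/httpd/conf/HTTP.idp.keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    require valid-user
</Location>
```

Make sure to update the path to your Kerberos keytab file. With `KrbMethodK5Passwd On`, mod\_auth\_kerb also accepts a username and password over HTTP Basic authentication when the browser does not send a Kerberos ticket, so this location should only be reachable over HTTPS.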

An example of a complete **VirtualHost** definition where SimpleSAMLphp is installed in **/var/www/idp.example.com** is below:

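```
# [LISTEN_ADDRESS], [DIRECTORY_PATH] and [NEGOTIATE_LOCATION_PATH] are
# placeholders: the container arguments are not given on this page.
<VirtualHost [LISTEN_ADDRESS]>
  DocumentRoot /var/www/idp.example.com/www
  ServerName idp.example.com

  <Directory "[DIRECTORY_PATH]">
    AllowOverride None
    Require all granted
  </Directory>

  <Location "[NEGOTIATE_LOCATION_PATH]">
    AuthName "[MY_ORGANIZATION_NAME] Authentication"
    AuthType Kerberos
    Krb5Keytab /etc/httpd/conf/HTTP.idp.keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    require valid-user
  </Location>
</VirtualHost>
```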

### IIS configuration


Create a **web.config** file inside the **www** directory of your SimpleSAMLphp installation (e.g. /var/www/idp.example.com/www) with the content below:

```

```

### Module configuration


All **negotiateserver** module configuration is handled in **authsources.php**. Add the entry below to your **$config** array inside **config/authsources.php**:

```
'negotiateserver' => array(
    'negotiateserver:Negotiate',

    // Entry in authsources.php that this module will
    // fall back to in case of an error
    'auth_fallback' => 'ldap',

    // Connection parameters for your Active Directory or LDAP
    // from which user attributes will be retrieved after a successful
    // user authentication
    'ldap.hostname' => '127.0.0.1',
    'ldap.base' => ['OU=Users,OU=Example,DC=example,DC=local'],
    'ldap.admin_user' => 'admin@example.local',
    'ldap.admin_password' => 'password123',
    'ldap.identifier' => 'sAMAccountName',

    // The list of attributes to retrieve from Active Directory or LDAP
    // (leave empty to retrieve all available attributes)
    'attributes' => ['userPrincipalName', 'displayName', 'givenName', 'sn'],

    // Use this module only on the subnets defined below
    // (leave empty to enable it for all requests)
    'subnets' => [
        '10.0.0.0/16',
    ],

    // Use this module only on allowed subnets (or all requests)
    // except for the ones defined below
    'subnets_exclude' => [
        '10.0.5.0/24'
    ]
),
```
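
The `subnets` and `subnets_exclude` options above describe an allow list with exceptions. The following added example (not the module's own code) shows one way such a decision can be evaluated for a client address; the function names `ipInCidr()` and `negotiateAllowed()` are hypothetical, and it assumes IPv4 addresses and PHP 7.1 or newer.

```php
<?php
// Added illustration (PHP 7.1+, IPv4 only); not the module's own code.
// ipInCidr() and negotiateAllowed() are hypothetical names.

function ipInCidr(string $ip, string $cidr): bool
{
    // A bare address without "/bits" is treated as a /32 host entry.
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false
        || !ctype_digit($bits) || (int) $bits > 32) {
        return false; // malformed address or prefix never matches
    }
    // Network mask with the top $bits bits set; /0 yields an all-zero mask.
    $mask = (int) $bits === 0 ? 0 : -1 << (32 - (int) $bits);
    return ($ipLong & $mask) === ($netLong & $mask);
}

function negotiateAllowed(string $clientIp, array $config): bool
{
    // Exclusions are checked first so they override any allowed subnet.
    foreach ($config['subnets_exclude'] ?? [] as $cidr) {
        if (ipInCidr($clientIp, $cidr)) {
            return false;
        }
    }
    $allow = $config['subnets'] ?? [];
    if ($allow === []) {
        return true; // empty allow list: enabled for all requests
    }
    foreach ($allow as $cidr) {
        if (ipInCidr($clientIp, $cidr)) {
            return true;
        }
    }
    return false;
}

// Constructed sample: the subnet values from the configuration above.
$config = [
    'subnets'         => ['10.0.0.0/16'],
    'subnets_exclude' => ['10.0.5.0/24'],
];
foreach (['10.0.1.20', '10.0.5.7', '192.168.1.4'] as $ip) {
    printf("%-12s %s\n", $ip, negotiateAllowed($ip, $config) ? 'use negotiate' : 'skip negotiate');
}
```

When a check like this is driven by `$_SERVER['REMOTE_ADDR']`, it sees the address of the direct peer. A header such as `X-Forwarded-For` can be set by the client and should only be used when your own reverse proxy overwrites it.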

### Browser configuration


#### Internet Explorer


Internet Explorer uses security zones to distinguish between different types of web sites. To enable Integrated Windows Authentication for your site, you should add it to the **Trusted sites** security zone.

Navigate to the **Security** tab under **Internet Options**, select **Trusted sites** and click the **Sites** button to open the list.

[![Internet Explorer "Security" tab](img/ie_tab_security.png)](img/ie_tab_security.png)

Add the URL of your identity provider to the list and close the window.

[![Internet Explorer "Trusted sites"](img/ie_tab_trusted_sites.png)](img/ie_tab_trusted_sites.png)

#### Google Chrome


Google Chrome will follow Internet Explorer's settings described above.

#### Mozilla Firefox


To enable HTTP Negotiate authentication in Firefox, navigate to the URL **about:config** and promise to be careful while changing these advanced settings.

[![Firefox "about:config" promise](img/ff_config_warning.png)](img/ff_config_warning.png)

Search for a preference named **network.negotiate-auth.trusted-uris** and add your identity provider to the list.

[![Firefox "about:config" promise](img/ff_config_trusted_uris.png)](img/ff_config_trusted_uris.png)

