mrmaniak/seat-identity-provider
===============================

Turn SeAT into an enterprise identity provider for 3rd party services.

[Source](https://github.com/MrManiak/seat-identity-provider) | [Packagist](https://packagist.org/packages/mrmaniak/seat-identity-provider)

SeAT Identity Provider
======================

An Identity Provider plugin for [SeAT](https://github.com/eveseat/seat) that allows you to use your SeAT installation as an enterprise identity provider for third-party services. Supports both **SAML 2.0** and **OpenID Connect (OIDC)** protocols.

Features
--------

### SAML 2.0

- **SAML 2.0 SSO** - Single Sign-On using SAML 2.0 protocol
- **SAML 2.0 SLO** - Single Logout support
- **Multiple Applications** - Configure multiple Service Providers
- **Automatic Certificate Generation** - RSA 2048-bit X.509 certificates generated per application
- **Metadata Import** - Fetch and parse SP metadata from URL
- **IdP Metadata Export** - Download IdP metadata XML for SP configuration
- **Signed Assertions** - All SAML responses signed with RSA-SHA256

### OpenID Connect

- **Authorization Code Flow** - Standard OIDC authorization code grant
- **Refresh Tokens** - Long-lived sessions with refresh token support
- **Discovery Endpoint** - Auto-configuration via `/.well-known/openid-configuration`
- **JWKS Endpoint** - Public key distribution for token validation
- **UserInfo Endpoint** - Standard claims endpoint
- **Custom Scopes** - EVE Online and SeAT-specific claims
- **Key Management** - Generate and rotate signing keys via UI

Requirements
------------

- SeAT 5.x
- PHP 8.1+
- OpenSSL extension

Installation
------------

### Via Composer

```
composer require mrmaniak/seat-identity-provider
```

### Manual Installation

1. Clone or download this repository to `packages/mrmaniak/seat-identity-provider`
2. Add the following to your `composer.json`:

```
{
    "repositories": [
        {
            "type": "path",
            "url": "packages/mrmaniak/seat-identity-provider"
        }
    ]
}
```

3. Run:

```
composer require mrmaniak/seat-identity-provider
```

4. Publish and run migrations:

```
php artisan migrate
```

---

SAML 2.0
--------

### SAML Attributes

The following attributes are included in SAML assertions:

| Attribute | Description |
| --- | --- |
| `user_id` | SeAT user ID |
| `email` | Generated email in format `seatuser.{user_id}@{seat_domain}` |
| `name` | User's main character name |
| `squads` | Multi-valued attribute containing all squad names the user belongs to |
| `character_id` | EVE Online character ID of the user's main character |
| `corporation_id` | EVE Online corporation ID of the user's main character |
| `is_admin` | Whether the user is a SeAT administrator |

### Creating a SAML Application

1. Navigate to **Identity Provider > SAML Applications** in SeAT
2. Click **Create Application**
3. Fill in the application details:
    - **Application Name**: A friendly name for the application
    - **Entity ID**: The SP's unique identifier (from SP metadata)
    - **ACS URL**: Assertion Consumer Service URL (from SP metadata)
    - **SLO URL**: Single Logout URL (optional)
    - **Name ID Format**: Choose the appropriate format for the SP
    - **SP Certificate**: The SP's X.509 certificate for signature verification (optional)

Alternatively, enter the SP's **Metadata URL** and click **Fetch** to auto-populate fields.

### Configuring the Service Provider

1. From the application edit page, click **Download IdP Metadata**
2. Import the metadata XML into your Service Provider
3. Or manually configure using:
    - **IdP Entity ID**: `https://your-seat-url/saml/idp`
    - **SSO URL**: `https://your-seat-url/saml/{application_id}/sso`
    - **SLO URL**: `https://your-seat-url/saml/{application_id}/slo`
    - **Certificate**: Download from IdP metadata

### SAML Endpoints

| Endpoint | Method | Description |
| --- | --- | --- |
| `/saml/{application}/sso` | GET, POST | Single Sign-On endpoint |
| `/saml/{application}/slo` | GET, POST | Single Logout endpoint |
| `/seat-identity-provider/saml/applications/{application}/metadata` | GET | IdP metadata download |

---

OpenID Connect
--------------

### OIDC Scopes and Claims

#### Standard Scopes

| Scope | Claims |
| --- | --- |
| `openid` | `sub` (required) |
| `profile` | `name`, `preferred_username`, `updated_at` |
| `email` | `email`, `email_verified` |

#### Custom SeAT/EVE Scopes

| Scope | Claims | Description |
| --- | --- | --- |
| `seat:user` | `is_admin` | SeAT administrator status |
| `seat:character` | `character_id`, `character_name` | EVE main character info |
| `seat:corporation` | `corporation_id`, `alliance_id` | EVE corporation/alliance info |
| `seat:squads` | `squads` | Array of SeAT squad names |

### Creating an OIDC Application

1. Navigate to **Identity Provider > OIDC Applications** in SeAT
2. Click **Create Application**
3. Fill in the application details:
    - **Application Name**: A friendly name for the application
    - **Description**: Optional description
    - **Redirect URIs**: One or more authorized callback URLs (one per line)
    - **Allowed Scopes**: Select which scopes this application can request
4. Save the application and **copy the Client Secret** - it will only be shown once

### Configuring the OIDC Client

Use the discovery endpoint for auto-configuration:

```
https://your-seat-url/.well-known/openid-configuration
```

Or manually configure using:

| Setting | Value |
| --- | --- |
| **Issuer** | `https://your-seat-url` |
| **Authorization Endpoint** | `https://your-seat-url/oauth2/authorize` |
| **Token Endpoint** | `https://your-seat-url/oauth2/token` |
| **UserInfo Endpoint** | `https://your-seat-url/oidc/userinfo` |
| **JWKS URI** | `https://your-seat-url/oidc/jwks` |

### OIDC Endpoints

| Endpoint | Method | Description |
| --- | --- | --- |
| `/.well-known/openid-configuration` | GET | Discovery document |
| `/oauth2/authorize` | GET | Authorization endpoint |
| `/oauth2/token` | POST | Token endpoint |
| `/oidc/userinfo` | GET | UserInfo endpoint (requires Bearer token) |
| `/oidc/jwks` | GET | JSON Web Key Set |

### Key Management

OIDC tokens are signed with RSA keys using RS256 (RSA-SHA256). To manage signing keys:

1. Navigate to **Identity Provider > OIDC Keys**
2. View all keypairs with their status (active/inactive)
3. **Generate New Key** - Creates an inactive keypair
4. **Activate** - Make a keypair the active signing key
5. **Delete** - Remove inactive keypairs

**Note**: Rotating keys will invalidate tokens signed with the previous key. Clients should fetch the JWKS periodically to handle key rotation.
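
The client-side rotation handling this note describes, as an added Python example using only the standard library (it is not code from this plugin). It assumes that JWKS entries and ID token headers carry a `kid`, which this page does not state; `JwksCache`, `fetch_jwks`, `rs256_verify` and `verify_signature` are hypothetical names.

```python
import base64, hashlib, hmac, json, time

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(text):
    """Decode the unpadded base64url used in JWTs and JWKs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def rs256_verify(jwk, signing_input, signature):
    """RSASSA-PKCS1-v1_5 with SHA-256: rebuild the expected padded block and compare."""
    n = int.from_bytes(b64u(jwk["n"]), "big")
    e = int.from_bytes(b64u(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    digest_info = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    s = int.from_bytes(signature, "big")
    if len(signature) != k or k < len(digest_info) + 11 or s >= n:
        return False
    expected = b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), expected)

class JwksCache:
    """Keys indexed by kid; an unknown kid triggers a refetch, rate-limited by min_interval."""
    def __init__(self, fetch_jwks, min_interval=60.0):
        self.fetch_jwks = fetch_jwks      # hypothetical callable returning the parsed JWKS
        self.min_interval = min_interval  # seconds between refetches, so bogus kids cannot force a fetch storm
        self.keys, self.last_fetch = {}, None
    def key_for(self, kid):
        now = time.monotonic()
        due = self.last_fetch is None or now - self.last_fetch >= self.min_interval
        if kid not in self.keys and due:
            fresh = self.fetch_jwks()["keys"]
            self.keys = {k.get("kid"): k for k in fresh if k.get("kty") == "RSA"}
            self.last_fetch = now
        return self.keys.get(kid)

def verify_signature(token, cache):
    """Return the claims if the RS256 signature verifies, else raise ValueError; iss, aud and exp are left to the caller."""
    head, body, sig = token.split(".")
    header = json.loads(b64u(head))
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("only RS256 is accepted")  # never trust the token's own alg choice
    jwk = cache.key_for(header.get("kid"))
    if jwk is None:
        raise ValueError("no published key for this kid")
    if not rs256_verify(jwk, f"{head}.{body}".encode(), b64u(sig)):
        raise ValueError("signature mismatch")
    return json.loads(b64u(body))
```

A deployed client would normally hand the signature check to a maintained JOSE library; the cache-by-`kid` and refetch-on-miss logic stays the same.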

---

Permissions
-----------

| Permission | Description |
| --- | --- |
| `seat-identity-provider.view` | View applications and keys |
| `seat-identity-provider.security` | Create, edit, delete applications and manage keys |

Security Considerations
-----------------------

### SAML

- All SAML assertions are signed using RSA-SHA256
- Each SAML application has its own unique X.509 certificate
- SP metadata fetch includes SSRF mitigations:
    - HTTPS-only URLs
    - Private IP range blocking
    - 3-second timeout
- Optional signature verification for incoming AuthnRequests
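
An added example, not the plugin's own code: one way to apply the three metadata-fetch mitigations listed above, written in Python with the standard library. `check_metadata_url`, `is_public_address`, `system_resolver` and the injectable `resolver` parameter are hypothetical names; beyond the list, it also unwraps IPv4-mapped IPv6 addresses and returns the resolved IP so the fetch can be pinned to it.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

FETCH_TIMEOUT_SECONDS = 3  # the timeout the list above gives for metadata fetches

def is_public_address(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap ::ffff:a.b.c.d so IPv4 rules also cover IPv4-mapped IPv6 addresses.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def system_resolver(host, port):
    """Every address the host name currently resolves to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_metadata_url(url, resolver=system_resolver):
    """Return (host, port, pinned_ip) for an allowed URL; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("metadata URL must use https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in the URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("metadata URL has no host")
    port = parts.port or 443
    try:
        addresses = [str(ipaddress.ip_address(host))]  # IP literal: no lookup needed
    except ValueError:
        addresses = list(resolver(host, port))
    if not addresses:
        raise ValueError(f"{host} did not resolve")
    # Reject if ANY answer is internal: a mixed answer set is a rebinding pattern.
    blocked = [a for a in addresses if not is_public_address(a)]
    if blocked:
        raise ValueError(f"{host} resolves to non-public address {blocked[0]}")
    # The caller connects to pinned_ip (TLS name = host) with FETCH_TIMEOUT_SECONDS
    # and re-runs this check on every redirect, so a second lookup cannot differ.
    return host, port, addresses[0]
```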

### OIDC

- All ID tokens are signed with RS256 (RSA-SHA256)
- Access tokens are validated on each request
- Tokens are revoked when a user is deleted or deactivated
- Client secrets are hashed (bcrypt) in the database
- Supports `client_secret_basic` and `client_secret_post` authentication

License
-------

This project is licensed under the GPL-3.0-or-later license.

Maintainer: Ariel Gadbois-Roy ([@MrManiak](https://github.com/MrManiak))

