This document gives instructions for installing the simpleSAMLphp framework as a SAML service provider (SP). simpleSAMLphp is an alternative to the Internet2 Shibboleth service provider software, so if you use simpleSAMLphp you do not have to install the Internet2 shibd daemon.

Install simpleSAMLphp

Download SimpleSAMLphp:


Install it in /var, then symlink it to simplesamlphp so that the Apache configuration does not depend on the version number:
ln -s /var/simplesamlphp-1.8.1 /var/simplesamlphp

Configure Apache

Apache has to know where SimpleSAMLphp is located. In ssl.conf, add the following inside the VirtualHost section (the SP is served over HTTPS only, since SAML assertions and the simpleSAMLphp session cookie pass through it):

Alias /simplesaml /var/simplesamlphp/www

Then restart Apache:

sudo /sbin/service httpd restart

Configure SP

See the "Configuring the SP" section of the following doc:


After you generate the X.509 certificate and private key, edit config/authsources.php and make the 'default-sp' section look like this (the key and certificate paths are relative to simpleSAMLphp's cert directory, cert/ by default):

// An authentication source which can authenticate against both SAML 2.0
// and Shibboleth 1.3 IdPs.
'default-sp' => array(
     // The saml module's SP authentication source.
     'saml:SP',

     // Key pair used to sign requests and decrypt assertions.
     'privatekey' => 'saml.pem',
     'certificate' => 'saml.crt',

     // The entity ID of this SP.
     // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
     'entityID' => 'https://hostname.ucsf.edu/simplesaml/module.php/saml/sp/metadata.php/default-sp',

     // The entity ID of the IdP this SP should contact.
     // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
     'idp' => 'https://d5n1.ucsf.edu/idp/shibboleth',

     // The URL to the discovery service.
     // Can be NULL/unset, in which case a builtin discovery service will be used.
     'discoURL' => NULL,
),
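The guide assumes the X.509 key pair named above already exists. The following shell script is an added example, not code from this guide or from simpleSAMLphp: it generates that pair with openssl into simpleSAMLphp's default cert directory (assumed here to be /var/simplesamlphp/cert; hostname.ucsf.edu is the example host used on this page) and then performs the checks a practitioner wants before sending metadata to ITS: that the key and certificate belong together, that the private key is not world-readable, and what the certificate body will look like inside the published metadata.

```sh
#!/bin/sh
# Added example, not code from the original guide or from simpleSAMLphp: create the
# SP key pair referenced by 'privatekey' => 'saml.pem' / 'certificate' => 'saml.crt'
# in config/authsources.php and verify it before publishing the SP metadata.
# Assumptions: openssl is installed; the cert directory is simpleSAMLphp's default
# /var/simplesamlphp/cert (set CERTDIR to test elsewhere).

CERTDIR="${CERTDIR:-/var/simplesamlphp/cert}"

# 2048-bit RSA key plus a self-signed certificate (10 years). Self-signed is the
# norm for SAML: the IdP trusts the certificate embedded in your metadata, not a
# CA chain, so rotating it later means re-sending metadata to ITS.
gen_sp_keypair() {
    host="$1"
    mkdir -p "$CERTDIR" || return 1
    # umask 077 so the private key is never world-readable, not even briefly
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3652 \
        -subj "/CN=$host" \
        -keyout "$CERTDIR/saml.pem" -out "$CERTDIR/saml.crt" 2>/dev/null) || return 1
    chmod 0600 "$CERTDIR/saml.pem" && chmod 0644 "$CERTDIR/saml.crt"
    # On the real host, also: chown apache "$CERTDIR/saml.pem" (the httpd user on
    # RHEL/CentOS) so Apache can read the key but nobody else can.
}

# The key and certificate must belong together: compare the SHA-256 of the DER
# public key extracted from each.
keypair_matches() {
    k=$(openssl pkey -in "$CERTDIR/saml.pem" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$CERTDIR/saml.crt" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Private key mode must be 0600 or 0400; anything looser is a misconfiguration.
key_perms_ok() {
    mode=$(stat -c '%a' "$CERTDIR/saml.pem" 2>/dev/null || stat -f '%Lp' "$CERTDIR/saml.pem")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Base64 body of the certificate with the PEM armour removed. This is the text
# simpleSAMLphp puts in <ds:X509Certificate> of the SP metadata, so you can diff it
# against what the metadata URL publishes before ITS downloads it.
cert_b64_body() {
    grep -v -- '-----' "$CERTDIR/saml.crt" | tr -d '\n'
}

# Usage on the SP host (as root, then chown the key to the httpd user):
#   gen_sp_keypair hostname.ucsf.edu && keypair_matches && key_perms_ok && echo "SP key pair OK"
```

Run it once on the SP host; if you later regenerate the pair, the certificate in your published metadata changes and ITS must re-import it, so treat rotation as a coordinated change rather than a routine one.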

Set Admin Password and Contact Info

In /var/simplesamlphp/config/config.php set 'auth.adminpassword' to a strong password of your choosing (it protects the admin pages, including the metadata converter used below), then set the following:

'technicalcontact_name'     => 'Your app or department name',
'technicalcontact_email'    => 'your.support.email@ucsf.edu',

Also, enable the oid2name attribute mapper in the 'authproc.sp' section, so that attributes arriving from the IdP under urn:oid:... names are renamed to their friendly names (eduPersonPrincipalName, mail, and so on). It should look like this:

'authproc.sp' => array(
        10 => array(
                'class' => 'core:AttributeMap', 'removeurnprefix'
        ),

        /* When called without parameters, it will fall back to filtering attributes "the old way"
         * by checking the 'attributes' parameter in metadata on SP hosted and IdP remote.
         */
        50 => 'core:AttributeLimit',
        // Map urn:oid:... attribute names to their friendly names.
        51 => array('class' => 'core:AttributeMap', 'oid2name'),
        // Generate the 'group' attribute populated from other variables, including eduPersonAffiliation.
        60 => array('class' => 'core:GenerateGroups', 'eduPersonAffiliation'),
        // All users will be members of 'users' and 'members'
        61 => array('class' => 'core:AttributeAdd', 'groups' => array('users', 'members')),
        // Adopts language from attribute to use in UI
        90 => 'core:LanguageAdaptor',
),


Convert MyAccess Metadata

Use the metadata converter in your installation's admin pages, /simplesaml/admin/metadata-converter.php (https://hostname.ucsf.edu/simplesaml/admin/metadata-converter.php for the example host on this page), to convert the MyAccess IdP metadata to simpleSAMLphp format.

Once parsed, you want the saml20-idp-remote output. Copy it and replace the contents of the following file with it:

/var/simplesamlphp/metadata/saml20-idp-remote.php

Don't forget to put <?php at the top! Without it PHP serves the file as plain text and the IdP metadata is never loaded.

Also, replace the SingleLogoutService array that the converter produces with a single URL string, so that logout sends the user back to your site:

'SingleLogoutService' => 'https://d5n1.ucsf.edu/idp/shib_logout.jsp?url=https://hostname.ucsf.edu',
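Before restarting Apache it is worth checking the converted file for the mistakes this section warns about. The script below is an added example, not part of the original guide or of simpleSAMLphp; it assumes the default layout under /var/simplesamlphp (override SSP_ROOT to point elsewhere) and checks three things: that saml20-idp-remote.php starts with the PHP open tag, that SingleLogoutService is a URL string rather than an array, and that the entity ID used as the array key matches the 'idp' value in authsources.php, since a mismatch there is what makes simpleSAMLphp report that it cannot find the IdP's metadata.

```sh
#!/bin/sh
# Added example, not part of the original guide or of simpleSAMLphp: sanity-check
# the converted IdP metadata before restarting Apache. Assumes the default layout
# under /var/simplesamlphp; set SSP_ROOT to check another tree.

SSP_ROOT="${SSP_ROOT:-/var/simplesamlphp}"

# First non-blank line must be the PHP open tag; otherwise PHP serves the file as
# text and the $metadata array is never defined.
has_php_header() {
    first=$(grep -m1 -v '^[[:space:]]*$' "$1" 2>/dev/null)
    case "$first" in
        '<?php'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Entity ID used as the array key: $metadata['https://...'] = array (
idp_remote_entity_id() {
    sed -n "s/^[[:space:]]*\$metadata\['\([^']*\)'\].*/\1/p" "$1" 2>/dev/null | head -n 1
}

# 'idp' => '...' inside default-sp in authsources.php
authsources_idp() {
    sed -n "s/^[[:space:]]*'idp'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" 2>/dev/null | head -n 1
}

# SingleLogoutService must be a plain URL string here, not the converter's array
slo_is_string() {
    line=$(grep -m1 "'SingleLogoutService'" "$1" 2>/dev/null)
    case "$line" in
        *"=> 'http"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks; prints one FAIL line per problem and returns non-zero if any.
check_idp_metadata() {
    remote="$SSP_ROOT/metadata/saml20-idp-remote.php"
    auth="$SSP_ROOT/config/authsources.php"
    rc=0
    has_php_header "$remote" || { echo "FAIL: $remote does not start with <?php"; rc=1; }
    slo_is_string "$remote" || { echo "FAIL: SingleLogoutService in $remote is not a URL string"; rc=1; }
    want=$(authsources_idp "$auth")
    have=$(idp_remote_entity_id "$remote")
    if [ -z "$want" ] || [ "$want" != "$have" ]; then
        echo "FAIL: authsources 'idp' ($want) does not match metadata key ($have)"
        rc=1
    fi
    return $rc
}

# Usage: check_idp_metadata && sudo /sbin/service httpd restart
```

The checks are deliberately line-oriented (sed and grep, no PHP interpreter needed) so they can run from a deployment script on the web host; they assume the file keeps the one-entry-per-line layout the converter emits.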

Configure PHP

PHP needs the mcrypt extension enabled. On a Red Hat or CentOS system, install it and restart Apache:

sudo yum -y install php-mcrypt.x86_64
sudo /sbin/service httpd restart

Integrate With MyAccess

At this point you are ready to integrate with MyAccess. Open a service ticket with ITS (http://help.ucsf.edu/, then click "Submit a ticket for ITS or School of Nursing IT") and include the following information:

A subject indicating that the request is for "MyAccess Shibboleth test or production"
The URL of your SP metadata (so that they can download it), or attach the metadata file to the ticket
The attributes you want to receive from the MyAccess IdP. If you need ones not covered by the oid2name mapping above, ask ITS for the attribute's OID and add the OID-to-name mapping to simpleSAMLphp's attributemap/oid2name.php (attribute-map.xml belongs to the Shibboleth SP, which you are not using)

To get the metadata for your simpleSAMLphp installation, visit the SP's metadata URL, which is the entityID you configured in authsources.php above (https://hostname.ucsf.edu/simplesaml/module.php/saml/sp/metadata.php/default-sp for the example host). You will have to authenticate to simpleSAMLphp with the 'auth.adminpassword' you set in config.php when installing simpleSAMLphp.