Lightbulb: Bringing SAML to PHP


Pat Patterson spoke on using SAML in a "Web 2.0 World." SAML provides a good mechanism for transporting identity attributes. But to use SAML on the wild Web, you've got to support dynamic languages like PHP.

Pat has a mechanism for using SAML from PHP. One way to do this is using a PHP/Java bridge that talks to an existing federation manager. This is overkill if you've got one little site you want to use federation on. Pat has a project, called Lightbulb, that puts SAML directly into PHP. No custom PHP modules required. Future parts of Lightbulb may extend this to Ruby and other languages.

There are four integration points:

  1. Give the user some way of signing on with the identity provider (IdP)
  2. Give the user a way to log off
  3. Some way of setting the local ID from the information passed back from the IdP
  4. Some way of removing that local ID when the user logs off

The code Pat shows for each of these is 3 or 4 lines of PHP. Local login still works. Very cool stuff really.