Third-party modules

SimpleSAMLphp contains an Extension API, allowing third-party modules to extend some parts of SimpleSAMLphp. Some of the most important extension points of SimpleSAMLphp include:

SimpleSAMLphp comes with a number of modules, authentication modules and processing filters that you may use, or use as a base for customizing SimpleSAMLphp to fit your specific needs. It also provides:

Apart from the modules that ship by default with SimpleSAMLphp, there’s plenty of modules that third-party developers make available for you to cover specific features. Here we provide a (non-exhaustive) list of modules available:

How to install third-party modules

SimpleSAMLphp makes use of Composer to manage dependencies and third-party modules. Those modules that have been properly configured can be easily installed with composer. Just execute the following command:

composer.phar require vendor/simplesamlphp-module-mymodule version

where vendor is the name of the vendor of the module, mymodule is the name of the module itself and version is the version of the module you want to install, for example, 1.0.

Please note that if you don’t have console access to your web server, you will need to deploy the module somewhere else and then copy the files to your server.

Attribute Authority

This module provides back-end SAML Attribute Authority functionality.

Attribute Aggregator

The Attribute Aggregator module is implemented as an Authentication Processing Filter. It can be configured in the SP’s config.php file.

It is recommended to run the Attribute Aggregator module at the SP and configure the filter to run after the federated identity, usually eduPersonPrincipalName, is resolved.

Attribute Scope Filter

This module ensures that scoped attributes (such as eduPersonPrincipalName) have the right scopes defined in the entity metadata. It removes values:

Additionally, it is also capable of handling scope attributes such as schacHomeOrganization that should be equivalent to the shibmd:Scope element in the metadata.


This module implements Auth MemCookie support for SimpleSAMLphp. This allows you to integrate SimpleSAMLphp with web applications written in languages other than PHP.


This module provides an interface to do automatic testing of authentication sources. OTP

This module provides an authentication processing filter that will interface with the OTP API to send and verify one-time passwords through text messages.

A SimpleSAMLphp module implementing a very simple user interface for managing consent.


A SimpleSAMLphp module to provide a very flexible User Interface implementing an IdP Discovery Service. See the web page for more information.


This SimpleSAMLphp authentication processing filter allows you to provide additional attributes based on entity attributes in the metadata. It is useful when entity metadata contains definitive information that you wish to convert into a SAML attribute (e.g. an entity attribute containing the value that should be used for schacHomeOrganization in remote IdP metadata).


Log statistics in the F-ticks federation log format.

The filter aims to produce as many F-ticks attributes as possible, irrespective of whether SimpleSAMLphp is acting as an Identity Provider or a SAML Service Provider.

Generate Unique ID

Generate an eduPersonUniqueId attribute from various LDAP implementations’ objectGUID.


This is a SimpleSAMLphp module that works with Information Cards technologies and provides some basic functionalities:


Kerberos 5 authentication module for SimpleSAMLphp.


This module provides a web API that you can use to search for all to lines in the logs corresponding to a specific session identifier.

Metadata aggregator

This module aggregates a set of SAML entities into SAML 2.0 metadata documents. The resulting metadata documents contain an EntitiesDescriptor element with the multiple entities configured as sources inside. Multiple aggregates can be configured at the same time.

Please note that this module has been deprecated in favour of the more recent Aggregator2 module.

Metadata aggregator 2

This is a module for metadata aggregation. It is designed to preserve most of the common metadata items, and it also attempts to preserve unknown elements. It parses and rebuilds metadata sources, so small differences between them and the generated metadata may occur.

Please note that this aggregator works only with XML metadata, and does its work independently of other parts of SimpleSAMLphp, such as the metarefresh module.


This module allows you to do very basic editing of metadata (AssertionConsumerService, SingleLogoutService, name and description, as well as manually registering metadata for service providers.


A very straightforward module for SimpleSAMLphp that displays the list of modules and their status in the web interface.


A SimpleSAMLphp module that can monitor authsources, metadata, certificate validity, etc. It can output results as HTML, XML or JSON it can be easily extended with your own test cases


A module adding support for the OAuth2 protocol.


This authentication module makes use of an external library, phpPoA, in order to authenticate users by means of the PAPI protocol. It can therefore be used to bridge between protocols, behaving like a PAPI Point of Access or as a Service Provider.


This module enables SimpleSAMLphp to perform two-factor authentication against a privacyIDEA server. Users can authenticate with normal OTP tokens, challenge-response tokens via email or text messages, or U2F devices.


This authentication module adds ReadID Ready App as auth source to SimpleSAMLphp. ReadID Ready is an app that can read the data from your passport or other identity documents. Besides collecting your personal data from the document chip it also verifies if your identity document is valid and authentic. By using this module you can use an ID-card, passport or drivers-licence to authenticate.

SAML 2.0 Debugger

This module allows you to debug SAML 2.0 messages by decoding or encoding them according to the binding they are using, supporting both the HTTP-Redirect and HTTP-POST bindings.


A module that allows registration of users accounts. The original version was developed by UNINETT and supported LDAP as a backend. This fork adds support for SQL databases as the back-end.

SQL Attributes

An authentication processing filter that allows you to provide additional attributes from a SQL datastore. It is useful in situations where your primary authentication source is a directory (e.g. AD) that you do not have direct control over, and you need to add additional attributes for specific users but cannot add them to the directory or modify the schema.

VOOT Groups

A module to fetch group memberships from an API service protected with OAuth 2.0 using the VOOT protocol and add them to the list of attributes received from the identity provider.

Extending SimpleSAMLphp

If you plan to extend SimpleSAMLphp with some functionality, we advise you to follow these recommendations:

  1. Check the existing functionalities and modules. The feature you want to implement may already exist.

  2. Try to code with the PHP PSR-2 guidelines in mind.

  3. Make sure your module is installable through composer.

  4. Let us know about your module so we can reference it in this web site, so that our users can easily find it.