Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider (IdP) and a service provider (SP, sometimes called a resource server).
The flow of the current SAML standard (version 2.0) is outlined below.
Step C in the image above is optional: if the client already has a valid session on the IdP, the flow skips directly to step D.
Exchanging metadata between the SP and the IdP
Metadata is what allows an identity provider and a service provider to set up a secure exchange. The metadata for both the IdP and the SP can and should contain the keys used for signing and encrypting the messages sent between them, so that neither party can be impersonated.
The metadata also defines the bindings to be used and the endpoints through which the SP and the IdP talk to each other. The metadata itself is an XML file and is shared between the SP and the IdP to set up the “trust” between them, either by sending it by email or by making it available at a URL. Note that there is no sensitive information in these files: the keys provided are only the public part, and each side keeps its private key secret.
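As an added example (not code from the original article or from the php-saml project), the check below parses a constructed SP metadata document and flags the properties the text relies on: a public certificate for signing and one for encryption, HTTPS endpoints with SAML 2.0 bindings, and no private key material. The namespace URIs are the standard SAML metadata and XML Signature ones; the entity ID, URLs and certificate value are made up.

```python
# Added example (not the article's code): a defender-side sanity check of SAML 2.0
# SP metadata before an IdP loads it to establish trust. The metadata below is
# constructed for this example; the certificate value is a placeholder.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_text):
    """Return a list of findings; an empty list means the metadata passed."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor: this is not SP metadata"]
    findings = []
    # A KeyDescriptor without a 'use' attribute serves both signing and
    # encryption; only count descriptors that actually carry a certificate.
    uses = set()
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.find(".//ds:X509Certificate", NS) is not None:
            uses.update([kd.get("use")] if kd.get("use") else ["signing", "encryption"])
    for use in ("signing", "encryption"):
        if use not in uses:
            findings.append(f"missing {use} certificate")
    # Endpoints must be served over HTTPS and use a SAML 2.0 binding
    for ep in sp.findall("md:AssertionConsumerService", NS):
        if not ep.get("Location", "").startswith("https://"):
            findings.append(f"non-HTTPS endpoint: {ep.get('Location')}")
        if not ep.get("Binding", "").startswith("urn:oasis:names:tc:SAML:2.0:bindings:"):
            findings.append(f"unknown binding: {ep.get('Binding')}")
    # Metadata carries public keys only; private material must never appear
    if "PRIVATE KEY" in xml_text:
        findings.append("private key material found in metadata")
    return findings
```

The constructed sample deliberately omits an encryption certificate, so the check reports exactly that one finding; the same function also catches a plain-HTTP endpoint or a pasted private key.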
Proposed library on the resource server
The resource server will use OneLogin’s SAML PHP Toolkit (https://github.com/onelogin/php-saml) to handle requests and responses.