SimpleSAMLphp as a SAML proxy


Waqas Ahmed Khan

Jun 8, 2025, 6:29:44 PM
to simple...@googlegroups.com
Hi All, 

I'm trying to configure SimpleSAMLphp as a SAML proxy in the following setup:

Morpheus SP → SimpleSAMLphp Proxy (WAYF) → Multiple IdPs

The authentication flow works — users from all IdPs can successfully log in to Morpheus. However, Morpheus creates a new user on every login, even for the same person.

The problem appears to be with username mapping. Morpheus uses the SAML NameID value as the username. When I use the IdPs directly, Morpheus sees a proper email like us...@domain.edu. But when routed through the SimpleSAMLphp proxy, the NameID becomes a pseudonymous string like _57e4d31c07139e93d26e..., which causes the duplication.

I’ve tried modifying the authproc configuration to set the NameID to the mail attribute, using:

'authproc' => [
    10 => [
        'class' => 'core:NameID',
        'format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        'attribute' => 'mail',
    ],
],

But this does not solve the issue — the NameID remains a hashed or persistent identifier.

Has anyone successfully configured SimpleSAMLphp to rewrite or forward NameID as an email address in a proxy setup like this? I'd really appreciate any guidance or working examples.

Thanks!

Regards,

Mark Boyce

Jun 8, 2025, 9:43:05 PM
to simple...@googlegroups.com

Good afternoon,

You need to map the ‘attribute’ to the value coming from the IdP, for instance:

V2.x –

    'authproc' => [
        1 => [
            'class' => 'core:AttributeMap',
            'name2oid'
        ],
        2 => [
            'class' => 'saml:AttributeNameID',
            'identifyingAttribute' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
            'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
        ],
    ],

V1.19.x -

    'simplesaml.nameidattribute' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',

Note: for v1.19.x you still need the authproc filter:

    'authproc' => [
        1 => [
            'class' => 'core:AttributeMap',
            'name2oid'
        ],
    ],

You can capture the SAML Assertion coming from the IdP and map the attribute accordingly.

Thanks,

m.

Mark L. Boyce
Senior Identity Management Analyst
University of California, Office of the President
Office: 510.987.9681
Cell: 209.851.0196

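To show how the pieces in the reply above fit together on the proxy side, here is a complete remote-SP metadata entry for the SimpleSAMLphp 2.x proxy, written as an added example (it is not code from either poster and not from the SimpleSAMLphp project). It follows the same pattern as the answer, name2oid first and then saml:AttributeNameID, but derives the NameID from the mail attribute (urn:oid:0.9.2342.19200300.100.1.3) in emailAddress format, which is what the original question asked for. The entity ID, endpoint URLs and the filename are placeholders; the IdP-side attribute names being anything that name2oid can translate is an assumption.

```php
<?php
// Added example for metadata/saml20-sp-remote.php on the SimpleSAMLphp proxy
// (the IdP side of the proxy). Entity ID and endpoints are placeholders.
$metadata['https://morpheus.example.edu/saml/metadata'] = [
    'entityid' => 'https://morpheus.example.edu/saml/metadata',

    'AssertionConsumerService' => [
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://morpheus.example.edu/saml/acs',
            'index'    => 0,
        ],
    ],

    // Format advertised to the SP; the filter below produces a matching NameID.
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',

    'authproc' => [
        // 1. Normalise whatever each upstream IdP calls its attributes
        //    (mail, email, ...) to OIDs, so the later filters see one name
        //    regardless of which IdP the user came from.
        10 => [
            'class' => 'core:AttributeMap',
            'name2oid',
        ],

        // 2. Release only what the SP needs (least privilege on the proxy):
        //    mail and eduPersonPrincipalName.
        20 => [
            'class' => 'core:AttributeLimit',
            'urn:oid:0.9.2342.19200300.100.1.3',
            'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
        ],

        // 3. Build the NameID from the mail attribute instead of letting the
        //    IdP code path generate a per-session identifier, which is what
        //    produced the "_57e4..." values and the duplicate accounts.
        30 => [
            'class'                => 'saml:AttributeNameID',
            'identifyingAttribute' => 'urn:oid:0.9.2342.19200300.100.1.3',
            'Format'               => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        ],
    ],
];
```

Two things to check after deploying this: the attribute named in identifyingAttribute has to actually be present after the map step, otherwise the NameID is not set from it and the assertion goes out with a generated identifier again (the proxy log will show the filter's warning about the missing attribute), so capture one assertion from each upstream IdP and confirm the mail value survives name2oid. And because the NameID is now a stable, reusable value, make sure every IdP behind the WAYF is trusted to assert mail for its own domain only; otherwise two IdPs asserting the same address would be merged into one Morpheus account.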
