Last updated 21 June 2015. Created on 6 January 2015.
Edited by gaards, widukind, snufkin.

The SimpleSAML PHP Auth module integrates the simplesamlphp library into Drupal.

For a full description of the module, visit:


Installation instructions can be found on the module page at:


Recommended releases:

Development releases:

The 3.x branch of the module contains architectural changes from the 2.x branch.


  • Just-in-time provisioning of Drupal user accounts based on SAML attributes (configurable).
  • Automatic role assignment based on SAML attributes (configurable).
  • Dual mode - support for traditional Drupal accounts and SAML-authenticated accounts at the same time (configurable).
  • Support for multiple authentication protocols (thanks to SimpleSAMLphp)
    • OpenID (e.g., Google, Yahoo)
    • Facebook
    • OAuth (e.g., Twitter)
    • SAML 1.1, SAML 2.0
    • Shibboleth 1.3
    • A-Select
    • X509 Client Certificates
    • Radius

Enforcing SSL

In the 3.x series, the module no longer enforces SSL on the authentication page. The following snippet, added to the .htaccess file, does the same thing:

# Force redirect to HTTPS for SimpleSAMLphp Auth module's login path
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^saml_login https://%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,L]

Alternatively, this may be handled in-code by implementing hook_url_inbound_alter() in a custom module.
The following code snippet provides equivalent functionality to the mod_rewrite rule shown above:

/**
 * Implements hook_url_inbound_alter().
 */
function MYMODULE_url_inbound_alter(&$path, $original_path, $path_language) {
  if ('saml_login' === $path && !_MYMODULE_is_https_request()) {

    $options = array('absolute' => TRUE);
    if (isset($_GET['destination'])) {
      // Carry the destination over to the HTTPS URL, then unset it so that
      // drupal_goto() does not redirect to the destination instead.
      $options['query']['destination'] = $_GET['destination'];
      unset($_GET['destination']);
    }

    // Build the absolute URL of the login path and switch its scheme.
    $url = url($path, $options);
    $url = str_replace('http://', 'https://', $url);
    drupal_goto($url, array(), 301);
  }
}

/**
 * Checks whether the current request has been received over HTTPS or not.
 *
 * @return TRUE if the current request has been received over HTTPS, FALSE otherwise.
 * @link
 */
function _MYMODULE_is_https_request() {
  // TLS terminated by the web server itself.
  $is_https = isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on';

  if (!$is_https) {
    // TLS terminated by a reverse proxy that reports the original scheme.
    $reverse_proxy_proto_header = 'HTTP_X_FORWARDED_PROTO';
    $is_https = isset($_SERVER[$reverse_proxy_proto_header])
      && 'https' === strtolower($_SERVER[$reverse_proxy_proto_header]);
  }
  return $is_https;
}
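
Both the mod_rewrite rule and the PHP check above accept X-Forwarded-Proto from any client, so they are only reliable when the site is reachable exclusively through the reverse proxy. A variant that honours the header only when the direct peer is a listed proxy, as an added example that is not part of the module (the function name, its parameters and the sample addresses are assumptions):

```php
<?php
// Added example, not the module's code. example_is_https_request() and its
// parameters are hypothetical. In Drupal 7 the proxy list could be read with
// variable_get('reverse_proxy_addresses', array()).

/**
 * Returns TRUE if the request arrived over HTTPS, trusting
 * X-Forwarded-Proto only when the direct peer is a known reverse proxy.
 */
function example_is_https_request(array $server, array $trusted_proxies) {
  // TLS terminated by this web server.
  if (isset($server['HTTPS']) && strtolower($server['HTTPS']) === 'on') {
    return TRUE;
  }
  // The header is client-controlled unless a trusted proxy set it.
  $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
  if (!in_array($peer, $trusted_proxies, TRUE)) {
    return FALSE;
  }
  return isset($server['HTTP_X_FORWARDED_PROTO'])
    && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
}

// Constructed sample requests, using documentation address ranges.
$proxies = array('192.0.2.10');
$cases = array(
  'direct TLS' => array(
    'HTTPS' => 'on', 'REMOTE_ADDR' => '198.51.100.7'),
  'trusted proxy, client used https' => array(
    'REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https'),
  'trusted proxy, client used http' => array(
    'REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'http'),
  'direct HTTP, header set by client' => array(
    'REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_PROTO' => 'https'),
);
foreach ($cases as $label => $server) {
  $result = example_is_https_request($server, $proxies) ? 'https' : 'redirect';
  printf("%-36s %s\n", $label, $result);
}
```

The script runs with the PHP CLI outside Drupal; inside a module, pass `$_SERVER` and the site's configured proxy addresses.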



ashish.mahajan


Thanks for the great tutorial, this is really helpful. I am able to set up SAML login and it is working as expected. But I can see one restriction here on using attributes: we can use only 3 attributes, e.g. (Federation ID1, Federation ID2 and email). If I have to use 5 attributes (Federation ID1, Federation ID2, Federation ID3, Federation ID4 and email), how can we achieve that? Please suggest any way to fix this.