Category Archives: Web Development

Integrating SimpleSAMLphp with ADFS 2012R2

In my previous two posts, I’ve discussed two solutions for using Azure Active Directory authentication from a bespoke PHP web application.

In the first post I essentially re-wrote an article that originally was written on the Azure website which unfortunately no longer seems valid (EDIT 07/2016: Has since been completely removed!). The solution written there used SimpleSAMLphp and libraries written by Microsoft to implement WS-Federation for authenticating custom PHP applications with Azure AD. My first post clears up some issues and demonstrates a more logical method of configuring SimpleSAMLphp on IIS.

In my second post, I showed a more elegant solution that did away with the Microsoft WS-Federation libraries and used only SimpleSAMLphp and SAML2 to authenticate a custom PHP application with Azure Active Directory. I also showed how you can configure an Azure application to pass through groups claims in the token.

In this third (and hopefully final) post, I’ll combine components of the two previous posts and demonstrate how you can use SimpleSAMLphp to integrate directly with ADFS 2012R2.


  • A working ADFS 2012R2 implementation.
    Apologies but this isn’t something I’ve blogged about yet (I will, soon). For now, there are plenty of fantastic articles on setting up ADFS out there but when you do it, make sure you’re setting up ADFS 2012R2 (It’s on Windows Server 2012R2 of course). Why am I telling you to set it up on Windows Server 2012R2? Simple, Alternate Login ID.
  • Access to a Linux box with an updated version of OpenSSL.
    OK, so strictly you don’t need a Linux box – it’s just easier if you have access to one. We need to generate a certificate and key for token signing purposes and fiddling with installations of OpenSSL on Windows isn’t something I want to document. Spin one up in Azure and bin it once you’re done with it!

Continue reading Integrating SimpleSAMLphp with ADFS 2012R2

Single Sign-on to Azure AD using SimpleSAMLphp

In my last mammoth post, I posted an update/re-write to an article originally written on the Azure website that used some libraries provided by Microsoft to enable custom PHP applications to sign-on to Azure AD using WS-Federation. In that post I described a method for installing and configuring SimpleSAMLphp on IIS that enables it to be used by any number of sites on the same server; all that’s required is to add a simple Virtual Directory to each site. If you want to configure SimpleSAMLphp on IIS, check that post out.

The intention with this post is to do away with Microsoft’s libraries altogether and use only SimpleSAMLphp in a more integrated way. The purpose is to avoid having to re-write a lot of functionality already provided by SimpleSAMLphp that’s likely to be missing from Microsoft’s libraries, and of course open up access to SimpleSAMLphp’s documented API.

I will assume you have configured SimpleSAMLphp already using the method documented in the last post. In order to proceed in this post, you also need to have configured an application within Azure Active Directory. Again, you can find instructions for that included in the previous post.

The largest difference with this post is, as I mentioned, better integration with SimpleSAMLphp – as such, there’s more configuration to complete within SimpleSAMLphp than there was in the previous post.

  • We’ll import federation data from our Azure application into SimpleSAMLphp.
  • We’ll configure SimpleSAMLphp as a Service Provider.
  • We’ll create a little code to get us authenticating.

Continue reading Single Sign-on to Azure AD using SimpleSAMLphp

Single sign-on with Azure AD in PHP

So, what’s this massive post about? I recently read an article on the Azure website about using Azure AD authentication with bespoke PHP applications. While the article is quick and concise – it has a number of serious issues.

First and foremost, the end result is that the solution just doesn’t work. It obviously took the writer a good amount of time to write the code for the article (assuming he did, that is) but despite that, it has suffered from bit rot and a lot of people have tried and failed to use the article as a learning tool.

I’d still suggest using the article as reference material – everything has its value at the end of the day but if you do actually want custom PHP applications with Azure AD authentication to work, that article won’t give you a working solution. I’ve re-written the article and explained a few more of the concepts and expanded on a few decision points that are useful to the reader while doing battle with the code and its bit rot.

As per the original article’s introduction:

This tutorial will show PHP developers how to leverage Azure Active Directory to enable single sign-on for your own custom PHP applications. You will learn how to:

  • Install and configure SimpleSAMLphp on to an IIS web server.
  • Obtain and edit the necessary sample code associated with the original article.
  • Create and configure a custom Azure application inside Azure AD.
  • Protect the application (err, page) using WS-Federation.
  • Demonstrate actual authentication with Azure AD as well as federated authentication with an on-premises domain via Azure AD.

Continue reading Single sign-on with Azure AD in PHP

Browser Extension Show External IP

Show External IP

I’ve recently written a very small browser extension for both Chrome and Firefox to allow you to see your external IP address with just a single click. No need to open a new tab or ask Google.

Chrome Version

If you’re running Chrome, you can get the extension from the Chrome Web Store. I’ve added a screenshot of the Chrome version below. The intention is that a single click shows you your current external IP address. It works with proxies too so if, like me, you switch between proxies frequently and still need to know your external IP address, this is the tool for you.

Chrome Show External IP Extension

Firefox Version

If you’re running Firefox, you can get that version from the Mozilla Add-on Site (AMO). I’ll admit Firefox is, for now, my preferred browser since Chrome keeps inexplicably crashing with no reason or usable information that might allow me to resolve it, so the extension was first written for Firefox. I made a couple of changes to the logo/icon between writing the Firefox version and the Chrome version but the Firefox version will get the new icon in due course – I’m just waiting for first approval of the extension in AMO before I submit an update.

Firefox Show External IP Extension

Yes, there are plenty of other extensions out there that do the same thing but the purpose of this exercise was to both learn and give myself an extension that isn’t subject to author changes and the introduction of more “features” (or worse, adverts) that I simply don’t want or need.

I also tend to frequently swap between proxy servers I have running on my network that are attached to VPNs that offer me a number of egress points on the Internet and I’m always curious what my IP address is so a small extension that works in Firefox and Chrome for proxies and direct connections was a good learning opportunity.

There’s nothing mind-bendingly difficult in creating the extensions, but it’s not bad for knowing nothing about the Mozilla SDK High Level APIs less than 24 hours ago, and after I’d done the Firefox extension, doing it in Chrome took just a couple of hours.

If you have feedback or comments, leave them below.


Handling website maintenance in IIS

I’m the proud owner of a few websites, all of which run from an IIS 8.5 server. I also help friends and family run a few sites from the same server and some are business sites that, ideally, shouldn’t be offline for long periods of time. From time to time, that server needs a reboot for updates or some other type of maintenance. My friends and family are very understanding that, for the low-low price of free*, they occasionally suffer downtime while I patch the server and give it a bounce, so for a short while they see a website maintenance message instead of their site.

With some of the websites I help host being business sites, there’s half a chance that a search engine is crawling the site when I’m merrily going about my patching. Having a site become completely unresponsive, or worse, sending a 404 isn’t good for search rankings so it makes sense to use the best solution for dealing with search engines while still being informative for users as well.

While a site is temporarily unavailable, it is best to send an HTTP 503 Service Unavailable status code.

Continue reading Handling website maintenance in IIS

HTML5 Canvas Scaling

Recently I’ve had some time to fettle with things other than Infrastructure and Windows servers, so I’ve decided to do my company website with HTML5. It’s nothing special but as part of my tinkering, I created a new logo and I thought it’d be cool to re-create it in HTML5 Canvas so it was unique and somewhat versatile.

The process starts out as quite a difficult task. How on earth do you re-create a logo by drawing some lines? Well, to cut a long story short, I opened it up in my favourite vector drawing app (the one I used to create it) and just copied the x,y coordinates of the anchor points on to an HTML5 canvas that was the same size as the artboard the illustration was on.

First you’ll need a canvas element on your HTML5 page. Something like:

Continue reading HTML5 Canvas Scaling

Convert GET to POST with jQuery

A bit of code to convert the GET values obtained from a clicked link into a POST and send it using jQuery.

If you generate href values in your code for dynamic effects with jQuery, you need to convert the href attribute in the <a> tag to a POST. I use the above code to do just that.

Say you have the following bit of html in your page:

If a user clicks that link, the browser performs a GET request for the page with those variables in the query string. If you would like to do something a bit more sexy than a GET, say, some animation, you need jQuery to step in.

With the code at the top of this post, we can alter this GET to a POST using jQuery thus:

Here we bind a click event to the “delete_item” class, which overrides the browser’s default action of doing a GET. We then use jQuery’s $(this), that is, the <a> tag, to pull the href attribute from the link and split it where the question mark is.

The split() method creates an array and assigns it to the “postvar” variable at the start of that line.

Given the above html example, this would give us the following array within postvar:

Now we can use jQuery’s $.post() method to send the original request as a POST instead of a GET.

There, simple.

The only thing I can think of that would trip this code up is the use of a second ? within the href attribute, though why anyone would do that is a mystery since they should probably encode the question mark instead.
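The same GET-to-POST conversion as an added example (not the original post’s code): the href is split at the first question mark only, so a second ? inside a value no longer trips it, and the query string is decoded into a plain object before being handed to $.post(). The link href, the "delete_item" class and the jQuery binding are constructed for illustration; the parsing function runs without a browser.

```javascript
// Added example: turn a link's href into a URL plus a data object for $.post().
// Splits at the FIRST '?' only, so "?q=what?" keeps its second question mark.
function hrefToPost(href) {
  const q = href.indexOf("?");
  if (q === -1) return { url: href, data: {} };      // no query string: nothing to POST
  const url = href.slice(0, q);
  const data = {};
  for (const pair of href.slice(q + 1).split("&")) {
    if (!pair) continue;                             // tolerate "a=1&&b=2"
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? "" : pair.slice(eq + 1);
    // '+' means space in form encoding; percent-decode the rest
    data[decodeURIComponent(rawKey.replace(/\+/g, " "))] =
      decodeURIComponent(rawVal.replace(/\+/g, " "));
  }
  return { url, data };
}

// Constructed sample href, as a link in the page might carry it:
const SAMPLE_HREF = "delete.php?action=delete&id=42";

// Browser-only part: bind the click handler when jQuery is present (assumed
// loaded on the page). Skipped entirely when run outside a browser.
if (typeof window !== "undefined" && typeof window.jQuery === "function") {
  const $ = window.jQuery;
  $(document).on("click", "a.delete_item", function (event) {
    event.preventDefault();                          // stop the browser's default GET
    const { url, data } = hrefToPost($(this).attr("href"));
    $.post(url, data, function (response) {
      // do the animation / page update with the response here
    });
  });
}
```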

– Lewis