Lightsaml Laravel Package

aerialship/lightsaml

SAML 2.0 toolkit for Laravel/PHP to add SSO and identity federation to your apps. Provides helpers for SAML authentication flows, metadata, and certificate handling, making it easier to integrate with common IdPs and SPs.


SAML 2.0 PHP Library - new version available at

Frequently asked questions about Lightsaml
Is LightSAML compatible with Laravel 8/9/10, or do I need to fork it for PHP 8.x support?
LightSAML’s last release predates PHP 8.x, so you’ll likely encounter deprecated functions (e.g., `create_function`, `mb_*`) or strict typing issues. A fork with PHP 8.x polyfills or containerized PHP (e.g., Docker) is recommended. The package lacks Laravel-specific helpers, so manual session/route handling is required.
How do I integrate LightSAML into Laravel’s authentication system (e.g., Auth::loginUsingId) after SAML SSO?
LightSAML doesn’t natively integrate with Laravel’s auth system. You’ll need to manually handle post-SAML authentication by creating a custom Laravel guard or middleware that bridges LightSAML’s session state (e.g., RelayState, NameID) to Laravel’s `Auth::loginUsingId()`. Use Laravel’s `Auth::attempt()` or `Auth::login()` with parsed SAML attributes.
Does LightSAML support SAML 2.0 Profiles like ECP (Enhanced Client or Proxy) or Holder-of-Key for my enterprise use case?
LightSAML implements core SAML 2.0 bindings (HTTP-Redirect, HTTP-POST, SOAP) but lacks explicit documentation for advanced profiles like ECP or Holder-of-Key. Review the [LightSAML website](http://www.lightsaml.com) or source code to confirm support. For enterprise needs, consider `onelogin/php-saml` or `shibboleth/sp`, which offer broader profile coverage.
How can I handle SAML state (e.g., AuthnRequest IDs, RelayState) in Laravel’s stateless middleware or session storage?
SAML is stateful, so you’ll need to store request/response IDs (e.g., `AuthnRequestID`, `RelayState`) in Laravel’s session or database. Use `session()->put('saml_state', $id)` or a dedicated table with TTL cleanup. LightSAML provides XML serialization but leaves state management to the developer—wrap it in a Laravel Service Provider for consistency.
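The two answers above (bridging SAML sign-in to Laravel's auth, and keeping AuthnRequest IDs and RelayState in the session) can be combined in one small helper. The following is an added example, not code from LightSAML or from this page; it assumes an `App\Models\User` Eloquent model whose `email` column matches the SAML NameID, and that the SAML library has already verified the Response signature and handed over `InResponseTo` and `NameID` as plain strings. The class name `SamlStateStore` is hypothetical.

```php
<?php
// Added example, not LightSAML's or Weave Code's own code: keeps outgoing
// AuthnRequest IDs in Laravel's session with a TTL and accepts a Response only
// if its InResponseTo matches a pending, unexpired, single-use ID. Assumes the
// Response was already signature-validated and parsed by the SAML library.
namespace App\Saml;
use App\Models\User;                      // assumed Eloquent user model
use Illuminate\Support\Facades\Auth;
final class SamlStateStore
{
    private const KEY = 'saml_pending_requests';
    private const TTL = 300;              // seconds the IdP has to answer

    /** Call when an AuthnRequest is sent; RelayState is stored with the ID. */
    public static function remember(string $requestId, ?string $relayState = null): void
    {
        $pending = self::pending();
        $pending[$requestId] = ['exp' => time() + self::TTL, 'relay' => $relayState];
        session()->put(self::KEY, $pending);
    }

    /** Single-use lookup: returns the stored entry, or null if unknown/expired. */
    public static function consume(string $inResponseTo): ?array
    {
        $pending = self::pending();       // expired entries already dropped
        $entry = $pending[$inResponseTo] ?? null;
        unset($pending[$inResponseTo]);   // never accept the same ID twice
        session()->put(self::KEY, $pending);
        return $entry;
    }

    /** ACS bridge: log the SAML subject into Laravel's auth, or refuse. */
    public static function loginFromResponse(string $inResponseTo, string $nameId): bool
    {
        if (self::consume($inResponseTo) === null) {
            return false;                 // unsolicited or replayed Response: reject
        }
        $user = User::where('email', $nameId)->first(); // assumes NameID is an email
        if ($user === null) {
            return false;                 // unknown subject: no auto-provisioning here
        }
        Auth::login($user);
        return true;
    }

    /** Pending entries with expired ones removed, so the session does not grow. */
    private static function pending(): array
    {
        return array_filter(session()->get(self::KEY, []), fn ($e) => $e['exp'] > time());
    }
}
```

In the `/saml/acs` route, call `SamlStateStore::loginFromResponse()` only after the library's signature and audience checks have passed, and return a 4xx response when it returns false.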
Are there security risks using LightSAML in production, given its last release was in 2015? Does it address CVEs like CVE-2021-45044 (PHP XML vulnerabilities)?
LightSAML’s unmaintained status is a **critical risk**. It likely lacks patches for PHP XML vulnerabilities (e.g., CVE-2021-45044) or SAML-specific flaws (e.g., metadata poisoning). Mitigate by: 1) forking to backport security fixes, 2) using a reverse proxy (e.g., Nginx) to isolate SAML traffic, or 3) switching to `onelogin/php-saml`, which is actively maintained.
Can LightSAML be used as a Service Provider (SP) or Identity Provider (IdP) in Laravel? What endpoints do I need to configure?
LightSAML supports both SP and IdP roles but requires manual endpoint configuration. For SP: Implement `/saml/acs` (Assertion Consumer Service) and `/saml/ls` (Logout Service). For IdP: Handle `/saml/sso` (SSO) and `/saml/acs`. Use Laravel routes to proxy requests to LightSAML’s core classes (e.g., `SamlAuthnRequest`, `SamlResponse`).
How do I validate or manage SAML metadata (e.g., parsing SP/IdP metadata XML, checking signatures) with LightSAML?
LightSAML provides XML parsing and signature validation for metadata, but you’ll need to write custom logic to load, validate, and cache metadata (e.g., using `SimpleXMLElement` or `DOMDocument`). Store metadata in Laravel’s `config/saml.php` or a database table. For signature validation, use LightSAML’s `SamlSecurity` class with your certificate keys.
What are the performance implications of LightSAML’s XML parsing in high-traffic Laravel apps (e.g., 1000+ SAML requests/sec)?
LightSAML’s XML parsing (e.g., `SamlMessage`, `SamlAssertion`) can be CPU-intensive under load. Mitigate by: 1) offloading parsing to Laravel Queues (e.g., `dispatch(new ProcessSamlResponse($xml))`), 2) caching parsed metadata, or 3) using a micro-service architecture. Test with tools like `k6` to simulate SAML traffic before production.
Are there Laravel-specific wrappers or packages that build on LightSAML to simplify integration?
No official Laravel wrappers exist for LightSAML, but you can create one by extending it with: 1) A Laravel Service Provider to bootstrap LightSAML, 2) Middleware for SAML request/response handling, and 3) Facades for common tasks (e.g., `Saml::login()`, `Saml::logout()`). The [PHP SAML Symfony2 Bundle](https://github.com/aerialship/SamlSPBundle) (linked in the README) may serve as a reference.
What alternatives to LightSAML should I consider for Laravel SAML integration, especially if maintenance is a concern?
For actively maintained alternatives, evaluate: 1) `onelogin/php-saml` (feature-rich, Laravel-compatible via middleware), 2) `league/oauth2-saml` (modern, PSR-7 compliant), or 3) `shibboleth/sp` (enterprise-grade but complex). If you need LightSAML’s lightweight approach, fork it and modernize dependencies (e.g., replace `ext-soap` with Guzzle for HTTP bindings).