Follow the step-by-step guide below to integrate your PHP app with a SAML IdP through miniOrange, which brokers the SAML login and hands your app a JWT.
Step 1: Set up an Identity Source in miniOrange
- Log in to the miniOrange Admin Console as a customer, go to the Identity Sources tab in the menu, click Add Identity Source, and make sure the SAML tab is selected.
- Enter the following:

| Field | Value |
|---|---|
| IDP Name | <Your IDP Display Name> |
| IDP Identifier | <Your IDP App Name> |
| IdP Entity ID | https://<YOUR_SAML_IDP_DOMAIN> (the entityID from your IdP's metadata) |
| SAML SSO Login URL | https://<YOUR_SAML_IDP_DOMAIN> (the SingleSignOnService URL from your IdP's metadata) |
| X.509 Certificate | The SAML IdP signing certificate; miniOrange uses it to verify the signature on the SAML response |
| Override Return URL | Yes |
| Return URL | Leave blank |
- Click on Save

Step 2: Configure miniOrange as relying party in your SAML IDP
- In your IdP, register miniOrange as a relying party (service provider). Enter the following as the Relying Party URL (the Assertion Consumer Service URL that receives the SAML response): https://login.xecurify.com/moas/broker/login/saml/acs/{YOUR_CUSTOMER_KEY}
- Enter the following as the Relying Party trust identifier (SP Entity ID): https://login.xecurify.com/moas/
- Replace {YOUR_CUSTOMER_KEY} with your miniOrange customer key, and make sure the IdP signs its SAML responses with the certificate you entered in Step 1.
Step 3: Creating an external app in miniOrange
- Log in to the miniOrange Admin Console and go to Apps > Manage Apps.
- Click the Add Applications button in the upper right corner.
- Choose JWT as the application type, select External App, and click Create App.
- Enter the Custom Application Name and Description. Enter the Redirect-URL: the URL at which callback.php will be served, shown on this page as http://<file-path>/callback.php. Use an HTTPS URL for anything beyond local testing, since the JWT is delivered in the query string of this redirect.
For details regarding the callback.php file refer to Step 4.

- Click Save.
- Select the Certificate option from the dropdown against the application you just added and download it. Its content is the public key you will use to verify the JWT signature in Step 4.
- Select Edit from the dropdown against the app you just created and save/note down the App Secret. This is required for generating the Encrypted Token.

Step 4: Adding the response page
- Create a new file named callback.php with the code below. This file is the Redirect-URL endpoint from Step 3: miniOrange redirects the user's browser to it with the JWT after the SAML login, and it is responsible for verifying the token before logging the user in.
callback.php
<?php
// callback.php is the Redirect-URL registered in Step 3. miniOrange redirects the browser here
// with the JWT in the id_token query parameter. The signature is verified against the application
// certificate downloaded in Step 3, stored next to this file as miniorange.crt (assumed file name).
// Assumption: the token is RS256-signed; confirm against the "alg" in your token header.
function base64url_decode($data) {
    $data .= str_repeat('=', (4 - strlen($data) % 4) % 4);   // restore padding stripped by base64url
    return base64_decode(strtr($data, '-_', '+/'), true);    // JWT uses base64url, not plain base64
}

if (!isset($_GET['id_token'])) {
    exit('No token received.');
}
$id_array = explode('.', $_GET['id_token']);
if (count($id_array) !== 3) {
    exit('Malformed token.');
}
list($id_header, $id_payload, $id_sig) = $id_array;
$header = json_decode((string) base64url_decode($id_header), true);
$signature = base64url_decode($id_sig);
$public_key = openssl_pkey_get_public((string) file_get_contents(__DIR__ . '/miniorange.crt'));
// Pin the algorithm and check the signature before trusting a single claim.
if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256' || $signature === false || $public_key === false
    || openssl_verify($id_header . '.' . $id_payload, $signature, $public_key, OPENSSL_ALGO_SHA256) !== 1) {
    exit('Invalid token signature.');
}
$user_attributes = json_decode((string) base64url_decode($id_payload), true);
if (!is_array($user_attributes) || !isset($user_attributes['NameID'], $user_attributes['exp'])) {
    exit('Token is missing NameID or exp.');
}
if ((int) $user_attributes['exp'] <= time()) {
    exit('Response expired. Try login again.');
}
$username = $email = $user_attributes['NameID'];
echo htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
// Login user with email $email or $username
exit;
- To start a login, send the user to the application's Single Sign On URL; miniOrange generates the SAML authentication request to your IdP. After the IdP authenticates the user, miniOrange redirects the browser to callback.php with the JWT.

- Receiving and verifying the JWT token
The JWT is delivered in the query-string parameter id_token. In PHP that is $_GET['id_token']; in Java, for example:
String jwtToken = request.getParameter("id_token");
Because the token travels in the URL, it will show up in web-server access logs, proxy logs and browser history; keep its lifetime short (the exp claim) and avoid logging full request URLs on this endpoint.
Verify the token before using any claim from it: check that the signature is valid under the certificate you downloaded from miniOrange in Step 3, that the algorithm in the header is the one you expect, and that exp has not passed. Decoding the payload alone proves nothing, since anyone can produce a well-formed but unsigned token. Open-source JWT libraries for most languages are listed at http://jwt.io/
For Java, the jose4j library (https://bitbucket.org/b_c/jose4j/wiki/Home) can be used; its JWT examples page shows how to verify a received token:
https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples
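The checks described above can be exercised without a live miniOrange tenant. The script below is an added example written for this page, not miniOrange code: it generates a throwaway RSA key pair (standing in for the Step 3 application certificate), mints its own tokens with a small RS256 signer, and runs each through a validate_jwt() function that applies the same order of checks as callback.php (algorithm pinned, signature first, then claims). The claim name NameID follows the page; RS256 as the expected algorithm, the 30-second leeway, and all function and variable names are assumptions. It goes beyond the callback by showing the negative cases (alg set to none, expired, missing exp, payload swapped under an old signature) that a correct verifier must reject.

```php
<?php
// Offline self-test for JWT validation. Requires the openssl extension.
// Assumption: tokens are RS256-signed and carry NameID and exp, as on this page.

function b64url_encode(string $bytes): string {
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function b64url_decode(string $text) {
    $text .= str_repeat('=', (4 - strlen($text) % 4) % 4);   // restore stripped padding
    return base64_decode(strtr($text, '-_', '+/'), true);    // strict: reject foreign characters
}

// Sign a payload the way an RS256 issuer would. Only used here to build test tokens;
// for any other "alg" the signature is left empty, which is what an alg=none token looks like.
function mint_jwt(array $header, array $payload, $private_key): string {
    $signing_input = b64url_encode(json_encode($header)) . '.' . b64url_encode(json_encode($payload));
    $signature = '';
    if (($header['alg'] ?? '') === 'RS256') {
        openssl_sign($signing_input, $signature, $private_key, OPENSSL_ALGO_SHA256);
    }
    return $signing_input . '.' . b64url_encode($signature);
}

// Returns the verified claims, or a string describing why the token was rejected.
// The algorithm is pinned so an attacker-chosen "alg" cannot change how verification
// happens, and the signature is checked before any claim is read.
function validate_jwt(string $token, string $public_pem, int $now, int $leeway = 30) {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return 'malformed: expected header.payload.signature';
    }
    list($h, $p, $s) = $parts;
    $header = json_decode((string) b64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256') {
        return 'rejected: alg must be RS256';
    }
    $signature = b64url_decode($s);
    $key = openssl_pkey_get_public($public_pem);
    if ($signature === false || $key === false
        || openssl_verify("$h.$p", $signature, $key, OPENSSL_ALGO_SHA256) !== 1) {
        return 'rejected: bad signature';
    }
    $claims = json_decode((string) b64url_decode($p), true);
    if (!is_array($claims) || !isset($claims['NameID'], $claims['exp'])) {
        return 'rejected: NameID or exp missing';
    }
    if ((int) $claims['exp'] + $leeway <= $now) {
        return 'rejected: expired';
    }
    return $claims;
}

// --- constructed test tokens (throwaway key, not the miniOrange certificate) ---
$keypair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($keypair === false) {
    exit("openssl extension unavailable\n");
}
$public_pem = openssl_pkey_get_details($keypair)['key'];
$now = time();
$good = ['NameID' => 'alice@example.com', 'exp' => $now + 300];
$rs256 = ['alg' => 'RS256', 'typ' => 'JWT'];

$cases = [
    'valid'       => mint_jwt($rs256, $good, $keypair),
    'alg none'    => mint_jwt(['alg' => 'none', 'typ' => 'JWT'], $good, $keypair),
    'expired'     => mint_jwt($rs256, ['NameID' => 'alice@example.com', 'exp' => $now - 600], $keypair),
    'missing exp' => mint_jwt($rs256, ['NameID' => 'alice@example.com'], $keypair),
];
// Tampered: keep the valid token's signature but swap the payload for a different NameID.
$parts = explode('.', $cases['valid']);
$parts[1] = b64url_encode(json_encode(['NameID' => 'admin@example.com', 'exp' => $now + 300]));
$cases['tampered'] = implode('.', $parts);

foreach ($cases as $name => $token) {
    $result = validate_jwt($token, $public_pem, $now);
    printf("%-12s %s\n", $name, is_array($result) ? 'accepted as ' . $result['NameID'] : $result);
}
```

Run it with `php jwt_selftest.php` (any file name works). Only the first case should be accepted; each of the others is rejected by a different check, which is the behaviour to confirm in callback.php before the app goes live. To test against real miniOrange tokens, replace $public_pem with the contents of the certificate downloaded in Step 3.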