Open source authentication solution for smart phones and web applications

tiqr simpleSAMLphp installation howto

tiqr is available in a number of flavours. One is the base library that you can integrate into your own security solution, another is a plugin for simpleSAMLphp that allows easy tiqr integration into an existing simpleSAMLphp setup.

This post explains how to install the simpleSAMLphp plugin and how to configure it.

We are going to assume you have a working simpleSAMLphp installation. If you don’t, we’d like to refer you to the excellent documentation of simpleSAMLphp itself.

Downloading the plugin and required libraries

Download the latest version of the simpleSAMLphp plugin from the download page. There’s a package with a demo setup, but for this howto we’re focussing on the plugin itself, which is what you’ll be using to integrate tiqr into your own setup.

Also download the tiqr library from the download page, as the plugin as basically a wrapper around this library, which does all the hard work.

Install the plugin in the modules/ directory of your simpleSAMLphp setup (or symlink it if you want to keep the directory structure clean). Also do ‘touch enable’ inside the plugin directly to enable the plugin in simpleSAMLphp. In the rest of this post, we’re going to assume the plugin is in /var/www/simplesamlphp/modules/authTiqr

Install the library anywhere you like, but preferably outside your document root so it can’t be browsed directly. In the rest of this post we’ll assume it’s in /var/www/library/libTiqr – adjust accordingly if you have it installed somewhere else.

Finally you’ll need to download phpqrcode and if you plan on using step-up authentication you’ll also need c2dm (for android) and apns-php (for iphone) for the push notifications. We’re assuming /var/www/library/apns-php and /var/www/library/c2dm in this post; again, adjust accordingly.


Copy the file /var/www/simplesamlphp/modules/authTiqr/config-templates/module_tiqr.php to /var/www/simplesamlphp/config and edit the file. Here’s a description of the configuration values:

Using tiqr for general authentication

To use tiqr for general authentication in a simpleSAMLphp setup, you should configure tiqr as an authsource. To do this, you have to add it to simpleSAMLphp/config/authsources.php like this:

 'authTiqr' =>

This allows users to login using the tiqr mechanism. The default implementation has a ‘create new account’ link in the login screen which allows uses to do a simple enrollment (typically you’ll want to integrate enrollment into your business processes, but this should get you started).

Using tiqr for step-up authentication

Tiqr works great as a step-up authentication method. This means that the user logs in using a regular username/password method first, and then confirms his identity using his phone and a tiqr app. To accomplish this, tiqr supports use as a processing filter. This way you can append tiqr authentication to an existing authsource. To do this, edit config/authsources.php and hook up tiqr like this:

‘default-sp’ => array(
‘saml:SP’, ‘idp’ => ‘’, ‘authproc’ => array( 10 => array( ‘class’ => ‘authTiqr:Tiqr’, ‘uidAttribute’ => ‘urn:oid:0.9.2342.19200300.100.1.1’, ‘cnAttribute’ => ‘urn:oid:’, ), ), ), This configures a federated authsource that uses a hypothetical Identity Provider for the first login. It then attaches a processing filter to it by adding an entry to the authproc array. All it takes is defining that the class for this filter is authTiqr:Tiqr, and a definition of which attributres Tiqr should use as the display name and user id in its authentication process. (in this case urn:oid:… identifiers since our hypothetical IDP uses oids).

Using tiqr for basic authentication, but another source for enrollment

There is a third way to use Tiqr. Suppose you want to use it as the primary authentication method for a site, but you don’t want anybody to be able to create accounts. Suppose you have an alternative login through another authsource that you want users to complete before they can enroll for Tiqr. This usecase is supported.

Suppose that we want the user to login to the authsource ‘example-userpass’ first (one of the simpleSAMLphp demo authsources) before they can enroll, and effectively link the phone identity to a userpass identity. In that case, we would configure tiqr in config/authsources.php like this:

'authTiqr' => array(

This configures authTiqr as the main authsource, but it tells tiqr that for enrollment, it should use example-userpass (or any other authsource you have defined in authsources.php). Similar to the previous example we need to map the userid and display name of the other authsource to tiqr’s fields, so that tiqr knows which fields to use for the user.