How to set up SAML for multiple domains?

I am learning about SAML and have already read many articles and forums, but I am still confused about setting up the IdP. I am using "https://simplesamlphp.org/".

For example, I have 3 websites, "example.com", "one.example.com" and "two.example.com"; all are on three different servers. Now I want to set up single sign-on login using SAML, so on which server do I need to set up the IdP? "example.com" is the main domain, which has all the information about users.

As I understand it, when I log in to "example.com" it sends a request to the IdP.

But I don't have any idea where I have to set up the IdP and what the IdP contains. Is it on the same server where "example.com" is hosted, or on a different server, and what logic do I have to write on that server? Is it a simple login function, or do I need to set up "simplesaml" for this and put the login logic there?

After setting up the IdP, what do I need to do on the other servers, "one.example.com" and "two.example.com"? Do I need to install "simplesaml" again on both servers and set up the SP and IdP?

In short, which server has the IdP and which has the SP? And on which server do I need to install "simplesaml"?

Thanks in advance

Gait answered 20/7, 2018 at 5:31

simpleSAMLphp is the IDP.

You don't need to write any code, just set up the config.

You will also have 3 SPs = the three websites.

They can all be on the same server, or you can have one server for the IDP and one server each for the websites. It doesn't actually matter.

The simpleSAMLphp web site shows you the changes you need to make to each of the SPs in order to communicate with the IDP.

Bernardina answered 22/7, 2018 at 19:13

The identity provider is the one who supplies info about users. You'd create one; let's call it idp.example.com.

You'd install simpleSAML there and configure it so it can read info about your users, be it in MySQL, LDAP, etc. (this is the tricky part of the IdP setup).

Now, your websites would be service providers, and if the user isn't authenticated, they'd redirect the user to idp.example.com; the user logs in, and idp.example.com returns the user to the service provider with an XML document containing assertions.

That means your SP needs to be able to consume the SAMLResponse which the IdP sends to your site.

You can consume this with simpleSAML, which you'd configure in SP mode now.

Bear in mind that SSP (simplesamlphp) isn't the only option in PHP to deal with SAML. There's also Lightsaml, a proper library. SimpleSAML isn't just a library; it's a complete solution and, quite honestly, a super SUPER terrible one at that: it's the epitome of crap code one can type out and make a system that actually works (much like WordPress).

TL;DR:

  1. Create an IdP -> idp.example.com -> configure or create the module that authenticates users against your user source (LDAP, Active Directory, relational database, etc.).
  2. Configure your 3 websites to authenticate using idp.example.com.
  3. Configure your 3 websites to be able to consume responses from idp.example.com.

It's all doable with simplesamlphp. If you want to take it further and implement or play with SAML on your own, you can use the library I linked. It'll take way, way, way longer to do it via the Lightsaml library, though, since you have to take care of single logout and single sign-on, encryption, digital signatures, endpoints, metadata, etc.

Kenwee answered 22/7, 2018 at 19:55

Gait: @n-b - That means I need to set up 4 systems: idp.example.com, example.com, one.example.com and two.example.com, with simplesamlphp installed on idp.example.com. From the other domains, I just need to send the request for verification of my user data.

Kenwee: Your IdP doesn't have to be on a subdomain; you can do something like example.com/idp/simplesaml etc., but yes, you need an IdP on a domain or subdirectory and 3 service providers.

Gait: @n-b - For the service provider, do I need to set up "simplesaml" or not?

Kenwee: You think you'll log people in magically if you don't set it up? SAML is for data exchange; the IdP sends data about people to your site using an XML document described by the SAML spec. Your site needs to read what's inside the envelope, verify the origin and log the person in. Of course you need to install simplesaml, unless you can read the SAML message and log the person in on your own.
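As an added example tying both answers above together (this is not code from either answer nor from the SimpleSAMLphp project's own documentation): the configuration an IdP at idp.example.com and an SP at one.example.com each need, written for SimpleSAMLphp 1.x, the version current when the question was asked. The hostnames, the install path /var/simplesamlphp, the key and certificate file names (idp.pem, idp.crt, sp.pem, sp.crt), the page name protected.php and the test account are all assumptions for illustration; the endpoint URLs should be copied from each installation's own metadata page rather than from here.

```php
<?php
// ===== idp.example.com : config/config.php (only the keys that matter here) =====
$config = [
    'baseurlpath'        => 'https://idp.example.com/simplesaml/',
    'enable.saml20-idp'  => true,                    // turns on the SAML 2.0 IdP role
    'secretsalt'         => 'CHANGE-ME-long-random',  // assumption: generate a real random value
    'auth.adminpassword' => 'CHANGE-ME',             // guards the admin and metadata pages
];

// ===== idp.example.com : config/authsources.php =====
// This is the "user source" the answer talks about. exampleauth:UserPass is a
// test-only module; replace it with the LDAP/SQL module once the flow works.
$config = [
    'example-userpass' => [
        'exampleauth:UserPass',
        // constructed test account: 'username:password' => attributes released to SPs
        'alice:alicepass' => ['uid' => ['alice'], 'mail' => ['alice@example.com']],
    ],
];

// ===== idp.example.com : metadata/saml20-idp-hosted.php =====
$metadata['__DYNAMIC:1__'] = [
    'host'        => '__DEFAULT__',
    'privatekey'  => 'idp.pem',          // lives in cert/; signs every SAMLResponse
    'certificate' => 'idp.crt',          // the public half; SPs pin this
    'auth'        => 'example-userpass', // which authsource above logs users in
];

// ===== idp.example.com : metadata/saml20-sp-remote.php =====
// Only SPs listed here receive assertions: one entry per website. The three
// sites differ only by hostname, so generate the entries from the list.
foreach (['example.com', 'one.example.com', 'two.example.com'] as $host) {
    $spEntityId = "https://$host/simplesaml/module.php/saml/sp/metadata.php/default-sp";
    $metadata[$spEntityId] = [
        'AssertionConsumerService' => "https://$host/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp",
        'SingleLogoutService'      => "https://$host/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp",
    ];
}

// ===== one.example.com (repeat on every website) : config/authsources.php =====
$config = [
    'default-sp' => [
        'saml:SP',
        'entityID'    => 'https://one.example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp',
        'idp'         => 'https://idp.example.com/simplesaml/saml2/idp/metadata.php', // pin a single IdP
        'privatekey'  => 'sp.pem',   // this SP's own key, used for signing requests / decrypting assertions
        'certificate' => 'sp.crt',
    ],
];

// ===== one.example.com : metadata/saml20-idp-remote.php =====
// The IdP's signing certificate is the SP's trust anchor: a SAMLResponse whose
// signature does not verify against it is rejected before any attribute is read.
$metadata['https://idp.example.com/simplesaml/saml2/idp/metadata.php'] = [
    'SingleSignOnService' => 'https://idp.example.com/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'https://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php',
    'certificate'         => 'idp.crt', // copy of the IdP's public cert, never its private key
];

// ===== one.example.com : the page being protected (protected.php) =====
require_once '/var/simplesamlphp/lib/_autoload.php';

$as = new \SimpleSAML\Auth\Simple('default-sp');
$as->requireAuth();                 // no local session -> redirect to idp.example.com and come back via the ACS
$attributes = $as->getAttributes(); // attributes from the assertion; signature, audience and validity already checked
$user = $attributes['uid'][0] ?? null;
```

The same three files go on each website with only the hostname in entityID changed, which is the "install simplesaml on the SP too" point from the comments: the library is what parses the SAMLResponse, verifies the signature against idp.crt and refuses responses addressed to a different entityID. Two checks worth doing after the first login: the IdP's saml20-sp-remote.php must list exactly the SPs you run (anything else is an SP that can obtain your users' attributes), and the SP's saml20-idp-remote.php must hold only the IdP's certificate, not a copy of its private key.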
