Squatting Namespaces

Recently I've been involved in an integration of SPID, the SSO system used by Italian public administrations. It is an extension of SAML (an OIDC implementation was supposed to exist, until mostly political issues were raised during the deployment...), and the reference PHP implementation was built on top of the popular SimpleSAMLphp library.

But that reference implementation has not really been maintained for years, is badly organized and hard to use, and due to its dependencies it is not compatible with more recent versions of Laravel, so I had to adjust it both for compatibility and for ease of use (as the client who commissioned the work handles many different services for many different entities, and needs scalable solutions that are easy to maintain).

Migrating it from SimpleSAMLphp 1.0 to SimpleSAMLphp 2.0 was easy. In theory. In practice, the SPID specification includes a few caveats not natively handled by SimpleSAMLphp (nor by SAML itself, just enough to make this protocol unsuitable for any standard implementation), so the quickest and dirtiest solution (actually also used by the official reference implementation...) has been to "squat" a few internal PHP classes by occupying the same class names with equivalent implementations that include the few custom lines required by SPID, just to hijack a few internal behaviors and replace them with the intended ones.

This implies some ugly warnings during the Composer installation, due to the clashing namespaces, but at least it works. The "elegant" solution would have been to fork the whole SimpleSAMLphp package just to inject more or less 30 lines of code: at the end of the day, not much more convenient.
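How this kind of override takes effect, and how to check which copy of a class a process really loaded, as an added example (not code from the original post or from the SPID reference implementation). It uses plain `spl_autoload_register` rather than Composer's generated autoloader and requires PHP 8; the class name `Vendor\Lib\Signer`, the paths and the helpers `definedIn` and `loadedFrom` are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample: two files declare the same class, Vendor\Lib\Signer
// (hypothetical name). One stands in for the upstream library, the other for
// the squatting copy shipped by the integrating package.
$root = realpath(sys_get_temp_dir()) . '/squat-demo-' . getmypid();
$upstream = "$root/vendor/lib/src/Signer.php";
$override = "$root/app/overrides/Signer.php";
foreach ([$upstream => 'upstream', $override => 'override'] as $path => $label) {
    @mkdir(dirname($path), 0700, true);
    file_put_contents($path, "<?php\nnamespace Vendor\\Lib;\n"
        . "class Signer { public function origin(): string { return '$label'; } }\n");
}

// Both autoloaders claim the class. PHP calls them in registration order and
// stops once the class exists, so the second file is never included.
$loaderFor = fn (string $file) => function (string $class) use ($file): void {
    if ($class === 'Vendor\\Lib\\Signer') {
        require $file;
    }
};
spl_autoload_register($loaderFor($override)); // consulted first: wins
spl_autoload_register($loaderFor($upstream)); // never asked for this class

/** File that actually defined the class (triggers autoloading if needed). */
function definedIn(string $class): string
{
    return realpath((new ReflectionClass($class))->getFileName());
}

/** True when the class was loaded from somewhere under $expectedDir. */
function loadedFrom(string $class, string $expectedDir): bool
{
    $dir = realpath($expectedDir) . DIRECTORY_SEPARATOR;
    return str_starts_with(definedIn($class), $dir);
}

$class = 'Vendor\\Lib\\Signer';
printf("origin():   %s\n", (new $class())->origin());
printf("defined in: %s\n", definedIn($class));
printf("from vendor tree: %s\n", loadedFrom($class, "$root/vendor") ? 'yes' : 'no, shadowed');
```

A check like `loadedFrom` can run in a test suite after each upgrade of the library, because the squatted copy keeps being loaded in place of the upstream class even when upstream changes it.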

It has been interesting to exploit this "feature" of PHP. I hope I never need it again.

For the sake of sharing, I've open-sourced my own package including a few utilities for Laravel integration and also a CIE/OIDC implementation.