diff --git a/flake.nix b/flake.nix
index 5fecdef..0e38e50 100644
--- a/flake.nix
+++ b/flake.nix
@@ -131,6 +131,8 @@ inherit (pkgs.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration; autoreconfHook = pkgs.buildPackages.autoreconfHook269; };
+
+ simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
 } // nixlib.genAttrs allMachines (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel); };
diff --git a/packages/simplesamlphp/default.nix b/packages/simplesamlphp/default.nix
new file mode 100644
index 0000000..9cef217
--- /dev/null
+++ b/packages/simplesamlphp/default.nix
@@ -0,0 +1,36 @@
+{ php
+, writeText
+, fetchFromGitHub
+, configFile ? "config/config.php.dist"
+, authsourcesFile ? "config/authsources.php.dist"
+, saml20-idp-remoteFile ? writeText "saml20-idp-remote.php" ""
+}:
+
+php.buildComposerProject rec {
+ pname = "simplesamlphp";
+ version = "2.2.1";
+
+ src = fetchFromGitHub {
+ owner = "simplesamlphp";
+ repo = "simplesamlphp";
+ rev = "v${version}";
+ hash = "sha256-jo7xma60M4VZgeDgyFumvJp1Sm+RP4XaugDkttQVB+k=";
+ };
+
+ composerStrictValidation = false;
+
+ vendorHash = "sha256-n6lJ/Fb6xI124PkKJMbJBDiuISlukWQcHl043uHoBb4=";
+
+ # TODO: metadata could be fetched automagically with these:
+ # - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
+ # - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
+ postPatch = ''
+ install -Dm444 "${configFile}" "config/config.php"
+ install -Dm444 "${authsourcesFile}" "config/authsources.php"
+ install -Dm444 "${saml20-idp-remoteFile}" "metadata/saml20-idp-remote.php"
+ '';
+
+ postInstall = ''
+ ln -sr $out/share/php/simplesamlphp/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/simplesamlphp/public/assets/base
+ '';
+}
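Review bot: The files passed as `configFile` and `authsourcesFile` are installed by `postPatch` into the package tree, so they end up in the world-readable Nix store and in any binary cache the closure is pushed to. An override that carries real values for SimpleSAMLphp's `secretsalt`, `auth.adminpassword` or authsource credentials would therefore be readable by every local user. I would document this on the arguments in packages/simplesamlphp/default.nix, e.g. `# NOTE: these files are copied into /nix/store (world-readable); keep secrets out of them and load them at runtime from a path outside the store`. The defaults are the upstream `.dist` templates, which appear to ship placeholder salt and admin password values, so it is worth stating that the default build is not meant to be deployed as is. Two smaller documentation points: `composerStrictValidation = false;` should get a one-line comment saying why validation is turned off, and the TODO about fetching IdP metadata automatically should note that fetched metadata needs to be hash-pinned or signature-verified, since it carries the signing certificate the SP will trust.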