diff --git a/flake.nix b/flake.nix
index 733d6d4..26c6e6d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -121,6 +121,8 @@
           (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
         all-machines = pkgs.linkFarm "all-machines"
           (nixlib.getAttrs allMachines self.packages.x86_64-linux);
+
+        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
       } // nixlib.genAttrs allMachines
         (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
     };
diff --git a/packages/simplesamlphp/default.nix b/packages/simplesamlphp/default.nix
new file mode 100644
index 0000000..233f421
--- /dev/null
+++ b/packages/simplesamlphp/default.nix
@@ -0,0 +1,38 @@
+{ lib
+, php
+, writeText
+, fetchFromGitHub
+, extra_files ? { }
+
+}:
+
+php.buildComposerProject rec {
+  pname = "simplesamlphp";
+  version = "2.2.1";
+
+  src = fetchFromGitHub {
+    owner = "simplesamlphp";
+    repo = "simplesamlphp";
+    rev = "v${version}";
+    hash = "sha256-jo7xma60M4VZgeDgyFumvJp1Sm+RP4XaugDkttQVB+k=";
+  };
+
+  composerStrictValidation = false;
+
+  vendorHash = "sha256-n6lJ/Fb6xI124PkKJMbJBDiuISlukWQcHl043uHoBb4=";
+
+  # TODO: metadata could be fetched automagically with these:
+  #   - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
+  #   - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
+  postPatch = lib.pipe extra_files [
+    (lib.mapAttrsToList (target_path: source_path: ''
+      mkdir -p $(dirname "${target_path}")
+      cp -r "${source_path}" "${target_path}"
+    ''))
+    (lib.concatStringsSep "\n")
+  ];
+
+  postInstall = ''
+    ln -sr $out/share/php/simplesamlphp/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/simplesamlphp/public/assets/base
+  '';
+}