My assumption is you have full control over your php app/domain, but a different team is managing the sharepoint server. Also assume you can ask the sharepoint team to create a simple webpart for your SSO functionality.

If this is the case, you can ask the sharepoint team to create a webpart which has a link to your site on it. When the user clicks the link, the request is made back to the sharepoint server, the sharepoint server takes the user’s logon name, encrypts it using your public key, and adds it to a url on your php site then sends this as a redirect back to the browser. So the location looks like this:

https://your.php.domain/sso.php?logon=encrypted_users_logon_name&api_key=some_token

Your sso.php script will verify the api_key is a valid token from your sharepoint partner, and then decrypt the logon name of the user trying to get in. You can get more fancy, and have a callback on the sharepoint site to confirm the logon request is legitimate within some time window, or bake that into the encrypted logon name, but this is a barebones way to do it, assuming you trust requests coming from the sharepoint partner.

The sharepoint .net developers will probably be able to do any encryption you want, so pick an algorithm you can use on both php and .net sides and give them the key to use for encryption, and the format of the information to encrypt. something like n=logon_name;expire=timestamp; then when you decrypt, if it is after the expire time then you deny the logon.