diff --git a/modules/negotiate/lib/Auth/Source/Negotiate.php b/modules/negotiate/lib/Auth/Source/Negotiate.php
index bba08d6bbd2aff1b6fee9cbb47dfbd08e29c5b63..d70e21cbbf47984341e20d91b14535b7c1aa9fd9 100644
--- a/modules/negotiate/lib/Auth/Source/Negotiate.php
+++ b/modules/negotiate/lib/Auth/Source/Negotiate.php
@@ -16,20 +16,49 @@ class Negotiate extends \SimpleSAML\Auth\Source
     // Constants used in the module
     const STAGEID = '\SimpleSAML\Module\negotiate\Auth\Source\Negotiate.StageId';
 
+    /** @var \SimpleSAML\Auth\LDAP|null */
     protected $ldap = null;
+
+    /** @var string */
     protected $backend = '';
+
+    /** @var string*/
     protected $hostname = '';
+
+    /** @var int */
     protected $port = 389;
+
+    /** @var bool */
     protected $referrals = true;
+
+    /** @var bool */
     protected $enableTLS = false;
+
+    /** @var bool */
     protected $debugLDAP = false;
+
+    /** @var int */
     protected $timeout = 30;
+
+    /** @var string */
     protected $keytab = '';
+
+    /** @var array */
     protected $base = [];
+
+    /** @var array */
     protected $attr = ['uid'];
+
+    /** @var array|null */
     protected $subnet = null;
+
+    /** @var string|null */
     protected $admin_user = null;
+
+    /** @var string|null */
     protected $admin_pw = null;
+
+    /** @var array|null */
     protected $attributes = null;
 
 
@@ -81,6 +110,7 @@ class Negotiate extends \SimpleSAML\Auth\Source
      * LDAP is used as a user metadata source.
      *
      * @param array &$state Information about the current authentication.
+     * @return void
      */
     public function authenticate(&$state)
     {
@@ -187,6 +217,10 @@ class Negotiate extends \SimpleSAML\Auth\Source
     }
 
 
+    /**
+     * @param array $spMetadata
+     * @return bool
+     */
     public function spDisabledInMetadata($spMetadata)
     {
         if (array_key_exists('negotiate:disable', $spMetadata)) {
@@ -209,7 +243,7 @@ class Negotiate extends \SimpleSAML\Auth\Source
      *
      * Will return TRUE if no subnet option is configured.
      *
-     * @return boolean
+     * @return bool
      */
     public function checkMask()
     {
@@ -235,6 +269,7 @@ class Negotiate extends \SimpleSAML\Auth\Source
      * wants to show the 401 message.
      *
      * @param array $params additional parameters to the URL in the URL in the body.
+     * @return void
      */
     protected function sendNegotiate($params)
     {
@@ -256,6 +291,7 @@ class Negotiate extends \SimpleSAML\Auth\Source
      * Passes control of the login process to a different module.
      *
      * @param array $state Information about the current authentication.
+     * @return void
      *
      * @throws \SimpleSAML\Error\Error If couldn't determine the auth source.
      * @throws \SimpleSAML\Error\Exception
@@ -290,7 +326,7 @@ class Negotiate extends \SimpleSAML\Auth\Source
      *
      * @param string $user The Kerberos user identifier.
      *
-     * @return string The DN to the user or NULL if not found.
+     * @return array|null The attributes for the user or NULL if not found.
      */
     protected function lookupUserData($user)
     {
@@ -315,6 +351,9 @@ class Negotiate extends \SimpleSAML\Auth\Source
     /**
      * Elevates the LDAP connection to allow restricted lookups if
      * so configured. Does nothing if not.
+     *
+     * @return void
+     * @throws \SimpleSAML\Error\AuthSource
      */
     protected function adminBind()
     {
@@ -339,6 +378,7 @@ class Negotiate extends \SimpleSAML\Auth\Source
      * logout call to the fallback module.
      *
      * @param array &$state Information about the current logout operation.
+     * @return void
      */
     public function logout(&$state)
     {
diff --git a/psalm.xml b/psalm.xml
index d7cb185f722a581a51df87e941ce87aaf4ff385d..32b07d6f0f2272c48c480c5de68593d846a216c0 100644
--- a/psalm.xml
+++ b/psalm.xml
@@ -27,4 +27,8 @@
         <UnusedClass errorLevel="info" />
         <PossiblyUnusedMethod errorLevel="info" />
     </issueHandlers>
+
+    <stubs>
+        <file name="tests/Utils/Stubs/krb5.php" />
+    </stubs>
 </psalm>
diff --git a/tests/Utils/Stubs/krb5.php b/tests/Utils/Stubs/krb5.php
new file mode 100644
index 0000000000000000000000000000000000000000..14e86b309e0e0ce6b3bb282b8700bba10968a9fb
--- /dev/null
+++ b/tests/Utils/Stubs/krb5.php
@@ -0,0 +1,173 @@
+<?php
+
+class KRB5NegotiateAuth
+{
+    /**
+     * @param string $keytab
+     * @param string $spn
+     */
+    public function __construct($keytab, $spn)
+    {
+    }
+
+
+    /**
+     * @return bool
+     */
+    public function doAuthentication()
+    {
+    }
+
+
+    /**
+     * @return string
+     */
+    public function getAuthenticatedUser()
+    {
+    }
+
+
+    /**
+     * @param KRB5CCache $ccache
+     * @return void
+     */
+    public function getDelegatedCredentials(KRB5CCache $ccache)
+    {
+    }
+}
+
+
+class KRB5CCache
+{
+    /**
+     *
+     */
+    public function __construct()
+    {
+    }
+
+
+    /**
+     * @return string
+     */
+    public function getName()
+    {
+    }
+
+
+    /**
+     * @param string $src
+     * @return bool
+     */
+    public function open($src)
+    {
+    }
+
+
+    /**
+     * @param string $dest
+     * @return bool
+     */
+    public function save($dest)
+    {
+    }
+
+
+    /**
+     * @param string $principal
+     * @param string $pass
+     * @param array|null $options
+     * @return bool
+     */
+    public function initPassword($principal, $pass, $options = null)
+    {
+    }
+
+
+    /**
+     * @param string $principal
+     * @param string $keytab_file
+     * @param array|null $options
+     * @return bool
+     */
+    public function initKeytab($principal, $keytab_file, $options = null)
+    {
+    }
+
+
+    /**
+     * @return string
+     */
+    public function getPrincipal()
+    {
+    }
+
+
+    /**
+     * @return string
+     */
+    public function getRealm()
+    {
+    }
+
+
+    /**
+     * @return array
+     */
+    public function getLifetime()
+    {
+    }
+
+
+    /**
+     * @return array
+     */
+    public function getEntries()
+    {
+    }
+
+
+    /**
+     * @param int $timeRemain
+     * @return bool
+     */
+    public function isValid($timeRemain = 0)
+    {
+    }
+
+
+    /**
+     * @param string|null $prefix
+     * @return array
+     */
+    public function getTktAttrs($prefix = null)
+    {
+    }
+
+
+    /**
+     * @return bool
+     */
+    public function renew()
+    {
+    }
+
+
+    /**
+     * @param string $principal
+     * @param string $oldpass
+     * @param string $newpass
+     * @return bool
+     */
+    public function changePassword($principal, $oldpass, $newpass)
+    {
+    }
+
+
+    /**
+     * @return array
+     */
+    public function getExpirationTime()
+    {
+    }
+}