SAML Single Sign-On into Joomla using ADFS

miniOrange Joomla SAML SP SSO plugin helps you to integrate your Joomla site to ADFS using SAML 2.0 protocol. Our user-friendly plugin simplifies the process of setting up Single Sign-on (SSO) with ADFS (Active Directory Federation Services) in Joomla, ensuring a secure login experience. This enables users to access various Joomla sites effortlessly using their ADFS IDP credentials.

Our plugin is designed to be compatible with Joomla 3, 4 as well as 5 and works seamlessly with all SAML 2.0 compliant Identity Providers. For a detailed overview of the comprehensive features offered by the Joomla SAML SP plugin, please visit our page here. Below, we provide a step-by-step guide on configuring SAML SSO login between your Joomla site and ADFS, with ADFS serving as the Identity Provider (IDP) and Joomla as the Service Provider (SP).

Pre-requisites: Download And Installation

Download

Setup Video

Handbook

Free Trial

Steps to Integrate ADFS Single Sign-On (SSO) with Joomla SAML SP

1. Setup Joomla SAML SP plugin

• Download the zip file for the miniOrange SAML SP plugin for Joomla.
• Login into your Joomla site’s Administrator console.
• From left toggle menu, click on System, then under Install section click on Extensions.
• Now click on Or Browse for file button to locate and install the plugin file downloaded earlier.

• Installation of plugin is successful. Now click on Get Started!

• Go to the Service Provider Metadata tab and scroll down to copy the SP-EntityID and the ACS URL.

2. Configure ADFS (Active Directory Federation Services) as IdP

• On ADFS, search for ADFS Management application.

• After opening the AD FS Management, select Relying Party Trust & then click on Add Relying Party Trust.

• Click the Start button from the Relying Party Trust Wizard pop up. But before that please make sure Claims aware is selected.

• Select the options for adding a relying party trust.
 Using Metadata URL
• In Select Data Source: Import data about the relying party published online or on the local network option & then add URL in Federation metadata address (Navigate to Service Provider Metadata tab from the plugin for getting SP Meatadata URL).

• If you have metadata URL then you can skip below steps of Import mentadata file and enter data manually, then start configuring from this step.

 Using Metadata XML file

• In Select Data Source: Import data about the relying party from a file option & then browse the metadata file(You can download the SP metadata file from the plugin under the Service Provider Metadata tab).


 Using Manual configuration

• In Select Data Source: Enter Data about the relying party manually & Click on Next.

• Enter Display Name & Click Next.
• Upload the certificate & click Next. Download the certificate from plugin & use the same certificate to upload on ADFS.
• Select Enable support for the SAML 2.0 WebSSO protocol & Enter ACS URL from the plugins Service Provider Metadata Tab. Click Next.

• Add Entity ID from plugins Service Provider Metadata Tab as Relying party trust identifier then click Add button & then click Next.

• Also download the Signing certificate from Service Provider Metadata Tab from the plugin.
• Select Permit everyone as an Access Control Policy & click on Next.

• Click the Next button from Ready to Add Trust & click Close.
• It will show you the list of Relying Party Trusts. Select the respective application & click on Edit Claim Issuance Policy.

• Click on Add Rule button.

• Select Send LDAP Attributes as Claims & click on Next.

• Enter the following details & click on Finish.

Claim rule name: Attributes

Attribute Store: Active Directory

LDAP Attribute: E-Mail-Addresses

Outgoing Claim Type: Name ID


• Click Apply and then Ok.
• Select property of the application & add the certificate downloaded from the add-on.

• You can download your ADFS metadata, using following URL. You can use this metadata URL in the Service Provider Setup tab.
{ <https://Your-Domain/federationmetadata/2007-06/federationmetadata.xml> }

Windows SSO (optional)

 Steps to configure ADFS for Windows Authentication

• Open elevated Command Prompt on the ADFS Server and execute the following command on it:

setspn -a HTTP/##ADFS Server FQDN## ##Domain Service Account##

FQDN is Fully Qualified Domain Name (Example : adfs4.example.com)

Domain Service Account is the username of the account in AD.

Example : setspn -a HTTP/adfs.example.com username/domain

• Open AD FS Management Console and go to Authentication Policies section, edit the Global Authentication Policies. Check Windows Authentication in Intranet zone.

• Open Internet Explorer. Navigate to Security tab in Internet Options.
• Add the FQDN of AD FS to the list of sites in Local Intranet and restart the browser.
• Select Custom Level for the Security Zone. In the list of options, select Automatic Logon only in Intranet Zone.

• Open the powershell and execute following two commands to enable windows authentication in Chrome browser.

         Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome")

       Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents;

• You have configured ADFS for Windows Authentication. Now to add Relying Party for your Joomla you can follow these steps.