Typo3 SAML Single Sign-On (SSO) Setup Guide

Typo3 SAML Single Sign-On (SSO) can be achieved by using our Typo3 SAML SP Single Sign-On (SSO) plugin. Our SSO solution will make Typo3 SAML 2.0 compliant Service Provider establishing trust between the Typo3 site and your Identity Provider (IdP) to securely authenticate and login users to the Typo3 site. Our Typo3 Single Sign-On (SSO) solution helps to secure Typo3 sites behind the SSO login so that users are authenticated using their Identity Provider login credentials. Seamless support for advanced SSO features like Attribute / Custom Mapping, Role Mapping etc.

SAML allows information to be exchanged between Service Providers and Identity Providers; SAML is the integration of Service Providers and Identity Providers. When a user attempts to log in, your Service provider delivers SAML assertions to Identity Provider, which contain information about the user. The assertion is received by Identity Provider, which validates it against your Service Provider settings before allowing the user access to your org.

Configuration Steps

1. Configure Service Provider

• Go to miniOrange SAML SP, and switch to Service Provider settings tab.
• Enter all the URL fields with their respective URL's.
• You will get URL with fesaml from the fesaml standard page, URL with Response from the response standard page and SINGLE LOGOUT URL from the Logout standard page.
• Revising again you can get URL by going to Pages section, in that right click on FESAML Page select edit and you will get your FESAML URL.

• Don't get confused over ACS URL, your response URL itself is your ACS URL.
• SP entity ID and Base URL will be your basic TYPO3 URL.
• After filling all the fields, Save the SP settings accordingly.

• TYPO3 Single Sign-On SP URL's
• Keep all this URL with you, as you will require this to configure IDP.

2. Configure Identity Provider

• Go to miniOrange SAML SP Plugin, and switch to Identity provider settings tab, fill the necessary configuration options provided by your Identity Provider (IdP). ( Identity Provider Name, IdP Entity Id, SAML Login URL, SAML x509 Certificate ) and click on “Save”. You will get all these inputs by your Identity Provider.
• Let's see how IDP is configured, here we will consider miniOrange as IDP.
• Log in to miniOrange Admin Console.
• Go to Apps and click on Add Application button.

• Click on SAML / WS-FED tab.

• Search for TYPO3. If you can't find your application you can select Custom App

• Now you will be directed to the “Add/Application” Panel.
• In SP Entity ID/Issuer and Audience URL section enter the base URL of your TYPO3, from SP settings of the TYPO3 which we configured before.
• Enter your TYPO3 Response URL in ACS URL section.
• Click on Save button to add TYPO3 Application

• Go to Apps >> Manage Apps.
• Search for your app and click on the Select in action menu against your app.
• Click on Edit and configure the required settings.

• Select attribute.(Here we will select email as an attribute)
• Click on Save to add TYPO3 settings.

• You can get metadata certificate and metadata details by using the following steps:
• Go to Apps >> Manage Apps.
• Search for your app and click on the select in action menu against your app.
• Click on Metadata to get metadata details, which you need to fill up in Typo3 Identity Provider Settings. Click on Link to see the IDP initiated SSO link for TYPO3.

• Here you will see options, if you are setting up miniOrange as IDP copy the metadetails related to miniOrange.
• Copy SAML Login URL , SAML Logout URL IDP entity ID and SAML x509 Certificate.

• Paste the respective URL in Identity Provider settings respectively anc click on save button to complete your IDP configuration.

3. Test Configuration

• This feature will help you to find out if submitted configurations are correct or not. You will also get the attributes you have configured in response.
• To get test Configuration checked go to SAML SP plugin, in that go to IDP settings section, in the bottom you will find Test Configuration button, click on it it will show you the results as shown in the given diagram.

4. Attribute Mapping

• Attribute Mapping is not provided in the free version of SAML SP extension. To enable Attribute Mapping upgrade your SAML SP extension to the premium plugin.
• Attribute mapping maps the incoming attributes from SAML Response to user profile of TYPO3 website.
• To map attributes go to SAML SP Plugin and switch to attribute mapping tab, enter attribute fields and scroll down to save the settings.

5. Group Mapping

• Group Mapping is not provided in the free version of SAML SP extension. To enable Group Mapping upgrade your SAML SP extension to the premium plugin.
• Group mapping maps group name of IDP to the group name of SP and passes user attributes accordingly.
• For group mapping go to miniOrange SAML SP Plugin and switch to group mapping tab enter the required fields and scroll down to save the settings.
• As shown in the given diagram "Default" is user group of IDP while "Group10" is the group we created in TYPO3 which is your SP.

Additional Resources

• What is Single Sign-On (SSO) Login?
• Typo3 OAuth and OpenID Single Sign On (SSO).
• Typo3 SAML Single Sign On (SSO).

If you are looking for anything which you cannot find, please drop us an email on info@xecurify.com