Typo3 SAML Single Sign-On (SSO) can be achieved by using our Typo3 SAML SP Single Sign-On (SSO) plugin. Our SSO solution will make Typo3 SAML 2.0 compliant Service Provider establishing trust between the Typo3 site and your Identity Provider (IdP) to securely authenticate and login users to the Typo3 site. Our Typo3 Single Sign-On (SSO) solution helps to secure Typo3 sites behind the SSO login so that users are authenticated using their Identity Provider login credentials. Seamless support for advanced SSO features like Attribute / Custom Mapping, Role Mapping etc.

SAML allows information to be exchanged between Service Providers and Identity Providers; SAML is the integration of Service Providers and Identity Providers. When a user attempts to log in, your Service provider delivers SAML assertions to Identity Provider, which contain information about the user. The assertion is received by Identity Provider, which validates it against your Service Provider settings before allowing the user access to your org.

Click here to know more about other features we provide in Typo3 SAML Single Sign-On extension.

Installation Steps

1. Installing SAML extension in TYPO3

• Download the zip file of the SAML SP extension from TYPO3 marketplace
• Go to your TYPO3 backend, and click on Extensions section at the left side of your screen.
• Upload the zip file,as represented in the below image.

• Now search for the "miniOrange SAML" in Installed extensions section and activate the extension by clicking on activate button.

• After installation, click on the newly installed extension "miniOrange SAML SP extension" for TYPO3 SSO and login with your registered miniOrange credentials.

• After entering username and password you will require license key to proceed further if you are a premium customer. (You will get this key from the miniOrange team. After entering license key, you can activate the license and proceed further.)

• If you are not a premium customer you can direcly login submitting miniOrange credentials.
• After successful login, you can see the details related to your account.

• Now you are ready to configure your IdP. But, it's important to integrate frontend first.

2. Integrate extension with TYPO3

• Now you have to design your frontend by left clicking on the Home tab then click on New Subpage

• You need to add two STANDARD pages within the HOME page. If you are using Premium Plugin you can create three pages.
• Here we will consider Page Names as: FESAML, RESPONSE, LOGOUT (Logout is optional for premium customers).
• Enter the Standard Page name as: FESAML.

• Click on FESAML Page and click on Add content. Go to plugins and add FESAML Plugin.

• Navigate to plugin tab and select FESAML plugin. Add website users in Record Storage Page and save the settings.

• If you need to make changes in URL segment, which will also be your initial SSO URL, right click on FESAML page, select edit and click on "toggle URL" button to set URL according to your way.

• Follow the same steps to create and configure Standard pages of Response.
• Ensure you will be selecting Response Plugin for Response page and Logout Plugin for Logout Page.
• Your TYPO3 directory should look like this.

• Also, you must create at least one group as TYPO3 doesn’t allow to create users unless there’s one usergroup at least.
• To create group go to list tab from the left panel, click on Website users folder and hit the "+" button at the top of the screen.

• Now select Websiteuser group ? from the list.

• Insert Group Name in group title section and click on Save button at the top. User group will be created.

• You can also create a SSO button on login page. Click on Home, proceed to the +Content option.

• Switch to Special elements tab and select Plain HTML.

• Here what you will be doing is, you are adding SSO login button, URL in the button section will be of FESAML Standard Page.
• The code snippet to do so is mentioned in the given image. Enter the code and hit the Save button at the top.

• Now you can configure plugin in the backend.

3. Configure Service Provider

• Go to miniOrange SAML SP, and switch to Service Provider settings tab.
• Enter all the URL fields with their respective URL's.
• You will get URL with fesaml from the fesaml standard page, URL with Response from the response standard page and SINGLE LOGOUT URL from the Logout standard page.
• Revising again you can get URL by going to Pages section, in that right click on FESAML Page select edit and you will get your FESAML URL.

• Don't get confused over ACS URL, your response URL itself is your ACS URL.
• SP entity ID and Base URL will be your basic TYPO3 URL.
• After filling all the fields, Save the SP settings accordingly.

• TYPO3 Single Sign-On SP URL's
• Keep all this URL with you, as you will require this to configure IDP.

4. Configure Identity Provider

• Go to miniOrange SAML SP Plugin, and switch to Identity provider settings tab, fill the necessary configuration options provided by your Identity Provider (IdP). ( Identity Provider Name, IdP Entity Id, SAML Login URL, SAML x509 Certificate ) and click on “Save”. You will get all these inputs by your Identity Provider.
• Let's see how IDP is configured, here we will consider miniOrange as IDP.
• Log in to miniOrange Admin Console.
• Go to Apps and click on Add Application button.

• Click on SAML / WS-FED tab.

• Search for TYPO3. If you can't find your application you can select Custom App

• Now you will be directed to the “Add/Application” Panel.
• In SP Entity ID/Issuer and Audience URL section enter the base URL of your TYPO3, from SP settings of the TYPO3 which we configured before.
• Enter your TYPO3 Response URL in ACS URL section.
• Click on Save button to add TYPO3 Application

• Go to Apps >> Manage Apps.
• Search for your app and click on the Select in action menu against your app.
• Click on Edit and configure the required settings.

• Select attribute.(Here we will select email as an attribute)
• Click on Save to add TYPO3 settings.

• You can get metadata certificate and metadata details by using the following steps:
• Go to Apps >> Manage Apps.
• Search for your app and click on the select in action menu against your app.
• Click on Metadata to get metadata details, which you need to fill up in Typo3 Identity Provider Settings. Click on Link to see the IDP initiated SSO link for TYPO3.

• Here you will see options, if you are setting up miniOrange as IDP copy the metadetails related to miniOrange.
• Copy SAML Login URL , SAML Logout URL IDP entity ID and SAML x509 Certificate.

• Paste the respective URL in Identity Provider settings respectively anc click on save button to complete your IDP configuration.

5. Test Configuration

• This feature will help you to find out if submitted configurations are correct or not. You will also get the attributes you have configured in response.
• To get test Configuration checked go to SAML SP plugin, in that go to IDP settings section, in the bottom you will find Test Configuration button, click on it it will show you the results as shown in the given diagram.

6. Attribute Mapping

• Attribute Mapping is not provided in the free version of SAML SP extension. To enable Attribute Mapping upgrade your SAML SP extension to the premium plugin.
• Attribute mapping maps the incoming attributes from SAML Response to user profile of TYPO3 website.
• To map attributes go to SAML SP Plugin and switch to attribute mapping tab, enter attribute fields and scroll down to save the settings.

7. Group Mapping

• Group Mapping is not provided in the free version of SAML SP extension. To enable Group Mapping upgrade your SAML SP extension to the premium plugin.
• Group mapping maps group name of IDP to the group name of SP and passes user attributes accordingly.
• For group mapping go to miniOrange SAML SP Plugin and switch to group mapping tab enter the required fields and scroll down to save the settings.
• As shown in the given diagram "Default" is user group of IDP while "Group10" is the group we created in TYPO3 which is your SP.

Additional Resources

• What is Single Sign-On (SSO) Login?
• Typo3 OAuth and OpenID Single Sign On (SSO).
• Typo3 SAML Single Sign On (SSO).

If you are looking for anything which you cannot find, please drop us an email on info@xecurify.com