Typo3 SAML Single Sign-On (SSO) can be achieved by using our Typo3 SAML SP Single Sign-On (SSO) plugin.
Our SSO solution makes Typo3 a SAML 2.0 compliant Service Provider, establishing trust between the Typo3 site and your Identity Provider (IdP) to securely authenticate and log in users to the Typo3 site. Our Typo3 Single Sign-On (SSO) solution secures Typo3 sites behind the SSO login so that users are authenticated using their Identity Provider login credentials, with seamless support for advanced SSO features like Attribute / Custom Mapping, Role Mapping, etc.
SAML allows authentication information to be exchanged between Service Providers and Identity Providers. When a user attempts to log in, your Service Provider redirects the user to the Identity Provider, which authenticates the user and returns a SAML assertion containing information about that user. The assertion is received by the Service Provider, which validates it against the Identity Provider settings you configured (IdP Entity ID and X.509 certificate) before allowing the user access to your site.
Pre-requisites: Download and Installation
Installing SAML extension in TYPO3
Option 1: install with composer
- Use the command below to install the extension using composer:
composer req miniorange/miniorange-saml
Option 2: upload the extension zip
- Download the zip file of the SAML SP extension from the TYPO3 marketplace.
- Go to your TYPO3 backend and click on the Extensions section at the left side of your screen.
- Upload the zip file, as shown in the image below.
After either installation method:
- Search for "miniOrange SAML" in the Installed extensions section and activate the extension by clicking on the Activate button.
- After installation, click on the newly installed extension "miniOrange SAML SP extension" for TYPO3 SSO and log in with your registered miniOrange credentials.
- After entering your username and password, you will be asked for a license key to proceed further if you are a premium customer. (You will get this key from the miniOrange team. After entering the license key, you can activate the license and proceed further.)
- If you are not a premium customer you can log in directly by submitting your miniOrange credentials.
- After successful login, you can see the details related to your account.
- Now you are ready to configure your IdP. But it's important to integrate the frontend first.
Integrate extension with TYPO3
- Click on Pages in the left navigation.
- Then create a folder to store the frontend users in by right-clicking on the Home page and selecting New subpage.
- Select the Folder type from the dropdown and name the folder Website Users.
- Go to the Behaviour tab, add Website Users (fe_users) and click on Save.
- If you see a red hyphen sign on the created folder, it means that the folder is not enabled. Enable it by right-clicking on that folder and clicking Enable.
- You need to add two STANDARD pages within the HOME page. If you are using the Premium Plugin you can create three pages.
- Here we will use the page names FESAML, RESPONSE and LOGOUT (Logout is optional and available to premium customers).
- To create the FESAML page, right-click on the Home page, select New subpage and select the STANDARD type from the dropdown.
- Add the Page Title FESAML and click Save.
- Then click on the FESAML page again and click on Add content. Go to Plugins, add the FESAML Plugin and click on Save.
- Navigate to the Plugin tab and select the FESAML plugin. Add Website Users as the Record Storage Page and save the settings.
- You can enable the FESAML page by right-clicking on it and selecting the Enable option.
- If you need to change the URL segment, which will also be your initial SSO URL, right-click on the FESAML page, select Edit and click on the "toggle URL" button to set the URL as you prefer.
- Follow the same steps to create and configure the RESPONSE standard page.
- Ensure you select the Response Plugin for the RESPONSE page.
- Keep the FESAML and RESPONSE page URLs handy, as you will need them while configuring the SAML SP.
Configuration Steps
1. Configure Service Provider
- Go to miniOrange SAML SP and switch to the Service Provider settings tab.
- Fill in all the URL fields with their respective URLs.
- The FESAML URL comes from the FESAML standard page, the Response URL from the RESPONSE standard page and the SINGLE LOGOUT URL from the LOGOUT standard page.
- To recap, you can get a URL by going to the Pages section, right-clicking on the FESAML page and selecting Edit; the page's URL is your FESAML URL.
- Don't get confused over the ACS URL: your Response URL itself is your ACS URL.
- The SP Entity ID and Base URL will be your base TYPO3 URL.
- After filling in all the fields, save the SP settings.
- TYPO3 Single Sign-On SP URLs
- Keep all these URLs with you, as you will need them to configure the IdP.
2. Configure Identity Provider
- Go to the miniOrange SAML SP Plugin, switch to the Identity Provider settings tab, fill in the configuration options provided by your Identity Provider (IdP) (Identity Provider Name, IdP Entity ID, SAML Login URL, SAML X.509 Certificate) and click on "Save". You will get all these values from your Identity Provider.
- Let's see how the IdP is configured; here we will use miniOrange as the IdP.
- Log in to the miniOrange Admin Console.
- Go to Apps and click on the Add Application button.
- Click on the SAML / WS-FED tab.
- Search for TYPO3. If you can't find your application, you can select Custom App.
- You will now be directed to the "Add/Application" panel.
- In the SP Entity ID/Issuer and Audience URL section, enter the base URL of your TYPO3 site, taken from the TYPO3 SP settings configured before.
- Enter your TYPO3 Response URL in the ACS URL section.
- Click on the Save button to add the TYPO3 application.
- Go to Apps >> Manage Apps.
- Search for your app and click on Select in the action menu against your app.
- Click on Edit and configure the required settings.
- Select an attribute. (Here we will select email as the attribute.)
- Click on Save to add the TYPO3 settings.
- You can get the metadata certificate and metadata details using the following steps:
- Go to Apps >> Manage Apps.
- Search for your app and click on Select in the action menu against your app.
- Click on Metadata to get the metadata details, which you need to enter in the Typo3 Identity Provider Settings. Click on Link to see the IdP-initiated SSO link for TYPO3.
- Here you will see several options; if you are setting up miniOrange as the IdP, copy the metadata details related to miniOrange.
- Copy the SAML Login URL, SAML Logout URL, IdP Entity ID and SAML X.509 Certificate.
- Paste each value into the corresponding field in the Identity Provider settings and click on the Save button to complete your IdP configuration.
3. Test Configuration
- This feature helps you find out whether the submitted configuration is correct. You will also see the attributes you configured in the response.
- To run the test, go to the SAML SP plugin, open the IdP settings section and click the Test Configuration button at the bottom; it will show you the results as in the diagram given.
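The values entered in the Service Provider and Identity Provider settings tabs are exactly what a SAML SP checks each incoming Response against before the Test Configuration result (or a real login) can succeed. The Python below is an added illustration, not the miniOrange extension's own code: it validates a constructed, unsigned Response against hypothetical settings (Destination against the Response/ACS URL, Issuer against the IdP Entity ID, Audience against the SP Entity ID, plus the validity window) and returns the attributes the test screen would display. It assumes the hypothetical URLs and attribute name shown in the block; verifying the XML signature with the IdP's X.509 certificate is required in practice and is omitted here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical values from the Service Provider and Identity Provider settings tabs.
SETTINGS = {
    "sp_entity_id": "https://typo3.example.com/",      # SP Entity ID / Base URL
    "acs_url": "https://typo3.example.com/response",   # RESPONSE page URL (the ACS URL)
    "idp_entity_id": "https://idp.example.com/saml",   # IdP Entity ID from the IdP metadata
}

# Constructed, unsigned sample Response for illustration only (signature check omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://typo3.example.com/response">
 <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
 <saml:Assertion><saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
   <saml:AudienceRestriction><saml:Audience>https://typo3.example.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email">
   <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

def validate_response(xml_text, settings, now=None):
    """Return the assertion's attributes if every configured value matches, else raise ValueError."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.get("Destination") != settings["acs_url"]:          # must be our RESPONSE (ACS) URL
        raise ValueError("Destination does not match the ACS (Response) URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or issuer.text != settings["idp_entity_id"]:  # IdP Entity ID check
            raise ValueError("Issuer does not match the configured IdP Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    not_before = datetime.strptime(cond.get("NotBefore"), fmt).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), fmt).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_after):
        raise ValueError("Assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if settings["sp_entity_id"] not in audiences:                # Audience must be our SP Entity ID
        raise ValueError("Audience does not match the SP Entity ID")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    attrs["NameID"] = [assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)]
    return attrs
```

A mismatch in any of these fields is the usual cause of a failed Test Configuration, so compare the rejected field against the value copied from the other side's settings.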
4. Attribute Mapping
- Attribute Mapping is not provided in the free version of the SAML SP extension. To enable Attribute Mapping, upgrade your SAML SP extension to the premium plugin.
- Attribute mapping maps the incoming attributes from the SAML Response to the user profile on the TYPO3 website.
- To map attributes, go to the SAML SP Plugin, switch to the Attribute Mapping tab, enter the attribute fields and scroll down to save the settings.
5. Group Mapping
- Group Mapping is not provided in the free version of the SAML SP extension. To enable Group Mapping, upgrade your SAML SP extension to the premium plugin.
- Group mapping maps a group name of the IdP to a group name of the SP and assigns the user to the TYPO3 group accordingly.
- For group mapping, go to the miniOrange SAML SP Plugin, switch to the Group Mapping tab, enter the required fields and scroll down to save the settings.
- As shown in the given diagram, "Default" is the user group of the IdP while "Group10" is the group we created in TYPO3, which is your SP.
Additional Resources
If you are looking for anything you cannot find, please drop us an email at info@xecurify.com