Typo3 SAML Single Sign-On using Azure AD | Azure Active Directory SSO | Login using Azure AD

Pre-requisites : Download And Installation

 Installing SAML extension in TYPO3

 Integrate extension with TYPO3

• Click on the Pages from the left navigation.
• Then you need to create a folder to store the frontend users in it by right clicking on the Home page and select New subpage.

• Select Folder type from the dropdown. Name the folder as Website Users.

• Go to the Behaviour tab and add Website Users (fe_users) and click on Save.

• If you see a hyphen sign in red on the created folder, it means that the folder is not enabled. You can then enable it by right clicking on that folder and clicking Enable.
• You need to add two STANDARD pages within the HOME page. If you are using Premium Plugin you can create three pages.
• Here we will consider Page Names as: FESAML, RESPONSE, LOGOUT (Logout is optional for premium customers).
• To create a FESAML page, right click on Home page then select New subpage and select STANDARD type from dropdown.

• Add Page Title as FESAML and click Save.

• Then again Click on FESAML Page and click on Add content. Go to plugins and add FESAML Plugin and click on the Save.

• Navigate to plugin tab and select FESAML plugin. Add website users in Record Storage Page and save the settings.

• You can enable the FESAML page by right clicking and selecting Enable option.

• If you need to make changes in URL segment, which will also be your initial SSO URL, right click on FESAML page, select edit and click on "toggle URL" button to set URL according to your way.
• Follow the same steps to create and configure Standard pages of Response.
• Ensure you will be selecting Response Plugin for Response page.
• Keep the FESAML and RESPONSE page urls handy as you will need them while configuring the SAML SP.

2. Configure Typo3 as SP (Service Provider)

• In Typo3 SSO extension, go to the SP settings tab and enter Fesaml Plugin Page URL, Response Page URL, ACS URL, Entity ID and all other required details.

• Now, go to the IdP settings tab of the extension. There are two ways to configure the Typo3 SSO extension.

A. By uploading IDP metadata:

• Enter the Identity Provider Name
• Click on Upload IDP metadata button.
• You can either upload a metadata file and click on Upload button or use a metadata URL to fetch the metadata.


B. Manual Configuration:

• Copy SAML Entity ID, SAML Single-Sign-On Endpoint URL and x.509 certificate from Federation Metadata document and paste it in IdP Entity ID or Issuer, Single Sign-on Service URL, x.509 Certificate fields respectively in the extension.
  

IdP Entity ID or Issuer	SAML Entity ID obtained from the IdP
Single Sign-On Service URL	SAML Single-Sign-On Endpoint URL obtained from the IdP
X.509 Certificate	x.509 Certificate obtained from the IdP

• Click on Save button to save all your settings.

• To check if your Typo3 as SP is configured correctly, click the Test Configuration button.

3. Attribute / Custom Mapping (Optional). *This is Premium feature.

• Attributes are user details that are stored in your Identity Provider.
• Attribute Mapping helps you to get user attributes from your Identity Provider (IdP) and map them to Typo3 user attributes like firstname, lastname and so on.
• While auto registering the users in your Typo3 site these attributes will automatically get mapped to your Typo3 user details.
• Only NameID can be mapped to Typo3 Email and Username characteristics with the free extension. Multiple user attributes from the IdP, on the other hand, can be mapped to Typo3 attributes in the premium version of the extension. You can map custom attributes that you've added to your IdP in addition to the default attributes.
• When a user performs SSO, the NameID value sent by the IdP will get mapped to the email and the username of the Typo3 user.

• You can check the Test Configuration Results under Service Provider Setup tab to get a better idea of which values to map here.

4. Group Mapping (Optional). *This is Premium feature.

• You can specify a default Group in the free extension that will be allocated to all non-admin users when they conduct SSO.
• Go to Group mapping tab and navigate to Group Mapping section.
• Select the Default Group and click on the Save button.