netresearch / nr-saml-auth
TYPO3 Saml Authentication for frontend
Installs: 19
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 7
Forks: 0
Open Issues: 0
Type:typo3-cms-extension
Requires
- php: >=7.1.0
- onelogin/php-saml: ^3.0.0
- typo3/cms-core: ^10.4
- typo3/cms-frontend: ^10.4
This package is auto-updated.
Last update: 2024-10-14 09:17:49 UTC
README
With this TYPO3 extension you can authenticate against a SAML SSO server.
It works for backend and frontend users and make use of theonelogin/php-saml
package.
Installation
Require the package.
composer require netresearch/nr-saml-auth
Then you have to add a new record of SAML Auth Settings
on the root page in the TYPO3 backend and configure it properly.
Example configuration
Entity ID: your-sp
Customer service URL: https://domain.tld/?logintype=login
Customer service binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Name ID format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Certificate: -----BEGIN CERTIFICATE-----
MIIFYDCCA0igAwIBAgIJAMWkGz7F5peWMA0GCSqGSIb3DQEB
...
6E29QdAP/7OlaUjL8yb0hAQfcweKg7A9Kw+nVngScgiq99FT
-----END CERTIFICATE-----
Private key: -----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCk/hHdRe3
...
3gxX31MgSwnYq6RTKQvPUlEX2UmMcjk=
-----END PRIVATE KEY-----
Entity ID: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
SSO URL: http://sso-url.de:80/sso
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
# Provided by the SSO server else just input something
Certificate: ...
# Prefix for created users
Other: sso-
Groups: Choose you frontenduser folder
Groups: Select the Frontendusergroup which should every logged in user assigned to
As example SSO server you could use https://capriza.github.io/samling/samling.html.
Auto discovery
- the login service will try to autodetect the configuration for the current login/logout request
- Therefor ensure, that your sp_entity_id matches your domain
Middleware
- the extension provides a middleware to redirect the client to the page he came from after login/logout
- ensure that RelayState parameter contains the target URL and is transmitted via post/get from SAML server to the configured ACS urls