Netresearch TYPO3 Saml Auth 

With this TYPO3 extension you can authenticate against a SAML SSO server. It works for backend and frontend users and make use of the onelogin/php-saml package.

Installation 

Require the package.

composer require netresearch/nr-saml-auth
Copied!

Then you have to add a new record of SAML Auth Settings on the root page in the TYPO3 backend and configure it properly.

Example configuration

Entity ID: your-sp

Customer service URL: https://domain.tld/?logintype=login

Customer service binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

Name ID format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Certificate: -----BEGIN CERTIFICATE-----
MIIFYDCCA0igAwIBAgIJAMWkGz7F5peWMA0GCSqGSIb3DQEB
...
6E29QdAP/7OlaUjL8yb0hAQfcweKg7A9Kw+nVngScgiq99FT
-----END CERTIFICATE-----

Private key: -----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCk/hHdRe3
...
3gxX31MgSwnYq6RTKQvPUlEX2UmMcjk=
-----END PRIVATE KEY-----

Entity ID: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

SSO URL: http://sso-url.de:80/sso

Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

# Provided by the SSO server else just input something
Certificate: ...

# Prefix for created users
Other: sso-

Groups: Choose you frontenduser folder

Groups: Select the Frontendusergroup which should every logged in user assigned to
Copied!

As example SSO server you could use https://capriza.github.io/samling/samling.html.

Auto discovery 

  • the login service will try to autodetect the configuration for the current login/logout request
  • Therefor ensure, that your sp_entity_id matches your domain

Middleware 

  • the extension provides a middleware to redirect the client to the page he came from after login/logout
  • ensure that RelayState parameter contains the target URL and is transmitted via post/get from SAML server to the configured ACS urls