Netresearch SAML Auth

Netresearch SAML Auth 

Extension key

nr_saml_auth

Package name

netresearch/nr-saml-auth

Version

main

Language

en

Author

Netresearch DTT GmbH

License

This document is published under the Creative Commons BY 4.0 license.

Rendered

Thu, 26 Feb 2026 05:05:30 +0000

TYPO3 extension for SAML SSO authentication supporting frontend and backend users using the onelogin/php-saml library.

Introduction 

Learn about SAML SSO and how this extension can help you implement single sign-on for your TYPO3 installation.

Installation 

How to install and set up the extension via Composer or manually.

Configuration 

Configure the Service Provider (SP) and Identity Provider (IdP) settings for your SAML authentication.

Developer Guide 

Information for developers on PSR-14 events and extending the extension.

Table of Contents

Introduction 

What is SAML SSO? 

SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties, specifically between an Identity Provider (IdP) and a Service Provider (SP).

Single Sign-On (SSO) allows users to authenticate once with an Identity Provider and then access multiple applications without re-entering credentials.

Extension Features 

The Netresearch SAML Auth extension provides:

  • Frontend Authentication: SAML-based login for frontend users
  • Backend Authentication: SAML-based login for backend users
  • Auto-Discovery: Automatic SAML configuration detection based on domain
  • User Provisioning: Automatic creation of TYPO3 users from SAML attributes
  • Deep Link Support: Redirect users to their original destination after login
  • PSR-14 Events: Modern event system for customization

Requirements 

  • TYPO3 12.4 LTS or 13.4 LTS
  • PHP 8.1 - 8.4
  • onelogin/php-saml 4.0+
  • TYPO3 10.4 LTS or 11.5 LTS
  • PHP 7.4 - 8.1
  • onelogin/php-saml 3.x

Support 

For issues and feature requests, please use the GitHub issue tracker.

Installation 

The extension can be installed via Composer (recommended) or manually.

Composer Installation 

Install the extension using Composer:

composer require netresearch/nr-saml-auth
Copied!

After installation, activate the extension in the Extension Manager or via CLI:

vendor/bin/typo3 extension:setup
Copied!

Initial Setup 

After installation, you need to:

  1. Create a SAML Auth Settings record on the root page (PID 0) in the TYPO3 backend under List > Create new record > SAML Auth Settings
  2. Configure the Service Provider (SP) settings (your TYPO3 installation)
  3. Configure the Identity Provider (IdP) settings (your SSO server)
  4. Select the user folder and default user groups for new users

See the Configuration section for detailed setup instructions.

Verification 

To verify the installation:

  1. Access the Admin Tools > SAML Auth backend module
  2. Check that your SAML metadata is correctly generated
  3. Share the SP metadata with your Identity Provider administrator

Configuration 

The extension is configured through a SAML Auth Settings record in the TYPO3 backend.

Creating a Settings Record 

  1. Go to List module on the root page (PID 0)
  2. Click Create new record
  3. Select SAML Auth Settings

Service Provider (SP) Configuration 

The Service Provider represents your TYPO3 installation.

Entity ID 

The unique identifier for your Service Provider. Typically your domain URL:

https://your-domain.tld
Copied!

Customer Service URL (ACS) 

The Assertion Consumer Service URL where SAML responses are received:

https://your-domain.tld/?logintype=login
Copied!

Name ID Format 

The format for the Name ID in SAML assertions:

  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient - Temporary identifier
  • urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress - Email address
  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent - Persistent identifier

Certificates 

You can optionally configure SP certificates for signed requests:

  • Certificate: Public certificate (PEM format)
  • Private Key: Private key (PEM format)

Identity Provider (IdP) Configuration 

The Identity Provider is your SSO server (e.g., Azure AD, Okta, SimpleSAMLphp).

Entity ID 

The unique identifier provided by your IdP.

SSO URL 

The Single Sign-On URL where authentication requests are sent.

Logout URL 

The Single Logout URL for ending sessions (optional).

Certificate 

The IdP's public certificate for validating SAML responses (required).

User Configuration 

Username Prefix 

Optional prefix added to usernames created from SAML authentication:

sso-
Copied!

This helps identify SSO-created users in the system.

User Folder 

Select the page (folder) where new frontend users will be stored.

User Groups 

Select the default user groups assigned to newly created users.

Auto-Discovery 

The extension supports automatic configuration discovery based on the request domain. When a user attempts to login, the extension matches the current domain against configured sp_entity_id values to find the appropriate SAML configuration.

This allows multiple SAML configurations for different domains within the same TYPO3 installation.

Configuration Reference 

SAML Settings Record Fields 

Name
name
sp_entity_id
sp_customer_service_url
sp_customer_service_binding
sp_name_id_format
sp_cert
sp_key
idp_entity_id
idp_sso_url
idp_sso_binding
idp_logout_url
idp_cert
username_prefix
users_pid
usergroup

name

name
Type
string
Required

true

A descriptive name for this SAML configuration.

sp_entity_id

sp_entity_id
Type
string
Required

true

The unique identifier for your Service Provider (typically your domain URL).

sp_customer_service_url

sp_customer_service_url
Type
string
Required

true

The Assertion Consumer Service URL where SAML responses are received.

sp_customer_service_binding

sp_customer_service_binding
Type
string
Default
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

The binding method for the ACS endpoint.

sp_name_id_format

sp_name_id_format
Type
string
Default
urn:oasis:names:tc:SAML:2.0:nameid-format:transient

The format for the Name ID in SAML assertions.

sp_cert

sp_cert
Type
text

The Service Provider's public certificate (PEM format).

sp_key

sp_key
Type
text

The Service Provider's private key (PEM format).

idp_entity_id

idp_entity_id
Type
string
Required

true

The unique identifier of the Identity Provider.

idp_sso_url

idp_sso_url
Type
string
Required

true

The Single Sign-On URL of the Identity Provider.

idp_sso_binding

idp_sso_binding
Type
string
Default
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

The binding method for the SSO endpoint.

idp_logout_url

idp_logout_url
Type
string

The Single Logout URL of the Identity Provider.

idp_cert

idp_cert
Type
text
Required

true

The Identity Provider's public certificate for validating responses.

username_prefix

username_prefix
Type
string

Optional prefix for usernames created via SAML authentication.

users_pid

users_pid
Type
int
Required

true

The page ID (folder) where new users will be created.

usergroup

usergroup
Type
string

Comma-separated list of user group UIDs assigned to new users.

Example Configuration 

# Service Provider Settings
Entity ID: https://your-domain.tld
Customer Service URL: https://your-domain.tld/?logintype=login
Customer Service Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Name ID Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient

# Identity Provider Settings
Entity ID: urn:example:idp
SSO URL: https://idp.example.com/sso
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
Certificate: [IDP Certificate]

# User Settings
Username Prefix: sso-
User Folder: [Select frontend user folder]
User Groups: [Select default frontend user groups]
Copied!

Developer Guide 

This section provides information for developers who want to extend or customize the SAML authentication functionality.

Architecture Overview 

The extension uses the following key components:

AuthenticationService 

The AuthenticationService class extends TYPO3's authentication service and handles:

  • SAML response validation
  • User lookup and creation
  • Authentication status management

Location: Classes/Sv/AuthenticationService.php

SamlService 

The SamlService class provides the interface to the onelogin/php-saml library:

  • SAML configuration management
  • SSO redirect handling
  • Response parsing

Location: Classes/Service/SamlService.php

SettingsRepository 

The SettingsRepository provides access to SAML configuration records:

  • Auto-discovery by host
  • Settings retrieval

Location: Classes/Domain/Repository/SettingsRepository.php

Middleware 

The RelayStateMiddleware handles post-authentication redirects:

  • Deep link support
  • Logout redirect handling

Location: Classes/Middleware/RelayStateMiddleware.php

Dependency Injection 

All services are registered in the DI container and can be injected into your own classes:

use Netresearch\NrSamlAuth\Service\SamlService;

class MyController
{
    public function __construct(
        private readonly SamlService $samlService
    ) {}
}
Copied!

Extending User Creation 

To customize user creation, listen to the PSR-14 events documented in the Events section.

Example: Adding custom user attributes from SAML response:

use Netresearch\NrSamlAuth\Event\BeforeUserCreationEvent;

class CustomUserAttributeListener
{
    public function __invoke(BeforeUserCreationEvent $event): void
    {
        $attributes = $event->getSamlAttributes();
        $userData = $event->getUserData();

        // Add custom attribute mapping
        $userData['custom_field'] = $attributes['customAttribute'][0] ?? '';

        $event->setUserData($userData);
    }
}
Copied!

PSR-14 Events 

The extension provides PSR-14 events for customizing the authentication process.

Available Events 

BeforeUserCreationEvent 

Dispatched before a new user is created from SAML attributes.

namespace Netresearch\NrSamlAuth\Event;

final class BeforeUserCreationEvent
{
    public function getSamlAttributes(): array;
    public function getUserData(): array;
    public function setUserData(array $userData): void;
    public function getSettings(): Settings;
}
Copied!

AfterUserCreationEvent 

Dispatched after a new user has been created.

namespace Netresearch\NrSamlAuth\Event;

final class AfterUserCreationEvent
{
    public function getUser(): array;
    public function getSamlAttributes(): array;
    public function getSettings(): Settings;
}
Copied!

BeforeAuthenticationEvent 

Dispatched before authentication is processed.

namespace Netresearch\NrSamlAuth\Event;

final class BeforeAuthenticationEvent
{
    public function getSamlResponse(): Response;
    public function getSettings(): Settings;
    public function setSkipAuthentication(bool $skip): void;
}
Copied!

Registering Event Listeners 

Register your event listeners in your extension's Services.yaml:

# Configuration/Services.yaml
services:
  Vendor\MyExtension\EventListener\CustomUserCreationListener:
    tags:
      - name: event.listener
        identifier: 'myextension/custom-user-creation'
        event: Netresearch\NrSamlAuth\Event\BeforeUserCreationEvent
Copied!

Example Implementation 

Custom attribute mapping:

namespace Vendor\MyExtension\EventListener;

use Netresearch\NrSamlAuth\Event\BeforeUserCreationEvent;

final class CustomUserCreationListener
{
    public function __invoke(BeforeUserCreationEvent $event): void
    {
        $attributes = $event->getSamlAttributes();
        $userData = $event->getUserData();

        // Map department to custom field
        if (isset($attributes['department'][0])) {
            $userData['tx_myext_department'] = $attributes['department'][0];
        }

        // Map employee ID
        if (isset($attributes['employeeId'][0])) {
            $userData['tx_myext_employee_id'] = $attributes['employeeId'][0];
        }

        $event->setUserData($userData);
    }
}
Copied!

Migration Guide 

This section provides guidance for upgrading between major versions.

Upgrading from 10.x to 12.x 

Version 12.x includes breaking changes for TYPO3 12.4/13.4 compatibility.

Requirements Changes 

  • PHP 8.1+ required: Upgrade your PHP version
  • TYPO3 12.4+ required: Upgrade your TYPO3 installation
  • onelogin/php-saml 4.0: Library upgraded with security improvements

Breaking Changes 

PSR-14 Events 

Legacy hooks have been replaced with PSR-14 events. If you used the old hook system, migrate to the new events:

// OLD: Legacy hook (removed)
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['nr_saml_auth']['beforeUserCreation']

// NEW: PSR-14 event
Netresearch\NrSamlAuth\Event\BeforeUserCreationEvent
Copied!

See Events for the complete event reference.

Dependency Injection 

Services now use TYPO3's DI container. Direct instantiation is deprecated:

// OLD: Direct instantiation (deprecated)
$service = new \Netresearch\NrSamlAuth\Service\SamlService();

// NEW: Dependency injection
public function __construct(
    private readonly SamlService $samlService
) {}
Copied!

Configuration 

The SAML Settings record structure remains unchanged. No database migrations are required.

Migration Steps 

  1. Update PHP: Ensure PHP 8.1 or higher is installed
  2. Update TYPO3: Upgrade to TYPO3 12.4 LTS or 13.4 LTS
  3. Update Extension: Run composer update netresearch/nr-saml-auth
  4. Clear Caches: Clear all TYPO3 caches
  5. Test Authentication: Verify SAML login still works
  6. Update Custom Code: Migrate any custom hooks to PSR-14 events

Backward Compatibility 

The extension maintains backward compatibility for:

  • SAML Settings record structure
  • Database schema
  • SAML response handling

The following are NOT backward compatible:

  • PHP 7.x support (requires 8.1+)
  • TYPO3 10.4/11.5 support (requires 12.4+)
  • Legacy hook system (use PSR-14 events)

Changelog 

All notable changes to this project are documented here.

Version 12.0.0 

Released: (not yet released)

Added 

  • TYPO3 12.4 LTS support
  • TYPO3 13.4 LTS support
  • PHP 8.1, 8.2, 8.3, 8.4 support
  • PSR-14 events for authentication customization
  • Dependency injection for all services
  • Comprehensive unit and functional tests
  • RST documentation for docs.typo3.org

Changed 

  • Upgraded onelogin/php-saml to version 4.0
  • Replaced legacy hooks with PSR-14 events
  • Modernized code to PHP 8.1+ standards
  • Improved code quality with PHPStan level 6

Removed 

  • PHP 7.x support
  • TYPO3 10.4 and 11.5 support
  • Legacy hook system

Version 10.0.10 

Released: 2024

Fixed 

  • Extension icon updated to Netresearch logo

Version 10.0.x 

  • TYPO3 10.4 and 11.5 LTS support
  • PHP 7.4 - 8.1 support
  • Initial SAML SSO implementation