TYPO3 Single Sign-On (SSO)

Follow the Step-by-Step Guide given below for TYPO3 SAML SP Single Sign On ( SSO )

Step 1: Installing SAML SP extension in TYPO3

• Download the zip file of the SAML SP extension from TYPO3 marketplace. You can also download it from TYPO3 extensions.
• Go to your TYPO3 backend, and click on Extensions section at the left side of your screen.
• Upload the zip file,as represented in the below image.



• Now search for the "SAML" in Installed extensions section and activate the extension by clicking on activate button.

(miniOrange has different extensions for premium and non-premium users. Premium extension is named as "SAML SP Premium" and non Premium extension named as "miniorange SAML").




• After installation, click on the newly installed extension "miniOrange SAML SP extension" for TYPO3 SSO and login with your registered miniOrange credentials.



• After entering username and password you will require license key to proceed further if you are a premium customer.

(You will get this key from the miniOrange team. After entering license key, you can activate the license and proceed further.)




• If you are not a premium customer you can direcly login submitting miniOrange credentials.
• After successful login, you can see the details related to your account.



• Now you are ready to configure your IDP. But, it's important to integrate frontend first.

Step 2: Integrate extension with TYPO3

• Now you have to design your frontend by clicking on the PAGE tab in the left top corner of the menu bar.
• You need to add two STANDARD pages within the HOME page. If you are using Premium Plugin you can create three pages.
• Here we will consider Page Names as: FESAML, RESPONSE, LOGOUT (Logout is optional for premium customers).
• To create pages, right click on the HOME page and click on NEW to add new pages.



• Enter the Standard Page name as: FESAML.



• To edit properties, right click on newly created "FESAML" page and select "edit" option and switch to Behavior tab.



• Scroll down to the last and select “website users” from the Contains plugin dropdown of “USE AS CONTAINER” and save the settings.



• Now click on the FESAML page, here you will get option to create Content. We will add Plugin to it.



• Switch to plugins tab and select Fesaml for sending SSO request.



• Now you will be shifted to the new Page Content of "FESAML". Switch to Plugin tab. Select fesaml from the Selected plugin. Along with this in record storage click on folder icon in the right side of your screen.



• Select Website users and save all the settings you did.





• If you need to make changes in URL segment, which will aso be your initial SSO URL, right click on FESAML page, select edit and click on "toggle URL" button to set URL according to your way.



• Follow the same steps to create and configure Standard pages of Response and Logout.
• Ensure you will be selecting Response Plugin for Response page and Logout Plugin for Logout Page.
• Your TYPO3 directory should look like this.



• Also, you must create at least one group as TYPO3 doesn’t allow to create users unless there’s one usergroup at least.
• To create group go to list tab from the left panel, click on Website users folder and hit the "+" button at the top of the screen.



• Now select Websiteuser group ? from the list.



• Insert Group Name in group title section and click on Save button at the top. User group will be created.



• You can also create a SSO button on login page. Click on Home, proceed to the +Content option



• Switch to Special elements tab and select Plain HTML.



• Here what you will be doing is, you are adding SSO login button, URL in the button section will be of FESAML Standard Page.
• The code snippet to do so is mentioned in the given image. Enter the code and hit the Save button at the top.



• Now you can configure plugin in the backend.

Step 3: Configure Service Provider

• Go to miniOrange SAML SP, and switch to Service Provider settings tab.
• Enter all the URL fields with their respective URL's.
• You will get URL with fesaml from the fesaml standard page, URL with Response from the response standard page and SINGLE LOGOUT URL from the Logout standard page.
• Revising again you can get URL by going to Pages section, in that right click on FESAML Page select edit and you will get your FESAML URL.



• Don't get confused over ACS URL, your response URL itself is your ACS URL.
• SP entity ID and Base URL will be your basic TYPO3 URL.
• After filling all the fields, Save the SP settings accordingly.



• Keep all this URL with you, as you wil require this to configure IDP.

Step 4: Configure Identity Provider

• Go to miniOrange SAML SP Plugin, and switch to Identity provider settings tab, fill the necessary configuration options provided by your Identity Provider (IdP). ( Identity Provider Name, IdP Entity Id, SAML Login URL, SAML x509 Certificate ) and click on “Save”. You will get all these inputs by your Identity Provider.
• To use features like Force Authentication and Custom Binding, upgrade to premium plugin.
• Let's see how IDP is configured, here we will consider miniOrange as IDP.
• Log in to miniOrange Admin Console.
• Go to Apps >> Manage Apps. Click on Configure App button.



• Click on Create App in the SAML tab.



• Search for TYPO3.
  If you can't find your application you can select Custom App



• Now you will be directed to the “Add/Application” Panel.
• In SP Entity ID/Issuer and Audience URL section enter the base URL of your TYPO3, from SP settings of the TYPO3 which we configured before.
• Enter your TYPO3 Response URL in ACS URL section.
• Enter the Single Logout URL(optional).
• Click on Save button to add TYPO3 Application.




Now configure your Application by using the following steps:

• Go to Apps >> Manage Apps.
• Search for your app and click on the Select in action menu against your app.
• Click on Editand configure the required settings.



• Select attribute.(Here we will select email as an attribute)
• Click on Save to add TYPO3 settings.




You can get metadata certificate and metadata details by using the following steps:

• Go to Apps >> Manage Apps.
• Search for your app and click on the select in action menu against your app.
• Click on Metadata to get metadata details, which you need to fill up in Typo3 Identity Provider Settings. Click on Link to see the IDP initiated SSO link for TYPO3.



• Here you will see 2 options, if you are setting up miniOrange as IDP copy the metadetails related to miniOrange, if you required to be authenticated via external IDP's(okta,AZURE AD, ADFS, ONELOGIN, GOOGLE APPS) you can get metadata from the 2nd Section as shown below.



• Copy SAML Login URL , SAML Logout URL IDP entity ID and SAML x509 Certificate.



• Paste the respective URL in Identity Provider settings respectively anc click on save button to complete your IDP configuration.








Step 5: Test Configuration

• This feature will help you to find out if submitted configurations are correct or not. You will also get the attributes you have configured in response.
• To get test Configuration checked go to SAML SP plugin, in that go to IDP settings section, in the bottom you will find Test Configuration button, click on it it will show you the results as shown in the given diagram.




Step 6: Attribute Mapping

• Attribute Mapping is not provided in the free version of SAML SP extension. To enable Attribute Mapping upgrade your SAML SP extension to the premium plugin.
• Attribute mapping maps the incoming attributes from SAML Response to user profile of TYPO3 website.
• To map attributes go to SAML SP Plugin and switch to attribute mapping tab, enter attribute fields and scroll down to save the settings.




Step 7: Group Mapping

• Group Mapping is not provided in the free version of SAML SP extension. To enable Group Mapping upgrade your SAML SP extension to the premium plugin.
• Group mapping maps group name of IDP to the group name of SP and passes user attributes accordingly.
• For group mapping go to miniOrange SAML SP Plugin and switch to group mapping tab enter the required fields and scroll down to save the settings.
• As shown in the given diagram "Default" is user group of IDP while "Group10" is the group we created in TYPO3 which is your SP.