| Both sides previous revision Previous revision Next revision | Previous revision |
| en:2.0:single_sign_on:saml_joomla [2025/04/26 02:07] – kainhofer | en:2.0:single_sign_on:saml_joomla [2025/04/27 10:24] (current) – kainhofer |
|---|
| ==== Configuring the Service Provider (Joomla) ==== | ==== Configuring the Service Provider (Joomla) ==== |
| |
| Currently, the only available SAML 2.0 extension for Joomla is "SAML SSO for Joomla" by miniOrange, which provides basic SAML in its free version, but other features like group mapping or profile fields are only available in the (quite expensive) paid version. | Currently, the only available SAML 2.0 extension for Joomla is "SAML SSO for Joomla" by miniOrange, which provides basic SAML in its free version, but other features like group mapping or profile fields are only available in the (quite expensive) paid version. As the plugin support loading metadata from Admidio and provides its own metadata file for Admidio's auto-setup, the configuration basically consists of: |
| | * Pasting and loading Admidio's metadata URL into the plugin |
| | * Pasting and loading the Joomla plugin's client metadata URL into admidio's SAML client |
| | Extended options are not supported by the free plugin version, but basic login will work fine. |
| |
| The free version allows login via Admidio's user accounts, but does not assign any groups in Joomla, and does not transfer profile fields from Admidio to Joomla's user profile. If that is sufficient, install the plugin from the Joomla Extension Directory ("System" -> "Extensions" -> "Install Extensions" -> "Install from Web" -> search for "SAML SSO for Joomla" and install the plugin). | The free version allows login via Admidio's user accounts, but does not assign any groups in Joomla, and does not transfer profile fields from Admidio to Joomla's user profile. If that is sufficient, install the plugin from the Joomla Extension Directory ("System" -> "Extensions" -> "Install Extensions" -> "Install from Web" -> search for "SAML SSO for Joomla" and install the plugin). |
| {{ :en:2.0:sso:sso_saml_joomla_01_install_saml_plugin.png?direct&800 |}} | {{ :en:2.0:sso:sso_saml_joomla_01_install_saml_plugin.png?direct&800 |}} |
| |
| After installation it can be configured in "Components" -> "miniOrange SAML Single Sign-On". | After installation it can be configured in "Components" -> "miniOrange SAML Single Sign-On". The plugin supports reading the metadata file from Admidio's SAML IdP implementation: In the "Service Provider Setup" Tab, select "Upload IdP Metadata", enter the URL and click fetch. |
| |
| | {{ :en:2.0:sso:sso_saml_joomla_02_setup_metadata.png?direct |}}{{ :en:2.0:sso:sso_saml_joomla_02a_admidio_metadata.png?direct&500 |}} |
| |
| | The plugin's configure fields will be populated correctly. Just choose a label for the login button at the "Enable Login with SAML" input box and click Save. |
| | {{ :en:2.0:sso:sso_saml_joomla_02_setup_settingsauto.png?direct&400 |}} |
| |
| <WRAP center round todo 60%> | |
| todo box | |
| </WRAP> | |
| Nextcloud's "Administration settings" in the section "SSO & SAML authentication". First, one needs to choose the built-in SAML authentication (one-time setting after first installation). | |
| {{ :en:2.0:sso:sso_saml_02-02_nc_saml_setup1.png?direct&600 |}} | |
| |
| Nextcloud does not support automatic configuration from IdP metadata, so one has to copy the correct settings over from the Admidio preferences. It is a good idea to keep two browser windows open so one can easily select and copy the settings. Admidio even provides little "copy" buttons/icons to copy the various settings to the clipboard for easy pasting into Nextcloud's configuration. | Once these basic SAML settings are done, set up the SP in Admidio. The required metadata URL from Joomla's plugin can be found in the "Service Provider Metadata" tab. |
| | {{ :en:2.0:sso:sso_saml_joomla_04_setup_spmetadata.png?direct&400 |}} |
| |
| This is a typical configuration of the Nextcloud SAML plugin for Admidio as an idP: | |
| {{ :en:2.0:sso:sso_saml_02-03_nc_saml_setup2.png?direct&600 |}} | |
| |
| Once these basic SAML settings are done, I would recommend to set up the SP in Admidio, and do the remaining settings (transmitted fields and roles, as well as signing/encryption requirements) in parallel in Nextcloud and Admidio. | |
| |
| If the basic settings are valid, Nextcloud should indicate "Metadata valid" at the bottom of the page next to a button to download the metadata XML. Copy the URL of the metadata XML button (right-click on the "Download metadata XML" button and choose "copy link address"). | |
| {{ :en:2.0:sso:sso_saml_02-04_nc_saml_metadata_link.png?direct&400 |}} | |
| |
| === Setting up encryption === | |
| |
| If encryption is desired for all SAML messages sent by Admidio to Nextcloud, or if Nextcloud should sign all its requests, then Nextcloud needs a private/public key pair to decrypt or sign messages. These need to be entered into the Nextcloud SAML config in PEM format and can be generated by openssl's command line tools, or in Admidio's key administration. Simply create a new Key for Nextcloud (RSA 2048 bits). The certificate can be copied directly from the key's edit page, but the private key is not available in Admidio's GUI for security reason. Instead, it can be downloaded (secured with a password!) from the list of keys in Admidio: | |
| |
| {{ :en:2.0:sso:sso_saml_02-03a_nc_saml_keysetup1.png?direct&400 |}} | |
| |
| After downloading the .p12 file, Applications like [[https://keystore-explorer.org/|KeyStore Explorer]] can be used to read the private key and copy the private key and the certificate in PEM format to the clipboard and paste it into Nextcloud's SAML configuration. | |
| |
| {{:en:2.0:sso:sso_saml_02-03b_nc_saml_keystoreexplorer1.png?direct&400|}}{{:en:2.0:sso:sso_saml_02-03c_nc_saml_keystoreexplorer2.png?direct&400|}} | |
| |
| {{ :en:2.0:sso:sso_saml_02-03d_nc_saml_keyconfig.png?direct&400 |}} | |
| ==== Setting up the Client (SP) in Admidio ==== | ==== Setting up the Client (SP) in Admidio ==== |
| |
| |
| |
| Paste the metadata URL copied from Nextcloud into the corresponding input field at the top and click "Load Client Metadata". This should load all settings from Nextcloud and pre-fill the following fields correctly. Only the Client Name needs to be entered. Choose any name to clearly identify the client in the list of SAML clients. There is no functionality depending on the name. | Paste the metadata URL copied from Joomla into the corresponding input field at the top and click "Load Client Metadata". This should load all settings from Joomla and pre-fill the following fields correctly. Only the Client Name needs to be entered. Choose any name to clearly identify the client in the list of SAML clients. There is no functionality depending on the name. |
| {{ :en:2.0:sso:sso_saml_02-05_nc_admidio_clientsetup1.png?direct&600 |}} | {{ :en:2.0:sso:sso_saml_joomla_05_saml_client.png?direct&600 |}} |
| |
| | The only other setting that is relevant for the limited features of the free Joomla plugin is the User ID field. The Joomla plugin insists on matching only E-Mail Addresses, so make sure to select it: |
| | {{ :en:2.0:sso:sso_saml_joomla_06_saml_userid.png?direct&600 |}} |
| |
| In addition to the Entity ID and URLs to connect SP and IdP and the certificate, which are configured automatically, one also needs to define the attribute and role mapping. The username is the most relevant. To use Admidio's group memberships as Nextcloud groups, make sure to include the "Roles" field and provide the correct field name in Nextcloud. Internally, Nextcloud will add a prefix to the role names, which makes it impossible to assign admin rights to SAML groups (Nextcloud uses the group with internal name "admin" for administrators). If you want to assign admin rights through SAML, too, then you must enter a single space into the prefix field. This causes Nextcloud to take the role names verbatim as Nextcloud group names, including "admin". | The other advanded features like fields or group mapping can be ignored or cleared in the client config. The restriction to certain groups, however, is implemented in Admidio and works with Joomla, too. |
| |
| {{ :en:2.0:sso:sso_saml_02-06_nc_admidio_clientsetup1.png?direct&600 |}} | |
| |
| <WRAP center round todo 60%> | ==== Setup completed, test Single-Sign-On ==== |
| TODO: Describe signing and encryption settings (synced) | Admidio and Joomla should now be set up to use Admidio for logging in to Nextcloud. To check, you can go back to the plugin config page and use the "Test Configuration" button at the bottom of the page. |
| </WRAP> | |
| {{ :en:2.0:sso:sso_saml_02-07_nc_admidio_clientsetup3.png?direct&600 |}} | |
| |
| | If you log out of Joomla (or open the page in an incognito browser window), you should see the login screen with the choice of logging in with password or via SAML. |
| ==== Setup completed, test Single-Sign-On ==== | {{ :en:2.0:sso:sso_saml_joomla_07_login_form.png?direct |}} |
| Admidio and Nextcloud should now be set up to use Admidio for logging in to Nextcloud. If you log out of Nextcloud, you should see the login screen with the choice of logging in with password or via SAML. | |
| {{ :en:2.0:sso:sso_saml_02-08_nc_saml_login.png?direct&400 |}} | |
| |
| After choosing SAML login and loggin in with a user from Admidio, you should be logged in to Nextcloud. | After choosing SAML login and loggin in with a user from Admidio, you should be logged in to Nextcloud. |
| {{:en:2.0:sso:sso_saml_02-09_nc_saml_loggedin.png?direct&200|}} | {{ :en:2.0:sso:sso_saml_joomla_08_joomla_login_form.png?direct |}}{{ :en:2.0:sso:sso_saml_joomla_09_logged_in.png?direct |}} |
| {{:en:2.0:sso:sso_saml_02-10_nc_saml_users.png?direct&600|}} | |
| |
| |
| ==== Caveats and Things to Consider ==== | ==== Caveats and Things to Consider ==== |
| |
| * For security reasons, Nextcloud will prepend **SAML_ prefix to the group names** obtained from the SAML IdP. This makes hybrid environments quite hard in practice, where some users authenticate via SAML, others via local accounts or other network accounts. In these hybrid cases, the SAML-generated groups will be different than the local groups and all group permissions need to be set twice! As a **workaround**, one can **enter a single space into the prefix input box**. This will cause Nextcloud's SAML extension to clear the prefix, but the input field will appear empty in the future, so it is not clarly visible whether the prefix was "cleared" or the default prefix will be applied! | * The miniOrange Joomla plugin requires the email address to be used as the user ID, so only users with a valid email in Admidio can log in! Oone also has to make sure the Admidio SAML client is configured to use the email as the user ID. |
| |
