Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
en:2.0:single_sign_on [2025/05/04 17:19] kainhoferen:2.0:single_sign_on [2025/05/09 00:21] (current) kainhofer
Line 19: Line 19:
 | |
  
-Other systems like Prestashop do not provide any freely available SAML plugin, only some very expensive commercial extensions. +Other systems like Prestashop do not provide any freely available SAML or OpenID plugin, only some very expensive commercial extensions. 
  
  
Line 63: Line 63:
       - Admidio will show a "Client Secret", which must be copied to the client's config.        - Admidio will show a "Client Secret", which must be copied to the client's config. 
       - Select which scopes (classes of information) should be allowed to be sent to the client, and optionally select / map Admidio's profile fields and groups to OpenID claims (individual pieces/fields of information)       - Select which scopes (classes of information) should be allowed to be sent to the client, and optionally select / map Admidio's profile fields and groups to OpenID claims (individual pieces/fields of information)
-    - OpenID does NOT provide any automatic configuration of the client using metadata((There is an OpenID extension for dynamic/automatic client registration, but that has other complexities!)).+    - OpenID does NOT provide any automatic configuration of the client using metadata((There is an OpenID extension specification for dynamic/automatic client registration, but that has other complexities!)).
  
  
Line 109: Line 109:
 ==== Single-Sign-On with OpenID Connect using an external Identity Provider (IdP) ==== ==== Single-Sign-On with OpenID Connect using an external Identity Provider (IdP) ====
  
-OpenID Connect is based on exchanging data with JSON objects. Rather than working only with browser redirects like SAML, OpenID is based on OAuth and extensively uses direct communication ("backchannel") between the Relying Party and the IdP. Rather than documenting only a successful login, OpenID separates authentication (successfull login) and authorization (roles that grant user rights). It also does not rely on an active session at the IdP. Rather it generates a dedicated password (the "token") for the client and thus replaces the user's individual password with app-specific passwords, which are handled internally by the client and the IdP without the user noticing. When such a token expires, another (refresh) token can be used to create a new token, so that no new login is required. All this is done in the background and the user experience is basically the same as with a direct login or with SAML.+OpenID Connect is based on exchanging data with JSON objects. It is an extension of the OAuth 2.0 protocol, which only handles authentication. The OpenID layer adds additional profile information and permissions, but uses OAuth for the basic authorization.  
 + 
 +Rather than working only with browser redirects like SAML, OpenID is based on OAuth and extensively uses direct communication ("backchannel") between the Relying Party and the IdP. Rather than documenting only a successful login, OpenID separates authentication (successfull login) and authorization (roles that grant user rights). It also does not rely on an active session at the IdP. Rather it generates a dedicated password (the "token") for the client and thus replaces the user's individual password with app-specific passwords, which are handled internally by the client and the IdP without the user noticing. When such a token expires, another (refresh) token can be used to create a new token, so that no new login is required. All this is done in the background and the user experience is basically the same as with a direct login or with SAML.
  
  
Line 188: Line 190:
 To ensure only legitimate login requests from the real client are processed, Admidio needs the entity ID, the URL for redirect as well as the x509 certificate (if messages are cryptographically signed). The following settings are needed for setup. They MUST be consistent with the settings configured in the SAML client (SP). Many SPs provide a Metadata XML link or file with all required settings included for automatic client setup. In Admidio's SAML client section, one can input the metadata URL and Admidio will pre-configure the client, but manual adjustments are possible (and in many areas even needed). To ensure only legitimate login requests from the real client are processed, Admidio needs the entity ID, the URL for redirect as well as the x509 certificate (if messages are cryptographically signed). The following settings are needed for setup. They MUST be consistent with the settings configured in the SAML client (SP). Many SPs provide a Metadata XML link or file with all required settings included for automatic client setup. In Admidio's SAML client section, one can input the metadata URL and Admidio will pre-configure the client, but manual adjustments are possible (and in many areas even needed).
  
-  * **Metadata URL** (for automatic setup of clients): https://[YOUR_ADMIDIO_URL]/modules/sso/index.php/saml/metadata +  * **Metadata URL** (for automatic setup of clients):  
-    * If your SP supports entering and loading the metadata XML, make sure to use it. It will load the correct settings from the SAML IdP and set up most settings correctly!{{ :en:2.0:sso:sso_saml_01-08a_clientsetup1_metadata.png?direct&400 |}} +    * If your SP provides a metadata URL, make sure to use it. It will load the correct settings from the SAML SP and set up most settings correctly!{{ :en:2.0:sso:sso_saml_01-08a_clientsetup1_metadata.png?direct&400 |}} 
-  * **IdP SAML Entity ID** (unique identifier of the Admidio instance): https://[YOUR_ADMIDIO_URL] +  * **Client ID** (unique identifier of the Client
-  * **SSO Endpoint** (where the SP sends the login request): https://[YOUR_ADMIDIO_URL]/modules/sso/index.php/saml/sso +  * **ACS URL** (where responses to login requests are sent to
-  * **SLO Endpoint** (where logout requests are sent to): https://[YOUR_ADMIDIO_URL]/modules/sso/index.php/saml/slo +  * **Single-Log-Out URL** (optional): Backchannel endpoint to log out from all clients 
-  * **x509 Certificate** (to allow clients to verify the cryptographic signatures): PEM-format needs to be copied out of the Admidio preferences+  * **x509 Certificate** (to allow verification of the messages sent by the SP): PEM-format needs to be copied out from the client
  
-  * **User ID**: Whether the client gets the numeric Admidio user id, the globally unique UUID, or the user's login name as user ID+  * **User ID field**: Whether the client gets the numeric Admidio user id, the globally unique UUID, or the user's login name as user ID
   * Further **profile data/fields** transmitted to the client on successful login   * Further **profile data/fields** transmitted to the client on successful login
   * Which **roles / group memberships** are sent to the client on successful login. The data fields and groups can be mapped to different names, if the client cannot handle Admidio's fields and role names. On particular case is the admin role, where many clients use a role named "admin" to grant admin access to a user logged in via SAML.   * Which **roles / group memberships** are sent to the client on successful login. The data fields and groups can be mapped to different names, if the client cannot handle Admidio's fields and role names. On particular case is the admin role, where many clients use a role named "admin" to grant admin access to a user logged in via SAML.
Line 245: Line 247:
 ===== B. Configuring an App (Relying Party) to use SSO with Admidio ===== ===== B. Configuring an App (Relying Party) to use SSO with Admidio =====
  
-<WRAP center round todo 60%> + 
-todo box +Once Admidio is set up to act as an OpenID IdP, the clients (Relying Parties, "RP") can be configured to use Admidio as their login provider. Many systems either support OpenID Connect out of the box or with some plugin. The following settings are needed for setup. They are also available for copying at Admidio's SSO preferences page, as well as in the metadata json (from the discovery URL). 
-</WRAP>+ 
 +  * **Discovery URL** (optional; for automatic setup of clients): https://[YOUR_ADMIDIO_URL]//modules/sso/index.php/oidc 
 +    * If your RP supports auto-configuration, make sure to use it. It will load the correct settings from the SAML IdP and set up most settings correctly! 
 +  * **IdP Isuer** (unique identifier of the Admidio instance): https://modules/sso/index.php/oidc 
 +  * **Authorization Endpoint** (where the RP sends the login request): https://[YOUR_ADMIDIO_URL]/modules/sso/index.php/saml/sso 
 +  * **Token Endpoint** (where the RP sends requests to convert an auth code to a token, i.e. an app-specific password replacement): https://[YOUR_ADMIDIO_URL]/modules/sso/index.php/saml/slo 
 +  * **Userinfo Indpoint** (where the RP can request details about the user):  
 +  * **Scopes** (which groups of profile data are requested by the client): Any of openid (required), profile, address, phone, email, custom, groups, roles 
 +  * **User attribute mapping**: Which data fields (OpenID claims) returned by Admidio correspond to the login name, the full name, the email and possibly the user's group memberships in the RP system. 
 + 
 +In addition each client typically has settings to for further customization.  
 +Also, some clients offer a setting that SAML login is only possible for users that are already manually created in the RP, while others offer a setting to automatically create user accounts on successful SAML login.  
 + 
 +The details always depend on the particular client. See the client-specific instructions for details for a particular client. Other clients should work, too, if they properly implement SAML. The configuration will be similar to the documented clients. 
 + 
 + 
 +[[en:2.0:single_sign_on:oidc_nextcloud|{{:en:2.0:sso:logos:nextcloud.svg?40&nolink|Nextcloud}}]][[en:2.0:single_sign_on:oidc_nextcloud| Nextcloud]] 
 +[[en:2.0:single_sign_on:oidc_dokuwiki|{{:en:2.0:sso:logos:dokuwiki.png?45&nolink|DokuWiki}}]][[en:2.0:single_sign_on:oidc_dokuwiki| DokuWiki]] 
 +[[en:2.0:single_sign_on:oidc_wordpress|{{:en:2.0:sso:logos:wordpress-logotype-standard.png?150&nolink|Wordpress}}]] 
 +[[en:2.0:single_sign_on:oidc_joomla|{{:en:2.0:sso:logos:joomla.png?120&nolink|Joomla}}]] 
 +[[en:2.0:single_sign_on:oidc_mediawiki|{{:en:2.0:sso:logos:mediawiki.svg?120&nolink|MediaWiki}}]] 
 +[[en:2.0:single_sign_on:oidc_moodle|{{:en:2.0:sso:logos:moodle.png?150&nolink|Moodle}}]] 
 +[[en:2.0:single_sign_on:oidc_gitlab|{{:en:2.0:sso:logos:gitlab.svg?110&nolink|Gitlab}}]] 
 +[[en:2.0:single_sign_on:oidc_odoo|{{:en:2.0:sso:logos:odoo_logo.svg?80&nolink|Odoo}}]] 
 +[[en:2.0:single_sign_on:oidc_keycloak|{{:en:2.0:sso:logos:keycloak.svg?120&nolink|Keycloak}}]]
  
  
 ===== C. Configuring Admidio with the Relying Party ===== ===== C. Configuring Admidio with the Relying Party =====
  
-<WRAP center round todo 60%> 
-todo box 
-</WRAP> 
  
 +Once the client is set up to send authentication requests to Admidio, Admidio needs to be configured to respond to them. All OpenID clients (Relying Parties) are configured in the SSO Client Administration page, which can be reached from the SSO Preferences page (https://admidio.local/modules/preferences.php?panel=sso) from the SSO OIDC preferences page.
 +
 +{{ :en:2.0:sso:sso_saml_01-07_clientlist.png?direct&600 |}}
 +
 +To ensure only legitimate login requests from the real client are processed, Admidio needs the entity ID and the Redirect URI. In addition, Admidio will generate a Client Secret (a random string) that needs to be copied to the client's configuration and acts as a client password.
 +The following settings are needed for setup. They MUST be consistent with the settings configured in the OpenID Connect client (RP). 
 +
 +  * **Client ID** (unique identifier of the client): typically the URL of the OpenID client (RP)((Some RPs use basic auth by default, which does not allow special characters in the username. In this case, the URL MUST NOT be used, as this will prevent successful login! Other OpenID clients hardcode the client ID as their URL.))
 +  * **Client Secret** (basically the client's password to access Admidio): Admidio will create this secret when the RP is created and will store it only as a hash in the database. Make sure to copy the secret before saving, as it is not possible to retrieve it later! One can, however, simply recreate a new secret and paste that into the RP's configuration.
 +  * **Redirect URI** (where the user is redirected after successful login)
 +
 +  * **User ID field**: Whether the client gets the numeric Admidio user id, the globally unique UUID, or the user's login name as user ID
 +  * **Permitted scopes**: OpenID defines certain groups of profile data, for which permission can be granted. The RP will include the scopes it is interested in in its login request, and the OpenID Provider (OP, Admidio in our case) will return the profile fields ("claims") corresponding to those scopes, if permission is given. The "openid" scope MUST always be present in OpenID!
 +  * Further **profile data/fields** transmitted to the client on successful login
 +  * Which **roles / group memberships** are sent to the client on successful login. The data fields and groups can be mapped to different names, if the client cannot handle Admidio's fields and role names. On particular case is the admin role, where many clients use a role named "admin" to grant admin access to a user logged in via OpenID.
 +
 +In addition each client typically has some more settings regarding fields <=> claims mapping, groups, auto-generating accounts for new logins, etc. The details depend on the capabilities of the client.
 +
 +{{:en:2.0:sso:sso_oidc_01-08_clientsetup1.png?direct&300|}}{{:en:2.0:sso:sso_oidc_01-09_clientsetup2.png?direct&300|}}{{:en:2.0:sso:sso_oidc_01-10_clientsetup3.png?direct&300|}}
  
  • en/2.0/single_sign_on.1746371945.txt.gz
  • Last modified: 2025/05/04 17:19
  • by kainhofer