Single-Sign-On into Mailman3 using Admidio as an OpenID Provider

Starting with version 5.0, Admidio can be used by other applications to authenticate users against Admidio's user base. These instructions will guide you through the process of connecting Mailman3 to Admidio to use Admidio's login. For general instructions, and other apps, please visit the general Single-Sign-On overview page.

Mailman3 provides OpenID Connect login] out of the box using the [[https://docs.allauth.org/en/latest/index.html|django-allauth library.

Throughout the document we will assume you have both Admidio and Mailman3 already set up properly at https://admidio.local/ and https://mailman.local/. Please modify these URLs to your actual installation.

As a first step, one needs to configure Admidio to act as an OpenID Provider (OP). This has to be done once and is not specific to Mailman3. Please follow this guide: #a_basic_setup_for_admidio_as_an_oidc_id_provider

Basically, one (1) needs to create a cryptographic key to sign message and choose a unique EntityID. The page https://admidio.local/adm_program/modules/preferences.php?panel=sso also provides the link to the metadata xml, and the individual settings in case a client does not support auto-configuration via metadata.

Setting up a client (OpenID “Relying Party” - short RP) to use Admidio's user accounts for logging in consists of two steps: (1) The client (RP, Mailman3 in our case) needs to be set up with the data about the OpenID Provider (OP). One has to manually paste the Admidio endpoint URLs of the OpenID provider into the client's configuration. Admidio provides copy buttons in the preferences screen, so this is rather straightforward. (2) Admidio needs to be told about the client. In particular, the entity ID and the redirect URL must be given, and a custom-generated (random) secret must be copied to the client configuration.

The concrete steps are:

• At the Relying Party (RP) - Mailman3 in our case - install the extension to support OpenID login.
  • Configure it with Admidio's Discovery URL in the settings. Auto-discovery means that the JSON file provided by Admidio will always contain the current endpoint URLs for authorization, token, userinfo, jwks, etc. Admidio already provides this information out of the box
  • Also, choose which scopes (groups of profile fields) should be requested from Admidio (“openid” is required; Since the OpenID Mailman3 plugin does not support groups mapping, the “groups” scope is not relevant and has no use, but other profile fields might be useful.
• In Admidio, create a new OpenID client.
  • Choose an easily understood label for the client (only used in Admidio's list of clients and in the login form, but has no technical use)
  • Enter the ClientID from the RP, Copy the created Client Secret (you will later need to paste it into the Mailman3 configuration), and enter the Redirect URI for the RP. The latter includes the provider_id and has the form https://[YOUR_MAILMAN]/accounts/[PROVIDER_ID]/login/callback/.
  • In Admidio, map the user ID, username, email and fullname to fields that are included in the OpenID login response (so-called “claims”) and enter the corresponding claim names in Mailman3.

Although Mailman3 already provides the OpenID login functionality, the corresponding backend needs to be enabled in the /opt/mailman-web/settings_local.py:

MAILMAN_WEB_SOCIAL_AUTH = [
    'allauth.socialaccount.providers.openid_connect',
]

Also make sure the /opt/mailman-web/urls.py contains the correct routes to the allauth plugin:

urlpatterns = [
    ...
    path(r'accounts/', include('allauth.urls')),
    ...
]

The OpenID Provider can be configured in Mailman3 either textually in the /opt/mailman-web/settings_local.py configuration file or via the graphic Django UI available at https://[YOUR_MAILMAN]/admin/. Both methods are equivalent. However, Mailman currently only supports one OpenID provider at the same time. If you set up two or more providers, an error message about duplicate objects will be triggered ('MultipleObjectsReturned at /accounts/login/').

To set up the OpenID provider with the admin GUI, go to the Django admin backend https://[YOUR_MAILMAN]/admin/ and log in as Mailman admin.

• Go to the Accounts section and select “Social Apps”, where you can add a new OpenID provider through Admidio:

• It is now a good idea to keep two browser windows open with Admidio and Mailman3's configuration so one can easily select and copy the settings. Admidio even provides little “copy” buttons/icons to copy the various settings to the clipboard for easy pasting into the Mailman3 configuration.

Return to Admidio's SSO preferences page, go to the “Single-Sign-On Client Administration” (the button right below the endpoint URLs and above the “Save” button), and create a new client.

The settings in Mailman3's and Admidio's OpenID setup need to match. Most of the settings can be copied over from Admidio to Mailman3 or vice versa:

• The Client Name is the label of the client in Admidio's client list, it can be anything you like.
• The “Client ID” and “Client Secret” in Admidio and Mailman3 have to match exactly. The ID is typically the client's URL, although some clients allow any unique identifier. The Client Secret should a random string and will serve like a password. Admidio will create one and allow it to be copied to the client. Afterwards it is only stored as a hash in the database and not be recovered any more. However, one can create a new Client Secret in Admidio and copy that to the client's configuration.
• Copy over the Discovery URL from Admidio into Mailman3. Admidio provides little “copy” icons for this. The URL needs to be entered in the Settings: field in the form:

  {"server_url": "[DISCOVERY_URL]"}

• Enter the scopes you desire in the Mailman3 config and make sure that Admidio's config matches it. At least openid must be included (Admidio will implicitly add it).
• In mailman, choose a provider_id, which will be part of the redirect URL that needs to be entered into Admidio. The Redirect URL for Admidio is:

  https://[YOUR_MAILMAN]/accounts/[PROVIDER_ID]/login/callback/

After saving the changes (both in Mailman3 and Admidio), the apps should should now be set up for single-sign-on in Mailman3.

OpenID Login in Mailman3 does not work for the main administrator, but only for “additional administrator acounts”. They can be set up as main administrator in the “Tools & Settings” area:

The email address will be used to match logins to existing additional admin accounts.

Admidio and Mailman3 should now be set up to use Admidio for logging in to Mailman3. If you log out of Mailman3 and try to log in again, you will be shown the Admidio login screen and then redirected back to Mailman3 after a successful login.

• Mailman currently only supports one OpenID provider at the same time. If you set up two or more providers, an error message about duplicate objects will be triggered ('MultipleObjectsReturned at /accounts/login/'). You need to remove (or comment out in settings_local.py) all OpenID providers except for one.