Single-Sign-On into Plesk using Admidio as an OpenID Provider

Starting with version 5.0, Admidio can be used by other applications to authenticate users against Admidio's user base. These instructions will guide you through the process of connecting Plesk to Admidio to use Admidio's login. For general instructions, and other apps, please visit the general Single-Sign-On overview page.

Plesk provides OpenID Connect login through the OAuth Login plugin. This is not a free plugin, but charges a yearly or monthly license fee. In this tutorial, we will describe how to set it up properly for single-sign on using Admido's user accounts.

Throughout the document we will assume you have both Admidio and Plesk already set up properly at https://admidio.local/ and https://plesk.local/. Please modify these URLs to your actual installation.

As a first step, one needs to configure Admidio to act as an OpenID Provider (OP). This has to be done once and is not specific to Plesk. Please follow this guide: #a_basic_setup_for_admidio_as_an_oidc_id_provider

Basically, one (1) needs to create a cryptographic key to sign message and choose a unique EntityID. The page https://admidio.local/adm_program/modules/preferences.php?panel=sso also provides the link to the metadata xml, and the individual settings in case a client does not support auto-configuration via metadata.

Setting up a client (OpenID “Relying Party” - short RP) to use Admidio's user accounts for logging in consists of two steps: (1) The client (RP, Plesk in our case) needs to be set up with the data about the OpenID Provider (OP). One has to manually paste the Admidio endpoint URLs of the OpenID provider into the client's configuration. Admidio provides copy buttons in the preferences screen, so this is rather straightforward. (2) Admidio needs to be told about the client. In particular, the entity ID and the redirect URL must be given, and a custom-generated (random) secret must be copied to the client configuration.

The concrete steps are:

• At the Relying Party (RP) - Plesk in our case - install the extension to support OpenID login.
  • Configure it with Admidio's endpoint URLs for authentication, token and userinfo, and enter the EntityID. Auto-discover is currently not supported by the Plesk plugin.
  • Also, choose which scopes (groups of profile fields) should be requested from Admidio (“openid” is required; Since the OpenID Plesk plugin does not support groups mapping, the “groups” scope is not relevant and has no use, but other profile fields might be useful.
• In Admidio, create a new OpenID client.
  • Choose an easily understood label for the client (only used in Admidio's list of clients and in the login form, but has no technical use)
  • Enter the ClientID from the RP, Copy the created Client Secret (you will later need to paste it into the Plesk configuration), and enter the Redirect URI for the RP. The latter can be found on the plugin's configuration page in Plesk.
  • In Admidio, map the user ID, username, email and fullname to fields that are included in the OpenID login response (so-called “claims”) and enter the corresponding claim names in Plesk.

First, install the OAuth Login plugin in Plesk from the plugin directory:

• After installing this plugin, go to the plugin list and click the “Open” button of the OAuth Login plugin.
• It is now a good idea to keep two browser windows open with Admidio and Plesk's configuration so one can easily select and copy the settings. Admidio even provides little “copy” buttons/icons to copy the various settings to the clipboard for easy pasting into the Plesk configuration.

The next step is to set up Admidio to receive login requests from Plesk. This is done by adding an OpenID client in Admidio. Return to Admidio's SSO preferences page, go to the “Single-Sign-On Client Administration” (the button right below the endpoint URLs and above the “Save” button), and create a new client.

The settings in Plesk's and Admidio's OpenID setup need to match. Most of the settings can be copied over from Admidio to Plesk or vice versa:

• The Client Name is the label of the client in Admidio's client list, it can be anything you like.
• The “Client ID” and “Client Secret” in Admidio and Plesk have to match exactly. The ID is typically the client's URL, although some clients allow any unique identifier. The Client Secret should a random string and will serve like a password. Admidio will create one and allow it to be copied to the client. Afterwards it is only stored as a hash in the database and not be recovered any more. However, one can create a new Client Secret in Admidio and copy that to the client's configuration.
• Copy over the various endpoint URLs from Admidio into Plesk. Admidio provides little “copy” icons for this.
• Enter the scopes you desire in the Plesk config and make sure that Admidio's config matches it. At least openid must be included (Admidio will implicitly add it).

• Plesk will display its Redirect URL at the top of the plugin config. Enter this URL in Admidio.

After saving the changes (both in Plesk and Admidio), the apps should should now be set up for single-sign-on in Plesk.

OpenID Login in Plesk does not work for the main administrator, but only for “additional administrator acounts”. They can be set up as main administrator in the “Tools & Settings” area:

The email address will be used to match logins to existing additional admin accounts.

Admidio and Plesk should now be set up to use Admidio for logging in to Plesk. If you log out of Plesk and try to log in again, you will be shown the Admidio login screen and then redirected back to Plesk after a successful login.

• The OpenID (OAuth Login) plugin in Plesk only allows additional admin accounts to log in, not the main admin account and neither all “ordinary” users that try to adjust their email settings.