miniOrange SAML 2.0 SP Plugin
SAML 2.0 Single Sign On (SSO) Authentication for OctoberCMS
miniOrange SAML 2.0 SSO allows users held at a SAML 2.0 compliant Identity Provider to log in to your OctoberCMS website. We support all known IdPs - miniOrange, Google Apps, ADFS, Okta, Salesforce, Shibboleth, SimpleSAMLphp, OpenAM, Centrify, Ping, RSA, IBM, Oracle, OneLogin, Bitium, WSO2, NetIQ etc. If you need detailed instructions on setting up these IdPs, we can provide step-by-step instructions.
The miniOrange SAML SSO Plugin acts as a SAML 2.0 Service Provider which can be configured to establish trust between the plugin and various SAML 2.0 supported Identity Providers, so that users are securely authenticated to OctoberCMS.
- Easily configure the Identity Provider by providing just the SAML Login URL, IDP Entity ID and Certificate.
- Easily integrate the login link with your OctoberCMS site using the SSO Button Component. Just drop it in a desirable place on your site.
- Automatic user registration after login if the user is not already registered with your site.
- Standard Attribute Mapping maps the response to your users' username and email credentials.
- Supports both Backend and Frontend authentication.
This plugin requires the RainLab.User plugin to be installed in your OctoberCMS instance.
The plugin depends on and automatically integrates with the user management provided by the RainLab.User plugin. All users are created and authenticated based on the email address received in the NameID through the SAML 2.0 SP plugin, and can be seen in the Users view provided by the RainLab.User plugin.
This plugin creates a main menu item, Single Sign On, found in the main nav bar at the top of the page. This menu has three side menu items - Plugin Settings, Upgrade and Support. Plugin Settings allows configuration of the SAML settings. You will see three tabs - IdP Settings, SP Settings and Attribute Mapping - which are explained in detail below.
In the IdP Settings tab, fill in the Single Sign On endpoints/URLs/details supplied by your Identity Provider.
- IDP Name : This field is not critical to the functionality of the plugin and is provided only for your convenience.
- IDP Entity ID : This is the first of the required fields for working functionality and is provided by your Identity Provider. Also known as IDP Issuer ID.
- SAML Login URL : This is the second of the required fields for working functionality and is provided by your Identity Provider. Also known as Single Sign On URL.
- SAML x509 Certificate : This is the third of the required fields for working functionality and is provided by your Identity Provider.
Make sure to click Save.
All three required fields are critical to SAML authentication, and the Test Configuration feature provided at the bottom of the page should be used to make sure your configuration is correct. Make sure to hit Save before clicking Test Configuration.
The SP Settings tab automatically generates and provides you with the minimum endpoints that you need to provide to your Identity Provider: the SP Entity ID (also known as Audience URI or SP Issuer ID) and the ACS URL (also known as Single Sign On URL). The Download Certificate link can be used to download the SP's public certificate in case the Identity Provider requires it.
The Attribute Mapping tab is disabled in the free version. However, you will see "NameID" as the default value in the Username and Email fields. The value received in the NameID is stored as the user's username and email when a new user is created.
On the left-hand side pane, you will see the Upgrade menu. Here you can compare the features of the Free version with the Premium version of the plugin.
On the left-hand side pane, you will see the Support menu. Using the form on this page you can send a query to miniOrange Security Software regarding technical difficulties or a premium upgrade. To access the support form you only need to register for free with miniOrange by entering a valid email address and a password.
SSO Button Component
The SSO Button can be placed on any page, and clicking it starts the Single Sign On flow. To make it easy for end users to find, place it on the same page as the login/account form provided by the User plugin, but this is entirely up to you: the placement of the button does not affect its functionality in any way, and the SSO Button does not depend on any other component being present on the same page.
Admin/backend users can Single Sign On into the backend using the same SAML configuration. They are authenticated against the email address registered under their backend account. A "Single Sign On" button is automatically generated on the backend login screen.
You can upgrade to the premium version of this plugin for the following features.
- Advanced Attribute Mapping
- Configurable SAML request binding type
- SAML Single Logout
- Force Authentication and Auto-Redirect to IdP
- Signed Response and Assertion
The RainLab.User plugin is required (see above). Install this plugin from the command line with:
php artisan plugin:install Miniorange.Samlsp
Main Navigation Bar: Single Sign On > Plugin Settings
IDP Settings Example
IDP Name : YouCanNameYourIdpAnything
SAML Login URL : https://your-idp.com/saml/sso
IDP Entity ID : https://your-id.com/some-random-string
The plugin generates a SAML request, consisting of the various tags and their values, based on your IDP Settings configuration. This request is sent to the URL specified in the SAML Login URL field. Provided you have entered the details from the SP Settings tab at your IDP correctly, the IDP sends a response, which is received at the ACS URL. The plugin then processes the response and verifies it against the x509 certificate provided in IDP Settings. It also checks other parameters, such as those in SP Settings, whether or not they are configurable options of the plugin (this is unrelated to the locked premium features).

On successful verification of the response, a user is created if one does not already exist and is logged into the front end; users whose email address already exists are logged in directly. A similar process applies to backend users, except that the plugin does not create a backend user if none exists: it only logs in existing backend users against their registered email addresses.

Test Configuration in IDP Settings follows the same process without the user-management steps. It displays whether the response was a success or, in case of a misconfiguration, a failure. The report shows the attributes received in the response and, in some cases, suggestions on how to rectify a given failure.
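The response checks described above, as an added example that is not the plugin's own code (written in Python rather than the plugin's PHP so it runs stand-alone): it validates a constructed SAML Response against the IDP Entity ID, ACS URL and SP Entity ID values that would come from the IDP Settings and SP Settings tabs, and extracts the NameID that the free version maps to username and email. The CONFIG values and SAMPLE_RESPONSE are constructed placeholders, and the XML signature check against the IdP x509 certificate is assumed to have been done by a library beforehand.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed values standing in for the plugin's IDP Settings and SP Settings tabs.
CONFIG = {"idp_entity_id": "https://your-idp.com/some-random-string",
          "sp_entity_id": "https://your-site.example/saml/metadata",
          "acs_url": "https://your-site.example/saml/acs"}

def _ts(value):
    # SAML timestamps are UTC ISO 8601 with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, cfg, now):
    """Return (ok, reason, name_id). Assumes the XML-DSig signature was already
    verified against the IdP x509 certificate; that step is not implemented here."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "IdP did not report a Success status", None
    if root.get("Destination") != cfg["acs_url"]:
        return False, "Destination does not match the SP's ACS URL", None
    a = root.find("saml:Assertion", NS)
    if a is None:
        return False, "Response carries no Assertion", None
    if a.findtext("saml:Issuer", namespaces=NS) != cfg["idp_entity_id"]:
        return False, "Issuer does not match the configured IDP Entity ID", None
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "Assertion is missing Conditions or outside its validity window", None
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if cfg["sp_entity_id"] not in audiences:
        return False, "Audience does not include the SP Entity ID", None
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "Assertion has no NameID to map to username/email", None
    return True, "ok", name_id  # NameID becomes both username and email (free version)

# Constructed minimal response as the IdP would POST it to the ACS URL (signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://your-site.example/saml/acs">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion><saml:Issuer>https://your-idp.com/some-random-string</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2019-06-27T10:00:00Z" NotOnOrAfter="2019-06-27T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://your-site.example/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
```

A mismatched SP Entity ID at the IdP, or a clock skew that pushes the request outside the validity window, shows up here as a failed check with a reason, which is the kind of misconfiguration the plugin's Test Configuration report points out.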
Found the plugin useful on 27 Jun, 2019
One of the great things, if one goes with the miniOrange SSO plugin, is the high-quality support. miniOrange has multiple support staff who know what they are doing and will help you to ensure that the plugin is working correctly. Thank you!
- Nov 13, 2019: Updated table miniorange_samlsp_saml_config
- Jun 05, 2019: Improved upgrade flow
- May 24, 2019
- May 23, 2019: Fixed Support Form
- May 21, 2019: Created table miniorange_samlsp_customer_details
- May 21, 2019