{"id":19879974,"url":"https://github.com/cdaecke/md_saml","last_synced_at":"2026-03-09T19:03:14.654Z","repository":{"id":62526447,"uuid":"475513314","full_name":"cdaecke/md_saml","owner":"cdaecke","description":"TYPO3 SSO Login with SAML authentication","archived":false,"fork":false,"pushed_at":"2025-04-30T13:09:15.000Z","size":325,"stargazers_count":7,"open_issues_count":4,"forks_count":12,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-30T14:28:28.391Z","etag":null,"topics":["adfs","authentication","saml","sso","typo3","typo3-cms-extension","typo3-extension"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cdaecke.png","metadata":{"files":{"readme":"Readme.md","changelog":"Changelog.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-03-29T15:48:42.000Z","updated_at":"2025-04-30T13:09:18.000Z","dependencies_parsed_at":"2023-12-12T20:28:43.962Z","dependency_job_id":"5ef3be90-f493-411b-9ed3-2c1aa705cf78","html_url":"https://github.com/cdaecke/md_saml","commit_stats":null,"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdaecke%2Fmd_saml","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdaecke%2Fmd_saml/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdaecke%2Fmd_saml/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdaecke%2Fmd_saml/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/owners/cdaecke","download_url":"https://codeload.github.com/cdaecke/md_saml/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251721192,"owners_count":21632781,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adfs","authentication","saml","sso","typo3","typo3-cms-extension","typo3-extension"],"created_at":"2024-11-12T17:09:53.017Z","updated_at":"2026-03-09T19:03:14.648Z","avatar_url":"https://github.com/cdaecke.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# TYPO3 Extension `md_saml`\nSingle Sign-on extension for TYPO3. It enables you to log into the TYPO3 backend or the website frontend by using an\nIdentity Provider (IdP), for example an ADFS server (Active Directory Federation Services). It is fully configurable by TypoScript.\n\n## Screenshots\nTYPO3 login:\n\n\u003cimg src=\"./Documentation/Images/typo3_login.png?raw=true\" alt=\"TYPO3 login\" width=\"346\" height=\"389\" style=\"border:1px solid #999999\" /\u003e\n\nFrontend login:\n\n\u003cimg src=\"./Documentation/Images/frontend_login.png?raw=true\" alt=\"Frontend login\" width=\"388\" height=\"389\" style=\"border:1px solid #999999\" /\u003e\n\n## Requirements\n- TYPO3 v13.4\n\n## Installation\n- Install the extension with the following composer command: `composer req mediadreams/md_saml` or use the extension manager\n- In module `Site Configuration` add `MdSaml base configuration (ext:md_saml)` in section `Sets for this Site`\n- Activate backend login in the extension configuration. 
Frontend login is activated in the settings of the extension.\n- Configure the extension by overriding the site settings of the extension\n\n## Configuration\n### Site Set\n\nThe Service Provider (SP) and Identity Provider (IdP) can be configured by adding the settings in the Site Set\n`MdSaml base configuration (ext:md_saml)`, which is shipped with this extension.\n\nInclude the Site Set `MdSaml base configuration (ext:md_saml)` in the Site Configuration\nof your website.\n\nNow modify the settings according to your needs. In order to get your custom\nconfiguration in place, add a Site Set in your site package as shown below.\n\nThe following example shows how to modify the default configuration of ext:md_saml:\n\nEXT:my_extension/Configuration/Sets/MdSamlOverrides/config.yaml:\n\n    name: my_extension/md_saml\n    label: MdSaml config for my website\n    dependencies:\n      - mediadreams/md_saml\n\nEXT:my_extension/Configuration/Sets/MdSamlOverrides/settings.yaml:\n\n    md_saml:\n      mdsamlSpBaseUrl: 'https://%env(BASE_DOMAIN)%'\n\n      be_users:\n        databaseDefaults:\n          usergroup: 3\n          lang: 'de'\n\n      fe_users:\n        saml:\n          sp:\n            entityId: '/login/?loginProvider=1648123062\u0026mdsamlmetadata'\n            assertionConsumerService:\n              url: '/login/?loginProvider=1648123062\u0026login-provider=md_saml\u0026login_status=login\u0026acs\u0026logintype=login'\n\n      saml:\n        sp:\n          x509cert: '%env(SAML_SP_X509CERT)%'\n          privateKey: '%env(SAML_SP_PRIVATE_KEY)%'\n\n        idp:\n          entityId: 'https://auth.myprovider.de/adfs/services/trust'\n          singleSignOnService:\n            url: 'https://auth.myprovider.de/adfs/ls/'\n\n          singleLogoutService:\n            url: 'https://auth.myprovider.de/adfs/ls/'\n\n          x509cert: '%env(SAML_IDP_X509CERT)%'\n\n    baseVariants:\n      - condition: 'applicationContext == \"Development\"'\n        md_saml:\n          
mdsamlSpBaseUrl: \"https://mysite.ddev.site\"\n\n      - condition: 'applicationContext == \"Testing\"'\n        md_saml:\n          mdsamlSpBaseUrl: \"https://test.domain.com\"\n\nAs you can see, you can use either environment variables or `baseVariants` in your configuration in order\nto configure different setups.\n\nATTENTION\nSomehow, it is not possible to use environment variables in site sets at the moment. So if you want to use env vars, do it in the general site configuration in `\u003cproject-root\u003e/config/sites/\u003cidentifier\u003e/settings.yaml`. Add the following to the settings file:\n\n    md_saml:\n      mdsamlSpBaseUrl: '%env(SAML_BASE_DOMAIN)%'\n\nGeneral information on site sets can be found\n[here](https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/ApiOverview/SiteHandling/SiteSets.html).\n\n#### SAML\n\n- Set a base URL in `md_saml.mdsamlSpBaseUrl` for all endpoints\n- Generate a certificate for the Service Provider (SP)\u003cbr\u003e\n`openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out sp.crt -keyout sp.key`\n- Open the certificate files and remove all line breaks. Copy the value of `sp.crt` to\n`md_saml.saml.sp.x509cert` and the value of `sp.key` to `md_saml.saml.sp.privateKey`\n\n**Backend**\n\nActivate backend login in the extension configuration. 
Go to\n`Settings -\u003e Extension Configuration -\u003e md_saml` and check/uncheck the checkbox.\n\n- `md_saml.be_users.saml.sp.entityId`\u003cbr\u003e\nIdentifier of the backend (TYPO3) SP entity (must be a URI)\u003cbr\u003e\nATTENTION: `mdsamlSpBaseUrl` will be prepended automatically\u003cbr\u003e\nDefault: `/typo3/index.php?loginProvider=1648123062\u0026mdsamlmetadata`\n- `md_saml.be_users.saml.sp.assertionConsumerService.url`\u003cbr\u003e\nSpecifies where and how the `\u003cAuthnResponse\u003e` message of a backend (TYPO3) login MUST be returned to the\nrequester, in this case our SP.\u003cbr\u003e\nDefault: `/typo3/index.php?loginProvider=1648123062\u0026login-provider=md_saml\u0026login_status=login\u0026acs`\n\n**Frontend**\n\nBy default frontend login is enabled and it will load a different login template.\nDeactivate the frontend login by setting `md_saml.fe_users.active = false`.\n\n\n- `md_saml.fe_users.saml.sp.entityId`\u003cbr\u003e\nIdentifier of the frontend SP entity (must be a URI)\u003cbr\u003e\nATTENTION: `mdsamlSpBaseUrl` will be prepended automatically\u003cbr\u003e\nExample (just replace the speaking path (\"/login/\") according to your needs): `/login/?loginProvider=1648123062\u0026mdsamlmetadata`\n- `md_saml.fe_users.saml.sp.assertionConsumerService.url`\u003cbr\u003e\nSpecifies where and how the `\u003cAuthnResponse\u003e` message of a frontend login MUST be returned to the requester,\nin this case our SP.\u003cbr\u003e\nExample (just replace the speaking path (\"/login/\") according to your needs): `/login/?loginProvider=1648123062\u0026login-provider=md_saml\u0026login_status=login\u0026acs\u0026logintype=login`\n\n**Note**\n\nAll default settings configured in `md_saml.saml` can be overridden for backend or\nfrontend needs with properties in `md_saml.be_users.saml...` (backend) and\n`md_saml.fe_users.saml...` (frontend).\n\nThe OneLogin PHP SAML toolkit is used as the underlying SAML library (no account with 
OneLogin is needed!).\nSee the full [documentation](https://github.com/onelogin/php-saml) for details on the configuration.\n\n#### Users\nYou are able to create new users if they are not present at the time of login.\n- Backend\u003cbr\u003e\n`md_saml.be_users.createIfNotExist`...\u003cbr\u003e\nDefault = 1, so be_users will be created if they do not exist.\n- Frontend\u003cbr\u003e\n`md_saml.fe_users.createIfNotExist`...\u003cbr\u003e\nDefault = 1, so fe_users will be created if they do not exist.\n\nYou are able to update existing users if they are already present at the time of login.\n- Backend\u003cbr\u003e\n`md_saml.be_users.updateIfExist`...\u003cbr\u003e\nDefault = 1, so be_users will be updated if they exist.\n- Frontend\u003cbr\u003e\n`md_saml.fe_users.updateIfExist`...\u003cbr\u003e\nDefault = 1, so fe_users will be updated if they exist.\n\n**Backend**\n\n- `md_saml.be_users.createIfNotExist`\u003cbr\u003e\nDecide whether a new backend user should be created (Default = 1)\n- `md_saml.be_users.updateIfExist`\u003cbr\u003e\nDecide whether a backend user should be updated (Default = 1)\n- `md_saml.be_users.databaseDefaults`...\u003cbr\u003e\nThis section allows you to set defaults for a newly created backend user. You can add any fields of the database here.\u003cbr\u003e\nExample: `md_saml.be_users.databaseDefaults.usergroup = 123` will create a new user with usergroup 123 attached.\n\n**Frontend**\n\n- `md_saml.fe_users.createIfNotExist`\u003cbr\u003e\nDecide whether a new frontend user should be created (Default = 1)\n- `md_saml.fe_users.updateIfExist`\u003cbr\u003e\nDecide whether a frontend user should be updated (Default = 1)\n- `md_saml.fe_users.databaseDefaults`...\u003cbr\u003e\nThis section allows you to set defaults for a newly created frontend user. 
You can add any fields of the database here.\u003cbr\u003e\nExample: `md_saml.fe_users.databaseDefaults.usergroup = 123` will create a new user with usergroup 123 attached.\u003cbr\u003e\nATTENTION: `md_saml.fe_users.databaseDefaults.pid` will be used as the storage page for newly created fe_users.\n\n#### SSO\nThe attribute names returned by the SSO provider can be anything. With the following configuration, map the returned\nattribute names to the field names needed in TYPO3:\n\n**Backend**\n\n- `md_saml.be_users.transformationArr`\u003cbr\u003e\nExample: `md_saml.be_users.transformationArr.username = http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname` \u003cbr\u003e\nThe above example maps the claim returned by an ADFS server that contains the username for TYPO3.\n\n**Frontend**\n\n- `md_saml.fe_users.transformationArr`\u003cbr\u003e\nExample: `md_saml.fe_users.transformationArr.username = http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname` \u003cbr\u003e\nThe above example maps the claim returned by an ADFS server that contains the username for a frontend user.\n\n### ADFS\nThe following steps are an example of how to configure an ADFS server as IdP (Identity Provider).\n\nSince I don't have the configuration in English, the following section is available in German only. I am sorry for that!\n\n- Get the SP (Service Provider) metadata. Log into TYPO3 (important!) and call `/typo3/index.php?loginProvider=1648123062\u0026mdsamlmetadata\u0026loginType=backend`\nfor the backend configuration and `/typo3/index.php?loginProvider=1648123062\u0026mdsamlmetadata\u0026loginType=frontend` for the\nfrontend configuration.\n- Create a new `Vertrauensstellung der vertrauenden Seite` (relying party trust)\n\n    1. Willkommen (Welcome)\n\n        - Select the mode `Ansprüche unterstützen` (claims aware)\n        - Click the `Start` button\n\n    2. 
Datenquelle auswählen (Select data source)\n\n        - Select the option `Daten über vertrauende Seite aus einer Datei importieren` (import data about the relying party from a file)\n        - Select the metadata XML from the first step\n        - Click the `Weiter` (Next) button\n\n    3. Anzeigennamen angeben (Specify display name)\n\n        - Enter a value for `Anzeige Name`\n        - Click `Weiter`\n\n    4. Zugriffssteuerungsrichtlinie auswählen (Choose access control policy)\n\n        - In the field `Wählen Sie eine Zugriffssteuerungsrichtlinie aus`, select `Zugriff-OTP`\n        - Click `Weiter`\n\n    5. Bereit zum Hinzufügen der Vertrauensstellung (Ready to add trust)\n\n        - Check the data and click `Weiter`\n\n    6. Fertig stellen (Finish)\n\n        - Click `Schließen` (Close)\n\n- Check `Ansprucheaustellungsrichtlinie für diese Anwendung konfigurieren` (configure claim issuance policy for this application)\n- Add a new rule with `Regel hinzufügen ...` (Add rule ...)\n- In the field `Anspruchsregelvorlage` (claim rule template), select the option `Ansprüche mithilfe einer benutzerdefinierten Regel senden` (send claims using a custom rule) and click `Weiter`\n- In the field `Anspruchsregelname` (claim rule name), enter the value `Name Identifier`\n- In the field `Benutzerdefinierte Regel` (custom rule), enter the following:\u003cbr\u003e\n`c:[Type == \"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname\"] =\u003e issue(Type = \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties[\"http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format\"] = \"urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName\");`\n- Click the `Fertig stellen` button\n- Add another rule by clicking `Regel hinzufügen ...`\n- In the field `Anspruchsregelvorlage`, select `Ansprüche mithilfe einer benutzerdefinierten Regel senden` and click `Weiter`\n- In the field `Anspruchsregelname`, enter `Data Rule`\n- In the field `Benutzerdefinierte Regel`, enter the following:\u003cbr\u003e\n`c:[Type == \"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname\", Issuer == \"AD AUTHORITY\"] 
=\u003e issue(store = \"Active Directory\", types = (\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\", \"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname\", \"distinguishedName\", \"memberOf\"), query = \";mail,displayName,sn,sAMAccountName,distinguishedName,memberOf;{0}\", param = c.Value);`\n- Click the `Fertig stellen` button\n- Leave the `Ansprucheaustellungsrichtlinie` with `OK`\n\nATTENTION:\u003cbr\u003eThe order of the rules matters! The first one must be the `Name Identifier` rule!\n\nFinally, in the `Bezeichner` (Identifiers) tab of the `Vertrauensstellung`, enter the value configured in `md_saml.mdsamlSpBaseUrl`\nin the field `Bezeichner der vertrauenden Seite` (relying party identifier).\n\n### TYPO3\n\n#### General\n\u003cul\u003e\n    \u003cli\u003e\n        In `settings.php` or `additional.php` the `['BE']['cookieSameSite']` must be set to `lax`:\u003cbr\u003e\n        \u003cpre\u003e\u003ccode\u003e$GLOBALS['TYPO3_CONF_VARS']['BE']['cookieSameSite'] = 'lax';\u003c/code\u003e\u003c/pre\u003e\n    \u003c/li\u003e\n    \u003cli\u003e\n        In `Site Configuration` set the value of `Entry Point` (`base`) to a fully qualified entry point.\n        For example set `https://www.domain.tld/` instead of just using `/`.\n    \u003c/li\u003e\n\u003c/ul\u003e\n\n#### Site Config\n```yaml\nerrorHandling:\n    errorCode: 403\n    errorHandler: PHP\n    errorPhpClassFQCN: Mediadreams\\MdSaml\\Error\\ForbiddenHandling\n```\n#### Change User Event\n\nEvent to customize user data before insert/update on login.\n\n```php\nnamespace XXX\\XXX\\EventListener;\n\nuse Mediadreams\\MdSaml\\Event\\ChangeUserEvent;\nuse TYPO3\\CMS\\Core\\Utility\\GeneralUtility;\n\nfinal class AddGroupChangeUserEventListener {\n\n  protected int $adminGroupUid = 3;\n\n  // Called on every SSO login before the user record is inserted/updated\n  public function __invoke(ChangeUserEvent 
$event): void\n  {\n    // get the current user data\n    $userData = $event-\u003egetUserData();\n    $email = $userData['email'] ?? null;\n    // replace this placeholder with your own condition (e.g. on $email); if it holds, add the group\n    if (1) {\n      // usergroup may be empty for a freshly created user; drop empty values so no \"0\" group is produced\n      $usergroups = GeneralUtility::intExplode(',', (string)($userData['usergroup'] ?? ''), true);\n      $usergroups[] = $this-\u003eadminGroupUid;\n      // change some data (array_unique avoids adding the group twice on repeated logins)\n      $userData['usergroup'] = implode(',', array_unique($usergroups));\n      // save the new data back to the event\n      $event-\u003esetUserData($userData);\n    }\n  }\n}\n```\nYou must register the event listener in `Services.yaml`.\n\n## FAQ\n\u003cdl\u003e\n    \u003cdt\u003eIs it possible to remove the default login with username and password?\u003c/dt\u003e\n    \u003cdd\u003e\n        Yes, just add the following line to the `ext_localconf.php` of your extension:\u003cbr\u003e\n        \u003cpre\u003e\u003ccode\u003eunset($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['backend']['loginProviders'][1433416747]);\u003c/code\u003e\u003c/pre\u003e\n    \u003c/dd\u003e\n    \u003cdt\u003eI get a `1648646492 RuntimeException, The site configuration could not be resolved.`\u003c/dt\u003e\n    \u003cdd\u003e\n        Make sure that the domain of your website is configured in the site configuration\n        (`sites/identifier/config.yaml`) for `base`.\n    \u003c/dd\u003e\n    \u003cdt\u003eThe template for the frontend login is not loaded.\u003c/dt\u003e\n    \u003cdd\u003e\n        If the website uses a mixed setup consisting of a TypoScript template (sys_template)\n        and site sets, it is important to uncheck the \"Clear\" flag for constants and setup in the\n        TypoScript template. 
If the \"Clear\" flag is checked (default), TypoScript settings\n        from site sets are cleared and therefore do not apply.\n    \u003c/dd\u003e\n\u003c/dl\u003e\n\n## Troubleshooting\nIf your login fails with the parameter `?commandLI=setCookie` (typo3/index.php?commandLI=setCookie), please make sure\nthat you have set `$GLOBALS['TYPO3_CONF_VARS']['BE']['cookieSameSite'] = 'lax';`.\n\n## Bugs and Known Issues\nIf you find a bug, please open an issue on [GitHub](https://github.com/cdaecke/md_saml/issues).\n\n# THANKS\nThanks a lot to all who make this outstanding TYPO3 project possible!\n\n## Credits\n- Thanks to the guys at OneLogin who provide the [SAML toolkit for PHP](https://github.com/onelogin/php-saml), which I use.\n- Extension icon by [Font Awesome](https://fontawesome.com/icons/key?s=solid).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcdaecke%2Fmd_saml","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcdaecke%2Fmd_saml","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcdaecke%2Fmd_saml/lists"}