Magento2 WebSSO

About the WebSSO Module

This module allows your Magento 2 installation to communicate with Identity Providers including:

  • Microsoft ADFS2.x / 3.x / SharePoint
  • SalesForce
  • Google Accounts
  • NetIQ
  • OneLogin
  • SimpleSAMLPhp
  • And many more!

Protocols Supported:

  • SAML2.0
  • OAuth2
  • OpenID


Setup step 1 - Installing the extension

Composer Installation: Contact us to get a token for your composer installation

You can easily install this extension with composer by going to your account page on our website and following the composer installation instructions available on that page.

Alternative Installation: Download and unpack the module

The module is in Marketplace format. Therefore, you need to do the following to install it:

Go to your project root and execute the following:

cd /your-project-root
mkdir -p app/code/Wizkunde/WebSSO
cd app/code/Wizkunde/WebSSO
tar -zxvf Wizkunde_WebSSO-<version>.tgz
composer require wizkunde/samlbase:~1.2.8
composer require league/oauth2-client:~2.2



Setup step 2: Install the module

bin/magento setup:upgrade



Setup Step 3: If you are running in production mode, you also have to execute:

bin/magento setup:di:compile


Setup Step 4: Deploy all the template files to the proper location:

bin/magento setup:static-content:deploy




Setup Step 5: Make sure all the caches are cleaned

Run: bin/magento cache:clean



Setup step 6: Creating an Identity Provider configuration setting

In Magento 2 go to Wizkunde -> Servers and click "Add new"

General Information


  • Name - A friendly name for display purposes
  • Identifier - A unique identifier, especially useful when you use 2 or more IDPs in your installation
  • Server Type - Protocol to use to communicate with your Identity Provider

SAML2: Identity Provider Information


  • NameID - The Name ID of your current Service Provider which is known in the trust relation on your IDP
  • Metadata URL - Identity Provider Metadata URL
  • Is Passive - Can allow authentication methods that do not show the user any input
  • SSO Binding - The binding needed for the SSO connection
  • SLO Binding - The binding needed for the SLO connection
  • Metadata expiration in seconds - We cache the metadata to speed up the site loading process
  • Sign SP Metadata - Whether to sign the Service Provider metadata or not
  • Ignore SSO - No session will be stored; if the Magento session expires, an IDP login screen reappears
  • Certificate Data (CRT) - The X.509 certificate used to communicate with the SAML2 IDP server (preshared)
  • Private Key (PEM) - The X.509 private key used to communicate with the SAML2 IDP server
  • Certificate Passphrase - Optional passphrase to unlock the certificate
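An added example (not part of the module or this page) of what the Metadata URL, SSO Binding, SLO Binding and metadata expiration settings above depend on: it parses a constructed IdP metadata document, extracts the endpoint per binding and the signing certificate fingerprint, and flags settings that would not work or would be unsafe, such as a cache TTL longer than the document's validUntil or an endpoint not served over TLS. The entity, endpoints and certificate bytes are placeholders, not a real IdP.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING = {"HTTP-Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
           "HTTP-POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}
# Constructed sample IdP metadata: placeholder entity, endpoints and certificate
# bytes, not a real IdP. The SLO endpoint is deliberately plain http.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"
  entityID="https://idp.example.test/saml" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="%s" Location="http://idp.example.test/slo"/>
    <md:SingleSignOnService Binding="%s" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (NS["md"], NS["ds"], base64.b64encode(b"placeholder-der").decode(),
                             BINDING["HTTP-Redirect"], BINDING["HTTP-Redirect"])

def parse_idp_metadata(xml_text):
    # Extract the fields the module's SAML2 settings refer to.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    info = {"entity_id": root.get("entityID"), "sso": {}, "slo": {}, "certs": []}
    for s in idp.findall("md:SingleSignOnService", NS):
        info["sso"][s.get("Binding")] = s.get("Location")
    for s in idp.findall("md:SingleLogoutService", NS):
        info["slo"][s.get("Binding")] = s.get("Location")
    for c in idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
        der = base64.b64decode("".join(c.text.split()))        # drop PEM-style line breaks
        info["certs"].append(hashlib.sha256(der).hexdigest())  # compare with the IdP out of band
    vu = root.get("validUntil")
    info["valid_until"] = datetime.fromisoformat(vu.replace("Z", "+00:00")) if vu else None
    return info

def check_metadata(info, sso_binding, slo_binding, cache_seconds, now=None):
    # Findings that would make the chosen bindings or cache TTL unusable or unsafe.
    now = now or datetime.now(timezone.utc)
    findings = []
    for kind, binding in (("sso", sso_binding), ("slo", slo_binding)):
        if BINDING[binding] not in info[kind]:
            findings.append("IdP has no %s endpoint for %s" % (kind.upper(), binding))
    for url in list(info["sso"].values()) + list(info["slo"].values()):
        if not url.startswith("https://"):
            findings.append("endpoint not served over TLS: " + url)
    if info["valid_until"] and (info["valid_until"] - now).total_seconds() < cache_seconds:
        findings.append("metadata cache TTL outlives the document's validUntil")
    return findings
```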

SAML2: Certificate Generation

Since 1.9.0 you can conveniently generate an X.509 certificate by filling in the form at the bottom of the page and clicking "Generate". This will prefill the form fields for you with a unique and secure X.509 certificate.

OAuth2: Identity Provider Information


  • Server Type - The type of server, plain OAuth2 or OpenID
  • Scope Permissions - The permissions requested from the user at the Identity Provider
  • Authorization Endpoint - The endpoint for the OAuth2 request
  • Token Endpoint - The endpoint to request the tokens from
  • Userinfo Endpoint - The endpoint to request the user information
  • Client ID - The ID that has been made in the OAuth2 Identity Provider
  • Client Secret - The secret matching the client ID made in the Identity Provider

Mappings


  • External attribute: The attribute as exposed by the Identity Provider.
  • Transform: The transform applied on mappings
  • Internal attribute: The attribute known in Magento.

Setup step 7: Enabling the IDP in the proper store / website

  • Go to Stores -> Configuration
  • In the left bar, find Wizkunde Configuration and click on it.
  • Select the right scope of your website / store to make sure you enable the IDP where you want to enable it.
  • Adjust the settings according to your situation

Configuration: General Settings


  • Enable SSO in frontend: Enable SSO for your end customers
  • Enable SSO in backend: Enable SSO for your administrative users
  • Frontend Server: The server that we're using to connect to the frontend
  • Backend Server: The server that we're using to connect to the backend
  • CMS Page for failed login: The page that will be shown when a login cannot be completed

Configuration: Frontend Firewall


  • Immediate login in frontend: If set to yes, the user will not see the Magento site before logging in; they will be redirected to the IDP immediately instead of after clicking on "login". Very useful for B2B sites that only expose data to registered customers

  • CMS Whitelist: The pages which are allowed to be shown without logging in

  • IP Whitelist: The IPs which may access the frontend without facing the SSO login enforcement
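As an added illustration of the Frontend Firewall settings above (example logic, not the module's own code): it evaluates a request against constructed immediate-login, CMS whitelist and IP whitelist values, and adds the check a practitioner wants next to an IP whitelist, namely that X-Forwarded-For is honoured only for hops appended by proxies you control, since the whitelist is only as strong as the address it is compared against. The proxy ranges, CMS identifiers other than "home", and the assumption that the module's endpoints live under /sso/ are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of the Frontend Firewall settings (placeholder values, not a real store).
FIREWALL = {
    "immediate_login": True,
    "cms_whitelist": {"home", "privacy-policy", "no-route"},
    "ip_whitelist": ["203.0.113.10", "198.51.100.0/24"],
}
TRUSTED_PROXIES = ["10.0.0.0/8"]   # assumed: the reverse proxies in front of Magento

def ip_matches(client_ip, entries):
    """True if client_ip is one of the entries (single addresses or CIDR ranges)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def effective_client_ip(remote_addr, forwarded_for, trusted_proxies):
    """Resolve the address the IP whitelist is compared against. X-Forwarded-For is
    client-controlled unless the hop that appended it is our own proxy, so walk the
    header from the right and accept a hop only while the current address is trusted."""
    hops = [h.strip() for h in (forwarded_for or "").split(",") if h.strip()]
    candidate = remote_addr
    for hop in reversed(hops):
        if not ip_matches(candidate, trusted_proxies):
            break
        candidate = hop
    return candidate

def must_redirect_to_idp(path, client_ip, logged_in, fw=FIREWALL):
    """Decide whether a frontend request is sent to the IdP before any page is shown."""
    if logged_in or not fw["immediate_login"]:
        return False
    if ip_matches(client_ip, fw["ip_whitelist"]):
        return False
    page = urlsplit(path).path.strip("/") or "home"   # Magento serves the CMS page "home" at /
    if page in fw["cms_whitelist"]:
        return False
    if page.startswith("sso/"):   # assumed: the module's own SSO endpoints must stay reachable
        return False
    return True
```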

Configuration: Audit Logging


  • Logging: Enable logging for this storeview
  • Log Severity: Set logging to either log everything or just failed attempts

Setup step 8: Go to the frontend/backend and see if the login page appears!



Your Service Provider Details

Metadata location FRONTEND

https://<your store>/sso/metadata

Metadata location BACKEND

https://<your store>/sso/metadata/backend

All other Service Provider data is visible at the metadata URLs provided above.
