
mediadreams/md_saml
====================

SSO frontend or backend login with SAML authentication.

Latest version: 5.0.0 (1 month ago). License: GPL-2.0-or-later. Requires PHP >=8.2. [1 open issue](https://github.com/cdaecke/md_saml/issues).


[Source](https://github.com/cdaecke/md_saml) · [Packagist](https://packagist.org/packages/mediadreams/md_saml)


TYPO3 Extension `md_saml`
=========================

Single Sign-on extension for TYPO3. It enables you to log into the TYPO3 backend or the website frontend using an Identity Provider (IdP), for example an ADFS server (Active Directory Federation Services). It is fully configurable via Site Sets and `settings.yaml`.

Screenshots
-----------

TYPO3 login:

[![TYPO3 login](./Documentation/Images/typo3_login.png?raw=true)](./Documentation/Images/typo3_login.png?raw=true)

Frontend login:

[![Frontend login](./Documentation/Images/frontend_login.png?raw=true)](./Documentation/Images/frontend_login.png?raw=true)

Requirements
------------

- TYPO3 v13.4

Installation
------------

- Install the extension with the following composer command: `composer req mediadreams/md_saml` or use the extension manager
- In module `Site Configuration` add `MdSaml base configuration (ext:md_saml)` in section `Sets for this Site`
- Activate backend login in the extension configuration. Frontend login is activated in the settings of the extension.
- Configure the extension by overriding the site settings of the extension

Login and logout flows
----------------------

- [Backend login](./Documentation/BackendLogin.md)
- [Backend logout](./Documentation/BackendLogout.md)
- [Frontend login](./Documentation/FrontendLogin.md)
- [Frontend logout](./Documentation/FrontendLogout.md)

Configuration
-------------

### Site Set

The Service Provider (SP) and Identity Provider (IdP) can be configured by adding the settings in the Site Set `MdSaml base configuration (ext:md_saml)`, which is shipped with this extension.

Include the Site Set `MdSaml base configuration (ext:md_saml)` in the Site Configuration of your website.

Now modify the settings according to your needs. To get your custom configuration in place, add a Site Set to your site package. The following example shows how to override the default configuration of ext:md_saml:

`EXT:my_extension/Configuration/Sets/MdSamlOverrides/config.yaml`:

```
name: my_extension/md_saml
label: MdSaml config for my website
dependencies:
  - mediadreams/md_saml
```

`EXT:my_extension/Configuration/Sets/MdSamlOverrides/settings.yaml`:

```
md_saml:
  mdsamlSpBaseUrl: 'https://%env(BASE_DOMAIN)%'

  be_users:
    databaseDefaults:
      usergroup: 3
      lang: 'de'

  fe_users:
    saml:
      sp:
        entityId: '/login/?loginProvider=1648123062&mdsamlmetadata'
        assertionConsumerService:
          url: '/login/?loginProvider=1648123062&login-provider=md_saml&login_status=login&acs&logintype=login'

  saml:
    sp:
      x509cert: '%env(SAML_SP_X509CERT)%'
      privateKey: '%env(SAML_SP_PRIVATE_KEY)%'

    idp:
      entityId: 'https://auth.myprovider.de/adfs/services/trust'
      singleSignOnService:
        url: 'https://auth.myprovider.de/adfs/ls/'

      singleLogoutService:
        url: 'https://auth.myprovider.de/adfs/ls/'

      x509cert: '%env(SAML_IDP_X509CERT)%'

baseVariants:
  - condition: 'applicationContext == "Development"'
    md_saml:
      mdsamlSpBaseUrl: "https://mysite.ddev.site"

  - condition: 'applicationContext == "Testing"'
    md_saml:
      mdsamlSpBaseUrl: "https://test.domain.com"
```

As you can see, you can use either environment variables or `baseVariants` in your configuration in order to configure different setups.

ATTENTION
Currently it is not possible to use environment variables in site sets. If you want to use env vars, set them in the general site configuration in `/config/sites//settings.yaml`. Add the following to that settings file:

```
md_saml:
  mdsamlSpBaseUrl: '%env(SAML_BASE_DOMAIN)%'
```

General information on site sets can be found [here](https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/ApiOverview/SiteHandling/SiteSets.html).

#### SAML

- Set a base url in `md_saml.mdsamlSpBaseUrl` for all endpoints
- Generate a certificate for the Service Provider (SP)
    `openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out sp.crt -keyout sp.key`
- Set `md_saml.saml.sp.x509cert` and `md_saml.saml.sp.privateKey` to the generated files. You can either provide the **file path** to the PEM file (recommended):
    `md_saml.saml.sp.x509cert: '/path/to/sp.crt'`
    `md_saml.saml.sp.privateKey: '/path/to/sp.key'`
    Or paste the **raw base64 content** directly (strip the `-----BEGIN/END-----` headers and all line breaks first).
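
An added example (not code from ext:md_saml or its author) that prepares the two generated files for the raw base64 form described above and checks the pair before it goes into `settings.yaml`: the certificate must currently be valid and the private key must belong to it. The function names are my own, the file paths are placeholders, and the script needs PHP's openssl extension.

```php
<?php
declare(strict_types=1);

// Added example, not part of ext:md_saml: prepares the SP certificate and key
// for md_saml.saml.sp.x509cert / md_saml.saml.sp.privateKey and sanity-checks them.
// Requires the PHP openssl extension.

/**
 * Turn a PEM block into the raw base64 form accepted by settings.yaml:
 * drop the -----BEGIN/END----- lines and every line break.
 */
function pemToRawBase64(string $pem): string
{
    $raw = '';
    foreach (preg_split('/\R/', trim($pem)) as $line) {
        $line = trim($line);
        if ($line === '' || str_starts_with($line, '-----')) {
            continue;
        }
        $raw .= $line;
    }
    if ($raw === '' || base64_decode($raw, true) === false) {
        throw new InvalidArgumentException('Input is not a PEM block');
    }
    return $raw;
}

/**
 * Check that the SP certificate is valid at $now and that the private key
 * belongs to it. Returns a list of problems; an empty list means OK.
 *
 * @return list<string>
 */
function checkSpCredentials(string $certPem, string $keyPem, ?int $now = null): array
{
    $now ??= time();
    $cert = openssl_x509_read($certPem);
    $info = $cert === false ? false : openssl_x509_parse($cert);
    if ($cert === false || $info === false) {
        return ['certificate could not be parsed'];
    }
    $problems = [];
    if ($info['validFrom_time_t'] > $now) {
        $problems[] = 'certificate is not valid yet';
    }
    if ($info['validTo_time_t'] < $now) {
        $problems[] = 'certificate expired on ' . gmdate('Y-m-d', $info['validTo_time_t']);
    } elseif ($info['validTo_time_t'] - $now < 30 * 86400) {
        // an expired SP certificate breaks signed requests and logouts without a clear error
        $problems[] = 'certificate expires within 30 days; rotate it and update the trust at the IdP';
    }
    if (!openssl_x509_check_private_key($cert, $keyPem)) {
        $problems[] = 'private key does not belong to the certificate';
    }
    return $problems;
}

// Usage from the CLI with the files created by the openssl command above
// (file names are placeholders):  php sp-cert-check.php sp.crt sp.key
if (PHP_SAPI === 'cli' && isset($argv[1], $argv[2])) {
    $certPem = (string)file_get_contents($argv[1]);
    $keyPem = (string)file_get_contents($argv[2]);
    foreach (checkSpCredentials($certPem, $keyPem) as $problem) {
        fwrite(STDERR, 'WARNING: ' . $problem . PHP_EOL);
    }
    echo "md_saml:\n  saml:\n    sp:\n";
    echo "      x509cert: '" . pemToRawBase64($certPem) . "'\n";
    echo "      privateKey: '" . pemToRawBase64($keyPem) . "'\n";
}
```

The printed YAML fragment can be pasted into `settings.yaml` as the raw base64 variant; if you prefer the recommended file-path variant, the check functions are still useful before each certificate rotation, because the IdP keeps a copy of the old SP certificate until the relying party trust is updated.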

**Backend**

Activate backend login in the extension configuration. Go to `Settings -> Extension Configuration -> md_saml` and check/uncheck the checkbox.

- `md_saml.be_users.saml.sp.entityId`
    Identifier of the backend (TYPO3) SP entity (must be a URI)
    ATTENTION: `mdsamlSpBaseUrl` will be attached automatically
    Default: `/typo3/index.php?loginProvider=1648123062&mdsamlmetadata`
- `md_saml.be_users.saml.sp.assertionConsumerService.url`
    Specifies info about where and how the message of a backend (TYPO3) login MUST be returned to the requester, in this case our SP.
    Default: `/typo3/index.php?loginProvider=1648123062&login-provider=md_saml&login_status=login&acs`

**Frontend**

By default frontend login is enabled and it will load a different login template. Deactivate the frontend login by setting `md_saml.fe_users.active = false`.

- `md_saml.fe_users.saml.sp.entityId`
    Identifier of the frontend SP entity (must be a URI)
    ATTENTION: `mdsamlSpBaseUrl` will be attached automatically
    Example (just replace the speaking path ("/login/") according to your needs): `/login/?loginProvider=1648123062&mdsamlmetadata`
- `md_saml.fe_users.saml.sp.assertionConsumerService.url`
    Specifies info about where and how the message of a frontend login MUST be returned to the requester, in this case our SP.
    Example (just replace the speaking path ("/login/") according to your needs): `/login/?loginProvider=1648123062&login-provider=md_saml&login_status=login&acs&logintype=login`

**Note**

All default settings, which are configured in `md_saml.saml` can be overwritten for backend or frontend needs with properties in `md_saml.be_users.saml...` (backend) and `md_saml.fe_users.saml...` (frontend).

The SAML toolkit for PHP by OneLogin is used as the underlying library (no OneLogin account is needed!). See its full [documentation](https://github.com/onelogin/php-saml) for details on the configuration.

#### Users

**Backend**

- `md_saml.be_users.createIfNotExist`
    Decide whether a new backend user should be created (Default = 1)
- `md_saml.be_users.updateIfExist`
    Decide whether a backend user should be updated (Default = 1)
- `md_saml.be_users.databaseDefaults`...
    This section allows you to set defaults for a newly created backend user. You can add any fields of the database here.
    Example: `md_saml.be_users.databaseDefaults.usergroup = 123` will create a new user with usergroup 123 attached.

**Frontend**

- `md_saml.fe_users.createIfNotExist`
    Decide whether a new frontend user should be created (Default = 1)
- `md_saml.fe_users.updateIfExist`
    Decide whether a frontend user should be updated (Default = 1)
- `md_saml.fe_users.databaseDefaults`...
    This section allows you to set defaults for a newly created frontend user. You can add any fields of the database here.
    Example: `md_saml.fe_users.databaseDefaults.usergroup = 123` will create a new user with usergroup 123 attached.
    ATTENTION: `md_saml.fe_users.databaseDefaults.pid` will be used as storage for newly created fe_users.

#### SSO

The attribute names returned by the SSO provider can be anything. Use the following configuration to map the returned attribute names to the field names TYPO3 needs:

**Backend**

- `md_saml.be_users.transformationArr`
    Example: `md_saml.be_users.transformationArr.username = http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname`
    The above example maps the claim returned by an ADFS server, which contains the username, to the TYPO3 backend username field.

**Frontend**

- `md_saml.fe_users.transformationArr`
    Example: `md_saml.fe_users.transformationArr.username = http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname`
    The above example maps the claim returned by an ADFS server, which contains the username, to the username field of a frontend user.
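
Added example, not the extension's own code (how ext:md_saml applies `transformationArr` internally may differ): a mapping function that takes the attribute set the OneLogin toolkit returns (`Auth::getAttributes()` yields claim name => list of values) and produces only the TYPO3 fields named in the mapping. The attribute values are constructed, and the mapping keys other than `username` are assumed.

```php
<?php
declare(strict_types=1);

// Added example, not ext:md_saml's own code: applying a transformationArr-style
// mapping to the attributes the OneLogin toolkit returns for a logged-in user.

/** Constructed sample in the shape of Auth::getAttributes(): claim name => list of values. */
const SAMPLE_ATTRIBUTES = [
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname' => ['CORP\\jdoe'],
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' => ['jdoe@example.org'],
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' => ['Jane'],
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' => ['Doe'],
    'memberOf' => ['CN=Editors,OU=Groups,DC=example,DC=org', 'CN=Staff,OU=Groups,DC=example,DC=org'],
];

/** Mapping as it would be written under md_saml.be_users.transformationArr (TYPO3 field => claim); keys besides username are assumed. */
const SAMPLE_TRANSFORMATION = [
    'username' => 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname',
    'email'    => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
    'realName' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
];

/**
 * Copy only the mapped claims into TYPO3 field names. Claims the IdP did not
 * issue are skipped, unmapped claims (such as memberOf above) never reach the
 * user record, and a response without a username is rejected.
 *
 * @param array<string, list<string>> $attributes
 * @param array<string, string>       $transformation
 * @return array<string, string>
 */
function mapSamlAttributes(array $attributes, array $transformation): array
{
    $user = [];
    foreach ($transformation as $field => $claim) {
        $values = $attributes[$claim] ?? [];
        if ($values === []) {
            continue;
        }
        // single-valued claims become a string, multi-valued ones a comma-separated list
        $user[$field] = implode(',', array_map('strval', $values));
    }
    if (($user['username'] ?? '') === '') {
        throw new RuntimeException('IdP response carries no username claim; refusing to create or update a user');
    }
    return $user;
}

// Usage
print_r(mapSamlAttributes(SAMPLE_ATTRIBUTES, SAMPLE_TRANSFORMATION));
```

The guard on `username` is the part worth keeping in mind when building the mapping: if the IdP stops issuing the claim that `transformationArr.username` points at, the login must fail rather than create or update a record with an empty username.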

### ADFS

The following steps are an example on how to configure an ADFS server as IdP (Identity Provider).

Since I don't have the configuration in English, the following section is available in German only. I am sorry for that!

- Get the SP (Service Provider) metadata. Log into TYPO3 (important!) and call `/typo3/index.php?loginProvider=1648123062&mdsamlmetadata&loginType=backend` for the backend configuration and `/typo3/index.php?loginProvider=1648123062&mdsamlmetadata&loginType=frontend` for the frontend configuration.
- Create a new `Vertrauensstellung der vertrauenden Seite` (relying party trust)

    1. Welcome

        - Select the mode `Ansprüche unterstützen` (claims aware)
        - Click the `Start` button
    2. Select data source

        - Select the option `Daten über vertrauende Seite aus einer Datei importieren` (import data about the relying party from a file)
        - Select the metadata XML from the first step
        - Click the `Weiter` (Next) button
    3. Specify display name

        - Enter a value for `Anzeige Name` (display name)
        - Click `Weiter`
    4. Choose access control policy

        - In the field `Wählen Sie eine Zugriffssteuerungsrichtlinie aus` (choose an access control policy), select `Zugriff-OTP`
        - Click `Weiter`
    5. Ready to add the trust

        - Check the data and click `Weiter`
    6. Finish

        - Click `Schließen` (Close)
- Check `Ansprucheaustellungsrichtlinie für diese Anwendung konfigurieren` (configure claim issuance policy for this application)
- Add a new rule with `Regel hinzufügen ...` (add rule)
- In the field `Anspruchsregelvorlage` (claim rule template), select the option `Ansprüche mithilfe einer benutzerdefinierten Regel senden` (send claims using a custom rule) and click `Weiter`
- In the field `Anspruchsregelname` (claim rule name), enter the value `Name Identifier`
- In the field `Benutzerdefinierte Regel` (custom rule), enter the following:

    ```
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName");
    ```
- Click the `Fertig stellen` (Finish) button
- Add another rule by clicking `Regel hinzufügen ...`
- In the field `Anspruchsregelvorlage`, select `Ansprüche mithilfe einer benutzerdefinierten Regel senden` and click `Weiter`
- In the field `Anspruchsregelname`, enter `Data Rule`
- In the field `Benutzerdefinierte Regel`, enter the following:

    ```
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "distinguishedName", "memberOf"), query = ";mail,displayName,sn,sAMAccountName,distinguishedName,memberOf;{0}", param = c.Value);
    ```
- Click the `Fertig stellen` button
- Leave the `Ansprucheaustellungsrichtlinie` (claim issuance policy) with `OK`

ATTENTION:
The order of the rules is important! The first one must be the `Name Identifier` rule!

Finally, in the `Bezeichner` (Identifiers) tab of the `Vertrauensstellung` (trust), enter the value configured in `md_saml.mdsamlSpBaseUrl` in the field `Bezeichner der vertrauenden Seite` (relying party identifier).

### TYPO3

#### General

- In `settings.php` or `additional.php` the option `['BE']['cookieSameSite']` must be set to `lax`:
    ```
    $GLOBALS['TYPO3_CONF_VARS']['BE']['cookieSameSite'] = 'lax';
    ```
- In `Site Configuration` set the value of `Entry Point` (`base`) to a fully qualified entry point, i.e. the full URL of your site including scheme and host, instead of just `/`.

#### Site Config

```
errorHandling:
    errorCode: 403
    errorHandler: PHP
    errorPhpClassFQCN: Mediadreams\MdSaml\Error\ForbiddenHandling
```

#### Change User Event

This event can be used to customize the user data before the user record is inserted or updated on login:

```
namespace XXX\XXX\EventListener;

use Mediadreams\MdSaml\Event\ChangeUserEvent;
use TYPO3\CMS\Core\Utility\GeneralUtility;

final class AddGroupChangeUserEventListener
{
    protected int $adminGroupUid = 3;

    // Called on every SSO login before the user record is inserted or updated
    public function __invoke(ChangeUserEvent $event): void
    {
        // get current data
        $userData = $event->getUserData();
        $email = $userData['email'] ?? null;

        // example condition (replace with your own rule): only users whose
        // e-mail belongs to the trusted domain get the additional group
        if ($email !== null && str_ends_with(strtolower($email), '@example.com')) {
            // usergroup is stored as a comma-separated list of group uids
            $usergroups = GeneralUtility::intExplode(',', (string)($userData['usergroup'] ?? ''), true);
            if (!in_array($this->adminGroupUid, $usergroups, true)) {
                $usergroups[] = $this->adminGroupUid;
            }
            // change some data
            $userData['usergroup'] = implode(',', $usergroups);
            // save new data
            $event->setUserData($userData);
        }
    }
}
```

You must register the event listener in `Services.yaml`.

FAQ
---

**Is it possible to remove the default login with username and password?**

Yes, just add the following line to the `ext_localconf.php` of your extension:

```
unset($GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['backend']['loginProviders'][1433416747]);
```

**I get a `1648646492 RuntimeException, The site configuration could not be resolved.`**

Make sure that the domain of your website is configured as `base` in the site configuration (`sites/identifier/config.yaml`).

**The template for the frontend login is not loaded.**

If the website uses a mixed setup consisting of a TypoScript template (sys_template) and site sets, it is important to uncheck the "Clear" flag for constants and setup in the TypoScript template. If the "Clear" flag is checked (default), TypoScript settings from site sets are cleared and therefore do not apply.

Troubleshooting
---------------

If your login fails with the parameter `?commandLI=setCookie` (typo3/index.php?commandLI=setCookie), please make sure, that you have set `$GLOBALS['TYPO3_CONF_VARS']['BE']['cookieSameSite'] = 'lax'`.

Bugs and Known Issues
---------------------

If you find a bug, it would be nice if you add an issue on [Github](https://github.com/cdaecke/md_saml/issues).

THANKS
======

Thanks a lot to all who make this outstanding TYPO3 project possible!

Credits
-------

- Thanks to the guys at OneLogin who provide the [SAML toolkit for PHP](https://github.com/onelogin/php-saml), which I use.
- Extension icon by [Font Awesome](https://fontawesome.com/icons/key?s=solid).
