Starting with version 5.0, Admidio can be used by other applications to authenticate users against Admidios user base via Single-Sign-On (SSO). When initiating a login to the application, the user is redirected to Admidio to log in, and after successful authentication, is redirected back to the client app and logged in there. The user has to log in only to Admidio and is automatically given access to other (configured) applications. The other applications do not have to store or process any passwords.

The two dominant protocols are the XML-based SAML 2.0¹⁾ and the JSON-based OpenId Connect (OIDC)²⁾. Admidio can act as an Identity Provider (IdP) for both protocols. We will describe the configuration in general for both protocols for the following systems:

Client	SAML 2.0	OpenID Connect	Notes
Nextcloud	SAML 2.0 with Nextcloud	OpenID with Nextcloud
DokuWiki	SAML 2.0 with DokuWiki	OpenID with DokuWiki
	SAML 2.0 with Wordpress	OpenID with Wordpress
	SAML 2.0 with Joomla	OpenID with Joomla
	SAML 2.0 with MediaWiki	OpenID with MediaWiki
	SAML 2.0 with Moodle	OpenID with Moodle
	SAML 2.0 with Gitlab	OpenID with Gitlab
	SAML 2.0 with Odoo	OpenID with Odoo
	SAML 2.0 with Keycloak	OpenID with Keycloak
	SAML 2.0 with SimpleSAMLphp
		OpenID with Matomo
		OpenID with Mailman3
		OpenID with Plesk

Other systems like Prestashop do not provide any freely available SAML or OpenID plugin, only some very expensive commercial extensions.

All examples here use the domain https://admidio.demo.open-tools.net/ or https://admidio.local as Admidio domain and https://[appname].demo.open-tools.net/ or https://[appname].local for the client applications.

To set up a third-party web application to use single-sign-on through Admidio as a SAML 2.0 Identity Provider (so that other applications will use Admidio's user accounts for their logins), one has to take three steps:

1. General Setup of the IdP in Admidio:
   1. Create a cryptographic key for signing/encryption
   2. Choose a unique entityID (typically the URL of the Admidio installation)
2. Configuration of the client app (Service Provider): Admidio will provide a link with all required metadata for clients to use (https://[ADMIDIO_URL]/modules/sso/index.php/saml/metadata).
   1. In the simplest case, paste the metadata URL into the client configuration
   2. If the client does not support auto-setup using metadata, manually copy/enter the settings:
      1. Admidio URLs for Single-sign-on (SSO) and Single-Log-Out (SLO)
      2. Public key / certificate of the Admidio IdP.
   3. Choose a unique “Client ID” to identify the client to Admidio.
3. Set up Admidio respond to request from that particular client:
   1. Create a new SAML client in Admidio's SSO client administration (“Preferences” → “Single-Sign-On” → “Single-Sign On Client Administration”)
   2. Ideally, the client (“Service Provider”) will provide a link to xml metadata. Paste this URL and let Admidio automatically load the configuration.
   3. If not, manually copy/enter the Client ID, the URL where the user should be redirected after login (ACS URL) as well as an optional cryptographic certificate used by the client to sign messages.
4. In many cases, the automatic setup via metadata will work, but it is possible to add further configuration, like profile data submitted or groups/role mapping, or whether messages are signed/encrypted.

This page will describe the generic setup of a Admidio and a SAML 2.0 client. It has been tested with several SAML-ready applications, and client-specific instructions are available at separate pages.

To set up a third-party web application (the “Relying Party”, short RP) to use single-sign-on through Admidio as an OpenID Connect Identity Provider (so that other applications will use Admidio's user accounts for their logins), one has to take three steps:

1. General Setup of the OIDC IdP in Admidio:
   1. Create a cryptographic key for signing/encryption
   2. Choose a unique entityID (typically the URL of the Admidio installation)
2. Configuration of the client app (Relying Party): Admidio will provide a link with all required metadata for clients to use (https://[ADMIDIO_URL]/modules/sso/index.php/oidc/.well-known/openid-configuration).
   1. In the simplest case, paste the metadata URL into the client configuration
   2. If the client does not support auto-setup using metadata, manually copy/enter the settings:
      1. Admidio URLs (endpoints) for authorization, token, userinfo an optionally logout
      2. Public key / certificate of the Admidio IdP.
   3. Choose a unique “Client ID” to identify the client to Admidio.
   4. Select the scopes (classes of information) that Admidio should send to the client (e.g. “openid,profile,email,address,phone,groups,custom”, at least “openid” is required)
   5. Optionally a mapping of the OpenID claims (individual data fields) to the client's profile fields
3. Set up Admidio to respond to that particular client (RP):
   1. Create a new OIDC client in Admidio's SSO client administration (“Preferences” → “Single-Sign-On” → “Single-Sign On Client Administration”)
      1. Paste the “Client ID” as given in the client app, and paste the Redirect URI given by the client.
      2. Admidio will show a “Client Secret”, which must be copied to the client's config.
      3. Select which scopes (classes of information) should be allowed to be sent to the client, and optionally select / map Admidio's profile fields and groups to OpenID claims (individual pieces/fields of information)
   2. OpenID does NOT provide any automatic configuration of the client using metadata³⁾.

This page will describe the generic setup of a Admidio and an OpenID client. It has been tested with several OpenID-ready applications, and client-specific instructions are available at separate pages

The default login process to an app (the “Service Provider”, i.e. SP) works with the following steps:

1. User clicks on “Log In”
2. The app determines whether the user has access: It displays a login form, checks the entered Username and Password (hash), and if they exist and match, makes the decision to grant access.
3. the app now knows that the user has successfully logged in and creates an appropriate session to keep the user logged in.

Step 2 are done by the application in this case, but there is no technical requirement for this. In principle, the decision that a user has successfully logged in can be done by any trusted system. This is where single-sign-on hooks in: Rather than each app requesting and processing passwords, step 2 is delegated to a so-called identity provider (“idP”). That identity provider needs to be trusted, and it will take over the part of checking whether a user has access permissions (by e.g. entering a password or using a fingerprint, etc.).

There are two established technical protocols for Single-Sign-On: SAML 2.0 (XML-based, widely used by large-scale bussiness applications and e.g. Microsoft ADFS) and OpenID Connect (OIDC) (JSON-based using “Tokens”; used by many web / social apps like Google, Facebook, etc.).

SAML 2.0 is based on XML messages, and basically just outsources the login form and the resulting login success decision to the IdP. If login is successful, the IdP sends this information (together with the user name and optionally some further profile fields) as a cryptographically signed XML to the SAML client.

In the SAML case, the login flow above changes to the following. But but from a user perspective, the same steps of entering a password are done, just at a different system. The browser redirects involved in the flow, are hardly noticed by the user and don't require user interaction.

1. User clicks on “Log In”
2. The app does not determine user login itself. Instead it relies on a third party (the “Identity Provider”, short IdP) to determine whether a user has access:
   1. It creates an XML containing an XML “AuthnRequest” and redirects the browser to the IdP (Admidio in our case)
   2. If the user is not logged in to Admidio, it shows the login screen
   3. Admidio checks the login of the user (and whether the user is member of the permitted groups)
   4. If login is successful (or the user was already logged in), access should be granted. This is documented in XML data (the “Assertion”; cryptographically signed to prevent man-in-the-middle attacks) and sent back to the Service provider by a browser redirect.
   5. In addition to the username, the Assertion returned to the SP can also contain further user information (email, first/last name, etc.) and groups/roles.
3. The client app (Service Provider) now knows that the user has successfully logged in to Admidio and creates an appropriate session to keep the user logged in.

There are some things to notice about the way SAML authentication works:

1. All password handling and requesting is done by Admidio alone. The Service Provider (client app) never receives, asks or has to handle passwords.
2. It is extremely important to ensure that the requests are really sent to the right system and the returned responses really originate from the authorized IdP. This can be assured by using public key cryptography, in particular by signing each request and response by private keys that ar only known to the SP and IdP, in turn. During initial set up, the corresponding certificates (signed public keys) need to be exchanged, which is the main part of setting up SSO (in addition to providing the URLs of the SP and IdP to each other).
3. The IdP and the SP never communicate directly, only through the user's browser! As a consequence, the IdP and the SP can be in separate networks, e.g. the IdP can even be in a private network without access from the internet, as long as the user's browser can connect to it.

OpenID Connect is based on exchanging data with JSON objects. It is an extension of the OAuth 2.0 protocol, which only handles authentication. The OpenID layer adds additional profile information and permissions, but uses OAuth for the basic authorization.

Rather than working only with browser redirects like SAML, OpenID is based on OAuth and extensively uses direct communication (“backchannel”) between the Relying Party and the IdP. Rather than documenting only a successful login, OpenID separates authentication (successfull login) and authorization (roles that grant user rights). It also does not rely on an active session at the IdP. Rather it generates a dedicated password (the “token”) for the client and thus replaces the user's individual password with app-specific passwords, which are handled internally by the client and the IdP without the user noticing. When such a token expires, another (refresh) token can be used to create a new token, so that no new login is required. All this is done in the background and the user experience is basically the same as with a direct login or with SAML.

Admidio's SSO configuration is done in the preferences (Tab “Modules”, section “Single-Sign-On (SAML 2.0, OpenId Connect)”).

• The first thing to do is to create a cryptographic key (typically an RSA key with 2048 bit). For this, use the “SSO cryptographic Keys Administration” button to switch to the key administration page.
• At the “SSO Cryptographic Keys Administration” page, create a new key (typically RSA with 2048 bits).
  • Also enter the URL of the Admidio installation as “Common Name”. The other required fields (Organisation, OU, city, etc.) must be filled, but their value is not relevant. Make sure that the expiration date is long enough! By default, an expiration of two years is suggested.

• The key should now be listed and activated. Return to the “Preferences” for further setup.

• In the SSO section of the preferences, you now need to enable SAML 2.0 Single-Sign-on and configure the following settings:
  • SAML Entity ID: The URL of your installation (needs to be a unique ID, the URL is usually used, but not required)
  • Key for signatures: Select the key that you just generated; will be used to cryptographically sign the messages to the Service Provider to prevent man-in-the-middle attacks
  • Key for Encryption: If the SP requires (or recommends) encrypting the messages, you can select a key for encryption, too. This can be (but does not have to be) the same key as for signatures.
  • Select whether Admidio adivses all SPs to sign their messages in turn. This requires each client to have a cryptographic key generated for itself, which some clients (e.g. DokuWiki) do not support. Clients that do not support signatures, will still work, this is just a declaration of preference by Admidio!
  • Save

The Preferences page also lists all the relevant data to set up the client as a Service Provider. Particularly useful will be the Metadata URL, which provides all data to set up a client (SP) in XML format. You don't need to do anything, the SSO plugin for Admidio provides this out of the box. Here is an example of such a metadata xml: Notice that it contains both the public key / certificate of the signing and encryption keys, as well as the URLs to the SingleSignOnService (SSO) and the SingleLogOutService (SLO) at the admidio installation. Furthermore, the first half of the XML contains the cryptographic signature of the XML, signed with the private key to prove that the metadata file actually comes from the admidio installation and not from some adversary.

Admidio is now ready to provide single-sign-on functionality to Service Providers.

Each SP first needs to be set up with the URLs (and keys) to connect to Admidio. This can ideally be done by providing the SP with the link to the metadata. After that, Admidio needs to be configured to accept login requests from the SP. Again, each SP typically provides the required data as a metadata XML, which can be loaded in Admidio to set up the client for Single-sign-on functionality. The details depend on the actual client app.

Once Admidio is set up to act as a SAML 2.0 IdP, the clients (Service Providers, “SP”) can be configured to use Admidio as their login provider. Many systems either support SAML 2.0 out of the box or with some plugin. The following settings are needed for setup. They are also available for copying at Admidio's SSO preferences page, as well as in the metadata xml.

• Metadata URL (optional; for automatic setup of clients): https://[YOUR_ADMIDIO_URL]/modules/sso/index.php/saml/metadata
  • If your SP supports entering and loading the metadata XML, make sure to use it. It will load the correct settings from the SAML IdP and set up most settings correctly!
• IdP SAML Entity ID (unique identifier of the Admidio instance): https://[YOUR_ADMIDIO_URL]
• SSO Endpoint (where the SP sends the login request): https://[YOUR_ADMIDIO_URL]/modules/sso/index.php/saml/sso
• SLO Endpoint (where logout requests are sent to): https://[YOUR_ADMIDIO_URL]/modules/sso/index.php/saml/slo
• x509 Certificate (to allow clients to verify the cryptographic signatures): PEM-format needs to be copied out of the Admidio preferences

• User attribute mapping: Which SAML attributes returned with the login confirmation (“Assertion”) correspond to the login name, the full name, the email and possibly the user's group memberships in the SP system.

In addition each client typically has settings to require sent or received SAML messages to be signed and/or encrypted to ensure a secure login process. The details depend on the capabilities of the client. Some clients do not support encryption, other require all SAML messages to be signed (for good reason!). Also, some clients offer a setting that SAML login is only possible for users that are already manually created in the SP, while others offer a setting to automatically create user accounts on successful SAML login.

The details always depend on the particular client. See the client-specific instructions for details for a particular client. Other clients should work, too, if they properly implement SAML. The configuration will be similar to the documented clients.

Nextcloud DokuWiki

Once the client is set up to send authentication requests to Admidio, Admidio needs to be configured to respond to them. All SAML clients (Service Providers) are configured in the SSO Client Administration page, which can be reached from the SSO Preferences page (https://admidio.demo.open-tools.net/modules/preferences.php?panel=sso) from the SSO SAML preferences page.

To ensure only legitimate login requests from the real client are processed, Admidio needs the entity ID, the URL for redirect as well as the x509 certificate (if messages are cryptographically signed). The following settings are needed for setup. They MUST be consistent with the settings configured in the SAML client (SP). Many SPs provide a Metadata XML link or file with all required settings included for automatic client setup. In Admidio's SAML client section, one can input the metadata URL and Admidio will pre-configure the client, but manual adjustments are possible (and in many areas even needed).

• Metadata URL (for automatic setup of clients):
  • If your SP provides a metadata URL, make sure to use it. It will load the correct settings from the SAML SP and set up most settings correctly!
• Client ID (unique identifier of the Client)
• ACS URL (where responses to login requests are sent to)
• Single-Log-Out URL (optional): Backchannel endpoint to log out from all clients
• x509 Certificate (to allow verification of the messages sent by the SP): PEM-format needs to be copied out from the client

• User ID field: Whether the client gets the numeric Admidio user id, the globally unique UUID, or the user's login name as user ID
• Further profile data/fields transmitted to the client on successful login
• Which roles / group memberships are sent to the client on successful login. The data fields and groups can be mapped to different names, if the client cannot handle Admidio's fields and role names. On particular case is the admin role, where many clients use a role named “admin” to grant admin access to a user logged in via SAML.

In addition each client typically has settings to require sent or received SAML messages to be signed and/or encrypted to ensure a secure login process. The details depend on the capabilities of the client. Some clients do not support encryption, other require all SAML messages to be signed (for good reason!).

Admidio's general SSO configuration is done in the preferences (Tab “Modules”, section “Single-Sign-On (SAML 2.0, OpenId Connect)”).

• The first thing to do is to create a cryptographic key (typically an RSA key with 2048 bit). If SAML 2.0 and OpenID are used, they can share the same RSA key.
• To manage keys, use the “SSO cryptographic Keys Administration” button to switch to the key administration page.
• At the “SSO Cryptographic Keys Administration” page, create a new key (typically RSA with 2048 bits).
  • Also enter the URL of the Admidio installation as “Common Name”. The other required fields (Organisation, OU, city, etc.) must be filled, but their value is not relevant. Make sure that the expiration date is long enough! By default, an expiration of two years is suggested.

• The key should now be listed and activated. Return to the “Preferences” for further setup.

• In the SSO section of the preferences, you now need to enable OpenID Connect Single-Sign-on and configure the following settings:
  • Issuer: The URL of your installation (needs to be a unique ID, the URL is usually used; Some clients require this to the the base URL, others accept any random string)
  • Key for signatures: Select the key that you just generated; will be used to cryptographically sign the messages to the Relying Party to prevent man-in-the-middle attacks
  • Save

The Preferences page also lists all the relevant URLs (endpoints) to set up the client as a Relying Party. Particularly useful will be the Discovery URL, which provides all data to set up a client (RP) in JSON format. If an app supports automatic discovery, this will automatically do the basic setup. Otherwise you will have to copy the provided endpoint URLs to the client's config. Here is an example of such a discovery JSON:

In contrast to SAML, the metadata does not contain the public certificate. In OpenID, there is a separate endpoint (the “jwks_uri” in the discovery document) that provides the current key in “JSON Web Key Sets” (JWKS) format. Also notice that the discovery document lists all allowed scopes and technical details about the internal OpenID settings.

Admidio is now ready to provide single-sign-on functionality to Relying Parties.

Each RP first needs to be set up with the URLs to connect to Admidio. This can ideally be done by providing the RP with the discovery link. After that, Admidio needs to be configured to accept login requests from the RP. Unfortunately, OpenID Connect does not provide an automatic way to transfer configuration data from the RP to the IdP, so the client ID and the Redirect URL needs to be manually copied from the RP to Admidio's OpenID client settings. The details on where to find these depend on the actual client app.

Once Admidio is set up to act as an OpenID IdP, the clients (Relying Parties, “RP”) can be configured to use Admidio as their login provider. Many systems either support OpenID Connect out of the box or with some plugin. The following settings are needed for setup. They are also available for copying at Admidio's SSO preferences page, as well as in the metadata json (from the discovery URL).

• Discovery URL (optional; for automatic setup of clients): https://[YOUR_ADMIDIO_URL]//modules/sso/index.php/oidc
  • If your RP supports auto-configuration, make sure to use it. It will load the correct settings from the SAML IdP and set up most settings correctly!
• IdP Isuer (unique identifier of the Admidio instance): https://modules/sso/index.php/oidc
• Authorization Endpoint (where the RP sends the login request): https://[YOUR_ADMIDIO_URL]/modules/sso/index.php/saml/sso
• Token Endpoint (where the RP sends requests to convert an auth code to a token, i.e. an app-specific password replacement): https://[YOUR_ADMIDIO_URL]/modules/sso/index.php/saml/slo
• Userinfo Indpoint (where the RP can request details about the user):
• Scopes (which groups of profile data are requested by the client): Any of openid (required), profile, address, phone, email, custom, groups, roles
• User attribute mapping: Which data fields (OpenID claims) returned by Admidio correspond to the login name, the full name, the email and possibly the user's group memberships in the RP system.

In addition each client typically has settings to for further customization. Also, some clients offer a setting that SAML login is only possible for users that are already manually created in the RP, while others offer a setting to automatically create user accounts on successful SAML login.

The details always depend on the particular client. See the client-specific instructions for details for a particular client. Other clients should work, too, if they properly implement SAML. The configuration will be similar to the documented clients.

Nextcloud DokuWiki

Once the client is set up to send authentication requests to Admidio, Admidio needs to be configured to respond to them. All OpenID clients (Relying Parties) are configured in the SSO Client Administration page, which can be reached from the SSO Preferences page (https://admidio.local/modules/preferences.php?panel=sso) from the SSO OIDC preferences page.

To ensure only legitimate login requests from the real client are processed, Admidio needs the entity ID and the Redirect URI. In addition, Admidio will generate a Client Secret (a random string) that needs to be copied to the client's configuration and acts as a client password. The following settings are needed for setup. They MUST be consistent with the settings configured in the OpenID Connect client (RP).

• Client ID (unique identifier of the client): typically the URL of the OpenID client (RP)⁴⁾
• Client Secret (basically the client's password to access Admidio): Admidio will create this secret when the RP is created and will store it only as a hash in the database. Make sure to copy the secret before saving, as it is not possible to retrieve it later! One can, however, simply recreate a new secret and paste that into the RP's configuration.
• Redirect URI (where the user is redirected after successful login)

• User ID field: Whether the client gets the numeric Admidio user id, the globally unique UUID, or the user's login name as user ID
• Permitted scopes: OpenID defines certain groups of profile data, for which permission can be granted. The RP will include the scopes it is interested in in its login request, and the OpenID Provider (OP, Admidio in our case) will return the profile fields (“claims”) corresponding to those scopes, if permission is given. The “openid” scope MUST always be present in OpenID!
• Further profile data/fields transmitted to the client on successful login
• Which roles / group memberships are sent to the client on successful login. The data fields and groups can be mapped to different names, if the client cannot handle Admidio's fields and role names. On particular case is the admin role, where many clients use a role named “admin” to grant admin access to a user logged in via OpenID.

In addition each client typically has some more settings regarding fields ⇔ claims mapping, groups, auto-generating accounts for new logins, etc. The details depend on the capabilities of the client.