Single-Sign-On into Joomla using Admidio as a SAML 2.0 Identity Provider

Starting with version 5.0, Admidio can be used by other applications to authenticate users against Admidio's user base. These instructions will guide you through the process of connecting Joomla to Admidio so that Joomla uses Admidio's login. For general instructions, and for other apps, please visit the general Single-Sign-On overview page.

Throughout the document we will assume you have both Admidio and Joomla already set up properly at https://admidio.local/ and https://joomla.local/. Please modify these URLs to your actual installation.

As a first step, one needs to configure Admidio to act as a SAML 2.0 Identity Provider (IdP). This has to be done once and is not specific to any client. Please follow this guide: #a_basic_setup_for_admidio_as_a_saml_id_provider

Basically, one needs to create a cryptographic key to sign messages and choose a unique EntityID. The preferences page https://admidio.local/adm_program/modules/preferences.php?panel=sso also provides the link to the metadata XML, as well as the individual settings for clients that do not support auto-configuration via metadata.

Setting up a client (a SAML “Service Provider”, SP for short) to use Admidio's user accounts for logging in consists of two steps. If both the IdP (Admidio in our case) and the SP (Joomla in this document) support metadata loading, the setup is very straightforward. Otherwise, one has to copy the URLs to the client manually, but Admidio already provides them in a single place, so this situation is not bad, either.

  • At the Service Provider (SP) - Joomla in our case - install the extension to support SAML login.
  • Configure it either with Admidio's link to the metadata file, or enter the EntityID, the Single-Sign-On Endpoint, the SLO Endpoint and the public certificate manually (Admidio provides a simple table to copy these values from).
  • Choose whether sent messages should be signed and/or encrypted (these features require an additional private key and certificate for the SP!), and whether received messages are checked for signatures or encryption is expected.
  • In Admidio, create a new SAML client. If the SP provides a metadata URL, paste it and let Admidio automatically load the configuration from the SP. One can also manually paste these settings.
    • Choose an easily understood label for the client (it is only used in Admidio's list of clients and has no technical meaning)
    • Enter the ClientID of the SP, as well as the ACS URL and the SLO response URL. These values must be provided by the client.
  • In Admidio, also choose whether sent messages should be signed and/or encrypted. The crypto key generated in the general SAML setup will be used.
  • Optionally select which profile fields should be mapped to SAML attributes and sent to the client, and configure which group memberships should be transmitted.

Currently, the only available SAML 2.0 extension for Joomla is “SAML SSO for Joomla” by miniOrange. It provides basic SAML in its free version, but other features like group mapping or profile fields are only available in the (quite expensive) paid version. As the plugin supports loading metadata from Admidio and provides its own metadata file for Admidio's auto-setup, the configuration basically consists of:

  • Pasting and loading Admidio's metadata URL into the plugin
  • Pasting and loading the Joomla plugin's client metadata URL into Admidio's SAML client

Extended options are not supported by the free plugin version, but basic login will work fine.

The free version allows login via Admidio's user accounts, but does not assign any groups in Joomla, and does not transfer profile fields from Admidio to Joomla's user profile. If that is sufficient, install the plugin from the Joomla Extension Directory (“System” → “Extensions” → “Install Extensions” → “Install from Web” → search for “SAML SSO for Joomla” and install the plugin).

After installation it can be configured in “Components” → “miniOrange SAML Single Sign-On”. The plugin supports reading the metadata file from Admidio's SAML IdP implementation: in the “Service Provider Setup” tab, select “Upload IdP Metadata”, enter the URL and click Fetch.

The plugin's configuration fields will then be populated automatically. Just choose a label for the login button in the “Enable Login with SAML” input box and click Save.

Once these basic SAML settings are done, set up the SP in Admidio. The required metadata URL from Joomla's plugin can be found in the “Service Provider Metadata” tab.

Now, return to Admidio's SSO preferences page, go to the “Single-Sign-On Client Administration” (the button right above the “Save” button), and create a new client.

Paste the metadata URL copied from Joomla into the corresponding input field at the top and click “Load Client Metadata”. This loads all settings from Joomla and pre-fills the remaining fields. Only the Client Name needs to be entered. Choose any name that clearly identifies the client in the list of SAML clients; no functionality depends on the name.

The only other setting that is relevant for the limited features of the free Joomla plugin is the User ID field. The Joomla plugin insists on matching users by email address only, so make sure to select the email address as the user ID.

The other advanced features like field or group mapping can be ignored or cleared in the client config. The restriction to certain groups, however, is implemented on the Admidio side and works with Joomla, too.

Admidio and Joomla should now be set up to use Admidio for logging in to Joomla. To check, you can go back to the plugin config page and use the “Test Configuration” button at the bottom of the page.

If you log out of Joomla (or open the page in an incognito browser window), you should see the login screen with the choice of logging in with password or via SAML.

After choosing SAML login and logging in with a user from Admidio, you should be logged in to Joomla.

  • The miniOrange Joomla plugin requires the email address to be used as the user ID, so only users with a valid email in Admidio can log in! One also has to make sure the Admidio SAML client is configured to use the email as the user ID.

en/2.0/single_sign_on/saml_joomla.txt · Last modified: 2025/04/27 10:24 by kainhofer