Are you looking to implement SAML SSO on your Joomla site?

SAMLogin is a Joomla extension made to let you easily integrate a Joomla! 2.5/3.X site with almost any SAML-enabled SSO system.

This extension adds SAML2-based Single Sign-On support to a Joomla website. It is crafted to be easy for non-experts (you can deploy and manage a Joomla SP in minutes), but it also offers advanced settings for those who need to control every aspect of the deployment or implement complex authorization rules.

SAMLogin is compatible with any IdP or federation that implements the 'Interoperable SAML2 Profile' (e.g. Shibboleth 2, OpenSSO, simpleSAMLphp, etc.).

Feature Overview:

  • Easy installation
    • Everything is done by uploading a standard Joomla zip extension and a few clicks in the admin UI; no coding required
  • SimpleSAMLphp one-click installer and updater
  • UI for the configuration of attribute mappings, with fallback options and "friendly name" syntax
    • Gives you maximum flexibility and interoperability with any IdP/federation, all from the Joomla admin UI; no XML or config files to write
  • Multiple metadata sources support
    • You can join one or more Shibboleth/SAML2 federations in just a few clicks
  • Multiple discovery service integrations (WAYF)
    • Embedded
    • Embedded Discopower
    • Embedded Discojuice (new! best UX)
      • One-click federation feeds
    • Discojuice (new! best UX)
    • External WAYF/DS (use the one of your federation)
  • Automatic user role management
    • Create rules to assign federated users to Joomla groups based on SAML attribute values (powerful syntax)
    • Can manage a hybrid situation (you can add some roles manually for specific users via the classic Joomla user admin interface and the system will remember that exception)
    • Admin approval after first login or automatic user group assignment (optional)
  • Automatic generation of backend SAML certificates (SAML endpoint XML signing and encryption)
    • You can generate/regenerate the endpoint certificate in one click in your Joomla admin interface; no openssl command knowledge required
    • Supports key rollover best practices for SAML federations
  • Seamless integration with the Joomla 2.5/3.X frontend login
    • Component view and module
    • Style overrides can be applied in your Joomla templates
    • Configurable messages and labels
  • Administrator SAML login (optional)
  • Metarefresh management (easy configuration of the metadata refreshing cron job)
  • SAML 2.0 Interoperable Profile
    • Interoperable with many commercial and open source SAML-enabled Single Sign-On servers and cloud solutions: Okta, OneLogin, F5, Shibboleth, SimpleSAMLphp, Oracle Identity Federation (OIF), Centrify, Gigya and counting...
  • Supports Single Logout (SLO, IdP-initiated and SP-initiated), with fallback to a customized logout method or message for IdPs that don't support SLO
  • Supports IdP-initiated and SP-initiated login
  • Can make your Joomla site work as an RP of a Thinktecture IdentityServer
  • WS-Fed protocol support (optional)
  • Extensible: custom plugins can be written to achieve advanced system integrations
    • Support for Attribute Authorities, to fetch user attributes from external authorities after SSO login
  • Cross-platform: SAMLogin is compatible with many hosting environments and web servers (e.g. Nginx, Apache, Microsoft Azure, IIS, etc.)
  • Many other advanced settings (everything you need is configurable! And if not, ask us!)
  • Dedicated support service with direct contact with the developer and a SAML expert to solve any issue you may face (solved or refunded!)
  • Easy federation bridge with Joomla (coming soon...!)

  • New: Joomla acting as a SAML 2.0 IdP (the easiest IdP deployment ever, sold separately for another 250 EUR!)

Documentation & samples


Demo Joomla 2.5 (frontend) (Note: this is just one possible frontend result; the extension is very customizable in a few steps and also works on Joomla 3!)

Buy it now; we also offer dedicated on-demand support covering installation, customization and configuration of your Joomla SP and/or IdP (a SAML expert will be available 24/7 to assist you and solve any issue).

Want to purchase? 

A 1-year updates subscription and a lifetime use license for 1 domain is priced at only 250.00 EUR.

This includes 1 year access to updates and full support from us!

The support service includes a dedicated SAML expert who will be available to help you understand and handle any technical issue and, if needed, to help you with the technical communication with your external SAML entity managers. For instance, if your support request is "What do I need to write to the ADFS IdP manager in order to get approved and establish the SSO trust with my Joomla site?", we will analyze your requirements and guide you through every phase of the deployment at no extra cost.

The license purchased is valid for life, so even if after the first year you don't want to renew the support subscription,
you are free to continue using your software forever; renewal only gives you access to support and new updates.

Test it with no risk: we have just extended our money-back guarantee to 45 days! If you discover that our product and/or support service don't fit your needs, you'll get a complete refund.

Purchase a lifetime license for only 250 EUR

Contact us


SAMLogin provides not only an SSO AuthN (authentication) source but also an automatic/hybrid AuthZ (authorization) system.

You can use AuthZ rules when you want to trust an external IdP, a federation, or a SAML Attribute Authority to also provide roles for a user (not only identity).

This saves you time, and for the user it means there is no need for your approval, when they log in for the first time, to get privileges on your site.

For instance, if you have an agreement with French universities that permits ANY student of a French university to access some private content on your site, you create a Joomla user group for them (e.g. Students) and then map it to a rule based on SAML attribute values, e.g. the regular expression "^student@.*.fr$" on eduPersonScopedAffiliation. Or you can use eduPersonEntitlement and give the IdP managers a value to set in it for the users who are authorized to access your services (e.g. subscribed personnel). By doing that you delegate user grouping to external entities; in any case, attribute values matching an AuthZ rule are logged at every login, so that abuses or misconfigurations can be identified.

You can also decide not to rely on automatic group assignment and assign user roles manually, only after first login. (Federated users are also automatically created as Joomla users at their first login, so you can manage their groups in the standard Joomla way.)

The system can also manage a hybrid situation where you assign some groups automatically to federated users and some extra groups manually to individually selected federated users (if the "Preserve manually assigned groups" option is enabled, it will remember manually assigned groups and not override them at each SSO login).
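A worked rule evaluator for this kind of AuthZ mapping, added here as an example and not taken from SAMLogin's own code; the rule array format, the function name evaluateAuthzRules and the sample attribute values are assumptions:

```php
<?php
// Added example, not SAMLogin's own code: evaluates attribute-based AuthZ
// rules like the one described above and merges the result with groups
// that were assigned by hand, as the "Preserve manually assigned groups"
// option does. The rule format (one PCRE per attribute/group pair) is a
// hypothetical simplification; attribute values are arrays, as
// simpleSAMLphp returns them.

/**
 * @param array $attributes     e.g. ['eduPersonScopedAffiliation' => ['student@univ-example.fr']]
 * @param array $rules          list of ['attribute' => ..., 'pattern' => ..., 'group' => ...]
 * @param array $manualGroups   groups set in the Joomla user manager for this user
 * @param bool  $preserveManual keep $manualGroups on every SSO login
 * @return array ['groups' => string[], 'log' => string[]]
 */
function evaluateAuthzRules(array $attributes, array $rules, array $manualGroups, bool $preserveManual): array
{
    $groups = [];
    $log = [];
    foreach ($rules as $rule) {
        foreach ($attributes[$rule['attribute']] ?? [] as $value) {
            if (preg_match($rule['pattern'], $value) === 1) {
                $groups[] = $rule['group'];
                // Log the matched value so abuses or misconfigurations can be traced.
                $log[] = sprintf('granted "%s": %s=%s matched %s',
                    $rule['group'], $rule['attribute'], $value, $rule['pattern']);
                break; // one matching value per rule is enough
            }
        }
    }
    if ($preserveManual) {
        $groups = array_merge($groups, $manualGroups);
    }
    return ['groups' => array_values(array_unique($groups)), 'log' => $log];
}

// Constructed sample. The dot before "fr" is escaped: with the literal
// pattern from the text, "^student@.*.fr$", the dot is a wildcard and
// "student@example.xfr" would be granted the Students group too.
$rules = [
    ['attribute' => 'eduPersonScopedAffiliation', 'pattern' => '/^student@.*\.fr$/', 'group' => 'Students'],
    ['attribute' => 'eduPersonEntitlement', 'pattern' => '/^urn:example:subscribed$/', 'group' => 'Subscribers'],
];
$attributes = [
    'eduPersonScopedAffiliation' => ['student@univ-example.fr'],
    'eduPersonEntitlement'       => ['urn:example:something-else'],
];
// Expect Students (from the rule) and Editors (manual), but not Subscribers.
print_r(evaluateAuthzRules($attributes, $rules, ['Editors'], true));
```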

[Screenshot: samlogin-authz]

The standard Joomla! login module/view will not work with SAMLogin.

You should use the SAMLogin login view or the SAMLogin module.

The suggested option is to configure a menu item with the SAMLogin login view mapped to the URL alias /login on your site and then use that link to provide your users an SSO entry point.

  • Go to your Joomla Menu Manager
  • Create a new menu item
  • Select SAMLogin -> Login as the Menu Item Type
  • Optional: Select an alias for the menu item (e.g. "login") to get a SEF link for the SSO entry point
  • Optional: Configure custom HTML messages for the login page in the menu item parameters (e.g. you can write instructions here for logging in with federated access)
  • Optional: Use SAMLogin global configuration to select your Discovery Service. See: Setting a Discovery Service

[Screenshot: samlogin-menumanager]

Note: The SAMLogin view also provides the classic login interface (Joomla username and password), to let non-federated users log in to your site, and a "register" link (if Joomla registration is enabled). The SAMLogin module instead provides only SSO access.

The federated login flow requires the user to select their home organization during login. This phase is handled by a middleware called a "Discovery Service" (DS) or "WAYF" (Where Are You From?).

SAMLogin comes by default with the "RENATER test federation" DS already configured.

You can choose between several Discovery Service types in the administrative interface of SAMLogin:

1) External Discovery Service

This option is good when your SP joins just one SAML federation and you want to give your users the standard experience of logging in through the official Discovery Service/WAYF of your federation.

To achieve that:

  • Get your federation discovery service URL and copy it
  • Go to Components -> SAMLogin -> Configuration -> Settings -> Discovery Service
  • Select "External" in the discovery service type selectbox
  • Paste your DS/WAYF URL
  • Save & Close Settings
  • Put settings in production (Write configuration to SSP)

[Screenshot: discoexternal]

2) Embedded simple

This option uses the plain old simpleSAMLphp embedded discovery service, which shows a select box of the available IdPs based on the federations you have configured in the metadata sources.

  • Go to Components -> SAMLogin -> Configuration -> Settings -> Discovery Service
  • Select "Embedded Simple" in the discovery service type selectbox
  • Save & Close Settings
  • Put settings in production (Write configuration to SSP)

It is very simple but not very usable, so if you need an embedded DS we suggest the Discopower option, which is another embedded alternative.

3) Discopower (embedded)

This option uses the newer simpleSAMLphp embedded discovery service, which shows a UI with a filterable list of the available IdPs based on the federations you have joined (the federations configured in your metadata sources).

  • Go to Components -> SAMLogin -> Configuration -> Settings -> Discovery Service
  • Select "Discopower" in the discovery service type selectbox
  • Save & Close Settings
  • Put settings in production (Write configuration to SSP)

4) Discojuice

This option uses the brand new DiscoJuice cloud service (http://discojuice.org/), which provides an awesome, fresh user experience.

  • Go to Components -> SAMLogin -> Configuration -> Settings -> Discovery Service
  • Select "Discojuice embedded page" in the discovery service type selectbox
    • Note: there are also other flavours of DiscoJuice:
      • "Discojuice embedded javascript", which provides an AJAX-like experience
      • "Discojuice global", which uses the central, external DiscoJuice login page with all federation feeds enabled
    • Currently, as of SAMLogin 0.7.5, only "Discojuice embedded page" works, so do not select the other options; they will be available soon
  • Select the federations you have joined in the "Discojuice enabled federation feeds" multiple-checkbox field (DiscoJuice currently can't automatically detect your configured metadata sources, so you have to select the federations you joined again manually; note also that only some federations are available as a DiscoJuice feed. If your federation is supported by a DiscoJuice feed but still missing in our Joomla extension, please write to us and we will update the extension code)

    [Screenshot: discojuice]
  • Save & Close Settings
  • Put settings in production (Write configuration to SSP)


The default configuration of SAMLogin is ready to join the RENATER test federation.

You just have to ensure that SAMLogin's "configuration checklist" reports all PASSED; then you can proceed to register the SP in the test federation:

Use the web interface for registration of resources in the Test federation.

Access to the web form requires prior authentication with a CRU account.

https://services.renater.fr/federation/en/test-federation

Once you are logged in to the web interface for registration of resources in the Test federation, you just have to describe your service, request the attributes needed by Joomla!, and paste in the URL of your own metadata (you can also paste individual fields extracted from the metadata, but the best way is to let the RENATER interface parse it for you).

Watch the following mini video tutorial, which explains in more detail how to register a new SP (or update the info of an existing one, as in my case) in the RENATER Test federation:

[Video: samlogin-self-register-renater]
