Skip to content

Latest commit



150 lines (119 loc) · 4.94 KB

File metadata and controls

150 lines (119 loc) · 4.94 KB


The sso connector is disabled by default for flexibility reasons. But it's quite easy to enable it. Use our helper command, which guides you through the installation process:

Helper Command

oauth2 helper command

$ bin/console members:oauth:setup

If you don't want to use it, you need to check several steps which we're going to explain to you right now:

Install Classes

You need an additional Class for the SSO Identity. Every provider (e.g. Google or Facebook) creates an SsoIdentity entity, which gets appended to a user object. If you're using all the default Members Classes, you can simply re-run the command:

$ bin/console members:install:class -o

By adding the -o argument, this command will install the SsoIdentity. Already installed classes will be skipped.

If you want to use a different name, just create the class and import it from src/MembersBundle/config/install/classes/class_SsoIdentity_export.json. Read more about changing the default class name here.

Add SSO Identity Relation Field

Important! This step is only required if you're updating an existing installation! If you have installed Members from scratch via the class installer, this field is already available!

Add this to your var/classes/definition_YOUR_USER_CLASS_NAME.php (right after the group section):

    "fieldtype": "manyToManyObjectRelation",
    "width": "",
    "height": "",
    "maxItems": "",
    "queryColumnType": "text",
    "phpdocType": "array",
    "relationType": true,
    "visibleFields": "key",
    "optimizedAdminLoading": false,
    "visibleFieldDefinitions": [],
    "lazyLoading": true,
    "classes": [
            "classes": "SsoIdentity"
    "pathFormatterClass": "",
    "name": "ssoIdentities",
    "title": "SSO Identities",
    "tooltip": "",
    "mandatory": false,
    "noteditable": false,
    "index": false,
    "locked": false,
    "style": "",
    "permissions": null,
    "datatype": "data",
    "invisible": false,
    "visibleGridView": false,
    "visibleSearch": false

Add SSO IdentityAwareInterface


You need to change the parent class of your existing user class to \MembersBundle\Adapter\User\AbstractSsoAwareUser.

Install Dependencies

Install the KnpUOAuth2ClientBundle:

$ composer require knpuniversity/oauth2-client-bundle:^2.0

You also need to add some providers. There is a list of all available provider. In this example, we're going to install the google client:

$ composer require league/oauth2-google:^3.0

Set Cookie SameSite to Lax

Otherwise, the oauth connection won't work.

If you have any hints to allow processing an oauth connection within strict mode, please tell us.

        cookie_samesite: 'lax'

Enable Feature

Read more about the activation_type here.

        enabled: true
        activation_type: 'complete_profile' # choose between "complete_profile" and  "instant"

Configure Firewall

If your using a different name for your firewall than members_fe you need to configure the container parameter:

    members.firewall_name: your_fw_name

Configure Client

Every provider comes with its own configuration. In this example, we're going to setup the google client:

Attention: Always use the members_user_security_oauth_check route in redirect_route.

There is also a full list of all configurations

            type: google
            client_id: 'YOUR_CLIENT_ID'
            client_secret: 'YOUR_CLIENT_SECRET'
            redirect_route: members_user_security_oauth_check
            redirect_params: {}

Configure Client Scope

If you need a special scope definition, you can add them in the Members configuration. Just add your client (googlein your example) to the scopes node. Value needs to be an array.

If there is no configured scope, the oauth2 client will trigger getDefaultScopes() (see documentation. Default scope values vary from client to client.

            google: ['email']

Registration Types

Finally, checkout the registration type for SSO here.