
Providing Single Sign On (SSO) over common protocol #6514

Closed
alexander-schranz opened this issue Mar 25, 2022 · 8 comments
Labels
Feature New functionality not yet included in Sulu

Comments

@alexander-schranz
Member

alexander-schranz commented Mar 25, 2022

Problem description

Single Sign On is a feature which is common when you have multiple websites or installations of Sulu and do not want to create the same user again on every installation.

Proposed solution

There should be the possibility to use single sign on over some providers. There are some common protocols which provide SSO:

  • LDAP
  • Oauth / OAuth 2 / SAML
  • OpenID Connect
  • ID4ME

In Sulu it is not enough to just get authenticated against a system. Sulu requires a user in the database; this is required for features like "Author", "Creator", "Changer" and the current role implementation (roles over ids instead of keys, and language-specific roles).
So Sulu can, for example, not use the existing LDAPUserProvider of Symfony; instead it would need to decorate that one to create and update the user.
If we implement one of the other protocols the same thing is required: after authentication it is needed to check whether to create or update the user with its data from the authentication provider. If possible, at least the following fields should then be provided (Firstname, Lastname, Email) and kept up to date.

@alexander-schranz alexander-schranz added the Feature New functionality not yet included in Sulu label Mar 25, 2022
@alexander-schranz alexander-schranz changed the title Providing Single Sign On over common protocol Providing Single Sign On (SSO) over common protocol Mar 25, 2022
@benr77

benr77 commented Jan 23, 2024

We are very interested in using Sulu for our project, but SSO is a must-have.

It might be possible for us to develop this feature for Sulu as part of our development.

What is the current status of this SSO integration? Has any work already been started?

@alexander-schranz alexander-schranz added this to the Release 2.6 milestone Jan 24, 2024
@alexander-schranz
Member Author

Hello @benr77,

yesterday we had the roadmap update for the 2.6 features, and SSO over OpenID is on the plan; we are currently making the technical concept for it. I already created some kind of prototype whose challenges were documented here: symfony/symfony#50896. We already used that kind of implementation in a project, but we will make it more flexible for the Sulu bundle.

I hope OpenID fits your use case; we successfully connected with it to Google Business Account, Microsoft 365 and self-hosted Keycloak instances. Behind a Keycloak instance you can even put other protocols like LDAP, OAuth, Kerberos, ... https://www.keycloak.org/docs/latest/server_admin/

I will try to keep you up to date on the changes here.

@shochdoerfer
Contributor

@alexander-schranz awesome news! Glad I can remove one item from my long todo list :)

@NicoHaase

Even if this is not implemented in the core: using knpuniversity/oauth2-client-bundle and league/oauth2-google, I built such a feature in a project of mine some weeks ago. It wasn't that hard: having the mail address as the user's identifier and an extended OAuth2Authenticator that checks whether a user with that address is already registered and adds it in case it's not.
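The create-or-update step that both the issue description and the comment above describe, as an added example that is neither Sulu's code nor the commenter's project: a plain-PHP provisioner that turns OpenID Connect ID-token claims into a local user record. The class names, the in-memory store and the sample claims are constructed for illustration; it looks users up by the stable `sub` claim and only accepts the e-mail address when the provider marks it as verified.

```php
<?php
// Added example: provision a local Sulu-style user from OpenID Connect ID-token claims.
// The IdP authenticates; the application still needs a database user (author/creator/
// changer, roles), so it is created on first login and its fields refreshed afterwards.
final class ProvisionedUser
{
    public function __construct(
        public string $subject,   // stable IdP identifier ("sub" claim)
        public string $email,
        public string $firstName,
        public string $lastName,
    ) {}
}
final class SsoUserProvisioner
{
    /** @var array<string, ProvisionedUser> constructed in-memory store keyed by subject */
    private array $users = [];

    /** Returns the local user for these claims, creating it or updating its profile. */
    public function provision(array $claims): ProvisionedUser
    {
        foreach (['sub', 'email', 'given_name', 'family_name'] as $required) {
            if (empty($claims[$required])) {
                throw new InvalidArgumentException("missing OIDC claim: $required");
            }
        }
        // Only trust the address when the IdP vouches for it (email_verified claim).
        if (($claims['email_verified'] ?? false) !== true) {
            throw new RuntimeException('e-mail address not verified by the identity provider');
        }
        // Look the user up by "sub", not by e-mail: addresses can change or be reassigned.
        $user = $this->users[$claims['sub']] ?? null;
        if ($user === null) {
            $user = new ProvisionedUser($claims['sub'], $claims['email'], $claims['given_name'], $claims['family_name']);
            $this->users[$claims['sub']] = $user;
            return $user;
        }
        // Existing user: keep the mirrored fields (first name, last name, e-mail) up to date.
        $user->email = $claims['email'];
        $user->firstName = $claims['given_name'];
        $user->lastName = $claims['family_name'];
        return $user;
    }
}
// Constructed sample claims: two logins by the same subject, with a changed last name.
$provisioner = new SsoUserProvisioner();
$first = $provisioner->provision(['sub' => 'idp|42', 'email' => 'jane@example.org', 'email_verified' => true, 'given_name' => 'Jane', 'family_name' => 'Doe']);
$second = $provisioner->provision(['sub' => 'idp|42', 'email' => 'jane@example.org', 'email_verified' => true, 'given_name' => 'Jane', 'family_name' => 'Smith']);
assert($first === $second && $second->lastName === 'Smith'); // same record, updated name
```

In a Symfony authenticator the `provision()` call would sit in the user-loader callback of the `UserBadge`, so the passport resolves to the freshly created or updated local user.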

@benr77

benr77 commented Jan 24, 2024

@alexander-schranz Thank you for your detailed answer. If Sulu is to support OpenId in core that sounds great.

Using a self-hosted Keycloak instance is certainly something we could consider, and that would then allow us to support whatever authentication protocols we need (other than OpenId) on our non-Sulu applications. (Is this correct?)

@alexander-schranz
Member Author

@benr77 yes, that should work. You can also quickly start a Keycloak instance via Docker Compose if you want to have a deeper look at it.

Keycloak Docker Compose

```yaml
# docker-compose.yml
version: '3'

services:
  keycloak:
    image: quay.io/keycloak/keycloak:${KEYCLOAK_VERSION:-21.1.2}
    environment:
      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-admin}
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
    command: start
```

```yaml
# docker-compose.override.yml
version: '3'

services:
  keycloak:
    ports:
      - "8080:8080"
    command: start-dev
```

@alexander-schranz
Member Author

We started implementing the SSO OpenID provider in #7262; currently doing some conception of how to create such interfaces for single sign on providers.

@alexander-schranz alexander-schranz removed this from the Release 2.6 milestone Feb 5, 2024
@alexander-schranz
Member Author

The OpenID implementation, which supports self-hosted Keycloak, Google, Azure, AWS and other identity providers, is implemented in 2.6.
