Providing Single Sign On (SSO) over common protocol #6514
Comments
We are very interested in using Sulu for our project, but SSO is a must-have. It might be possible for us to develop this feature for Sulu as part of our development. What is the current status of this SSO integration? Has any work already been started?
Hello @benr77, yesterday we had the roadmap update for the 2.6 features, and SSO over OpenId is on the plan; we are currently making the technical concept for it. I already created some kind of a prototype, whose challenges were documented here: symfony/symfony#50896. We already used that kind of implementation in a project, but we will make it more flexible for the Sulu bundle. I hope OpenId fits your use case; we successfully connected Google Business Account, Microsoft 365 or self-hosted Keycloak instances with it. Behind a Keycloak instance you can even put other protocols like LDAP, OAUTH, Kerberos, .... https://www.keycloak.org/docs/latest/server_admin/ I will try to keep you up to date on the changes here.
@alexander-schranz awesome news! Glad I can remove one item from my long todo list :)
Even if this is not implemented in the core: using
@alexander-schranz Thank you for your detailed answer. If Sulu is to support OpenId in core that sounds great. Using a self-hosted Keycloak instance is certainly something we could consider, and that would then allow us to support whatever authentication protocols we need (other than OpenId) on our non-Sulu applications. (Is this correct?)
@benr77 yes, that should work; you can quickly start a Keycloak instance via docker compose if you want to have a deeper look at it. Keycloak Docker compose
We started implementing an SSO OpenID provider in #7262; we are currently working on a concept for how to create such interfaces for single sign-on providers.
The OpenID implementation, supported via self-hosted Keycloak, Google, Azure, AWS and other identity providers, is implemented in 2.6.
Problem description
Single Sign On is a feature which is common when you have multiple websites or installations of Sulu and do not want to create the same user again on every installation.
Proposed solution
There should be the possibility to use single sign on over some providers. There are some common protocols which provide SSO:
In Sulu it is not enough to just get authenticated against a system. Sulu requires a user in the database; this is required for features like "Author", "Creator", "Changer" and the current role implementation (roles over ids instead of keys, and language-specific roles).
So Sulu can, for example, not use the existing LDAPUserProvider of Symfony; instead it would need to decorate that one to create and update the user.
If we implement one of the other protocols the same thing is required: after authentication it is necessary to check whether to create or update the user with its data from the authentication provider. If possible, at least the following fields should then be provided (Firstname, Lastname, Email) and kept up to date.
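As an added example (not Sulu's or Symfony's code; the class names, the repository interface and the claim-to-field mapping are assumptions), here is how the create-or-update step described above could look for an OpenID Connect login, once the ID token itself has already been verified:

```php
<?php
// Added illustration, not Sulu's or Symfony's code: the classes, the
// repository interface and the claim-to-field mapping are assumptions.
declare(strict_types=1);

final class LocalUser
{
    public function __construct(public string $username, public string $firstName,
                                public string $lastName, public string $email) {}
}

interface LocalUserRepository
{
    public function findByUsername(string $username): ?LocalUser;
    public function save(LocalUser $user): void;
}

final class OidcUserSynchronizer
{
    // Claims the local record needs; 'sub' is the IdP's stable subject id.
    private const REQUIRED = ['sub', 'given_name', 'family_name', 'email'];

    public function __construct(private LocalUserRepository $users) {}

    /** @param array<string, mixed> $claims claims of an already verified ID token */
    public function sync(array $claims): LocalUser
    {
        foreach (self::REQUIRED as $claim) {
            if (!is_string($claims[$claim] ?? null) || $claims[$claim] === '') {
                throw new \UnexpectedValueException("Missing claim: $claim");
            }
        }
        // Refuse e-mail addresses the provider has not verified, so nobody can
        // take over a local account just by asserting its address.
        if (($claims['email_verified'] ?? false) !== true) {
            throw new \UnexpectedValueException('E-mail not verified by provider');
        }
        // Key the local user on 'sub', not on the e-mail: addresses change,
        // the subject id does not, so a renamed account stays the same user.
        $username = 'oidc:' . $claims['sub'];
        $user = $this->users->findByUsername($username) ?? new LocalUser($username, '', '', '');
        // Create or refresh the fields the issue wants kept up to date.
        $user->firstName = $claims['given_name'];
        $user->lastName  = $claims['family_name'];
        $user->email     = $claims['email'];
        $this->users->save($user);
        return $user;
    }
}
```

A decorated user provider would call `sync()` with the verified claims and then hand the returned local user to the security layer, so roles keep referencing a database id as the issue requires.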