Menu

Introducing SAML SSO to Craft CMS

By Nate Iler

We work with associations, large associations that also provide their constituents an online experience across multiple web applications.  These applications range from Jive, collaboration software where users share ideas and documents to Craft CMS, content and user management software.  While these applications operate and fulfill a specific role, they must also share a user’s identity.

The Problem

A technology landscape running multiple web applications seamlessly means managing multiple user identities.  That’s right, separate usernames, passwords and everything between.  With over 100,000 user identities, simply managing credentials inconsistencies, profile conflicts and other user related issues began consuming enough time to rethink the approach entirely.

The legacy solution leveraged a delegated authentication service, which passed user credentials to an authoritative API endpoint.  However, it only addressed one aspect of identity management: authentication.  This mean if you have an active primary session, you must still provide credentials for each additional application.  Even with a handful of complex, single sign on (SSO) like Band Aids in place, the existing solution showed it’s archaic approach when modern and more reliable options are abundant.

The Solution

We chose implementing an SSO solution that is widely used across the enterprise: Security Assertion Markup Language (SAML).  Not only is SAML secure, it’s also easily extendable and perfect for our multiple web application ecosystem.  While much of our experience has been with OpenID and OAuth, we’re always up for rolling up our sleeves and digging in.  Our first task was to identify the application responsible for managing user identities and authentication.

In the world of SAML, an  Identity Provider (IdP) is primarily responsible for authentication.  Craft CMS (built on Yii) ships with identity management and is ridiculously easy to extend.  It was our first and place to begin evaluating it as our IdP.  We considered other options including third party hosted services such as OneLogin, but at a cost of $2/user/month, costs quickly get out of control.  Also, we found these services are targeted towards internal user management (for IT administrators) and come with a slew of features that we don’t really need.  At the end of the day, Craft CMS became our IdP of choice with basic authentication being the method of choice.  Next up, addressing all of the applications that need to authenticate with our IdP.

The application side, know as the Service Provider (SP) in SAML, became a much easier task because most enterprise application such as Jive ship with SSO capabilities.  All we needed to do was enable a few settings, configure our assertions and protocols and we were on our way.  Hooray!

Conclusion

Solving this problem was fun.  It wasn’t easy; it required a lot of reading and studying the SAML spec, but the journey and solution came out well.  We have a backlog of additional features that we would like to introduce, and hopefully some day we’ll get an opportunity to address them.  Our intention is to do a little code refactoring and writing documentation with hopes of releasing it as a commercial Craft CMS plugin.  Until then, if you’re interested in SSO or SAML with Craft CMS, don’t hesitate to contact us.