v3.2

Use SSO authentication locally

This chapter describes how to enable SSO authentication for development purposes.

How does SSO work?

SSO stands for Single Sign-On; several SSO protocols exist. We implemented the SAMLv2 protocol, as it is a widely adopted industry standard.

Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, named an Identity Provider, and a SAML consumer, named a Service Provider.

—Source Wikipedia

The Identity Provider (IdP) offers user authentication as a service; the Service Provider (SP) is its client, the application that asks the IdP to authenticate a user. Here the PIM is the Service Provider.

The messages exchanged between the IdP and the SP must be signed, so that each side can verify that what it receives really comes from the party it trusts: the SP verifies the IdP's signature on the assertions it receives, using the IdP certificate, and the IdP can do the same for the requests coming from the SP. That is why both entities have to be configured with certificates and private keys, and why the IdP certificate you enter on the PIM side is the root of trust for every SSO login.

Outbound single sign-on

Akeneo PIM implements outbound SAML, also called SP-initiated Single Sign-On (SSO) or traditional SAML. In an outbound SAML transaction, a Service Provider (SP) such as a website or an application redirects the user to a designated Identity Provider (IdP) for authentication and authorization. The IdP asks for the user's credentials and, upon successful authentication, sends the user back to the SP, which then gives access to the protected content.

All the exchanges and redirections between the browser, the Service Provider and the Identity Provider can be represented as follows:

[Figure: SAML 2.0 web browser SSO profile using the HTTP-Redirect and HTTP-POST bindings (image: wikimedia-saml2-browser-sso-redirect-post.png)]

Setting up the Identity Provider (IdP)

Using Docker

We provide an already configured IdP server image in the docker-compose.yml file, named sso-idp-server.

The following information is here in case you want to tweak something; if not, go directly to the Setting up the Service Provider (SP) section.

This container exposes port 8082; you can override this value in the .env file.

You can access the IdP administration page at the following URL: http://localhost:8082/simplesaml.

Some users are already configured, the same ones as in the icecat_demo_dev fixtures. They are defined in docker/sso_authsources.php.

The Service Provider configuration is provided automatically by environment variables in the docker-compose.yml file of your standard archive (line 58, SIMPLESAMLPHP_SP_ENTITY_ID).

This IdP is preconfigured for development only: its accounts are the demo ones and are identical in every installation of the archive, so keep the container bound to localhost and never point a production PIM at it.

Without Docker

You can install an IdP server or use any SaaS service (Azure AD for example) that supports the SAMLv2 protocol.

The configuration of the IdP depends on the solution you choose, so you will have to refer to its documentation.

You will have to configure the users:

  • Add the users you want to be able to log in to the PIM. SSO only authenticates them: each user must already exist in the PIM.
  • The attribute akeneo_uid must be sent in the authentication response, and its value must match the username of an existing PIM user.

You will have to configure the Service Provider information with the following data (replace your.akeneo-pim.url with the scheme and host the PIM is actually served on; the IdP will only POST authentication responses to the ACS URL registered here):

  • EntityId: http://your.akeneo-pim.url/saml/metadata
  • Logout url: http://your.akeneo-pim.url/saml/logout
  • ACS url: http://your.akeneo-pim.url/saml/acs

You will also have to retrieve the IdP certificate: it is needed to configure the Service Provider on the Akeneo PIM side, because it is the certificate the PIM uses to verify the signature of the assertions the IdP sends.
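The SP-initiated exchange described under Outbound single sign-on, together with the checks the Service Provider has to make on the IdP's answer before it trusts the akeneo_uid mapping described above, as an added Python example. This is not part of Akeneo PIM's code: it assumes this chapter's placeholder hostnames and the docker IdP's login URL, the SAML Response it validates and the user list it maps against are constructed for the demonstration, and the cryptographic XML signature check is left to a real SAML library (the example only refuses assertions that carry no signature).

```python
# Added example (not Akeneo code): the SP-initiated SAML 2.0 exchange as seen from the
# Service Provider. Hostnames are this chapter's placeholders; the Response and the PIM
# user list are constructed for the demonstration, not produced by an IdP or the PIM.
import base64
import datetime as dt
import zlib
import xml.etree.ElementTree as ET  # parse untrusted SAML with defusedxml in production
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS, TS = "urn:oasis:names:tc:SAML:2.0:status:Success", "%Y-%m-%dT%H:%M:%SZ"
SP_ENTITY_ID = "http://your.akeneo-pim.url/saml/metadata"  # EntityId registered at the IdP
SP_ACS_URL = "http://your.akeneo-pim.url/saml/acs"         # where the IdP POSTs the Response
IDP_SSO_URL = "http://localhost:8082/simplesaml/saml2/idp/SSOService.php"  # docker IdP login URL
IDP_ENTITY_ID = "http://localhost:8082/simplesaml/saml2/idp/metadata.php"

def build_authn_request(request_id, issue_instant):
    """Step 1: the AuthnRequest the SP hands to the browser for the IdP."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant.strftime(TS)}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>")

def redirect_binding_url(authn_request_xml, relay_state="/"):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    z = zlib.compressobj(wbits=-15)  # negative wbits: raw deflate, no zlib header
    deflated = z.compress(authn_request_xml.encode()) + z.flush()
    return IDP_SSO_URL + "?" + urlencode(
        {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})

def decode_redirect_binding(url):
    """What the IdP does with that query string (inverse of redirect_binding_url)."""
    params = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), wbits=-15).decode()

def validate_response(saml_response_b64, expected_request_id, now, pim_usernames):
    """Step 4: checks the SP must make on the POSTed Response; returns the PIM username or raises."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("not the answer to a request we issued (unsolicited or replayed)")
    assertion = root.find("saml:Assertion", NS)
    # The assertion must be signed by the IdP key whose certificate is pasted into
    # System / SAML-based Single Sign-On. Verifying the XML-DSig is the SAML library's
    # job (xmlsec); this example only refuses assertions that carry no signature at all.
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        raise ValueError("missing or unsigned assertion")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        raise ValueError("assertion without a validity window")
    if not (dt.datetime.strptime(cond.get("NotBefore"), TS) <= now
            < dt.datetime.strptime(cond.get("NotOnOrAfter"), TS)):
        raise ValueError("assertion outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion was issued for another Service Provider")
    # The PIM maps the user through akeneo_uid, which must equal an existing PIM username.
    uid = next((a.findtext("saml:AttributeValue", namespaces=NS)
                for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
                if a.get("Name") == "akeneo_uid"), None)
    if uid is None:
        raise ValueError("IdP did not send the akeneo_uid attribute")
    if uid not in pim_usernames:
        raise ValueError(f"akeneo_uid {uid!r} matches no PIM user")
    return uid

def constructed_response(in_response_to, not_before, not_on_or_after, uid, signed=True):
    """A constructed Response (not IdP output) so the checks above can be exercised offline."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>' if signed else ""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
           f'Version="2.0" InResponseTo="{in_response_to}" Destination="{SP_ACS_URL}">'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>{sig}'
           f'<saml:Conditions NotBefore="{not_before.strftime(TS)}" NotOnOrAfter="{not_on_or_after.strftime(TS)}">'
           f"<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>"
           '</saml:Conditions><saml:AttributeStatement><saml:Attribute Name="akeneo_uid">'
           f'<saml:AttributeValue>{uid}</saml:AttributeValue></saml:Attribute>'
           '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def run_checks():
    """Drive the flow end to end with constructed data; returns what each check decided."""
    now, req_id = dt.datetime(2019, 6, 1, 12, 0, 0), "_req_constructed_1"
    users = {"admin", "julia"}  # constructed stand-in for the PIM user table
    xml = build_authn_request(req_id, now)
    out = {"redirect_roundtrip": decode_redirect_binding(redirect_binding_url(xml)) == xml}
    nb, na = now - dt.timedelta(minutes=1), now + dt.timedelta(minutes=5)
    out["login"] = validate_response(constructed_response(req_id, nb, na, "julia"), req_id, now, users)
    rejected = {"unsigned": constructed_response(req_id, nb, na, "julia", signed=False),
                "expired": constructed_response(req_id, nb - dt.timedelta(hours=1), now, "julia"),
                "unknown_user": constructed_response(req_id, nb, na, "nobody"),
                "wrong_request": constructed_response("_another_request", nb, na, "julia")}
    for name, resp in rejected.items():
        try:
            out[name] = "accepted: " + validate_response(resp, req_id, now, users)
        except ValueError as err:
            out[name] = f"rejected: {err}"
    return out
```

Calling run_checks() walks the whole flow: the AuthnRequest survives the Redirect-binding encoding, the well-formed Response logs "julia" in, and the unsigned, expired, unknown-user and unsolicited variants are all refused. The InResponseTo and audience checks are what stop a response captured for another SP, or replayed later, from opening a PIM session; the akeneo_uid check is the PIM-specific step this chapter asks the IdP to support.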

Setting up the Service Provider (SP)

  • Go to the SSO configuration page, under System / SAML-based Single Sign-On
  • Enable the feature using the "SSO Enable" toggle button
  • Fill in the form with the values provided by your IdP server
  • Then click the Save button
  • If everything went fine, you will be logged out and redirected to the IdP login form (keep the fallback login URL from the FAQ below at hand in case the configuration turns out to be wrong)

For the IdP provided in the docker-compose.yml

  • Entity ID: http://localhost:8082/simplesaml/saml2/idp/metadata.php
  • Login URL: http://localhost:8082/simplesaml/saml2/idp/SSOService.php
  • Logout URL: http://localhost:8082/simplesaml/saml2/idp/SingleLogoutService.php
  • Certificate: not reproduced here; copy it from the IdP metadata document served at the Entity ID URL above (the X509Certificate element of the signing KeyDescriptor)
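The four values of the SP form above are exactly what an IdP publishes in its SAML metadata document, so they can be extracted rather than retyped. The following Python is an added example, not Akeneo or SimpleSAMLphp code: the metadata it parses is constructed to mirror the docker-compose IdP's endpoints, and its certificate is a placeholder blob, not a real X.509 certificate.

```python
# Added example (not Akeneo or SimpleSAMLphp code): read the four values of the SP form out of
# an IdP's SAML metadata document instead of copying them by hand. The metadata below is
# constructed to mirror the docker-compose IdP's endpoints; its certificate is a placeholder.
import base64
import hashlib
import xml.etree.ElementTree as ET  # use defusedxml for metadata fetched from a remote IdP

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
CONSTRUCTED_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()
CONSTRUCTED_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD['md']}" xmlns:ds="{MD['ds']}"
    entityID="http://localhost:8082/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {CONSTRUCTED_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}"
        Location="http://localhost:8082/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8082/simplesaml/saml2/idp/SSOService.php"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="http://localhost:8082/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_form_values(metadata_xml):
    """Return what to paste into System / SAML-based Single Sign-On for this IdP."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", MD)
    if idp is None:
        raise ValueError("metadata describes no IdP role")

    def location(service):
        # Several bindings may be advertised; this prefers HTTP-Redirect (assumption: pick
        # the binding your SP actually uses for that endpoint).
        nodes = idp.findall(f"md:{service}", MD)
        preferred = [n for n in nodes if n.get("Binding") == REDIRECT] or nodes
        return preferred[0].get("Location") if preferred else None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", MD):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD):
                certs.append("".join((c.text or "").split()))  # drop the line wrapping
    if not certs:
        raise ValueError("no signing certificate: the SP could not verify anything this IdP sends")
    return {
        "entity_id": root.get("entityID"),
        "login_url": location("SingleSignOnService"),
        "logout_url": location("SingleLogoutService"),
        "certificate": certs[0],
        "all_signing_certificates": certs,  # more than one during an IdP key rollover
        "certificate_sha256": hashlib.sha256(base64.b64decode(certs[0])).hexdigest(),
    }


def rejects_metadata_without_signing_certificate():
    """Metadata whose only key is for encryption must not be accepted as an SP configuration."""
    try:
        sp_form_values(CONSTRUCTED_METADATA.replace('use="signing"', 'use="encryption"'))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for key, value in sp_form_values(CONSTRUCTED_METADATA).items():
        print(f"{key}: {value}")
```

Against the docker IdP, fetch the document from the Entity ID URL above and pass its text to sp_form_values; the certificate_sha256 value gives you a fingerprint to compare with the IdP operator out of band. Plain HTTP is acceptable for the localhost container only: for any other IdP, fetch the metadata over TLS or verify its signature, because the certificate it carries becomes the root of trust for every PIM login, and re-run the extraction when the IdP announces a key rollover, since the form holds a single certificate.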

FAQ

What if I've wrongly configured my admin user and I can't access the PIM?

The original login form is kept as a fallback for this situation; you can access it at http://your.akeneo-pim.url/user/login. Note that this also means password authentication stays reachable while SSO is enabled, so the PIM passwords of your users, and of the admin account in particular, still have to be managed as carefully as before.

How can I debug authentication errors?

Various errors can happen; they may be due to an incorrect configuration on the IdP side or on the SP side.

Regarding the SP: on the SSO configuration page, a "download logs" button provides a ZIP of var/logs/saml/authentication*.log. You can also read these logs directly on the server if your PIM installation is on premise or on PaaS.

Regarding the IdP:

  • For the one provided in docker-compose.yml, check the logs output by the container: docker logs -f your_sso-idp-server_container-name
  • For a custom IdP, refer to its documentation.

