Use SSO authentication locally¶
This chapter describes how to enable the SSO authentication for development purpose.
How SSO works ?¶
SAMLv2protocol as it is a popular standard in the industry.
Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, named an
Identity Provider, and a SAML consumer, named a
Identity Provider offers user authentication as a service, and the
Service Provider could be considered as a client that will ask to authenticate a user.
The content exchanged between the IdP and the SP must be signed, that’s why we have to configure those entities with
Outbound single sign-on¶
Akeneo PIM is implementing Outbound SAML, that can also be called SP-initiated Single Sign-On (SSO) or traditional SAML. In an outbound SAML transaction a Service Provider (SP) like a website or an application redirects a user to a designated Identity Provider (IDP) for authentication and authorization. The IDP asks for the user’s credentials and upon successful authentication redirects the user to the protected content.
All the exchanges, redirections between the browser, the Service Provider and the Identity Provider could be represented as follows:
Setting up the Identity Provider (IdP)¶
We provide an already configured IdP server image in the
docker-compose.yml file, named
The following information is here if you want to tweak something, if not, go directly to the Setting up the Service Provider (SP) section.
This container will expose the
8082 port, you can override this value in the
You can access the IdP administration page at the following url: http://localhost:8082/simplesaml.
The configuration of the Service Provider is automatically provided by environment variables in the
docker-compose.yml file line 58 (
SIMPLESAMLPHP_SP_ENTITY_ID) of your standard archive.
You can install an IdP server or use any SaaS service (Azure AD for example) that respect the
The configuration of the IdP depends on the solution you choose so you’ll have to refer to its documentation.
You will have to configure the users:
- Add the users you’ll want to be able to login into the pim (the user must exists in the pim).
- The attribute
akeneo_uidwill have to be sent in the Authentication response, and the value will have to match an existing pim user
You will have to configure the Service Provider information with the following data:
- EntityId: http://your.akeneo-pim.url/saml/metadata
- Logout url: http://your.akeneo-pim.url/saml/logout
- ACS url: http://your.akeneo-pim.url/saml/acs
You will have to retrieve the IdP certificate, it will be needed to configure the Service Provider on the Akeneo PIM side.
Setting up the Service Provider (SP)¶
- Go to the sso configuration page, under
System/SAML-based Single Sign-On
- Enable the feature using the “SSO Enable” toggle button
- Fill the form with the values provided by your IdP server
- Then click the Save button
- If everything went fine, you’ll be logged out and redirected to the IdP login form
For the IdP provided in the docker-compose.yml¶
- Entity ID:
- Login URL:
- Logout URL:
What if I’ve wrongly configured my admin user and I can’t access the PIM?¶
An original login form is here as a fallback in this situation, you can access it here: http://your.akeneo-pim.url/user/login
How can I debug authentication errors ?¶
Various errors can happen, those errors could be due to incorrect configuration on IdP side or SP side.
Regarding the IdP:
* For the one provided in docker-compose.yml, you can check logs outputed by the container
docker logs -f your_sso-idp-server_container-name
* For custom configuration of the IdP, refer to the documentation.
Found a typo or a hole in the documentation and feel like contributing?
Join us on Github!