The Flowpack Single sign-on is designed for integration in TYPO3 Flow applications and offers a full single sign-on solution without the need of external components. The Server package can be used to build a custom authentication server based on TYPO3 Flow while the Client package can be used to integrate existing TYPO3 Flow applications into the single sign-on.
We designed the solution for ease of use and a seamless authentication experience for the user.
- Easy integration into existing TYPO3 Flow applications
- Flow security framework integration, re-use of existing authentication providers (e.g. LDAP, UsernamePassword, OpenID)
- Flexible account data mapping (transfer custom properties of parties)
- Session expiration synchronization
- Remote session management capabilities
- Single Sign-off
- Account switching (impersonate)
- Sessions can use existing Flow cache backends (Redis, Memcache, APC)
- RSA signing of server-side requests
The architecture is designed to be highly extensible and fully integratable in an existing TYPO3 Flow application.
A Single sign-on server is a TYPO3 Flow application that provides a central authentication system which is accessed by the instances. The server consists of the Server package and a domain package that implements a party model for the authentication and provides possible extensions to the Single sign-on data exchange.
The server has a public / private key pair and exports HTTP service as the Service base URI (e.g. http://ssoserver.local/sso/). The service base URI is also used as the unique server identifier.
All the instances have to be registered as a single sign-on client with their public key and service base URI. This allows for (signed) server-side requests initiated by the client or the server. The client public key restricts access to the single sign-on only to explicitly registered clients. The clients are persisted as entities inside a configured database. A management interface for the clients can be implemented in a custom package.
See Single sign-on server for more information about implementing a custom server application.
An instance is a (TYPO3 Flow) application that utilizes a Single sign-on server for authentication using the Client package. The Flowpack Single sign-on can be one of multiple authentication methods on the instance. Usually there will be a larger number of instances in a typical setup.
The single sign-on client on the instance has a public / private key pair and a Service base URI as a unique client identifier. The client needs at least one configured single sign-on server with the server public key and service base URI. The client is used by the instance through the Flow security framework as a special authentication provider.
Authentication round trip¶
This is a simple round trip for access to a secured resource on an instance without prior authentication:
- A user accesses a secured resource on an instance
- Since no account is authenticated on the instance the user is redirected to a configured server
- The user will authenticate on the server through a configured authentication provider (e.g. username / password)
- The server redirects back to the instance and passes an encrypted access token
- The instance decrypts the access token and does a server-side request to redeem the token on the server, the server verifies the token and returns the account data and authorization information (e.g. roles)
- The instance authenticates an account locally and redirects to the original secured resource