SIMPLESAMLPHP PLUGIN

---- plugin ----
Description: This plugin provides Single Sign-On (SSO) for phpList via `SIMPLESAMLPHP`.
author : Fon E. Noel Nfebe <github.com/fenn-cs>
type :
compatible : phpList 3.6.8 and above, PHP 7.4 and above
depends :
conflicts :
similar :
tags : authentication

Source Repository : https://github.com/phpList/phplist-plugin-simplesaml


Installation

Plugin download

The easiest way to set up this plugin is through the plugins page (menu Config > Manage plugins) using the package URL https://github.com/phpList/phplist-plugin-simplesaml/archive/refs/heads/main.zip

The plugin may be enabled at this point or after the SimpleSAMLPHP config described below.

SimpleSAMLPHP Installation

This plugin requires an installation of `SIMPLESAMLPHP` to work, so the plugin comes with a ready-to-use build of SIMPLESAMLPHP. However, the server on which the phpList instance is running must be configured to point to the simplesamlphp folder that comes with the plugin.

Essentially, your-phplist-domain.ext/simplesamlphp should point to the folder in main/simplesaml/simplesamlphp of the extension or a copy of it on your server.

Advanced users: see the simplesaml config section in the README for more detailed information.

SimpleSAMLPHP Custom Configuration

By default, this plugin is configured to work with phpList's Keycloak server. If you wish to change the identity provider, more configuration is required, as described below.

In main/simplesaml/simplesamlphp/config/authsources.php the following parameters have to be set:

  • entityID: The entityID is essentially the client ID that is specified in Keycloak or the IdP.
  • idp: The identifier of the IdP (Keycloak) that simplesaml connects to.
  • RelayState: The RelayState specifies where simplesamlphp should redirect to after a successful authentication. It works like a callback URL and should simply be the URL from which the authentication started, hence a 'redirect back'.
  • NameIDPolicy: The IdP is expected to return a NameID for every successful auth session; this NameID is what identifies the user. Depending on the IdP, this NameID might change every session, which makes it impossible to track the user across sessions. So we have to set the NameIDPolicy to persistent, essentially telling the IdP to send the same NameID every time for the same user.

In main/simplesaml/simplesamlphp/config/config.php the following parameters have to be set:

  • baseurlpath: The baseurlpath refers to the base URL of the running SimpleSAML configuration. Depending on where simplesaml was installed, it could be a separate domain such as phplist.com/simplesamlphp/www or a path like phplist.com/admin/simplesamlphp/www.

NB: The baseurlpath (which is essentially the simplesamlphp installation URI) is where the IdP returns the SAML response after a successful login. The SAML request would then be parsed and simplesamlphp would redirect back to the phplist url that sent the request or the one set via the RelayState property in the config array of authsources.php within the config dir.
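
The four authsources.php parameters above, sketched as an added example (not the configuration shipped with the plugin): the auth source name `default-sp`, the client ID, the IdP entity ID and the URLs are placeholders to replace with your own values. The array form of NameIDPolicy follows current SimpleSAMLphp documentation; an older bundled build may expect the format string alone.

```php
<?php
// main/simplesaml/simplesamlphp/config/authsources.php
// Added example: every value below is a constructed placeholder.
$config = [
    // 'default-sp' is SimpleSAMLphp's stock SP name (assumption);
    // keep whatever name the file shipped with the plugin already uses.
    'default-sp' => [
        'saml:SP',

        // Client ID registered for phpList in Keycloak (or another IdP).
        'entityID' => 'phplist-example-client',

        // Entity ID of the IdP, exactly as it appears in the IdP
        // metadata loaded into SimpleSAMLphp.
        'idp' => 'https://idp.example.org/realms/example',

        // "Redirect back" target after a successful login. Pin it to
        // your own phpList admin URL over HTTPS.
        'RelayState' => 'https://your-phplist-domain.ext/lists/admin/',

        // Ask the IdP for the same NameID on every login so the
        // administrator can be matched across sessions.
        'NameIDPolicy' => [
            'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
            'AllowCreate' => true,
        ],
        // Avoid the transient format here: it yields a new NameID per
        // session, so the user cannot be tracked between logins.
        // 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    ],
];

// In config/config.php, baseurlpath must match the URL where the IdP
// posts the SAML response, for example:
// 'baseurlpath' => 'https://your-phplist-domain.ext/simplesamlphp/www/',
```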

For more information about the custom configuration, see the README config section.

Installation for advanced users (git & terminal)

See the README file on the GitHub page https://github.com/phpList/phplist-plugin-simplesaml

Plugin Activation

It is recommended to enable the plugin only after the SIMPLESAMLPHP configs are set in the various configuration files described above and/or in the README.

Important Checks

`SimpleSAMLPHP` Installation check

You should verify that yourdomain.com/simplesamlphp for example phplist.com/simplesamlphp loads the simplesamlphp files correctly and that phplist.com/simplesamlphp/www loads the simplesamlphp UI like the one shown below.

Testing

Activation

After cloning the plugin into your plugin directory, you should log in normally using your admin credentials and activate the plugin from the plugin management tab.

Identity Provider Redirect

Once the plugin is activated, if you log out, the plugin should automatically redirect you to the identity provider.

Keycloak View

Support

Report any issues or questions in the support forum https://discuss.phplist.org/

plugin/simplesaml.txt · Last modified: 2022/07/25 20:32 by phplist
