rohit-raj-verma/pimcore-msentra-saml-login

SAML 2.0 Single Sign-On (SSO) bundle for Pimcore 11 admin with Microsoft Entra ID (Azure AD) support and auto user provisioning


Type: pimcore-bundle

pkg:composer/rohit-raj-verma/pimcore-msentra-saml-login

v1.0.0 2026-02-13 11:54 UTC

This package is auto-updated.

Last update: 2026-02-13 11:57:16 UTC


README

A Pimcore bundle that adds SAML 2.0 based Single Sign-On (SSO) to the Pimcore admin login. Supports Microsoft Entra ID (Azure AD) and other SAML 2.0 compliant Identity Providers.

Features

  • SAML 2.0 Authentication: Full SAML 2.0 SP (Service Provider) implementation for Pimcore admin
  • Custom Login Page: Adds a "Login with SSO" button alongside the standard username/password form
  • Auto User Provisioning: Automatically creates Pimcore admin users on first SSO login
  • User Sync: Updates user profile (name, email) from IdP attributes on each login
  • MS Entra ID Support: Built-in support for Microsoft Entra ID (Azure AD) SAML attribute mapping
  • Environment-Based Config: Configure SP settings via environment variables

Requirements

  • Pimcore 11.x
  • PHP 8.1 or higher

Installation

Step 1: Install via Composer

composer require rohit-raj-verma/pimcore-sso-bundle

Step 2: Enable the Bundle

Add the bundle to your config/bundles.php:

<?php
// config/bundles.php: register the bundle for every environment
return [
    // ... other bundles ...
    SSOBundle\SSOBundle::class => ['all' => true],
];

Step 3: Configure Environment Variables

Add the following variables to your .env file:

###> SSOBundle ###
SAML_SP_ENTITY_ID=https://sts.windows.net/YOUR-TENANT-ID/
SAML_SP_REPLY_URL=https://your-pimcore-domain.com/saml/acs
###< SSOBundle ###

Variable          | Description                                                                | Example
SAML_SP_ENTITY_ID | The Entity ID of your Identity Provider (IdP)                              | https://sts.windows.net/{tenant-id}/
SAML_SP_REPLY_URL | The ACS (Assertion Consumer Service) URL — your Pimcore domain + /saml/acs | https://example.com/saml/acs

Step 4: Configure Identity Provider Metadata

Replace the placeholder values in vendor/rohit-raj-verma/pimcore-sso-bundle/Resources/config/saml-idp.xml with your IdP metadata, or copy the file to your project config directory.

For Microsoft Entra ID (Azure AD):

  1. Go to Azure Portal > Enterprise Applications > Your App > Single sign-on
  2. Download the Federation Metadata XML
  3. Copy the entityID and SingleSignOnService Location values into saml-idp.xml

Example saml-idp.xml:

<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor entityID="https://sts.windows.net/YOUR-TENANT-ID/"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="https://login.microsoftonline.com/YOUR-TENANT-ID/saml2" />
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="https://login.microsoftonline.com/YOUR-TENANT-ID/saml2" />
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://login.microsoftonline.com/YOUR-TENANT-ID/saml2" />
    </IDPSSODescriptor>
</EntityDescriptor>

Step 5: Configure Azure AD / MS Entra (IdP Side)

In your Identity Provider, configure the following:

Setting                | Value
Identifier (Entity ID) | https://your-pimcore-domain.com/saml/acs (same as SAML_SP_REPLY_URL)
Reply URL (ACS URL)    | https://your-pimcore-domain.com/saml/acs
Sign-on URL            | https://your-pimcore-domain.com/saml/login

Required SAML Claims / Attributes:

Claim        | Description
emailaddress | User's email (used as Pimcore username)
displayname  | User's full name
givenname    | First name (optional, fallback)
surname      | Last name (optional, fallback)

Step 6: Clear Cache

bin/console cache:clear

Usage

After installation, the Pimcore admin login page will display a "Login with SSO" button below the standard login form.

Login Flow

  1. User clicks "Login with SSO" on the Pimcore admin login page
  2. The bundle sends a SAML AuthnRequest to the configured IdP
  3. User authenticates with the IdP (e.g., Microsoft login)
  4. IdP sends a SAML Response back to /saml/acs
  5. The bundle validates the response and extracts user attributes
  6. If the user doesn't exist in Pimcore, a new admin user is created automatically
  7. User is logged into Pimcore admin
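The checks that step 5 must enforce before step 6 provisions anyone, as an added example that is not the bundle's own code: Destination, audience, validity window and InResponseTo/Recipient are verified, then the claims from the table above are mapped to a Pimcore username and display name. The full Entra claim URIs and the constructed, unsigned sample Response are assumptions; XML signature verification is left to the SAML library and must pass before any of these values are trusted.

```python
# Added example (not the bundle's code): SP-side checks on an IdP Response before
# a user is provisioned, plus the emailaddress/displayname/givenname/surname mapping.
# Signature verification is NOT done here; the SAML library must do it first.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # assumed Entra claim URI prefix
DISPLAYNAME = "http://schemas.microsoft.com/identity/claims/displayname"  # assumed Entra claim URI

def validate_response(xml_text, sp_entity_id, acs_url, request_id, now):
    """Return {'username', 'name'} for provisioning, or raise ValueError naming the failed check."""
    ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        raise ValueError("Destination does not match SAML_SP_REPLY_URL")
    a, = root.findall("saml:Assertion", NS)  # unpack raises ValueError unless exactly one Assertion
    cond = a.find("saml:Conditions", NS)
    if cond is None or not ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if sp_entity_id not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("audience does not name this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        raise ValueError("SubjectConfirmationData mismatch (unsolicited or replayed assertion)")
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    email = attrs.get(CLAIM + "emailaddress", [None])[0]
    if not email:
        raise ValueError("emailaddress claim missing; no Pimcore username can be derived")
    name = attrs.get(DISPLAYNAME, [None])[0]
    if not name:  # fallback described in the claims table: givenname + surname
        name = " ".join(attrs.get(CLAIM + "givenname", []) + attrs.get(CLAIM + "surname", [])).strip()
    return {"username": email, "name": name}

# Constructed, unsigned sample Response (illustration only; no displayname, so the fallback applies)
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://example.com/saml/acs">
 <saml:Assertion><saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
  Recipient="https://example.com/saml/acs" InResponseTo="_req1"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2026-02-13T11:50:00Z" NotOnOrAfter="2026-02-13T12:00:00Z">
   <saml:AudienceRestriction><saml:Audience>https://example.com/saml/acs</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions><saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
NOW = datetime(2026, 2, 13, 11, 55, tzinfo=timezone.utc)
```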

Routes

Route      | Path        | Description
saml_login | /saml/login | Initiates the SAML authentication request
saml_acs   | /saml/acs   | Assertion Consumer Service — receives the IdP response

How It Works

  • RequestService: Builds and sends SAML 2.0 AuthnRequest to the IdP using HTTP-Redirect binding
  • ResponseService: Receives and validates the SAML Response from the IdP, extracts user attributes
  • UserService: Creates or updates Pimcore admin users based on SAML attributes
  • ContainerService: Provides the SAML2 library container implementation (logging, ID generation, etc.)
  • Login Template Override: Overrides the default Pimcore admin login template to add the SSO button

License

This bundle is released under the MIT License.