SAML SSO Configuration with Aptify
VIDEO TRANSCRIPT | Recorded: 2022-01-27 | Verify against current system state
Abstract¶
Deep technical dive into SAML SSO configuration. Covers Aptify SAML SSO plugin setup, including the public/private key certificates, login/logout URLs, and the stored procedure that supplies assertion attributes. Demonstrates CraftCMS SAML Service Provider plugin configuration, including keychain setup, identity-provider and service-provider settings, and user attribute mapping. Includes member-type and group-based content restriction features.
Key Procedures¶
- Create SAML SSO provider in Aptify (eBusiness > SAML SSO Providers)
- Generate public/private key pair using OpenSSL
- Configure issuer name, login URL, logout URL
- Enable SAML request signing and signature verification
- Create stored procedure for assertion attributes
- Set up CraftCMS SAML Service Provider plugin
- Configure keychain with certificates
- Set up identity provider and service provider
- Map user attributes from SAML to CraftCMS fields
- Review SSO logs for troubleshooting
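The key-pair step above (0:02:22, "I had to create a certificate using OpenSSL to make a public and private key"), carried through with the checks a practitioner runs before uploading the pair to the Aptify provider record, as an added shell example. It is not code from the transcript, Aptify or Flipbox; the CN `sso.example.test`, the one-year validity and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the transcript or either vendor): generate the
# public/private key pair an Aptify SAML SSO provider needs, then verify
# the pair before uploading it. The CN "sso.example.test", the one-year
# validity and the file names are assumptions for illustration.
set -e

# Generate a 2048-bit RSA key and a matching self-signed certificate.
#   $1 = output basename, $2 = subject CN, $3 = validity in days
gen_saml_keypair() {
  base=$1; cn=$2; days=$3
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
    -keyout "$base.key" -out "$base.crt" -days "$days" \
    -subj "/CN=$cn" >/dev/null 2>&1
  chmod 600 "$base.key"   # the private key never leaves this host
}

# Succeed only if the private key and the certificate carry the same
# public key; a mismatched pair makes every signed request fail.
keypair_matches() {
  base=$1
  [ -f "$base.key" ] && [ -f "$base.crt" ] || return 1
  k=$(openssl pkey -in "$base.key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$base.crt" -pubkey -noout 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed if the certificate expires within $2 days; an expired signing
# certificate breaks login without any setting having changed.
cert_expires_within() {
  base=$1; days=$2
  ! openssl x509 -in "$base.crt" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Print the certificate as one base64 line: the form SAML metadata embeds
# in <ds:X509Certificate> and the form most SAML admin forms expect.
cert_b64() {
  sed '/-----/d' "$1.crt" | tr -d '\n'
}

# Stand-alone run: build a pair in a scratch directory and report on it.
work=$(mktemp -d)
gen_saml_keypair "$work/aptify-sso" "sso.example.test" 365
keypair_matches "$work/aptify-sso" && echo "key and certificate match"
cert_expires_within "$work/aptify-sso" 30 || echo "certificate valid for more than 30 days"
echo "certificate (base64, first 40 chars): $(cert_b64 "$work/aptify-sso" | cut -c1-40)..."
rm -rf "$work"
```

Only the `.crt` output is shared with the other side; the `.key` file stays on the host that signs requests. Running `cert_expires_within` on a schedule is the cheapest way to avoid the silent breakage the transcript warns about: nothing in the provider record changes when a certificate expires.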
Notable Statements¶
- 0:00:30 "SAML logins occur through a plugin that we purchased from Aptify"
- 0:01:23 "This to me is much more complicated to set up than identity server"
- 0:01:39 "Everything is super picky, super picky"
- 0:02:22 "I had to create a certificate using OpenSSL to make a public and private key"
- 0:02:41 "The public key is shared every time that you do a SAML request to login"
- 0:03:40 "Be very careful changing anything here... if you uncheck one, the entire login process will fail"
- 0:04:11 "You could set up a SAML integration that only works for a specific web group like fellows"
- 0:04:40 "The stored procedure... contains the information that's sent over in the SAML request"
- 0:05:45 "Working with a third party to get SAML set up is much more difficult than... CraftCMS which we control"
- 0:06:48 "The successful ones are ones that actually show the web user ID... If there's an exception here that means it didn't work"
- 0:10:12 "The vendor that we work with for this is pretty responsive"
- 0:13:37 "GraphQL is a way to request information from Craft CMS and into a JSON query"
- 0:16:02 "If they copy... production into our QA environment... the service providers listed here get messed up"
Systems & Configurations¶
Systems Mentioned¶
- Aptify (SAML SSO plugin)
- CraftCMS (SAML Service Provider plugin)
- Higher Logic (SAML integration)
- SM Apply (OAuth, not SAML)
- OpenSSL (certificate generation)
Specific Configurations¶
| Item | Value/Setting | Timestamp | Notes |
|---|---|---|---|
| Aptify entities | SAML SSO Providers, SAML SSO Logs | 0:00:53 | Created by plugin |
| Login URL | /sso/login | 0:01:55 | Standard endpoint |
| Logout URL | /sso/logout | 0:01:55 | Standard endpoint |
| CraftCMS plugin | SAML SSO Service Provider | 0:10:05 | Flipbox Digital |
| Plugin version | 1.0 (2.0 testing in QA) | 0:10:34 | Complete rewrite |
| Assertion attributes | First name, last name, email, member type, etc. | 0:05:10 | Custom stored procedure |
Credentials/Access Mentioned¶
- Aptify admin for SAML SSO configuration
- CraftCMS admin for plugin configuration
- OpenSSL for certificate generation
Vendor Contacts Mentioned¶
- Flipbox Digital (CraftCMS SAML plugin vendor - responsive support)
- Higher Logic (SAML integration partner)
- Mighty Citizen (CraftCMS development)
Errors & Troubleshooting¶
- Issue: QA SAML stops working after production copy
  - Cause: Service providers point to production URLs
  - Resolution: Delete all providers and recreate from scratch
  - Timestamp: 0:16:06
- Issue: CraftCMS attribute mapping doesn't work (v1.0)
  - Cause: Plugin limitation
  - Resolution: Created custom PHP file for mapping
  - Timestamp: 0:12:54
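A check for the first issue above (0:16:02, providers pointing at production after a production-to-QA copy), as an added shell example that is not part of the transcript and not code from Flipbox or Aptify. It scans a SAML metadata export for `entityID` and `Location` values whose host does not belong to the environment the file lives in. The metadata is constructed for this example, and the hosts `www.example.test` and `qa.example.test` are assumptions.

```shell
#!/bin/sh
# Added example (not from the transcript or the plugin vendor): scan a
# service-provider metadata export for URLs that belong to the wrong
# environment, the symptom seen after production is copied into QA.
# The metadata below is constructed; the hosts are assumptions.
set -e

# Write a constructed SP metadata file whose entityID and assertion
# consumer URL still point at production while logout points at QA.
write_sample_metadata() {
  cat >"$1" <<'EOF'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.example.test/sso/login">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://qa.example.test/sso/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.example.test/sso/login" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# List every entityID= and Location= value in the metadata, one per line.
saml_urls() {
  grep -oE '(entityID|Location)="[^"]+"' "$1" | sed -E 's/^[^=]+="//; s/"$//'
}

# Print the http(s) URLs in $1 whose host is not $2.
foreign_urls() {
  saml_urls "$1" | grep -E '^https?://' | awk -F/ -v h="$2" '$3 != h'
}

# Number of URLs in $1 that point at a host other than $2; 0 means the
# export is consistent with the environment it lives in.
count_foreign_urls() {
  foreign_urls "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone run against the constructed export.
f=$(mktemp)
write_sample_metadata "$f"
echo "URLs not on qa.example.test:"
foreign_urls "$f" qa.example.test
echo "count: $(count_foreign_urls "$f" qa.example.test)"
rm -f "$f"
```

A non-zero count after a production copy is the cue to apply the resolution recorded above (delete the providers and recreate them) rather than to patch URLs in place; the check only tells you which provider records are stale.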
Transcript Gaps & Quality Notes¶
- Detailed technical walkthrough (20 minutes)
- Screen sharing of Aptify and CraftCMS admin
- GraphQL discussion at end (tangential)
- Member groups feature upcoming
- Mighty Citizen work pending