flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

Headless multi-site with dedicated backend (only CP users login) #101

Closed dsmrt closed 3 years ago

dsmrt commented 3 years ago

We have a setup with Craft as an admin backend, with multisite, that acts like an API for generated static Nuxt as frontend. All of the sites (1 backend and 2 frontend) have different domains and the users should only log in to the backend. How do I set it up so the loginPath goes to the backend? When I have tried to set it up it goes to the frontend domain with /sso/login. My first time adding an SSO, and the customer hasn't used Azure that much either :flushed:

Originally posted by @espensgr in https://github.com/flipboxfactory/saml-sp/issues/37#issuecomment-792787328

dsmrt commented 3 years ago

I think the issue here is, how to manage the saml login with the static site frontend/headless mode. I have not done this before but I think it's possible. Let's me think about this and get back to you.

espensgr commented 3 years ago

Ah, yeah that makes more sense. Didn't think it was connected to the frontend I guess. May I suggest changing the title to "SAML with multi-site Craft as dedicated backend". Covers all the bases :stuck_out_tongue_winking_eye:

My first thought was to add a baseUrl setting to the saml-sp.php file that defaults to the siteUrl of the provider's site. Then you can use the rest of the setup to use the loginPath etc?

dsmrt commented 3 years ago

Ok, let me clarify something ...

Are you trying to authenticate/authorize 1) frontend users or simply 2) get content creators in the Craft CP/backend? I assumed the former but if it's the latter, this seems much more straight forward.

espensgr commented 3 years ago

It is the latter. The frontend is just a Nuxt generated static site with Craft working as an API to get content, with no interaction from the users. So they should login to the backend and make the content there.

dsmrt commented 3 years ago

Ok this all makes much more sense now. Sorry for the confusion. I'm going to test/check a couple things and get back to you.

espensgr commented 3 years ago

no worries 😄

dsmrt commented 3 years ago

I was a little worried this would be more work but I think this solution is pretty solid.

I added the docs here: https://saml-sp.flipboxfactory.com/configure/examples/multi-site-with-cp-login.html

Let me know if you have any questions.

espensgr commented 3 years ago

Nice! I will give this a try, haven't had the time to test it yet.

Some questions/clarifications though: The 2 Nuxt sites are getting content from their respective sites in Craft. So there is 1 Craft site per Nuxt site. Therefore the users are controlled by user groups to only get access to 1 site in most cases. And we are going to have 1 SSO service per site as they are different firms with different user bases. Is this going to work with the current setup you added to the docs for this?

dsmrt commented 3 years ago

So to clarify, the content editors need to have access to edit one of the two Craft Sites (maybe Site A and Site B). The plugin does handle assigning users to Craft groups when configured correctly, using the config/saml-sp.php.

This might be a little bit tricky but ideally you have those editors/users segmented by groups or roles or an attribute that represents a group or a role, on the IdP/Azure AD side. So john@example.com has an attribute or a group assignment that shows he's supposed to be able to edit Site A on the Craft side.

Then in Craft, create a group with permissions to edit Site A and add the config (in config/saml-sp.php) to match the attribute name of the group attribute, in a camel cased manner.

Also, if you need more advanced functionality, see this example on using events: https://saml-sp.flipboxfactory.com/configure/events.html#assign-user-to-a-user-group-based-on-a-property

This might be something you'll have to play around with because the groups stuff isn't easy with every IdP.

espensgr commented 3 years ago

Sorry for the late response, have been swamped at work with other projects. Yeah, that's right. Nice example, I guess this will only be an issue when we have added a second provider? So will take a look at that then. For now I still have a problem setting this up, I PM'd you on Discord to try to maybe solve it a bit faster there.

dsmrt commented 3 years ago

I responded to you on discord. Feel free to send me a note there or detail the issue you're seeing here.

michaelroper commented 3 years ago

@dsmrt I have a similar setup, where I only want authentication for the CP domain, but don't have any multisite requirements. Do I still need to create the secondary "cp-only" site as described in the example doc?

dsmrt commented 3 years ago

👋 @michaelroper

The purpose of the CP site is to specify the CP domain by setting the site url. So use the CP site if the CP domain differs from the frontend.

michaelroper commented 3 years ago

No worries, will give it a shot. Is this something that you could possibly be able to configure the overriding domain to use in a config/saml-sp.php file? Would be a lot cleaner than having to have the extra cruft of an extra mostly-unnecessary site in the CP UI..

dsmrt commented 3 years ago

@michaelroper, I'm working on some docs (#106) to help clear some of this up but yes, you can update the environment Entity ID by entityId in the config/saml-sp.php. Just know that that value is a unique id that should match the SP provider (My Provider) entity id you created in the plugin.

michaelroper commented 3 years ago

Oh, sweet! So something like this would mean I wouldn't have to create the extra site in the CP?

```php
<?php
use craft\helpers\App;

return [
    'entityId' => App::env('BASE_URL'), // this is the base CP URL
];
```

dsmrt commented 3 years ago

@michaelroper

Yep! Exactly. You can also set this in the plugin settings (and avoid the config/saml-sp.php if you want) which also will save that to the project config.

[Screenshot: "Screen Shot 2021-04-13 at 12 37 09 PM" (plugin settings page with the Entity ID field)]

(Obviously the entity id here is an env var named ENTITY_ID).
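The two points dsmrt makes above (the entityId must match the SP entity ID registered in the plugin, and group attributes from the IdP map onto Craft user groups by a camel-cased name) can be illustrated together. The following Python is an added example, not code from the saml-sp plugin or from anyone in this thread. It uses a constructed, unsigned SAML Response and assumes the SAML library has already verified the signature; the attribute name `craftGroup`, the hosts under `example.com`, and the group handles `siteAEditors`/`siteBEditors` are all hypothetical. It checks that the assertion's Audience equals the configured entityId, that the Response Destination is on the CP origin rather than a frontend domain, and then resolves group attribute values to known Craft group handles.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed settings mirroring the thread: entityId is the CP base URL.
# "craftGroup" is a hypothetical IdP attribute name, not a plugin setting.
CONFIG = {
    "entityId": "https://cp.example.com",
    "groupAttribute": "craftGroup",
    "knownGroupHandles": {"siteAEditors", "siteBEditors"},
}

# Constructed sample response; signature verification is assumed to have
# happened already, so only the audience/destination/group logic is shown.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://cp.example.com/sso/login/acs">
  <saml:Assertion>
    <saml:Subject><saml:NameID>john@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://cp.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="craftGroup">
        <saml:AttributeValue>Site A Editors</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _origin(url):
    """Reduce a URL to scheme://host[:port] so paths do not affect the comparison."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def check_audience(root, entity_id):
    """Every <Audience> in the assertion must equal the SP entity ID exactly."""
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    return bool(audiences) and all(a == entity_id for a in audiences)


def check_destination(root, entity_id):
    """The Response must be addressed to the CP origin, not a frontend domain."""
    dest = root.get("Destination")
    return dest is not None and _origin(dest) == _origin(entity_id)


def to_camel_case(value):
    """'Site A Editors' -> 'siteAEditors', the shape of a Craft group handle."""
    words = [w for w in re.split(r"[^A-Za-z0-9]+", value) if w]
    if not words:
        return ""
    return words[0].lower() + "".join(w[0].upper() + w[1:] for w in words[1:])


def group_values(root, attribute_name):
    """Collect the values of the IdP attribute that carries group membership."""
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            return [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return []


def resolve_groups(values, known_handles):
    """Map attribute values to Craft group handles; unknown values are ignored."""
    return [h for h in (to_camel_case(v) for v in values) if h in known_handles]


def validate(response_xml, config):
    """Run the checks and return a result dict the caller can act on."""
    root = ET.fromstring(response_xml)
    audience_ok = check_audience(root, config["entityId"])
    destination_ok = check_destination(root, config["entityId"])
    groups = resolve_groups(group_values(root, config["groupAttribute"]),
                            config["knownGroupHandles"])
    return {
        "ok": audience_ok and destination_ok,
        "audience_ok": audience_ok,
        "destination_ok": destination_ok,
        "groups": groups,
    }


if __name__ == "__main__":
    print(validate(SAMPLE_RESPONSE, CONFIG))
```

A Response whose Destination points at one of the frontend domains fails `check_destination` even though the Audience still matches, which is the symptom described earlier in the thread when the login path resolved to the frontend site URL instead of the CP.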

michaelroper commented 3 years ago

@dsmrt ahh, good to know! I also realised that I can set default group membership in the config/saml-sp.php, so I'm taking advantage of that anyway..

dsmrt commented 3 years ago

This issue has kind of jumped around a little bit. This was resolved here. I cleaned up the title a bit for future users. @michaelroper Feel free to open a new ticket if you are having any issues!

@espensgr I created a new issue for the multiple Azure AD IdPs 👉 #108

hiasl commented 3 years ago

> I added the docs here: https://saml-sp.flipboxfactory.com/configure/examples/multi-site-with-cp-login.html

The link has changed: https://saml-sp.flipboxfactory.com/examples/multi-site-with-cp-login.html