SSO connection with Keycloak for TYPO3 and Magento
AAP Lehrerwelt GmbH, operator of a platform for teaching materials for teachers, would like to give its customers the simplest possible, seamless access to their various online offers. Netresearch took on the task of designing a single-sign-on solution (SSO) and implementing it for various systems such as TYPO3 and Magento.
Why a Single-Sign-On solution for Lehrerwelt?
With an SSO service, the user needs to log in only once. After a short authentication process, the user has access to all of the connected applications and services. This increases the user-friendliness of the respective portals and services - in the case of Lehrerwelt: a download platform, the digital desk, and shops for ordering physical teaching materials.
Implementation with the community extension “OpenID Connect Authentication”
For the integration into our customer's TYPO3 CMS, the TYPO3 extension "OpenID Connect Authentication" was used; it provides the basis for the login and authentication functions against an OpenID Connect server. So that each frontend user can be identified exactly, the user profiles were extended with the user's ID from the OpenID server.
During ongoing operation of the platform, it is important to be able to distinguish between new users and known users who have already been authenticated. In order to display different landing pages to the various user groups, certain users must be assigned to groups. This is achieved by combining the SSO service with a suitable configuration of the custom extension "Frontend User", which can automatically assign users to a specific group after authentication. Other user groups that may be used in TYPO3 and are not related to authentication remain unaffected by this assignment.
Using the Keycloak API
User data such as name or e-mail address, which the users of the Lehrerwelt services can change themselves, should be kept synchronized centrally in Keycloak in real time. The connection to the Keycloak API is therefore made with a TYPO3 extension developed by Netresearch, which uses Mohammad Waleed's Keycloak API Client. This solution also leaves room for future expansion if further user data is to be kept centrally in Keycloak.
The Keycloak API also did good service while the system was initially filled before going live. Several hundred thousand user records, with differing data structures coming from Magento and TYPO3, had to be transferred. A Python script was used for this, which filled Keycloak from the dumps of the two user tables.
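The bulk import described above, as an added example (not Netresearch's script, which is not published here): it normalises constructed rows shaped like Magento's customer_entity and TYPO3's fe_users tables into Keycloak user representations, merges accounts that share an e-mail address while keeping each source id as a user attribute, and posts them to the Keycloak Admin REST API. The attribute names magento_id and typo3_uid are assumptions.

```python
import json
import urllib.error
import urllib.request

# Constructed sample rows in the shape of Magento customer_entity and TYPO3 fe_users.
MAGENTO_ROWS = [{"entity_id": 17, "email": "Anna@Example.org", "firstname": "Anna", "lastname": "Muster"}]
TYPO3_ROWS = [{"uid": 4, "email": "anna@example.org", "first_name": "", "last_name": "Muster", "disable": 0},
              {"uid": 5, "email": "ben@example.org", "first_name": "Ben", "last_name": "Beispiel", "disable": 1}]

def _base(email, source_attr, source_id, enabled, first, last):
    """Build a Keycloak UserRepresentation; the source id is kept as an attribute (assumed names)."""
    email = email.strip().lower()  # one canonical e-mail, so the same person is not imported twice
    return {"username": email, "email": email, "firstName": first or "", "lastName": last or "",
            "enabled": enabled, "emailVerified": False,  # the dump does not prove verification
            "attributes": {source_attr: [str(source_id)]}}

def from_magento(row):
    return _base(row["email"], "magento_id", row["entity_id"], True, row.get("firstname"), row.get("lastname"))

def from_typo3(row):
    return _base(row["email"], "typo3_uid", row["uid"], int(row.get("disable") or 0) == 0,
                 row.get("first_name"), row.get("last_name"))

def merge_users(magento_rows, typo3_rows):
    """Collapse both dumps into one user per e-mail, keeping every source id."""
    users = {}
    for user in [from_magento(r) for r in magento_rows] + [from_typo3(r) for r in typo3_rows]:
        existing = users.setdefault(user["email"], user)
        if existing is not user:
            existing["attributes"].update(user["attributes"])
            existing["enabled"] = existing["enabled"] and user["enabled"]  # disabled anywhere stays disabled
            for key in ("firstName", "lastName"):
                existing[key] = existing[key] or user[key]
    return list(users.values())

def create_user(base_url, realm, token, user):
    """POST one user to the Admin REST API; 409 means it already exists, so re-runs are safe."""
    req = urllib.request.Request(f"{base_url}/admin/realms/{realm}/users", data=json.dumps(user).encode(),
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
                                 method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status  # 201 Created
    except urllib.error.HTTPError as err:
        if err.code == 409:
            return 409
        raise

if __name__ == "__main__":
    print(json.dumps(merge_users(MAGENTO_ROWS, TYPO3_ROWS), indent=2))
```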
Summary of SSO integration with Keycloak
Would we integrate Keycloak into TYPO3 again? And were we able to solve the customer's problem? Yes, it was a good experience, even if there are now alternatives. Alongside its advantages, Keycloak also has certain requirements, e.g. because it is written in Java. The template engine and the FreeMarker template language it uses pose some challenges, as testing and bug fixes were comparatively difficult from a developer's point of view. Nonetheless, in this project with Keycloak, Netresearch was able to significantly expand its expert knowledge.