
SSO with Sulu CMS and Entra ID

Stephan Hochdörfer
Head of IT Business Operations

With the Sulu CMS 2.6.0 release, Sulu Admin got support for OIDC authentication. That means we can finally manage Sulu CMS access via Entra ID.

First, we need to create a new App registration on Entra ID, give the App the User.Read permission and configure a Redirect URI in the Manage > Authentication settings of the App registration.

App Registration Redirect Uri

Additionally, we need to create a new secret in the Manage > Certificates & secrets section. The value (or Client Secret) is needed for the Sulu CMS configuration, as well as the Client ID and Tenant ID, which you can find on the Overview tab of the App Registration.

In Sulu CMS, we first need to modify the config/packages/security.yaml file like this:

security:
    firewalls:
        # ...
        admin:
            # ...
            access_token:
                token_handler: sulu_security.single_sign_on_token_handler
                token_extractors: sulu_security.single_sign_on_token_extractor

A new file, config/packages/sulu_security.yaml needs to be created with the following contents:

sulu_security:
    single_sign_on:
        providers:
            'example.org':
                dsn: 'openid://%env(resolve:ENTRA_CLIENT_ID)%:%env(resolve:ENTRA_CLIENT_SECRET)%@login.microsoftonline.com/%env(resolve:ENTRA_TENANT_ID)%/v2.0/.well-known/openid-configuration'
                default_role_key: User

In your .env.local configuration, set the values for ENTRA_CLIENT_ID, ENTRA_CLIENT_SECRET, and ENTRA_TENANT_ID similar to this:

ENTRA_CLIENT_ID=b496a848-0ab5-9909-4b08-9c4fb71f860c
ENTRA_CLIENT_SECRET=secret
ENTRA_TENANT_ID=34a8eb12-4bca-9560-46ad-84ebd17f178e
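Before restarting Sulu it is worth checking that the three values actually produce a well-formed DSN pointing at your own tenant. The following is an added example, not code from Sulu or from this post: it substitutes the %env(...)% placeholders itself, splits the DSN as a URL (the assumption here is that Sulu reads it as client_id:client_secret@host/path and URL-decodes the userinfo part), and verifies the discovery URL is the tenant-specific Entra ID v2.0 metadata document.

```python
import re
from urllib.parse import unquote, urlsplit

# DSN as used in config/packages/sulu_security.yaml (copied from the post).
DSN = ("openid://%env(resolve:ENTRA_CLIENT_ID)%:%env(resolve:ENTRA_CLIENT_SECRET)%"
       "@login.microsoftonline.com/%env(resolve:ENTRA_TENANT_ID)%"
       "/v2.0/.well-known/openid-configuration")

# Constructed stand-in for .env.local; values are the post's sample values.
SAMPLE_ENV = {
    "ENTRA_CLIENT_ID": "b496a848-0ab5-9909-4b08-9c4fb71f860c",
    "ENTRA_CLIENT_SECRET": "secret",
    "ENTRA_TENANT_ID": "34a8eb12-4bca-9560-46ad-84ebd17f178e",
}

ENV_RE = re.compile(r"%env\((?:resolve:)?([A-Z0-9_]+)\)%")


def resolve_env(dsn: str, env: dict) -> str:
    """Replace every %env(resolve:NAME)% with env[NAME]; fail on gaps."""
    def sub(match):
        name = match.group(1)
        if not env.get(name):
            raise ValueError(f"{name} is not set in the environment")
        return env[name]
    resolved = ENV_RE.sub(sub, dsn)
    # A missing closing '%' (e.g. ...SECRET)@...) leaves this fragment behind.
    if "%env(" in resolved:
        raise ValueError("unresolved env placeholder in DSN")
    return resolved


def parse_openid_dsn(dsn: str) -> dict:
    """Split openid://CLIENT_ID:CLIENT_SECRET@HOST/PATH into its parts."""
    parts = urlsplit(dsn)
    if parts.scheme != "openid" or not parts.username or not parts.password:
        raise ValueError("expected openid://client_id:client_secret@host/path")
    # A secret containing '/', '?' or '#' breaks URL parsing; percent-encode
    # it in .env.local (this example assumes the consumer URL-decodes it).
    return {
        "client_id": unquote(parts.username),
        "client_secret": unquote(parts.password),
        "discovery_url": f"https://{parts.hostname}{parts.path}",
    }


def is_entra_tenant_discovery_url(url: str, tenant_id: str) -> bool:
    """True only for the tenant-specific v2.0 OpenID discovery document."""
    return url == (f"https://login.microsoftonline.com/{tenant_id}"
                   "/v2.0/.well-known/openid-configuration")


def check_sso_config(dsn: str = DSN, env: dict = SAMPLE_ENV) -> dict:
    parsed = parse_openid_dsn(resolve_env(dsn, env))
    if not is_entra_tenant_discovery_url(parsed["discovery_url"], env["ENTRA_TENANT_ID"]):
        raise ValueError("discovery URL does not match the configured tenant")
    return parsed
```

Run `check_sso_config()` with your real .env.local values loaded into the dict; it raises on a malformed DSN or a discovery URL that does not belong to the configured tenant.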

Open the Sulu Admin login page, and you should now be able to log in using your Entra ID.