One logon is enough.


TYPO3 Single Sign-On allows direct access to the Third Party Application (TPA) by securely passing a one-time token to the browser (via URL). Thus, TPAs may be distributed across the net.

Basically, we find a 3-layer architecture:

SSO Server (TYPO3 extension) - dynamically creates a link that includes the desired TPA, user name, and various security information.

Here is the SSO Server documentation (Please note that the version numbers in the docs are a bit outdated - SSO runs perfectly with TYPO3 4.x - but the rest is still valid!)

The SSO Agent, located on each target system (the machine where the TPA lives), validates the incoming browser request, talks to the SSO Adapter, and returns an HTTP redirect to the browser that points to the TPA itself. Please see the SSO Agent page for the docs.

The SSO Adapter is invoked by the SSO Agent. It creates a valid user session ("logs on the user") by application-specific means, and returns all information needed to the SSO Agent (in a defined format). This adapter is TPA-specific - this means that you need to find or develop an appropriate adapter for every TPA that you wish to integrate. It may be written in any language you favour. See this page for existing SSO adapters and their documentation.
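The link-and-validate handshake between SSO Server and SSO Agent described above can be sketched as follows. This is an added example, not code from the TYPO3 SSO extension or its documentation. The parameter names (tpa_id, user, expires, nonce, signature), the agent URL and the key are hypothetical, and HMAC-SHA256 with a shared key stands in for the framework's own signature scheme.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key (assumption). HMAC-SHA256 is a stand-in for the
# framework's signature scheme, which this sketch does not reproduce.
SHARED_KEY = b"constructed-demo-key-not-for-production"
_seen_nonces = {}  # nonce -> expiry time; replay cache kept by the agent


def _sign(fields, key):
    # Sign a canonical (sorted) encoding so parameter order cannot alter the MAC.
    msg = urlencode(sorted(fields.items())).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_sso_link(agent_url, tpa_id, user, now, ttl=60, nonce=None, key=SHARED_KEY):
    """Server side: link carrying TPA, user name, expiry, nonce and signature."""
    fields = {"tpa_id": tpa_id, "user": user, "expires": str(int(now) + ttl),
              "nonce": nonce or secrets.token_urlsafe(16)}
    fields["signature"] = _sign(fields, key)
    return agent_url + "?" + urlencode(fields)


def validate_sso_request(url, expected_tpa, now, key=SHARED_KEY):
    """Agent side: return the user name, or raise ValueError on any failed check."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if any(len(v) != 1 for v in query.values()):
        raise ValueError("duplicated parameter")
    fields = {k: v[0] for k, v in query.items()}
    signature = fields.pop("signature", "")
    if set(fields) != {"tpa_id", "user", "expires", "nonce"}:
        raise ValueError("unexpected or missing parameter")
    # Verify the signature first, in constant time, before trusting any field.
    if not hmac.compare_digest(signature.encode(), _sign(fields, key).encode()):
        raise ValueError("bad signature")
    if fields["tpa_id"] != expected_tpa:
        raise ValueError("token issued for another TPA")
    expires = int(fields["expires"])
    if now >= expires:
        raise ValueError("token expired")
    # One-time use: drop stale nonces, then refuse any nonce already seen.
    for stale in [n for n, exp in _seen_nonces.items() if exp <= now]:
        del _seen_nonces[stale]
    if fields["nonce"] in _seen_nonces:
        raise ValueError("token already used")
    _seen_nonces[fields["nonce"]] = expires
    return fields["user"]
```

Because the token travels in the URL, it can end up in browser history, proxy logs and Referer headers; the short expiry and the one-time check are what keep a leaked link from being reused.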

Further Resources

See the Signature-Based Single Sign-On Framework documentation for details on the framework architecture and module development.

The TYPO3 Single Sign-On Whitepaper can be found here.

Please note that the above resources do not yet cover SSOv2, including the User Propagation feature.

New with SSOv2: User Propagation

Version 2 of the SSO framework also covers user propagation.

This means that
- a user that was created on the SSO server (e.g. in TYPO3)
- can now automatically be created on the Third-Party system.