Summary
Add SSO authentication support to EasyAppointments using OpenID Connect (OIDC),
allowing users to log in through an external identity provider such as Keycloak.
Motivation
Many organizations already manage their users through a centralized identity provider.
Having to maintain a separate set of credentials in EasyAppointments creates friction
and potential security risks. SSO support allows administrators to delegate authentication
entirely to their existing IdP.
Proposed implementation
A working implementation is available in the following merge request:
MR !28 - Add SSO / OpenID Connect authentication
Key features
- OIDC authentication via
jumbojett/openid-connect-php
- Automatic account provisioning on first login
- Role mapping from IdP groups to EasyAppointments roles (admin, provider, secretary)
SSO_ONLY mode to disable password-based login entirely
- Security: nonce, state, issuer/audience validation, HTTPS enforcement in production
- Tested with Keycloak 23
Configuration
SSO is configured via config.php (disabled by default):
SSO_ENABLED — enable/disable SSO
SSO_ONLY — disable password login
SSO_PROVIDER — provider type (oidc)
SSO_URL_PUBLIC / SSO_URL_INTERNAL — provider URLs
SSO_REALM / CLIENT_ID / CLIENT_SECRET
SSO_GROUP_ADMIN / SSO_GROUP_PROVIDER / SSO_GROUP_SECRETARY
Impact of Changes
The implementation of SSO authentication support involves some notable changes:
- The
email becomes the foreign key between the SSO provider and the database.
Changing a user's email in the IdP will break the link with their existing account.
- Role changes are not handled automatically. If a user needs a different role,
an administrator must delete the existing account so it can be reprovisioned
with the new role on the next SSO login.
Summary
Add SSO authentication support to EasyAppointments using OpenID Connect (OIDC),
allowing users to log in through an external identity provider such as Keycloak.
Motivation
Many organizations already manage their users through a centralized identity provider.
Having to maintain a separate set of credentials in EasyAppointments creates friction
and potential security risks. SSO support allows administrators to delegate authentication
entirely to their existing IdP.
Proposed implementation
A working implementation is available in the following merge request:
MR !28 - Add SSO / OpenID Connect authentication
Key features
jumbojett/openid-connect-phpSSO_ONLYmode to disable password-based login entirelyConfiguration
SSO is configured via
config.php(disabled by default):SSO_ENABLED— enable/disable SSOSSO_ONLY— disable password loginSSO_PROVIDER— provider type (oidc)SSO_URL_PUBLIC/SSO_URL_INTERNAL— provider URLsSSO_REALM/CLIENT_ID/CLIENT_SECRETSSO_GROUP_ADMIN/SSO_GROUP_PROVIDER/SSO_GROUP_SECRETARYImpact of Changes
The implementation of SSO authentication support involves some notable changes:
emailbecomes the foreign key between the SSO provider and the database.Changing a user's email in the IdP will break the link with their existing account.
an administrator must delete the existing account so it can be reprovisioned
with the new role on the next SSO login.