Drupal + SimpleSAMLphp + drupalauth = Complete SAML Identity Provider (IdP)
Users interact with Drupal to create accounts, manage accounts, and authenticate. SAML SPs interact with SimpleSAMLphp. Drupalauth ties Drupal to SimpleSAMLphp.
The drupalauth module for simpleSAMLphp makes it easy to create a SAML or Shibboleth identity provider (IdP) by enabling authentication of users against a Drupal site on the same server. This allows the administrator to leverage the user management and integration capabilities of Drupal for managing the identity life cycle.
NOTE: This is software establishes a SAML identity provider (IdP) using Drupal as the user database instead of LDAP. If you want to establish your Drupal site as a SAML service provider (SP) connected to a SAML or Shibboleth IdP, see the simplesamlphp_auth module for Drupal.
This module for SimpleSAMLphp provides an Authentication Source for authenticating users against a local Drupal site. This allows the administrator to leverage the user management and integration capabilities of Drupal for managing the identity life cycle and the power of SimpleSAMLphp for identity integration. This is a simpleSAMLphp module, NOT a Drupal module. Download this module only if you want to use Drupal as Identity Provider.
If you want to use Drupal as Identity Provide you should also install drupalauth4ssp that is available on Drupal.org. Please note that all issues related to Drupal functionality should be reported there.
If you want to connect your Drupal site as Service Provider to a SAML or Shibboleth IdP, use the simplesamlphp_auth module for Drupal.
Following Semantic Versioning is hard when you have multiple upstream dependencies.
So in a X.Y.Z version:
- X - major SimpleSAMLphp version
- Y - major Drupal version
- Z - inthis module incremental version
Example: for SimpleSAMLphp version 1.15.4 with Drupal version 8.5.6 and this module version 1 we will have tag 1.8.1. Same thing for Drupal 7 will be 1.7.1.
master
at the moment corresponds to 1.8.*. Branch 1.7
is respectfully for Drupal 7 (not composer integration yet).
Disabling discovery
cache will prevent this module from functioning.
See this issue drupalauth#71, specifically this comment.
- Install Drupal 8.x
- Install simpleSAMLphp
- Install drupalauth
- Configure SimpleSAMLphp to use something other than
phpsession
for session storage, e.g., SQL or memcache (See:store.type
insimplesamlphp/config/config.php
). - Configure the authentication source in
simplesamlphp/config/authsources.php
as described below.
The advantage of this approach is that there is no obvious connection between SimpleSAMLphp IdP and the Drupal site.
Details
Configure the authentication source by putting following code into simplesamlphp/config/authsources.php
'drupal-userpass' => array(
'drupalauth:UserPass',
// The filesystem path of the Drupal directory.
'drupalroot' => '/var/www/drupal-8.0',
// Whether to turn on debug
'debug' => true,
// Cookie name. Set this to use a cache-busting cookie pattern
// (e.g. 'SESSdrupalauth4ssp') if hosted on Pantheon so that the cookie
// is is not stripped away by Varnish. See https://pantheon.io/docs/cookies#cache-busting-cookies .
'cookie_name' => 'drupalauth4ssp',
// Which attributes should be retrieved from the Drupal site.
'attributes' => array(
array('field_name' => 'uid', 'attribute_name' => 'uid'),
array('field_name' => 'roles', 'attribute_name' => 'roles', 'field_property' => 'target_id'),
array('field_name' => 'name', 'attribute_name' => 'cn'),
array('field_name' => 'mail', 'attribute_name' => 'mail'),
array('field_name' => 'field_first_name', 'attribute_name' => 'givenName'),
array('field_name' => 'field_last_name', 'attribute_name' => 'sn'),
array('field_name' => 'field_organization', 'attribute_name' => 'ou', 'field_property' => 'target_id'),
),
),
Leave 'attributes' empty or unset to get all available field values. Attribute names in this case would be "$field_name:$property_name".
The advantage of this approach is that the SimpleSAMLphp IdP session is tied to a Drupal session. This allows the user who is already logged into the Drupal site to then navigate to a SAML SP that uses the IdP without the need to authenticate again.
Details
Configure the authentication source by putting following code into simplesamlphp/config/authsources.php
'drupal-userpass' => array('drupalauth:External',
// The filesystem path of the Drupal directory.
'drupalroot' => '/var/www/drupal',
// Whether to turn on debug
'debug' => true,
// Cookie name. Set this to use a cache-busting cookie pattern
// (e.g. 'SESSdrupalauth4ssp') if hosted on Pantheon so that the cookie
// is is not stripped away by Varnish. See https://pantheon.io/docs/cookies#cache-busting-cookies .
'cookie_name' => 'drupalauth4ssp',
// the URL of the Drupal logout page
'drupal_logout_url' => 'https://www.example.com/drupal/user/logout',
// the URL of the Drupal login page
'drupal_login_url' => 'https://www.example.com/drupal/user/login',
// Which attributes should be retrieved from the Drupal site.
'attributes' => array(
array('field_name' => 'uid', 'attribute_name' => 'uid'),
array('field_name' => 'roles', 'attribute_name' => 'roles', 'field_property' => 'target_id'),
array('field_name' => 'name', 'attribute_name' => 'cn'),
array('field_name' => 'mail', 'attribute_name' => 'mail'),
array('field_name' => 'field_first_name', 'attribute_name' => 'givenName'),
array('field_name' => 'field_last_name', 'attribute_name' => 'sn'),
array('field_name' => 'field_organization', 'attribute_name' => 'ou', 'field_property' => 'target_id'),
),
),