backdrop-ops / contrib


Port request: DrupalAuth for SimpleSAMLphp #714

Open yorkshire-pudding opened 1 year ago

yorkshire-pudding commented 1 year ago

Name of the module, theme, or layout: DrupalAuth for SimpleSAMLphp

I think it would need to be renamed to BackdropCmsAuth for SimpleSAMLphp

I want to integrate another application that will be on the same hosting account and same domain to Backdrop so it can use the users, roles and session of Backdrop. I've hunted high and wide to try and find other methods of doing this and this seems like it might be a possibility.

Link to the drupal.org module, theme, or layout: https://www.drupal.org/project/drupalauth4ssp

Would also need a port of: https://github.com/drupalauth/simplesamlphp-module-drupalauth/tree/1.7.x This is the SimpleSAMLphp module that is installed in SimpleSAMLphp.

(Optional) Link to an issue in the drupal.org queue asking the Drupal community if anyone is working on a Backdrop port of this project:

(Optional) Bounty:

argiepiano commented 1 year ago

I'm also interested in this. Have you been able to set this up successfully in D7?

yorkshire-pudding commented 1 year ago

Not yet. I only discovered SimpleSAMLphp very recently because @laryn had mentioned work on a different SimpleSAMLphp module in Zulip. I noticed quite a few issues in the drupal queue though several have patches that may be suitable.

I may have worked out a different way of integrating this particular application, but I still can see lots of use cases for this module and I think it would be a great string to add to Backdrop's bow.

argiepiano commented 1 year ago

I've spent many, many hours trying to get the D7 modules to work, without conclusive results. Some parts of it seemed to work ok, but I was never able to fully authenticate a D7 site using another D7 site and simplesamlphp. Documentation is really bad, and the modules seem to have some unresolved issues. If you want to try, these articles helped me somewhat:

If you ever make the D7 version work, let me know. Once that's working, I think porting shouldn't be too hard.

EDIT: Also, since we are dealing with the D7 version, you'd need to use simplesamlphp version 1 (not the current version 2, which is very different). I tried using simplesamlphp 1.19.

yorkshire-pudding commented 1 year ago

Thanks for looking into this @argiepiano. For my immediate use case, I've found a way to do what I need. We'll leave this open in case anyone else wants to try, as I still think it could be a good addition.

argiepiano commented 1 year ago

Good news! After many trials and tests I was able to make drupalauth4ssp and simplesamlphp-module-drupalauth work in two D7 sites, in combination with the module simplesamlphp_auth for the Service Provider (which is already ported in Backdrop). This is all working with simplesamlphp version 1.19.

I'll be working on porting this soon (which shouldn't be too hard now that I understand how it works in D7).

argiepiano commented 1 year ago

> For my immediate use case, I've found a way to do what I need.

I'm curious about the solution you found?

yorkshire-pudding commented 1 year ago

Great news.

For my immediate need, it is for an app on the same domain, not even a subdomain, so I hooked into the API for authentication and sessions. People will only find it through the site so mostly will just use session.

argiepiano commented 1 year ago

OK, I've ported the module, plus the SimpleSAMLphp auxiliary module.

https://github.com/backdrop-contrib/backdropauth4ssp https://github.com/argiepiano/simplesamlphp-module-backdropauth

There is also a wiki in the module with steps to create an IdP and SP pair with Backdrop sites. If you can test that at some point, that'd be great!

Since the auxiliary module is not a Backdrop module (it's a SimpleSAMLphp module), I decided to put it in my own GitHub, rather than using the backdrop-contrib one (which is reserved for Backdrop modules).

yorkshire-pudding commented 1 year ago

Wow! Thank you. I'm going to attempt to follow your example in Lando.

argiepiano commented 1 year ago

Let me know if you encounter any troubles. The steps are quite convoluted and hopefully I did not forget any detail!

yorkshire-pudding commented 1 year ago

I think one key omission is under Installing and configuring the SimpleSAMLphp library. It should make clear to download the tar.gz file as then the following instructions make sense. The reference to unzip made me think the .zip file would work, but it didn't and I wondered why certain files and directories didn't exist and why it caused a fatal error; when I switched to the .tar.gz download, the instructions made sense.

I haven't got it to work in Lando. I think this may be a Lando-specific constraint in terms of how the different services work with each other. It seemed to switch to http when going through the symlink, though this is probably to do with the fact that it is within a separate service within the app. As such it didn't seem to work, and while the saml-login path would take me to the IdP login page, logging in would not take me back to the SP or log me in on that site. I tried putting them all in the same service, but my .htaccess skills are not enough to direct the domains to different sub folders. I might see if it works with a multisite approach, but if not, I'll have to see if I can set it up on my hosting.

argiepiano commented 1 year ago

@yorkshire-pudding thanks for testing. The Lando environment is very special, and I'm not really familiar with it.

However, take a look at this tutorial, which was written for Drupal 8 (which differs in some ways from the port I made). That tutorial includes directions on how to modify .htaccess to allow the path /simplesaml to load the library UI.

Perhaps we can connect during office hours to check this out.

yorkshire-pudding commented 1 year ago

Thanks for that link; it gives some clues as to where I was going wrong and how I might do this in Lando with Backdrop. I won't be at the later Office Hours tomorrow, but will have another go at this. It is interesting that the writer of that tutorial uses separate lando apps, each with the SimpleSAMLphp library.

When I first started looking at SimpleSAMLphp, I thought it said that an instance can either be an IdP or an SP, which mirrors how that tutorial does it. It is interesting that you have one instance working as both. I think for Lando it may simplify matters having two instances, even if that is just within services within a single Lando app. I will try to document it so we have a Backdrop Lando example to follow.

PS - I'm excited by the possibilities of this module, both for some ideas I have, but also for the different properties of backdropcms.org which would really benefit from SSO.

argiepiano commented 1 year ago

Thanks @yorkshire-pudding.

I worked with that tutorial as my starting point. There are things in there that don't work in the D7 version. For example, the SP site there uses default-sp as the authentication source - that does not work in D7 or the ported version.

Yes, I noticed that the tutorial has 2 instances of the library. I think they did it like that because installing the module through composer actually results in each site downloading its own dependencies, thus SimpleSAMLphp is downloaded twice, once for each site.

I have yet to test having two separate instances of the library, but as far as I can tell, it wouldn't make much of a difference. The only difference is that you will not need to set up the metadata files saml20-sp-remote.php and saml20-idp-hosted.php in your SP instance, and won't need to set up saml20-idp-remote.php in your IdP instance. I'll test this.

One important point I also need to test: notice that the tutorial uses a single database to keep track of the SimpleSAMLphp sessions, despite the fact that there are two instances of the library. I think this is important. Otherwise the SP site will have no way to know whether the user is logged in (I think).

yorkshire-pudding commented 1 year ago

> One important point I also need to test: notice that the tutorial uses a single database to keep track of the SimpleSAMLphp sessions, despite the fact that there are two instances of the library. I think this is important. Otherwise the SP site will have no way to know whether the user is logged in (I think).

I think they both share the Drupal database that they are installed with. The db credentials are the default for Drupal dbs in Lando. You can't share databases from one Lando app to the other.

The config has a db prefix so it could share the CMS db without any clashes. I can't imagine it making a huge difference performance-wise.

I think it is ultimately the metadata that allows the sharing and federation. I did do a bit of work with SAML when I was a business analyst and I was writing the spec for our ADFS to federate with a new system for SSO.

argiepiano commented 1 year ago

That makes sense. I'm very new to SAML.

argiepiano commented 1 year ago

I've been doing some testing using two different SimpleSAMLphp databases, one for the SP site and another one for the IdP site. Actually I'm using the CMS databases for each, with two different library installations. Unfortunately, after login I'm not returned to the SP site anymore when I use two different databases. I need to check what's going on. I'm going to continue this in the issue queue for the module, so that everything gets documented there.

yorkshire-pudding commented 1 year ago

I've got it sort of working with Lando in that I can sometimes log in, but it is not returning to the SP site. I don't know whether simplesamlphp_auth is part of the issue here or whether it is a missing config line.

argiepiano commented 1 year ago

I noticed the same thing. My preliminary look at this tells me that we do need the same database to store SimpleSAMLphp sessions, as these are shared by both the IdP and SP sites. But I'll look in more detail at this.

The other method to share sessions is memcached. This may actually work better than using a DB for this: if you look at the memcache docblock in config.php you'll see that they intend the memcache session store to be shared among servers. This may be easier to accomplish than sharing a DB.

Again, all of this after a quick look - I may be completely wrong here!
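The two points raised above (which metadata file belongs on which instance, and that the IdP and SP instances must read the same session store, whether SQL or memcache) can be pinned down in the SimpleSAMLphp 1.x `config/config.php`. The fragment below is an added example for this thread, not code from either ported module or from the wiki; the DSN, database name, credentials and memcached hostname are placeholders.

```php
<?php
// Added example: session-store settings for SimpleSAMLphp 1.x (config/config.php).
// Both the IdP instance and the SP instance must point at the SAME store; if each
// instance keeps its own sessions, the SP never sees the session the IdP created
// after login, which is the symptom seen in the thread (no return to the SP site).
//
// Metadata split when running two library instances (from the discussion above):
//   IdP instance: metadata/saml20-idp-hosted.php + metadata/saml20-sp-remote.php
//   SP instance:  metadata/saml20-idp-remote.php
//
// All values marked "placeholder" are assumptions for the example.

$config = [
    // ... other settings unchanged ...

    // Option A: shared SQL store. Reusing the CMS database is safe because every
    // SimpleSAMLphp table carries the prefix below, so nothing collides with
    // Backdrop's own tables. Use identical values in BOTH instances.
    'store.type'         => 'sql',
    'store.sql.dsn'      => 'mysql:host=database;dbname=backdrop', // placeholder
    'store.sql.username' => 'backdrop',                             // placeholder
    'store.sql.password' => 'CHANGE-ME',                            // placeholder
    'store.sql.prefix'   => 'SimpleSAMLphp',

    // Option B: memcache store, which the config.php docblock describes as
    // intended to be shared between servers. Swap 'store.type' to 'memcache'
    // and give both instances the same server list and prefix.
    // 'store.type'             => 'memcache',
    // 'memcache_store.servers' => [
    //     [['hostname' => 'memcached', 'port' => 11211]], // placeholder host
    // ],
    // 'memcache_store.prefix'  => 'SimpleSAMLphp',
    // 'memcache_store.expires' => 36 * 60 * 60,          // 36 hours

    // Whichever option is used, the SP and IdP sites also need to be reachable
    // over the same scheme (https) as their metadata declares, otherwise the
    // redirect back to the SP fails even with a correctly shared store.
];
```

Check the result by logging in at the IdP and then inspecting the session table (prefixed `SimpleSAMLphp_`) or the memcached keys: a single entry that both the IdP and the SP instance can read is what makes the return to the SP site work.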

yorkshire-pudding commented 1 year ago

Thanks for your investigations on this. I'm having to park my testing on this for now but hope to pick up again soon.