Drupal + SimpleSAMLphp + drupalauth = Complete SAML Identity Provider (IdP)
Users interact with Drupal to create accounts, manage accounts, and authenticate. SAML SPs interact with SimpleSAMLphp. Drupalauth ties Drupal to SimpleSAMLphp.
The drupalauth module for simpleSAMLphp makes it easy to create a SAML or Shibboleth identity provider (IdP) by enabling authentication of users against a Drupal site on the same server. This allows the administrator to leverage the user management and integration capabilities of Drupal for managing the identity life cycle.
NOTE: This is software establishes a SAML identity provider (IdP) using Drupal as the user database instead of LDAP. If you want to establish your Drupal site as a SAML service provider (SP) connected to a SAML or Shibboleth IdP, see the simplesamlphp_auth module for Drupal.
This module for SimpleSAMLphp provides an Authentication Source for authenticating users against a local Drupal site. This allows the administrator to leverage the user management and integration capabilities of Drupal for managing the identity life cycle and the power of SimpleSAMLphp for identity integration. This is a simpleSAMLphp module, NOT a Drupal module. Download this module only if you want to use Drupal as Identity Provider.
If you want to use Drupal as Identity Provide you should also install drupalauth4ssp that is available on Drupal.org. Please note that all issues related to Drupal functionality should be reported there.
If you want to connect your Drupal site as Service Provider to a SAML or Shibboleth IdP, use the simplesamlphp_auth module for Drupal.
Following Semantic Versioning is hard when you have multiple upstream dependencies.
So in a X.Y.Z version:
Example: for SimpleSAMLphp version 1.15.4 with Drupal version 8.5.6 and this module version 1 we will have tag 1.8.1. Same thing for Drupal 7 will be 1.7.1.
main
at the moment corresponds to 2.10.*
. Branch 1.7
is respectfully for Drupal 7 (no Composer integration).
Disabling discovery
cache will prevent this module from functioning.
See this issue https://github.com/drupalauth/simplesamlphp-module-drupalauth/issues/71, specifically this comment.
composer require drupalauth/simplesamlphp-module-drupalauth
phpsession
for session storage, e.g., SQL or memcache (See: store.type
in simplesamlphp/config/config.php
).simplesamlphp/config/authsources.php
as described below.The advantage of this approach is that there is no obvious connection between SimpleSAMLphp IdP and the Drupal site.
Details
Configure the authentication source by putting following code into simplesamlphp/config/authsources.php
'drupal-userpass' => array(
'drupalauth:UserPass',
// The filesystem path of the Drupal directory.
'drupalroot' => '/var/www/drupal',
// Whether to turn on debug
'debug' => true,
// Which attributes should be retrieved from the Drupal site.
'attributes' => array(
array('field_name' => 'uid', 'attribute_name' => 'uid'),
array('field_name' => 'roles', 'attribute_name' => 'roles', 'field_property' => 'target_id'),
array('field_name' => 'name', 'attribute_name' => 'cn'),
array('field_name' => 'mail', 'attribute_name' => 'mail'),
array('field_name' => 'field_first_name', 'attribute_name' => 'givenName'),
array('field_name' => 'field_last_name', 'attribute_name' => 'sn'),
array('field_name' => 'field_organization', 'attribute_name' => 'ou', 'field_property' => 'target_id'),
),
),
Leave 'attributes' empty or unset to get all available field values. Attribute names in this case would be "$field_name:$property_name".
The advantage of this approach is that the SimpleSAMLphp IdP session is tied to a Drupal session. This allows the user who is already logged into the Drupal site to then navigate to a SAML SP that uses the IdP without the need to authenticate again.
Details
Configure the authentication source by putting following code into simplesamlphp/config/authsources.php
'drupal-userpass' => array('drupalauth:External',
// The filesystem path of the Drupal directory.
'drupalroot' => '/var/www/drupal',
// Whether to turn on debug
'debug' => true,
// the URL of the Drupal logout page
'drupal_logout_url' => 'https://www.example.com/drupal/user/logout',
// the URL of the Drupal login page
'drupal_login_url' => 'https://www.example.com/drupal/user/login',
// Which attributes should be retrieved from the Drupal site.
'attributes' => array(
array('field_name' => 'uid', 'attribute_name' => 'uid'),
array('field_name' => 'roles', 'attribute_name' => 'roles', 'field_property' => 'target_id'),
array('field_name' => 'name', 'attribute_name' => 'cn'),
array('field_name' => 'mail', 'attribute_name' => 'mail'),
array('field_name' => 'field_first_name', 'attribute_name' => 'givenName'),
array('field_name' => 'field_last_name', 'attribute_name' => 'sn'),
array('field_name' => 'field_organization', 'attribute_name' => 'ou', 'field_property' => 'target_id'),
),
),