SAML Single Sign-On (SSO) into Drupal using SiteMinder as IdP

The Drupal SAML integration using the miniOrange SAML SP module establishes seamless SSO between SiteMinder and the Drupal site. Users will be able to log in to the Drupal site using their SiteMinder credentials. This document walks you through the steps to configure Single Sign-On (SSO) between Drupal as a Service Provider (SP) and SiteMinder as an Identity Provider (IdP). The module is compatible with Drupal 7, Drupal 8, Drupal 9, Drupal 10 and Drupal 11.

Using Composer:
  • Download the module:
    composer require 'drupal/miniorange_saml'
  • Navigate to the Extend menu on your Drupal admin console and search for miniOrange SAML Service Provider using the search box.
  • Enable the module by checking the checkbox and clicking the Install button.
  • Configure the module at
    {BaseURL}/admin/config/people/miniorange_saml/idp_setup

Using Drush:
  • Install the module:
    drush en miniorange_saml
  • Clear the cache:
    drush cr
  • Configure the module at
    {BaseURL}/admin/config/people/miniorange_saml/idp_setup

Manual installation:
  • Navigate to the Extend menu on your Drupal admin console and click on the Install new module button.
  • Install the Drupal SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider module either by downloading the zip or from the URL of the package (tar/zip).
  • Click on Enable newly added modules.
  • Enable this module by checking the checkbox and clicking the Install button.
  • Configure the module at
    {BaseURL}/admin/config/people/miniorange_saml/idp_setup

  • Go to Configuration → People → SAML Login Configuration in the Administration menu. (/admin/config/people/miniorange_saml/idp_setup)

  • Navigate to the Service Provider Metadata tab and download the metadata. (This is required to configure SiteMinder as a SAML IdP.)

  • Log in to your CA SSO portal as a SiteMinder Single Sign-On administrator.
  • Click on the Federation tab.
  • Now go to Partnership Federation Entities.
  • Click on Create Entity.
  • To create a local entity, configure the following using SP metadata.
    • Entity Location: Local
    • Entity Type: SAML2 IDP
    • Entity ID: Enter an ID for your local identity provider for identification.
    • Entity Name: Create a name for your local identity provider.
    • Base URL: Enter the fully-qualified domain name for the host serving SiteMinder SSO Federation Web Services.
    • Signed Authentication Requests Required: No
    • Supported NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • Download Metadata XML File from the Service Provider Metadata Tab of the miniOrange SAML Single-Sign-On module.
  • Click on Import Metadata and upload the downloaded XML metadata file.
  • For Import As, select Remote Entity.
  • Provide a name for the Remote Service Provider Entity.
  • For creating a partnership, configure the following:
    • Add Partnership Name: Enter a name for your partnership.
    • (Optional) Description: Enter a relevant description for your partnership.
    • Local IDP ID: Enter the Local Identity Provider ID created while adding a Local Entity.
    • Remote SP ID: Enter the Remote Service Provider ID created while adding a Remote Entity.
    • Base URL: This field will be pre-populated.
    • Skew Time: Enter any skew time required by your environment.
    • User Directories and Search Order: Select the required directories in the required search order.
  • On the Federation Users page, add the users you want to include in the partnership.
  • In the Assertion Configuration section, configure the following:
    • Name ID Format: Email Address
    • Name ID Type: User Attribute
    • Value: mail
    • (Optional) Assertion Attributes: Specify any application or group attributes that you want to map to users
  • In the SSO and SLO section, perform the following steps:
    • SSO Binding: HTTP-POST
    • Transactions Allowed: Both IDP and SP initiated
  • In the Signature and Encryption section, select Post Signature as Sign Both.
  • In the Federation Partnership List, expand the Action dropdown for your partnership and click Activate.
  • To get the IDP metadata, click the Action button and click Export Metadata. This data will be used to configure the module.
  • Navigate to the Service Provider Setup tab of the Drupal site and click on Upload IDP Metadata.
  • Upload the downloaded metadata file.
  • Click on the Fetch Metadata button.

  • Click on the Test link to test the connection between Drupal and SiteMinder.

  • In the test configuration window, a success message with SAML response attributes will appear if the configurations are correct; otherwise, error messages with additional troubleshooting instructions will appear. Click on Done.

Congratulations! You have successfully configured SiteMinder as an Identity Provider and Drupal as a Service Provider.

  • Open a new browser/private window and navigate to the Drupal site login page.
  • Click the Login using Identity Provider (SiteMinder) link.
  • You will be redirected to the SiteMinder login page. Enter the SiteMinder credentials. After successful authentication, the user will be redirected back to the Drupal site.
