SAML Single Sign-On (SSO) into Drupal using Shibboleth 2 as IdP

The Drupal SAML integration using the miniOrange SAML SP module establishes SSO between Shibboleth 2 and the Drupal site, so that users log in to Drupal with their Shibboleth 2 credentials. This document walks you through configuring Single Sign-On (SSO) with Drupal as the Service Provider (SP) and Shibboleth 2 as the Identity Provider (IdP). The module is compatible with Drupal 7, 8, 9, 10, and 11.

The module can be installed in any of the following ways.

Using Composer:
  • Download the module:
    composer require 'drupal/miniorange_saml'
  • Navigate to the Extend menu on your Drupal admin console and search for miniOrange SAML Service Provider using the search box.
  • Enable the module by checking the checkbox and clicking the Install button.
  • Configure the module at
    {BaseURL}/admin/config/people/miniorange_saml/idp_setup

Using Drush (after fetching the module code with Composer as above; drush en only enables code that is already present):
  • Enable the module by its machine name:
    drush en miniorange_saml
  • Clear the cache:
    drush cr
  • Configure the module at
    {BaseURL}/admin/config/people/miniorange_saml/idp_setup

Manually:
  • Navigate to the Extend menu on your Drupal admin console and click on the Install new module button.
  • Install the Drupal SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider module either by uploading the downloaded archive (tar/zip) or by entering the URL of the package.
  • Click on Enable newly added modules.
  • Enable this module by checking the checkbox and clicking the Install button.
  • Configure the module at
    {BaseURL}/admin/config/people/miniorange_saml/idp_setup
  • Go to Configuration > People > SAML Login Configuration in the Administration menu. (/admin/config/people/miniorange_saml/idp_setup)
Drupal SAML SP - select miniOrange SAML Login Configuration
  • Under the Service Provider Metadata tab, scroll down and copy the SP Entity ID/Issuer and the SP ACS URL. Keep them handy; both are required to register Drupal as a Service Provider on the IdP.
Drupal SAML SP - Copy SP Entity ID and SP ACS URL
  • In conf/relying-party.xml, add an inline metadata entry for the Drupal Service Provider. Fill in the placeholders with the values copied from the module's Service Provider Metadata tab:
    Shibboleth 2 field                     Service Provider information (Drupal)
    EntityDescriptor entityID              SP Entity ID/Issuer
    AssertionConsumerService Location      SP ACS URL
      <MetadataProvider xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" id="MyInlineMetadata">
        <EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
          <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="<ENTITY_ID_FROM_PLUGIN>">
            <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
              <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<ACS_URL_FROM_PLUGIN>" index="1"/>
            </md:SPSSODescriptor>
          </md:EntityDescriptor>
        </EntitiesDescriptor>
      </MetadataProvider>
    WantAssertionsSigned="true" tells Shibboleth that this SP expects signed assertions; keep it, because the signature on the assertion (verified against the IdP certificate carried in the Shibboleth metadata) is what the SP trusts before accepting the NameID. AuthnRequestsSigned="false" means Shibboleth accepts unsigned authentication requests from this SP, as this tutorial configures. The ACS URL must be an https URL, since the IdP posts the assertion to it.
      


  • Make sure your Shibboleth server sends the user's email address as the NameID. In attribute-resolver.xml, define the email attribute and encode it as a SAML 2 NameID of the emailAddress format:
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
            <resolver:Dependency ref="ldapConnector" />
            <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
        </resolver:AttributeDefinition>
      


  • In attribute-filter.xml, release the email attribute. With a basic:ANY requirement rule, as below, the attribute is released to every relying party; to restrict it to the Drupal site, use a basic:AttributeRequesterString requirement rule with the SP Entity ID instead.
      <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
            <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
            <afp:AttributeRule attributeID="email">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
            </afp:AttributeRule>
        </afp:AttributeFilterPolicy>
      
  • Restart the Shibboleth server.
  • Once set up, you will need Shibboleth's Identity Provider metadata URL, which has the form "https://example123.com/idp/shibboleth". Keep it handy; it is required to configure Drupal as the SAML SP. The metadata carries the IdP's entityID, SSO endpoints and signing certificate, so fetch it over HTTPS from the IdP host you control.
  • Go to your Drupal site. Navigate to the Service Provider Setup tab of the module and click on the Upload IDP Metadata.

  • Paste the previously copied Shibboleth metadata URL into the Upload Metadata URL text field and click on the Fetch Metadata button.
drupal saml Single Sign On as SP - upload idp metadata url
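Before fetching the Shibboleth metadata into the module, it is worth checking what the IdP actually publishes and what the SP entry in relying-party.xml will look like. The following Python script is an added example for this tutorial, not code from the miniOrange module or from Shibboleth. It parses a constructed stand-in for the document served at https://<idp>/idp/shibboleth (the hostname idp.example.edu and the certificate blob are placeholders), extracts the entityID, SSO endpoints, signing certificate and NameID formats that the SP will depend on, flags the things that commonly break this setup (no signing key, non-HTTPS endpoints, emailAddress NameID not advertised), and renders the SP EntityDescriptor from a hypothetical SP Entity ID and ACS URL standing in for the ones copied from the module. The comment about defusedxml is a recommendation for production use, not a dependency of the script.

```python
"""Check Shibboleth IdP metadata and render the Drupal SP entry for relying-party.xml.

Added example for this tutorial, not code from the miniOrange module or from
Shibboleth. Hostnames, entityID values and the certificate blob are placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for the document served at https://<idp>/idp/shibboleth.
SAMPLE_IDP_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.edu/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Extract what the Drupal SP relies on from IdP metadata and flag weak spots."""
    # Metadata fetched over the network is untrusted input: a production tool
    # should parse it with defusedxml (assumed installed) instead of the stdlib.
    root = ET.fromstring(xml_text)
    entity = (root if root.tag == f"{{{NS['md']}}}EntityDescriptor"
              else root.find(".//md:EntityDescriptor", NS))
    idp = None if entity is None else entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor found: this is not IdP metadata")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    # A KeyDescriptor without a 'use' attribute is valid for signing as well.
    signing_certs = [c.text.strip()
                     for kd in idp.findall("md:KeyDescriptor", NS)
                     if kd.get("use") in (None, "signing")
                     for c in kd.findall(".//ds:X509Certificate", NS)]
    nameid_formats = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)]

    problems = []
    if not signing_certs:
        problems.append("no signing certificate: the SP cannot verify assertion signatures")
    if HTTP_REDIRECT not in sso and HTTP_POST not in sso:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for binding, location in sso.items():
        if urlparse(location).scheme != "https":
            problems.append(f"SSO endpoint for {binding} is not https: {location}")
    if EMAIL_NAMEID not in nameid_formats:
        problems.append("emailAddress NameID not advertised; check attribute-resolver.xml")
    return {"entity_id": entity.get("entityID"), "sso": sso,
            "signing_certs": signing_certs, "nameid_formats": nameid_formats,
            "problems": problems}


def build_sp_entity(sp_entity_id: str, acs_url: str) -> str:
    """Render the SP EntityDescriptor for the InlineMetadataProvider in relying-party.xml.

    The IdP posts the signed assertion to the ACS URL, so a plaintext ACS lets an
    on-path attacker read or replay it; anything that is not https is refused.
    """
    if urlparse(acs_url).scheme != "https":
        raise ValueError(f"ACS URL must be https: {acs_url}")
    md = NS["md"]
    ET.register_namespace("md", md)
    entity = ET.Element(f"{{{md}}}EntityDescriptor", {"entityID": sp_entity_id})
    sp = ET.SubElement(entity, f"{{{md}}}SPSSODescriptor", {
        # Requests stay unsigned as in the tutorial; the flow's security rests on
        # the IdP signing the assertion, which WantAssertionsSigned demands.
        "AuthnRequestsSigned": "false",
        "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"})
    ET.SubElement(sp, f"{{{md}}}NameIDFormat").text = EMAIL_NAMEID
    ET.SubElement(sp, f"{{{md}}}AssertionConsumerService",
                  {"Binding": HTTP_POST, "Location": acs_url, "index": "1"})
    return ET.tostring(entity, encoding="unicode")


if __name__ == "__main__":
    report = inspect_idp_metadata(SAMPLE_IDP_METADATA)
    print(report["entity_id"], report["sso"].get(HTTP_REDIRECT))
    print("problems:", report["problems"] or "none")
    # Hypothetical SP values standing in for the ones copied from the module.
    print(build_sp_entity("https://drupal.example.org/samlassertion",
                          "https://drupal.example.org/samlassertion"))
```

To run it against a real IdP, download the metadata document from the Shibboleth URL and pass its text to inspect_idp_metadata; an empty problems list means the IdP publishes everything the steps above depend on. The rendered SP element is the same shape as the relying-party.xml fragment earlier in this guide, with the https check enforced rather than left to the operator.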


Note: To update Identity Provider Name, follow these steps:

  • Under Action, select Edit.
  • Enter Shibboleth 2 in the Identity Provider Name text field.
  • Scroll down and click on the Save Configuration button.
  • Click on the Test link to test the connection between Drupal and Shibboleth 2.

  • In the Test Configuration popup, if you do not have an active session in the same browser, you will be asked to sign in to Shibboleth 2. After successfully logging in to your Shibboleth 2 account, you will see the list of attributes received from Shibboleth 2; confirm that the NameID contains the user's email address, since that is what the module uses to match the Drupal account. Scroll down and click on the Done button.

Congratulations! You have successfully configured Shibboleth 2 as the SAML Identity Provider (IdP) and Drupal as the SAML Service Provider (SP).

  • Open a new browser/private window and navigate to the Drupal site login page.
  • Click the Login using Identity Provider (Shibboleth 2) link.
  • You will be redirected to the Shibboleth 2 login page. Enter the Shibboleth 2 credentials. After successful authentication, the user will be redirected back to the Drupal site.
