Guide for Drupal Single Sign On (SSO) using RSA SecurID as Identity Provider (IdP)

RSA SecurID Single Sign On (SSO) for Drupal miniOrange provides a ready to use solution for Drupal. This solution ensures that you are ready to roll out secure access to your Drupal site using RSA SecurID within minutes.

Step 1:Setup RSA SecurID as Identity Provider

  • Login to the RSA Secure ID as Super Admin.
  • In the Administration Console, click Application → Application Catalog.
  • Click Create From Template button on the top right corner.
  • Drupal RSA SecurID sso login
  • Next to the SAML Direct, click select in the Choose Connector Template page. The Add Connector wizard appears.
  • Drupal RSA SecurID sso wizard connecter
  • Fill the required information in the Basic Information page on the Add Connector wizard.

    • Name:- Name of the application for eg. miniOrange Plugin.
    • Description (Optional):- Description for your application.
    • Disabled [a checkbox] (optional): Select this only if you want to make this application unavailable to users. When disabled, the application appears in My Application but does not appear in the RSA application portal.
    • Click Next Step button.
    • Drupal RSA SecurID sso rsa application
  • Fill the required information in the Connection Profile page.
    1. Drupal RSA SecurID sso connection profile Connection Profile

      • Upload the miniOrange plugin’s metadata file and click on the Import Metadata button. You can download it from the Service Provider info tab of the plugin.
      • Verify the configured URLs and clicks on the Save button on the top right corner of the pop-up window.
      • Drupal RSA SecurID sso configured url

      Drupal RSA SecurID sso saml workflow Initiate SAML Workflow

      • Select SP-Initiated, if you want the SSO should be invoked from Application or select IDP-initiated, if you want the user should log in into RSA first and then access Application from his RSA Dashboard.
      • Configure base URL of your Application or you can leave it blank if IDP-initiated is selected.
      • Select Binding type: POST and Signed Checked.
      • Drupal RSA SecurID sso Binding type

      Drupal RSA SecurID sso saml idp issuer SAML Identity Provider(Issuer)

      • Upload the public and private key which will be used to signed SAML Response or you can generate new key pair by clicking on the Generate Cert Bundle button.
      • (Optional) Enable checkbox for Include Certificate in Outgoing Assertion.
      • Drupal RSA SecurID sso certificate outgoing assertion

      Drupal RSA SecurID sso SP Service Provider

      • Assertion Consumer Service URL and Audience URL should be preconfigured if you have uploaded plugin’s metadata in the Connection Profile section. If not, you can find the required URLs from Service Provider Info tab of the miniOrange SAML plugin and update the URL here.
      • Drupal RSA SecurID sso Saml plugin tab

      user identity User Identity

      • Configure NameID information that identifies the user on whose behalf the SAML Assertion is generated.
      • Drupal RSA SecurID sso SAML assertion

       Advanced Configuration: Attribute Extention

      • Configure additional user information to be sent to the Application in the SAML Response, for example, username, email, display name, groups etc.
      • Drupal RSA SecurID sso SAML response

      Drupal RSA SecurID sso advance configuration Advanced Configuration: Uncommon Formatting SAML Response

      • Sign outgoing Assertion:- Assertion within Response.
      • Encrypt Assertion (Optional): If checked, you need to load miniOrange plugin’s public certificate and you can download it from the Service Provider Info tab of the plugin.
      • Unchecked Send encoded URL in Assertion.
      • Checked include issuer NameID format and select NameID Format as Unspecified.
      • Save the configuration and move to the next page i.e. User Access page.
      • Drupal RSA SecurID sso user access page
  • Define application access in the User Access page.
  • Configure application display settings for RSA end users like app icon etc and save the settings
  • Now, In the Administration Console, click Application My Application.
  • Find the app that you have configured and click on Edit Export Metadata. Keep the metadata handy, it will require to configure miniOrange plugin.
  • Drupal RSA SecurID sso export metadata
  • Click on Publish Changes in the top left corner of the RSA Admin Console to publish this configuration and immediately activate it.
  • Drupal RSA SecurID sso rsa admin

Step 2: Configuring Drupal as Service Provider (SP)

  • In miniOrange SAML Module, go to Service Provider Setup tab. There are three ways to configure the Module:
    • Drupal RSA SecurID sso icon By RSA Metadata URL :

      • Click on Upload IDP Metadata.
      • Enter Metadata URL and click on Fetch Metadata.

      Drupal RSA SecurID sso metadata file By Uploading RSA Metadata File:

      • Click on Upload IDP Metadata.
      • Upload metadata file and click on Upload.

      Drupal RSA SecurID sso manual configuration Manual Configuration :

      • Copy SAML Entity ID, SAML Single-Sign-On Endpoint URL and X.509 certificate from Federation Metadata document and paste it in IdP Entity ID or Issuer, SAML Login URL, X.509 Certificate fields respectively in the Module.
      Identity Provider Name For Example:RSA
      IdP Entity ID or Issuer SAML Entity ID in the Federation Metadata document
      SAML Login URL SAML Single-Sign-On Endpoint URL in the Federation Metadata document
      X.509 Certificate x.509 Certificate in the Federation Metadata document

Step 3: Attribute Mapping (It is Optional to fill this.) This is Premium feature.

  • Attributes are user details that are stored in your Identity Provider.
  • Attribute Mapping helps you to get user attributes from your Identity Provider (IdP) and map them to Drupal user attributes like firstname, lastname etc.
  • While auto registering the users in your Drupal site these attributes will automatically get mapped to your Drupal user details.
  • In miniOrange SAML Module, go to Mapping tab and fill in all the fields.
    Username: Name of the username attribute from IdP (Keep NameID by default)
    Email: Name of the email attribute from IdP (Keep NameID by default)
    Group/Role Key: Name of the Role attribute from Identity Provider (IdP)
  • drupal saml sp RSA SecurID attribute mapping
  • You can check the Test Configuration Results under Service Provider Setup tab to get a better idea of which values to map here.

Step 4: Role mapping. (It is Optional to fill this.) This is Premium feature.

  • Drupal uses a concept of Roles, designed to give the site owner the ability to control what users can and cannot do within the site.
  • Role mapping helps you to assign specific roles to users of a certain group in your Identity Provider (IdP).
  • While auto registering, the users are assigned roles based on the group they are mapped to.
  • Drupal RSA SecurID sso role mapping

Step 5: Sign In Setting. This is Premium feature.

  • Go to SIGNIN Settings tab. There are multiple features availabe in this tab like Protect your whole site, Auto redirect the user to Identity Provider,auto-create user and Backdoor Login. To use these features, click on the respective checkboxes.
  • Drupal RSA SecurID sso sign in settings

Free Trial

If you don't find what you are looking for, please contact us at info@xecurify.com or call us at +1 978 658 9387.