AppStream 2 SAML Single Sign-On (SSO) Integration with Drupal as IdP

Overview

This guide will help you integrate Drupal as a SAML 2.0 Identity Provider (IdP) and AppStream 2 as a Service Provider (SP) using the miniOrange SAML IDP module. This integration enables centralized user management and permission control, allowing users to access multiple applications with a single set of credentials. The module is compatible with Drupal 7, Drupal 8, Drupal 9, Drupal 10, and Drupal 11.

Installation Steps

• Using Composer
• Using Drush
• Manual Installation

• Download the module:

  Composer require 'drupal/miniorange_saml_idp'

• Navigate to Extend menu on your Drupal admin console and search for miniOrange SAML Identity Provider using the search box.
• Enable the module by checking the checkbox and click on install button.
• Configure the module at

  {BaseURL}/admin/config/people/miniorange_saml_idp/idp_setup

• Install the module:

  drush en miniorange_saml_idp

• Clear the cache:

   drush cr

• Configure the module at

  {BaseURL}/admin/config/people/miniorange_saml_idp/idp_setup

• Navigate to Extend menu on your Drupal admin console and click on Install new module button.
• Install the Drupal SAML IDP 2.0 Single Sign On (SSO) - SAML Identity Provider module either by downloading the zip or from the URL of the package (tar/zip).
• Click on Enable newly added modules.
• Enable this module by checking the checkbox and click on install button.
• Configure the module at

  {BaseURL}/admin/config/people/miniorange_saml_idp/idp_setup

Configuration Steps

Drupal SAML IdP Metadata:

• After installing the module on your Drupal site, in the Administration menu → navigate to Configuration → People → miniOrange SAML IDP Configuration. (/admin/config/people/miniorange_saml_idp/idp_setup)

• Under the IDP Metadata tab, click on the Download Metadata button. Open it on the notepad and copy the IdP information. Keep it handy. (This information is required to configure AppStream 2 as SAML SP.)

Configure AppStream 2 as Service Provider:

• Login into your AWS Administrator console.
• Navigate to Services -> Security, Identity & Compliances -> IAM (Identity and Access Management).

• Select Identity Providers from the left-hand menu bar and then click Add provider button.

• Select SAML as a provider. Enter the name of provider in the Provider Name text field and in the Metadata document, upload the metadata file that you downloaded from the Drupal site.

• Scroll down and click on Add provider button.
• In the next screen, you will be shown your entered provider information. Verify it and click on the Create button. The SAML Provider is created and it should be listed in the Provider table.

Create and Add User Role:

• In the left side menu bar, select Roles and click on Create role button.
• Navigate to Create Role section and select SAML 2.0 federation.
• Under Choose SAML 2.0 Provider, select the SAML Provider that you have created previously i.e., miniOrange

• After that, choose Allow programmatic access only radio option.
• Select SAML:aud option from the Attributedrop-down list.
• Enter the value as https://signin.aws.amazon.com/saml.
• Then, click on Next: Permissions button.
• Check the Policy Name AmazonEC2ReadOnlyAccess and click on Next: Tagsbutton.

• Then, skip step Add Tags (Optional) by clicking on Next: Preview button.
• In the next step, enter Role name and click on CreateRole button.

• Click on your Created role name.
• In the Summary section, click on the Trusted relationship tab and copy Role ARN and Trusted Entities value.
• Keep the values with you in comma separated format. For example- [arn:aws:iam::656620318436:role/SSORole,arn:aws:iam::656620318436:saml-provider/miniOrange](It will needed in further configuration of Drupal as SAML Identity Provider).

Add Attribute for AppStream 2

• Enter the value https://aws.amazon.com/SAML/Attributes/RoleSessionName in the Attribute Name field and select E-Mail Address from the Attribute Value dropdown list.
• Click on the '+' icon besides Additional User Attributes to add another set of attributes and enter the value https://aws.amazon.com/SAML/Attributes/Role in the Attribute Name field and enter the machine name whose value here (arn:aws:iam::656620318436:role/SSORole,arn:aws:iam::656620318436:saml-provider/miniOrange) you want to send to SP.
• select Custom Attribute Value from the Attribute Value list and in the Custom Attribute Value, enter comma separated value that created in step 3 e.g.[arn:aws:iam::656620318436:role/SSORole,arn:aws:iam::656620318436:saml-provider/miniOrange].

Configure Drupal as SAML Identity Provider:

• Navigate to the Drupal site and switch to the Service Provider Setup tab of the miniOrange SAML IDP module and click on the Upload SP metadata to expand it.

• Now, paste the Role ARN which was copied earlier from Amazon AppStream 2, in the Enter Metadata URL text field and click Fetch Metadata button.

• Once the configuration is successfully saved you will get a success message. Now, click on the Test link.

You have successfully set up Amazon AppStream 2.0 as Service Provider and Drupal as Identity Provider.