AppStream 2 SAML Single Sign-On SSO Login using Drupal as IDP

AppStream 2 SAML Single Sign-On SSO Login using Drupal as IDP


Drupal AppStream 2 Integration will allow you to configure Single Sign-On ( SSO ) login between your Drupal site and AWS AppStream2. AWS AppStream 2 SSO integration with your Drupal site will help your users to login into AppStream 2 using their Drupal credentials.
The Drupal SAML IDP - SAML 2.0 Identity Provider Single Sign-On (SSO) Login module is compatible with Drupal 7, Drupal 8 as well as Drupal 9. Here we will go through a step-by-step guide to configure SAML SSO login between Drupal website as IdP ( Identity Provider ) and AWS AppStream2 as SP ( Service Provider ).

If you have any doubts or queries, you can contact us at drupalsupport@xecurify.com. We will help you to configure the module. If you want, we can also schedule an online meeting to help you configure the Drupal SAML Identity Provider - SAML 2.0 as Idp SSO Login module.

Features and Pricing

Know more about Drupal SAML Identity Provider (IDP) module from here.

Pre-requisites: Download

You can download the Drupal SAML Identity Provider (IDP) module from here.

1. Install Drupal SAML IDP module

    1.1. Using Composer:

    • Composer require drupal/miniorange_saml_idp
    • Navigate to Extend menu on your Drupal admin console and search for miniOrange SAML Identity Provider using the search box.
    • Enable the module by checking the checkbox and click on install button.
    • Configure the module at
      {BaseURL}/admin/config/people/miniorange_saml_idp/idp_setup

    1.2. Using Drush:

    • Download the module:
      drush dl miniorange_saml_idp
    • Install the module:
      drush en miniorange_saml_idp
    • Clear the cache:
       drush cr
    • Configure the module at
      {BaseURL}/admin/config/people/miniorange_saml_idp/idp_setup

    1.3. Manual installation:

    • Navigate to Extend menu on your Drupal admin console and click on Install new module button.
    • Install the Drupal SAML IDP 2.0 Single Sign On (SSO) - SAML Identity Provider module either by downloading the zip or from the URL of the package (tar/zip).
    • Click on Enable newly added modules.
    • Enable this module by checking the checkbox and click on install button.
    • Configure the module at
      {BaseURL}/admin/config/people/miniorange_saml_idp/idp_setup

2. Configure Drupal site as Identity Provider

  • Navigate to the Service Provider Setup tab of the miniOrange SAML Identity Provider module on your Drupal site. There are two way to configure your Identity Provider ( Drupal as SAML IDP ):
    • A. By Uploading SP metadata:
    • Click on UPLOAD SP METADATA link.
    • You can either Upload Metadata File and click on Upload button or use a Upload Metadata URL and click on Fetch Metadata.
    • drupal saml idp service provider setup
      B. Manual Configuration:
    • Navigate to Service Provider Setup tab of the miniOrange Drupal IDP module.
    • Provide the required settings (i.e. Service Provider Name, SP Entity ID or Issuer, ACS (Assertion Consumer Service) URL, X.509 Certificate (Optional)) as provided by your Service Provider AppStream2 ( AppStream2 as SP ).
    • Service Provider Name Give any appropriate name to your Service Provider
      SP Entity ID or Issuer Get the SP Entity ID or Issuer from the metadata (https://signin.aws.amazon.com/static/saml-metadata.xml). You will find the value in the first line against entityID. It is set to urn:amazon:webservices but may vary for non-US regions.
      ACS URL https://signin.aws.amazon.com/saml. This might vary for non-US regions in which case you would find it in metadata (https://signin.aws.amazon.com/static/saml-metadata.xml) as Location attribute of AssertionConsumerService.
      Relay State https://console.aws.amazon.com. (You can set value for relay state depending on where you want to redirect the user after SSO.)
      X.509 Certificate Note: You can find the X.509 Certificate in Your SP-Metadata XML file enclosed in tag X509Data having attribute as X509Certificate.
      NameID Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      Assertion Signed Checked
  • Click on the Save Configuration button to save your configuration. Then click on Test Configuration button to test your configuration.

3. Setting SAML in AWS AppStream2

  • Login to your Amazon Web Services (AWS) Console as an admin.
  • Click on Services Tab. Under Security, Identity, & Compliances, click on IAM (Identity and Access Management).
  • drpal saml idp service tab
  • From the left-hand side list, click on Identity Providers and then click on Create Provider button in the right section.
  • drupal saml idp create provider

4. Configure SP in AWS AppStream2

  • In the Configure Provider, select SAML as Provider type from the drop-down list.
  • Enter any Provider Name (e.g Miniorange).
  • Click on Choose File button and choose a metadata file that you have already downloaded in Step 1, then click on Next Step.
  • drupal saml idp choose a metadata file
  • In the next screen, you will be shown your entered provider information. Verify it and click on the Create button. The SAML Provider is created and it should be listed in the Provider table.
  • drupal saml idp created saml provider

5. Create/Add Role

  • Now click on Roles from the left-hand side list and then click on Create role button.
  • In the Create Role section, click on SAML 2.0 federation tab.
  • Under Choose SAML 2.0 Provider, select the SAML Provider that you have created previously i.e Miniorange.
  • choose saml 2.0 provider
  • After that, choose Allow programmatic access only radio option.
  • Select SAML:aud option from the Attribute drop-down list.
  • Enter the value as https://signin.aws.amazon.com/saml.
  • Then, click on Next: Permissions button.
  • Check the Policy Name AmazonEC2ReadOnlyAccess and click on Next: Tags button.
  • Policy Name AmazonEC2ReadOnlyAccess
  • Then, skip Step Add Tags (Optional) by clicking on Next:Rreview button.
  • In the next step, enter Role name and click on Create Role button.
  • Next:Rreview button
  • Click on your created role name.
  • In the Summary section, click on the trusted relationship tab and copy Role ARN and Trusted Entities value.
  • Keep the values with you in comma separated format. For example- arn:aws:iam::656620318436:role/SSORole,arn:aws:iam::656620318436:saml-provider/miniorange
  • comma separated format

6. Add attributes for AWS AppStream2

  • Enter the value https://aws.amazon.com/SAML/Attributes/RoleSessionName in the Attribute Name field and select E-Mail Address from the Attribute Value dropdown list.
  • Click on the '+' icon besides Additional User Attributes to add another set of attributes and enter the value https://aws.amazon.com/SAML/Attributes/Role in the Attribute Name field and enter the machine name whose value here (arn:aws:iam::656620318436:role/SSORole,arn:aws:iam::656620318436:saml-provider/miniOrange) you want to send to SP.
  • select Custom Attribute Value from the Attribute Value list and in the Custom Attribute Value, enter comma separated value that created in step 3 e.g.[arn:aws:iam::656620318436:role/SSORole,arn:aws:iam::656620318436:saml-provider/miniOrange].
  • attribute mapping
  • Now you have successfully configured miniOrange Drupal SAML IDP with AWS appstream as SP.

24*7 Active Support

If you face any issues or if you have any questions, please feel free to reach out to us at drupalsupport@xecurify.com. In case you want some additional features to be included in the module, please get in touch with us, and we can get that custom-made for you. Also, If you want, we can also schedule an online meeting to help you configure the Drupal SAML IDP SSO Login module.

Free Trial

If you would like to test out the module to ensure your business use case is fulfilled, we do provide a 7-day trial. Please drop us an email at drupalsupport@xecurify.com requesting a trial. You can create an account with us using this link.

Additional Resources

Our Other modules

Hello there!

Need Help? We are right here!

support
Contact miniOrange Support
success

Thanks for your inquiry.

If you dont hear from us within 24 hours, please feel free to send a follow up email to info@xecurify.com