Search Results :

×
Meet us at WordCamp Europe | ShopTalk | DrupalCon Conferences to explore our solutions. Know More

Drupal SAML Single Sign On using Shibboleth 2 as Identity Provider

The Drupal SAML integration using the miniOrange SAML SP module establishes seamless SSO between Shibboleth 2 and the Drupal site. The users will be able to log in to the Drupal site using their Shibboleth 2 credentials. This document will walk you through the steps to configure Single Sign-On - SSO between Drupal as a Service Provider (SP) and Shibboleth 2 as an Identity Provider (IdP). The module is compatible with Drupal 7, Drupal 8, Drupal 9, and Drupal 10.

Installation Steps


  • Download the module: 
    Composer require 'drupal/miniorange_saml'
  • Navigate to Extend menu on your Drupal admin console and search for miniOrange SAML Service Provider using the search box.
  • Enable the module by checking the checkbox and click on install button.
  • Configure the module at 
    {BaseURL}/admin/config/people/miniorange_saml/idp_setup
  • Install the module: 
    drush en drupal/miniorange_saml
  • Clear the cache:
     drush cr
  • Configure the module at 
    {BaseURL}/admin/config/people/miniorange_saml/idp_setup
  • Navigate to Extend menu on your Drupal admin console and click on Install new module button.
  • Install the Drupal SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider module either by downloading the zip or from the URL of the package (tar/zip).
  • Click on Enable newly added modules.
  • Enable this module by checking the checkbox and click on install button.
  • Configure the module at 
    {BaseURL}/admin/config/people/miniorange_saml/idp_setup

Drupal SAML SP Metadata:

  • After installing the module on your Drupal site, in the Administration menu, navigate to Configuration → People → miniOrange SAML Login Configuration. (/admin/config/people/miniorange_saml/idp_setup)
    • Drupal SAML Single Sign-On - Select miniOrange SAML Login Configuration
  • Under the Service Provider Metadata tab, copy the SP Entity ID/Issuer and SP ACS URL and keep them handy. This SP metadata is required to configure Shibboleth 2 as Identity Provider (IdP).
    • Drupal SAML Single Sign-On - Copy SP information which is required to configure Okta as IdP

Configure SAML Single Sign-On Application in Shibboleth 2:

  • In conf/relying-party.xml, configure Service Provider like this:
  • Paste the previously copied information from the module's Service Provider Metadata tab into the respective fields.
    Shibboleth 2 Field Service Provider Information (Drupal)
    EntityDescriptorxmlns SP Entity ID/Issuer
    AssertionConsumerService SP ACS URL 
      <MetadataProviderxsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" i d="MyInlineMetadata">
      <EntitiesDescriptorxmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <md:EntityDescriptorxmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" e ntityID="<ENTITY_ID_FROM_PLUGIN>">
      <md:SPSSODescriptorAuthnRequestsSigned="false" WantAssert ionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protoco l">
      <urn:oasis:names:tc:SAM L:1.1:nameidformat:emailAddress</md:NameIDFormat>
      <md:AssertionConsumerService Binding="urn:oas is:names:tc:SAML:2.0:bindings:https-POST"Location="<ACS_URL_FROM_PLUGIN >" index="1"/>
      </md:SPSSODescriptor>
      </md:EntityDescriptor>
      </EntitiesDescriptor>
  </MetadataProvider>

  • Make sure your Shibboleth server is sending Email Address of the user in . In attribute -resolver.xml, get the email attribute as Name ID

      <resolver:AttributeDefinitionxsi:type="ad:Simple" id="email" sourceAttributeID="mail">
      <resolver:Dependency ref="ldapConnector" />
      <resolver:AttributeEncoderxsi:type="enc:SAML2StringNameID" nameFormat="urn: oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
  </resolver:AttributeDefinition>

  • In attribute-filter.xml, release the email attribute:

      <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone"> 
      <afp:PolicyRequirementRulexsi:type="basic:ANY"/> 
      <afp:AttributeRuleattributeID="email">
      <afp:PermitValueRulexsi:type="basic:ANY"/> 
      </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
  • Restart the Shibboleth Server.
  • Once setup, you will need to use Shibboleth's Identity Provider Metadata, which looks like this format: "https://example123.com/idp/shibboleth". Keep it handy. (This is required to configure Drupal as SAML SP.)

Configure Drupal as SAML Service Provider:

  • Go to your Drupal site. Navigate to the Service Provider Setup tab of the module and click on Upload IDP Metadata.
  • Paste the previously copied Shibboleth Metadata URL into the Upload Metadata URL text field. Click on the Fetch Metadata button.
    • Drupal-miniOrange-SAML-Upload-IDP-Metadata-Provide-Metadata-URL-field-Shibboleth

    Note: To update Identity Provider Name, follow these steps:

    • Under Action, select the Edit.
    • Enter Okta in the Identity Provider Name text field.
    • Scroll down and click on the Save Configuration button.
  • After successfully saving the configurations, click on the Test link to check the SAML Single Sign-On (SSO) connection between Drupal and Shibboleth 2.
    • Click-on-Test-link-to-check-the-SSO-connection-Shibboleth
  • On a Test Configuration popup, if you don't have an active session in the same browser, you will be asked to sign in to Shibboleth 2. After successfully logging into Shibboleth 2 account, you will be provided with a list of attributes that are received from the Shibboleth 2. Scroll down and click on Done button.
    • Drupal-received-attribute-from-Shibboleth

How does SAML SSO login work?

  • Open a new browser/private window and navigate to the Drupal site login page.
  • Click the Login using Identity Provider (Shibboleth 2) link.
  • You will be redirected to the Shibboleth 2 login page. Enter the Shibboleth 2 credentials. After successful authentication, the user will be redirected back to the Drupal site.

Additional Features:

Explore the advanced features offered by the module with full-featured trial. You can initiate the trial request using Request 7-day trial button of the module or reach out to us at drupalsupport@xecurify.com for one-on-one assistance from Drupal expert.

 Case Studies
miniOrange has successfully catered to the use cases of 400+ trusted customers with its highly flexible/customizable Drupal solutions. Feel free to check out some of our unique case studies using this link.
Read more
 Other Solutions
Feel free to explore other Drupal solutions that we offer here. The popular solutions used by our trusted customers include 2FA, User Provisioning, Website Security. 
Know more
  24*7 Active Support
The Drupal developers at miniOrange offer quick and active support for your queries. We can assist you from choosing the best solution for your use case to deploying and maintaining the solution.
Contact us
Trending searches:
Hello there!

Need Help? We are right here!
support
Contact miniOrange Support
success

Thanks for your inquiry.

If you dont hear from us within 24 hours, please feel free to send a follow up email to info@xecurify.com