SAML Single Sign-On (SSO) for Drupal using Shibboleth2 as IDP

Download Module

Drupal SAML Shibboleth2 SSO setup will allow your user to login to your Drupal site using their Shibboleth2 Credentials. Drupal SAML module gives the ability to enable SAML Single Sign-On for Drupal. Drupal module is compatible with all SAML Identity Providers. Here we will go through a guide to configure SAML SSO between Drupal and Shibboleth2. By the end of this guide, users from Shibboleth2 should be able to login into the Drupal site, you can download module click here

Step 1: Setup Shibboleth2 as Identity Provider

In conf/relying-party.xml, configure Service Provider like this


				<MetadataProviderxsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" i 
                                d="MyInlineMetadata"> 

				  <EntitiesDescriptorxmlns="urn:oasis:names:tc:SAML:2.0:metadata"> 

				    <md:EntityDescriptorxmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" e 
                                ntityID="<ENTITY_ID_FROM_PLUGIN>"> 

				      <md:SPSSODescriptorAuthnRequestsSigned="false" WantAssert 
                                ionsSigned="true" protocolSupportEnumeration= 

				          "urn:oasis:names:tc:SAML:2.0:protoco 
                                l"> 

				        <urn:oasis:names:tc:SAM  
                                L:1.1:nameidformat:emailAddress</md:NameIDFormat> 

				        <md:AssertionConsumerService Binding="urn:oas 
                                is:names:tc:SAML:2.0:bindings:https-POST" 

				          Location="<ACS_URL_FROM_PLUGIN 
                                >" index="1"/> 

				      </md:SPSSODescriptor> 

				    </md:EntityDescriptor> 

				  </EntitiesDescriptor> 

				</MetadataProvider>

Make sure your Shibboleth server is sending Email Address of the user in Name ID. In attribute -resolver.xml, get the email attribute as Name ID:


				<resolver:AttributeDefinitionxsi:type="ad:Simple" id="email" sourceAttributeID="mail"> 

				   <resolver:Dependency ref="ldapConnector" /> 

				   <resolver:AttributeEncoderxsi:type="enc:SAML2StringNameID" nameFormat="urn: 
                                oasis:names:tc:SAML:1.1: 

				    nameid-format:emailAddress"/> 

				</resolver:AttributeDefinition>

In attribute-filter.xml, release the email attribute:


				<afp:AttributeFilterPolicy id="releaseTransientIdToAnyone"> 

				<afp:PolicyRequirementRulexsi:type="basic:ANY"/> 

				  <afp:AttributeRuleattributeID="email"> 

				    <afp:PermitValueRulexsi:type="basic:ANY"/> 

				  </afp:AttributeRule> 

				</afp:AttributeFilterPolicy>

Restart the Shibboleth Server.
You need to configure these endpoints in the Service Provider.

IDP Entity ID	https://<your_domain>/idp/shibboleth
Single Login URL	https://<your_domain>/idp/profile/SAML2/ Redirect/SSO
X.509 Certificate	The public key certificate of your Shibboleth server

Step 2: Configuring Drupal as Service Provider (SP)

In miniOrange SAML Module, go to Service Provider Setup tab. There are three ways to config ure the Module:

Drupal shibboleth sso icon By Shibboleth2 Metadata URL :

Click on Upload IDP Metadata.
Enter Metadata URL and click on Fetch Metadata.

Drupal shibboleth sso icon-1 By Uploading Shibboleth2 Metadata File:

Click on Upload IDP Metadata.
Upload metadata file and click on Upload.

Drupal shibboleth sso icon 1 Manual Configuration :

Copy SAML Entity ID, SAML Single-Sign-On Endpoint URL and X.509 certifica te from Federation Metadata document and paste it in IdP Entity ID or Is suer, SAML Login URL, X.509 Certificate fields respectively in the Module.

Identity Provider Name	For Example:Shibboleth2
IdP Entity ID or Issuer	SAML Entity ID in the Federation Metadata document
SAML Login URL	SAML Single-Sign-On Endpoint URL in the Federation Metadata document
X.509 Certificate	x.509 Certificate in the Federation Metadata document

SAML Single Sign-On (SSO) for Drupal using Shibboleth2 as IDP

Step 1: Setup Shibboleth2 as Identity Provider

Step 2: Configuring Drupal as Service Provider (SP)

Additional Resources

Contents

STAY CONNECTED

Product

Solutions

Why miniorange

Company