Guide for Shibboleth2 as IdP with Drupal

Download Module

Shibboleth2 Single Sign On (SSO) for Drupal miniOrange pro vides a ready to use solution for Drupal. This solution ensures that you are ready to roll out secure access to your Drupal site using Shibboleth2 within minutes.

Step 1: Setup Shibboleth2 as Identity Provider

  • In conf/relying-party.xml, configure Service Provider like this
    • <MetadataProviderxsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" i d="MyInlineMetadata">
      <EntitiesDescriptorxmlns="urn:oasis:names:tc:SAML:2.0:metadata">
        <md:EntityDescriptorxmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" e ntityID="<ENTITY_ID_FROM_PLUGIN>">
          <md:SPSSODescriptorAuthnRequestsSigned="false" WantAssert ionsSigned="true" protocolSupportEnumeration=
              "urn:oasis:names:tc:SAML:2.0:protoco l">
            <urn:oasis:names:tc:SAM L:1.1:nameidformat:emailAddress</md:NameIDFormat>
            <md:AssertionConsumerService Binding="urn:oas is:names:tc:SAML:2.0:bindings:https-POST"
              Location="<ACS_URL_FROM_PLUGIN >" index="1"/>
          </md:SPSSODescriptor>
        </md:EntityDescriptor>
      </EntitiesDescriptor>
    </MetadataProvider>
  • Make sure your Shibboleth server is sending Email Address of the user in Name ID. In attribute -resolver.xml, get the email attribute as Name ID:
    • <resolver:AttributeDefinitionxsi:type="ad:Simple" id="email" sourceAttributeID="mail">
       <resolver:Dependency ref="ldapConnector" />
       <resolver:AttributeEncoderxsi:type="enc:SAML2StringNameID" nameFormat="urn: oasis:names:tc:SAML:1.1:
        nameid-format:emailAddress"/>
    </resolver:AttributeDefinition>
  • In attribute-filter.xml, release the email attribute:
    • <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <afp:PolicyRequirementRulexsi:type="basic:ANY"/>
      <afp:AttributeRuleattributeID="email">
        <afp:PermitValueRulexsi:type="basic:ANY"/>
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
  • Restart the Shibboleth Server.
  • You need to configure these endpoints in the Service Provider.
    • IDP Entity ID https://<your_domain>/idp/shibboleth
    Single Login URL https://<your_domain>/idp/profile/SAML2/ Redirect/SSO
    X.509 Certificate The public key certificate of your Shibboleth server

Step 2: Configuring Drupal as Service Provider (SP)

  • In miniOrange SAML Module, go to Service Provider Setup tab. There are three ways to config ure the Module:

      • Drupal shibboleth sso icon By Shibboleth2 Metadata URL :

      • Click on Upload IDP Metadata.
      • Enter Metadata URL and click on Fetch Metadata.

      Drupal shibboleth sso icon-1 By Uploading Shibboleth2 Metadata File:

      • Click on Upload IDP Metadata.
      • Upload metadata file and click on Upload.

      Drupal shibboleth sso icon 1 Manual Configuration :

      • Copy SAML Entity ID, SAML Single-Sign-On Endpoint URL and X.509 certifica te from Federation Metadata document and paste it in IdP Entity ID or Is suer, SAML Login URL, X.509 Certificate fields respectively in the Module.
      Identity Provider Name For Example:Shibboleth2
      IdP Entity ID or Issuer SAML Entity ID in the Federation Metadata document
      SAML Login URL SAML Single-Sign-On Endpoint URL in the Federation Metadata document
      X.509 Certificate x.509 Certificate in the Federation Metadata document

Step 3: Attribute Mapping (It is Optional to fill this.) This is Premium feature.

  • Attributes are user details that are stored in your Identity Provider.
  • Attribute Mapping helps you to get user attributes from your Identity Provider (IdP) and map them to Drupal user attributes like firstname, lastname etc.
  • While auto registering the users in your Drupal site these attributes will automatically get mapped to your Drupal user details.
  • In miniOrange SAML Module, go to Mapping tab and fill in all the fields.
    Username: Name of the username attribute from IdP (Keep NameID by default)
    Email: Name of the email attribute from IdP (Keep NameID by default)
    Group/Role Key: Name of the Role attribute from Identity Provider (IdP)
    • Drupal shibboleth sso attribute mapping
  • You can check the Test Configuration Results under Service Provider Setup tab to get a better idea of which values to map here.

Step 4: Role mapping. (It is Optional to fill this.) This is Premium feature.

  • Drupal uses a concept of Roles, designed to give the site owner the ability to control what users can and cannot do within the site.
  • Role mapping helps you to assign specific roles to users of a certain group in your Identity Provider (IdP).
  • While auto registering, the users are assigned roles based on the group they are mapped to.
    • Drupal shibboleth sso role mapping

Step 5: Sign In Setting. This is Premium feature.

  • Go to SIGNIN Settings tab. There are multiple features available in this tab like Protect your whole site, Auto redirect the user to Identity Provider,auto-create user and Backdoor Login. To use these features, click on the respective checkboxes.
    • Drupal shibboleth sso sign in settings

Business Trial For Free

If you don't find what you are looking for, please contact us at info@xecurify.com or call us at +1 978 658 9387.