Drupal SAML Single Sign On using Shibboleth as Identity Provider
Overview
The Drupal SAML integration using the miniOrange SAML SP module establishes SSO between Shibboleth 4 and the Drupal site. Users will be able to log in to the Drupal site using their Shibboleth 4 credentials. This document walks you through the steps to configure Single Sign-On (SSO) between Drupal as a Service Provider (SP) and Shibboleth 4 as an Identity Provider (IdP). The module is compatible with Drupal 7, Drupal 8, Drupal 9, Drupal 10, and Drupal 11. (You can also configure Shibboleth 3 as an IdP with this setup guide.)
Installation Steps
- Using Composer
- Using Drush
- Manual Installation
Configuration Steps
Drupal SAML SP Metadata:
- Go to Configuration → People → SAML Login Configuration in the Administration menu. (/admin/config/people/miniorange_saml/idp_setup)
- Under the Service Provider Metadata tab, scroll down and copy the SP Entity ID/Issuer and the SP ACS URL. Keep them handy. (These are required to configure the IdP.)
Configure Shibboleth 4 as an Identity Provider
- In conf/idp.properties, uncomment and set idp.encryption.optional to true, for example: idp.encryption.optional = true.
- In conf/metadata-providers.xml, add the following inline metadata provider to set up the Service Provider:
<MetadataProvider xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata" id="miniOrangeInLineEntity" xsi:type="InlineMetadataProvider" sortKey="1">
  <samlmd:EntityDescriptor ID="entity" entityID="<SP-EntityID / Issuer from Service Provider Info tab in plugin.>" validUntil="2020-09-06T04:13:32Z">
    <samlmd:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <samlmd:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</samlmd:NameIDFormat>
      <samlmd:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<ACS (AssertionConsumerService) URL from Step1 of the plugin under Identity Provider Tab.>" index="1" />
    </samlmd:SPSSODescriptor>
  </samlmd:EntityDescriptor>
</MetadataProvider>
Set validUntil to a timestamp in the future: Shibboleth does not use an EntityDescriptor whose validUntil has already passed, and the SP will then be unknown to the IdP.
- In conf/saml-nameid.properties, uncomment and set the default NameID format to emailAddress:
idp.nameid.saml2.default=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- In conf/saml-nameid.xml, search for shibboleth.SAML2NameIDGenerators. Uncomment the shibboleth.SAML2AttributeSourcedGenerator <bean> and comment out the other <ref bean> entries:
<!-- SAML 2 NameID Generation -->
<util:list id="shibboleth.SAML2NameIDGenerators">
  <!-- <ref bean="shibboleth.SAML2TransientGenerator" /> -->
  <!-- <ref bean="shibboleth.SAML2PersistentGenerator" /> -->
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'email'} }" />
</util:list>
Make sure you have defined an AttributeDefinition in conf/attribute-resolver.xml. The AttributeDefinition id must be the same as the value you provided in attributeSourceIds in conf/saml-nameid.xml:
<resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
  <resolver:Dependency ref="ldapConnector" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="email" friendlyName="email" />
</resolver:AttributeDefinition>
<resolver:DataConnector id="ldapConnector" xsi:type="dc:LDAPDirectory"
    ldapURL="%{idp.authn.LDAP.ldapURL}" baseDN="%{idp.authn.LDAP.baseDN}"
    principal="%{idp.authn.LDAP.bindDN}" principalCredential="%{idp.authn.LDAP.bindDNCredential}">
  <dc:FilterTemplate>
    <!-- Define your user search filter here -->
    <![CDATA[ (&(objectclass=*)(cn=$requestContext.principalName)) ]]>
  </dc:FilterTemplate>
  <dc:ReturnAttributes>*</dc:ReturnAttributes>
</resolver:DataConnector>
Make sure you have an AttributeFilterPolicy defined in conf/attribute-filter.xml that releases the email attribute:
<afp:AttributeFilterPolicy id="ldapAttributes">
  <afp:PolicyRequirementRule xsi:type="basic:ANY" />
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
A PolicyRequirementRule of basic:ANY releases the attribute to every relying party the IdP knows; for production, restrict the policy to the Drupal SP's entityID.
- Restart the Shibboleth Server.
- Once set up, you will need Shibboleth's Identity Provider Metadata URL, which has the form "https://example123.com/idp/shibboleth". Keep it handy. (This is required to configure Drupal as the SAML SP.)
Configure Drupal as SAML Service Provider:
- Go to your Drupal site. Navigate to the Service Provider Setup tab of the module and click on Upload IDP Metadata.
- Paste the previously copied Shibboleth Metadata URL into the Upload Metadata URL text field. Click on the Fetch Metadata button.
Note: To update Identity Provider Name, follow these steps:
- Under Action, select Edit.
- Enter Shibboleth 4 in the Identity Provider Name text field.
- Scroll down and click on the Save Configuration button.
- Click on the Test link to test the connection between Drupal and Shibboleth 4.
- On the Test Configuration popup, if you don't have an active session in the same browser, you will be asked to sign in to Shibboleth 4. After successfully logging into your Shibboleth 4 account, you will be shown the list of attributes received from Shibboleth 4. Scroll down and click on the Done button.
Congratulations! You have successfully configured Shibboleth 4 as the SAML Identity Provider (IdP) and Drupal as the SAML Service Provider.
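Both sides of this setup trust a metadata document: Shibboleth trusts the inline SP entity pasted into conf/metadata-providers.xml, and Drupal trusts whatever is fetched from the /idp/shibboleth URL, including the signing certificate it will later use to verify assertions. The script below is an added example and is not part of the miniOrange guide or module. It checks the points that most often break or weaken this trust: an expired validUntil, a NameIDFormat that does not match idp.nameid.saml2.default, an IdP descriptor without a signing certificate, and endpoints not served over HTTPS, and it prints the SHA-256 fingerprint of the IdP signing certificate so it can be compared out of band with what the IdP operator publishes. The hostname drupal.example.com, the /samlassertion ACS path, the Shibboleth endpoint paths and the certificate bytes are constructed stand-ins, not values from the guide.

```python
"""Lint a SAML EntityDescriptor before trusting it (added example, not from the guide).
Handles the inline SP metadata for Shibboleth's conf/metadata-providers.xml and the IdP
metadata Drupal fetches from https://<idp-host>/idp/shibboleth."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def inspect_metadata(xml_text, now, expected_nameid=EMAIL_FORMAT):
    """Return (summary, findings); `now` is a timezone-aware datetime for the validUntil check."""
    root = ET.fromstring(xml_text)
    # Accept a bare EntityDescriptor or the MetadataProvider wrapper used in the guide.
    ed = root if root.tag == "{%s}EntityDescriptor" % NS["md"] else root.find("md:EntityDescriptor", NS)
    if ed is None:
        raise ValueError("no EntityDescriptor in document")
    summary = {"entityID": ed.get("entityID"), "role": None, "endpoints": [], "cert_sha256": []}
    findings = []

    valid_until = ed.get("validUntil")
    if valid_until:
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append(f"validUntil {valid_until} is in the past; Shibboleth will not load this entity")

    sp = ed.find("md:SPSSODescriptor", NS)
    if sp is not None:
        summary["role"] = "SP"
        if sp.get("WantAssertionsSigned") != "true":
            findings.append("SP does not require signed assertions (WantAssertionsSigned)")
        formats = [(f.text or "").strip() for f in sp.findall("md:NameIDFormat", NS)]
        if expected_nameid not in formats:
            findings.append(f"NameIDFormat does not match idp.nameid.saml2.default ({expected_nameid})")
        for acs in sp.findall("md:AssertionConsumerService", NS):
            summary["endpoints"].append((acs.get("Binding"), acs.get("Location")))
            if acs.get("Binding") != HTTP_POST:
                findings.append(f"unexpected ACS binding {acs.get('Binding')}")

    idp = ed.find("md:IDPSSODescriptor", NS)
    if idp is not None:
        summary["role"] = "IdP"
        for sso in idp.findall("md:SingleSignOnService", NS):
            summary["endpoints"].append((sso.get("Binding"), sso.get("Location")))
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "signing"):
                continue  # encryption-only keys never verify assertions
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                der = base64.b64decode("".join(cert.text.split()))
                summary["cert_sha256"].append(hashlib.sha256(der).hexdigest())
        if not summary["cert_sha256"]:
            findings.append("IdP metadata has no signing certificate; the SP cannot verify assertions")

    for _, location in summary["endpoints"]:
        if not (location or "").startswith("https://"):
            findings.append(f"endpoint {location} is not served over HTTPS")
    return summary, findings


# Constructed SP document: the guide's inline entity with placeholder values filled in
# and the guide's validUntil kept, so the check shows why that value matters.
SP_METADATA = """<MetadataProvider xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="miniOrangeInLineEntity"
  xsi:type="InlineMetadataProvider" sortKey="1">
  <samlmd:EntityDescriptor ID="entity" entityID="https://drupal.example.com" validUntil="2020-09-06T04:13:32Z">
    <samlmd:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <samlmd:NameIDFormat> urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress </samlmd:NameIDFormat>
      <samlmd:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://drupal.example.com/samlassertion" index="1" />
    </samlmd:SPSSODescriptor>
  </samlmd:EntityDescriptor>
</MetadataProvider>"""

# Constructed IdP document. FAKE_CERT_DER stands in for the DER certificate a real IdP
# publishes (only its fingerprint is taken); the POST endpoint is deliberately plain HTTP.
FAKE_CERT_DER = b"constructed-not-a-real-certificate"
EXPECTED_FAKE_FP = hashlib.sha256(FAKE_CERT_DER).hexdigest()
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example123.com/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://example123.com/idp/profile/SAML2/Redirect/SSO" />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="http://example123.com/idp/profile/SAML2/POST/SSO" />
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def run_checks(now=None):
    """Inspect both constructed documents; returns {"SP": (summary, findings), "IdP": (...)}."""
    now = now or datetime(2025, 1, 1, tzinfo=timezone.utc)
    return {"SP": inspect_metadata(SP_METADATA, now), "IdP": inspect_metadata(IDP_METADATA, now)}


if __name__ == "__main__":
    for role, (summary, findings) in run_checks().items():
        print(role, summary["entityID"], summary["endpoints"], summary["cert_sha256"], findings)
```

Run against a real deployment by replacing the two constants with the SP entity from conf/metadata-providers.xml and the IdP document saved from the metadata URL; the SP check should come back clean once validUntil is moved into the future, and the fingerprint list should contain exactly the certificate the IdP operator expects to be trusted.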
How does SAML SSO login work?
- Open a new browser/private window and navigate to the Drupal site login page.
- Click the Login using Identity Provider (Shibboleth 4) link.
- You will be redirected to the Shibboleth 4 login page. Enter the Shibboleth 4 credentials. After successful authentication, the user will be redirected back to the Drupal site.