Drupal SAML Single Sign On using Shibboleth as Identity Provider
The Drupal SAML integration using the miniOrange SAML SP module establishes seamless SSO between Shibboleth 4 and the Drupal
site. Users will be able to log in to the Drupal site using their Shibboleth 4 credentials. This document walks
through the steps to configure Single Sign-On (SSO) between Drupal as a Service Provider (SP) and Shibboleth 4 as an
Identity Provider (IdP). The module is compatible with Drupal 7, Drupal 8, Drupal 9, and Drupal 10. (You can also configure Shibboleth 3 as an IdP with this setup guide.)
After installing the module on your Drupal site, in the Administration menu, navigate to Configuration → People → miniOrange SAML Login Configuration (/admin/config/people/miniorange_saml/idp_setup).
Under the Service Provider Metadata tab, copy the SP Entity ID/Issuer and
SP ACS URL and keep them handy. This SP metadata is required to configure Shibboleth 2 as
Identity Provider (IdP).
Configure SAML Single Sign-On Application in Shibboleth:
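In conf/idp.properties, uncomment and set 'idp.encryption.optional' to true.
For example: idp.encryption.optional = true
With this setting the IdP sends the assertion unencrypted when the SP metadata carries no encryption key, as is the case for the metadata below, so confidentiality of the assertion rests on TLS and the SP ACS URL should be HTTPS.
In conf/metadata-providers.xml, follow the code below to set up a Service Provider: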
<MetadataProvider xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata" id="miniOrangeInLineEntity" xsi:type="InlineMetadataProvider" sortKey="1">
  <!-- validUntil must be a future timestamp; metadata past this date is treated as expired -->
  <samlmd:EntityDescriptor ID="entity" entityID="<SP-EntityID / Issuer from Service Provider Info tab in plugin.>" validUntil="2020-09-06T04:13:32Z">
    <samlmd:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <samlmd:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<ACS (AssertionConsumerService) URL from Step1 of the plugin under Identity Provider Tab.>" index="1" />
    </samlmd:SPSSODescriptor>
  </samlmd:EntityDescriptor>
</MetadataProvider>
In conf/saml-nameid.properties, uncomment and set default NameID as EmailAddress like this:
Once set up, you will need Shibboleth's Identity Provider Metadata URL, which has this format: "https://example123.com/idp/shibboleth". Keep it handy. (This is required to configure Drupal as SAML SP.)
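A pre-deployment check for the inline SP metadata added to conf/metadata-providers.xml above, as an added example that is not part of the miniOrange guide or the Shibboleth distribution. It flags an expired validUntil, a non-HTTPS ACS URL, and a missing encryption key (the case idp.encryption.optional = true permits); the entityID, ACS URL and function name are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample (hypothetical SP values); xmlns:xsi added so it parses alone.
SAMPLE = f"""<MetadataProvider xmlns:samlmd="{MD}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="miniOrangeInLineEntity" xsi:type="InlineMetadataProvider" sortKey="1">
  <samlmd:EntityDescriptor ID="entity" entityID="https://drupal.example.org"
      validUntil="2020-09-06T04:13:32Z">
    <samlmd:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <samlmd:AssertionConsumerService index="1" Location="http://drupal.example.org/acs"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    </samlmd:SPSSODescriptor>
  </samlmd:EntityDescriptor>
</MetadataProvider>"""


def lint_sp_metadata(xml_text, now=None):
    """Return findings for an inline SP metadata block (raises if not well-formed)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for ent in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        name = ent.get("entityID", "?")
        until = ent.get("validUntil")
        if until:
            exp = datetime.strptime(until, "%Y-%m-%dT%H:%M:%SZ")
            if exp.replace(tzinfo=timezone.utc) <= now:
                findings.append(f"{name}: validUntil {until} is in the past")
        for sp in ent.iter(f"{{{MD}}}SPSSODescriptor"):
            if sp.get("WantAssertionsSigned") not in ("true", "1"):
                findings.append(f"{name}: WantAssertionsSigned is not true")
            for acs in sp.iter(f"{{{MD}}}AssertionConsumerService"):
                loc = acs.get("Location", "")
                if urlparse(loc).scheme != "https":
                    findings.append(f"{name}: ACS {loc} is not https")
            # No encryption-capable key: idp.encryption.optional = true lets the
            # IdP send the assertion unencrypted instead of failing the request.
            keys = sp.iter(f"{{{MD}}}KeyDescriptor")
            if not any(k.get("use") in (None, "encryption") for k in keys):
                findings.append(f"{name}: no encryption key, assertion unencrypted")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_sp_metadata(SAMPLE)))
```

Run it against the MetadataProvider element after the placeholders have been replaced with the values copied from the Drupal module.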
Configure Drupal as SAML Service Provider:
Go to your Drupal site. Navigate to the Service Provider Setup tab of the module and click on Upload IDP Metadata.
Paste the previously copied Shibboleth Metadata URL into the Upload Metadata URL text field. Click on the Fetch Metadata button.
Note: To update Identity Provider Name, follow these steps:
Under Action, select Edit.
Enter Okta in the Identity Provider Name text field.
Scroll down and click on the Save Configuration button.
After successfully saving the configurations, click on the Test link to check the SAML Single Sign-On (SSO) connection between Drupal and Shibboleth.
In the Test Configuration popup, if you don't have an active session in the same browser, you will be asked to sign in to Shibboleth. After successfully logging in to your Shibboleth account, you will be shown a list of the attributes received from Shibboleth. Scroll down and click on the Done button.
How does SAML SSO login work?
Open a new browser/private window and navigate to the Drupal site login page.
Click the Login using Identity Provider (Shibboleth) link.
You will be redirected to the Shibboleth login page. Enter the Shibboleth credentials. After successful authentication, the user will be redirected back to the Drupal site.