Drupal Shibboleth SSO | SAML SSO Into Drupal Using Shibboleth 3

Drupal SAML Shibboleth 3 SSO ( Single Sign-on ) setup will allow your user to login to your Drupal site using their Shibboleth 3 Credentials. Drupal SAML module gives the ability to enable SAML Single Sign-on for Drupal. This module is compatible with all SAML Identity Providers ( IDP ). We provide Drupal SAML Single Sign on - Service Provider module which is compatible with Drupal 7, Drupal 8 and Drupal 9. Here we will go through a guide to configure SAML SSO between Drupal and Shibboleth 3 Idp. By the end of this guide, users from your Identity Provider should be able to login into the Drupal site.
If you have any queries or if you need any sort of assistance in configuring the module, you can contact us at drupalsupport@xecurify.com. If you want, we can also schedule an online meeting to help you configure the Drupal SAML Single Sign on - Service Provider SSO Login module.

Steps to configure Shibboleth 3 SAML Single Sign-On ( SSO ) Login into Drupal site

2. Setup Drupal as Service Provider

• In the miniOrage SAML Service Provider module, go to Service Provider Setup tab of the module. There are two way to configure Drupal SAML Service Provider SSO module:

A. By Uploading IDP Metadata

• Click on Upload IDP Metadata link.
• Click on Upload Metadata File and click on Upload File to fetch your information.
• You can either Upload Metadata URLand click on Fetch Metadata button.


B. Manual Configuartion

• Provide the required settings (i.e. Identity Provider Name, Idp Entity ID or Issuer, SAML Login URL and X.509 Certificate ) find to your Identity Provider Shibboleth 3 and click on Save Configuration button to save your configuration.

Identity Provider Name	Enter name of Identity Provider
Idp Entity ID or Issuer	Copy Idp Entity ID / Issuer from Shibboleth 3 Dashboard and paste it.
SAML Login URL	Copy Single Sign On URL from Shibboleth 3 Dashboard and paste it.
X.509 Certificate	Copy and Download Signing certificate from Shibboleth 3 Dashboard and paste it.

3. Setup Shibboleth 3 as Identity Provider

Follow the following steps to Configure Shibboleth 3 as IdP

 Configure Shibboleth 3 as IdP

• In conf/idp.properties, uncomment and set 'idp.encryption.optional' to true.
     eg. idp.encryption.optional = true
• In conf/metadata-providers.xml, configure Service Provider like this
<MetadataProvider xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
  id="miniOrangeInLineEntity" xsi:type="InlineMetadataProvider" sortKey="1">
  <samlmd:EntityDescriptor ID="entity" entityID="<SP-EntityID / Issuer from Service Provider Info tab in plugin.>"
    validUntil="2020-09-06T04:13:32Z">
    <samlmd:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <samlmd:NameIDFormat>
        urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      </samlmd:NameIDFormat>
    <samlmd:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="<ACS (AssertionConsumerService) URL from Step1 of the plugin under Identity Provider Tab.>"
      index="1" />
    </samlmd:SPSSODescriptor>
    </samlmd:EntityDescriptor>
</MetadataProvider>
• In conf/saml-nameid.properties, uncomment and set default NameID as Email Address like this
idp.nameid.saml2.default=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
• In conf/saml-nameid-xml, search for shibboleth.SAML2NameIDGenerators.
• Uncomment the shibboleth.SAML2 Attribute Sourced Generator bean and comment all other ref beans
<!-- SAML 2 NameID Generation -->
<util:list id="shibboleth.SAML2NameIDGenerators">
  <!--<ref bean="shibboleth.SAML2TransientGenerator" /> -->
  <!-->ref bean="shibboleth.SAML2PersistentGenerator" /> -->
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
  p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  p:attributeSourceIds="#{ {'email'} }" />
</util:list>
• Make sure you have defined AttributeDefinition in conf/attribute-resolver.xml.
<!-- Note: AttributeDefinitionid must be same as what you provided in attributeSourceIds in conf/saml-nameid.xml -->
<resolver:AttributeDefinitionxsi:type="ad:Simple" id="email" sourceAttributeID="mail">
  <resolver:Dependency ref="ldapConnector" />
  <resolver:AttributeEncoderxsi:type="enc:SAML2String" name="email" friendlyName="email" />
</resolver:AttributeDefinition >

<resolver:DataConnector id="ldapConnector" xsi:type="dc:LDAPDirectory" ldapURL="%{idp.authn.LDAP.ldapURL}"
  baseDN="%{idp.authn.LDAP.baseDN}" principal="%{idp.authn.LDAP.bindDN}"
  principalCredential="%{idp.authn.LDAP.bindDNCredential}">
  <dc:FilterTemplate>
    <!-- Define you User Search Filter here -->
    <![CDATA[ (&(objectclass=*)(cn=$requestContext.principalName)) ]]>
  </dc:FilterTemplate>

  <dc:ReturnAttributes>*</dc:ReturnAttributes>
</resolver:DataConnector>
• Make sure you have AttributeFilterPolicy defined in conf/attribute-filter.xml.
<afp:AttributeFilterPolicy id="ldapAttributes">
<afp:PolicyRequirementRulexsi:type="basic:ANY"/>
  <afp:AttributeRuleattributeID="email">
    <afp:PermitValueRulexsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

• Restart the Shibboleth Server.
• You need to configure these endpoints in the Service Provider.

IDP Entity ID	https://<your_domain>/idp/shibboleth
Single Login URL	https://<your_domain>/idp/profile/SAML2/Redirect/SSO
Single Logout URL	https://<your_domain>/idp/shibboleth
X.509 Certificate	The public key certificate of your Shibboleth server

You have successfully configured Shibboleth 3 as SAML IdP (Identity Provider) for achieving Shibboleth 3 SSO login into your Drupal Site.

In this Guide, you have successfully configured Shibboleth 3 SAML Single Sign-On ( Shibboleth 3 Login ) choosing Shibboleth 3 as IdP and Drupal as SP using miniOrange SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider Login module. This solution ensures that you are ready to roll out secure access to your Drupal site using Shibboleth 3 login credentials within secound.

24*7 Active Support

If you face any issues or if you have any questions, please feel free to reach out to us at drupalsupport@xecurify.com. In case you want some additional features to be included in the module, please get in touch with us, and we can get that custom-made for you. Also, If you want, we can also schedule an online meeting to help you configure the Drupal SAML SP Single Sign On (SSO) module.

Additional Resources

• What is Single Sign-On (SSO)?
• What is SAML?
• what is SSO? How works SAML SSO authentication?
• Frequently Asked Questions (FAQs)

Our Other modules