Drupal SAML Single Sign On using Shibboleth as Identity Provider

The Drupal SAML integration using the miniOrange SAML SP module establishes seamless SSO between Shibboleth 4 and the Drupal site. The users will be able to log in to the Drupal site using their Shibboleth 4 credentials. This document will walk you through the steps to configure Single Sign-On - SSO between Drupal as a Service Provider (SP) and Shibboleth 4 as an Identity Provider (IdP). The module is compatible with Drupal 7, Drupal 8, Drupal 9, and Drupal 10.(You can also configure Shibboleth 3 as an IdP with this setup guide)

Drupal SAML SP Metadata:

• After installing the module on your Drupal site, in the Administration menu, navigate to Configuration → People → miniOrange SAML Login Configuration. (/admin/config/people/miniorange_saml/idp_setup)

• Under the Service Provider Metadata tab, copy the SP Entity ID/Issuer and SP ACS URL and keep them handy. This SP metadata is required to configure Shibboleth 2 as Identity Provider (IdP).

Configure SAML Single Sign-On Application in Shibboleth:

• In conf/idp.properties, uncomment and set 'idp.encryption.optional' to true. For, example: idp.encryption.optional = true

• In conf/metadata-providers.xml, follow the code below to set up a Service Provide:

    <MetadataProvider xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"id="miniOrangeInLineEntity" xsi:type="InlineMetadataProvider" sortKey="1">
        <samlmd:EntityDescriptor ID="entity" entityID="<SP-EntityID / Issuer from Service Provider Info tab in plugin.>"validUntil="2020-09-06T04:13:32Z">
        <samlmd:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <samlmd:NameIDFormat>
        urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        </samlmd:NameIDFormat>
        <samlmd:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"Location="<ACS (AssertionConsumerService) URL from Step1 of the plugin under Identity Provider Tab.>"index="1" />
        </samlmd:SPSSODescriptor>
        </samlmd:EntityDescriptor>
    </MetadataProvider>
  

• In conf/saml-nameid.properties, uncomment and set default NameID as EmailAddress like this:

  idp.nameid.saml2.default=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

• In conf/saml-nameid-xml, search for shibboleth.SAML2NameIDGenerators.

• Uncomment the shibboleth.SAML2 AttributeSourcedGenerator <bean> and comment out the other <ref bean>:

    <!-- SAML 2 NameID Generation -->
    <util:list id="shibboleth.SAML2NameIDGenerators">
        <!--<ref bean="shibboleth.SAML2TransientGenerator" /> -->
        <!--><ref bean="shibboleth.SAML2PersistentGenerator" /> -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"p:attributeSourceIds="#{ {'email'} }" />
    </util:list>
  

• Make sure you have defined AttributeDefinition in conf/attribute-resolver.xml.

  AttributeDefinitionid must be same as what you provided in attributeSourceIds in conf/saml-nameid.xml

    <resolver:AttributeDefinitionxsi:type="ad:Simple" id="email" sourceAttributeID="mail">
        <resolver:Dependency ref="ldapConnector" />
        <resolver:AttributeEncoderxsi:type="enc:SAML2String" name="email" friendlyName="email" />
        </resolver:AttributeDefinition >
        <resolver:DataConnector id="ldapConnector" xsi:type="dc:LDAPDirectory" ldapURL="%{idp.authn.LDAP.ldapURL}"baseDN="%{idp.authn.LDAP.baseDN}" principal="%{idp.authn.LDAP.bindDN}"principalCredential="%{idp.authn.LDAP.bindDNCredential}">
        <dc:FilterTemplate>
        <!-- Define you User Search Filter here -->
        <![CDATA[ (&(objectclass=*)(cn=$requestContext.principalName)) ]]>
        </dc:FilterTemplate>
        <dc:ReturnAttributes>*</dc:ReturnAttributes>
    </resolver:DataConnector>
  

• Make sure you have AttributeFilterPolicy defined in conf/attribute-filter.xml.

    <afp:AttributeFilterPolicy id="ldapAttributes"> 
        <afp:PolicyRequirementRulexsi:type="basic:ANY"/> 
        <afp:AttributeRuleattributeID="email">
        <afp:PermitValueRulexsi:type="basic:ANY"/> 
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy> 
  

• Restart the Shibboleth Server.
• Once setup, you will need to use Shibboleth's Identity Provider Metadata, which looks like this format: "https://example123.com/idp/shibboleth". Keep it handy. (This is required to configure Drupal as SAML SP.)

Configure Drupal as SAML Service Provider:

• Go to your Drupal site. Navigate to the Service Provider Setup tab of the module and click on Upload IDP Metadata.
• Paste the previously copied Shibboleth Metadata URL into the Upload Metadata URL text field. Click on the Fetch Metadata button.


Note: To update Identity Provider Name, follow these steps:

• Under Action, select the Edit.
• Enter Okta in the Identity Provider Name text field.
• Scroll down and click on the Save Configuration button.
• After successfully saving the configurations, click on the Test link to check the SAML Single Sign-On (SSO) connection between Drupal and Shibboleth.

• On a Test Configuration popup, if you don't have an active session in the same browser, you will be asked to sign in to Shibboleth. After successfully logging into Shibboleth account, you will be provided with a list of attributes that are received from the Shibboleth. Scroll down and click on Done button.

How does SAML SSO login work?

• Open a new browser/private window and navigate to the Drupal site login page.
• Click the Login using Identity Provider (Shibboleth) link.
• You will be redirected to the Shibboleth login page. Enter the Shibboleth credentials. After successful authentication, the user will be redirected back to the Drupal site.