Drupal Shibboleth SSO | SAML SSO Into Drupal Using Shibboleth 3

Drupal SAML Shibboleth 3 SSO setup will allow your user to login to your Drupal site using their Shibboleth 3 Credentials. The Drupal SAML module gives the ability to enable SAML Single Sign-On for Drupal. This module is compatible with all SAML Identity Providers ( IDP ). Here we will go through a guide to configure SAML SSO between Drupal and Shibboleth 3 Idp. By the end of this guide, users should be able to login into the Drupal site using their Shibboleth 3 credentials.

If you have any doubts or queries, you can contact us at drupalsupport@xecurify.com. We will help you to configure the module. If you want, we can also schedule an online meeting to help you configure the Drupal SAML SSO module

Step 1: Setup Shibboleth3 as Identity Provider ( IDP )

  • In conf/idp.properties, uncomment and set 'idp.encryption.optional' to true.
       eg. idp.encryption.optional = true
  • In conf/metadata-providers.xml, configure Service Provider like this
  • <MetadataProvider xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
      id="miniOrangeInLineEntity" xsi:type="InlineMetadataProvider" sortKey="1">
      <samlmd:EntityDescriptor ID="entity" entityID="<SP-EntityID / Issuer from Service Provider Info tab in plugin.>"
        validUntil="2020-09-06T04:13:32Z">
        <samlmd:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
          <samlmd:NameIDFormat>
            urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
          </samlmd:NameIDFormat>
        <samlmd:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="<ACS (AssertionConsumerService) URL from Step1 of the plugin under Identity Provider Tab.>"
          index="1" />
        </samlmd:SPSSODescriptor>
        </samlmd:EntityDescriptor>
    </MetadataProvider>
  • In conf/saml-nameid.properties, uncomment and set default NameID as Email Address like this
  • idp.nameid.saml2.default=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • In conf/saml-nameid-xml, search for shibboleth.SAML2NameIDGenerators. Uncomment the shibboleth.SAML2AttributeSourcedGenerator bean and comment all other ref beans
  • <!-- SAML 2 NameID Generation -->
    <util:list id="shibboleth.SAML2NameIDGenerators">
      <!--<ref bean="shibboleth.SAML2TransientGenerator" /> -->
      <!-->ref bean="shibboleth.SAML2PersistentGenerator" /> -->
      <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'email'} }" />
    </util:list>
  • Make sure you have defined AttributeDefinition in conf/attribute-resolver.xml.
  • <!-- Note: AttributeDefinitionid must be same as what you provided in attributeSourceIds in conf/saml-nameid.xml -->
    <resolver:AttributeDefinitionxsi:type="ad:Simple" id="email" sourceAttributeID="mail">
      <resolver:Dependency ref="ldapConnector" />
      <resolver:AttributeEncoderxsi:type="enc:SAML2String" name="email" friendlyName="email" />
    </resolver:AttributeDefinition >

    <resolver:DataConnector id="ldapConnector" xsi:type="dc:LDAPDirectory" ldapURL="%{idp.authn.LDAP.ldapURL}"
      baseDN="%{idp.authn.LDAP.baseDN}" principal="%{idp.authn.LDAP.bindDN}"
      principalCredential="%{idp.authn.LDAP.bindDNCredential}">
      <dc:FilterTemplate>
        <!-- Define you User Search Filter here -->
        <![CDATA[ (&(objectclass=*)(cn=$requestContext.principalName)) ]]>
      </dc:FilterTemplate>

      <dc:ReturnAttributes>*</dc:ReturnAttributes>
    </resolver:DataConnector>
  • Make sure you have AttributeFilterPolicy defined in conf/attribute-filter.xml.
  • <afp:AttributeFilterPolicy id="ldapAttributes">
    <afp:PolicyRequirementRulexsi:type="basic:ANY"/>
      <afp:AttributeRuleattributeID="email">
        <afp:PermitValueRulexsi:type="basic:ANY"/>
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
  • Restart the Shibboleth Server.
  • You need to configure these endpoints in the Service Provider.
  • IDP Entity ID https://<your_domain>/idp/shibboleth
    Single Login URL https://<your_domain>/idp/profile/SAML2/Redirect/SSO
    Single Logout URL https://<your_domain>/idp/shibboleth
    X.509 Certificate The public key certificate of your Shibboleth server

Step 2: Configuring Drupal as Service Provider ( SP )

  • In miniOrange SAML Module, go to Service Provider Setup tab. There are three ways to configure the Module:
    • Drupal shibboleth sso icon-1 By Shibboleth3 Metadata URL :

      • Click on Upload IDP Metadata.
      • Enter Metadata URL and click on Fetch Metadata.

      Drupal shibboleth sso icon-2 By Uploading Shibboleth3 Metadata File:

      • Click on Upload IDP Metadata.
      • Upload metadata file and click on Upload.

      Drupal shibboleth sso icon-3 Manual Configuration :

      • Copy SAML Entity ID, SAML Single-Sign-On Endpoint URL and X.509 certificate from Federation Metadata document and paste it in IdP Entity ID or Issuer, SAML Login URL, X.509 Certificate fields respectively in the Module.
      Identity Provider Name For Example:Shibboleth3
      IdP Entity ID or Issuer SAML Entity ID in the Federation Metadata document
      SAML Login URL SAML Single-Sign-On Endpoint URL in the Federation Metadata document
      X.509 Certificate x.509 Certificate in the Federation Metadata document

Business Trial For Free

If you don't find what you are looking for, please contact us at drupalsupport@xecurify.com or call us at +1 978 658 9387.

Hello there!

Need Help? We are right here!

support
Contact miniOrange Support
success

Thanks for your inquiry.

If you dont hear from us within 24 hours, please feel free to send a follow up email to info@xecurify.com