Drupal SAML Single Sign On using Shibboleth as Identity Provider

The Drupal SAML integration using the miniOrange SAML SP module establishes seamless SSO between Shibboleth 4 and the Drupal site. Users will be able to log in to the Drupal site using their Shibboleth 4 credentials. This document walks you through the steps to configure Single Sign-On (SSO) between Drupal as a Service Provider (SP) and Shibboleth 4 as an Identity Provider (IdP). The module is compatible with Drupal 7, Drupal 8, Drupal 9, Drupal 10, and Drupal 11. (You can also configure Shibboleth 3 as an IdP with this setup guide.)

Install the module using one of the following three methods.

Using Composer:
  • Download the module:
    composer require 'drupal/miniorange_saml'
  • Navigate to the Extend menu on your Drupal admin console and search for miniOrange SAML Service Provider using the search box.
  • Enable the module by checking its checkbox and clicking the Install button.
  • Configure the module at
    {BaseURL}/admin/config/people/miniorange_saml/idp_setup

Using Drush:
  • Enable the module (drush en takes the module machine name, not the Composer package name):
    drush en miniorange_saml
  • Clear the cache:
    drush cr
  • Configure the module at
    {BaseURL}/admin/config/people/miniorange_saml/idp_setup

Manual installation:
  • Navigate to the Extend menu on your Drupal admin console and click on the Install new module button.
  • Install the Drupal SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider module either by uploading the downloaded archive or from the URL of the package (tar/zip).
  • Click on Enable newly added modules.
  • Enable this module by checking its checkbox and clicking the Install button.
  • Configure the module at
    {BaseURL}/admin/config/people/miniorange_saml/idp_setup
  • Go to Configuration > People > SAML Login Configuration in the Administration menu. (/admin/config/people/miniorange_saml/idp_setup)
  • Under the Service Provider Metadata tab, scroll down and copy the SP Entity ID/Issuer and the SP ACS URL. Keep it handy. (This is required to configure IdP.)
  • In conf/idp.properties, uncomment and set idp.encryption.optional to true. For example: idp.encryption.optional = true. (This lets the IdP issue unencrypted assertions to an SP whose metadata carries no encryption key, which is the case for the inline entry configured in the next step.)
  • In conf/metadata-providers.xml, add the following inline metadata entry for the Service Provider:

      <MetadataProvider xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata" id="miniOrangeInLineEntity" xsi:type="InlineMetadataProvider" sortKey="1">
          <!-- entityID: the SP Entity ID / Issuer copied from the Service Provider Metadata tab of the plugin.
               validUntil: set a date in the future; an expired validUntil makes the IdP treat this entity as invalid. -->
          <samlmd:EntityDescriptor ID="entity" entityID="[SP Entity ID / Issuer from the Service Provider Metadata tab in the plugin]" validUntil="2020-09-06T04:13:32Z">
              <samlmd:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                  <samlmd:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</samlmd:NameIDFormat>
                  <!-- Location: the SP ACS URL copied from the Service Provider Metadata tab of the plugin. -->
                  <samlmd:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="[SP ACS URL from the Service Provider Metadata tab in the plugin]" index="1" />
              </samlmd:SPSSODescriptor>
          </samlmd:EntityDescriptor>
      </MetadataProvider>

  • In conf/saml-nameid.properties, uncomment and set default NameID as EmailAddress like this:

    idp.nameid.saml2.default=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
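The inline EntityDescriptor above is easy to get subtly wrong (placeholder text left in entityID, an expired validUntil, a NameIDFormat that does not match idp.nameid.saml2.default), and the IdP reports such problems only indirectly, as a failed login. The following script is an added example, not code from the miniOrange guide or from the Shibboleth project: it parses the EntityDescriptor pasted into conf/metadata-providers.xml and checks the settings this guide relies on before you restart the IdP. SAMPLE_ENTITY is a constructed sample whose URLs are placeholders.

```python
"""Sanity-check the inline SP EntityDescriptor before restarting the Shibboleth IdP.

Added example; not code from the miniOrange guide or the Shibboleth project.
Checks: https entityID, validUntil not yet passed, WantAssertionsSigned="true",
the emailAddress NameIDFormat (must match idp.nameid.saml2.default) and an
HTTP-POST AssertionConsumerService with an https Location.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # UTC timestamp form SAML metadata uses for validUntil

# Constructed sample in the shape of the guide's snippet; the URLs are placeholders.
SAMPLE_ENTITY = """<samlmd:EntityDescriptor xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="entity" entityID="https://drupal.example.invalid/" validUntil="2020-09-06T04:13:32Z">
  <samlmd:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlmd:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</samlmd:NameIDFormat>
    <samlmd:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://drupal.example.invalid/samlassertion" index="1" />
  </samlmd:SPSSODescriptor>
</samlmd:EntityDescriptor>"""


def check_sp_entity(xml_text, now):
    """Return a list of problems; an empty list means the descriptor matches the guide.

    now is the current UTC time as 'YYYY-MM-DDTHH:MM:SSZ' (passed in so results are reproducible).
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected samlmd:EntityDescriptor"]

    # entityID must be the SP Entity ID / Issuer copied from the plugin, not placeholder text
    if not root.get("entityID", "").startswith("https://"):
        problems.append("entityID is not an https URL; paste the SP Entity ID / Issuer from the plugin")

    # An expired validUntil makes the IdP treat the entity as invalid, so SSO silently breaks
    valid_until = root.get("validUntil")
    if valid_until and datetime.strptime(valid_until, TIME_FMT) <= datetime.strptime(now, TIME_FMT):
        problems.append(f"validUntil {valid_until} has passed; set a date in the future")

    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return problems + ["no SPSSODescriptor element"]

    if sp.get("WantAssertionsSigned") != "true":
        problems.append("WantAssertionsSigned must be true so Drupal receives signed assertions")

    formats = [(e.text or "").strip() for e in sp.findall(f"{{{MD}}}NameIDFormat")]
    if EMAIL_FMT not in formats:
        problems.append("NameIDFormat emailAddress missing; it must match idp.nameid.saml2.default")

    acs = sp.findall(f"{{{MD}}}AssertionConsumerService")
    if not any(a.get("Binding") == POST_BINDING and a.get("Location", "").startswith("https://")
               for a in acs):
        problems.append("no HTTP-POST AssertionConsumerService with an https Location")
    return problems


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime(TIME_FMT)
    for issue in check_sp_entity(SAMPLE_ENTITY, now) or ["ok"]:
        print(issue)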
  • In conf/saml-nameid.xml, search for shibboleth.SAML2NameIDGenerators.
  • Uncomment the shibboleth.SAML2AttributeSourcedGenerator <bean> and comment out the other <ref bean> entries:

      <!-- SAML 2 NameID Generation -->
      <util:list id="shibboleth.SAML2NameIDGenerators">
          <!-- <ref bean="shibboleth.SAML2TransientGenerator" /> -->
          <!-- <ref bean="shibboleth.SAML2PersistentGenerator" /> -->
          <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
                p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                p:attributeSourceIds="#{ {'email'} }" />
      </util:list>

  • Make sure you have defined an AttributeDefinition in conf/attribute-resolver.xml.

    The AttributeDefinition id must be the same as the value you provided in attributeSourceIds in conf/saml-nameid.xml.
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
          <resolver:Dependency ref="ldapConnector" />
          <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="email" friendlyName="email" />
      </resolver:AttributeDefinition>

      <resolver:DataConnector id="ldapConnector" xsi:type="dc:LDAPDirectory"
              ldapURL="%{idp.authn.LDAP.ldapURL}" baseDN="%{idp.authn.LDAP.baseDN}"
              principal="%{idp.authn.LDAP.bindDN}" principalCredential="%{idp.authn.LDAP.bindDNCredential}">
          <dc:FilterTemplate>
              <!-- Define your user search filter here -->
              <![CDATA[ (&(objectclass=*)(cn=$requestContext.principalName)) ]]>
          </dc:FilterTemplate>
          <!-- "*" returns every attribute of the user entry; listing only what you need (here mail) is the tighter choice -->
          <dc:ReturnAttributes>*</dc:ReturnAttributes>
      </resolver:DataConnector>

  • Make sure you have an AttributeFilterPolicy defined in conf/attribute-filter.xml that releases the email attribute:

      <afp:AttributeFilterPolicy id="ldapAttributes">
          <afp:PolicyRequirementRule xsi:type="basic:ANY" />
          <afp:AttributeRule attributeID="email">
              <afp:PermitValueRule xsi:type="basic:ANY" />
          </afp:AttributeRule>
      </afp:AttributeFilterPolicy>

  • Restart the Shibboleth Server.
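The NameID the IdP sends to Drupal depends on three files agreeing: the attribute named in p:attributeSourceIds (conf/saml-nameid.xml) must exist as an AttributeDefinition in conf/attribute-resolver.xml and be released by an AttributeRule in conf/attribute-filter.xml. If any link is missing, the assertion arrives without a NameID and the Drupal login fails. The following script is an added example, not code from the miniOrange guide or from the Shibboleth project; it cross-checks the three fragments before you restart. The three XML strings are constructed samples in the shape of the snippets above, and matching is by element local name (assumption: the prefixed and unprefixed configuration dialects use the same local names), so it is indifferent to which namespace prefixes your files use.

```python
"""Cross-check the NameID attribute chain across the three Shibboleth config fragments.

Added example; not code from the miniOrange guide or the Shibboleth project.
The XML below is constructed sample input mirroring the guide's snippets.
"""
import re
import xml.etree.ElementTree as ET

NAMEID_XML = """<util:list xmlns:util="http://www.springframework.org/schema/util"
    xmlns:p="http://www.springframework.org/schema/p" id="shibboleth.SAML2NameIDGenerators">
  <!-- <ref bean="shibboleth.SAML2TransientGenerator" /> -->
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'email'} }" />
</util:list>"""

RESOLVER_XML = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
    <resolver:Dependency ref="ldapConnector" />
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""

FILTER_XML = """<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="ldapAttributes">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
    <afp:AttributeRule attributeID="email">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""


def local(tag):
    """Strip the {namespace} part ElementTree prepends to element and attribute names."""
    return tag.rsplit("}", 1)[-1]


def nameid_source_ids(xml_text):
    """Attribute ids listed in p:attributeSourceIds of the active SAML2AttributeSourcedGenerator bean.

    XML comments are ignored by the parser, so a generator left commented out does not count.
    """
    ids = set()
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "bean" or el.get("parent") != "shibboleth.SAML2AttributeSourcedGenerator":
            continue
        for name, value in el.attrib.items():
            if local(name) == "attributeSourceIds":
                ids.update(re.findall(r"'([^']+)'", value))   # SpEL set literal: #{ {'email'} }
    return ids


def resolver_definition_ids(xml_text):
    """ids of every AttributeDefinition in attribute-resolver.xml."""
    return {el.get("id") for el in ET.fromstring(xml_text).iter()
            if local(el.tag) == "AttributeDefinition"}


def filter_permitted_ids(xml_text):
    """attributeIDs that have an AttributeRule containing a PermitValueRule."""
    permitted = set()
    for rule in ET.fromstring(xml_text).iter():
        if local(rule.tag) == "AttributeRule" and any(local(c.tag) == "PermitValueRule" for c in rule):
            permitted.add(rule.get("attributeID"))
    return permitted


def check_nameid_chain(nameid_xml, resolver_xml, filter_xml):
    """Return a list of problems; empty means every NameID source is defined and released."""
    problems = []
    sources = nameid_source_ids(nameid_xml)
    if not sources:
        problems.append("no active SAML2AttributeSourcedGenerator with attributeSourceIds in saml-nameid.xml")
    defined = resolver_definition_ids(resolver_xml)
    released = filter_permitted_ids(filter_xml)
    for attr in sorted(sources):
        if attr not in defined:
            problems.append(f"'{attr}' has no AttributeDefinition in attribute-resolver.xml")
        if attr not in released:
            problems.append(f"'{attr}' is not permitted by any AttributeRule in attribute-filter.xml")
    return problems


if __name__ == "__main__":
    for issue in check_nameid_chain(NAMEID_XML, RESOLVER_XML, FILTER_XML) or ["ok"]:
        print(issue)
```

To run it against a real deployment, read the three files from conf/ into the three strings instead of using the samples; the checks themselves do not change.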
  • Once set up, you will need Shibboleth's Identity Provider Metadata URL, which has the form https://example123.com/idp/shibboleth. Keep it handy. (This is required to configure Drupal as the SAML SP.)
  • Go to your Drupal site. Navigate to the Service Provider Setup tab of the module and click on the Upload IDP Metadata.

  • Paste the previously copied Shibboleth Metadata URL into the Upload Metadata URL text field and click on the Fetch Metadata button.


Note: To update the Identity Provider Name, follow these steps:

  • Under Action, select Edit.
  • Enter Shibboleth 4 in the Identity Provider Name text field.
  • Scroll down and click on the Save Configuration button.
  • Click on the Test link to test the connection between Drupal and Shibboleth 4.

  • On the Test Configuration popup, if you don't have an active session in the same browser, you will be asked to sign in to Shibboleth 4. After successfully logging in to your Shibboleth 4 account, you will be shown the list of attributes received from Shibboleth 4. Scroll down and click on the Done button.

Congratulations! You have successfully configured Shibboleth 4 as a SAML Identity Provider (IdP) and Drupal as a SAML Service Provider (SP).

  • Open a new browser/private window and navigate to the Drupal site login page.
  • Click the Login using Identity Provider (Shibboleth 4) link.
  • You will be redirected to the Shibboleth 4 login page. Enter your Shibboleth 4 credentials. After successful authentication, you will be redirected back to the Drupal site, logged in.