Drupal SAML Single Sign On using SimpleSAMLphp as Identity Provider
Overview
The Drupal SAML integration using the miniOrange SAML SP module establishes seamless SSO between SimpleSAMLphp and the Drupal site. Users will be able to log in to the Drupal site using their SimpleSAMLphp credentials. This document walks you through the steps to configure Single Sign-On (SSO) between Drupal as a Service Provider (SP) and SimpleSAMLphp as an Identity Provider (IdP). The module is compatible with Drupal 7, Drupal 8, Drupal 9, Drupal 10, and Drupal 11.
Installation Steps
- Using Composer
- Using Drush
- Manual Installation
Configuration Steps
Drupal SAML SP Metadata
- Go to Configuration → People → SAML Login Configuration in the Administration menu. (/admin/config/people/miniorange_saml/idp_setup)
- Under the Service Provider Metadata tab, copy the SP Entity ID/Issuer and SP ACS URL and keep them handy. This SP metadata is required to configure SimpleSAMLphp as Identity Provider (IdP).
Configure SimpleSAMLphp as an Identity Provider
- From the SimpleSAMLphp installation directory, open config/config.php and edit the following:
    'enable.saml20-idp' => true,
- Enable the UserPass authentication module (included in exampleauth). This is done by creating a file named enable in modules/exampleauth/.
- Create an authentication source in config/authsources.php. The file should contain a single entry, as shown below:
    <?php
    $config = [
        // Name of the authentication source; referenced by 'auth' in
        // metadata/saml20-idp-hosted.php.
        'example-userpass' => [
            // The UserPass module from exampleauth.
            'exampleauth:UserPass',

            // Each index is username:password; the array holds that user's attributes.
            'student:studentpass' => [
                'uid' => ['student'],
                'eduPersonAffiliation' => ['member', 'student'],
            ],
            'employee:employeepass' => [
                'uid' => ['employee'],
                'eduPersonAffiliation' => ['member', 'employee'],
            ],
        ],
    ];
This configuration creates two users - student and employee, with the passwords studentpass and employeepass. The username and password are stored in the array index (student:studentpass for the student-user). The attributes for each user are configured in the array referenced by the index. So for the student user, these are:
    [
        'uid' => ['student'],
        'eduPersonAffiliation' => ['member', 'student'],
    ],
The attributes will be returned by the IdP when the user logs on.
- Generate a self-signed certificate using one of the following methods:
  - Using the openssl command:
        openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out example.org.crt -keyout example.org.pem
  - Generate it using any online tool and add the files to the cert directory. The extensions should be like:
        example.org.crt //(Public Key)
        example.org.pem //(Private Key)
  Note: SimpleSAMLphp will only work with RSA certificates. DSA certificates are not supported.
- The SAML 2.0 IdP is configured by the metadata stored in metadata/saml20-idp-hosted.php. This is a minimal configuration:
    <?php
    $metadata['__DYNAMIC:1__'] = [
        /*
         * The hostname for this IdP. This makes it possible to run multiple
         * IdPs from the same configuration. '__DEFAULT__' means that this one
         * should be used by default.
         */
        'host' => '__DEFAULT__',

        /*
         * The private key and certificate to use when signing responses.
         * These are stored in the cert-directory.
         */
        'privatekey' => 'example.org.pem',
        'certificate' => 'example.org.crt',

        /*
         * The authentication source which should be used to authenticate the
         * user. This must match one of the entries in config/authsources.php.
         */
        'auth' => 'example-userpass', // Example value. You can find this in Step Number 3
    ];
- The identity provider you are configuring needs to know about the service providers you are going to connect to it. This is configured by metadata stored in metadata/saml20-sp-remote.php. This is a minimal example of a metadata/saml20-sp-remote.php metadata file for a SimpleSAMLphp SP: (Replace example.com with your Drupal domain name.)
    <?php
    $metadata['https://example.com/plugins/authentication/miniorangesaml/'] = [
        'AssertionConsumerService' => 'https://example.com/samlassertion',
        'SingleLogoutService' => 'https://example.com/user/logout',
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        'simplesaml.nameidattribute' => 'mail',
        'simplesaml.attributes' => true,
        'attributes' => array('mail', 'givenname', 'sn', 'memberOf'),
    ];
  Note: The URI in the Entity ID and the URLs of the AssertionConsumerService and Single Logout Service endpoints differ between service providers. If you have the metadata of the remote SP as an XML file, you can use the built-in XML to SimpleSAMLphp metadata converter, which by default is available as /admin/metadata-converter.php in your SimpleSAMLphp installation.
- Go to the homepage of your SimpleSAMLphp installation. (The URL of an installation can be e.g. https://service.example.com/simplesaml/ where service.example.com has to be replaced by your SimpleSAMLphp path.)
- Navigate to the Federation Tab and click on Show Metadata. (This IdP metadata will be required to configure Drupal as SP.)
Configure Drupal as SAML Service Provider:
- Go to your Drupal site. Navigate to the Service Provider Setup tab of the module and click on Upload IDP Metadata.
- Upload the previously downloaded Metadata file from SimpleSAML into the Upload Metadata File text field and click on the Upload File button.
Note: To update Identity Provider Name, follow these steps:
- Under Action, select Edit.
- Enter SimpleSAMLphp in the Identity Provider Name text field.
- Scroll down and click on the Save Configuration button.
- Click on the Test link to test the connection between Drupal and SimpleSAMLphp.
- On the Test Configuration popup, sign in using SimpleSAMLphp credentials (if an active session is not present). After successful authentication, a list of attributes received from SimpleSAMLphp will be displayed. Click on Done.
Congratulations! You have successfully configured SimpleSAMLphp as SAML Identity Provider (IdP) and Drupal as SAML Service Provider.
How does SAML SSO login work?
- Open a new browser/private window and navigate to the Drupal site login page.
- Click the Login using Identity Provider (SimpleSAMLphp) link.
- You will be redirected to the SimpleSAMLphp login page. Enter the SimpleSAMLphp credentials. After successful authentication, the user will be redirected back to the Drupal site.