Drupal SAML Single Sign On using SimpleSAMLphp as Identity Provider

The Drupal SAML integration using the miniOrange SAML SP module establishes seamless SSO between SimpleSAMLphp and the Drupal site. The users will be able to log in to the Drupal site using their SimpleSAMLphp credentials. This document will walk you through the steps to configure Single Sign-On - SSO between Drupal as a Service Provider (SP) and SimpleSAMLphp as an Identity Provider (IdP). The module is compatible with Drupal 7, Drupal 8, Drupal 9, and Drupal 10.

Drupal SAML SP Metadata

• After installing the module on the Drupal site, in the Administration menu, navigate to Configuration → People → miniOrange SAML Login Configuration. (/admin/config/people/miniorange_saml/idp_setup)

• Copy the SP Entity ID/Issuer and the SP ACS URL in the Service Provider Metadata tab. Keep it handy. (This is required to configure OneLogin as Identity Provider (IdP)).

Configure SimpleSAMLphp as IDP:

• From the SimpleSAML installation directory, open config/config.php and edit the following:

  ‘enable.saml20-idp’ ⇒ true

• Enable the UserPass authentication module (included in exampleauth). This is done by creating a file named enable (file name) in modules/exampleauth/.

• Create an authentication source in config/authsources.php. The file should contain a single entry, refer below:

    <?php
    $metadata['__DYNAMIC:1__'] = 
    [
  	/*
  	* The hostname for this IdP. This makes it possible to run multiple
  	* IdPs from the same configuration. '__DEFAULT__' means that this one
  	* should be used by default.
  	*/
  	'host' => '__DEFAULT__',			
  	/*
  	* The private key and certificate to use when signing responses.
  	* These are stored in the cert-directory.
  	*/
  	'privatekey' => 'example.org.pem',
  	'certificate' => 'example.org.crt',
  	/*
  	* The authentication source which should be used to authenticate the
  	* user. This must match one of the entries in config/authsources.php.
  	*/
  	'auth' => '' Example:- 'example-userpass', // You can find this in Step Number 3
     ];
  

This configuration creates two users - student and employee, with the passwords studentpass and employeepass. The username and password are stored in the array index (student:studentpass for the student-user). The attributes for each user are configured in the array referenced by the index. So for the student user, these are:

  [
	'uid' => ['student'],
	'eduPersonAffiliation' => ['member', 'student'],
   ],

The attributes will be returned by the IdP when the user logs on.

• Generate a self-signed certificate using one of the following methods:

• Using openssl command

  openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out example.org.crt -keyout example.org.pem

• Generate it by using any online tools and add them in cert directory.

  The extension should be like

  example.org.crt //(Public Key)example.org.pem //(Private Key)

Note:SimpleSAMLphp will only work with RSA certificates. DSA certificates are not supported.

• The SAML 2.0 IdP is configured by the metadata stored in metadata/saml20-idp-hosted.php. This is a minimal configuration:

    <?php
    $metadata['__DYNAMIC:1__'] = 
    [
  	/*
  	* The hostname for this IdP. This makes it possible to run multiple
  	* IdPs from the same configuration. '__DEFAULT__' means that this one
  	* should be used by default.
  	*/
  	'host' => '__DEFAULT__',
  	/*
  	* The private key and certificate to use when signing responses.
  	* These are stored in the cert-directory.
  	*/
  	'privatekey' => 'example.org.pem',
  	'certificate' => 'example.org.crt',
  	/*
  	* The authentication source which should be used to authenticate the
  	* user. This must match one of the entries in config/authsources.php.
  	*/
  	' auth' => '' Example:- 'example-userpass', // You can find this in Step Number 3
     ];
  

• The identity provider you are configuring needs to know about the service providers you are going to connect to it. This is configured by metadata stored in metadata/saml20-sp-remote.php. This is a minimal example of a metadata/saml20-sp-remote.php metadata file for a SimpleSAMLphp SP: (Replace example.com with your Drupal domain name.)

    <?php          
    $metadata['https://example.com/plugins/authentication/miniorangesaml/'] = 
    [
  	'AssertionConsumerService' => 'https://example.com/samlassertion',		 
          'SingleLogoutService' => 'https://example.com/user/logout',
  	'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  	'simplesaml.nameidattribute' => 'mail',
  	'simplesaml.attributes' => true,
  	'attributes' => array('mail', 'givenname', 'sn', 'memberOf'),
    ];
  

Note: That the URI in the Entity ID and the URLs to the AssertionConsumerService and Single Logout Service endpoints change between different service providers. If you have the metadata of the remote SP as an XML file, you can use the built-in XML to SimpleSAMLphp metadata converter, which by default is available as /admin/metadata-converter.php in your SimpleSAMLphp installation.

• Go to SimpleSAMLphp homepage of installation. (The URL of an installation can be e.g. https://service.example.com/simplesaml/ where service.example.com has to be replaced by your SimpleSAMLphp path.)
• Navigate to the Federation Tab and click on Show Metadata. (This IdP metadata will be required to configure Drupal as SP.)

Configure Drupal as SAML Service Provider:

• Navigate to the Service Provider Setup tab of the SAML module on the Drupal site and click on the Upload SP Metadata to expand it.

• Upload the previously downloaded Metadata file from SimpleSAML into the Upload Metadata File text field and click on the Upload File button.

• After successfully saving the configurations, click on the Test link

• On a Test Configuration popup sign in using OneLogincredentials (if an active session is not present). After successful authentication, a list of attributes that are received from OneLogin will be displayed. Click on the Done.

Congratulations! you have successfully configured SimpleSAML as SAML Identity Provider and Drupal as SAML Service Provider.

How does SAML SSO login work?

• Open a new browser/private window and navigate to the Drupal site login page.
• Click the Login using Identity Provider (SimpleSAMLphp) link.
• You will be redirected to the SimpleSAMLphp login page. Enter the SimpleSAMLphp credentials. After successful authentication, the user will be redirected back to the Drupal site.