SAML Single Sign On (SSO) into Drupal using ADFS as IDP

Drupal SAML ADFS SSO setup allows your users to log in to your Drupal site with their ADFS credentials. The Drupal SAML module adds SAML 2.0 Single Sign-On to Drupal and works with any SAML 2.0 Identity Provider; here we walk through configuring SAML SSO between Drupal and ADFS. By the end of this guide, users from ADFS should be able to log in to the Drupal site. The Drupal account is matched on the Name ID that ADFS sends, which in this guide is the user's e-mail address.

Step 1: Configuring ADFS as Identity Provider (IdP)

  • In the AD FS Management console, go to Relying Party Trusts and click Add Relying Party Trust, then click Start.
  • In Select Data Source: select Enter data about the relying party manually. Click Next.
  • In Specify Display Name: enter a display name (for example, Drupal). Click Next.
  • In Choose Profile : Select AD FS profile. Click Next.
  • In Configure Certificate (this is the optional token-encryption certificate): if you are using the free module, skip this step and click Next. If you are using the premium module, upload the certificate downloaded from the module so that ADFS encrypts the assertion for Drupal. Click Next.
  • In Configure URL: check Enable support for the SAML 2.0 WebSSO protocol and enter the ACS URL from the module in the Relying party SAML 2.0 SSO service URL field. ADFS posts assertions to this URL, so it must be exactly the URL the module displays. Click Next.
  • In Configure Identifiers: enter the SP Entity ID / Issuer URL from the module in the Relying party trust identifier field. This value must match, character for character, the Issuer the module puts in its authentication requests, otherwise ADFS will not recognise the request. Click Add, then Next.
  • In Configure Multi-factor Authentication: Select I do not want to configure multi factor authentication settings for this relying party trust. Click Next.
  • In Choose Issuance Authorization Rules, select Permit all users to access this relying party. Click Next. Note that every account that can authenticate to ADFS can then reach Drupal; if only some users should, tighten this later with an issuance authorization rule or an access control policy.
  • In Ready to Add Trust, click Next.
  • Check Open the Edit Claim Rules dialog and click Close. Click Add Rule, select Send LDAP Attributes as Claims and enter the following:
    Claim rule name      any name, for example: Attributes
    Attribute store      Active Directory
    LDAP Attribute       E-Mail-Addresses
    Outgoing Claim Type  Name ID
  • Click Finish. Users whose AD account has no e-mail address set will get no Name ID and will not be able to log in, so make sure the mail attribute is populated.
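The Step 1 wizard, scripted with the ADFS PowerShell cmdlets. This is an added example and not code from the miniOrange guide or module; the display name, SP Entity ID, ACS URL and certificate path are assumed placeholders to be replaced with the values shown on the module's Service Provider Setup tab.

```powershell
# Added example: create the Drupal relying party trust from Step 1 with the ADFS
# PowerShell module instead of the wizard. Run in an elevated session on the ADFS server.
Import-Module ADFS

$DisplayName = 'Drupal SAML SP'                              # assumed display name
$SpEntityId  = 'https://drupal.example.com/saml/metadata'    # assumed SP Entity ID / Issuer from the module
$AcsUrl      = 'https://drupal.example.com/saml/acs'         # assumed ACS URL from the module
$SpEncryptionCertPath = $null   # premium module only, e.g. 'C:\certs\drupal-sp.cer'; leave $null for the free module

# "Configure URL": the assertion consumer endpoint, HTTP-POST binding.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
           -Uri $AcsUrl -Index 0 -IsDefault $true

# "Send LDAP Attributes as Claims": E-Mail-Addresses (LDAP attribute "mail") issued as Name ID.
# Accounts with an empty mail attribute get no Name ID and cannot log in to Drupal.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# "Permit all users to access this relying party". Replace with a group-based rule
# if only some AD users should be able to reach Drupal.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

$trust = @{
    Name                       = $DisplayName
    Identifier                 = $SpEntityId      # must equal the Issuer the module sends, byte for byte
    SamlEndpoint               = $acs
    IssuanceTransformRules     = $transformRules
    IssuanceAuthorizationRules = $authzRules
    SignatureAlgorithm         = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
}

# "Configure Certificate" in the wizard is the optional token-encryption certificate.
if ($SpEncryptionCertPath) {
    $trust.EncryptionCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SpEncryptionCertPath
}

Add-AdfsRelyingPartyTrust @trust

# Read back what ADFS stored and compare it with the module's Service Provider Setup tab.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, SignatureAlgorithm,
        @{ n = 'AcsUrl'; e = { ($_.SamlEndpoints | Where-Object Protocol -eq 'SAMLAssertionConsumer').Location } }
```

The read-back at the end is the check worth keeping: a trailing slash or http/https mismatch between the Identifier or ACS URL stored in ADFS and what the module sends is the most common reason the first login fails.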

Windows SSO (optional)

Follow the steps below to configure Windows SSO.

Steps to configure ADFS for Windows Authentication

  • Open an elevated Command Prompt on the ADFS server and run the following command:
    • setspn -a HTTP/##ADFS Server FQDN## ##Domain Service Account##

      FQDN is the fully qualified domain name of the federation service (example: adfs4.example.com).

      Domain Service Account is the AD account the ADFS service runs as, written as domain\username.

      Example: setspn -a HTTP/adfs.example.com domain\username

      setspn -s does the same but refuses to create a duplicate SPN; a duplicate HTTP/ SPN on two accounts is the usual reason Windows authentication silently falls back to the forms login.

  • Open the AD FS Management console, go to Authentication Policies and edit the Global Authentication Policy. Check Windows Authentication for the Intranet zone.
  • Open Internet Explorer and go to the Security tab in Internet Options.
  • Add the FQDN of AD FS to the list of Local intranet sites and restart the browser.
  • Select Custom level for the Local intranet zone and, under User Authentication, select Automatic logon only in Intranet zone.
  • Open PowerShell and run the following two commands to enable Windows authentication for the Chrome browser. The first adds Chrome to the list of user agents ADFS will challenge with Windows authentication; the second prints the resulting list so you can confirm Chrome is in it.
    • Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome")

      Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents

  • You have now configured ADFS for Windows Authentication. To add the relying party trust for your Drupal site, follow the steps in Step 1 above.
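The Windows SSO steps above as one script. This is an added example, not part of the miniOrange guide: the server part runs in an elevated PowerShell session on the ADFS server, the client function is for domain-joined workstations (or a GPO), and the service account name is an assumed placeholder.

```powershell
# Added example: scripted version of the Windows SSO steps. Run elevated on the ADFS server.
Import-Module ADFS

$FederationServiceName = (Get-AdfsProperties).HostName   # federation service name, e.g. adfs.example.com
$ServiceAccount        = 'EXAMPLE\svc_adfs'              # assumed DOMAIN\username that the ADFS service runs as

# 1. Service principal name. setspn -S refuses to create a duplicate; two accounts
#    holding HTTP/<fqdn> makes Kerberos fail and the browser falls back to forms login.
$spn = "HTTP/$FederationServiceName"
if ((setspn -Q $spn) -match 'No such SPN found') {
    setspn -S $spn $ServiceAccount
} else {
    Write-Warning "$spn is already registered; confirm it belongs to $ServiceAccount before continuing"
    setspn -L $ServiceAccount
}

# 2. Enable Windows Authentication for the intranet zone, keeping Forms as the fallback
#    (the "Windows Authentication in Intranet zone" checkbox in the console).
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication')

# 3. Let Chrome (and Chromium-based Edge, whose User-Agent also contains "Chrome")
#    receive the Negotiate challenge. ADFS matches these as substrings of the User-Agent.
$agents = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
if ($agents -notcontains 'Chrome') {
    Set-AdfsProperties -WIASupportedUserAgents ($agents + 'Chrome')
}
Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents

# 4. Client side: the Internet Options steps as registry writes. Placing the ADFS host in
#    the Local intranet zone (zone 1) is what makes the browser send the Kerberos ticket
#    automatically; "Automatic logon only in Intranet zone" is that zone's default setting.
function Add-AdfsHostToIntranetZone {
    param([Parameter(Mandatory)][string]$Fqdn)
    $hostLabel, $domain = $Fqdn -split '\.', 2     # adfs.example.com -> adfs, example.com
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null
}
# On a workstation: Add-AdfsHostToIntranetZone -Fqdn 'adfs.example.com'
```

The SPN query before the add is the step the guide's one-liner skips; if `setspn -Q` reports an existing SPN on a different account, fix that first, because ADFS will otherwise keep answering with a Negotiate challenge the client cannot satisfy.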

Step 2: Configuring Drupal as Service Provider (SP)

  • In the Drupal SAML module, go to the Service Provider Setup tab. There are two ways to configure the module:
    • By uploading the ADFS metadata file:
      • Click on Upload IDP Metadata.
      • Upload the metadata file and click on Upload.
    • By ADFS metadata URL:
      • Click on Upload IDP Metadata.
      • Enter the metadata URL and click on Fetch Metadata.
      • The ADFS metadata URL is https://<your_ADFS_domain>/federationmetadata/2007-06/federationmetadata.xml
    • Either way, the metadata carries the ADFS token-signing certificate that the module will trust for every assertion it receives. Take it over HTTPS from the real ADFS host only, and if in doubt compare the certificate thumbprint with the token-signing certificate shown under Service > Certificates in the AD FS Management console.
    • If you want Single Logout, add a logout endpoint to the relying party trust in ADFS:
    • Navigate to Relying Party Trusts, select the Drupal trust and open Properties.
    • On the Endpoints tab, click Add SAML.
    • Select SAML Logout from the Endpoint type dropdown.
    • Enter the ACS URL in the Trusted URL field and the module's SAML Logout URL in the Response URL field, then click OK.
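The Add SAML endpoint dialog above, done from PowerShell against an existing trust. This is an added example and not code from the miniOrange guide or module; the trust name and the two URLs are assumed placeholders, and the HTTP-POST binding is the dialog's default, assumed here.

```powershell
# Added example: add the SAML Logout endpoint to an existing Drupal relying party trust.
Import-Module ADFS

$TrustName = 'Drupal SAML SP'                           # assumed display name of the trust
$AcsUrl    = 'https://drupal.example.com/saml/acs'      # assumed ACS URL from the module
$LogoutUrl = 'https://drupal.example.com/saml/logout'   # assumed SAML Logout URL from the module

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "Relying party trust '$TrustName' not found" }

# Endpoint type "SAML Logout": the dialog's Trusted URL is -Uri and Response URL is -ResponseUri,
# filled as the guide says (ACS URL as Trusted URL, module logout URL as Response URL).
$logout = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $AcsUrl -ResponseUri $LogoutUrl

# Set-AdfsRelyingPartyTrust replaces the whole endpoint list, so keep the existing
# assertion consumer endpoint(s) and append the logout endpoint instead of overwriting.
$endpoints = @($trust.SamlEndpoints | Where-Object { $_.Protocol -ne 'SAMLLogout' }) + $logout
Set-AdfsRelyingPartyTrust -TargetName $TrustName -SamlEndpoint $endpoints

# Verify: both the SAMLAssertionConsumer and the SAMLLogout endpoint should be listed.
(Get-AdfsRelyingPartyTrust -Name $TrustName).SamlEndpoints |
    Format-Table Protocol, Binding, Location, ResponseLocation -AutoSize
```

Keeping the existing endpoints is the point of the filter: passing only the new logout endpoint to `-SamlEndpoint` would drop the ACS endpoint and break login while you are adding logout.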



If you are looking for anything which you cannot find, please drop us an email on drupalsupport@xecurify.com
