SAML Single Sign-On (SSO) into Drupal using ADFS as IdP

Overview

The Drupal SAML integration using the miniOrange SAML SP module establishes seamless SSO between ADFS and the Drupal site. The users will be able to log in to the Drupal site using their ADFS credentials. This document will walk you through the steps to configure Single Sign-On - SSO between Drupal as a Service Provider (SP) and ADFS as an Identity Provider (IdP). The module is compatible with with Drupal 7, Drupal 8, Drupal 9, Drupal 10 and Drupal 11.

Configure SAML Single Sign-On Application in ADFS:

• In Server Manager, click on Tools and then select ADFS Management.

• From the right side panel select Add Relying Party Trust under the ADFS section.

• To proceed, click the Start button on the Welcome screen.

• Select the Import data about the relying party from a file option. Upload the SP metadata file from Drupal. Click on the Next button to continue.

• In the Display Name, enter the name of the application and then click the Next button.

• Select Permit everyone on the Choose Access Control Policy page, then click on the Next button.

• From the Ready to Add Trust page click on the Next button.

• From the Finish page verify that the checkbox next to Configure claims issuance policy for this application is selected, then click Close.

• You can find the application under Relay Party Trust in ADFS once it's been created.
• On the right-side panel, click Edit Claim Issuance Policy from the dropdown menu of the application you created in ADFS (In this case, DrupalSAML).

• Click the Add Rule button on the Issuance Transform Rules tab.

• On the Select Rule Template page click on the Next button.

• Enter the given information on the Configure Rule page:

Claim rule name	Enter the Claim rule name (any), for example, Attribute
Attribute store	Active Directory from dropdown

• Map the outgoing LDAP attribute as follows:

  LDAP Attribute (Select or type to add more)	Outgoing Claim Type (Select or type to add more)
  E-Mail-Addresses	Name ID
  Display-Name	Name

• To continue, click the Finish button.

• On the Issuance Transform Rules tab, click Apply, and then click OK to continue.

• As shown in the below image, select Edit Federation Service Properties from the AD FS dropdown.

Get the metadata of ADFS:

• On the Federation Service Properties window, go to the General tab and copy the Federation Service name.

• Replace "<your_ADFS_domain>" in the URL https://<your_ADFS_domain>/federationmetadata/2007-06/federationmetadata.xm> with your actual "Federation Service name." For instance, if your Federation Service name is "example.com," the updated metadata URL should be https://<your_ADFS_domain>/federationmetadata/2007-06/federationmetadata.xml.
• Next, simply copy the "ADFS IdP metadata URL," which is in the form - https://<your_ADFS_domain>/federationmetadata/2007-06/federationmetadata.xml. (This will be required for further configuration of Drupal)

Configure Drupal as Service Provider:

• Open your Drupal site. Go to the Service Provider Setup tab of the module.
• Click on Upload IDP Metadata Section
• Now paste the metadata URL from the ADFS IdP.

• Click the Test link to verify the connection between Drupal and ADFS.

• In the test configuration window, a success message with SAML response attributes will appear if the configurations are correct; otherwise, error messages with additional troubleshooting instructions will appear. Click on Done.

Congratulations! You have successfully configured ADFS as an Identity Provider and Drupal as a Service Provider.

How does SAML SSO login work?

• Open a new browser/private window and navigate to the Drupal site login page.
• Click the Login using Identity Provider (ADFS) link.
• You will be redirected to the ADFS login page. Enter the ADFS credentials. After successful authentication, the user will be redirected back to the Drupal site.