Here we are going to see how to set up SSO in Drupal 8 using SimpleSAMLphp with Shibboleth.
SAML
SAML stands for Security Assertion Markup Language, an XML-based format for exchanging authentication and authorization data between an IdP (Identity Provider) and an SP (Service Provider).
There are two main parts to SSO:
- The Identity Provider: The SAML authority that provides the identity assertion to authenticate a user.
- The Service Provider: The SAML consumer that provides the service for users.
Requirements to set up SSO:
- SimpleSAMLphp Library
- Drupal (Latest Version).
- SimpleSAMLphp_auth Drupal module
SimpleSAMLphp Library Configuration:
There are two ways to configure the library:-
- Manual
- Using Drupal SimpleSAMLphp provided (vendor folder)
STEP:- 1
Manual
Step 1:- Download SimpleSAMLphp:-
There are two ways to download the library:
- Download the SimpleSAMLphp library from https://simplesamlphp.org/download.
- Or use the command line (for example Git Bash on Windows) to download a specific version:
curl -O -L "https://github.com/simplesamlphp/simplesamlphp/releases/download/vX.Y.Z/simplesamlphp-X.Y.Z.tar.gz"
Replace X.Y.Z with the desired version number. For example, to download version 1.14.8, the command would be:
curl -O -L "https://github.com/simplesamlphp/simplesamlphp/releases/download/v1.14.8/simplesamlphp-1.14.8.tar.gz"
Step 2:- Place the extracted folder alongside your docroot, not inside it, so that only the library's www directory is ever web-served.
For example, I created a folder named private at the project root and placed the SimpleSAMLphp library (downloaded either via the command or manually) inside it.
Step 3:- In the docroot directory, create a symbolic link named simplesaml that points to the library's www directory (simplesamlphp-1.14.8/www in this example).
Step 4: The command to create the symbolic link is:
ln -s ../private/simplesamlphp/www web/simplesaml
(Here my version is simplesamlphp-1.14.8, placed at private/simplesamlphp; the link target is relative to the web/ directory.)
Step 5: To generate certificates, create a cert folder inside the simplesamlphp folder (DRUPAL_ROOT/simplesamlphp/cert):
Step 6: Run the following command inside the cert folder from the terminal:
openssl req -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
Step 7: It will create two files, saml.crt (the public certificate) and saml.pem (the private key). Because -nodes leaves the key unencrypted, make saml.pem readable only by the web server user and never copy it into a web-served directory.
Step 8: The configuration templates are in the `private/simplesamlphp/config-templates` directory.
- Create the new config folder (`private/simplesamlphp/config`) and copy `config.php` (which holds the SimpleSAMLphp configuration) into it using the command:
cp private/simplesamlphp/config-templates/config.php private/simplesamlphp/config/config.php
- Then update the following values in the `$config` array:
Step 9: Make the following changes in config.php:
- To receive IdP requests, set 'enable.saml20-idp' => true in config/config.php.
- Change store.type to 'sql'.
- Set store.sql.dsn to mysql:host=localhost;dbname=db_name (change the host and db_name according to your values).
- Set store.sql.username to the Drupal database user name.
- Set store.sql.password to the Drupal database password.
- Change the admin password of the SimpleSAMLphp setup (auth.adminpassword).
- Add this line to the end of config.php:
$config['baseurlpath'] = 'http://' . $_SERVER['HTTP_HOST'] . '/simplesaml/';
Note that HTTP_HOST comes from the incoming request header; on production, prefer a fixed value such as 'https://your-domain/simplesaml/' instead of trusting the header.
Check your config file settings against the screenshot below.
If you are deploying your code to a Pantheon server, non-Composer implementations must add the following lines to settings.php so the Drupal module can locate SimpleSAMLphp:
// Provide a universal absolute path to the installation.
// Drupal 8 setting read by simplesamlphp_auth (the Drupal 7 equivalent was $conf['simplesamlphp_auth_installdir']).
$settings['simplesamlphp_dir'] = $_ENV['HOME'] . '/code/private/simplesamlphp';
Step 10: Create your authsources.php file from the template in the config-templates directory (see the screenshot in Step 8).
- Copy authsources.php from the config-templates directory using the command:
cp private/simplesamlphp/config-templates/authsources.php private/simplesamlphp/config/authsources.php
Step 11: Open the authsources.php you just created and add the following line at the very bottom of the file:
$config['default-sp']['entityID'] = '[UNIQUE-ID-OFTEN-A-DOMAIN-NAME]';
Apache server
Step 12: On a local setup, update the virtual host file (httpd-vhosts.conf).
Step 13: To configure the web server using Apache, edit the .htaccess file found in the Drupal root directory. Right after the line:
RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics.php$
Add the following lines:
# Allow access to simplesaml paths
RewriteCond %{REQUEST_URI} !^/simplesaml
Step 14: Test the URL
- To confirm that the URL for your application works, navigate to:
- http://loca.stag/simplesaml
- You should see the web interface of the SAML library.
STEP:- 2
The manual library steps are complete. The alternative is to use the library that Drupal's Composer setup provides in the vendor folder; you can follow either approach.
Using Drupal SimpleSAMLphp provided (vendor folder):-
Step 13: Install the SimpleSAMLphp modules
- Use the following command to install the simplesamlphp_auth and simplesamlphp_custom_attributes modules using Composer:
composer require drupal/simplesamlphp_auth:4.x-dev drupal/simplesamlphp_custom_attributes --prefer-dist
- You should now see the SimpleSAMLphp library in [root]/vendor/simplesamlphp/simplesamlphp.
Step 14: See Step 4 to create a symbolic link.
The command is the same; only the path changes:
ln -s ../vendor/simplesamlphp/simplesamlphp/www web/simplesaml
(Here my version is simplesamlphp-1.14.8.)
Step 15: Keep the config and metadata folders in the private folder and copy them into the vendor library using Composer.
- Add these copy commands as post-install and post-update scripts in composer.json. This recreates the configuration inside the library if you update or re-install SimpleSAMLphp using Composer:
"scripts": {
    "post-install-cmd": [
        "cp -r private/simplesamlphp/config vendor/simplesamlphp/simplesamlphp",
        "cp -r private/simplesamlphp/metadata vendor/simplesamlphp/simplesamlphp"
    ],
    "post-update-cmd": [
        "cp -r private/simplesamlphp/config vendor/simplesamlphp/simplesamlphp",
        "cp -r private/simplesamlphp/metadata vendor/simplesamlphp/simplesamlphp"
    ]
},
Step 15: Go to the symlink folder, open the file _include.php and change line 4 as shown in the screenshot below.
ex:- The symlink folder path should be:- docroot/web/simplesaml/_include.php
The SimpleSAMLphp library configuration is now done for both the internal (vendor) and external (manual) library. The next step is:-
Step 16:- Exchange XML metadata with your identity provider (IdP) administrator (the client).
To complete the connection between your Drupal developer portal (the service provider) and your IdP, you must exchange XML metadata with the IdP.
- Find the metadata for your Drupal developer portal at https://[portal.com]/simplesaml/module.php/saml/sp/metadata.php/default-sp, where [portal.com] is the URL of your Drupal developer portal.
- Copy the XML document found there (see the screenshot) and send it to the administrator of your IdP.
- Ask your IdP for their metadata XML. Specifically request the names of the attributes the IdP uses for the following: email, first name, last name, user name and unique identifier. Each of these attributes must be included in the SAML response from the IdP to your Drupal developer portal.
Step 17:- Once you receive the metadata XML from the client's IdP, convert it using the converter tool available at simplesaml/admin/metadata-converter.php:
- Paste the XML response from your IdP into the tool.
- Click Parse.
- Check the parsed output. If it says saml20-idp-remote at the top, use the following command to create a metadata/saml20-idp-remote.php file in your SimpleSAMLphp directory:
cp vendor/simplesamlphp/simplesamlphp/metadata-templates/saml20-idp-remote.php vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
- If the parsed output does not say saml20-idp-remote, run the command above with the template filename that matches.
- Open saml20-idp-remote.php (or the appropriate file) and paste in the parsed metadata from the IdP.
Note: the key of the $metadata array is the entityID of the IdP. For example, if the line is $metadata['https://openidp.feide.no'], the key is 'https://openidp.feide.no'.
- Open authsources.php once again and add this line at the bottom, where [METADATA-KEY] is the entityID of the IdP:
$config['default-sp']['idp'] = '[METADATA-KEY]';
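As an added illustration (not part of the original post or of SimpleSAMLphp itself), the following Python script does by hand what the metadata-converter step does: it reads IdP metadata XML, refuses metadata that is expired or carries no signing certificate, and emits the $metadata entry keyed by the IdP entityID. The sample metadata, the example.org hostnames and the certificate string are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata: example.org hostnames and a placeholder
# certificate string, not data from any real IdP.
SAMPLE_IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp/shibboleth"
    validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract saml20-idp-remote fields; reject expired or certificate-less metadata."""
    root = ET.fromstring(xml_text.strip())
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")
    valid_until = root.get("validUntil")
    if valid_until:
        # Expired metadata may point at endpoints and keys the IdP no longer uses.
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= datetime.now(timezone.utc):
            raise ValueError("metadata expired at " + valid_until)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def location(service):
        # Prefer the HTTP-Redirect binding, which default-sp uses.
        for svc in idp.findall("md:" + service, NS):
            if svc.get("Binding") == HTTP_REDIRECT:
                return svc.get("Location")
        return None

    # Without a signing certificate the SP cannot verify that assertions came from this IdP.
    certs = [c.text.strip() for c in idp.findall(".//ds:X509Certificate", NS) if c.text]
    if not certs:
        raise ValueError("IdP metadata carries no signing certificate")
    sso = location("SingleSignOnService")
    if not sso:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    return {"entityid": entity_id, "SingleSignOnService": sso,
            "SingleLogoutService": location("SingleLogoutService"),
            "certData": certs[0]}


def to_php(entry):
    """Render the entry as the PHP pasted into metadata/saml20-idp-remote.php."""
    # The array key is the IdP entityID, the value authsources.php uses for $config['default-sp']['idp'].
    lines = ["$metadata['%s'] = [" % entry["entityid"]]
    for key, value in entry.items():
        if value is not None:
            lines.append("    '%s' => '%s'," % (key, value))
    lines.append("];")
    return "\n".join(lines)
```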
Step 18:- Enable and configure your SimpleSAMLphp modules
Go to admin -> config.
Now open the module configuration at Config > simplesamlphp_custom_attributes:
- Click Add mapping.
- Select “username” from the available dropdown and enter the attribute name provided by your IdP.
- Click Save.
- Click Add mapping.
- Select “mail” from the available dropdown and enter the attribute name provided by your IdP.
- Click Save.
Now open the module configuration at Config > simplesamlphp_auth.
Optional:- if you prefer to set the configuration in code, paste the following into settings.php:
// SimpleSAMLphp configuration
// Provide a universal absolute path to the installation.
if (isset($_ENV['AH_SITE_NAME']) && is_dir('/var/www/html/' . $_ENV['AH_SITE_NAME'] . '/simplesamlphp-1.14.8')) {
  $settings['simplesamlphp_dir'] = '/var/www/html/' . $_ENV['AH_SITE_NAME'] . '/simplesamlphp-1.14.8';
}
else {
  // Local SAML path.
  if (is_dir(DRUPAL_ROOT . '/../simplesamlphp-1.14.8')) {
    $settings['simplesamlphp_dir'] = DRUPAL_ROOT . '/../simplesamlphp-1.14.8';
  }
}

// SimpleSAMLphp_auth module settings
$config['simplesamlphp_auth.settings'] = [
  // Basic settings.
  'activate' => TRUE, // Enable or disable SAML login.
  'auth_source' => 'default-sp',
  'login_link_display_name' => 'Login with your SSO account',
  'register_users' => TRUE,
  'debug' => FALSE,
  // Local authentication.
  'allow' => [
    'default_login' => TRUE,
    'set_drupal_pwd' => TRUE,
    'default_login_users' => '',
    'default_login_roles' => [
      'authenticated' => FALSE,
      'administrator' => 'administrator',
    ],
  ],
  'logout_goto_url' => '',
  // User info and syncing.
  // 'unique_id' is the attribute that is unique in the SAML response coming from the IdP.
  'unique_id' => 'mail',
  'user_name' => 'username',
  'mail_attr' => 'mail',
  'sync' => [
    'mail' => TRUE,
    'user_name' => TRUE,
  ],
];
Step 19:- Now we can test with our local environment.
Step 1:- Go to config.php and uncomment the relevant code.
Step 2:- Go to authsources.php and uncomment the block shown in the screenshot:
'example-userpass' => [
    'exampleauth:UserPass',
    'student:studentpassword' => [
        'uid' => ['student'],
        'eduPersonAffiliation' => ['member', 'student'],
        'email' => 'student@example.com',
    ],
    'employee:employeepassword' => [
        'uid' => ['employee'],
        'eduPersonAffiliation' => ['member', 'employee'],
        'email' => 'employee@example.com',
    ],
],
This exampleauth source with hard-coded test accounts is for local testing only; comment it out again before deploying.
Step 3:- You can check that the adfs-idp-hosted.php file is already there inside your metadata folder.
Step 4:- Now we need to create the certificate for configuring the IdP: create a self-signed SSL certificate by running the following command inside the cert folder.
openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out server.crt -keyout server.pem
Step 5:- The IdP is configured by the metadata stored in metadata/saml20-idp-hosted.php.
Configuring the IdP with the SP
Exchange the metadata between the Identity Provider and the Service Provider.
- Copy the IdP metadata to the metadata/saml20-idp-remote.php file of the Service Provider. The IdP metadata can be found in the "SAML 2.0 IdP Metadata" section of the Federation tab of the IdP application.
- Copy the SP metadata to the metadata/saml20-sp-remote.php file of the Identity Provider. The SP metadata can be found in the "SAML 2.0 SP Metadata" section of the Federation tab of the SP application.
- Log in to 'default-sp' by clicking the "Test configured authentication source" link on the Authentication tab of the SP, using the test account:
username: student
password: studentpassword
If you have any problem please let me know.