Status message

Maintenant, vous regardez: Set up SSO service using SAML with Drupal 7 (as IdP) and Drupal 8 (as SP)

Set up SSO service using SAML with Drupal 7 (as IdP) and Drupal 8 (as SP)

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions). SAML is also:

1. A set of XML-based protocol messages
2. A set of protocol message bindings
3. A set of profiles (utilizing all of the above)

The SAML specification defines three roles:
the principal (typically a human user),
the identity provider (IdP),
the service provider (SP).
In the primary use case addressed by SAML, the principal requests a service from the service provider. The service provider requests and obtains an authentication assertion from the identity provider.
On the basis of this assertion, the service provider can make an access control decision, that is, it can decide whether to perform the service for the connected principal.

In general(https://norwegian.blue/article/set-sso-two-drupal-sites-using-saml-and-o...):
SAML - Security Assertion Markup Language - is a " standard for exchanging authentication and authorization data between security domains".
by definition then it is not limited to Drupal sites.
IdP - Identity Provider - the system that manages the identity information and provides a service to allow user authentication.
Any system (not just Drupal) can be configured to authenticate via the IdP (with appropriate certificates etc.)
SP - Service Provider - communicates with the IdP to authenticate a user on a system which is seperated from the IdP.
Can authenticate against any type of IdP, not limited to a Drupal database.

Some packages or modules are needed to set up SSO service:


IdP Part
1. The core functionality is provided by simpleSAMLphp (https://simplesamlphp.org)[IdP, Outside of drupal7 folder].
2. drupalauth(https://github.com/drupalauth/simplesamlphp-module-drupalauth 1.7x branch for drupal 7) is a plugin for simpleSAMLphp which provides a means to define a Drupal database as the IdP[IdP, Within modules folder of simpleasmlphp directory]
3. drupalauthssp(https://www.drupal.org/project/drupalauth4ssp) is the Drupal 7 plugin to allow Drupal to inderact with the simpleSAML IdP enabled by drupalauth.[IdP, Drupal7 module folder]

SP
1. The core functionality is provided by simpleSAMLphp (https://simplesamlphp.org).
2. simpleSAMLphp Authentication(https://www.drupal.org/project/simplesamlphp_auth) is the Drupal module to allow Drupal to interact with the simpleSAML SP[SP, Drupal 8 module folder]
Note: simpleSAMLphp will be installed when installing this SimpleSAMLphp_auth package via composer:

  1. composer require 'drupal/simplesamlphp_auth:^3.0'



IdP part set up:
1. simpleSAMLphp installation
Get the latest version of SimpleSAMLphp from https://simplesamlphp.org/download page, and extract it to desired location

  1. $ ls -l
  2. simplesamlphp/
  3. drupal7/
  4. drupal8/

Within this simplesamplphp folder, run 'composer install' to complete installation and its all dependencies:

  1. composer install

2. drupalauth installation

  1. $ cd simplesamlphp/modules/
  2. $ git clone <a href="https://github.com/drupalauth/simplesamlphp-module-drupalauth.git">https://github.com/drupalauth/simplesamlphp-module-drupalauth.git</a> drupalauth

3. simpleSAMLphp configuration
simplesamlphp is outside the webspace, but the simplesamlphp/www needs to be web accessible, so an alias is created for it
Note: the Alias defined here must match what's in the config.php

  1. <VirtualHost *>
  2. ServerName <a href="http://www.dp7-demo.com
  3. ">www.dp7-demo.com
  4. </a> DocumentRoot /var/www/html/dp7
  5. Alias /simplesaml /var/www/html/simplesaml/www"
  6. <Directory "/var/www/html/simpleaml">
  7. Options Indexes FollowSymLinks
  8. AllowOverride All
  9. Require all granted
  10. </Directory>
  11. </VirtualHost>

simplesamlphp config.php

  1. # simplesamlphp/config/config.php
  2. 'baseurlpath' => 'simplesaml/', //the default should be fine
  3. 'certdir' => 'cert/', //may want to alter this
  4. 'technicalcontact_name' => 'Administrator',
  5. 'technicalcontact_email' => '<a href="mailto:na@example.org">na@example.org</a>',
  6.  
  7. /*
  8. * This is a secret salt used by SimpleSAMLphp when it needs to generate a secure hash
  9. * of a value. It must be changed from its default value to a secret value. The value of
  10. * 'secretsalt' can be any valid string of any length.
  11. *
  12. * A possible way to generate a random salt is by running the following command from a unix shell:
  13. * LC_CTYPE=C tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
  14. */
  15. 'secretsalt' => 'defaultsecretsalt',
  16.  
  17. /*
  18. * Which functionality in SimpleSAMLphp do you want to enable. Normally you would enable only
  19. * one of the functionalities below, but in some cases you could run multiple functionalities.
  20. * In example when you are setting up a federation bridge.
  21. */
  22. 'enable.saml20-idp' => true,
  23. /*
  24. * Configure the data store for SimpleSAMLphp.
  25. *
  26. * - 'phpsession': Limited datastore, which uses the PHP session.
  27. * - 'memcache': Key-value datastore, based on memcache.
  28. * - 'sql': SQL datastore, using PDO.
  29. * - 'redis': Key-value datastore, based on redis.
  30. *
  31. * The default datastore is 'phpsession'.
  32. */
  33. 'store.type' => 'phpsession',
  34.  
  35. /*
  36. * The DSN the sql datastore should connect to.
  37. *
  38. * See <a href="http://www.php.net/manual/en/pdo.drivers.php">http://www.php.net/manual/en/pdo.drivers.php</a> for the various
  39. * syntaxes.
  40. */
  41. 'store.sql.dsn' => 'sqlite:/path/to/sqlitedatabase.sq3',
  42.  
  43. /*
  44. * The username and password to use when connecting to the database.
  45. */
  46. 'store.sql.username' => null,
  47. 'store.sql.password' => null,
  48.  
  49. /*
  50. * The prefix we should use on our tables.
  51. */
  52. 'store.sql.prefix' => 'SimpleSAMLphp',

4.drupalauth configuration
Enable drupalauth module

  1. $ touch simplesamlphp/modules/drupalauth/enable

Then edit config/authsources.php

  1. // To use this put something like this into config/authsources.php:
  2. // took from simplesamlphp/modules/drupalauth/lib/Auth/Source/External.php
  3. 'drupal-userpass' => array(
  4.  
  5. 'drupalauth:External',
  6.  
  7. // The filesystem path of the Drupal directory.
  8. 'drupalroot' => '/Users/elyzium/Sites/yeux/drupal7',
  9.  
  10. // Whether to turn on debug
  11. 'debug' => true,
  12.  
  13. // the URL of the Drupal logout page
  14. 'drupal_logout_url' => '<a href="http://www.yeux-drupal7.loc/user/logout',
  15. ">http://www.yeux-drupal7.loc/user/logout',
  16. </a>
  17. // the URL of the Drupal login page
  18. 'drupal_login_url' => '<a href="http://www.yeux-drupal7.loc/user',
  19. ">http://www.yeux-drupal7.loc/user',
  20. </a>
  21. // Which attributes should be retrieved from the Drupal site.
  22.  
  23. 'attributes' => array(
  24. array('drupaluservar' => 'uid', 'callit' => 'uid'),
  25. array('drupaluservar' => 'name', 'callit' => 'cn'),
  26. array('drupaluservar' => 'mail', 'callit' => 'mail'),
  27. array('drupaluservar' => 'field_first_name', 'callit' => 'givenName'),
  28. array('drupaluservar' => 'field_last_name', 'callit' => 'sn'),
  29. array('drupaluservar' => 'field_organization','callit' => 'ou'),
  30. array('drupaluservar' => 'field_country:iso2','callit' => 'country'),
  31. array('drupaluservar' => 'roles','callit' => 'roles'),
  32. ),
  33. ),

5. Create a certificate

  1. $ cd simplesamlphp/cert/
  2. # <a href="https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_4
  3. ">https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_4
  4. </a>$ openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out example.org.crt -keyout example.org.pem

6. Install drupal module drupalauth4ssp

  1. $ drush dl drupalauth4ssp
  2. $ drush en drupalauth4ssp

Config those item (#overlay=admin/config/people/drupalauth4ssp)
Enter the full path to simplesamlphp
Enter drupal-userpass for the Authentication source
In the "Allowed list of URLs for ReturnTo Parameter" enter an asterix (*) as wildcard.

7. Configure simpleSAMLphp Metadata

  1. $ cd simplesamlphp/metadata-templates/
  2. $ cp saml20-idp-hosted.php saml20-sp-remote.php ../metadata/

Edit metadata/saml20-idp-hosted.php:
Configure the certificate/private-key
Authentication source. Use:
'auth' => 'drupal-userpass',

saml20-sp-remote.php will require data from the SP, so we'll come back to this once the SP is configured.

Set up the SP
The Drupal module simplesamlphp_auth is required, so this was installed with :

  1. composer require 'drupal/simplesamlphp_auth:^3.0'

NOTE:simplesamlphp_auth has a dependancy of simplesamlphp, so after installation, simplsamlphp will be available in:
/drupal8/vendor/simplsaml

Note: there are alternative modules available to provide the SP functuionality in Drupal:
SAML Authentication(https://www.drupal.org/project/samlauth)
SAML Service Provider (https://www.drupal.org/project/saml_sp)

Create the alias for the web interface:

  1. Alias /simplesaml /Users/elyzium/Sites/yeux/drupal8/vendor/simplesamlphp/simplesamlphp/www

Configuration of config.php file in drupal8/vendor/simplesamlphp/simplesamlphp/config folder:

  1. # simpleSAML functionality- leave all disabled
  2. 'store.type' => 'sql',
  3. 'store.sql.dsn' => 'mysql:host=localhost;dbname=drupal8database',
  4. 'store.sql.username' => 'drupal8user',
  5. 'store.sql.password' => 'drupal8password',
  6. 'store.sql.prefix' => 'drupal8_site_prefix',

Configure the Authsource
edit authsources.php and add a new source. Enter the following within the $config - array block:

  1. // Use Drupal 7 as authentication source
  2. 'drupal7site' => array(
  3. 'saml:SP',
  4. 'entityID' => '<a href="http://www.yeux-drupal8.loc',
  5. ">http://www.yeux-drupal8.loc',
  6. </a> 'idp' => '<a href="http://www.yeux-drupal8.loc/simplesaml/saml2/idp/metadata.php',
  7. ">http://www.yeux-drupal8.loc/simplesaml/saml2/idp/metadata.php',
  8. </a> 'privatekey' => 'idp.key',
  9. 'certificate' => 'idp.crt',
  10. ),

Configure the Metadata:
1. Copy vendor/simplsamlphp/simplesamlphp/metadata-templates/saml-20-idp-remote.php to vendor/simplsamlphp/simplesamlphp/metadata/saml-20-idp-remote.php
2. Edit the metadata/saml-20-idp-remote.php
3. On the IdP visit the 'Federation' tab of the simpleSAMLphp admin pages
4. Copy the 'Flat file format' of the IdP metadata (click on the clipboard icon)
5. Paste the metadata into saml-20-idp-remote.php and save the file

Copy the public key
From the IdP Metadata page used above, scroll to the bottom and download the certificate into the location configured in the config.php on the SP. Ensure the name of the file is the same as configured in the Authsource.

Drupal module simplesamlphp_auth
1. Enable the module
2. Configure the module

  • set the installation directory
  • set the Authentication source as drupal7 (or whatever you configured above)
  • map the basic fields (I used uid as the uniqueID, cn as the username and mail as the email address)
  • Configure other settings. Make sure that the admin user can log in locally.

Configure the Metadata for the IdP:
The IdP needs the metadata from the SP that will connect:

  • On the IdP, edit the file metadata/saml-20-sp-remote.php
  • On the SP , visit the Fedaration tab of the simpleSAMLphp admin pages
  • Copy the 'Flat file format' metadata for the Authsource you created ("drupal7site" in this example)
  • Paste into saml-20-sp-remote.php and save the file

That's pretty much it. You should now be able to visit your SP site, visit /saml_login (there's a link created on /user/login), and login to your SP by authenticating on the IdP.