README.txt in SAML Service Provider 4.x

SAML Service Provider
=====================

This package provides two modules:
- SAML Service Provider API
- SAML Drupal Login


The API module lets other modules leverage SAML authentication.

The SAML Drupal Login module uses the API module to enable Drupal to act as a
SAML Service Provider, so users can authenticate to Drupal (without entering a
username or password) by delegating authentication to a SAML IdP (Identity
Provider).

Version 8.x-3.x of this module relies on version 3 of OneLogin's SAML PHP
Toolkit, which is a significant restructuring of that library.


Dependencies
============
Requires the OneLogin SAML-PHP toolkit, which is managed by Composer.


Installation
============
Option 1 (strongly recommended): You can require the module with Composer:
    composer config repositories.drupal composer https://packages.drupal.org/8
    composer require drupal/saml_sp
to have Composer download the module and the dependent libraries.

Option 2: You can download the module manually, but you will still need to
modify the core composer.json so that Composer installs the OneLogin SAML PHP
Toolkit. Add "modules/saml_sp/composer.json" to the merge-plugin include list,
so that this section reads:
    {
      "extra": {
        "_readme": [
          "By default Drupal loads the autoloader from ./vendor/autoload.php.",
          "To change the autoloader you can edit ./autoload.php."
        ],
        "merge-plugin": {
          "include": [
            "core/composer.json",
            "modules/saml_sp/composer.json"
          ],
          "recurse": false,
          "replace": false,
          "merge-extra": false
        }
      }
    }
(composer.json is plain JSON and has no comment syntax, so do not leave any
annotation next to the added line), then run
    composer update
which downloads the library and adds it to your Composer autoload.php.

Either way, check what was pulled in afterwards: "composer show onelogin/php-saml"
prints the installed toolkit version, and on Composer 2.4 or later
"composer audit" reports installed packages with known security advisories.
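The Option 2 edit carried out programmatically, as an added example that is not code from the saml_sp module or from Drupal: it parses composer.json, adds the saml_sp entry to extra.merge-plugin.include only if it is not already there, creates the intermediate keys when they are missing, and writes the file back as valid JSON, so the annotation problem above cannot occur. The sample composer.json inside the block is constructed; the path modules/saml_sp/composer.json is the one the README names.

```python
"""Add modules/saml_sp/composer.json to Drupal's merge-plugin include list.

Added example, not code from the saml_sp module. It performs the README's
Option 2 edit so that the result is always valid JSON. The sample
composer.json below is constructed for illustration.
"""
import json
import sys

SAML_SP_COMPOSER = "modules/saml_sp/composer.json"

# Constructed sample of the relevant part of a Drupal 8 core composer.json.
SAMPLE_COMPOSER_JSON = """{
  "name": "drupal/drupal",
  "extra": {
    "_readme": [
      "By default Drupal loads the autoloader from ./vendor/autoload.php.",
      "To change the autoloader you can edit ./autoload.php."
    ],
    "merge-plugin": {
      "include": ["core/composer.json"],
      "recurse": false,
      "replace": false,
      "merge-extra": false
    }
  }
}
"""


def add_merge_include(composer_text: str, include_path: str = SAML_SP_COMPOSER) -> str:
    """Return composer_text with include_path present in extra.merge-plugin.include.

    Idempotent: running it twice adds the entry once. Missing intermediate keys
    ("extra", "merge-plugin", "include") are created; everything else is kept.
    """
    data = json.loads(composer_text)
    merge = data.setdefault("extra", {}).setdefault("merge-plugin", {})
    include = merge.setdefault("include", [])
    if isinstance(include, str):
        # Tolerate a single-string include value and turn it into a list.
        include = [include]
    if include_path not in include:
        include.append(include_path)
    merge["include"] = include
    return json.dumps(data, indent=4) + "\n"


def merged_includes(composer_text: str) -> list:
    """Read the include list back, to check the edit before running composer update."""
    inc = json.loads(composer_text)["extra"]["merge-plugin"]["include"]
    return [inc] if isinstance(inc, str) else list(inc)


if __name__ == "__main__":
    # Usage from the Drupal root: python add_saml_sp_include.py composer.json
    path = sys.argv[1] if len(sys.argv) > 1 else "composer.json"
    with open(path) as fh:
        updated = add_merge_include(fh.read())
    with open(path, "w") as fh:
        fh.write(updated)
    print("merge-plugin includes:", merged_includes(updated))
```

Run it once from the Drupal root before `composer update`; running it again is harmless, and `merged_includes` lets you confirm the list in a deploy script rather than by eye.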


Configuring an IdP
==================

You must specify the remote IdP server in order to use it for authentication.
Typically, you will need to exchange metadata in advance; some systems may
do that automatically, with others you will need to communicate with the
IdP's administrator.

    Note: Multiple IdPs can be configured, and multiple IdPs can be enabled
    for the Drupal Login. This allows you to have multiple Relying Party
    Trusts (RPTs) configured with multiple IdPs, and the user can choose
    which one to authenticate with from the login form. Different IdPs can
    be configured for each of your environments (local, development,
    staging, production, etc.), each with a different App name, and exported
    using Drupal's configuration management system. Each environment can
    then specify a different IdP configuration for the Drupal login.

If you have received XML metadata for the IdP from its administrator, you can
paste it at the top of the form and the module will automatically parse it
and fill in the values below. Compare the parsed values, the certificate in
particular, with what the IdP administrator gave you before saving.

Name: Human-readable name for the IdP.

Entity ID: The IdP's name for itself. It usually looks like a URL.

App name: will be used in the IdP configuration. For example
"demoLocalDrupal".

NameID field: the Drupal user field whose value is matched to the NameID sent
by the IdP. It defaults to the user's mail address, which works for most
configurations; in that case the IdP is configured to send the email address
as the NameID. The NameID must be stable for each user, otherwise the account
can no longer be matched, so if users can change their email address at the
IdP, add a custom field to the user profile that holds a persistent identifier
and choose that field here. The "Hidden Field Widgets" module
(https://www.drupal.org/project/hidden_field) may be used for that field so
that users never need to see or edit it.

IdP login URL: e.g. https://idp.example.com/saml2/idp/SSOService.php
IdP logout URL: e.g. https://idp.example.com/saml2/idp/SLOService.php

X.509 certificates: the public signing certificate of the IdP server. The
module uses it to verify the signatures on the SAML responses the IdP sends,
so take it only from the IdP administrator or from metadata obtained over a
trusted channel, and confirm its fingerprint with them out of band. A wrong
or attacker-supplied certificate would let forged assertions be accepted.
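The checks an administrator should make on pasted IdP metadata, as an added example that is not code from the saml_sp module or the OneLogin toolkit: it confirms the metadata belongs to the IdP you expect, takes the SSO and SLO URLs for the HTTP-Redirect binding, uses only a KeyDescriptor meant for signing (ignoring an encryption-only key), and derives a SHA-256 fingerprint to compare with the IdP administrator out of band. The metadata XML, the entity ID and the certificate body are constructed sample input; a real certificate is a much longer base64 DER blob.

```python
"""Parse IdP metadata and derive the values the IdP form asks for.

Added example, not code from the saml_sp module or the OneLogin toolkit.
The metadata XML and certificate below are constructed sample input.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET  # for XML from untrusted parties prefer defusedxml
from dataclasses import dataclass
from typing import Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the base64 DER certificate body found in real metadata.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed sample bytes, not a real X.509 certificate").decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ZW5jcnlwdGlvbi1vbmx5</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SAMPLE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.com/saml2/idp/SLOService.php"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml2/idp/SSOService.php"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.com/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


@dataclass
class IdpInfo:
    entity_id: str
    sso_url: str
    slo_url: Optional[str]
    signing_cert_b64: str
    cert_sha256: str


def sha256_fingerprint(cert_b64: str) -> str:
    """Colon-separated SHA-256 of the DER bytes, the form IdP admin tools display."""
    der = base64.b64decode("".join(cert_b64.split()))  # PEM-style line wrapping is common
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _redirect_location(idp: ET.Element, service: str) -> Optional[str]:
    """Location of the given service for the HTTP-Redirect binding, if offered."""
    for el in idp.findall(f"md:{service}", NS):
        if el.get("Binding") == HTTP_REDIRECT:
            return el.get("Location")
    return None


def parse_idp_metadata(xml_text: str, expected_entity_id: str) -> IdpInfo:
    """Extract the form values, refusing metadata that is not what was expected."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        # Trusting metadata of the wrong IdP would make that IdP's users your users.
        raise ValueError(f"metadata is for {entity_id!r}, expected {expected_entity_id!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso_url = _redirect_location(idp, "SingleSignOnService")
    if sso_url is None:
        raise ValueError("IdP offers no HTTP-Redirect SingleSignOnService")
    slo_url = _redirect_location(idp, "SingleLogoutService")
    # Only a key usable for signing may verify response signatures. A missing
    # use attribute means the key serves both signing and encryption.
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text and node.text.strip():
            cert = "".join(node.text.split())
            break
    if cert is None:
        raise ValueError("no signing certificate in metadata")
    return IdpInfo(entity_id, sso_url, slo_url, cert, sha256_fingerprint(cert))


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA, "https://idp.example.com/saml2/idp/metadata.php")
    print("Entity ID:     ", info.entity_id)
    print("IdP login URL: ", info.sso_url)
    print("IdP logout URL:", info.slo_url)
    print("Cert SHA-256:  ", info.cert_sha256)
```

Run it against the metadata file you were sent, with the entity ID the IdP administrator told you to expect, and read the fingerprint back to them before saving the IdP in Drupal. The HTTP-Redirect binding is chosen because that is the binding the SSOService and SLOService URLs above are used with; if your IdP only offers HTTP-POST, adjust `HTTP_REDIRECT` accordingly.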


Usage
=====

When everything is set and ready to go, the process begins from
https://www.yoursite.com/saml/drupal_login
(serve the site over HTTPS: the IdP sends the signed SAML response that logs
the user in back to this site).

A returnTo parameter can be appended to the URL if you want to redirect
the user somewhere other than the front page after login, for example the
user profile page: https://www.yoursite.com/saml/drupal_login?returnTo=user
Only paths on your own site should be accepted for returnTo; if the value
were used unvalidated, the login link would act as an open redirect.

The login block and user login form will show a link with the text
"Log in using Single Sign-On". The user login page will return the
user to the profile page, and the login block will return the user to the same
page where the login process was started from.
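The returnTo check described above, as an added example that is not code from the saml_sp module: it accepts only a relative or site-absolute path and falls back to the front page for absolute URLs, protocol-relative URLs, scheme-like values, backslash variants and values containing control characters. The function names, the front-page default and the sample values are assumptions made for this illustration; run the check on the decoded query value, as Drupal hands it to you.

```python
"""Validate a returnTo value so the SSO login link cannot become an open redirect.

Added example, not code from the saml_sp module. Function names and the
front-page default are assumptions for illustration.
"""
from typing import Optional
from urllib.parse import urlsplit

FRONT_PAGE = "/"


def is_local_path(value: str) -> bool:
    """True only for a relative or site-absolute path with no scheme or host."""
    if not value:
        return False
    # Control characters have no place in a path and enable header-splitting tricks.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        return False
    # Browsers treat "\" like "/", so "/\evil.example" would leave the site.
    if "\\" in value:
        return False
    parts = urlsplit(value)
    # Catches "https://evil.example", "//evil.example" and "javascript:alert(1)".
    if parts.scheme or parts.netloc:
        return False
    return True


def safe_return_to(value: Optional[str]) -> str:
    """Normalise a returnTo parameter to a site-local path, defaulting to the front page."""
    if value is None or not is_local_path(value):
        return FRONT_PAGE
    return value if value.startswith("/") else "/" + value


if __name__ == "__main__":
    # Constructed sample values: the README's own example plus common bypass attempts.
    for candidate in ["user", "/user/1?x=1", "//evil.example", "https://evil.example/",
                      "/\\evil.example", "javascript:alert(1)", "/user\r\nSet-Cookie: x"]:
        print(f"{candidate!r:32} -> {safe_return_to(candidate)!r}")
```

The README's `returnTo=user` passes and becomes `/user`; everything that names a host or a scheme is sent to the front page instead. A redirect target check belongs wherever the parameter is read back after the IdP has posted the response, not only when the login link is generated, because the value travels through the IdP round trip and can be altered on the way.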


TODO
====
For the 8.x-3.x version, these items are incomplete:
- Single Log Out (SLO): until it is implemented, logging out of Drupal does
  not end the user's session at the IdP
- updating the Drupal account with attributes from the IdP
