You are here

Home » API reference » SAML Service Provider 7.2

README.txt in SAML Service Provider 7.2

Same filename and directory in other branches
  1. 8.3 README.txt
  2. 8.2 README.txt
  3. 7.8 README.txt
  4. 7 README.txt
  5. 7.3 README.txt
  6. 4.x README.txt
  7. 3.x README.txt
ub php-salSAML Service Provider
=====================

This package provides two modules:
- SAML Service Provider API
- SAML Drupal Login


The API module lets other modules leverage SAML authentication.

The SAML Drupal Login module specifically enables Drupal to become a "Service
Provider" for an IDP, so users can authenticate to Drupal (without entering a
username or password) by delegating authenticate to a SAML IDP (Identity
Provider).


Dependencies
============
Drupal module ctools http://drupal.org/project/ctools

Requires the OneLogin SAML-PHP toolkit, downloaded to your 'libraries' folder:

'cd libraries'
'git clone https://github.com/onelogin/php-saml.git'


So that the folder structure looks like this when it comes to lib folder
- libraries
  - php-saml
    ...
    - lib
      - Saml
      - Saml2
        - Auth.php
        ...

NOTE: The PHP-SAML library versions 2.x are not compatible with PHP 7.2+ and
will throw deprecation warnings for mcrypt functions in PHP 7.1. If you are
using PHP 7.1+ you can use the PHP-SAML 3.0.0-namespaceless branch from the
Github repository. The 7.x-2.x version of the saml_sp module will not be
updated to use the 3.0.0 branch using namespaces.

SimpleSamlPHP Configuration
===========================

First, configure your IdP in Drupal:
Note: Multiple IdPs can be configured, but only one is chosen to be used for the
Drupal login. This is good for development purposes, because different
environments (local, development, staging, production etc.) can be configured
with different App names and exported to code with Features. Then each
environment chooses a different IdP configuration for the Drupal login.

Name = Human readable name for IdP.

App Name: will be used in the IdP configuration. For example
"demoLocalDrupal".

NameID field: this defaults to user mail and works for most configurations. In
that case the IdP is configure to use email address for NameID.
But if you need to support changing email on the IdP, then you need to add
a custom field to user profile and then choose that field here. It is
recommended to use "Hidden Field Widgets" module (https://www.drupal.org/project/hidden_field)
for that field so that users don't need to worry about it, ever.

IDP Login URL: e.g. http:///myIdp.example.com/simplesaml/saml2/idp/SSOService.php
IDP Logout URL: e.g. http:///myIdp.example.com/simplesaml/saml2/idp/SingleLogoutService.php

x.509 certificate: Should correspond to the "certificate" field in
saml20-idp-hostd.php

Here's a sample config for saml20-sp-remote.php (when email is used for NameID):

$metadata['demoLocalDrupal'] = array(
'AssertionConsumerService' => 'http://mydrupal.example.com/drupal7/?q=saml/consume',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
'simplesaml.nameidattribute' => 'uid',
'simplesaml.attributes' => FALSE,
);

Usage
=====

When everything is set and ready to go, the process begins from
http://www.yoursite.com/saml/drupal_login

A returnTo parameter can be appended to the url, if you want to redirect
the user somewhere else than the front page after login. For example the user
profile page http://www.yoursite.com/saml/drupal_login?returnTo=user

The login block and user login form will show a link with
"Log in using Single Sign-On" text on it. The user login page will return the
user to the profile page and the login block will return the user to the same page
where the login process was started from.

File

README.txt
View source 
  1. ub php-salSAML Service Provider

  2. =====================

  3. 

  4. This package provides two modules:

  5. - SAML Service Provider API

  6. - SAML Drupal Login

  7. 

  8. 

  9. The API module lets other modules leverage SAML authentication.

  10. 

  11. The SAML Drupal Login module specifically enables Drupal to become a "Service

  12. Provider" for an IDP, so users can authenticate to Drupal (without entering a

  13. username or password) by delegating authenticate to a SAML IDP (Identity

  14. Provider).

  15. 

  16. 

  17. Dependencies

  18. ============

  19. Drupal module ctools http://drupal.org/project/ctools

  20. 

  21. Requires the OneLogin SAML-PHP toolkit, downloaded to your 'libraries' folder:

  22. 

  23. 'cd libraries'

  24. 'git clone https://github.com/onelogin/php-saml.git'

  25. 

  26. 

  27. So that the folder structure looks like this when it comes to lib folder

  28. - libraries

  29.   - php-saml

  30.     ...

  31.     - lib

  32.       - Saml

  33.       - Saml2

  34.         - Auth.php

  35.         ...

  36. 

  37. NOTE: The PHP-SAML library versions 2.x are not compatible with PHP 7.2+ and

  38. will throw deprecation warnings for mcrypt functions in PHP 7.1. If you are

  39. using PHP 7.1+ you can use the PHP-SAML 3.0.0-namespaceless branch from the

  40. Github repository. The 7.x-2.x version of the saml_sp module will not be

  41. updated to use the 3.0.0 branch using namespaces.

  42. 

  43. SimpleSamlPHP Configuration

  44. ===========================

  45. 

  46. First, configure your IdP in Drupal:

  47. Note: Multiple IdPs can be configured, but only one is chosen to be used for the

  48. Drupal login. This is good for development purposes, because different

  49. environments (local, development, staging, production etc.) can be configured

  50. with different App names and exported to code with Features. Then each

  51. environment chooses a different IdP configuration for the Drupal login.

  52. 

  53. Name = Human readable name for IdP.

  54. 

  55. App Name: will be used in the IdP configuration. For example

  56. "demoLocalDrupal".

  57. 

  58. NameID field: this defaults to user mail and works for most configurations. In

  59. that case the IdP is configure to use email address for NameID.

  60. But if you need to support changing email on the IdP, then you need to add

  61. a custom field to user profile and then choose that field here. It is

  62. recommended to use "Hidden Field Widgets" module (https://www.drupal.org/project/hidden_field)

  63. for that field so that users don't need to worry about it, ever.

  64. 

  65. IDP Login URL: e.g. http:///myIdp.example.com/simplesaml/saml2/idp/SSOService.php

  66. IDP Logout URL: e.g. http:///myIdp.example.com/simplesaml/saml2/idp/SingleLogoutService.php

  67. 

  68. x.509 certificate: Should correspond to the "certificate" field in

  69. saml20-idp-hostd.php

  70. 

  71. Here's a sample config for saml20-sp-remote.php (when email is used for NameID):

  72. 

  73. $metadata['demoLocalDrupal'] = array(

  74. 'AssertionConsumerService' => 'http://mydrupal.example.com/drupal7/?q=saml/consume',

  75. 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',

  76. 'simplesaml.nameidattribute' => 'uid',

  77. 'simplesaml.attributes' => FALSE,

  78. );

  79. 

  80. Usage

  81. =====

  82. 

  83. When everything is set and ready to go, the process begins from

  84. http://www.yoursite.com/saml/drupal_login

  85. 

  86. A returnTo parameter can be appended to the url, if you want to redirect

  87. the user somewhere else than the front page after login. For example the user

  88. profile page http://www.yoursite.com/saml/drupal_login?returnTo=user

  89. 

  90. The login block and user login form will show a link with

  91. "Log in using Single Sign-On" text on it. The user login page will return the

  92. user to the profile page and the login block will return the user to the same page

  93. where the login process was started from.

  94.