You are here

README.txt in SAML Service Provider 7.3

SAML Service Provider
=====================

This package provides two modules:
- SAML Service Provider API
- SAML Drupal Login


The API module lets other modules leverage SAML authentication.

The SAML Drupal Login module specifically enables Drupal to become a "Service
Provider" for an IDP, so users can authenticate to Drupal (without entering a
username or password) by delegating authenticate to a SAML IDP (Identity
Provider).


Dependencies
============
Drupal module ctools http://drupal.org/project/ctools

Requires the OneLogin SAML-PHP toolkit, downloaded to your 'libraries' folder:

'cd libraries'
'git clone https://github.com/onelogin/php-saml.git'


So that the folder structure looks like this when it comes to lib folder
- libraries
  - php-saml
    ...
    - lib
      - Saml
      - Saml2
        - Auth.php
        ...

NOTE: The PHP-SAML library versions 2.x are not compatible with PHP 7.2+ and
will throw deprecation warnings for mcrypt functions in PHP 7.1. If you are
using PHP 7.1+ you can use the PHP-SAML 3.0.0-namespaceless branch from the
Github repository. The 7.x-2.x version of the saml_sp module will not be
updated to use the 3.0.0 branch using namespaces.

After the php-saml library installed, it requires a xmlseclibs library on which Simple SAML toolkit for PHP library depends on, it should be installed to your libraries folder.

'git clone https://github.com/robrichards/xmlseclibs.git'

Clear the cache, your module is ready for configuration.

SimpleSamlPHP Configuration
===========================

First, configure your IdP in Drupal:
Note: Multiple IdPs can be configured, but only one is chosen to be used for the
Drupal login. This is good for development purposes, because different
environments (local, development, staging, production etc.) can be configured
with different App names and exported to code with Features. Then each
environment chooses a different IdP configuration for the Drupal login.

Name = Human readable name for IdP.

App Name: will be used in the IdP configuration. For example
"demoLocalDrupal".

NameID field: this defaults to user mail and works for most configurations. In
that case the IdP is configure to use email address for NameID.
But if you need to support changing email on the IdP, then you need to add
a custom field to user profile and then choose that field here. It is
recommended to use "Hidden Field Widgets" module (https://www.drupal.org/project/hidden_field)
for that field so that users don't need to worry about it, ever.

IDP Login URL: e.g. http:///myIdp.example.com/simplesaml/saml2/idp/SSOService.php
IDP Logout URL: e.g. http:///myIdp.example.com/simplesaml/saml2/idp/SingleLogoutService.php

x.509 certificate: Should correspond to the "certificate" field in
saml20-idp-hostd.php

Here's a sample config for saml20-sp-remote.php (when email is used for NameID):

$metadata['demoLocalDrupal'] = array(
'AssertionConsumerService' => 'http://mydrupal.example.com/drupal7/?q=saml/consume',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
'simplesaml.nameidattribute' => 'uid',
'simplesaml.attributes' => FALSE,
);

Usage
=====

When everything is set and ready to go, the process begins from
http://www.yoursite.com/saml/drupal_login

A returnTo parameter can be appended to the url, if you want to redirect
the user somewhere else than the front page after login. For example the user
profile page http://www.yoursite.com/saml/drupal_login?returnTo=user

The login block and user login form will show a link with
"Log in using Single Sign-On" text on it. The user login page will return the
user to the profile page and the login block will return the user to the same page
where the login process was started from.

File

README.txt
View source
  1. SAML Service Provider
  2. =====================
  3. This package provides two modules:
  4. - SAML Service Provider API
  5. - SAML Drupal Login
  6. The API module lets other modules leverage SAML authentication.
  7. The SAML Drupal Login module specifically enables Drupal to become a "Service
  8. Provider" for an IDP, so users can authenticate to Drupal (without entering a
  9. username or password) by delegating authenticate to a SAML IDP (Identity
  10. Provider).
  11. Dependencies
  12. ============
  13. Drupal module ctools http://drupal.org/project/ctools
  14. Requires the OneLogin SAML-PHP toolkit, downloaded to your 'libraries' folder:
  15. 'cd libraries'
  16. 'git clone https://github.com/onelogin/php-saml.git'
  17. So that the folder structure looks like this when it comes to lib folder
  18. - libraries
  19. - php-saml
  20. ...
  21. - lib
  22. - Saml
  23. - Saml2
  24. - Auth.php
  25. ...
  26. NOTE: The PHP-SAML library versions 2.x are not compatible with PHP 7.2+ and
  27. will throw deprecation warnings for mcrypt functions in PHP 7.1. If you are
  28. using PHP 7.1+ you can use the PHP-SAML 3.0.0-namespaceless branch from the
  29. Github repository. The 7.x-2.x version of the saml_sp module will not be
  30. updated to use the 3.0.0 branch using namespaces.
  31. After the php-saml library installed, it requires a xmlseclibs library on which Simple SAML toolkit for PHP library depends on, it should be installed to your libraries folder.
  32. 'git clone https://github.com/robrichards/xmlseclibs.git'
  33. Clear the cache, your module is ready for configuration.
  34. SimpleSamlPHP Configuration
  35. ===========================
  36. First, configure your IdP in Drupal:
  37. Note: Multiple IdPs can be configured, but only one is chosen to be used for the
  38. Drupal login. This is good for development purposes, because different
  39. environments (local, development, staging, production etc.) can be configured
  40. with different App names and exported to code with Features. Then each
  41. environment chooses a different IdP configuration for the Drupal login.
  42. Name = Human readable name for IdP.
  43. App Name: will be used in the IdP configuration. For example
  44. "demoLocalDrupal".
  45. NameID field: this defaults to user mail and works for most configurations. In
  46. that case the IdP is configure to use email address for NameID.
  47. But if you need to support changing email on the IdP, then you need to add
  48. a custom field to user profile and then choose that field here. It is
  49. recommended to use "Hidden Field Widgets" module (https://www.drupal.org/project/hidden_field)
  50. for that field so that users don't need to worry about it, ever.
  51. IDP Login URL: e.g. http:///myIdp.example.com/simplesaml/saml2/idp/SSOService.php
  52. IDP Logout URL: e.g. http:///myIdp.example.com/simplesaml/saml2/idp/SingleLogoutService.php
  53. x.509 certificate: Should correspond to the "certificate" field in
  54. saml20-idp-hostd.php
  55. Here's a sample config for saml20-sp-remote.php (when email is used for NameID):
  56. $metadata['demoLocalDrupal'] = array(
  57. 'AssertionConsumerService' => 'http://mydrupal.example.com/drupal7/?q=saml/consume',
  58. 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
  59. 'simplesaml.nameidattribute' => 'uid',
  60. 'simplesaml.attributes' => FALSE,
  61. );
  62. Usage
  63. =====
  64. When everything is set and ready to go, the process begins from
  65. http://www.yoursite.com/saml/drupal_login
  66. A returnTo parameter can be appended to the url, if you want to redirect
  67. the user somewhere else than the front page after login. For example the user
  68. profile page http://www.yoursite.com/saml/drupal_login?returnTo=user
  69. The login block and user login form will show a link with
  70. "Log in using Single Sign-On" text on it. The user login page will return the
  71. user to the profile page and the login block will return the user to the same page
  72. where the login process was started from.