You are here

Home » API reference » SAML Service Provider 8.2

README.txt in SAML Service Provider 8.2

Same filename and directory in other branches
  1. 8.3 README.txt
  2. 7.8 README.txt
  3. 7 README.txt
  4. 7.2 README.txt
  5. 7.3 README.txt
  6. 4.x README.txt
  7. 3.x README.txt
SAML Service Provider
=====================

This package provides two modules:
- SAML Service Provider API
- SAML Drupal Login


The API module lets other modules leverage SAML authentication.

The SAML Drupal Login module specifically enables Drupal to become a "Service
Provider" for an IDP, so users can authenticate to Drupal (without entering a
username or password) by delegating authenticate to a SAML IDP (Identity
Provider).


Dependencies
============
Requires the OneLogin SAML-PHP toolkit which is managed by composer.

You can either manually require the module with composer:
    composer config repositories.drupal composer https://packages.drupal.org/8
    composer require drupal/saml_sp
to have composer download the module and the library. Or you can download the
module manually modify the core composer.json, change this section
    {
      "extra": {
        "_readme": [
          "By default Drupal loads the autoloader from ./vendor/autoload.php.",
          "To change the autoloader you can edit ./autoload.php."
        ],
        "merge-plugin": {
            "include": [
            "core/composer.json",
            "modules/saml_sp/composer.json" // <-- add this line
          ],
          "recurse": false,
          "replace": false,
          "merge-extra": false
        }
      },
    }
to add the modules/saml_sp/composer.json and run
    composer update
this will cause the library to be downloaded and added to your composer autoload.php


TODO
====
For the 8.x-2.x version there are a number of items that are still incomplete
- Single Log Out (SLO)
- updating Drupal account with attributes from the IdP

SimpleSamlPHP Configuration
===========================

First, configure your IdP in Drupal:
Note: Multiple IdPs can be configured, but only one is chosen to be used for the
Drupal login. This is good for development purposes, because different
environments (local, development, staging, production etc.) can be configured
with different App names and exported to code with Features. Then each
environment chooses a different IdP configuration for the Drupal login.

Name = Human readable name for IdP.

App Name: will be used in the IdP configuration. For example
"demoLocalDrupal".

NameID field: this defaults to user mail and works for most configurations. In
that case the IdP is configure to use email address for NameID.
But if you need to support changing email on the IdP, then you need to add
a custom field to user profile and then choose that field here. It is
recommended to use "Hidden Field Widgets" module (https://www.drupal.org/project/hidden_field)
for that field so that users don't need to worry about it, ever.

IDP Login URL: e.g. http:///myIdp.example.com/simplesaml/saml2/idp/SSOService.php
IDP Logout URL: e.g. http:///myIdp.example.com/simplesaml/saml2/idp/SingleLogoutService.php

x.509 certificate: Should correspond to the "certificate" field in
saml20-idp-hostd.php

Here's a sample config for saml20-sp-remote.php (when email is used for NameID):

$metadata['demoLocalDrupal'] = array(
'AssertionConsumerService' => 'http://mydrupal.example.com/drupal7/?q=saml/consume',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
'simplesaml.nameidattribute' => 'uid',
'simplesaml.attributes' => FALSE,
);

Usage
=====

When everything is set and ready to go, the process begins from
http://www.yoursite.com/saml/drupal_login

A returnTo parameter can be appended to the url, if you want to redirect
the user somewhere else than the front page after login. For example the user
profile page http://www.yoursite.com/saml/drupal_login?returnTo=user

The login block and user login form will show a link with
"Log in using Single Sign-On" text on it. The user login page will return the
user to the profile page and the login block will return the user to the same page
where the login process was started from.

File

README.txt
View source 
  1. SAML Service Provider

  2. =====================

  3. 

  4. This package provides two modules:

  5. - SAML Service Provider API

  6. - SAML Drupal Login

  7. 

  8. 

  9. The API module lets other modules leverage SAML authentication.

  10. 

  11. The SAML Drupal Login module specifically enables Drupal to become a "Service

  12. Provider" for an IDP, so users can authenticate to Drupal (without entering a

  13. username or password) by delegating authenticate to a SAML IDP (Identity

  14. Provider).

  15. 

  16. 

  17. Dependencies

  18. ============

  19. Requires the OneLogin SAML-PHP toolkit which is managed by composer.

  20. 

  21. You can either manually require the module with composer:

  22.     composer config repositories.drupal composer https://packages.drupal.org/8

  23.     composer require drupal/saml_sp

  24. to have composer download the module and the library. Or you can download the

  25. module manually modify the core composer.json, change this section

  26.     {

  27.       "extra": {

  28.         "_readme": [

  29.           "By default Drupal loads the autoloader from ./vendor/autoload.php.",

  30.           "To change the autoloader you can edit ./autoload.php."

  31.         ],

  32.         "merge-plugin": {

  33.             "include": [

  34.             "core/composer.json",

  35.             "modules/saml_sp/composer.json" // <-- add this line

  36.           ],

  37.           "recurse": false,

  38.           "replace": false,

  39.           "merge-extra": false

  40.         }

  41.       },

  42.     }

  43. to add the modules/saml_sp/composer.json and run

  44.     composer update

  45. this will cause the library to be downloaded and added to your composer autoload.php

  46. 

  47. 

  48. TODO

  49. ====

  50. For the 8.x-2.x version there are a number of items that are still incomplete

  51. - Single Log Out (SLO)

  52. - updating Drupal account with attributes from the IdP

  53. 

  54. SimpleSamlPHP Configuration

  55. ===========================

  56. 

  57. First, configure your IdP in Drupal:

  58. Note: Multiple IdPs can be configured, but only one is chosen to be used for the

  59. Drupal login. This is good for development purposes, because different

  60. environments (local, development, staging, production etc.) can be configured

  61. with different App names and exported to code with Features. Then each

  62. environment chooses a different IdP configuration for the Drupal login.

  63. 

  64. Name = Human readable name for IdP.

  65. 

  66. App Name: will be used in the IdP configuration. For example

  67. "demoLocalDrupal".

  68. 

  69. NameID field: this defaults to user mail and works for most configurations. In

  70. that case the IdP is configure to use email address for NameID.

  71. But if you need to support changing email on the IdP, then you need to add

  72. a custom field to user profile and then choose that field here. It is

  73. recommended to use "Hidden Field Widgets" module (https://www.drupal.org/project/hidden_field)

  74. for that field so that users don't need to worry about it, ever.

  75. 

  76. IDP Login URL: e.g. http:///myIdp.example.com/simplesaml/saml2/idp/SSOService.php

  77. IDP Logout URL: e.g. http:///myIdp.example.com/simplesaml/saml2/idp/SingleLogoutService.php

  78. 

  79. x.509 certificate: Should correspond to the "certificate" field in

  80. saml20-idp-hostd.php

  81. 

  82. Here's a sample config for saml20-sp-remote.php (when email is used for NameID):

  83. 

  84. $metadata['demoLocalDrupal'] = array(

  85. 'AssertionConsumerService' => 'http://mydrupal.example.com/drupal7/?q=saml/consume',

  86. 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',

  87. 'simplesaml.nameidattribute' => 'uid',

  88. 'simplesaml.attributes' => FALSE,

  89. );

  90. 

  91. Usage

  92. =====

  93. 

  94. When everything is set and ready to go, the process begins from

  95. http://www.yoursite.com/saml/drupal_login

  96. 

  97. A returnTo parameter can be appended to the url, if you want to redirect

  98. the user somewhere else than the front page after login. For example the user

  99. profile page http://www.yoursite.com/saml/drupal_login?returnTo=user

  100. 

  101. The login block and user login form will show a link with

  102. "Log in using Single Sign-On" text on it. The user login page will return the

  103. user to the profile page and the login block will return the user to the same page

  104. where the login process was started from.

  105.