D7 SimpleSAML PHP Auth


The SimpleSAML PHP Auth module integrates the simplesamlphp library into Drupal.

For a full description of the module, visit: https://www.drupal.org/project/simplesamlphp_auth

Installation

Installation instructions can be found on the module page at: https://www.drupal.org/project/simplesamlphp_auth

Versions

Recommended releases:
7.x-2.0-alpha2
6.x-2.7

Development releases:
7.x-3.x-dev
7.x-2.x-dev
6.x-3.x-dev

The 3.x branch of the module contains architectural changes from the 2.x branch.

Features

  • Just-in-time provisioning of Drupal user accounts based on SAML attributes (configurable).
  • Automatic role assignment based on SAML attributes (configurable).
  • Dual mode - support for traditional Drupal accounts and SAML-authenticated accounts at the same time (configurable).
  • Support for multiple authentication protocols (thanks to SimpleSAMLphp)
    • OpenID (e.g., Google, Yahoo)
    • Facebook
    • OAuth (e.g., Twitter)
    • SAML 1.1, SAML 2.0
    • Shibboleth 1.3
    • A-Select
    • X509 Client Certificates
    • Radius

Enforcing SSL

In the 3.x series, enforcing SSL on the authentication page has been removed from the module. The following snippet, added to the .htaccess file, does the same thing:

# Force redirect to HTTPS for SimpleSAMLphp Auth module's login path
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^saml_login https://%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,L]

Alternatively, this may be handled in code by implementing hook_url_inbound_alter() in a custom module.
The following snippet provides functionality equivalent to the mod_rewrite rule shown above:

/**
 * Implements hook_url_inbound_alter().
 *
 * Redirects plain-HTTP requests for the module's login path to HTTPS.
 */
function MYMODULE_url_inbound_alter(&$path, $original_path, $path_language) {
  if ('saml_login' === $path && !_MYMODULE_is_https_request()) {

    $options = array('absolute' => TRUE);
    // Carry the destination along as a query parameter and remove it from
    // $_GET, otherwise drupal_goto() would redirect to the destination
    // instead of the HTTPS login URL built below.
    if (isset($_GET['destination'])) {
      $options['query']['destination'] = $_GET['destination'];
      unset($_GET['destination']);
    }

    $url = url($path, $options);
    $url = str_replace('http://', 'https://', $url);

    drupal_goto($url);
  }
}

/**
 * Checks whether the current request has been received over HTTPS or not.
 *
 * The X-Forwarded-Proto header is consulted for sites behind a TLS-terminating
 * reverse proxy; it is only meaningful when that proxy sets or overwrites the
 * header, since a client connecting directly can supply any value for it.
 *
 * @return bool
 *   TRUE if the current request has been received over HTTPS, FALSE otherwise.
 *
 * @link https://www.drupal.org/node/313145
 */
function _MYMODULE_is_https_request() {
  $is_https = isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on';

  if (!$is_https) {
    $reverse_proxy_proto_header = 'HTTP_X_FORWARDED_PROTO';
    $is_https = isset($_SERVER[$reverse_proxy_proto_header])
      && 'https' === strtolower($_SERVER[$reverse_proxy_proto_header]);
  }
  return $is_https;
}
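The helper above accepts X-Forwarded-Proto from whoever sent the request, which matters when the site is reachable both directly and through a proxy. As an added example (not code from the module or from this guide), the following variant honours the header only when the request arrives from an address listed in Drupal 7's reverse_proxy_addresses setting (configured in settings.php together with $conf['reverse_proxy'] = TRUE); the function name is hypothetical.

```php
<?php
/**
 * Reports whether the current request arrived over HTTPS, trusting the
 * X-Forwarded-Proto header only when a configured reverse proxy sent it.
 *
 * Added example; _MYMODULE_is_https_request_trusted() is a hypothetical name
 * and not part of the module. It relies on Drupal 7's 'reverse_proxy' and
 * 'reverse_proxy_addresses' settings from settings.php to decide which
 * REMOTE_ADDR values are allowed to vouch for the original scheme.
 *
 * @return bool
 *   TRUE if the request was received over HTTPS, FALSE otherwise.
 */
function _MYMODULE_is_https_request_trusted() {
  // TLS terminated by the web server itself: nothing to forward.
  if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') {
    return TRUE;
  }

  // Only consult the forwarded header when reverse proxy support is enabled
  // and the immediate peer is one of the configured proxy addresses.
  if (!variable_get('reverse_proxy', 0) || !isset($_SERVER['REMOTE_ADDR'])) {
    return FALSE;
  }
  $trusted = variable_get('reverse_proxy_addresses', array());
  if (!in_array($_SERVER['REMOTE_ADDR'], $trusted, TRUE)) {
    return FALSE;
  }

  if (!isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
    return FALSE;
  }
  // Some proxies send a comma-separated chain; the first entry is the scheme
  // the client used at the outermost hop.
  $proto = strtolower(trim(strtok($_SERVER['HTTP_X_FORWARDED_PROTO'], ',')));
  return $proto === 'https';
}
```

Drop this function in for _MYMODULE_is_https_request() in the hook above; the redirect logic itself stays unchanged.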

D8: Mapping IdP attributes to user entity fields

The following code is the hook provided by the D8 version of the module to map IdP attributes to user object fields.

Mapping IdP attributes to user object fields

The following code illustrates how to map IdP attributes to user object fields.

Role population from simpleSAMLphp attributes

Automatic role population from simpleSAMLphp attributes is achieved by using the following evaluation syntax in admin/config/people.

SimpleSAML Runtime Config: Dynamically adjust metadata

(For overall information on SimpleSAML Runtime Config, see the project page.)

Guide maintainers

snufkin