
This module integrates Drupal with SimpleSAMLphp, the most robust and complete implementation of SAML in PHP. It makes it possible for Drupal to communicate with SAML or Shibboleth identity providers (IdP) for authenticating users. The resulting Drupal site can effectively act as a SAML or Shibboleth service provider (SP).

Drupal core and SimpleSAMLphp compatibility

Drupal 9 is based on Symfony 4; Drupal 10 is based on Symfony 6. SimpleSAMLphp 1.x is compatible with Symfony 4, and 2.0 is compatible with Symfony 5. Version 2.0 is therefore not compatible with any Drupal core version and cannot be used with this module. Version 8.x-3.x of this module requires SimpleSAMLphp 1.x and cannot be made Drupal 10 compatible.

SimpleSAMLphp 2.1 is compatible with Symfony 6 and therefore with Drupal 10; the new 4.x version of this project supports that combination. See the release notes of this project and of SimpleSAMLphp for more information.

Prerequisites

  • SimpleSAMLphp - you must have SimpleSAMLphp version 1.6 or newer installed and configured to operate as a service provider (SP).

NOTE: Your SimpleSAMLphp SP must be configured to use something other than "phpsession" (the default) for session storage. The alternatives are memcache or sql. The sql option was added in SimpleSAMLphp version 1.7. The simplest solution for folks running SimpleSAMLphp version 1.7 or higher is to edit the SimpleSAMLphp config/config.php and set 'store.type' => 'sql' and 'store.sql.dsn' => 'sqlite:/path/to/sqlitedatabase.sq3'.
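As an added illustration (not the project's own text, nor a file shipped with SimpleSAMLphp), here are the session-store entries of config/config.php with the default that must be avoided shown commented out beside the SQL alternative; the SQLite path is a placeholder, and the database file should live outside the web root:

```php
<?php
// Session-store section of SimpleSAMLphp's config/config.php for an SP
// that is used together with the simplesamlphp_auth Drupal module.
// Example values; the SQLite path below is a placeholder.

$config = [
    // ... other SimpleSAMLphp settings ...

    // 'phpsession' (the default) keeps SP session state in PHP's native
    // session. The module requires a different store, so leave this out.
    // 'store.type' => 'phpsession',

    // SQL-backed store (available since SimpleSAMLphp 1.7).
    'store.type' => 'sql',

    // PDO DSN. Keep the SQLite file outside the document root so it can
    // never be served by the web server, and make it readable and
    // writable only by the web server user.
    'store.sql.dsn' => 'sqlite:/var/simplesamlphp/data/sqlitedatabase.sq3',

    // Not used for SQLite; required for a networked database, e.g.
    // 'store.sql.dsn' => 'mysql:host=localhost;dbname=simplesamlphp',
    'store.sql.username' => null,
    'store.sql.password' => null,

    // Table-name prefix, useful when the database is shared.
    'store.sql.prefix' => 'simpleSAMLphp',

    // The other supported alternative is memcache:
    // 'store.type' => 'memcache',
    // 'memcache_store.servers' => [[['hostname' => 'localhost']]],
];
```

After changing the store, re-run the "Test configured authentication sources" check in the SimpleSAMLphp web interface to confirm the SP still completes a login round trip.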

Features

  • Just-in-time provisioning of Drupal user accounts based on SAML attributes (configurable).
  • Automatic role assignment based on SAML attributes (configurable).
  • Dual mode - support for traditional Drupal accounts and SAML-authenticated accounts at the same time (configurable).
  • Support for multiple authentication protocols (thanks to SimpleSAMLphp)
    • OpenID (e.g., Google, Yahoo)
    • Facebook
    • OAuth (e.g., Twitter)
    • SAML 1.1, SAML 2.0
    • Shibboleth 1.3
    • A-Select
    • X509 Client Certificates
    • Radius

Example Use Cases

  • Enterprise single sign-on - connect a Drupal site to your organization's IdP (like connecting Google Apps to your IdP)
  • Single sign-on across Drupal sites on multiple servers - set all the sites up to use this module to authenticate users against one or more IdPs. (This can even be done with multiple sites sharing a single SimpleSAMLphp service provider.)
  • Federated Drupal site - allow people from multiple organizations to access the site using their organization's IdP.

Credits

This module is based on the original work done by Andreas Åkre Solberg and Snorre Løvås, from whom I (Steve Moitozo) inherited maintenance duties.

Contributors include:

Installation Overview

  1. Install SimpleSAMLphp
  2. Configure SimpleSAMLphp as a Service Provider
  3. Install Drupal (if you haven't already)
  4. Install simplesamlphp_auth module
  5. Configure simplesamlphp_auth module
  6. Activate the simplesamlphp_auth module

Installation Instructions

For installation and configuration of your SimpleSAMLphp SP you should follow the instructions at both of the following URLs:

Assuming you've followed the instructions above, the first thing you should do is test your SimpleSAMLphp installation and configuration to ensure that you can authenticate against any configured IdPs. You can do this by going to the SimpleSAMLphp application in your browser (e.g., http://www.example.com/simplesaml) and clicking on the "Authentication" tab. Then click "Test configured authentication sources" and then the appropriate SP (e.g., default-sp). If you are properly directed to the IdP and returned to SimpleSAMLphp after authentication with the appropriate attributes then you can move on and look at your simplesamlphp_auth module configuration.

Please note that SimpleSAMLphp must be configured to use something other than "phpsession" as the value for "store.type" in simplesamlphp/config/config.php; memcache or SQL are the other choices.

Assuming the above tests indicate that your SimpleSAMLphp installation is working properly then you need to install the simplesamlphp_auth module, like you would any other Drupal module. Then configure the module, making sure you point to the right directory for simplesamlphp (e.g., /var/simplesamlphp) and that you've mapped attributes that the IdP(s) will be sending; etc.

At this point you can turn on SAML authentication by checking the box at the top of the module's configuration page.

If all these things look good then you can attempt to log into Drupal using SAML by going to http://yourdrupal/saml_login.

Want to use Drupal as a SAML Identity Provider?

This module (simplesamlphp_auth) provides the ability to make a Drupal site into a SAML Service Provider (SP). But what if you want to make Drupal an Identity Provider (IdP)? It is possible using SimpleSAMLphp as the SAML IdP and the drupalauth module for simpleSAMLphp, which allows the SimpleSAMLphp IdP to authenticate users against the Drupal site. The Polder Consortium has a Public SAML 2.0 Identity Provider using this approach.
