Show of hands for anyone thrilled about logging in to every website every single time? Anyone? Didn’t think so.
When businesses prioritize convenience, customers will follow. Single Sign-On (SSO) is one such convenient feature that leaves your customers feeling satisfied and less stressed. It is a huge time-saver, is more secure (reduces password breach attacks), and increases productivity. In fact, businesses adopting SSO have seen an increase in user adoption rate too. Do you want to learn about how you can integrate SSO with your Drupal website? Keep reading and dive into the details!
What is SSO ?
Single Sign-On (SSO) is a user authentication service that allows users to use one login credential for all the systems integrated with SSO. Or, if there already is an open session in the main application, just clicking a button will log you in.
An example:
We can consider Quora as an example, as the forum allows you to create a new account, log in with those credentials, and also use social media logins (Google and Facebook).
Source: https://www.quora.com/
Types of SSO Protocols
Like any other concept, there are many available protocols to achieve this. Some of the common protocols are:
XML
XML (eXtensible Markup Language) is a markup language similar to HTML. It has the ability to store and transport data.
Example:
<start>
<first>Data1</first>
<new>NewData</new>
</start>Certificate/Key Generation
Certificates and private keys play a major role in SAML-based SSO. Since they are used for security reasons, they validate incoming requests.
To generate an OpenSSL certificate and private key, run the following command in the terminal:
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout private_key.key -out certificate.crtHow it Works
In SAML SSO, we consider the application requesting login as a Service Provider (SP), and the application providing authentication information is the Identity Provider (IdP).
Flow:
When a user tries to log in to SP, the browser sends a request to the SP server.
SP will generate a SAML request (which contains SAML data in XML format) and redirect to the configured IdP URL (in SP) for authentication.
Then, the IdP will validate the SAML data from the request XML with the pre-configured data of SP(in IdP).
Once validated, IdP will generate an XML formatted SAML response to the ACS URL from the SAML request of SP with the current email address (by default which can be overridden) value with other data for validation.
Now, SP will validate the data of the SAML response and authenticate the user of the email address in the SAML response.
Source
Here, both the SAML request and SAML Response will be encrypted and will be decrypted in the redirected application (SP/IdP).
In most cases, Drupal is used as a service provider, but it can also be enhanced as an identity provider.
We can have 3 different types of SAML Request(AuthNRequest):
<samlp:Response xmlns:samlp=”urn:oasis:names:tc:SAML:2.0:protocol” xmlns:saml=”urn:oasis:names:tc:SAML:2.0:assertion” ID=”_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6″ Version=”2.0″ IssueInstant=”2014-07-17T01:01:48Z” Destination=”http://sp.example.com/demo1/index.php?acs” InResponseTo=”ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685″>
<saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value=”urn:oasis:names:tc:SAML:2.0:status:Success”/>
</samlp:Status>
<saml:Assertion xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xmlns:xs=”http://www.w3.org/2001/XMLSchema” ID=”_d71a3a8e9fcc45c9e9d248ef7049393fc8f04e5f75″ Version=”2.0″ IssueInstant=”2014-07-17T01:01:48Z”>
<saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
<saml:Subject>
<saml:NameID SPNameQualifier=”http://sp.example.com/demo1/metadata.php” Format=”urn:oasis:names:tc:SAML:2.0:nameid-format:transient”>_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:NameID>
<saml:SubjectConfirmation Method=”urn:oasis:names:tc:SAML:2.0:cm:bearer”>
<saml:SubjectConfirmationData NotOnOrAfter=”2024-01-18T06:21:48Z” Recipient=”http://sp.example.com/demo1/index.php?acs” InResponseTo=”ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685″/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore=”2014-07-17T01:01:18Z” NotOnOrAfter=”2024-01-18T06:21:48Z”>
<saml:AudienceRestriction>
<saml:Audience>http://sp.example.com/demo1/metadata.php</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant=”2014-07-17T01:01:48Z” SessionNotOnOrAfter=”2024-07-17T09:01:48Z” SessionIndex=”_be9967abd904ddcae3c0eb4189adbe3f71e327cf93″>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name=”uid” NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:basic”>
<saml:AttributeValue xsi:type=”xs:string”>test</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name=”mail” NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:basic”>
<saml:AttributeValue xsi:type=”xs:string”>test@example.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name=”eduPersonAffiliation” NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:basic”>
<saml:AttributeValue xsi:type=”xs:string”>users</saml:AttributeValue>
<saml:AttributeValue xsi:type=”xs:string”>examplerole1</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>The rest of the types can be referred in https://www.samltool.com/generic_sso_res.php.
The request and response can be sent as both GET and POST methods.
Available Modules for SSO
In Drupal, we have a list of modules for Service Provider and Identity Provider. Here are some of the SP and IdP modules:
SP Modules:
Testing Tools:
Even though the data is encrypted, we can debug the SAML request with the help of the following tools.
SAML Tracer for Mozilla Firefox.
SAML Chrome Panel for Google Chrome.
How to integrate SSO in Drupal using SAML
Configure SSO module in SP
Here we have used the saml_sp module for gearing up Drupal as a Service Provider.
Configure SP module Settings
Create the certificate and private_key and place them in a Drupal-readable location.
Install the module.composer require ‘drupal/saml_sp:^4.2’
Enable the module in the Extend section.
Go to the configuration of the module (/admin/config/people/saml_sp).
Configure the SP settings
Provide the entityID if you want to override the default https://sp.lndo.site/user. Here https://sp.lndo.site is the domain.
Provide an assertion URL similar to https://sp.lndo.site/saml/consume.
Provide other mandatory details.
Make sure that if you are using Sign specify the correct algorithm and select the Assertion and Encryption type based on requirement(based on the requirement of IdP).
Provide the certificate and private key file path.Based on the data provided, Metadata will be generated. This XML metadata will be used for configuring the SP data in IdP.
Configure Identity Providers in SP
1. Under Identity Providers click on Add Service Provider.2. Add the data from the metadata file/url provided by IdP.
In SAML SP we can use the Drupal Login module once the above are configured. Under the Login Menu, configure the process of SAML login. For example, if a user without an account in SP but with an account in IdP creates an account in SP with an authenticated role.
Configure SSO module in IdP
Here we have used the light_saml_idp module for gearing up Drupal as an Identity Provider.
Configure IdP module Settings:
1. Create the certificate and private_key and place it in a Drupal readable location.2. Install the module.3. Enable the module in the Extend section.
4. Go to the configuration (/admin/config/people/light_saml_idp)
Provide the entity_id.
Provide the other necessary details.
Make sure to provide the correct file path of the certificate and private_key.
Once the data is provided metadata will be generated under the Metadata tab. This needs to be provided to SP to configure there.
Add the Service Provider under the Service Provider, with the data from SP metadata.
The SSO will work properly once these are configured successfully. Hurray! SSO is integrated successfully.
If you are not able to use the SSO, use testing tools to verify what is causing the issue.
Final Thoughts
You just learned how to seamlessly integrate SSO with Drupal using SAML for a stress-free user experience! Considering the protocols, certificates, and complex SAML login flow we’ve explored, SSO plays a significant role in simplifying user authentication. For a seamless SSO journey and Drupal development expertise, look no further than Specbee – your trusted partner in crafting exceptional digital experiences.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
Cookie
Duration
Description
cookielawinfo-checkbox-analytics
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional
11 months
The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy
11 months
The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
