Angel Alvarado R.
Soft. and Data engineer.
23 Jan 2017
SAML: Simplesamlphp and Drupal multiple external Identity Providers

Simplesamlphp and a custom module for Drupal CMS


There are many modules out there to help you accomplish SSO using SAML. The module that met most of my team's requirements was simplesamlphp_auth. However, there are always edge cases where a contributed module is not enough. This is why we came up with a new version of the aforementioned module, called multiple_idp_simplesamlphp.

My Team's Basic Requirements: 

  • Use object-oriented code.
  • Seamless deep-linking integration with multiple IdPs using a single Service Provider.
  • Change any IdP's attributes on demand.
  • Provide SLO (Single Logout).
  • Use a different unique ID per customer. Customers may want to use an employeeId, a random number, an SSN, etc.
  • Use different IdP attributes per customer.
  • Not use a proxy to prevent a select list from appearing on the Simplesamlphp authentication page (in order to take users straight to their IdP). OpenContext is an example of a third-party proxy. Here's a use case.
  • Improve the UX for customers.

Setting up the Simplesamlphp Library

As of today, few modules implement the SAML specification by themselves. One that does is the OneLogin module. Many other modules use the Simplesamlphp library to implement the SAML specification. We decided to use Simplesamlphp while developing multiple_idp_simplesamlphp. Drupal acts as the orchestrator of the SSO process and the Simplesamlphp library acts as the backend when interacting with the SAML specification. The first step, then, is to install and configure the Simplesamlphp library as Service Provider and Identity Provider. You can use this Vagrant Machine to speed up your development.

Reviewing SP and IdP configuration 

Based on the aforementioned Vagrant Machine, you can test the local IdP called 'openidp'. Go to http://192.168.33.99/simplesaml/module.php/core/authenticate.php and click on 'openidp.'

You'll be prompted to select which IdP you want to authenticate with.

Then, in the login form, use admin1:admin1 as user:password. You'll see the IdP's attributes.


Installing and configuring multiple_idp_simplesamlphp

Since our SSO process is working on the Simplesamlphp side, let's configure the SSO Drupal module.

  • Download it from GitHub. The multiple_idp_simplesamlphp module is not part of the simplesamlphp_auth module and won't be integrated.
  • Install it as a regular Drupal module.
  • Basic configuration at http://192.168.33.99/admin/config/people/simplesamlphp_auth. The Vagrant Machine includes the Simplesamlphp library at /var/simplesamlphp.


  • Add an IdP at http://192.168.33.99/admin/config/people/simplesamlphp_auth/idp. Use the following settings.
    • What name do you want to give to this connection: openidp.
      • This is the name of the IdP configured in the Simplesamlphp library, @see /var/simplesamlphp/simplesamlphp/config/config.php
    • What's the company name for the new IDP: Test.
      • This should be an optional parameter.
    • Which IDP domain you want to register: domain.com.
      • This domain will be used in the login form: if a given user belongs to an IdP, we take them to their IdP.
    • Which attribute from the IDP should be used as user's alias: email.
      • In this use case users always use their email as alias; remember the alias has to be unique between any customer/Drupal user.
    • Which attribute from the IDP should be used as unique identifier for the user: email.
      • The unique identifier will be stored in the authmap table to identify users. Emails are not always unique in enterprise companies (an email can be used by more than one user), which is why the authmap value / unique identifier is customizable, in case email is not the unique ID at a given company.
    • Which attribute from simpleSAMLphp should be used as user mail address: email.
      • This will populate the email column in the users table.
    • Additional attributes: first_name:first_name.
      • In this use case the attributes had to be changed multiple times on demand without a code push. Not only that, but we encountered attributes with very random formats (i.e. http://xml/use). We learned that attribute names are not always customizable by Enterprise Identity Providers.
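The settings above, as an added example in PHP that is not the module's own code: it keeps the openidp configuration as an array and shows how the domain of the login e-mail selects the IdP and how the IdP's attributes are mapped onto the Drupal user, with the configured unique identifier required before any account is linked. The 'usage' field name and the sample assertion are constructed.

```php
<?php
// Added example, not code from multiple_idp_simplesamlphp: the openidp settings
// listed above as a PHP array, plus the two steps the module performs with them.
// The 'usage' field is constructed. Simplesamlphp returns attributes as
// name => array of values.

$idps = [
    'openidp' => [
        'company'   => 'Test',
        'domain'    => 'domain.com',
        'alias'     => 'email',   // attribute used as the Drupal username
        'unique_id' => 'email',   // attribute stored in the authmap table
        'mail'      => 'email',   // attribute copied to users.mail
        // SAML attribute name => Drupal field; odd IdP names need no code change
        'extra'     => ['first_name' => 'first_name', 'http://xml/use' => 'usage'],
    ],
];

// Step 1: the login form routes a user to an IdP by the exact domain of the e-mail.
function idpForEmail(array $idps, string $email): ?string {
    $at = strrpos($email, '@');
    if ($at === false) return null;
    $domain = strtolower(substr($email, $at + 1));
    foreach ($idps as $name => $cfg) {
        if (strtolower($cfg['domain']) === $domain) return $name;
    }
    return null; // unknown domain: fall back to the local Drupal login
}

// Step 2: map the IdP's attributes to the values stored for the Drupal user.
function mapAttributes(array $cfg, array $attrs): array {
    $first = function (string $name) use ($attrs): ?string {
        return isset($attrs[$name][0]) && $attrs[$name][0] !== '' ? (string) $attrs[$name][0] : null;
    };
    $uid = $first($cfg['unique_id']);
    if ($uid === null) { // never link an account without the configured unique id
        throw new RuntimeException("IdP did not send unique id attribute '{$cfg['unique_id']}'");
    }
    $user = ['authname' => $uid, 'name' => $first($cfg['alias']) ?? $uid, 'mail' => $first($cfg['mail'])];
    foreach ($cfg['extra'] as $samlName => $field) {
        $user[$field] = $first($samlName); // null when the IdP omitted the attribute
    }
    return $user;
}

// Constructed attribute set, shaped as Simplesamlphp hands it back after login.
$attrs = ['email' => ['jane@domain.com'], 'first_name' => ['Jane'], 'http://xml/use' => ['staff']];
$idp = idpForEmail($idps, 'jane@domain.com');  // 'openidp'
print_r(mapAttributes($idps[$idp], $attrs));
```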

Benefits of this module

  • Seamless deep-linking integration with multiple IdPs using a single Service Provider.
    • Go to http://192.168.33.99/user and as the E-mail Address use test@domain.com


  • Log in.


Warnings

This module assumes that Roles do not have to be populated. In this use case roles were assigned via an ERP. 
