ADFS and SimpleSAMLphp with Drupal
These are instructions on how to configure the SimpleSAMLphp library and Drupal on Pantheon. The configuration settings may vary depending on the ADFS configuration.
Requirements
- Download SimpleSAMLphp version 1.11.0. Newer versions are available, but I haven't had a chance to try them.
- Drupal 7 site (latest version always recommended).
- simpleSAMLphp Authentication Drupal 7 module.
- Drupal 7 site running on Pantheon.
Install SimpleSAMLphp
- Create a private directory /private in your document root and move the downloaded files and folders to /private/simplesamlphp-1.11.0
- Create a symlink /simplesaml pointing to /private/simplesamlphp-1.11.0/www:
$ ln -s ./private/simplesamlphp-1.11.0/www ./simplesaml
$ git add ./private/simplesamlphp-1.11.0
$ git add simplesaml
$ git commit -m "Add SimpleSAMLphp library. Add SimpleSAML symlink."
- Generate certificates as needed and add them to your repository under /private/simplesamlphp-1.11.0/cert
Important: Make sure your certificates use the correct signature hash algorithm. Microsoft announced that they wouldn't be accepting SHA1 certificates after 2016. Generate SHA256 certificates:
$ cd cert
$ openssl req -x509 -sha256 -nodes -days 3652 -newkey rsa:2048 -keyout saml.pem -out saml.crt
SimpleSAMLphp Configuration
- Set up your /private/simplesamlphp-1.11.0/config/config.php file:
// Put this at the top of the config.php file
if (!ini_get('session.save_handler')) {
ini_set('session.save_handler', 'file');
}
$ps = json_decode($_SERVER['PRESSFLOW_SETTINGS'], TRUE);
$host = $_SERVER['HTTP_HOST'];
$drop_id = $ps['conf']['pantheon_binding'];
$db = $ps['databases']['default']['default'];
Set the following parameters in the $config = array() block:
// Make sure you have SSL certificate enabled
// if you would like to use HTTPS protocol.
'baseurlpath' => 'https://'. $host .'/simplesaml/',
'certdir' => 'cert/',
'loggingdir' => 'log/',
'datadir' => 'data/',
'tempdir' => '/srv/bindings/'. $drop_id . '/tmp/simplesaml',
// Change admin password.
'auth.adminpassword' => '[YOUR_PASSWORD]',
// Set this to TRUE
'admin.protectindexpage' => true,
// Probably better to set this to TRUE
'admin.protectmetadata' => false,
// Change this salt
'secretsalt' => '[SALT_CHANGE_THIS]',
// Update contact information
'technicalcontact_name' => 'Contact Name',
'technicalcontact_email' => '[email protected]',
'enable.saml20-idp' => true,
'session.cookie.secure' => true,
'store.type' => 'sql',
'store.sql.dsn' => 'mysql:host='
. $db['host']
. ';port='. $db['port']
. ';dbname=' . $db['database'],
'store.sql.username' => $db['username'],
'store.sql.password' => $db['password'],
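As an added example (not code from the original post or from the SimpleSAMLphp project), the following command-line script loads the config.php set up above and checks the settings the comments single out: an https baseurlpath, the admin password and secret salt changed from their placeholders, the protect* flags and the secure cookie on, and the SQL session store. The library path and the stand-in Pantheon environment values it fakes for running outside Pantheon are assumptions.

```php
<?php
// Added example, not part of the original post or the SimpleSAMLphp project.
// Run from the repository root: php check-simplesaml-config.php
// Path assumed from the post's layout; adjust if your checkout differs.
$configFile = __DIR__ . '/private/simplesamlphp-1.11.0/config/config.php';

// config.php reads Pantheon's environment. Outside Pantheon we supply the
// minimum it needs; these are constructed values, not real credentials.
if (empty($_SERVER['PRESSFLOW_SETTINGS'])) {
    $_SERVER['HTTP_HOST'] = 'dev-example.pantheon.io';
    $_SERVER['PRESSFLOW_SETTINGS'] = json_encode(array(
        'conf' => array('pantheon_binding' => 'constructed-binding-id'),
        'databases' => array('default' => array('default' => array(
            'host'     => '127.0.0.1',
            'port'     => '3306',
            'database' => 'pantheon',
            'username' => 'pantheon',
            'password' => 'constructed-not-real',
        ))),
    ));
}

/**
 * Return the problems found in a SimpleSAMLphp $config array.
 * An empty array means the settings match the notes in the post.
 */
function check_simplesaml_config(array $config)
{
    $problems = array();
    $get = function ($key, $default = null) use ($config) {
        return array_key_exists($key, $config) ? $config[$key] : $default;
    };

    if (strpos((string) $get('baseurlpath'), 'https://') !== 0) {
        $problems[] = 'baseurlpath must start with https:// so the session cookie only travels over TLS.';
    }
    if (!$get('session.cookie.secure')) {
        $problems[] = 'session.cookie.secure should be true.';
    }
    if (!$get('admin.protectindexpage')) {
        $problems[] = 'admin.protectindexpage should be true.';
    }
    if (!$get('admin.protectmetadata')) {
        $problems[] = 'admin.protectmetadata is false; the post recommends true.';
    }

    // Placeholders from the post plus the defaults shipped in config-templates.
    $placeholders = array('', '123', '[YOUR_PASSWORD]', 'defaultsecretsalt', '[SALT_CHANGE_THIS]');
    if (in_array((string) $get('auth.adminpassword'), $placeholders, true)) {
        $problems[] = 'auth.adminpassword is still a placeholder or the shipped default.';
    }
    $salt = (string) $get('secretsalt');
    if (in_array($salt, $placeholders, true) || strlen($salt) < 32) {
        $problems[] = 'secretsalt is a placeholder, the shipped default, or shorter than 32 characters.';
    }
    if ($get('store.type') !== 'sql') {
        $problems[] = 'store.type should be sql so sessions are shared across application containers.';
    }
    return $problems;
}

require $configFile;   // config.php defines $config
$problems = check_simplesaml_config($config);
foreach ($problems as $p) {
    fwrite(STDERR, "PROBLEM: $p\n");
}
if (!$problems) {
    echo "config.php is consistent with the recommended settings.\n";
}
exit($problems ? 1 : 0);
```

The script exits non-zero when anything is off, so it can run as a pre-deploy step; the placeholder list is what it knows about, so a weak but non-placeholder password still passes and needs a human look.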
- Now you should be able to log in to your SimpleSAMLphp interface.
- Visit http://dev-example.pantheon.io/simplesaml
- Enter the password from the auth.adminpassword value in config.php.
- Make sure "Checking your PHP installation" on the configuration page has no red flags:
http://dev-example.pantheon.io/simplesaml/module.php/core/frontpage_config.php
- Make sure SAML 2.0 IdP is green.
- Next, configure the /private/simplesamlphp-1.11.0/config/authsources.php file:
$config = array(
'admin' => array(
'core:AdminPassword',
),
'default-sp' => array(
'saml:SP',
// You can get this from ADFS Federation file
// Contact your ADFS administrator
// to obtain this information.
'entityID' => 'urn:drupal:adfs-saml',
'idp' => 'http://example.org/adfs/services/trust',
'NameIDPolicy' => null,
'redirect.sign' => true,
'assertion.encryption' => true,
'sign.logout' => true,
// Generate using openssl, @see example above.
// These are the certs from `/cert` directory.
'privatekey' => 'saml.pem',
'certificate' => 'saml.crt',
// Defaults to SHA1 (http://www.w3.org/2000/09/xmldsig#rsa-sha1)
'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
),
);
- Next you will need a federation metadata file from the ADFS. Contact your ADFS administrator to generate the file.
- After you obtain the federation metadata file, use the XML to SimpleSAMLphp metadata converter to generate the other config files. The converter is part of the SimpleSAMLphp library and can be accessed through the web at:
http://dev-example.pantheon.io/simplesaml/admin/metadata-converter.php
The result should look similar to the following:
saml20-sp-remote
Put the results of this section into /private/simplesamlphp-1.11.0/metadata/saml20-sp-remote.php
$metadata['http://example.org/adfs/services/trust'] = array (
'entityid' => 'http://example.org/adfs/services/trust',
'contacts' =>
array (
0 =>
array (
'contactType' => 'support',
),
),
'metadata-set' => 'saml20-sp-remote',
'AssertionConsumerService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://example.org/adfs/ls/',
'index' => 0,
'isDefault' => true,
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => 'https://example.org/adfs/ls/',
'index' => 1,
),
2 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://example.org/adfs/ls/',
'index' => 2,
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://example.org/adfs/ls/',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://example.org/adfs/ls/',
),
),
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
'keys' =>
array (
0 =>
array (
'encryption' => true,
'signing' => false,
'type' => 'X509Certificate',
'X509Certificate' => '.... certificate string ...',
),
1 =>
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => '.... certificate string ...',
),
),
'saml20.sign.assertion' => true,
);
saml20-idp-remote
Put the results of this section into /private/simplesamlphp-1.11.0/metadata/saml20-idp-remote.php
$metadata['http://example.org/adfs/services/trust'] = array (
'entityid' => 'http://example.org/adfs/services/trust',
'contacts' =>
array (
0 =>
array (
'contactType' => 'support',
),
),
'metadata-set' => 'saml20-idp-remote',
'SingleSignOnService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://example.org/adfs/ls/',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://example.org/adfs/ls/',
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://example.org/adfs/ls/',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://example.org/adfs/ls/',
),
),
'ArtifactResolutionService' =>
array (
),
'keys' =>
array (
0 =>
array (
'encryption' => true,
'signing' => false,
'type' => 'X509Certificate',
'X509Certificate' => '.... certificate string ...',
),
1 =>
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => '.... certificate string ...',
),
),
);
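To show what the metadata converter actually extracts from the ADFS federation metadata, here is an added example (not code from the original post or from SimpleSAMLphp) that parses the IDPSSODescriptor of a federation metadata document with DOMDocument and prints the saml20-idp-remote entry in the shape shown above. The XML is a constructed sample carrying the post's example entity ID and placeholder certificate strings; real ADFS metadata is much larger and also contains an SPSSODescriptor, which the same walk would turn into the saml20-sp-remote entry.

```php
<?php
// Added example, not part of the original post or the SimpleSAMLphp project.
// A minimal stand-in for the metadata converter: reads ADFS federation
// metadata and prints the saml20-idp-remote entry shown in the post.
// Constructed sample input; certificates are placeholders, not real keys.
$federationMetadata = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="http://example.org/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CONSTRUCTED-ENCRYPTION-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CONSTRUCTED-SIGNING-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.org/adfs/ls/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.org/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
XML;

const MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata';
const DS_NS = 'http://www.w3.org/2000/09/xmldsig#';

// Collect Binding/Location pairs of one endpoint type under a role descriptor.
function saml_endpoints(DOMXPath $xp, DOMNode $role, $element)
{
    $out = array();
    foreach ($xp->query("md:$element", $role) as $node) {
        $out[] = array(
            'Binding'  => $node->getAttribute('Binding'),
            'Location' => $node->getAttribute('Location'),
        );
    }
    return $out;
}

// Collect the certificates, keeping the signing/encryption split ADFS declares.
function saml_keys(DOMXPath $xp, DOMNode $role)
{
    $keys = array();
    foreach ($xp->query('md:KeyDescriptor', $role) as $kd) {
        // A KeyDescriptor without "use" is valid for both purposes.
        $use  = $kd->getAttribute('use');
        $cert = $xp->evaluate('string(ds:KeyInfo/ds:X509Data/ds:X509Certificate)', $kd);
        $keys[] = array(
            'encryption'      => ($use === '' || $use === 'encryption'),
            'signing'         => ($use === '' || $use === 'signing'),
            'type'            => 'X509Certificate',
            'X509Certificate' => preg_replace('/\s+/', '', $cert),
        );
    }
    return $keys;
}

function adfs_idp_remote($xml)
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network fetches; entity substitution (LIBXML_NOENT)
    // is deliberately left off, since this XML comes from another party.
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('Federation metadata is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('md', MD_NS);
    $xp->registerNamespace('ds', DS_NS);

    $entity = $xp->query('/md:EntityDescriptor')->item(0);
    if (!$entity) {
        throw new RuntimeException('No EntityDescriptor found');
    }
    $role = $xp->query('md:IDPSSODescriptor', $entity)->item(0);
    if (!$role) {
        throw new RuntimeException('No IDPSSODescriptor found');
    }
    $entityId = $entity->getAttribute('entityID');
    return array($entityId => array(
        'entityid'            => $entityId,
        'metadata-set'        => 'saml20-idp-remote',
        'SingleSignOnService' => saml_endpoints($xp, $role, 'SingleSignOnService'),
        'SingleLogoutService' => saml_endpoints($xp, $role, 'SingleLogoutService'),
        'keys'                => saml_keys($xp, $role),
    ));
}

foreach (adfs_idp_remote($federationMetadata) as $entityId => $entry) {
    // Output is ready to paste into metadata/saml20-idp-remote.php
    echo '$metadata[' . var_export($entityId, true) . '] = ' . var_export($entry, true) . ";\n";
}
```

Two points are worth carrying over to the real converter output: the entity ID key must match the 'idp' value in authsources.php exactly (a stray character there is enough to break login), and the keys array is what SimpleSAMLphp uses to verify ADFS signatures, so check that the signing certificate you paste is the one ADFS currently uses and not a stale one.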
- Finally you will have to provide information to your ADFS administrator. The SimpleSAMLphp library can generate the federation metadata file for you. Here is the link:
http://dev-example.pantheon.io/simplesaml/module.php/saml/sp/metadata.php/default-sp?output=xhtml
The federation metadata XML file should look something like this: the SP's metadata with the two certificate strings (.... certificate string ....) from the cert directory and the technical contact (Minnur Yunusov, [email protected]) from config.php.
Drupal Configuration
Basic setup
User info and syncing
- Usually we set the username to the user's email address; if this is the case for you, add the following:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Unique identifier for the user:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
- User mail address:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Hit Save configuration.
ADFS Configuration
See Useful Links below. Some of those links contain information on how to configure the ADFS.
Test SimpleSAMLphp and Drupal
- Try logging in; use the following URL to test:
https://dev-example.pantheon.io/saml_login
- If you would like to support login via SAML only, I would recommend replacing the Login (user/login) path with /saml_login.
Troubleshoot
- Login works but logout doesn't.
  - Make sure your certificates are generated using the correct signature hash algorithm.
  - Make sure your ADFS configuration is set to use the correct hash algorithm. In my case it was set to SHA256 and the certificates were generated using SHA1.
  - If you're using SHA256 certificates, make sure to specify the signature algorithm in config/authsources.php by adding signature.algorithm. See the SAML 2.0 Options section.
- Get errors on login.
  - Make sure ADFS has correct claim rules. Each field should be in its own Claim Rule.
  - Make sure to restart the ADFS service every time you make a change.
- If login used to work but stopped working after a month or a year, most likely the certificate was generated with a validity of that length. To solve this issue simply regenerate the certificate. See the example above.
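The two certificate problems in this list (a SHA1-signed certificate, and one whose validity period has run out) can both be caught before users notice. The following is an added example, not code from the original post or from SimpleSAMLphp, that inspects the saml.crt generated with the openssl command in the certificate section and reports either condition. The certificate path is assumed from the post's layout, and the 30-day warning window is an arbitrary choice.

```php
<?php
// Added example, not part of the original post or the SimpleSAMLphp project.
// Checks the SP certificate for the two troubleshooting causes above:
// a SHA1 (or MD5) signature and an expired or soon-expiring validity period.
// Path assumed from the post's layout; adjust it to your checkout.
$certFile = __DIR__ . '/private/simplesamlphp-1.11.0/cert/saml.crt';

/**
 * Return the problems found with a PEM certificate, or an empty array.
 */
function check_saml_cert($pem, $warnDays = 30)
{
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        return array('Could not parse certificate: ' . openssl_error_string());
    }
    $problems = array();

    // signatureTypeLN reads e.g. "sha256WithRSAEncryption"; a certificate
    // made by "openssl req" without -sha256 shows "sha1WithRSAEncryption".
    $sigAlg = isset($info['signatureTypeLN']) ? $info['signatureTypeLN'] : 'unknown';
    if (stripos($sigAlg, 'sha1') !== false || stripos($sigAlg, 'md5') !== false) {
        $problems[] = "Signed with $sigAlg; regenerate with openssl req -x509 -sha256 and update ADFS.";
    }

    $daysLeft = (int) floor(($info['validTo_time_t'] - time()) / 86400);
    if ($daysLeft < 0) {
        $problems[] = 'Expired ' . (-$daysLeft) . ' days ago; regenerate and send the new metadata to the ADFS administrator.';
    } elseif ($daysLeft < $warnDays) {
        $problems[] = "Expires in $daysLeft days; plan the rollover with the ADFS administrator.";
    }
    return $problems;
}

$pem = file_get_contents($certFile);
if ($pem === false) {
    fwrite(STDERR, "Cannot read $certFile\n");
    exit(2);
}
$problems = check_saml_cert($pem);
foreach ($problems as $p) {
    fwrite(STDERR, "PROBLEM: $p\n");
}
if (!$problems) {
    echo "saml.crt is SHA256-signed and valid for more than 30 days.\n";
}
exit($problems ? 1 : 0);
```

Running this from a scheduled job is a cheap way to turn the "stopped working after a year" symptom into a warning a month ahead; after regenerating, remember that ADFS still holds the old certificate until the administrator re-imports your metadata.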
Useful links