4 Easy Steps to Implement SSO on your Drupal Website

Posted by Vinay Abhang on Jan 11, 2020 8:00:00 AM

Regardless of your position on either side of the web, there is always a risk of becoming the victim of a cyber attack. This has put businesses in a tizzy to keep their visitors' personal data secure.

Enter Google. 

Google offers a SAML-based Single Sign-On (SSO) service which secures and supports its partner companies with full control over the authorization and authentication by acting as an identity provider to validate users.

SSO fixes major problems of large and small enterprises alike by providing:

  1. Greater security and compliance
  2. Enhanced usability and employee satisfaction
  3. Reduced IT costs

Secure single sign-on also gives users much more reason to trust the security of online companies, while saving them time. There are other open source and commercial identity provider solutions, like OneLogin, Centrify Identity Service and Microsoft Azure Active Directory, that can help you implement SSO.

One of our clients wanted to make their app accessible via SSO using Okta. Since their website was built on top of Drupal 8, in this blog we will illustrate the methods of SSO implementation on a Drupal website. We will also explore how individuals can manage various usernames and passwords.

Pre-requisites

  • SimpleSAMLphp as the Service Provider (SP)
    SimpleSAMLphp is a robust and complete implementation of SAML (Security Assertion Markup Language) in PHP. Its integration with Drupal makes it possible for the Drupal website to communicate over SAML to authenticate users. After successful integration, the Drupal website acts as a SAML service provider (SP).
  • Okta as the Identity Provider (IdP)
    Okta provides the ability to have SSO access to cloud, on-premise and mobile applications. Users can sign in to different web apps using their Okta credentials, eliminating the need to sign up for separate accounts and manage multiple credentials. Okta establishes a secure connection with the user's browser and then authenticates the user to Okta-managed apps.
  • Drupal 8 website

Ready? Now let's dig in!

In 4 Steps, Implement Single Sign-on on Drupal Website

Follow the below-mentioned steps to implement SSO. The following steps are for installation with vanilla Drupal.

Step 1: SimpleSAMLphp installation on the Drupal 8 website

1. Using Composer, download the Drupal contributed module for SimpleSAMLphp. This also fetches all of the module's dependencies, including the SimpleSAMLphp library itself. We will enable the module later.

```shell
composer require drupal/simplesamlphp_auth
```

2. In your Drupal website's root directory, create a symbolic link to the web-accessible directory of the SimpleSAMLphp library, which the Composer command above downloaded into the site's vendor directory. Name the link `simplesaml` so that it matches the path used below:

```shell
# ln -s path/to/original path/to/link
ln -s vendor/simplesamlphp/simplesamlphp/www simplesaml
```

3. Add the following lines to the existing `.htaccess` file in the site's root directory, immediately before the `RewriteRule ^ index.php [L]` line that hands all other requests to Drupal, so that requests under `/simplesaml` are served by SimpleSAMLphp instead of being rewritten to Drupal's `index.php`:

```apache
# Allow access to simplesaml paths.
RewriteCond %{REQUEST_URI} !^/simplesaml
```

`/simplesaml` is the path where SimpleSAMLphp will be installed on the Drupal website. This is the default path in the config file (`baseurlpath`) and can be changed as preferred.

4. The configuration templates are in the `vendor/simplesamlphp/simplesamlphp/config-templates` directory.

   a. Copy `config.php` (which holds the SimpleSAMLphp configuration) to the `vendor/simplesamlphp/simplesamlphp/config` folder and update the following values in the `$config` array:

```php
// Use a long random value generated for this site, not the template default.
'secret_salt' => 'anyrandomvalidstringofanylength',
'auth.adminpassword' => 'mypassword',
```

The `auth.adminpassword` is used to log in as administrator to the SimpleSAMLphp installation. `technicalcontact_name` and `technicalcontact_email` can also be specified to receive error logs during installation.

SimpleSAMLphp must be configured to use something other than the default "phpsession" for session storage. The alternatives are "memcache" or "sql". The simplest solution is to set:

```php
'store.type' => 'sql',
// PDO connection string for the session store; '127.0.0.1', the (empty) port
// and 'dbname' are placeholders for your database host, port and database name.
'store.sql.dsn' => sprintf('mysql:host=%s;port=%s;dbname=%s', '127.0.0.1', '', 'dbname'),
// Credentials of the database account SimpleSAMLphp uses for the session store.
'store.sql.username' => 'root',
'store.sql.password' => 'root',
```

   b. Copy the `authsources.php` file to the `vendor/simplesamlphp/simplesamlphp/config` folder and leave it as is for now. (We will make the necessary modifications in this file after the Okta application has been set up.)

5. Now, we can visit `http://site.base.url/simplesaml` which will display the SimpleSAMLphp installation page upon successful installation as shown below:

Screenshot: SimpleSAMLphp installation page

Step 2: Setting up the Okta application

For this, visit http://www.okta.com and log in using the company’s / client’s sign-in URL (considering that you are setting up Okta for your company or client). If you just want to try it out as a developer, then you can create a test account at https://developer.okta.com/signup/ which will provide you with a test Okta domain (similar to your company’s or client’s okta domain).

Once you have successfully logged in, follow the below steps to add and set up a new application for your Drupal website in Okta:

1.  After login, the displayed screen is the default Developer Console, which needs to be switched to ‘Classic UI’ by hovering over ‘Developer Console’ in the top-left bar. Then click the ‘Add Applications’ option in the Shortcuts section on the right-hand side.

2.  Click on ‘Create New App’. Let the Platform option be Web and Sign-on method as SAML 2.0 and click Create.

3.  On the next screen of General Settings, specify the metadata for the new app like name, logo and other visibility options. (This metadata will be used to display the app to the users in their Okta dashboard.)

4.  The next screen displays a form that generates the XML needed for the app's SAML request.

    a.  Single Sign-on URL: The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL of your application. It can be found under the Federation tab of the SimpleSAMLphp installation on the Drupal website: click Show metadata and look for the AssertionConsumerService with the HTTP-POST binding. The URL in its Location attribute is the Single Sign-on URL value and usually looks like this:

`http://local.test.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp`

Keep the ‘Use this for Recipient URL and Destination URL’ checkbox checked.

‘Allow this app to request other SSO URLs’ can be selected if we need to add SSO URLs for dev, stage and prod instances (separate text boxes are provided for entering multiple URLs). Although multiple URLs are supported, only the default SSO URL is used when users open the app from their Okta dashboard. It is therefore recommended to make the production instance URL the default once the SSO implementation is live, whereas while testing locally we can use the local instance URL as shown above.

  b. Audience URI (SP Entity ID): The application-defined unique identifier that is the intended audience of the SAML assertion. This is most often the SP Entity ID of your application and can be any relevant unique string (for example: okta_sso_drupal).

  c. All remaining fields, including those under Advanced Settings, can be left at their defaults.

  d. Attribute Statements: Although this is optional, specifying an attribute here will help when configuring the Drupal module, because these attributes are passed from Okta to the Drupal site after successful authentication. Specify Name as ‘email’, Name format as ‘Basic’, and select Value as ‘user.email’. That's it: click Next, fill in some relevant feedback for Okta and then click Finish.

Screenshot: SAML Configuration Settings

5.  You will now be redirected to the Sign On tab, which has a ‘View Setup Instructions’ button. Clicking it opens a new browser tab with the information needed for the handshake between SimpleSAMLphp and Okta:

  a. Identity Provider Issuer (Entity ID of the IdP)

  b. IDP metadata (needs to be added at the SP end)
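The three values entered in Okta above (Single Sign-on URL, Audience URI and the Identity Provider Issuer) are exactly what the SP later checks on every incoming SAML response, which is why they must match the SP configuration character for character. As an added illustration, not the post's code and not SimpleSAMLphp's own validation (which additionally verifies the XML signature against the IdP certificate and the NotBefore/NotOnOrAfter window), this Python snippet checks a constructed, unsigned response against those values; the ACS URL and Okta issuer are the ones shown in the post.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The values this post configures: the SP Entity ID given to Okta as Audience
# URI, the ACS URL given as Single Sign-on URL, and Okta's Identity Provider Issuer.
SP_ENTITY_ID = "okta_sso_drupal"
ACS_URL = "http://local.test.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
IDP_ENTITY_ID = "http://www.okta.com/exk25jyaqjm3wRz22357"

# Constructed, unsigned stand-in for the Response Okta POSTs to the ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2020-01-11T08:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-11T08:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jane@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2020-01-11T08:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-01-11T07:59:00Z" NotOnOrAfter="2020-01-11T08:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL, idp_entity_id=IDP_ENTITY_ID):
    """Return the mismatches between the response and the SP's configuration (empty list = consistent)."""
    root = ET.fromstring(xml_text)
    problems = []
    # Destination must be the ACS URL this SP registered with Okta.
    if root.get("Destination") != acs_url:
        problems.append("Destination is not the ACS URL")
    # Issuer must be the IdP configured as 'idp' in authsources.php.
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("Issuer is not the configured IdP")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    # Audience must equal the SP entityID (Okta's Audience URI).
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience does not include the SP entityID")
    # A bearer assertion's Recipient must also be the ACS URL.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient is not the ACS URL")
    return problems
```

Changing any one of the three constants makes the corresponding check fail, which is the same symptom you see when the Okta form and `authsources.php` disagree.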

 

Assigning the Application To the Users:

Once we have successfully set-up our application in Okta, we need to assign users to the application. This can be done by navigating to the Assignments tab in the application setup and clicking on Assign.

Screenshot: Assigning the application to the user

Step 3: Integrating SimpleSAMLphp and Okta

The entity ID and metadata of the IdP obtained from Okta need to be added to the SP (the Drupal site with SimpleSAMLphp installed).

1. In the Drupal codebase, update the `entityID` and `idp` values for `default-sp` in the `$config` array in the `vendor/simplesamlphp/simplesamlphp/config/authsources.php` file:

```php
'entityID' => 'okta_sso_drupal', // Must be the same as the Audience URI (SP Entity ID) specified in Okta.
'idp' => 'http://www.okta.com/exk25jyaqjm3wRz22357', // Identity Provider Issuer, i.e. the Entity ID of the IdP obtained from Okta.
```

As the name suggests, `default-sp` is the default SP. In the same way, we can add multiple SPs configured against different IdPs as different keys in the `$config` array.

2. For adding the IdP metadata, copy the relevant templates available from the `vendor/simplesamlphp/simplesamlphp/metadata-templates` folder to the `vendor/simplesamlphp/simplesamlphp/metadata` folder (in this case, the file is saml20-idp-remote.php, since we are using SAML 2.0 and we need to specify metadata for remote IdP - Okta).

3. Since the obtained IdP metadata is in XML format and we need to add it in PHP, we will need to parse it. This can be done by navigating to our SimpleSAMLphp installation on our Drupal site and clicking on ‘XML to SimpleSAMLphp metadata converter’ under the Federation tab. (Administrator login is required for this, the username is admin and password is the one specified in ‘auth.adminpassword’ in config.php file.)

4. Copy the XML IdP metadata and paste it in the text area, click Parse and then copy the converted metadata in the PHP format and paste it in the `vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php` file.

5. Now check if the handshake is successful by clicking on the ‘Test configured authentication sources’ link under the Authentication tab in SimpleSAMLphp installation. There will be two options - admin and default-sp as defined in `authsources.php` file, click on default-sp and you will see a screen similar to the following one:

Screenshot: Handshake between SimpleSAMLphp and Okta

The above screen means the handshake between SimpleSAMLphp and Okta is successful.
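What the ‘XML to SimpleSAMLphp metadata converter’ does in steps 3 and 4 above can be followed in a small script. Added here as an illustration (it is not the post's code and not SimpleSAMLphp's converter, whose full output carries more keys), this Python snippet pulls the entityID, the SingleSignOnService endpoints and the signing certificate out of a constructed Okta-style metadata document and renders the `$metadata[...]` entry for `saml20-idp-remote.php`; the Okta host, app path and certificate body are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the IdP metadata XML shown by Okta under "View Setup
# Instructions"; the Okta host, app path and certificate body are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk25jyaqjm3wRz22357">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIICPLACEHOLDERBASE64
      CERTIFICATEBODY==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://dev-000000.okta.com/app/exampleapp/exk25jyaqjm3wRz22357/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://dev-000000.okta.com/app/exampleapp/exk25jyaqjm3wRz22357/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract the fields a saml20-idp-remote entry needs from IdP metadata XML."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    keys = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # no 'use' attribute means the key serves both purposes
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        # This certificate is what the SP verifies Okta's assertion signatures
        # against, so keep it intact but drop the line breaks metadata wraps it in.
        keys.append({"encryption": use in (None, "encryption"), "signing": use in (None, "signing"),
                     "type": "X509Certificate", "X509Certificate": "".join(cert.split())})
    if not any(k["signing"] for k in keys):
        raise ValueError("no signing certificate: the SP could not verify assertions")
    return {"entityid": root.get("entityID"),
            "SingleSignOnService": [{"Binding": s.get("Binding"), "Location": s.get("Location")}
                                    for s in idp.findall("md:SingleSignOnService", NS)],
            "keys": keys}


def php(value, indent=1):
    """Render a Python value as a PHP array literal, one entry per line."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, str):
        return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
    pad = "    " * indent
    if isinstance(value, dict):
        items = [f"{pad}{php(k)} => {php(v, indent + 1)}," for k, v in value.items()]
    else:
        items = [f"{pad}{php(v, indent + 1)}," for v in value]
    return "[\n" + "\n".join(items) + "\n" + "    " * (indent - 1) + "]"


def to_saml20_idp_remote(xml_text):
    """Return the PHP statement to paste into metadata/saml20-idp-remote.php."""
    meta = parse_idp_metadata(xml_text)
    return f"$metadata[{php(meta['entityid'])}] = {php(meta)};"
```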

Step 4: Enabling SSO on the Drupal site

Now that SimpleSAMLphp is installed on our Drupal site, the Okta application is set up and the handshake between the two succeeds, we can enable SSO on our Drupal website by enabling and configuring the contributed Drupal module simplesamlphp_auth, which we have already downloaded.

1. Install the module through the UI or via Drush:

```shell
drush en simplesamlphp_auth -y
```

Enabling the module changes the ‘Who can register accounts?’ setting to ‘Administrators only’ by default; this can be changed as needed at `/admin/config/people/accounts`.

2. Post-installation, in order to configure the module navigate to `/admin/config/people/simplesamlphp_auth`.


3. The module can be configured based on your requirements and has descriptive help text for each setting. The settings that need particular attention are:

a. Basic Settings:

   1. The ‘Activate authentication via SimpleSAMLphp’ checkbox should only be checked once the module configuration is complete, because checking it disables the default Drupal user login for all users except the superuser (uid 1).
   2. The Authentication source is the one defined in the `vendor/simplesamlphp/simplesamlphp/config/authsources.php` file, by default `default-sp`.
   3. Federated Login Link Display Name is the link text of the SSO link displayed on the default login page of the Drupal website (/user/login).

b. Local Authentication:

   1. Local authentication means allowing users to log in to the site via Drupal authentication (/user/login).
   2. By default, only the superuser (uid 1) is allowed to log in with a local Drupal account. This can be widened to particular users by specifying their user IDs, or to particular roles.

c. User info and syncing:

   1. We configured an `email` attribute in the Okta application, which is sent to the Drupal site after successful login. Other attributes can be configured in Okta and used in the module configuration, but since we only have the `email` attribute we will use it for all three of the following:
      • SimpleSAMLphp attribute to be used as a unique identifier for the user
      • SimpleSAMLphp attribute to be used as the username for the user
      • SimpleSAMLphp attribute to be used as an email address for the user

4. All the other settings can be left as they are. Now we can enable the ‘Activate authentication via SimpleSAMLphp’ checkbox under Basic settings.


That’s it. We can now log in via SSO on our Drupal site by visiting the default login page (/user/login) and clicking the ‘Federated Login’ link, as seen in the screenshot below.

Screenshot: SSO Implementation Test

Summing Up

Single sign-on offers great user experience, productivity, and cost-saving benefits. By implementing it, your organization can increase the business’ capability to respond and securely deliver a convenient and seamless user experience throughout your apps and other domains.

Topics: Drupal Planet, Coding and Tutorial, Drupal 8

Why Fortune 500 Companies Use Drupal

Posted by Gaurav Singh on Feb 5, 2019 2:58:00 PM

With so many options available in the market, picking the right content management system (CMS) for your needs can be challenging. A good CMS must allow even a non-technical person to be able to make changes and add content without having to depend on a technical team.

Drupal is the leading CMS for developing sophisticated, flexible and robust web applications that allows unlimited customization. Many Fortune 500 companies choose Drupal because it is built for editors, is powerful for administrators, and has secure and accessible features. Some of these companies include General Electric, Warner Media, Johnson & Johnson and eBay.

Drupal is suitable for complex, content heavy, and high traffic websites, as well as those with large resource libraries and databases.

Why Choose Drupal?

Drupal has evolved and become more than just a CMS. It’s a digital experience management system that creates content and personalized customer experiences which helps your organization connect with customers wherever they are.

Here are a few top-level advantages of using Drupal CMS:

1.    Flexible Content Architecture

One of the key strengths of Drupal is its flexible content architecture with essential tools for content creation and publishing, like a customizable WYSIWYG editor. This allows anyone to create entirely new types of content (landing pages, blog entries, surveys and polls), with complete control over where and how the content is displayed.

Drupal also handles multiple users with different roles and permission sets and lets administrators control access to tasks.

2.    Super Scalable

Drupal supports some of the world's highest-traffic sites, such as the Emmys and eBay, and is capable of handling both traffic spikes and regular streams of high-volume traffic.

3.    Seamless Integration Capabilities

One of Drupal’s greatest strengths is that it is highly flexible and seamlessly integrates with other solutions and services. It uses an open standard which provides an extensible framework to integrate with data sources. This gives organizations a great opportunity to implement functionality in the most appropriate technology or platform, and then simply connect to it via web services or other means.

Thanks to this seamless third-party integration, Drupal can be introduced as a new part of your ecosystem that consumes existing services, minimizing the scale of architectural change needed to introduce new services.

Drupal also integrates with “internal” services, i.e. services that you don’t intend to expose to the public (CRM, accounting software, etc.), which makes it suitable for government websites.

4.    Secure CMS

Security is a major concern for businesses, and Drupal is a proven, secure CMS and application framework that stands up to critical vulnerabilities.

A dedicated security team with dozens of experts from around the world regularly reviews releases and security issues. The team fixes security problems and publishes advisories that explain vulnerabilities, along with steps to mitigate them.

With regular updates and security reports for users and software installations, organizations around the world—including leading corporations, banks and governments, industries that deal with a lot of sensitive personal information—rely on Drupal’s ability to prevent security threats.

5.    IT Cost Reduction

Open source frees businesses from the “the more you grow, the more you pay” model. Drupal's open source licensing spares companies and organizations from costly licensing fees and vendor lock-in.

The community-driven nature of the platform allows innovation through code sharing by hundreds of thousands of developers—the code is available to others to use in their projects or to find ways to make it better. With Drupal, an open source system, the focus is on community and collaboration. As more people and organizations participate, more features are available, thus resulting in less expenditure on development, while accelerating innovation.

6.    Highly Extendable

Drupal allows you to configure and add the appropriate modules to take the platform beyond its core capability. The numerous Drupal modules help you build impressive sites with few programming skills. And if no module supports a specific business need, you can build it through custom code.

The most recent upgrade from Drupal 7 to Drupal 8 made the integration and use of contributed modules easier and better than before. There are tens of thousands of modules currently available.

7.    The Community

Drupal is beloved by a thriving development community. The tagline rightly says, “Come for the Software, Stay for the Community”. Drupal has a large user community that regularly contributes to its repositories. Here are a few figures to illustrate this:

  • 38,695 active developers
  • 1.2 million accounts
  • 2,000+ commits / week
  • 31,199 modules and 2,141 themes
  • 2,400+ events each year

The community maintains a platform for digital innovation and ideas.

While the battle of choosing the right CMS between Drupal and other CMSs is guaranteed to be a longstanding one, the benefits of choosing Drupal for complex, content heavy, and high traffic websites, as well as those with large resource libraries and databases are incomparable. With immense flexibility, extensibility, a huge open source community involvement, massive database accommodation capabilities, and impressive security measures, Drupal is a powerful choice for your content-based website.

Looking to migrate your enterprise websites to Drupal? Speak to our Drupal experts for the efficient, scalable and cost effective way to do this.

Topics: Drupal, Drupal Planet, Enterprises
