How To Implement Azure AD For Single Sign-On In Drupal

By Shifali Baghel Oct 5, 2021

Your employees may find it painstaking to memorize several credentials for accessing multiple cloud-based web applications. However, your IT support team might find it even more exhausting, when flooded with support requests of setting up or resetting passwords.

It affects their productivity and involves the allocation of a number of IT resources, countless hours, and huge costs, all of which can be leveraged to resolve more pressing IT-related issues.

That is why Single Sign-on via SAML is the go-to solution to overcome such roadblocks. Its main objective is to give users the freedom to log on to internal portals and intranet applications with their official credentials. Azure AD provides integration with Active Directory, whether on-premises, hybrid, or cloud.

To achieve this implementation, you need to use a contributed module called miniOrange_saml. It is compatible with most of the SAML Identity Providers. 

This blog will help you to configure and use SAML in Drupal as a Service Provider and in Azure AD as an Identity Provider to enable the Single-Sign-On on the Drupal application. 

How To Create an Account on Microsoft Azure

Note:  You can use the Microsoft Azure trial version to test the SSO functionality; however, it is highly recommended to use the paid version on the production site.

How to configure the Drupal module

To download and install the miniOrange SAML module, perform the following procedure:

1.  Run the following command, through Composer, to install the module:

composer require drupal/miniorange_saml

2.  Go to your Drupal site and install the downloaded module:



3.  Go to /admin/config and click miniOrange SAML login configuration:


4.  On the config page, open /admin/config/people/miniorange_saml/idp_setup and copy the following URLs:

    • SP Entity ID/Issuer
    • SP ACS URL


Note: The copied URLs will be used when configuring the SAML application in Azure AD.

How To Create a SAML Application for Single Sign-on

Now that you have successfully registered on the Azure portal, you need to create an Azure directory application: 

1.  Log on to the Azure portal. The home page is displayed:

2.  Click Azure Active Directory:

3.  Click Add > Enterprise Application Link:

4.  Click New application:

5.  Click Create your own application:

6. Type the name of the SAML application. Click Save:

7.  Type the application name and URL (SP ACS URL), copied earlier from the Drupal module configuration page:

8.  The application is now listed:

9.  Click the Application ID URL link and set the SP Entity ID/Issuer URL, as copied earlier from the Drupal module configuration page:

10.  Click the Set link and paste the SP Entity ID/Issuer URL. Click Save:


11.  Go to the Overview page, click the Certificates & secrets link, and generate one secret key:


12. When the secret key is generated, copy the key value. This secret key will be used in the Drupal Module configuration:

13.  Return to the Overview page, click Endpoints, and copy the Federation metadata document URL. This metadata URL will also be used while configuring the Drupal module:

14.  The Azure AD configuration is now completed.
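Steps 7, 9 and 10 put the SP ACS URL and the SP Entity ID/Issuer into Azure AD because Azure echoes them back in every SAML Response it issues: the ACS URL as the Response Destination and the SubjectConfirmationData Recipient, the Entity ID as the assertion Audience. A service provider is expected to compare those values, the Issuer, the InResponseTo id and the validity window against its own configuration before trusting the assertion, which is why a typo in either URL surfaces later as a failed Test configuration. The Python script below, an added example that is not part of the original post or of the miniOrange module, runs those checks over a constructed, unsigned sample response; the SP URLs, the tenant id and the fixed clock are placeholders. Verifying the XML signature against the certificate from the IdP metadata must happen first and is left out here.

```python
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for XML posted by a browser
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(minutes=3)  # tolerated drift between the IdP's clock and ours

# Placeholders: use the SP Entity ID/Issuer and SP ACS URL shown on the module's
# configuration page, and the entityID from the tenant's federation metadata.
SP_ENTITY_ID = "https://drupal.example.com/sp-entity-id"
SP_ACS_URL = "https://drupal.example.com/saml-acs"
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
NOW = datetime(2021, 10, 5, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the sample


def saml_time(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_saml_time(value):
    # SAML timestamps are UTC; Azure AD may add fractional seconds, which are dropped here.
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def build_sample_response(audience=SP_ENTITY_ID, destination=SP_ACS_URL, not_on_or_after=None):
    """Constructed, unsigned sample with the shape of an Azure AD SAML Response."""
    expiry = not_on_or_after or NOW + timedelta(minutes=5)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_resp-1"
  Version="2.0" IssueInstant="{saml_time(NOW)}" Destination="{destination}" InResponseTo="_req-1">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_assert-1" Version="2.0" IssueInstant="{saml_time(NOW)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req-1" Recipient="{destination}"
          NotOnOrAfter="{saml_time(expiry)}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{saml_time(NOW - timedelta(minutes=1))}" NotOnOrAfter="{saml_time(expiry)}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text, request_id, now=NOW):
    """Return the list of mismatches; an empty list means the response was meant for this SP.

    XML signature verification against the certificate from the IdP metadata must
    succeed before any of these checks are worth running; it is outside this snippet.
    """
    problems = []
    resp = ET.fromstring(xml_text)
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if resp.get("Destination") != SP_ACS_URL:
        problems.append(f"Destination {resp.get('Destination')!r} is not the SP ACS URL")
    if resp.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the AuthnRequest this SP sent")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion in the response")
        return problems
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        problems.append(f"Issuer {issuer!r} is not the Azure AD tenant's entityID")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    if audience != SP_ENTITY_ID:
        problems.append(f"Audience {audience!r} is not the SP Entity ID/Issuer")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        problems.append("SubjectConfirmationData Recipient is not the SP ACS URL")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        if parse_saml_time(cond.get("NotBefore")) - CLOCK_SKEW > now:
            problems.append("assertion not yet valid (NotBefore)")
        if parse_saml_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW <= now:
            problems.append("assertion expired (NotOnOrAfter)")
    return problems


if __name__ == "__main__":
    print("well-formed:", validate_response(build_sample_response(), "_req-1") or "ok")
    print("wrong audience:", validate_response(build_sample_response(audience="https://other.example.com/"), "_req-1"))
```

The checks are deliberately exact string comparisons: a trailing slash or an http/https difference between what the module displays and what was pasted into Azure is enough to make the Audience or Destination comparison fail, and that is the usual cause of a Test configuration error after an otherwise successful Azure login.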

How to return to the Drupal Module configuration page

To return to the Drupal module configuration page, perform the following procedure:

1.  Open the following path on your Drupal site:

/admin/config/people/miniorange_saml/sp_setup

2.  Add the previously copied Federated Metadata Document URL in the Upload Metadata URL field (the URL has been copied from the application endpoints in Azure AD), and click Fetch Metadata:


Example of metadata URL (Federated Metadata Document):

https://login.microsoftonline.com/<tenant_id>/federationmetadata/2007-06/federationmetadata.xml

Note: You can obtain the Tenant Id from your Azure application overview page.
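What the Fetch Metadata button consumes is the tenant's SAML metadata: the entityID Azure AD will use as Issuer, the single sign-on endpoints, and the certificate it signs assertions with. The script below, an added example that is not code from the post or from the miniOrange module, parses a constructed document of that shape, computes the SHA-256 fingerprint of the signing certificate so it can be compared with what the module shows after the fetch, and refuses to download metadata from anything other than the HTTPS login.microsoftonline.com endpoint. The tenant id and the certificate bytes are placeholders, not real values.

```python
import base64
import hashlib
import urllib.request
from urllib.parse import urlparse
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for XML from untrusted parties

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
AZURE_ISSUER_PREFIX = "https://sts.windows.net/"
METADATA_HOST = "login.microsoftonline.com"

# Constructed sample shaped like the Azure AD federation metadata document.
# The tenant id is all zeros and the "certificate" is placeholder bytes, not a real X.509 certificate.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="{AZURE_ISSUER_PREFIX}{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}"><X509Data><X509Certificate>{PLACEHOLDER_CERT_B64}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://{METADATA_HOST}/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://{METADATA_HOST}/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def fetch_metadata(url):
    """Download the federation metadata, accepting only the HTTPS Microsoft endpoint."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname != METADATA_HOST:
        raise ValueError(f"refusing to fetch metadata from {url!r}")
    with urllib.request.urlopen(url, timeout=10) as response:
        return response.read().decode("utf-8")


def cert_fingerprint(b64_der):
    """SHA-256 fingerprint of a base64 DER certificate, as colon-separated upper-case hex."""
    digest = hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text):
    """Pull out what a service provider needs from the IdP's EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # Map the binding's short name (HTTP-Redirect, HTTP-POST) to its endpoint URL.
    sso = {svc.get("Binding", "").rsplit(":", 1)[-1]: svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}
    # A KeyDescriptor without a use attribute may be used for signing as well as encryption.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            certs += [c.text for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if c.text]
    return {
        "entity_id": root.get("entityID"),
        "sso_redirect": sso.get("HTTP-Redirect"),
        "sso_post": sso.get("HTTP-POST"),
        "signing_cert_fingerprints": [cert_fingerprint(c) for c in certs],
    }


def check_azure_metadata(info, tenant_id):
    """Sanity checks before trusting fetched metadata for a tenant; returns a list of problems."""
    problems = []
    if info["entity_id"] != f"{AZURE_ISSUER_PREFIX}{tenant_id}/":
        problems.append("entityID does not belong to the expected tenant")
    if not info["signing_cert_fingerprints"]:
        problems.append("no signing certificate, so assertions could not be verified")
    for key in ("sso_redirect", "sso_post"):
        if not (info[key] or "").startswith("https://"):
            problems.append(f"{key} endpoint is missing or not https")
    return problems


if __name__ == "__main__":
    details = parse_idp_metadata(SAMPLE_METADATA)
    for name, value in details.items():
        print(f"{name}: {value}")
    print("problems:", check_azure_metadata(details, TENANT_ID) or "none")
```

Azure AD rotates its signing certificate, so the fingerprint list is also what to re-check when logins start failing after a period of working: refetching the metadata and comparing fingerprints tells you whether the IdP key changed or the SP configuration did.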

3.  All the Azure related information is automatically added on the configuration page:

4.  Click the Service provider setup tab and then click Test configuration to test the configuration using your Azure AD credentials:


5.  The Test Successful message is displayed:

6.  Now open a new window in incognito mode. You can now view the Login via Identity Provider link:


7.  Users can now successfully log on to the Drupal site with their Azure AD credentials.

Testing with Azure AD

Now, you can view the SSO login link on your default Drupal login page. To test your credentials with Azure AD, perform the following procedure:

1.  When you click the Azure login link on the Drupal login page, you will be redirected to the Microsoft login account:

2.  Type your AD credentials in the respective fields:

3.  If you have a Microsoft account application on your mobile, then type the code. If not, install the Microsoft account authentication app from the Microsoft app store:

4.  To remain signed in, click Yes:

5.  You can now log on with your Azure AD credentials:

Drupal will create a new user in the backend. You can ask your admin to check the people page.

Limitations of the Azure SAML module

Some of the limitations of the free version of the SAML module that were observed during the implementation process:

  • An open-source version of this module can only map basic attributes, such as Username and Email
  • This module does not provide IdP-based advanced role mapping. The free version also does not provide Force Authentication, which forces an anonymous user to authenticate before they can access the Drupal site; in the current scenario, a user who is not logged in is redirected to the SSO login page.

To overcome the above-mentioned limitations, you can opt for the premium version of the module.

Wrapping up

It is clearly evident that single sign-on enhances user experience, drives productivity, and provides cost-saving benefits. You should implement SSO to provide your customers and employees the flexibility to log on to different applications and services easily, quickly, and more securely.

Through the miniOrange SAML module, Azure users can use their credentials and log on successfully to the Drupal site. For more information about this module, click here.
