Your employees may find it painstaking to memorize several credentials for accessing multiple cloud-based web applications. However, your IT support team might find it even more exhausting, when flooded with support requests of setting up or resetting passwords.
It affects their productivity and involves the allocation of a number of IT resources, countless hours, and huge costs, all of which can be leveraged to resolve more pressing IT-related issues.
That is why Single Sign-on via SAML is the go-to solution to overcome such roadblocks. Its main objective is to provide users with the freedom to log on to internal portals and intranet applications by using their official credentials. Azure AD provides integration with Active Directory, either on-premise, hybrid, or cloud.
To achieve this implementation, you need to use a contributed module called miniOrange_saml. It is compatible with most of the SAML Identity Providers.
This blog will help you to configure and use SAML in Drupal as a Service Provider and in Azure AD as an Identity Provider to enable the Single-Sign-On on the Drupal application.
How To Create an Account on Microsoft Azure
Note: You can use the Microsoft Azure trial version to test the SSO functionality; however, it is highly recommended to use the paid version on the production site.
How to configure the Drupal module
To download and install the miniOrange SAML module, perform the following procedure:
1. Run the following command, through composer, to install the module:
Run: Composer require drupal/miniorange_saml
2. Go to your Drupal site and install the downloaded module:
3. Go to /admin/config and click miniOrange SAML login configuration:
4. On the config page, copy the /admin/config/people/miniorange_saml/idp_setup command and copy the following URLs:
- SP Entity ID/Issuer
- SP ACS URL
Note: The copied URLs will be used when configuring the SAML application in Azure AD.
How To Create a SAML Application for Single Sign-on
Now that you have successfully registered on the Azure portal, you need to create an Azure directory application:
1. Log on to the Azure portal. The home page is displayed:
2. Click Azure Active Directory:
3. Click Add > Enterprise Application Link:
4. Click New application:
5. Click Create your own application:
6. Type the name of the SAML application. Click Save:
7. Type the application name and URL (SP ACS URL), copied earlier from the Drupal module configuration page:
8. The application is listed as shown below:
9. Click the Application ID URL link and set the SP Entity ID/Issuer URL, as copied earlier from the Drupal module configuration page:
10. Click the Set link and paste the SP Entity ID/Issuer URL. Click Save:
11. Go to the overview page. Click the certificate and secrets link and generate one secret key:
12. When the secret key is generated, copy the key value. This secret key will be used in the Drupal Module configuration:
13. Return to the overview page, click Endpoint, and copy the Federation metadata document. This metatag will also be used while configuring the Drupal module:
14. The Azure AD configuration is now completed.
How to return to the Drupal Module configuration page
To return to the Drupal module configuration page, perform the following procedure:
1. Run the following command:
2. Add the previously copied Federated Metadata Document () URL in the Upload Metadata URL field (the URL has been copied from the Application endpoint in Azure AD), and click Fetch Metadata:
Example of metadata URL (Federated Metadata Document):
Note: You can obtain the Tenant Id from your Azure application overview page.
3. All the Azure related information is automatically added on the configuration page:
4. Click the Service provider setup tab and then click Test configuration to test the configuration using your Azure AD credentials:
5. The Test Successful message is displayed:
6. Now open a new window in the incognito mode. You can now view the Login via Identify Provider link:
Testing with Azure AD
Now, you can view the SSO login link on your default Drupal login page. To test your credentials with Azure AD, perform the following procedure:
1. When you click the Azure login link via the Drupal login page, you will be redirected to the Microsoft login account:
2. Type your AD credentials in the respective fields:
3. If you have a Microsoft account application on your mobile, then type the code. If not, install the Microsoft account authentication app from the Microsoft app store:
4. To remain signed in, click Yes:
5. You can now log on with your Azure AD credentials:
Drupal will create a new user in the backend. You can ask your admin to check the people page.
Limitations of the Azure SAML module
Some of the limitations of the free version of the SAML module that were observed during the implementation process:
- An open-source version of this module can only map basic attributes, such as Username and Email.
- This module does not provide IDP-based advanced role mapping. The free version does not provide Force Authentication. This feature provides forced authentication of an anonymous user before they can access the Drupal site. In the current scenario, a user is redirected to the SSO login page, if not logged in.
To overcome the above-mentioned limitations, you can opt for the premium version of the module.
It is clearly evident that single sign-on enhances user experience, drives productivity, and provides cost-saving benefits. You should implement SSO to provide your customers and employees the flexibility to log on to different applications and services easily, quickly, and more securely.
Through the miniOrange SAML module, Azure users can use their credentials and log on successfully to the Drupal site. For more information about this module, click here.