Skip to content Skip to navigation

Sunet Authentication for Drupal using SimpleSAMLphp

Author: 

Setting SSL certificate and https connection

Make sure the web server has a valid SSL certificate. See https://uit.stanford.edu/service/ssl for more information. If you are setting this on on your development machine make sure that it is registered to Stanford.

Setting  SimpleSAMLphp library

  • Download SimpleSAMLphp from https://simplesamlphp.org/download
  • Unzip into a directory and tell server where library is located
  • For configuration on Pantheon follow these instructions to add library in directory /private/simplesamlphp/www  and set symlink https://pantheon.io/docs/shibboleth-sso/
  • For configuration on your local computer
    • unzip into a directory outside your web server docroot.
    • In web server configuration (httpd-ssl.conf, for example, in apache), add the following to the VirtualHost definition for your server:
SetEnv SIMPLESAMLPHP_CONFIG_DIR /Users/irinaz/Sites/siepr/simplesamlphp/config
Alias /simplesaml /Users/irinaz/Sites/siepr/simplesamlphp/www
<Directory /Users/irinaz/Sites/siepr/simplesamlphp/www>
   <IfModule !mod_authz_core.c>
       Order allow,deny
       Allow from all
   </IfModule>
</Directory>
  • For configuration on Pantheon follow these instructions to add universal absolute path to the installation in  settings.php  https://pantheon.io/docs/shibboleth-sso/#drupal-configuration
  • cd into SimpleSAMLphp cert directory (on your local computer) and create a self-signed certificate: openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
  • cd into SimpleSAMLphp metadata directory and edit saml20-idp-remote.php

and add the following to the bottom of the file:

$metadata['https://idp-uat.stanford.edu/'] = array(
 'name' => array(
   'en' => 'Stanford University WebLogin',
 ),
 'description'         => 'Stanford University WebAuth',
 'SingleSignOnService' => 'https://idp-uat.stanford.edu/idp/profile/SAML2/Redirect/SSO',
 'certFingerprint'     => '6e:c8:18:f6:f9:3d:00:9d:8d:ab:18:02:fd:1a:41:14:ed:98:e4:31'
);
  • cd into SimpleSAMLphp/config directory and edit authsources.php
In the "default-sp" section, change

"idp" => null,  
to: "idp" => "https://idp-uat.stanford.edu/',

and add the following:
   'privatekey' => 'saml.pem',
   'certificate' => 'saml.crt',
   'authproc' => array(
     20 => 'saml:NameIDAttribute',
   ),
  • Stay in the config directory and edit config.php

7a. Make sure the following config options are set:

   'baseurlpath' => 'https://<YOUR WEB SERVER HOSTNAME>.stanford.edu/simplesaml/',
   'certdir' => "/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/cert/',
   'metadatadir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/metadata/',
   'attributenamemapdir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/attributemap/',
   'loggingdir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/log/',
   'datadir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/data/',

7b. Change auth.adminpassword to something better than "123"

7c. Change secretsalt to something other than default by following instructions in config.php

7d. Change technicalcontact_name and technicalcontact_email to your name and email address

7e. Change timezone to 'America/Los_Angeles"

7f. Change "enable.saml20-idp" to true

7g. Replace the "authproc.sp" section with the following:

   'authproc.sp' => array(
       10 => array(
           'class' => 'core:AttributeMap', 'removeurnprefix',
           'oid2name',
       ),
       20 => array(
           'class' => 'authorize:Authorize',
           // use Regular Expression to define which workgroup members can login
           // this example lets in anyone from earthsci:web-authors or earthsci:web-developers, make sure that you use correct workgroup here
           'eduPersonEntitlement' => array(
               '/earthsci:(web-authors|web-developers)/',
           )
       ),
       // Adopts language from attribute to use in UI
       90 => 'core:LanguageAdaptor',

   ),

7h. It is recommended that you do not use "store.type" => "phpsession".
If PHP on your server includes memcache, change "store.type" => "memcache" and (other memcache configuration TBD).

Otherwise, change
"store.type" => "sql",
and set store.sql.dsn, store.sql.username, and store.sql.password to access your Drupal database.
 

Test SimpleSamlphp Library and get metadata

 

  • Go to your website at https://<YOUR WEB SERVER HOSTNAME>.stanford.edu/simplesaml/ and click Configuration tab.
  • Go to configuration tab and run the "sanity check" to see if you are still sane.
  • Go to federation tab and click "SAML 2.0 SP Metadata" for "default-sp"
  • Copy the metadata to your clipboard

Register your SP (service provider) with Stanford

  • Go to https://spdb.stanford.edu  and click "Add New Service Provider"
  • Paste metadata into Metadata field and enter a Contact (Group) Email. You need to be admin of respective workgroup, or you need to submit ServiceNow ticket so 
  • Submit metadata
  •  When you get word back that your SP has been registered, go back to https://<YOUR WEB SERVER HOSTNAME>.stanford.edu/simplesaml/ and click the authentication tab.
  • Click default-sp. You should be taken to WebLogin and back to a page that shows your account information.
Congratulations - now Sunet Login works on your website.

Configure Drupal SimpleSamlPHP or StanfordSimpleSaml modules


11. For Drupal 7.x, install module simplesamlphp_auth
   For Drupal 8.x, install modules simplesamlphp_auth and externalauth

12. Configure simplesamlphp_auth

Drupal 7.x

  • Check activate
  • Enter the location of simplesamlphp directory.   If you are working on Pantheon, this will be defined in settings.php file.
  • Leave default-sp as authentication source
  • Check force https for login links
  • Use "displayName" as attribute for user"s name
  • use "urn:mace:dir:attribute-def:uid" as attribute for unique identifier for user (SUNet ID)
  • use "mail" for user mail address
  • set automatic role population like: "web_author:eduPersonEntitlement,=,earthsci:web-authors|web_developer:eduPersonEntitlement,=,earths:web-developer"
  • check "reevaluate roles every time user logs in"
  • check "Register users" under User Provisioning
  • uncheck "Allow SAML users to set Drupal passwords"
  • check "Allow authentication with local Drupal accounts" and restrict to administrator role and/or user 1
  • option URL for after logging out

Drupal 8.x
 

  • Check activate

  • Leave default-sp as authentication source

  • Change login text to "Stanford WebLogin"

  • Check "Register Users (auto provisioning)"
    uncheck "Allow SAML users to set Drupal passwords" under Local Authentication
    check "Allow authentication with local Drupal accounts" and restrict to administrator role and/or user 1
    option URL for after logging out

  • Under "User Info and Syncing":
    Use "displayName" as attribute for user"s name
    use "urn:mace:dir:attribute-def:uid" as attribute for unique identifier for user (SUNet ID)
    use "mail" for user mail address
    check "synchronize user name on every login"
    check "synchronize user email on every login"
    set automatic role population like: "web_author:eduPersonEntitlement,=,earthsci:web-authors|web_developer:eduPersonEntitlement,=,earths:web-developer"
    check "reevaluate roles every time user logs in"

  • uncheck "Automatically enable SAML authentication for existing users"