
Sunet Authentication for Drupal using SimpleSAMLphp


Document by K. Sharp

Setting up the SSL certificate and HTTPS connection

Make sure the web server has a valid SSL certificate; see https://uit.stanford.edu/service/ssl for more information. SAML assertions and the SimpleSAMLphp session cookie must only ever travel over HTTPS. If you are setting this up on your development machine, make sure the machine is registered to Stanford.

Setting up the SimpleSAMLphp library

  • Download SimpleSAMLphp from https://simplesamlphp.org/download
  • Unzip it into a directory and tell the web server where the library is located
  • For configuration on Pantheon, follow these instructions to add the library under /private/simplesamlphp/www and set the symlink: https://pantheon.io/docs/shibboleth-sso/
  • For configuration on your local computer:
    • unzip into a directory outside your web server docroot. Only the www directory should be reachable over HTTP; the config, cert and metadata directories hold the SP private key and the IdP trust settings and must not be served.
    • In the web server configuration (httpd-ssl.conf, for example, in Apache), add the following to the VirtualHost definition for your server, replacing the /Users/irinaz/Sites/siepr paths with your own install location. On Apache 2.4 a directory outside the docroot is denied unless "Require all granted" is set, so the second IfModule branch is needed there in addition to the Apache 2.2 one:
SetEnv SIMPLESAMLPHP_CONFIG_DIR /Users/irinaz/Sites/siepr/simplesamlphp/config
Alias /simplesaml /Users/irinaz/Sites/siepr/simplesamlphp/www
<Directory /Users/irinaz/Sites/siepr/simplesamlphp/www>
   <IfModule !mod_authz_core.c>
       # Apache 2.2
       Order allow,deny
       Allow from all
   </IfModule>
   <IfModule mod_authz_core.c>
       # Apache 2.4
       Require all granted
   </IfModule>
</Directory>
  • For configuration on Pantheon, follow these instructions to add the universal absolute path to the installation in settings.php: https://pantheon.io/docs/shibboleth-sso/#drupal-configuration
  • cd into the SimpleSAMLphp cert directory (on your local computer) and create a self-signed SP certificate: openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
    -nodes writes the private key unencrypted, so make sure saml.pem is readable only by the web server user and is never under the docroot; saml.crt is the public half, which ends up in the SP metadata you register with Stanford.
  • cd into the SimpleSAMLphp metadata directory and edit saml20-idp-remote.php

and add the following to the bottom of the file:

$metadata['https://idp.stanford.edu/'] = array(
 'name' => array(
   'en' => 'Stanford University WebLogin',
 ),
 'description'         => 'Stanford University WebAuth',
 'SingleSignOnService' => 'https://login.stanford.edu/idp/profile/SAML2/Redirect/SSO',
  'certFingerprint'     => '2b:41:a2:66:6a:4e:3F:40:c6:30:55:6a:1f:ec:c3:e3:0b:ce:ee:8f'
);

 

New configurations should use 'certData' (the base64 body of the IdP's signing certificate, without the BEGIN/END lines or line breaks) instead of 'certFingerprint', which is deprecated. Either way, take the value from Stanford's published IdP metadata rather than from a certificate fetched over an unverified channel: this entry is what your SP uses to verify the signatures on the IdP's assertions, so a wrong or attacker-supplied value means accepting forged logins.
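The following is an added example in Python (standard library only); it is not part of this page or of SimpleSAMLphp. It shows how the two pinning values relate to the same certificate bytes: 'certFingerprint' is the SHA-1 of the DER encoding written as colon-separated hex, and 'certData' is the base64 of that DER with the PEM armour removed. It also provides a check that a certificate you obtained matches a fingerprint you were given out of band, accepting the mixed-case, colon-separated form used in the metadata above. The certificate bytes in the demo are a constructed placeholder, not a real X.509 structure; the transformations are identical for a real certificate.

```python
import base64
import hashlib
import re
import textwrap

# Added example, not code from the original page or from SimpleSAMLphp.
# Relationship between the 'certFingerprint' and 'certData' forms of an IdP
# signing certificate in saml20-idp-remote.php, plus a fingerprint check.

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def der_to_certdata(der: bytes) -> str:
    """The 'certData' form: a single base64 line with no PEM armour."""
    return base64.b64encode(der).decode("ascii")


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes back into PEM (64-column base64 body)."""
    body = "\n".join(textwrap.wrap(der_to_certdata(der), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sha1_fingerprint(der: bytes) -> str:
    """The 'certFingerprint' form: lower-case SHA-1 hex pairs joined by ':'."""
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept upper/lower case, with or without colons; return the canonical form."""
    hexstr = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    if len(hexstr) != 40:
        raise ValueError("a SHA-1 fingerprint must be 40 hex digits")
    return ":".join(hexstr[i : i + 2] for i in range(0, 40, 2))


def fingerprint_matches(pem: str, expected: str) -> bool:
    """True if the PEM certificate has the fingerprint you were given out of band."""
    return sha1_fingerprint(pem_to_der(pem)) == normalize_fingerprint(expected)


def metadata_cert_fields(pem: str) -> dict:
    """Both pinning values for a PEM certificate, ready to paste into $metadata."""
    der = pem_to_der(pem)
    return {"certData": der_to_certdata(der), "certFingerprint": sha1_fingerprint(der)}


if __name__ == "__main__":
    # Constructed stand-in for an IdP certificate: NOT real X.509 bytes, only a
    # byte string to exercise the PEM -> DER -> base64 round trip.
    fake_der = bytes(range(256)) * 3
    pem = der_to_pem(fake_der)
    fields = metadata_cert_fields(pem)
    print("certFingerprint:", fields["certFingerprint"])
    print("certData (first 40 chars):", fields["certData"][:40], "...")
    # The check is case-insensitive, as the metadata above mixes 3F with lower case.
    print("matches:", fingerprint_matches(pem, fields["certFingerprint"].upper()))
```

To use it against a real certificate, read the IdP's PEM file into a string, call metadata_cert_fields on it, and compare the fingerprint with the value you were given before pasting certData into saml20-idp-remote.php.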

 

  • cd into SimpleSAMLphp/config directory and edit authsources.php
In the "default-sp" section, change

   'idp' => null,
to:
   'idp' => 'https://idp.stanford.edu/',
(the value must be exactly the $metadata key you added to saml20-idp-remote.php; any difference and the SP will not find the IdP's metadata)

and add the following:
   'privatekey' => 'saml.pem',
   'certificate' => 'saml.crt',
   'authproc' => array(
     20 => 'saml:NameIDAttribute',
   ),
  • Stay in the config directory and edit config.php

7a. Make sure the following config options are set:

   'baseurlpath' => 'https://<YOUR WEB SERVER HOSTNAME>.stanford.edu/simplesaml/',
   'certdir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/cert/',
   'metadatadir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/metadata/',
   'attributenamemapdir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/attributemap/',
   'loggingdir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/log/',
   'datadir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/data/',

7b. Set auth.adminpassword to a long random value. The shipped default is "123", and this password is all that protects the admin pages (including the Configuration and Federation tabs used below).

7c. Change secretsalt from the default to a random value, following the instructions in config.php. The salt goes into the hashes and derived secrets SimpleSAMLphp generates, and the default is known to everyone.

7d. Change technicalcontact_name and technicalcontact_email to your name and email address

7e. Change timezone to 'America/Los_Angeles'

7f. Set "enable.saml20-idp" to true only if you need SimpleSAMLphp's own SAML 2.0 IdP endpoints. The SP setup described here does not use them, so leaving it false keeps those endpoints switched off.

7g. Replace the "authproc.sp" section with the following. The entitlement patterns are regular expressions and are matched as substrings, so they are anchored with ^ and $ here; an unanchored pattern would also accept any entitlement value that merely contains the workgroup name.

   'authproc.sp' => array(
       10 => array(
           'class' => 'core:AttributeMap', 'removeurnprefix',
           'oid2name',
       ),
       20 => array(
           'class' => 'authorize:Authorize',
           // Use a regular expression to define which workgroup members can log in.
           // This example lets in anyone in earthsci:web-authors or earthsci:web-developers;
           // make sure that you use the correct workgroup names here.
           'eduPersonEntitlement' => array(
               '/^earthsci:(web-authors|web-developers)$/',
           ),
       ),
       // Adopts the language from the attribute for use in the UI
       90 => 'core:LanguageAdaptor',
   ),
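The following is an added example in Python; it is not part of this page or of SimpleSAMLphp's authorize module. It reproduces the decision rule of the authorize:Authorize filter as configured above (one or more regular expressions per attribute; the login is allowed as soon as any value of any listed attribute matches any pattern) and runs the page's entitlement rule, anchored and unanchored, over a constructed set of users. The user records and the "earthsci:web-authors-archive" lookalike value are made up for this example; the PHP-style pattern delimiters are stripped before handing the expression to Python's re module, and pattern flags are not supported.

```python
import re

# Added example, not code from the original page or from SimpleSAMLphp.
# Mirrors the authorize:Authorize decision: allow if any value of any rule
# attribute matches any of that attribute's patterns (regex by default).


def authorize(attributes: dict, rules: dict, regex: bool = True) -> bool:
    """attributes: attribute name -> list of values, as authproc filters see them.
    rules: attribute name -> list of patterns ('/.../' style when regex is True,
    exact strings otherwise). Returns True if the login may proceed."""
    for attr, patterns in rules.items():
        for value in attributes.get(attr, []):
            for pattern in patterns:
                if regex:
                    # PHP's preg_match takes a delimited pattern such as '/.../';
                    # strip the delimiters so Python's re can use the body.
                    if len(pattern) < 2 or pattern[0] != pattern[-1]:
                        raise ValueError(f"expected a delimited pattern: {pattern!r}")
                    if re.search(pattern[1:-1], value):
                        return True
                elif value == pattern:
                    return True
    return False


# The page's rule as written (unanchored) and the same rule anchored.
UNANCHORED = {"eduPersonEntitlement": ["/earthsci:(web-authors|web-developers)/"]}
ANCHORED = {"eduPersonEntitlement": ["/^earthsci:(web-authors|web-developers)$/"]}

# Constructed users; the entitlement values are invented for this example.
AUTHOR = {"uid": ["jdoe"], "eduPersonEntitlement": ["earthsci:web-authors"]}
LOOKALIKE = {"uid": ["mallory"], "eduPersonEntitlement": ["earthsci:web-authors-archive"]}
NO_GROUP = {"uid": ["guest"], "eduPersonEntitlement": ["stanford:affiliate"]}
NO_ATTR = {"uid": ["svc"]}  # IdP released no entitlement at all


def decisions(rules: dict) -> dict:
    """Allow/deny decision for each constructed user under a rule set."""
    users = {"author": AUTHOR, "lookalike": LOOKALIKE, "no_group": NO_GROUP, "no_attr": NO_ATTR}
    return {name: authorize(attrs, rules) for name, attrs in users.items()}


if __name__ == "__main__":
    # The lookalike is let in by the unanchored rule and kept out by the anchored one.
    print("unanchored:", decisions(UNANCHORED))
    print("anchored:  ", decisions(ANCHORED))
```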

7h. It is recommended that you do not use "store.type" => "phpsession": SimpleSAMLphp would then share the PHP session with Drupal, and the two do not cooperate well.
If PHP on your server includes memcache, change "store.type" => "memcache" and configure the memcache servers (memcache_store.servers in config.php; the specifics are not covered in this document).

Otherwise, change
"store.type" => "sql",
and set store.sql.dsn, store.sql.username, and store.sql.password to access your Drupal database. The tables SimpleSAMLphp creates carry the store.sql.prefix (default "SimpleSAMLphp"), so they do not collide with Drupal's tables; give the database account no more rights than it needs.
 

Test the SimpleSAMLphp library and get the SP metadata

 

  • Go to your website at https://<YOUR WEB SERVER HOSTNAME>.stanford.edu/simplesaml/ and open the Configuration tab (the Configuration and Federation tabs ask for the auth.adminpassword you set above).
  • On the Configuration tab, run the "sanity check" to see if you are still sane.
  • Go to the Federation tab and click "SAML 2.0 SP Metadata" for "default-sp"
  • Copy the metadata to your clipboard

Register your SP (service provider) with Stanford

  • Go to https://spdb.stanford.edu and click "Add New Service Provider"
  • Paste the metadata into the Metadata field and enter a Contact (Group) Email. You need to be an admin of the respective workgroup, or you need to submit a ServiceNow ticket so 
  • Submit the metadata
  • When you get word back that your SP has been registered, go back to https://<YOUR WEB SERVER HOSTNAME>.stanford.edu/simplesaml/ and click the Authentication tab.
  • Click default-sp. You should be taken to WebLogin and back to a page that shows your account information, i.e. the attributes the IdP released to your SP.
Congratulations: SUNet login now works on your website.

Configure the Drupal simplesamlphp_auth or stanford_ssp module


11. For Drupal 7.x, install the simplesamlphp_auth module. For integration with SPDB, use the stanford_ssp module.

    For Drupal 8.x, install the simplesamlphp_auth and externalauth modules.

12. Configure simplesamlphp_auth

Drupal 7.x

  • Check Activate
  • Enter the location of the simplesamlphp directory. If you are working on Pantheon, this is defined in the settings.php file.
  • Leave default-sp as the authentication source
  • Check "Force HTTPS for login links"
  • Use "displayName" as the attribute for the user's name
  • Use "urn:mace:dir:attribute-def:uid" as the attribute for the user's unique identifier (SUNet ID)
  • Use "mail" for the user's mail address
  • Set automatic role population like: "web_author:eduPersonEntitlement,=,earthsci:web-authors|web_developer:eduPersonEntitlement,=,earthsci:web-developers" (the "=" comparison is exact, so the workgroup names must match what the IdP releases character for character)
  • Check "Reevaluate roles every time the user logs in"
  • Check "Register users" under User Provisioning
  • Uncheck "Allow SAML users to set Drupal passwords"
  • Check "Allow authentication with local Drupal accounts" and restrict it to the administrator role and/or user 1
  • Optionally set the URL to redirect to after logging out

Drupal 8.x
 

  • Check Activate

  • Leave default-sp as the authentication source

  • Change the login text to "Stanford WebLogin"

  • Check "Register users (auto provisioning)"
    Uncheck "Allow SAML users to set Drupal passwords" under Local Authentication
    Check "Allow authentication with local Drupal accounts" and restrict it to the administrator role and/or user 1
    Optionally set the URL to redirect to after logging out

  • Under "User Info and Syncing":
    Use "displayName" as the attribute for the user's name
    Use "urn:mace:dir:attribute-def:uid" as the attribute for the user's unique identifier (SUNet ID)
    Use "mail" for the user's mail address
    Check "Synchronize user name on every login"
    Check "Synchronize user email on every login"
    Set automatic role population like: "web_author:eduPersonEntitlement,=,earthsci:web-authors|web_developer:eduPersonEntitlement,=,earthsci:web-developers"
    Check "Reevaluate roles every time the user logs in"

  • Uncheck "Automatically enable SAML authentication for existing users", so that existing local accounts are not silently linked to SAML identities by user name

Entitlements  

Additional feature: mapping Drupal roles to workgroups and affiliations

In Stanford SSP module - uncheck button 

User Info and Syncing Tab for SimpleSAMLPHP Auth Settings:
Automatic role population field:
subsite_editor:eduPersonEntitlement,=,earthsci:webdev|staff:suAffiliation,=,stanford:staff|faculty:suAffiliation,=,stanford:faculty|postdoc:suAffiliation,=,stanford:student:postdoc|student:suAffiliation,=,stanford:student
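The following is an added example in Python; it is not part of this page or of the simplesamlphp_auth module. It parses a role population string in the format the page uses (role:attribute,operator,value with "|" between rules) and evaluates it against constructed SAML attribute sets, so you can see which Drupal roles a given user would receive before pointing the module at production. The role is taken as everything before the first ":" so that values such as stanford:student:postdoc keep their own colons. The "=" operator is the one the page uses; "@=" (e-mail domain) and "~=" (substring) are included on the assumption that they behave as the module's help text describes, and the module's own implementation may differ in details such as whitespace handling. The attribute values below are made up for this example.

```python
from typing import Dict, List, Tuple

# Added example, not code from the original page or from simplesamlphp_auth.
# Parses and evaluates an "Automatic role population" string.

Rule = Tuple[str, str, str, str]  # (drupal_role, saml_attribute, operator, value)
OPERATORS = ("=", "@=", "~=")


def parse_role_rules(spec: str) -> List[Rule]:
    """Parse 'role:attribute,operator,value|role:attribute,operator,value|...'."""
    rules: List[Rule] = []
    for item in (part.strip() for part in spec.split("|")):
        if not item:
            continue
        role, sep, condition = item.partition(":")  # role ends at the first ':'
        if not sep or not role:
            raise ValueError(f"rule is missing the role prefix: {item!r}")
        fields = [f.strip() for f in condition.split(",", 2)]
        if len(fields) != 3:
            raise ValueError(f"rule must be attribute,operator,value: {item!r}")
        attr, op, value = fields
        if op not in OPERATORS:
            raise ValueError(f"unknown operator {op!r} in {item!r}")
        rules.append((role, attr, op, value))
    return rules


def condition_holds(op: str, wanted: str, actual: str) -> bool:
    if op == "=":       # exact, case-sensitive match: the operator the page uses
        return actual == wanted
    if op == "@=":      # e-mail domain match (assumed semantics)
        return "@" in actual and actual.rsplit("@", 1)[1].lower() == wanted.lower()
    if op == "~=":      # substring match (assumed semantics)
        return wanted in actual
    raise ValueError(op)


def roles_for(attributes: Dict[str, List[str]], rules: List[Rule]) -> List[str]:
    """Drupal roles a user with these SAML attributes would be given, in rule order."""
    granted: List[str] = []
    for role, attr, op, wanted in rules:
        if role in granted:
            continue
        if any(condition_holds(op, wanted, v) for v in attributes.get(attr, [])):
            granted.append(role)
    return granted


# The role population string from the page.
PAGE_SPEC = (
    "subsite_editor:eduPersonEntitlement,=,earthsci:webdev"
    "|staff:suAffiliation,=,stanford:staff"
    "|faculty:suAffiliation,=,stanford:faculty"
    "|postdoc:suAffiliation,=,stanford:student:postdoc"
    "|student:suAffiliation,=,stanford:student"
)

# Constructed attribute sets (invented for this example).
POSTDOC = {
    "uid": ["jdoe"],
    "suAffiliation": ["stanford:student", "stanford:student:postdoc"],
    "eduPersonEntitlement": ["earthsci:webdev"],
}
STAFF = {"uid": ["asmith"], "suAffiliation": ["stanford:staff"], "mail": ["asmith@stanford.edu"]}

# A rule whose value is misspelt relative to the entitlement the IdP releases:
# with "=" nothing is granted and nothing is logged, so check spellings carefully.
TYPO_SPEC = "web_developer:eduPersonEntitlement,=,earths:web-developer"
DEVELOPER = {"uid": ["dev"], "eduPersonEntitlement": ["earthsci:web-developers"]}


if __name__ == "__main__":
    rules = parse_role_rules(PAGE_SPEC)
    print("postdoc   ->", roles_for(POSTDOC, rules))
    print("staff     ->", roles_for(STAFF, rules))
    print("typo rule ->", roles_for(DEVELOPER, parse_role_rules(TYPO_SPEC)))
```

Running the rules for each kind of account you expect (and for one you do not) before enabling "Reevaluate roles every time the user logs in" catches both over-granting and silent under-granting from a misspelt workgroup name.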

Configuration on Pantheon hosting

The following files are used in the configuration:

  • settings.php - defines the path to the simplesaml library ($settings['simplesamlphp_dir'] = $_SERVER['HOME'] . '/code/private/simplesamlphp';) and the redirect to the primary custom domain
  • config.php - various configuration parameters
  • authsources.php - the default-sp authentication source (IdP entity ID, SP key and certificate)
  • saml20-idp-remote.php - contains the metadata for the Stanford IdP and its certData