Turn Drupal 8 into an Identity Provider with SimpleSAMLphp

By Ronald van Belzen | December 11, 2017

There is enough information available to help you turn a Drupal 7 installation into an Identity Provider (IdP) for Single Sign-On (SSO) and Single Logout (SLO). In fact, that information will also help you accomplish the same for Drupal 8. However, the amount of configuration involved might be too daunting for someone starting out on this venture.

Personally, the following links helped me on the way:

The latter delivers a Drupal 7 module and a SimpleSAMLphp module written for Drupal 7 and instructions on how to configure these. They are the same modules used by the author of the blog post in the first link.

Brad Jones has written a module inspired by the work done by Steve Moitozo for Drupal 7 (the Drupalauth module): saml_idp. This blog post describes how to use saml_idp to turn your Drupal 8 installation into an IdP.

Preparation

The saml_idp module that will be installed with Composer depends on openid/php-openid, which in turn requires the PHP extension GMP to be installed. Most standard PHP installations do not include this extension, so you may need to install it first. In my situation I used the Linux shell command:

sudo apt-get install php7.1-gmp

After restarting the webserver the module can be installed using Composer:

composer require drupal/saml_idp

The installation description for saml_idp advises you to run the post-installation script. You can do this with Drush from the web root with the command:

drush ev 'Drupal\saml_idp\Install::postInstall()'

What this post-installation script does is create the subdirectory /vendor/simplesamlphp/simplesamlphp/modules/drupalauth and, in that subdirectory, an empty file named 'default_enable'.

Next, an alias needs to be added to the Drupal site's host configuration (the "sites-available" bit of apache2 or nginx) to map /simplesaml to the folder on the server where the SimpleSAMLphp files were placed. In my case:

<VirtualHost *:80>
  ServerName samlvm.dev
  ServerAlias www.samlvm.dev
  DocumentRoot "/var/www/drupalvm/drupal/web"
  Alias /simplesaml "/var/www/drupalvm/drupal/vendor/simplesamlphp/simplesamlphp/www"

  <Directory "/var/www/drupalvm/drupal/web">
    AllowOverride All
    Options -Indexes +FollowSymLinks
    Require all granted
  </Directory>
  <FilesMatch \.php$>
    SetHandler "proxy:fcgi://127.0.0.1:9000"
  </FilesMatch>
</VirtualHost>

To conclude the preparation, enable the saml_idp module and rebuild the cache.

Configuration

Copy the files 'config.php' and 'authsources.php' from the subdirectory /vendor/simplesamlphp/simplesamlphp/config-templates to the subdirectory /vendor/simplesamlphp/simplesamlphp/config (create the subdirectory when it does not exist yet).

In the new 'config.php' file change the values of the following $config array items:

  • 'auth.adminpassword' to another value (for security reasons SimpleSAMLphp will not work when you do not reset this value).
  • 'technicalcontact_email' to your own e-mail address.
  • 'enable.saml20-idp' to true
  • 'store_type' to 'sql'
  • 'store.sql.dsn', 'store.sql.username', 'store.sql.password' should reflect your (Drupal) database credentials

In the new 'authsources.php', add values for 'privatekey', 'certificate' and 'auth' to the $config['default-sp'] array item:

    'default-sp' => array(
        'saml:SP',

        // X.509 key and certificate, relative to the cert directory.
        'privatekey' => 'server.pem',
        'certificate' => 'server.crt',
        // Authentication source defined below in this same file.
        'auth' => 'drupal-userpass',
    ),

Also add the array item $config['drupal-userpass'] with the value 'drupalauth:External' in 'authsources.php':

    'drupal-userpass' => array('drupalauth:External'),

Create the subdirectory /vendor/simplesamlphp/simplesamlphp/metadata with the files 'saml20-idp-hosted.php' and 'saml20-sp-remote.php'.

The content of 'saml20-idp-hosted.php' should be:

<?php
/**
 * SAML 2.0 IdP configuration for SimpleSAMLphp.
 *
 * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted
 */

$metadata['__DYNAMIC:1__'] = array(
	/*
	 * The hostname of the server (VHOST) that will use this SAML entity.
	 *
	 * Can be '__DEFAULT__', to use this entry by default.
	 */
	'host' => '__DEFAULT__',

	// X.509 key and certificate. Relative to the cert directory.
	'privatekey' => 'server.pem',
	'certificate' => 'server.crt',

	/*
	 * Authentication source to use. Must be one that is configured in
	 * 'config/authsources.php'.
	 */
	'auth' => 'drupal-userpass',
);

The content of 'saml20-sp-remote.php' depends on the URL of your Service Provider (SP). So you will need to change the values of 'AssertionConsumerService' and 'SingleLogoutService' to reflect the correct URLs for your SP:

<?php
/**
 * SAML 2.0 remote SP metadata for SimpleSAMLphp.
 *
 * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
 */

$metadata['http://spvm.dev/user'] = array(
  'AssertionConsumerService' => 'http://spvm.dev/saml/consume',
  'SingleLogoutService' => 'http://spvm.dev/saml/consume',
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  'simplesaml.nameidattribute' => 'mail',
  'simplesaml.attributes' => TRUE,
);

The above settings are for a Drupal SP that uses the module saml_sp. The Entity ID setting for this SP module would be 'http://idp.dev/simplesaml/saml2/idp/metadata.php' and the App name should be 'http://spvm.dev/user'. The App name defined in the metadata usually reflects the URL of the SP.

The settings for the IdP Login and Logout URLs of the SP will be 'http://idp.dev/simplesaml/saml2/idp/SSOService.php' and 'http://idp.dev/simplesaml/saml2/idp/SingleLogoutService.php' (replace 'idp.dev' with the actual hostname of your IdP).
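The two sides of this pairing are easy to get out of step, so here is an added example (not part of the original post or the saml_idp module) that derives the IdP URLs the SP must be given, sanity-checks a remote SP definition before it goes into 'saml20-sp-remote.php', and renders the entry in the layout used above. The hostnames spvm.dev and idp.dev are the illustrative ones from this post.

```python
"""Added example (not from the original post): helpers for the sp-remote entry."""
from urllib.parse import urlparse

NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def idp_urls(idp_base):
    """IdP endpoints a saml_sp-based SP is configured with (paths as in the post)."""
    base = idp_base.rstrip("/") + "/simplesaml/saml2/idp/"
    return {"entity_id": base + "metadata.php",
            "login": base + "SSOService.php",
            "logout": base + "SingleLogoutService.php"}


def check_sp(entity_id, acs, slo):
    """Return a list of problems with a remote SP definition (empty if it looks fine).

    The IdP posts signed assertions carrying the user's 'mail' attribute to the
    ACS URL, so it must be an absolute URL on the SP's own host. Plain http is
    fine for a dev VM but exposes the assertion in transit, so it is flagged."""
    problems = []
    ent = urlparse(entity_id)
    for name, url in (("AssertionConsumerService", acs), ("SingleLogoutService", slo)):
        u = urlparse(url)
        if u.scheme not in ("http", "https") or not u.netloc:
            problems.append(f"{name} is not an absolute http(s) URL: {url}")
            continue
        if u.netloc != ent.netloc:
            problems.append(f"{name} host {u.netloc} differs from entity ID host {ent.netloc}")
        if u.scheme == "http":
            problems.append(f"{name} uses plain http; use https outside a dev VM")
    return problems


def _php_str(value):
    """Escape a value for a single-quoted PHP string literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def sp_remote_entry(entity_id, acs, slo):
    """Render the saml20-sp-remote.php array entry in the post's layout."""
    return (f"$metadata['{_php_str(entity_id)}'] = array(\n"
            f"  'AssertionConsumerService' => '{_php_str(acs)}',\n"
            f"  'SingleLogoutService' => '{_php_str(slo)}',\n"
            f"  'NameIDFormat' => '{NAMEID_EMAIL}',\n"
            "  'simplesaml.nameidattribute' => 'mail',\n"
            "  'simplesaml.attributes' => TRUE,\n"
            ");")


if __name__ == "__main__":
    sp = ("http://spvm.dev/user", "http://spvm.dev/saml/consume", "http://spvm.dev/saml/consume")
    print(*check_sp(*sp), sep="\n")
    print(sp_remote_entry(*sp))
```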

What remains is the creation of your certificates. For this create the subdirectory /vendor/simplesamlphp/simplesamlphp/cert and in this subdirectory start the creation of your certificates from the command line with:

openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out server.crt -keyout server.pem

The file content of 'server.crt' can be given to the SP for its configuration.

Concluding remarks

One major drawback of the above configuration is that the configuration files are placed in the vendor directory. How to solve this issue will be shown in my next blog post. Another issue is that the Drupal 8 saml_idp module is less configurable than its Drupal 7 counterpart. How to override the saml_idp module will also be handled in the next blog post.

Comments

EMM (not verified) wrote on Tue, 09/04/2018 - 20:12

In saml20-sp-remote.php, I believe only the AssertionConsumerService and SingleLogoutService settings change, even if we go with simplesamlphp_auth as an SP. Any idea?
