Date Published: February 6, 2025

How to install and configure the samlauth module?

Important Note: This document is a work in progress; we are still improving it.

The samlauth module allows users to authenticate against a SAML Identity Provider (IdP) to log in to a Drupal application. Essential basics of SAML, tuned to our situation: the IdP is the remote system that users are directed to upon login, and which authorizes the user to log in to our site. The Service Provider (SP) is a standalone piece of code (implemented by the SAML PHP Toolkit) that takes care of the SAML communication and validates the assertions sent back by the IdP.
https://git.drupalcode.org/project/samlauth#introduction
https://www.drupal.org/project/samlauth

Because simplesamlphp_auth does not yet have a stable, Drupal 10-compatible release, samlauth is a good replacement.

If you are using the simplesamlphp_auth module and plan to update Drupal core, first uninstall it and then install the samlauth module. If you have already uninstalled it, go to the `Installing the samlauth module` section.

Uninstalling the simplesamlphp_auth module:

Here are the steps to remove the simplesamlphp_auth module completely from your code base:

1- Uninstall the simplesamlphp_auth module from the Drupal Admin UI, or use the following command. If you have a Drupal multisite, adjust `--uri` to your site name:
$ drush pm:uninstall simplesamlphp_auth --uri=default
 [success] Successfully uninstalled: simplesamlphp_auth
2- To remove simplesamlphp_auth from your code base, we recommend first removing simplesamlphp/composer-module-installer (a dependency) and then removing the module itself with Composer by running the following commands:
$ composer remove simplesamlphp/composer-module-installer --update-with-all-dependencies
$ composer remove drupal/simplesamlphp_auth --update-with-all-dependencies
3- Clean up the `scripts` and `allow-plugins` sections in your composer.json.
For example, remove entries such as the following:
"simplesamlphp/composer-module-installer": false
"scripts": {
        "post-install-cmd": [
            "rm -rf ./vendor/simplesamlphp/simplesamlphp/config",
            "rm -rf ./vendor/simplesamlphp/simplesamlphp/metadata",
4- Make sure your composer.lock is up to date by running the following command:
$ composer update --lock
5- If you have a symlink and a certificate/metadata folder above the docroot, remove them now:
$ rm -rf simplesamlphp
$ rm -rf docroot/simplesaml
6- You may have a Drupal menu link for the simplesamlphp_auth login. Remove it, or update it to the samlauth login path `/saml/login`.

7- Running `drush pm:uninstall simplesamlphp_auth --uri=default` should remove the simplesaml tables from the database, but it is worth verifying:
$ drush sqlc --uri=default
mysql>
To check the table: 
mysql> show tables like "sim%";
+-----------------------------+
| Tables_in_cs2d8stg (sim%)   |
+-----------------------------+
| simplesaml_kvstore          |
| simplesaml_saml_LogoutStore |
| simplesaml_tableVersion     |
+-----------------------------+
3 rows in set (0.00 sec)
To delete the tables:
mysql> drop table simplesaml_kvstore;
mysql> drop table simplesaml_saml_LogoutStore;
mysql> drop table simplesaml_tableVersion;
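
To confirm the file-level clean-up from steps 2 to 5, the following shell function is an added example (not part of the original article or of either module). It scans a project root for remaining `simplesamlphp` references in composer.json and composer.lock and for the paths named above; the function name and the sample tree are constructed for illustration.

```bash
# Added example: report what steps 2-5 may have left behind.
# Usage: simplesaml_leftovers /path/to/project  (returns 1 if anything is found)
simplesaml_leftovers() {
  local root found f p
  root=$1
  found=0
  for f in composer.json composer.lock; do
    [ -f "$root/$f" ] || continue
    # Matches the module, its installer plugin and the rm -rf script lines.
    if grep -n 'simplesamlphp' "$root/$f" | sed "s|^|$f:|" | grep .; then
      found=1
    fi
  done
  for p in simplesamlphp docroot/simplesaml vendor/simplesamlphp; do
    # -L also catches a dangling symlink, which -e reports as absent.
    if [ -e "$root/$p" ] || [ -L "$root/$p" ]; then
      echo "still present: $p"
      found=1
    fi
  done
  return "$found"
}

# Constructed project tree with two leftovers: an allow-plugins entry and
# a docroot/simplesaml symlink whose target has already been deleted.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/docroot"
cat > "$DEMO/composer.json" <<'EOF'
{
  "config": {
    "allow-plugins": { "simplesamlphp/composer-module-installer": false }
  }
}
EOF
ln -s ../simplesamlphp-gone "$DEMO/docroot/simplesaml"
simplesaml_leftovers "$DEMO" || echo "clean-up incomplete"
```
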
Now you can continue to the following section to install the samlauth module:

Installing the samlauth module:

1- To install samlauth in your code base, please run the following command:
$ composer require drupal/samlauth --update-with-all-dependencies
2- Install the samlauth module from the Drupal Admin UI, or use the following command. If you have a Drupal multisite, adjust `--uri` to your site name:
$ drush pm:enable samlauth --uri=default
 [success] Successfully enabled: samlauth
3- Log in to the Drupal admin with your credentials, or with the login link from the following Drush command, then navigate to the “SAML authentication” page:
Configuration->People->SAML authentication
$ drush uli --uri=default --uid=1

4- On the SAML authentication page you have the following sections:
  • Login / Logout
  • Service Provider
  • Identity Provider
  • User Info and Syncing
  • SAML Message Construction
  • SAML Message Validation
  • Other
  • Debugging
You can collapse other sections and navigate to the “Service Provider” section.
5- In the “Service Provider” section, update the following fields:
  • Entity ID: https://yourdomain.com/saml/metadata
  • Set the “Type of values to save for the key/certificate” to Configuration or file
  • Private Key: Look for your private key on your current/previous branch and copy the key into this section.
$ cat simplesamlphp/cert/saml.pem
-----BEGIN RSA PRIVATE KEY-----
XXXX
-----END RSA PRIVATE KEY-----
Important Note: If you need to generate a new key, see the samlauth module documentation for more information: https://git.drupalcode.org/project/samlauth#requirements
  • X.509 Certificate: Look for your certificate on your current/previous branch and copy the cert into this section.
$ cat simplesamlphp/cert/saml.crt
-----BEGIN CERTIFICATE-----
XXXX
-----END CERTIFICATE-----
6- In the “Identity Provider” section, update the following fields:
  • Entity ID: Look for ‘$metadata’ in the simplesamlphp/metadata/saml20-idp-remote.php file and add the ‘entityid’ URL to this field (see the image).
  • Single Sign On Service: Look for ‘SingleSignOnService’ in the simplesamlphp/metadata/saml20-idp-remote.php file and add the ‘Location’ URL to this field.
Important note: This URL is different from the previous URL.
  • Set the “Type of values to save for the certificate(s)” to Configuration or file
  • X.509 Certificate(s): Look for ‘X509Certificate’ in the simplesamlphp/metadata/saml20-idp-remote.php file and add the certificate to this field.


7- In your Google Admin console, update the ‘ACS URL’ and ‘Entity ID’ based on the information in the “Service Provider” section of the SAML authentication page.




You should see your “Service Provider” like the following:


8- This method stores the data in the database; you can also store it in a file. To store it in files, you currently need to install the dev version of the module.
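
For step 6, the three Identity Provider values can be read from the old metadata file instead of being copied by hand. This is an added example, not code from the samlauth or SimpleSAMLphp projects; it assumes saml20-idp-remote.php describes a single IdP in the usual `'key' => 'value'` array layout, and the function names and sample metadata are constructed.

```bash
# Added example: read the step 6 values from saml20-idp-remote.php.
# Assumes one IdP, written as a PHP array of 'key' => 'value' pairs.

# Print each single-quoted value assigned to array key $1 (PHP on stdin).
php_value() {
  sed -n "s/.*'$1'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p"
}

idp_entity_id() { php_value entityid < "$1" | head -n 1; }

# Search only from the SingleSignOnService key onward, so the Location of
# a SingleLogoutService listed earlier is not returned by mistake.
idp_sso_url() {
  sed -n "/'SingleSignOnService'/,\$p" "$1" | php_value Location | head -n 1
}

# Signing and encryption entries often repeat one certificate.
idp_certs() { php_value X509Certificate < "$1" | sort -u; }

# Print all three; fail if one is missing or the SSO URL is not HTTPS.
idp_summary() {
  local entity sso certs
  entity=$(idp_entity_id "$1"); sso=$(idp_sso_url "$1"); certs=$(idp_certs "$1")
  [ -n "$entity" ] && [ -n "$certs" ] || { echo "value missing" >&2; return 1; }
  case "$sso" in https://*) ;; *) echo "bad SSO URL: $sso" >&2; return 1 ;; esac
  printf 'Entity ID: %s\nSingle Sign On Service: %s\nX.509 Certificate(s):\n%s\n' \
    "$entity" "$sso" "$certs"
}

# Constructed sample metadata; the host and certificate value are not real.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<?php
$metadata['https://idp.example.test/saml2?idpid=CONSTRUCTED'] = [
  'entityid' => 'https://idp.example.test/saml2?idpid=CONSTRUCTED',
  'SingleLogoutService' => [['Location' => 'https://idp.example.test/logout']],
  'SingleSignOnService' => [[
    'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
    'Location' => 'https://idp.example.test/saml2/idp?idpid=CONSTRUCTED']],
  'keys' => [
    ['signing' => true, 'type' => 'X509Certificate',
     'X509Certificate' => 'Q09OU1RSVUNURURDRVJU'],
    ['encryption' => true, 'type' => 'X509Certificate',
     'X509Certificate' => 'Q09OU1RSVUNURURDRVJU']],
];
EOF
idp_summary "$SAMPLE"
```
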
 
