Setting up single sign-on

Acquia Cloud Site Factory supports single sign-on (SSO) for both Drupal 7 and Drupal 8 websites. Drupal 8 websites on Acquia Cloud Site Factory use SAML (Security Assertion Markup Language) for single sign-on, while Drupal 7 websites use OpenID.

Setting up single sign-on for Drupal 8 websites

Applies to Drupal 8-based websites hosted on Acquia Cloud Site Factory. For single sign-on in Drupal 7 websites, see Specifying login authentication mode.

Setting up single sign-on (SSO) for Drupal 8 websites hosted on Acquia Cloud Site Factory enables users to sign in to those websites by using the actions menu in the Site Factory Management Console.

Using SSO requires a SAML service provider, either Acquia Cloud or an external provider. Although you can use any SAML service provider compatible with your Drupal 8 codebase, Acquia Cloud Site Factory directly supports the use of the SAML Authentication module (version 8.x-2.x).

Important

  • Acquia Cloud Site Factory supports the use of the SAML Identity Provider (IdP) integrated into the Site Factory Management Console, or an external IdP, but not both. If you choose an external IdP, you cannot sign in to websites with the Log in option from a website’s actions menu.
  • If you do not use the SAML Authentication module to connect to your SAML service provider, you cannot use centralized role management.

Installing the SAML Authentication module

Complete the following steps to use the SAML Authentication module with SSO:

  1. Download and add the following modules to your Drupal 8 codebase:
  2. Add the modules from the previous step to your installation profile, along with the acsf_sso module packaged with the Acquia Cloud Site Factory Connector module.
  3. Commit your changes back to your repository.

You can now use single sign-on with your Acquia Cloud Site Factory-hosted websites.

Configuring authentication values

When installing the ACSF SSO module or staging your websites for testing, Acquia Cloud Site Factory changes the samlauth.authentication configuration value to sign your users in to the appropriate staged or live websites.

Do not change the values for samlauth.authentication in active configuration from those set by Acquia Cloud Site Factory. For instance, ensure you do not import stale or incorrect values for samlauth.authentication from configuration files stored in your codebase when installing or staging a site.

Modifying samlauth.authentication in active configuration may cause sign-in attempts to fail, or to sign users in to an environment other than the one you intended.
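
One way to enforce this in a build or pre-deployment step, shown as an added example that is not Acquia's own code: the check fails when an exported copy of samlauth.authentication is present in the configuration files stored in the codebase. The directory passed in (for example config/sync) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not Acquia code): fail a build when exported Drupal
# configuration contains samlauth.authentication, so a configuration import
# cannot overwrite the values Acquia Cloud Site Factory sets in active config.
# Assumption: exported configuration lives under the directory passed as $1
# (for example config/sync). Drupal names each export <config name>.yml.

SAML_CONFIG_FILE="samlauth.authentication.yml"

# Print every exported copy of the config object under the given directory,
# including copies in subdirectories such as language overrides.
find_samlauth_exports() {
    find "$1" -type f -name "$SAML_CONFIG_FILE" 2>/dev/null | sort
}

# Return 0 when the tree is clean, 1 when an export is present,
# 2 when the directory does not exist.
check_no_samlauth_export() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "error: config directory not found: $dir" >&2
        return 2
    fi
    found=$(find_samlauth_exports "$dir")
    if [ -n "$found" ]; then
        echo "samlauth.authentication is exported and would be imported:" >&2
        echo "$found" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# Typical use in a CI step (hypothetical path):
#   check_no_samlauth_export config/sync || exit 1
```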

SimpleSAMLphp and Acquia Cloud Site Factory

Implementing single sign-on with the simpleSAMLphp Authentication module for use with the acsf_sso module (packaged with the Acquia Cloud Site Factory Connector module) requires an Acquia Professional Services engagement.

During your Professional Services engagement, after Acquia provides you with the Service Provider (SP) data, you will perform the following actions:

  • Install the Service Provider (SP) metadata with your IdP.
  • Collaborate with Acquia to test your SimpleSAMLphp configuration.
  • If you do not use Acquia Cloud as your IdP, ensure Acquia has access to and knowledge of your IdP.
  • Own your website’s custom code.
  • Alter the config.php file to use /mnt/gfs/mydocroot.env/files-private/sites.json instead of the default creds.json path.
  • Test any custom workflows not provided by the simpleSAMLphp Authentication module and the SimpleSAMLphp library.
  • Own the testing and validation of all Drupal configurations and workflows integrating with the simpleSAMLphp Authentication module.
  • Configure and activate the simpleSAMLphp Authentication module for your website.