
Overview

This document explains how to integrate Drupal with SAML2, and hence with MyAccess. It recommends using the simpleSAMLphp module for Drupal.

Review How Users Are Managed

Before you embark on integrating Drupal with MyAccess, you need to look at how your Drupal users are managed. This is very important, because once you have integrated with MyAccess (Shibboleth), everyone at UCSF will be able to authenticate to your Drupal instance. According to several Drupal people around UCSF, "this is not a problem because this is basically how Drupal works anyway." I know, it took us a while to grok this, but according to some, an authenticated user doesn't really mean much, unless you assume an authenticated user has privileges.

So, given that all users at UCSF will be able to authenticate to your Drupal instance, you need to look at how you assign roles to your privileged users. For instance, if you currently assume that any authenticated user can edit content, you probably want to create a new role for your content editors, assign that role to those people, and leave the default "authenticated user" role with little to no privileges.
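As an added example (not part of the original page), the following script audits what the default "authenticated user" role can do before SSO is switched on, since after integration every campus login receives that role. It assumes the Drupal 5/6 database layout, where the role table holds (rid, name) and the permission table stores a comma-separated perm string per rid; the SQLite tables it builds are constructed sample data, not a real site.

```python
"""Audit Drupal's built-in 'authenticated user' role before enabling MyAccess."""
import sqlite3

AUTHENTICATED_RID = 2  # Drupal's built-in 'authenticated user' role id

# Permissions that should not be held by everyone who can log in (assumed list,
# taken from common Drupal 6 core permission names).
RISKY = {
    "administer users", "administer permissions", "administer site configuration",
    "administer nodes", "administer modules",
    "edit any page content", "delete any page content",
    "edit any story content", "delete any story content",
}


def load_role_permissions(conn, rid):
    """Return the set of permission names granted to a role (Drupal 5/6 layout:
    one comma-separated 'perm' string per row in the permission table)."""
    perms = set()
    for (perm,) in conn.execute("SELECT perm FROM permission WHERE rid = ?", (rid,)):
        perms.update(p.strip() for p in perm.split(",") if p.strip())
    return perms


def audit_authenticated_role(conn):
    """Return the risky permissions held by 'authenticated user', sorted."""
    return sorted(load_role_permissions(conn, AUTHENTICATED_RID) & RISKY)


def build_sample_db():
    """Constructed Drupal-6-style tables: a site whose editors relied on the default role."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE permission (pid INTEGER PRIMARY KEY, rid INTEGER, perm TEXT, tid INTEGER);
        INSERT INTO role VALUES (1, 'anonymous user'), (2, 'authenticated user'), (3, 'content editor');
        INSERT INTO permission VALUES
          (1, 1, 'access content', 0),
          (2, 2, 'access content, access comments, post comments, edit any page content', 0),
          (3, 3, 'create page content, edit any page content, delete any page content', 0);
    """)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for p in audit_authenticated_role(db):
        print(f"WARNING: 'authenticated user' holds '{p}'; move it to a dedicated editor role")
```

Point it at a dump of your own role and permission tables to see which grants would become campus-wide once MyAccess is enabled.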

Install simpleSAMLphp

We recommend that you use simpleSAMLphp with Drupal. Please see the simpleSAMLphp Service Provider installation instructions. Be sure to note the part about changing the session store.type setting so that simpleSAMLphp's session handling does not interfere with Drupal's sessions.

Install Drupal simpleSAMLphp module

Download and install the Drupal simpleSAMLphp module from the Drupal site. If you are a Drupal admin, installing this module should be very straightforward. If you are not familiar with installing Drupal modules, please see the Installing contributed modules (Drupal 5 and 6) page.

Convert Existing Users

A script for doing this is forthcoming. Stay tuned.

Stop Creating Users

The simpleSAMLphp module will automatically create a user for you if the user does not already exist in Drupal. Furthermore, the simpleSAMLphp module does not interact with the main user admin code, which means that if you create a user the way you do now and assign a role to that user, the role will be removed the next time the user authenticates. So, it is best to tell the person to "go log into the Drupal site"; once they have done that, you can look them up in the Drupal admin console and assign the privileged role to them.


3 Comments

  1. In working with this test setup, there were a few things that I thought I'd mention about user management (some of this still needs further testing/verification):

    1. Once the simpleSAMLphp_auth module has been enabled, settings on the normal Drupal 'User Settings' page (/admin/user/settings) seem to be ignored. The settings on the 'simpleSAMLphp authentication modules settings' page (/admin/user/simplesamlphp_auth) seem to override any of the default Drupal user settings values.
    2. On the 'simpleSAMLphp authentication modules settings' page (/admin/user/simplesamlphp_auth), we tested successfully with the settings configured as follows:
    • Installation Directory: /var/simplesamlphp (default)
    • Authentication source for this SP: default-sp (default)
    • SimpleSAMLphp attribute used as user's name: eduPersonPrincipalName
    • SimpleSAMLphp attribute used as unique identifier: eduPersonPrincipalName
    • Reevaluate roles every time the user logs in: OFF
    • Force https for login links: ON
    • Register users: ON
    • Allow Authentication with local Drupal Accounts: ON (so you can still login as an admin)
    • Which users should be allowed to login with local accounts: 1 (only the 'administrator' user)
      Also note that, in testing, the only attribute requested/required for successful setup was 'eduPersonPrincipalName'.
  2. Jason,

    Can we share this with the Drupal Group now?

    Thanks!

  3. I've added info on dealing with drupal user accounts post-MyAccess authentication at https://wiki.library.ucsf.edu/pages/viewpage.action?pageId=53755921