This document explains how to integrate Drupal with SAML2, and hence, MyAccess. This document recommends using the simpleSAMLphp module for Drupal.

Review How Users Are Managed

Before you embark on integrating Drupal with MyAccess, you need to look at how your Drupal users are managed. This is very important, because once you integrated with MyAccess (Shibboleth) everyone at UCSF will be able to authenticated to your Drupal instance. According to several Drupal people around UCSF, "this is not a problem because this is basically how Drupal works anyway." I know, it took us a while to grok this, but according to some, an authenticated user doesn't really mean much, unless you assume an authenticated user has privileges.

So, given that all users at UCSF will be able to authenticate to your Drupal instance, you need to look at how you assign roles to your privileged users. For instance, if you assume that an authenticated user can edit content, you probably want to create a new role for your content editors, and then assign that role to those people, and leave the default, "authenticated user" role with little to no privileges.

Install simpleSAMLphp

We recommend that you use simpleSAMLphp with Drupal. Please see the simpleSAMLphp Service Provider installation instructions. Be sure to note the part about changing the session store.type so that it does not interfere with Drupal's sessions.

Install Drupal simpleSAMLphp module

Download and intall the Drupal simpleSAMLphp module from the Drupal site. If you are a Drupal admin, installing this module should be very straightforward. If you are not familiar with installing Drupal modules, please see the Installing contributed modules (Drupal 5 and 6) page.

Convert Existing Users

A script for doing this is forthcoming. Stay tuned.

Stop Creating Users

The simpleSAMLphp module will automatically create a user for you if the user does not already exist in Drupal. Furthermore, the simpleSAMLphp module does not interact with the main user admin code, which means that if you create a user the way you do now and assign a role to that user, the role will be removed the next time the user authenticates. So, it is best to tell someone to "Go log into the Drupal site", and then once they have done that, you can look them up in the Drupal admin console and then assign the privileged role to them.