Disclaimer:<\/strong> I am not claiming to be an expert ad SAML, Drupal, or anything else. Implement this at your own risk and expense. The guide provided below is simply my learned experience from my own implementations and I cannot guarantee your success. You still have to learn your own lessons.<\/p>\n\n\n\n CONTENTS<\/strong><\/p>\n\n\n\n This guide is designed to help you understand SAML (using SimpleSAMLphp v2.1+), why we use it, and how it works to serve website users. The only outputs are a working SAML connection between two points \u2013 the IdP (Identity Provider) and the SP (Service Provider). <\/p>\n\n\n\n Why Single Sign-On with SAML? <\/strong>SAML allows us to create a single-sign-on experience for our users so that they only have to remember one password for multiple sites. Over the years, users I’ve served have been extremely frustrated when they\u2019ve needed to reset a password on one site, only to find out that they weren\u2019t resetting the correct one for what they thought were trying to access. My goal is to simplify my environment for them so that they only have to remember account information in one place, and they can access all website services appropriately.<\/p>\n\n\n\n SAML Security: <\/strong>SAML connections are manually established between the IdP and SP over secure, encrypted connections. Both sides MUST exchange information and configure their connections; no SAML connections are able to be established in a one-sided manor.<\/p>\n\n\n\n Assumptions:<\/strong> This guide is written from the perspective of a LAMP stack (Ubuntu Linux, Apache 2.4, PHP 8.1+, MySQL). Your environment may be different, so, when you’re doing some of the Apache-related tasks, check for what the best methods are for your system. Second, I have no experience with NGINX, so I can’t describe how that works differently from Apache. Other tutorials I found on the internet give guidance for that kind of environment, so you should be able to find a comparable example if that’s what you are running.<\/p>\n\n\n\n Additionally, in 2024 and beyond, you should be using Drupal version 10+, Drush version 12+, and Composer version 2.6+. While many of these settings will work for Drupal 8+, those versions are no longer supported with security updates and should be upgraded to the latest stable version of Drupal immediately. SimpleSAMLphp is using version 2.1+ for this tutorial.<\/p>\n\n\n\n The SCOPE of SAML is that it is installed as a component of our Drupal websites. In the IdP, it is required as a dependency of the drupalauth4ssp module<\/a> and in the SP\u2019s it is required as a dependency of the simplesamlphp_auth module<\/a>. In both cases SimpleSAMLphp is found in each site\u2019s SAML\u2019s operating scope is to provide seamless communication between the IdP and the SP\u2019s. All of these connections are managed within the above folder structures and work is done mostly at the command line\/FTP level with some work being done in Drupal for the User information being passed back and forth.<\/p>\n\n\n\n *NOTE:<\/strong> I’ll be using the following variables throughout this tutorial:<\/p>\n\n\n\n The way to have SAML setup, is to have it required as a dependency of Drupal. Therefore, a good working knowledge of Composer<\/a>, Drush<\/a>, and Drupal<\/a>\u2019s user login and access management system (Roles) is needed.<\/p>\n\n\n\n Beyond that, a developer should have at least a basic understanding of what SAML is doing and why.<\/p>\n\n\n\n SAML connects the IdP (Identity Provider) and SP (Service Provider) in a manually established, secure connection. The above infographic shows how a user requests authentication at an SP authentication URL (for example: Our SAML is setup to store\/manage these authentication tokens in our MySQL database. You may care to research alternative methods for your situation and security needs.<\/p>\n\n\n\n Setting up a Drupal site to become an IdP or SP:<\/strong><\/p>\n\n\n\n First determine which site is going to be which, I suggest drawing yourself a diagram. If you\u2019re setting up multiple sites and you know which one is going to be the one where people login and authenticate, that\u2019s going to be your IdP \u2013 where you do all your user management \u2013 and everything else is going to be an SP.<\/p>\n\n\n\n In a best-case scenario, you might want to think about making the IdP its own subdomain like idp.domain.com, then all your other websites will resolve to their own subdomains (sp1.domain.com, intranet.domain.com, community.domain.com) and your main website will resolve at domain.com. This allows you to have really focused user management controls on your IDP site and disable local <\/em>user login on all other sites so that you don\u2019t need all the additional authentication and protection components that your IdP does (reducing attack surfaces).<\/p>\n\n\n\n To add the correct SAML components to your IdP, you need to go to the command line and run: This will install the SimpleSAMLphp drupalauth module into your If your IdP is a Drupal website, it needs to leverage the drupalauth4ssp module<\/a> to connect the Drupal website to SimpleSAMLphp. The setup within Drupal is very simple, with only one module configuration page: ( The allowed list of ReturnTo Parameters<\/strong> is limited to the SP\u2019s we trust and are connected to. By default, this uses an asterisk (*) to allow for returning to any SP that we\u2019ve connected to. Leaning toward a more secure posture, I suggest explicitly naming which SP\u2019s you are connecting to.<\/p>\n\n\n\n I don\u2019t set the IdP-Initiated logout redirect URL mostly because I’ve been happy returning people to the home page after they log out.<\/p>\n\n\n\n In this section, we look at what it takes to setup SAML to work in conjunction with Drupal. We\u2019ll be focusing on the needs of SAML at this point, since the Drupal side of things should be in a good place on the IdP and we’ll be setting the SP Drupal settings up in just a bit.<\/p>\n\n\n\n In order for your SAML to be made available to the internet, you need to create a symlink or alias for it. Here, you also make simplesamlphp\u2019s public directory open to the public. This is intentional, the public directory is designed to be a web user interface for SAML management.<\/p>\n\n\n\n The files you need are the .conf files, found in When you edit one of these .conf files, you\u2019ll need to create a section inside your site’s <virtualhost> tags (probably at the bottom), for SAML with the following parameters.<\/p>\n\n\n\n\n
\n
\n
\n
1. Introduction<\/a><\/h2>\n\n\n\n
2. Scope<\/a><\/h2>\n\n\n\n
[site root]\/vendor\/simplesamlphp*<\/code> folder. In addition, we create each site’s configuration files in the [site root]\/simplesamlphp\/dev*<\/code> folder in each directory. There\u2019s also additional information in the \/etc\/apache2\/sites-available\/*.conf<\/code> files.<\/p>\n\n\n\n\n
[site root]<\/strong><\/code> = this is equivalent to the root directory for your website. If you’re running Drupal, then it is whichever directory the web\/ folder is residing in. The assumption is that all [site root] references should be accessed from the command line or FTP<\/li>\n\n\n\n[your site]<\/strong><\/code> = this is the domain name or subdomain your website resolves to when accessing via an internet browser like Chrome or Firefox.<\/li>\n<\/ul>\n\n\n\n3. Specific Procedures<\/a><\/h2>\n\n\n\n
3.1. Dependencies<\/a><\/h3>\n\n\n\n
3.2. Background<\/a><\/h3>\n\n\n\n
![\"an](\"https:\/\/rexbarkdoll.com\/rexbarkdoll\/wp-content\/uploads\/2023\/12\/SAML-graphic-2400px-1024x512.jpg\")
<\/figure>\n\n\n\nhttps:\/\/[your sp site]\/saml_login<\/code>). The user is then directed to the IdP login page and is asked to setup an account or enter their credentials(for example: https:\/\/[your idp site]\/user\/login<\/code>). Once they can authenticate, their request is checked against the user database (in this case, in Drupal) and they are either rebuffed or sent back to the SP with a token if successful. The token tells the SP that the IdP has successfully verified this user and gives the SP some basic information about the user for account management on the SP side if needed (we mostly care about roles).<\/p>\n\n\n\n3.2.1. Understanding how SimpleSAML IdP\u2019s and SP\u2019s work<\/a><\/h4>\n\n\n\n
![\"\"](\"https:\/\/rexbarkdoll.com\/rexbarkdoll\/wp-content\/uploads\/2023\/12\/SAML-map-2k-1024x512.jpg\")
<\/figure>\n\n\n\n3.2.2. Setting up a Drupal site to be an Identity Provider (IdP)<\/a><\/h4>\n\n\n\n
composer require \u2018drupalauth\/simplesamlphp-module-drupalauth:^2.10@RC\u2019 \u2018drupal\/drupalauth4ssp:^2.0@RC\u2019<\/code><\/p>\n\n\n\n[site root]\/vendor\/simplesamlphp\/simplesamlphp\/modules<\/code> folder (it makes communication between Drupal and SimpleSAMLphp possible), followed by the DrupalAuth4SSp module<\/a> into Drupal. Next, enable DrupalAuth4SSp with drush:drush en drupalauth4ssp<\/code><\/p>\n\n\n\n3.2.2.1. IdP Drupal Settings<\/a><\/h5>\n\n\n\n
https:\/\/[your site]\/admin\/config\/people\/drupalauth4ssp<\/code>).<\/p>\n\n\n\n![\"\"](\"https:\/\/rexbarkdoll.com\/rexbarkdoll\/wp-content\/uploads\/2023\/12\/drupalauth4ssp-settings-1024x914.png\")
<\/figure>\n\n\n\n3.2.3. IDP SAML Files<\/a><\/h4>\n\n\n\n
3.2.3.1. Apache Config Files<\/a><\/h5>\n\n\n\n
\/etc\/apache2\/sites-available\/[website].conf<\/code><\/p>\n\n\n\n