Setting up SimpleSAMLphp for Drupal
1. Make sure the web server on your development machine is registered to Stanford and has a valid SSL certificate. See https://uit.stanford.edu/service/ssl for more information.
2. Download SimpleSAMLphp from https://simplesamlphp.org/download and unzip into a directory outside your web server docroot.
3. In the web server configuration (httpd-ssl.conf, for example, in Apache), add the following to the VirtualHost definition for your server, adjusting the paths to where you unpacked SimpleSAMLphp:
SetEnv SIMPLESAMLPHP_CONFIG_DIR /Users/irinaz/Sites/siepr/simplesamlphp/config
Alias /simplesaml /Users/irinaz/Sites/siepr/simplesamlphp/www
<Directory /Users/irinaz/Sites/siepr/simplesamlphp/www>
Order allow,deny
Allow from all
</Directory>
(On Apache 2.4 and later, replace the Order/Allow lines with "Require all granted".) Only the www directory is aliased; config, cert, metadata and log stay outside the docroot and are never served.
4. cd into the SimpleSAMLphp cert directory and create a self-signed key pair for the SP (it signs the SP's requests and decrypts assertions sent to it): openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
The -nodes flag leaves the private key unencrypted, so make saml.pem readable only by the web server user and never copy it into the docroot or a repository. Only saml.crt is published (in the SP metadata in step 8).
5. cd into the SimpleSAMLphp metadata directory, edit saml20-idp-remote.php and add the following to the bottom of the file:
$metadata['https://idp-uat.stanford.edu/'] = array(
    'name' => array(
        'en' => 'Stanford University WebLogin',
    ),
    'description' => 'Stanford University WebAuth',
    'SingleSignOnService' => 'https://idp-uat.stanford.edu/idp/profile/SAML2/Redirect/SSO',
    'certFingerprint' => '6e:c8:18:f6:f9:3d:00:9d:8d:ab:18:02:fd:1a:41:14:ed:98:e4:31',
);
The fingerprint is the trust anchor for every assertion this SP will accept: it is the SHA-1 of the IdP's signing certificate, so verify it against the metadata the IdP itself publishes rather than trusting a value copied from a page like this one. Note that the entity ID names the UAT IdP; a production deployment needs the production IdP's entity ID, endpoint and certificate. Newer SimpleSAMLphp releases deprecate certFingerprint in favour of certData (the base64-encoded DER certificate), which also avoids pinning on SHA-1.
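The fingerprint in the entry above has to be checked against the IdP's own metadata before it is trusted. The Python below is an added example, not part of the original page and not SimpleSAMLphp code: it extracts the signing certificate(s) from a SAML metadata document, computes the SHA-1 fingerprint in the colon-separated form certFingerprint expects, compares it with the configured value, and produces the certData form to use instead. The embedded metadata document is constructed for the example; its certificate body is the base64 of the bytes "abc" rather than a real certificate, and where the real IdP metadata comes from (a URL or a file obtained out of band from Stanford IT) is left as an assumption.

```python
import base64
import hashlib
import re
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample standing in for the IdP's published metadata document.
# The X509Certificate body is the base64 of the three bytes "abc", NOT a real
# certificate; a real document carries the DER-encoded signing certificate.
SAMPLE_IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp-uat.stanford.edu/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        YWJj
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def signing_certs(metadata_xml):
    """Return the DER bytes of every certificate usable for signing."""
    root = ET.fromstring(metadata_xml.strip())
    certs = []
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        # A KeyDescriptor with no 'use' serves both signing and encryption;
        # an encryption-only certificate must not be used to verify signatures.
        if kd.get("use") not in (None, "signing"):
            continue
        for el in kd.iter("{%s}X509Certificate" % DS_NS):
            b64 = "".join((el.text or "").split())  # drop line wrapping
            certs.append(base64.b64decode(b64))
    return certs


def sha1_fingerprint(der):
    """SHA-1 over the DER bytes, rendered aa:bb:cc:... as certFingerprint expects."""
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint):
    """Lower-case hex with separators removed, so formatting differences do not matter."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())


def fingerprint_matches(configured, metadata_xml):
    """True if the configured certFingerprint matches a signing cert in the metadata."""
    want = normalize(configured)
    return any(normalize(sha1_fingerprint(der)) == want
               for der in signing_certs(metadata_xml))


def cert_data(der):
    """Base64 DER: the value to put in 'certData' instead of a fingerprint."""
    return base64.b64encode(der).decode("ascii")


if __name__ == "__main__":
    # Usage: python check_idp_fingerprint.py <configured fingerprint> [metadata.xml]
    configured = sys.argv[1] if len(sys.argv) > 1 else "a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d"
    xml_doc = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_IDP_METADATA
    for der in signing_certs(xml_doc):
        print("signing cert fingerprint:", sha1_fingerprint(der))
        print("certData:", cert_data(der))
    print("configured value matches:", fingerprint_matches(configured, xml_doc))
```

Run it against the metadata document you obtained from the IdP and the fingerprint you are about to put in saml20-idp-remote.php; a mismatch means either the page you copied from is stale or the document you fetched is not the IdP's. The certData line is what a newer configuration would carry instead of the fingerprint.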
6. cd into the SimpleSAMLphp config directory and edit authsources.php.
In the 'default-sp' section, change
'idp' => null,
to:
'idp' => 'https://idp-uat.stanford.edu/',
and add the following (the key and certificate file names are resolved relative to certdir):
'privatekey' => 'saml.pem',
'certificate' => 'saml.crt',
'authproc' => array(
    20 => 'saml:NameIDAttribute',
),
7. Stay in the config directory and edit config.php.
7a. Make sure the following config options are set (the hostname and install path are elided here; substitute your server's values):
'baseurlpath' => 'https://.stanford.edu/simplesaml/',
'certdir' => '//simplesamlphp/cert/',
'metadatadir' => '//simplesamlphp/metadata/',
'attributenamemapdir' => '//simplesamlphp/attributemap/',
'loggingdir' => '//simplesamlphp/log/',
'datadir' => '//simplesamlphp/data/',
7b. Change auth.adminpassword to something better than '123'. It protects the configuration, federation and test pages under /simplesaml/, which are reachable from the network as soon as the server is registered.
7c. Change secretsalt to something other than the default by following the instructions in config.php; it is the secret SimpleSAMLphp uses wherever it needs a keyed hash, and leaving the default makes those values predictable.
7d. Change technicalcontact_name and technicalcontact_email to your name and email address.
7e. Change timezone to 'America/Los_Angeles'.
7f. Leave 'enable.saml20-idp' => false. This host is only a Service Provider; enabling IdP mode exposes IdP endpoints you are not using and is not needed for any of the steps below.
7g. Replace the 'authproc.sp' section with the following:
'authproc.sp' => array(
    // Map OID-style attribute names to friendly names (uid, displayName, mail, ...)
    10 => array(
        'class' => 'core:AttributeMap', 'removeurnprefix',
        'oid2name',
    ),
    20 => array(
        'class' => 'authorize:Authorize',
        // Regular expressions that define which workgroup members can log in.
        // This example lets in anyone in earthsci:web-authors or earthsci:web-developers.
        // Anchor the pattern: Authorize matches with preg_match, so an unanchored
        // pattern would also admit any entitlement that merely contains the string.
        'eduPersonEntitlement' => array(
            '/^earthsci:(web-authors|web-developers)$/',
        ),
    ),
    // Adopts language from attribute to use in UI
    90 => 'core:LanguageAdaptor',
),
Users who match none of the patterns are rejected by SimpleSAMLphp before they ever reach Drupal; the role mapping in step 12 then decides what a permitted user may do.
7h. It is recommended that you do not use 'store.type' => 'phpsession'.
If PHP on your server includes memcache, change 'store.type' => 'memcache' (other memcache configuration TBD).
Otherwise, change
'store.type' => 'sql',
and set store.sql.dsn, store.sql.username and store.sql.password to access your Drupal database. SimpleSAMLphp creates its own tables there (named with store.sql.prefix) and does not touch Drupal's, but config.php now holds a second copy of the database password and must be protected accordingly.
8. Go to your website at https://.stanford.edu/simplesaml/ and log in with the auth.adminpassword from 7b when prompted.
8a. On the Configuration tab, run the "sanity check" to see if you are still sane.
8b. On the Federation tab, click "SAML 2.0 SP Metadata" for 'default-sp'.
8c. Copy the metadata to your clipboard.
9. Go to https://spdb.stanford.edu and click "Add New Service Provider".
9a. Paste the metadata into the Metadata field and enter a Contact (Group) Email. Leave the other fields blank.
9b. Submit the metadata.
10. When you get word back that your SP has been registered, go back to https://.stanford.edu/simplesaml/ and click the Authentication tab.
10a. Click default-sp. You should be taken to WebLogin and back to a page that shows your account information. Note the exact attribute names shown there (after the AttributeMap filter from 7g has run); step 12 has to use those names.
11. For Drupal 7.x, install module simplesamlphp_auth
For Drupal 8.x, install modules simplesamlphp_auth and externalauth
12. Configure simplesamlphp_auth
Drupal 7.x
Check activate
Enter the location of the simplesamlphp directory
Leave default-sp as the authentication source
Check force https for login links
Use 'displayName' as the attribute for the user's name
Use 'urn:mace:dir:attribute-def:uid' as the attribute for the user's unique identifier (SUNet ID); if the test page in 10a shows it as plain 'uid' after attribute mapping, use that name instead
Use 'mail' for the user's mail address
Set automatic role population like: 'web_author:eduPersonEntitlement,=,earthsci:web-authors|web_developer:eduPersonEntitlement,=,earthsci:web-developers' (the '=' operator requires one of the attribute's values to equal the string exactly; it is not a regular expression)
Check 'reevaluate roles every time user logs in'
Check 'Register users' under User Provisioning
Uncheck 'Allow SAML users to set Drupal passwords'
Check 'Allow authentication with local Drupal accounts' and restrict it to the administrator role and/or user 1, so a local password stays a break-glass path for those accounts only
Optionally set the URL to go to after logging out
Drupal 8.x
Check activate
Leave default-sp as the authentication source
Change the login text to 'Stanford WebLogin'
Check 'Register Users (auto provisioning)'
Uncheck 'Allow SAML users to set Drupal passwords' under Local Authentication
Check 'Allow authentication with local Drupal accounts' and restrict it to the administrator role and/or user 1
Optionally set the URL to go to after logging out
Under 'User Info and Syncing':
Use 'displayName' as the attribute for the user's name
Use 'urn:mace:dir:attribute-def:uid' as the attribute for the user's unique identifier (SUNet ID); if the test page in 10a shows it as plain 'uid' after attribute mapping, use that name instead
Use 'mail' for the user's mail address
Check 'synchronize user name on every login'
Check 'synchronize user email on every login'
Set automatic role population like: 'web_author:eduPersonEntitlement,=,earthsci:web-authors|web_developer:eduPersonEntitlement,=,earthsci:web-developers'
Check 'reevaluate roles every time user logs in'
Uncheck 'Automatically enable SAML authentication for existing users', so existing local accounts are not linked to SAML identities without review
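Two separate checks decide what a Stanford user can do on this site: the authorize:Authorize filter from step 7g (a regular-expression gate inside SimpleSAMLphp) and the role population string from step 12 (exact-match rules inside Drupal). The Python below is an added example, not code from SimpleSAMLphp or from the simplesamlphp_auth module; it mirrors the two semantics (preg_match-style search for Authorize, literal equality for the '=' operator) over constructed entitlement lists to show why the Authorize pattern must be anchored and why the Drupal mapping does not need to be. The sample users and their entitlements are made up, and the way the role population string is split is an assumption based on the format shown above, not the module's own parser.

```python
import re

# Constructed sample users: eduPersonEntitlement values as the SP sees them
# after the AttributeMap filter. These are not real Stanford workgroup data.
SAMPLE_USERS = {
    "author":    ["earthsci:web-authors"],
    "dev":       ["earthsci:web-developers", "earthsci:staff"],
    "bystander": ["earthsci:staff"],
    # Contains the target string as a substring but is a different group.
    "lookalike": ["other:earthsci:web-authors-archive"],
}

# authorize:Authorize rules as in step 7g. The PHP delimiters (/.../) are
# dropped; PCRE and Python's re agree on patterns this simple.
UNANCHORED = {"eduPersonEntitlement": [r"earthsci:(web-authors|web-developers)"]}
ANCHORED = {"eduPersonEntitlement": [r"^earthsci:(web-authors|web-developers)$"]}


def saml_authorize(attributes, rules):
    """Gate at the SimpleSAMLphp layer: allow if any value of any listed
    attribute matches any pattern. re.search mirrors preg_match, which
    finds the pattern anywhere in the value unless it is anchored."""
    return any(re.search(pattern, value)
               for attr, patterns in rules.items()
               for value in attributes.get(attr, [])
               for pattern in patterns)


def allowed_users(users, rules):
    """Names of the sample users the Authorize filter would let through."""
    return sorted(name for name, entitlements in users.items()
                  if saml_authorize({"eduPersonEntitlement": entitlements}, rules))


# simplesamlphp_auth role population string from step 12.
ROLE_POPULATION = ("web_author:eduPersonEntitlement,=,earthsci:web-authors"
                   "|web_developer:eduPersonEntitlement,=,earthsci:web-developers")


def parse_role_population(spec):
    """role:attribute,op,value|... -> list of (role, attribute, op, value).
    Assumption: split on the first ':' and the first two ',' so that a value
    such as earthsci:web-authors survives intact."""
    rules = []
    for item in spec.split("|"):
        role, condition = item.split(":", 1)
        attr, op, value = condition.split(",", 2)
        rules.append((role.strip(), attr.strip(), op.strip(), value.strip()))
    return rules


def drupal_roles(attributes, spec):
    """Roles granted to a user by the Drupal-side mapping. Only '=' is
    modelled: one of the attribute's values must equal the string exactly,
    so a lookalike entitlement gets nothing even without anchoring."""
    granted = set()
    for role, attr, op, value in parse_role_population(spec):
        if op != "=":
            raise ValueError("operator %r is not modelled in this example" % op)
        if value in attributes.get(attr, []):
            granted.add(role)
    return sorted(granted)


if __name__ == "__main__":
    print("Authorize, unanchored:", allowed_users(SAMPLE_USERS, UNANCHORED))
    print("Authorize, anchored:  ", allowed_users(SAMPLE_USERS, ANCHORED))
    for name, entitlements in SAMPLE_USERS.items():
        roles = drupal_roles({"eduPersonEntitlement": entitlements}, ROLE_POPULATION)
        print("Drupal roles for %s: %s" % (name, roles))
```

With the unanchored pattern the "lookalike" user passes the SimpleSAMLphp gate and lands in Drupal as a registered account with no roles; with the anchored pattern that user never gets past WebLogin. The Drupal mapping is the second line of defence, not a substitute for the first, because auto-provisioning (step 12) creates an account for anyone the gate lets through.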