Single Sign On Integration with Drupal

147 views
Skip to first unread message

Alexander Ivanov

unread,
May 3, 2016, 7:31:44 PM5/3/16
to Dataverse Users Community
Hey guys,

I'm Alex and I'm the lead developer on the QDR Project, which some of you may know.  We're looking to adapt Dataverse and integrate it with our existing Drupal site:

Right now we have Fedora Commons on the back-end.  The idea is to replace Fedora with Dataverse.  To integrate Dataverse with the Drupal site I'd like to implement a single sign-on process, such that users would only need to log in once through the Drupal login.  Then when they navigate to Dataverse, the Drupal authentication token should be all they need to authenticate into their "matching" user account in Dataverse.

Does anyone have experience with Single Sign On and Dataverse?  Is there any existing solution for such an integration?  Is there any code out there that I could utilize or use for reference?

Please get back to me when you can. 

Thanks a lot,
Alex
Message has been deleted

Vyacheslav Tikhonov

unread,
May 4, 2016, 3:35:15 AM5/4/16
to Dataverse Users Community
Hi Alex,

We've integrated Dataverse with Drupal in the Clio Infra project https://www.clio-infra.eu, please check out our repositories with source code https://github.com/IISH/drupal-module-clioinfra and https://github.com/IISH/dpe

Do you need some integration just on the metadata level or analysis/visualization stuff based on data as well?

Regards,
Slava

Philip Durbin

unread,
May 4, 2016, 10:09:17 PM5/4/16
to dataverse...@googlegroups.com
Hi Alex,

https://qdr.syr.edu looks nice and it's very interesting that you're considering an integration between Drupal and Dataverse.

From the start I feel like I should mention that OpenScholar, which is based on Drupal, is already integrated with Dataverse in some ways (and more "widgets" are in development). See http://theopenscholar.org/license-people-pluggable-content-features and https://github.com/openscholar/openscholar/tree/SCHOLAR-3.42.0/openscholar/modules/os_features/os_dataverse . That said, I'm not aware of OpenScholar being an Identity Provider (IdP).

Having Drupal be a Identity Provider (IdP) *is* what you're after, right? From a quick look I'm guessing that https://github.com/masupilamie/drupalas may be the right ballpark, at least. It says "A SimpleSAMLphp module allowing you to use your Drupal site as a SAML authentication source and SAML login / logout front-end."

I should pause here and explain that when I think of Single Sign On (SSO), my mind jumps instantly to Shibboleth and SAML, which is the open standard we've adopted for Dataverse. As of Dataverse 4.3, Shibboleth support is still officially experimental per http://guides.dataverse.org/en/4.3/installation/shibboleth.html but it's being used in production at https://dataverse.lib.virginia.edu and I'll attach a screenshot of what it looks like. You can read more about UVA's installation at https://news.library.virginia.edu/2016/03/29/uva-library-launches-libra-data-university-of-virginia-dataverse-repository/

Once you have your Drupal site configured as a Shibboleth/SAML Identity Provider (IdP), you can configure Dataverse to authenticate against it as explained in the guide above.

With regard to the "experimental" status of Shibboleth support in Dataverse, I have a pull request at https://github.com/IQSS/dataverse/pull/3025 that fixes some mostly minor bugs that I imagine will land in Dataverse 4.4 or 4.5. That pull request represents the effort toward "phase 1" of remote authentication requirements listed at https://docs.google.com/document/d/1vcAmo2nkFYavAr7OwwXzxM0IFQbkRZYZrrX43q-wqGE/edit?usp=sharing . Once the pull request is merged we're running Shibboleth in production for a while at https://dataverse.harvard.edu (which may require us registering as a Service Provider (SP) with InCommon first) we'll remove the "experimental" notice. We like to eat our own dog food. :)

I hope this helps. If you set up Drupal as a Shibboleth/SAML Identity Provider (IdP) and tell me where I can download your metadata, I'd be happy to add it to a test Dataverse server (after I send you its metadata, probably from https://shibtest.dataverse.org which is my test server that you're welcome to play around with) so we can make sure login via your Drupal IdP solution works. Or you're welcome to do your own testing on a Dataverse server you install yourself, of course. :)

Shibboleth and SAML are very common in the academic community, but this is not what you had in mind for Single Sign On, please let me know! There's newer stuff like OAuth plus OpenID Connect (used by Google, Facebook, Twitter, et al.) but we've been focusing on Shibboleth and SAML for the phase 1 effort due to its popularity in higher education. The other thread where I've been posting Shibboleth updates is https://groups.google.com/forum/#!topic/dataverse-community/pTmHCBVRE3o

I hope this helps,

Phil

p.s. Slava mentioned https://github.com/IISH/drupal-module-clioinfra which looks interesting, but I think I need some pointers deeper into the code or a nice readme to understand if it's doing SAML or not.)



--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/4fc16847-5c29-49f7-b1f4-ba3400e81267%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--
Log_In_-_University_of_Virginia_Dataverse_-_2016-05-04_21.38.49.png

Alexander Ivanov

unread,
May 4, 2016, 11:51:50 PM5/4/16
to Dataverse Users Community, philip...@harvard.edu
Hey guys,

Thank you for your responses.  I will spend some time researching the solutions that you've proposed.

Let me just clarify what I mean by single sign-on, as I have previously implemented between two Drupal sites:
  1. User logs into Site A.  Gets authentication cookie
  2. User navigates to Site B. Site B is programmed to check for the authentication cookie from Site A
  3. If the cookie is present, Site B makes a webservice call to Site A, sending over the authentication token and username, to confirm that the user has been authenticated by Site A
  4. Site A sends a response.  If the response is affirmative, the user is logged into Site B. 
    • If it is the user's first time at Site B, an account is created for the user.  However the user will never need to use the login credentials for Site B directly.. all login is done through Site A.
  5. When the user hits Log Out on either Site A or Site B, he is sent to the /logout page of Site A and the authentication cookie is deleted, effectively logging the user out of both sites.

Let me know if that makes sense.  Thanks.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.

To post to this group, send email to dataverse...@googlegroups.com.

Alexander Ivanov

unread,
May 5, 2016, 12:01:34 AM5/5/16
to Dataverse Users Community, philip...@harvard.edu
..As described in this post:
https://www.gluu.org/blog/shibboleth-identity-provider-idp-what-it-is-and-why-you-should-consider-a-managed-service-like-gluu/

It seems that setting up Drupal as a Shibboleth/SAML Identity Provider (IdP) could be a solution for us.  I'll have to look into it further.

Oh and it's a pleasure to meet you, Phil.  Thank you for all the advice.  I'm sure I'll have more questions as I continue to work on this.

Cheers,
Alex
Reply all
Reply to author
Forward
0 new messages