Simple saml PHP and drupal 6


Jonathan Dray

Aug 12, 2010, 6:29:30 AM
to Drupal SimpleSAMLphp integration
Hi,

I have successfully installed simplesamlphp on my debian box.
I have configured an idp with ldap authentication and a sp.
The authentication works on the simplesamlphp test page with 2 test
users.

Now I want to enable authentication for users on a drupal site with
simplesaml.
I found a drupal plugin (http://code.google.com/p/drupalsimplesaml/) ,
and enabled it on the website.

The documentation on this plugin is very limited and I need more
information:

- When a user visits the website for the first time, he is not
authenticated and he should be redirected to the idp authentication
page (through the sp).
But instead the drupal default login page is displayed. Is it
possible to change this behaviour?
Do I need some extra apache configuration to authenticate users?

- The first time a user accesses the drupal website, if his profile
doesn't exist yet it is automatically created.
As I understand things here, the metadata provided by the sp are
mapped to the drupal user profile fields.
Can I have more information on how the mapping is done ?

- I suppose that if a user is removed from the ldap directory, his
profile still remains in drupal's database, right?

- What happens if user information is modified in the ldap? Is the
user's drupal profile synchronized?

Thank you.

Regards,
Jonathan Dray

Halvor Utby

Aug 24, 2010, 10:16:12 AM
to drupalsi...@googlegroups.com
Hi,

I'm not a developer of the simplesamlphp_auth module, however I have some notes on how we installed this module on our site. Maybe this can help you.

I hereby state that I will not take responsibility for any incorrect information that is given here. All statements should be tested in a safe environment before being put in production sites. Make sure you have backup of your hosts before you begin.


  1.  Download simplesamlphp and install it at /somewhere/simplesamlphp-<version>
  2.  Create the symlink to simplesaml

     ln -s /somewhere/simplesamlphp-<version> /somewhere/simplesamlphp

  3. Configure simplesamlphp/config/config.php:
        1. Change password
        2. Generate secretsalt (as described in the file)
        3. Change technicalcontact_name
        4. Change technicalcontact_email
        5. Change timezone
        6. Change log-handler to file, i.e. 'logging.handler' => 'file', (make sure that the log directory of simplesaml is accessible and writable for httpd, or the apache user)
        7. Change language to 'language.default' => 'your-language'
        8. (You don't need this first step. It's specific for our site) Under 'authproc.sp' => array(
           add the following lines to get member data in the correct form from LDAP

                10 => array(
                        'class' => 'core:AttributeAlter',
                        'subject' => 'member',
                        'pattern' => '/^(cn=[^,]*).*/',
                        'replacement' => '\1',
                ),

           (You might need this step)
           Add the following lines under 'authproc.sp' to enable smart-name.

                59 => 'smartnameattribute:SmartName',

        9. Change 'session.handler' => 'memcache',
       10. If you have several servers, change under 'memcache_store.servers' => array(
           from localhost to the external ip-address of your host and add the ip-address of the failover host. If you only have one host, keep localhost so you save yourself the trouble of
           iptables.
  4. In addition to enable smart-name, rename simplesamlphp/modules/smartnameattribute/default-disabled to simplesamlphp/modules/smartnameattribute/default-enable
  5. Change /somewhere/simplesamlphp/metadata/saml-idp-remote.php metadata to your idp.

  6. To select default-sp as standard service change the following line in simplesamlphp/config/authsource.php:

       'idp' => NULL,

     to

       'idp' => 'https://your.idp.provider.com/path/to/metadata.php',

  7. Make sure you have installed and started memcache on the correct IP-address, (and if running on external IP configured iptables so only your current host and failover
     host have access to the memcache port).
  8. simplesamlphp/{www,log} should have ownership "httpd:httpd", or whatever your apache is using.
  9. Add "Alias /simplesaml /somewhere/simplesamlphp" in your httpd.conf and allow access with the Documentroot directive for /somewhere/simplesamlphp.
 10. Send metadata information to your idp.
 11. Test if things work properly with https://your.host.com/simplesaml/example-simple/verysimple.php
 
  Drupal part (we have changed the simplesamlphp_auth module quite a lot to better suit our needs, so if something is different for you I apologize)
 12. Download simplesamlphp_auth from: http://drupalsimplesaml.googlecode.com/svn/trunk/simplesamlphp_auth/ and put it in your modules directory.
 13. Enable the module in the module list within Drupal.
 14. Configure simpleSAMLphp authentication module settings under http(s)://your.site.com/blog.name/admin/user/simplesamlphp_auth
  • "Installation directory" should be set to "/somewhere/simplesamlphp"
  • "Authentication source for this SP" should be set to default-sp, unless you have several SPs.
  • "Which attributes from simpleSAMLphp should be used as user's name" is up to you depending on if you have smart-name enabled in point 8. You could try to login with different settings to see the difference.
  • "Which attribute from simpleSAMLphp should be used as unique identifier for the user" depends on what data you get from your idp. You could find this information in point 11. if I'm not mistaken.
  • "Which attribute from simpleSAMLphp should be used as user mail address" should be set to mail. :)
  • "Automatic role population from simpleSAMLphp attributes" could be used for lots of useful things. E.g.: We have the rule: 2:eduPersonPrincipalName,@=,our.domain.com which will automatically add all users with names ending with our.domain.com as type-2 users. Your different types of users are set in http(s)://your.site.com/blog.name/admin/user/roles. The correct number is easier to find directly in the database.
  • "Force https for login links" depends on your sp and idp. I prefer to have it enabled for security reasons.

 15. If you are using postgresql as we do, we get an error the first time a user logs in (really when the user gets created within drupal). So in /your/drupal/installation/modules/user/user.module, about line 501, replace the line
 if (!isset($perm[$account->uid])) {
with
 if (!isset($perm[$account->uid]) && isset($account->roles)) {


Now to your questions:

- Every time a user logs in via the "Login via simplesaml" link he/she gets redirected to your idp. The first time, the user will also be created in your drupal database, but you can not use the "login provided by drupal"; you always have to use the "Login via simplesaml" link. (We have therefore, at our site, added some code to the module removing the login/password box from drupal altogether. With the "login/password box" I mean the "user login" block you can enable under http(s)://your.site.com/blog.name/admin/build/block. The same "hack" has changed the http(s)://your.site.com/blog.name/user page to not include the username/password fields).

- Yes, the first time a user logs in successfully through your idp it will create a user within the drupal user database. However, a user is never authenticated directly against this database. Only user information and permissions are stored here.

- A user will still exist in your drupal user database, however, since the user is no longer valid at your idp he will no longer be able to authenticate himself and therefore not be able to log in. The mapping depends on your sp/idp configuration. Use point 11. to figure it out.

- The user information is probably not synchronized. However, you could probably write that part of the code and submit it. I would definitely appreciate it.

I hope this helps you on your way.

--
Halvor Utby
Head Engineer
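The role-population rule Halvor quotes ("2:eduPersonPrincipalName,@=,our.domain.com") is undocumented in the thread, so here is an added, stand-alone evaluator for that rule shape; it is not code from the simplesamlphp_auth module. It reads '@=' as "the domain part after '@' equals the value" rather than a plain suffix match, and the one-rule-per-line split, the function names and the attribute values are assumptions of this example.

```php
<?php
// Added example, not code from the simplesamlphp_auth module: evaluates a
// role-population rule in the shape Halvor quotes,
//   <drupal role id>:<SAML attribute>,<operator>,<value>
// e.g. "2:eduPersonPrincipalName,@=,our.domain.com". Only the '@=' operator
// appears in the thread; it is read here as "the part after '@' equals the
// value", not as a plain suffix match, so "bob@notour.domain.com" does not
// qualify. Rules are split one per line (a convention of this example).

/** Parse one rule; NULL on malformed input so a typo never grants a role. */
function rule_parse($rule) {
  if (!preg_match('/^(\d+):([^,]+),([^,]+),(.+)$/', $rule, $m)) {
    return NULL;
  }
  return array('rid' => (int) $m[1], 'attr' => $m[2], 'op' => $m[3], 'value' => $m[4]);
}

/** TRUE if any value of the named attribute satisfies the rule. */
function rule_matches(array $parsed, array $attributes) {
  if ($parsed['op'] !== '@=' || empty($attributes[$parsed['attr']])) {
    return FALSE;                       // unknown operator or absent attribute: deny
  }
  foreach ($attributes[$parsed['attr']] as $v) {
    $at = strrpos($v, '@');
    if ($at !== FALSE && strcasecmp(substr($v, $at + 1), $parsed['value']) === 0) {
      return TRUE;
    }
  }
  return FALSE;
}

/** Collect the distinct Drupal role ids granted by a block of rules. */
function roles_from_rules($rules_text, array $attributes) {
  $rids = array();
  foreach (preg_split('/\R/', trim($rules_text)) as $line) {
    $parsed = rule_parse(trim($line));
    if ($parsed !== NULL && rule_matches($parsed, $attributes)) {
      $rids[$parsed['rid']] = $parsed['rid'];
    }
  }
  return array_values($rids);
}

// Constructed attribute sets in the array-of-arrays shape simpleSAMLphp returns.
$rules = "2:eduPersonPrincipalName,@=,our.domain.com\n3:eduPersonPrincipalName,@=,partner.example";
$alice = array('eduPersonPrincipalName' => array('alice@our.domain.com'));
$bob = array('eduPersonPrincipalName' => array('bob@notour.domain.com'));
var_dump(roles_from_rules($rules, $alice));    // alice's domain matches role 2's rule
var_dump(roles_from_rules($rules, $bob));      // bob's domain only looks similar: no role
```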


Snorre Løvås

Aug 24, 2010, 1:40:54 PM
to Drupal SimpleSAMLphp integration


On Aug 24, 4:16 pm, Halvor Utby <halv...@gmail.com> wrote:

> I'm not a developer of the simplesamlphp_auth module, however I have some
> note on how we installed this module on our site. Maybe this can help you.

I guess I am one of the developers :) Finally up and running after the
vacation.

>
>   *Drupal part* (we have changed the simplesamlphp_auth module quite a lot to
> better suit our needs, so if something is different for you I apologize)
>  12. Download simplesamlphp_auth from: http://drupalsimplesaml.googlecode.com/svn/trunk/simplesamlphp_auth/ and put
> it in your modules directory.
>  13. Enable the module in the module list within Drupal.
>  14. Configure simpleSAMLphp authentication module settings under http(s)://
> your.site.com/blog.name/admin/user/simplesamlphp_auth
>
>    - "Installation directory" should be set to "/somewhere/simplesamlphp"
>    - "Authentication source for this SP" should be set to default-sp, unless
>    you have several SPs.

This will only be available if you use the trunk. If you download the
zip-file this option isn't there yet.

>    - "Which attributes from simpleSAMLphp should be used as user's name" is
>    up to you depending on if you have smart-name enabled in point 8. You could
>    try to login with different settings to see the difference.

Be sure that the option you select will be unique in your environment.
Depending on which attributes you have and how they are registered
this may vary.


>    - "Which attribute from simpleSAMLphp should be used as unique identifier
>    for the user" depends on what data you get from your idp. You could find
>    this information in point 11. if I'm not mistaken.


Yes... same comment as above. If two users have the same value here
they will access the same drupal account.
Unique usernames in the federation, targeted IDs and the like are good
candidates. I usually use eduPersonPrincipalName in our federation as
I know it is unique. For more anonymous settings where the SP doesn't
get the eduPPN I probably would use a targeted ID of some kind from
the IdP.



>    - "Which attribute from simpleSAMLphp should be used as user mail
>    address" should be set to mail. :)

Most likely :)


>    - "Automatic role population from simpleSAMLphp attributes" could be used
>    to lots of useful things. I.e: We have the rule:
>    2:eduPersonPrincipalName,@=,our.domain.com which will automatically add
>    all users with names ending with our.domain.com as type-2 users. Your
>    different types of users are set in http(s)://
>    your.site.com/blog.name/admin/user/roles. The correct number is easier to
>    find directly in the database.

This option really needs more documentation... :-/

>    - "Force https for login links" depends on your sp and idp. I prefer to
>    have it enabled for security reasons.


In production sites it really should be set to force https.


>
>  15. If you are using postgresql as we do. We get an error the first time a
> user logs in (really the user gets created within drupal). So in
> /your/drupal/installation/modules/user/user.module, about line 501: replace
> line
>  if (!isset($perm[$account->uid])) {
> with
>  if (!isset($perm[$account->uid]) && isset($account->roles)) {
>
> Now to your questions:
>
> - Every time a user logs in via "Login via simplesaml"-link he/she gets
> redirected to your idp. The first time, the user will also be created in
> your drupal database, but you can not use the "login provided by drupal" you
> always have to use the "Login via simplesaml" link. (We have therefore, at
> our site, added some code to the module removing the login/password box from
> drupal altogether. With the "login/password box" I mean the "user login"
> block you can enable under http(s)://
> your.site.com/blog.name/admin/build/block. The same "hack" has changed the
> http(s)://your.site.com/blog.name/user page to not include the
> username/password fields).
>

By default you get a link on the default login page: "Click here to
login via simpleSAMLphp", and also in the login block.

I haven't found an easy way to disable/remove the default drupal login
fields. Changing the code as described above is one option or maybe
use a css to move the form way off the page.

A custom block/view/node with user friendly login information for your
federated login is probably the best option.




> - Yes, the first time a user logs in successfully through your idp it will
> create a user within the drupal user database. However, a user is never
> authenticated directly against this database. Only user information and
> permissions are stored here.


Worth noting: When creating the user Drupal will generate a random
password and place it in the password field in the db.
http://api.drupal.org/api/function/user_external_login_register/6

So there is a "usable" local username password combination but nobody
knows that local password...

>
> - A user will still exist in your drupal user database, however, since the
> user no longer is valid by your idp he will no longer be able to
> authenticate himself and therefore not be able to log in. The mapping
> depends on your sp/idp configuration. Use point 11. to figure it out.

Since there is no notification from the IdP to the SP when a user
isn't a valid user at the IdP anymore, deprovisioning isn't possible
directly. If you have a "back channel" from the IdP/IdM/IAM-system
telling the SP when users expire you can write some deprovisioning
code to remove local user accounts.


>
> - The user information is probably not synchronized. However, you could
> probably write that part of the code and submit it. I would definitely
> appreciate it.


Earlier versions of the module updated the information with no option
to turn it off. Currently the module doesn't update information but
it should be possible by adding a section in simplesamlphp_auth_user
for $op='login'/'logout'.

I haven't had time to work on the module for some time... :-/



Snorre
--
Snorre Løvås
CTO
Norwegian centre for ICT in education
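Snorre's points about the unique-identifier attribute and about re-syncing user data on login, as an added example rather than code from the module or from Snorre: a small companion Drupal 6 module (hypothetical name "samlsync") implementing hook_user() for $op == 'login'. It assumes simpleSAMLphp at /somewhere/simplesamlphp with the legacy SimpleSAML_Auth_Simple API, an authsource named default-sp, and the eduPersonPrincipalName and mail attributes named in the thread; the SAMLSYNC_* constants and function names are inventions of this example.

```php
<?php
// Added example, not part of the simplesamlphp_auth module: a companion Drupal 6
// module (hypothetical name "samlsync") implementing hook_user() for $op == 'login',
// as Snorre suggests, so the mail address is re-read from the SAML session at each
// login. It skips the sync when the unique-identifier attribute is missing or
// multi-valued, since two users sharing that value would share one Drupal account.
// Assumptions: simpleSAMLphp at /somewhere/simplesamlphp (per the thread) with the
// legacy SimpleSAML_Auth_Simple API; attribute names are site-specific.
define('SAMLSYNC_UNIQUE_ID_ATTR', 'eduPersonPrincipalName'); // assumed, as Snorre uses
define('SAMLSYNC_MAIL_ATTR', 'mail');                        // assumed, as Halvor uses

/** SAML attributes of the current session (array of arrays), or NULL if none. */
function samlsync_attributes() {
  require_once '/somewhere/simplesamlphp/lib/_autoload.php';
  $as = new SimpleSAML_Auth_Simple('default-sp');
  return $as->isAuthenticated() ? $as->getAttributes() : NULL;
}

/** Value of $attr if it is present exactly once and non-empty, else NULL. */
function samlsync_single_value(array $attributes, $attr) {
  if (empty($attributes[$attr]) || count($attributes[$attr]) !== 1) {
    return NULL;
  }
  $v = trim($attributes[$attr][0]);
  return $v === '' ? NULL : $v;
}

/** Implementation of hook_user() with the Drupal 6 signature. */
function samlsync_user($op, &$edit, &$account, $category = NULL) {
  if ($op !== 'login' || ($attributes = samlsync_attributes()) === NULL) {
    return;
  }
  if (samlsync_single_value($attributes, SAMLSYNC_UNIQUE_ID_ATTR) === NULL) {
    watchdog('samlsync', 'Attribute %a missing or multi-valued for uid %u; sync skipped.',
      array('%a' => SAMLSYNC_UNIQUE_ID_ATTR, '%u' => $account->uid), WATCHDOG_WARNING);
    return;
  }
  $mail = samlsync_single_value($attributes, SAMLSYNC_MAIL_ATTR);
  if ($mail === NULL || !valid_email_address($mail) || $mail === $account->mail) {
    return;                                   // nothing valid to change
  }
  // Do not let an IdP-supplied mail collide with another local account.
  $other = user_load(array('mail' => $mail));
  if ($other && $other->uid != $account->uid) {
    return;                                   // leave the conflict to an admin
  }
  $account = user_save($account, array('mail' => $mail));
  watchdog('samlsync', 'Updated mail for uid %u from the IdP.', array('%u' => $account->uid));
}
```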

Snorre Løvås

Aug 24, 2010, 2:20:31 PM
to Drupal SimpleSAMLphp integration

It also seems the module doesn't work with the newest version of
SimpleSAMLphp... Probably some changes in available functions. I'll
have to look into it...

regards,
Snorre... who just broke three sites... :-/

Steve Moitozo II

Aug 24, 2010, 5:33:28 PM
to drupalsi...@googlegroups.com
Snorre,

I have a patch to address the issues and tidy up a couple of items. I just
haven't had a chance to merge it into the repository. Here it is if you'd like
to review it.

-S2
--
Steve Moitozo II
Network Engineer
JAARS Global IT Engineering: Network Systems
704-843-6602

simplesamlphp_auth.module.patch