Drupal Authentication Setup Manifesto - Cosign -> Shibboleth -> SimpleSAMLphp

Submitted by slackstone on Wed, 12/22/2021 - 06:44

PREFACE: Presented here are some random notes for setting up Federated SAML Authentication on Drupal 9. 

The killer feature for Drupal in the early days was its ability to hook into an organization's user base. The on-demand provisioning of new users was a wonderful thing. For context on the time, Microsoft was pushing IIS with SharePoint and Active Directory. Drupal 6 could do more for less back then. Early Drupal played nicely with an older tool called Cosign. Many organizations moved forward to Shibboleth and the SHIB_AUTH module for Drupal 7.

Shibboleth is set up as a server service that works with the Apache web server. Because Shibboleth runs as a service, you need the full overhead of a server host: there is a running server process with its own settings and comprehensive logging. Shibboleth is/was a true workhorse for many Drupal 7 sites. It should be noted that Shibboleth is not an option with many Drupal hosting providers.

However, Shibboleth is not the only option. Because SAML is an open standard, there are many implementations written in different languages.

Available Authentication Libraries, Toolkits and Applications:

SimpleSAMLphp:
A PHP framework that does not require a dedicated server service. SimpleSAMLphp provides SAML authentication as a library that developers can write to. A benefit is that it can be configured as either an SP (app consumer) or an IDP (auth provider). Tools with powerful features typically come with complex setup and configuration, and SimpleSAMLphp is no exception.

OneLogin's SAML PHP Toolkit:
An open source library provided and supported by OneLogin Inc

Available Authentication Modules for D9:

Their documentation is required reading; it helps explain the current landscape for authentication tools on Drupal:

SAML Authentication
Requires OneLogin SAML PHP Library 

Basic Shib

What basic configuration settings are needed for enabling SSO?
At a minimum, the admin for the IDP will require the following:
(This is typically provided as an indexed array ?? Need a good example here.)
Entity ID:

The admin for the IDP will provide the following:
Entity ID:
Security Certificate:
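A concrete version of that two-way exchange, as an added example that is not from the original post: in SimpleSAMLphp the SP half lives in config/authsources.php and the IDP half in metadata/saml20-idp-remote.php, both as PHP associative arrays keyed by entity ID. All hostnames, file names and the certificate body below are placeholders.

```php
<?php
// --- config/authsources.php (SP side: what you hand to the IDP admin) ---
// The IDP admin needs your SP entity ID, your Assertion Consumer Service
// (ACS) URL and your SP signing certificate. Publishing the SP metadata
// URL used as the entity ID below covers all three, since the ACS URL
// and certificate are included in that metadata document.
$config = [
    'default-sp' => [
        'saml:SP',
        // Placeholder entity ID; the IDP admin registers this exact string.
        'entityID' => 'https://drupal.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp',
        // Entity ID of the one IDP we trust; must match a key in saml20-idp-remote.php.
        'idp' => 'https://idp.example.org/idp/shibboleth',
        // SP key pair in the cert/ directory; the .crt is what the IDP admin receives.
        'privatekey'  => 'drupal-sp.pem',
        'certificate' => 'drupal-sp.crt',
        // Sign AuthnRequests so the IDP can verify they really came from this SP.
        'sign.authnrequest' => true,
    ],
];

// --- metadata/saml20-idp-remote.php (IDP side: what the IDP admin hands you) ---
// Minimum: the IDP entity ID, its single sign-on endpoint, and its signing
// certificate. Pinning certData here is what lets the SP reject assertions
// signed by anything other than that IDP.
$metadata['https://idp.example.org/idp/shibboleth'] = [
    'entityid' => 'https://idp.example.org/idp/shibboleth',
    'SingleSignOnService' => [
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://idp.example.org/idp/profile/SAML2/Redirect/SSO',
        ],
    ],
    // Base64 body of the IDP signing certificate, without the BEGIN/END lines.
    'certData' => 'MIIC...PLACEHOLDER-IDP-CERTIFICATE-BODY...',
];
```

If the IDP admin sends you a metadata XML file instead of these values, SimpleSAMLphp's metadata converter (installed at simplesaml/admin/metadata-converter.php in its web root) turns it into this array form.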