This tutorial walks through setting up SAML 2.0 based Single Sign-On for Drupal, using the WSO2 Identity Server as the Identity Provider and SimpleSAMLphp as the Service Provider. The deployment uses an Apache2 web server with PHP5 and MySQL support. Ubuntu 15.10 was used for deployment and testing.
Prerequisites
WSO2 Identity Server
The WSO2 Identity Server download link and the installation guide are given below.
Step-by-Step Process
Step 1: Configuring the prerequisites
- Install MySQL. Type the following command on the terminal with root access.
sudo apt-get install mysql-server mysql-client
You will be asked to set a root password for the MySQL root user. This password will be used in future for root@localhost.
- Install Apache2. Apache2 is installed by default on some Ubuntu versions; either way, run the following command to install or update it.
sudo apt-get install apache2
- Now go to http://localhost in your browser. If the installation was successful, you will see the Apache2 default page.
- Install PHP5. Both PHP5 and Apache PHP module need to be installed. Run the following command to install them.
sudo apt-get install php5 libapache2-mod-php5
- Install MySQL support for PHP5.
sudo apt-get install php5-mysql
- Install the following php extensions using the following command. These are required for the SimpleSAMLphp Service Provider.
sudo apt-get install php5-cli php5-common php5-curl php-pear php5-mcrypt php5-json
- Install phpMyAdmin. phpMyAdmin is a web interface used to manage MySQL databases.
sudo apt-get install phpmyadmin
- Restart Apache using the following command, then go to http://localhost/phpmyadmin to access phpMyAdmin.
sudo service apache2 restart
IMPORTANT: For deployment on a local server, an SSL certificate has to be created for Apache2 so that the web applications it hosts are served over HTTPS. Unless this is done, the SimpleSAML module used here will throw an error. A separate doc is available on how to Create an SSL certificate for localhost….
Step 2: Setting up Drupal
- Download your preferred version of drupal from here.
- Extract the downloaded archive and copy the contents to /var/www/html/ using the following command. Here I have downloaded the version Drupal-6.37.
sudo cp -r drupal-6.37 /var/www/html/
- Visit https://localhost/drupal-6.37/ in a web browser. If the deployment was successful, it should show the Drupal installation page. Leave this for now and continue with the rest of the steps.
- Go to https://localhost/phpmyadmin/ and select the Databases tab, then add a new database called drupaldb. Click the Check Privileges link next to the database and make sure the root user has Global Privileges by editing its privileges.
- Next we need to mark the Drupal settings file as writable for the initialization. Run the following commands to do this. You need root access, so run sudo su first and enter the root password.
cd /var/www/html/drupal-6.37/sites/default
mkdir files
cp default.settings.php settings.php
chmod -R a+w .
- Add the following two lines to settings.php
ini_set('mbstring.http_input', 'pass');
ini_set('mbstring.http_output', 'pass');
- Go back to the Drupal installation page and use the following information to setup the databases.
Database Name | drupaldb |
Database username | root |
Database Password | <your database root password> |
NOTE: This password is the one you set when installing MySQL, not your OS root password.
- Once the configuration is complete, remove the write permissions added in step 2.6 by running the following commands as the root user.
cd /var/www/html/drupal-6.37/sites/default
chmod -R a-w .
- Finish the Drupal installation, using the following information when asked.
Site name | localhost |
Username | admin@wso2.com |
E-mail address | admin@wso2.com |
Password | admin |
- Once the installation is complete, log out of Drupal, then log in again using the username admin@wso2.com and the password admin.
Step 3: Setting up SimpleSAMLPHP
- Run the following commands as the root user.
cd /var
mkdir simplesamlphp
cd simplesamlphp
wget http://simplesamlphp.googlecode.com/files/simplesamlphp-1.11.0.tar.gz
tar xvf simplesamlphp-1.11.0.tar.gz
mv simplesamlphp-1.11.0 simplesamlphp
cd simplesamlphp
cp -r metadata-templates/*.php metadata/
cp -r config-templates/*.php config/
- Expose the SimpleSAMLphp web directory through Apache by linking it into the document root.
cd /var/www/html
ln -s /var/simplesamlphp/simplesamlphp/www simplesaml
- Start Apache using the following command.
sudo service apache2 start
- If you are able to access the SimpleSAMLphp web page at https://localhost/simplesaml, the installation was successful.
- Change the SimpleSAML admin credentials.
cd /var/simplesamlphp/simplesamlphp
vi config/config.php
Change the value of auth.adminpassword from 123 to admin.
- Go back to https://localhost/simplesaml, click on the Login as administrator link, and log in using the admin credentials.
- Next we need to add a service provider to SimpleSAMLphp. Run the following commands to open the authsources.php file.
cd /var/simplesamlphp/simplesamlphp
vi config/authsources.php
- Comment out the default-sp configuration and add the following configuration to the file.
'wso2-sp' => array(
    'saml:SP',
    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => 'simplesaml',
    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => 'https://localhost:9443/samlsso',
    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => NULL,
),
- We also have to set the identity provider metadata in SimpleSAMLphp. Open the file using the following commands.
cd /var/simplesamlphp/simplesamlphp
vi metadata/saml20-idp-remote.php
- Remove the existing IdP entry from the file and add the following details.
$metadata['https://localhost:9443/samlsso'] = array(
    'name' => array(
        'en' => 'WSO2 IS',
        'no' => 'WSO2 IS',
    ),
    'description' => 'Login with WSO2 IS SAML2 IdP.',
    'SingleSignOnService' => 'https://localhost:9443/samlsso',
    'SingleLogoutService' => 'https://localhost:9443/samlsso',
    'certFingerprint' => '6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d',
);
NOTE: The certFingerprint used here is the thumbprint of the default certificate shipped with WSO2 IS. The SAML response is signed with this certificate, and SimpleSAMLphp will only accept responses whose signing certificate matches this fingerprint.
More information on this step can be obtained from here.
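Before trusting the IdP, it is worth confirming that the certFingerprint pinned in saml20-idp-remote.php really is the SHA-1 fingerprint of the certificate WSO2 IS signs with, rather than a stale or copied value. The following check is an added example, not part of this tutorial or of SimpleSAMLphp; the PHP entry and the PEM blob are constructed stand-ins (the PEM is arbitrary bytes, not a real certificate), and in practice you would read in the certificate exported from the WSO2 IS keystore.

```python
import base64
import hashlib
import re
import ssl

# One entry of metadata/saml20-idp-remote.php: $metadata['<entityID>'] = array( ... );
_ENTRY_RE = re.compile(r"\$metadata\['(?P<entity>[^']+)'\]\s*=\s*array\((?P<body>.*?)\);", re.DOTALL)
_FP_RE = re.compile(r"'certFingerprint'\s*=>\s*'(?P<fp>[^']+)'")

# Constructed sample: the tutorial's IdP entry with the default WSO2 IS fingerprint.
SAMPLE_METADATA_PHP = """
$metadata['https://localhost:9443/samlsso'] = array(
    'name' => array('en' => 'WSO2 IS', 'no' => 'WSO2 IS'),
    'SingleSignOnService' => 'https://localhost:9443/samlsso',
    'certFingerprint' => '6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d',
);
"""

# Constructed sample: arbitrary bytes wrapped as PEM, standing in for the IdP signing certificate
# (NOT a real X.509 certificate). For a real check, read the certificate exported from the WSO2 IS keystore.
SAMPLE_DER = bytes(range(64))
SAMPLE_IDP_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

def normalize_fingerprint(value: str) -> str:
    # SimpleSAMLphp compares fingerprints as lowercase hex with colons removed.
    return value.replace(":", "").strip().lower()

def sha1_fingerprint(pem_cert: str) -> str:
    # certFingerprint is the SHA-1 hash over the DER encoding of the certificate.
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()

def configured_fingerprints(php_source: str) -> dict:
    # Map each IdP entityID in saml20-idp-remote.php to its pinned, normalized fingerprint.
    pinned = {}
    for entry in _ENTRY_RE.finditer(php_source):
        match = _FP_RE.search(entry.group("body"))
        if match:
            pinned[entry.group("entity")] = normalize_fingerprint(match.group("fp"))
    return pinned

def check_idp_fingerprint(php_source: str, entity_id: str, pem_cert: str) -> bool:
    # Pass only when the pinned value for entity_id equals the certificate's fingerprint;
    # an entityID with no pinned fingerprint is a failure, not a pass.
    pinned = configured_fingerprints(php_source).get(entity_id)
    return pinned is not None and pinned == sha1_fingerprint(pem_cert)
```

Run check_idp_fingerprint against the real file contents and the exported certificate; a False result means the pinned fingerprint does not match what the IdP actually signs with and logins will fail signature validation.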
Step 4: Setting up the WSO2 IS
- Start the WSO2 Identity Server and add a service provider. Give it a name and check the SaaS Application checkbox.
- Select Inbound Authentication Configuration, then SAML2 Web SSO Configuration. Click on Configure and provide the following details.
Issuer | simplesaml |
Assertion Consumer URL | https://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/wso2-sp |
Enable Assertion Signing | True |
Enable Single Logout | True |
Logout URL | https://localhost/simplesamlphp/www/module.php/saml/sp/saml2-logout.php/wso2-sp |
Enable IdP Initiated SSO | True |
Keep the rest as default values.
- Under Claim Configuration, select Define Custom Claim Dialect, then add an Identity Provider Claim URI with the following information.
Service Provider Claim | |
Local Claim | http://wso2.org/claims/emailaddress |
Requested Claim | True |
The final configuration should look like this.
- Now go to https://localhost/simplesaml, click the Authentication tab, then click on Test configured authentication sources. Pick wso2-sp; if you are redirected to the WSO2 IS authentication page, the configuration was successful.
Step 5: Connecting Drupal with SimpleSAMLphp
- Download the relevant simpleSAMLphp Authentication module from here.
- Create the following directory path and extract the downloaded archive into it.
cd /var/www/html/drupal-6.37/sites/all/modules
mkdir contrib
- Go to https://localhost/drupal-6.37/ and log in to Drupal with the admin credentials, then navigate to Administer -> Site Building -> Modules. Enable the SimpleSAMLphp Authentication module, which is found under the Other category.
- Click on the Administration by module link, then under simpleSAMLphp authentication click on simpleSAMLphp authentication module settings.
Select “Activate authentication via SimpleSAMLphp”.
Installation directory (default: /var/simplesamlphp) | /var/simplesamlphp/simplesamlphp |
Authentication source for this SP (default: default-sp) | wso2-sp |
Which attribute from simpleSAMLphp should be used as user's name | |
Which attribute from simpleSAMLphp should be used as unique identifier for the user | |
Which attribute from simpleSAMLphp should be used as user mail address | |
The final configuration should look as below.
Then Save configuration.
- Go to phpMyAdmin and create a database named SimpleSAMLphpDB, with username/password root/<your password>.
- Add the following lines to /var/simplesamlphp/simplesamlphp/config/config.php
'store.type' => 'sql',
'store.sql.dsn' => 'mysql:host=localhost;dbname=SimpleSAMLphpDB',
'store.sql.username' => 'root',
'store.sql.password' => 'root',
'store.sql.prefix' => '',
- Add the following entry to the /var/www/html/drupal-6.37/sites/default/settings.php
$databases['SimpleSAMLphpDB']['default'] = array(
    'driver' => 'mysql',
    'database' => 'SimpleSAMLphpDB',
    'username' => 'root',
    'password' => 'root',
    'host' => 'localhost',
    'prefix' => '',
);
- Restart the Apache server.
Step 6: Use SSO
Go to https://localhost/drupal-6.37 and click on the Federated Log In link. You will be redirected to the WSO2 IS authentication page; log in with your WSO2 credentials and you will be redirected back to the Drupal dashboard.