2014/10/17

[Article] An Introduction to WSO2 Identity Server Single Sign-On with Drupal

  • Maninda Edirisooriya
  • Associate Technical Lead - WSO2

Introduction to SAML2 Single Sign-On with WSO2 IS

WSO2 Identity Server (WSO2 IS) can be used as an Identity Provider for SAML2-based Single Sign-On with any SAML2-compatible
service provider. In this scenario we use SimpleSAMLphp as the SAML service provider.

SimpleSAMLphp is a PHP application that can act as a SAML service provider for many other PHP applications; in this scenario we use Drupal, a widely used Content Management System (CMS), as the web application. Single Sign-On simplifies identity management across enterprise services and applications by authenticating each user only once and propagating the authentication details to all applications and services transparently to the end user.

For more information on SSO with WSO2 Identity Server watch our webinar on
or read our customer use case on how

Setting up Drupal and WSO2 IS

Instead of following the generic way of configuring SimpleSAMLphp, here I have used a XAMPP server, which bundles Apache, MySQL, and PHP. I used the Ubuntu 12.04 operating system for the deployment and for testing.

Setting up XAMPP server

  1. Download XAMPP (the xampp-linux-x64-1.8.3-5-installer.run file) from here.
  2. Go to the directory containing xampp-linux-x64-1.8.3-5-installer.run in the console and execute the following commands.
    chmod 755 xampp-linux-x64-1.8.3-5-installer.run
    sudo su

    Then enter the root password.

    ./xampp-linux-x64-1.8.3-5-installer.run

    The XAMPP server should now be installed.

  3. Start all the servers with the following command or with the desktop app UI.
    sudo su

    Enter the root password.

    /opt/lampp/lampp start
  4. Go to https://localhost/phpmyadmin from a web browser. It should show the phpMyAdmin user interface if the XAMPP
    server was successfully installed.

Install Drupal

  1. Download Drupal from here.
  2. Extract the downloaded archive file and copy the drupal-7.31 directory to the XAMPP server deployment location with
    root permission as follows.
    sudo cp -r drupal-7.31 /opt/lampp/htdocs

    Enter the root password.

  3. Go to https://localhost/drupal-7.31/ from a web browser. It should show the Drupal installation wizard.
  4. Go to https://localhost/phpmyadmin, select the "Databases" tab, create a database named "drupaldb", then click on
    drupaldb's "Check Privileges" link and then the "Edit Privileges" link to verify that the Global privileges have been
    ticked.
  5. Then make the settings directory (and the settings.php copied into it) writable for initial configuration purposes
    as follows.
    sudo su

    Enter the root password.

    cd /opt/lampp/htdocs/drupal-7.31/sites/default
    mkdir files
    cp default.settings.php settings.php
    chmod -R a+w .
  6. Go back to the Drupal installation wizard https://localhost/drupal/install.php and continue the installation
    process with the following details.
    Database type : MySQL, MariaDB, or equivalent
    Database Name : drupaldb
    Database username : root
  7. When asked in the wizard, remove the write permissions added above.
    sudo su

    Enter the root password.

    cd /opt/lampp/htdocs/drupal-7.31/sites/default
    chmod -R a-w .
  8. Then continue the Drupal setup wizard with the following details (use your own information as required).
    Site name : localhost
    Site e-mail address : [email protected]
    Username : maninda
    E-mail address : [email protected]
    Password : password
  9. Once the setup wizard is completed, Drupal should be installed correctly. You can log out from the site and
    log in again with “maninda” as the username and “password” as the password.

Install and Setup SimpleSAMLphp

  1. Download the SimpleSAMLphp PHP library (simplesamlphp-1.11.0.tar.gz) from https://simplesamlphp.org/download to
    the /home/maninda directory (or whatever directory you want), extract “simplesamlphp-1.11.0” and create the
    metadata and config files from their templates with the console.
    cd /home/maninda
    tar xzf simplesamlphp-1.11.0.tar.gz
    cd simplesamlphp-1.11.0
    cp -r metadata-templates/*.php metadata/
    cp -r config-templates/*.php config
  2. Then create a symlink in the XAMPP deployment directory to deploy the SimpleSAMLphp library.
    sudo su

    Enter the root password.

    cd /opt/lampp/htdocs
    ln -s /home/maninda/simplesamlphp-1.11.0/www/ simplesaml
  3. Now I am going to configure SimpleSAMLphp as the SAML2 service provider (with the service provider name “wso2-sp”)
    on behalf of the Drupal application. First, the new service provider has to be added to the $config array in
    /home/maninda/simplesamlphp-1.11.0/config/authsources.php as follows.
    'wso2-sp' => array(
        'saml:SP',
        // The entity ID of this SP.
        // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
        'entityID' => 'simplesaml',

        // The entity ID of the IdP this SP should contact.
        // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
        'idp' => 'https://localhost:9443/samlsso',

        // The URL to the discovery service.
        // Can be NULL/unset, in which case a builtin discovery service will be used.
        'discoURL' => NULL,
    ),
  4. Configure the IdP in /home/maninda/simplesamlphp-1.11.0/metadata/saml20-idp-remote.php as follows. Note that the
    SHA-1 fingerprint of WSO2 IS's signing certificate should be set as “certFingerprint”. The URL in the first line of
    the configuration below is the entity ID of the IdP.
    $metadata['https://localhost:9443/samlsso'] = array(
        'name' => array(
            'en' => 'WSO2 IS',
            'no' => 'WSO2 IS',
        ),
        'description' => 'Login with WSO2 IS SAML2 IdP.',

        'SingleSignOnService' => 'https://localhost:9443/samlsso',
        'SingleLogoutService' => 'https://localhost:9443/samlsso',
        'certFingerprint' => '6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d',
    );

Installing and Configuring WSO2 Identity Server

  1. Download WSO2 Identity Server 5.0.0 (the wso2is-5.0.0.zip file) from https://wso2.com/products/identity-server to the
    directory /home/maninda (or whatever directory you want) and extract it there.
  2. Go to the extracted directory and start the server as follows.
    cd /home/maninda/wso2is-5.0.0
    ./bin/wso2server.sh
  3. Once WSO2 IS is up and running, go to its Management Console at https://localhost:9443/carbon/ with a web
    browser.
  4. In the Management Console, go to Main → Identity Providers → List → Resident Identity Provider → Resident Realm
    Configuration → Inbound Authentication Configuration → SAML2 Web SSO Configuration. Then set
    “https://localhost:9443/samlsso” as the “Identity Provider Entity Id”, which was earlier set in the SimpleSAMLphp
    configuration. Then click the “Update” button to update the configuration.
  5. Now a service provider should be created in WSO2 IS representing the SimpleSAMLphp service provider. In the
    Management Console, go to Main → Identity → Service Providers → Add. Enter a unique name (e.g. simplesamlphp) for
    “Service Provider Name” and click on “Register” to register a new service provider.
  6. Tick the “SaaS Application” checkbox for that service provider.
  7. Under this service provider, go to Inbound Authentication Configuration → SAML2 Web SSO Configuration → Configure
    and configure as follows. The Issuer must be the same value as the 'entityID' set in authsources.php.
    Issuer: simplesaml
    Assertion Consumer URL: https://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/wso2-sp
    Use fully qualified username in the NameID: True
    Enable Assertion Signing: True
    Enable Single Logout: True
        Custom Logout URL: https://localhost/simplesaml/module.php/saml/sp/saml2-logout.php/wso2-sp
    Enable Attribute Profile: True
        Include Attributes in the Response Always: True

    WSO2 IS SAML SSO Configuration

  8. Under the same service provider, go to “Claim Configuration” and select the “Define Custom Claim Dialect” option.
  9. Add two “Identity Provider Claim URIs” by clicking on the “Add Claim URI” link as follows. Note that this mapping
    maps WSO2 IS's local claims to the SimpleSAMLphp service provider claims.
    Service Provider Claim   Local Claim                              Requested Claim
    Mail                     https://wso2.com/claims/emailaddress     [checked]
    fname                    https://wso2.org/claims/givenname        [checked]

    WSO2 IS SP Configuration
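As an added example (not part of the article, nor code from SimpleSAMLphp or WSO2 IS), the following Python script applies the identifier checks a SAML2 service provider makes on an IdP response before trusting it, using the IdP entity ID, SP entityID/Issuer and Assertion Consumer URL configured above, and extracts the Mail and fname attributes produced by the claim mapping in step 9. The response it parses is constructed here, unsigned and with a placeholder e-mail address; signature verification against the certificate identified by certFingerprint is SimpleSAMLphp's job and is out of scope.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# What the SP expects, mirroring the article's SimpleSAMLphp and WSO2 IS settings.
SP_CONFIG = {
    "idp_entity_id": "https://localhost:9443/samlsso",  # key in saml20-idp-remote.php
    "sp_entity_id": "simplesaml",  # 'entityID' in authsources.php and "Issuer" in WSO2 IS
    "acs_url": "https://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/wso2-sp",
}
# Constructed, unsigned sample of what the IdP returns for user "wickrema" after the
# claim mapping of step 9 (Mail, fname); the e-mail address is a made-up placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 Destination="https://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/wso2-sp">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://localhost:9443/samlsso</saml:Issuer>
  <saml:Conditions NotOnOrAfter="2014-10-17T10:05:00Z"><saml:AudienceRestriction>
   <saml:Audience>simplesaml</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="Mail"><saml:AttributeValue>wickrema@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="fname"><saml:AttributeValue>Wickrema</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def parse_time(iso):  # SAML timestamps end in Z, which fromisoformat() rejects before Python 3.11
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def validate_response(xml_text, config, now):
    """Check the identifiers of a SAML2 Response and return (ok, reasons, attributes). Signature
    checking is left out on purpose: SimpleSAMLphp does it via 'certFingerprint' and it must also pass."""
    root = ET.fromstring(xml_text)
    reasons = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        reasons.append("status is not Success")
    if root.get("Destination") != config["acs_url"]:
        reasons.append("Destination is not this SP's Assertion Consumer URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, reasons + ["response carries no Assertion"], {}
    if assertion.findtext("saml:Issuer", "", NS) != config["idp_entity_id"]:
        reasons.append("Issuer is not the configured IdP entity ID")
    cond = assertion.find("saml:Conditions", NS)
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", "", NS) if cond is not None else ""
    if audience != config["sp_entity_id"]:
        reasons.append("Audience is not this SP's entityID (response meant for another SP)")
    expiry = cond.get("NotOnOrAfter") if cond is not None else None
    if expiry is None or now >= parse_time(expiry):
        reasons.append("assertion has expired or carries no NotOnOrAfter")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", "", NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return not reasons, reasons, attrs
```

Every mismatch is collected rather than stopping at the first, which makes a misconfigured Issuer or ACS URL easy to spot in one run.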

Testing SimpleSAMLphp Service Provider

Now the SimpleSAMLphp service provider should be correctly configured with WSO2 IS as the identity provider. SimpleSAMLphp has a
UI function to test the SAML2 SSO configuration with any IdP and view the claims received for the
authenticated user.

  1. In order to test the scenario, first we have to create a user in WSO2 IS. In the Management Console, go to
    Configure → Users and Roles → System User Store → Users and add a new user with the following details.
    User Name : wickrema
    Password : password
  2. Then go to the “User Profile” of that user, add details as follows and click on the “Update” button.
    First Name: Wickrema
    Last Name: Edirisooriya
    Email: [email protected]
  3. Go to https://localhost/simplesaml in the web browser, then go to the "Authentication" tab and click on the "Test configured
    authentication sources" link.
  4. Among the “Test authentication sources”, click on the “wso2-sp” link, which is the service provider we created
    in the SimpleSAMLphp configuration.
  5. Now your browser should have been redirected to WSO2 IS, which will ask for credentials. Enter as follows (note that
    “wickrema” is the username part of the added email address).
    Username: wickrema
    Password: password

    Now you are logged in. You can see the values set for the mapped claims in the IdP.

    Login to SimpleSAMLphp

  6. Now you can click on the “Logout” link to log out. If it was successful, you will be redirected to a “Logged out”
    page.

Configuring Drupal to connect with SimpleSAMLphp Service Provider

Here a Drupal module named “simplesamlphp_auth” is installed into Drupal and configured to interact
with the service provider.

  1. Download the simplesamlphp_auth module from
    https://ftp.drupal.org/files/projects/simplesamlphp_auth-7.x-2.0-alpha2.zip to /home/maninda (or whatever
    location you want) and extract it. Then create the directory /opt/lampp/htdocs/drupal-7.31/sites/all/modules/contrib/
    and copy the extracted module into it.
    sudo su

    Enter the root password.

    cd /opt/lampp/htdocs/drupal-7.31/sites/all/modules
    mkdir contrib
    cd contrib
    cp -r /home/maninda/simplesamlphp_auth .
  2. Log in to Drupal with the admin credentials (i.e. maninda/password) and go to the “Modules” tab. Then tick the
    "simpleSAMLphp authentication" checkbox under the “OTHER” category.
  3. Then go to its configuration from the “Configure” link.
    Select "Activate authentication via SimpleSAMLphp".
    Installation directory (default: /var/simplesamlphp) : /home/maninda/simplesamlphp-1.11.0
    Authentication source for this SP (default: default-sp) : wso2-sp
    Which attribute from simpleSAMLphp should be used as user's name : fname
    Which attribute from simpleSAMLphp should be used as unique identifier for the user : Mail
    Which attribute from simpleSAMLphp should be used as user mail address : Mail
  4. Then click on “Save configuration”.
  5. Go to phpMyAdmin and create a database named “SimpleSAMLphpDB”, with root/root as the username/password. This
    database will be used as the SimpleSAMLphp session store, which is shared with the “simplesamlphp_auth”
    module in Drupal. Note that after setting this password, you will not be able to log in to phpMyAdmin again
    without making some other changes, which are not explained in this article. However, you can still access MySQL from
    the console if you want to make further database changes. Outside a local test setup such as this one, a dedicated
    database user with privileges only on SimpleSAMLphpDB is preferable to the root account.
  6. Edit the configuration in the /home/maninda/simplesamlphp-1.11.0/config/config.php file as follows in order to set the
    above created database as the session store.
    'store.type' => 'sql',
    'store.sql.dsn' => 'mysql:host=localhost;dbname=SimpleSAMLphpDB',
    'store.sql.username' => 'root',
    'store.sql.password' => 'root',
    'store.sql.prefix' => '',
  7. As the database credentials have changed, first open the /opt/lampp/htdocs/drupal-7.31/sites/default/settings.php
    file with root access and set the password for the "drupaldb" database to "root". Then add the following entry for the
    new database as well.
    $databases['SimpleSAMLphpDB']['default'] = array(
      'driver' => 'mysql',
      'database' => 'SimpleSAMLphpDB',
      'username' => 'root',
      'password' => 'root',
      'host' => 'localhost',
      'prefix' => '',
    );

    You will have to restore the write permissions removed during the Drupal installation in order to save changes to this file.

  8. Now every required change has been made, so the next step is to restart the XAMPP server.
    sudo /opt/lampp/lampp restart

    Enter the root password.

Testing the overall scenario of logging into Drupal with WSO2 IS IDP

  1. Go to https://localhost/drupal-7.31 in a web browser and click on the “Federated Log In” link.
  2. Now you should be redirected to WSO2 IS to enter credentials. Enter the credentials of the user you created in WSO2 IS.
    User Name: wickrema
    Password: password

    If every configuration was successful, you will be redirected to Drupal as a logged-in user.

  3. Go to the “My account” link in Drupal and open the “Edit” tab. You can see your first name, “Wickrema”, on top of
    the tabs and your e-mail address inside the tab.

    Login to Drupal with SSO

  4. Once you click on the “Logout” link you should be logged out successfully.

Conclusion

Drupal and other PHP applications can be given SAML2 SSO functionality with the help of the PHP library SimpleSAMLphp. However,
there still has to be a module or a piece of code residing in the PHP application to interact with the SimpleSAMLphp
service provider.
Once the application is integrated with the SimpleSAMLphp service provider, it can easily be authenticated by any SAML2
Identity Provider, such as WSO2 IS, because SAML2 is an open protocol.

 

About Author

  • Maninda Edirisooriya
  • Associate Technical Lead
  • WSO2