Drupal 8 Module of the Week: simpleSAMLphp Authentication

Each day, more Drupal 7 modules are being migrated to Drupal 8 and new ones are being created for the Drupal community’s latest major release. In this series, the Acquia Developer Center is profiling some of the most prominent, useful modules, projects, and tools available for Drupal 8. This week: simpleSAMLphp Authentication.

Sven Decabooter--svendecabooter on Drupal.org--has been a Drupal developer for more than 10 years, contributing both code and helping organise user group meetings and Drupal Camps for the Belgian Drupal community. Sven is part of the D8 MAP team (the Drupal 8 Module Acceleration Program) that is being paid community development rates by Acquia to help port important Drupal 7 contributed modules to Drupal 8. Thanks also go to Adam Malone, Alex Ward, and Matthew Grasmick for kicking off the porting of this module, and to maintainer Balázs Dianiska, who reviewed code and architecture during the upgrade process.

What does the simpleSAMLphp Authentication Module do?

Centralized user management is important to many businesses and institutions when they need to control user access for many users across a range of online systems--for example intranets, registration and planning systems, expense tracking, etc. They need to be able to both authorise new users and remove access from existing users quickly and easily. These institutions use authentication technologies, Single Sign-On or similar federated authentication setups (which I’ll refer to as “SSO” in this article) to give each user a single account with a single username/password combination that gives appropriate access to all included systems.

The simpleSAMLphp Authentication Module is a “glue layer” integrating your Drupal site with the popular simpleSAMLphp authentication library, “which lets users log in to log into one or more other Drupal sites, for example, as well as other tools and platforms that support this kind of centralized user management. You can set it up to connect to your LDAP or RADIUS server for example, used a lot in enterprises and big organisations,” adds Sven.

Balázs Dianiska speaks from experience, “Many enterprise clients prefer to use some form of SSO solution, and this component allows us to support several SSO variations, for instance Shibboleth, which is very popular with higher education institutions and SAML, which is widely supported by enterprise identity provider software, such as ADFS.”

simpleSAMLphp Drupal integration in action

Why is this important?

SSO was never really an easy topic. It requires solid, technically validated trust between a third party and our application, which naturally triggered several implementations and approaches. Using this library, Drupal can act as a consumer to many identity provider services, map users to central user accounts, assign Drupal roles and various fields to the users, and so on. To enable more advanced mapping and configuration, it can also be extended by various hooks and Rules integration. According to Balázs, “This module works reliably and it is supported by several major hosting providers, but the technical configuration and information exchange required between the identity manager and Drupal makes it non-trivial to set up.”

Sven Decabooter explains, “The simpleSAMLphp Authentication Module lets you connect your Drupal site with a software package that has a lot of options for authenticating and authorizing users. Alongside the SAML protocol, it also supports Shibboleth, CAS, OpenID (used by Google and Yahoo), OAuth (used by Twitter) and other protocols through modules, so it gives you the flexibility to work with different, common industry authentication standards.”

Has Drupal 8 changed this module?

The code under the hood now follows Drupal 8 structures and OO-principles, but the functionality of the D8 version was essentially ported directly from the 7.x-3.x branch and is therefore basically the same. If you knew and liked this module in D7, you should be able to get up and running with it in D8.

“However, Drupal 6 and Drupal 7 provided support for mapping external authentication user IDs to Drupal users, through the user_external_login_register() function and authmap table. Since this was removed in D8, we had to provide an alternative, which led to the creation of a new generic module that does just that: ExternalAuth. It's a requirement for the SimpleSAMLphp Auth module, but can be leveraged by other modules as well - and apparently has been, see https://twitter.com/chx/status/701780790724530176 :)” ... quote and original smiley by Sven.

Sven says he needed about 70 hours to complete his part of the porting process, “There weren't any huge blockers or issues, but there were some problems exposed that were lingering in the D7 version as well. Mostly they were edge case issues, but it took some time to find decent solutions, since there were no D7 references where it was working.”

Module maintainer, Balázs Dianiska, praises Sven’s contribution, “In late 2015, Acquia hired Sven Decabooter to finish the port of this module. It was actually a lot of work (as can be seen from his significant list of commits) and it is thanks to him that I can say with fair confidence that this release is now better than it ever was in the 7.x branch. A lot of polish went into the module since he joined and with test coverage, good documentation, and clean code, the Drupal 8 version is a reliable piece of software for an area where reliability is especially important.”

local auth settings

general settings

simpleSAMLphp Drupal integration sync options