The Single Sign On functionality is provided by different modules:
- Drupal 8 uses SimpleSAMLphp as the SSO software, together with the simpleSAMLphp Authentication module.
The idea is always the same. Drupal bases its authorization on Permissions, which are granted to Roles, which in turn are assigned to Users. Assigning Roles to every single user by hand would be tedious, so the module presented above provides a way of mapping Roles to Users based on the User's SSO attributes such as full name, account name, department, e-group, …
Please note that Roles are only granted or revoked at the moment a user logs into the website, since this is the only moment at which Drupal knows the User's SSO attributes. A user who is added to or removed from an e-group keeps their current Roles until their next login.
The typical use case is to give the people of a certain e-group a specific Role on the website, and this is explained as an example below.
The configuration is done under Configuration → SimpleSAMLphp Auth Settings.
Then the Role mapping rules are configured under “User info and syncing” in the “Automatic role population from simpleSAMLphp attributes” section.
This configuration option comes pre-filled with a general Role mapping based on account types and the admin e-group.
The syntax is well explained on the same page, so we will instead focus on an example.
Let’s assume the current config option contains:
cern_registered:identityclass,=,CERN Registered|cern_shared:identityclass,=,CERN Shared|hep_trusted:identityclass,=,HEP Trusted|verified_external:identityclass,=,Verified External|unverified_external:identityclass,=,Unverified External|administrator:egroups,=,drupal-admins|administrator:egroups,=,drupal-admins-d8-infrastructure
and we want to grant the Role "Editor" to the "web-services" e-group. The existing Roles can be found under People → Roles; editing a Role also shows its "Machine name", which is what the mapping rule needs (not the human-readable label).
So in order to add this mapping rule we need to append the following to the existing configuration:
|editor:egroups,=,web-services
It's composed of:
- | → separator between rules
- editor → role_id (must be the machine name of the role)
- egroups → SSO attribute_name
- = → operation
- web-services → value
This will be appended and the configuration option will end up being:
cern_registered:identityclass,=,CERN Registered|cern_shared:identityclass,=,CERN Shared|hep_trusted:identityclass,=,HEP Trusted|verified_external:identityclass,=,Verified External|unverified_external:identityclass,=,Unverified External|administrator:egroups,=,drupal-admins|administrator:egroups,=,drupal-admins-d8-infrastructure|editor:egroups,=,web-services
Just Save configuration and log into the site with an account that is a member of this e-group to verify that the Role is granted.
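To make the rule syntax concrete, here is an added example (not part of this page's documentation, nor code from the simpleSAMLphp Authentication module) that parses a mapping string like the one above and evaluates it against a constructed set of SSO attributes, the way the module does at login time. It covers only the `=` operation shown on this page and rejects anything else rather than guessing; the function names, the sample attribute values and the `known_roles` check are all assumptions made for the example.

```python
"""Parse and evaluate a simpleSAMLphp Auth style role-mapping string.

Example code, not the module's own implementation. Rule format, as on the page:
    role_id:attribute_name,operation,value|role_id:attribute_name,operation,value|...
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: the pre-filled mapping from the page with the "editor" rule appended.
ROLE_MAPPING = (
    "cern_registered:identityclass,=,CERN Registered|"
    "cern_shared:identityclass,=,CERN Shared|"
    "hep_trusted:identityclass,=,HEP Trusted|"
    "verified_external:identityclass,=,Verified External|"
    "unverified_external:identityclass,=,Unverified External|"
    "administrator:egroups,=,drupal-admins|"
    "administrator:egroups,=,drupal-admins-d8-infrastructure|"
    "editor:egroups,=,web-services"
)

Rule = Tuple[str, str, str, str]  # (role_id, attribute_name, operation, value)


def parse_role_mapping(config: str) -> List[Rule]:
    """Split the configuration string into (role_id, attribute, op, value) rules.

    Rules are separated by "|". Inside a rule the role machine name is followed
    by ":" and then the comma-separated attribute name, operation and value.
    Only the first two commas are treated as separators, so a value may itself
    contain a comma. Empty fragments (e.g. a trailing "|") are skipped.
    """
    rules: List[Rule] = []
    for raw in config.split("|"):
        raw = raw.strip()
        if not raw:
            continue
        role_id, sep, condition = raw.partition(":")
        parts = condition.split(",", 2)
        if not sep or not role_id or len(parts) != 3:
            raise ValueError(f"malformed mapping rule: {raw!r}")
        attribute, op, value = parts
        rules.append((role_id, attribute, op, value))
    return rules


def unknown_role_ids(config: str, known_roles: Set[str]) -> List[str]:
    """Return role_ids in the mapping that are not existing role machine names.

    A typo in the machine name (or using the label "Editor" instead of "editor")
    grants nothing, silently. known_roles is assumed to come from People → Roles.
    """
    return sorted({r[0] for r in parse_role_mapping(config)} - known_roles)


def roles_for_attributes(config: str, attributes: Dict[str, Iterable[str]]) -> Set[str]:
    """Return the set of role machine names the given SSO attributes qualify for.

    SAML attributes are multi-valued (a user belongs to many e-groups), so a rule
    matches when any value of the named attribute equals the rule's value. Only
    the "=" operation shown on the page is implemented; others raise.
    """
    granted: Set[str] = set()
    for role_id, attribute, op, value in parse_role_mapping(config):
        if op != "=":
            raise ValueError(f"unsupported operation {op!r} in rule for {role_id!r}")
        if value in set(attributes.get(attribute, ())):
            granted.add(role_id)
    return granted


if __name__ == "__main__":
    # Constructed attributes, as the IdP might return them for one user at login.
    user = {"identityclass": ["CERN Registered"], "egroups": ["it-dep", "web-services"]}
    print(sorted(roles_for_attributes(ROLE_MAPPING, user)))  # ['cern_registered', 'editor']
    # Constructed list of machine names; a misspelled rule would show up here.
    print(unknown_role_ids(ROLE_MAPPING, {"cern_registered", "cern_shared", "hep_trusted",
                                          "verified_external", "unverified_external",
                                          "administrator", "editor"}))  # []
```

Running `unknown_role_ids` against the machine names listed under People → Roles before saving is a cheap check that catches the most common mistake, a rule whose role_id is the label rather than the machine name, which otherwise fails silently at every login.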