Drupal-based Research Environment with Shibboleth-based User Authentication and Support for Social Provider-based Logins

Install and Configure Drupal

Follow instructions at http://drupal.org/documentation/install/download

Install at chosen location under /var/www/html

Install and Configure Shibboleth SP

See the document in this wiki...

Edit /etc/shibboleth/shibboleth2.xml.dist and save edited version as /etc/shibboleth/shibboleth2.xml

Edits to shibboleth2.xml
     <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
...changed to...
     <ApplicationDefaults entityID="https://sp.yourdomain.org/shibboleth"
             <SSO entityID="https://idp.example.org/idp/shibboleth"
                  discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
...changed to...
             <SSO
                  discoveryProtocol="SAMLDS" discoveryURL="https://yourdomain.org/shibboleth-ds/index.html">
         <Errors supportContact="root@localhost"
...changed to...
         <Errors supportContact="appropriateAdmin@chosen.mail.provider"

...Insert after...
<!-- Example of remotely supplied batch of signed metadata. -->

...these two lines...
         <MetadataProvider type="XML" uri="http://appropriatehost.org/metadata/ProjectBambooSaml2Metadata.xml"
              backingFilePath="federation-metadata.xml" reloadInterval="7200">
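
An added example, not part of the original wiki page or of the Shibboleth project: a small Python check that parses a shibboleth2.xml and reports remote MetadataProvider elements that have no Signature or RequireValidUntil MetadataFilter, since the comment above describes the metadata as signed. The sample documents are constructed; the closing tags, the wrapper elements and the fedsigner.pem file name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{urn:mace:shibboleth:2.0:native:sp:config}"  # SP 2.x config namespace

def audit_metadata_providers(xml_text):
    """Return (uri, finding) pairs for remote MetadataProvider elements."""
    findings = []
    # XML comments are dropped by the parser, so commented-out examples are ignored.
    for mp in ET.fromstring(xml_text).iter(NS + "MetadataProvider"):
        uri = mp.get("uri")
        if uri is None:  # local file or chaining provider: nothing is fetched
            continue
        filters = {f.get("type") for f in mp.findall(NS + "MetadataFilter")}
        if "Signature" not in filters:
            findings.append((uri, "no Signature filter: metadata is trusted unverified"))
            if uri.lower().startswith("http://"):
                findings.append((uri, "fetched over plain HTTP with no signature check"))
        if "RequireValidUntil" not in filters:
            findings.append((uri, "no RequireValidUntil filter: old metadata can be replayed"))
    return findings

# Constructed sample: the two lines from the page, closed so the XML is well-formed.
URI = "http://appropriatehost.org/metadata/ProjectBambooSaml2Metadata.xml"
WRAP = ('<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">'
        '<ApplicationDefaults entityID="https://sp.yourdomain.org/shibboleth">'
        '%s</ApplicationDefaults></SPConfig>')
PROVIDER = ('<MetadataProvider type="XML" uri="' + URI + '" '
            'backingFilePath="federation-metadata.xml" reloadInterval="7200">'
            '%s</MetadataProvider>')
AS_ON_PAGE = WRAP % (PROVIDER % "")
# Constructed sample with filters; fedsigner.pem is a placeholder file name.
WITH_FILTERS = WRAP % (PROVIDER % (
    '<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>'
    '<MetadataFilter type="Signature" certificate="fedsigner.pem"/>'))

if __name__ == "__main__":
    for name, doc in (("as on page", AS_ON_PAGE), ("with filters", WITH_FILTERS)):
        print(name, audit_metadata_providers(doc) or "OK")
```

To audit a deployed SP, pass the contents of /etc/shibboleth/shibboleth2.xml to `audit_metadata_providers`.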

Edit /etc/httpd/conf.d/shib.conf to use lazy sessions for the Drupal instance. See the <Location> block at the bottom of the file.

# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig

# RPM installations on platforms with a conf.d directory will
# result in this file being copied into that directory for you
# and preserved across upgrades.

# For non-RPM installs, you should copy the relevant contents of
# this file to a configuration location you control.

#
# Load the Shibboleth module.
#
LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so

#
# Used for example style sheet in error templates.
#
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    Allow from all
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
</IfModule>

#
# Configure the module for content.
#
# You MUST enable AuthType shibboleth for the module to process
# any requests, and there MUST be a require command as well. To
# enable Shibboleth but not specify any session/access requirements
# use "require shibboleth".
#
<Location /drupal>
  AuthType shibboleth
  ShibRequestSetting requireSession 0
  require shibboleth
</Location>

 

Install and Configure the Shibboleth Embedded Discovery Service

Follow instructions at https://wiki.shibboleth.net/confluence/display/EDS10/Embedded+Discovery+Service

First step:

yum install shibboleth-embedded-ds

Install and Configure the Drupal shib_auth Module

See http://drupal.org/project/shib_auth

and https://wiki.aai.niif.hu/index.php?title=DrupalShibbolethReadmeDev

When logged in with administrator privileges after installing the shib_auth module, click "Modules", scroll down to Shibboleth at the bottom of the page and click "Configure".

Here is what the configuration options should look like:

After making any changes (the defaults should work in most cases), click the "Save configuration" button at the bottom of the page.

Your Drupal site should now show a "Shibboleth login" option, and users can choose their preferred identity provider from those defined in the Bamboo federation metadata. This will include social providers such as Google, Twitter, Yahoo and others if there is a Social2SAML gateway IdP in the federation.