Single Sign On (SSO) using Okta as Identity Provider (IdP) and simpleSAMLphp Authentication as Service Provider (SP)

Subramanian Jaganathan
6 min read · Dec 21, 2021

Installation of simpleSAMLphp Authentication Drupal SAML SP module

  • Using composer, download the Drupal contributed module for SimpleSAMLphp. This will fetch all its dependencies. We will enable this module later.

`composer require drupal/simplesamlphp_auth`

  • In your Drupal website’s root directory, create a symbolic link to the web-accessible directory of the SimpleSAMLphp library, which is downloaded in the site’s vendor directory upon successful execution of the above composer command.

IF Linux

`ln -s vendor/simplesamlphp/simplesamlphp/www simplesaml` // (ln -s path/to/original path/to/link; naming the link `simplesaml` serves the library at /simplesaml, the path used later in this guide)

IF Windows (XAMPP) — add the following to C:\xampp\apache\conf\extra\httpd-xampp.conf

Alias /simplesaml "C:/xampp/htdocs/d9_saml/vendor/simplesamlphp/simplesamlphp/www"
<Directory "C:/xampp/htdocs/d9_saml/vendor/simplesamlphp/simplesamlphp/www">
    AllowOverride AuthConfig
    Require all granted
</Directory>

  • To generate certificates, create a `cert` folder inside the SimpleSAMLphp library folder (`DRUPAL_ROOT/simplesamlphp-1.14.8/cert` for a standalone download of that version, or `vendor/simplesamlphp/simplesamlphp/cert` for the composer install used here).
  • Run the following command inside the `cert` folder from a terminal:

IF Linux

openssl req -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem

IF Windows

Open the Command Prompt and enter the commands below (the `openssl.exe` bundled with Git for Windows is used here: change into its folder, then run it):

cd "C:\Program Files\Git\usr\bin"

openssl req -new -x509 -days 3652 -nodes -out C:\xampp\htdocs\d9_saml\vendor\simplesamlphp\simplesamlphp\cert\saml.crt -keyout C:\xampp\htdocs\d9_saml\vendor\simplesamlphp\simplesamlphp\cert\saml.pem

  • It will create two files, `saml.crt` and `saml.pem`, in C:\xampp\htdocs\d9_saml\vendor\simplesamlphp\simplesamlphp\cert
  • The configuration templates are present in the `vendor/simplesamlphp/simplesamlphp/config-templates` directory.
  • Copy the `config.php` (holds SimpleSAMLphp configuration) file to the `vendor/simplesamlphp/simplesamlphp/config` folder and update the following values in the `$config` array:

'secret_salt' => 'anyrandomvalidstringofanylength',
'auth.adminpassword' => 'mypassword',

  • The `auth.adminpassword` will be used to login as administrator in the SimpleSAMLphp installation. The `technicalcontact_name` and `technicalcontact_email` can also be specified to receive error logs during installation.
  • SimpleSAMLphp must be configured to use something other than the “phpsession” (default) for session storage. The other alternatives are “memcache” or “sql”. The simplest solution would be to set:

'store.type' => 'sql',
'store.sql.dsn' => 'mysql:host=localhost;dbname=d9_saml',
'store.sql.username' => 'root',
'store.sql.password' => '',

  • Copy the `authsources.php` file to the `vendor/simplesamlphp/simplesamlphp/config` folder and leave it as is without any changes. (We will be doing the necessary modifications in this file, post successful Okta application setup.)
  • Now, we can visit `http://site.base.url/simplesaml`, which will display the SimpleSAMLphp installation page upon successful installation, as shown below:

Steps to configure Okta as IDP:

  • Log in to your Okta Admin Console.
  • Click on Applications -> Applications and then click on Create App Integration.
  • Now, select SAML 2.0 and click on the Next button.
  • In the General Settings, enter App Name and click on the Next button.
  • Now, you can follow the table given below to configure the SAML Settings

Single Sign-On URL : Enter ACS (AssertionConsumerService) URL given in the Service Provider Metadata tab of the Drupal SAML SP module

Audience URI (SP Entity ID) : Enter SP Entity ID / Issuer from the Service Provider Metadata tab of the module

Default Relay State : Enter Relay State from the Service Provider Metadata tab of the module

Name ID Format : Select E-Mail Address as a Name Id from the dropdown list

Application Username : Okta username

  • Configure Group Attribute Statement (Optional) and click on the Next button.
  • After assigning the people/groups to your app go to the Sign On tab.
  • Click on view setup instructions to get the SAML Login URL (Single Sign-on URL), Single Logout URL, IDP Entity ID, and X.509 Certificate.

Integrating SimpleSAMLphp and Okta

  • The entity ID and metadata of the IdP obtained from Okta need to be added to the SP (the Drupal site with SimpleSAMLphp installed).
  • In the Drupal codebase, update the `entityID` and `idp` values for `default-sp` in the `$config` array in the `vendor/simplesamlphp/simplesamlphp/config/authsources.php` file:

'entityID' => 'okta_sso_drupal', // Needs to be the same as the Audience URI (SP Entity ID) specified in Okta.
'idp' => 'http://www.okta.com/abc23jefgm3wRz2497', // Identity Provider Issuer, i.e. the Entity ID of the IdP obtained from Okta.

  • As the name suggests, `default-sp` is the default one. Similarly, we can add multiple SPs, each configured with a different IdP, as separate keys in the `$config` array.
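As an added example (not the post's own file), here is what a complete `authsources.php` could look like once the values above are filled in: the key pair generated in the `cert` folder is bound to `default-sp`, request signing is switched on, and a second SP entry shows the multi-SP layout. The `partner-sp` entity ID, IdP issuer and key file names are assumed placeholders.

```php
<?php
// vendor/simplesamlphp/simplesamlphp/config/authsources.php (added example)
$config = [

    // Admin login to the SimpleSAMLphp UI; checks 'auth.adminpassword' from config.php.
    'admin' => [
        'core:AdminPassword',
    ],

    // The SP used by the Drupal module (Authentication source = default-sp).
    'default-sp' => [
        'saml:SP',

        // Must match "Audience URI (SP Entity ID)" entered in the Okta app.
        'entityID' => 'okta_sso_drupal',

        // "Identity Provider Issuer" from Okta's setup instructions.
        'idp' => 'http://www.okta.com/abc23jefgm3wRz2497',
        'discoURL' => null,

        // Files generated with openssl above, resolved relative to the cert/ folder.
        'privatekey' => 'saml.pem',
        'certificate' => 'saml.crt',

        // Ask Okta for an e-mail NameID, matching the "Name ID Format" chosen in the app.
        'NameIDPolicy' => [
            'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
            'AllowCreate' => true,
        ],

        // Sign our AuthnRequests and logout messages with saml.pem so Okta can verify them.
        'redirect.sign' => true,
        'sign.logout' => true,
    ],

    // A second SP key for another application/IdP pair (all values are placeholders).
    'partner-sp' => [
        'saml:SP',
        'entityID' => 'partner_sso_drupal',                   // placeholder
        'idp' => 'http://www.okta.com/PLACEHOLDER_IDP_ISSUER', // placeholder
        'privatekey' => 'partner.pem',                        // placeholder, in cert/
        'certificate' => 'partner.crt',                       // placeholder, in cert/
        'NameIDPolicy' => [
            'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
            'AllowCreate' => true,
        ],
    ],
];
```

Each key is selectable as the "Authentication source" in the Drupal module's Basic settings; the `idp` value must also be the array key of the matching entry in `saml20-idp-remote.php`.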

How do you configure metadata?

Open the “{URL}/simplesaml” address, go to the “Federation” tab and click on “XML to SimpleSAMLphp metadata converter”.

  • Paste the contents of your metadata file into the “XML Metadata” box or select a file. Click on “Parse” to generate the PHP code to complete the configuration. The result will be the following:
  • Copy the files `saml20-sp-remote.php` and `saml20-idp-remote.php` from the library's `metadata-templates` folder (here `/var/www/vendor/simplesamlphp/simplesamlphp/metadata-templates`) into the `metadata` folder next to it (`vendor/simplesamlphp/simplesamlphp/metadata`), which is where SimpleSAMLphp reads remote metadata from.
  • Replace the contents of those files with the PHP produced by the parser.
  • Opening the “Federation” tab again, the situation will be as follows:
  • Now check if the handshake is successful by clicking on the ‘Test configured authentication sources’ link under the Authentication tab in SimpleSAMLphp installation. There will be two options — admin and default-sp as defined in `authsources.php` file, click on default-sp and you will see a screen similar to the following one:
  • The above screen means the handshake between SimpleSAMLphp and Okta is successful.
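For reference, this is the shape of the `saml20-idp-remote.php` entry the converter produces for an Okta IdP (an added example, not the post's own file). The Okta SSO/SLO URLs and the certificate body are placeholders to be replaced with the values from the app's setup instructions.

```php
<?php
// vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php (added example)
// The array key is the IdP entity ID and must equal 'idp' in authsources.php.
$metadata['http://www.okta.com/abc23jefgm3wRz2497'] = [
    'entityid' => 'http://www.okta.com/abc23jefgm3wRz2497',
    'metadata-set' => 'saml20-idp-remote',
    'contacts' => [],

    // "Identity Provider Single Sign-On URL" from Okta (placeholder host and app path).
    'SingleSignOnService' => [
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://OKTA_ORG.okta.com/app/APP_NAME/APP_ID/sso/saml',
        ],
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://OKTA_ORG.okta.com/app/APP_NAME/APP_ID/sso/saml',
        ],
    ],

    // "Identity Provider Single Logout URL"; leave the array empty if SLO is not enabled in Okta.
    'SingleLogoutService' => [
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://OKTA_ORG.okta.com/app/APP_NAME/APP_ID/slo/saml',
        ],
    ],

    'NameIDFormats' => [
        'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
        'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    ],

    // Okta's X.509 signing certificate: base64 body only, no BEGIN/END lines or newlines.
    // SimpleSAMLphp rejects any Response/Assertion whose signature does not verify
    // against this key, so this entry must be updated whenever Okta rotates the certificate.
    'keys' => [
        [
            'encryption' => false,
            'signing' => true,
            'type' => 'X509Certificate',
            'X509Certificate' => 'MIIC...PLACEHOLDER_OKTA_SIGNING_CERT...',
        ],
    ],
];
```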

Enabling SSO on Drupal site:

  • Now that SimpleSAMLphp is installed on our Drupal site, the Okta application is set up and the handshake between the two succeeds, we can enable SSO on our Drupal website by enabling and configuring the contributed Drupal module — simplesamlphp_auth, which we have already downloaded.
  • Install the module through the UI or via Drush:

`drush en simplesamlphp_auth -y`

  • Enabling the module by default will change the ‘Who can register accounts?’ setting to Administrators only which can be changed as per the need here: `/admin/config/people/accounts`
  • Post-installation, in order to configure the module navigate to `/admin/config/people/simplesamlphp_auth`.
  • The module can be configured based on your requirements and has descriptive help texts for each config to understand its purpose. We will see some of the configs that need to be configured or taken care of:

Basic Settings:

  • The ‘Activate authentication via SimpleSAMLphp’ checkbox should be only checked once we are completely done with the module configuration, as checking this checkbox would disable default Drupal user login for all users except the superuser (uid: 1).
  • The Authentication source is what we defined in `vendor/simplesamlphp/simplesamlphp/config/authsources.php` file, which is by default — default-sp.
  • SSO Login Link Display Name is the link text for the SSO link which is displayed on the default login page of the Drupal website (/user/login).

Local Authentication:

  • Local authentication means allowing users to log in to the site via Drupal's own authentication (/user/login).
  • By default, superuser or user with id: 1 is allowed to log in with local drupal accounts. We can configure it to allow for particular users by specifying their user ids or for particular roles.

User info and syncing:

  • We have configured an `email` attribute in the Okta application which is sent to the Drupal site after a successful login. We can configure different attributes in Okta which can be used for module configuration in Drupal, but since we have only the `email` attribute we will use it for:
      ◦ SimpleSAMLphp attribute to be used as a unique identifier for the user
      ◦ SimpleSAMLphp attribute to be used as the username for the user
      ◦ SimpleSAMLphp attribute to be used as an email address for the user
  • All the other configurations can be kept as is and now we can enable the ‘Activate authentication via SimpleSAMLphp’ checkbox under Basic settings.

That’s it. Now, we can add SSO into our Drupal site by visiting the default login page (/user/login) and clicking on the ‘Federated Login’ link as seen in the screenshot below:
