„DrupalShibbolethReadmeDev” változatai közötti eltérés

Innen: KIFÜ Wiki
(Account linking)
(heavy restructuring)
3. sor: 3. sor:
 
{{STOP|This document is written for module version 4.0-x ('''development branch'''). Please consult the [[#Change log]] for the revisions of this document for the previous releases.}}
 
{{STOP|This document is written for module version 4.0-x ('''development branch'''). Please consult the [[#Change log]] for the revisions of this document for the previous releases.}}
  
== Installation ==
+
== Installation and bootstrapping ==
 +
=== Installing the module ===
 
# Download module source for your Drupal version from the [http://drupal.org/project/shib_auth project page].  
 
# Download module source for your Drupal version from the [http://drupal.org/project/shib_auth project page].  
 
# Uncompress archive to the <code>modules/</code> directory
 
# Uncompress archive to the <code>modules/</code> directory
 
# Enable module at '''<code>Administer -> Site building -> Modules</code>'''  
 
# Enable module at '''<code>Administer -> Site building -> Modules</code>'''  
=== Compatibility ===
+
==== Compatibility ====
 
Module is being developed for Drupal 6.x. We have stopped backporting new features to the 5.x branch and Drupal 7 is not yet supported as long as it isn't the stable branch. If you want to contribute to development or porting, please contact '''aai _AT_ niif _DOT_ hu'''!
 
Module is being developed for Drupal 6.x. We have stopped backporting new features to the 5.x branch and Drupal 7 is not yet supported as long as it isn't the stable branch. If you want to contribute to development or porting, please contact '''aai _AT_ niif _DOT_ hu'''!
  
15. sor: 16. sor:
 
}}
 
}}
  
The upgrade script creates a new database table called <code>shib_authmap</code>, and place the usernames that were registered by the module into it. You only need to run this script once, however running it several times does no harm to your installation apart from showing some SQL errors.
+
The upgrade script makes slight changes to the database. You only need to run this script once, however running it several times does no harm to your installation apart from showing some SQL errors.
 
+
{{NOTE_EN|although the upgrade script was designed to be robust, please '''back up your database''' before upgrading.}}
:: '''Note:''' although the upgrade script was designed to be robust, please '''back up your database''' before upgrading.
+
=== Get it running ===
 
+
==== Configuring Shibboleth ====
== Configuration ==
+
You should be familiar with protecting resources with Shibboleth before using this module. (See [https://spaces.internet2.edu/display/SHIB2/NativeSPProtectContent Shibboleth Wiki] for more extensive information) Please check that Shibboleth authentication is working for the location of your Drupal installation and all the necessary attributes are exported to the headers. You can enable [[Drupal Shibboleth module#DEBUG mode | DEBUG mode]] to dump the whole '''$_SERVER''' array. If you can see Shibboleth attributes there, you're fine.
=== Configuring Shibboleth ===
 
You should be familiar with protecting resources with Shibboleth before using this module. (See [https://spaces.internet2.edu/display/SHIB2/NativeSPProtectContent Shibboleth Wiki]) Please check that Shibboleth authentication is working for the location of your Drupal installation and all the necessary attributes are exported to the headers. You can enable [[Drupal Shibboleth module#DEBUG mode | DEBUG mode]] to dump the whole '''$_SERVER''' array. If you can see Shibboleth attributes there, you're fine.
 
  
 
In Shibboleth there are two modes for protecting resources:
 
In Shibboleth there are two modes for protecting resources:
* '''Lazy Sessions''': session is only initiated if an application redirects user to the SessionInitiator URL. In this module, it is done by clicking the ''"Login with Shibboleth"'' link. Anonymous access is possible as well as using other authentication methods.
+
* '''Lazy Sessions''': session is only initiated if an application redirects user to the SessionInitiator URL. In this module, it is done by clicking the ''"Login with Shibboleth"'' link. Anonymous access is possible as well as using other authentication methods. This is what you want to use for a CMS that contains ''public information''.
 
:: <small>Detailed description of [[Lazy Session|lazy sessions]] in Hungarian.</small>
 
:: <small>Detailed description of [[Lazy Session|lazy sessions]] in Hungarian.</small>
* '''"Strict" Sessions''' (normal sessions): users can only access Drupal content if they have a valid Shibboleth session. In this case, no anonymous access can be granted (not even read-only) and you can not use any auxiliary authentication methods.
+
* '''"Strict" Sessions''' (normal sessions): users can only access Drupal content if they have a valid Shibboleth session. In this case, no anonymous access can be granted (not even read-only) and you can not use any auxiliary authentication methods. Most of the advanced features don't work with strict sessions. You should not use this unless you want to protect all the information in the CMS from viewing.
 
+
{{NOTE_EN|after enabling "strict" sessions, you won't be able to login with admin user. [[#Administering Drupal with strict sessions|Read on further]] how to give your own user administrator rights.
{{STOP|If you decide to use lazy sessions and you don't want your users to be able to log in with a password, [[#Disallowing password change|you have to disable changing passwords]]}}
+
}}
 
+
===== Example Shibboleth configuration =====
==== Example Shibboleth configuration ====
 
 
{{NOTE_EN|this example uses lazy sessions. Configuration for Shibboleth 1.3 is quite similar.}}
 
{{NOTE_EN|this example uses lazy sessions. Configuration for Shibboleth 1.3 is quite similar.}}
  
67. sor: 65. sor:
 
Shibboleth 1.3 always uses headers, therefore the <code>ShibUseHeaders</code> directive is invalid with Shibboleth 1.3.}}
 
Shibboleth 1.3 always uses headers, therefore the <code>ShibUseHeaders</code> directive is invalid with Shibboleth 1.3.}}
  
=== DEBUG mode ===
+
==== DEBUG mode ====
 
If you enable DEBUG mode on the module configuration interface, you can dump the whole '''$_SERVER''' array. This shows you all the available attributes and helps you diagnosing possible Shibboleth attribute problems.  
 
If you enable DEBUG mode on the module configuration interface, you can dump the whole '''$_SERVER''' array. This shows you all the available attributes and helps you diagnosing possible Shibboleth attribute problems.  
 
:: <small>Keep in mind that some users might have a specific attribute while others don't.</small>
 
:: <small>Keep in mind that some users might have a specific attribute while others don't.</small>
  
==== Debug path prefix ====
+
===== Debug path prefix =====
 
Leave it empty, if you want to display debug information on every page. Enter the string ''<code>user/</code>'' for displaying DEBUG messages only on paths below <code>user/*</code>  
 
Leave it empty, if you want to display debug information on every page. Enter the string ''<code>user/</code>'' for displaying DEBUG messages only on paths below <code>user/*</code>  
  
 
Adding a prefix is useful, if you want to enable debugging on an online drupal installation without littering all of the pages with the debugging information. You can set it to a non-existent node as well, in this case, the information will be displayed over the built-in 404 page.
 
Adding a prefix is useful, if you want to enable debugging on an online drupal installation without littering all of the pages with the debugging information. You can set it to a non-existent node as well, in this case, the information will be displayed over the built-in 404 page.
  
=== Setting Shibboleth parameters for the module ===
+
==== Setting Shibboleth parameters for the module ====
==== Handler settings ====
+
===== Handler settings =====
 
If you are using lazy sessions, you have to define the Shibboleth SessionInitiator to which the user should be directed when she clicks on "Login with Shibboleth". SessionInitiator URL is constituted of the following:
 
If you are using lazy sessions, you have to define the Shibboleth SessionInitiator to which the user should be directed when she clicks on "Login with Shibboleth". SessionInitiator URL is constituted of the following:
 
* protocol scheme (<code>http://</code> or <code>https://</code>)
 
* protocol scheme (<code>http://</code> or <code>https://</code>)
103. sor: 101. sor:
 
* '''/Login''' for ''WAYF location''
 
* '''/Login''' for ''WAYF location''
  
==== Attribute settings ====
+
===== Attribute settings =====
 
Specify here the '''$_SERVER''' headers to look up the user's username and e-mail address. Please check '''DEBUG''' mode to look for the available headers. If you can not find the desired attribute, then something is wrong with your IdP-SP attribute release flow.
 
Specify here the '''$_SERVER''' headers to look up the user's username and e-mail address. Please check '''DEBUG''' mode to look for the available headers. If you can not find the desired attribute, then something is wrong with your IdP-SP attribute release flow.
  
 
Both fields can have the same value, if you wish.
 
Both fields can have the same value, if you wish.
  
===== Using custom values =====
+
== Understanding features ==
 +
=== Automatic user creation ===
 +
Drupal CMS requires all users to be in its internal SQL database. If the module detects that no user exists in the database with the received Shibboleth user identifier, it creates a new (Drupal) user.
 +
 
 +
Drupal needs 3 pieces of information to create a new user:
 +
* username
 +
* e-mail address
 +
* password
 +
 
 +
The module by default uses the username and e-mail address taken from the <code>$_SERVER</code> headers, see [[#Attribute settings]] right above. On new user creation a random password is generated. This can be overwritten by the user unless you [[#Disallowing password change|disallow it]] by the userprotect module.
 +
{{NOTE_EN|if the user overwrites the password, she can log in with her username and the new password.
 +
 
 +
==== Using custom values ====
 
You may want to let your users to define their own Drupal usernames and e-mail addresses other than what was received from the IdP. If either ''User-defined usernames'' or ''User-defined e-mail addresses'' option is set, new users are presented a form to enter data at the first logon.  
 
You may want to let your users to define their own Drupal usernames and e-mail addresses other than what was received from the IdP. If either ''User-defined usernames'' or ''User-defined e-mail addresses'' option is set, new users are presented a form to enter data at the first logon.  
  
 
{{INFO_EN|
 
{{INFO_EN|
 
* The module ensures that neither values are in use by existing users.
 
* The module ensures that neither values are in use by existing users.
* If you enable and later disable the options, the two behave a bit differently. On subsequent logons:
+
* If you enable and later disable the options, the two behave differently. On subsequent logons:
 
** the user-defined username is '''preserved'''
 
** the user-defined username is '''preserved'''
 
** e-mail address gets '''rewritten''' (or the user gets a fatal error if the IdP does not provide the data)
 
** e-mail address gets '''rewritten''' (or the user gets a fatal error if the IdP does not provide the data)
119. sor: 129. sor:
 
* User-defined e-mail addresses are not verified, only well-formedness is checked
 
* User-defined e-mail addresses are not verified, only well-formedness is checked
 
}}
 
}}
 +
 +
==== Working with federated identifiers ====
 +
If you enable the option ''User-defined usernames'' in the module configuration, every new user is presented a form to specify a Drupal username. This way you can work with opaque (federated) identifiers such as <code>eduPersonTargetedId</code>, as long as it appears in the $_SERVER variable holding the username. The only limitation is that the federated identifier cannot be longer than 255 characters, however it can contain characters otherwise not allowed in Drupal account names (such as exclamation mark, etc).
 +
 +
==== Disallowing password change ====
 +
If you don't want to let your users to change passwords and log in with it, you may want to disallow password change.
 +
# Install Drupal [http://drupal.org/project/userprotect User Protect module]
 +
# At Administer -> User management -> User Protect -> Protected roles tab check '''password''' for the ''authenticated user'' role.
 +
# At Administer -> Permissions -> userprotect module: uncheck '''change own password''' for ''authenticated user''
 +
# Log in with a normal account, go to "My account" -> Edit. You shouldn't see the possibility for changing password; except for the case when the user has user administrator rights.
 +
 +
==== Administering Drupal with strict sessions ====
 +
If you use strict sessions, you can not log in with a password. You need to grant your own user administrator rights to administer the CMS.
 +
# Enable Shibboleth protection
 +
# Login with your own user credentials, so that your Drupal user profile is created
 +
# Disable Shibboleth protection
 +
# Login as 'admin', grant your own user 'Administrator' rights.
 +
# Enable Shibboleth protection
 +
# Login with your own credentials, you should have 'Administrator' rights now.
  
 
=== Logging out ===
 
=== Logging out ===
 
==== Session expiry ====
 
==== Session expiry ====
Enable the option  "''Destroy Drupal session when the Shibboleth session expires''", if you want to force logout the users without a valid Shibboleth session. (This only applies to lazy sessions, otherwise you are always having a Shibboleth session.)  
+
Enable the option  "''Destroy Drupal session when the Shibboleth session expires''", if you want to force logout the users without a valid Shibboleth session. (This only applies to lazy sessions, otherwise it is the webserver what ensures that you have a valid session.)
  
 
{{INFO_EN|;Keep in mind if you leave this option off:
 
{{INFO_EN|;Keep in mind if you leave this option off:
153. sor: 182. sor:
 
* '''$_SERVER''' header name: name of the Shibboleth-derived attribute
 
* '''$_SERVER''' header name: name of the Shibboleth-derived attribute
 
* '''Value regexp''': regexp applied to (all) the value(s) of the Shibboleth-derived attribute
 
* '''Value regexp''': regexp applied to (all) the value(s) of the Shibboleth-derived attribute
* '''Role(s)''': checklist of roles to be assigned for the matching users
+
* '''Role(s)''': checklist of roles to be assigned to the matching users
  
All these rules are evaluated at module initiation time. That means that revoking/adding a Shibboleth attribute rule will take effect immediately on next page refresh. The same applies when the set of headers is happened to be changed.
+
Revoking/adding a Shibboleth attribute rule will take effect immediately on next page refresh. The same applies when the set of headers is happened to be changed.
  
{{NOTE_EN|Although dynamic roles are '''NOT''' displayed on the user page, the permissions assigned to the role are in effect for the user. <br><small>This is a feature, not a bug</small>}}
+
{{NOTE_EN|although dynamic roles are '''NOT''' displayed on the user page, the permissions assigned to the role are in effect for the user. <br><small>This is a feature, not a bug</small>}}
  
Additional roles can be assigned statically to the user (as an individual) by the administrator as normally.
+
Additional roles can be assigned statically to the user (as an individual) by the administrator as normally. Every logged in user gets the role <code>Authenticated user</code> automatically.
  
== Using module ==
 
=== Automatic user creation ===
 
Drupal CMS requires all users to be in its internal SQL database. If the module detects that no user exists in the database with the received Shibboleth user identifier, it creates a new (Drupal) user.
 
=== Disallowing password change ===
 
There is no way for the module to detect if a user has been deleted from the IdP. This simple fact has a number of consequences.
 
 
When a user is first logged in, a Drupal account is automatically created for her. Because Drupal requires a password, a random string is generated for password. Normally the user doesn't need to know it.
 
 
Now suppose that your user is about to leave your institution. If she is malicious enough, she can go to the password change form, reset her password to a known one, and even after she is deleted from the IdP, she still can log in to your precious resource with the (now known) password. (Note that it is only achievable with lazy sessions!).
 
 
Therefore, if your requirements are such that only Shibboleth-authenticated users can log in, '''you have to disable changing passwords''' for users.
 
 
;Steps for disallowing your users to change their passwords:
 
# Install Drupal [http://drupal.org/project/userprotect User Protect module]
 
# At Administer -> User management -> User Protect -> Protected roles tab check '''password''' for the ''authenticated user'' role.
 
# At Administer -> Permissions -> userprotect module: uncheck '''change own password''' for ''authenticated user''
 
# Log in with a normal account, go to "My account" -> Edit. You shouldn't see the possibility for changing password; except for the case when the user has user administrator rights.
 
 
=== Account linking ===
 
=== Account linking ===
On the other hand, there might be cases when you have a number of existing users and you want them to (optionally) log through the federation. If you enable '''account linking''', a user can add her SSO login to her Drupal account. The process of adding an SSO login -> Drupal account association is the following (all steps are performed by the user):
+
There might be cases when you have a number of existing users and you want them to (optionally) log in through the federation. If you enable '''account linking''', a user can add her SSO login to her existing Drupal account. The process of adding an SSO login -> Drupal account association is the following (all steps are performed by the user):
 
# Login to Drupal (with username/password)
 
# Login to Drupal (with username/password)
 
# Go to <code>My account -> Edit</code>
 
# Go to <code>My account -> Edit</code>
194. sor: 206. sor:
 
* On a new user logon, the one cannot choose the Drupal username of another user (when ''user-defined usernames'' is active). For account linking, the user must be already logged in.
 
* On a new user logon, the one cannot choose the Drupal username of another user (when ''user-defined usernames'' is active). For account linking, the user must be already logged in.
 
}}
 
}}
{{UNCERTAIN|
+
{{ATTENTION_EN|Dynamic roles are roles based on server variables, not users. These may well be different on username/password logon and Shibboleth logon.  
* Account linking is disabled when the user is logged in by the module. This might change in the future.
 
* Dynamic roles are roles assigned to server variables, not users. These may well be different on username/password logon and Shibboleth logon.  
 
 
}}
 
}}
=== Working with federated identifiers ===
 
If you enable the option ''User-defined usernames'' in the module configuration, every new user is presented a form to specify a Drupal username. This way you can work with opaque (federated) identifiers such as <code>eduPersonTargetedId</code>, as long as it appears in the $_SERVER variable holding the username. The only limitation is that the federated identifier cannot be longer than 255 characters, however it can contain characters otherwise not allowed in Drupal account names (such as exclamation mark, etc).
 
 
=== Administrator / password login ===
 
If you are using lazy sessions, you can still login with password. If you disabled the username/password login block, append the following to your normal Drupal URL: <code>/?q=user</code>
 
==== Administering Drupal with strict sessions ====
 
If you use strict sessions, you can not log in with a password. It's quite tricky to circumvent it:
 
# Enable Shibboleth protection
 
# Login with your own user credentials, so that your Drupal user profile is created
 
# Disable Shibboleth protection
 
# Login as 'admin', grant your own user 'Administrator' rights.
 
# Enable Shibboleth protection
 
# Login with your own credentials, you should have 'Administrator' rights now.
 
  
 
== Change log ==
 
== Change log ==

A lap 2009. augusztus 26., 14:25-kori változata

Drupal shib_auth module enables Shibboleth authentication for Drupal CMS.


Installation and bootstrapping

Installing the module

  1. Download module source for your Drupal version from the project page.
  2. Uncompress archive to the modules/ directory
  3. Enable module at Administer -> Site building -> Modules

Compatibility

Module is being developed for Drupal 6.x. We have stopped backporting new features to the 5.x branch and Drupal 7 is not yet supported as long as it isn't the stable branch. If you want to contribute to development or porting, please contact aai _AT_ niif _DOT_ hu!

Both Shibboleth 1.3 and Shibboleth 2.x are supported, although some features might require Shibboleth 2.x.

Upgrading the module

If you upgrade from 3.x (or previous versions) to 4.x, you must update the database. After overwriting the files in the modules/ directory, open up YOUR_DRUPAL_INSTALLATION/update.php in your browser and run update for the shib_auth module. This is required to let your user info persist.

The upgrade script makes slight changes to the database. You only need to run this script once, however running it several times does no harm to your installation apart from showing some SQL errors.

Note: although the upgrade script was designed to be robust, please back up your database before upgrading.

Get it running

Configuring Shibboleth

You should be familiar with protecting resources with Shibboleth before using this module. (See Shibboleth Wiki for more extensive information) Please check that Shibboleth authentication is working for the location of your Drupal installation and all the necessary attributes are exported to the headers. You can enable DEBUG mode to dump the whole $_SERVER array. If you can see Shibboleth attributes there, you're fine.

In Shibboleth there are two modes for protecting resources:

  • Lazy Sessions: session is only initiated if an application redirects user to the SessionInitiator URL. In this module, it is done by clicking the "Login with Shibboleth" link. Anonymous access is possible as well as using other authentication methods. This is what you want to use for a CMS that contains public information.
Detailed description of lazy sessions in Hungarian.
  • "Strict" Sessions (normal sessions): users can only access Drupal content if they have a valid Shibboleth session. In this case, no anonymous access can be granted (not even read-only) and you can not use any auxiliary authentication methods. Most of the advanced features don't work with strict sessions. You should not use this unless you want to protect all the information in the CMS from viewing.
Note: after enabling "strict" sessions, you won't be able to login with admin user. Read on further how to give your own user administrator rights.
Example Shibboleth configuration
Note: this example uses lazy sessions. Configuration for Shibboleth 1.3 is quite similar.

/etc/shibboleth/shibboleth2.xml snippet:

<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="your.host.name">
      <Path name="location_of">
        <Path name="your_Drupal">
          <Path name="installation" authType="shibboleth" requireSession="false" />
        </Path>
      </Path>
    </Host>
  </RequestMap>
</RequestMapper>


Apache config file snippet (ie. /etc/apache2/sites-enabled/your.host.name, or you can even use .htaccess without the <Location> tags):

<Location /location_of/your_Drupal/installation>
  AuthType Shibboleth
  ShibRequireSession Off
  # the following single line is only valid for Shib2
  ShibUseHeaders On
  require shibboleth
</Location>


You MUST use ShibUseHeaders On if you use Shibboleth2 with mod_rewrite.

mod_rewrite prefixes CGI environment variables with REDIRECT_, so you have to instruct Shibboleth2 to use headers instead.

Shibboleth 1.3 always uses headers, therefore the ShibUseHeaders directive is invalid with Shibboleth 1.3.

DEBUG mode

If you enable DEBUG mode on the module configuration interface, you can dump the whole $_SERVER array. This shows you all the available attributes and helps you diagnosing possible Shibboleth attribute problems.

Keep in mind that some users might have a specific attribute while others don't.
Debug path prefix

Leave it empty, if you want to display debug information on every page. Enter the string user/ for displaying DEBUG messages only on paths below user/*

Adding a prefix is useful, if you want to enable debugging on an online drupal installation without littering all of the pages with the debugging information. You can set it to a non-existent node as well, in this case, the information will be displayed over the built-in 404 page.

Setting Shibboleth parameters for the module

Handler settings

If you are using lazy sessions, you have to define the Shibboleth SessionInitiator to which the user should be directed when she clicks on "Login with Shibboleth". SessionInitiator URL is constituted of the following:

  • protocol scheme (http:// or https://)
  • host name
  • Shibboleth handler URL (usually: /Shibboleth.sso)
  • 'location' part of the SessionInitiator definition

/etc/shibboleth/shibboleth2.xml snippet:

<Sessions lifetime="28800" timeout="3600" checkAddress="false"
          handlerURL="/Shibboleth.sso" handlerSSL="false"
          exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
          idpHistory="false" idpHistoryDays="7">
  <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" 
                    relayState="cookie" entityID="https://idp.example.org/shibboleth">
    <SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1" defaultACSIndex="5"/>
  </SessionInitiator>
  <!-- other things -->
</Sessions>

For this example, you should configure the Shibboleth settings of the module as the following:

  • /Shibboleth.sso for Handler URL
  • HTTPS or HTTP for scheme, depending on whether you are using SSL or not
  • /Login for WAYF location
Attribute settings

Specify here the $_SERVER headers to look up the user's username and e-mail address. Please check DEBUG mode to look for the available headers. If you can not find the desired attribute, then something is wrong with your IdP-SP attribute release flow.

Both fields can have the same value, if you wish.

Understanding features

Automatic user creation

Drupal CMS requires all users to be in its internal SQL database. If the module detects that no user exists in the database with the received Shibboleth user identifier, it creates a new (Drupal) user.

Drupal needs 3 pieces of information to create a new user:

  • username
  • e-mail address
  • password

The module by default uses the username and e-mail address taken from the $_SERVER headers, see #Attribute settings right above. On new user creation a random password is generated. This can be overwritten by the user unless you disallow it by the userprotect module. {{NOTE_EN|if the user overwrites the password, she can log in with her username and the new password.

Using custom values

You may want to let your users to define their own Drupal usernames and e-mail addresses other than what was received from the IdP. If either User-defined usernames or User-defined e-mail addresses option is set, new users are presented a form to enter data at the first logon.


Working with federated identifiers

If you enable the option User-defined usernames in the module configuration, every new user is presented a form to specify a Drupal username. This way you can work with opaque (federated) identifiers such as eduPersonTargetedId, as long as it appears in the $_SERVER variable holding the username. The only limitation is that the federated identifier cannot be longer than 255 characters, however it can contain characters otherwise not allowed in Drupal account names (such as exclamation mark, etc).

Disallowing password change

If you don't want to let your users to change passwords and log in with it, you may want to disallow password change.

  1. Install Drupal User Protect module
  2. At Administer -> User management -> User Protect -> Protected roles tab check password for the authenticated user role.
  3. At Administer -> Permissions -> userprotect module: uncheck change own password for authenticated user
  4. Log in with a normal account, go to "My account" -> Edit. You shouldn't see the possibility for changing password; except for the case when the user has user administrator rights.

Administering Drupal with strict sessions

If you use strict sessions, you can not log in with a password. You need to grant your own user administrator rights to administer the CMS.

  1. Enable Shibboleth protection
  2. Login with your own user credentials, so that your Drupal user profile is created
  3. Disable Shibboleth protection
  4. Login as 'admin', grant your own user 'Administrator' rights.
  5. Enable Shibboleth protection
  6. Login with your own credentials, you should have 'Administrator' rights now.

Logging out

Session expiry

Enable the option "Destroy Drupal session when the Shibboleth session expires", if you want to force logout the users without a valid Shibboleth session. (This only applies to lazy sessions, otherwise it is the webserver what ensures that you have a valid session.)


URL to redirect to after logout

Define an URL here, where you want the user to be navigated after logout. The URL can be absolute or relative to the server base url. The relative paths will be automatically extended with the site base URL.

SAML2 Logout

At the moment, Shibboleth2 SP supports SAML2 logout while the Shibboleth2 IdP does not. It has a consequence that (if you have a standard Shibboleth2 installation), you will get a Shibboleth error message on logout, like this:

Global Logout
Status of Global Logout: Identity provider does not support SAML 2 Single Logout protocol.

You can avoid this message by commenting out SAML2 global logout initiator from /Logout handler in /etc/shibboleth/shibboleth2.xml:

 <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
 <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
   <!-- The following line should be commented out to make Drupal logout work,
        as long as your IdPs do not support SAML2 logout -->
   <!--LogoutInitiator type="SAML2" template="bindingTemplate.html"/-->
   <LogoutInitiator type="Local"/>
 </LogoutInitiator>

Dynamic role assignment

It's possible to assign roles to users based on their Shibboleth attributes.

An assignment rule is made of three parameters:

  • $_SERVER header name: name of the Shibboleth-derived attribute
  • Value regexp: regexp applied to (all) the value(s) of the Shibboleth-derived attribute
  • Role(s): checklist of roles to be assigned to the matching users

Revoking/adding a Shibboleth attribute rule will take effect immediately on next page refresh. The same applies when the set of headers is happened to be changed.

Note: although dynamic roles are NOT displayed on the user page, the permissions assigned to the role are in effect for the user.
This is a feature, not a bug

Additional roles can be assigned statically to the user (as an individual) by the administrator as normally. Every logged in user gets the role Authenticated user automatically.

Account linking

There might be cases when you have a number of existing users and you want them to (optionally) log in through the federation. If you enable account linking, a user can add her SSO login to her existing Drupal account. The process of adding an SSO login -> Drupal account association is the following (all steps are performed by the user):

  1. Login to Drupal (with username/password)
  2. Go to My account -> Edit
  3. Click on Link this account to Shibboleth!
  4. Authenticate with your IdP

From this point the user can choose to login either with Shibboleth or with username/password. This feature can also be useful for users switching home organizations.


Dynamic roles are roles based on server variables, not users. These may well be different on username/password logon and Shibboleth logon.

Change log

Version 3.0 -> 3.1

If you need documentation for 3.0, please use the previous version of the documentation

Release notes

Version 4.0

Bug fixes
  • The module now works with caching enabled
New features
  • Allow specifying Drupal username, thus support opaque identifiers
  • Support account linking