mlhess/umichoidc

This module coordinates umich role and authentication with Drupal

3.0.0 2025-07-17 18:40 UTC

README

umichoidc (wwsauth) is a Drupal module that extends the OpenID Connect (openid_connect) module to allow MCommunity groups to be used for authorization roles for group-based permissions in Drupal.

Versions

  • 3.0.x - This release of umichoidc (wwsauth) depends on the 3.0.0-alpha6 release of the openid_connect module. This version works with Drupal 11; support may be extended back to Drupal 10 in the future, pending further testing.

  • 1.0.x - The initial release of umichoidc (wwsauth) depended on the 8.x-1.4 release of the openid_connect module. This version works with Drupal 9.5 - 10. This release is currently still supported for Drupal 10 sites in U-M Pantheon.

Features

  • Allows U-M MCommunity groups to be used as Roles in Drupal, with Role Permissions at the same granularity as native Drupal Roles.
  • The module adds and removes MCommunity-group-based Roles for the user as they log in.
  • Group membership is managed in MCommunity, but the corresponding Drupal Role will likely never reflect more than a snapshot of the MCommunity group membership at any given time.
  • At login, the Drupal Role is added to the user's account if they are a member of the corresponding MCommunity group at that moment.
  • The Drupal Roles DO NOT sync with MCommunity.
  • Supported / tested OIDC providers:
    • Shibboleth OIDC using the edumember_ismemberof attribute for LDAP group membership.
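As an added illustration of the add/remove-at-login behaviour described above (this is not code from the umichoidc module), the following self-contained PHP function computes which group-backed roles to grant and revoke from the edumember_ismemberof values presented at login, while leaving locally granted roles such as administrator untouched. The function name, the group-to-role map and the sample group DNs are assumptions.

```php
<?php
// Added example, not the umichoidc module's own code. Reconciles a user's
// Drupal roles against the MCommunity groups reported in the
// edumember_ismemberof claim at login. Names and sample DNs are hypothetical.

/**
 * Compute which roles to add and remove for this login.
 *
 * @param string[] $currentRoles Role machine names the user has right now.
 * @param string[] $memberOf     Values of the edumember_ismemberof claim.
 * @param array    $groupToRole  Map of lowercased MCommunity group DN => role.
 * @return array{add: string[], remove: string[]}
 */
function reconcileGroupRoles(array $currentRoles, array $memberOf, array $groupToRole): array
{
    // Only roles backed by an MCommunity group are ever touched; roles granted
    // locally in Drupal (e.g. administrator) are neither added nor removed.
    $managed = array_values(array_unique($groupToRole));

    $entitled = [];
    foreach ($memberOf as $dn) {
        // LDAP DNs are case-insensitive; normalise before the lookup.
        $key = strtolower(trim($dn));
        if (isset($groupToRole[$key])) {
            $entitled[] = $groupToRole[$key];
        }
    }
    $entitled = array_values(array_unique($entitled));

    // Grant any group-backed role the user is entitled to but lacks.
    $add = array_values(array_diff($entitled, $currentRoles));
    // Revoke only managed roles whose group no longer appears in the claim.
    $remove = array_values(array_diff(array_intersect($currentRoles, $managed), $entitled));

    return ['add' => $add, 'remove' => $remove];
}

// Constructed sample data: keys are lowercased group DNs (hypothetical values).
$groupToRole = [
    'cn=site-editors,ou=user groups,ou=groups,dc=umich,dc=edu' => 'editor',
    'cn=site-admins,ou=user groups,ou=groups,dc=umich,dc=edu'  => 'site_admin',
];
// Claim as it might arrive from the IdP, with different letter case.
$claims = ['CN=Site-Editors,OU=User Groups,OU=Groups,DC=umich,DC=edu'];
$current = ['authenticated', 'site_admin', 'administrator'];

print_r(reconcileGroupRoles($current, $claims, $groupToRole));
```

With the sample data, the user gains editor, loses site_admin (its group is absent from the claim) and keeps administrator, which is not group-backed.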

Install

Requirements

  • Drupal 11 or later
  • PHP 8.3 or later - see Drupal system requirements
  • Client credentials for a supported OIDC provider (for example, Shibboleth OIDC)

Install steps

As of July 9, 2025, new Drupal 11 sites in U-M Pantheon are initialized with openid_connect and umichoidc so no additional installation steps are required for those sites.

Older Drupal 11 sites in U-M Pantheon will need to have these modules installed and configured manually.

Drupal 11 sites hosted outside of U-M Pantheon will require installation and configuration according to your external vendor's specifications.

To install umichoidc from the command line (CLI) on a U-M Pantheon site that was created before OIDC provisioning integration:

  1. Set environment variables for your site name and the environment you are working in (typically the "dev" environment):

     export SITE="yourSiteName"
     export ENV="dev"

  2. Change to SFTP mode so that code changes can be made:

     terminus connection:set ${SITE}.${ENV} sftp

  3. Install and enable the openid_connect module:

     terminus composer -n ${SITE}.${ENV} -- require 'drupal/openid_connect:^3.0@alpha'
     terminus drush -n ${SITE}.${ENV} -- pm:enable openid_connect

  4. Install and enable the umichoidc (wwsauth) module:

     terminus composer -n ${SITE}.${ENV} -- require "its-webhosting/umichoidc:^v3.0@alpha"
     terminus drush -n ${SITE}.${ENV} -- pm:enable wwsauth

  5. Configure the umichoidc (wwsauth) module.

     Obtain the OIDC credentials for your site from the ITS Web Hosting Services Portal and substitute them for "blahblahblah" below.

     • client_id

       terminus drush -n ${SITE}.${ENV} -- config:set -y openid_connect.client.wwsumich settings.client_id blahblahblah

     • client_secret

       terminus drush -n ${SITE}.${ENV} -- config:set -y openid_connect.client.wwsumich settings.client_secret blahblahblah

     • Enable the client profile

       terminus drush -n ${SITE}.${ENV} -- config:set -y openid_connect.client.wwsumich status true

     • Replace the default login with OIDC login

       terminus drush -n ${SITE}.${ENV} -- config:set -y openid_connect.settings user_login_display replace

  6. Connect administrator account(s) to the external OIDC provider.

     Repeat these steps for each local user account that needs to be connected to the external OIDC provider.

     • Get the uid for the admin user's uniqname. Substitute the value for "${uniqname}" into the SQL statement below:

       terminus drush -n ${SITE}.${ENV} -- sql:query "select uid from users_field_data where name='${uniqname}'"

     • Add the user to the authmap table to connect the local user to the external OIDC provider. Substitute the values for "${uid}" and "${uniqname}" into the SQL statement below:

       terminus drush -n ${SITE}.${ENV} -- sql:query "INSERT INTO authmap (uid, provider, authname, data) VALUES (${uid}, \"openid_connect.wwsumich\", \"${uniqname}\", \"N;\");"

  7. Commit the changes:

     terminus env:commit --message "install/configure openid_connect" --force -- ${SITE}.${ENV}

  8. Change back to git mode:

     terminus connection:set ${SITE}.${ENV} git

  9. Rebuild the cache:

     terminus drush -n ${SITE}.${ENV} -- cache:rebuild

For more details, refer to the documentation from the University of Michigan.

How can I report an issue, get help, request a feature, or help with module development?

Open a GitHub issue or email webmaster@umich.edu