mlhess / umichoidc
This module coordinates umich role and authentication with Drupal
Installs: 379
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 2
Forks: 3
Open Issues: 0
Type:drupal-module
Requires
- drupal/core: ^10.2 || ^11
- drupal/openid_connect: ^3.0@alpha
This package is auto-updated.
Last update: 2025-07-17 18:41:20 UTC
README
umichoidc (wwsauth) is a Drupal module that extends the OpenID Connect (openid_connect) module to allow MCommunity groups to be used for authorization roles for group-based permissions in Drupal.
Versions
-
3.0.x - This release of umichoidc (wwsauth) is dependent upon the 3.0.0-alpha6 release of the openid_connect module. This version works with Drupal 11, and support may be extended back to Drupal 10 as well in the future pending further testing.
-
1.0.x - The initial release of umichoidc (wwsauth) was dependent upon the 8.x-1.4 release of the openid_connect module. This version works with Drupal 9.5 - 10. This release is still supported currently for Drupal 10 sites in U-M Pantheon.
Features
- Allows use of U-M MCommunity groups to manage as Roles in Drupal and Role Permissions with the same granularity as native Roles in Drupal.
- Module adds/removes MCommunity groups based Roles for the user as they login
- Group membership is managed in MCommunity but the corresponding Drupal Role will likely never reflect more than a snapshot of the MCommunity group membership at any given time.
- At user login, the Drupal Role will be added to their username at the time of login if they are a member of the corresponding MCommunity group.
- The Drupal Roles DO NOT sync with MCommunity.
- Supported / tested OIDC providers:
- Shibboleth OIDC using the
edumember_ismemberofattribute for LDAP group membership.
- Shibboleth OIDC using the
Install
Requirements
- Drupal 11 or later
- PHP 8.3 or later - see Drupal system requirements
- Client credentials for a supported OIDC provider (for example, Shibboleth OIDC)
Install steps
As of July 9, 2025, new Drupal 11 sites in U-M Pantheon are initialized with openid_connect and umichoidc so no additional installation steps are required for those sites.
Older Drupal 11 sites in U-M Pantheon will need to have these modules installed and configured manually.
Drupal 11 sites hosted outside of U-M Pantheon will require installation and configuration according to your external vendor's specifications.
To Install umichoidc via the command line (CLI) into a U-M Pantheon site that was created prior to OIDC provisioning integration:
-
Prerequisites
-
Pantheon WebOps Workflow: This documentation assumes an understanding of the Pantheon WebOps Workflow. Read the Pantheon WebOps Workflow documentation for more information.
-
Terminus: This documentation assumes an understanding of the Pantheon Terminus command line interface (CLI). Read the Terminus documentation for more information. Install and configure Terminus according to the installation documentation.
-
- Set environment variables for your site name and the environment you're working in (typically will be the "dev" environment)
export SITE="yourSiteName" export ENV="dev"
- Change to sftp mode to make changes
terminus connection:set ${SITE}.${ENV} sftp
- Install & enable openid_connect module
terminus composer -n ${SITE}.${ENV} -- require 'drupal/openid_connect:^3.0@alpha' terminus drush -n ${SITE}.${ENV} -- pm:enable openid_connect
- Install & enable umichoidc (wwsauth) module
terminus composer -n ${SITE}.${ENV} -- require "its-webhosting/umichoidc:^v3.0@alpha" terminus drush -n ${SITE}.${ENV} -- pm:enable wwsauth
- Configure umichoidc (wwsauth) module
Obtain the OIDC credentials for your site from the ITS Web Hosting Services Portal.
- client_id
terminus drush -n ${SITE}.${ENV} -- config:set -y openid_connect.client.wwsumich settings.client_id blahblahblah`
- client_secret
terminus drush -n ${SITE}.${ENV} -- config:set -y openid_connect.client.wwsumich settings.client_secret blahblahblah`
- Enable client profile
terminus drush -n ${SITE}.${ENV} -- config:set -y openid_connect.client.wwsumich status true`
- Replace default login with OIDC login
terminus drush -n ${SITE}.${ENV} -- config:set -y openid_connect.settings user_login_display replace`
- Connect Administrator account(s) to external OIDC provider
Repeat these steps for each local user account that needs to be connected to the external OIDC provider.
- Get uid for Admin user uniqname
Substitute value for "${uniqname}" into sql statement below:
terminus drush -n ${SITE}.${ENV} -- sql:query "select uid from users_field_data where name='${uniqname}'"`
- Add user to authmap table to connect local user to external OIDC provider
Substitute values for "${uid}" and "${uniqname}" into sql statement below:
terminus drush -n ${SITE}.${ENV} -- sql:query "INSERT INTO authmap (uid, provider, authname, data) VALUES (${uid}, \"openid_connect.wwsumich\", \"${uniqname}\", \"N;\");"`
- Commit changes
terminus env:commit --message "install/configure openid_connect" --force -- ${SITE}.${ENV}`
- Change back to git mode
terminus connection:set ${SITE}.${ENV} git`
- Rebuild cache
terminus drush -n ${SITE}.${ENV} -- cache:rebuild
For more details, refer to the documentation from the University of Michigan.
How can I report an issue, get help, request a feature, or help with module development?
Open a GitHub issue or email webmaster@umich.edu