utexas / pantheon_saml_integration
Composer plugin that integrates the University of Texas Enterprise Authentication on Pantheon for the UT Drupal Kit
Installs: 89 153
Dependents: 3
Suggesters: 0
Security: 0
Stars: 1
Watchers: 4
Forks: 0
Type:composer-plugin
Requires
- composer-plugin-api: ^1.0 || ^2.0
- composer/installers: ^1.9 || ^2.0
- drupal/core: ^10
- drupal/simplesamlphp_auth: 4.0.0
- simplesamlphp/simplesamlphp: 2.1.1
- utexas/utexas_saml_auth_helper: 3.3.0
Requires (Dev)
- composer/composer: ^1.0 || ^2.0
This package is auto-updated.
Last update: 2024-04-04 15:43:03 UTC
README
This is a Composer plugin that integrates the University of Texas Enterprise Authentication on Pantheon for the UT Drupal Kit.
Full user documentation can be found at https://drupalkit.its.utexas.edu/docs/getting_started/pantheon_setup.html#integrating-enterprise-authentication
Architectural overview
Getting the University's SAML-based sign-in method (Enterprise Authentication) working with Drupal, on Pantheon, involves a coordination of different components. The following provides a high-level explanation of how the pieces fit together:
- Enterprise Authentication: the login system, developed and maintained by the University's Information and Access Management (IAM) team that allows applications to use EID-based authentication. It supports Security Assertion Markup Language version 2.0 (SAML 2). In Single Sign On (SSO) terminology, this acts as the Identity Provider (IdP).
- simplesamlphp library: a third-party library which provides the business logic to handle SAML requests in PHP. It has a large collection of sub-libraries. We use only the base library. In SSO terminology, it acts as the Service Provider (SP).
- pantheon_saml_data. This is a collection of certificate and metadata attributes that authorize the
simplesamlphplibrary to talk to Enterprise Authentication. These were provisioned in coordination with the IAM team. - simplesamlphp_auth: A Drupal module that integrates the request/response API from
simplesamlphpinto Drupal's authentication system. Specifically, it provides a way for Drupal to redirect users to Enterprise Authentication and then evaluate the response sent back after a login and take action with Drupal's user login/registration system based on that response. We also use this module on some sites to do EID-affiliation-based authorization, such as allowing EID holders with the affiliationcurrent-staffto receive the Drupal rolestaff. - pantheon_saml_integration: a Composer plugin developed by the WCMS team to connect the above components in the Pantheon filesystem. This plugin, for example, creates a required symlink at
/simplesamlfor the simplesamlphp library, and symlinks for the certificates and metadata from Pantheon's private file system. As a Composer plugin distributed on Packagist that has a dependency onsimplesamlphp_auth, it is the only package sites need to require in theircomposer.jsonto have all the elements needed in the codebase.
2023 simplesamlphp fork
Drupal 10 has a dependency on Symfony 6. At the beginning of 2023, when our team was working on upgrading sites to Drupal 10, there was no stable release of simplesamlphp that was compatible with Symfony 6.
References:
- https://www.drupal.org/project/simplesamlphp_auth/issues/3349278
- simplesamlphp/simplesamlphp#1689
- simplesamlphp/simplesamlphp#1798
After substantial research, our team decided that the best option would be to temporarily provide a fork of the simplesamlphp library that was compatible with Symfony 6.
Doing so required additional forking of the Drupal module simplesamlphp_auth to change its requirement from simplesamlphp/simplesamlphp to utexas/simplesamlphp (our fork), and an additional Composer plugin, utexas/simplesaml-fork-installer, to relocate our fork into the expected location of the original library.
The visual below illustrates the relationship of these packages for the 2023 fork methodology:
