At some point I got a ping from someone that was working on a SAML implementation for Drupal. Unfortunately, that was a year ago or more, and trawling my email doesn't seem to surface anything.
So, anyone out there in blog land working on a SAML *SP* (aka client) implementation for Drupal? I have some folks that would like to test interop. Please contact me if you've got something.
Related to this is the Google Apps Authentication module, which lets you use your Drupal database as an authentication source for Google Apps (the for-pay Enterprise or Education editions). This is a SAML v2.0 IdP implementation as far as I know...
And yes, I'm still a huge OpenID fan. But combining the two standards is even better, since theoretically you could create new Drupal accounts via OpenID, and the Drupal accounts in turn would serve as auth for Google Apps. AKA how to use OpenID with Google :P
Comments
Drupal + SAML work at EDIT
We're looking for something similar, and came across this site/implementation. We're currently investigating and will post back any findings. Looks promising from the outside.
http://dev.e-taxonomy.eu/trac/wiki/Shibboleth
We have a basic authentication skeleton for Drupal. Currently, authenticated users must be entered in the Drupal user database by the site administrator. The original Webserver Auth module also supports automatic user registration. This is currently work in progress, but should be done quite easily.
To shibbolize Drupal and to adopt Drupal to our needs, we will extend this basic authentication module considering the following issues:
Amen!
SAML in Drupal would be wonderful! At one point I was running or monitoring running upwards of 80 websites for student clubs on *.skule.ca, mostly in separate cPanel accounts.
We wanted to make a standard Drupal install profile that would also allow SSO between the various subdomains, since it wasn't convenient to run a single multi-site Drupal install. After fiddling with things like making a MySQL VIEW of the master installation's users table in each site's database (very ugly!) and trying to hack Drupal's built-in distributed auth, we gave up.
SAML IdP/SP modules would really have been a silver bullet. Even better would have been to integrate with our school's own identity service (using Kerberos); they could handle identification/authentication and we'd be able to control authorization across many sites via SAML. *drools* I'd love to hear if you find anything.
Whoops!
I guess the MCE didn't like my HTML.
Have done some limited exploration
I think I might be the person that pinged you around that then. I've done some work on this but it's mainly a hack using the webauth module and some minor code mods to read group information out of the exported-to-CGI-ENV SAML data and mapping it to roles in Drupal. The Drupal site is completely behind a Shib sp (no lazy sessions), so the utility is limited, however it works for the strict configuration used. This was done for the myVocs project at myVocs.org and is part of the myVocs box distro.
On the flip side, I also use Drupal to drive exporting of account information via SAML (using the shib-idp) at OpenIdP.org. This is basically a drupal instance stripped down to just support user account creation. The data is then harvested out the backend by the shib-idp resolver. I've got an over-due todo to add OpenId support to this site, but this will likely come from the new Drupal OpenID support. (The todo is upgrading openidp.org to the latest drupal, targeted for the fall.)
Both of these solutions have worked well but could stand improvement, mainly in the form of updates reflecting my changed views/understandings. A generic/fully functioning SAML module is still needed. (BTW, the Shib extension to MediaWiki could offer some idea as well.)
I'm not familiar with the PHP SAML implementation, which is likely to be a lot more generic. I'd be happy to offer additional pennies based on my experiences. Feel free to contact me.
Thanks to Tom Scavo of the GridShib team for pointing me to this post.
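The group-to-role mapping John-Paul describes above, reconstructed here as an added example. This is not code from the original post, the webauth module or the myVocs distribution. It assumes the Shibboleth SP exports attributes into the CGI environment (the default on Apache with mod_shib), that the attribute carrying group membership is named `isMemberOf` in attribute-map.xml, and that the group-to-role table and the sample environment are made up for illustration; the function only returns role names and leaves the actual `user_save()` call to whatever Drupal version you are on.

```php
<?php
// Added example, not part of the original post or the myVocs code.
// Maps group values that a Shibboleth SP has exported into the CGI
// environment onto Drupal role names. The attribute id (isMemberOf),
// the role map and the sample environment are assumptions.

/**
 * Return the Drupal role names a Shib-authenticated request is entitled to.
 *
 * The Shibboleth SP joins the values of a multi-valued attribute with ';'
 * and only populates these variables after it has established a session,
 * so nothing is mapped unless Shib-Session-ID is present.
 */
function shib_roles_from_env(array $env, array $group_to_role) {
  // No SP session: the request never went through the SP, so no value in
  // $env is an identity assertion and none of it may grant a role.
  if (empty($env['Shib-Session-ID'])) {
    return array();
  }
  // Attribute id assumed to be configured in attribute-map.xml.
  $raw = isset($env['isMemberOf']) ? $env['isMemberOf'] : '';
  $roles = array();
  foreach (explode(';', $raw) as $group) {
    $group = trim($group);
    // Groups without an explicit mapping are ignored rather than
    // turned into roles, so a new IdP group cannot grant access by accident.
    if ($group !== '' && isset($group_to_role[$group])) {
      $roles[$group_to_role[$group]] = TRUE;
    }
  }
  return array_keys($roles);
}

// Constructed sample: what Apache/mod_shib hands a PHP script for a user in
// two groups, one of which has no mapping and is dropped.
$sample_env = array(
  'Shib-Session-ID' => '_a1b2c3d4',
  'eppn'            => 'alice@example.edu',
  'isMemberOf'      => 'cn=editors,ou=groups,dc=example,dc=edu;'
                     . 'cn=staff,ou=groups,dc=example,dc=edu',
);
$group_to_role = array(
  'cn=editors,ou=groups,dc=example,dc=edu' => 'editor',
  'cn=admins,ou=groups,dc=example,dc=edu'  => 'administrator',
);

print_r(shib_roles_from_env($sample_env, $group_to_role));
// A request that carries the attribute but no SP session gets nothing.
print_r(shib_roles_from_env(array('isMemberOf' => 'cn=admins,ou=groups,dc=example,dc=edu'), $group_to_role));
```

Two checks matter in practice. First, read the attributes from `$_SERVER` as environment variables, not as `HTTP_*` request headers: the Shibboleth SP documentation warns that the header-export mode can be spoofed by a client unless the SP is configured to block that, whereas environment variables are set by the module itself. Second, as John-Paul notes, this only holds when the path is fully behind the SP (no lazy sessions), which is exactly why the function refuses to map anything without `Shib-Session-ID`.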
Thanks!
Thanks, John-Paul. I couldn't find the email either, but I *do* remember some connection with Shib :P
You should definitely check out the Google Auth Drupal module, because as far as I can tell that's basically a SAML IdP configured to work directly with Google...
Hmm, OpenIdP, very interesting...from what I've played around with in Drupal, we *should* be able to build an N-way identity connector that allows Shib / OpenID / etc. etc. etc. interoperability. I think the way the accounts and auth_map is implemented in Drupal makes it well suited for this.
BTW, the Drupal 5 OpenID works very well already: Drupal 6 just moves that into core. The OpenID OP implementation still needs forward porting.
Ready to run Shibboleth config
Thanks for the links Boris. I'll check them out.
I'll definitely use the OpenID feature of Drupal in the next revision of openidp.org. I'm just not sure yet how I'll handle the authentication in the SAML flow. I think an N-way identity infrastructure is the way to go.
I understand how people shy away from Shibboleth. It can be somewhat of a bear to set up since most people aren't used to setting up separate interfaces to their identity management infrastructure. In the web application world we like the easy setup of tools like Drupal. I'm no different.
As part of the work related to the myVocs.org site, I built a canned VM called myVocs box that has all the parts found on myVocs.org pre-configured for isolated exploration. It includes a working Shibboleth implementation right out of the box.
This past week I finished up documentation for integrating an instance of that VM to use openidp.org as the identity provider. Basically, the instructions take you from an isolated system to an Internet facing SAML based system environment that can be used for fun things like developing your own integrated application suites.
I like to think of it as an easy way to get started building web desktops or next gen OSes out of federated system components.
Still lots of identity protocols to settle on
Yep. Postel's Law and all that. I've been scheming to make home.bryght.com an experimental N-way identity provider. Heck, even this blog has the ability to do Facebook or OpenID. We can keep adding sites and service protocols.
Re: Shibboleth. If there are more easy canned examples of adding Shibboleth support to sites - and interesting applications built on top of inter-site accounts -- then people will dig in. We're *still* at the bootstrapping phase with identity.
Oh good, so you're aiming small :P. All sounds like excellent stuff.
Project Lightbulb
Don't know about a module, but Pat Patterson from Sun mentioned Drupal in the "Story of Digital Identity" podcast: http://stodid.libsyn.com/index.php?post_id=156315 about "Project Lightbulb", a SAML service provider written in PHP.
The explanation starts at 7'30; Drupal is mentioned at 9'30.
Yes, I know Pat
Yes, I know Pat and the Liberty/SAML folks at Sun. I've been advising them for some years that they need to pay attention to easy scripting languages like PHP. They listened. I'd like to take some credit, but really, they're all smart people and once they looked beyond enterprise (or maybe at the *next* enterprise) they did something about it, and Lightbulb was the result.
I was hoping perhaps I missed something, but it appears no one else has done anything yet, so I'll see about wrapping the Lightbulb stuff into a SAML SP.