utexas / pantheon_saml_integration
Composer plugin that integrates the University of Texas Enterprise Authentication on Pantheon for the UT Drupal Kit
Installs: 129 041
Dependents: 3
Suggesters: 0
Security: 0
Stars: 1
Watchers: 4
Forks: 0
Type: composer-plugin
Requires
- composer-plugin-api: ^1.0 || ^2.0
- composer/installers: ^1.9 || ^2.0
- drupal/core: ^10
- drupal/simplesamlphp_auth: 4.0.0
- simplesamlphp/simplesamlphp: 2.1.1
- utexas/utexas_saml_auth_helper: ^3.5
Requires (Dev)
- composer/composer: ^1.0 || ^2.0
README
This is a Composer plugin that integrates the University of Texas Enterprise Authentication on Pantheon for the UT Drupal Kit.
Full user documentation can be found at https://drupalkit.its.utexas.edu/docs/getting_started/pantheon_setup.html#integrating-enterprise-authentication
Architectural overview
Getting the University's SAML-based sign-in method (Enterprise Authentication) working with Drupal, on Pantheon, involves a coordination of different components. The following provides a high-level explanation of how the pieces fit together:
- Enterprise Authentication: the login system, developed and maintained by the University's Information and Access Management (IAM) team that allows applications to use EID-based authentication. It supports Security Assertion Markup Language version 2.0 (SAML 2). In Single Sign On (SSO) terminology, this acts as the Identity Provider (IdP).
- simplesamlphp library: a third-party library which provides the business logic to handle SAML requests in PHP. It has a large collection of sub-libraries. We use only the base library. In SSO terminology, it acts as the Service Provider (SP).
- pantheon_saml_data: a collection of certificate and metadata attributes that authorize the simplesamlphp library to talk to Enterprise Authentication. These were provisioned in coordination with the IAM team.
- simplesamlphp_auth: a Drupal module that integrates the request/response API from simplesamlphp into Drupal's authentication system. Specifically, it provides a way for Drupal to redirect users to Enterprise Authentication, evaluate the response sent back after a login, and take action in Drupal's user login/registration system based on that response. We also use this module on some sites for EID-affiliation-based authorization, such as allowing EID holders with the affiliation current-staff to receive the Drupal role staff.
- pantheon_saml_integration: a Composer plugin developed by the WCMS team to connect the above components in the Pantheon filesystem. This plugin, for example, creates a required symlink at /simplesaml for the simplesamlphp library, and symlinks for the certificates and metadata from Pantheon's private file system. As a Composer plugin distributed on Packagist that depends on simplesamlphp_auth, it is the only package sites need to require in their composer.json to have all the elements needed in the codebase.
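The wiring described above (the /simplesaml symlink plus the certificate and metadata symlinks into the private file system) is what a site should verify after deployment. The following POSIX shell check is an added example, not code from pantheon_saml_integration; it assumes a layout with the Drupal web root at web/, simplesamlphp served from its public/ directory under vendor/simplesamlphp/simplesamlphp, and that package's cert/ and metadata/ directories symlinked to private/saml/ outside the web root (all assumed names, with a constructed tree built by saml_demo_tree for the demonstration).

```shell
#!/bin/sh
# Added check for the wiring pantheon_saml_integration is responsible for; not the plugin's
# own code. Assumed layout: Drupal web root web/, simplesamlphp served from its public/ dir,
# and that package's cert/ and metadata/ dirs symlinked into a private dir outside web/.
SSP="vendor/simplesamlphp/simplesamlphp"

# saml_check_link LINK TARGET: 0 if LINK is a symlink whose resolved path equals TARGET
saml_check_link() {
  [ -L "$1" ] && [ "$(readlink -f -- "$1")" = "$(readlink -f -- "$2")" ]
}

# saml_check_key KEY WEBROOT: 0 if the SP private key (symlinks followed) is a regular file
# outside WEBROOT with mode 600 or 400, so the web server cannot serve it and other
# accounts on the host cannot read it
saml_check_key() {
  real=$(readlink -f -- "$1") && [ -f "$real" ] || return 1
  case "$real" in "$(readlink -f -- "$2")"/*) return 1 ;; esac
  mode=$(stat -c '%a' -- "$real" 2>/dev/null || stat -f '%Lp' -- "$real")
  [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# saml_check_tree ROOT: run every check against a checkout at ROOT; 0 only if all pass
saml_check_tree() {
  r="$1"; rc=0
  saml_check_link "$r/web/simplesaml" "$r/$SSP/public" \
    && echo "ok   web/simplesaml -> $SSP/public" \
    || { echo "FAIL web/simplesaml missing or pointing elsewhere"; rc=1; }
  for d in cert metadata; do
    saml_check_link "$r/$SSP/$d" "$r/private/saml/$d" \
      && echo "ok   $SSP/$d -> private/saml/$d" \
      || { echo "FAIL $SSP/$d is not linked to the private directory"; rc=1; }
  done
  saml_check_key "$r/$SSP/cert/saml.pem" "$r/web" \
    && echo "ok   SP private key is outside the web root and not group/world readable" \
    || { echo "FAIL SP private key missing, inside the web root, or too permissive"; rc=1; }
  return $rc
}

# saml_demo_tree DIR: build a constructed, correctly wired tree for demonstration
saml_demo_tree() {
  mkdir -p "$1/web" "$1/$SSP/public" "$1/private/saml/cert" "$1/private/saml/metadata"
  printf 'constructed cert\n' > "$1/private/saml/cert/saml.crt"
  printf 'constructed key\n' > "$1/private/saml/cert/saml.pem"
  chmod 600 "$1/private/saml/cert/saml.pem"
  ln -s "../$SSP/public" "$1/web/simplesaml"
  ln -s ../../../private/saml/cert "$1/$SSP/cert"
  ln -s ../../../private/saml/metadata "$1/$SSP/metadata"
}

demo=$(mktemp -d) && saml_demo_tree "$demo" && saml_check_tree "$demo"; rm -rf "$demo"
```

Against a real checkout, run saml_check_tree on the repository root instead of the constructed tree; a non-zero exit means one of the symlinks or the key permissions needs attention before the site is exposed.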