1. The attached configpatch is for devportal hosten on pantheon. In case of OPDK, one needs to specify db settings in the config.php

Yes that is correct

@Gitesh Koli @rajeshmishra

Do we need to install

simpleSAMLphp Authentication to the modules folder?

I install both the auth module and the support module, but when I go to Modules in my dev portal It tells me that the support module is missing.

Gitesh,

I am working with Sean on this. We are stuck at "enable module". it's not active in Drupal Modules. Can you please help!!!

Thanks,

Surabhi

This was because the module files werent uploaded . This should be fixed now.

Step 3 should read:

Install and enable simpleSAMLphp Authentication module from https://www.drupal.org/project/simplesamlphp_auth.

It should be installed into the sites/all/modules/contrib directory.

@Gitesh Koli, @rajeshmishra

For step 11:

• Installation directory to, path to Drupal_Root/private/simplesamlphp

Do we put the full path? i.e. /srv/bindings/[hash code]/code/private/simplesamlphp? Will this break if we check-in new code?

When I access https://developer.client-portal.com/saml_login I receive an access denied error message.

Thanks Sean . This is done

You can add the full path or in the settings.php file you can add this

$conf['simplesamlphp_auth_installdir'] = DRUPAL_ROOT .'/private/simplesamlphp';

This will set the path correctly based on which server you are on.

It also seems like on pantheon sometimes with the 1.14.x version of the library in case of an SP initiated SSO there was a problem with the site redirecting to a random port.

To fix that problem please follow what is suggested here https://pantheon.io/docs/server_name-and-server_port/

I also made the following change:

a) In the [dev portal parent directory]/private/simplesamlphp/config/config.php

I set

'enable.saml20-idp' => true,

Assuming that you use the 7.x-3.x-dev development release of https://www.drupal.org/project/simplesamlphp_auth

The following link should be configured as shown below:

https://env-orgname.devportal.apigee.com/admin/config/people/simplesamlphp_auth

You will also have to set the first and last name variables via cli as shown below:

terminus --site=jll-nonprod drush vset simplesamlphp_auth_fname firstName
terminus --site=jll-nonprod drush vset simplesamlphp_auth_lname lastName

If you use the alpha version 7.x-2.0-alpha2 then you do not have to set the first and last name via the cli. You will be able to set those values from the configuration screen shown above.

@swilliams, we tried configuring OKTA using JLL OKTA environemnt. It let's me and Andrew in since we already exist as user in dev portal but doesn't let other users in. Coupld of people tried and they are getting access denied. I had one user test using simplesaml test page, and it shows her authentication. When I checked users, the account wasn't created.

How do we investigataleris-simplesamltest.pnge it?

hey @Surabhi.gupta,

I think this should be a new question, but I will answer here.

Make sure that "Register Users" is selected in the simplesaml configuration. This setting should be on the Basic Settings tab.

@Marc Boschma

Wouldn't it be the IdP's responsibility to force the 2FA for admin's since it knows which user is trying to login ?

The portal does not know this information before authentication.

If the IdP cannot identify users as admin's and force 2FA then there should be 2 entity ID's defined one for regular users and one for Admin's and there should be two different buttons to let user's login as per their role.

Two different entities will allow you to force the correct set of users you who can login against that configuration

Entity 1 -> All users who are not Admins (and this being strictly enforced to make sure admins can't login)

Entity 2 -> All users who are Admins

I do not see how you will achieve this behavior with one entity ID (which may allow admins to login without 2FA, which in my opinion could be a security loophole)

This is very useful @Gitesh Koli. We have a similar requirement with one of our enterprise customer where we can leverage this right way. I am wondering if there is way to package it in a form of some custom module (as a part of product), to make it easy to integrate.

If you're using Edge for Private Cloud v. 4.17.x with nginx, I've posted some required config changes here: https://community.apigee.com/questions/44115/sso-integration-via-saml-with-developer-portal-417.html

@gkoli@apigee.com,

We have been using this module to SSO with OKTA for a year now. It has been working fine but from last few weeks, developer portal is running very slow with I use SSO. I tried using local developer portal account and performance is much better.

Can you please provide any help to investigate/identify the issue?

Hi,

We have installed OPDK 4.17.09 Developer Drupal portal with nginx

We are following all the steps as mentioned in this thread, but got stuck at step-8

8. Once you receive the metadata from the identity provider navigate to https://developer.client-portal.com/simplesaml/ and you will see the simplesamlphp library’s UI

For us the https://<devportal-host>:<port>/simplesaml>; is not working and gives error"Page Not Found"

We have done all the steps, I guess the step-1 itself is wrong that's why step-8 (simplesamlphp library’s UI) is not working

Can anyone please confirm,

- if simplesamlphp need to be copied to /opt/apigee/apigee-drupal/wwwroot/sites/all/libraries/simplesamlphp

- And the symLink should be created at this location /opt/apigee/apigee-drupal/wwwroot as below

ln -s /opt/apigee/apigee-drupal/wwwroot/sites/all/libraries/simplesamlphp/www ./simplesaml

Thanks

Sunil

@Sunil, i too am working with OPDK 4.17.09 but have configured simplesamlphp differently as shown below. however, i'm also having similar problem you are so i think clarity on the EXACT location this module requires for OPDK is needed.

• extract simplesamlphp to /opt/apigee/apigee-drupal/wwwroot/private/simplesamlphp
• symlink file located /opt/apigee/apigee-drupal/wwwroot/simplesaml
• ln -s /opt/apigee/apigee-drupal/wwwroot/private/simplesamlphp/www ./simplesaml

Can someone help me how to call SLO here?

I tried the below steps but it is not working, After succesfull authentication once the user clicks on the logout link First i called the normal drupal user logout and then redirected to the IDP SLO logout url.

Thanks for the article. On step 7 i was stuck because we use microsoft active directory adfs and there was no info about the claims. So i referred article here which helped me alot. Also there was issue in simplesamlphp library about the redirection. Apply patch from here

after enabling saml as well as local accounts, support module was causing the empty name and email address when new user registers and copies existing user's name and email address if saml enabled administrator add new user. I fixed issue by modifying code as below by checking empty before setting the values.

if($account->is_new){
	  if(empty($edit['mail'])) {
		$edit['mail'] = _simplesamlphp_auth_get_mail();
	  }
	  if(empty($edit['field_first_name'][LANGUAGE_NONE][0]['value'])) {
		$edit['field_first_name'][LANGUAGE_NONE][0]['value'] = _simplesaml_support_get_fname();
	  }
	  if(empty($edit['field_last_name'][LANGUAGE_NONE][0]['value'])) {
		$edit['field_last_name'][LANGUAGE_NONE][0]['value'] = _simplesaml_support_get_lname();
	  }
  }  
<br>

Is this guide still valid for Drupal 8 portals on Pantheon? Besides some path modifications and the simplesamlphp_auth module upgrade, is this a viable guide for SSO via SAML? Or is there another method needed for D8?

Its roughly the same, but there are new docs available for Drupal 8-based portals here: https://www.drupal.org/docs/8/modules/apigee-developer-portal-kickstart/integrate-simplesamlphp-auth...