This module enables Drupal 8 to authenticate users using Shibboleth, and assign their roles based on information in other identity management systems.
Whenever a Shibboleth session is detected, the user is logged in as that user.
Or, if the account doesn't exist, it'll be created automatically. There is no
filtering of what users should be created. User accounts will be given the
same user name, as their Shibboleth NameID.
The module was designed and tested using Apache with mod_shib_24.
Shibboleth is assumed to be configured to expose:
nameorREDIRECT-name: the ShibbolethNameID, typically set in/etc/shibboleth/attribute-map.xml.mailorREDIRECT-mail: optional ; an e-mail address in string form.
As per https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeExtractor : The name property corresponds to [...] the Format XML attribute of a SAML [...] element. Such a mapping may look like this depending on your Shibboleth configuration:
<Attribute id="name"
name="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />
- new accounts are created on the fly
- if the
mailvalue matches one of the allowed domains, that value is used for the user accountmailandinitbase fields - if that value exists, but does not belong to one of the allowed domains, the value is used, and the account is marked as blocked
- if the
mailvalue is empty or missing, a pseudo-random address is generated and the account is marked as blocked
- if the
- for existing accounts:
- if the
mailvalue matches, the account is used as such - if the
mailvalue does not match, the new value is used to update the user account, and the change is logged for reference. Theinitfield is not updated.
- if the
- in all cases, if the user did not have an active Drupal session, the
logintimestamp field on the user is updated.
To install via Composer, add a repository to your composer.json then install as usual via Composer:
{
"repositories": [
{
"type": "vcs",
"url": "https://github.com/deohs/uwauth"
}
],
"require": {
"drupal/uwauth": "~2.2"
}
}
In addition to enabling the module, you need to modify the .htaccess at the
document root, or its equivalent in your vhost definition, to avoid having URLs
needed by the Shibboleth SP being rewritten.
Before:
# Pass all requests not referring directly to files in the filesystem to
# index.php.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ index.php [L]
After:
# Pass all requests not referring directly to files in the filesystem to
# index.php.
RewriteCond %{REQUEST_URI} !^/Shibboleth.sso
RewriteCond %{REQUEST_URI} !^/secure
RewriteCond %{REQUEST_URI} !^/shibboleth-sp
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ index.php [L]
Depending on the specifics of your SP configuration, you may want to tune these
rules. The /Shibboleth.sso Shibboleth SP endpoint is configurable in the
module settings form at /admin/config/people/uwauth.
For stable operation, please download or pull a specific tag (release). Otherwise you are likely to download the latest development code, which may or may not work right.
There is no support for federated logins. The module assumes all users are using centralized identifiers from the group's Shibboleth IdP.
This functionality may change in the future, if the need arises for it.