Authenticates Drupal users via the REMOTE_USER server variable (or
equivalent) set by the web server. No LDAP or other external authentication
backend required.
- Drupal 10.5+ (expected to work on 10, 11 and 12 at least).
- Web server configured to set REMOTE_USER (e.g. via mod_auth_kerb, mod_auth_sspi, mod_auth_openidc, or similar auth module)
On your web server, make sure that at least the path /user/login/sso is protected by your chosen module. It is OK to protect all pages, but if you'd like Drupal to control the experience you can protect just /user/login/sso and use the exclusion lists.
Within Drupal Admin (/admin/config/people/generic-sso) make sure that the
Server variable matches whichever $_SERVER variable is sent (default is
REMOTE_USER, but this can vary by configuration). If your module sends
user@domain or user@realm, you will need to enable realm stripping options.
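
A sketch of the web server side described above, using mod_auth_kerb on Apache 2.4 to protect only /user/login/sso. This is an added example, not part of the module's own documentation; the realm name and keytab path are placeholders to replace with your own.

```apache
# Constructed example: EXAMPLE.COM and the keytab path are placeholders.
# Only the SSO entry point is protected; every other path is left to Drupal.
<Location "/user/login/sso">
    AuthType Kerberos
    AuthName "Drupal SSO"

    # Negotiate (SPNEGO) only. With password fallback off, the browser is
    # never prompted to send a Kerberos password over Basic auth.
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off

    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5KeyTab /etc/apache2/drupal-http.keytab

    # Off: REMOTE_USER arrives as user@EXAMPLE.COM, so enable the realm
    # stripping option in Drupal. On: Apache strips the realm itself and
    # Drupal receives the bare user name.
    KrbLocalUserMapping Off

    # Reject the request unless authentication succeeded, so REMOTE_USER
    # is only ever populated by the auth module for this path.
    Require valid-user
</Location>

# If the "Server variable" setting in Drupal is changed to an HTTP_* name,
# that value comes from a request header and is client-controlled unless
# the web server or a trusted proxy overwrites it. REMOTE_USER as set by
# the auth module above does not have that problem.
```

If more than one realm is accepted in KrbAuthRealms, stripping the realm maps user@REALM1 and user@REALM2 to the same Drupal account name, so check that this is intended before enabling it.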
This code was derived from ldap_sso (with all LDAP dependencies removed and simplified where possible).
- You can install both ldap_sso and generic_sso concurrently, but generic_sso will take priority once it is enabled, so you must ensure the configuration is copied over using drush or the UI during maintenance. You can then disable and uninstall the ldap_sso module (and the rest of the ldap stack, assuming you do not use it) at your leisure.
- If the new form doesn't appear in the appropriate admin menu (Admin -> Configure -> People), you can navigate to it via the Extend menu or by URL. It might be useful to try running \Drupal::service('plugin.manager.menu.link')->rebuild() (after removing ldap_sso in drush) for changes to take effect.