SSO IN/With Drupal and Identitiy Management

50 %
50 %
Information about SSO IN/With Drupal and Identitiy Management

Published on February 21, 2014

Author: manishharsh



This presentation is a result of research and evaluation for SSO and IDM majorly focused to Drupal CMS.

Enterprises, corporations and companies with multiple web properties are struggling to provide a better user experience and offer a single "corporate ID" and "Password" as the key for all.

This single ID should be used across all the properties and corporations should still be able to manage the access level and permission of the respective user based on the grants assigned to this ID in each web property.

SINGLE SIGN ON (SSO) * IN / With Drupal ** With Identity Management Services Presented In: Silicon Valley Drupal User Group When: Feb 19th, 2014 Disclaimer: Information and images used in this presentation is compilation of data from multiple sources (References). Recommendations and opinion shared in this presentation are personal to the presenter. SSO | Drupal | IDM

What is Single Sign On ? A session or user authentication process that allows a user to enter one name and password in order to access multiple applications. SSO | Drupal | IDM

Additional definition for SSO The process authenticates users for all the applications they have been given rights to and eliminates further login prompts when they switch applications during a particular session. SSO | Drupal | IDM

Additional definition for SSO As applications and resources support various authentication mechanisms, SSO internally translates and stores credentials for the different authentication mechanisms from those used for the initial authentication. SSO | Drupal | IDM

Two ways to think about it Users provide credentials only once per session, and then gain access to multiple services without having to sign in again during that session. Users provide same credentials for multiple services; they might have to login multiple times, but always using the same credentials. SSO | Drupal | IDM

The four popular configuration used for SSO Kerberos Based Smart card Based One-time Password Token (OTP) Integrated Windows Authentication SSO | Drupal | IDM

Kerberos Based SSO Enter Credentials Verify the user and get TGT from TGS Authentication Server Client Ticket Granting Server Store The TGT Send the Generated TGT Connect using the stored TGT Connect using the stored TGT Service Server 1 Connect using the stored TGT Service Server 2 …………………………………. AS - Authentication Server SS - Service Server TGS -Ticket Granting Server TGT - Ticket Granting Ticket SSO | Drupal | IDM Service Server N

SSO Scenarios • Corporate Login to Cloud Application • Cloud Login to Internal Application • Corporate Login to Internal Application • Corporate Login to Partner Application • Using Identity as a Service (IdaaS) Hub SSO | Drupal | IDM

Scenario 1: Corporate Login to Cloud Application Most commonly supported SSO scenario • A typical example of this is a user logging in with their Active Directory credentials and then using a Cloud application, such as without being asked to re-authenticate. • In this scenario, the corporation hosts the Federation Server that enables SSO with Cloud applications based on standard protocols like SAML or OAuth. • Corporate Login to Cloud Application SSO has become so ubiquitous that virtually all SaaS providers support standards-based federated SSO. SSO | Drupal | IDM

Scenario 2: Cloud Login to Internal Application Also known as Social Media Login • Examples of commonly used Cloud Logins are Facebook, Google, Windows Live, Yahoo, Twitter, and so on. • A typical example of this is a user logging into a corporate SharePoint web site with their Facebook account. • A familiar, consumer-friendly model like this is easy to use and decreases support costs associated with a large consumer population. SSO | Drupal | IDM

Scenario 3: Corporate Login to Internal Application This scenario is often required by organizations as they acquire other companies but cannot create trusts between their Active Directory domains due to legal limitations imposed by differing localities, time constraints, or other internal policies. Best practice security architecture is to decouple authentication/authorization from within each application and to leverage centralized services for these functions. In this case, internal applications would be developed as “relying parties” that trust an internal corporate identity management system for authentication/ authorization decisions. SSO | Drupal | IDM

Flow For SSO Between Multiple Drupal Sites Check if logged in to master site Drupal Master Site User DB for Master Site Credentials Verified Subsite 1 Subsite 2 Successful login Attempt to Login User SSO | Drupal | IDM …………….. Subsite n

SSO Between Drupal & Non-Drupal Sites 1. Using an Identity Management Service 2. Custom Authentication Between Sites SSO | Drupal | IDM

Identity Management for Drupal (partial list) Module Reference Link (Drupal specific) Janrain Engage OAuth Connector OpenID Selector 1422 26416 onnector 5231 16504 680 8311 selector/ n 5 46 gle-sign-on/ 7408 31435 325 21135 22230062-Okta-Drupal-moduleenabling-SSO-with-Okta-forDrupal not available not available OneLogin CAS Gigya OKTA Installs Downloads SSO | Drupal | IDM About IDM company

Custom Authentication The custom authentication between sites can be done using: 1. External Authentication Script 2. Session Check Script 3. Ticket Generation Script SSO | Drupal | IDM

External Authentication Script Works as follows: 1. User attempts to login to any of the site configured for SSO by providing username and password. 2. The username and password are verified against a common Database (preferably the Master Drupal DB). 3. Once the script validates the user with the Master DB the user is logged in to the requested Site. 4. Appropriate permission parameters are then checked by the script and the user is granted request to the specific resources. SSO | Drupal | IDM

Session Check Script Works as follows: 1. User requests access to any of the resources on the connected sites. 2. The script checks if the user is logged in to the master site. 3. If the user is logged in on the master site the user is succesfully logged in. 4. If the user is not logged in on the master site, the user is taken to the login page for the master site, once the user is logs in on the master site the script check is done again and the user is logged in on the other connected sites. SSO | Drupal | IDM

Ticket Generation Script Works as follows: 1. User requests access to any of the resources on the connected sites. 2. The Master DB is requested to generate ticket for the requesting access. 3. The user is validated and a session ticket is generated by the ticket generation server which is saved as a session parameter in the user’s browser . 4. The connected sites then use this ticket to verify the login for the user with the ticket generation server for the validity of the ticket. 5. Login request providing valid tickets are logged in automatically by the script. 6. The generated tickets are session specific and expire after the configured time. SSO | Drupal | IDM

Drupal Module: CAS (central authentication system) CAS 1. In its most simple use, CAS authenticates users and sends the user to the requested application with a ticket. The application is then responsible for authenticating the ticket (behind the scenes, with a tool like cURL) and automatically logging the user in if the ticket is valid. CAS can also proxy single sign-on. 2. URL: 3. Usage Statistics: SSO | Drupal | IDM

Drupal Module: OAuth Connector OAuth Connector 1. It makes it possible to connect and sign in a Drupal user with accounts on most third party sites with OAuth APIs. It provides a UI for adding and editing specifications of OAuth APIs that the users should be able to connect to. It also provides exportability of those specifications. Is an implementation of the Connector module. 2. URL: 3. Usage Statistics: SSO | Drupal | IDM

Drupal Module: LDAP SSO LDAP SSO 1. The LDAP Single Sign-On module provides an administrator with the ability to configure a Drupal site to use either NTLMSSP (e.g. seamless automatic login using LDAP / Active Directory credentials passed automatically by supported and properly configured browsers) or basic digest authentication as a fallback to authenticate Drupal users. The net effect is that either automatically, or by visiting a link, a user is authenticated and logged into a Drupal site without requiring the user to manually enter credentials on suitably configured installations. 2. URL: 3. Usage Statistics: SSO | Drupal | IDM

Drupal Module: Bakery Bakery SSO 1. Bakery provides a "single sign-on" feature for Drupal based sites that are on the same second-level domain (i.e.,, It could also provide support for any other website that implements the same web cookie, xmlrpc, and POST methods. 2. URL: 3. Usage Statistics: SSO | Drupal | IDM

Drupal Module: Shibboleth Authentication Shibboleth Authentication 1. Provides user authentication with Shibboleth (both v1.3 and v2.0) as well as some authorization features (automatic role assignment based on Shibboleth attributes). 2. More Info: 3. URL: 4. Usage Statistics: SSO | Drupal | IDM

Drupal Module: Account Sync Account Sync 1. The account_sync module allows you to synchronize drupal user account data across multiple Drupal sites. It currently supports basic account information as well as the drupal core profile module. It also has very basic single sign-on support. This module uses XMLRPC to transmit data between sites when updates are made so there is no need to have your sites running on the same database, server, or on the same subdomain. 2. URL: 3. Usage Statistics: SSO | Drupal | IDM

Drupal Module: Open ID SSO relying OpenID Single Sign On Relying Party 1. This module provides a simple single sign on solution based on OpenID and native in Drupal. It is the relying party counterpart for a server based on OpenID, related to OpenID Single Sign On Provider. You can set up a central provider (which ideally is another instance of Drupal) and a lot of another (Drupal) websites (so called relying parties). This way the users can login to every single relying party website using a centralized login provider where authentication is happening. 2. URL: 3. Usage Statistics: SSO | Drupal | IDM

Drupal Module: Google Authentication Google Apps Authentication Google Apps provides a single sign on API that enables people to write applications that do user authentication against a local database, and then tell google that the user is authenticated. This modules implements the API in drupal. In other words, once properly setup, this module lets Google Apps instances authenticate against your drupal user database. URL : Usage Statistics : SSO | Drupal | IDM

Thank You References: Presented By: • • n.pdf Name : Manish Harsh ID: Manish LinkedIn: • • • w-drupal-org-single-sign-on-works • gle-sign-on-sso-concepts-methods-and-frameworks/ • Twitter Handle: @manishharsh SSO | Drupal | IDM

Add a comment

Related presentations

Related pages

Single Sign On In/with Drupal and Identity Management ...

Agenda items: • Multiple SSO scenarios ( General, Non Drupal specific) • SSO within Drupal (5.x / 6.x / 7.x and same version) • SSO of Drupal and ...
Read more

Project Management | Drupal Groups

... development and project management. Primarily in Drupal: ... Single Sign On In/with Drupal and Identity Management. ... • SSO within Drupal ...
Read more

SAML 2.0 Single Sign On for any Identity Provider |

miniOrange SAML 2.0 Single Sign On ... It supports authentication with Drupal, user management, ... Issues for SAML 2.0 Single Sign On for any Identity ...
Read more

Single Sign-On |

Single Sign-On as defined on Wikipedia ... and is responsible of informing Drupal that a given users identity can ... editor role management;
Read more

Drupal Social Login Module by LoginRadius

Integrate Social Login to your Drupal website with LoginRadius ... provide Customer Identity Management. ... LoginRadius’ SSO Library in order to ...
Read more

Single Sign On | ONEsite

ONEsite’s Single Sign-On solutions extend the benefits of identity management and ... Wordpress, Magento, Drupal and more. Use of Single Sign On can ...
Read more

Using OpenID Connect for Single Sign-On with Drupal ...

Using OpenID Connect for Single Sign-On with Drupal. ... Both use the flexibility of OAuth2 to allow users to log in with their ... is an identity protocol ...
Read more

Identity Management as a Service (IDaaS) - Single Sign-On ...

Single Sign-On Unified ... OneLogin Simplifies Identity and Access Management for a More ... Analysts Agree on OneLogin’s Proven Identity Access ...
Read more