Integrating SimpleSAMLphp with Azure Active Directory

Many organisations use Microsoft’s “Azure Active Directory” service to manage all their logins. If you want people from one of those organisations to log in to your PHP-based web site, the SAML protocol lets them do so with their existing organisational account, without manually creating an account on your site.

SimpleSAMLphp is a library for PHP applications that makes SAML easier. Drupal has a module simplesamlphp_auth (which uses SimpleSAMLphp under the hood) and can automatically create users with the right permissions based on their Active Directory groups.

The process of setting up SimpleSAMLphp is quite well documented, so follow the official documentation (and the many other write-ups) for the general setup, and use this post for the Azure-specific details.

SimpleSAMLphp:

In authsources.php:

Set the entityID to the “Application (client) ID” of your Azure AD app registration, with spn: on the front, e.g.

'entityID' => 'spn:7661a295-5f95-45c4-b937-698de049f432',

Add these two lines as described in this blog post, step 8.

'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

'simplesaml.nameidattribute' => 'eduPersonTargetedID',
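Putting the pieces above together, here is what the resulting 'default-sp' entry in authsources.php looks like. This is an added example, not a file from the original post: the client ID is the placeholder GUID used above, the tenant ID in the 'idp' value is a placeholder, and it assumes the matching Azure AD entry has been added to metadata/saml20-idp-remote.php and that an SP key pair exists in the cert directory.

```php
<?php
// Added example: authsources.php for a SimpleSAMLphp SP talking to Azure AD.
// Not taken from the original post; GUIDs and file names are placeholders.
$config = [
    'admin' => [
        'core:AdminPassword',
    ],

    // The key 'default-sp' is what appears at the end of the metadata and
    // ACS URLs given to Azure. Rename it here and in those URLs together.
    'default-sp' => [
        'saml:SP',

        // Azure AD identifies the SP by the Application (client) ID of the
        // app registration, prefixed with "spn:". Placeholder GUID.
        'entityID' => 'spn:7661a295-5f95-45c4-b937-698de049f432',

        // Entity ID of the Azure AD tenant, in the form Azure uses in its
        // federation metadata. Assumption: the same entity ID has an entry in
        // metadata/saml20-idp-remote.php. Placeholder tenant GUID.
        'idp' => 'https://sts.windows.net/00000000-0000-0000-0000-000000000000/',

        // The two lines recommended above for a persistent NameID.
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
        'simplesaml.nameidattribute' => 'eduPersonTargetedID',

        // Assumed SP key pair (relative to the configured cert directory) so
        // AuthnRequests can be signed and encrypted assertions decrypted.
        'privatekey'  => 'sp.pem',
        'certificate' => 'sp.crt',
    ],
];
```

The 'idp' value must match the entityID key of the Azure AD entry in saml20-idp-remote.php exactly, trailing slash included; a mismatch shows up as SimpleSAMLphp reporting an unknown IdP rather than anything Azure-side.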

Azure:

Application ID URI should be

https://<your domain>/simplesaml/module.php/saml/sp/metadata.php/default-sp

Redirect URI should be

https://<your domain>/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp

The trailing ‘default-sp’ is the key you gave your service provider in authsources.php; change it in both URLs if you named yours something else.

Leave ‘Optional claims’ under ‘Token configuration’ empty. Adding optional claims appeared to trigger a bug in Azure AD.

Under ‘API permissions’ grant the delegated permissions email, profile and User.Read.

Use https://<your domain>/simplesaml/module.php/core/authenticate.php to test your configuration. If all goes well you will be redirected back there after logging in through Azure AD, and the attributes Azure sent back will be displayed. These are the attributes you will use to create a user in your PHP app.

For Drupal 7 sites with simplesamlphp_auth:

Under “User info and syncing”, copy the attribute names from the ‘Your attributes’ table shown by the SimpleSAMLphp authentication test. My options were:

http://schemas.microsoft.com/identity/claims/displayname
http://schemas.microsoft.com/identity/claims/objectidentifier
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Note how long these are: full claim URIs, not short names like ‘displayname’ as Okta and others use.

I went with http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name for all three fields because it is the user’s email address and so serves as the unique ID, the user name and the email. One caveat worth knowing: that claim is the Azure AD user principal name, which an administrator can change, whereas the objectidentifier claim is a stable ID for the account that never changes. If you need accounts to survive a rename, key the unique ID on objectidentifier instead.
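For a PHP app that is not Drupal, the same mapping can be done directly against the SimpleSAMLphp API. The following is an added example, not code from the original post or from SimpleSAMLphp itself: it assumes a SimpleSAMLphp 1.14 or later install (namespaced classes) under /var/simplesamlphp, the 'default-sp' authsource from above, and a hypothetical findOrCreateUser() in your own application for persistence. It reads the three Azure claims listed above, refuses to proceed if the identifying claims are missing, and keys the local record on objectidentifier while still using the name claim as the email address.

```php
<?php
// Added example (not from the original post): turn the attributes Azure AD
// sends via SimpleSAMLphp into a local user record.
// Assumption: SimpleSAMLphp >= 1.14 installed at /var/simplesamlphp.
require_once '/var/simplesamlphp/lib/_autoload.php';

// The full claim URIs Azure AD uses, as seen on the authentication test page.
const CLAIM_OBJECT_ID   = 'http://schemas.microsoft.com/identity/claims/objectidentifier';
const CLAIM_DISPLAYNAME = 'http://schemas.microsoft.com/identity/claims/displayname';
const CLAIM_NAME        = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name';

/**
 * Build a local user record from a SimpleSAMLphp attribute set.
 * Every attribute value is an array, even for single-valued claims.
 * Throws if an identifying claim is missing or empty, so a misconfigured
 * IdP can never yield an account with an empty unique ID.
 */
function userFromAzureAttributes(array $attributes): array
{
    foreach ([CLAIM_OBJECT_ID, CLAIM_NAME] as $required) {
        if (empty($attributes[$required][0])) {
            throw new RuntimeException("Missing required SAML claim: $required");
        }
    }

    $email = $attributes[CLAIM_NAME][0];
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new RuntimeException("Name claim is not an e-mail address: $email");
    }

    return [
        // objectidentifier is the stable Azure AD account ID; key the local
        // account on it so an e-mail/UPN change does not create a second user.
        'external_id' => $attributes[CLAIM_OBJECT_ID][0],
        'email'       => $email,
        'name'        => $attributes[CLAIM_DISPLAYNAME][0] ?? $email,
    ];
}

$as = new \SimpleSAML\Auth\Simple('default-sp');
$as->requireAuth();            // redirects to Azure AD if there is no session yet
$user = userFromAzureAttributes($as->getAttributes());

// Hypothetical persistence call in your own app; replace with your user store.
// findOrCreateUser($user['external_id'], $user['email'], $user['name']);
print_r($user);
```

Because requireAuth() is called before any attribute is read, the page can only be reached with a SAML assertion that SimpleSAMLphp has already validated against the IdP metadata; the checks in userFromAzureAttributes() are there to catch a claim configuration that is wrong, not a forged assertion.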

If you need to allow more than one identity provider to log into your Drupal site then it gets interesting: simplesamlphp_auth can only handle one identity provider. To get around this I made a copy of the module (simplesamlphp_auth2) and renamed all the functions and settings to simplesamlphp_auth2. In the configuration of the second module I changed its settings to suit, and those settings were independent of the original simplesamlphp_auth. So far so good.
