Okay, all right. So, as the topic says, this is Drupal SSO with Azure AD. Something I would like to say is I'm not a Drupal guy and Drupal is new to me, but I work more on the identity side, so you may pick up that I talk a lot about identity instead of Drupal. I'm happy for anyone to interrupt me if they need to; I'll try my best to answer the questions if you need me to. So let's start.

I think a lot of people know what single sign-on is, but just in case you don't: it pretty much allows you to sign in once and you will be automatically signed into the other applications which are under the same circle of trust. The other good thing about single sign-on is you don't need to maintain a separate credential in every application. I found that a lot of identity platforms support single sign-on for Drupal, so these are some of the identity platforms that you can use, quite good actually, even though Drupal itself can be what we call the identity provider.

For single sign-on the main concepts are authentication and authorization. Authentication is to identify who you are, and mainly there are two kinds of protocol: one is SAML, the other one is the OpenID protocol. Authorization is what we normally use to determine what resources the user can actually access after authentication, so OAuth 2 is a protocol standard that you use to authorize people.

When we talk about single sign-on there are mainly two parties involved; of course there are more, but the major two parties are what we call the identity provider and the service provider. The identity provider provides the services to store the user identity, and also when the service provider requests something it will respond with the user data, whatever they are claimed to be able to see. So that is the responsibility the IdP, the identity provider, is serving, and the SP is purely serving
the user, to provide the protected resources when they request them with the access token and authentication assertion in that case.

Okay, so we talk about two things. SAML, whose full name is Security Assertion Markup Language, is a very well established, secure protocol actually and has been utilized quite widely by government or industry, or you can say it's the more traditional way to do it as well. All its data is in the XML format and it does the data transport through simple HTTP or SOAP. Before you authenticate, what you need to do is exchange the artifacts between the IdP and SP to establish a trust relationship. What that means is you need to exchange the metadata, maybe the endpoints, because you want to send the granted access back to the SP after the user is authenticated through the IdP, and during that time the IdP is also checking the certificate between IdP and SP, so that's why they need to exchange the certificate, and how you're going to connect between these two parties, the method, will also be defined within the XML.

This is one of the examples of the XML metadata. You can see it specifies the entity ID, which is a unique identifier that's needed to identify who we are talking to, and I use a unique identifier to say who you are, where the request is coming from, that kind of thing. The second thing you may notice is whether the request is going to be signed or not, and what is the certificate that you try to exchange. So you can see it's a lot of information.

When you do authentication there are actually several steps involved; it should be more complicated, but this diagram already simplifies it. Because it's all behind the scenes the user doesn't notice, so it's good for you as admin to understand, because later on if the user has a problem you're able to help. A lot of things are behind the scenes; you can't see the
transaction or something unless you use some tools like a browser extension, if you're allowed to install extensions, something called a SAML message encoder or something like that, but most of the time it's like a black box to the user.

So the first step is the user tries, using a web browser, to request a page or some resources. Step two, it will send a request to the service provider, and the service provider realizes you haven't logged in, so it will send the user to the AD for authentication. Once the user is authenticated, which is step five, it will issue a SAML token and the SAML token will be sent back to the web browser, which is within the web session, the request session. Then once it's got the SAML token (my mouse, yeah, here) the web browser will contain the SAML token together with the information that it requested and send it to the service provider, and once the service provider recognizes or validates that the user has the privilege to access the resources, in that case a page, then it will return the page to the user through the web browser. So that is how SAML authenticates the user.

Am I going too fast, or is this too much to show? Yeah? All good. Okay, so I'll just continue if this is not too fast. Okay, so I should move a little bit. So here, after we go through the authentication flow, this one will be easier to understand, I think, because you may think, okay, you got the SAML identity provider, where is the same thing going? Okay, right, I'll just continue.

I talked about OAuth 2.0. In my previous slide you couldn't see the authorization server in the diagram, so here it's more clear in the diagram how the authorization server is involved when you do single sign-on. You have the same thing: the user starts to request something, you got the bearer
assertion, in the SAML sense, and then actually it goes to the authorization server, and once it's got the access token it will be sent to the resource server to ask for the page. In my previous slide it's actually because the service provider also carries the role for authorization; that's why you didn't see an icon or area where I talk about the authorization. So the authorization in some cases may be combined with the service provider as well, providing that kind of service.

This is one of the requests, what we call... okay, so I talked about the user request, and then it is sent to the identity provider, and that is the XML format to request a user to authenticate; we normally say it's an AuthnRequest, so it's for authentication. And this one is the response you got from the IdP once the user has successfully signed on, and it provides a lot of information in the SAML response; that's why sometimes they say SAML is very heavyweight. You can see I just captured a small subset but actually it's got more information when you look at the full set of the response. It defines the time condition here: you can see NotAfter, so your token will be valid between that... let me see how many hours, around one hour, you can see it's 07:30 and 08:48, so after this time the token that you got, the access token that you got, will be expired.

This is once you've got the access token: after the user authenticates you will get a token that will say what you can do with that token, and this is the information you send to the service provider. Once it sees the information and interprets it, then it will know what kind of access you've got to the protected resources, or it tells you you don't have the privilege to access the resources that you're asking for. So this is the information; if you have the other continuous
example, this is talking about the audience, which is the SP, so it's my web application. It tells it what kind of tenant ID in Microsoft, which means it's more like your organization indicator, and based on that it accesses the resources; for example, based on your email address it will tell you what group you are entitled to, what has been granted. The group is, you know, encrypted, and maybe you have the admin group, you may have the read access or whatever.

The other authentication protocol that is very common nowadays is something called OpenID Connect. OpenID Connect basically is built on top of the OAuth 2.0 protocol, and also it's very widely used and newer than SAML. I can't remember which year it was developed, I think 2003 or something like that, but basically it has websites and mobile applications in mind, and basically it is using JSON Web Token, JWT, as what they call the ID token. Their design is mainly for easy to use and easy to adopt, so a lot of developers prefer to use that kind of protocol rather than SAML, because you can see with SAML there will be a lot of things you need to read and a lot of things you need to handle as well. That's why OpenID has become much more popular, because it's just one ID you need to look after or handle, and the ID token is digitally signed and encrypted if required. Because it's an extension of the OAuth 2.0 protocol it actually has the capability to support scope and endpoint discovery. Scope in the sense is the permission you can do and, of the user, what kind of things you can retrieve; that's kind of what scope means, pretty much you specify what claim or group of claims the IdP can return to you. So if you ask for a user profile, what user attributes will be returned to you, that kind of thing. Similar to SAML, before the authentication
you also need to establish a trust relationship with the IdP. To establish the relationship you need to have a client ID and a secret key from the IdP for the service provider, and also of course you need to have the scope set up, because otherwise you don't know what you are allowed to do and what you're not allowed to do, and once you set up the access token or ID token it will need to have an endpoint that is able to return that information to. So those are the major three things; of course it depends on the application, so sometimes it may need more information or the application does it differently. For Azure AD actually, besides using the secret key and the client ID, it has the capability to upload certificates as well, so it's got several different ways you can do it. And I think one of the guys, Simon, I think he said he's using Office 365; that will be very useful because you can delegate users maybe to use SharePoint or any Office 365 application that way.

This is the authentication flow of OpenID Connect. You can see two endpoints, one is authorize, the other is token. Authorize is more like its authorization to let the user log in; token is once you've got the login you've got the bearer token and then you can request the real access token. So the user will access the application. It's not necessarily a user; in some cases it's a user as well as the application, because if I go through an automation process not necessarily a user will be logging in as such, it will be using a service account and it will be based on the client ID and the security key to do the authentication. But anyway, the flow is the same no matter whether it is a user or an application as such. So it will access the resources and find out you haven't got the authentication, so it will ask you
to authorize: for an application it will present the secret key, for a user it will be logging in (where's my cursor? here, yeah). So the next step is once you are authenticated it will return an authorization code, and once you've got the authorization code it will use the bearer token to request the access token, and you can see access token and refresh token; I can talk about that later because down the track that will be very useful. Once you've got the returned access token and refresh token it will go back to the web browser or whatever the application is, then it will ask for a valid token, which will validate the token to see what privilege you've got, and then it will return the corresponding data that you request under the access, the scope, that you have. It will return corresponding data because in some cases, for example like a database, you may have row-level access, so even though the whole database has thousands of records maybe it just returns the secured data, maybe 10 rows or something like that.

So the refresh token will be very useful: after a short period of time, as what it talks about here, when the access token is expired, this is how Azure AD is using the refresh token to request another new access token. The default, I think, is the access token is around an hour or something, so the refresh token actually won't expire until 90 days or something like that. So you don't need to keep asking the user to log in every hour; this is the refresh token's purpose.

Okay, so Drupal is new to me, but so far what I can find, I can tell you, you guys may be much more familiar than me, but so far what I found is it's got, for SAML and OpenID Connect, all these modules. They've got this one which is called SAML Service Provider; mainly I tried to install
it. It's mainly for miniOrange; it sounds like miniOrange has been very popular or provides a lot of services, so that's why I think this one is quite good, not just because it supports SAML, maybe I'm wrong, but the other modules... it seems this module also supports headless and decoupled Drupal websites, which is what we are using in GA, using headless and decoupled. I haven't tried that before so I don't know how that works, but it sounds quite easy, maybe I may be wrong.

But anyway, the other one I think is quite useful is OpenID Connect Microsoft Azure AD client. It's based on general OpenID Connect but it's got the Azure AD capability, some features that the other generic OpenID Connect modules don't have, and takes advantage of, for example, the Microsoft Graph API, which is really useful if you don't know what user data information is available; then you can use different endpoints, I think it's the userinfo endpoint, to retrieve the user profile attributes. The other thing is using the Azure AD group to match the Drupal role. I haven't tried it but I think the idea is using the Windows AD group, and then it will be managed by the same team, like the Windows team will use the group policy and identify which group you're entitled to, and it can correspondingly apply to the Drupal roles. That may be very useful because in Azure it's got the role-based access control, that kind of thing, so that will be very useful. The other thing is single sign-out: when you do single sign-on that allows you to access the web applications in your circle of trust, but when you sign out it allows you to log out of the other SSO sessions as well, so it can be a very useful thing. The other one is I think it also supports headless and
decoupled for OpenID, and also I found Drupal can be an IdP as well, so quite good diversity.

I think people will ask what is the difference between SAML and OpenID Connect. This is what I found so far: one is new, one is more well established and a lot of people are still using it. Also SAML will have more features, more information provided, but OpenID is for the web and mobile, so it will be very simple identity, basic authentication or data pass-through, that kind of thing. However for SAML you need to handle a lot of XML, which is maybe a bit too much to handle and not easy to implement compared with OpenID, and OpenID really works very well with APIs.

Unfortunately I didn't have a demo, but I set up a demo, not my demo but someone has a video. One thing that I want to emphasize is in the video, I don't know whether we have enough time to play it or not, it depends on whether anyone is still interested or no one has fallen asleep so far, then I can play it, otherwise we can skip it. But the main thing is, I think, after you install the service provider modules on Drupal, this is one of the examples, miniOrange, they've got the SAML modules that you install; I think a lot of people are very familiar with that. You install it and configure it, but one thing you need to be careful about: when you turn on the single sign-on, if it's not working, you need to ensure you can log back in. So always be careful, because a lot of people set up the single sign-on, however it doesn't work, so whoever is the admin will get locked out of the site because they can't do the single sign-on and didn't have a separate admin access. For the Azure AD side, what you need to do is register an application, and that is more like how you do it; it's not rocket science, so very easy, you've got a lot of videos to help you. So I've got a video in
here. I'm not sure whether it would take five minutes, maybe a bit too long, I don't know whether anyone is interested or I've been talking too long, being cautious of the time, or you can watch it yourself, doesn't matter, once you can see the title. The reason why I say so is because my personal view is the single sign-on is not difficult and you've got a lot of resources, but the more difficult part is how to set up your user lifecycle management, which means how do you get the people onto Azure AD. If you've got like 10 people, 10 staff, you can manually enter them, but if you've got thousands of people it will be hard. So this is of course something called user lifecycle management in the identity field: how, when the user is onboarded to your company, you provision the information to Azure AD, then you can use that to do single sign-on, and of course when the user leaves your company, what you need to do to deprovision them out of your Azure AD.

In identity you've got something called Azure AD Connect which allows you to have different sign-in methods. As an identity provider you can have three common ways to get people authenticated. One is called password hash synchronization, which means that on-premises AD, which is on-premises Windows AD, you've got the password for your internal network and you can sync your password to Azure AD and all the user information will be on Azure AD. Pass-through authentication means the password will be passed back to the Windows Server Active Directory, which is this diagram I posted here. What happens is when the user needs to sign into the IdP, which is Azure AD, it will pass the password to the AD agents and then pass it to the Windows AD, so once it's authenticated here then it will pass the identity information back to AAD. So this is how it works in the back
end for pass-through; that means it's not authenticating purely in Azure AD but getting the password passed through. For the password hash everything, the authentication, will be happening in AAD. The other one is Active Directory Federation Services, which is a bit... I think it depends on your company, but all the authentication, even the user profile, will be validated through on-premises, so nothing will happen on Azure AD for authentication.

The other thing is how to provision the information to the different applications; that is also very useful, which Azure AD also supports, called SCIM. Pretty much you can see Azure AD contains a lot of information like the email address, the manager, job title, so when you provision a user all this information can be passed on to the web application or the service provider in that sense. That's why you say when you have a user already authenticated, the user gets authenticated and will be automatically created on the service provider side, which in this case is Azure AD and Drupal, so you don't need to manually create a user profile on Drupal; by using SCIM it will be automatically managed that way. But for Azure AD there is something you may need to watch out for, because it's got the concept of disable user; it's not delete the user but disable it, and most of the modules that we're talking about, for example on the Drupal side, may not handle the disabled user very well, so that's something to watch out for. Okay, so I think that's it for me. Thank you, everyone. I stopped sharing.

Thanks a lot for this, Alice. Does anybody have questions?

I just have more information to be shared along with that. I was using the LDAP module with Drupal to connect with the Active Directories and all, and that is used for single sign-on with Linux-based systems. LDAP is a very good module if anyone wants to look into that, it's very useful
and easily provides the role mapping, even the fallback login with the local system you can also do that, and you can easily manage everything from the directory, and it will automatically create the user once you sign in on the ID system, and you don't need to create users on the Drupal system or any other system, just use the module and it will work in that way.

Okay, good to know, thank you. Thanks, Govind. Alice, you mentioned a video, do you have a URL to the video so we can post it in the chat and everybody can have a look at that?

I can't find it... yep.

Thanks a lot for that, and then I can post it there.

Yeah, thank you.

I'll just mention the module I've been using is the O365 module, so a slightly different approach, but it's been pretty easy to set up and use, so it might be worth checking out as well. I'll just post a link in the chat also.

Yeah, I find the Drupal modules are very easy to use, it's no problem, because it's only like five to ten minutes to set up, but I think it's only when you have a problem that you need to understand behind the scenes for investigation, that will be a big challenge.

Absolutely, no, I mean whatever you explained is super important just to understand the basics, but the modules do help a lot. Thanks a lot for this.
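As an added example (not code from miniOrange, the Drupal modules or Microsoft), here is the checking a service provider does on the SAML response fields the talk walks through: the Issuer, the NotBefore/NotOnOrAfter window, the Audience, and the Azure AD groups claim mapped onto Drupal roles. The issuer tenant, audience URL and group IDs are constructed placeholders, and the XML signature is assumed to have been verified by a SAML library before these checks run.

```python
"""Service-provider checks on a SAML assertion: Issuer, Conditions
(NotBefore / NotOnOrAfter), Audience, and Azure AD groups -> Drupal roles.
Added example, not code from miniOrange, Drupal or Microsoft.  Assumes the
XML signature was ALREADY verified; without that none of this is trustworthy."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim name Azure AD uses for group membership in SAML tokens.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# What this SP expects (constructed; the tenant ID is a placeholder).
EXPECTED_ISSUER = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
EXPECTED_AUDIENCE = "https://drupal.example.org/saml/sp"

# Constructed sample assertion, not a real capture; IDs are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_id-placeholder" Version="2.0" IssueInstant="2023-01-01T07:30:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Conditions NotBefore="2023-01-01T07:30:00Z" NotOnOrAfter="2023-01-01T08:48:00Z">
    <saml:AudienceRestriction><saml:Audience>https://drupal.example.org/saml/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"><saml:AttributeValue>GROUP-ID-EDITORS-PLACEHOLDER</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed mapping: Azure AD group object ID -> Drupal role machine name.
GROUP_TO_ROLE = {"GROUP-ID-ADMINS-PLACEHOLDER": "administrator",
                 "GROUP-ID-EDITORS-PLACEHOLDER": "content_editor"}


def _utc(value):
    """Parse the whole-second UTC timestamps used in the sample Conditions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now=None, issuer=EXPECTED_ISSUER,
                       audience=EXPECTED_AUDIENCE, skew_seconds=60):
    """Return the list of problems found; an empty list means acceptable."""
    now = _utc(now) if isinstance(now, str) else now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        problems.append("issuer mismatch")          # issued by the wrong tenant / IdP
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["missing Conditions"]
    skew = timedelta(seconds=skew_seconds)           # tolerate small IdP/SP clock drift
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _utc(not_before) - skew:
        problems.append("assertion not yet valid")
    if not_after is None or now >= _utc(not_after) + skew:
        problems.append("assertion expired")         # the roughly one-hour window from the talk
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        problems.append("audience mismatch")         # assertion was meant for a different SP
    return problems


def groups_from_assertion(xml_text):
    """Collect the group IDs Azure AD placed in the groups claim."""
    root = ET.fromstring(xml_text)
    return [v.text for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
            if a.get("Name") == GROUPS_CLAIM for v in a.findall("saml:AttributeValue", NS)]


def drupal_roles(group_ids, mapping=GROUP_TO_ROLE):
    """Map groups to Drupal roles; unknown groups add nothing beyond 'authenticated'."""
    return sorted({mapping[g] for g in group_ids if g in mapping} | {"authenticated"})
```

A rejected assertion should be logged with the problem list and the Issuer, and the user sent back to the IdP rather than silently treated as anonymous.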