Welcome, Ivansa. Yeah, thanks. Hello, Hobart. Good morning, everybody. Good morning. Welcome to DrupalSouth day 2.

I will explain a little bit about myself. I am Ivanta Lakamge from Sri Lanka. I am currently working as an associate technical lead at WSO2 Sri Lanka. I started my career about eight years ago as a core PHP engineer. Then I moved to a few PHP-related frameworks and platforms, and finally I stopped at, and have enjoyed, Drupal for five years. Currently I am doing some Drupal implementations with new technologies, and today I am going to present one such implementation. The name is Single Sign-On across Drupal 8.

So, you all know that in today's digitally driven world, connecting systems is a must for an organization. It's very beneficial. When we consider an organization, there are a lot of sites and systems: HR systems, payroll systems, web systems, blogs, stock management, customer portals, a lot of systems. So let's say a user or employee of the organization wants to access, wants to log in to, all these systems. What they would have to do is register for each system separately, each site separately, and log in to them separately. We all know that it's not practical. So there should be a way to log in to all systems using a single set of user credentials. That's what we are talking about today: single sign-on.

What is single sign-on? Single sign-on is an authentication mechanism that allows users to access multiple websites and web systems using a single set of user credentials. So here the user needs to have only one username and password, and the user can log in to all the sites and systems in the single sign-on environment. I'll take a few examples and diagrams, and I'll explain what single sign-on is and how single sign-on works.
In a single sign-on environment, all the sites and systems of the organization are connected to a single authentication mechanism. So once a user wants to log in to a system or site, the user has to go via the single authentication mechanism, get authenticated there, and then access the sites and systems. Let's say the user wants to access the HR system. The user clicks some link on the HR portal, gets authenticated by that single authentication mechanism, and then accesses the HR system. Once the user gets authenticated by the single authentication mechanism, the user can access all the sites and systems in the single sign-on environment without logging in to the other sites and systems separately.

The best-known example is Google. You know that Google has different kinds of sites and services like Gmail, YouTube, Google Drive and Google Calendar, just like that. So let's say some person wants to access these Google services: once the user has logged in to Gmail, the user can access all the other Google services without logging in to each service separately. In the same manner, once a user registers with one service, it automatically registers them for the other services, and the user can access those services.

So I will go through this example. In this example, three sites are connected in a single sign-on environment to a single authentication mechanism. Now a user wants to access these sites. What the user should do is get authenticated by this single authentication mechanism and then access a site. So here the user needs to keep only one set of user credentials for accessing all these sites and systems. Now people may think, right, it's a little bit complex. Yes, actually, it's a little bit complex. There are a few configurations.
What are the benefits of having a single sign-on environment and one set of user credentials? The main benefit is that the user needs only a single set of user credentials to access multiple websites and multiple web systems in the single environment. As well, once the user registers with one system in the single sign-on environment, they are automatically registered with all the other sites and systems in the same environment. In the meantime, there is automatic login. As I explained before, once the user logs in to one system or site in that environment, they are automatically logged in to all the other sites and systems in the environment. The other benefit is single logout. We call it SLO. Once the user has logged out from one system, one site, they are automatically logged out from all the sites and systems in that environment.

I think most of these benefits are from the user's side. So you may be thinking, what are the benefits from the organization's side? Yeah, these are the benefits from the organization's side. Why do organizations need SSO? The main advantage is that all the user details, user roles and permissions are stored in a centralized place, so it's easier for the organization to manage. So let's say the organization wants to stop access to the HR system for all users in the organization. Then the server admin can look into the centralized system, the single authentication mechanism, and the server admin can give permission to the relevant users to access the HR system. In the meantime, the operational cost and the maintenance cost are very low. The reason is that all the user details, user credentials and permissions are stored in a single place. So security-wise, the organization needs to secure a single place instead of securing a lot of places, like a lot of systems and sites. And migration-wise, it's easier to migrate. As I explained, the users, user roles and user permissions are stored in a separate environment.
And if you want to migrate one system to another, one system to another environment, it's easier: the user details are separate, so the migration process can be done. And also, sometimes the organization wants to add a new site to this environment. Let's say your organization wants to add the stock management system to the single sign-on environment. Then it's easier: the organization only needs to do the single sign-on configuration, because the users, the user details, are already configured. After the single sign-on configuration, users can access the stock management system. So those are the benefits for the user and the benefits for the organization.

So let me talk about the SSO standards. Actually, I got this from Google. There are a few SSO standards, such as SAML 2.0, WS-Federation, WS-Trust, OAuth 2.0, OpenID Connect and SCIM. Today I am going to talk about SAML. So what is SAML? SAML is an XML-based data format which is used for exchanging authentication and authorization information between an identity provider and a service provider. So this is the definition of SAML. I will take a simple example diagram and I will explain what SAML is, how SAML works, and what an identity provider and a service provider are. So this is the definition of IdP and service provider.

So this is the example. There are three main entities involved in this environment: the user, the IdP and the service provider. The IdP maintains all the user details, user roles and the authentication mechanism of the organization. Then the service provider: the service provider hosts all the services of the organization. Now let's say the user is there and the user wants to access an HR system. So the user needs to send a SAML request to the IdP and get authenticated. The request goes to the service provider first. Then, after the request gets to the IdP, the IdP checks whether the request is coming from a known source, a known service provider.
Then, if it is from a known source, a known service provider, the IdP executes the authentication request. The IdP sometimes connects to an internal database or LDAP, authenticates the user, and sends the response back as a SAML response to the service provider. Then the service provider consumes that response, creates a session, and gives the user access to the HR system. So this is the example and diagram.

So I'll explain those steps. These are the steps in a SAML environment. The first one is that the user wants to log in to an application, so the user sends a request. Then the service provider creates a SAML request, and the service provider sends that SAML request as an HTTP request to the identity provider. Then the identity provider checks whether it's coming from a known source, a known service provider. If yes, it takes the request, connects to the LDAP or database or whatever, authenticates the user, creates the SAML response and sends it back to the service provider. What does the service provider do? The service provider consumes that response, creates the session and gives access to the user. There are seven steps in all here. So those are the steps.

So now we are going to set up a single sign-on environment. For that, these are the requirements we need. We need the SimpleSAMLphp library. This can be downloaded. And also we need two Drupal instances and the simplesamlphp_auth Drupal module. This can also be downloaded. The last one, the simplesamlphp_auth Drupal module, is available for both Drupal 7 and Drupal 8. So, for setting up the service provider and the identity provider, we need two Drupal instances. We are using SAML, and we are creating one Drupal instance as the service provider and the other Drupal instance as the identity provider. I have written a Medium article for this, because we all know that I can't get a lot of time to go through each step. So you can get the basic idea of what single sign-on is and how it works.
And I have written this article. You can go through this article and you can set up your environment. In the top part of the article, I explain the theoretical part, basically the things I explained before, right? In the latter part, I explain how to set up the single sign-on environment.

So now you can download the SimpleSAMLphp library from this part. And sometimes, when you are going to install the simplesamlphp_auth module, there are prerequisites: you need to install the externalauth module. So first of all you need to install externalauth, then the simplesamlphp_auth module. In some cases, the SimpleSAMLphp library asks you to run this command because it asks for some dependent libraries. If there is such a requirement, run this command on your terminal.

So now what I am going to do is: I have downloaded my SimpleSAMLphp library, and I have already set up the Drupal environment for the service provider. I am copying the downloaded SimpleSAMLphp library to the vendor folder of the Drupal service provider. I have created two Drupal instances, one for the service provider and the other one for the identity provider. Now what I am doing is going to the downloaded SimpleSAMLphp library, going into the vendor folder, and copying it here. After that, we need to create a symlink. For that, you need to go to this location and run this command, right. Now I have created the symlink. After creating the symlink, you can see the simplesaml folder here.

So we need to set up the .htaccess for that. Please copy these rewrite rules from my article and copy them into the .htaccess file in the simplesaml directory. I have already copied it. Please be careful when copying from my article; sometimes character problems can happen. So please copy this into some notepad or something, clean it, and then copy it into your .htaccess file.
So, after setting up the .htaccess file, now you need to configure the config.php file. For that, I will close this down, right, and go to the SimpleSAMLphp directory, go to the config folder, and you need to configure all the settings I mentioned in the article. First of all, we need to set the store type. We need to make the store type SQL, and we need to connect our Drupal database to this service provider. We are using localhost as the host, Drupal as the database, the Drupal local database. I have written down these configuration details here. After adding the database, you need to give permission to access the database, so you can set up the username and password just like this. After that, you need to set up the admin password for SimpleSAMLphp. The default password will be 123, but I have added ABC123; you can add whatever you want here. Then you need to give permission to access the IdP: for that there is a saml20-idp configuration you need to set to true. I have already set it to true. Then, if you need, you can change the technical contact name and technical contact email, but it's optional. I have put my email address here. If you need, you can change it or you can keep the default details.

Then, as I told you before, we created a symlink, so the SimpleSAMLphp environment is running on this symlink. What we should do is configure the path for that. So we need to set the baseurlpath part of the configuration file; please set up this configuration path. I have already set up the configuration path: my localhost environment, drupal-sp and the symlink path. After setting up all these configurations, now we need to create the certificate. For that, there is a folder inside the simplesaml directory called cert, right. In cert, you need to run this command. It asks you for a few details.
I will set it up just like this: from Colombo, organization name, let's put Drupal South, and also Drupal South, and common name, host name, I have localhost, and my email address. After creating that, you can see the saml.crt and saml.pem files are created, sorry. After creating this environment, you can go to your localhost/simplesaml, sorry, I need to restart my server. You can see the SimpleSAMLphp installation page just like this, right. The configuration details are here, the authentication details, and the federation details.

Now we are already done with the service provider. Now what we should do is set up the identity provider using SimpleSAMLphp. So we need to run those same steps: creating the symlink, adding the .htaccess access rules, and apart from that you need to enable saml20-idp as true for getting the request from the service provider, and you need to set up the store.type as SQL. I will explain it. This is my identity provider. Go to the vendor folder; I have already created the symlink and I updated the .htaccess file. You need to go to vendor, simplesaml, and the config folder, and you need to do all the configurations we did before for this one too. For saml20-idp, make it true, and then store.type SQL, the database, the database username and password, the admin password and the baseurlpath.

After all these configurations, we need to enable an authentication source. There are different kinds of authentication sources in there. What I am doing is: there is an authentication source called example-userpass, and I am enabling that authentication source. For that, you need to go to your IdP, cd into the Drupal IdP, then go to vendor. Now we are going to enable the exampleauth module. For that, you need to go to modules and exampleauth, then you need to enable it: vendor, simplesaml, modules.
You can see, sorry, you can see all the modules and exampleauth, and you need to enable it. I have already enabled it. After that, you need to go to the authsources.php file of the same IdP, and we need to uncomment this example-userpass array. Before uncommenting it looks commented just like this, and after uncommenting it will be like this. So we are doing the authentication using an array, but if you need, you can do it using LDAP. The LDAP configuration is also here, and if you need a database, you can, sorry, you can connect to the database and do the configuration. After uncommenting this, the username is student and the password is studentpass. We are using uid as student and email as student@example.com.

Right after that, we need to create the certificate again for the IdP: go to cert and run this command, run this command here. After running this command, the saml20-idp-hosted.php file in the metadata folder will be with the server.pem file and server.crt file, because we have already run this and the .pem and .crt files are created. So now the IdP configuration is done. At the end of the IdP configuration, the Drupal IdP's /simplesaml page will be like this.

Now we have already set up both the identity provider and the service provider. Now I am going back to my article. As I told you before, when the IdP gets a request from the service provider, it checks whether it is from a known source. So what you should do is exchange the metadata information between each other. You need to get the service provider metadata from here, and you need to go to the IdP; sorry, in the IdP, in the metadata folder, there is a file named saml20-sp-remote.php. You need to copy that metadata into this file. In the same way, you need to get the IdP metadata, you can get it from here, copy it, and go to the service provider's metadata folder and copy it into the saml20-idp-remote.php file.
So now we have already exchanged the metadata between the IdP and the service provider. Now what we should do is go to the authsources.php file of the service provider: go to config and the authsources.php file. I will close down the others, and put the IdP metadata path here. Basically, you need to change only this part, and it changes according to your configuration. After all that, you can go to the service provider, go to Authentication and Test configured authentication sources. Then you can see the application you created here, default-sp. Click on that. We have set up the username as student and the password as studentpass. Then it will get authenticated by the identity provider and you get the uid as student and the email as student@example.com.

So now what we should do is get the SimpleSAMLphp library, sorry, the simplesamlphp_auth Drupal module, and, as I said, you need to have configured it already. Go to the SP, use /user/logout from here, log in using your super admin details, go to Configuration, and you can see the simplesamlphp_auth settings. We need to do a small configuration. The first one is to activate authentication via SimpleSAMLphp: tick it. Our authentication source, we created it as default-sp. Then the link, what should be the link text people see to click for login via the IdP. You need to save these details. Then there is a local authentication setting, which users should be allowed to log in with a local account; if you need, tick authenticated users.
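The SimpleSAMLphp settings the walkthrough above touches, gathered in one place as an added example (not the speaker's files or the article's own code). The hostnames, the drupal_sp database name, the drupal-sp/drupal-idp paths and the passwords are assumed placeholders; each section belongs in the file named in its comment.

```php
<?php
// Added example, not taken from the talk or the article. Hostnames, the
// database name, the drupal-sp/drupal-idp paths and passwords are placeholders.

// --- config/config.php on the service provider (the IdP uses the same keys) ---
$config = [
    // SimpleSAMLphp is served through the symlink under the Drupal web root,
    // so it must be told where it lives (assumed path).
    'baseurlpath' => 'http://localhost/drupal-sp/simplesaml/',

    // Keep sessions in the Drupal database instead of PHP sessions.
    'store.type'         => 'sql',
    'store.sql.dsn'      => 'mysql:host=localhost;dbname=drupal_sp',
    'store.sql.username' => 'drupal',
    'store.sql.password' => 'CHANGE-ME',

    // Password for the /simplesaml admin pages; the shipped default must not
    // stay in place, because those pages expose metadata and test logins.
    'auth.adminpassword' => 'ABC123',

    // Only the IdP instance needs this; it makes the instance accept SAML 2.0
    // authentication requests. Leave it false on the SP.
    'enable.saml20-idp' => true,

    'technicalcontact_name'  => 'Drupal South',
    'technicalcontact_email' => 'admin@example.com',
];

// --- config/authsources.php on the IdP: the exampleauth test users ---
// exampleauth is a demo source with plaintext passwords in a PHP array;
// it stands in for the LDAP or database source a real deployment would use.
$config = [
    'admin' => ['core:AdminPassword'],
    'example-userpass' => [
        'exampleauth:UserPass',
        'student:studentpass' => [
            'uid'   => ['student'],
            'email' => ['student@example.com'],
        ],
        'employee:employeepass' => [
            'uid'   => ['employee'],
            'email' => ['employee@example.com'],
        ],
    ],
];

// --- metadata/saml20-idp-hosted.php on the IdP: binds the IdP to the
// key pair created in cert/ and to the authentication source above ---
$metadata['__DYNAMIC:1__'] = [
    'host'        => '__DEFAULT__',
    'privatekey'  => 'server.pem',
    'certificate' => 'server.crt',
    'auth'        => 'example-userpass',
];

// --- config/authsources.php on the SP: the "default-sp" source the Drupal
// module is pointed at. 'idp' is the entityID copied from saml20-idp-remote.php
// after the metadata exchange (assumed host); pinning it means the SP only
// trusts assertions signed by that one IdP's certificate.
$config = [
    'admin' => ['core:AdminPassword'],
    'default-sp' => [
        'saml:SP',
        'entityID' => null, // defaults to this SP's own metadata URL
        'idp'      => 'http://localhost/drupal-idp/simplesaml/saml2/idp/metadata.php',
        'discoURL' => null,
    ],
];
```

The uid and email attribute names here are the ones the Drupal module's user info and syncing settings map to the Drupal username and email.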
If so, the user gets created here as an authenticated user; otherwise, actually, it is not mandatory. And if you want to remove the super admin from this single sign-on environment, you can put your super admin ID here; if you have more IDs you can use commas and mention those IDs here. Update that and go to User info and syncing: what should be the user identifier? As I told you, we had two user identifiers in that array, uid = student and uid = employee, so we are using the unique identifier as uid. And for the username we also use student, so we are using the parameter uid. And for the email address we use student@example.com, so I use the parameter email as the email address. Save the configuration.

At the end of everything, you have already set up the environment, and you have already connected it with the simplesamlphp_auth module and the SimpleSAMLphp library. So now what you should do is log out and log in. Once you log in, you can see the federated login link here. Click on that and you will automatically be redirected to the Drupal IdP, the identity provider. Add your username and password and log in; it will redirect to the Drupal SP after the authentication. The user has been created; this is the user's email address.

So at the code level and the configuration level there are a lot of steps to follow. I think it is not easy: if we miss one step, this environment is not created. So, as a result, we thought about some open source SSO providers. I have listed a few here. Those were the steps we went through, and these are the open source SSO providers: Aerobase, CAS, Keycloak, Shibboleth, WSO2 Identity Server. I am not sure whether all these open source projects are currently maintained or not, but I know that WSO2 Identity Server is maintained. So I will explain how to configure SSO with WSO2 Identity Server and Drupal 8, and how to create the single sign-on environment. For that, you need to download WSO2 Identity Server. You can go to the wso2.com site, Identity & Access Management, and you can
download the binary file. After downloading the binary file, I have copied it to my desktop, and I will open a new terminal. Actually, I have written another article for this, on how to configure WSO2 Identity Server SSO with Drupal 8. It is also on Medium; you can go to medium.com, @Ivanta, and these are the articles I have written. The steps are here. First of all, you need to create a service provider using SimpleSAMLphp in your local environment, in your Drupal environment. Then you need to download the WSO2 Identity Server binary file and copy it somewhere; I have already copied it to my desktop. Go to desktop and the bin folder and run this command, I have mentioned it in my article. After starting it, it will be like this. I have already started it, since it will take some time to start, just like 30 seconds, 40 seconds. So then after starting it, you get this console: I can use the username admin and the password admin. I have listed all the steps here, and you need to go through each step here, because I think we do not have much time to go into each step, because I am running out of time, it seems.

So after connecting all these steps, basically, as we did before, you need to create your claim URLs. Like we used the user details for student before, we need to create the same details here. And the most important thing here is that the Identity Server can be connected with LDAP or even a local database, whatever; you can create users here and it can be connected. So I have created a user called rungeaker. And now I have already set up this environment, since I cannot go through all the steps, since we have no time. I have locally set up a Drupal environment for this, and I will log out and I am going to log in. So now this Drupal environment is connected with WSO2 Identity Server. I click on federated login, then it will automatically redirect to the identity server environment; the port is 9443. Then I
have created the user here, rungeaker, and the password, and you can log in. It will return back to the service provider and the user has been created here, just like this. And I also talked about the single logout environment: once you click on logout, it will call this WSO2 Identity Server, get back the response, and clear the user session from the single sign-on environment. So those are the steps I mentioned in my Medium article, and I did the demonstration.

These are the resources. I have written two Medium articles: the first one on how to set up with SimpleSAMLphp, and the second one on WSO2 Identity Server. There is the GitHub path for downloading the SimpleSAMLphp library, the Drupal path for downloading the simplesamlphp_auth Drupal module, and the final one, the WSO2 Identity Server path for downloading the binary file for creating the SSO environment. I think that's all. Right, good, feeling good, okay. Do I start on questions?

So I had a question on config management. We see that we do a lot of changes in the SimpleSAMLphp library, so how does it map to config management? Or do we have to actually go into the actual Drupal environment, as in production or test or development, and make those changes, specifically the metadata that was copied across? So does it need to be done on each and every environment, actually, or can it be pushed through config management files?

Actually, in the first part of my presentation I explained how to set up with SimpleSAMLphp. That's what I told you: there are a lot of configurations. What you can do is, if you need, create a configuration file, because all the configurations are in different places, just like the metadata file and then the config file or the authsources file. So for that you can create a common configuration file and update those configuration details there. And if you are using the Identity Server console management, I think the number of configurations is very low. Since I couldn't go through all the steps, sorry, I couldn't tell you about it, but if you are going
through my articles, I think the number of configurations is very low. So I think even in the local environment or development environment, test environment, production environment, I think it can be easily managed. If you are using the SimpleSAMLphp basics, yeah, it's better to create some common configuration file and call it from those pages separately. Right.

I just noticed that you were creating a user in the identity provider server. So what's happening with an existing website when you have a few thousand users on this website? Basically there's going to be syncing between all of these sites together. So what would we do with syncing, creating all of these users in the provider in the SSO environment?

As I explained, I'll go to, yeah, the best example is this, right? There are three websites, right, and user details are stored in the single sign-on environment, in the centralized place, right? Let's say a user comes to the first website and creates the user account, but it's created in that single sign-on environment, right? And the second one also creates it there. Once a user wants to update the user details and user password, it will be done in that website, but it will update in the centralized environment, the single sign-on environment. So user details are not separately stored in separate places; they are stored in a single environment. So there is no specific kind of sync between each other, right? So I think, sorry, yeah, I think when creating the users, yes, they should be created in a single place. Now I explained how to log in to systems only, right? So for the registration, you need to store the details in some centralized database which can be accessed by the identity provider, right? I think we did talk about how to register a user in the Drupal site: we can write a hook or something and we can write this data to a centralized LDAP or database.

Okay, just got a question about the multiple protocol support for SimpleSAMLphp. So obviously it supports SAML, but it also supports OpenID. I am not
clear with you. So it supports SAML, but it also supports OpenID and OAuth2 for SPs? Yes, sorry, actually I am not clear with your question. Okay, yeah, so the IdP supports SAML, it supports OAuth2, it supports OpenID. Yes, you are asking about SimpleSAMLphp? Yes. SimpleSAMLphp does support that. What happens if you've got SPs, not all SPs support SAML these days, we've got one that, you know, supports CAS and not SAML, some SPs support other things, so can you mix and match? The answer to the question is yes. The port can be changed, and also, if you need to use a different mechanism, yes, it can be installed. Basically there are not many restrictions. Let's say it's like you are running a local database and you are calling the database and getting data; just similar to that, there are not many limitations on that. Okay, thank you.

Thanks for your talk. I noticed when you logged in as student you're still getting the default; there are a lot of fields presented, but presumably you don't want somebody trying to change their password on the SP. So does the Drupal module let you hide those fields from a non-administrator and send them to the IdP to manage their credentials there? Okay, you are talking about this? I think I'm just thinking about the user experience if you put that in front of an ordinary user and they change their password there. You are talking about this, right? Yeah, but when you logged in to Drupal as student it showed them the user page for that account, but that's on the SP. Yeah, it's getting federated from there. Sure. I am not logged in now, yeah, it's two different things, sorry. Yeah, yes, now let's say, right, right now you have already logged in, so edit details: if you update these passwords, it will update the centralized database, right. Now in here, now in here, this is the Drupal page, right? If you update here, it will not update that place, because we have not done that configuration, so we have to write a, of course, yeah, something. Yeah, yes, actually we don't want to keep these user
passwords in our local database, right? We can directly call an API or something and we can store them in the centralized identity provider side. So now we have not configured updating user details; we just worked with only the login part and the logout part.

So yeah, out of the box, can you configure that to sync back, or do you have to build some code to hide these fields? How much is available in the module and how much do you have to build?

For that you need to do configuration customization from the Drupal side. It's like you need to write a simple module and build some mechanism, using APIs, to call the IdP and update those details on that side. In my opinion, we don't want to keep our user details on our service provider side, on our local side. So we need to create some mechanism here. Yes, we can do it, because we have already done it. So once users update their user details, just like username, password and their first name and last name, we can store them on the identity provider side instead of saving them in the local environment. Yeah, yeah, yes, we should hide it, I think. Yeah, I think in here I'll explain. You need to, yeah, simply you can hide it from Drupal, or otherwise you can configure this. Now we have used the federated login link here, right? Users need to click on that to go to the IdP. So if you need, you can configure this username and password form from this side, so you are typing your username and password locally and it will call the IdP. Now what we did is click on federated login. So clicking on federated login is here; instead, if you type this username and password here, it can call into the IdP. It can be configured, but it will be complex and we need to do a few configurations for that. Yeah, yeah, it's not working, no, it's not working, yeah, error, because the student details are not in this panel; this login username
and password form is connected with our internal local database, so we don't have the user credentials here; those details are on the identity provider side. That's what... okay, questions? Thank you.