Organizations Involved

miniOrange collaborated with a prominent healthcare organization to deliver a CIAM solution using Drupal, enhancing their customer experience. The name of the institution is not disclosed for privacy. 

The organization was looking for a system that could handle large numbers of users and scale as the organization grows, while ensuring consistent performance, reliability, and a convenient user experience.

They utilized Drupal as a Content Management System, Slack as a communication channel, and various Azure services tailored to different user roles. The miniOrange team collaborated with their architecture team to develop a solution that integrated Drupal seamlessly with the other applications and kept user information in sync across all of them.
 

About the project

Requirements:

  • Users should be able to access other applications once logged into the Drupal site without authenticating again, ensuring a smooth and consistent user experience.
  • Users should not be asked to fill in their profile details again on every application.
  • Users should be granted access to certain Slack channels according to their roles.
  • The solution should be scalable to handle the increasing number of users and applications as the organization grows.
  • Provide tools for monitoring and reporting user activities and access patterns for better management and insights.

Challenges:

  • Coordinating with the organization’s architecture team and their developers, and arriving at a unified solution within a narrow timeline.
  • Modifying the SCIM group endpoint to sync Drupal user roles to Slack groups was also a significant challenge.

Implementation:

The integration of multiple applications with Drupal and building a CIAM ecosystem was divided into multiple phases. This case study focuses mainly on the integration with their communication channel, i.e. Slack. Setting up the Drupal site as an Identity Provider for Slack and managing the user life cycle utilized the following miniOrange modules:

Chapter 1 - IAM

The Drupal site is the primary point of interaction for the customers. New users either register on the Drupal site or are created by the Drupal admin. To allow all users to access other applications seamlessly with a single click, the idea was to make Drupal the identity source.

Single Sign-On was set up between the Drupal site and Slack using the industry-standard SAML protocol. The miniOrange SAML IDP module was installed on their Drupal instance, which added identity provider capability to the site. In accordance with the protocol, metadata was exchanged between Drupal and Slack to establish trust.

Once the connection was successful, the IDP-initiated SSO feature was used. It simply posts a SAML response to the configured application, which grants access to the specific user. The URL provided by the module was linked from a Drupal page. When the end user clicks on that link, they are redirected to Slack without needing to log in again.

The Attribute Mapping feature was used to include multiple user attributes in the SAML response, which were then processed on the Slack end.

Drupal as SAML IDP

Chapter 2 - User Provisioning

Just-in-time provisioning was achieved with the SSO setup. The next step was to ensure that user information was synced to Slack in real time, even if the user did not access their account. On top of that, access to different Slack channels had to be updated based on the user's Drupal roles.

The Drupal User Provisioning module implements the SCIM protocol to achieve on-the-fly provisioning. As part of the configuration, the base URL and Bearer token were provided on the Drupal site to set up a connection.

The module will then make use of standard SCIM endpoints to create, update, and delete users from Slack as per the actions performed on the central identity source, Drupal. 

User Provisioning between Drupal and Slack
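
The provisioning flow described in this chapter, sketched as an added example that is not the miniOrange module's code or Slack's API: it builds generic SCIM 2.0 (RFC 7644) requests for user create, update, and delete, plus the group membership changes that follow a Drupal role change. The role-to-group mapping, ids, and function names are hypothetical, and paths are relative to the configured base URL.

```python
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Constructed mapping of Drupal roles to SCIM group ids (hypothetical values).
ROLE_TO_GROUP = {"clinician": "G100", "billing": "G200"}


def auth_headers(token):
    # The bearer token configured on the Drupal side authenticates every call.
    return {"Authorization": f"Bearer {token}",
            "Content-Type": "application/scim+json"}


def patch(path, *ops):
    return ("PATCH", path, {"schemas": [PATCH_SCHEMA], "Operations": list(ops)})


def create_user(user):
    return ("POST", "/Users", {"schemas": [USER_SCHEMA],
            "userName": user["name"], "active": True,
            "emails": [{"value": user["mail"], "primary": True}]})


def update_user(scim_id, changes):
    # One "replace" operation per changed attribute, e.g. {"active": False}.
    return patch(f"/Users/{scim_id}", *[
        {"op": "replace", "path": k, "value": v} for k, v in sorted(changes.items())])


def delete_user(scim_id):
    return ("DELETE", f"/Users/{scim_id}", None)


def sync_roles(scim_id, old_roles, new_roles):
    """Group membership requests for a role change: grant new, revoke removed."""
    reqs = []
    for role in sorted(set(new_roles) - set(old_roles)):
        if role in ROLE_TO_GROUP:
            reqs.append(patch(f"/Groups/{ROLE_TO_GROUP[role]}", {
                "op": "add", "path": "members", "value": [{"value": scim_id}]}))
    for role in sorted(set(old_roles) - set(new_roles)):
        if role in ROLE_TO_GROUP:
            reqs.append(patch(f"/Groups/{ROLE_TO_GROUP[role]}", {
                "op": "remove", "path": f'members[value eq "{scim_id}"]'}))
    return reqs
```

Computing the difference between old and new roles matters for access control: a sync that only adds members leaves users in groups for roles they no longer hold.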

Why Drupal was chosen

  • Drupal leads in terms of page loading efficiency and speed, providing a customer-centric experience.
  • There are several built-in and contributed modules that supercharge Drupal. Additionally, they are highly customizable and scalable to meet specific requirements.
  • The Drupal security team closely monitors and analyses any vulnerabilities in both the Drupal core and its modules, making it the best choice.

Technical Specifications

Drupal version: