Established in 1973, the Swiss Humanitarian Aid Unit operates worldwide, helping people affected by conflict and armed violence and promoting the laws that shield victims of war. The SHA is an unbiased, neutral and independent organization whose exclusively humanitarian mission is to protect the lives and dignity of victims of wars and crises. Its specialists are deployed to implement projects of the SDC or its UN partners before, during and after periods of crisis or conflict.
In the current year, the SHA and miniOrange came together to work out a solution to the organisation's specific requirements. It is a global organization and therefore gigantic in its operation. We had to implement single sign-on for the site and also sync users from their Identity Provider to the Drupal site through the System for Cross-domain Identity Management (SCIM).
About the project
Key Requirements -
SHA had pretty straightforward requirements which were a little time consuming yet interesting at the same time.
1. The users were required to be logged into the Drupal site using their Active Directory credentials without having to exist at the Drupal site’s end. This was a single sign-on requirement, which is achievable using the miniOrange SAML SSO module.
2. The SHA also wanted to keep users in sync from the Identity Provider, which is Microsoft Azure in this case, to the Drupal site.
Bringing it all Together -
Let’s deep dive into the particulars of the solution. The solution was designed to be meticulously sturdy and was developed & delivered on an ambitious timeline.
miniOrange SAML SP and SCIM Server modules were used to achieve the key requirements.
SAML SP was used to establish single sign-on (SSO): the users of the Drupal site have to be logged in using their Active Directory credentials. Microsoft Azure acted as the Identity Provider for this use case.
SCIM Server was used for the user syncing requirements of this instance. The users had to be synced from Azure to Drupal such that, as soon as a user is created, updated or deleted in Azure, the same change is reflected in the Drupal site.

SAML is used in this use case for single sign-on. It is a standard for logging users in to the Drupal site based on their sessions in other applications.
SCIM Implementation -
System for Cross-domain Identity Management (SCIM) is an open-standard, HTTP-based protocol for automating the exchange of user identity information between identity domains or IT systems.
SCIM aims to simplify user provisioning and management in the cloud. For example, as the Identity Provider (Azure in this case) adds, updates, or deletes users, they are added, updated, and removed accordingly in the Drupal user accounts.
- SCIM is organized around two principal endpoints, /users and /groups. It uses common REST verbs like GET, POST, PATCH, PUT and DELETE to create, update and delete objects. For example, an HTTP POST request sent by the SCIM client to the /users endpoint is interpreted by the SCIM server as a request to make a new user entry.
- Each request is authorized through a ‘Bearer Token’. The bearer token arrives in the request's header, alongside the payload carrying the user information. The server checks the token to confirm that the request really comes from the configured client before it performs the specified operation.

- Multiple User fields of Azure were mapped to custom user fields of Drupal. The Attribute Mapping feature was put to use for the solution.
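
The request flow described in the list above, as an added sketch that is not the miniOrange module's code: a SCIM-style handler that rejects any request without the expected bearer token, then maps the payload onto local user fields. The Drupal field names, the token value and the in-memory store are assumptions made for illustration.

```python
import hmac, json

# Hypothetical mapping: SCIM attribute path -> Drupal user field (names are assumptions).
ATTRIBUTE_MAP = {"userName": "name", "name.givenName": "field_first_name",
                 "emails.0.value": "mail"}

def authorized(headers, expected_token):
    """Accept only 'Authorization: Bearer <token>'; compare in constant time, fail closed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return bool(expected_token) and scheme.lower() == "bearer" and hmac.compare_digest(
        token.strip().encode(), expected_token.encode())

def dig(obj, path):
    """Walk a dotted path such as 'emails.0.value'; return None if any step is absent."""
    for key in path.split("."):
        try:
            obj = obj[int(key)] if isinstance(obj, list) else obj[key]
        except (KeyError, IndexError, ValueError, TypeError):
            return None
    return obj

def handle(method, path, headers, body, users, expected_token):
    """Return (status, payload) for one SCIM request against the in-memory `users` dict."""
    if not authorized(headers, expected_token):   # checked before the payload is parsed
        return 401, {"detail": "invalid or missing bearer token"}
    parts = path.strip("/").split("/")
    if parts[0].lower() != "users":               # endpoint matched case-insensitively
        return 404, {"detail": "unknown endpoint"}
    uid = parts[1] if len(parts) > 1 else None
    if method == "POST" and uid is None:
        data = json.loads(body)
        record = {field: dig(data, src) for src, field in ATTRIBUTE_MAP.items()}
        if not record["name"]:
            return 400, {"detail": "userName is required"}
        if record["name"] in users:
            return 409, {"detail": "user already exists"}
        users[record["name"]] = record
        return 201, {"id": record["name"], **record}
    if method == "DELETE" and uid in users:
        del users[uid]
        return 204, {}
    return 404, {"detail": "not found"}

if __name__ == "__main__":
    # Constructed sample request, shaped like a SCIM "create user" payload.
    sample = json.dumps({"userName": "jdoe@example.org", "name": {"givenName": "Jane"},
                         "emails": [{"value": "jdoe@example.org"}]})
    print(handle("POST", "/users", {"Authorization": "Bearer s3cret"}, sample, {}, "s3cret"))
```
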
Outcome -
- The SSO was established for the Drupal site and Azure. The users were able to successfully log into the Drupal site using their Active Directory credentials.
- The two modules were diligently installed and managed so as to fulfil the requirements put forth by the SHA.
- The SCIM module was used to perform user provisioning, syncing the users from Azure to the Drupal site.
User Provisioning and Deprovisioning is becoming an increasingly popular Access Management practice. In order to know more about the User Provisioning and Deprovisioning module, check out the link here.
Why Drupal was chosen
- Drupal was indeed an obvious choice because of its ability to scale, out-of-the-box responsiveness and flexibility with module integration.
- The SHA's primary site is built over Drupal.
- Drupal is open source and therefore incurs no licensing cost.
- Drupal 9 has powerful performance upgrades. It was chosen for its enhanced performance and security.