Organizations Involved

Vanderbilt University Medical Center is an independent non-profit medical facility which has a number of clinics and hospitals serving an extensive patient base around Nashville, Tennessee.

VUMC is known for its highly acclaimed teaching hospital and its groundbreaking efforts in electronic medical records.

VUMC came up with a simple yet somewhat tricky requirement with two chief objectives: first, to establish SSO between hundreds of its sites and the Ping IdP; second, to eliminate the dependency on the Identity Provider when adding or deleting a site.


About the project

Key Requirements - 

VUMC and miniOrange partnered to devise a solution for the key requirements presented. VUMC wanted to establish a single sign-on system between Ping as the Identity Provider (IdP) and a large set of Drupal sites belonging to VUMC and its subsidiaries.

  • Establish single sign-on (SSO) between hundreds of Drupal sites of VUMC & its subsidiaries and an IdP.

  • Eliminate the dependency on the IdP, so that whenever a new site is added, it doesn’t have to be configured at the IdP.

Key Challenges - 

  • Mapping every Drupal site to a single application cannot be achieved directly through SAML, as it doesn’t allow configuring multiple sites against the same application in the IdP. A revised architecture had to be devised to achieve the required use-case goals.

Implementation -

The miniOrange team led an extensive discovery and strategy effort that defined the solution for the stated requirements by VUMC. 

The miniOrange module installed on multiple Drupal sites of VUMC to achieve the above-mentioned objective was - 

After closely analyzing the requirements, the developers at miniOrange identified an optimal solution. The solution was proposed and discussed, and the team then embarked on the implementation.

To help you better visualize the setup, above is the pictorial representation of the solution.

A Master site (SP) was placed between the IdP and all the sites. We refer to this mediator Drupal site as the Master SP and to the client Drupal sites as SP1, SP2, …, SPn.

The SAML SP module was installed on all the Drupal sites under consideration. When a user tries to log in to a site, say SP1, a request is generated and sent to the IdP. The IdP authenticates the user, generates a SAML response to the authentication request, and sends it to the Master SP. The Master SP, in turn, forwards the response to the designated Drupal site, which is SP1 in this case.

The key challenge of eliminating the dependency on the IdP is tackled in this setup through the use of the Master SP. Whenever a new Drupal site is added on the client side, a corresponding application doesn’t have to be created at the IdP. Instead, we made use of RelayState to determine which site initiated the request and to which site the response has to be directed.

RelayState is an HTTP parameter that can be included as part of the SAML request as well as the SAML response. In this setup, RelayState consists of the Drupal site URL through which the SSO was originally initiated.
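Because the Master SP chooses where to forward the SAML response based on RelayState, that value decides which site receives the user's assertion. The following is an added example, not part of the original case study or of miniOrange's module code: one way a Master SP could resolve RelayState to a forwarding target, assuming it keeps its own registry of client sites. The host names, `ACS_PATH`, and the function and class names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed registry held at the Master SP (hypothetical hosts). New sites are
# added here, not at the IdP.
REGISTERED_SITES = {"sp1.example.org", "sp2.example.org"}
# Hypothetical path on each client SP that receives the forwarded SAML response.
ACS_PATH = "/samllogin"


class RelayStateError(ValueError):
    """RelayState does not identify a registered client SP."""


def resolve_forward_target(relay_state, registered=REGISTERED_SITES):
    """Map a RelayState value to the client-SP URL the response is forwarded to."""
    # Reject empty values and characters that URL parsers and browsers treat differently.
    if not relay_state or any(c in relay_state for c in "\\\r\n\t "):
        raise RelayStateError("empty or malformed RelayState")
    try:
        parts = urlsplit(relay_state)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError as exc:
        raise RelayStateError("unparseable RelayState") from exc
    if parts.scheme != "https":
        raise RelayStateError("RelayState must be an https URL")
    if parts.username is not None or parts.password is not None:
        raise RelayStateError("userinfo is not allowed in RelayState")
    if port not in (None, 443):
        raise RelayStateError("unexpected port in RelayState")
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if host not in registered:
        raise RelayStateError(f"unregistered site: {host!r}")
    # Build the target from the registry match; never echo the raw RelayState.
    return f"https://{host}{ACS_PATH}"


if __name__ == "__main__":
    for value in ("https://SP1.example.org/node/5",
                  "https://sp1.example.org.attacker.example/"):
        try:
            print(value, "->", resolve_forward_target(value))
        except RelayStateError as err:
            print(value, "-> rejected:", err)
```

The comparison is an exact host match against the registry rather than a prefix or substring test, so look-alike hosts and userinfo tricks do not resolve to a forwarding target.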

The customized solution built around the miniOrange SAML SP module helped VUMC achieve its organization-specific goals while fulfilling the tricky requirements. As the end result, SSO was configured on every one of the sites, the dependency on the IdP was eliminated, and all the sites were mapped to one single application in the IdP.

Why Drupal was chosen

  • The hundreds of sites under consideration were all built over Drupal. Drupal was chosen for its ability to scale.

  • miniOrange offers a wide range of modules to improve the security of a Drupal website.

  • As an open source platform trusted by global brands, with no licensing costs, the CMS offers industry-leading digital security.

  • Drupal is highly reliable and well-grounded for numerous sites, as in the case of VUMC and a security solutions organization like miniOrange.

Technical Specifications

Key modules/theme/distribution used: