Emakina is a User Experience agency which operates with a customer-centric approach. Emakina specialises in providing advanced digital marketing solutions for top-tier domestic and international clients with a strong emphasis on delivering exceptional user experiences to their customers, partners, and employees. They understand that every business has unique needs and work closely with their clients to create tailored solutions prioritising the customer experience.
miniOrange, a leading identity and access management solutions provider, partnered with Emakina, the user experience agency, to address their client's need for a Single Sign-On (SSO) solution for their Drupal website. In addition to SSO, the client had user-management requirements: user accounts had to be managed across their Identity Provider, OneLogin, and the Drupal site. With extensive expertise in Drupal development and identity management, miniOrange collaborated with Emakina to deliver a seamless and secure solution that streamlined the client's user management process and enhanced their website's user experience.
About the project
Requirements
- The client required a Single Sign-On (SSO) solution that would enable users to access their Drupal site using their OneLogin credentials. The SSO solution should be easy to configure and ensure a seamless user experience across multiple devices and platforms.
- The client did not want to manage any user-related activities on their Drupal site, such as creating, updating, or deleting user accounts. All CRUD (Create, Read, Update, Delete) operations should be performed only at the Identity Provider's end. This would ensure that user data is consistent and up-to-date across all applications.
- Ensure that if a user is deleted in the IdP, it is reflected on the Drupal site. However, the user content, such as articles, should be preserved and assigned to the anonymous user. This feature should ensure that no user-generated content is lost and that content ownership is maintained even after user account deletion.
- The SSO solution should support the latest security standards, such as SAML (Security Assertion Markup Language) 2.0, and provide robust encryption to protect user data.
Challenges
- OneLogin's SCIM client has requirements over and above the core SCIM specification. Reconciling these two implementations so that provisioning worked end to end was a significant challenge, and several compatibility issues had to be resolved to ensure seamless syncing between OneLogin and the Drupal site.
- Users provisioned to the Drupal site were losing their role identity, which is a critical aspect of user management. The Drupal module User Provisioning and Sync for User Management was customized to assign roles as soon as users were provisioned to the Drupal site. This customization was challenging, as it required in-depth knowledge of Drupal's role-based access control (RBAC) system and of the User Provisioning and Sync module. It was crucial that users were provisioned with the appropriate roles so that they had seamless access to the site's resources.
Implementation
The implementation of the solution involved two key modules: the miniOrange Drupal SAML SP module and the Drupal User Provisioning & Sync module. The miniOrange SAML SP module was used primarily to configure Single Sign-On (SSO) between the Drupal site and the Identity Provider, OneLogin. The module allows users residing at the Identity Provider to securely log in to the Drupal site using their OneLogin credentials.
The User Provisioning & Sync module has a complete suite of features for user management, such as on-demand provisioning, two-way sync between the IdP and the Drupal site, attribute mapping, and reporting features such as audits and detailed logs. The User Provisioning & Sync module is used in the solution to manage users effectively and to configure automatic provisioning.
One of the challenges was that the module's update flow was not working as expected on the Drupal end: user data updated on OneLogin's side was not being reflected on the Drupal site. To address this issue, the User Provisioning & Sync module was customized to work with OneLogin's specific implementation of the System for Cross-domain Identity Management (SCIM) protocol.
Another challenge faced during implementation was the issue of users losing their role identity when being provisioned to the Drupal site. To address this challenge, the User Provisioning & Sync module was further customized to assign the appropriate roles to users as soon as they were provisioned on the Drupal site. This customization was critical in ensuring that users had the appropriate access to the site's resources.
To enable automatic provisioning from the Identity Provider to the Drupal site, the Drupal site was set up as a SCIM server while OneLogin acted as the SCIM client. This setup ensured that users were automatically provisioned and synced between the Drupal site and the Identity Provider, eliminating the need for manual user management.
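The role-assignment customization described above, as an added illustration in a hypothetical custom module (this is not miniOrange's code nor the User Provisioning & Sync module's own implementation). It assumes the SCIM endpoint stores the group names sent by OneLogin in a list field named field_scim_groups on the user entity, and the group-to-role mapping is a constructed sample.

```php
<?php
// Hypothetical custom module file (mymodule.module), added as an example.
// Assumption: the SCIM server endpoint writes the incoming SCIM group
// display names into a string list field "field_scim_groups" on the user.
// The role machine names used below must exist on the site.

use Drupal\user\UserInterface;

/**
 * Maps SCIM group display names to Drupal role machine names (constructed sample).
 */
function mymodule_scim_role_map(): array {
  return [
    'Content Editors' => 'editor',
    'Site Admins' => 'administrator',
  ];
}

/**
 * Implements hook_ENTITY_TYPE_presave() for user entities.
 *
 * Runs both when a user is first provisioned (create) and on every later
 * sync (update), so a membership change in OneLogin re-derives the Drupal
 * roles instead of leaving a stale set behind.
 */
function mymodule_user_presave(UserInterface $account): void {
  if (!$account->hasField('field_scim_groups')) {
    return;
  }
  $map = mymodule_scim_role_map();
  $wanted = [];
  foreach ($account->get('field_scim_groups') as $item) {
    $group = $item->value;
    if (isset($map[$group])) {
      $wanted[$map[$group]] = TRUE;
    }
  }
  // Only roles governed by the mapping are granted or revoked here, so roles
  // assigned manually by a site administrator are left untouched.
  foreach ($map as $role) {
    if (isset($wanted[$role])) {
      $account->addRole($role);
    }
    else {
      $account->removeRole($role);
    }
  }
}
```

Because the hook runs on presave, the roles are present on the very first save of the provisioned account, which is the point at which the original module was losing them.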
Results
The implementation of miniOrange's SSO solution and User Provisioning and Sync module has significantly improved the client's user experience and security posture. Users can now easily access the Drupal site using their OneLogin credentials, while the IT team can efficiently manage user accounts and access permissions.
Why Drupal was chosen
- Drupal was chosen for the above solution because it is a flexible and scalable content management system that can be customized to meet unique business requirements. Drupal is known for its robust security features, making it a suitable choice for organizations that prioritize data security.
- In addition, Drupal has a modular architecture that allows for easy integration with third-party systems and tools. This modular design made it easy to integrate miniOrange's Single Sign-On solution and User Provisioning and Sync module for user management, as well as to customize them to meet the client's specific needs.
Technical Specifications
Drupal version:
Key modules/theme/distribution used: miniOrange Drupal SAML SP module; User Provisioning & Sync module