Drupal Azure Ad


Thu, Aug 11, 2016 · 6 minute read
websso

We had previously made use of the free Azure AD included with our client's Office 365 (E3) subscription and installed Azure AD Sync from our on-premises AD to Azure.

Out of the box, Azure AD supports applications and is capable of SSO to non-Microsoft apps.

The simplest is password SSO, where an administrator or the user enters their credentials for a third-party app, which are then stored securely by Microsoft.
These credentials are then pushed into the credential fields of the website when the user connects.
For me, there were two problems with this approach:

  • it apparently requires a browser extension to fetch the credentials, but I found precious little documentation of that extension
  • it seems to require an Azure AD Premium subscription.

An alternative is to install and use SAML authentication.

  1. Install SimpleSAMLPHP

    Do not change the default install directory of /var/simplesamlphp; doing so makes the process unnecessarily complex, as multiple file edits are required.

  2. Configure it

    SimpleSAMLphp needs to be configured as a Service Provider; the details are in the SimpleSAMLphp documentation.
    That said, use this post (pdf of original [1]) by Lewis Roberts instead and follow the instructions exactly.

    Note: I chose to change the default baseurlpath to /saml. To test simplesamlphp, go to, e.g., https://drupal-sso.example.org.uk/saml

    Note: Lewis Roberts uses the default Service Provider name of ‘default-sp’ in his post. I chose to change this to ‘azuread’. Adjust your commands accordingly.

    Note: The session store must be configured to use something other than phpsession. I used sql with the connection details of the Drupal database.

    This must be working against Azure AD before proceeding: the authorisation check must succeed (log in and log out).

  3. Create and configure your app in Azure AD

    In the Configure section pay particular attention to:

    • Sign-On URL
      Should end in /saml_login, e.g. https://drupal-sso.example.org.uk/saml_login

    • App ID URI
      Can be left as the base URL, e.g. https://drupal-sso.example.org.uk

    • Reply URI
      This is critical; it must be changed to something similar to this:
      https://drupal-sso.example.org.uk/saml/module.php/saml/sp/saml2-acs.php/azuread
      If you followed the setup instructions from Lewis Roberts then a URL with that path should work.

  4. Install simplesamlphp_auth module

    Follow the usual Drupal module installation instructions.

  5. Configure simplesamlphp_auth module

    Basic settings:

    • Installation directory: /var/simplesamlphp
    • Authentication source for this SP: azuread
      The name used to define the entry in the simplesamlphp config file.
    • Federated Log In Link Display Name: Azure AD
      This name will appear on the Drupal login page.
    • Login path: saml_login
      Appended to the Drupal URL; also used as part of the sign-on URL in Azure AD. No leading slash.
    • Turn on debugging messages: off
      It can be useful to have this on during initial setup; it writes to the Drupal log.
    • User provisioning: off
      We do not want this, as Drupal users are pre-created. Turning this off does mean that users have to be manually created in the authmap table.

    Drupal Authentication:

    • Allow authentication to local Drupal accounts: on
      But only for certain users (see the roles setting below).
    • Allow SAML users to set Drupal passwords: off
      We have disabled local Drupal password change.
    • Which ROLES should be allowed to login with local accounts: Administrators
      We allow Administrators to log in using local credentials.
    • Which users should be allowed to login with local accounts: none, leave blank.
    • Specify a URL for users to go to after logging out: none, leave blank.
      If a user logs out then they will be logged out of all of Azure AD, which is not really what we want. Users should not log out of Drupal, just close the tab.

    User info and syncing (this information can be obtained from the simplesamlphp authentication test):

    • Which attribute from simpleSAMLphp should be used as user's name: http://schemas.microsoft.com/identity/claims/displayname
    • Which attribute from simpleSAMLphp should be used as unique identifier for the user: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    • Which attribute from simpleSAMLphp should be used as user mail address: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    • Automatic role population from simpleSAMLphp attributes: leave blank
      I've found that Drupal role assignments are honoured once the user has been logged in. This could, however, be used to map AD roles to Drupal should the need arise.
    • Reevaluate roles every time the user logs in: leave unchecked.
    • Automatically enable SAML authentication for existing users upon successful login: leave unchecked.

    Against each Drupal user record there is also this field:

    • Enable this user to leverage SAML authentication: leave unchecked.

  6. Create authmap entries

    This setup requires manual creation of entries in the Drupal authmap table.

  7. Activate the simplesamlphp_auth module

    SAML login/logout must be working before the simplesamlphp_auth module is activated.
    If it is not working correctly then it is highly likely that you will not be able to log in to Drupal after the module is activated.

authmap notes

  • uid: the Drupal user ID that the AD user should map to
  • authname: the AD username, usually their email address. This should also match the email address in the Drupal user record.
  • module: must be set to ‘simplesamlphp_auth’

An authmap row can be created by executing an insert similar to:


It is also possible to bulk insert entries into authmap, but you need to exclude any users with non-AD email addresses or people that already exist in authmap, e.g.
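The single-row insert and the bulk insert with its exclusions, as an added example (the post's own SQL has not survived on this page; this is not the author's code). It assumes Drupal 7's authmap and users tables with no table prefix, a constructed Drupal uid of 42, and a constructed AD mail domain of example.org.uk:

```sql
-- Constructed example values: Drupal user 42, AD account alice@example.org.uk.
-- Assumes Drupal 7 tables (authmap: aid, uid, authname, module; users: uid,
-- mail, status) with no table prefix; adjust the names if your site uses one.

-- 1. Single row: map one pre-created Drupal user to their Azure AD account.
INSERT INTO authmap (uid, authname, module)
VALUES (42, 'alice@example.org.uk', 'simplesamlphp_auth');

-- 2. Bulk: map every active Drupal user whose mail is in the AD domain,
--    skipping uid 0 (anonymous) and anyone already mapped for this module.
INSERT INTO authmap (uid, authname, module)
SELECT u.uid, u.mail, 'simplesamlphp_auth'
FROM users AS u
LEFT JOIN authmap AS a
       ON a.uid = u.uid AND a.module = 'simplesamlphp_auth'
WHERE u.uid > 0
  AND u.status = 1
  AND u.mail LIKE '%@example.org.uk'
  AND a.aid IS NULL;

-- 3. Check: authname should equal the Drupal mail address (the rule given in
--    the authmap notes above). Any row returned here is a mapping to fix.
SELECT a.uid, a.authname, u.mail
FROM authmap AS a
JOIN users AS u ON u.uid = a.uid
WHERE a.module = 'simplesamlphp_auth'
  AND a.authname <> u.mail;
```

Run the check query again after the bulk insert; it should return no rows before you activate the module.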

Troubleshooting.

Assuming you can log in to Drupal:
enable debug in the simplesamlphp_auth module, test sign-in and check the Drupal log.

Exception: Error in simplesamlphp_auth.module: no valid unique id attribute set. in _simplesamlphp_auth_get_authname() ...

This means that the user unique ID attribute is incorrect; the default values will not work with Azure AD. See:
Configure simplesamlphp_auth module ->
User info and syncing ->
Which attribute from simpleSAMLphp should be used as unique identifier for the user

On successful login the user is always taken to their user home page.
This is a known issue documented in https://www.drupal.org/project/simplesamlphp_auth, e.g.

  1. Lewis Roberts, Sept 2015, SSO to Azure AD using SimpleSAMLPHP
Through our enterprise collaboration and productivity services, we help many organizations create new experiences with intranets and portals to increase productivity and streamline collaboration while cutting operating costs. We have Drupal lift and shift experience where we migrate existing portals to the cloud as well as the ability to architect a custom solution from the ground up if needed.

Azure Drupal Hosting

The Background

Our client, a large financial investment firm, provides financial services and handles multi-billion-dollar assets. The organization had multiple websites running Drupal with a third-party vendor. The vendor provided a custom setup that was riddled with issues such as slow response times, excessive downtime, and high operating costs. As a Microsoft Gold Certified Partner with such experience, AIS was engaged to perform a Drupal lift and shift operation for the websites along with a CI/CD setup across multiple environments.


Requirement Gathering

As soon as AIS started the requirement gathering, it was clear that we were going to migrate the websites and databases to a PaaS-based model. Microsoft Azure was deemed the best choice given the plethora of options available for websites. The customer also already had an Enterprise Agreement with Microsoft Azure, making it the perfect fit.

The client had several modifications that required explicit use of the Apache web server, along with Drush and PHP 7.1, and they needed room for future modifications. People working with Drupal should be quite familiar with that: Drush is often known as the “Swiss Army Knife” for Drupal.

Selecting the Perfect Azure Offerings

Initially, we came up with the following options:

  1. Create Virtual Machines Hosting Web Servers & Databases
  2. Modify the modules requiring Apache and then host the websites on Windows/IIS based Web Apps
  3. Azure Web App for Containers

Option 1 meant that we had to set up the entire infrastructure from scratch. Setting up the infrastructure from scratch wasn’t an issue, but the overhead of maintenance and costs afterward made us look for other alternatives.

Option 2 required quite some rework, and our previous experience taught us that Drush has hiccups when running on Windows-based hosts.

Option 3 was the best choice because it allowed us to write a custom Docker image with Apache, PHP 7.1, Drush and give the room for future modifications. It was the perfect balance of customization, maintenance overhead and costs. We also got added benefits like:

  1. Automated backups handled by Azure
  2. Continuous Deployment handled by the magic of Kudu
  3. Detailed metrics like Response time, number of requests etc. (Who doesn’t love detailed metrics??)
  4. Auto-scaling and more!

The Immediate Benefits of the Drupal Lift and Shift

This is the section which should most interest all of you readers. After moving the sites over to Azure, we immediately noticed a huge drop in…

  1. Time to deploy to various environments
  2. Response time. The response time came down to ~350 milliseconds from almost 1 second and above.
  3. The site was overall much faster, and the best part was that the client’s earlier infrastructure had four cores but this new setup only had two cores and 3.5GB of RAM.

Over the period of almost 20 days, the container served almost 4.6 million requests without breaking a sweat, as you can see from the below graph of CPU/RAM usage:

Figure 1 Mind you, this App Service plan runs another website!
