Skip to main content
Skip table of contents

Drupal OIDC/OpenID Integration

This document explains how to implement Monosign with Drupal application. It covers Single Sign-On. Before you continue, starting with Drupal’s Single Sign-On page is better on this page.

This configuration is done with Drupal 10.3.0. If your Drupal version is different please check Drupal documentation.

Based on the documentation and the modules, the OpenID integration module works with all versions of the Drupal application.

Monofor has no responsibility to do Drupal configurations. If you need support please contact Drupal Support Services.

📑 Instructions

This documentation contains 4 main steps for integration.

  1. Creating an application on Monosign

  2. Configuration Single Sign-On for Drupal

  3. Assign a user to the Drupal application

  4. Sign In Test

1- Creating an Application on Monosign

Create your application on Monosign and configure your access policy. Once you create, click “Keys” and add a new Access Key for OIDC/OpenID Key for access.

We will need this information while we configure the Drupal application.

Creating Access Key.png

Creating Access Key in Monosign Drupal Application

DecidingAccessKey.png

Deciding Access Key as OIDC/OpenID and Expiration Date

Property

Value

Options

Key Type

OIDC/OpenID

Rest API, OAuth 2.0, JWT, OIDC/OpenID, SAML, RADIUS, Access Gateway, LDAP, AuthN/Z Server

Expiration

Lifetime

Lifetime or Specific Date/Time - By Default Lifetime is Enabled.

Configuration details for the Drupal application are provided as follows:

OIDCAccessKeyDetails.png

OIDC/OpenID Access Key Details

The third step will use information in the “OIDC/OpenID Access Key Details“ section to configure the Drupal OIDC/OpenID settings.

OIDCKeySettings.png

OIDC/OpenID Configuration on Monosign

Property

Value

Description

UserName Format

Monosign UserName

Defines the UserName format such as Monosign UserName, sAMAccountName, UserprincipalName, Email etc.

Signature Algorithm

HS256

This specifies the algorithm used to sign the JWT. HS256 refers to HMAC-SHA256, a common symmetric encryption algorithm used to secure JWTs.

Additional Claims

Claim: email

Value: {{Email}}

Claim: Username

Value: {{UserName}}

Claim: preferred_username

Value: {{UserName}}

These are additional pieces of information (claims) that are included in the JWT payload

To ensure that the application has access to user groups, follow these steps:

  1. If the application hasn't been configured yet, click the “Edit” option for the application.

  2. In the application settings, navigate to the “Source, Provider, and Profile” tab.

  3. Configure the “User Access Type“ and “User Group Access Type” as “Only Assigned Users.”

Configuring this setting will allow the application to be accessed by user groups when users sign in.

ApplicationAccess.png

Application Access Configuration

Property

Description

Options

User Access Type

Defines which Users will access this application.

Only Assigned Users
All Users

User Group Access Type

Defines the application’s user group access

Only Assigned Users
Assigned Users and Defined Sources
All Users

Profile Access Type

Defines the Application’s user’s profile access

Restricted - Only restricted user profile attributes
All - All user profile attributes

2- Configuration Single Sign-On for Drupal

As highlighted at the beginning of the document, please check out Drupal’s OpenID Connect SSO configuration page first.

Drupal configuration contains below steps:

  1. Install OpenID Connect module

  2. Configure OpenID Connect module

a. Install OpenID Connect Module

Drupal does not support authentication via OpenID without a OpenID authentication module in the base. In this case, the Drupal Admin user needs to install the “OpenID Connect“ module for Drupal on the https://www.drupal.org/project/openid_connect.

The module installation process can be different for every Drupal application and the installation process is the responsibility of the admin user.

The example module installation process is for Drupal with the composer.

After downloading “OpenID Connect“ module from https://www.drupal.org/project/openid_connect page, you should go to the Admin page for the Drupal application.

Please navigate to the Manage → Extend page on the Admin UI and install the module as shown.

InstallOpenidModuleDrupal.png

Installing the OpenID Connect Authentication Module

After installing the “OpenID Connect“ module, you can update some texts on the UI. On the module’s configuration page, you can change the text named “Generic“ to “Monosign“ by editing the “OpenIDConnectGenericClient.php“ file.

The default text for third-party IdPs is “Generic“ on the configuration page and the login page. Admin user of Drupal application can find the “OpenIDConnectGenericClient.php” in the folder structure of the application.

You can edit the text from “Generic“ to “Monosign“ in the file.

It is better to clear all caches on the Configuration → Performance after change is made.

CleanShot 2024-07-08 at 04.07.46-20240708-010922.png

Editing OpenIDConnectGenericClient.php File

After editing the module, please navigate to the “Configuration“ page and click the “OpenID Connect“ module to configure the OpenID settings as shown.

OpenIDConfigurationDrupal.png

Navigating to the OpenID Connect Authentication Configuration Page

b. Configure OpenID Connect

The section configures the OpenID Connect module login process when users try to log in to Drupal through Monosign.

OpenIDConfiguration.png

OpenID Connect Configuration

Property

Value

Description

Enabled OpenID Connect clients

Monosign

or

Generic

Choose enabled OpenID Connect clients.

Client ID

Client ID copied from Monosign OIDC/OpenID Access Key details created on the first step.

A unique identifier for the client application.

Client secret

Client Secret copied from Monosign OIDC/OpenID Access Key details created on the first step.

A secret key is known only to the application and the authorization server.

Authorization endpoint

https://account.monofor.com/openid/authorize

Authorization endpoint copied from Monosign OIDC/OpenID Access Key details created on the first step.

The URL where the authorization request is sent.

Token endpoint

https://account.monofor.com/openid/token

Token endpoint copied from Monosign OIDC/OpenID Access Key details created on the first step.

The URL where the token request is sent

UserInfo endpoint

https://account.monofor.com/openid/userinfo

UserInfo Endpoint copied from Monosign OIDC/OpenID Access Key details created on the first step.

The URL where the user information is fetched.

Override registration settings

Checked

When checked, user creation is always allowed, even if the registration setting is set to require admin approval or only allows admins to create users.

Save user claims on every login

Checked

If enabled, user claims will be saved on every login. If disabled, user claims will only be saved when the account is first created.

OpenID buttons display in user login form

Replace

Options to control the display of OpenID Connect login buttons on the user login form.

Automatically connect existing users

Checked

If disabled, authentication will fail for accounts with existing email addresses, users may connect existing accounts on their personal Connected Accounts page in a secure way.

3- Assign a user to the Drupal Application

Please follow the below instructions on how to assign a user to the Drupal application. In this example john.smith will assign to the application access.

AssignUserToDrupal.png

Assign User to Drupal

4- Sign In Test

Now try to log in to Drupal using Monosign SSO.

Open a new browser and type Drupal web address. On the Drupal web address click the “Login“ button.

CleanShot 2024-07-08 at 04.29.23-20240708-012953.png

Login to Drupal through Monosign SSO-1

SignInToDrupal.png

Login to Drupal through Monosign SSO-2

It can be login with Passwordless login(Monofor Identity), Passkey or Username and Password(Login with Password)

LoginWithPassword.png

Login to Drupal with UserName and Password

After clicking Sign in user will able to log in to Drupal.

LoggedIn.png

User Logged in through Monosign SSO

After completing the configuration on Drupal, it is better to clear all caches on the Configuration → Performance menu if the OIDC/OpenID SSO doesn’t work.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.