Skip to main content
Skip table of contents

Drupal SAML Integration

This document explains how to implement Monosign with Drupal application. It covers Single Sign-On. Before you continue, starting with Drupal’s Single Sign-On page is better on this page.

This configuration is done with Drupal 10.3.0. If your Drupal version is different please check Drupal documentation.

Based on the documentation and the modules, the SAML integration module works with all versions of the Drupal application.

Monofor has no responsibility to do Drupal configurations. If you need support please contact Drupal Support Services.

📑 Instructions

This documentation contains 4 main steps for integration.

  1. Creating an application on Monosign

  2. Configuration Single Sign-On for Drupal

  3. Assign a user to the Drupal application

  4. Sign In Test

1- Creating an Application on Monosign

Create your application on Monosign and configure your access policy. Once you create, click “Keys” and add a new Access Key for SAML Key for access.

We will need this information while we configure the Drupal application.

Creating Access Key.png

Creating Access Key in Monosign Drupal Application

Creating Access Key SAML.png

Deciding Access Key as SAML and Expiration Date




Key Type


Rest API, OAuth 2.0, JWT, OIDC/OpenID, SAML, RADIUS, Access Gateway, LDAP, AuthN/Z Server



Lifetime or Specific Date/Time - By Default Lifetime is Enabled.

Configuration details for the Drupal application are provided as follows:

SAML Key Details.png

SAML Access Key Details

The third step will use information in the “SAML Access Key Details“ section to configure the Drupal SAML settings.


SAML Configuration on Monosign

ACS (Assertion Consumer Url), Entity Id, Logout URL and Extra Attributes will be configured later while configuring the Configuration Single Sign-On for Drupal step.




UserName Format

Monosign UserName

Defines the UserName format such as Monosign UserName, sAMAccountName, UserprincipalName, Email etc.

Assertion Consumer Url


The URL where the SAML assertion is sent by the IdP. Replace <DRUPAL_IP_OR_FQDN> with the actual IP address or fully qualified domain name of your Drupal site.

Entity Id


A unique identifier for the Drupal service provider. This is used to identify Drupal to the IdP.

Name Id


Specifies the attribute used as the NameID in the SAML assertion, which is the unique identifier for the user. Here, it is set to "UserName".

Logout URL


The URL for the Single Logout Service (SLS) endpoint. This is where the user is redirected for logging out.

Extra Attribute

Attribute: UserName

Value: {{UserName}}

Attribute: Email

Value: {{Email}}

Attribute: eduPersonTargetedID

Value: {{Email}}

Additional attributes that are sent in the SAML assertion.

Signing Algorithm

System Default (SHA 256)

The algorithm used to sign the SAML assertions. Here, it is set to the system default, which is SHA 256.

Enable Group Mapping


Indicates whether group mapping is enabled. When enabled, user groups in the IdP can be mapped to Drupal user roles.

Group Mapping Attribute


The attribute used for group mapping. This specifies which attribute in the SAML assertion contains the group information.

To ensure that the application has access to user groups, follow these steps:

  1. If the application hasn't been configured yet, click the “Edit” option for the application.

  2. In the application settings, navigate to the “Source, Provider, and Profile” tab.

  3. Configure the “User Access Type“ and “User Group Access Type” as “Only Assigned Users.”

Configuring this setting will allow the application to be accessed by user groups when users sign in.


Application Access Configuration




User Access Type

Defines which Users will access this application.

Only Assigned Users
All Users

User Group Access Type

Defines the application’s user group access

Only Assigned Users
Assigned Users and Defined Sources
All Users

Profile Access Type

Defines the Application’s user’s profile access

Restricted - Only restricted user profile attributes
All - All user profile attributes

2- Configuration Single Sign-On for Drupal

As highlighted at the beginning of the document, please check out Drupal’s SAML SSO configuration page first.

Drupal configuration contains below steps:

  1. Install SAML Authentication module

  2. Configure Login / Logout step

  3. Configure Service Provider step

  4. Configure Identity Provider step

  5. Configure User Info and Syncing step

  6. Configure SAML Message Construction step

  7. Configure SAML Message Validation step

a. Install SAML Authentication Module

Drupal does not support authentication via SAML without a SAML Authentication module in the base. In this case, the Drupal Admin user needs to install the “SAML Authentication“ module for Drupal on the

The module installation process can be different for every Drupal application and the installation process is the responsibility of the admin user.

The example module installation process is for Drupal with the composer.

After downloading “SAML Authentication“ module from, you should go to the Admin page for the Drupal application.

Please navigate to the Manage → Extend page on the Admin UI and install the module as shown.


Installing the SAML Authentication Module

After installing the module, please navigate to the “Configuration“ page and click the “SAML authentication“ module to configure the SAML settings as shown.


Navigating to the SAML Authentication Configuration Page

b. Configure Login / Logout

The section configures the login/logout process when users try to log in to Drupal through Monosign.


Login/Logout Configuration




Login menu item title (Mandatory)

Login with Monosign

The configuration changes the default login URL to the SAML URL so users can log in through Monosign.

The SAML Login URL: https://<domain>/saml/login

Logout menu item title (Mandatory)


The configuration changes the default logout URL to the SAML URL so users can log out through Monosign.

The SAML Logout URL: https://<domain>/saml/logout

Roles allowed to use Drupal login also when linked to a SAML login (Optional)

Authenticated user - Not checked

Content editor - Not Checked

Administrator - Checked

Users who have previously logged in through the SAML Identity Provider can only use the standard Drupal login method if they have one of the roles selected here. Drupal users who have never logged in through the IdP are not affected by this restriction.

It is best if you check the “Administrator“. In some cases, the admin account needs login to Drupal without Monosign.

Tell disallowed users they must log in using SAML (Optional)

Not checked

The users were forced to log in to Drupal through SAML. If not checked, we show the generic "Unrecognized username or password" message to users who cannot use the standard Drupal login method. This prevents disclosing information about whether the account name exists but is untrue / potentially confusing.

c. Configure Service Provider

This page configures the necessary details for enabling SAML authentication in Drupal, allowing it to interact with an IdP for single sign-on (SSO) purposes.


Service Provider Configuration

Provide the below information. Entity ID, Assertion Consumer Service and Single Logout Service can be obtained from Drupal Application Keys on Monosign. This is explained in this step.




Metadata URL


Provides the URL where the SP's metadata is available. The URL will be used in Monosign.

Assertion Consumer Service


The endpoint where the IdP sends SAML responses. The URL will be used in Monosign.

Single Logout Service


The endpoint for handling logout requests. The URL will be used in Monosign.

Entity ID


Example: drupal

The unique identifier for the SP.

The Entity ID information will be used in Monosign.

Type of values to save for the key/certificate


Allows saving key and certificate information in the configuration.

Private Key


It contains the private key for signing SAML requests, which should be kept secure.

X.509 Certificate


The public certificate corresponding to the private key, is used by the IdP to verify SAML request signatures.

Please navigate to the Drupal application on the Monosign to set the configuration on the SAML Key settings. The SAML key is created in the first step.

d. Configure Identity Provider

This page configures the necessary details for the Identity Provider (IdP) in the SAML authentication setup, enabling the Drupal application to authenticate users via the specified IdP.


Identity Provider Configuration




Entity ID

A unique identifier for the IdP. This URL is used by the service provider to identify the IdP.

Single Sign On Service

The URL where the service provider redirects users for Single Sign-On (SSO). This is the endpoint where users log in using SAML.

Single Logout Service

The URL where the service provider redirects users for Single Logout (SLO). This is the endpoint where users log out using SAML.

Type of values to save for the certificate(s)


Indicates that the type of data to be saved in the configuration is related to the certificates used for SAML assertions.

X.509 Certificate(s)

The certificate begins with -----BEGIN CERTIFICATE-----

end with


Specifies that the SAML assertions are signed using an X.509 certificate. The certificate must be in a specific format, starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.

e. Configure User Info and Syncing


User Info and Syncing Configuration




Unique ID attribute



A SAML attribute whose value is unique per user and does not change over time. Its value is stored by Drupal and linked to the Drupal user that is logged in. (In principle, a non-transient NameID could also be used for this value; the SAML Authentication module does not support this yet.)
Example: eduPersonPrincipalName or eduPersonTargetedID

Attempt to link SAML data to existing local users


Enable matching on name: Checked

Enable matching on email: Checked

If enabled, whenever the unique ID in the SAML assertion is not already linked to a Drupal user but the assertion data can be matched with an existing non-linked user, that user will be linked and logged in. Matching is attempted in the order of below enabled checkboxes, until a user is found.

Warning: if the data used for matching can be changed by the IdP user, this has security implications; it enables a user to influence which Drupal user they take over.

Create users from SAML data



If data in the SAML assertion is not linked to a Drupal user, a new user is created using the name/email attributes from the response.

User name attribute


When users are linked/created, this field specifies which SAML attribute should be used for the Drupal user name.
Example: cn or eduPersonPrincipalName

The field only can be used if “Create users from SAML data“ option is enabled.

User email attribute


When users are linked/created, this field specifies which SAML attribute should be used for the Drupal email address.
Example: mail

The field only can be used if “Create users from SAML data“ option is enabled.

In the User Info and Syncing section, please make sure all the configuration is configured according to your organization’s policy. Think wisely while configuring the section.

e. SAML Message Construction


SAML Message Construction Configuration




Sign authentication requests


Requests sent to the Single Sign-On Service of the IdP will include a signature.*

Sign logout requests


Requests sent to the Single Logout Service of the IdP will include a signature.

Sign logout responses


Responses sent back to the IdP will include a signature.

Signature algorithm


Algorithm used by the signing process.

Specify authentication context


Specify that only a subset of authentication methods available at the IdP should be used. (If checked, the "PasswordProtectedTransport" authentication method is specified, which is default behavior for the SAML Toolkit library. If other restrictions are needed, we should change the checkbox to a text input.)

Specify NameID policy


A NameIDPolicy element is added in authentication requests, mentioning the below format. This is default behavior for the SAML Toolkit library, but may be unneeded. If unchecked, the "Require NameID" checkbox may need to be unchecked too.

NameID Format


The format for the NameID attribute to request from the identity provider / to send in logout requests.*

f. SAML Message Validation


SAML Message Validation Configuration




Require NameID


The authentication response from the IdP must contain a NameID attribute. (This is default behavior for the SAML Toolkit library, but the SAML Authentication module does not use NameID values, so it seems this can be unchecked safely.)

Strict validation of responses


Validation failures (partly based on the next options) will cause the SAML conversation to be terminated. In production environments, this must be set.

3- Assign a user to the Drupal Application

Please follow the below instructions on how to assign a user to the Drupal application. In this example john.smith will assign to the application access.


Assign User to Drupal

4- Sign In Test

Now try to log in to Drupal using Monosign SSO.

Open a new browser and type Drupal web address. On the Drupal web address click the “Login with Monosign“ button.


Login to Drupal through Monosign SSO-1


Login to Drupal through Monosign SSO-2

It can be login with Passwordless login(Monofor Identity), Passkey or Username and Password(Login with Password)


Login to Drupal with UserName and Password

After clicking Sign in user will able to log in to Drupal.


User Logged in through Monosign SSO

After completing the configuration on Drupal, it is better to clear all caches on the Configuration → Performance menu if the SAML SSO doesn’t work.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.