The Single Sign-On (SSO) functionality is provided by different modules depending on the Drupal version:
- Drupal 7 uses Shibboleth as SSO software and the Shibboleth Authentication module to integrate it into Drupal
- Drupal 8 uses SimpleSAMLphp as SSO software and the simpleSAMLphp Authentication module
On both platforms the idea is the same. Drupal bases its authorization on Permissions, which are granted to Roles, which are in turn assigned to Users. Assigning Roles to every single user by hand is tedious, so the modules above provide a way of mapping Roles to Users based on the User's SSO attributes, such as full name, account name, department, e-group, ...
Please note that Roles are granted or revoked only when a user logs into the website, since that is the only moment Drupal sees the User's SSO attributes. A change to the mapping rules therefore takes effect for each user at their next login, not immediately.
The typical use case is to give members of a certain e-group a specific Role in the website; this is the example explained below.
For Drupal 7 websites, please use the documentation at the following link: https://information-technology.web.cern.ch/services/fe/drupal-infrastructure/howto/use-e-group-role-drupal
For Drupal 8 websites, please continue reading.
The configuration is done under Configuration -> SimpleSAMLphp Auth Settings.
The Role mapping rules are configured under "User info and syncing", in the "Automatic role population from simpleSAMLphp attributes" section.
This configuration option comes pre-filled with a general Role mapping based on account types (identity classes) and on the admin e-groups.
The syntax is explained on the same page, so we will focus on an example instead.
Let's assume the current config option contains:
cern_registered:identityclass,=,CERN Registered|cern_shared:identityclass,=,CERN Shared|hep_trusted:identityclass,=,HEP Trusted|verified_external:identityclass,=,Verified External|unverified_external:identityclass,=,Unverified External|administrator:egroups,=,drupal-admins|administrator:egroups,=,drupal-admins-d8-infrastructure
and we want to grant the "Editor" Role to the "web-services" e-group. (Existing Roles are listed under People -> Roles; editing a Role shows its "Machine name", which is what the mapping rule must use.)
So in order to add this mapping rule we need to append the following to the existing configuration:
|editor:egroups,=,web-services
It is composed of:
"|" -> separator
"editor" -> role_id (must be the machine name of the Role, not its label "Editor")
"egroups" -> SSO attribute name
"=" -> operation
"web-services" -> value
Once appended, the configuration option will end up being:
cern_registered:identityclass,=,CERN Registered|cern_shared:identityclass,=,CERN Shared|hep_trusted:identityclass,=,HEP Trusted|verified_external:identityclass,=,Verified External|unverified_external:identityclass,=,Unverified External|administrator:egroups,=,drupal-admins|administrator:egroups,=,drupal-admins-d8-infrastructure|editor:egroups,=,web-services
Just Save configuration and log into the site with an account that is a member of this e-group to verify that the Role is granted. If it is not, check that the Role machine name is correct and that the e-group name is spelled exactly as the SSO attribute delivers it, since the "=" operation requires an exact match.
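Because a mistyped rule fails silently (it parses, matches nothing, and grants no Role), it is worth checking the string offline before saving it. The following is an added example, not code from the simpleSAMLphp Authentication module or from this page: a small Python checker that parses the rule string using only the grammar shown above (rules separated by "|", each rule "role_machine_name:attribute,operation,value", "=" meaning exact equality with one of the user's attribute values), reports role ids that do not exist on the site, computes which Roles a given set of SSO attributes would produce, and works out what is granted and revoked at login. The site role list and the SSO attribute sets are constructed for the example, and the login sync assumes the module resynchronises every non-locked Role on each login, as the page describes.

```python
"""Offline checker for the "Automatic role population from simpleSAMLphp
attributes" string.

Added example, not code from the simplesamlphp_auth module or from this page.
It assumes only what the page shows: rules separated by "|", each rule
"role_machine_name:attribute,operation,value", and "=" meaning the value must
equal one of the user's attribute values exactly. Any other shape is reported
as an error so a typo is caught before the string is saved in Drupal.
"""
import re
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str, str]  # (role_id, attribute, operation, value)

SUPPORTED_OPS = {"="}
# Drupal role machine names are lowercase letters, digits and underscores.
MACHINE_NAME = re.compile(r"^[a-z0-9_]+$")
# Roles Drupal never lets a module remove (assumption for the sync below).
LOCKED_ROLES = {"anonymous", "authenticated"}


def parse_rules(rule_string: str) -> List[Rule]:
    """Split the configuration string into rules, rejecting malformed ones."""
    rules: List[Rule] = []
    for raw in rule_string.split("|"):
        if ":" not in raw:
            raise ValueError(f"rule {raw!r}: missing ':' between role and condition")
        role_id, condition = raw.split(":", 1)
        if not MACHINE_NAME.match(role_id):
            raise ValueError(f"rule {raw!r}: {role_id!r} is not a role machine name")
        parts = condition.split(",")
        if len(parts) != 3:
            raise ValueError(f"rule {raw!r}: condition must be attribute,operation,value")
        attribute, op, value = parts
        if op not in SUPPORTED_OPS:
            raise ValueError(f"rule {raw!r}: unsupported operation {op!r}")
        rules.append((role_id, attribute, op, value))
    return rules


def lint_rules(rule_string: str, site_roles: Set[str]) -> List[str]:
    """Problems to fix before saving; an empty list means the string is usable.

    A role id that is not a role on the site is the classic silent failure:
    the rule parses, matches, and grants nothing.
    """
    try:
        rules = parse_rules(rule_string)
    except ValueError as exc:
        return [str(exc)]
    return [f"{role_id}: no role with this machine name on the site"
            for role_id, _, _, _ in rules if role_id not in site_roles]


def roles_for(rules: List[Rule], attributes: Dict[str, List[str]]) -> Set[str]:
    """Role ids a user with these SSO attributes would be granted.

    "=" is an exact comparison against the list of values the SSO sends for
    that attribute (e-group membership is such a list). A missing attribute
    simply matches nothing.
    """
    granted = set()
    for role_id, attribute, op, value in rules:
        if op == "=" and value in attributes.get(attribute, []):
            granted.add(role_id)
    return granted


def login_sync(current_roles: Set[str], granted: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(roles to add, roles to remove) when this user logs in.

    Assumes the module resynchronises on every login, as the page describes:
    a role no longer produced by the rules is revoked, except locked roles.
    """
    to_add = granted - current_roles
    to_remove = current_roles - granted - LOCKED_ROLES
    return to_add, to_remove


# The final configuration string from the page, after the editor rule is appended.
RULES = (
    "cern_registered:identityclass,=,CERN Registered"
    "|cern_shared:identityclass,=,CERN Shared"
    "|hep_trusted:identityclass,=,HEP Trusted"
    "|verified_external:identityclass,=,Verified External"
    "|unverified_external:identityclass,=,Unverified External"
    "|administrator:egroups,=,drupal-admins"
    "|administrator:egroups,=,drupal-admins-d8-infrastructure"
    "|editor:egroups,=,web-services"
)

# Constructed site role list and SSO attribute sets; not real accounts.
SITE_ROLES = {"anonymous", "authenticated", "administrator", "editor",
              "cern_registered", "cern_shared", "hep_trusted",
              "verified_external", "unverified_external"}
WEB_SERVICES_MEMBER = {"identityclass": ["CERN Registered"],
                       "egroups": ["web-services", "some-other-egroup"]}
WRONG_CASE_MEMBER = {"identityclass": ["CERN Registered"],
                     "egroups": ["Web-Services"]}


if __name__ == "__main__":
    print(lint_rules(RULES, SITE_ROLES))                            # []
    print(lint_rules("editors:egroups,=,web-services", SITE_ROLES))  # typo in role id
    rules = parse_rules(RULES)
    print(sorted(roles_for(rules, WEB_SERVICES_MEMBER)))   # ['cern_registered', 'editor']
    print(sorted(roles_for(rules, WRONG_CASE_MEMBER)))     # ['cern_registered']
    # A user who had editor but whose attributes no longer match loses it at login.
    print(login_sync({"authenticated", "editor"}, roles_for(rules, WRONG_CASE_MEMBER)))
```

Run it before pasting a new string into the settings page; an empty result from lint_rules plus the expected set from roles_for for a test user is the check that the rule does what was intended. The wrong-case user shows the pitfall the "=" operation has: "Web-Services" is not "web-services", so the Editor Role is not granted, and if the user already had it, the next login revokes it.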