- Issue created by @jrb
Currently, the simpleSAMLphp Authentication module does not support Drupal 11, but this module does. See Drupal 11 compatibility (Active).
It would be nice if there were an easy way to migrate the settings and configuration from simpleSAMLphp to work with SAML Authentication.
I think there will soon be a bunch of people currently using simpleSAMLphp Authentication who'll be looking for a D11-compatible SAML solution, so this could end up being useful.
I've created a sandbox module that will help migrate a site's simpleSAMLphp settings (Drupal configuration, config.php, authsources.php, and saml20-idp-remote.php) to work with SAML Authentication. It's here:
samlauth_simplesamlphp_auth_migration
This module provides both Drush commands and a UI for viewing and migrating configuration settings.
Once enabled, a UI can be found on a tab under Configuration > People > SAML authentication at https://example.com/admin/config/people/saml/simplesamlphp-auth-migration.
Drush commands:
- samlauth_simplesamlphp_auth_migration:showConfig - Show the full set of configuration as read from simpleSAMLphp.
- samlauth_simplesamlphp_auth_migration:showChanges - Show how the simpleSAMLphp configuration will be mapped to the configuration for SAML Authentication.
- samlauth_simplesamlphp_auth_migration:migrate - Set SAML Auth configuration values based on the simpleSAMLphp configuration.
I'm not a SAML expert at all, and wasn't 100% sure how to map all settings, but it seems to be close. It's a work-in-progress that hasn't been fully tested yet.
It would be great if people currently using simpleSAMLphp Authentication could take a look and give feedback on how things are mapped.
If I've got any mappings wrong, please let me know via an issue there, and I can update.
Specifically, I'm not quite sure where to get these SAML Auth settings from in simpleSAMLphp:
- Service Provider - Sign metadata (security_metadata_sign): Add a UUID to the metadata XML and sign it (using the key whose public equivalent is published inside this same metadata).
- SAML Message Construction - Encryption algorithm (security_encryption_algorithm): Algorithm used by the encryption process.
- SAML Message Validation - Require messages to be signed (security_messages_sign): Responses (and logout requests) from the IdP are expected to be signed.
Active
3.0
Code